Web application security has never been harder. Our adversary is cunning and clever, and as software becomes more and more complex it is harder than ever to ensure security. This presentation is about using Aspect Oriented Programming (AOP) to organize our code in a way that makes security practices easier to implement and maintain centrally, and helps bring security to the forefront of the software development process. The aim is to slow or stop our attackers, using AOP as the mechanism for achieving this.
2. DISCLAIMERS
Disclaimer One
I make no guarantees about beard length. But a beard will always be attached to this sexy face!
IN OTHER WORDS DON’T COME CRYING TO ME ON TWITTER AND/OR OTHER SOCIAL NETWORKS THAT YOU MAY OR MAY NOT FIND ME ON!
Disclaimer Two
I curse, frequently… sorry…
Disclaimer Three
I don’t curse in the presence of my family, therefore I have brought my family with me so that I don’t have to curse in front of you.
Disclaimer Four
Opinions are my own. Advice provided with no warranty.
If you go back and implement an algorithm I told you to implement, you do so at your own risk.
IF YOU’RE READING AND/OR SEEING THIS, BEWARE
4. THE NERDIEST OF BEARDOS
WHO’S THIS JERK ANYWAY!??
ARCHITECT
I create pretty diagrams so that business people can understand what you people are saying!
WANNABE SECURITY DUDE
I study cryptography and computer security for fun. Application security defender/practitioner since someone learned me about SQL injection!
DEVELOPER
Developer for most of my life, and the only job I’ve ever had!
HUSBAND/FATHER
Against all odds I’ve managed to stay married and pass on my genes (God help us all!)
5. CREDENTIALS
TOOK 11 YEARS TO GET A DEGREE
Yes! I finally got a degree!
CERTIFICATIONS
// TODO: get certified in something
I LIED
I HAVE ONE CERTIFICATION!!
… Certified Scrum Master
ALSO KNOWN AS
Scum Master
Dragon Master
9. HOW TO APPROACH THIS TALK
• This is not the solution to all your security problems!
• Security does not always look “logical” but it is!
• Look for defense strategies.
• Strategies are harder than implementation*!
• For developers
11. AS A MILITARY STRATEGY
SITUATION
Facing a superior fighting force in both resources and numbers.
FORMATION
Deploy military units, fortifications and resources behind the front line. As the enemy advances through the formations you inflict more and more casualties, decreasing the effectiveness of the opposing army and drawing them into a war of attrition.
GOAL
Instead of trying to stop the enemy’s advance, slow their advance down until you can contain the enemy.
15. EXAMPLE – HOME INVASION
MECHANISM
Typically no more than a deadbolt
RESULT
Guys like Bill Sempf can pick that lock in a few minutes! (It may take someone like me a few hours)
SECURITY
Provides very little security. In fact most of the security is provided simply by the fact that the attacker is scared.
17. HOME INVASION – DEFENSE IN DEPTH
MECHANISMS
Provide security throughout the house.
• Intrusion detection systems (ornaments that make noise when stepped on)
• Intrusion prevention systems (torch at the perimeter, heavy cans)
• “Honey Pots” (unlocked windows)
SECURITY
• Provides security even when your neighbors aren’t around to prevent a home invasion
• Security even if a security failure occurs (Joe Pesci kicks the door in)
19. DEFENSE IN DEPTH – COMPUTER SECURITY
• Often confused with “Layered” security
• Layered security is usually part of an overall Defense in Depth strategy.
• Deploy resources behind the perimeter (front line)
• Resources deployed throughout the network
• Slow an attacker’s advance
• Raise flags along the way to give the organization time to respond
20. WHAT IF ONLY THE PERIMETER WAS SECURED?
• Cannot predict everything that can possibly happen!
• Failures inevitably happen later in the process when new “things” are changed.
• Cannot predict what the internal state of your application will be at any one time.
• Once perimeter security is penetrated all hell breaks loose!
21. EXAMPLE – SQL INJECTION
(Attack chain diagram, read in order:)
• SQL Injection vulnerability deployed
• Attacker begins probing for SQL Injection
• SQL user found to have elevated privileges
• OS command executed through SQL Server (xp_cmdshell)
• Call Home…
• Now the fun begins
22. WEB APPLICATION SECURITY
(Chart: prevalence of vulnerability classes in web applications, with an example of each)
• XSS (57%): url?name=alert(‘you’ve been pwned!’)
• INFO LEAK (40%): Insufficient authentication and authorization around critical sections of the application.
• SQL INJECTION (19%): SELECT * FROM ORM WHERE 1=1; DROP NOPE; -- I THOUGHT I WAS SECURE
• OTHER (11%): Finger Printing, HTTP Response Splitting, Click Jacking etc…
23. DEFENSE IN DEPTH – YOUR APPLICATION
• Authentication (Ah! It’s you!)
• Authorization (You may enter..)
• Confidentiality (Don’t worry, your stuff is safe)
• Validation throughout your application (ARRG don’t try to do that!)
• Detection of Tampering/Audit Logging (ooo.. You messed with me, now you shall feel the wrath!)
25. ASPECT ORIENTED PROGRAMMING
• Developed at Xerox
• Deals with “cross cutting concerns”
• AKA the copy and paste code you put throughout your codebase.
• Examples:
  • Logging (by the way, lots of people think this is all it’s useful for)
  • Authorization
  • Authentication
  • Transactions
  • General Security
26. AOP – BASIC TERMINOLOGY
• Join Point: The “space” between a call from one object to another.
• Point Cut: “Where” you will inject your “advice”
• Advice: The code you want to inject
• Aspect: The combination of a point cut and advice.
• Boundary: Pre-defined point cuts
28. YOU’VE ALREADY BEEN USING AOP! (kinda)
• Created an IHttpModule
• Used a module on Apache or IIS (e.g. ModSecurity)
• Created an action filter in ASP.NET MVC
• Used Data Annotations for validation
• Created a web service in .NET
• Used forms based authentication
• Used a membership or role provider configured through the web.config
29. AUDIT LOGGING
• Detect when “bad things” are happening
• Log to an audit log
• Potentially integrate with SIEM
31. METHOD INTERCEPTION
• AOP allows us to intercept a method and manipulate inputs and outputs
• Can do things like encrypt output
• Gives us the ability to abstract the security “implementation” to a security team.
• But gives us control over when to apply it!
33. VALIDATION
• Because we can intercept methods
• We can also inspect parameters to our methods
• We can automatically validate inputs to our methods
34. N-TIER ARCHITECTURE
PRESENTATION LAYER: ASP.NET MVC, WEB API, WCF SERVICES
CONTRACT LAYER: DOMAIN MODELS, CONTRACTS (Interfaces), DATA MODELS / POCO ENTITIES
SERVICE LAYER: DOMAIN/BUSINESS SERVICES, APPLICATION SERVICES, HELPER CLASSES
DATA LAYER: CONCRETE REPOSITORIES, DATA CONNECTIVITY (CONTEXTS, FILE ACCESS etc.)
35. VALIDATION TAKE 1
• Attempted to build a “WAF” inside my application
• Apply firewall rules via AOP
• Interrogate every parameter to every method for every possible attack vector!
• Bad idea!
36. IF IValidate YouValidate
• Applied to the domain model.
• Creates self validating objects!
• Look for IValidate using AOP
• Validate security of the object
using System.Collections.Generic;

// Domain objects implement this so an aspect can ask any parameter whether it is valid and secure.
public interface IValidate
{
    bool IsValid { get; }
    bool IsSecure { get; }
    IEnumerable<string> ValidationErrors();
    IEnumerable<string> SecurityErrors();
}
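As an added example that is not from the deck, here is one way to wire slides 29 (audit logging), 31 (method interception), 33 (validation) and 36 (IValidate) together in plain C#. The deck does not name an AOP framework, so the interception mechanism assumed here is System.Reflection.DispatchProxy from the .NET base class library; CustomerProfile, ICustomerService, CustomerService and SecurityAspect are names made up for this example, and only the IValidate interface is the deck's own.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;

// Interface from the slide: domain objects know how to validate themselves.
public interface IValidate
{
    bool IsValid { get; }
    bool IsSecure { get; }
    IEnumerable<string> ValidationErrors();
    IEnumerable<string> SecurityErrors();
}

// Constructed domain object (not from the deck). Business rules go in
// ValidationErrors(); rules that matter for security go in SecurityErrors().
public sealed class CustomerProfile : IValidate
{
    public string DisplayName { get; set; } = "";
    public string Email { get; set; } = "";
    public bool IsValid => !ValidationErrors().Any();
    public bool IsSecure => !SecurityErrors().Any();
    public IEnumerable<string> ValidationErrors()
    {
        if (string.IsNullOrWhiteSpace(DisplayName)) yield return "DisplayName is required";
        if (Email.IndexOf('@') < 0) yield return "Email is not well formed";
    }
    public IEnumerable<string> SecurityErrors()
    {
        // DisplayName is rendered in pages, so markup characters are refused outright
        // (the XSS class from slide 22). Output encoding in the view is still required.
        if (DisplayName.IndexOf('<') >= 0 || DisplayName.IndexOf('>') >= 0)
            yield return "DisplayName must not contain markup";
    }
}

// Constructed contract and service: the service itself contains no security code.
public interface ICustomerService { string Save(CustomerProfile profile); }
public sealed class CustomerService : ICustomerService
{
    public string Save(CustomerProfile profile) => "saved " + profile.DisplayName;
}

// The aspect. DispatchProxy builds a runtime type implementing T and routes every call
// through Invoke(): that override is the advice, the proxied contract is the point cut.
public class SecurityAspect<T> : DispatchProxy where T : class
{
    private T _target;
    private Action<string> _audit;
    public static T Wrap(T target, Action<string> audit)
    {
        T proxy = Create<T, SecurityAspect<T>>();
        var aspect = (SecurityAspect<T>)(object)proxy;
        aspect._target = target;
        aspect._audit = audit;
        return proxy;
    }
    protected override object Invoke(MethodInfo targetMethod, object[] args)
    {
        string name = typeof(T).Name + "." + targetMethod.Name;
        // Advice 1, validation (slides 33 and 36): every IValidate argument must be both
        // valid and secure, otherwise the target is never reached and the attempt is audited.
        foreach (IValidate v in args.OfType<IValidate>())
        {
            if (v.IsValid && v.IsSecure) continue;
            string problems = string.Join("; ", v.ValidationErrors().Concat(v.SecurityErrors()));
            _audit($"REJECTED {name}: {problems}");
            throw new ArgumentException($"{name} rejected: {problems}");
        }
        // Advice 2, audit logging (slides 29 and 31): record the call and how it ended.
        try
        {
            object result = targetMethod.Invoke(_target, args);
            _audit($"OK {name}");
            return result;
        }
        catch (TargetInvocationException ex) when (ex.InnerException != null)
        {
            _audit($"FAILED {name}: {ex.InnerException.GetType().Name}");
            throw ex.InnerException;
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        // Audit sink; in a real system these lines would be shipped to the SIEM from slide 29.
        Action<string> audit = e => Console.WriteLine($"{DateTime.UtcNow:O} AUDIT {e}");
        ICustomerService service = SecurityAspect<ICustomerService>.Wrap(new CustomerService(), audit);
        var good = new CustomerProfile { DisplayName = "Alice", Email = "alice@example.com" };
        Console.WriteLine(service.Save(good));   // audited as OK, then saved
        var bad = new CustomerProfile { DisplayName = "Alice <script>", Email = "alice@example.com" };
        try { service.Save(bad); }               // audited as REJECTED, Save is never entered
        catch (ArgumentException ex) { Console.WriteLine("blocked: " + ex.Message); }
    }
}
```

The service class carries no security code of its own: the aspect is applied at the contract boundary by handing callers the wrapped proxy instead of `new CustomerService()`, which is the control over when to apply it that slide 31 describes. In an application the proxy would be produced by the DI container for every service contract, so a new service method is covered by validation and audit logging without its author writing either.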
38. DRAWBACKS
• Does this decrease your application’s performance?
• Yes, each additional line of code will do that…
• Optimize your code
• Buy better hardware…you can afford it
40. WE’VE SHOWN HOW AOP CAN…
• Decrease the complexity of audit logging
• Help validate inputs throughout your application!
• Centralize security code
• Allow specialists to worry about implementation details!
• Make your life easier!
• Make your app safer!
• Help you get a defense in depth strategy throughout your application!
44. FINAL THOUGHTS
• It’s time to stop being afraid of the vulnerabilities we’ve created
• Have an adult conversation about how to move forward
• Agree that everyone is doing their best.
• And realize that moving forward in security calls on us to also look back at old code!