Copyright © 2014, Oracle and/or its affiliates. All rights reserved.
DILEEP KALIDINDI
23rd June 2015
Securing Enterprise & Cloud Applications
Concept Mashup
#Cryptography #CloudSecurity #SecureCoding #PenetrationTesting
About Me ..!!
 Dileep Varma Kalidindi
 Senior Engineer @Responsys (since Apr’14), Circles Team.
 Fascination: Problem Solving , Distributed & BigData churning systems.
 Past: 8+yrs with VeriSign, Informatica Labs, NTT Data.
 As an Aam Aadmi (the common man, not the broom-symbol party's app) -
? Have your (digital) assets ever been hacked?
? How many phishing/malware emails do you have in your Gmail inbox?
 As a Cloud Product Engineer
? Application security - what scares the hell out of you?
? Can you host Responsys customer credit card information on some Oracle Cloud X product?
? Did you ever do a hotfix to fix a security vulnerability in your code?
? Do we have an explicit secure coding checklist & security testing as part of release deliverables?
 Absolute Security is a myth !!
What do you think ?
Secure world – Reality – Top 2014 flaws
 Heartbleed bug in SSL/TLS – exposes data sent over HTTPS
OpenSSL 1.1 encryption flaw – missing validation on a length variable
 Data breaches at Target and Home Depot - POS systems – 56m credit card details & 53m emails
 APPLE ROT's – man-in-the-middle attack through an SSL encryption flaw – celebrity pictures exposed.
 Drupal "Boogeyman" – SQL injection attack
 Facebook scams – 8,50,000 – cost in 2014 > 12.5 B$
 3rd party apps - Dropbox passwords leaked, Snapchat images leaked
 Stuxnet, FLAME
Agenda
 Cyber Threats and Impact
 Crypto Concepts
 Cloud - Data security considerations
 Java Security Landscape
 Secure Coding practices
 Pen Testing
 DEMO
Attack landscape – basic identification
 Attacks – Secrecy (stealing), Integrity (phishing), Availability (DoS) & APTs (persistent)
 Attack vectors – the path by which an attack takes place:
Kernel/design flaws – Buffer overflow (stack/heap) – Insufficient input validation (injection) – Misconfiguration – Symlinks – File descriptors – Race conditions – Incorrect permissions – Social engineering.
 Operational Impact
Denial of Service – host/network/distributed, Installed malware (remote code), Web/root/user compromise
 Informational Impact
Distort – Disrupt – Destruct – Disclosure & Discovery
 Target Systems
OS (kernel/user/driver), Network, Application (server, DB, email, web & client)
Cryptography – Back to basics & concepts
5 April 2016 7
Cryptography - Basics & Concepts
 Security Goals
• Data Integrity, Authentication, Non repudiation, Confidentiality & Trust
• Deals with making communications and storage secure.
 Encryption / Decryption
• Encryption: clear-text message to cipher-text
• Decryption: cipher-text back to clear-text
 Types of encryption algorithms
• Symmetric Key.
• Asymmetric Key.
Cryptography - Hashes
 Infeasible to reverse – 1-way encryption
 Maps a variable-length input string to a short fixed-length binary sequence.
 Efficient – easy to compute; infeasible to craft collisions
 Used for storage of passwords
 Algos – MD5 128 bits (broken), SHA-1 160 bits & SHA-256 & SHA-512
 Attacks – dictionary / rainbow-table attacks – hash collisions
 Mitigation – use random salts, SHA-256, 2-factor auth
Symmetric Crypto - Overview
 Symmetric – the same key is used for encryption and decryption
 Needs a mechanism to exchange the shared key securely.
 Key must be secret and safely stored.
 Used for storage and secure transmission
 Symmetric key ciphers are efficient
 Inexpensive relative to their strength; fast encryption/decryption
 Algos – DES, 3DES, AES, RC4
 Attack – cryptanalysis & key compromise
 Mitigation – secure key store
Asymmetric Crypto - Overview
 Public key is published to all & private key is a secret (to be stored safely)
 Encrypt with one key & decrypt with the other
 Infeasible to compute the private key from the public key
 Smaller keys are efficient; longer keys have higher crypto strength
 Secure communications – key exchange during session establishment – SSL, PGP & SSH
 Mechanisms – Digital Signatures & Certificates
Digital Signatures - Overview
 Hashing & asymmetric crypto
 Data stays in cleartext; the signature is computed over a hash of the data
 Algos – RSA/SHA-x, DSA
 Applications – PGP signed emails, SSL certs
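The asymmetric and digital-signature slides above, as an added Java example that is not part of the deck: an RSA key pair, a SHA-256-over-the-data signature made with the private key, and verification with the public key, showing that both an altered message and a signature from a different key are rejected. Class and method names are mine; the sample message is constructed to mirror the "sign emails that trigger workflow actions" advice later in the deck.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;

public class SignedMessage {
    // 2048-bit RSA: the "longer keys = higher strength" trade-off from the slide. The private
    // half stays with the signer; the public half is published (or wrapped in a certificate).
    static KeyPair newKeyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    // "Hashing & asymmetric crypto": SHA-256 is computed over the data and the digest is
    // signed with the private key. The data itself is not encrypted.
    static byte[] sign(PrivateKey priv, byte[] data) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(priv);
        s.update(data);
        return s.sign();
    }

    static boolean verify(PublicKey pub, byte[] data, byte[] sig) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(pub);
        s.update(data);
        try {
            return s.verify(sig);
        } catch (SignatureException e) {
            return false; // malformed signature bytes count as a failed verification
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = newKeyPair();
        // Constructed sample: an inbound email body that triggers a workflow step.
        byte[] body = "action=approve-refund; order=1001".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(kp.getPrivate(), body);
        System.out.println("genuine message verifies: " + verify(kp.getPublic(), body, sig));

        byte[] altered = "action=approve-refund; order=9999".getBytes(StandardCharsets.UTF_8);
        System.out.println("altered message verifies: " + verify(kp.getPublic(), altered, sig));

        KeyPair other = newKeyPair(); // a signer we do not trust
        System.out.println("other key verifies: " + verify(other.getPublic(), body, sig));
    }
}
```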
Digital Certificates- Signatures + Chain of trust
 Builds on digital signatures & PKI
 Certificate - a digitally signed public key
- Is public & valid for a period of time
- Certifies that the public key identifies the subject
- Affixed with the CA's signature
 Chain of trust with CAs – VeriSign, Symantec
Data security considerations for Cloud
Cloud data security - Issues
 Data security is crucial for enterprises, and its protection is vital for reputation.
 The major deterrent to cloud computing adoption is data security concern:
• Data moves out of enterprise boundaries
• Trust in cloud providers
• Shared infrastructure.
 Benefits are compelling if data security is comprehensive and non-intrusive.
 Top cloud data security issues - Gartner:
 Xen hypervisor virtualization bug
 Breach notification and data residency
 Encryption key management & resiliency of the encryption system.
Cloud data security – Who is responsible
 Encryption of data (sent to the cloud) is always a good practice
 Different levels of providers are involved in overall security
 Shared infrastructure raises the risk of a security breach.
 APIs expose many admin functions – a weakness in an API can be catastrophic.
 Encryption layers:
 Higher-level encryption can protect but is hard (& inefficient)
 Still, who has the keys? – the provider
 Disks encrypted by the provider – the provider can see the content
 File systems encrypted by the provider – the provider can see file content !!
Manage your cloud
 1-way hashes:
 Store passwords in the DB as salted 1-way hashes for apps hosted by you (in the cloud).
 Symmetric crypto:
 A secure way to store uploaded data, sensitive personal information in databases, VM images, emails etc.
 Encrypt sensitive data stores in the database and search indexes in the apps provided by you.
 Asymmetric crypto:
 Use HTTPS for all confidential exchanges
 Sign emails, especially input emails that trigger workflow actions.
 Implement certificate-based client authentication properly.
Cloud data security - trends
 Hardware Security Modules (HSM)
 Cryptographic black box – input data comes out transformed (crypto)
 Secure & tamper-resistant storage for high-value keys
 Cloud encryption gateways
 Fully homomorphic encryption (advanced research)
Java Security Landscape
Security Overview - Java
 Java platform at the core
Type safety, automatic GC, secure class loading & verification.
 Basic principles
Implementation independence, interoperability & algorithm extensibility.
 Robust bytecode verification and class loading.
 APIs to integrate security into Java application code:
Cryptography, PKI (public key infrastructure), Authentication, Secure communication & Access control
Security model - evolution
 JDK 1.0 – allowed trusted code (in the JVM) & untrusted remote code in a sandbox (Applets)
 JDK 1.1 – allowed trusted remote code in the JVM
 Java 2 Platform Security Model
Security model
 JVM View:
Security model – policy stages
 Secure class loading
 PKI – Public Key Cryptography – secure exchange of information:
keys, certificates, public key encryption, and trusted Certification Authorities (CAs)
PKI tools – keytool, jarsigner
 Secure Communication – SSL / TLS, SASL, GSS-API & Kerberos
Other concepts:
Secure Coding Practices
Secure Coding – safeguard from Injection
 Avoid injection attacks –
 SQL injection – injecting SQL snippets through un-sanitized form fields.
 Regex injection – sanitize regular expressions (in search fields)
 Log injection – do not log un-sanitized inputs
Coding errors are a major cause of software vulnerabilities
- 64% of 2500 in the National Vulnerability Database
Comprehensive list @ CERT Standards
Let's drive by code
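One guard for each of the three injection classes listed above, as an added Java example that is not from the deck: a parameterised query for SQL, Pattern.quote for a user-supplied search term, and control-character stripping before a value reaches the log. Class and method names are mine; the SQL method only prepares the statement and needs a real java.sql.Connection, so main exercises the two guards that run without a database.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.regex.Pattern;

public class InjectionGuards {
    // SQL injection: the user value travels as a bound parameter, never as part of the SQL text,
    // so a value such as  x' OR '1'='1  is compared literally against the email column.
    static PreparedStatement findUserByEmail(Connection conn, String email) throws SQLException {
        PreparedStatement ps = conn.prepareStatement("SELECT id, name FROM users WHERE email = ?");
        ps.setString(1, email);
        return ps;
    }

    // Regex injection: a search term from a form field is quoted so its metacharacters are
    // treated as plain text; a pattern that would backtrack explosively becomes a literal.
    static Pattern searchPattern(String userTerm) {
        return Pattern.compile(Pattern.quote(userTerm), Pattern.CASE_INSENSITIVE);
    }

    // Log injection: CR/LF and other control characters in an input would let a request forge
    // extra log lines; replace them and cap the length before the value is logged.
    static String logSafe(String input) {
        String cleaned = input.replaceAll("[\\p{Cntrl}]", "_");
        return cleaned.length() > 200 ? cleaned.substring(0, 200) + "..." : cleaned;
    }

    public static void main(String[] args) {
        // Constructed inputs for the two guards that need no database.
        String term = "(a+)+$";
        System.out.println(searchPattern(term).matcher("price (a+)+$ list").find());      // true: literal match
        System.out.println(searchPattern(term).matcher("aaaaaaaaaaaaaaaaaaaaaaaaaaa!").find()); // false, immediately

        String login = "alice\r\nINFO login ok for admin";
        System.out.println("login attempt for: " + logSafe(login));   // stays on one log line
    }
}
```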
Secure Coding – avoid Cross site scripting
 XSS – injection of client-side malicious script into web pages through web requests or un-validated dynamic content.
 Mozilla XSS-Me Demo
 Reflected (non-persistent) vs persistent XSS attacks – Demo (http://testasp.vulnweb.com/search.asp)
• Injected through data in HTTP query params or form submissions
• Non-validated user-supplied input echoed in the response can cause this.
• When user script input is stored on the server it becomes a persistent attack. (Search user preferences)
 XSS Prevention Model
 Use the HttpOnly flag on the session cookie (to prevent access by any JavaScript)
 Content Security Policy on the browser side
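The reflected-search case and the two prevention bullets above, as an added Java example that is not from the deck: the search term is HTML-encoded before it is reflected into the page, and the response carries an HttpOnly/Secure session cookie and a Content-Security-Policy. Class and method names are mine, and the cookie name and policy values are assumptions; a servlet would set the returned headers on its HttpServletResponse.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class ReflectedSearchPage {
    // Output encoding for HTML text and attribute contexts: these five characters are the
    // ones that let user input break out of an element or an attribute value.
    static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char ch : s.toCharArray()) {
            switch (ch) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(ch);
            }
        }
        return sb.toString();
    }

    // Vulnerable shape from the slide: the query parameter is reflected unchanged.
    static String renderUnsafe(String q) {
        return "<p>Results for: " + q + "</p>";
    }

    // Hardened: every reflection of untrusted data goes through the encoder.
    static String renderSafe(String q) {
        return "<p>Results for: " + htmlEncode(q) + "</p>";
    }

    // Headers from the "XSS Prevention Model" bullets: a session cookie that script cannot
    // read (HttpOnly) and a CSP that allows only same-origin scripts and no inline script.
    static Map<String, String> protectiveHeaders(String sessionId) {
        Map<String, String> h = new LinkedHashMap<>();
        h.put("Set-Cookie", "JSESSIONID=" + sessionId + "; Path=/; Secure; HttpOnly; SameSite=Lax");
        h.put("Content-Security-Policy", "default-src 'self'; script-src 'self'; object-src 'none'");
        h.put("X-Content-Type-Options", "nosniff");
        return h;
    }

    public static void main(String[] args) {
        String q = "<script>alert(1)</script>";   // constructed probe of the XSS-Me kind
        System.out.println(renderUnsafe(q));     // script element lands in the page as markup
        System.out.println(renderSafe(q));       // rendered as visible text instead
        protectiveHeaders("opaque-session-id").forEach((k, v) -> System.out.println(k + ": " + v));
    }
}
```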
Secure Coding practices - Java
 Prevent Denial of Service (DoS) attacks
 Avoid serving expensive requests (repeated large file downloads)
 Set limits for entity expansions and attributes (with XML) - XMLConstants.FEATURE_SECURE_PROCESSING
 Release all resources in all cases (finally block, or use try-with-resources)
 Best practices for input validation & data sanitization
 Do not trust the contents of hidden form fields – sanitize them !!
 Perform string modifications before validation – (avoid XSS) – Java example
 Object orientation security practices
 Compare Class objects, not class names
 Source code analysis tools – BugScout, Pitbull SCC
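The XML entity-expansion bullet above, as an added Java example that is not from the deck: a DocumentBuilderFactory with XMLConstants.FEATURE_SECURE_PROCESSING enabled, plus the JDK parser's disallow-doctype-decl feature so that a document carrying a DOCTYPE (the only place entities can be declared) is rejected outright. Class and method names are mine; the two XML inputs are constructed.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.StringReader;

public class HardenedXmlParser {
    // Secure processing caps entity expansions and attribute counts; banning DOCTYPE removes
    // internal entity expansion and external-entity resolution from the accepted input altogether.
    static DocumentBuilder newBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Root element name on success, or null when the hardened parser rejected the document.
    static String parseRootName(String xml) throws Exception {
        try {
            Document d = newBuilder().parse(new InputSource(new StringReader(xml)));
            return d.getDocumentElement().getTagName();
        } catch (SAXException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a normal request and one whose DOCTYPE declares a nested entity,
        // the shape that grows without bound when expansion limits are absent.
        String normal = "<order><id>1001</id></order>";
        String withDoctype = "<!DOCTYPE x [<!ENTITY a \"aaaa\"><!ENTITY b \"&a;&a;&a;&a;\">]>"
                + "<order><id>&b;</id></order>";
        System.out.println("normal root: " + parseRootName(normal));                       // order
        System.out.println("doctype document accepted: " + (parseRootName(withDoctype) != null)); // false
    }
}
```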
Pen Testing
Penetration Testing
 Method to evaluate the security of our web application – active analysis for vulnerabilities
 Hack your own application – before someone else does !!
 Testing phases – Setup, Passive phase & Active phase
 Attack environment (Setup)
 Set up a simulator (with firewalls, LBs, proxies and production config for app servers).
 Try to penetrate as a stranger without any privileges on resources.
 What do we need?
 Reconnaissance about the app
 The right tools (plugins, exploit frameworks, crawlers)
 A system to hack & the mindset to crack !!
Pen Testing – Passive
 Reconnaissance – know your target
 Determine application types & versions
 Refer to the latest vulnerabilities in OSVDB / NVD
 Observe regular application behaviour – RI
 Advanced Google searching, aka Google hacking: https://pentest-tools.com/reconnaissance/google-hacking
 Application mapping - https://pentest-tools.com
 Active Phase – attack plan
 Business logic
 Authentication, Authorization & Session Management
 Data Validation & Denial of Service
Pen Testing – Tools
 Fuzzing – an automated or semi-automated way to provide invalid, unexpected or random data to the inputs of a computer program.
A required technique for finding SQL injection, DDoS & XSS attacks.
 Tools:
 Exploit frameworks - Metasploit
 Web proxy – Burp, Paros, WebScarab
 Fuzzing – WSFuzzer
 Brute force – Brutus
 Password cracking - John the Ripper
 Scanner – W3AF and ZAP.
References
Links & References
• https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivileged.html#asserting_a_subset_of_privileges
• https://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html#ProviderArch
• https://www.securecoding.cert.org/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java
• https://pentest-tools.com
• http://techbus.safaribooksonline.com/book/programming/java/0201787911
Q & A
Thank you