Anna Pasupathy, CISSP, profile picture
Uploaded byAnna Pasupathy, CISSP
PDF, PPTX68 views

WebApp_to_Container_Security.pdf

The document provides a comprehensive overview of application security, covering various topics such as web, mobile, API, container, and open-source security. It highlights key vulnerabilities, attack methods, and best practices for securing applications against risks like injections, broken authentication, and insecure data handling. Additionally, it emphasizes the importance of continuous security assessments and adherence to best practices to mitigate potential threats.

Embed presentation

Download as PDF, PPTX
Application Security By Anna Pasupathy CISSP, CISM © 2019 Claren
Application Security Application Security: Securing software Applications Topics • Web application security: • Securing web applications • API (Application Programming Interface) Security • Securing API communication between machines/applications • Mobile Security: • Securing mobile applications • Container security: • Securing software containers • Open-source security: • Securing the open-source software in use © 2019 Claren
Web Application Security OWASP Top 10 2017 • A1 - Injection • A2 - Broken Authentication • A3 - Sensitive Data Exposure • A4 - XML External Entities (XXE) • A5 - Broken Access Control • A6 - Security Misconfiguration • A7 - Cross Site Scripting (XSS) • A8 - Insecure Deserialization • A9 - Using Components with Known Vulnerabilities • A10 - Insufficient Logging and Monitoring © 2019 Claren
Web Application Security: Risk Ratings © 2019 Claren Risk Exploitability: (3:Easy, 2:Average, 1:Difficult) Prevalence: (3:Widespread 2:Common, 1:Uncommon) Detectability: (3:Easy, 2:Average, 1:Difficult) Technical Impact: (3:Severe, 2:Moderate, 1:Minor) Business Impact Injection 3 2 3 3 Data loss, corruption, data disclosure, loss of accountability, denial of access, host takeover Broken Authentication 3 2 3 3 Money laundering, social security fraud, and identity theft, or disclose sensitive info Sensitive Data Exposure 2 3 2 3 PII leak requiring legal penalty XML External Entities (XXE) 2 2 3 3 Extract data, execute a remote request, scan internal systems, DOS attack, execute other attacks Broken Access Control 2 2 2 3 CRUD on data Security Misconfiguration 3 3 3 2 System compromise Cross Site Scripting (XSS) 3 3 3 2 Stealing credentials, sessions, or delivering malware Insecure Deserialization 1 2 2 3 Remote code execution Using Components with Known Vulnerabilities 2 3 2 2 Depends Insufficient Logging and Monitoring 2 3 1 2 Raise the likelihood of successful exploit to nearly 100%.
Injection, Broken Authentication © 2019 Claren Injection Broken Authentication Cause User Input not validated Inadequate or no Authentication Method of Exploits • User input could be a dbase/Ldap query to reveal the data or makes changes in database • Brute force • Default/weak/known/unencrypted password • No MFA • Exposed URL with session ID • Static and no expiry of session ID • Automated Credential stuffing Mitigation • Validate user input • Separate data from command • Limit data exposure • Use server-side validation • Use ESC sequence • Query parameterization • Use WAF • Check passwords for common passwords • Check password complexity, registration • Enforce password rotation • Use Exponential failed login attempts • Server-side session management • Use MFA
Sensitive Data Exposure, XML External Entities (XXE) © 2019 Claren Sensitive Data Exposure XML External Entities (XXE) Cause Insecure collecting, handling, storing, transmitting or deleting data Manipulate XML, weak XML parser Method of Exploits • Look for exposed data • File upload flaw • Attack an application parsing XML input and expose data Mitigation • Classify data, apply controls, encrypt data at rest and in motion • Use WAF, Key management • Encrypt with strong cipher for data in motion: TLS with perfect forward secrecy (PFS) • Cipher prioritization, Secure parameters • Use HTTP Strict Transport Security (HSTS) to guard against protocol downgrade, cookie hijacking • Disable caching for sensitive data • Store passwords with adaptive and salted hash: Argon2, scrypt - to guard against powerful hardware and GPU • Use json • Avoid serialization for translating data structures • Use SAST, DAST tools • Disable external entity processing
Broken Access Control, Security Misconfigurations © 2019 Claren Broken Access Control Security Misconfigurations Cause Unauthorized access to resources Inadequate security hardening Method of Exploits • Missing policy, rules • Bypass access control checks, Privilege escalation • Not using MFA • Exploit unpatched flaws • Old accounts, default accounts • Leaving unused features, services or samples • Exposing sensitive user or component details in error messages and stack trace Mitigation • Deny by default, use least privilege • Use MFA, Delete unwanted accounts • Minimize CORS (Cross-Origin Resource Sharing) • Log and Audit server on activities • Limit actions allowed • Reduce access area, unwanted services, scrutinize every access • Rate limit access • Invalidate JWT tokens • Disallow access to unexposed URLs/endpoints • Use SAST, DAST, WAF • Patch flaws • Disable default configuration or permission • Unprotected directory listing allowing reverse engineering • Use repeatable process • Use same config for all env, minimum platform • Security directives – HSTS (HTTP Strict Transport Security), HPKP (HTTP Public Key Pinning), X-frame option Header • Use segmentation - for components/tenants, containers and security groups
Cross Site Scripting (XSS), Insecure Deserialization © 2019 Claren Cross Site Scripting (XSS) Insecure Deserialization Cause Jumbled untrusted data from browser content Manipulate deserialized objects Method of Exploits • Client-side code injection exploiting the browser and user’s trust on web site • Steal session cookie • Write, manipulate DB • Using serialized objects from untrusted sources • super cookie about the logged in user • Untrusted user input • Manipulated super cookie containing serialized information on user role or password hash etc. allowing remote code execution, DOS attack etc. Mitigation • Reflected XSS, Stored XSS or DOM XSS • Use escaping • Use frameworks that automatically does the escaping • Separate untrusted user input data from active browser content • Ensure web app is secure • Use WAF • Implementing integrity checks such as digital signatures on any serialized objects • Strict type constraints during deserialization • Validate user input • Use WAF • Run code that deserializes in low privilege environments • Monitor, restrict, alert, Logging deserialization exceptions and failures
Using Components with Known Vulnerabilities, Insufficient Logging and Monitoring © 2019 Claren Using Components with known vulnerabilities Insufficient logging and monitoring Cause • Inadequate and inconsistent process/enforcement. • Well known is known to everyone. No logs, no tracking of activities in logs, or non- decipherable context, no action on logs collected Method of Exploits • Scan for known vulnerabilities • Exploit vulnerabilities • Turn off logging, manipulate log levels Mitigation • Inventory clients and servers • Download from digitally signed official source • Manage - Monitor, patch, config • Automate and consistently check against CVE (Common Vulnerability and Exploits), NVD (National Vulnerability dbase) • OWASP cheat sheet for logging • Granular err msg, approp alert thresholds, mask data in log files • Monitor the context using SIEM tools • Integrity control of logs
Mobile Security © 2019 Claren
Mobile Security: Challenges & Best Practices • Wi-Fi interference: Network spoofing, Man-in-the middle attack • Enforce use of Encrypted channel or VPN • Out-of-date devices: Scan for out-of-date devices and exploit vulnerability • Enforce Software update • Strong Policy • Over the air update • Crypto jacking attacks: Exploit Mobile phone software vulnerability for mining crypto currency • MFA, strong password, password policy • Update software • Limit allowed apps • Secure browsing, safe URL • Poor password hygiene • Strong Policy, password manager © 2019 Claren
Mobile Security: Challenges & Best Practices • Physical Device breaches: User behavior, a balance between flexibility and Security • Jail broken devices • Old phones, un updated phones • Data Leak • Use Endpoint protection • Use DLP tools • MDM solutions • Social Engineering: Instant and continuous exposure to device • Phishing: Awareness, SPAM filter, patches, antivirus, web filter, encryption © 2019 Claren
API Security © 2019 Claren
API Security: An overview • Application Programming Interface (API) is an interface or contract between two entities called a consumer and a provider • Provides a service based on a contract (WSDL, Swagger OpenAPI3). REST API is popular • Shares (therefore exposes) corporate resources and data • Digital transformation is the main driver for API Economy • Another avenue • to stimulate innovation • to create customer stickiness • to build an ecosystem • for monetization • for an attack surface • Private API: Used internally by organizations to integrate with different software systems • Public API: Programming interfaces exposed to developer communities • Partner API: Programming interfaces exposed to partners © 2019 Claren
API Security: Challenges • Application source code exposure • Shared password between apps • Unprotected data in backend • Improperly secured endpoints/URLs • Unencrypted OAuth token stored or sent in clear text • OWASP A1, A2, A4, A5, A6, A7, A10 are applicable • Injection • Broken Authentication • XXE (XML External Entities) • Broken Access Control • Security Misconfiguration • XSS (Cross Site Scripting) • Insufficient logging and monitoring © 2019 Claren
API Security: Methods • Authentication using • Username/password • Cookie Authentication • Digital certificates • Keys • MFA • Digest • Bearer (for OAuth 2.0) • OpenID Connect (OIDC) – ID token for Authentication + Access token • HOBA (HTTP Origin-Bound Authentication) • Mutual Authentication Protocol • Signature • Authorize using • OAuth using Access token (needs bearer token and client ID) © 2019 Claren
API Security: Best Practices • Think of what if the data is compromised • Plan for growth: consideration during design, deployment, intent, which user group • Consider what resource and fields are exposed, what’s the business, scope and which method • Use an existing framework, use the existing security process • Encrypt data in motion • Use API Gateway for API management (Apigee, MuleSoft) • analyze authorization • messages • tokens and parameters • track usage • throttle usage using rate limits • encrypt and redact logs © 2019 Claren
API Security: Best Practices • Detect Insecure API calls with Sniffers • Consistent change management • Classify as Public, Private or Partner API • Security scans for both home-grown, third-party libraries and open-source • Data driven automated testing • SAST (Static Application Security Testing: white box) • DAST (Dynamic Application Security Testing: black box, run-time) • IAST (Interactive Application Security Testing: real time on code, config, connection, 3rd party libraries, framework ) • RASP (Real-time Application Security protection): Monitors attacks and terminates sessions • Security Audit © 2019 Claren
Container Security © 2019 Claren
Container Security: An Overview • What are Containers, why are they needed? • Containers provide an immutable, portable, reusable, and automatable way to package and run apps • 5 key components • Image • Registry • Orchestrator • Container • Host OS © 2019 Claren
Container Security: Challenges • Image • Image vulnerability • Image configuration defects • Embedded Malware • Embedded clear text secrets • Use of untrusted images • Registry • Insecure connection to registries • Stale images in registries • Insufficient authentication and authorization • Orchestrator • Unbounded administrative access • Unauthorized access • Poorly separated inter-container traffic • Mixing of workload sensitivity • Orchestrator node trust © 2019 Claren
Container Security: Challenges • Containers • Vulnerability in runtime software • Unbounded network access from containers • Insecure container runtime config • App vulnerability • Rogue containers • Host OS • Large attack surface • Shared kernel • Host OS component vulnerability • Improper user access rights • Host OS File system tampering © 2019 Claren
Container Security: Challenges • Visibility and identity of each container • Resource hogging • Storage of secrets outside the container • DDOS © 2019 Claren
Container Security: Best Practices • Use Container-specific OSS, a base image with minimized OS with just the required capabilities • Group containers with the same purpose, sensitivity, and threat posture on a single host OS • User Namespaces • Hypervisor isolation • Container isolation • Image whitelist, labeling/versioning • Container-aware network & process monitoring • Validated, and digitally signed images with hashes and signatures • Do Live scan, apply runtime controls and container-aware runtime defense tools (Twistlock, Nuevector) • Secure all tiers with hardware root of trust, using industry standard Trusted Platform Module (TPM)) • Digitally sign or do integrity checks on container images • Manage lifecycle of containers, use policies © 2019 Claren
Open Source Security © 2019 Claren
Open-source Security: Challenges • Pull model: users are responsible for keeping track of vulnerabilities, fixes • Indirect dependency • Known vulnerabilities in system libraries, container images • CVEs in distros • Malicious packages • Typosquatting • Compromised CI or registry • Malicious package included in dependency • Socially engineered inclusion of malicious package • GPL license violations/conflicts © 2019 Claren
Open-source Security: An Overview • Open-source Software • Free source code released under a license • Grants the copyright holder the rights to freely redistribute, study, modify and share with anyone for any purpose • Affordability • Transparency • Perpetuity • Interoperability • Flexibility © 2019 Claren
Open-source Security: Challenges • Path traversal (aka directory traversal or backtracking) • Cross-site scripting (XSS) • Sensitive information exposure: Permissions, privileges, and access control • Deserialization of untrusted data • Out-of-bounds write • Resource management errors • SQL injection • Regular expression denial of service (ReDoS) © 2019 Claren
Open-source Security: Best Practices • Use SCA (Source Code Analysis/Software Composition Analysis) tools • Enforce consistent Security Audits • Patch ASAP • Use encoding to avoid directory traversal • Use open-source security lifecycle • Make pre-approved, easy-to-consume libraries, packages, toolchains, and processes available • Responsible security disclosures • Secure code base with code review • Audit code base • Ensure compliance with software licenses, an essential step in reducing business risk • Breach of an open-source license can result in IP infringement Use tools e.g.: OWASP’s ZAP, SonarQube, Black Duck etc. © 2019 Claren
Conclusion © 2019 Claren VAST ROUGH
Your Journey © 2019 Claren Get a handle on these for a SMOOTH SAIL !

More Related Content

PPTX
OWASP Top 10 - 2017 Top 10 web application security risks
byKun-Da Wu
 
PDF
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
byAll Things Open
 
PDF
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
byapidays
 
PDF
Guidelines to protect your APIs from threats
byIsabelle Mauny
 
PDF
OWASP API Security Top 10 Examples
by42Crunch
 
PDF
OWASP Top 10 2017
bySiddharth Phatarphod
 
PDF
Designing Secure APIs
bySteven Chen
 
PDF
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
byapidays
 
OWASP Top 10 - 2017 Top 10 web application security risks
byKun-Da Wu
 
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
byAll Things Open
 
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
byapidays
 
Guidelines to protect your APIs from threats
byIsabelle Mauny
 
OWASP API Security Top 10 Examples
by42Crunch
 
OWASP Top 10 2017
bySiddharth Phatarphod
 
Designing Secure APIs
bySteven Chen
 
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
byapidays
 

Similar to WebApp_to_Container_Security.pdf

PPTX
OWASP Top 10 2021 What's New
byMichael Furman
 
PDF
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
byapidays
 
PDF
API Security Best Practices and Guidelines
byWSO2
 
PDF
Keamanan Digital dan Privasi di Masa Pandemi-Taro Lay (Director-Kalama Cyber)
byDicodingEvent
 
PDF
APIsecure 2023 - Time to Take the "F*^!" out of ShiFt Left, Christine Bevilac...
byapidays
 
PDF
API Vulnerabilties and What to Do About Them
byEoin Woods
 
PDF
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
byMatt Tesauro
 
PDF
Landmines in the API Landscape
byMatt Tesauro
 
PDF
5 step plan to securing your APIs
by💻 Javier Garza
 
PDF
APIsecure 2023 - Understanding and Identifying Threats Against APIs, Shannon ...
byapidays
 
PDF
The API Primer (OWASP AppSec Europe, May 2015)
byGreg Patton
 
PPTX
Secure practices with dot net services.pptx
byKnoldus Inc.
 
PDF
SecDevOps for API Security
by42Crunch
 
PPTX
BDSE03-1121-API-PresentationTemplate.pptx
bySudhanshuKachhotia
 
PDF
apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...
byapidays
 
PDF
Takeaways from API Security Breaches Webinar
byCA API Management
 
PDF
Virtual Meetup - API Security Best Practices
byJimmy Attia
 
PPTX
Web API Security
byStefaan
 
PPTX
Toronto Virtual Meetup #5 - API Security and Threats
byAlexandra N. Martinez
 
PDF
APIsecure 2023 - API Security - doing more with less, Nir Paz (Standard.ai)
byapidays
 
OWASP Top 10 2021 What's New
byMichael Furman
 
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
byapidays
 
API Security Best Practices and Guidelines
byWSO2
 
Keamanan Digital dan Privasi di Masa Pandemi-Taro Lay (Director-Kalama Cyber)
byDicodingEvent
 
APIsecure 2023 - Time to Take the "F*^!" out of ShiFt Left, Christine Bevilac...
byapidays
 
API Vulnerabilties and What to Do About Them
byEoin Woods
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
byMatt Tesauro
 
Landmines in the API Landscape
byMatt Tesauro
 
5 step plan to securing your APIs
by💻 Javier Garza
 
APIsecure 2023 - Understanding and Identifying Threats Against APIs, Shannon ...
byapidays
 
The API Primer (OWASP AppSec Europe, May 2015)
byGreg Patton
 
Secure practices with dot net services.pptx
byKnoldus Inc.
 
SecDevOps for API Security
by42Crunch
 
BDSE03-1121-API-PresentationTemplate.pptx
bySudhanshuKachhotia
 
apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...
byapidays
 
Takeaways from API Security Breaches Webinar
byCA API Management
 
Virtual Meetup - API Security Best Practices
byJimmy Attia
 
Web API Security
byStefaan
 
Toronto Virtual Meetup #5 - API Security and Threats
byAlexandra N. Martinez
 
APIsecure 2023 - API Security - doing more with less, Nir Paz (Standard.ai)
byapidays
 

Recently uploaded

PDF
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
PDF
HCSP-Presales-Campus Network Planning and Design V2.0
byVeronica916344
 
PDF
Fundamentals and Frontiers of Post Quantum Cryptography
byGokul Alex
 
PDF
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
PDF
WCAG Analyzer Tools and Techniques for User-Friendly Websites
byAccessibility Analyzer
 
PPTX
Session 2 - Solving Unstructured & Complex Documents with UiPath IXP
byDianaGray10
 
PPTX
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
PPTX
Emancipatory Information Retrieval: Radically Reorienting Information Retriev...
byBhaskar Mitra
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PPTX
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PDF
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
PPTX
communication-skills-with-technology tools
byJaleto Sunkemo
 
PDF
Lab 1.5 - Sharing Secrets with GPG ~ 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PPTX
MGw_MRS Benfits seu beficios de redes 4g
byJoaquimBarros18
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PPTX
Technology Consulting _ by Slidesgo.pptx
byfh82277
 
PDF
AI Powered Document Processing and Data Extraction
byRobert McDermott
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
PPTX
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
HCSP-Presales-Campus Network Planning and Design V2.0
byVeronica916344
 
Fundamentals and Frontiers of Post Quantum Cryptography
byGokul Alex
 
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
WCAG Analyzer Tools and Techniques for User-Friendly Websites
byAccessibility Analyzer
 
Session 2 - Solving Unstructured & Complex Documents with UiPath IXP
byDianaGray10
 
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
Emancipatory Information Retrieval: Radically Reorienting Information Retriev...
byBhaskar Mitra
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
communication-skills-with-technology tools
byJaleto Sunkemo
 
Lab 1.5 - Sharing Secrets with GPG ~ 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
MGw_MRS Benfits seu beficios de redes 4g
byJoaquimBarros18
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
Technology Consulting _ by Slidesgo.pptx
byfh82277
 
AI Powered Document Processing and Data Extraction
byRobert McDermott
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 

WebApp_to_Container_Security.pdf

  • 1.
    Application Security By Anna PasupathyCISSP, CISM © 2019 Claren
  • 2.
    Application Security Application Security:Securing software Applications Topics • Web application security: • Securing web applications • API (Application Programming Interface) Security • Securing API communication between machines/applications • Mobile Security: • Securing mobile applications • Container security: • Securing software containers • Open-source security: • Securing the open-source software in use © 2019 Claren
  • 3.
    Web Application Security OWASPTop 10 2017 • A1 - Injection • A2 - Broken Authentication • A3 - Sensitive Data Exposure • A4 - XML External Entities (XXE) • A5 - Broken Access Control • A6 - Security Misconfiguration • A7 - Cross Site Scripting (XSS) • A8 - Insecure Deserialization • A9 - Using Components with Known Vulnerabilities • A10 - Insufficient Logging and Monitoring © 2019 Claren
  • 4.
    Web Application Security:Risk Ratings © 2019 Claren Risk Exploitability: (3:Easy, 2:Average, 1:Difficult) Prevalence: (3:Widespread 2:Common, 1:Uncommon) Detectability: (3:Easy, 2:Average, 1:Difficult) Technical Impact: (3:Severe, 2:Moderate, 1:Minor) Business Impact Injection 3 2 3 3 Data loss, corruption, data disclosure, loss of accountability, denial of access, host takeover Broken Authentication 3 2 3 3 Money laundering, social security fraud, and identity theft, or disclose sensitive info Sensitive Data Exposure 2 3 2 3 PII leak requiring legal penalty XML External Entities (XXE) 2 2 3 3 Extract data, execute a remote request, scan internal systems, DOS attack, execute other attacks Broken Access Control 2 2 2 3 CRUD on data Security Misconfiguration 3 3 3 2 System compromise Cross Site Scripting (XSS) 3 3 3 2 Stealing credentials, sessions, or delivering malware Insecure Deserialization 1 2 2 3 Remote code execution Using Components with Known Vulnerabilities 2 3 2 2 Depends Insufficient Logging and Monitoring 2 3 1 2 Raise the likelihood of successful exploit to nearly 100%.
  • 5.
    Injection, Broken Authentication ©2019 Claren Injection Broken Authentication Cause User Input not validated Inadequate or no Authentication Method of Exploits • User input could be a dbase/Ldap query to reveal the data or makes changes in database • Brute force • Default/weak/known/unencrypted password • No MFA • Exposed URL with session ID • Static and no expiry of session ID • Automated Credential stuffing Mitigation • Validate user input • Separate data from command • Limit data exposure • Use server-side validation • Use ESC sequence • Query parameterization • Use WAF • Check passwords for common passwords • Check password complexity, registration • Enforce password rotation • Use Exponential failed login attempts • Server-side session management • Use MFA
  • 6.
    Sensitive Data Exposure,XML External Entities (XXE) © 2019 Claren Sensitive Data Exposure XML External Entities (XXE) Cause Insecure collecting, handling, storing, transmitting or deleting data Manipulate XML, weak XML parser Method of Exploits • Look for exposed data • File upload flaw • Attack an application parsing XML input and expose data Mitigation • Classify data, apply controls, encrypt data at rest and in motion • Use WAF, Key management • Encrypt with strong cipher for data in motion: TLS with perfect forward secrecy (PFS) • Cipher prioritization, Secure parameters • Use HTTP Strict Transport Security (HSTS) to guard against protocol downgrade, cookie hijacking • Disable caching for sensitive data • Store passwords with adaptive and salted hash: Argon2, scrypt - to guard against powerful hardware and GPU • Use json • Avoid serialization for translating data structures • Use SAST, DAST tools • Disable external entity processing
  • 7.
    Broken Access Control,Security Misconfigurations © 2019 Claren Broken Access Control Security Misconfigurations Cause Unauthorized access to resources Inadequate security hardening Method of Exploits • Missing policy, rules • Bypass access control checks, Privilege escalation • Not using MFA • Exploit unpatched flaws • Old accounts, default accounts • Leaving unused features, services or samples • Exposing sensitive user or component details in error messages and stack trace Mitigation • Deny by default, use least privilege • Use MFA, Delete unwanted accounts • Minimize CORS (Cross-Origin Resource Sharing) • Log and Audit server on activities • Limit actions allowed • Reduce access area, unwanted services, scrutinize every access • Rate limit access • Invalidate JWT tokens • Disallow access to unexposed URLs/endpoints • Use SAST, DAST, WAF • Patch flaws • Disable default configuration or permission • Unprotected directory listing allowing reverse engineering • Use repeatable process • Use same config for all env, minimum platform • Security directives – HSTS (HTTP Strict Transport Security), HPKP (HTTP Public Key Pinning), X-frame option Header • Use segmentation - for components/tenants, containers and security groups
  • 8.
    Cross Site Scripting(XSS), Insecure Deserialization © 2019 Claren Cross Site Scripting (XSS) Insecure Deserialization Cause Jumbled untrusted data from browser content Manipulate deserialized objects Method of Exploits • Client-side code injection exploiting the browser and user’s trust on web site • Steal session cookie • Write, manipulate DB • Using serialized objects from untrusted sources • super cookie about the logged in user • Untrusted user input • Manipulated super cookie containing serialized information on user role or password hash etc. allowing remote code execution, DOS attack etc. Mitigation • Reflected XSS, Stored XSS or DOM XSS • Use escaping • Use frameworks that automatically does the escaping • Separate untrusted user input data from active browser content • Ensure web app is secure • Use WAF • Implementing integrity checks such as digital signatures on any serialized objects • Strict type constraints during deserialization • Validate user input • Use WAF • Run code that deserializes in low privilege environments • Monitor, restrict, alert, Logging deserialization exceptions and failures
  • 9.
    Using Components withKnown Vulnerabilities, Insufficient Logging and Monitoring © 2019 Claren Using Components with known vulnerabilities Insufficient logging and monitoring Cause • Inadequate and inconsistent process/enforcement. • Well known is known to everyone. No logs, no tracking of activities in logs, or non- decipherable context, no action on logs collected Method of Exploits • Scan for known vulnerabilities • Exploit vulnerabilities • Turn off logging, manipulate log levels Mitigation • Inventory clients and servers • Download from digitally signed official source • Manage - Monitor, patch, config • Automate and consistently check against CVE (Common Vulnerability and Exploits), NVD (National Vulnerability dbase) • OWASP cheat sheet for logging • Granular err msg, approp alert thresholds, mask data in log files • Monitor the context using SIEM tools • Integrity control of logs
  • 10.
  • 11.
    Mobile Security: Challenges& Best Practices • Wi-Fi interference: Network spoofing, Man-in-the middle attack • Enforce use of Encrypted channel or VPN • Out-of-date devices: Scan for out-of-date devices and exploit vulnerability • Enforce Software update • Strong Policy • Over the air update • Crypto jacking attacks: Exploit Mobile phone software vulnerability for mining crypto currency • MFA, strong password, password policy • Update software • Limit allowed apps • Secure browsing, safe URL • Poor password hygiene • Strong Policy, password manager © 2019 Claren
  • 12.
    Mobile Security: Challenges& Best Practices • Physical Device breaches: User behavior, a balance between flexibility and Security • Jail broken devices • Old phones, un updated phones • Data Leak • Use Endpoint protection • Use DLP tools • MDM solutions • Social Engineering: Instant and continuous exposure to device • Phishing: Awareness, SPAM filter, patches, antivirus, web filter, encryption © 2019 Claren
  • 13.
  • 14.
    API Security: Anoverview • Application Programming Interface (API) is an interface or contract between two entities called a consumer and a provider • Provides a service based on a contract (WSDL, Swagger OpenAPI3). REST API is popular • Shares (therefore exposes) corporate resources and data • Digital transformation is the main driver for API Economy • Another avenue • to stimulate innovation • to create customer stickiness • to build an ecosystem • for monetization • for an attack surface • Private API: Used internally by organizations to integrate with different software systems • Public API: Programming interfaces exposed to developer communities • Partner API: Programming interfaces exposed to partners © 2019 Claren
  • 15.
    API Security: Challenges •Application source code exposure • Shared password between apps • Unprotected data in backend • Improperly secured endpoints/URLs • Unencrypted OAuth token stored or sent in clear text • OWASP A1, A2, A4, A5, A6, A7, A10 are applicable • Injection • Broken Authentication • XXE (XML External Entities) • Broken Access Control • Security Misconfiguration • XSS (Cross Site Scripting) • Insufficient logging and monitoring © 2019 Claren
  • 16.
    API Security: Methods •Authentication using • Username/password • Cookie Authentication • Digital certificates • Keys • MFA • Digest • Bearer (for OAuth 2.0) • OpenID Connect (OIDC) – ID token for Authentication + Access token • HOBA (HTTP Origin-Bound Authentication) • Mutual Authentication Protocol • Signature • Authorize using • OAuth using Access token (needs bearer token and client ID) © 2019 Claren
  • 17.
    API Security: BestPractices • Think of what if the data is compromised • Plan for growth: consideration during design, deployment, intent, which user group • Consider what resource and fields are exposed, what’s the business, scope and which method • Use an existing framework, use the existing security process • Encrypt data in motion • Use API Gateway for API management (Apigee, MuleSoft) • analyze authorization • messages • tokens and parameters • track usage • throttle usage using rate limits • encrypt and redact logs © 2019 Claren
  • 18.
    API Security: BestPractices • Detect Insecure API calls with Sniffers • Consistent change management • Classify as Public, Private or Partner API • Security scans for both home-grown, third-party libraries and open-source • Data driven automated testing • SAST (Static Application Security Testing: white box) • DAST (Dynamic Application Security Testing: black box, run-time) • IAST (Interactive Application Security Testing: real time on code, config, connection, 3rd party libraries, framework ) • RASP (Real-time Application Security protection): Monitors attacks and terminates sessions • Security Audit © 2019 Claren
  • 19.
  • 20.
    Container Security: AnOverview • What are Containers, why are they needed? • Containers provide an immutable, portable, reusable, and automatable way to package and run apps • 5 key components • Image • Registry • Orchestrator • Container • Host OS © 2019 Claren
  • 21.
    Container Security: Challenges •Image • Image vulnerability • Image configuration defects • Embedded Malware • Embedded clear text secrets • Use of untrusted images • Registry • Insecure connection to registries • Stale images in registries • Insufficient authentication and authorization • Orchestrator • Unbounded administrative access • Unauthorized access • Poorly separated inter-container traffic • Mixing of workload sensitivity • Orchestrator node trust © 2019 Claren
  • 22.
    Container Security: Challenges •Containers • Vulnerability in runtime software • Unbounded network access from containers • Insecure container runtime config • App vulnerability • Rogue containers • Host OS • Large attack surface • Shared kernel • Host OS component vulnerability • Improper user access rights • Host OS File system tampering © 2019 Claren
  • 23.
    Container Security: Challenges •Visibility and identity of each container • Resource hogging • Storage of secrets outside the container • DDOS © 2019 Claren
  • 24.
    Container Security: BestPractices • Use Container-specific OSS, a base image with minimized OS with just the required capabilities • Group containers with the same purpose, sensitivity, and threat posture on a single host OS • User Namespaces • Hypervisor isolation • Container isolation • Image whitelist, labeling/versioning • Container-aware network & process monitoring • Validated, and digitally signed images with hashes and signatures • Do Live scan, apply runtime controls and container-aware runtime defense tools (Twistlock, Nuevector) • Secure all tiers with hardware root of trust, using industry standard Trusted Platform Module (TPM)) • Digitally sign or do integrity checks on container images • Manage lifecycle of containers, use policies © 2019 Claren
  • 25.
  • 26.
    Open-source Security: Challenges •Pull model: users are responsible for keeping track of vulnerabilities, fixes • Indirect dependency • Known vulnerabilities in system libraries, container images • CVEs in distros • Malicious packages • Typosquatting • Compromised CI or registry • Malicious package included in dependency • Socially engineered inclusion of malicious package • GPL license violations/conflicts © 2019 Claren
  • 27.
    Open-source Security: AnOverview • Open-source Software • Free source code released under a license • Grants the copyright holder the rights to freely redistribute, study, modify and share with anyone for any purpose • Affordability • Transparency • Perpetuity • Interoperability • Flexibility © 2019 Claren
  • 28.
    Open-source Security: Challenges •Path traversal (aka directory traversal or backtracking) • Cross-site scripting (XSS) • Sensitive information exposure: Permissions, privileges, and access control • Deserialization of untrusted data • Out-of-bounds write • Resource management errors • SQL injection • Regular expression denial of service (ReDoS) © 2019 Claren
  • 29.
    Open-source Security: BestPractices • Use SCA (Source Code Analysis/Software Composition Analysis) tools • Enforce consistent Security Audits • Patch ASAP • Use encoding to avoid directory traversal • Use open-source security lifecycle • Make pre-approved, easy-to-consume libraries, packages, toolchains, and processes available • Responsible security disclosures • Secure code base with code review • Audit code base • Ensure compliance with software licenses, an essential step in reducing business risk • Breach of an open-source license can result in IP infringement Use tools e.g.: OWASP’s ZAP, SonarQube, Black Duck etc. © 2019 Claren
  • 30.
  • 31.
    Your Journey © 2019Claren Get a handle on these for a SMOOTH SAIL !