Application security : going quicker

Size: px

Start display at page:

Download "Application security : going quicker"

Sharon Wilkerson
6 years ago
Views:

1 Application security : going quicker The web application firewall example Agenda

2 Agenda o Intro o Application security o The dev team approach o The infra team approach o Impact of the agility o The WAF

3 Intro Context Who am I? A web application firewall friend A pentester A developer Responsible of the appsec and pentest dpt at Excellium

4 Intro Context From the Verizon DataBreach report

5 Intro Context While the malwares are more related to the users. the hacking side is more related to the servers

6 Intro Context : all begin here

7 Intro Context Historical approach : the magic box theory (WAF) Team : Infra Managed by the infrastructure Not understanding HTTP Positive and negative security models Block 100% of the attacks (as the vendor said) Block more than 100% of the attacks in reallity

8 Intro Context Historical approach : peer programming Team : Dev Quality oriented Limited by the reviewer knowledge Slow

Intro Context Bug bounty programs Team : Red

9 Intro Context Bug bounty programs Team : Red team Microsoft : up to 100 k / bug Y Google : up to 100 k / bug Facebook up to 15 k / bug Performed by security experts Only the visible surface No knowledge of the enterprise strengths/weaknesses How can the attacker be trusted or not?

10 Intro Context Historical approach : SDLC enhancement Team : Risk and Compliance

11 Application Security costs

12 Intro Context : all begin here

13 Intro Context : the beginning Infrastructure team Production team Development team System team Testing team Architecture team GRC team Middleware team Business team

14 Intro Context : the beginning Infrastructure team Production team Development team System team Testing team Architecture team GRC team Middleware team Business team

15 Intro Context : the beginning Infrastructure team Production team Development team System team Testing team Architecture team GRC team Middleware team Business team

16 Agenda o Intro o Application security o The dev team approach o The infra team approach o Impact of the agility o The WAF

17 How to protect : the enterprise view How to assess the security if the application changes continuously? How to stay in the budget? How to protect an application we don t know?

18 How to protect : the enterprise view SAST Code quality Injections Insecure crypto issue Libraries analysis Dynamic langagues Dynamic frameworks DAST Vulnerability scanner Bad configuration checks Infrastructure checks Generic vulnerabilities WAF Rewriting engine Signatures Whitelist Virtual patching Infra

19 obfuscation level How to protect : the enterprise view Business logic Custom code Database Middlewares Frameworks and libraries Application containers Web/Application servers Communication channel Network and security devices Application components

20 Agenda o Intro o Application security o The dev team approach o The infra team approach o Impact of the agility o The WAF

21 How to protect : the dev view SAST Code quality Injections Insecure crypto issue Libraries analysis Dynamic langagues Dynamic frameworks

22 Frameworks Can the security tools automate the tests for each kind of stacks? Knowing the frameworks are hidding the vulnerabilities (GWT. )

23 How to protect : the dev view

24 How to protect : the dev view

25 How to protect : the dev view Pro Cons Automated Not fully security oriented Ran for each change Doesn t test the environment Quick But slow if manual Knowledge of the frameworks Not controlled by the security teams Integrated with the repository

26 Agenda o Intro o Application security o The dev team approach o The infra team approach o Impact of the agility o The WAF

27 How to protect : the infra view WAF Rewriting engine Signatures Whitelist Virtual patching Infra

28 How to protect : the infra view Web Attack types (from OWASP) Client side Session side Server side Programming language side Application side Data side XSS Reflective Persistant DOM based CSIT Flash Applets (HTML5 Web Sockets) Clickjacking Cookie fixation Cookie stealing Cookie guessing CSRF SOP bypass (HTML5) FingerPrinting Exploit Crowling Path transversal http methods File Extension Http spliting Http smuggling Error message Exploit File inclusion Variable control Variable Overwritting Serialization Error message Business logic Privilege escalation Replay BufferOverFlow Authentication Code injection WSDL discovery SOAP XML DoS Error message SQL injection SQL Wildcard LDAP injection XML injection XPath injection SMTP header injection XXE

29 How to protect : the infra view WAF Capabilities Client side Session side Server side Programming language side Application side Data side XSS Reflective Persistant DOM based CSIT Flash Applets (HTML5 Web Sockets) Clickjacking Cookie fixation Cookie stealing Cookie guessing CSRF SOP bypass (HTML5) FingerPrinting Exploit Crowling Path transversal http methods File Extension Http spliting Http smuggling Error message Exploit File inclusion Variable control Variable Overwritting Serialization Error message Business logic Privilege escalation Replay BufferOverFlow Authentication Code injection WSDL discovery SOAP XML DoS Error message SQL injection SQL Wildcard LDAP injection XML injection XPath injection SMTP header injection XXE

30 How to protect : the infra view WAF Capabilities Client side Session side Server side Programming language side Application side Data side XSS Reflective Persistant DOM based CSIT Flash Applets (HTML5 Web Sockets) Clickjacking Cookie fixation Cookie stealing Cookie guessing CSRF SOP bypass (HTML5) FingerPrinting Exploit Crowling Path transversal http methods File Extension Http spliting Http smuggling Error message Exploit File inclusion Variable control Variable Overwritting Serialization Error message Business logic Privilege escalation Replay BufferOverFlow Authentication Code injection WSDL discovery SOAP XML DoS Error message SQL injection SQL Wildcard LDAP injection XML injection XPath injection SMTP header injection XXE

31 How to protect : the security team view Pro Cons Exhaustive (as a security component) No knowledge of the application changes Controlled by the security teams Ruleset to maintain Good false positive tuning capabilities Not aware of the application business logic Protect the environment Not Integrated with the repository

32 How to protect : the security team view DAST Vulnerability scanner Bad configuration checks Infrastructure checks Generic vulnerabilities

33 How to protect : the dev view

34 How to protect : the security team view Pro Cons Automated No knowledge of the application changes Controlled by the security teams Lack of framework support (JavaScript) Quick Not aware of the application business logic Test the environment Limited to known vulnerability patterns Integrated with the repository

35 Agenda o Intro o Application security o The dev team approach o The infra team approach o Impact of the agility o The WAF

36 Before Design Go live Implementation + Unit testing Security validation arrives only at the end! Fix issues Integration testing External security audit Business testing

37 SDLC enhancement The audit validates the complete stack, Can it be automated? Fix issues (only small issues here) Go live Design Design Security review Implementation + Unit testing What about the time for a vulnerability to be integrated in this cycle? Security audit Security code and configuration review Is it possible to follow the cycle for more than vulnerabilities per year? Fix issues Fix issues Risk analysis validation Integration testing Internal Security audit Business testing

38 SDLC enhancement But the release has to be quicker With more feature With less bugs Fix issues (only small issues here) Go live Design Design Security review Implementation + Unit testing.. Security audit Security code and configuration review Fix issues Fix issues Risk analysis validation Integration testing Internal Security audit Business testing

39 Agility Impact Release Management as sprint implies quicker. Patch management Risk analysis Security policy update/definition Roll back capabilities

40 Agility Impact

Limitation of a Pathname to a Restricted Directory

Retrieve exploit and tools Step2 CSC 5-1: No antivirus

CSC 11-7 Lack of filtering on the network/application

MS14-58 Vulnerabilities in Kernel-Mode Driver Allow

41 What to fight against? Get shell on the server Step1 CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CAPEC-88: OS Command Injection Retrieve exploit and tools Step2 CSC 5-1: No antivirus deployed. CSC 11-7 Lack of filtering on the network/application firewalls Get admin crendential and maintain Step3 MS14-58 Vulnerabilities in Kernel-Mode Driver Allow Remote Code Execution Plaintext password stored in memory CSC 16-8: Weak or inexistant password policy CWE-262: Not Using Password Aging (krbtgt account)

42 Agenda o Intro o Application security o The dev team approach o The infra team approach o Impact of the agility o The WAF

Application Security Secure software requirement Compliance ISO 27001 Security requirements

43 Application Security Secure software requirement Compliance ISO Security requirements Compliance with clients, asking for security proofs Intrusion tests result and release postponed Data privacy

44 Agility Impact What do we want? Continuous security test Quick security policy update Quick release Less vulnerabilities Less false positives Detect the vulnerabilities quicker

45 Agility Impact What do we want? Continuous security test -> the dev team knows how to automate Quick security policy update Quick release Less vulnerabilities Less false positives Detect the vulnerabilities quicker

46 Agility Impact What do we want? Continuous security test Quick security policy update -> the dev team knows how to automate (continuous integration) Quick release Less vulnerabilities Less false positives Detect the vulnerabilities quicker

47 Agility Impact What do we want? Continuous security test Quick security policy update Quick release -> (dev team problem!) Less vulnerabilities Less false positives Detect the vulnerabilities quicker

48 Agility Impact What do we want? Continuous security test Quick security policy update Quick release Less vulnerabilities -> (the infrastructure team has the DAST tools) Less false positives Detect the vulnerabilities quicker

49 Agility Impact What do we want? Continuous security test Quick security policy update Quick release Less vulnerabilities Less false positives -> (the security team knows the attacks) Detect the vulnerabilities quicker

50 Agility Impact What do we want? Continuous security test Quick security policy update Quick release Less vulnerabilities Less false positives Detect the vulnerabilities quicker -> (the security team knows the attacks, the infrastructure team has the SAST tools)

51 Agility Impact What do we want? Continuous security test -> the dev team knows how to automate Quick security policy update -> the dev team knows how to automate (devops) Quick release (dev team) Less vulnerabilities (the infrastructure team has the DAST tools) Less false positives (the security team knows the attacks) Detect the vulnerabilities quicker (the security team knows the attacks, the infrastructure team has the SAST tools)

52 Can we automate? How to reduce the vulnerability window? Can we see the infrastructure as a software component of the application? Kind of security tests : Static tests We don t automated Dynamic tests Regression tests WAF policy tests Because Because Behavior driven tests We don t have time

53 Can we automate? How to reduce the vulnerability window? Can we see the infrastructure as a software component of the application? Kind of security tests : Static tests We don t automated Dynamic tests Regression tests WAF policy tests Because Because Behavior driven tests We don t have time

54 Security dev Jenkins SonarQube IIS / Tomcat OWASP Zap OWASP Dependency Check

55 Security infrastructure : EyeWAF Visitor Application Server HTTP(s) WAF Testing Server Tester

56 Agility Impact Can we imagine? The dev team handling the dev and helping in the automation? The infrastructure handling the infrastructure rules based on the other team input The security team controlling what is done and creating the policies

57 Agility Impact

58 Agility Impact

59 Excellium Services S.A. Thank you!

Web Application Penetration Testing

Web Application Penetration Testing COURSE BROCHURE & SYLLABUS Course Overview Web Application penetration Testing (WAPT) is the Security testing techniques for vulnerabilities or security holes in corporate