Overview of Web Application Security and Setup

Transcription

1 Overview of Web Application Security and Setup

2 Section Overview Where to get assistance Assignment #1 Infrastructure Setup Web Security Overview Web Application Evaluation & Testing Application Security Requirements Web Application Security Requirements

3 Material Source OWASP Testing Guide v3 WebGoat Lab Goals Learn real world skillz Teach offensive and defensive security Teach self- reliance and communication Instill collaborative development and teamwork

4 Developed and published by OWASP Application security testing guideline Breaks down testing

5 Vulnerable web application used to teach web app security Our use is two- fold Teach yourself how to exploit the vulnerabilities Projects will require you to report and fix bugs

6 GoogleGroups forum/comp327- spring OWASP Testing Guide OWASP_Testing_Guide_v3.pdf WebGoat Tutorial Videos TAs

7 Download project appliances from the site Setup Bitbucket accounts Create a private git repo Link the repo to the one on the VM Share your repo with the course TAs Reading Assignment

8 Download the Virtual Appliances Do it on campus with a wired connection!

9 OWASP_BWA_Comp327.ova Contains an instance of WebGoat Used to test and learn how to exploit the vulnerabilities you will fix. webgoat_developer.ova Development environment Eclipse with Java EE environment WebGoat source code in a git repo

10 Download & Install VirtualBox Import the Virtual Appliance In class demo Google if not in class Ask questions on the forum if confused

11 Configuring network for VMs In class demo Google if not in class Ask questions on the forum if confused

12 Create a Bitbucket Account 1 person in each group needs to do this Link the git repo on Webgoat_Developer with a new repo in BitBucket Invite your partner to the repo and they will follow similar procedures outlined below

13

14

15 Start the WebGoat_Development VM Login to the VM User: webgoatdev Pass:!webgoatdev Start a Terminal Click the Black Screen in the bar

16 Type./eclipse/eclipse in the Terminal After Eclipse is started Goto: Windows- >Open Perspective- >Other Select: Git Repository Exploring

17 Expand Webgoat [master] Right click Select: Create Remote Type or copy in the git repo Type in the username and password Click Finish

18

19

20 Right click on the origin under Remotes

21

22

23 Click Save and Push

24 Click on the progress bar in lower left to reveal upload progress

25 When the push is complete

26 Once your Bitbucket repo is synched Share (invite) the TAs to your repository Theodore Book (tbook) Adam Pridgen (apridgen)

27 How do web applications work? Source: for- the- consumer/

28 How do attack web attacks work? Source: penetration- testing- service.php

29 Basic Vocabulary Threat, Vulnerability, Risk, Mitigation Attack vs. Defense Client vs. Server Web Proxy Session Cookie

30 Web Application Security Testing Overview Manual Inspections & Reviews Threat Modeling Source Code Review Penetration Testing

31 Manual Inspections & Reviews Review Technical decisions Review Architectural designs Review Security (configuration and coding) policies Review Security requirements

32 Manual Inspections & Reviews Advantages Requires no supporting technology Can be applied to a variety of situations Flexible Promotes teamwork Early in the SDLC Manual Inspections & Reviews Disadvantages Can be time consuming Supporting material not always available Requires extensive knowledge and experience

33 Threat Modeling Decomposing the application Defining and classifying the assets Exploring potential vulnerabilities Exploring potential threats Creating mitigation strategies

34 Threat Modeling Advantages Practical attacker's view of the system Flexible Early in the SDLC Threat Modeling Disadvantages Extensive knowledge and experience required Project or business names change over lifecyle

35 Source Code Review Evaluate data and control flow of application Line by line analysis of source code Read comments and intended functionality

36 Source Code Review Advantages Completeness and effectiveness Potential accuracy Manual and automated processes Source Code Review Disadvantages Requires highly skilled security developers Can miss issues in third- party libraries Run- time errors may go unnoticed Subtleties and knowledge of the underlying language

37 Penetration Testing Black box testing using attack tools Mostly Develop an understanding based on Error messages Client and server technologies Exploit the application Attempt to compromise users, functionality, and data

38 Penetration Testing Advantages Time boxed and scope limited Tests code and functionality that is exposed Penetration Testing Disadvantages Completeness of testing Latent services or data manipulation and usage Only tests code and functionality that is exposed

39 User Management Authentication Authorization Data Confidentiality Integrity Accountability Session Management Transport Security Tiered System Segregation (Trust relationships) Privacy

40 Web Application Security Testing Framework Authentication & Access Control Input Validation & Encoding Data and Transport Encryption User and Session Management Error and Exception Handling Auditing and Logging

41 1. OWASP Testing Guide v3, OWASP_Testing_Guide_v3.pdf

42 Authentication & Access Control

43 Input Validation & Encoding

44 Data and Transport Encryption

45 User and Session Management

46 Error and Exception Handling

47 Auditing and Logging