Injecting Security Controls into Software Applications. Katy Anton

Similar documents
OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

SECURE CODING ESSENTIALS

Web Application Security. Philippe Bogaerts

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Your Turn to Hack the OWASP Top 10!

Sichere Software vom Java-Entwickler

Copyright

C1: Define Security Requirements

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

epldt Web Builder Security March 2017

Solutions Business Manager Web Application Security Assessment

Security Course. WebGoat Lab sessions

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

1 About Web Security. What is application security? So what can happen? see [?]

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Web Application Penetration Testing

Ruby on Rails Secure Coding Recommendations

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Welcome to the OWASP TOP 10


Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Certified Secure Web Application Engineer

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Uniform Resource Locators (URL)

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

Exploiting and Defending: Common Web Application Vulnerabilities

CSWAE Certified Secure Web Application Engineer

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Course 834 EC-Council Certified Secure Programmer Java (ECSP)

Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection

John Coggeshall Copyright 2006, Zend Technologies Inc.

6-Points Strategy to Get Your Application in Security Shape

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

GOING WHERE NO WAFS HAVE GONE BEFORE

IEEE Sec Dev Conference

En partenariat avec CA Technologies. Genève, Hôtel Warwick,

COMP9321 Web Application Engineering

Web Application Security GVSAGE Theater

Aguascalientes Local Chapter. Kickoff

SQL Injection. EECS Introduction to Database Management Systems

Application Layer Security

Engineering Your Software For Attack

TIBCO Cloud Integration Security Overview

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Hacking Our Way to Better Security: Lessons from a Web Application Penetration Test. Tyler Rasmussen Mercer Engineer Research Center

OWASP Top 10 The Ten Most Critical Web Application Security Risks

DreamFactory Security Guide

CSE 127 Computer Security

CSCE 813 Internet Security Case Study II: XSS

Certified Secure Web Application Secure Development Checklist

Xerox Audio Documents App

Web Penetration Testing

NET 311 INFORMATION SECURITY

CSCE 548 Building Secure Software SQL Injection Attack

Magento Security How to break the code

Web Application Whitepaper

Lecture Overview. IN5290 Ethical Hacking. Lecture 4: Web hacking 1, Client side bypass, Tampering data, Brute-forcing

Web Application Security Evaluation

Managed Application Security trends and best practices in application security

Deliver Strong Mobile App Security and the Ultimate User Experience

OWASP TOP 10. By: Ilia

Web Application Vulnerabilities: OWASP Top 10 Revisited

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

SECURE CODING PART 1 MAGDA LILIA CHELLY ENTREPRENEUR CISO ADVISOR CYBERFEMINIST PEERLYST BRAND AMBASSADOR TOP 50 CYBER CYBER

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Taking White Hats to the Laundry: How to Strengthen Testing in Common Criteria

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

OWASP Top David Johansson. Principal Consultant, Synopsys. Presentation material contributed by Andrew van der Stock

Secure Development Guide

ME?

Multi-Post XSRF Web App Exploitation, total pwnage

Don t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel

Web Applications Penetration Testing

Securing ArcGIS Services

Development Security Guide Oracle Banking Credit Facilities Process Management Release [July] [2018]

Combating Common Web App Authentication Threats

Configuring User Defined Patterns

Application security : going quicker

Web Vulnerabilities. And The People Who Love Them

CIS 4360 Secure Computer Systems XSS

Applications Security

Question No: 2 Which identifier is used to describe the application or process that submitted a log message?

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Sophos UTM Web Application Firewall For: Microsoft Exchange Services

RiskSense Attack Surface Validation for Web Applications

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

SECURITY PRACTICES OVERVIEW

Transcription:

Injecting Security Controls into Software Applications Katy Anton

About me Software development background Principal Security Consultant - CA Technologies Veracode OWASP Bristol Chapter Leader Project co-leader for OWASP Top 10 Proactive Controls (@OWASPControls)

Injection

Injection First mentioned in Phrack magazine in 1998 20 years anniversary 2004 2009 2010 2013 2017 Injection A6 A2 A1 A1 A1

Decompose the Injection Data interpreted as Code Input Parser Output Get / Post Data File Uploads HTTP Headers Database Data Config files SQL Parser HTML Parser XML Parser Shell LDAP Parser SQL HTML XML Bash Script LDAP Query

Extract Security Controls Output Parser Input Vulnerability Encode Output Parameterize Validate Input SQL Injection R R XSS R R XML Injection (XPATH Injection) R OS Cmd Injection R R R LDAP Injection R R R Primary Controls Defence in depth

Sensitive Date Exposure Data at Rest and in Transit

Vulnerabilities Data Types Encryption Hashing Data at Rest Require initial value E.q: credit card Data at rest Don t require initial value E.q: user passwords Data in transit R R R

Data at Rest: Vulnerabilities How Not to Do it! In the same folder - 2 file: The content of password.txt: encryption_key = PBKF2(password, salt, iterations, key_length);

Security Controls Cryptographic Storage Strong Encryption Algorithm AES Key Management Store unencrypted keys away from the encrypted data. Protect keys in a Key Vault (Hashicorp Vault / Amazon KMS) Keep away from home grown key management solutions. Define a key lifecycle. Build support for changing algorithms and keys when needed Document procedures for managing keys through the lifecycle Source: https://www.owasp.org/index.php/cryptographic_storage_cheat_sheet

Security Controls Password Storage - Use a Strong Algorithm PBKDF2 bcrypt scrypt Argon2i Java PHP - password_hash() supports Argon2i from version 7.2 Source: https://www.owasp.org/index.php/password_storage_cheat_sheet

Security Controls Data in Transit Client > Application server Server > Non-browser components

Intrusion Detection If a pen tester is able to get into a system without being detected, then there is insufficient logging and monitoring in place.

Security Controls Security Logging Security logging: The security control that developers can use to log security information during the runtime operation of an application. Logging implementation Logging framework : SLF4J with Logback or Apache Log4j2. Use a standard logging approach to facilitate correlation and analysis.

The 6 Best Detection Point Types Good attack identifiers: 1. Authorisation failures 2. Authentication failures 3. Client-side input validation bypass 4. Whitelist input validation failures 5. Obvious code injection attack 6. High rate of function use Source: https://www.owasp.org/index.php/appsensor_detectionpoints

Intrusion Detection Points Examples Request Exceptions Application receives GET when expecting POST Additional form or URL parameters submitted with request Authentication Exceptions The user submits a POST request which only contains the username variable. The password variable has been removed. Additional variables received during an authentication request (like admin=true ') Input Exceptions Input validation failure on server despite client side validation Input validation failure on server side on non-user editable parameters (hidden fields, checkboxes, radio buttons, etc) Source: https://www.owasp.org/index.php/appsensor_detectionpoints

Vulnerable Components Using Software Components with Known Vulnerabilities

Root Cause Difficult to understand Easy to break Difficult to test Difficult to upgrade Increase technical debt

Third Party Components Age 45% of the third-party components are over 4 years old Source: Synopsys - State of Software Composition 2017

Components Examples Example of external components: Open source libraries - for example: a logging library APIs - for example: vendor APIs Libraries / packages by another team within same company

Example 1: Implement Logging Library Third-party - provides logging levels: FATAL, ERROR, WARN, INFO, DEBUG. We need only: DEBUG, WARN, INFO.

Simple Wrapper Helps to: Expose only the functionality required. Hide unwanted behaviour. Reduce the attack surface area. Update or replace libraries. Reduce the technical debt.

Example 2: Implement a payment gateway Scenario: Vendor APIs - like payment gateways Can have more than payment gateway one in application Require to be inter-changed

Adapter Design Pattern Converts from provided interface to the required interface. A single Adapter interface can work with many Adaptees. Easy to maintain.

Example 3: Implement a Single Sign-On Libraries / packages created by another team within same company Re-used by multiple applications Common practice in large companies

Façade Design Pattern Simplifies the interaction with a complex sub-system Make easier to use a poorly designed API It can hide away the details from the client. Reduces dependencies on the outside code.

Secure Software Starts from Design! Wrapper To expose only required functionality and hide unwanted behaviour. Adapter Pattern To convert from the required interface to provided interface Façade Pattern To simplify the interaction with a complex sub-system.

How often?

Rick Rescorla United States Army office of British origin Born in Hayle, Cornwall Director of Security for Morgan Stanley at WTC

Security Controls Recap

Security Controls Recap Log Exceptions Application Server Operating System Encode output Param Queries Software Application Mod Mod Mod Mod Mod Mod Param Queries Secure Date Key Management TLS Validate Input Harden XML Parser Encaps Library Mod Encode output TLS XML TLS

Get the Basics Right Most cyber threats are not that sophisticate actors will use simple tools and techniques if they work. Implementing basic cyber security practices remains the best way to tackle the majority of cyber threats. Source: Director of GCHQ CyberUK18

OWASP Snakes and Ladders https://www.owasp.org/images/0/08/owasp-snakesandladders-webapplications-en.pdf

Thank you very much

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback