Web Applications (Part 2): The Hacker's New Target
AppScan Source Edition
Terence Chow, Advisory Technical Consultant, IBM Rational
An IBM Software Proof of Technology
Hacking 102: Integrating Web Application Security Testing into Development
How does Application Security Testing work?
- Explore the source code and/or the web site to detect its structure
- Identify vulnerabilities, ranked by severity, and show how each was identified
- Advanced remediation: fix recommendations and security enablement
Black-box (Discovering SQL Injection)
(slide diagram) ******
(slide diagram) SELECT * from tusers where userid= AND password= foobar
How BB Scanners Work
Stage 1: Crawling as an honest user
  http://mysite/
  http://mysite/login.jsp
  http://mysite/feedback.jsp
  http://mysite/editprofile.jsp
  http://mysite/logout.jsp
How BB Scanners Work
Stage 1: Crawling as an honest user
Stage 2: Testing by tampering requests
White-box (Discovering SQL Injection)

    //...
    String username = request.getParameter("username");   // Source: a method returning a tainted string
    String password = request.getParameter("password");
    //...
    String query = "SELECT * from tusers where " +
                   "userid='" + username + "' " +          // User can change the executed SQL commands
                   "AND password='" + password + "'";
    //...
    ResultSet rs = stmt.executeQuery(query);               // Sink: a potentially dangerous method

The trace the analyzer reports runs from the source, through the concatenated query, to the sink:

    String username = request.getParameter("username");
    String query = "SELECT " + username ...
    ResultSet rs = stmt.executeQuery(query);
A Common Fix (not always the best for SQL Injection)

    //...
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    //...
    String query = "SELECT * from tusers where " +
                   "userid='" + Encode(username) + "' " +
                   "AND password='" + Encode(password) + "'";
    //...
    ResultSet rs = stmt.executeQuery(query);

Sanitizer: a method returning a non-tainted string
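An added example, not from the deck or from AppScan itself: a toy taint analysis in Python that applies the source, sink and sanitizer rules of the last three slides to the login snippet and reports the trace from request.getParameter() to executeQuery(). The rule tables, the trace format and the treatment of Encode() as a trusted sanitizer are assumptions.

```python
# Added example (not AppScan's code): a toy taint analysis applying the slide's
# source / sink / sanitizer rules to straight-line Java statements.
import re

SOURCES = {"request.getParameter"}   # methods returning a tainted string
SINKS = {"stmt.executeQuery"}        # potentially dangerous methods
SANITIZERS = {"Encode"}              # methods returning a non-tainted string
ASSIGN = re.compile(r"^\s*(?:[\w<>\[\]]+\s+)?(\w+)\s*=\s*(.+);\s*$")
CALL = re.compile(r"([\w.]+)\(([^()]*)\)")
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")
SANITIZER_CALL = re.compile(r"\b(?:%s)\([^()]*\)" % "|".join(map(re.escape, SANITIZERS)))

def analyze(statements):
    """Return [(sink, trace)] for each sink call fed by tainted data; the trace
    lists the hops the taint took from the source to the sink's argument."""
    taint = {}      # variable name -> trace explaining why it is tainted
    findings = []
    for stmt in statements:
        m = ASSIGN.match(stmt)
        if m:
            var, rhs = m.group(1), re.sub(r'"[^"]*"', '""', m.group(2))
            trace = None
            for callee, _ in CALL.findall(rhs):
                if callee in SOURCES:              # a source taints the result
                    trace = ["%s() -> %s" % (callee, var)]
            # sanitizer calls are removed first, so their arguments do not propagate
            for ident in IDENT.findall(SANITIZER_CALL.sub("", rhs)):
                if ident in taint and trace is None:   # taint flows through assignment
                    trace = taint[ident] + ["%s -> %s" % (ident, var)]
            if trace:
                taint[var] = trace
            else:
                taint.pop(var, None)               # reassigned from clean data
        for callee, args in CALL.findall(stmt):
            if callee in SINKS:                    # tainted data reaching a sink
                for ident in IDENT.findall(args):
                    if ident in taint:
                        findings.append((callee, taint[ident]))
    return findings

# Constructed input: the slide's vulnerable login code, then the Encode() variant.
VULNERABLE = '''
String username = request.getParameter("username");
String password = request.getParameter("password");
String query = "SELECT * from tusers where " + "userid='" + username + "' " + "AND password='" + password + "'";
ResultSet rs = stmt.executeQuery(query);
'''.strip().splitlines()
ENCODED = [s.replace("+ username +", "+ Encode(username) +")
            .replace("+ password +", "+ Encode(password) +") for s in VULNERABLE]
```

Marking Encode() as a sanitizer silences the finding whether or not the encoding fits every SQL context, which is why the slide calls it a common fix rather than the best one; a PreparedStatement with bound parameters removes the string concatenation instead.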
BB vs. WB - Paradigm
BB: Cleverly guessing behaviors that may introduce vulnerabilities
WB: Examines an infinite number of behaviors in a finite approach
BB vs. WB - Perspective
BB
- Works as an attacker
- HTTP awareness only
- Works on the big picture
WB
- Resembles code auditing
- Inspects the small details
- Hard to connect the dots
(slide diagram: "SQL Injection Found")
BB vs. WB - Prerequisite
BB
- Any deployed application
- Easier to use in the testing stage, where code is often unavailable
WB
- Application code
- Can be used earlier during development, as soon as the application compiles
(slide diagram: Bank.war)
BB vs. WB - Development Effort
BB
- Oblivious to different languages, and to most server-side technology
- Affected by client-side technology
- Different communication protocols require attention
WB
- Different languages require support, as do some frameworks
- Less affected by client-side technology
- Oblivious to communication protocols
BB vs. WB - Time/Accuracy Tradeoffs
BB
- Crawling takes time
- Testing mutations takes (infinite) time
WB
- A refined model consumes space, and time
- Analyzing only the important code, approximating the rest
BB vs. WB - Accuracy Challenges
BB challenge: cover all attack vectors
WB challenge: eliminate non-exploitable issues
Black-box (Dynamic) Analysis
Examining a system or software with no prior knowledge of application assets
Strengths
- Testing real software allows for high confidence in findings
- No need for design specifications or source code
- Source code and environment agnostic
- Software is easily tested across a network
Challenges
- Impossible to determine code coverage
- Logical design flaws are easily missed
- Requires a deployed application
White-box (Static) Analysis
All relevant information is known and available to the tester:
- Source code
- Architectural design
Strengths
- Logical design flaws can be determined
- The entire attack surface can be examined
- Very effective at finding programming and implementation errors
Challenges
- Poor coding practices may result in a non-vulnerable finding (false positive)
- Access to source code is not always possible
- Some weaknesses are only exposed in deployment
- Software is not easily tested remotely
Automated vs. Manual Analysis
Automated
- Strengths: low cost, repeatable, scalable
- Weaknesses: missing human intelligence
Manual
- Weaknesses: high cost, dependent on ability, not scalable
- Strengths: human intelligence
IF time and cost were not a barrier to the organization, manual analysis would win out over automation every single time! Human intelligence cannot be automated. Automated tools allow you to find the low-hanging fruit and address the opportunistic vulnerabilities!
Security Analysis Techniques (slide diagram: techniques placed on a Black Box to White Box axis, split into Manual and Automated)
Manual
- Black box: Manual Proxy, Netcat
- White box: Threat Modelling, Architectural Analysis, Code Review
Automated
- Black box: Fuzzing Tools, Web App Scanners, Binary Analysis, Database Scanners
- White box: Source Code Scanners
Black-box Analysis, Composite Analysis, White-box Analysis (slide diagram)
Black-box Analysis
- Source free
- HTTP awareness only
- Multi-component support
- Requires a deployed application
- Few prerequisites
- Works as a remote attacker
White-box Analysis
- Limited to the given code
- Code coverage
- More than HTTP validations
- Supports partial applications
- Support per language/framework
- No need to deploy the application
- Over-approximation
- Integration/deployment issues
Composite Analysis (both combined)
- Accuracy
- Code/path coverage
Security Testing Technologies... Combination Delivers a Comprehensive Solution
Static Code Analysis = Whitebox: scanning source code for security issues
Dynamic Analysis = Blackbox: performing security analysis of a compiled application
(slide diagram: Static Analysis and Dynamic Analysis as overlapping sets within Total Potential Security Issues; their combination gives the best coverage)
Secure code development and vulnerability management: IBM Rational AppScan
- A market leader for Web application vulnerability scanning
  - A leader in numerous industry bake-offs
- Automatically scans Web applications for vulnerabilities
  - SQL Injection
  - Cross-site Scripting
- Provides clear recommendations on how to remediate identified vulnerabilities
- Scans Web sites for embedded malware
  - Protect your Web site from distributing the next Conficker to every Web site visitor
  - Powered by the IBM Internet Security Systems X-Force malware prevention system
IBM Rational AppScan Ecosystem (slide diagram)
CODE: Build security testing into the IDE*
- AppScan Source Ed for Developer / Remediation, Rational Application Developer, Rational Software Analyzer
BUILD: Automate security / compliance testing in the build process
- AppScan Source Ed for Automation (scanning agent), Rational ClearCase, Rational Build Forge
QA: Security / compliance testing incorporated into testing & remediation workflows
- AppScan Tester Ed (QA clients), AppScan Ent. QuickScan (web client), Rational Quality Manager
SECURITY: Security & compliance testing, oversight, control, policy, audits
- AppScan Source Ed for Security, AppScan Standard Ed (desktop), AppScan Enterprise user (web client)
Shared: AppScan Enterprise / Reporting Console / Source Ed Core; Rational ClearQuest / Issue Management; IBM Rational Web Based Training for AppScan
AppScan Source Ed User Components
AppScan Source Edition for Security
- Required in every deployment
- The security auditor/analyst is the primary user; can be used/deployed by anyone (i.e. development leads)
- Requires a connection to a Core
- Available as Authorized User only
AppScan Source Edition for Developer
- IDE deployment: Eclipse versions 3.2, 3.3, and 3.4; IBM Rational Application Developer V7.0 and V7.5; Visual Studio.NET 2003, 2005, and 2008
- Supported project files: Visual Studio.NET 2003, Visual Studio 2005, Visual Studio 2008, WebSphere Studio Application Developer 5.1, Eclipse 3.1, 3.2, 3.3, IBM Rational Application Developer V6.0 and V7.0
- Requires a connection to a Core
AppScan Source Edition for Remediation
- Same plug-in as AppScan Source Edition for Developer, except no ability to scan
Bug in APIs marked both Source, Tainted Callback
Type II No Trace: Where's the source?
Profiling for Sources
- Evaluating technologies in use
- APIs are marked as technologies
- Controlled by custom rules
- Enumerated in SmartAudit
(slide screenshot: 36 email API usages (no trace info); 242 SOAP API usages (no trace info))
Profiling Gives You Knowledge to Ask Questions
- Identifying critical assets
- Highlights usage in code
- Why is there an email interface?
- Why is the application opening a socket?
AppScan Source Edition Reporting
- Integration with AppScan Enterprise / AppScan Reporting Console
- An add-on allows import of results from AppScan Source Ed
- Provides a centralized security dashboard & trend reporting engine for blackbox and whitebox results
- Reporting Console reporting requirements are to be routed to either offering
- Clicking on the matrix cells changes the results list below
(slide diagram: AppScan Enterprise / Reporting Console; AppScan Source Ed for Developer / Remediation; AppScan Source Ed for Security)
Basic Operational Responsibilities
- Set security requirements: a manager or security expert defines vulnerabilities and how to judge criticality
- Configure: use the Project Configuration Wizard to get set up to scan your applications
- Scan: scan large code bases and return results. Ounce's unique security compiler technology handles code complexity and size with maximum efficiency
- Triage: separate real vulnerabilities from potential ones, allowing triage of critical issues to begin immediately
- Resolve: eliminate vulnerabilities by rewriting code, removing flaws, or adding security functions
- Verify fixes: rescan the code to assure that vulnerabilities are eliminated
Rational AppScan Source Ed Deployment Overview (slide diagram)
- Build: Rational AppScan Source for Automation
- Development: Rational AppScan Source Ed for Developer or for Remediation
- Security: Rational AppScan Source Ed for Security
- Functions: Rational AppScan Source Ed Core
Enabling security testing across the SDLC (slide diagram)
CODE: Build security testing into the IDE*
- AppScan Developer Ed (desktop), Rational Application Developer, Rational Software Analyzer
BUILD: Automate security / compliance testing in the build process
- AppScan Build Ed (scanning agent), Rational ClearCase, Rational BuildForge
QA: Security / compliance testing incorporated into testing and remediation workflows
- AppScan Tester Ed (scanning agent, QA clients), AppScan Ent. QuickScan (Web client), Rational Quality Manager
SECURITY: Security and compliance testing, oversight, control, policy, audits
- AppScan Standard Ed (desktop), AppScan Express (desktop), AppScan Enterprise user (Web client)
Shared: AppScan Enterprise / Reporting Console; Rational ClearQuest / Defect Management; IBM Rational Web Based Training for AppScan
Deployment and workflow should support your needs
Managers
- Define security requirements
- Track development progress, review vulnerability data, and monitor remediation results
Security Analysis Team
- Configure the scanner for build integration
- Retrieve code for analysis
- Scan the entire application
- Triage results
- Assign vulnerabilities to developers
Developers
- Perform necessary remediation
- Check in code
AppScan Source Edition Workflow (slide diagram)
- Configure / On-board: Security Analyst
- Scan: Security Analyst, Reporting Console, Automation Server, or Developer Plug-in
- Publish: Security Analyst
- Triage: Security Analyst
- Assign: Security Analyst
- Remediate: Security Analyst or Developer Plug-in
Flexible Deployment (slide diagram)
- Build: Rational AppScan Source for Automation, Standard Ed
- QA: Rational AppScan Tester Ed for RQM
- Development: Rational AppScan Source Ed Developer, Source Ed Remediation, Enterprise QuickScan
- Functions: Rational AppScan Source Ed Core, Rational AppScan Enterprise portal
- Security / Compliance: Rational AppScan Standard Ed, Source Ed for Security
Rational ALM Integrations (slide diagram)
- Build (Build Forge): Rational AppScan Source for Automation, Standard Ed
- QA (Quality Manager): Rational AppScan Tester Ed for RQM
- Development (Application Developer): Rational AppScan Source Ed Developer, Source Ed Remediation, Enterprise QuickScan
- Functions: Rational AppScan Source Ed Core, Rational AppScan Enterprise portal
- Security / Compliance (ClearQuest): Rational AppScan Standard Ed, Source Ed for Security
AppScan Source Edition serves many stakeholders
- Insight & assessment, with trend analysis
- Supports standards compliance
- Rapid prioritization of threats, full coverage of all assets
- Simplified analysis customization, provides guidance & confidence
- Focus on highest-severity threats
- Distributed reporting & annotated aggregation of results
- Profiles risk in IT- and Audit-oriented terms
- Audit-centric reports
- Provides critical metrics (Vdensity) to prioritize & track remediation
- Accepts bundled and annotated results from security analysts
- Provides full diagnostic capability on developer desktops
- Simplifies security remediation through an extensive knowledgebase