Application security : going quicker


Transcription:

Application security : going quicker The web application firewall example Agenda

Agenda o Intro o Application security o The dev team approach o The infra team approach o Impact of the agility o The WAF

Intro Context Who am I? A web application firewall friend, a pentester, a developer. Responsible for the appsec and pentest department at Excellium

Intro Context From the Verizon DataBreach report

Intro Context While malware is more related to the users, the hacking side is more related to the servers

Intro Context : all begin here

Intro Context Historical approach : the magic box theory (WAF). Team : Infra. Managed by the infrastructure team, which does not understand HTTP. Positive and negative security models. Blocks 100% of the attacks (as the vendor said); blocks more than 100% of the attacks in reality

Intro Context Historical approach : peer programming. Team : Dev. Quality oriented. Limited by the reviewer's knowledge. Slow

Intro Context Bug bounty programs. Team : Red team. Microsoft : up to 100 k / bug; Y Google : up to 100 k / bug; Facebook : up to 15 k / bug. Performed by security experts. Only the visible surface. No knowledge of the enterprise strengths/weaknesses. How can the attacker be trusted or not?

Intro Context Historical approach : SDLC enhancement Team : Risk and Compliance

Application Security costs

Intro Context : all begin here

Intro Context : the beginning. Infrastructure team, Production team, Development team, System team, Testing team, Architecture team, GRC team, Middleware team, Business team


Agenda o Intro o Application security o The dev team approach o The infra team approach o Impact of the agility o The WAF

How to protect : the enterprise view. How to assess the security if the application changes continuously? How to stay within the budget? How to protect an application we don't know?

How to protect : the enterprise view.
SAST : code quality, injections, insecure crypto issues, libraries analysis, dynamic languages, dynamic frameworks.
DAST : vulnerability scanner, bad configuration checks, infrastructure checks, generic vulnerabilities.
WAF : rewriting engine, signatures, whitelist, virtual patching, infra.

How to protect : the enterprise view. Application components, by obfuscation level : business logic, custom code, database, middlewares, frameworks and libraries, application containers, web/application servers, communication channel, network and security devices

Agenda o Intro o Application security o The dev team approach o The infra team approach o Impact of the agility o The WAF

How to protect : the dev view. SAST : code quality, injections, insecure crypto issues, libraries analysis, dynamic languages, dynamic frameworks

Frameworks : can the security tools automate the tests for each kind of stack, knowing that the frameworks are hiding the vulnerabilities (GWT...)?

How to protect : the dev view


How to protect : the dev view.
Pros : automated; run for each change; quick; knowledge of the frameworks; integrated with the repository.
Cons : not fully security oriented; doesn't test the environment; slow if manual; not controlled by the security teams.

Agenda o Intro o Application security o The dev team approach o The infra team approach o Impact of the agility o The WAF

How to protect : the infra view. WAF : rewriting engine, signatures, whitelist, virtual patching, infra

How to protect : the infra view. Web attack types (from OWASP) :
Client side : XSS (reflective, persistent, DOM based), CSIT, Flash, Applets (HTML5 Web Sockets), Clickjacking
Session side : Cookie fixation, Cookie stealing, Cookie guessing, CSRF, SOP bypass (HTML5)
Server side : Fingerprinting, Exploit, Crawling, Path traversal, HTTP methods, File extension, HTTP splitting, HTTP smuggling, Error message
Programming language side : Exploit, File inclusion, Variable control, Variable overwriting, Serialization, Error message
Application side : Business logic, Privilege escalation, Replay, Buffer overflow, Authentication, Code injection, WSDL discovery, SOAP, XML DoS, Error message
Data side : SQL injection, SQL wildcard, LDAP injection, XML injection, XPath injection, SMTP header injection, XXE

How to protect : the infra view. WAF capabilities, mapped on the same attack types :
Client side : XSS (reflective, persistent, DOM based), CSIT, Flash, Applets (HTML5 Web Sockets), Clickjacking
Session side : Cookie fixation, Cookie stealing, Cookie guessing, CSRF, SOP bypass (HTML5)
Server side : Fingerprinting, Exploit, Crawling, Path traversal, HTTP methods, File extension, HTTP splitting, HTTP smuggling, Error message
Programming language side : Exploit, File inclusion, Variable control, Variable overwriting, Serialization, Error message
Application side : Business logic, Privilege escalation, Replay, Buffer overflow, Authentication, Code injection, WSDL discovery, SOAP, XML DoS, Error message
Data side : SQL injection, SQL wildcard, LDAP injection, XML injection, XPath injection, SMTP header injection, XXE


How to protect : the security team view (WAF).
Pros : exhaustive (as a security component); controlled by the security teams; good false positive tuning capabilities; protects the environment.
Cons : no knowledge of the application changes; ruleset to maintain; not aware of the application business logic; not integrated with the repository.

How to protect : the security team view. DAST : vulnerability scanner, bad configuration checks, infrastructure checks, generic vulnerabilities

How to protect : the dev view

How to protect : the security team view (DAST).
Pros : automated; controlled by the security teams; quick; tests the environment; integrated with the repository.
Cons : no knowledge of the application changes; lack of framework support (JavaScript); not aware of the application business logic; limited to known vulnerability patterns.

Agenda o Intro o Application security o The dev team approach o The infra team approach o Impact of the agility o The WAF

Before : Design -> Implementation + Unit testing -> Integration testing -> Business testing -> External security audit -> Fix issues -> Go live. Security validation arrives only at the end!

SDLC enhancement : Design -> Design security review -> Risk analysis validation -> Implementation + Unit testing -> Security code and configuration review -> Fix issues -> Integration testing -> Internal security audit -> Fix issues -> Business testing -> Security audit -> Fix issues (only small issues here) -> Go live.
The audit validates the complete stack; can it be automated? What about the time for a vulnerability to be integrated in this cycle? Is it possible to follow the cycle for more than 16000 vulnerabilities per year?

SDLC enhancement : the same cycle (design security review, risk analysis validation, security code and configuration review, internal security audit, security audit, fix issues at each step, go live), but the release has to be quicker, with more features and with fewer bugs.

Agility Impact. Release management as sprints implies quicker : patch management, risk analysis, security policy update/definition, roll back capabilities

Agility Impact

What to fight against?
Step 1, get shell on the server : CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'); CAPEC-88 OS Command Injection.
Step 2, retrieve exploit and tools : CSC 5-1 No antivirus deployed; CSC 11-7 Lack of filtering on the network/application firewalls.
Step 3, get admin credentials and maintain : MS14-58 Vulnerabilities in Kernel-Mode Driver Allow Remote Code Execution; plaintext password stored in memory; CSC 16-8 Weak or nonexistent password policy; CWE-262 Not Using Password Aging (krbtgt account).

Agenda o Intro o Application security o The dev team approach o The infra team approach o Impact of the agility o The WAF

Application Security. Secure software requirements : compliance (ISO 27001), security requirements, compliance with clients asking for security proofs, intrusion test results and postponed releases, data privacy

Agility Impact. What do we want? Continuous security tests, quick security policy updates, quick releases, fewer vulnerabilities, fewer false positives, detect the vulnerabilities quicker


Agility Impact. What do we want, and who has the means?
Continuous security tests -> the dev team knows how to automate
Quick security policy updates -> the dev team knows how to automate (devops, continuous integration)
Quick releases -> the dev team
Fewer vulnerabilities -> the infrastructure team has the DAST tools
Fewer false positives -> the security team knows the attacks
Detect the vulnerabilities quicker -> the security team knows the attacks, the infrastructure team has the SAST tools

Can we automate? How to reduce the vulnerability window? Can we see the infrastructure as a software component of the application?
Kinds of security tests : static tests, dynamic tests, regression tests, WAF policy tests, behavior driven tests.
We don't automate because we don't have time.


Security dev : Jenkins, SonarQube, IIS / Tomcat, OWASP ZAP, OWASP Dependency Check
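The dev-side chain above (Jenkins running SonarQube, ZAP and Dependency Check) only gives "continuous security tests" if the scanner output actually gates the build. The following is an added example, not code from the deck or from any of those tools: a small gate that reads an OWASP Dependency Check JSON report and fails the Jenkins job when a dependency carries a CVE at or above a CVSS threshold. It assumes the report fields it reads ("dependencies", "fileName", "vulnerabilities", "name", "severity", "cvssv3"/"cvssv2" with a score) match the Dependency Check JSON schema; verify them against the report your version emits. The embedded report and its CVE ids are constructed placeholders so the script runs offline.

```python
"""Added example: CI gate over an OWASP Dependency Check JSON report.

Assumptions: field names follow the Dependency Check JSON schema as known
to the author of this example (check against your report); the sample
report below is constructed, with placeholder CVE ids, not real findings."""
import json
import sys

FAIL_ON_CVSS = 7.0  # HIGH and CRITICAL fail the build; lower scores are reported only

# Constructed sample report (placeholder ids, not real CVEs).
SAMPLE_REPORT = json.loads("""
{
  "dependencies": [
    {"fileName": "example-lib-1.2.3.jar",
     "vulnerabilities": [
       {"name": "CVE-0000-0001", "severity": "CRITICAL",
        "cvssv3": {"baseScore": 9.8}},
       {"name": "CVE-0000-0002", "severity": "MEDIUM",
        "cvssv3": {"baseScore": 5.3}}]},
    {"fileName": "legacy-parser-0.9.jar",
     "vulnerabilities": [
       {"name": "CVE-0000-0003", "severity": "HIGH",
        "cvssv2": {"score": 7.5}}]},
    {"fileName": "clean-util-2.0.jar"}
  ]
}
""")


def score_of(vuln):
    """CVSS base score of one finding: prefer v3, fall back to v2, else 0.0."""
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    if "score" in v2:
        return float(v2["score"])
    return 0.0


def collect_findings(report):
    """Flatten the report into (score, cve, dependency) tuples, highest score first."""
    findings = []
    for dep in report.get("dependencies", []):
        # a dependency without findings has no "vulnerabilities" key (or null)
        for vuln in dep.get("vulnerabilities") or []:
            findings.append((score_of(vuln), vuln["name"], dep["fileName"]))
    return sorted(findings, reverse=True)


def blocking_findings(report, threshold=FAIL_ON_CVSS, suppressed=frozenset()):
    """Findings that must fail the build: score >= threshold and not in the
    suppression set (a reviewed, accepted risk; a simplified stand-in for
    Dependency Check's suppression file, keyed by CVE id only)."""
    return [f for f in collect_findings(report)
            if f[0] >= threshold and f[1] not in suppressed]


def build_should_fail(report, **kw):
    return bool(blocking_findings(report, **kw))


if __name__ == "__main__":
    # Usage: python dc_gate.py dependency-check-report.json   (exit 1 = fail build)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    for score, cve, dep in collect_findings(report):
        print(f"{score:4.1f}  {cve:14}  {dep}")
    sys.exit(1 if build_should_fail(report) else 0)
```

Run as a Jenkins step right after the Dependency Check stage; a non-zero exit fails the job, which is the "run for each change" property of the dev view. The suppression set is where the security team's accepted-risk decisions live, so that the gate stays under their control rather than being silently lowered in the pipeline.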

Security infrastructure : EyeWAF. Visitor -> HTTP(s) -> WAF -> Application server, with a testing server and a tester exercising the WAF
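The "WAF policy tests" listed among the test kinds, and the tester / testing server sitting beside the WAF in the EyeWAF layout, both come down to one thing: a fixed corpus of requests, each labelled with the verdict the policy must give, replayed after every ruleset change. The following is an added example, not code from the deck or from EyeWAF: waf_decide() is a hypothetical, deliberately tiny stand-in for a real ruleset (three regex signatures plus a parameter whitelist), and the corpus is constructed. Against a real WAF the same corpus would be sent over HTTP from the testing server and the verdict read from the response status; the reporting of false negatives (attacks let through) and false positives (legitimate traffic blocked) is unchanged.

```python
"""Added example: regression harness for a WAF policy.

Assumptions: waf_decide() is a hypothetical toy policy, not a real WAF
ruleset; the request corpus is constructed and includes two cases chosen
to expose policy gaps (one missed attack, one over-blocked request)."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, unquote, urlsplit

# Hypothetical signatures: rule id -> pattern applied to each decoded value.
SIGNATURES = {
    "sqli-1": re.compile(r"\bunion\b.+\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I),
    "xss-1": re.compile(r"<\s*script|javascript:|on\w+\s*=", re.I),
    "traversal-1": re.compile(r"\.\./|\.\.\\"),
}
# Whitelist: (path, parameter) pairs whose value skips signature matching,
# e.g. a rich-text editor field.  This is the slide's "whitelist" capability.
WHITELIST = {("/blog/post", "body")}


@dataclass
class Case:
    url: str
    expect_block: bool   # verdict the policy is required to give
    label: str


def waf_decide(url):
    """Return (blocked, rule_id) for one request URL under the toy policy."""
    parts = urlsplit(url)
    if SIGNATURES["traversal-1"].search(unquote(parts.path)):
        return True, "traversal-1"
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if (parts.path, name) in WHITELIST:
            continue
        for rule_id, pattern in SIGNATURES.items():
            if pattern.search(value):
                return True, rule_id
    return False, None


# Constructed regression corpus: attacks that must be blocked and legitimate
# traffic that must pass.  Labels identify the case in the report.
CORPUS = [
    Case("/search?q=' OR '1'='1", True, "sqli-quoted"),
    Case("/search?q=1 OR 1=1", True, "sqli-no-quotes"),          # ruleset gap: no quote
    Case("/search?q=<script>alert(1)</script>", True, "xss-script-tag"),
    Case("/download?file=../../config.ini", True, "traversal-param"),
    Case("/../admin", True, "traversal-path"),
    Case("/search?q=select a shirt", False, "search-plain"),
    Case("/search?q=onboarding = 1", False, "search-onboarding"),  # looks like an on*= handler
    Case("/blog/post?title=Hello&body=Use <script> tags sparingly", False, "whitelisted-body"),
]


def run_policy_tests(cases, decide=waf_decide):
    """Replay the corpus; return the mismatches between expected and actual
    verdicts.  Empty lists mean the policy passes regression."""
    false_negatives, false_positives = [], []
    for case in cases:
        blocked, rule = decide(case.url)
        if case.expect_block and not blocked:
            false_negatives.append(case.label)
        elif blocked and not case.expect_block:
            false_positives.append((case.label, rule))
    return {"fn": false_negatives, "fp": false_positives}


def policy_passes(cases, decide=waf_decide):
    result = run_policy_tests(cases, decide)
    return not result["fn"] and not result["fp"]


if __name__ == "__main__":
    outcome = run_policy_tests(CORPUS)
    print("attacks let through :", outcome["fn"])
    print("legitimate blocked  :", outcome["fp"])
```

The two deliberately failing cases show why both lists matter: the unquoted injection is a false negative the security team (who know the attacks) would add a signature for, and the blocked "onboarding = 1" search is the kind of false positive the infrastructure team tunes away, and the whitelist entry records where free text is accepted on purpose. Keeping the corpus in the repository and running it on every policy change is what turns the WAF from a "magic box" into a component with a test suite.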

Agility Impact. Can we imagine? The dev team handling the development and helping with the automation; the infrastructure team handling the infrastructure rules based on the other teams' input; the security team controlling what is done and creating the policies

Agility Impact


Excellium Services S.A. Thank you!