Application security : going quicker
The web application firewall example

Agenda
o Intro
o Application security
o The dev team approach
o The infra team approach
o Impact of the agility
o The WAF
Intro Context : Who am I?
o A web application firewall friend
o A pentester
o A developer
o Responsible for the appsec and pentest department at Excellium
Intro Context : from the Verizon Data Breach report (figure)
While malware is more related to the users, the hacking side is more related to the servers.
Intro Context : it all begins here
Intro Context : Historical approach, the magic box theory (WAF)
Team : Infra
o Managed by the infrastructure team
o Not understanding HTTP
o Positive and negative security models
o Blocks 100% of the attacks (as the vendor said)
o Blocks more than 100% of the attacks in reality (false positives)
Intro Context : Historical approach, peer programming
Team : Dev
o Quality oriented
o Limited by the reviewer's knowledge
o Slow
Intro Context : Bug bounty programs
Team : Red team
o Microsoft : up to 100 k / bug
o Google : up to 100 k / bug
o Facebook : up to 15 k / bug
o Performed by security experts
o Only the visible surface
o No knowledge of the enterprise strengths/weaknesses
o How can the attacker be trusted or not?
Intro Context : Historical approach, SDLC enhancement
Team : Risk and Compliance
Application security costs (figure)
Intro Context : the beginning
Teams involved : Infrastructure, Production, Development, System, Testing, Architecture, GRC, Middleware, Business
How to protect : the enterprise view
o How to assess the security if the application changes continuously?
o How to stay within the budget?
o How to protect an application we don't know?
How to protect : the enterprise view
o SAST : code quality, injections, insecure crypto issues, libraries analysis, dynamic languages, dynamic frameworks
o DAST : vulnerability scanner, bad configuration checks, infrastructure checks, generic vulnerabilities
o WAF : rewriting engine, signatures, whitelist, virtual patching, infra
Application components (ordered by obfuscation level) : business logic, custom code, database, middlewares, frameworks and libraries, application containers, web/application servers, communication channel, network and security devices
How to protect : the dev view
SAST : code quality, injections, insecure crypto issues, libraries analysis, dynamic languages, dynamic frameworks
Frameworks : can the security tools automate the tests for each kind of stack, knowing that the frameworks are hiding the vulnerabilities (GWT, ...)?
How to protect : the dev view
How to protect : the dev view (SAST)
Pro :
o Automated
o Run for each change
o Quick
o Knowledge of the frameworks
o Integrated with the repository
Cons :
o Not fully security oriented
o Doesn't test the environment
o But slow if manual
o Not controlled by the security teams
How to protect : the infra view
WAF : rewriting engine, signatures, whitelist, virtual patching, infra
How to protect : the infra view
Web attack types (from OWASP), by component :
o Client side : XSS (reflective, persistent, DOM based), CSIT, Flash, Applets (HTML5 Web Sockets), Clickjacking
o Session side : Cookie fixation, Cookie stealing, Cookie guessing, CSRF, SOP bypass (HTML5)
o Server side : Fingerprinting, Exploit, Crawling, Path traversal, HTTP methods, File extension, HTTP splitting, HTTP smuggling, Error message
o Programming language side : Exploit, File inclusion, Variable control, Variable overwriting, Serialization, Error message
o Application side : Business logic, Privilege escalation, Replay, Buffer overflow, Authentication, Code injection, WSDL discovery, SOAP, XML DoS, Error message
o Data side : SQL injection, SQL wildcard, LDAP injection, XML injection, XPath injection, SMTP header injection, XXE
How to protect : the infra view
WAF capabilities : the same attack matrix (client, session, server, programming language, application and data side), highlighting what the WAF can cover (figure)
How to protect : the security team view (WAF)
Pro :
o Exhaustive (as a security component)
o Controlled by the security teams
o Good false positive tuning capabilities
o Protects the environment
Cons :
o No knowledge of the application changes
o Ruleset to maintain
o Not aware of the application business logic
o Not integrated with the repository
How to protect : the security team view
DAST : vulnerability scanner, bad configuration checks, infrastructure checks, generic vulnerabilities
How to protect : the security team view (DAST)
Pro :
o Automated
o Controlled by the security teams
o Quick
o Tests the environment
o Integrated with the repository
Cons :
o No knowledge of the application changes
o Lack of framework support (JavaScript)
o Not aware of the application business logic
o Limited to known vulnerability patterns
Before : the classic cycle
Design -> Implementation + Unit testing -> Integration testing -> Business testing -> External security audit -> Fix issues -> Go live
Security validation arrives only at the end!
SDLC enhancement
Design -> Design security review -> Risk analysis validation -> Implementation + Unit testing -> Security code and configuration review -> Fix issues -> Integration testing -> Internal security audit -> Fix issues -> Business testing -> Security audit -> Fix issues (only small issues here) -> Go live
o The audit validates the complete stack : can it be automated?
o What about the time for a vulnerability to be integrated in this cycle?
o Is it possible to follow the cycle for more than 16000 vulnerabilities per year?
SDLC enhancement : but the release has to be quicker, with more features and with fewer bugs
Design -> Design security review -> Risk analysis validation -> Implementation + Unit testing -> Security code and configuration review -> Fix issues -> Integration testing -> Internal security audit -> Fix issues -> Business testing -> Security audit -> Fix issues (only small issues here) -> Go live
Agility Impact
Release management in sprints implies doing these quicker :
o Patch management
o Risk analysis
o Security policy update/definition
o Roll-back capabilities
Agility Impact
What to fight against?
Step 1 : get a shell on the server
o CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
o CAPEC-88: OS Command Injection
Step 2 : retrieve exploit and tools
o CSC 5-1: No antivirus deployed
o CSC 11-7: Lack of filtering on the network/application firewalls
Step 3 : get admin credentials and maintain
o MS14-58: Vulnerabilities in Kernel-Mode Driver Allow Remote Code Execution
o Plaintext password stored in memory
o CSC 16-8: Weak or nonexistent password policy
o CWE-262: Not Using Password Aging (krbtgt account)
Application Security : secure software requirements
o Compliance : ISO 27001 security requirements
o Compliance with clients asking for security proofs
o Intrusion test results and postponed releases
o Data privacy
Agility Impact : what do we want?
o Continuous security tests -> the dev team knows how to automate
o Quick security policy update -> the dev team knows how to automate (continuous integration, devops)
o Quick release -> dev team problem!
o Fewer vulnerabilities -> the infrastructure team has the DAST tools
o Fewer false positives -> the security team knows the attacks
o Detect the vulnerabilities quicker -> the security team knows the attacks, the infrastructure team has the SAST tools
Can we automate?
o How to reduce the vulnerability window?
o Can we see the infrastructure as a software component of the application?
Kinds of security tests : static tests, dynamic tests, regression tests, WAF policy tests, behavior driven tests
We don't automate -> because -> we don't have time -> because -> (back to the start)
Security dev : Jenkins, SonarQube, IIS / Tomcat, OWASP ZAP, OWASP Dependency Check
Security infrastructure : EyeWAF
Visitor -> HTTP(s) -> WAF -> Application Server ; Tester -> Testing Server (diagram)
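The "WAF policy tests" from the list of test kinds and the Tester -> Testing Server leg of the EyeWAF diagram are the part most decks leave abstract, so here is an added example (not code from the slides and not EyeWAF's implementation) of what such a regression test looks like: a toy policy engine with both a positive (whitelist) and a negative (signature) model, run against a constructed corpus of legitimate and hostile requests. Every endpoint, rule, signature and request below is constructed for illustration; the three signatures are simplified placeholders, not a real ruleset. The suite's job is to report a rule change's false positives (the "more than 100%" problem) and false negatives before the policy goes live, and the run shows a first draft over-blocking a legitimate search term and a tuned draft passing.

```python
"""Added example: a toy WAF policy engine plus a regression suite for it.

Not the slides' code and not EyeWAF: the endpoints, rules, signatures and
requests below are constructed for illustration. The point is the harness,
which reports false positives (legitimate traffic blocked) and false
negatives (known attacks allowed) for a candidate policy.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl


@dataclass
class Request:
    """Simplified HTTP request: only what the policy inspects."""
    method: str
    path: str
    query: str = ""
    body: str = ""

    def params(self) -> dict:
        pairs = parse_qsl(self.query, keep_blank_values=True)
        pairs += parse_qsl(self.body, keep_blank_values=True)
        return dict(pairs)


# Negative model: generic signatures run on every parameter value.
# Deliberately simplified placeholders, not a production ruleset.
SIGNATURES = [
    ("sqli-tautology", re.compile(r'''(?i)['"]\s*(or|and)\s+\d+\s*=\s*\d+''')),
    ("xss-script-tag", re.compile(r"(?i)<\s*script")),
    ("path-traversal", re.compile(r"\.\./")),
]

# Positive model, first draft: allowed methods and parameter patterns per path.
POLICY_V1 = {
    "/login": {"methods": {"POST"},
               "params": {"user": r"[a-z0-9._-]{1,32}", "pass": r".{8,128}"}},
    "/search": {"methods": {"GET"}, "params": {"q": r"[\w .-]{0,64}"}},
}

# Tuned draft after the regression run: an apostrophe is a legitimate search character.
POLICY_V2 = {**POLICY_V1,
             "/search": {"methods": {"GET"}, "params": {"q": r"[\w .'-]{0,64}"}}}


def evaluate(whitelist: dict, request: Request) -> tuple:
    """Return ("allow", reason) or ("block", reason).

    Known paths get the positive model first (method, declared parameters,
    value patterns); every request then gets the negative model. Unknown
    paths rely on signatures alone, which is exactly where a WAF that knows
    nothing about the application is most likely to miss something.
    """
    params = request.params()
    rule = whitelist.get(request.path)
    if rule is not None:
        if request.method not in rule["methods"]:
            return "block", f"method {request.method} not allowed on {request.path}"
        for name, value in params.items():
            pattern = rule["params"].get(name)
            if pattern is None:
                return "block", f"undeclared parameter {name}"
            if re.fullmatch(pattern, value) is None:
                return "block", f"parameter {name} fails its whitelist pattern"
    for name, value in params.items():
        for sig_id, sig in SIGNATURES:
            if sig.search(value):
                return "block", f"signature {sig_id} matched on parameter {name}"
    return "allow", "no rule matched"


# Constructed regression corpus: (request, expected verdict).
CASES = [
    (Request("GET", "/search", query="q=web+application+firewall"), "allow"),
    (Request("POST", "/login", body="user=alice&pass=correct-horse-battery"), "allow"),
    (Request("GET", "/search", query="q=O%27Brien"), "allow"),      # apostrophe in a name
    (Request("GET", "/legacy/report", query="id=42"), "allow"),      # path unknown to the whitelist
    (Request("GET", "/search", query="q=%3Cscript%3Ealert(1)%3C/script%3E"), "block"),
    (Request("GET", "/login", query="user=alice"), "block"),         # wrong method
    (Request("POST", "/login", body="user=alice&pass=correct-horse-battery&role=admin"), "block"),
    (Request("GET", "/legacy/report", query="id=1%27%20or%201%3D1"), "block"),  # signatures only
]


def run_suite(whitelist: dict, cases: list) -> dict:
    """Run every case through the policy and sort the failures by kind."""
    report = {"passed": 0, "false_positives": [], "false_negatives": []}
    for request, expected in cases:
        verdict, reason = evaluate(whitelist, request)
        if verdict == expected:
            report["passed"] += 1
        elif verdict == "block":      # legitimate traffic blocked: the "more than 100%" problem
            report["false_positives"].append((request, reason))
        else:                         # known attack let through
            report["false_negatives"].append((request, reason))
    return report


if __name__ == "__main__":
    for name, policy in (("v1", POLICY_V1), ("v2", POLICY_V2)):
        report = run_suite(policy, CASES)
        print(f"policy {name}: {report['passed']}/{len(CASES)} passed, "
              f"{len(report['false_positives'])} false positive(s), "
              f"{len(report['false_negatives'])} false negative(s)")
        for request, reason in report["false_positives"]:
            print(f"  FP {request.method} {request.path}?{request.query}: {reason}")
```

Run as a script, the first policy draft passes 7 of 8 cases and reports one false positive (the search for O'Brien), the tuned draft passes all 8. The corpus is the artefact worth keeping in the repository: each false positive found in production becomes a new "allow" case and each blocked attack pattern a new "block" case, so a later rule change that reintroduces either fails the build instead of reaching the visitor side of the diagram.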
Agility Impact : can we imagine?
o The dev team handling the development and helping with the automation?
o The infrastructure team handling the infrastructure rules based on the other teams' input?
o The security team controlling what is done and creating the policies?
Excellium Services S.A. Thank you!