Application Security…What’s that? An Introduction to application security Level 101
What is AppSec (application security)? Application security encompasses measures taken throughout the application's life-cycle to prevent exceptions in the security policy of an application or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application. (Wikipedia)
What is AppSec? • Wait, what does “application” mean? • AppSec and My InfoSec program • Application security is only one part of a complete information security program • Successful InfoSec programs have “buy-in” from all levels of the organization • Application security has a higher importance within an InfoSec program due to exposure • This requires a focus on “real world” testing • Pen Testing
What is AppSec? • What is a penetration test? • A penetration test, occasionally pentest, is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders (who do not have an authorized means of accessing the organization's systems) and malicious insiders (who have some level of authorized access). The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, both known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities. (Wikipedia)
What is AppSec? • Penetration tests are valuable for several reasons: • Determining the feasibility of a particular set of attack vectors • Identifying higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence • Identifying vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software
What is AppSec? • Penetration tests are valuable for several reasons: • Assessing the magnitude of potential business and operational impacts of successful attacks • Testing the ability of network defenders to successfully detect and respond to the attacks • Providing evidence to support increased investments in security personnel and technology
What is AppSec? • Testing Types • White Box Testing • In penetration testing, white-box testing refers to a methodology where an ethical hacker has full knowledge of the system being attacked. The goal of a white-box penetration test is to simulate a malicious insider who has some knowledge and possibly basic credentials to the target system. • Black Box Testing • In penetration testing, black-box testing refers to a methodology where an ethical hacker has no knowledge of the system being attacked. The goal of a black-box penetration test is to simulate an external hacking or cyber warfare attack.
What is AppSec? • Network security defects • Secured by firewalls and IDSs • Server security defects • Secured by access controls, firewalls, IDSs, patch management • Application and web services security defects • Ref: OWASP Top 10 • The applications are the most easily exploitable conduit to the data • Diagram labels: CSRF, Malware, Source Disclosure, SQL Injection, Session Hijacking, Unauthorized Access, Cross-Site Scripting, Code Injection
What is AppSec? • Who are my enemies? • Hackers • Insider Attacks • Script Kiddies • Hacktivists
What is AppSec? • Hackers • White Hat • A "white hat hacker" (also known as an ethical hacker) breaks security for non-malicious reasons, perhaps to test their own security system or while working for a security company which makes security software. • Black Hat • A "black hat hacker" (also known as a cracker) is a hacker who violates computer security with malicious intent or for personal gain (Moore, 2005).
What is AppSec? • Insider Threats • Disgruntled Employees • Corporate Espionage • Internal threats include any harmful actions with data that violate at least one of the fundamental principles of information security (integrity, availability, and confidentiality) and originate from within a company’s information system.
What is AppSec? • Script Kiddies • A "script kiddie" (aka skiddie) is a person who breaks into computer systems using automated tools with no understanding or care of how they work. • Hacktivist • A hacktivist is a hacker, regardless of classification, who utilizes technology to announce a social, ideological, religious, or political message.
What is AppSec? • Key Terms • Vulnerability • Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
What is AppSec? • Key Terms • Threat • Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
What is AppSec? • Key Terms • Risk • The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.
What is AppSec? • Key Terms • APT • An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization. APT attacks target organizations in sectors with high-value information, such as national defense, manufacturing and the financial industry.
What is AppSec? • What are the most likely threats facing my AppSec Program? • Cross-Site Scripting (XSS) • SQL Injection (SQLi) • Weak Authentication • Secure Session Vulnerabilities • Secure Transmission Vulnerabilities • Privilege Escalation • Information Leakage and Improper Error Handling
What is AppSec? • Cross-Site Scripting (XSS) • Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. • Persistent VS. Reflected
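The reflected and persistent variants named on this slide, side by side with the output-encoding fix, as an added Python example (not code from the presentation). The probe string, the search page and the guestbook are constructed for the demo; the point is that encoding happens at output time, which is why the stored entry is kept verbatim:

```python
import html

# Constructed probe string of the kind used when testing for XSS; not taken from the slides.
SAMPLE_INPUT = '<script>alert(1)</script>'


def search_page_vulnerable(query: str) -> str:
    """Reflected: the request parameter goes straight back into the page, unencoded."""
    return f"<h1>Results for {query}</h1>"


def search_page_fixed(query: str) -> str:
    """Reflected, fixed: HTML-encode at output time so the browser sees text, not markup."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


class Guestbook:
    """Persistent: input is stored once and served to every later visitor."""

    def __init__(self):
        self._entries = []  # stored exactly as submitted; encoding belongs at output, not at storage

    def post(self, text: str) -> None:
        self._entries.append(text)

    def render_vulnerable(self) -> str:
        return "<ul>" + "".join(f"<li>{e}</li>" for e in self._entries) + "</ul>"

    def render_fixed(self) -> str:
        return "<ul>" + "".join(f"<li>{html.escape(e, quote=True)}</li>" for e in self._entries) + "</ul>"


def hands_browser_a_script(page: str) -> bool:
    """Demo check: would the browser parse a <script> element out of this markup?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(search_page_vulnerable(SAMPLE_INPUT))
    print(search_page_fixed(SAMPLE_INPUT))
    g = Guestbook()
    g.post("nice site")
    g.post(SAMPLE_INPUT)
    print(g.render_fixed())
```

The same encoding rule applies wherever user text lands; `html.escape` is right for element content and attribute values, while JavaScript string contexts or URLs need their own encoders.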
What is AppSec? • SQL Injection • A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. • A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system.
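The injection described above, shown against an in-memory SQLite table next to the parameterized query that prevents it. This is an added Python example, not code from the presentation; the `users` table and the tautology input are constructed for the demo:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for an application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The client-supplied value is pasted into the SQL text, so a quote inside it ends the
    # literal and whatever follows becomes part of the query.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # The value is bound as a parameter; the driver never interprets it as SQL.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed input: a closing quote plus an always-true condition, the textbook shape of the attack.
TAUTOLOGY_INPUT = "x' OR '1'='1"


def demo() -> dict:
    """Row counts returned for the same input by the two query styles."""
    conn = make_db()
    return {
        "vulnerable": len(find_user_vulnerable(conn, TAUTOLOGY_INPUT)),
        "parameterized": len(find_user_parameterized(conn, TAUTOLOGY_INPUT)),
        "legitimate": len(find_user_parameterized(conn, "bob")),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable version returns every row because the WHERE clause has become `username = 'x' OR '1'='1'`; the parameterized version looks for a user literally named `x' OR '1'='1` and finds none. Least-privilege database accounts limit what a successful injection can reach, but parameterization is what removes the injection itself.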
What is AppSec? • Weak Authentication Vulnerabilities • Weak Passwords • User Enumeration • Lack of Account Lockout • Password Reset Vulnerabilities
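A login routine that addresses three of the four weaknesses listed (user enumeration, missing lockout, and password storage that makes weak passwords cheap to recover), as an added Python example that is not part of the presentation. The threshold, lock duration and the generic failure message are assumed values; the store is constructed in memory:

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

GENERIC_FAILURE = "Invalid username or password"  # one message for every failure cause (assumed wording)
LOCKOUT_THRESHOLD = 5                              # failed attempts before the account locks (assumed)
LOCKOUT_SECONDS = 15 * 60                          # how long the lock lasts (assumed)


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow hash so a leaked table does not hand over the passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class UserStore:
    def __init__(self):
        self._users = {}     # username -> (salt, hash)
        self._failures = {}  # username -> (count, window_start)
        # Dummy credential so an unknown username still costs one hash computation:
        # response time then does not reveal whether the account exists.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash_password(secrets.token_hex(16), self._dummy_salt)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def is_locked(self, username: str, now: float) -> bool:
        count, start = self._failures.get(username, (0, now))
        return count >= LOCKOUT_THRESHOLD and now - start < LOCKOUT_SECONDS

    def login(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Returns "OK" or GENERIC_FAILURE. Unknown user, wrong password and locked
        account all produce the same text and the same amount of work."""
        now = time.time() if now is None else now
        salt, expected = self._users.get(username, (self._dummy_salt, self._dummy_hash))
        # Constant-time comparison; the membership check keeps a dummy match from ever succeeding.
        matched = hmac.compare_digest(_hash_password(password, salt), expected) and username in self._users
        if matched and not self.is_locked(username, now):
            self._failures.pop(username, None)
            return "OK"
        count, start = self._failures.get(username, (0, now))
        if now - start >= LOCKOUT_SECONDS:  # previous window expired: start counting afresh
            count, start = 0, now
        self._failures[username] = (count + 1, start)
        return GENERIC_FAILURE


if __name__ == "__main__":
    store = UserStore()
    store.add_user("alice", "correct horse battery")
    print(store.login("alice", "wrong"))
    print(store.login("nobody", "wrong"))
    print(store.login("alice", "correct horse battery"))
```

Note the trade-off a per-username lockout introduces: anyone who knows a username can lock that account. Shorter locks, per-source throttling or a CAPTCHA step are the usual ways to keep the brute-force protection without turning it into a denial of service, and password reset flows need the same enumeration-resistant wording as login.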
What is AppSec? • Secure Session Vulnerabilities • Session Poisoning • A method to exploit insufficient input validation within a server application • Session Fixation • An attack that permits an attacker to hijack a valid user session • Persistent Cookies • Remain on your hard drive until you erase them or they expire • Stored with your browser when you click the "remember me" button on the login form
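Session fixation and the hijack it enables, next to the standard fix of issuing a new identifier at login, as an added Python example (not the presentation's code). The session store, its lifetime and the cookie name `sessionid` are assumptions; the cookie attributes shown are the ones that keep the id away from page scripts and off cleartext connections:

```python
import secrets
import time

SESSION_TTL = 30 * 60  # absolute session lifetime in seconds (assumed value)


class SessionManager:
    def __init__(self):
        self._sessions = {}  # session id -> {"user": str or None, "created": float}

    def _new_id(self) -> str:
        return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a counter or timestamp

    def start(self, now: float) -> str:
        """Anonymous pre-login session (cart contents, language choice)."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "created": now}
        return sid

    def login_vulnerable(self, sid: str, username: str):
        """Keeps whatever id the client presented and merely marks it authenticated.
        Anyone who planted or learned that id beforehand now holds a logged-in session."""
        if sid not in self._sessions:
            return None
        self._sessions[sid]["user"] = username
        return sid

    def login_fixed(self, sid: str, username: str, now: float) -> str:
        """Discards the pre-authentication id and issues a fresh one at login."""
        self._sessions.pop(sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": username, "created": now}
        return new_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)  # invalidate server-side, not just delete the cookie

    def user_for(self, sid: str, now: float):
        """Resolve a presented id to a user, expiring sessions past SESSION_TTL."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["created"] > SESSION_TTL:
            self._sessions.pop(sid, None)
            return None
        return s["user"]


def session_cookie_header(sid: str) -> str:
    """Cookie attributes for the session id (assumed cookie name 'sessionid'):
    HttpOnly keeps it away from page scripts, Secure keeps it off cleartext HTTP, and
    omitting Expires/Max-Age makes it a session cookie rather than a persistent one."""
    return f"Set-Cookie: sessionid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    m = SessionManager()
    planted = m.start(now=0.0)
    fresh = m.login_fixed(planted, "wendy", now=1.0)
    print(m.user_for(planted, now=2.0), m.user_for(fresh, now=2.0))
    print(session_cookie_header(fresh))
```

A "remember me" feature should be a separate long-lived token that re-establishes a session, not the session id itself written into a persistent cookie.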
What is AppSec? • Insecure Communication • Login Forms without SSL Encryption • Old or Outdated Algorithm Use • Backend Host Communication • Failure to encrypt sensitive communications means that an attacker who can sniff traffic from the network will be able to access the conversation, including any credentials or sensitive information transmitted
What is AppSec? • Privilege Escalation • Occurs when a user gets access to more resources or functionality than they are normally allowed, and such elevation/changes should have been prevented by the application
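Two shapes the escalation above takes in web applications, horizontal (reading another user's record by changing an identifier) and vertical (acquiring a role the server never granted), with the server-side checks that prevent them. This is an added Python example, not the presentation's code; the records, roles and the names Johnny and Wendy are constructed for the demo:

```python
class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the action."""


# Constructed data: student records and server-side roles. Nothing the request carries sets a role.
RECORDS = {
    101: {"owner": "johnny", "grades": "B+"},
    102: {"owner": "mary", "grades": "A"},
}
ROLES = {"johnny": "student", "mary": "student", "wendy": "counselor"}


def may_view(actor: str, record_id: int) -> bool:
    """Authorization decision: the owner of a record or a counselor may read it."""
    record = RECORDS.get(record_id)
    if record is None:
        return False
    return record["owner"] == actor or ROLES.get(actor) == "counselor"


def view_record_vulnerable(actor: str, record_id: int) -> str:
    # Relies on the UI only ever linking a student to their own record id. Anyone who
    # changes the id in the URL gets someone else's record (horizontal escalation).
    return RECORDS[record_id]["grades"]


def view_record_fixed(actor: str, record_id: int) -> str:
    # The decision is made on every request, server-side, not only when rendering links.
    if not may_view(actor, record_id):
        raise Forbidden(f"{actor} may not view record {record_id}")
    return RECORDS[record_id]["grades"]


def update_grade_fixed(actor: str, record_id: int, grade: str) -> None:
    # Write access is a separate, stricter decision than read access.
    if ROLES.get(actor) != "counselor":
        raise Forbidden(f"{actor} may not change grades")
    RECORDS[record_id]["grades"] = grade


def effective_role_vulnerable(session_user: str, form: dict) -> str:
    # Trusts a hidden form field: the client can simply send role=counselor (vertical escalation).
    return form.get("role", "student")


def effective_role_fixed(session_user: str, form: dict) -> str:
    # The role comes from server-side state tied to the authenticated user; the form field is ignored.
    return ROLES.get(session_user, "student")


if __name__ == "__main__":
    print(may_view("johnny", 101), may_view("johnny", 102), may_view("wendy", 102))
    print(effective_role_vulnerable("johnny", {"role": "counselor"}),
          effective_role_fixed("johnny", {"role": "counselor"}))
```

The pattern to take away is that authorization is evaluated per request against server-held state, and that read, write and administrative actions are separate decisions rather than one "logged in" flag.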
What is AppSec? • Information Leakage and Improper Error Handling • Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems • Applications can also leak internal state via how long they take to process certain operations or via different responses to differing inputs, such as displaying the same error text with different error numbers • Web applications will often leak information about their internal state through detailed or debug error messages
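Both leakage channels named on this slide, a detailed error message sent to the client and a comparison whose duration depends on the input, next to their usual fixes: a generic response carrying only a reference id while the detail goes to the server log, and a fixed-time comparison. This is an added Python example, not the presentation's code; the failing handler and its error text are constructed:

```python
import hmac
import logging
import uuid

log = logging.getLogger("app")


def constructed_db_failure():
    # Constructed stand-in for an internal failure whose message carries infrastructure detail.
    raise RuntimeError("connection to db-internal.example.local:5432 refused")


def handle_vulnerable(handler) -> tuple:
    """Returns (status, body). The exception text, with host names, paths or SQL, reaches the client."""
    try:
        return 200, handler()
    except Exception as exc:
        return 500, f"Internal error: {exc}"


def handle_fixed(handler) -> tuple:
    """Returns (status, body). Detail is logged under a reference id; the client gets only the id."""
    try:
        return 200, handler()
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.exception("unhandled error ref=%s", ref)  # full traceback stays server-side
        return 500, f"Something went wrong. Reference: {ref}"


def token_matches_vulnerable(supplied: str, expected: str) -> bool:
    # An ordinary comparison may stop at the first differing character, so response time
    # varies with how long the matching prefix is: internal state leaking through timing.
    return supplied == expected


def token_matches_fixed(supplied: str, expected: str) -> bool:
    # Comparison that takes the same time regardless of where the inputs differ.
    return hmac.compare_digest(supplied.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(handle_vulnerable(constructed_db_failure))
    print(handle_fixed(constructed_db_failure))
    print(token_matches_fixed("secret-token", "secret-token"))
```

The reference id is what makes the generic message workable in practice: support staff can find the matching log entry without the client ever seeing the stack trace. The same idea applies to "user not found" versus "wrong password" responses, which should collapse to one message and one status code.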
The Story Of Johnny… (diagram labels: Johnny, Counselor Wendy, Username / password, sessionid) • Johnny plants an attack (within his record) to hijack Wendy’s sessionid. • He then contacts Wendy by phone: “Hello, I would like to review my grades please…” • “Sure Johnny, let me just log in and take a look at your “record”…” • The attack executes in Wendy’s browser without notice. Johnny has captured her sessionid. • Johnny substitutes his sessionid with that of Wendy and assumes the identity of Wendy within the application.
What happened to the Firewall??? (diagram labels: Hackers, Worms & Viruses, Malicious Insiders)
Fundamentally Flawed Perception • Fails to protect the most critical component: the Applications • Diagram: http/https connections to Outsourcing, Legacy Application Integration, Web-facing Applications, Employee Self-Service, Connectivity with Partners, Suppliers • Today, even the code itself is sometimes “outside the firewall!”
What a Hacker sees… • Eavesdropping • Cross-Site Scripting • SQL Injection • Password Guessing • Account Enumeration • Information Gathering • Social Engineering
How Does This Happen? • In a perfect world… (diagram: two circles, Actual Functionality and Intended Functionality)
In The Real World… (diagram: two overlapping circles, Actual Functionality and Intended Functionality, with regions labelled Working Features, Security Defects and Functional Defects; two regions marked “?”)
Threats and Countermeasures • Secure The Application: Exception Management, Cryptography, Input Validation, Authorization, Configuration Management, Protect Sensitive Data, Session Management, Authentication, Parameter Manipulation, Auditing and Logging • Secure The Host: Patches, Accounts, Ports, Updates, Files, Registry, Services, Directories, Auditing, Protocols, Shares, Logging • Network Security: Router, Firewall, Switch