330 likes | 655 Views
Application Security: What Does it Take to Build and Test a “Trusted” App?. John Dickson, CISSP Denim Group. Overview. What is Application Security? Examples of Potential Vulnerabilities Potential Strategies to Build Secure Apps Questions and Answers. Denim Group Background.
E N D
Application Security: What Does it Take to Build and Test a “Trusted” App? John Dickson, CISSP Denim Group
Overview • What is Application Security? • Examples of Potential Vulnerabilities • Potential Strategies to Build Secure Apps • Questions and Answers
Denim Group Background • Enterprise application development company with security expertise • Custom software development • Application-level integration • Application security assessments and secure application development
What is Application Security • Security associated with custom application code • Focus is on web application security • Versus non-Internet facing applications • Complements existing infrastructure security assets such as firewalls, IDS, and secured operating systems
Nature of HTTP and the Web • Connectionless protocol – no state • Anonymity of attacks • Assumption: web servers expect request to come from browser, therefore implicitly trust input
Why Application Security • 70% of applications reviewed by security firm had significant security design flaws • @Stake Security Briefing • Interaction between server, 3rd party code, and custom business logic creates vulnerabilities • Patching or rebuilding app expensive • Perception exists that locking down OS and web server = web security
Why Application Security • Web-facing, business critical applications • HTTP & SLL open to the world • Much investment focused on infrastructure • Well understood threats, mature products • Firewalls, authentication, intrusion detection • Security many times an overlooked facet of web development projects
Parameter Tampering • Price information is stored in hidden HTML field with assigned $ value • Assumption: hidden field won’t be edited • Attacker edits $ value of product in HTML • Attacker submits altered web page with new “price” • Still widespread in many web stores
Cookie Poisoning • Attacker impersonates another user • Identifies cookie values that ID’s the customer to the site • Attacker notices patterns in cookie values • Edits pattern to mimic another user
Unvalidated Input Attack • Exploitation of implied trust relations • Instead of: • john@doe.com • Attacker inputs: • ////////////////////////////////////////////////// • Exploits lack of boundary checkers on back-end application
Open Web Application Security Project Top Ten Most Critical Web Application Security Vulnerabilities • Unvalidated Input • Broken Access Control • Broken Authentication and Access Control • Cross-Site Scripting Flaws • Buffer Overflows • Injection Flaws • Improper Error Handling • Insecure Storage • Denial of Service • Insecure Configuration Management Source: www.owasp.org
Client–side authentication • Web apps many times use client-side code to present and manage data • Storage of usernames or ID numbers in cookie make them ripe for forgery • Sites rely on cookie expiration to terminate sessions • You can modify cookies to extend time • Bottom line: Never trust anything from an http request
Key Issue: Build vs. Measure Cultures • Application Development groups are building technical capabilities based upon evolving business requirements • Corporate IS Security dept. in charge of ongoing security operations
Additional Challenges • Most organizations do not have sufficiently skilled resources to cope with application security assessments • Development teams typically under deadlines I love deadlines. I especially love the whooshing sound they make as they fly by. --Douglas Adams, Author, Hitchhiker's Guide to the Galaxy.
Emerging Best Practices • Security must become a key aspect of the development process • Security requirements reflected in design plan • Ensure the security is part of the iterative development process • Changes to web sites are ongoing and are not static • QA Group should not be last line of defense
Code Evaluation Paths • Code review – auditing source code • Expensive, time consuming, and takes expertise • Application assessments – reviews functionality and interactions of compiled applications in real-life environments • Potentially superficial and only capture a % of actual vulnerabilities in custom code
Application Security Reviews • Internal or 3rd party process to assess internally developed applications • Assessment reviews major web app vulnerabilities • Use best-of-breed tools and custom scripts • Integrated with client development schedule • Reviews designed to coincide with key development milestones of client project
Application Security Reviews • Commercial security scanners are becoming more widespread • Automated tools are great first-round way to assess potential vulnerabilities • However, in-depth assessments use custom scripts and code reviews (sometimes) • Analogy of network scanners • Consider Augmenting security team with internal or external .Net and Java security experts
Assessment Benefits • 3rd-party assessment of applications by noted experts; Increase confidence & reliability in application • Compliance with government regulations • Sarbanes Oxley, GLB, HIPAA • Satisfies potential SEC audit objectives • Knowledge transfer to clients on development techniques for secure applications
Wrap up • Application Security is emerging as a critical aspect of enterprise security • Emerging best practices include iterative assessments and defense in depth • Cultural, organizational, and technical challenges all may hinder an effective strategy
Wrap Up • Questions and Answers