Application Security: What Can You Do? (PowerPoint presentation, author: Declan O'Riordan, created 2015-03-10)
TRANSCRIPT
Slide 1
Test and Verification Solutions
Application Security: What Can You Do?
Delivering Tailored Solutions for Hardware Verification and Software Testing
BCS – Bristol, 9th March 2015
Declan O’Riordan
Copyright TVS Limited | Private & Confidential | Page 2
What is driving security?
Firewalls / IDS / IPS based upon pattern-matching ‘known bad’ REGEX
Slide 3
Threat growth
Source: Verizon
2014 - Commercial cyber security spending $46 billion
2013 - 20% more breaches
2012 - 30% higher cost per breach
Slide 4
Why is Application Security important?
Make that 153m accounts/
Slide 5
What is Application Security?
It is NOT Building, or Network Security!
84% of attacks target the applications (Source: HP)
90% of sites are vulnerable to application attacks (Watchfire)
1.7% of security budget is spent on Applications (OWASP 2014)
Slide 6
Reactive Perimeter Defences
w.w.w. data is exploding: 2010 = 1.2 zettabytes; 2015 = 7.9 zettabytes; 2020 = 40 zettabytes?
1.2 million variants of malware per day
20%-30% of malware is caught by anti-virus
Slide 7
The Security Testing Lifecycle
Phases:
• Before Development
• Definition & Design
• Development
• Deployment
• Maintenance
Activities, in lifecycle order:
• Review SDLC Process
• Review Policy
• Review Standards
• Review Requirements
• Review Design
• Create / Review Models
• Review Code
• Code Walkthrough
• Unit & System Test
• Penetration Test
• Config. Mgt. Review
• Unit & System Test
• Acceptance Test
• Change Verification
• Health Checks
• Operational Reviews
• Regression Tests
Slide 8
‘The’ OWASP Top 10 Web-App Risks
Slide 9
Free Application Security Testing Procedures & Development Guidelines
Slide 10
Threat Assessment
Slide 11
Compliance with the Standard
Slide 12
Verify 168 security checkpoints
Slide 13
The login screen
Slide 14
Authentication: What can you do now?
• Bad passwords
• Insecure storage of credentials
• Verbose failure messages
• Password change functionality
• Forgotten password functionality
• User impersonation functionality
• Non-unique usernames
• Predictable usernames
• Incomplete validation of credentials
Slide 15
Incomplete validation of credentials
Full validation of all password characters:
1. Length
2. Case
3. Unusual characters
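The three gaps above in code. This is an added example, not from the presentation: weak_verify is a constructed flawed check that only compares the first 8 characters, ignores case and drops unusual characters, and strong_verify is the corrected form, hashing the whole normalised password with PBKDF2-HMAC-SHA256 from the standard library and comparing in constant time. The 600,000 iteration default is an assumption (a commonly recommended figure), not a value from the slides.

```python
import hashlib
import hmac
import os
import unicodedata


def weak_verify(stored_plain: str, supplied: str) -> bool:
    """Flawed check (constructed): truncates to 8 characters, folds case and
    strips unusual characters before comparing, so a 20-character password is
    accepted from a 6-character guess. Storing the password in clear is a
    second defect, kept only to make the comparison visible."""
    def reduce(p: str) -> str:
        return "".join(c for c in p[:8].lower() if c.isalnum())
    return reduce(stored_plain) == reduce(supplied)


def make_record(password: str, iterations: int = 600_000) -> dict:
    """Store a random salt and a PBKDF2-HMAC-SHA256 digest of the full password.
    NFKC normalisation makes equivalent Unicode spellings hash the same way
    without silently dropping any character."""
    salt = os.urandom(16)
    pw = unicodedata.normalize("NFKC", password).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def strong_verify(record: dict, supplied: str) -> bool:
    """Every character, in its original case, takes part in the comparison,
    and compare_digest keeps the comparison time independent of the input."""
    pw = unicodedata.normalize("NFKC", supplied).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", pw, record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])
```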
Slide 16
Authentication: What may need help?
• Vulnerable credentials transmission
• “Remember me” functionality
• Predictable initial passwords
• Insecure distribution of credentials
• Fail-open login mechanisms
• Multi-stage login defects
• Brute-forcible login (failed logins = 1)
Slide 17
Access controls: What can you do now?
• Completely unprotected functionality
• Direct access to methods
• Identifier-based functions
• Multi-stage functions
• Static files
• Platform mis-configuration
• Insecure access control methods
• Parameter / referer / location-based access control
Slide 18
Completely unprotected functionality
No one will know that sensitive function / resource URL. It’s secret!
But URLs appear in logs, browser histories, and are displayed on-screen. They can be emailed, bookmarked, and written down.
Attackers find them in client-side JavaScript, brute-force the names / identifiers (response codes 302, 400, 401, 403, 500), inference from published content, search engines, web archives, and leveraging the web server.
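The countermeasure in code, as an added example that is not part of the presentation: a hypothetical route table sits behind one server-side authorisation choke point. A caller who may not use a resource gets the same 404 as a nonexistent path, an anonymous caller gets the same login redirect for every non-public path whether it exists or not, and the Referer is never consulted, so none of the status codes listed above tells a guessed URL apart from a real one; denied requests are logged for detection. Paths, roles and the store are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed route table: path -> role required (None = public).
# The export URL looks "secret", but the table, not the URL, is the control.
ROUTES = {
    "/": None,
    "/account": "user",
    "/admin/export-x7k2q": "admin",
}
_MISSING = object()
AUDIT_LOG = []   # (user, path) of denied requests: feed for enumeration detection


@dataclass
class Request:
    path: str
    user: Optional[str] = None                      # principal from the server-side session
    roles: frozenset = field(default_factory=frozenset)
    referer: str = ""                               # deliberately never used for decisions


def handle(req: Request) -> Tuple[int, str]:
    """Single choke point in front of every resource."""
    required = ROUTES.get(req.path, _MISSING)
    if required is not None and req.user is None:
        # Same answer for every non-public path, real or guessed.
        return 302, "/login"
    if required is _MISSING or (required is not None and required not in req.roles):
        # Unauthorised and nonexistent are indistinguishable to the caller.
        AUDIT_LOG.append((req.user, req.path))
        return 404, "Not Found"
    return 200, f"OK {req.path}"
```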
Slide 19
Session Management: who does what?
• Disclosure of session tokens in logs
• Vulnerable session termination
• Weak session token generation
• Weak session token handling
• Disclosure of tokens
• Meaningful tokens
• Encrypted tokens
• ECB & CBC ciphers
• Vulnerable token mapping
• Client exposure to token hijacking
• Liberal cookie scope
• Predictable session tokens
Slide 20
Meaningful session tokens
HTTP is stateless. Each request-response message pair is an independent transaction.
Dynamic web-application functionality requires a SESSION to link user requests.
Typically this is implemented by issuing each user a unique session token which is resubmitted by the user to link sequences of requests.
Set-Cookie: ASP.NET_SessionId=75 73 65 72 3d 64 65 63 6c 61 6e 3b 61 70 70 3d 61 64 6d 69 6e 3b 64 61 74 65 3d 30 35 2f 30 37 2f 32 30 31 35
The hex decodes to: user=declan;app=admin;date=05/07/2015
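An added check (not from the slides) that flags a session token carrying readable state, as the cookie above does, trying hex and base64 as well as plain text, set beside the corrected design: an opaque token from the OS CSPRNG that only indexes a server-side store. The in-memory store is constructed for the example.

```python
import base64
import binascii
import secrets

# Hex bytes exactly as shown on the slide (spaces kept)
SLIDE_COOKIE = ("75 73 65 72 3d 64 65 63 6c 61 6e 3b 61 70 70 3d 61 64 6d 69 6e 3b "
                "64 61 74 65 3d 30 35 2f 30 37 2f 32 30 31 35")


def _decodings(token: str):
    """Yield the byte strings the token may encode: hex, base64, or the raw text."""
    compact = token.replace(" ", "")
    try:
        yield bytes.fromhex(compact)
    except ValueError:
        pass
    try:
        yield base64.b64decode(compact + "=" * (-len(compact) % 4), validate=True)
    except (binascii.Error, ValueError):
        pass
    yield token.encode("utf-8")


def meaningful_fields(token: str):
    """Return the key/value pairs if the token decodes to readable 'k=v;k=v' text,
    i.e. it carries state a client can read or forge; None for an opaque token."""
    for raw in _decodings(token):
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            continue
        segments = [s for s in text.split(";") if s]
        if text.isprintable() and segments and all("=" in s for s in segments):
            return dict(s.split("=", 1) for s in segments)
    return None


SESSIONS = {}   # constructed in-memory server-side store: opaque token -> state


def issue_session(user: str, app: str) -> str:
    """256 random bits from the OS CSPRNG; the user, role and date live only server-side."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": user, "app": app}
    return token
```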
Slide 21
Predictable session tokens
• Concealed sequences
• Weak random number generation
• Time dependencies
56543-1424798254115
56544-1424798303925
?
56546-1424798337916
The first component is an incrementing sequence. The second component is the time in milliseconds. The missing value was issued to another user and can be predicted / brute forced within the range of possibilities.
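An added audit, not part of the presentation, that takes a sample of issued tokens such as the three above, detects the counter and millisecond-clock components the slide describes, and bounds the effective search space in bits; for tokens drawn from a CSPRNG it reports nothing. The separator characters and the epoch-millisecond range it tests for are assumptions.

```python
import math
import re
import secrets

# The three tokens observed on the slide; the fourth went to another user
OBSERVED = ["56543-1424798254115", "56544-1424798303925", "56546-1424798337916"]


def _columns(tokens):
    """Split each token on separators and yield (index, values) for numeric columns."""
    parts = [re.split(r"[-_.:]", t) for t in tokens]
    width = min(len(p) for p in parts)
    for i in range(width):
        try:
            yield i, [int(p[i]) for p in parts]
        except ValueError:
            continue   # non-numeric column (e.g. random hex): nothing to analyse


def audit_tokens(tokens):
    """Map column index -> finding for columns that behave as counters or clocks."""
    findings = {}
    for i, col in _columns(tokens):
        diffs = [b - a for a, b in zip(col, col[1:])]
        if diffs and all(0 < d <= 10 for d in diffs):
            findings[i] = "incrementing counter"
        elif diffs and all(d > 0 for d in diffs) and all(10**12 <= v < 2 * 10**12 for v in col):
            findings[i] = "epoch-millisecond timestamp"   # 2001..2033 in ms since epoch
    return findings


def effective_search_bits(tokens):
    """log2 of (unseen counter values x widest issue window in ms): how many bits of
    guessing actually protect a token issued between two observed ones. None if the
    sample shows neither a counter nor a clock."""
    findings = audit_tokens(tokens)
    counter = [i for i, k in findings.items() if k == "incrementing counter"]
    clock = [i for i, k in findings.items() if k == "epoch-millisecond timestamp"]
    if not counter or not clock:
        return None
    cols = dict(_columns(tokens))
    c, t = cols[counter[0]], cols[clock[0]]
    gap = max(b - a - 1 for a, b in zip(c, c[1:]))
    window = max(b - a for a, b in zip(t, t[1:]))
    return math.log2(max(gap, 1) * window)


def issue_token() -> str:
    return secrets.token_hex(16)   # 128 random bits: no counter, no clock
```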
Slide 22
Make efficient use of experts & tools
Slide 23
What Testers can do
• Security skills are within the project team capability
• Recognize which security tests you can do now
• Effectively manage the experts who are helping you