Can Behavioral-based Technology Benefit the
Secure Software Development Life Cycle?
Speaker: Bob DeWolfe
Title: Core Security Evangelist
Company: DB Networks
Agenda
Problem: SQL Injection
Who’s watching “The Core”?
Can “behavioral-based” technology show you what is happening in The Core?
Can this technology help AppSec identify vulnerabilities/malicious activities in The Core?
SQL Injection Hall of Shame (# of Records or $ Loss)
[Chart: breaches attributed to SQL injection by year, 2007 to 2013, annotated “Getting worse”. Figures shown on the chart include 130,000,000 records, 50,000,000, 11,000,000, 7,000,000, 6,500,000, 4,200,000, 2,000,000, 1,600,000 (FBI/NASA), 1,000,000, 950,000 records, 800,000 (Jordan), 500,000, 450,000, 150,000, 130,000, 100,000 and 37,000, and losses of $200M, $92M, $9M and $1.7M (2008).]
Source: http://codecurmudgeon.com/wp/sql-injection-hall-of-shame/
How often do breaches get reported in the press?
• 10% of the time? 1% of the time? 0.1% of the time? 0.01% of the time?
Of those, how often is the exploit reported?
• 10% of the time? 1% of the time? 0.1% of the time? 0.01% of the time?
You do the math.
Independent research confirms threat level, pervasiveness, and growth
Sample Size = 50 organizations; 63,000 incidents; 1367 confirmed breaches
Independent research confirms threat level, pervasiveness, and growth (April 2014)
Sample Size = 595 respondents; Copies available
How can this be happening 15 years later?
• Inadequate investment in perimeter security (IDS/IPS, WAF)?
  • Nope. That has consumed the vast majority of IT security spending for over 25 years.
• Poor Secure Coding?
  • Nope. I’m personally familiar with the AppSec & developer-focused preventive technologies and education programs at JPMC, Target, and NASDAQ BEFORE the breaches.
• Lacking Real Time Pre-Production Detective Solutions?
  • Nope. These organizations have invested heavily in DAST and Penetration Testing and have worked hard to feed these solutions with SAST findings.
How can this be happening 15 years later?
There is no Silver Bullet for completely preventing Core Network Security breaches … including SQL and LDAP Injection.
How can this be happening 15 years later?
But aren’t these infallible against SQL Injection?
• Stored Procedures
  • Nope: Dynamic SQL with Execute Immediate inside the procedure is just as injectable as dynamic SQL in the application.
• Parameterized Queries
  • Nope: Inadequately coded (not fully bound)
  • Nope: Need for SQL keywords, table names, column names (identifiers cannot be bound; they have to be spliced into the statement text)
  • Nope: Ad-hoc / Dynamic SQL requirement / too many combinations
• Escaping Input
  • Nope: Integer-based SQL Injection (a numeric value is not quoted, so there is no quote for escaping to protect)
What about LDAP? JNDI?
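The following script is an added illustration, not code from the presentation or from DB Networks, that runs each of the defenses listed above against a small in-memory SQLite table. The table, its three rows, the function names and the column allow-list are constructed for the demonstration; the payload is the one from the Suspect statement later in the deck. It goes one step beyond the slide by showing the defense that does work for identifiers (an allow-list) since bind variables cannot carry them. LDAP/JNDI is not covered.

```python
"""Added example (not from the presentation or DB Networks): exercising each
'silver bullet' from the slide against an in-memory SQLite table.  The table,
the user rows, the allow-list and the function names are constructed."""
import sqlite3


def make_db():
    """Constructed sample data: three accounts with userids 1, 2, 3."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (userid INTEGER PRIMARY KEY, userName TEXT, password TEXT)")
    conn.executemany("INSERT INTO login VALUES (?, ?, ?)",
                     [(1, "alex", "alexpass"), (2, "bob", "bobpass"), (3, "carol", "carolpass")])
    return conn


def escape(value):
    """Naive escaping: double every single quote.  Enough inside a quoted
    string literal, worthless where the value is spliced in unquoted."""
    return str(value).replace("'", "''")


def login_concat(conn, user, pw):
    """String concatenation: the deck's Target/Suspect statements come from
    exactly this shape of code."""
    sql = f"SELECT userid FROM login WHERE userName='{user}' AND password='{pw}'"
    return [row[0] for row in conn.execute(sql)]


def login_escaped(conn, user, pw):
    """Escaping stops the quote-breaking payload: the injected text stays
    inside the literal and simply matches no user."""
    sql = (f"SELECT userid FROM login WHERE userName='{escape(user)}' "
           f"AND password='{escape(pw)}'")
    return [row[0] for row in conn.execute(sql)]


def by_id_escaped(conn, userid):
    """Integer-based injection: the value is numeric, so it is not quoted,
    so escaping has nothing to protect and the OR 1=1 goes straight through."""
    sql = f"SELECT userid FROM login WHERE userid={escape(userid)}"
    return [row[0] for row in conn.execute(sql)]


def by_id_bound(conn, userid):
    """Bind variable: whatever the value contains, it is data, never syntax."""
    return [row[0] for row in conn.execute("SELECT userid FROM login WHERE userid=?", (userid,))]


def column_by_id(conn, column, userid):
    """Bind variables cannot carry identifiers: the column name has to be
    spliced into the text, so whoever controls it chooses what comes back."""
    return [row[0] for row in conn.execute(f"SELECT {column} FROM login WHERE userid=?", (userid,))]


ALLOWED_COLUMNS = {"userid", "userName"}  # assumed allow-list for this demo


def column_allowed(column):
    return column in ALLOWED_COLUMNS


def column_by_id_allowlisted(conn, column, userid):
    """For identifiers the workable defense is an allow-list, not binding."""
    if not column_allowed(column):
        raise ValueError(f"column not permitted: {column!r}")
    return column_by_id(conn, column, userid)


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 --"                                     # the deck's Suspect payload
    print("concat   :", login_concat(db, payload, "junkpass"))  # every userid
    print("escaped  :", login_escaped(db, payload, "junkpass")) # nothing
    print("int/esc  :", by_id_escaped(db, "1 or 1=1"))          # every userid again
    print("int/bound:", by_id_bound(db, "1 or 1=1"))            # nothing
    print("column   :", column_by_id(db, "password", 1))        # leaks the password
```

The point of the last two functions is the one the slide makes about keywords, table and column names: the only thing a driver can bind is a value, so any identifier that comes from outside the code must be checked against a fixed list before it is spliced in.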
How can this be happening 15 years later?
But my organization uses … (false negatives listed):
• SAST
  • Broken dataflow analysis; missing code; improper criticality; missing custom rules; etc.
• DAST / Penetration Testing
  • Blind SQL Injection; unknown attack surface; missing workflow macros; insufficient authentication credentials; web services; etc.
• WAFs
  • YouTube: “WAF Bypass”; character encodings; infinite number of signatures needed due to SQL language options; SSL/TLS
• Secure Coding initiatives
  • Competing priorities; differing education levels; gaps on prior slide
Lots of slides / data to support this … come talk to me
How can this be happening 15 years later?
Still not convinced? How about:
• COTS / 3rd Party Components, Libraries, Applications
• Apps without Funding for Enhancement / Remediation
• Apps without Source Code for Remediation
• App Dev groups that don’t see the priority
• Any App you can’t securely code
What to do?
Continue using education, people, process, and technology to prevent and identify vulnerabilities
+
Monitor your Production Core Network
Core Network Monitoring
If there is no Silver Bullet and all of the techniques we’ve used for the past 15 years have gotten us to this point, we need to be monitoring our Production Core Network (DB, LDAP, etc.) and acting in Real Time to thwart attacks before attackers get a foothold.
• Blacklist? Nope … easily circumvented (just like WAFs are)
• Whitelist? Nope … impossible to maintain / blocks legitimate App requests
• Signatures? Nope … infinite combinations for SQL/LDAP languages
• Behavioral
Who’s watching “The Core”?
[Diagram: Perimeter versus Core.
Perimeter controls: Network F/W, WAF, Network IDS, Network DoS, NAC, VPN, Reverse Firewall, Load Balancer.
Core: Web / Application Servers, Database Servers, Critical Asset Protection.]
Can Behavioral-based Technology Help?
Traditional blacklist / whitelist technologies cannot detect targeted attacks. An affirmative defense is necessary.
“Know what you have. Know when it changes.”
[Diagram labels: DBA Access; Application Servers; Discovered App servers; Discovered DBs; Undocumented DB; Attribution Requested.]
It’s all in the protocols…
Incorporate TIME
[Diagram labels: Busy App servers; Busy connections; Inactive DB; Newly discovered DB; Newly discovered app servers.]
Achieving the Behavioral-based Vision
1. Decode Protocols (includes proprietary)
   • SQL, No-SQL, FTP, Active X, LDAP, other…
2. Organize the Data Collected
   • Create an easy-to-use Learning System
3. Create a Behavioral Model
   • Identify deviations from the behavior learned
An Example: SQL Protocol
• SQL Protocol contains a Wealth of Information
• Know what you have! (static information…)
  • Applications & Application Servers
  • Database Servers & the Databases that are available
  • Other end point access…
• Things we’ve seen in the wild…
  • Database sessions operating over wireless networks
  • Application Development mapped into Production DBs
  • Gbytes of unexpected traffic at unexpected times
• Know when it changes! (dynamic information…)
  • New database online, or database inactive
  • New end point active, new Application server introduced
  • And the potential for enforcing Policy
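What “know what you have, know when it changes” looks like once session metadata has been decoded off the wire, as an added example that is not DB Networks’ code: a baseline of client, server and database tuples is learned from one period, and a later window is diffed against it to surface newly discovered app servers, undocumented databases, new client-to-database paths and databases that have gone inactive. The session records are constructed, the field names and the seven-day inactivity threshold are assumptions, and protocol decoding itself (the source of these records in a real deployment) is not shown.

```python
"""Added example (not DB Networks' code) of "know what you have, know when it
changes" over database session metadata.  The session records are constructed;
a real deployment would obtain them by decoding the database wire protocol on
a network tap, which this toy does not do."""
from datetime import datetime, timedelta

# Constructed sessions: (timestamp, client app server, DB server, database)
LEARNING_PERIOD = [
    ("2014-04-01T09:00:00", "10.0.1.10", "10.0.2.5", "orders"),
    ("2014-04-01T09:05:00", "10.0.1.11", "10.0.2.5", "orders"),
    ("2014-04-02T10:00:00", "10.0.1.10", "10.0.2.5", "reports"),
    ("2014-04-03T11:30:00", "10.0.1.10", "10.0.2.5", "inventory"),
    ("2014-04-07T08:00:00", "10.0.1.11", "10.0.2.5", "orders"),
]
LATER_WINDOW = [
    ("2014-04-14T09:00:00", "10.0.1.10", "10.0.2.5", "orders"),
    ("2014-04-14T09:01:00", "10.0.1.10", "10.0.2.5", "inventory"),
    ("2014-04-14T13:10:00", "10.0.9.77", "10.0.2.5", "orders"),      # unknown client
    ("2014-04-14T13:12:00", "10.0.1.11", "10.0.2.5", "hr_payroll"),  # undocumented DB
    ("2014-04-14T13:15:00", "10.0.1.11", "10.0.2.5", "inventory"),   # new client/DB path
]


def parse(rows):
    return [(datetime.fromisoformat(ts), c, s, db) for ts, c, s, db in rows]


def learn_baseline(sessions):
    """Static inventory: which clients, which databases, which client-to-
    database paths, plus the last time each database was seen."""
    base = {"clients": set(), "databases": set(), "paths": set(), "last_seen": {}}
    for ts, client, server, db in sessions:
        key = (server, db)
        base["clients"].add(client)
        base["databases"].add(key)
        base["paths"].add((client, server, db))
        base["last_seen"][key] = max(ts, base["last_seen"].get(key, ts))
    return base


def changes(base, window, now, inactive_after=timedelta(days=7)):
    """Dynamic view: what is new in `window` relative to the baseline, and
    which baseline databases have been silent longer than `inactive_after`."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    last_seen = dict(base["last_seen"])
    report = {"new_app_servers": set(), "new_databases": set(), "new_paths": set()}
    for ts, client, server, db in window:
        key = (server, db)
        last_seen[key] = max(ts, last_seen.get(key, ts))
        if client not in base["clients"]:
            report["new_app_servers"].add(client)
        if key not in base["databases"]:
            report["new_databases"].add(key)
        elif client in base["clients"] and (client, server, db) not in base["paths"]:
            report["new_paths"].add((client, server, db))   # known parts, unknown combination
    report["inactive_databases"] = {
        key for key in base["databases"] if now - last_seen[key] > inactive_after
    }
    return report


def demo_report():
    """Baseline from the learning period, diffed against the later window."""
    return changes(learn_baseline(parse(LEARNING_PERIOD)), parse(LATER_WINDOW),
                   "2014-04-15T00:00:00")


if __name__ == "__main__":
    for name, items in demo_report().items():
        print(f"{name:18s} {sorted(items)}")
```

Each of the four report keys corresponds to one of the diagram labels on the slide: a newly discovered app server, a newly discovered (undocumented) database, a busy connection that was never part of the learned picture, and an inactive database. None of them needs a rule to be written; they fall out of comparing what was learned with what is happening now.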
The Benefits of Behavioral Machine Learning
• No rules to write or maintain, ever!
• Improved accuracy in attack detection
• Cannot be defeated through obfuscation
• 40% - 60% of the SQL generated is sufficient for learning: the key advantage versus blacklist / whitelist
• Learning can be done quickly / automatically (otherwise a manual exercise for many applications): automated load generation, or DAST “spidering” w/ OWASP ZAP Proxy
Target  sql(175): select USERID from login where userName='alex' and password='alexpass'
Suspect sql(185): select USERID from login where userName='' or 1=1 --' and password='junkpass'
Sophisticated, Real-Time SQL Inspection
[Flowchart; the inspection questions in order, with branch labels Certain, No, Maybe, Yes, Yes, Yes on the slide:]
1. Is this SQL statement known safe?
2. Does it contain Suspicious SQL?
3. Insertion on Known, Safe Statement?
4. Does Insertion Fall on a Literal Boundary?
5. Is request syntactically consistent?
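A toy of the three-step vision (decode, learn, model deviations) applied to the five questions above, added here as an illustration and not DB Networks’ code. Statements are tokenized, their literals abstracted to “?” so that a statement shape can be learned during the learning period, and an unfamiliar statement is then judged by whether a syntactic red flag was inserted exactly where a learned statement expects a literal, which is what separates the Suspect statement from an ordinary new query added in a release. The tokenizer, the red-flag list and the sample statements (the deck’s Target/Suspect pair plus constructed ones) are simplifying assumptions; the product’s actual parsing and model are not known from the slides.

```python
"""Added example (not DB Networks' code): a toy of the inspection questions on
the slide.  Tokenizer, red-flag list and sample statements are assumptions."""
import re

TOKEN_RE = re.compile(r"""
    (?P<comment>--[^\n]*|/\*.*?\*/)        # line or block comment, tried before ops
  | (?P<str>'(?:[^']|'')*')                # string literal; '' is an escaped quote
  | (?P<num>\d+(?:\.\d+)?)                 # numeric literal
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)       # keyword or identifier
  | (?P<op><>|!=|<=|>=|[=<>(),;*.+\-/])    # operators and punctuation
  | (?P<ws>\s+)
""", re.VERBOSE | re.DOTALL)


def tokenize(sql):
    """Return (kind, text) tokens; raise ValueError when the text cannot be
    tokenized, e.g. an unterminated quote left behind by a broken payload."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            raise ValueError(f"cannot tokenize at offset {pos}: {sql[pos:pos + 12]!r}")
        pos = m.end()
        if m.lastgroup != "ws":
            text = m.group().lower() if m.lastgroup == "word" else m.group()
            tokens.append((m.lastgroup, text))
    return tokens


def template(tokens):
    """Statement shape: literals become '?', comments are dropped."""
    return tuple("?" if k in ("str", "num") else t for k, t in tokens if k != "comment")


def learn(statements):
    """The known-safe set: every statement shape seen during learning."""
    return {template(tokenize(s)) for s in statements}


def red_flag(tokens):
    """Cheap syntactic tells of injected SQL (assumed list, not exhaustive)."""
    kinds = [k for k, _ in tokens]
    words = [t for _, t in tokens]
    if "comment" in kinds:
        return "comment"
    if "union" in words:
        return "union"
    if ";" in words[:-1]:
        return "stacked statement"
    for i in range(1, len(tokens) - 1):                    # literal = literal, e.g. 1=1
        if words[i] == "=" and kinds[i - 1] in ("str", "num") and kinds[i + 1] in ("str", "num"):
            return "literal tautology"
    return None


def inspect(sql, known):
    """Walk the slide's questions in order; return (verdict, reason)."""
    try:
        tokens = tokenize(sql)
    except ValueError as err:                               # Q5: not syntactically consistent
        return "malformed", str(err)
    tpl = template(tokens)
    if tpl in known:                                        # Q1: known safe, certain
        return "known-safe", "template learned"
    flag = red_flag(tokens)
    if flag is None:                                        # Q2: nothing suspicious
        return "unknown-statement", "no red flags; review and learn if legitimate"
    best, common = None, 0                                  # Q3: closest known statement by token prefix
    for k in known:
        n = 0
        while n < min(len(k), len(tpl)) and k[n] == tpl[n]:
            n += 1
        if n > common:
            best, common = k, n
    if best is not None and best[common - 1] == "?":        # Q4: insertion starts where a literal ends
        return "injection", f"{flag} inserted at literal boundary after token {common} of a known statement"
    return "suspicious", f"{flag}; does not align with a known statement's literal boundary"


if __name__ == "__main__":
    known = learn(["select USERID from login where userName='alex' and password='alexpass'",
                   "select * from items where id=42"])
    for s in ["select USERID from login where userName='bob' and password='bobpass'",
              "select USERID from login where userName= '' or 1=1 --' and password='junkpass'",
              "select * from items where id=7 or 1=1",
              "select userid, email from login where userName='x' and password='y'",
              "select USERID from login where userName='alex"]:
        print(inspect(s, known), "<-", s)
```

Two things the example is meant to show. First, the deck’s Suspect statement and an integer-based variant (id=7 or 1=1) both land on “injection” for the same reason: the extra SQL begins exactly at a literal boundary of a learned statement, which is the signature of data having been spliced into code, regardless of which payload was used. Second, a genuinely new query shape with no red flags is reported as unknown rather than as an attack, which is where an analyst decides whether to learn it, and a statement that will not even tokenize is reported as malformed, the typical residue of a probe.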
Traditional SDLC: QA/Test Environment
• 3rd Party & In-House developed applications, including SCADA
• DAST cannot identify vulnerabilities without a return signal (payload response, error message, etc.)
• Vulnerabilities make their way into Production: Blind SQL Injections
[Diagram: Development → QA/Test → Production]
Extended SDLC: Continuous Monitoring
• Vulnerability detection continues in Production: the most cost effective way to identify & remediate vulnerabilities, including Blind SQL Injection
• Natural application usage exposes vulnerabilities: a continuation of SDLC benefits
• Rogue SQL; confirm no Dynamic SQL; monitor in tandem w/ SOC
[Diagram: Development → QA/Test → Production, with Core IDS installed]
Case Study: Medical Website
• Lost PCI certification because of a breach: 10,000 usernames/passwords compromised
• Implemented Core IDS in Production
• 6 months later, during PCI re-certification, Core IDS discovers a Blind SQL Injection; commercial DAST reported “no vulnerabilities found”; PCI certification granted that afternoon
• Today Core IDS is supporting their SDLC: 2 attacks & 12+ vulnerabilities identified through normal application usage; orderly remediation
Conclusions
• Behavioral-based technology can benefit AppSec
  • Confirm that your applications are behaving the way you intend them to behave
  • Test & monitor 3rd Party / COTS applications
  • Identify Blind SQL Injections
• Visibility beyond just QA/Test
  • Identify user-generated SQL vulnerabilities
  • Know that you have been attacked before the attacker knows
• The technology is available today!
  • Easy to implement & easy to use
  • Demonstration available
Pass The Word
Companion Presentation: Identifying and Tracking Critical Software Infrastructure Using Behavioral-based Continuous Monitoring
Applicable to: ISSA, ISACA, OWASP, BeWize, IAPP, ISC2 Chapters
Animations: Continuous Monitoring & Analysis (2:15 min.); Adaptive Behavioral Analysis (2:01 min.)
New Whitepaper! Title: “SQL Injection Defense: There are No Silver Bullets”
Thank You
Speaker: Bob DeWolfe
Title: Core Security Evangelist
Company: DB Networks
Email: [email protected]