Evolving Threats
Application Security - Understanding the Problem
[Diagram: the tiers Desktop, Transport, Network and Web Applications, with the defence shown at each: Antivirus Protection, Encryption (SSL), Firewalls / IDS / IPS, Firewall; the web application tier is drawn as Application Servers, Backend Server and Databases.]
Info Security Landscape
Hackers Exploit Unintended Functionality to Attack Apps
[Diagram: Actual Functionality versus Intended Functionality; the part of the actual functionality that was never intended is the Unintended Functionality that attackers exploit.]
The OWASP Top 10 (Application Threat / Negative Impact / Example Impact)

Cross Site Scripting
• Negative impact: identity theft, sensitive information leakage, …
• Example impact: hackers can impersonate legitimate users and control their accounts.

Injection Flaws
• Negative impact: attacker can manipulate queries to the DB / LDAP / other system.
• Example impact: hackers can access backend database information, alter it or steal it.

Malicious File Execution
• Negative impact: execute shell commands on the server, up to full control.
• Example impact: site modified to transfer all interactions to the hacker.

Insecure Direct Object Reference
• Negative impact: attacker can access sensitive files and resources.
• Example impact: web application returns the contents of a sensitive file (instead of a harmless one).

Cross-Site Request Forgery
• Negative impact: attacker can invoke “blind” actions on web applications, impersonating a trusted user.
• Example impact: blind requests to a bank account transfer money to the hacker.

Information Leakage and Improper Error Handling
• Negative impact: attackers can gain detailed system information.
• Example impact: malicious system reconnaissance may assist in developing further attacks.

Broken Authentication & Session Management
• Negative impact: session tokens not guarded or invalidated properly.
• Example impact: hacker can “force” a session token on the victim; session tokens can be stolen after logout.

Insecure Cryptographic Storage
• Negative impact: weak encryption techniques may lead to broken encryption.
• Example impact: confidential information (SSN, credit cards) can be decrypted by malicious users.

Insecure Communications
• Negative impact: sensitive info sent unencrypted over an insecure channel.
• Example impact: unencrypted credentials “sniffed” and used by the hacker to impersonate the user.

Failure to Restrict URL Access
• Negative impact: hacker can access unauthorized resources.
• Example impact: hacker can forcefully browse to and access a page past the login page.
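The Injection Flaws and Cross Site Scripting rows above both describe the same root mistake: untrusted input is spliced into a query or a page as if it were code. As an added example, not part of the original slides, the following Python puts the vulnerable handler next to its fixed form for each, using an in-memory SQLite table with constructed sample rows; the function names are hypothetical.

```python
"""Injection Flaws and Cross Site Scripting: vulnerable handlers beside their
fixed forms. Added example, not from the original slides. The users table, its
three rows and the function names are constructed for this demo.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    return conn


def lookup_user_vulnerable(conn, name: str):
    # Injection flaw: the input becomes part of the SQL text, so it can change
    # the query's logic rather than only supply a value to compare against.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_user_fixed(conn, name: str):
    # Parameterized query: the driver passes the value separately from the
    # statement, so nothing in the input is ever parsed as SQL.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def greeting_vulnerable(name: str) -> str:
    # Cross Site Scripting: untrusted input is placed into HTML unchanged, so
    # any markup in it is interpreted by the victim's browser.
    return f"<p>Welcome, {name}</p>"


def greeting_fixed(name: str) -> str:
    # Output encoding for the HTML context: markup characters become literal text.
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


def demo():
    """Run both versions on a legitimate name, a crafted name and a markup name."""
    conn = make_db()
    # A legitimate name with an apostrophe: the vulnerable query breaks with a
    # syntax error (which, if shown to the user, is also Improper Error Handling).
    try:
        lookup_user_vulnerable(conn, "o'brien")
        broke_on_quote = False
    except sqlite3.OperationalError:
        broke_on_quote = True
    # The textbook input that turns the WHERE clause into an always-true test.
    tautology = "x' OR '1'='1"
    return {
        "vulnerable_breaks_on_quote": broke_on_quote,
        "fixed_handles_quote": lookup_user_fixed(conn, "o'brien"),
        "vulnerable_rows_for_tautology": len(lookup_user_vulnerable(conn, tautology)),
        "fixed_rows_for_tautology": len(lookup_user_fixed(conn, tautology)),
        "xss_vulnerable": greeting_vulnerable("<b>x</b>"),
        "xss_fixed": greeting_fixed("<b>x</b>"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The two fixes are cheap and mechanical, which is why the lifecycle slides later in this deck push security testing back to Development: a scanner such as Burp or ZAP will find these, but a code review against "is untrusted input ever concatenated into a query or a page?" finds them earlier.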
Common Web Application Vulnerabilities (contd.)
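Three rows of the table, Broken Authentication & Session Management, Insecure Direct Object Reference and Failure to Restrict URL Access, are all failures of the same server-side bookkeeping: who is this request from, and is that person allowed this object? As an added example, not part of the original slides, the following Python sketches a minimal session store that makes each of those checks explicit; the SessionStore class, its methods, the two users and the document ids are hypothetical sample data constructed for the demo.

```python
"""Broken Authentication & Session Management, Insecure Direct Object Reference
and Failure to Restrict URL Access: a minimal server-side session store with the
checks those rows call for. Added example, not from the slides; SessionStore,
its methods, the users and the document ids are constructed for this demo.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    # Constructed sample accounts and documents as (owner, content). Passwords
    # are kept in clear only to keep the demo short; a real store hashes them.
    users: dict = field(default_factory=lambda: {"alice": "pw-alice", "bob": "pw-bob"})
    documents: dict = field(default_factory=lambda: {
        101: ("alice", "alice's report"),
        102: ("bob", "bob's invoice"),
    })
    sessions: dict = field(default_factory=dict)  # token -> username

    def login(self, username, password, presented_token=None):
        """Authenticate, then issue a brand-new random token.

        A token the client already carried before login (for example one
        planted through a link) is never promoted to an authenticated session,
        which is what stops an attacker from "forcing" a token on the victim.
        """
        if self.users.get(username) != password:
            return None
        self.sessions.pop(presented_token, None)  # drop any pre-login token
        token = secrets.token_urlsafe(32)          # CSPRNG-backed, not guessable
        self.sessions[token] = username
        return token

    def logout(self, token):
        # Invalidate on the server, so a token stolen earlier dies with the session.
        self.sessions.pop(token, None)

    def current_user(self, token):
        return self.sessions.get(token)

    def get_document(self, token, doc_id):
        """Re-check authentication and ownership on every request.

        401 stops forceful browsing past the login page (Failure to Restrict
        URL Access); the owner check stops a logged-in user from reading another
        user's object just by knowing its id (Insecure Direct Object Reference).
        Missing and foreign ids get the same answer, so the response does not
        reveal which ids exist.
        """
        user = self.current_user(token)
        if user is None:
            return (401, None)
        entry = self.documents.get(doc_id)
        if entry is None or entry[0] != user:
            return (404, None)
        return (200, entry[1])


def demo():
    """Walk through the checks and return the observable results."""
    store = SessionStore()
    planted = "token-chosen-before-login"
    token = store.login("alice", "pw-alice", presented_token=planted)
    results = {
        "bad_password_rejected": store.login("alice", "wrong") is None,
        "planted_token_unusable": store.current_user(planted) is None,
        "fresh_token_is_random": token != planted and len(token) > 32,
        "own_document": store.get_document(token, 101),
        "foreign_document": store.get_document(token, 102),
        "missing_document": store.get_document(token, 999),
        "anonymous_request": store.get_document("no-session", 101),
    }
    store.logout(token)
    results["after_logout"] = store.get_document(token, 101)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of `get_document` is that the object id is never trusted on its own: ownership is looked up server-side for every request, and logout removes the session from the store rather than only clearing a cookie in the browser.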
Where Do These Problems Exist?
• Type:
  • Customer facing services
  • Partner portals
  • Employee intranets
• Source:
  • Applications you buy
  • Applications you build internally
  • Applications you outsource
How common are these issues?
• 80% of websites and applications are vulnerable to these attacks – Watchfire Research
Motives Behind Application Hacking Incidents
Source: Breach/WASC Web Hacking Incident Annual Report
Web Hacking Incidents by Industry
What is the Root Cause?
• Developers not trained in security
  • Most computer science curricula have no security courses
• Under investment from security teams
  • Lack of tools, policies, process, etc.
• Growth in complex, mission critical online applications
  • Online banking, commerce, Web 2.0, etc.
• Number one focus by hackers
  • 75% of attacks focused on applications – Gartner
Result: Application security incidents and lost data on the rise
Building Security Into the Development Process

Define/Design
• Security requirements, architecture, threat modeling, etc.

Development
• Test apps for security issues in Development, identifying issues at their earliest point
• Realize optimum security testing efficiencies (cost reduction)

Test
• Test apps for security issues in the QA organization along with performance and functional testing

Deploy
• Test apps before going to production
• Deploy secure web applications

Production
• Test existing deployed apps
• Eliminate security exposure in live applications
Security Testing Within the Software Lifecycle
[Diagram: security testing placed along the SDLC stages Build, Coding, QA, Security and Production; Developers are shown as the owners of the early stages.]
Application Security Testing Maturity
Other Vectors for Attack
• Network
  • Cloud
  • LAN/WAN
  • Network devices
• Database
  • Processed information of:
    • Financial data
    • People's private information
    • Government's confidential data
Resources
• https://www.owasp.org
• Sans.org
• Nist.gov
• Tools
  • Nikto
  • Burp
  • Zap Proxy
  • W3af
  • Nmap
  • shodan