Injecting Security Controls in Software Applications
Katy Anton (@KatyAnton)
March 14, 2019
About me
• Software development background
• Principal Application Security Consultant - Veracode
• OWASP Bristol Chapter Leader
• Project co-leader for OWASP Top 10 Proactive Controls (@OWASPControls)
Injection
CWEs in Injection Category
CWE-93: CRLF Injection
CWE-74: Injection
CWE-943: Improper Neutr. of Special El. in Query
CWE-94: Code Injection
CWE-91: XML Injection
CWE-78: XSS
CWE-77: Command Injection
CWE-89: SQL Injection
CWE-90: LDAP Injection
CWE-78: OS Cmd Inj
CWE-78: Argument Inj
Source: NVD
Decompose the Injection
Input: GET / POST data, file uploads, HTTP headers, database data, config files
Output: SQL, HTML, XML, bash script, LDAP query
Parser: SQL parser, HTML parser, XML parser, shell, LDAP parser
Input -> Output -> Parser
Data interpreted as code
Extract Security Controls
Input -> Output -> Parser

Vulnerability                    | Encode Output | Parameterize | Validate Input
SQL Injection                    |               | R            | R
XSS                              | R             |              | R
XML Injection (XPath Injection)  |               | R            | R
OS Cmd Injection                 | R             | R            | R
LDAP Injection                   | R             |              | R

Primary Controls: Encode Output, Parameterize. Defence in depth: Validate Input.
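The three controls in action for the SQL injection and XSS rows, as an added example that is not from the deck: the query is parameterized (the statement text never changes), the output is encoded for its HTML context, and allow-list validation sits in front as defence in depth. The table, usernames and the username syntax rule are constructed for the example.

```python
import html
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")   # constructed allow-list rule

def make_db():
    """Constructed in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn

def validate_username(value):
    """Defence in depth: allow-list validation of the input's syntax."""
    return bool(USERNAME_RE.match(value))

def find_role(conn, username):
    """Primary control for SQL injection: parameterize.
    The statement text is fixed; the input is bound as a value, so the SQL
    parser never interprets it as part of the query."""
    row = conn.execute("SELECT role FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row[0] if row else None

def render_greeting(username):
    """Primary control for XSS: encode the output for the HTML body context."""
    return "<p>Hello, " + html.escape(username, quote=True) + "</p>"

def lookup(conn, raw_username):
    """Validate first (defence in depth), then rely on the primary controls."""
    if not validate_username(raw_username):
        return None, "<p>Invalid username</p>"
    return find_role(conn, raw_username), render_greeting(raw_username)
```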
Sensitive Data Exposure
Data at Rest and in Transit
Vulnerabilities

Data Types                                                          | Encryption | Hashing
Data at Rest: requires the initial value, e.g. credit card          | R          |
Data at Rest: doesn't require the initial value, e.g. user passwords |            | R
Data in Transit                                                     | R          |
How Not to Do It!
Data at Rest: Vulnerabilities
encryption_key = PBKDF2(password, salt, iterations, key_length);
In the same folder, 2 files:
The content of password.txt:
Security Controls: Encryption
Cryptographic Storage
Strong Encryption Algorithm:
• AES
Key Management
• Store unencrypted keys away from the encrypted data.
• Protect keys in a Key Vault (Hashicorp Vault / Amazon KMS)
• Keep away from homegrown key management solutions.
• Define a key lifecycle.
• Build support for changing algorithms and keys when needed
• Document procedures for managing keys through the lifecycle
Source: https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
Security Controls: Password Storage
Use a Strong Algorithm:
• PBKDF2
• bcrypt
• scrypt
• Argon2i
• Java
• PHP - password_hash() supports Argon2i from version 7.2
Source: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
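Password storage with PBKDF2 from the standard library, as an added example (not the deck's or OWASP's code): a per-user random salt, a constant-time compare, and a self-describing record so the work factor can be raised later and stale records re-hashed at login, the same idea PHP's password_needs_rehash() serves. The 600,000 iteration count and the record format are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumed current work factor; raise it over time
SALT_BYTES = 16

def hash_password(password, iterations=ITERATIONS):
    """Return 'algorithm$iterations$salt$hash'. The record describes itself,
    so the work factor (or the algorithm) can change without breaking old rows."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])

def verify_password(password, stored):
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != ALGORITHM:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 base64.b64decode(salt_b64), int(iterations))
    # Constant-time comparison: no timing difference between near and far misses.
    return hmac.compare_digest(actual, base64.b64decode(digest_b64))

def needs_rehash(stored):
    """True when the record was made with a weaker setting than today's."""
    algorithm, iterations, _, _ = stored.split("$")
    return algorithm != ALGORITHM or int(iterations) < ITERATIONS

def login(password, stored):
    """Return (ok, record). On a successful login with an outdated record the
    password is re-hashed while the plaintext is still available, which is the
    moment PHP's password_needs_rehash() is meant to be checked."""
    if not verify_password(password, stored):
        return False, stored
    return True, (hash_password(password) if needs_rehash(stored) else stored)
```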
Security Controls: Data in Transit
TLS Everywhere!
• Client -> Application server
• Server -> Non-browser components
Intrusion Detection
"If a pentester is able to get into a system without being detected, then there is insufficient logging and monitoring in place."
Security Controls
Security Logging:
The security control that developers can use to log security information during the runtime operation of an application.
The 6 Best Detection Point Types
Good attack identifiers:
1. Authorisation failures
2. Authentication failures
3. Client-side input validation bypass
4. Whitelist input validation failures
5. Obvious code injection attack
6. High rate of function use
Source: https://www.owasp.org/index.php/AppSensor_DetectionPoints
Intrusion Detection Points Examples
Request Exceptions
• Application receives GET when expecting POST
• Additional form or URL parameters submitted with request
Authentication Exceptions
• The user submits a POST request which only contains the username variable. The password variable has been removed.
• Additional variables received during an authentication request (like 'admin=true')
Input Exceptions
• Input validation failure on server despite client-side validation
• Input validation failure on server side on non-user-editable parameters (hidden fields, checkboxes, radio buttons, etc.)
Source: https://www.owasp.org/index.php/AppSensor_DetectionPoints
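The request, authentication and input exception detection points above, implemented as an added example (not AppSensor's own code): each request is compared against what the application itself rendered, and every deviation becomes a logged event rather than a silent 400. The endpoints, parameter names and validation rules are constructed for the example.

```python
import re

# Constructed form specifications: for each endpoint, the method and parameters
# the application itself renders, which of them are not user-editable, and the
# server-side rule that the client-side validation mirrors.
FORM_SPECS = {
    "/login": {"method": "POST", "params": {"username", "password"},
               "hidden": set(), "rules": {}},
    "/profile": {"method": "POST", "params": {"display_name", "account_id"},
                 "hidden": {"account_id"},
                 "rules": {"display_name": re.compile(r"^[\w .'-]{1,40}$"),
                           "account_id": re.compile(r"^[0-9]{1,10}$")}},
}

def detect(path, method, params):
    """Return (detection point, detail) events for one request, following the
    AppSensor request/authentication/input exception examples."""
    spec = FORM_SPECS.get(path)
    if spec is None:
        return []
    events = []
    extra = sorted(set(params) - spec["params"])
    # Request exceptions
    if method != spec["method"]:
        events.append(("RequestException",
                       f"received {method}, expected {spec['method']}"))
    if extra:
        events.append(("RequestException", f"additional parameters: {extra}"))
    # Authentication exceptions (login form only)
    if path == "/login":
        if "username" in params and "password" not in params:
            events.append(("AuthenticationException", "password variable removed"))
        if extra:
            events.append(("AuthenticationException",
                           f"additional variables in authentication request: {extra}"))
    # Input exceptions: a server-side failure means the client-side check was
    # bypassed; on a hidden field it means the value was tampered with.
    for name, rule in spec["rules"].items():
        if name in params and not rule.match(params[name]):
            kind = "hidden field" if name in spec["hidden"] else "client-side validation"
            events.append(("InputException", f"{kind} bypass on {name}"))
    return events

def kinds(events):
    """The set of detection point types raised by a request."""
    return {kind for kind, _ in events}
```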
Vulnerable Components
Using Software Components with Known Vulnerabilities
Root Cause
• Difficult to understand
• Easy to break
• Difficult to test
• Difficult to upgrade
• Increase technical debt
Components Examples
Example of external components:
• Open source libraries - for example: a logging library
• APIs - for example: vendor APIs
• Libraries/packages by another team within the same company
Example 1: Implement Logging Library
• Third-party provides logging levels: FATAL, ERROR, WARN, INFO, DEBUG.
• We need only: DEBUG, WARN, INFO.
Simple Wrapper
Helps to:
• Expose only the functionality required.
• Hide unwanted behaviour.
• Reduce the attack surface area.
• Update or replace libraries.
• Reduce the technical debt.
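The Example 1 wrapper written out, as an added example that is not from the deck: Python's logging module stands in for the third-party library, only DEBUG, WARN and INFO are exposed, and the wrapper is also where CR/LF in messages is neutralized, so the CRLF injection CWE from the injection slide cannot forge log lines through any caller. The class and logger name are assumptions for the example.

```python
import logging

class SafeLogger:
    """Wrapper over the third-party logger (here Python's logging module):
    exposes only DEBUG, WARN and INFO, hides FATAL/ERROR and the rest of the
    backend API, and neutralizes CR/LF so a request-controlled value cannot
    forge extra log lines (CWE-93, CRLF injection)."""

    _LEVELS = {"debug": logging.DEBUG, "info": logging.INFO, "warn": logging.WARNING}

    def __init__(self, backend=None):
        # The backend is kept private; callers never reach error()/critical().
        self._backend = backend or logging.getLogger("app")

    @staticmethod
    def sanitize(message):
        """Escape line breaks so one event always stays one log line."""
        return str(message).replace("\r", "\\r").replace("\n", "\\n")

    def _emit(self, level, message):
        clean = self.sanitize(message)
        self._backend.log(self._LEVELS[level], "%s", clean)
        return clean   # returned so the behaviour can be checked

    def debug(self, message):
        return self._emit("debug", message)

    def info(self, message):
        return self._emit("info", message)

    def warn(self, message):
        return self._emit("warn", message)
```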
Example 2: Implement a payment gateway
Scenario:
• Vendor APIs - like payment gateways
• Can have more than one payment gateway in an application
• Require to be interchanged
Adapter Design Pattern
• Converts from the provided interface to the required interface.
• A single Adapter interface can work with many Adaptees.
• Easy to maintain.
Your Code -> Adapter -> Third-party code
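The Example 2 scenario as an added example (not the deck's code): two constructed vendor SDK stand-ins with incompatible interfaces, one adapter each, and application code that depends only on the required PaymentGateway interface, so gateways can be swapped and a vendor change stays inside its adapter. The SDK classes, method names and return shapes are invented for the example, not real vendor APIs.

```python
from dataclasses import dataclass

# Constructed stand-ins for two vendor SDKs (not real vendor APIs): one wants
# integer minor units and a token, the other a decimal string and a payer id,
# and they report success differently.
class VendorASdk:
    def create_charge(self, amount_cents, currency, token):
        return {"id": "ch_1", "status": "succeeded", "amount": amount_cents}

class VendorBSdk:
    def do_payment(self, total, currency_code, payer_id):
        return {"ack": "Success", "transaction": "PAY-1", "amt": total}

@dataclass(frozen=True)
class PaymentResult:
    provider: str
    reference: str
    succeeded: bool

class PaymentGateway:
    """The interface your code requires; each adapter converts one vendor to it."""
    def charge(self, amount_minor, currency, customer_ref):
        raise NotImplementedError

class VendorAAdapter(PaymentGateway):
    def __init__(self, sdk):
        self._sdk = sdk
    def charge(self, amount_minor, currency, customer_ref):
        r = self._sdk.create_charge(amount_minor, currency, customer_ref)
        return PaymentResult("vendor_a", r["id"], r["status"] == "succeeded")

class VendorBAdapter(PaymentGateway):
    def __init__(self, sdk):
        self._sdk = sdk
    @staticmethod
    def _to_decimal(amount_minor):
        return f"{amount_minor // 100}.{amount_minor % 100:02d}"   # 1999 -> "19.99"
    def charge(self, amount_minor, currency, customer_ref):
        r = self._sdk.do_payment(self._to_decimal(amount_minor), currency, customer_ref)
        return PaymentResult("vendor_b", r["transaction"], r["ack"] == "Success")

def checkout(gateway, amount_minor, currency, customer_ref):
    """Application code depends only on PaymentGateway, so gateways interchange
    and a vendor SDK change is confined to its adapter."""
    if not isinstance(gateway, PaymentGateway):
        raise TypeError("gateway must implement PaymentGateway")
    return gateway.charge(amount_minor, currency, customer_ref)
```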
Example 3: Implement a Single Sign-On
• Libraries/packages created by another team in the company
• Re-used by multiple applications
• Common practice in large companies
Façade Design Pattern
• Simplifies the interaction with a complex sub-system
• Makes it easier to use a poorly designed API
• It can hide away the details from the client.
• Reduces dependencies on the outside code.
Secure Software Starts from Design!
Wrapper: To expose only required functionality and hide unwanted behaviour.
Façade Pattern: To simplify the interaction with a complex sub-system.
Adapter Pattern: To convert from the required interface to the provided interface.
Your Code -> Adapter -> Third-party code
How often?
Rick Rescorla
• United States Army officer of British origin
• Born in Hayle, Cornwall
• Director of Security for Morgan Stanley in WTC
Security Controls Recap
(Diagram: Software Application inside Application Server inside Operating System. Controls shown: Param Data, Param Queries, Key Management, Secure Data, Encode output, Validate Input, TLS at each boundary, Log Exceptions; application modules encapsulated behind a Library wrapper.)
Final Takeaways
Focus on Security Controls which prevent CWEs
Verify Regularly
Thank you very much
@KatyAnton