Securing Applications


Published on January 6, 2009

Author: dayioglu

Source: slideshare.net

Securing Applications
A Practical Primer for Developers
Burak Dayıoğlu
Your security, your future

About the presenter

Application Security Today

BJ's Settles Case with FTC over Customer Data (June 17, 2005)
After credit card data for thousands of customers was used to make fraudulent purchases in other stores, BJ's Wholesale Club Inc. has agreed
FTC alleges weak security at wholesale club led to fraudulent sales valued in the millions.

Visa, Amex Cut Ties with CardSystems (July 19, 2005)
Visa USA Inc. and American Express Co. are cutting ties with the payment-processing company that left 40 million credit and debit card accounts vulnerable to hackers in one of the biggest breaches of consumer data.

Massive Security Breach Reveals Credit Card Data (Jan 18, 2007)
The TJX Companies, a large retailer that operates more than 2,000 retail stores under brands such as Bob's Stores, HomeGoods, Marshalls, T.J. Maxx and A.J. Wright, said on Wednesday that it suffered a massive computer breach on a portion of its network that handles credit card, debit card, check and merchandise transactions in the United States and abroad.

CNBC's Easy Money
BusinessWeek uncovers that the cable channel's own design flaw may be behind the investigation into its million-dollar stock-picking contest.

USDA admits data breach, thousands of social security numbers revealed (Thursday, 17 April 2007, AXcess News)
Washington - The US Department of Agriculture (USDA) admitted that a security breach allowed social security and other personal information of over 63,000 recipients of federal farm loans to be made available on a public website in violation of Federal privacy laws.

Holistic Approach to Security

Network (defend the network)
  Controls: port blocking, filtering, encryption
  Threats: spoofed packets, etc.

Host (defend the host)
  Controls: updates, IIS hardening, ACLs, CAS, logging, least privilege, account mgmt.
  Threats: buffer overflows, illicit paths, etc.

Application (defend the application)
  Controls: validation, hashing, encryption, secrets mgmt., cookie mgmt., session mgmt., error handling
  Threats: SQL injection, XSS, input tampering, etc.

Hacking with Google

Security in the Development Lifecycle

Milestones: Requirements, Design Complete, Test Plans Complete, Code Complete, Ship, Post Ship.

Security activities along the way:
  Assessing security requirements
  Development team training
  Threat modeling
  Use of design principles
  Applying security patterns
  Inspecting previous vulnerabilities
  External review
  Secure programming techniques
  Source code reviews
  Static analysis tools
  Review check-ins
  Security testing
  Penetration test
  External review and/or test
  Support and incident response
  Learn and improve

Guiding Design Principles

  Secure the weakest link
  Practice defense in depth
  Fail securely
  Follow the principle of least privilege
  Compartmentalize
  Keep it simple
  Remember that hiding secrets is hard
  Be reluctant to trust

Attack Surface Reduction (ASR)

A system's attack surface is the set of ways in which an attacker can enter and potentially cause damage to the system.

The measure of a system's attack surface is an indication of the system's security.

The larger the attack surface, the more insecure the system.

Reducing the Attack Surface

Reduce the amount of running code
  Do 80 % of your users actually use the functionality? If not, turn it off.

Reduce entry points
  If you can do the same with fewer ports, sockets, service entry points etc., then just do it.

Reduce access to entry points by untrusted users
  Restrict access to network endpoints used by your application to the local subnet or IP range.

Input Validation

All data coming from untrusted sources should be validated before being processed.

It might be possible to tamper with application flow and/or behaviour using invalid data.

What you can trust depends on the application context:
  Users
  Applications on the same host
  Shared libraries (.so, .dll etc.)
  OS interfaces
  Other modules in the same application

Blacklisting is “Bad”

Endless security issues with PHF (mid 1990's):
  Command injection (improper input validation)
  Fix through blacklisting
  Command injection, round 2 (in just two days)
  Fix through blacklisting
  Command injection, round 3 (in just another day)
  Fix through whitelisting (problem solved)

The same pattern applies to command injection, SQL injection, LDAP injection etc.

Sample SQL Injection

Sample vulnerable code fragment (PHP):

    $query = "SELECT title FROM news WHERE body LIKE '%" . $criteria . "%'";

When criteria is SECURITY, the query becomes:

    SELECT title FROM news WHERE body LIKE '%SECURITY%'

When criteria is '; DELETE FROM news--, the query becomes:

    SELECT title FROM news WHERE body LIKE '%'; DELETE FROM news-- %'

What would be the Query?

    Select * from users where
      username = "_1_" and
      password = "_2_";

Cross-Site Scripting (XSS)

    /location=<script>document.images[4].src="http://www.badsite.com/news.jpg"</script>

Web is just a messaging protocol

HTML Form Tampering

    <FORM METHOD=POST ACTION="/pb/phonebook.php">
      <INPUT type="hidden" name="sessionID" value="ad757gj02m357">
      <INPUT type="hidden" name="username" value="pinguin">
      <INPUT type="submit" name="Retrieve Entries">
    </FORM>                                              (1)

    <INPUT TYPE=text NAME=phonenumber MAXLENGTH=30>      (2)

    <INPUT TYPE="radio" NAME="agegroup" VALUE="young">
    <INPUT TYPE="radio" NAME="agegroup" VALUE="middle">
    <INPUT TYPE="radio" NAME="agegroup" VALUE="old">     (3)

    <SELECT NAME="langs">
      <OPTION VALUE=PHP>Personal Home Page</OPTION>
      <OPTION VALUE=ASP>Active Server Pages</OPTION>
    </SELECT>                                            (4)

Validating Form Data in Browser

Client side validations can be bypassed or tampered with.

    <HTML>
    <HEAD><TITLE>Client Side Validation Example</TITLE>
    <SCRIPT LANGUAGE="Javascript1.2">
    <!--
    function checkmail() {
      // Only checks the shape of the address; the server must check again.
      var regexpmail = /^[a-z0-9_.-]+@([a-z0-9_-]+\.)+[a-z0-9_-]+$/;
      var stremail = document.myform.email.value;
      var result = stremail.match(regexpmail);
      if (!result) {
        alert("Address information not valid, pls try again");
        return false;
      }
      return true;
    }
    //-->
    </SCRIPT></HEAD><BODY>
    <FORM NAME=myform ONSUBMIT="return checkmail()">
    <INPUT TYPE=text NAME=email MAXLENGTH=50><INPUT TYPE=submit VALUE="Submit">
    </FORM>
    </BODY></HTML>
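Server-side re-validation of the phonebook form from the two slides above, as an added example written for this page rather than taken from the presentation; it also shows the whitelisting the PHF slide argues for. Field names, MAXLENGTH and the radio/select values come from the slide's HTML; the phone and e-mail patterns, the session-based username and the dict-shaped form body are assumptions.

```python
import re

# Allowed values copied from the slide's form. The server keeps its own copy
# because anything in the HTML (hidden fields, MAXLENGTH, option values) is
# under the control of whoever submits the request.
AGEGROUPS = {"young", "middle", "old"}
LANGS = {"PHP", "ASP"}
PHONE_MAXLENGTH = 30
# Whitelist patterns (assumed formats): what a field may contain, not what it may not.
PHONE_RE = re.compile(r"^\+?[0-9][0-9 ()-]{0,27}[0-9]$")
EMAIL_RE = re.compile(r"^[a-z0-9_.+-]+@([a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def validate_submission(form, session_username):
    """Return the names of fields that fail server-side validation.

    form: the decoded POST body as a dict of str -> str (assumed shape).
    session_username: the user the server already authenticated for this session.
    """
    errors = []
    phone = form.get("phonenumber", "")
    # The browser's MAXLENGTH=30 is re-checked here; it stops nothing on its own.
    if len(phone) > PHONE_MAXLENGTH or not PHONE_RE.match(phone):
        errors.append("phonenumber")
    # Radio and select values are compared against the server's own list.
    if form.get("agegroup") not in AGEGROUPS:
        errors.append("agegroup")
    if form.get("langs") not in LANGS:
        errors.append("langs")
    # The JavaScript checkmail() check is repeated on the server.
    if not EMAIL_RE.match(form.get("email", "")):
        errors.append("email")
    # A hidden username field is just more client input: the session record
    # is authoritative, and a mismatch is treated as tampering, not trusted.
    if form.get("username", session_username) != session_username:
        errors.append("username")
    return errors


if __name__ == "__main__":
    # Constructed submissions: one honest, one with every field edited.
    honest = {"phonenumber": "+90 312 555 0100", "agegroup": "young",
              "langs": "PHP", "email": "pinguin@example.com", "username": "pinguin"}
    edited = {"phonenumber": "0" * 31, "agegroup": "ancient",
              "langs": "JSP", "email": "not-an-address", "username": "admin"}
    print("honest:", validate_submission(honest, "pinguin"))
    print("edited:", validate_submission(edited, "pinguin"))
```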

Error Messages

Error messages might reveal sensitive information to a potential attacker:
  Portions of an SQL statement
  Error messages that include the brand/version of the database or directory server
  Error message for a file that doesn't open up
  …

Handle all failure cases that you can foresee, and configure the environment to log (and not display) verbose error messages.

Filesystem Operations and Security

Any component that operates on files is high risk. If input validation is broken somehow:
  Arbitrary files might be read
  Arbitrary files might be overwritten
  Arbitrary files might be uploaded & executed

Beware of critical symbols for filesystem objects and the OS shell:
  . .. && || > < * ; null (%00)
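An added example (written for this page, not from the presentation) of the validation the slide above calls for: a user-supplied file name is decoded once, refused if it carries a NUL or a shell metacharacter from the slide's list, restricted to a whitelisted character set, and then canonicalised and checked to still lie inside the one allowed directory. The /srv/uploads directory and the allowed character set are assumptions.

```python
import os
from urllib.parse import unquote

# Shell metacharacters from the slide's list; a file name never needs them.
SHELL_METACHARACTERS = set("&|><*;")


def resolve_file_path(base_dir, requested):
    """Return the canonical path for a user-supplied file name inside base_dir.

    Raises ValueError for anything that is not a plain relative name staying
    inside base_dir, which is assumed to be the only directory this component
    may read or write.
    """
    # Decode once, so an encoded NUL (%00) or an encoded '..' is seen for what it is.
    name = unquote(requested)
    if "\x00" in name:
        raise ValueError("embedded NUL byte")
    if any(ch in SHELL_METACHARACTERS for ch in name):
        raise ValueError("shell metacharacter in file name")
    # Whitelist the allowed characters instead of blacklisting a few bad ones.
    if not name or not all(ch.isalnum() or ch in "._-/" for ch in name):
        raise ValueError("unexpected character in file name")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # Containment is checked after canonicalisation, so '.', '..', an absolute
    # path and symlinks have all been resolved before the prefix is compared.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes the allowed directory")
    return candidate


def is_rejected(base_dir, requested):
    """True when resolve_file_path() refuses the name (helper for checks)."""
    try:
        resolve_file_path(base_dir, requested)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: the first is honest, the rest use the slide's symbols.
    for name in ["report-2009.txt", "../etc/passwd", "%2e%2e/etc/passwd",
                 "notes.txt%00.jpg", "a;b", "/etc/passwd"]:
        print(repr(name), "rejected" if is_rejected("/srv/uploads", name)
              else resolve_file_path("/srv/uploads", name))
```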

Easy to Guess Files and Directories

There are things to discover by just educated guessing:
  /CVS
  /admin
  /test
  README
  INSTALL
  backup.zip

Backup Files

Would one of them be left somewhere?
  mycode.jsp~
  mycode.jsp.OLD
  mycode.jsp.ORIG
  mycode.jsp.BACK
  mycode.jsp.BAK

Directory Listings

Directory listings should be turned off for all servers/sites.

Thank you!

[email_address]
Twitter: dayioglu
FriendFeed: dayioglu
http://www.burakdayioglu.net

Your security, your future
