
Application Security-Understanding The Horizon

This presentation is part of a talk I gave at the Microsoft .NET Bootcamp. The contents are slightly edited to share the information in the public domain. In this presentation, I tried to cover the broader aspects of Application Security basics. This presentation will be useful for software architects, managers, developers and QAs. Do share your feedback in the comments.


Slide 1. Application Security-I: Understanding The Horizon (Lalit Kale)

Slide 2. Overview
  • Introduction
  • Foundations of Security
  • Layered Security Approach
  • Importance of Application Security
  • OWASP Top 10 Threats
  • Industry Gap
  • Bridging The Gap: Step by Step
  • Microsoft Security Development Lifecycle (MS-SDL)
  • Measurable results of applying MS-SDL
  • Resources

Slide 3. Movie: Ocean's Eleven

Slide 4. DEMO: Simple website hacking
Slide 5. Why you should know hacking?
  • Developers need to hone their cyber-offence skills: if you can't think like a hacker, it's difficult to defend against them
  • Hack your own website: your first website security assessment
  • Defense in depth: fix multiple security flaws that would otherwise have been a single point of failure

Slide 6. Who are hackers?
  • Ethical Hackers/Hacktivists: motivated by a higher cause
  • Cyber Criminals: motivated by financial gain, identity theft, malicious intentions
  • Nation States: cyber warfare for national security and political interest

Slide 7. Hacker Targets
  • Enterprise Websites/Portals
  • Financial Websites/Portals
  • Government Websites/Portals
  • Social Media Websites/Portals

Slide 8. Common Myth: "We are secure since we have a firewall!"
  (Diagram) Network layer: firewall, firewall. Application layer: app server, web server, hardened OS, web services, custom developed application code, legacy systems, databases, billing, human resources, directories. Application attack: your security "perimeter" has huge holes at the application layer.
  • You can't use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks

Slide 9. Man in the Middle Attack
Slide 10. Common Sources of Untrusted Data
  • User: in the URL via a query string or route; posted via a form
  • Browser: cookies; request headers
  • Other: external services; your own database!
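As an added example (not part of the talk's slides), here is Python that treats every one of the sources listed above as untrusted: structured fields from the query string and cookies are validated against an allow-list, free text from a form post and from the application's own database is encoded at the point of output, and a request header is parsed rather than believed. The sample request, the validation rules and the database row are constructed for the demonstration.

```python
import html
import ipaddress
import re

# Constructed sample request (not captured from a real site). Every value here is
# under the sender's control, including the cookie, the header, and the row that
# came back from our own database (it was stored from an earlier form post).
SAMPLE_REQUEST = {
    "query": {"page": "2", "sort": "name; DROP TABLE users"},
    "form": {"display_name": "<script>alert(1)</script>"},
    "cookies": {"theme": "dark'; --"},
    "headers": {"x-forwarded-for": "10.0.0.1, <img src=x onerror=alert(1)>"},
}
DB_ROW = {"display_name": "<b>stored</b> from an old form post"}

# Allow-list rules (hypothetical for this example): the shape a valid value must have.
RULES = {
    "page": re.compile(r"[1-9][0-9]{0,3}"),
    "sort": re.compile(r"name|date|size"),
    "theme": re.compile(r"light|dark"),
}


class ValidationError(ValueError):
    pass


def validate(field, value, rules=RULES):
    """Accept a value only if a rule exists for the field and the whole value matches it."""
    rule = rules.get(field)
    if rule is None:
        raise ValidationError(f"{field}: no validation rule, refusing to accept")
    if not isinstance(value, str) or rule.fullmatch(value) is None:
        raise ValidationError(f"{field}: rejected {value!r}")
    return value


def encode_for_html(value):
    """Output encoding: free text is going into an HTML body, so encode it for that context."""
    return html.escape(str(value), quote=True)


def forwarded_addresses(header_value):
    """Keep only the entries of X-Forwarded-For that parse as IP addresses.
    Which hop to believe depends on your own proxy chain; this only drops garbage."""
    addresses = []
    for item in header_value.split(","):
        try:
            addresses.append(str(ipaddress.ip_address(item.strip())))
        except ValueError:
            continue
    return addresses


def process_request(req, db_row):
    """Apply the right control to each source and report what was accepted, rejected or encoded."""
    result = {"accepted": {}, "rejected": {}, "rendered": {}, "client_chain": []}
    # Structured fields (query string, route values, cookies) get allow-list validation.
    for source in ("query", "cookies"):
        for field, value in req[source].items():
            try:
                result["accepted"][field] = validate(field, value)
            except ValidationError as exc:
                result["rejected"][field] = str(exc)
    # Free text from the form and from the database cannot be allow-listed,
    # so it is encoded at the moment it is placed into HTML.
    result["rendered"]["form_name"] = encode_for_html(req["form"]["display_name"])
    result["rendered"]["db_name"] = encode_for_html(db_row["display_name"])
    # Headers are parsed, not trusted.
    result["client_chain"] = forwarded_addresses(req["headers"].get("x-forwarded-for", ""))
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(process_request(SAMPLE_REQUEST, DB_ROW), indent=2))
```

The design point is that the control is chosen by the shape of the data, not by where it came from: anything with a known grammar is allow-listed, anything free-form is encoded for the context it is written into, and data from the database gets the same treatment as data from the browser because that is where it originally came from.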
Slide 11. Building A Risk Profile
  • Attackers want to understand as much as possible about the website in order to find vulnerabilities in it, so they analyze:
  • What are the points of untrusted data entry?
  • What sanitation practices have been employed?
  • What framework and libraries is the website running on?
  • What can be discovered about the site structure?
  • What can be learned from the "view source" option of browsers?
  • Are any useful internal error messages sent up to the browser?
  • Are there sufficient access controls on diagnostic data?
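A defender can ask the same questions of their own site before anyone else does. The following Python is an added example, not from the original presentation: it parses a constructed HTTP response and flags the two things the last questions above are about, namely headers that reveal the framework and internal error details reaching the browser. The two sample responses, the header list and the marker patterns are constructed for the demonstration and are not exhaustive.

```python
import re

# Constructed sample responses (not captured from any real server). The first is what a
# verbose default error page looks like; the second is the same failure after hardening.
LEAKY_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Server Error in '/' Application.</h1>"
    "<p>System.Data.SqlClient.SqlException: Incorrect syntax near 's'.</p>"
    "<p>at MyApp.Orders.Page_Load(Object sender, EventArgs e) "
    "in c:\\src\\Orders.aspx.cs:line 42</p></body></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><p>Something went wrong. Reference: 7f3a9c</p></body></html>"
)

# Headers that announce the platform to anyone who asks (constructed list).
DISCLOSING_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}

# Body fragments that only a developer should ever see (constructed patterns).
INTERNAL_ERROR_MARKERS = {
    "asp.net default error page": re.compile(r"Server Error in '[^']*' Application"),
    ".net exception type": re.compile(r"\bSystem(?:\.\w+)+Exception\b"),
    "stack frame with source path": re.compile(r"\bat [\w.]+\([^)]*\) in [A-Za-z]:\\"),
}


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def find_disclosures(raw):
    """Return a list of findings describing what the response tells an outsider."""
    status, headers, body = parse_response(raw)
    findings = []
    for name in sorted(DISCLOSING_HEADERS & headers.keys()):
        findings.append(f"header reveals platform: {name}: {headers[name]}")
    for label, pattern in INTERNAL_ERROR_MARKERS.items():
        if pattern.search(body):
            findings.append(f"body reveals internals ({label}) on '{status}'")
    return findings


if __name__ == "__main__":
    for title, response in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(title, find_disclosures(response) or "no disclosures")
```

Running it over the first response yields six findings; the hardened response, which keeps the opaque reference id and nothing else, yields none. The same function can be pointed at responses saved from a staging environment to catch a debug-mode error page before it ships.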
Slide 12. Data Breaches of 2012

Slide 13. Cybercrime Evolution
  • 1986–1995: LANs; first PC virus; motivation: damage
  • 1995–2003: Internet era; "big worms"; motivation: damage
  • 2004+: OS and DB attacks; spyware, spam; motivation: financial
  • 2006+: targeted attacks; social engineering; motivation: financial + political
  • Cost of U.S. cybercrime: about $70B
  • 2007 market prices: credit card number $0.50 - $20; full identity $1 - $15; bank account $10 - $1000
  • Source: U.S. Government Accountability Office (GAO), FBI

Slide 14. Evolving Threats

Slide 15. "Information security is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction."

Slide 16. Foundations of Application Security
  • Authentication: Who are you?
  • Authorization: What can you do?
  • Auditing (non-repudiation): you cannot deny your action
  • Confidentiality (privacy): data remains private and confidential
  • Integrity: data is protected
  • Availability: the system remains available

Slide 17. Layered Security Approach
  • Physical Security: controlled access, electronic surveillance, video surveillance, security personnel
  • Perimeter Security: firewalls, IDS
  • Network Security: segmentation, secure W-LAN, IPSec, DMZ
  • Host Security: server hardening, client hardening, patch management, anti-virus, distributed firewalls
  • Application Security: IIS hardening, Exchange hardening, SQL Server hardening

Slide 18. Attacks are focusing on applications
  • Operating system vs browser and application vulnerabilities
  • 90% of vulnerabilities are remotely exploitable
  • Sources: Microsoft Security Intelligence Report V7; IBM X-Force, 2008

Slide 19. Importance of Application Security
  • Web applications have the largest number of vulnerabilities.
  • Sources: Sept 2009 report with data from TippingPoint IPS and vulnerability data by Qualys.

Slide 20. Web Applications Complexity
  • Very complex architectures, multiple platforms and protocols
  (Diagram) Browser and wireless clients, HTTP, web servers, presentation layer, web services, application server, business logic, network, database server, customer identification, media store, content services, access controls, transaction information, core business data

Slide 21. Web Applications Breach Perimeter
  (Diagram) Internet, DMZ, trusted inside, corporate inside. The browser talks HTTP(S); the firewall allows HTTP on port 80 and HTTPS on port 443 to the web servers (IIS, Apache). The firewall only allows applications on the web server to talk to the application server (ASP.NET, WebSphere, Java). The firewall only allows the application server to talk to the database server (MS-SQL, Oracle, DB2).
Slide 22. OWASP Top 10 Threats (application threat; negative impact; example impact)
  • Injection Flaws. Negative impact: attacker can manipulate queries to the DB / LDAP / other system. Example impact: hackers can access backend database information, alter it or steal it.
  • Broken Authentication & Session Management. Negative impact: session tokens not guarded or invalidated properly. Example impact: hacker can "force" a session token on a victim; session tokens can be stolen after logout.
  • Cross-Site Scripting. Negative impact: identity theft, sensitive information leakage, ... Example impact: hackers can impersonate legitimate users and control their accounts.
  • Insecure Direct Object Reference. Negative impact: attacker can access sensitive files and resources. Example impact: web application returns the contents of a sensitive file (instead of a harmless one).
  • Security Misconfiguration. Negative impact: attackers can gain detailed system information. Example impact: malicious system investigation may assist in developing further attacks.
  • Sensitive Data Exposure. Negative impact: sensitive info sent unencrypted over an insecure channel. Example impact: unencrypted credentials "sniffed" and used by a hacker to impersonate the user.
  • Missing Function Level Access Control. Negative impact: attacker can access unauthorized resources. Example impact: hacker can forcefully browse to and access a page past the login page.
  • Cross-Site Request Forgery. Negative impact: attacker can invoke "blind" actions on web applications, impersonating a trusted user. Example impact: blind requests to a bank account transfer money to the hacker.
  • Using Components with Known Vulnerabilities. Negative impact: attacker can exploit a vulnerable component to gain access to the system. Example impact: data loss and server takeover.
  • Unvalidated Redirects and Forwards. Negative impact: attacker can redirect victims to phishing sites. Example impact: attacker can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
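Two of the items above, injection flaws and unvalidated redirects, are easy to show side by side with their fixes. The following Python is an added example written for this page, not code from the talk, from WebGoat or from OWASP; the in-memory users table, the `www.example.com` host name and the shape of the `next` parameter are assumptions made for the demonstration. It puts a string-built query next to its parameterised replacement, and adds a redirect-target check that refuses to send the user off-site.

```python
import sqlite3
from urllib.parse import urljoin, urlparse

OWN_HOST = "www.example.com"  # assumption: the site's own host name


def make_db():
    """Constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


def find_user_before(conn, username):
    """Before: the input is pasted into the SQL text, so it can change the query's meaning."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_after(conn, username):
    """After: a parameterised query; the driver passes the input as data, never as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def safe_redirect_target(next_url, own_host=OWN_HOST):
    """Resolve a user-supplied 'next' value and allow it only if it stays on our own host
    over https. Absolute URLs to other hosts, scheme-relative //host paths, userinfo tricks
    and non-http schemes all fall back to the site root."""
    target = urljoin(f"https://{own_host}/", next_url)
    parsed = urlparse(target)
    if parsed.scheme != "https" or parsed.netloc.lower() != own_host:
        return "/"
    return target


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"  # constructed input that closes the quoted literal early
    print("before:", find_user_before(conn, probe))  # every user comes back
    print("after: ", find_user_after(conn, probe))   # nothing comes back
    for candidate in ("/account", "https://evil.example/phish", "//evil.example/x"):
        print(candidate, "->", safe_redirect_target(candidate))
```

The redirect check deliberately resolves the value against the site's own base URL first, so that relative paths keep working while every form of absolute or scheme-relative URL is compared against the host allow-list after normalisation rather than before.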
Slide 23. DEMO: OWASP Top 10 Threats (Project: WebGoat)

Slide 24. Industry Gap
  • Security professional: "As a Network Security Professional, I don't know how my company's web applications are supposed to work, so I deploy a protective solution... but don't know if it's protecting what it's supposed to."
  • Application developers and QA: "As an Application Developer, I can build/test great features and functions while meeting deadlines, but I don't know how to develop/test my web application with security as a feature."

Slide 25. Bridging The Gap: Step by Step
  • Prioritize application security as an important non-functional requirement
  • Improve awareness of application security among developers and QAs
  • Incorporate security in the SDLC
  • Define clear roles and responsibilities towards application security
  • Promote penetration testing of applications

Slide 26. Microsoft Security Development Lifecycle
  • Education: administer and track security training
  • Process: guide product teams to meet SDL requirements
  • Accountability: establish release criteria and sign-off as part of the FSR (Final Security Review)
  • Ongoing process improvements
  • Incident response (MSRC)

Slide 27. Measurable results: Microsoft SDL and Windows
  (Chart) Total vulnerabilities disclosed one year after release, comparing Windows XP (before SDL) and Windows Vista (after SDL) with three other operating systems (OS I, OS II, OS III); bar values shown: 400, 242, 157, 119, 66. 45% reduction in vulnerabilities. Source: Windows Vista One Year Vulnerability Report, Microsoft Security Blog, 23 Jan 2008.

Slide 28. Measurable results: Microsoft SDL and SQL Server
  (Chart) Total vulnerabilities disclosed 36 months after release, comparing SQL Server 2000 (before SDL) and SQL Server 2005 (after SDL) with a competing commercial DB; bar values shown: 187, 34, 3. 91% reduction in vulnerabilities. Sources: analysis by Jeff Jones (Microsoft TechNet security blog).

Slide 29. DEMO: Microsoft Security Assessment Tool 4.0

Slide 30. Resources
  • OWASP (Open Web Application Security Project):
  • Microsoft Security:
  • Wikipedia:

Slide 31. Lalit Kale. This presentation is shared under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license. More information for this license is available at
  All trademarks are the property of their respective owners. Lalit Kale makes no warranties, express, implied or statutory, as to the information in this presentation.