Governance and Risk Management
WEB APPLICATION SECURITY
YOUR LAST LINE OF DEFENSE
© 2008 IBM Corporation
Anthony Lim
MBA CISSP CSSLP FCITIL
Director, Security, Asia Pacific
Rational Software
Aug 06 2009
Prolog / Disclaimer: State of Application Security Awareness Today

• Half the people don’t know about it
• Of the other half who may know something about it:
  – ½ of whom may know quite a bit about it … but …
    • ½ of these tend to keep the matter to themselves and/or assume others know as much about it
    • The other half tend to be opinionated
  – Of the other half:
    • ½ of these think it’s other people’s job/problem
    • The other ½ don’t care about it or don’t want to know about it … they have other things to worry about, or don’t want to take on additional work, or fear that if they can’t deal with it well they will get into trouble with the boss
Smarter planet opportunities driven by Web-enabled applications

The Opportunity – smarter planet
• Globalization and Globally Available Resources
• New Forms of Collaboration
• Access to streams of information in real time
• Billions of mobile devices accessing the Web
• Web 2.0
• SOA
Prolog: The Security Journey Continues

• New, More, Bigger, Better …
  • SYSTEMS
  • APPLICATIONS
  • SERVICES
• -> New Risks
• -> New Vulnerabilities
• -> New Hacking methods
  • Viruses, Worms, RATs, Bots … (Remote Access Trojans = Spyware)
• -> NEW: GOVERNANCE & COMPLIANCE!
  • Data Privacy
Regulation & Compliance

• SARBANES-OXLEY, HIPAA, BASEL II …
• It is part of doing business
• Business Continuity
• An environment of TRUST
  – For doing business
  – Ensure orderliness in the Internet world
  – Promote economic growth
• More than just Confidentiality, Integrity and Availability
• Privacy: 3rd Party Customer Data
GOVERNANCE AND COMPLIANCE

ILLEGAL TO STEAL AND/OR MISUSE DATA, INCLUDING ELECTRONIC DATA
It Gets Worse

• WAP, GPRS, EDGE, 3G
• 802.1x
• Broadband
Changing security landscape creates complex threats

• Web-enabled applications drive the need for security
• New applications are increasing the attack surface
• Complex Web applications create complex security risks
• Making applications more available to “good” users makes them more available to “bad” users
• Web attacks are evolving to blended attacks (i.e. planting of malware on legitimate Web sites)

Desktop: Browser
Server: Hypervisor and Virtualization, Web Applications
The Myth: “Our Site Is Safe”

• We Have Firewalls and IPS in Place
  – Port 80 & 443 are open for the right reasons
• We Audit It Once a Quarter with Pen Testers
  – Applications are constantly changing
• We Use Network Vulnerability Scanners
  – Neglect the security of the software on the network/web server
• We Use SSL Encryption
  – Only protects data between site and user, not the web
SOMETHING IS STILL OUT THERE …
May 7, 2009, CNet Tech News: Report: Hackers broke into FAA air traffic control systems
Reality: Security and Spending Are Unbalanced

• 75% of All Attacks on Information Security are Directed to the Web Application Layer
• 2/3 of All Web Applications are Vulnerable
WHY DO HACKERS TODAY TARGET APPLICATIONS?

• Because they know you have firewalls
  – So it’s not very convenient to attack the network anymore
  – But they still want to attack ’cos they still want to steal data …
• Because firewalls do not protect against app attacks!
  – So the hackers are having a field day!
  – Very few people are actively aware of application security issues
• Because web sites have a large footprint
  – No need to worry anymore about cumbersome IP addresses
• Because they can!
  – It is difficult or impossible to write a comprehensively robust application
    • Developers are yet to have secure coding as second nature
    • Developers think differently from hackers
    • Cheap, Fast, Good – choose two, you can’t have it all
    • It is a nightmare to manually QA the application
Top Hack Attacks Today Target Web Applications
Web Application Hacks are a Business Issue

Application Threat              | Negative Impact               | Potential Business Impact
--------------------------------|-------------------------------|---------------------------------------------------------
Buffer overflow                 | Denial of Service (DoS)       | Site Unavailable; Customers Gone
Cookie poisoning                | Session Hijacking             | Larceny, theft
Hidden fields                   | Site Alteration               | Illegal transactions; misdirect customers to bogus site
Debug options                   | Admin Access                  | Unauthorized access, privacy liability, site compromised
Cross Site Scripting            | Identity Theft                | Larceny, theft, customer mistrust
Stealth Commanding              | Access O/S and Application    | Access to non-public personal information, fraud, etc.
Parameter Tampering             | Fraud, Data Theft             | Alter distributions and transfer accounts
Forceful Browsing/SQL Injection | Unauthorized Site/Data Access | Read/write access to customer databases
25-27 FEB 2009, GOLD COAST, AUSTRALIA
Now there’s Web “Man-in-the-Middle” Attacks
First presented at OWASP AP Conference, Mar 09, Brisbane
Malware on Web Applications

• Malware can be delivered in many ways:
  – E-mail, IM, network vulnerabilities …
• Today, Malware is primarily delivered via Web Applications:
  – Aims to infect those browsing the site
  – Installed via Client-Side (e.g. Browser) Vulnerabilities & Social Engineering
• Malicious content can be downloaded:
  – From the web application itself
  – Through frames & images leading to other websites
  – Through links leading to malicious destinations
• Legitimate Sites Hijacked to distribute Malware!
  – McAfee, Asus, US Govt Staff Travel Site, Wordpress.org, SuperBowl, …

Diagram (labels only): http://evil.org, http://host.com (Image), <script src=file.js>
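The include-based delivery on this slide, as an added defender's check that is not part of the original deck: it inventories every script, frame, image, embed and object a page loads from a host other than its own, which is the list to review when a legitimate site is suspected of serving someone else's content. The page URL, the sample HTML and the tag/attribute set are assumptions.

```python
# Added example, not from the original deck: inventory the third-party includes
# through which a hijacked legitimate site would pull content from elsewhere.
# The page URL, the sample HTML and the tag/attribute set are assumptions.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose attribute makes the browser fetch and act on another resource.
_SRC_ATTRS = {"script": "src", "iframe": "src", "frame": "src",
              "img": "src", "embed": "src", "object": "data"}


class IncludeCollector(HTMLParser):
    """Collects (tag, absolute_url) for every include found in the page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.includes = []

    def handle_starttag(self, tag, attrs):
        attr = _SRC_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if value:
            # Relative and protocol-relative paths resolve as a browser would.
            self.includes.append((tag, urljoin(self.page_url, value)))


def foreign_includes(page_url, html):
    """Return the (tag, url) pairs served from a host other than the page's."""
    parser = IncludeCollector(page_url)
    parser.feed(html)
    own_host = urlparse(page_url).hostname
    return [(tag, url) for tag, url in parser.includes
            if urlparse(url).hostname != own_host]


# Constructed page: host.com includes file.js from evil.org, as on the slide.
SAMPLE_HTML = """<html><body>
<img src="/logo.png">
<script src="http://evil.org/file.js"></script>
<iframe src="http://host.com/ads/frame.html"></iframe>
<script src="//cdn.example.net/lib.js"></script>
</body></html>"""

if __name__ == "__main__":
    for tag, url in foreign_includes("http://host.com/index.html", SAMPLE_HTML):
        print(f"{tag:<7}{url}")
```

Same-host includes (the logo and the ads frame) are dropped; the evil.org script and the protocol-relative CDN script are what comes back.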
Real Example: Online Travel Reservation Portal
Change the reserID to 2001200

Real Example: Parameter Tampering
Reading another user’s transaction – insufficient authorization
Another customer’s transaction slip is revealed, including the email address

Parameter Tampering
Reading another user’s invoice
The same customer invoice that reveals the address and contact number
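The reservation-slip defect on the slides above, as an added example that is not from the deck: a lookup keyed only on the client-supplied reserID beside the same lookup with the ownership check that was missing. The in-memory store, field names and user names are constructed.

```python
# Added example, not from the original deck: the insufficient-authorization
# defect behind "change the reserID", shown vulnerable and then corrected.
# The store, field names and user names are constructed for illustration.

# Constructed reservations: id -> slip; "owner" is the account that booked it.
RESERVATIONS = {
    2001199: {"owner": "alice", "email": "alice@example.com", "total": 420.00},
    2001200: {"owner": "bob", "email": "bob@example.com", "total": 185.50},
}


class Forbidden(Exception):
    """The authenticated user is not entitled to the requested slip."""


def get_slip_vulnerable(session_user, reser_id):
    """Fetches by the client-supplied id alone.

    The session says who the caller is, but nothing ties reser_id to that
    caller, so editing the id in the URL returns another customer's slip."""
    return RESERVATIONS[reser_id]


def get_slip_fixed(session_user, reser_id):
    """Same fetch with the ownership check that was missing.

    Missing and not-owned ids are refused identically, so walking the id
    space learns nothing about which ids exist. In SQL the equivalent is
    a query constrained by both id and owner, not by id alone."""
    slip = RESERVATIONS.get(reser_id)
    if slip is None or slip["owner"] != session_user:
        raise Forbidden(f"reservation {reser_id} not accessible")
    return slip


def can_view(session_user, reser_id):
    """True when the fixed handler would serve the slip to this user."""
    try:
        get_slip_fixed(session_user, reser_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    # Alice's session asks for Bob's slip: only the vulnerable path serves it.
    print(get_slip_vulnerable("alice", 2001200)["email"])
    print(can_view("alice", 2001200), can_view("bob", 2001200))
```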
Attacks Sophistication vs. Intruder Knowledge

Chart (image not preserved): timeline 1980, 1985, 1990, 1995, 2000, 2005, Today; axes Intruder Knowledge (High to Low) and Attack Sophistication; label “Tools”
DON’T TRY THIS AT HOME!
Software Application Development Pressures

Today I’m being asked to:
• Deliver product faster (a lot faster!)
• Increase product innovation
• Improve quality
• Reduce cost
• Deliver a secure product (?)
WHY DO APPLICATION SECURITY PROBLEMS EXIST?

• IT security solutions and professionals are normally from the network/infrastructure/sysadmin side
  – They usually have little or no experience in application development
  – And developers typically don’t know or don’t care about security or networking
• Most companies today still do not have an application security QA policy or resource
  – IT security staff are focused on other things and are swamped
    • App Sec is their job but they don’t understand it and don’t want to deal with it
    • Developers think it’s not their job or problem to have security in coding
    • People who outsource expect the 3rd party to security-QA for them
• It is currently cultural not to associate security with coding
  – “Buffer Overflow” has been around for 25 years!
Top 10 OWASP Critical Web Application Security Issues ‘09

1. Unvalidated Input
2. Broken Access Control
3. Broken Authentication and Session Management
4. Cross Site Scripting Flaws
5. Buffer Overflows
6. Injection Flaws
7. Improper Error Handling
8. Insecure Storage
9. Denial of Service
SECURITY TESTING IS PART OF SDLC QUALITY TESTING

Diagram (labels only): Collaborative Application Lifecycle Management; SDLC Quality Assurance; Test Management and Execution (TEAM SERVER: Manage Test Lab, Create Plan, Build Tests, Report Results); Quality Dashboard; Defect Management; Requirements Management; Functional Testing; Performance Testing; Web Service Quality; Code Quality; Security and Compliance; Open Lifecycle Service Integrations; Best Practice Processes; platforms: homegrown, Open Platform, Java, System z, i, SAP, .NET
Building security & compliance into the SDLC – further back

Diagram (labels only): SDLC stages Developers / Coding -> Build -> QA -> Security -> Production
• Enable Security to effectively drive remediation into development
• Provides Developers and Testers with expertise on detection and remediation ability
• Ensure vulnerabilities are addressed before applications are put into production
THE NEED FOR SECURITY IN SOFTWARE DEVELOPMENT HAS COME OF AGE … NOW
“SOFTWARE CISSP”

1. Secure Software Concepts
2. Secure Software Requirements
3. Secure Software Design
4. Secure Software Coding and Implementation
5. Secure Software Testing
6. Software Acceptance
7. Software Deployment, Operations, Maintenance and Disposal
Conclusion: Application QA for Security

• The Application Must Defend Itself
  – You cannot depend on firewall or infrastructure security to do so
• Bridging the GAP between Software development and Information Security
• QA Testing for Security must now be integrated and strategic
• We need to move security QA testing back to earlier in the SDLC
  – At production or pre-production stage it is late and expensive to fix
  – Developers need to learn to write code defensively and securely
• Lower Compliance & Security Costs by:
  • Ensuring Security Quality in the Application up front
  • Not having to do a lot of rework after production
SDLC QA - YOUR LAST LINE OF DEFENSE