SQuAD: Application Security Testing
Terry Morreale, Ben Whaley
Why talk about security?
• There has been exponential growth of networked digital systems in the past 15 years
• The great things about technology progress are also the things that make security harder:
  • The ability to encapsulate knowledge (software)
  • The ability to easily traverse geographic borders (networking)
  • The ability to automate a difficult task
Moore’s Law for processors: old hat
• Yeah, we’ve heard about (and experienced) Moore’s Law for “a long time”.
• So what about NOW?
  • Storage is getting cheaper faster than computing
  • Bandwidth is getting cheaper faster
Networks have become the 21st century driver
[Figure: performance per dollar spent over time. Optical fiber (bits per second): doubling time 9 months. Data storage (bits per square inch): doubling time 12 months.]
What is security?
• Vigilance
• Knowledge
• Risk management
• Methodology and policies
• Applied science / forensics
• Architecture
• Implementation
• Operations
• 3 risks and 3 priorities:
  • Disclosure -> Confidentiality
  • Corruption -> Integrity
  • Unavailability -> Availability
• Multi-layered defense
Common security myths
• Myth #1: “We aren’t a likely target of attack.”
  • Fact: 42% of the 2009 CSI/FBI Computer Crime Survey respondents reported detecting a breach in the prior 12 months.
• Myth #2: “A small percent of attacks/breaches involve insiders.”
  • Fact: Actually, today nearly half of all attacks/breaches involve insiders.
• Myth #3: “We’re secure because we have a firewall.”
  • Fact: Almost nothing could be further from the truth. Multiple surveys have established that 95% of organizations that had a break-in had a standard commercial firewall in place.
• Myth #4: “We haven’t been broken into, therefore we are secure.”
  • Fact: Most break-ins go undetected for more than six months.
Key trends
• One-third of CSI Survey respondents’ organizations were fraudulently represented as the sender of a phishing message
• Incidents increasing in frequency: financial fraud, malware infection, denials of service, password sniffing, and Web site defacement
• Incidents decreasing in frequency: wireless exploits and instant messaging abuse
• Regulations, standards, and rules, oh my!
  • HIPAA and HITECH
  • Sarbanes-Oxley (SOX)
  • FISMA
  • Gramm-Leach-Bliley Act (Financial Services Modernization)
  • SAS 70
  • PCI DSS
Which standards affect software developers and testers?
• Many standards specifically reference information system development and testing
  • ISO 27002 – accepted industry best practices
  • NIST 800 series – a collection of Special Publications developed and accepted as IT security standards by the federal government
  • PCI DSS – compliance required for all organizations that process credit card payments
  • HIPAA – compliance required for all organizations that store or process EPHI (electronic protected health information)
• While HIPAA does not specifically address coding or testing requirements, in order for organizations using software to be compliant, the products must meet certain standards
Some examples
• ISO 27002
  • Section 12.2.1 Input data validation
    • Data input to applications should be validated to ensure that this data is correct and appropriate.
    • Checks should be applied to the input of business transactions, standing data, and parameter tables. The following guidelines should be considered:
      • Dual input or other input checks, such as boundary checking or limiting fields to specific ranges of input data, to detect the following errors:
        • Out of range values
        • Invalid characters in data fields
        • Missing or incomplete data
        • Exceeding upper and lower data volume limits
        • Unauthorized or inconsistent control data
      • Periodic review of the content of key fields or data files to confirm their validity and integrity
      • Procedures for responding to validation errors
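The 12.2.1 checklist maps onto code fairly directly. What follows is an added example, not code from the slides or from the standard: a schema-driven validator for a hypothetical "order" record that implements each class of check the control names (range, character allow-list, missing fields, volume limits, allowed and cross-field-consistent control data) and returns the full error list so the caller can apply a reject-and-log response procedure. The field names, limits, allowed values, `MAX_FIELDS` and the refund consistency rule are all assumptions made for illustration.

```python
"""Input validation along the lines of ISO 27002 12.2.1.

Added example, not code from the slides or from the standard. The order
schema, field names, limits and consistency rule are constructed for
illustration; adapt them to the real data model.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional

MAX_FIELDS = 20  # hypothetical upper volume limit for one record


@dataclass(frozen=True)
class FieldSpec:
    required: bool = True
    kind: type = str                      # str or float
    min_value: Optional[float] = None     # boundary checks for numbers
    max_value: Optional[float] = None
    max_length: Optional[int] = None      # per-field volume limit for strings
    pattern: Optional[str] = None         # allow-listed characters, full match
    allowed: Optional[frozenset] = None   # control data must be one of these


# Hypothetical schema for an "order" record.
ORDER_SCHEMA = {
    "account_id": FieldSpec(pattern=r"[A-Z]{2}[0-9]{6}", max_length=8),
    "amount":     FieldSpec(kind=float, min_value=0.01, max_value=10_000),
    "currency":   FieldSpec(allowed=frozenset({"USD", "EUR", "GBP"})),
    "status":     FieldSpec(allowed=frozenset({"new", "paid", "refunded"})),
    "refund_ref": FieldSpec(required=False, pattern=r"R[0-9]{8}", max_length=9),
    "note":       FieldSpec(required=False, max_length=140,
                            pattern=r"[A-Za-z0-9 .,'-]*"),
}

# Cross-field rules catch "unauthorized or inconsistent control data":
# here, a refund is only meaningful if it references a refund record.
CONSISTENCY_RULES: list[tuple[Callable[[dict], bool], str]] = [
    (lambda r: r.get("status") != "refunded" or "refund_ref" in r,
     "status: refunded requires refund_ref"),
]


def _check_field(name: str, spec: FieldSpec, value) -> list[str]:
    errs: list[str] = []
    if spec.kind is float:
        # bool is a subclass of int, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return [f"{name}: expected a number"]
        if (spec.min_value is not None and value < spec.min_value) or \
           (spec.max_value is not None and value > spec.max_value):
            errs.append(f"{name}: out of range")
        return errs
    if not isinstance(value, str):
        return [f"{name}: expected a string"]
    if spec.max_length is not None and len(value) > spec.max_length:
        errs.append(f"{name}: exceeds maximum length")
    # re.fullmatch rather than re.match with "$": "$" would accept a trailing newline.
    if spec.pattern is not None and re.fullmatch(spec.pattern, value) is None:
        errs.append(f"{name}: invalid characters")
    if spec.allowed is not None and value not in spec.allowed:
        errs.append(f"{name}: not an allowed value")
    return errs


def validate(record: dict, schema: dict) -> list[str]:
    """Return every validation error found; an empty list means accept.

    Response procedure: the caller rejects the whole record when the list is
    non-empty and logs the messages. Nothing is silently truncated or fixed up.
    """
    if len(record) > MAX_FIELDS:
        return ["record: exceeds field count limit"]  # stop before looking closer
    errs: list[str] = []
    for name in record:
        if name not in schema:
            errs.append(f"{name}: unknown field")
    for name, spec in schema.items():
        if name not in record:
            if spec.required:
                errs.append(f"{name}: missing")
            continue
        errs.extend(_check_field(name, spec, record[name]))
    for holds, message in CONSISTENCY_RULES:
        if not holds(record):
            errs.append(message)
    return errs


def validate_order(record: dict) -> list[str]:
    return validate(record, ORDER_SCHEMA)


if __name__ == "__main__":
    # Constructed sample input: one well-formed order and one with several faults.
    print(validate_order({"account_id": "US123456", "amount": 19.99,
                          "currency": "USD", "status": "paid"}))
    print(validate_order({"account_id": "us12", "amount": -5, "currency": "BTC",
                          "status": "refunded", "note": "<script>alert(1)</script>"}))
```

Two details are worth noting: the whole-record field count is checked before any field is parsed, so an oversized payload is refused cheaply, and the validator reports every failure instead of stopping at the first, which is what an operator needs when deciding whether a stream of rejects is a bug or an attack.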
ISO 27002 continued
• Section 12.2.2 Control of internal processing
  • Validation checks should be incorporated into applications to detect any corruption of information through processing errors or deliberate acts.
• Section 12.2.3 Message integrity
  • Requirements for ensuring authenticity and protecting message integrity in applications should be identified, and appropriate controls identified and implemented.
• Section 12.2.4 Output data validation
  • Data output from an application should be validated to ensure that the processing of stored information is correct and appropriate to the circumstances.
NIST 800-53
• Section SC-2 Application Partitioning
  • The information system separates user functionality (including user interface services) from information system management functionality.
  • The information system prevents the presentation of information system management-related functionality at an interface for general users.
• Section SC-3 Security Function Isolation
  • The information system isolates security functions from nonsecurity functions.
• Section SC-4 Information in Shared Resources
  • The information system prevents unauthorized and unintended information transfer via shared system resources.
• Section SC-5 Denial of Service Protection
NIST 800-53 continued
• The list goes on and on…
• A few more examples
  • Resource priority (limit use of resources by priority)
  • Boundary protection (control communication at the boundaries)
  • Transmission integrity (protect transmitted information from modification)
Open Web Application Security Project
• The OWASP guide is the de-facto authoritative resource for web application security
  • For example, the PCI DSS standard requires that applications are developed according to OWASP
• Too “loose” to be called a standard, but still a wonderful resource
• Lots of resources:
  • OWASP Guide
  • Top 10 Lists
  • WebGoat training application
  • WebScarab
OWASP Top 10
• A1 – Injection: SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query.
• A2 – Cross-Site Scripting (XSS): XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping.
• A3 – Broken Authentication and Session Management: Application functions related to authentication and session management are often not implemented correctly.
• A4 – Insecure Direct Object Reference: Exposure of an internal implementation object.
• A5 – Cross-Site Request Forgery (CSRF): A forged request sent by the victim’s browser, which holds a pre-authenticated session, coerces a vulnerable web application into executing arbitrary actions on behalf of the attacker.
• A6 – Security Misconfiguration: The application, framework, dependencies, server, or platform are not securely configured and/or are poorly maintained.
• A7 – Insecure Cryptographic Storage: Sensitive data is not protected by encryption or hashing.
• A8 – Failure to Restrict URL Access: Access to sensitive data is restricted only by URL obfuscation (security through obscurity).
• A9 – Insufficient Transport Layer Protection: Lack of authentication, encryption, or other security controls for data in transit.
• A10 – Unvalidated Redirects and Forwards: Redirects and forwards are not properly validated, allowing attackers to trick users into […]
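A10 is the entry on this list whose fix is a single, testable check, so here is an added example (not code from the slides or from OWASP) of validating a `?next=` style redirect target before issuing the redirect. The host allow-list and default target are assumptions, and the hostile inputs in the test are constructed; they cover the usual ways a "starts with /" check gets bypassed (network-path `//host`, backslashes, `https:host` without slashes, userinfo tricks and header injection).

```python
"""Validating a redirect target (OWASP Top 10 2010, A10).

Added example, not code from the slides or from OWASP. ALLOWED_HOSTS and
DEFAULT_TARGET are assumptions; the hostile inputs used to exercise it are
constructed.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}  # hypothetical
DEFAULT_TARGET = "/"


def safe_redirect_target(target: str) -> str:
    """Return `target` only if it is a local absolute path or an https URL to an
    allow-listed host; otherwise return DEFAULT_TARGET.

    Fails closed: anything the parser finds ambiguous is treated as hostile.
    """
    if not target or any(c in target for c in "\r\n\x00"):
        return DEFAULT_TARGET  # empty, header-injection or NUL payloads
    # Browsers treat "\" like "/" in URLs, so "/\evil.example" would be the
    # network-path reference "//evil.example". Normalise before parsing.
    candidate = target.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return DEFAULT_TARGET  # e.g. malformed IPv6 brackets
    if not parts.scheme and not parts.netloc:
        # A plain path. Require exactly one leading slash: "//host" carries a
        # netloc and never reaches here; "///host" is rejected as ambiguous.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return DEFAULT_TARGET
    if parts.scheme != "https":
        return DEFAULT_TARGET  # rejects http, javascript:, data:, and "//host"
    if parts.username is not None or parts.password is not None:
        return DEFAULT_TARGET  # "https://www.example.com@evil.example/"
    if parts.hostname is None or parts.hostname.lower() not in ALLOWED_HOSTS:
        return DEFAULT_TARGET  # also catches "https:evil.example" (no netloc)
    return candidate


if __name__ == "__main__":
    for t in ("/account/settings", "//evil.example/x", "https:evil.example",
              "https://www.example.com@evil.example/", "javascript:alert(1)"):
        print(repr(t), "->", safe_redirect_target(t))
```

The allow-list is compared against `parts.hostname`, which strips any userinfo and port, rather than against `parts.netloc`; a substring or prefix match on the raw netloc is exactly what the `user@host` trick defeats.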
OWASP Top 10 versus MITRE Vulnerability Trends
Real World SQL Injection Attacks
• April 13, 2008: Oklahoma Department of Corrections leaks 10,597 SSNs from the sex offender registry web site
  • A “printer friendly” link used a raw SQL string as a URL parameter
  • Trivially manipulating the parameter allowed arbitrary database queries, including SSNs
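The Oklahoma case is unusual in that the URL carried the query text itself, so the "injection" was simply editing the statement. The following is an added example, not code from the slides or from the affected site, that reproduces that pattern against an in-memory SQLite table and shows the fix: the client supplies only an identifier, the column list is a server-side constant that omits the sensitive column, and the value is bound as a parameter. The table, rows and SSN-like strings are constructed; the real schema is unknown.

```python
"""The "SQL in a URL parameter" pattern from the Oklahoma DOC slide, and its fix.

Added example, not code from the slides or from the affected site. The table,
rows and SSN-like strings are constructed; the real schema is unknown.
"""
import sqlite3

PUBLIC_COLUMNS = ("id", "name", "city")  # ssn is intentionally not listed


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE offenders (
            id   INTEGER PRIMARY KEY,
            name TEXT NOT NULL,
            city TEXT NOT NULL,
            ssn  TEXT NOT NULL
        );
        INSERT INTO offenders VALUES
            (1, 'J. Doe', 'Tulsa',         '000-00-0001'),
            (2, 'R. Roe', 'Oklahoma City', '000-00-0002');
    """)
    return conn


def printer_friendly_vulnerable(conn: sqlite3.Connection, sql_from_url: str):
    """Deliberately vulnerable: the page accepts the query itself from the URL,
    e.g. ?sqlString=SELECT+id,name,city+FROM+offenders+WHERE+id=1.
    Anyone can rewrite the statement and read any column, including ssn."""
    return conn.execute(sql_from_url).fetchall()


def printer_friendly_fixed(conn: sqlite3.Connection, offender_id_from_url: str):
    """Fixed version: the URL carries only an identifier. The column list is a
    server-side constant and the value is bound with a "?" placeholder, so the
    input can never change the shape of the statement."""
    try:
        offender_id = int(offender_id_from_url)
    except (TypeError, ValueError):
        raise ValueError("offender id must be an integer") from None
    sql = f"SELECT {', '.join(PUBLIC_COLUMNS)} FROM offenders WHERE id = ?"
    return conn.execute(sql, (offender_id,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    # Constructed attack: the attacker rewrites the SQL the link carried.
    print(printer_friendly_vulnerable(db, "SELECT name, ssn FROM offenders"))
    print(printer_friendly_fixed(db, "1"))
    try:
        printer_friendly_fixed(db, "1 OR 1=1")
    except ValueError as e:
        print("rejected:", e)
```

Note that the fixed version still uses an f-string, but only to splice in `PUBLIC_COLUMNS`, which is a constant the client cannot influence; the user-controlled value goes through the driver's parameter binding. Restricting the column list is a second, independent control: even if some other query on the site were injectable, this handler can never return `ssn`.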
Real World XSS Attack
• April 18, 2008 – Barack Obama’s official site hacked
  • JavaScript and malicious HTML passed in the URL were not properly validated
OWASP Testing Guide
• Defines 10 categories for testing web applications
  • Information Gathering
  • Config. Management Testing
  • Business Logic Testing
  • Authentication Testing
  • Authorization Testing
  • Session Management Testing
  • Data Validation Testing
  • Denial of Service Testing
  • Web Services Testing
Security testing techniques
• Manual Inspection and Review
  • Pros: Flexible, low cost of entry, improves communication
  • Cons: Extremely time consuming, high level of skill required
• Threat Modeling – Decompose, Define/Classify, Explore vulnerabilities and threats, Mitigate
  • Pros: Practical “attacker” view of the system/process, standards based (NIST 800-30)
  • Cons: New, somewhat vague
• Source Code Review
  • Pros: Complete coverage, Accurate
  • Cons: Requires extreme skill, may miss vulnerabilities in dependencies
• Pen Testing