Securing Your Web Application
against security vulnerabilities
Ong Khai Wei, IT Specialist, Development Tools (Rational)
IBM Software Group
Agenda
• Security Landscape
• Vulnerability Analysis
• Automated Vulnerability Analysis
The Myth: “Our Site Is Safe”
• We Have Firewalls and IPS in Place
– Port 80 & 443 are open for the right reasons
• We Use Network Vulnerability Scanners
– Neglect the security of the software on the network/web server
• We Audit It Once a Quarter with Pen Testers
– Applications are constantly changing
• We Use SSL Encryption
– Only protects data between site and user, not the web
Reality: Security and Spending Are Unbalanced
• 75% of All Attacks on Information Security are Directed to the Web Application Layer
• of All Web Applications are Vulnerable
(Chart: “Hacking Stage 6” — Wikipedia, Feb 9 2007)
Why Application Security is a High Priority
• Web applications are the #1 focus of hackers:
– 75% of attacks at Application layer (Gartner)
– XSS and SQL Injection are #1 and #2 reported vulnerabilities (Mitre)
• Most sites are vulnerable:
– 90% of sites are vulnerable to application attacks (Watchfire)
– 78% of easily exploitable vulnerabilities affected Web applications (Symantec)
– 80% of organizations will experience an application security incident by 2010 (Gartner)
• Web applications are high value targets for hackers:
– Customer data, credit cards, ID theft, fraud, site defacement, etc
• Compliance requirements:
The Security Landscape of the past
• Traditional Infrastructure was easier to protect . . .
• Concrete entities that were easy to understand
• Attack surface and vectors were very well-defined
• Application footprint very static
Changing Security Landscape of Today
• “Webification” has changed everything ...
• Infrastructure is more abstract and less defined
• Everything needs a web interface
• Agents and heavy clients are no longer acceptable
• Traditional defenses no longer apply
High Level Web Application Architecture Review
(Diagram) Client Tier (Browser) → Middle Tier: App Server (Presentation, Business Logic) → Data Tier: Database
• The App is deployed in the Middle Tier; sensitive data is stored in the Data Tier
• SSL protects the transport between the customer and the site; the Firewall protects the network
Network Defenses for Web Applications
(Diagram) Perimeter defenses around the same three tiers:
• Firewall
• IDS – Intrusion Detection System
• IPS – Intrusion Prevention System
• App Firewall – Application Firewall
• System Incident Event Management (SIEM)
Why Do Hackers Today Target Applications?
• Because they know you have firewalls
– So it’s not very convenient to attack the network anymore
– But they still want to attack ’cos they still want to steal data …
• Because firewalls do not protect against app attacks!
– So the hackers are having a field day!
– Very few people are actively aware of application security issues
• Because web sites have a large footprint
– No need to worry anymore about cumbersome IP addresses
• Because they can!
– It is difficult or impossible to write a comprehensively robust application
• Developers are yet to have secure coding as second nature
• Developers think differently from hackers
• Cheap, Fast, Good – choose two, you can’t have it all
• It is also a nightmare to manually QA the application
• “White-box” static code analyzers don’t test for inter-app relationships
Application Threat / Negative Impact / Example Impact
• Cross-Site Scripting
– Negative Impact: Identity Theft, Sensitive Information Leakage, …
– Example Impact: Hackers can impersonate legitimate users, and control their accounts.
• Injection Flaws
– Negative Impact: Attacker can manipulate queries to the DB / LDAP / Other system
– Example Impact: Hackers can access backend database information, alter it or steal it.
• Malicious File Execution
– Negative Impact: Execute shell commands on server, up to full control
– Example Impact: Site modified to transfer all interactions to the hacker.
• Insecure Direct Object Reference
– Negative Impact: Attacker can access sensitive files and resources
– Example Impact: Web application returns contents of sensitive file (instead of harmless one)
• Cross-Site Request Forgery
– Negative Impact: Attacker can invoke “blind” actions on web applications, impersonating a trusted user
– Example Impact: Blind requests to bank account transfer money to hacker
• Information Leakage and Improper Error Handling
– Negative Impact: Attackers can gain detailed system information
– Example Impact: Malicious system reconnaissance may assist in developing further attacks
• Broken Authentication & Session Management
– Negative Impact: Session tokens not guarded or invalidated properly
– Example Impact: Hacker can “force” session token on victim; session tokens can be stolen after logout
• Insecure Cryptographic Storage
– Negative Impact: Weak encryption techniques may lead to broken encryption
– Example Impact: Confidential information (SSN, Credit Cards) can be decrypted by malicious users
• Insecure Communications
– Negative Impact: Sensitive info sent unencrypted over insecure channel
– Example Impact: Unencrypted credentials “sniffed” and used by hacker to impersonate user
• Failure to Restrict URL Access
– Negative Impact: Hacker can access unauthorized resources
– Example Impact: Hacker can forcefully browse and access a page past the login page
Automated Vulnerability Analysis
Security Testing Is Part of SDLC Quality Testing
(Diagram: Collaborative Application Lifecycle Management) Team Server – Manage, Test Lab, Create, Plan, Tests, Build, Report Results
• SDLC Quality Assurance: Functional Testing, Performance Testing, Web Service Quality, Code Quality, Security and Compliance
• Test Management and Execution, Quality Dashboard, Open Lifecycle Service Integrations, Defect Management, Requirements Management, Best Practice Processes
• Open Platform: homegrown, Java, System z, i, SAP, .NET
AppScan in the Rational Portfolio
(Diagram: Software Quality Solutions – Development, Operations, Business)
• Test and Change Management: Rational RequisitePro (Requirements), Rational ClearQuest (Test, Change, Defects)
• Quality Metrics: Project Dashboards, Detailed Test Results, Quality Reports
• Test Automation – Developer Test: Rational PurifyPlus, Rational Test RealTime
• Test Automation – Functional Test (Automated / Manual): Rational Functional Tester Plus, Rational Functional Tester, Rational Robot, Rational Manual Tester
• Test Automation – Performance Test: Rational Performance Tester
• Test Automation – Security and Compliance Test: AppScan, PolicyTester
Rational AppScan
• What is it?
– AppScan is an automated tool used to perform vulnerability assessments on Web Applications
• Why do I need it?
– To simplify finding and fixing web application security problems
• What does it do?
– Scans web applications, finds security issues and reports on them in an actionable fashion
• Who uses it?
– Security Auditors – main users today
– QA engineers – when the auditors become the bottleneck
How does AppScan work?
• Approaches an application as a black-box
• Traverses a web application and builds the site model
• Determines the attack vectors based on the selected Test policy
• Tests by sending modified HTTP requests to the application and examining the HTTP response according to validation rules
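The four steps above (black-box target, site model, test policy, validation rules) as an added illustration in Python; this is not AppScan’s code, and the mock application, the entry points, the probe values and the two validation rules are all assumptions constructed for the example so that it runs offline.

```python
import re
from typing import Dict, List

# Constructed mock application standing in for the black-box target (no network needed).
def mock_app(path: str, params: Dict[str, str]) -> str:
    if path == "/search":
        # Reflects the query parameter into the page without escaping it.
        return "<html>Results for: " + params.get("q", "") + "</html>"
    if path == "/item":
        try:
            return "<html>Item " + str(int(params.get("id", "1"))) + "</html>"
        except ValueError:
            # Improper error handling: a stack trace is returned to the client.
            return "<html>500 Internal Server Error<pre>Traceback (most recent call last): ValueError in item()</pre></html>"
    return "<html>404 Not Found</html>"

# Site model: the entry points (path + parameter names) a crawl of the mock app would discover.
SITE_MODEL = [("/search", ["q"]), ("/item", ["id"])]

# Test policy: each test is a (probe value, validation rule) pair. The rule inspects the
# HTTP response and decides whether the test produced a finding.
MARKER = "ScanProbe7f3"  # unique marker; if it comes back verbatim the input is reflected unescaped
TEST_POLICY = {
    "reflected_input": (MARKER, lambda resp, probe: probe in resp),
    "verbose_error": ("not-a-number",
                      lambda resp, _probe: re.search(r"Traceback|Exception|ORA-\d+", resp) is not None),
}

def scan(app, site_model, policy) -> List[dict]:
    """Send one modified request per (entry point, parameter, test) and validate each response."""
    findings = []
    for path, param_names in site_model:
        for name in param_names:
            for test_name, (probe, rule) in policy.items():
                params = {p: "1" for p in param_names}  # baseline values for the other parameters
                params[name] = probe                      # the modified parameter under test
                resp = app(path, params)
                if rule(resp, probe):
                    findings.append({"test": test_name, "path": path, "param": name})
    return findings

if __name__ == "__main__":
    for f in scan(mock_app, SITE_MODEL, TEST_POLICY):
        print(f"{f['test']}: {f['path']} param={f['param']}")
```

Each finding names the test, page and parameter, which is the actionable unit a developer needs to locate and fix the defect.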