Application Security Review 5 Dec 09 Final

Posted on 16-Apr-2017


Application Security Review
Presented by Manoj Agarwal

CEP on Dec 5, 09 @ IIA-India, Bombay Chapter

December 09 © ANB Consulting CO. Pvt. Ltd.

Agenda
• What is an Application Security Review
• Why Application Security Assessment
• Examples of Potential Vulnerabilities
• Q & A


Reviewing Application
• Confidentiality
  – Confidential information must only be divulged as appropriate, and must be protected from unauthorized disclosure or interception.
  – Confidentiality includes privacy considerations. Such disclosure can take place by word of mouth, by printing, copying, e-mailing or creating documents and other data etc.
• Integrity
  – Information integrity refers to the state of data as being correct and complete. This specifically includes the reliability of financial processing and reporting.
  – The integrity of data is not only whether the data is 'correct', but whether it can be trusted and relied upon.
• Availability
  – Information must be available to the business, its customers, and partners when, where, and in the manner needed.
  – Availability includes the ability to recover from losses, disruption, or corruption of data and IT services, as well as from a major disaster where the information was located.


Motivation For Application Security
• Cost of recovery and lost productivity
• Loss of data
• Impact on consumer confidence
• Legal risks


Security Principles
• Confidentiality
• Integrity
• Authentication
• Authorization
• Availability
• Non-repudiation


Managing Risk
• Strategic
• Tactical
• Operational
• Legal


Assessment Criteria
• Definition of an application
• Scope of assessments
  – High-risk
  – Medium-risk
  – Low-risk
• Types of Assessments
  – Limited assessments
  – Comprehensive assessments


Participants (diagram; the boxes and activities it shows are listed below)
• Groups: Corporate Security; Application Review Team; Operations IT; Business Unit IT Groups
• Activities: Security Policy; Threat Modeling; Risk Assessment; Audits; Action on Audit Findings


Application Security Process Framework (cycle)
• Verify In Production Applications
• Design, Develop, Test, and Verify Secure Apps
• Educate IT Professionals
• Maintain and Publish Policies and Guidelines
• Respond to Security Exposure Incidents
• Apply Lessons Learned


Application Management – Secure Infrastructure
• NETWORK
  – Architecture
  – Transport
  – Network device
• HOST
  – Access control list (ACL) permission settings
  – Operating system
  – Services: Internet Information Services (IIS), Simple Mail Transfer Protocol (SMTP), File Transfer Protocol (FTP), NetBIOS/Remote procedure call (RPC), Terminal Services, Microsoft SQL Server
• APPLICATION
  – Input validation
  – Clear text protocol
  – Authentication
  – Authorization
  – Cryptography
  – Auditing and logging
• ACCOUNT
  – Unused accounts
  – Weak or blank passwords
  – Shared accounts
  – Access privileges
• TRUST
  – Rogue trusts


Building Secure Networks – Configuration
• Network segmentation
• Firewalls
• Routers and switches


Building Secure Networks – Intrusion Detection Systems And Network Encryption

• Detection systems should monitor for
  – Reconnaissance attacks
  – Exploit attacks
  – Denial of service attacks
• Network encryption
  – Key tool in preventing sensitive data from being read
  – Sensitive communication should be encrypted
  – Industry-standard encryption methods: Secure Sockets Layer (SSL), a secure shell program such as SSH, Internet Protocol Security (IPSec)


Building Secure Hosts For Applications

• Patch management
• Configuration
• Permissions
• Simple Network Management Protocol community strings
• Antivirus software
• Server auditing and logging
• Server backup and restore


Application Layer Requirements

• Input validation
• Session management
• Authentication and authorization
• Design and code review
• Application and server error handling
• Application auditing and logging
• Application backup and restore
• Private data encryption


Common Application Development Issues

• User input validation
• Cookies, authentication, and access
• Passwords
• Access control lists
• Auditing and logging


Lessons Learned

• If you wait until an application is already in production to make it secure, you are too late

• Good security practices take into account both the host and the application client

• Create clearly written and easily accessible security guideline documentation

• Create security checklists that include step-by-step instructions
• Develop a thoroughly considered policy exception tracking process
• Education is crucial to the success of a security program
• Processes and reporting are required to ensure that inventory information is maintained
• Security is an ongoing, always changing, concern


Lessons Learnt (contd.)
• 70% of applications reviewed by security firms had significant security design flaws
• Interaction between server, 3rd party code, and custom business logic creates vulnerabilities
• Patching or rebuilding the app is expensive
• Perception exists that locking down the OS and web server = web security
• Web-facing, business critical applications
• HTTP & SSL open to the world
• Much investment focused on infrastructure
• Well understood threats, mature products
• Firewalls, authentication, intrusion detection
• Security is many times an overlooked facet of web development projects


Policies

• Applications should comply with application security policies and guidelines
• Applications should go through a security design review process
• Third-party application vendors should provide assurances that the software does not contain anything that could be used to compromise security controls
• Internet-facing applications should use existing methods of authentication
• Applications that reside on the corporate network should rely on Windows integrated authentication
• Applications that cannot use Windows integrated authentication should either encrypt or hash the password stores
• Credentials should never be stored or sent unencrypted
• User input should be filtered and examined at the Web server
• Web applications should use strong, nonpredictable session IDs
• Web applications should use an inactivity timeout
• Cookies that contain sensitive data should be marked as secure and nonpersistent


Examples… Parameter Tampering
• Price information is stored in a hidden HTML field with an assigned $ value
• Assumption: the hidden field won't be edited
• Attacker edits the $ value of the product in the HTML
• Attacker submits the altered web page with the new "price"
• Still widespread in many web stores


Examples… Cookie Poisoning
• Attacker impersonates another user
  – Identifies the cookie values that identify the customer to the site
• Attacker notices patterns in cookie values
  – Edits the pattern to mimic another user
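Added example (not code from the slides) showing the defensive counterpart to the cookie-poisoning pattern above and the session policies on the Policies slide: a server-side session store keyed by an unpredictable ID with an inactivity timeout, and a Set-Cookie header marked Secure, HttpOnly and non-persistent. The class and function names, the 15-minute timeout and the cookie name are assumptions.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Constructed example: the server keeps the user identity; the cookie carries
# only a random handle, so there is no pattern to edit into another user's ID.
IDLE_TIMEOUT = 900  # seconds of inactivity before a session is dropped (assumed)


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now  # injectable clock so the timeout can be tested
        self._sessions = {}  # session_id -> {"user": ..., "last_seen": ...}

    def create(self, user):
        # 32 bytes from the OS CSPRNG, URL-safe encoded (43 chars): the ID is
        # neither sequential nor derived from the customer record.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._now()}
        return sid

    def lookup(self, sid):
        entry = self._sessions.get(sid)
        if entry is None:
            return None  # unknown or guessed ID: no user is resolved
        if self._now() - entry["last_seen"] > IDLE_TIMEOUT:
            # Inactivity timeout: discard rather than silently extend.
            del self._sessions[sid]
            return None
        entry["last_seen"] = self._now()
        return entry["user"]


def session_cookie_header(sid):
    # Secure: sent only over HTTPS. HttpOnly: not readable by page scripts.
    # No Expires/Max-Age: a non-persistent cookie that ends with the browser session.
    c = SimpleCookie()
    c["SESSION"] = sid
    c["SESSION"]["secure"] = True
    c["SESSION"]["httponly"] = True
    c["SESSION"]["path"] = "/"
    return c.output(header="Set-Cookie:")
```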


Un-validated Input Attack
• Exploitation of implied trust relations
• Instead of:
  – john@doe.com
• Attacker inputs:
  – //////////////////////////////////////////////////
• Exploits lack of boundary checkers on the back-end application
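Added example, not from the slides, covering both the parameter-tampering and the un-validated input examples: a checkout handler that ignores the client-supplied hidden price and prices the order from a server-side catalogue, plus a boundary check on the e-mail field before it reaches any back-end component. The catalogue, SKUs, limits, function names and e-mail pattern are constructed assumptions.

```python
import re

# Constructed catalogue: product -> price in cents. This is the only price source.
CATALOGUE = {"SKU-100": 1999, "SKU-200": 4500}

EMAIL_MAX_LEN = 254  # assumed upper bound enforced before any pattern check
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class RejectedInput(ValueError):
    """Raised when a form field fails validation at the web tier."""


def validate_email(value):
    # Boundary check first: a length cap stops over-long junk such as a run of
    # slashes from reaching back-end code that assumes short values.
    if not isinstance(value, str) or len(value) > EMAIL_MAX_LEN:
        raise RejectedInput("email too long or not a string")
    if not EMAIL_RE.fullmatch(value):
        raise RejectedInput("email does not match the expected format")
    return value


def checkout_vulnerable(form):
    # Mirrors the slide's flaw: the total comes from the hidden "price" field.
    return int(form["price"]) * int(form["qty"])


def checkout_hardened(form):
    sku = form.get("sku")
    if sku not in CATALOGUE:
        raise RejectedInput("unknown product")
    qty = int(form.get("qty", "0"))
    if not 1 <= qty <= 100:
        raise RejectedInput("quantity out of range")
    email = validate_email(form.get("email", ""))
    # The hidden field is never used for pricing; a mismatch is flagged so the
    # application log can show tampering attempts.
    tampered = form.get("price") not in (None, str(CATALOGUE[sku]))
    return {"email": email, "total": CATALOGUE[sku] * qty, "tampered": tampered}
```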


Thank You