Post on 14-Jan-2016
New Technologies, New Risks
PricewaterhouseCoopers
Technology and Security Evolution: Mainframe

Technology
– Single host
– Limited trusted users

Security
– Internal user authentication
– Access Control List on a single host
Technology and Security Evolution: Network

Technology
– Multiple trusted hosts
– Multiple trusted users

Security
– Access Control Lists on multiple trusted hosts
– Internal user authentication
– Network segmentation
Technology and Security Evolution: Internet

Technology
– Large number of untrusted users
– Untrusted network
– Complexity
  • Network
  • Configuration

Security
– Access Control Lists on multiple untrusted hosts
– External user authentication
– Network segmentation and filtering (firewalls)
Technology Evolution: E-commerce and Web Services

• Critical data
• Complexity
  – Network
  – Configuration
  – Development
• Business to Business (B2B)
• Business to Clients (B2C)

E-commerce and Web Services: New Risks
Access to Critical Data over Trusted Communication Ports

[Diagram: hackers send HTTP/HTTPS requests through the firewall on port 80 (HTTP) or port 443 (HTTPS) to the server (OS, applications, data).]

1. HTTP/HTTPS requests go through the open firewall port 80 or 443.
2. Once the firewall has been passed, application security is the only thing protecting your data and application integrity, confidentiality and availability.
Rapid Development: Complex Development Framework

• Competitive market
• Development cost
• Automation tools
High-Level Language for Complex Tasks

• New languages hide complexity
• Development complexity is hidden
• Templates and wizards
• Distributed programming architecture
Scripting Language

• Not compiled
• Process flow can be modified at run time
• Relies on compiled languages
• Used in untrusted environments to access critical data
Dynamic Environment

• High level of customization
• Different integration requirements
• Custom development

How a Web Application Works
Web Application Process

1. The user requests a page from the web server.
2. The web server processes the server-side script (interpreter).
3. The server-side script requests external data.
4. The script returns HTML to the server.
5. The processed HTML is returned to the user.
Terminology

http://somesite.com/script?argument1=somedata1

– Script: script
– Argument: argument1
– Data: somedata1
Web Communication

GET
– Most widely used request method.
– Simplest request method.
– Consists of a resource and arguments.
– Example: http://server/file?argument1=data

POST
– Used to transfer data to the server.
– Mostly used in conjunction with HTML forms.
Current Attack Methods
SQL Injection

• SQL injection is the process of modifying the internal SQL query of the server-side script to perform actions not intended by the developers.
• SQL injection can have serious security implications, from data loss to full infiltration of your internal network.
• Widely used and the most documented type of web application attack.
• Can be used against most languages used to develop web applications.
• Only impacts applications that use a back-end SQL server to store data.
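The slide's point, that the script argument can rewrite the query itself, shown as an added example that is not part of the original deck: a lookup built by string concatenation beside the same lookup using a parameterized query, run against a constructed in-memory SQLite table standing in for the back-end SQL server.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample database standing in for the application's SQL server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The script argument is pasted into the query text, so it can change the
    # query's structure instead of acting only as data.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # The query structure is fixed; the driver binds the argument as data only.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups on a normal argument and on a constructed tampered one."""
    conn = build_db()
    normal = "bob"
    tampered = "' OR '1'='1"  # closes the quoted string and appends a tautology
    return {
        "normal_vuln": lookup_vulnerable(conn, normal),
        "normal_safe": lookup_parameterized(conn, normal),
        "tampered_vuln": lookup_vulnerable(conn, tampered),   # every row comes back
        "tampered_safe": lookup_parameterized(conn, tampered),  # no such username
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```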
Code Injection

• Code injection is the process of injecting code that will be processed by the server.
• Code injection is extremely dangerous since the remote attacker can make the server run its code.
• Code injection is not widely used and is caused by file access abstraction.
• Not all programming languages are affected.
Application Discovery with Program Errors

• Like normal applications, web applications will display error messages when something goes wrong.
• Error messages will often display a lot of information on the environment and the cause of the error.
• Often the information displayed gives too much away.
• Error messages are often used by attackers to help them gain a better understanding of the environment they are attacking and can help them construct very precise attacks.
Error Reporting Example
Development Considerations to Prevent Attacks
Dealing with a Hostile Environment

All incoming data should be treated as potentially invalid.
All outgoing data should be documented, and undocumented data should not be sent to the client.
All error messages should be standardized.
Dealing with Error Reporting

All errors should be caught by the application. When an error occurs, the user should be directed to a standard page indicating that an error has occurred.
The full error message should be sent to the development team.
Programming Language - Application Programming Interface

Developers and software engineers should review all functions used and the full impact they might have.
A detailed list of valid characters should be made, and all others should be rejected.
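The two preceding slides (standardized error handling with the full error going to developers, and a per-argument list of valid characters with everything else rejected) combined into one request handler. This is an added example, not the deck's or any product's code; the `dev_log` sink and the argument names are assumptions.

```python
import logging
import re
import traceback

# Hypothetical sink standing in for "send the full error message to the development team".
dev_log = logging.getLogger("dev-team")

# Allowlist of valid characters per documented argument; anything else is rejected.
ALLOWED = {
    "username": re.compile(r"[A-Za-z0-9_]{1,32}"),
    "page": re.compile(r"[0-9]{1,4}"),
}

# The single standardized page every user sees on any failure; no internals leak.
STANDARD_ERROR_PAGE = "<html><body>An error has occurred.</body></html>"


class InvalidArgument(ValueError):
    """Raised for undocumented arguments or values with disallowed characters."""


def validate_args(args: dict) -> dict:
    """Return only documented arguments whose whole value matches its allowlist."""
    unknown = set(args) - set(ALLOWED)
    if unknown:
        raise InvalidArgument(f"undocumented arguments: {sorted(unknown)}")
    clean = {}
    for name, value in args.items():
        if not ALLOWED[name].fullmatch(value):
            raise InvalidArgument(f"argument {name!r} contains disallowed characters")
        clean[name] = value
    return clean


def handle_request(args: dict, business_logic) -> tuple:
    """Run business_logic on validated arguments; return (status, body).

    Invalid input yields 400, any other failure 500. In both cases the client
    gets the standard page while the full traceback goes to the developers.
    """
    try:
        return 200, business_logic(validate_args(args))
    except InvalidArgument:
        dev_log.warning("rejected args=%r\n%s", args, traceback.format_exc())
        return 400, STANDARD_ERROR_PAGE
    except Exception:
        dev_log.error("request failed args=%r\n%s", args, traceback.format_exc())
        return 500, STANDARD_ERROR_PAGE
```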
Platform Configuration

Administrators should read the documentation of the platform used to run the web applications.
Administrators and developers should be aware of the types of internal and external communication the platform may use with other applications (single sign-on, database, LDAP, ...).
Network Configuration

Only the ports used by your web server (often 80 (HTTP) and 443 (HTTP over SSL)) should be allowed as incoming communication.
Outgoing communication should be restricted to limit many types of attack.
All communication between the various servers used in your environment should be documented, and all other types of communication should be restricted.
For added security, all traffic between servers that should not be talking to each other should be flagged and investigated immediately.
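A small flow-log check that applies the rules above: inbound traffic is only expected on the web server's ports, outgoing connections are surfaced for review, and server-to-server flows not in the documented list are flagged. This is an added example, not from the deck; the network ranges, the documented flows and the log lines are constructed.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # constructed server network
ALLOWED_INBOUND_PORTS = {80, 443}               # only the web server's ports

# Documented server-to-server flows (constructed): (source, destination, destination port).
DOCUMENTED = {
    ("10.0.1.10", "10.0.2.20", 1433),  # web server -> database server
    ("10.0.1.10", "10.0.3.30", 389),   # web server -> LDAP server
}

# Constructed flow-log sample, one "<src> <dst> <dport>" record per line.
SAMPLE_FLOWS = """\
198.51.100.7 10.0.1.10 443
10.0.1.10 10.0.2.20 1433
10.0.1.10 10.0.3.30 389
10.0.2.20 10.0.3.30 22
10.0.2.20 198.51.100.7 443
198.51.100.7 10.0.2.20 1433
"""


def parse_flows(text: str) -> list:
    """Turn the log text into (src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, port = line.split()
            flows.append((src, dst, int(port)))
    return flows


def classify(flow: tuple) -> str:
    """Label a flow by the network rule it falls under."""
    src, dst, port = flow
    src_in = ipaddress.ip_address(src) in INTERNAL
    dst_in = ipaddress.ip_address(dst) in INTERNAL
    if src_in and dst_in:
        return "documented" if flow in DOCUMENTED else "undocumented-internal"
    if src_in:
        return "outgoing"  # restricted by policy; review every occurrence
    return "inbound-allowed" if port in ALLOWED_INBOUND_PORTS else "inbound-blocked"


def flag_flows(text: str) -> list:
    """Return (flow, reason) for every record that needs investigation."""
    expected = {"documented", "inbound-allowed"}
    return [(f, classify(f)) for f in parse_flows(text) if classify(f) not in expected]
```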
PricewaterhouseCoopers GRMS
GRMS - Information Security Solutions

Web Application Assessment
– Input validation
– Configuration
– Assessment of platform

Attack and Penetration
– Network security assessment
– Penetration tests
– Host security assessment

Source Code Review
– Security architecture review
– Identification of vulnerable function calls
– Integrity