Application Security - Myth or Fact Slides
Transcript of Application Security - Myth or Fact Slides
Application Security: Myth or Fact?
Dave Ferguson
@dfgrumpy
blog.dkferguson.com
www.cfhour.com
Obligatory “About Me” Slide
Working in field for a long, long time (15+ years)
Using ColdFusion since version 1.5
Adobe Community Professional
Sr. Developer for Nonfat Media
One of the voices of the <CFHour> ColdFusion podcast w/ Scott Stroz ( @boyzoid )
If you have a question, please ask it anytime.
Why should you care about application security? (Isn’t that the network guy’s problem?)
At its core, security is about risk management.
Security is fundamentally about protecting “assets”.
Most applications don’t have enough protection.
Any protection in place is probably insufficient.
Security implementation is usually in place to protect the server / network, not the application.
Using a captcha to protect a form is not the same as anti-intrusion.
Once you understand the perceived value of your application, you will better understand how to protect it.
What does it mean to have a secured application?
Some stuff for the “Network Guy”:
• Viruses
• Worms
• Network intrusion
• OS compromise
OWASP: Open Web Application Security Project
OWASP Top 10 (as of 2010)
• A1: Injection
• A2: Cross-Site Scripting (XSS)
• A3: Broken Authentication and Session Management
• A4: Insecure Direct Object References
• A5: Cross-Site Request Forgery (CSRF)
• A6: Security Misconfiguration
• A7: Insecure Cryptographic Storage
• A8: Failure to Restrict URL Access
• A9: Insufficient Transport Layer Protection
• A10: Unvalidated Redirects and Forwards
GAME TIME!
MYTH
SSL encrypts data in transit. Entry and exit points are still unprotected.
Think of a tunnel through a mountain. Anyone can enter either side, but once inside you can only interact with what is in the tunnel.
SSL will prevent some things, such as a “man in the middle” attack.
“My application is secure because I have a login screen”
MYTH (for the most part)
If not implemented correctly, then this becomes a myth.
Demo time…
“I don’t need to worry about security because I am using (insert framework here)”
MYTH
Frameworks give structure to code. Frameworks make writing secure software easier by inherently enforcing certain coding best practices.
Code written in a framework can still have the same security holes as non-framework code.
Frameworks can add some complexity, which requires developers to be more vigilant when looking for possible attack vectors.
“Our data access layer is ORM so we are safe from SQL injection”
MYTH
Properly implemented ORM does protect against injection.
However, utilizing HQL can expose the system to injection.
Demo Time…
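As an added example (not from the slides or the author’s demo), here is the HQL pitfall behind this myth in ColdFusion’s ormExecuteQuery(): the first function splices client input into the query text, the second binds it as a parameter. A persistent CFC named User with a username property is assumed.

```cfml
<cfscript>
// Vulnerable: the HQL string is built by concatenation, so whatever the client
// sends becomes part of the query text. ORM does not parse or escape it for you,
// so a value containing quotes can change the structure of the query.
function findUserUnsafe(required string username) {
    var hql = "from User where username = '" & arguments.username & "'";
    return ormExecuteQuery(hql);
}

// Hardened: the value travels as a bound parameter. Hibernate passes it to the
// database as data, never as query text, so it cannot alter the query.
// The third argument (unique=true) returns a single entity instead of an array.
function findUserSafe(required string username) {
    var hql = "from User where username = :uname";
    return ormExecuteQuery(hql, { uname = arguments.username }, true);
}
</cfscript>
```

The same rule applies to raw SQL in cfquery: use cfqueryparam (or queryExecute parameters) rather than string concatenation.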
“We don’t need to worry about security because our site has nothing of value”
MYTH
Value is perceptual.
The true value of your application is what others deem its value is.
If an intruder believes your application is hiding something of value, they may try to find it.
Your site may only contain trivial data. However, does it contain data that could allow an attacker to get into other systems?
Storing any data about a person makes your site a target.
“The Global Script Protection setting in the ColdFusion admin is sufficient”
MYTH
The keyword there is “sufficient”.
Relying on script protection to save you is a fool’s errand.
The setting will strip out some things but should not be treated as a silver bullet.
Demo Time…
“Our URL / form variables are encrypted so they can’t be tampered with”
MYTH
If a loose encryption is used, the encryption could be predicted.
“Thinking like an attacker will help protect my system”
FACT
Keep up to date on current security trends.
Take a step back when writing code and evaluate it for possible intrusion.
Remember that security is a practice or frame of mind, not a “once in a while” type thing.
“We are using anti-intrusion software so we are just fine”
MYTH
Anti-intrusion software blocks known intrusion patterns. It acts as a filter on incoming data to stop potentially harmful requests from being processed.
Not 100% effective, as intruders will attempt to bypass blocking software.
Examples:
• ModSecurity
• SecureIIS
• FuseGuard
Demo time…
Tips for the future: a couple of things to always think about when writing code
If a section is supposed to be secure, make sure security is checked on all pages, not just entry points.
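One way to apply this tip in ColdFusion, as an added example that is not part of the slides: put the check in Application.cfc’s onRequestStart() so it runs for every request, instead of trusting that each protected page remembers to include it. The /admin/ prefix, the session.userId key, and /login.cfm are assumptions about the application’s layout.

```cfml
component {
    this.name = "MythOrFactDemo";
    this.sessionManagement = true;

    // Runs before every request, so a restricted page cannot be reached by
    // requesting it directly and skipping the login page.
    public boolean function onRequestStart(required string targetPage) {
        var protectedPrefix = "/admin/";   // assumed: all restricted pages live here
        var loggedIn = structKeyExists(session, "userId") && len(session.userId) > 0;

        if (left(arguments.targetPage, len(protectedPrefix)) == protectedPrefix && !loggedIn) {
            // Not authenticated: send to the login page and stop processing this request.
            location(url = "/login.cfm", addToken = false);
            return false;
        }
        return true;
    }
}
```

Authorization (is this user allowed to see this page?) still has to be checked where the data is fetched; this only guarantees that no protected page is served without a login.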
Compartmentalize your application to minimize exposure if the system is compromised.
Reduce the attack surface and remove unused sections or code.
Don’t rely on a single security layer; use “defense in depth” and employ multiple security layers.
Treat all data from a client as bad until ... Forever.
Don’t leave security for the other guy to handle.
Security by obscurity gives you a false sense of security.
Thank You. Any Questions?
Dave Ferguson
@dfgrumpy
http://blog.dkferguson.com
http://www.cfhour.com