Security Testing & The Depth Behind OWASP Top 10
Yaniv Simsolo, CISSP
Image: Hubble Telescope: The cat’s eye nebula

Transcript of Security Testing & The Depth Behind OWASP Top 10 (45 slides)

Page 1:

Security Testing & The Depth Behind OWASP Top 10

Yaniv Simsolo, CISSP
Image: Hubble Telescope: The cat’s eye nebula

Page 2:

OWASP Top 10 2013

OWASP Top 10 – 2013 has evolved:
• 2013-A1 – Injection
• 2013-A2 – Broken Authentication and Session Management
• 2013-A3 – Cross-Site Scripting (XSS)
• 2013-A4 – Insecure Direct Object References
• 2013-A5 – Security Misconfiguration
• 2013-A6 – Sensitive Data Exposure
• 2013-A7 – Missing Function Level Access Control
• 2013-A8 – Cross-Site Request Forgery (CSRF)
• 2013-A9 – Using Known Vulnerable Components (NEW)
• 2013-A10 – Unvalidated Redirects and Forwards

Page 3:

OWASP Top 10 2013

OWASP Top 10 – 2013 Resources:
• https://www.owasp.org/index.php/Top_10_2013-Top_10
• OWASP Top 10 2013 presentation by Dave Wichers, on the OWASP web site

Page 4:

Mapping Top 10: From 2010 to 2013

Source: OWASP Top 10 2013 presentation by Dave Wichers 

Page 5:

Assumptions
• In information security several “top 10” lists exist; the OWASP Top 10 is the dominant one.
• “Top 3”: we all know about XSS, injection, CSRF, etc.
• Most organizations are well aware of these issues.

Page 6:

Assumptions
• OK. What now?
• “Top 6” = (“Top 3”) + (“we test what we can”):
– Broken authentication and session management
– Unvalidated redirects and forwards
– Insecure direct object references
• Most organizations are aware of these issues.
• OK, what now?

Page 7:

What did we miss?
• Security misconfiguration – A5
• Missing function level access control – A7
• Using known vulnerable components – A9
• A6 – sensitive data exposure now includes a merge of:
– Insufficient transport layer protection (2010-A9)
– Insecure cryptographic storage (2010-A7)

Page 8:

What did we miss?
• Security misconfiguration – A5
– (almost) not a web application issue but an application/system one
• Missing function level access control – A7
– Partly web application, partly application/system
• Using known vulnerable components – A9
– (almost) not a web application issue but an application/system one

Page 9:

What did we miss?
• A6 – sensitive data exposure now includes a merge of:
– Insufficient transport layer protection (2010-A9)
– Insecure cryptographic storage (2010-A7)
• Is this just a web application problem?
• Is the problem more severe once we look below the web layer?

Page 10:

What did we miss? Example

Security misconfiguration – A5
+
Using known vulnerable components – A9
=
The perimeter is not working

Page 11:

The Problem 

Image: Hubble Telescope: The cat’s eye nebula

Page 12:

Over Complexity
• Too much data
• Endless attack possibilities
• Too many security solutions, vendors, products
• No homogeneous approach

Page 13:

The Attack Vectors
– Any system
– Any infrastructure
– Any communication
– Any language
– Any architecture
– Any component
– Any information, any data
– Any physical layer
– Any logical layer
– Any storage device / facility
– Any (communication) channel
– Any interface
– Any encryption
– Any environment
– Any site (including DR)
– Any transaction
– Any log and audit trail
– Any archive
– Any process (operations, ongoing, development)

Page 14:

The Attack Types
(the attack-vector list from page 13 is shown alongside)
– Takeover
– Data theft
– Data tampering
– System integrity disruption
– Business logic manipulation
– Eavesdropping
– Backdoors – built in by design
– Backdoors – created by attackers
– Unintentional attacks
– Intentional attacks by authorized entities
– Attacks by non-human entities
– Denial of Service
– De facto Denial of Service
– Authorization bypass
– Access bypass
– Smuggling, splitting and evasion-type attacks

Page 15:

The Problem
Even the simplified security areas present a demanding challenge. For example, XSS:
• Very difficult to detect all variants in modern systems
• Almost impossible to retain a high security level once achieved

Page 16:

Common Solutions
• Superficial security tests.
– Many “good reasons”:
• Budget
• Time constraints
• Lack of understanding
• Over complexity

Page 17:

Common Solutions
• Impacts of superficial security tests in the long run?
– Partial to no security
– Poor security practices
– These organizations affect the security market, pulling it downwards!
– Loss, or partial loss, of the integrity of security professionals
– Worse still: a false sense of security

Page 18:

Where Did That Get Us?
• Ludicrous security warnings:
– January 2013: Department of Homeland Security: Do not use Java. Remove the JRE.
– April 2014: Department of Homeland Security: Versions 6 – 11 of IE are not to be used.
– April 2014: OpenSSL is insecure (the Heartbleed bug).

Page 19:

Where Did That Get Us?
• Poor security in design and architecture
• (Almost) no security in code developed under Agile / Continuous Delivery

Page 20:

Modern Systems Common Pitfall
• Modern systems are more secure. ???

Page 21:

Where Did That Get Us?
• Challenging security presentations:
– In-Depth Security is dead (RSA Conference 2011)
– Security is dead (Rugged coding – RSA Conference 2012)
• Ignorance is bliss….

Page 22:

Security Testing 

Image: Hubble Telescope: The cat’s eye nebula

Page 23:

How to Test?
• This is messy. VERY messy.
• There are shortcuts.

Page 24:

How to Test?
• Actually, most of it is quite easy to test.
• Go back to theory.
• Forget about the payloads.

Page 25:

The Fallback Common Option
• Test the GUI
• Black box testing methodology
• Exclude the difficult stuff from scope
• This is a “good” solution: it suits organizations and security professionals alike

Page 26:

The Fallback Common Option
• “The greatest enemy of knowledge is not ignorance, it is the illusion of knowledge.” ― Stephen Hawking
• Testing just the GUI → illusion of knowledge
• Testing just the front end (FE) → illusion of security
• Increasingly often we are requested to test much less than the actual scope.
• Consider carefully, prior to testing, what the actual testing scope should be.

Page 27:

How to test?
• “Supreme excellence consists in breaking the enemy's resistance without fighting.” Sun Tzu
• Common mobile WCF architecture:
– Where is the presentation layer?
– Which entities are granted access to the business logic?

Page 28:

How to test?
• OWASP Top 10 – Mobile:

Source: OWASP Top 10 Mobile project

Page 29:

The Oracle Exadata Example
• Oracle Exadata, simplified:
– Data warehouse platform
– Consolidation/grid platform
– Storage platform
• Exadata security best practices consist of:
– The “regular stuff”
– Database standard security
– Data warehouse specialized security
– Consolidation/grid specialized security

Page 30:

The Oracle Exadata Example
• Oracle Exadata (as a database platform) security testing benchmark:
– Organization A tested:
• The databases
• The environments
• The data warehouse specialized security
• The Exadata itself
– Organization B tested:
• Just some deployed databases
• Partial security testing for each database
• Worse still: Exadata not to be tested, as a policy
• Who said: 2013-A5 Security Misconfiguration?

Page 31:

Testing A5, A7, A9
• “If you know the enemy and know yourself you need not fear the results of a hundred battles”, Sun Tzu
• Do we really know ourselves?
• Where are A5, A7 and A9 implemented?
• Not testing the back end (BE) → illusion of knowing
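The point of pages 27 and 31, as an added example that is not from the slides: a back end that relies on the front end to hide privileged functions (2013-A7, missing function level access control) beside one that enforces the role itself, driven by a "direct call" that skips the GUI the way a tester, or an attacker, would. The service, users, roles and order data are constructed for the demo; nothing here is WCF or any real product's code.

```python
"""Added example (not from the slides): why testing only the GUI gives an
illusion of knowledge.  The front end hides the "refund" button from plain
users, but an attacker talks to the back end directly.  A tiny in-memory
service layer stands in for the real back end; all names are constructed."""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


# Constructed sample principals: an ordinary customer and a finance user.
ALICE = User("alice", {"customer"})
FINANCE = User("fin", {"customer", "finance"})


class VulnerableService:
    """Back end that trusts the front end to hide privileged actions.

    The GUI shows only the buttons a user may press, so the service never
    re-checks the role.  Anyone who invokes refund() directly (a replayed
    mobile request, a modified client, curl) gets it executed: 2013-A7."""

    def __init__(self):
        self.ledger = []

    def refund(self, caller: User, order_id: int, amount: int) -> str:
        self.ledger.append((caller.name, order_id, amount))
        return "refunded"


class HardenedService:
    """Same service, but authorization is enforced per function on the
    server side, independent of what the presentation layer displays."""

    REQUIRED_ROLE = {"refund": "finance"}

    def __init__(self):
        self.ledger = []

    def _authorize(self, caller: User, function: str) -> None:
        needed = self.REQUIRED_ROLE[function]
        if needed not in caller.roles:
            raise PermissionError(f"{caller.name} lacks role {needed!r} for {function}")

    def refund(self, caller: User, order_id: int, amount: int) -> str:
        self._authorize(caller, "refund")
        self.ledger.append((caller.name, order_id, amount))
        return "refunded"


def gui_can_see_refund(user: User) -> bool:
    """What the front end does: hides the button from non-finance users.
    A GUI-only test stops here and reports 'no access'."""
    return "finance" in user.roles


def direct_backend_call(service, caller: User) -> str:
    """Simulates a tester or attacker skipping the GUI and calling the
    back end.  Returns what is observed: 'refunded' or 'denied'."""
    try:
        return service.refund(caller, order_id=1001, amount=250)
    except PermissionError:
        return "denied"


if __name__ == "__main__":
    for svc in (VulnerableService(), HardenedService()):
        print(type(svc).__name__,
              "| GUI shows button:", gui_can_see_refund(ALICE),
              "| direct back-end call:", direct_backend_call(svc, ALICE))
```

Run against the GUI alone, both services look identical (the button is hidden for alice). Only the direct call distinguishes the one that actually enforces access control from the one that merely hides it, which is what scoping the back end into the test buys you.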

Page 32:

The Windows XP Example
• Organization C defines and enforces strict development and deployment security standards towards all its suppliers/customers.
• Over 60 pages of procedures and instructions.
• Insisting on supporting Windows XP based systems.
• Who said: 2013-A9 Using Known Vulnerable Components?

Page 33:

2013-A9 Using Known Vulnerable Components
• A vendor offers DBaaS.
– Excellent: beat the market by offering something-as-a-service...
• How can the organization trust the security of the DBaaS?
– Will separation be enforced?
– Will compartmentalization be enforced?
• Did we really test, and can we trust, the cloud on which the DBaaS is based?

Page 34:

Declarative Security
• What?
• One of the foundations of modern languages' run-time security.
• Mostly ignored or bypassed.
• Who said: Security misconfiguration – A5, Missing function level access control – A7?

Page 35:

Declarative Security• “Deployment descriptors must provide certain structural information for each component if this information has not been provided in annotations or is not to be defaulted.” (Oracle docs.)

Page 36:

Declarative Security
• “Engage people with what they expect; it is what they are able to discern and confirms their projections. It settles them into predictable patterns of response, occupying their minds while you wait for the extraordinary moment — that which they cannot anticipate.” Sun Tzu
• Lacking or weak declarative security: once code access is achieved, the extraordinary becomes feasible.

Page 37:

Declarative Security
• Poor design due to no design.
• Cancelling declarative security, or ignoring it → revoking the language's security fundamentals.
• A common real-life deployment descriptor (a Java security policy file): killing my own code!

    // Do what you will. Totally permissive policy file.
    grant {
        permission java.security.AllPermission;
    };

Page 38:

Reverse Engineering (A5, A6, A9)
• What for?
• Why for mobile security testing ONLY?
• From Wikipedia:
– Reverse engineering is the process of discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation.

Page 39:

Testing A2, A5, A6
• 2013-A6 – Sensitive data exposure
• 2013-A5 – Security misconfiguration
• 2013-A2 – Broken authentication
• Too much use of “third singulars” – the actual minute details of the tested object dissolve

Page 40:

2013-A5 Security Misconfiguration
• There is no external access!
• The intended users will only perform intended actions…
• Virtualization → separation

Page 41:

2013-A5 Security Misconfiguration
• How do organizations secure legacy unsecured systems?
• Install terminals (e.g. Citrix) as the presentation layer / access control layer.
• Challenge: manage multiple users across multiple systems.
• Result: the terminals are partially secure.
– Too many terminals to manage over long periods
– Some insecure
– The insecure terminals are the attacker's entry points.

Page 42:

Critical Thinking
(the attack-vector and attack-type lists from pages 13 and 14 are shown again)

Page 43:

Critical Thinking
• Critical thinking is the ability to think clearly and rationally. This requires reflective and independent thinking. (Philosophy field)
• For organizations, security is too difficult: over complexity, too much to orchestrate, etc.
• Increasingly often we are requested to test much less than the actual scope.
• Some organizations will not be educated.
• Push the industry back up with those organizations that can be educated.

Page 44:

Critical Thinking
• For security professionals, security is a challenge. Hence, always employ critical thinking and review the process of testing itself.
– Flexibility under varying technologies
– Use automated testing tools to the max AND always be aware of their limitations
– Scoping accurately is mandatory

Page 45:

Questions?

Yaniv Simsolo, CISSP
Image: Hubble Telescope: The cat’s eye nebula