ISSA Delaware Valley Chapter Meeting - PowerPoint PPT Presentation

About This Presentation
Title:

ISSA Delaware Valley Chapter Meeting

Description:

ISSA Delaware Valley Chapter Meeting. Achieving Enterprise Security through Collaboration ... FTC investigates PetCo.com security holes. SecurityFocus, Dec 5, 2003 ... – PowerPoint PPT presentation

Number of Views:90
Avg rating:3.0/5.0
Slides: 39
Provided by: yarong

Transcript and Presenter's Notes

Title: ISSA Delaware Valley Chapter Meeting


1
  • ISSA Delaware Valley Chapter Meeting
  • Achieving Enterprise Security through
    Collaboration
  • Steve Orrin
  • CTO
  • Sanctum Inc.

2
Recent News
3
Impact of Security Defects
  • Bad Business
  • On average, there are 5 to 15 defects in every
    1,000 lines of code
  • US Dept. of Defense and the Software Engineering
    Institute
  • Slow Business
  • It takes 75 minutes on average to track down one
    defect. Fixing one of these defects takes 2 to 9
    hours each
  • 5 Year Pentagon Study
  • Researching each of the 4,200 vulnerabilities
    published by CERT last year for 10 minutes would
    have required 1 staffer to research for 17.5 full
    workweeks or 700 hours
  • Intel White paper, CERT, ICSA Labs
  • Loss of Business
  • A company with 1,000 servers can spend $300,000 to test and deploy a patch; most companies deploy several patches a week
  • Gartner Group

4
Pressures on the Application Lifecycle Increasing
  • Time-to-Market
  • Bringing new applications to market quickly
  • Complexity is Growing
  • Increased application lifecycle complexity
  • Increasing Business Risks Driven by Security
    Defects
  • Rise in Hacker activity
  • Government scrutiny and regulation pressures (HIPAA, GLBA, SB1386, etc.)
  • Liability precedents for security defects
  • Costs Escalate Dramatically the longer you wait
    to Find and Fix
  • Bad software costs the economy $59.5 billion a year in breakdowns and repairs (National Institute of Standards & Technology, May 2002)

5
Why Application Security Defects Matter
  • Frequent
  • 3 out of 4 business websites are vulnerable to
    attack (Gartner)
  • Pervasive
  • 75% of hacks occur at the Application level (Gartner)
  • Undetected
  • QA testing tools not designed to detect security
    defects in applications
  • Manual patching - reactive, never ending, time consuming & expensive
  • Dangerous
  • When exploited, security defects destroy company
    value and customer trust

2000 application Healthchecks with AppScan: 98% vulnerable, and all had firewalls and encryption solutions in place
6
Business Impact of Application Hacks
  • Through a browser, a hacker can use even the
    smallest bug or backdoor to accomplish identity
    theft, fraud, denial of service and to obtain and
    manipulate Customer and Consultants records

Misdirect customers to a bogus site
Change parameters, e.g. total contribution = 100

7
Legislation Validation and Reporting Required
  • GLBA mandatory privacy and security standards in
    financial services industry (and enforced by the
    FTC)
  • HIPAA mandatory privacy and security standards
    in healthcare industry
  • FERC mandatory privacy and security standards in
    energy industry
  • SB1386 Calif law requires companies to warn
    consumers when personal information may have been
    stolen
  • Sarbanes-Oxley mandatory auditing controls
    requiring CEO/CFO to certify adequate internal
    control safeguards are in place
  • Putnam Bill (still in debate) mandatory
    security audits
  • Identity Theft complaints come to the FTC at more than 13,000/month

8
Government and Industry Regulations: Impact Matrix on Internet Security
(Chart legend: Yellow = Minor Impact, Orange = Medium Impact, Red = Major Impact)
Source: IDC, 2003 (modified)
9
Example: Cross Site Scripting
  • Vulnerability explanation
  • Extremely common: a flaw in the server's web page leads to compromise of a client
  • A third party creates a link (or sends an email) whose URL contains a parameter with a script; once the user connects, the site runs this script
  • Why Cross Site Scripting?
  • Many parameters are embedded within the HTML of subsequent responses without their content being checked for scripts
  • As a result of this manipulation
  • Virtual hijacking of the session. Any information flowing between the legitimate user and the site can be manipulated or transmitted to the evil 3rd party. The fault is simply echoing user input! (Trusting user input!!)

10
CSS In Action
(Screenshot: Welcome.asp echoing the supplied name as "Hello, ...")
11
CSS In Action
12
Web Services Threats
13
XML/Web Services Attack Vectors
  • Old Attacks still valid
  • CWVs
  • Injection Attacks
  • Buffer Overflow
  • Denial of Service
  • The New Manipulation Attacks
  • Entity and Referral Attacks
  • DTD and Schema Attacks
  • The Next Generation Attacks
  • Web Service Enabled Application Attacks
  • Multi-Phase Attacks

14
XML Attack Example (Entity Expansion)
  • An attack on XXX Application Server
  • 1. Find a web service which echoes back user data, such as the parameter "in"
  • 2. Use the following SOAP request
  • 3. And you'll get C:\WinNT\Win.ini in the response (!!!)
  • How it works
  • A. XXX App Server expands the entity foo into full text, fetched from the entity definition URL; the actual attack takes place at this phase (by XXX Application Server itself)
  • B. XXX App Server feeds the input to the web service
  • C. The web service echoes back the data

... "file:///c:/winnt/win.ini" ... &foo;
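Added example (not from the presentation): the defence that closes the entity-expansion hole described on this slide. The endpoint refuses any request that carries a DTD or entity declaration before the XML parser ever sees it, and caps the body size so expansion-based denial of service is cut off at the same point. The request shapes, element names and the 64 KB limit are constructed for this example; the file path is the one quoted on the slide. Screening the raw text for DTD markers is this example's approach, not a claim about what any particular application server or parser does by default.

```python
import re
import xml.etree.ElementTree as ET

# Constructed request of the shape slide 14 describes: an external entity is
# declared in the DTD and referenced from the "in" parameter that the service
# echoes back. The file path is the one quoted on the slide.
HOSTILE_REQUEST = """<?xml version="1.0"?>
<!DOCTYPE Envelope [
  <!ENTITY foo SYSTEM "file:///c:/winnt/win.ini">
]>
<Envelope><Body><Echo><in>&foo;</in></Echo></Body></Envelope>"""

# Constructed benign request to the same service.
BENIGN_REQUEST = """<?xml version="1.0"?>
<Envelope><Body><Echo><in>hello</in></Echo></Body></Envelope>"""

# Any DTD marker is grounds for rejection: a SOAP request has no legitimate
# need for one, and refusing it up front means the parser never gets the
# chance to resolve an entity, external or internal.
_DTD_MARKER = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class UnsafeXMLError(ValueError):
    pass


def parse_request(xml_text, max_bytes=64 * 1024):
    """Parse a request body after the two checks an XML endpoint should make:
    a size cap (expansion and oversize bodies are both DoS vectors) and a
    refusal of any document that declares a DTD or entity."""
    if len(xml_text.encode("utf-8")) > max_bytes:
        raise UnsafeXMLError("request body exceeds %d bytes" % max_bytes)
    if _DTD_MARKER.search(xml_text):
        raise UnsafeXMLError("DTD or entity declaration in request")
    return ET.fromstring(xml_text)


def echo_service(xml_text):
    """What the echo service sends back for an accepted request."""
    root = parse_request(xml_text)
    node = root.find(".//in")
    return node.text if node is not None else None


def is_accepted(xml_text):
    """True if the request passes the checks, False if it is rejected."""
    try:
        parse_request(xml_text)
        return True
    except UnsafeXMLError:
        return False


if __name__ == "__main__":
    print("benign ->", echo_service(BENIGN_REQUEST))
    print("hostile accepted?", is_accepted(HOSTILE_REQUEST))
```

Rejecting on the DTD marker is deliberately coarse: it also refuses legitimate documents that happen to declare a DTD, which is the right trade for a web service endpoint whose schema never needs one.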
15
Next Generation Attacks: XPath Injection
  • Query-based injection attack targeting Web applications that use XML data sources (XML documents and XML databases)
  • Why XPath Injection?
  • Traditional query injection: ' or 1=1 or ''='
  • XPath Blindfolded Injection
  • Attacker extracts information one query injection at a time. The novelty is:
  • No prior knowledge of the XPath query format required (unlike traditional SQL Injection attacks)
  • The whole XML document is eventually extracted, regardless of the XPath query format used by the application
  • Defending against XPath injection (similar to defending against SQL injection)
  • The application must sanitize/validate user input
  • Use an application firewall in front of the web site
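Added example (not from the presentation): the two login lookups the defence bullets contrast. `build_query_vulnerable` only returns the XPath text that string concatenation would produce, so the effect of the slide's `' or 1=1 or ''='` input is visible; `login_safe` never assembles a query from input at all: the user name is allow-list validated and the password is compared in Python. The user store, field names and the name pattern are constructed for this example; a real store would hold a password hash rather than the plaintext compared here.

```python
import hmac
import re
import xml.etree.ElementTree as ET

# Constructed XML user store of the kind slide 15 has in mind.
USERS_XML = """<users>
  <user><name>alice</name><pass>s3cret</pass><role>admin</role></user>
  <user><name>bob</name><pass>hunter2</pass><role>user</role></user>
</users>"""
USERS = ET.fromstring(USERS_XML)


def build_query_vulnerable(name, password):
    """The anti-pattern: input spliced straight into the XPath expression.
    Returned as text only, to show what the injected query would look like."""
    return "//user[name='%s' and pass='%s']" % (name, password)


# Allow-list for user names: letters, digits and a few separators. No quotes,
# brackets or whitespace, so nothing that is XPath syntax can get through.
_NAME = re.compile(r"[A-Za-z0-9_.@-]{1,64}")


def login_safe(root, name, password):
    """Look the user up without ever building a query from input.

    The name is validated against the allow-list; the password is not pattern
    checked because it is never placed in a query, only compared here in
    constant time.
    """
    if not isinstance(name, str) or not _NAME.fullmatch(name):
        return None
    for user in root.findall("./user"):
        if user.findtext("name") != name:
            continue
        stored = user.findtext("pass") or ""
        if hmac.compare_digest(stored.encode(), password.encode()):
            return user.findtext("role")
        return None
    return None


if __name__ == "__main__":
    print(build_query_vulnerable("' or 1=1 or ''='", "x"))
    print(login_safe(USERS, "alice", "s3cret"))
    print(login_safe(USERS, "' or 1=1 or ''='", "x"))
```

The point of the allow-list is that it is independent of how the lookup is written: even if a later change did introduce a query built from the name, the characters that make injection possible would already have been rejected.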

16
Next Generation Attacks: HTTP Response Splitting
  • A new carrier affecting Web server communications, used to perform old attacks in a more elegant and malicious way
  • Hackers can easily, and with greater impunity, perform the following attacks:
  • Web Cache Poisoning (new type of attack)
  • poisoning the reverse proxy cache: defacement
  • poisoning an intermediate cache server: next generation phishing
  • poisoning a browser cache: targeted attack
  • Hijacking a page (HTTP response) with user-sensitive information
  • Diverts a response intended for a client to the attacker
  • Cross-site scripting (XSS)
  • A new way to implement XSS with the above-mentioned added benefits

17
Anti-Forensics Properties: A step toward the "perfect hack"!
  • Easily reversible, manually by the attacker and as part of normal cache operations
  • The nature of the attack hampers incident response activities
  • Allows for removal of evidence
  • Allows the attacker to more easily cloak the evidence of attack
  • Web caching is rarely logged
  • End result: a novice cracker can hack with a level of impunity once reserved for the very skilled

18
How it works
  • Normal request/response scenario
  • User sends a request to a Web server/application; the Web server/application processes the request and sends a response
  • Attack scenario: 1 attack request (a normal request with an embedded attack) yields 2 responses
  • Attacker sends the attack request to a Web server/application
  • Web server/application processes the request
  • When the Web server interprets the response from the application, the attack tricks the Web server into breaking the response in two and sending a second response (the embedded attack)
  • The attack response is sent to the user/cache
  • Root cause
  • Poor user input validation
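Added example (not from the presentation): the root cause named on this slide, and what fixing it looks like on both the application side and the detection side. `redirect_headers` builds a redirect from a user-chosen page and refuses any value carrying CR, LF or NUL, which is the only way a single response can be broken into two; `splitting_attempts` runs over access-log lines and flags requests whose URL decodes to contain a line break, which is what a splitting attempt leaves behind in the one log most sites do keep. The log lines, the `/redir.asp` page name and the same-site-only redirect policy are constructed for this example.

```python
import re
from urllib.parse import unquote


class HeaderInjectionError(ValueError):
    pass


def is_safe_header_value(value):
    """A header value may never contain CR, LF or NUL: those are what let a
    single response be split into two."""
    return isinstance(value, str) and re.search(r"[\r\n\x00]", value) is None


def redirect_headers(target):
    """Build the headers for a redirect to a user-chosen page, the kind of
    code slide 18's 'normal request with embedded attack' is aimed at.

    Two controls: reject CR/LF, and only allow same-site relative paths
    (an example policy, not something the slide prescribes).
    """
    if not is_safe_header_value(target):
        raise HeaderInjectionError("CR/LF in redirect target")
    if not target.startswith("/") or target.startswith("//"):
        raise HeaderInjectionError("off-site redirect target rejected")
    return [("Location", target), ("Cache-Control", "no-store")]


# Constructed access-log lines in Common Log Format. The second carries the
# encoded CR/LF pairs that mark a response-splitting attempt.
SAMPLE_LOG = [
    '10.0.0.7 - - [05/Dec/2003:10:01:02 -0500] "GET /redir.asp?page=/home.asp HTTP/1.1" 302 0',
    '10.0.0.9 - - [05/Dec/2003:10:01:09 -0500] "GET /redir.asp?page=/home.asp%0d%0a%0d%0a HTTP/1.1" 302 0',
    '10.0.0.7 - - [05/Dec/2003:10:01:15 -0500] "GET /welcome.asp?name=steve HTTP/1.1" 200 512',
]


def splitting_attempts(log_lines):
    """Return (client, path) for requests whose URL decodes to contain CR or LF.

    Decoding before checking also catches mixed-case and partial encodings
    such as %0A on its own.
    """
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST|HEAD) (\S+) HTTP/', line)
        if m is None:
            continue
        path = m.group(1)
        decoded = unquote(path)
        if "\r" in decoded or "\n" in decoded:
            hits.append((line.split()[0], path))
    return hits


if __name__ == "__main__":
    print(redirect_headers("/home.asp"))
    for client, path in splitting_attempts(SAMPLE_LOG):
        print("splitting attempt from", client, "->", path)
```

Rejecting the value outright, rather than stripping the line breaks and continuing, keeps the request visible as a failure in the application's own logs as well as the web server's.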

19
The Heart of the Issue: Input Trust
  • All input is evil, until proven otherwise!
  • The root of most serious vulnerabilities:
  • Buffer overruns
  • Canonicalization issues
  • Cross-site scripting (XSS) attacks
  • SQL injection attacks
  • Integer overflow attacks
  • Good guys give you well-formed data, bad guys don't!
  • Don't rely on your client application providing clean data
  • Don't assume attackers play by the rules
  • They go under the radar

20
Input Remedies
  • Require authenticated connections
  • Sanitize all input from untrusted sources
  • Look for valid data
  • Reject everything else
  • High-level languages can use RegExp
  • SSN: \d{3}-\d{2}-\d{4}
  • Make no assumptions about the trustworthiness of data
  • Never directly echo Web-based user input
  • Verify input, then echo it
  • At the very least, HTML or URL encode the output
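
Added example (not from the presentation), covering both the Welcome.asp echo from slides 9-10 and the remedies listed on this slide in one place. `welcome_vulnerable` reproduces the echo-the-input behaviour the XSS slides describe; `welcome_safe` applies the remedies in order: allow-list validation ("look for valid data, reject everything else"), then HTML encoding on output, with URL encoding shown for the same value placed in a link. The SSN pattern is the one on the slide; the name pattern, the page paths and the fallback text are constructed for this example, and the code is Python rather than the ASP of the original demo.

```python
import html
import re
import urllib.parse

# Allow-list patterns, one per field. The SSN pattern is the one on slide 20;
# the name pattern is constructed for this example.
ALLOWED = {
    "ssn": re.compile(r"\d{3}-\d{2}-\d{4}"),
    "name": re.compile(r"[A-Za-z][A-Za-z .'-]{0,49}"),
}


def validate(field, value):
    """Return value if it is positively recognised as valid, else None.

    fullmatch() is used on purpose: with re.match() or a $ anchor a trailing
    newline would slip through, which is exactly the kind of edge the slide's
    "reject everything else" rule is meant to close. An unknown field is
    rejected too, since there is no pattern that says what valid looks like.
    """
    pattern = ALLOWED.get(field)
    if pattern is None or not isinstance(value, str):
        return None
    return value if pattern.fullmatch(value) else None


def welcome_vulnerable(name):
    """The Welcome.asp behaviour from slide 10: input echoed straight into HTML."""
    return "<p>Hello, " + name + "</p>"


def welcome_safe(name):
    """Validate first, then HTML-encode on output so the browser renders text,
    never markup. Input that fails validation gets a fixed fallback."""
    checked = validate("name", name)
    if checked is None:
        return "<p>Hello, guest</p>"
    return "<p>Hello, " + html.escape(checked, quote=True) + "</p>"


def echo_encoded(text):
    """For free-text fields that cannot be allow-listed: encode, never echo raw."""
    return html.escape(text, quote=True)


def profile_link(base_path, name):
    """The same input placed in a URL: URL-encode so it cannot alter the query."""
    return base_path + "?name=" + urllib.parse.quote(name, safe="")


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"
    print(welcome_vulnerable(probe))
    print(welcome_safe(probe))
    print(welcome_safe("O'Brien"))
    print(profile_link("/welcome.asp", "Bob & <Alice>"))
```

Note that `welcome_safe` encodes even after validation passes: the name pattern admits an apostrophe, and the encoding is what keeps O'Brien harmless inside an attribute. Validation and output encoding are separate controls, and the slide's "at the very least" applies to the second one.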

21
Introducing Risk Early: The Vicious Cycle
Staging: Design, Develop, Test
  • Responsibilities
  • Develop high quality secure apps
  • Tools
  • IDEs
  • Performance & functionality QA tools
  • Manual test scripts and code review
  • Freeware
  • Challenges
  • Don't have the tools, time or training for security testing
  • Result
  • Dangerous security defects passed downstream to operations
  • Code comes back to development to work on again
Production: Deployment & Operations
  • Responsibilities
  • Audit apps before/after deployment
  • Patch & fix
  • Communicate to development
  • Tools
  • Network Scanners
  • Vulnerability Assessment Tools
  • Challenges
  • Ran out of time!
  • Being measured on deployment, not on sending back to development
  • Results
  • Kept waiting for quality software to deploy
  • Anxious about the overall quality of the software deployed and about the next attack
Development is fertile ground for security bugs; Ops, Admins and Auditors are expensive exterminators
22
Automated Security Testing for the Application Lifecycle
  • Develop (Developer)
  • Construct application
  • Unit test application components
  • Test (Tester / QA Engineer)
  • Create test plan
  • Create, run & manage test scripts
  • Defect assignment & tracking
  • Delta, trend and results analysis
  • Approve release to production
  • Audit (Ops / Security Auditor)
  • Create operations plan
  • Deploy & maintain business compliance
  • Scheduled (or not!) application audits

23
Financial Impact
Cost to Fix dramatically increases the longer you
wait to test
24
Cost of Backlog: Statistics from 10 F100 Companies
2.5 month avg. delay = $25M in lost savings/revenue
25
The Bottom Line
  • Costs of defects introduced early in lifecycle
    quickly add-up
  • Untested applications in production
  • Longer development cycles
  • More development cycles
  • Considerable business risks

26
Understand, Communicate, Measure
  • Understand your exposure
  • Use tools that scan for exposure points at the
    web server and application layers as part of
    application development process
  • The data collected must be relevant to the
    audience receiving it
  • The importance of terminology and types of data
    provided
  • Communicate your exposures (security defects)
  • Various stake holders in the development
    lifecycle need different types of data
  • Use the tracking tools already in place
  • Map security defects to business needs
  • Measure your assessment process / security defect
    remediation
  • Analyze exposure from individual assessments and
    compare results across the cycle

27
Understand
28
Communicate: Developers/QA, the right data for the right audience
29
Communicate: Product Management, the right data for the right audience
30
Communicate: Auditors, the right data for the right audience
31
Measure: Trend Analysis
32
From Vicious to Virtuous Development Cycle
Give developers, QA and administrators the tools
and training they need to succeed!
33
The Result: Address Compliance
  • Ensure the security & confidentiality of
    customer records and information
  • Protect against any unanticipated threat or
    hazard to the security or integrity of these
    records
  • Protect against unauthorized access that could
    result in substantial harm or inconvenience to
    customer


Network devices do not detect these
vulnerabilities
34
The Result: Address Compliance
  • Prevent unauthorized access to California customers' or employees' personal information
  • Penalty of breach: each customer/employee must be individually notified in writing of the breach in confidentiality in less than two weeks
  • Otherwise, a public announcement to the press
    must occur


35
Automated Web Application Testing and Risk
Assessment
  • S.A.F.E.: Speed, Accuracy, Flexibility and Efficiency
  • Site Smart for QA and Audit
  • Seamlessly integrates into any QA or Audit environment
  • Tests both new and existing Internet infrastructures
  • Ensures compliance with security best practices and external regulations
  • Application Lifecycle Security accelerates ROI:
  • increased revenue
  • increased customer satisfaction
  • decreased customer acquisition and retention costs
  • Application Lifecycle Security to increase the Speed and Ease of Application Deployment in a Secure Environment

36
Application Security Across the Lifecycle
  • Incorporate security into the process early
    on and at each stage
  • Document and report to demonstrate compliance
  • Improve overall result
  • Reduce costs

37
Q&A
  • Steve Orrin, CTO
  • Sanctum, Inc.
  • sorrin@sanctuminc.com
  • www.sanctuminc.com

38
For More Information
  • Sanctum, Inc
  • Sanctuminquiry@sanctuminc.com
  • Toll free (877) 888-3970