Title: ISSA Delaware Valley Chapter Meeting
1. ISSA Delaware Valley Chapter Meeting
- Achieving Enterprise Security through Collaboration - Steve Orrin
- CTO
- Sanctum Inc.
2. Recent News
3. Impact of Security Defects
- Bad Business
  - On average, there are 5 to 15 defects in every 1,000 lines of code (US Dept. of Defense and the Software Engineering Institute)
- Slow Business
  - It takes 75 minutes on average to track down one defect. Fixing one of these defects takes 2 to 9 hours each (5 Year Pentagon Study)
  - Researching each of the 4,200 vulnerabilities published by CERT last year for 10 minutes would have required 1 staffer to research for 17.5 full workweeks, or 700 hours (Intel white paper, CERT, ICSA Labs)
- Loss of Business
  - A company with 1,000 servers can spend $300,000 to test and deploy a patch; most companies deploy several patches a week (Gartner Group)
4. Pressures on the Application Lifecycle Increasing
- Time-to-Market
  - Bringing new applications to market quickly
- Complexity is Growing
  - Increased application lifecycle complexity
- Increasing Business Risks Driven by Security Defects
  - Rise in hacker activity
  - Government scrutiny and regulation pressures (HIPAA, GLBA, SB1386, etc.)
  - Liability precedents for security defects
- Costs Escalate Dramatically the Longer You Wait to Find and Fix
  - Bad software costs the economy $59.5 billion a year in breakdowns and repairs (National Institute of Standards and Technology, May 2002)
5. Why Application Security Defects Matter
- Frequent
  - 3 out of 4 business websites are vulnerable to attack (Gartner)
- Pervasive
  - 75% of hacks occur at the application level (Gartner)
- Undetected
  - QA testing tools are not designed to detect security defects in applications
  - Manual patching: reactive, never ending, time consuming, expensive
- Dangerous
  - When exploited, security defects destroy company value and customer trust
- 2,000 application health checks with AppScan: 98% vulnerable, and all had firewalls and encryption solutions in place
6. Business Impact of Application Hacks
- Through a browser, a hacker can use even the smallest bug or backdoor to accomplish identity theft, fraud, denial of service, and to obtain and manipulate customer and consultant records
  - Misdirect customers to a bogus site
  - Change parameters (e.g. total contribution = 100)
7. Legislation: Validation and Reporting Required
- GLBA: mandatory privacy and security standards in the financial services industry (enforced by the FTC)
- HIPAA: mandatory privacy and security standards in the healthcare industry
- FERC: mandatory privacy and security standards in the energy industry
- SB1386: California law requiring companies to warn consumers when personal information may have been stolen
- Sarbanes-Oxley: mandatory auditing controls requiring the CEO/CFO to certify that adequate internal control safeguards are in place
- Putnam Bill (still in debate): mandatory security audits
- Identity theft complaints come to the FTC at more than 13,000/month
8. Government and Industry Regulations: Impact Matrix on Internet Security
(Matrix figure: Yellow = Minor Impact, Orange = Medium Impact, Red = Major Impact. Source: IDC, 2003, modified)
9. Example: Cross Site Scripting
- Vulnerability explanation
  - Extremely common: a flaw in the server's web page leads to compromise of a client
  - A third party creates a link (or sends an email) whose URL contains a parameter holding a script; once the user connects, the site runs this script in the user's browser
- Why Cross Site Scripting?
  - Many parameters are implanted within the HTML of subsequent responses without their content being checked for scripts
- As a result of this manipulation
  - Virtual hijacking of the session: any information flowing between the legitimate user and the site can be manipulated or transmitted to the evil 3rd party. The fault is simply echoing user input! (Trusting user input!!)
10. CSS In Action
(Screenshot: Welcome.asp echoes the name parameter into the page as "Hello, ...")
11. CSS In Action
(Screenshot)
12. Web Services Threats
13. XML/Web Services Attack Vectors
- Old attacks still valid
  - CWVs
  - Injection attacks
  - Buffer overflow
  - Denial of service
- The new manipulation attacks
  - Entity and referral attacks
  - DTD and schema attacks
- The next generation attacks
  - Web service enabled application attacks
  - Multi-phase attacks
14. XML Attack Example (Entity Expansion)
- An attack on XXX Application Server
  1. Find a web service which echoes back user data, such as the parameter "in"
  2. Use the following SOAP request (shown on the slide)
  3. And you'll get C:\WinNT\Win.ini in the response (!!!)
- How it works
  - A. XXX App Server expands the entity foo into full text fetched from the entity definition URL; the actual attack takes place at this phase (by XXX Application Server itself)
  - B. XXX App Server feeds the input to the web service
  - C. The web service echoes back the data
- Fragment of the SOAP request shown on the slide: ... "file:///c:/winnt/win.ini" ... foo
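The defence for the entity expansion attack above is to refuse entity declarations before the application server expands anything. This added example (not from the slides or from Sanctum) shows a pre-parse gate built on Python's stdlib expat parser; the SOAP samples are constructed to match the slide's description, and the `echo`/`in` element names are assumed.

```python
import xml.parsers.expat

# Constructed sample in the shape the slide describes: a DOCTYPE declares an external
# entity "foo" pointing at a local file, and the echoed parameter "in" references it.
HOSTILE_SOAP = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE foo [ <!ENTITY foo SYSTEM "file:///c:/winnt/win.ini"> ]>\n'
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">\n'
    '  <soap:Body><echo><in>&foo;</in></echo></soap:Body>\n'
    '</soap:Envelope>'
)

# Constructed benign request: same service, plain text in the "in" parameter.
BENIGN_SOAP = (
    '<?xml version="1.0"?>\n'
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">\n'
    '  <soap:Body><echo><in>hello</in></echo></soap:Body>\n'
    '</soap:Envelope>'
)


class EntityDeclared(Exception):
    """Raised as soon as the document tries to declare or load an entity."""


def reject_entities(xml_bytes):
    """Parse with expat and abort on any entity declaration or external entity
    reference, so the server never expands 'foo' into file contents. Rejecting
    all declarations also covers internal-entity expansion (DoS) payloads."""
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise EntityDeclared(f"entity {name!r} declared (SYSTEM {system_id!r})")

    def on_external_ref(context, base, system_id, public_id):
        raise EntityDeclared(f"external entity reference to {system_id!r}")

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_bytes, True)  # raises EntityDeclared on a hostile document


def is_safe_soap(xml_text):
    """Gate to run before handing a request to the web service."""
    try:
        reject_entities(xml_text.encode("utf-8"))
        return True
    except EntityDeclared:
        return False


if __name__ == "__main__":
    print("benign accepted:", is_safe_soap(BENIGN_SOAP))   # True
    print("hostile accepted:", is_safe_soap(HOSTILE_SOAP))  # False
```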
15. Next Generation Attacks: XPath Injection
- Query-based injection attack targeting web applications using XML data sources (XML documents and XML databases)
- Why XPath Injection?
  - Traditional query injection: ' or 1=1 or ''='
  - XPath blindfolded injection
    - Attacker extracts information per a single query injection. The novelty is:
      - No prior knowledge of the XPath query format is required (unlike traditional SQL injection attacks)
      - The whole XML document is eventually extracted, regardless of the XPath query format used by the application
- Defending against XPath injection (similar to defending against SQL injection)
  - The application must sanitize/validate user input
  - Use an application firewall in front of the web site
16. Next Generation Attacks: HTTP Response Splitting
- A new carrier affecting web server communications, used to perform old attacks in a more elegant and malicious way
- Hackers can easily, and with greater immunity, perform the following attacks:
  - Web cache poisoning (new type of attack)
    - Poisoning the reverse proxy cache: defacement
    - Poisoning an intermediate cache server: next generation phishing
    - Poisoning a browser cache: targeted attack
  - Hijacking a page (HTTP response) with user-sensitive information
    - Diverts a response intended for a client to the attacker
  - Cross-site scripting (XSS)
    - New way to implement XSS with the above-mentioned added benefits
17. Anti-Forensics Properties: A Step Toward the "Perfect Hack"!
- Easily reversible, manually by the attacker and as part of normal cache operations
- The nature of the attack hampers incident response activities
  - Allows for removal of evidence
  - Allows the attacker to more easily cloak the evidence of attack
  - Web caching is rarely logged
- End result: a novice cracker can hack with a level of impunity once reserved for the very skilled
18. How It Works
- Normal request/response scenario
  - User sends a request to a web server/application
  - Web server/application processes the request and sends a response
- Attack scenario: 1 attack request (a normal request with an embedded attack) yields 2 responses
  - Attacker sends the attack request to a web server/application
  - Web server/application processes the request
  - When the web server interprets the response from the application, the attack tricks the web server into breaking the response and sending a second response (the embedded attack)
  - The second (attack) response is sent to the user/cache
- Root cause
  - Poor user input validation
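To make the "one request, two responses" mechanism and its root-cause fix concrete, here is an added example (not from the slides) in Python. It models a redirect handler that copies a user-supplied value into the Location header, shows how a downstream cache would count the resulting messages, and adds the CR/LF check that closes the hole; the test input is constructed and its second response is a harmless marker.

```python
import re

CRLF = "\r\n"

# Constructed test input: a "next page" value that carries a line break followed by
# a complete second response. The second body is a harmless marker so the split
# can be observed; it is not a payload from the slides.
SPLIT_INPUT = ("/home" + CRLF + "Content-Length: 0" + CRLF + CRLF
               + "HTTP/1.1 200 OK" + CRLF + "Content-Length: 8" + CRLF + CRLF
               + "injected")


class HeaderInjection(ValueError):
    """Raised when a header value would break the response into two."""


def build_redirect_unsafe(location):
    """Naive server: user-controlled value placed straight into a header."""
    return ("HTTP/1.1 302 Found" + CRLF
            + "Location: " + location + CRLF
            + "Content-Length: 0" + CRLF + CRLF)


def build_redirect_safe(location):
    """Hardened server: refuse CR or LF in any header value (the 'poor user
    input validation' root cause), then build the same response."""
    if re.search(r"[\r\n]", location):
        raise HeaderInjection("CR/LF in header value")
    return build_redirect_unsafe(location)


def count_responses(raw):
    """Count the HTTP messages a downstream proxy or cache would see in the
    byte stream: a status line at the start, or right after a blank line."""
    return len(re.findall(r"(?:^|\r\n\r\n)HTTP/1\.[01] \d{3}", raw))


if __name__ == "__main__":
    print(count_responses(build_redirect_unsafe("/home")))      # 1
    print(count_responses(build_redirect_unsafe(SPLIT_INPUT)))  # 2
    try:
        build_redirect_safe(SPLIT_INPUT)
    except HeaderInjection as exc:
        print("rejected:", exc)
```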
19. The Heart of the Issue: Input Trust
- All input is evil, until proven otherwise!
- The root of most serious vulnerabilities:
  - Buffer overruns
  - Canonicalization issues
  - Cross-site scripting (XSS) attacks
  - SQL injection attacks
  - Integer overflow attacks
- Good guys give you well-formed data, bad guys don't!
  - Don't rely on your client application providing clean data
  - Don't assume attackers play by the rules
  - They go under the radar
20. Input Remedies
- Require authenticated connections
- Sanitize all input from untrusted sources
  - Look for valid data
  - Reject everything else
  - High-level languages can use RegExp
    - SSN: \d{3}-\d{2}-\d{4}
- Make no assumptions about the trustworthiness of data
- Never directly echo web-based user input
  - Verify input, then echo it
  - At the very least, HTML or URL encode the output
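The remedies above, applied to the Welcome.asp echo from the Cross Site Scripting slides and to the "validate user input" defence the XPath injection slide prescribes, as an added Python example that is not from the slides: an allow-list check (the slide's SSN pattern plus an assumed rule for a display name), verify-then-echo with HTML encoding, and URL encoding for values placed in links.

```python
import html
import re
from urllib.parse import quote

# Allow-list patterns: describe what valid data looks like and reject everything else.
# The SSN pattern is the slide's; the name rule is an assumed policy for this demo.
PATTERNS = {
    "ssn": re.compile(r"\d{3}-\d{2}-\d{4}"),
    "name": re.compile(r"[A-Za-z][A-Za-z .'-]{0,39}"),
}


def validate(kind, value):
    """True only if the whole value matches the pattern (fullmatch, so a trailing
    newline or appended text cannot slip past a $ anchor)."""
    return PATTERNS[kind].fullmatch(value) is not None


def welcome_unsafe(name):
    """Mirrors the Welcome.asp demo: the name parameter is echoed as-is."""
    return f"<html><body>Hello, {name}</body></html>"


def welcome_safe(name):
    """Verify input, then echo it, and HTML-encode the output regardless."""
    if not validate("name", name):
        return "<html><body>Hello, guest</body></html>"
    return f"<html><body>Hello, {html.escape(name)}</body></html>"


def welcome_link(name):
    """When user data goes into a URL instead of HTML, URL-encode it."""
    return "/Welcome.asp?name=" + quote(name, safe="")


def echoes_markup(page):
    """Crude check used below: did a tag from the input survive into the page?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    probe = "<script>x</script>"   # constructed test value, not a live payload
    print(echoes_markup(welcome_unsafe(probe)))  # True: the tag reaches the browser
    print(echoes_markup(welcome_safe(probe)))    # False: rejected, and encoded anyway
    print(validate("ssn", "123-45-6789"), validate("ssn", "123-45-6789\n"))  # True False
```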
21. Introducing Risk Early: The Vicious Cycle
(Diagram: Staging (Design, Develop, Test) -> Deployment -> Operations/Production)
- Development
  - Responsibilities
    - Develop high quality secure apps
  - Tools
    - IDEs
    - Performance/functionality QA tools
    - Manual test scripts and code review
    - Freeware
  - Challenges
    - Don't have the tools, time or training for security testing
  - Result
    - Dangerous security defects passed downstream to operations
    - Code comes back to development to work on again
- Operations
  - Responsibilities
    - Audit apps before/after deployment
    - Patch/fix
    - Communicate to development
  - Tools
    - Network scanners
    - Vulnerability assessment tools
  - Challenges
    - Ran out of time!
    - Being measured on deployment, not on sending back to development
  - Results
    - Kept waiting for quality software to deploy
    - Anxious about the overall quality of deployed software and the next attack
- Development is fertile ground for security bugs; Ops, Admins and Auditors are expensive exterminators
22. Automated Security Testing for the Application Lifecycle
- Develop (Developer)
  - Construct application
  - Unit test application components
- Test (Tester/QA Engineer)
  - Create test plan
  - Create, run and manage test scripts
  - Defect assignment and tracking
  - Delta, trend and results analysis
  - Approve release to production
- Audit (Ops Security Auditor)
  - Create operations plan
  - Deploy and maintain business compliance
  - Scheduled (or not!) application audits
23. Financial Impact
Cost to fix dramatically increases the longer you wait to test
24. Cost of Backlog: Statistics from 10 F100 Companies
2.5 month average delay; $25M in lost savings/revenue
25. The Bottom Line
- Costs of defects introduced early in the lifecycle quickly add up
- Untested applications in production
- Longer development cycles
- More development cycles
- Considerable business risks
26. Understand, Communicate, Measure
- Understand your exposure
  - Use tools that scan for exposure points at the web server and application layers as part of the application development process
  - The data collected must be relevant to the audience receiving it
  - The importance of terminology and the types of data provided
- Communicate your exposures (security defects)
  - Various stakeholders in the development lifecycle need different types of data
  - Use the tracking tools already in place
  - Map security defects to business needs
- Measure your assessment process / security defect remediation
  - Analyze exposure from individual assessments and compare results across the cycle
27. Understand
28. Communicate: Developers/QA, the right data for the right audience
29. Communicate: Product Management, the right data for the right audience
30. Communicate: Auditors, the right data for the right audience
31. Measure: Trend Analysis
32. From Vicious to Virtuous Development Cycle
Give developers, QA and administrators the tools and training they need to succeed!
33. The Result: Address Compliance
- Ensure the security and confidentiality of customer records and information
- Protect against any unanticipated threat or hazard to the security or integrity of these records
- Protect against unauthorized access that could result in substantial harm or inconvenience to customers
- Network devices do not detect these vulnerabilities
34. The Result: Address Compliance
- Prevent unauthorized access to California customers' or employees' personal information
- Penalty of breach: each customer/employee must be individually notified in writing of the breach in confidentiality in less than two weeks
  - Otherwise, a public announcement to the press must occur
35. Automated Web Application Testing and Risk Assessment
- S.A.F.E.: Speed, Accuracy, Flexibility and Efficiency
- Site Smart for QA and Audit
  - Seamlessly integrates into any QA or Audit environment
  - Tests both new and existing Internet infrastructures
  - Ensures compliance with security best practices and external regulations
- Application Lifecycle Security accelerates ROI
  - Increased revenue
  - Increased customer satisfaction
  - Decreased customer acquisition and retention costs
- Application Lifecycle Security to increase the speed and ease of application deployment in a secure environment
36. Application Security Across the Lifecycle
- Incorporate security into the process early on and at each stage
- Document and report to demonstrate compliance
- Improve overall result
- Reduce costs
37. Q&A
- Steve Orrin, CTO
- Sanctum, Inc.
- sorrin_at_sanctuminc.com
- www.sanctuminc.com
38. For More Information
- Sanctum, Inc
- Sanctuminquiry_at_sanctuminc.com
- Toll free (877) 888-3970