Newell Budge Security by tae66661


Newell & Budge Security
Web Application Security


1.   Information Security Demystified!
2.   Overview of Changing Security Threats
3.   Introduction to Web Application Security
4.   Example Attack
5.   Why Does the Problem Exist?
6.   Risk Management Strategies
Information Security?

 Availability – Maximise functionality and uptime
 Integrity – Ensure accuracy of data and data processing
 Confidentiality – Ensure information privacy
Changing Threat

 From this…

 Gateway Email Scanning service provider, MessageLabs, detects 18
  million phishing emails during 2004.

 [Chart: Phishing Emails Intercepted by MessageLabs in 2004, by month, Jan to Nov]
Impact on UK Businesses

    Type                          Attacked (%)   Cost
    Virus Attacks                 77%            £27.8m
    Denial of Service             20%            £1.3m
    Financial Fraud               17%            £121m
    System Penetration            11%            £6.6m
    Criminal use of the net       17%            £23m
    Corporate site spoofing       15%            £4.8m

    Source: NHTCU Hi-Tech Crime Survey 2004
Problems with Insecure Code

 Attackers can directly access the application and make it do bad things
   – Undetected
   – Very damaging

 Code is full of vulnerabilities
   – Every 1000 lines of code averages 15 security defects (US Dept of Defense)

 Applications are the new target
   – Flood of tools, papers, and even books
   – 75% of attacks now target the application layer
A Few More Facts and Figures:

 [Chart: How Many Vulnerabilities Are Application Security Related?]
Application Attack Techniques

    Application Threat             Protection from IPS / Network Firewalls
    Platform buffer overflow       Little
    Cross Site Scripting           Little
    Injection Attacks              Little
    Hidden field manipulation      None
    Stealth Commanding             None
    Parameter Tampering            None
    App Buffer overflow            None
    Google Hacks                   None
    Forceful Browsing              None
    Identity Theft                 None
    Application DoS                None
    Data Theft                     None
Hidden Field Manipulation Example
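The example slides above were screenshots and did not survive extraction. The following Python is an added illustration, not code from the Newell & Budge deck: a shop page that renders the item price into a hidden form field, the checkout handler that trusts that field (the defect the slides demonstrate), and a hardened handler that treats the server-side catalogue as the only source of truth. The SKUs, prices and request bodies are constructed for the example; `CATALOGUE`, `checkout_vulnerable` and `checkout_hardened` are hypothetical names.

```python
# Added example (not from the slides): why a hidden <input> must never be trusted.
# The browser sends the hidden field back verbatim, so anyone can edit it first.
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed server-side catalogue (hypothetical SKUs and prices).
CATALOGUE = {
    "SKU-100": Decimal("499.00"),
    "SKU-200": Decimal("29.99"),
}

# Constructed request bodies as a browser would POST them
# (application/x-www-form-urlencoded). The second has had its hidden
# price field edited before submission.
HONEST_BODY = "item=SKU-100&qty=1&price=499.00"
TAMPERED_BODY = "item=SKU-100&qty=1&price=1.00"


def parse_form(body: str) -> dict:
    """Flatten a URL-encoded form body into single string values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def checkout_vulnerable(body: str) -> Decimal:
    """Vulnerable: the order total comes from the client-supplied hidden price."""
    form = parse_form(body)
    return Decimal(form["price"]) * int(form["qty"])


def checkout_hardened(body: str) -> Decimal:
    """Hardened: price is looked up server-side; the hidden field is only cross-checked."""
    form = parse_form(body)
    item = form.get("item", "")
    if item not in CATALOGUE:
        raise ValueError("unknown item")
    qty = int(form.get("qty", "0"))
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    server_price = CATALOGUE[item]
    # If the client echoes a price it must match the catalogue. A mismatch is
    # a tampering signal worth logging, never a discount to honour.
    client_price = form.get("price")
    if client_price is not None:
        try:
            echoed = Decimal(client_price)
        except InvalidOperation:
            raise ValueError("malformed price") from None
        if echoed != server_price:
            raise ValueError(f"price mismatch for {item}: client sent {client_price}")
    return server_price * qty


if __name__ == "__main__":
    print("vulnerable, tampered body:", checkout_vulnerable(TAMPERED_BODY))  # 1.00
    print("hardened, honest body:   ", checkout_hardened(HONEST_BODY))       # 499.00
    try:
        checkout_hardened(TAMPERED_BODY)
    except ValueError as exc:
        print("hardened, tampered body: rejected:", exc)
```

The same pattern applies to any value the server already knows (user id, role, discount code validity): render it to the client if you must, but recompute or re-fetch it on the way back in, and treat a disagreement as an event for the audit trail.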
Why Web Application Risks Occur

 The Web Application Security Gap

 Security Professionals: don’t know the applications
 Application Developers and Testing: don’t know security
How Do I Cope??
It’s Easy!

 Embed security principles throughout the Software Development Lifecycle

 Commission Application Penetration Testing

 Carry out Architecture & Functional Specification Review

 Conduct Source Code Security Reviews

 Oh.. and complete remedial work where appropriate!!
Embed Security in the SDLC?

Every 1000 lines of code averages 15 security defects
(US Dept of Defense)

It takes 75 minutes on average to track down one defect. Fixing each defect takes 2 to 9 hours.
(5-year Pentagon Study)

The average business application has 150,000-250,000 lines of code.
(Software Magazine)

200,000 lines / 1000 lines × 15 defects per 1000 lines × 5 hrs per defect = 15,000 hrs/app

 Create or identify existing artefacts within the development methodology that can be used to attain security goals
   – logical architecture diagrams
   – class diagrams, sequence diagrams
   – authentication, authorisation, exception handling
   – use cases

 It is important to find a balance between functionality, cost, performance, usability, etc. and, of course, security

 The key to finding this balance is collaboration between the stakeholders, the development team and the security team.
Application Penetration Testing
    Overview
      – Analysis of how the application interacts with users
      – How developers may have exposed data and systems through insecure coding practices
      – Test application’s susceptibility to common application level attacks
      – Now recommended by CESG for all new government web applications
    What is tested?
      – Client identification and authentication
      – Application level user permissions
      – Parameter tampering
      – Illicit navigation
      – HTTP headers including HTTP header expiration
      – Session ID usage
      – Client-side data usage
      – Cookie usage
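Three of the items in the "What is tested?" list (HTTP headers and expiration, session ID usage, cookie usage) can be checked mechanically from a captured response. The Python below is an added example, not a tool from the deck or from Newell & Budge: it parses a constructed HTTP response from a hypothetical login page and reports the findings a tester would write up. It also checks the SameSite attribute, which post-dates the deck but belongs on any current cookie checklist. `audit_response`, `SESSION_COOKIE_NAMES` and the captured responses are all assumptions made for the example.

```python
# Added example (not from the slides): audit cookie and cache headers in a response.
# Constructed response from a hypothetical login page, not a real site.
CAPTURED_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2005 10:00:00 GMT
Set-Cookie: JSESSIONID=8f3a2b17c9; Path=/
Set-Cookie: remember_me=1; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT; HttpOnly
Cache-Control: public, max-age=3600
Content-Type: text/html

<html>...</html>"""

# The same page after remediation (also constructed).
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=8f3a2b17c9; Path=/; Secure; HttpOnly; SameSite=Strict
Cache-Control: no-store
Content-Type: text/html

<html>...</html>"""

# Cookie names commonly used to carry a session identifier (lower-case).
SESSION_COOKIE_NAMES = ("jsessionid", "phpsessid", "asp.net_sessionid", "sessionid", "session")


def parse_response(raw: str):
    """Split a raw HTTP response into its status line and a list of (name, value) headers."""
    head, _, _body = raw.partition("\n\n")
    lines = head.splitlines()
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def parse_set_cookie(value: str):
    """Return (cookie name, {attribute: value}) with attribute names lower-cased."""
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_response(raw: str, served_over_https: bool = True):
    """Return a list of finding strings for the cookie and caching weaknesses in `raw`."""
    findings = []
    _status, headers = parse_response(raw)
    set_cookies = [v for n, v in headers if n == "set-cookie"]
    cache_control = ";".join(v for n, v in headers if n == "cache-control").lower()

    # Header expiration: a response that sets cookies is per-user and must not
    # be stored by shared caches or left in the browser cache after logout.
    if set_cookies and "no-store" not in cache_control:
        findings.append("Cache-Control lacks no-store on a response that sets cookies")

    for raw_cookie in set_cookies:
        name, attrs = parse_set_cookie(raw_cookie)
        if "httponly" not in attrs:
            findings.append(f"cookie {name} missing HttpOnly")
        if served_over_https and "secure" not in attrs:
            findings.append(f"cookie {name} missing Secure")
        if "samesite" not in attrs:
            findings.append(f"cookie {name} missing SameSite")
        # Session IDs should die with the browser session, not persist on disk.
        if name.lower() in SESSION_COOKIE_NAMES and ("expires" in attrs or "max-age" in attrs):
            findings.append(f"session cookie {name} is persistent")
    return findings


if __name__ == "__main__":
    for label, raw in (("captured", CAPTURED_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {len(audit_response(raw))} finding(s)")
        for finding in audit_response(raw):
            print("  -", finding)
```

Run against the captured response this reports six findings (cacheable response, and three missing attributes on the session cookie plus two on the persistent one); the hardened response reports none. The `served_over_https` flag exists because the Secure attribute is only meaningful when the application is actually served over TLS.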
Architecture & Functional Specification Review

 Overview
    – Analysis of application design
    – Threat modelling
    – Considers business context and role of application
    – Considers application dependencies on supporting infrastructure
 What is tested?
    – Application architecture design security analysis
    – Application security controls
    – Data integrity (data at rest and in transit)
    – Custom components
    – Application servers
    – Application level database security
    – Database secure design and build
    – Audit trails (system logs, user event logs)
    – Application management – account management, source code control, change control.
Code Review
 Overview
    – Assess the coding standards from a security perspective
    – Develop a model of the code
    – Understand linkages between functions, objects and modules
    – Establish entry points and begin iterative process of tracing the code to
      answer security related questions regarding implementation
    – Provides greater insight than application penetration testing or architectural
 What is tested?

    •   Authentication
    •   Authorisation
    •   Input/output validation and sanitisation
    •   Sensitive data
    •   Session management
    •   Communication
    •   Exception management
Remedial Options

 Code re-work
   –   Can be most comprehensive option – if done right!
   –   Skills transfer to development team
   –   Costly, time consuming & difficult

 Architecture Redesign
   –   May be some quick wins
   –   Can be impractical in some cases

 Third-Party Solution
   –   Sometimes best option for legacy systems
   –   Reduced operational impact
   –   Often least cost / quickest time to deployment
   –   Application Gateway Appliances now maturing & provide additional functionality
Your Local Partner…

 One thought to take away...

    With security it isn’t a case of being killed by an alligator….
    more often, it’s about being pecked to death by a thousand chickens!

Tom McCann
Risk & Assurance Services
Newell & Budge Security