Web Application Security

Presented by Allen Brokken
Principal Systems Security Analyst
GSEC, CSDA, CPTS
Overview

• Disclaimer
• Why Should I Care?
• Open Web Application Security Project
• OWASP Top Vulnerabilities
• Practice Sites
• MU SafeWeb Initiative
Disclaimer

• The information contained in this presentation is intended to be used to educate developers about security vulnerabilities commonly found in Web Applications.
• This presentation is not intended as training material for those with malicious intent against information systems.
• Exploitation of the vulnerabilities listed in this presentation on systems or applications not owned or developed by the viewer is illegal in jurisdictions worldwide.
• It is a violation of the University of Missouri Acceptable Use policy to transmit these exploits across the MU network without explicit permission of the system or application owner they are directed at.
• The presenter is a trained professional, don’t try this at home…
Why Should I Care?

“[all users] were able to view individual customers' orders for… items of intimate apparel in which the retailer specializes.”

“One clever MySpace user … figured out how to force others to become his friend … In less than 24 hours, "Samy" had amassed over 1 million friends …”

“… informed its members that their credit card information might have been compromised after a Chicago-based hacker cracked the site's code…”
Why Should I Care? cont.

• Common Misconceptions
  – Aren’t I protected by firewalls or something?
  – I thought you just needed to keep things patched?
  – I’m not using Microsoft, so I must be secure.
  – Isn’t keeping me secure your job?
The Open Web Application Security Project

The Open Web Application Security Project (OWASP) is dedicated to finding and fighting the causes of insecure software.

They have chapters worldwide and manage multiple projects designed to help individuals and organizations increase the level of security of their applications.

http://www.owasp.org
OWASP TOP 10

#1 Unvalidated Input

Information from web requests is not validated before being used by a web application. Attackers can use these flaws to attack backend components through a web application.
#2 Broken Access Control

Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users' accounts, view sensitive files, or use unauthorized functions.
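The "view other customers' orders" case from the opening quote, as an added example that is not part of the presentation: an order lookup that only asks "is someone logged in?" next to one that asks "may this user see this order?". The order data, user names and the support-staff role are constructed for the example.

```python
# Added example (not from the presentation). Data and roles are constructed.
ORDERS = {  # order id -> record (constructed sample data)
    1001: {"owner": "alice", "items": ["item A"]},
    1002: {"owner": "bob", "items": ["item B"]},
}
SUPPORT_STAFF = {"support1"}  # assumed role that may view every order


def get_order_broken(order_id, current_user):
    # Authentication only: any logged-in customer who changes the order id
    # in the request gets another customer's order back.
    if current_user is None:
        return None
    return ORDERS.get(order_id)


def can_view(order, current_user):
    """Authorization decision for one order: its owner or support staff."""
    return current_user == order["owner"] or current_user in SUPPORT_STAFF


def get_order_fixed(order_id, current_user):
    if current_user is None:
        return None
    order = ORDERS.get(order_id)
    # Unknown ids and other customers' orders get the same answer, so the
    # response does not reveal which order numbers exist.
    if order is None or not can_view(order, current_user):
        return None
    return order


if __name__ == "__main__":
    print(get_order_broken(1002, "alice"))  # bob's order leaks to alice
    print(get_order_fixed(1002, "alice"))   # None
    print(get_order_fixed(1002, "bob"))     # bob's own order
```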
#3 Broken Authentication and Session Management

Account credentials and session tokens are not properly protected. Attackers that can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users' identities.
Brute Force Password Statistics

Time to exhaust the keyspace, by password length and character set:

Length of     Lowercase    Lowercase letters   Both lowercase and    All printable
the password  letters      and digits          uppercase letters     ASCII characters
<=4           instant      instant             instant               2 min
5             instant      2 min               12 min                4 hours
6             10 min       72 min              10 hours              18 days
7             4 hours      43 hours            23 days               4 years
8             4 days       65 days             3 years               463 years
9             4 months     6 years             178 years             44530 years
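The arithmetic behind the table above, as an added example that is not part of the presentation: the keyspace is charset size raised to the password length, divided by the attacker's guess rate. The slide does not state a rate; the 500,000 guesses per second used here is my assumption, chosen because it closely reproduces the slide's figures.

```python
# Added example (not from the presentation). The guess rate is assumed.
CHARSETS = {            # column heading -> characters per position
    "lowercase": 26,
    "lowercase+digits": 36,
    "lower+upper": 52,
    "printable ascii": 95,
}
GUESSES_PER_SECOND = 500_000  # assumed attacker rate, not from the slide


def keyspace(charset_size, length):
    """Number of candidate passwords of exactly this length."""
    return charset_size ** length


def crack_seconds(charset_size, length, rate=GUESSES_PER_SECOND):
    """Worst-case seconds to try every candidate at the given rate."""
    return keyspace(charset_size, length) / rate


def humanize(seconds):
    """Round to the largest unit that fits, roughly as the slide does."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:.0f} {name}"
    return "instant"


def brute_force_table(lengths=range(4, 10), rate=GUESSES_PER_SECOND):
    """Rebuild the slide's rows: [length, lowercase, ..., printable]."""
    return [[n] + [humanize(crack_seconds(size, n, rate))
                   for size in CHARSETS.values()] for n in lengths]


if __name__ == "__main__":
    for row in brute_force_table():
        print(*row, sep="\t")
```

Each extra character multiplies the work by the charset size, which is why the rows grow far faster than the columns; substituting a higher rate shows how quickly a table like this dates.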
#4 Cross Site Scripting (XSS) Flaws

The web application can be used as a mechanism to transport an attack to an end user's browser. A successful attack can disclose the end user's session token, attack the local machine, or spoof content to fool the user.
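For items #3 and #4 together, an added example that is not part of the presentation: untrusted text rendered raw into a page versus HTML-encoded for the context it lands in, plus a session token generated from the OS random source and issued in a cookie whose flags keep it away from page script. The cookie attribute choices are mine.

```python
# Added example (not from the presentation). Cookie attributes are my choice.
import html
import secrets


def render_comment_broken(comment):
    # Stored or reflected text dropped straight into the page: any markup in
    # it becomes part of the page and runs in every reader's browser.
    return '<p class="comment">' + comment + '</p>'


def render_comment_fixed(comment):
    # Encode for the HTML-body context, so the browser displays the
    # characters instead of interpreting them as markup.
    return '<p class="comment">' + html.escape(comment, quote=True) + '</p>'


def new_session_token():
    # 32 random bytes from the OS CSPRNG: neither guessable nor sequential.
    return secrets.token_urlsafe(32)


def session_set_cookie(token):
    # HttpOnly keeps the token out of document.cookie even if script does
    # run; Secure keeps it off plaintext HTTP; SameSite limits cross-site use.
    return f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Lax; Path=/"


if __name__ == "__main__":
    sample = "<script>alert(1)</script>"  # constructed test input
    print(render_comment_broken(sample))
    print(render_comment_fixed(sample))
    print(session_set_cookie(new_session_token()))
```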
#5 Buffer Overflows

Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and web application server components.
#5 Buffer Overflows cont.

[Diagram: a memory manager table lists "Your Code" allocated at #1148-#1248 (100 bytes of data) next to Explorer.exe at #1548-#5548, with free memory between. The attacker sends 200 bytes to your code: the first 100 bytes fill the allocated buffer and the remaining 100 bytes of attack data spill past it into memory your code was never allocated, shown as attack code occupying #1148-#1248 and #1548-#1568.]
#6 Injection Flaws

Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the web application.
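For items #1 and #6 together, an added example that is not part of the presentation: the same order lookup written with request input spliced into the SQL text (the flaw) and with the input passed as a bound parameter (the fix), run against a constructed in-memory SQLite table so the difference in results can be seen directly.

```python
# Added example (not from the presentation). Table and rows are constructed.
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table of customer orders."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE orders (id INTEGER, customer TEXT, item TEXT)")
    con.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
        (1, "alice", "item A"),
        (2, "bob", "item B"),
        (3, "carol", "item C"),
    ])
    return con


def orders_vulnerable(con, customer):
    # Unvalidated request input becomes part of the SQL statement itself,
    # so a value containing a quote can change what the query means.
    sql = "SELECT id, item FROM orders WHERE customer = '" + customer + "'"
    return con.execute(sql).fetchall()


def orders_fixed(con, customer):
    # Bound parameter: the driver hands the value to the database as data,
    # so it can never alter the structure of the statement.
    sql = "SELECT id, item FROM orders WHERE customer = ?"
    return con.execute(sql, (customer,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"   # constructed value that closes the quote
    print(orders_vulnerable(db, "alice"))   # alice's orders only
    print(orders_vulnerable(db, crafted))   # every customer's orders
    print(orders_fixed(db, crafted))        # no customer has that name: []
```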
#7 Improper Error Handling

Error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur that the web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server.
#8 Insecure Storage

Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection.
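The credential-storage case, as an added example that is not part of the presentation: a password stored as an unsalted fast hash next to one stored with a per-user random salt and an iterated key-derivation function, with a constant-time check on verification. The iteration count is my assumption, not a value from the slides.

```python
# Added example (not from the presentation). Work factor is assumed.
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for PBKDF2-HMAC-SHA256


def store_weak(password):
    # Unsalted MD5: two users with the same password get the same record,
    # and a guess can be checked at full hash speed (see the brute-force
    # table above; a fast hash keeps the attacker at that rate).
    return hashlib.md5(password.encode()).hexdigest()


def store_fixed(password, salt=None):
    # Per-user random salt plus a deliberately slow KDF. The record carries
    # the algorithm, iterations and salt, so parameters can be raised later.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_fixed(password, record):
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    rec = store_fixed("correct horse")  # constructed sample password
    print(rec)
    print(verify_fixed("correct horse", rec), verify_fixed("wrong", rec))
```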
#9 Denial of Service

Attackers can consume web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail.
#10 Insecure Configuration Management

Having a strong server configuration standard is critical to a secure web application. These servers have many configuration options that affect security and are not secure out of the box.
Practice Sites

• Starfleet Academy
  – http://academy.dyndns.org
• HACK This Site
  – http://www.hulla-balloo.com/hack/level1/
• Next Generation Security Games
  – http://quiz.ngsec.com/
• WebGoat
  – http://www.owasp.org/software/webgoat.html
  – Requires a Java Virtual Machine be available on the local machine, and runs from the local machine.
• HACME Bank / HACME Books
  – http://www.foundstone.com
  – Note you will have to install these on a system you can run an appropriate web server on.
MU SafeWeb Initiative

• Objectives
  – Applications development standards with an emphasis on security.
  – Data classification policies.
  – Secure server environments that support the defined data classifications.
  – Auditing policies and processes to ensure adherence to the standards.
  – Minimum training requirements for applications development, database administration and server administration.
• Activities to date
  – Faculty Collaboration Meeting
  – Multiple one-off or guest lectures
  – Multi-Media efforts
  – Secure Coding Requirement Pilot
• Report Details
  – Severity
  – File Name(s)
  – Summary
  – Execution
  – Implication
  – Fix
  – References
Management Console Look at Student Learning
Q&A

• SafeWeb Initiative
  – http://safeweb.missouri.edu
• Application Security Software
  – http://www.spidynamics.com
• Presenter Contact
  – brokkena@missouri.edu
References

• Victoria's Secret reveals far too much
  – http://cooltech.iafrica.com/technews/280300.htm
• Cross-Site Scripting Worm Hits MySpace
  – http://www.betanews.com/article/CrossSite_Scripting_Worm_Hits_MySpace/1129232391
• Online political warriors savage opposition Web sites
  – http://www.statesman.com/metrostate/content/metro/stories/07/14hackers.html