Web Security ...2015 Greater Wisconsin Software Symposium March 13-14 (Two day event) Early bird...

Web Security http://localhost:8080/wink/wiki/2015/WebSecurity#1

1 of 105 2/23/15, 1:54 PM

Web SecurityBrian Sletten ( @bsletten)

02/23/2015

2 of 105 2/23/15, 1:54 PM

2015 Greater Wisconsin Software SymposiumMarch 13-14 (Two day event)

Early bird discount ends 2/23

JUG Discount: $50 off use the promo code: nfjsusergroup50

http://nofluffjuststuff.com

3 of 105 2/23/15, 1:54 PM

Speaker QualificationsSpecialize in next-generation technologiesAuthor of 'Resource-Oriented Architecture Patterns for Webs of Data'Speaks internationally about REST, Semantic Web, Data Science, Security,Visualization, ArchitectureWorked in Defense, Finance, Retail, Hospitality, Video Game, Health Care,Telecommunications and Publishing IndustriesInternational Pop Recording Artist

···

4 of 105 2/23/15, 1:54 PM

AgendaIntroductionSecurity EngineeringSoftware SecurityWeb SecurityBooks

·····

5 of 105 2/23/15, 1:54 PM

Introduction

6 of 105 2/23/15, 1:54 PM

7 of 105 2/23/15, 1:54 PM

The Ones You've Heard Of...TJ MaxxTargetMichaelsKMartHome DepotJP Morgan

······

8 of 105 2/23/15, 1:54 PM

And...http://hackmageddon.com/2012-cyber-attacks-timeline-master-index/

http://hackmageddon.com/2013-cyber-attacks-timeline-master-index/http://hackmageddon.com/2014-cyber-attacks-timeline-master-index/

·https://paulsparrows.files.wordpress.com/2012/01/january-2012-cyber-attacks-timeline-part-1.pnghttps://paulsparrows.files.wordpress.com/2012/01/middle-east-cyber-war-timeline1.pnghttps://paulsparrows.files.wordpress.com/2012/02/february-2012-cyber-attacks-timeline-part-i.png

9 of 105 2/23/15, 1:54 PM

10/105

10 of 105 2/23/15, 1:54 PM

Credit: http://xkcd.com/936

11/105

11 of 105 2/23/15, 1:54 PM

12/105

12 of 105 2/23/15, 1:54 PM

13/105

13 of 105 2/23/15, 1:54 PM

Through 20 years of effort, we've successfullytrained everyone to use passwords that arehard for humans to remember, but easy forcomputers to guess.

http://xkcd.com/936/

14 of 105 2/23/15, 1:54 PM

Choose a password you can't remember, anddon't write it down.

“”

Ross J. Anderson

15 of 105 2/23/15, 1:54 PM

16/105

16 of 105 2/23/15, 1:54 PM

17/105

17 of 105 2/23/15, 1:54 PM

18/105

18 of 105 2/23/15, 1:54 PM

A name......is a name...is a name...is a name...is an attack vector

····

19/105

19 of 105 2/23/15, 1:54 PM

Where Does This Go?http://example.com&gibberish=1234@167772161

http://10.0.0.1

20/105

20 of 105 2/23/15, 1:54 PM

Do the Math!http://example.com&gibberish=1234@167772161

String: 10.0.0.1Binary: 00001010 . 00000000 . 00000000 . 00000001Integer: 167772161

(10 * 16777216) + (0 * 65536) + (0 * 256) + (1 * 1) = 167772161

21/105

21 of 105 2/23/15, 1:54 PM

How About?http://example.com\@coredump.cx

In Firefox, http://coredump.cx

22/105

22 of 105 2/23/15, 1:54 PM

Or Maybe...http://example.com;.coredump.cx

In IE, http://coredump.cx

Safari, it's an error.

Others, http://example.com/;.coredump.cx

23/105

23 of 105 2/23/15, 1:54 PM

The web is an information space. When youexplore it, you don't end up buying stuff,agreeing to anything, or - in this case, losingyour domain name...

Tim Berners-Lee

24 of 105 2/23/15, 1:54 PM

From: <csupport@registerapi.com>Date: Fri Apr 11, 2003 19:31:28 US/EasternTo: timbl@w3.orgSubject: Confirm Domain Transfer

A Transfer Request was submitted for the following domains.Click on the following link to confirm the domain transfer request for these domains.

https://secure.registerapi.com/order/trx/confirm.php?id=cesO...

Your Transfer Request Code IS: ces[...]cbIhttps://secure.registerapi.com/order/trx/confirm.php

Domains:WWW.ORG

If you did not request the transfer of these domains then DO NOT click on the above links. By not clicking you are preventing a domain registrar transfer from taking place.

Thank you, The Automated Domain Transfer System

25/105

25 of 105 2/23/15, 1:54 PM

Cross Site Request Forgery (CSRF)http://bank.example.com/withdraw?acct=Bob&amt=1000000&for=Fred

26/105

26 of 105 2/23/15, 1:54 PM

Role-Based Access Control<security-constraint> <web-resource-collection> <url-pattern>/admin/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint></security-constraint>

27/105

27 of 105 2/23/15, 1:54 PM

Security Engineering

28 of 105 2/23/15, 1:54 PM

If you spend more on coffee than on ITsecurity, then you will be hacked. What'smore, you deserve to be hacked.

Richard Clarke, former U.S. Cybersecurity Czar

29 of 105 2/23/15, 1:54 PM

The main objective of secure system design is to make breaking the system

more costly than the value of the protected assets , where the 'cost' should be

measured in monetary value but also in more abstract terms such as effort or

reputation .

Christof Paar and Jan PelzlUnderstanding Cryptography: A Textbook for Students and Practitioners

30 of 105 2/23/15, 1:54 PM

Security Engineering...is about buildingsystems to remain dependable in the face ofmalice, error, or mischance.

Ross J. Anderson

31 of 105 2/23/15, 1:54 PM

Whoever thinks his problem can be solvedusing cryptography, doesn't understand hisproblem and doesn't understandcryptography.

Roger Needham/Butler Lampson

32 of 105 2/23/15, 1:54 PM

Vulnerability + Threat = Potential Security Breach

33/105

33 of 105 2/23/15, 1:54 PM

Indeed protocol vulnerabilities usually giverise to more, and simpler, attacks thancryptographic weaknesses do.

Ross J. Anderson

34 of 105 2/23/15, 1:54 PM

Systems Fail...People protect the wrong thingsProtect the right things the wrong way

35/105

35 of 105 2/23/15, 1:54 PM

There is all too often a cultural and physicalseparation between the softwaredevelopment staff and the informationsecurity staff in large enterprises.

van Wyk, Graff, Peters and BurleyEnterprise Software Security: A Confluence of Disciplines

36 of 105 2/23/15, 1:54 PM

Incentive MismatchPolicy makers don't have to live with the resultsPolicy makers don't suffer when things failHave political or CYA incentives

···

37/105

37 of 105 2/23/15, 1:54 PM

TSA14.7 billion (USD) on aggressive passenger screening100 million (USD) reinforcing cockpit doorsWe seem to be reverting w/ TSA Pre

···

38/105

38 of 105 2/23/15, 1:54 PM

Strictly speaking, strengthening anything butthe weakest link is useless.

“”

Bruce Schneier

39 of 105 2/23/15, 1:54 PM

40/105

40 of 105 2/23/15, 1:54 PM

41/105

41 of 105 2/23/15, 1:54 PM

Defense in DepthStrengthen potentially weakest linksStrengthen multiple potential weakest linksFailure of one may be blocked by success of another

···

42/105

42 of 105 2/23/15, 1:54 PM

Time Favors the AttackerWe design systems today that must survive in the futureThey need to find a single flaw, we must protect against all of them

43/105

43 of 105 2/23/15, 1:54 PM

Word StewSecrecyPrivacyConfidentialityIntegrityAuthenticity

·····

44/105

44 of 105 2/23/15, 1:54 PM

45/105

45 of 105 2/23/15, 1:54 PM

Only amateurs attack machines; professionalstarget people.

“”

Bruce Schneier

46 of 105 2/23/15, 1:54 PM

Software Security

47 of 105 2/23/15, 1:54 PM

Software security... is not security software.“ ”

Gary McGraw

48 of 105 2/23/15, 1:54 PM

Software security... the idea of engineeringsoftware so that it continues to functioncorrectly under malicious attack.

Gary McGraw

49 of 105 2/23/15, 1:54 PM

Problem is Getting WorseConnectivityExtensibilityComplexity

···

50/105

50 of 105 2/23/15, 1:54 PM

Bugs vs FlawsBugs : Implementation issueFlaws : Design problemRoughly 50/50Need to address both

····

51/105

51 of 105 2/23/15, 1:54 PM

Security is an emergent property of yoursystem.

“”

Gary McGraw

52 of 105 2/23/15, 1:54 PM

ApproachRisk ManagementTouchpointsKnowledge

···

53/105

53 of 105 2/23/15, 1:54 PM

54/105

Requirements and Use Cases

Architecture and Design Test Plans Code Tests and

Test Results

Feedbackfrom

Deployed Systems

54 of 105 2/23/15, 1:54 PM

55/105

Test Results

Feedbackfrom

Deployed Systems

ExternalReview

55 of 105 2/23/15, 1:54 PM

56/105

Test Results

Feedbackfrom

Deployed Systems

CodeReview Risk

Analysis

PenetrationTesting

SecurityOperations

Risk-basedSecurity

ExternalReview

RiskAnalysis

SecurityRequirements

AbuseCases

56 of 105 2/23/15, 1:54 PM

57/105

Test Results

Feedbackfrom

Deployed Systems

CodeReview Risk

Analysis

PenetrationTesting

SecurityOperations

Risk-basedSecurity

ExternalReview

RiskAnalysis

SecurityRequirements

AbuseCases

57 of 105 2/23/15, 1:54 PM

Credit: http://bsimm.com

58/105

58 of 105 2/23/15, 1:54 PM

[threat modeling] is the use of abstractions toaid in thinking about risks.

“”

Adam Shostack

59 of 105 2/23/15, 1:54 PM

Reasons to Threat ModelFind Security Bugs EarlyUnderstand Your Security RequirementsImproved QualityAddress Issues Other Techniques Won't

····

60/105

60 of 105 2/23/15, 1:54 PM

STRIDESpoofingTamperingRepudiationInformation DisclosureDenial of ServiceElevation of Privilege

······

61/105

61 of 105 2/23/15, 1:54 PM

Web Security

62 of 105 2/23/15, 1:54 PM

63/105

63 of 105 2/23/15, 1:54 PM

Web SecurityIdentityAuthenticationAuthorizationProtected ChannelsNon-Repudiation

·····

64/105

64 of 105 2/23/15, 1:54 PM

65/105

65 of 105 2/23/15, 1:54 PM

Same Origin PolicySchemeHostPort

···

66/105

66 of 105 2/23/15, 1:54 PM

JSONP<script type="application/javascript" src="http://server2.bosatsu.net/order/id/16234?jsonp=updateOrder"></script>

updateOrder({"Order" : "16234", "Status" : "Shipped"});

67/105

67 of 105 2/23/15, 1:54 PM

CORS// 1. Origin Header from browser to http://server2.bosatsu.netOrigin: http://server1.bosatsu.net

// 2. Response from http://server2.bosatsu.netAccess-Control-Allow-Origin: http://server1.bosatsu.net

68/105

68 of 105 2/23/15, 1:54 PM

JSONP vs CORSPrefer CORS, but JSONP works w/ older browsersJSONP is GET onlyCORS involves the browser

···

69/105

69 of 105 2/23/15, 1:54 PM

TLS/SSLEncryptionParty IdentificationCipherSuite selectionCertificate managementHMACProtection against downgrade

······

70/105

70 of 105 2/23/15, 1:54 PM

HTTP Basic AuthGET /dir/index.html HTTP/1.1Host: localhost

HTTP/1.1 401 UnauthorizedWWW-Authenticate: Basic realm="report"

71/105

71 of 105 2/23/15, 1:54 PM

HTTP Basic AuthGET /dir/index.html HTTP/1.1Host: localhostAuthorization : c2NvdHQ6dGlnZXI=

HTTP/1.1 200 OKDate: Sun, 10 Apr 2005 20:27:03 GMTContent-Type: text/htmlContent-Length: 7984

72/105

72 of 105 2/23/15, 1:54 PM

Base64 != EncryptionBase64Decode(c2NvdHQ6dGlnZXI=) ====> scott:tiger

73/105

73 of 105 2/23/15, 1:54 PM

HTTP Digest#qop = auth or not-specifiedHA1 = MD5(username:realm:password)HA2 = MD5(method:digestURI)response=MD5(HA1:nonce:nonceCount:clientNonce:qop:HA2) orresponse=MD5(HA1:nonce:HA2)

#qop = auth-intHA1 = MD5(username:realm:password)HA2 = MD5(method:digestURI:MD5(entityBody))response=MD5(HA1:nonce:nonceCount:clientNonce:qop:HA2)

74/105

74 of 105 2/23/15, 1:54 PM

HTTP DigestGET /dir/index.html HTTP/1.1Host: localhost

HTTP/1.1 401 UnauthorizedWWW-Authenticate: Digest realm="testrealm@host.com", qop="auth,auth-int", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"

75/105

75 of 105 2/23/15, 1:54 PM

HTTP DigestGET /dir/index.html HTTP/1.1Host: localhostAuthorization: Digest username="Mufasa", realm="testrealm@host.com", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", qop=auth, nc=00000001, cnonce="0a4f113b", response="6629fae49393a05397450978507c4ef1", opaque="5ccc069c403ebaf9f0171e9517f40e41"

HTTP/1.1 200 OKDate: Sun, 10 Apr 2005 20:27:03 GMTContent-Type: text/htmlContent-Length: 7984

76/105

76 of 105 2/23/15, 1:54 PM

OpenIDIdentity as a ServiceStagnant adoption, concerns about UX issuesTechnology in search of a problem

···

77/105

77 of 105 2/23/15, 1:54 PM

OAuth 1.0AResource management and two-legged approachComplicated by the signing of requestsNo requirement for TLSFairly widely supported

····

78/105

78 of 105 2/23/15, 1:54 PM

OAuth 2.0Simplified ApproachDifferent use casesDifferent profiles

···

79/105

79 of 105 2/23/15, 1:54 PM

Bearer TokensOAuth Web Resource Authorization Profiles (WRAP)Requires TLSCertificate chain validationSupport for MAC Access Authentication

····

80/105

80 of 105 2/23/15, 1:54 PM

81/105

81 of 105 2/23/15, 1:54 PM

RegistrationRequests tied to appAllows revocation w/o changing credentialsClient receives client_id and client_secretClient specifies redirect_uri

····

82/105

82 of 105 2/23/15, 1:54 PM

OAuth 2.0 Roles

Credit: http://tutorials.jenkov.com/images/oauth2

83/105

83 of 105 2/23/15, 1:54 PM

GET /dir/index.html HTTP/1.1Host: localhostAuthorization: Bearer fa3c.FAFDLKERE

GET /dir/index.html?access_token=fa3c.FAFDLKERE HTTP/1.1Host: localhost

84/105

84 of 105 2/23/15, 1:54 PM

Client ProfilesServer-side Web AppClient-side Browser AppNative Application

···

85/105

85 of 105 2/23/15, 1:54 PM

Server-Side Web App

86/105

86 of 105 2/23/15, 1:54 PM

Authorization Code Authorization FlowResource owner grants access and is returned to the redirect_uri w/authorization code as a parameterServer exchanges code for access token w/ client_id and client_secretAllows long-lived access via refresh tokensResource owner isn't given access to the tokens

···

87/105

87 of 105 2/23/15, 1:54 PM

Client-Side Web App

88/105

88 of 105 2/23/15, 1:54 PM

Implicit Grant Authorization FlowResource owner grants accessAccess token is returned via a fragment identifierClient parses the URLs and strips off the token to make requestsNo long-lived access via refresh tokensUser agent has access to the application and API requests

·····

89/105

89 of 105 2/23/15, 1:54 PM

Native App

90/105

90 of 105 2/23/15, 1:54 PM

Resource Owner Password Grant AuthorizationFlow

Resource owner grants access by exchanging credentials for access tokenPassword only need to establish access tokenToken is revokable and scoped to specific resourcesRequires trusted client

····

91/105

91 of 105 2/23/15, 1:54 PM

Client Credential Grant Authorization FlowClient credentials are pre-arranged and shared'Two-legged' Flow

92/105

92 of 105 2/23/15, 1:54 PM

93/105

93 of 105 2/23/15, 1:54 PM

94/105

94 of 105 2/23/15, 1:54 PM

The FutureOpenID Connect (http://openid.net/connect/)W3C Web Cryptography WG (http://www.w3.org/2012/webcrypto/)W3C Web Credentials CG (http://opencreds.org)Secure Messaging (https://web-payments.org/specs/source/secure-messaging/)

····

95/105

95 of 105 2/23/15, 1:54 PM

96 of 105 2/23/15, 1:54 PM

97/105

97 of 105 2/23/15, 1:54 PM

98/105

98 of 105 2/23/15, 1:54 PM

99/105

99 of 105 2/23/15, 1:54 PM

100/105

100 of 105 2/23/15, 1:54 PM

101/105

101 of 105 2/23/15, 1:54 PM

102/105

102 of 105 2/23/15, 1:54 PM

103/105

103 of 105 2/23/15, 1:54 PM

104/105

104 of 105 2/23/15, 1:54 PM

Questions?

brian@bosatsu.net

@bsletten

http://tinyurl.com/bjs-gplus

bsletten

105 of 105 2/23/15, 1:54 PM

Web Security ...2015 Greater Wisconsin Software Symposium March 13-14 (Two day event) Early bird...

Documents

Christmas Discount Promo codes

PROMO UPDATE · “Designer Sale,” continuing the same promo it’s been running for the past month both in-store and online. Offers include a 30%–40% discount on a wide variety

Be jug 090611_apacheservicemix

Jug Jug Maro (Kavya Comics) - Freelance Talents

Jug Zurich Slides

M series Retail System Scales V4 - Avery Berkel · Frequent shopper promotion 147 Weight/item free promotion 147 Discount promotion 150 Promo batches 151 Deleting promo batches 152

Renfert USA Fall Promo - Harris Discount · Renfert USA Fall Promo Valid September 1st through November 30th, 2017 | Se habla español ... Bi-directional communication between the

Promo for Promo

CULTURAL CAPITAL - Lord Cultural Resources · OPENING DESIGN CONTENT COORDINATION 30% Discount Promo Code: 4M14MME3 ... Exhibition” at MuseumNext conference in Newcastle Gateshead,

303 JUG - JUG Waterersjugwaterers.com/wp-content/uploads/2013/05/303-JUG-OPERATION-MAUAL.pdfthe JUG that will accommodate the incoming waterline. The proper size hole (the size of

Mastercard Guide to Beneﬁ ts · Discount Promo Code for use on a qualifying purchase on or . •The $5.00 Discount Reward expires 21 days after it is posted ... Lyft Program Description:

PROMO UPDATE - fbicgroup · “Designer Sale,” continuing the same promo it’s been running for the past month both in-store and online. Offers include a 30%–40% discount on

Water Jug & Missionaries

Terracotta JUG Milano

Java EE 7 (Lyon JUG & Alpes JUG - March 2014)

A Small Orange Promo Code: 31% Discount

Jug gridgain java_grid_computing_made_simple

Jug Fishing Tips

Watering Jug

Davide Cerbo - davidecerbo@gmail - JUG Roma Nicola Raglia - n.raglia@gmail - JUG Roma