Application Security: What Does it Take to Build and Test a “Trusted” App?

John Dickson, CISSP

Denim Group


Overview

• What is Application Security?
• Examples of Potential Vulnerabilities
• Potential Strategies to Build Secure Apps
• Questions and Answers

Denim Group Background

• Enterprise application development company with security expertise
  ◦ Custom software development
  ◦ Application-level integration
  ◦ Application security assessments and secure application development

What is Application Security

• Security associated with custom application code
• Focus is on web application security
  ◦ Versus non-Internet facing applications
• Complements existing infrastructure security assets such as firewalls, IDS, and secured operating systems

Nature of HTTP and the Web

• Connectionless protocol – no state
• Anonymity of attacks
• Assumption: web servers expect requests to come from a browser, therefore implicitly trust input

Why Application Security

• 70% of applications reviewed by security firm had significant security design flaws
  ◦ @Stake Security Briefing
• Interaction between server, 3rd party code, and custom business logic creates vulnerabilities
• Patching or rebuilding app expensive
• Perception exists that locking down OS and web server = web security

Why Application Security

• Web-facing, business critical applications
  ◦ HTTP & SSL open to the world
• Much investment focused on infrastructure
  ◦ Well understood threats, mature products
  ◦ Firewalls, authentication, intrusion detection
• Security many times an overlooked facet of web development projects

Examples of Potential Vulnerabilities

Parameter Tampering

• Price information is stored in hidden HTML field with assigned $ value
• Assumption: hidden field won’t be edited
• Attacker edits $ value of product in HTML
• Attacker submits altered web page with new “price”
• Still widespread in many web stores

Price Changes via Hidden HTML tags

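The hidden-field price tampering from this slide, as an added example that is not part of the original presentation: a handler that trusts the submitted price beside one that looks the price up by product id on the server and a check that flags submissions whose hidden price disagrees with the catalog. The catalog, SKUs, prices and form submissions are constructed for the demo.

```python
from decimal import Decimal

# Server-side source of truth for prices (constructed). The hidden field in the
# page is only a convenience copy that the client can rewrite before submitting.
CATALOG = {"sku-1001": Decimal("1999.99"), "sku-2002": Decimal("49.00")}


def total_vulnerable(form: dict) -> Decimal:
    """Trusts the 'price' hidden field exactly as the slide describes."""
    return Decimal(form["price"]) * int(form["qty"])


def total_hardened(form: dict) -> Decimal:
    """Ignores any client-supplied price and looks it up by product id."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown product")
    qty = int(form.get("qty", "0"))
    if not 1 <= qty <= 100:          # boundary check on the quantity as well
        raise ValueError("quantity out of range")
    return CATALOG[sku] * qty


def detect_price_mismatch(form: dict) -> bool:
    """Defender's check: True when the hidden price disagrees with the catalog,
    which is worth logging even after the server stops using that field."""
    sku = form.get("sku")
    return sku in CATALOG and Decimal(form.get("price", "0")) != CATALOG[sku]


# Constructed submissions: what the browser normally sends, and the same form
# after the hidden field has been edited in a saved copy of the page.
HONEST_FORM = {"sku": "sku-1001", "price": "1999.99", "qty": "1"}
TAMPERED_FORM = {"sku": "sku-1001", "price": "1.00", "qty": "1"}

if __name__ == "__main__":
    print("vulnerable handler charges", total_vulnerable(TAMPERED_FORM))  # 1.00
    print("hardened handler charges", total_hardened(TAMPERED_FORM))     # 1999.99
    print("mismatch flagged:", detect_price_mismatch(TAMPERED_FORM))     # True
```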

Cookie Poisoning

• Attacker impersonates another user
• Identifies cookie values that ID the customer to the site
• Attacker notices patterns in cookie values
• Edits pattern to mimic another user

Cookie Poisoning


Unvalidated Input Attack

• Exploitation of implied trust relations
• Instead of: [email protected]
• Attacker inputs: //////////////////////////////////////////////////
• Exploits lack of boundary checkers on back-end application

Unvalidated Input Attack

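The boundary checker this slide says the back end lacked, as an added example that is not part of the original presentation: a whitelist validator that bounds each field's length before matching it against the only shapes allowed, applied to a normal e-mail address and to the run of slashes from the slide. The field rules and sample inputs are constructed for the demo.

```python
import re
from typing import Tuple

# Each field: maximum length and a pattern describing the only shapes allowed
# (constructed rules; a real application would derive them from its data model).
FIELD_RULES = {
    "email": (254, re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")),
    "zip":   (10,  re.compile(r"^\d{5}(-\d{4})?$")),
}


def validate_field(name: str, value) -> Tuple[bool, str]:
    """Return (accepted, reason). Length is checked before the pattern so an
    oversized value is rejected without reaching the regex or the back end."""
    if name not in FIELD_RULES:
        return False, "unknown field"
    max_len, pattern = FIELD_RULES[name]
    if not isinstance(value, str):
        return False, "not a string"
    if len(value) > max_len:
        return False, f"{name}: exceeds {max_len} characters"
    if not pattern.fullmatch(value):
        return False, f"{name}: contains characters outside the allowed set"
    return True, "ok"


def validate_form(form: dict) -> dict:
    """Validate every submitted field; unknown fields are rejected, not ignored."""
    return {k: validate_field(k, v) for k, v in form.items()}


# Constructed inputs: the normal value and the run of slashes from the slide.
GOOD = {"email": "user@example.com", "zip": "78205"}
BAD = {"email": "/" * 50, "zip": "78205"}

if __name__ == "__main__":
    print(validate_form(GOOD))
    print(validate_form(BAD))
```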

Open Web Application Security Project

Top Ten Most Critical Web Application Security Vulnerabilities

1. Unvalidated Input
2. Broken Access Control
3. Broken Authentication and Access Control
4. Cross-Site Scripting Flaws
5. Buffer Overflows
6. Injection Flaws
7. Improper Error Handling
8. Insecure Storage
9. Denial of Service
10. Insecure Configuration Management

Source: www.owasp.org

Client-side authentication

• Web apps many times use client-side code to present and manage data
• Storage of usernames or ID numbers in cookie makes them ripe for forgery
• Sites rely on cookie expiration to terminate sessions
  ◦ You can modify cookies to extend time
• Bottom line: Never trust anything from an HTTP request
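One way to keep the cookie from being edited, serving both the Cookie Poisoning slide and the client-side authentication slide above, as an added example that is not part of the original presentation: the user id and expiry still travel in the cookie, but an HMAC under a server-side secret covers both, so rewriting the id to mimic another user or pushing the expiry out fails verification, and expiry is judged by the server clock. The secret, user ids and clock values are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo secret; a real deployment generates and rotates this server-side.
SECRET = b"constructed-demo-secret-rotate-in-production"


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user_id: int, now: float, ttl_seconds: int = 900) -> str:
    """Cookie value '<user_id>|<expires>|<hmac>'. Both fields are visible to the
    client, but the MAC covers both, so changing either one breaks it."""
    payload = f"{user_id}|{int(now) + ttl_seconds}"
    return f"{payload}|{_sign(payload)}"


def verify_cookie(cookie: str, now: float):
    """Return the user id if the MAC is valid and the cookie is unexpired, else None."""
    try:
        uid, expires, mac = cookie.split("|")
    except ValueError:
        return None
    payload = f"{uid}|{expires}"
    # Constant-time compare so the MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(mac, _sign(payload)):
        return None
    if now >= int(expires):          # the server clock decides expiry, not the client
        return None
    return int(uid)


def rewrite_user_id(cookie: str, new_uid: int) -> str:
    """The edit the slide describes: change the id field, leave the MAC as is."""
    _, expires, mac = cookie.split("|")
    return f"{new_uid}|{expires}|{mac}"


if __name__ == "__main__":
    t0 = 1_700_000_000
    c = issue_cookie(42, t0)
    print(verify_cookie(c, t0 + 10))                       # 42
    print(verify_cookie(rewrite_user_id(c, 7), t0 + 10))   # None
    print(verify_cookie(c, t0 + 10_000))                   # None (expired)
```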

Potential Strategies to Build Secure Apps

• Key Issue: Build vs. Measure Cultures
  ◦ Application Development groups are building technical capabilities based upon evolving business requirements
  ◦ Corporate IS Security dept. in charge of ongoing security operations

Additional Challenges

• Most organizations do not have sufficiently skilled resources to cope with application security assessments

• Development teams typically under deadlines
  ◦ “I love deadlines. I especially love the whooshing sound they make as they fly by.” -- Douglas Adams, Author, Hitchhiker's Guide to the Galaxy.

Emerging Best Practices

• Security must become a key aspect of the development process
  ◦ Security requirements reflected in design plan
• Ensure security is part of the iterative development process
  ◦ Changes to web sites are ongoing and are not static
  ◦ QA Group should not be last line of defense

Code Evaluation Paths

• Code review – auditing source code
  ◦ Expensive, time consuming, and takes expertise
• Application assessments – reviews functionality and interactions of compiled applications in real-life environments
  ◦ Potentially superficial and only capture a % of actual vulnerabilities in custom code

Application Security Reviews

• Internal or 3rd party process to assess internally developed applications
• Assessment reviews major web app vulnerabilities
• Use best-of-breed tools and custom scripts
• Integrated with client development schedule
  ◦ Reviews designed to coincide with key development milestones of client project

Application Security Reviews

• Commercial security scanners are becoming more widespread
• Automated tools are great first-round way to assess potential vulnerabilities
• However, in-depth assessments use custom scripts and code reviews (sometimes)
  ◦ Analogy of network scanners
• Consider augmenting security team with internal or external .Net and Java security experts

Assessment Benefits

• 3rd-party assessment of applications by noted experts; increase confidence & reliability in application
• Compliance with government regulations
  ◦ Sarbanes Oxley, GLB, HIPAA
  ◦ Satisfies potential SEC audit objectives
• Knowledge transfer to clients on development techniques for secure applications

Wrap up

• Application Security is emerging as a critical aspect of enterprise security
• Emerging best practices include iterative assessments and defense in depth
• Cultural, organizational, and technical challenges all may hinder an effective strategy

Wrap Up

Questions and Answers