ISSA Spring Security Summit 2009
Mike Parsons, CISSP, IAM, IEM
Slide 2
Why web application security
The value proposition
Who sets the standard: W3C, IETF, OWASP, WASC, PCI
Remediation strategies
Some common threats and exploits
Slide 3
Cenzic, Inc. reports in its Web Application Security Trends Report, Q3-Q4 2008, that total vulnerabilities were up over 10 percent from the first half of 2008, while the number of Web application vulnerabilities went up 80 percent. At least 80 percent of applications tested suffered from severe vulnerabilities. The most common vulnerabilities related to Information Leaks and Exposures, Cross-Site Scripting, and Session Management.
Slide 4
However, the economic crisis is holding a number of organizations back from moving forward with this initiative. What's surprising is that most of these companies are still spending money on network security. With 80 percent to 90 percent of Web applications vulnerable, and with 75 percent of attacks occurring through the Web sites, this budget allocation defies logic. But lack of awareness and understanding of the issues around application security are partly to blame.
(Cenzic, Inc.)
Slide 5
Universal client: PDAs, netbooks, laptops, all OSs
Graphical user interface
XML and its extended family provides a common protocol stack from UI to back office: presentation, business logic, schema
Reduced development time
Provides a systems integration fabric
Slide 6
Web applications on the rise
External-facing web sites are the new company storefronts
Intrinsic impacts: branding; customer experience; securing the data entrusted by partners, customers and employees
Cost impacts: fines; legal liability; loss of business
Slide 7
eCommerce
Employee and partner portals
Federation
ERP applications
Unique branding and intellectual property issues
Cloud computing: Software as a Service, Hardware as a Service
Slide 8
Retail: PCI, state privacy laws
Medical: HIPAA, PCI, state privacy laws
Banking: GLBA, PCI, state privacy laws
Education: FERPA, PCI, state privacy laws
Slide 9
W3C, IETF, OWASP, WASC, NIST, PCI
Slide 10
Purpose of the web: find useful information
Evolution to eCommerce and eGovernment
Standards for SGML, HTML, XML
XML Signatures and Encryption
Platform for Privacy Preferences (P3P)
Quality assurance through development of validators
Slide 11
Related organizations: ISOC (Internet Society); IAB (Architectural Oversight); IESG (Steering Group); IETF (Standards and Practices); IANA (Protocol parameters and addressing)
Sample standards and practices: TCP, UDP, HTTP, cryptography
Slide 12
Open Web Application Security Project
Organization established to develop and distribute information related to application security
OWASP Top 10, recognized in PCI DSS 1.2, Requirement 6.6
Tools like WebGoat and WebScarab
There is a chapter in North Carolina
Slide 13
Develop open source and widely agreed upon best-practice security standards for the World Wide Web.
Projects: Web Application Security Scanner Evaluation Criteria; Web Hacking Incidents Database; Distributed Open Proxy Honeypots; Web Security Threat Classification; Web Application Firewall Evaluation Criteria; Web Application Security Statistics
Slide 14
Computer Security Division provides standards and technology to protect information systems against threats to the confidentiality, integrity, and availability of information, processes and services in order to build trust and confidence in (IT) systems.
Standards and guidelines of interest include encryption, web application scanners, hashing algorithms, digital signatures
Slide 15
Data Security Standard requirement 6.6 addresses Web Application Security specifically
References OWASP Top 10
Requires either: a web application firewall; or code review of all application code by a qualified reviewer
Clarification issued in May that includes WAF evaluation criteria
Slide 16
Vulnerability: Description
A1 - Cross Site Scripting (XSS): XSS allows attackers to execute script in the victim's browser, which can hijack user sessions, deface web sites, possibly introduce worms, etc.
A2 - Injection Flaws: The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.
A3 - Malicious File Execution: Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.
A4 - Insecure Direct Object Reference: Attackers can manipulate direct object references to access other objects without authorization.
A5 - Cross Site Request Forgery (CSRF): Forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker.
Slide 17
Vulnerability: Description
A6 - Information Leakage and Improper Error Handling: Applications unintentionally leak information about their configuration or internal workings, or violate privacy, through a variety of application problems.
A7 - Broken Authentication and Session Management: Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.
A8 - Insecure Cryptographic Storage: Web applications rarely use cryptographic functions properly to protect data and credentials.
A9 - Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.
A10 - Failure to Restrict URL Access: Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users.
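Three of the items above (A1, A2 and A4) as vulnerable code beside its hardened form, as an added example that is not part of the ISSA presentation. The users and invoices tables, the rows in them and the request values are constructed for the demonstration; the "vulnerable" functions are kept deliberately flawed so the difference the fix makes is visible.

```python
"""Added example, not from the ISSA presentation: OWASP Top 10 (2007)
items A1, A2 and A4 as vulnerable code beside its hardened form.
The tables, rows and request values below are constructed for the demo."""
import html
import sqlite3

# Constructed sample data: two users, each owning one invoice.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
conn.execute("CREATE TABLE invoices (id INTEGER, owner_id INTEGER, total REAL)")
conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                 [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                 [(100, 1, 42.0), (101, 2, 99.5)])


# A2 Injection: SQL built by string formatting lets hostile data change the query.
def login_vulnerable(name, password):
    """Returns the matching user id, or None.  A password of
    ' OR '1'='1 turns the WHERE clause into one that is always true."""
    sql = ("SELECT id FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(name, password):
    """Same query with bound parameters: the values are never parsed as SQL."""
    row = conn.execute("SELECT id FROM users WHERE name = ? AND password = ?",
                       (name, password)).fetchone()
    return row[0] if row else None


# A1 Cross Site Scripting: user input reflected into HTML without encoding.
def greeting_vulnerable(name):
    """The browser renders whatever the attacker placed in `name`."""
    return "<p>Hello, %s</p>" % name


def greeting_fixed(name):
    """Encode for the HTML text context; quote=True also covers attribute values."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


# A4 Insecure Direct Object Reference: the id in the request is trusted.
def invoice_total_vulnerable(session_user_id, invoice_id):
    """Any authenticated user can read any invoice by changing the id."""
    row = conn.execute("SELECT total FROM invoices WHERE id = ?",
                       (invoice_id,)).fetchone()
    return row[0] if row else None


def invoice_total_fixed(session_user_id, invoice_id):
    """The lookup is scoped to the owner the session identifies, so an id
    supplied by the client cannot reach another user's row."""
    row = conn.execute(
        "SELECT total FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, session_user_id)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    bypass = "' OR '1'='1"
    print("vulnerable login:", login_vulnerable("alice", bypass))  # 1
    print("fixed login:     ", login_fixed("alice", bypass))       # None
    print(greeting_fixed("<script>alert(1)</script>"))
    print("bob reads invoice 100:", invoice_total_vulnerable(2, 100),
          invoice_total_fixed(2, 100))
```

The same pattern underlies each fix: the hardened version stops treating a client-supplied value as code (A2), as markup (A1) or as proof of authorization (A4). Note that parameter binding alone does not fix A4; the authorization condition has to be part of the query, keyed on the server-side session rather than on anything the client sent.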
Slide 18
Educate your developers, systems engineers and business units
Know your infrastructure; reduce the exposure window
Have a third party assess your security and application integrity
Evaluate tools and strategies: code assessment; web application firewalls
Slide 19
PCI DSS Requirement 6.6:
For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
- Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
- Installing a web-application firewall in front of public-facing web applications

Testing Procedure 6.6:
For public-facing web applications, ensure that either one of the following methods is in place as follows:
- Verify that public-facing web applications are reviewed (using either manual or automated vulnerability security assessment tools or methods), as follows:
  - At least annually
  - After any changes
  - By an organization that specializes in application security
  - That all vulnerabilities are corrected
  - That the application is re-evaluated after the corrections
- Verify that a web-application firewall is in place in front of public-facing web applications to detect and prevent web-based attacks.
Slide 20
Qualified organizations that specialize in application security are difficult to find, and the process is expensive
3rd-party development or COTS poses problems: access to source code and developers is the issue
Can be used for in-house development
Expertise in secure coding practice
Review takes place outside of development
Can you review all code changes?
Slide 21
WhiteHat Sentinel
AppScan OnDemand Comprehensive
Cenzic Click to Secure services
Trustwave Managed Security Services
Qualys: more generic, but has a web services component
Slide 22
Acunetix WVS
IBM Rational AppScan
HP WebInspect (formerly SPI Dynamics)
Cenzic Hailstorm
N-Stalker (has a free edition)
nCircle WebApp360
Slide 23
No Magic Quadrant; Gartner has issued various notes on the subject
Consider WAFEC criteria to evaluate
Consider DSS criteria to evaluate
Enterprise architecture is a governing factor: in-line vs out-of-line; JavaScript vs XML vs Ajax vs Web Services 2.0; web server strategy
Look for additional value such as a positive security model and application integrity remediation
Look for management interface, flexibility in blocking traffic, scalability
Slide 24
WAFEC addresses the following areas in Version 1.0 (2006): Deployment Architecture; HTTP Support; Detection Techniques; Protection Techniques; Logging; Reporting; Management; Performance; XML
Future releases to address the following areas: compliance, certifications, and interoperability; increased coverage of performance issues (especially on the network level); increased coverage of XML-related functionality.
Slide 25
- Meet all applicable PCI DSS requirements pertaining to system components.
- React appropriately (defined by active policy or rules) to threats against relevant vulnerabilities as identified, at a minimum, in the OWASP Top Ten and/or PCI DSS Requirement 6.5, based on the active policy or rules, and log actions taken.
- Inspect web application input and respond appropriately (allow, block, and/or alert).
- Prevent data leakage, meaning have the ability to inspect web application output and respond appropriately (allow, block, mask and/or alert).
- Enforce both positive and negative security models.
- Inspect both web page content, e.g. Hypertext Markup Language (HTML), Dynamic HTML (DHTML), and Cascading Style Sheets (CSS), and the underlying transport protocols that deliver content, e.g. Hypertext Transport Protocol (HTTP) and Hypertext Transport Protocol over SSL (HTTPS).
- Inspect web services messages, if web services are exposed to the public Internet, e.g. Simple Object Access Protocol (SOAP) and eXtensible Markup Language (XML), both document- and RPC-oriented models, in addition to HTTP.
- Inspect any protocol or data construct that is used to transmit data to or from a web application.
- Defend against threats that target the WAF itself.
- Support SSL and/or TLS termination, or be positioned such that encrypted transmissions are decrypted before being inspected by the WAF.
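A minimal request/response inspector that shows what several of the properties above mean in practice (a positive model, a negative model, an allow/block/alert decision that is logged, and output inspection that masks card numbers), as an added example that is not part of the presentation and is not any vendor's WAF code. The paths, parameter profiles, attack signatures and sample traffic are all constructed for the demonstration.

```python
"""Added example, not from the presentation or any vendor's product: a
minimal inspector showing a positive model, a negative model, a logged
allow/block/alert decision, and output inspection that masks card numbers.
Profiles, signatures and the sample traffic are constructed for the demo."""
import re
from urllib.parse import parse_qsl

# Positive model: for each protected path, the parameters it may carry and
# the exact shape each value must have.  Anything else violates policy.
PROFILES = {
    "/login": {"user": re.compile(r"^[a-z0-9_]{1,32}$"),
               "pass": re.compile(r"^.{1,128}$", re.S)},
    "/invoice": {"id": re.compile(r"^\d{1,9}$")},
}

# Negative model: signatures for two OWASP Top Ten attack classes.
SIGNATURES = [
    ("sqli", re.compile(r"(?i)('\s*or\s*'|--|;\s*drop\b|union\s+select)")),
    ("xss", re.compile(r"(?i)(<script|javascript:|onerror\s*=)")),
]

ACTION_LOG = []  # every decision is recorded, as the requirement asks


def _decide(action, path, reason):
    ACTION_LOG.append((action, path, reason))
    return action, reason


def inspect_request(path, query):
    """Returns (action, reason) where action is 'allow', 'block' or 'alert'."""
    params = parse_qsl(query, keep_blank_values=True)
    # Negative model first, so the log names the attack that was attempted.
    for name, value in params:
        for label, sig in SIGNATURES:
            if sig.search(value):
                return _decide("block", path, "%s signature in %s" % (label, name))
    profile = PROFILES.get(path)
    if profile is None:
        # Unknown application surface: let it through but flag it for review.
        return _decide("alert", path, "no positive profile for path")
    for name, value in params:
        shape = profile.get(name)
        if shape is None:
            return _decide("block", path, "undeclared parameter %s" % name)
        if not shape.match(value):
            return _decide("block", path, "parameter %s violates profile" % name)
    return _decide("allow", path, "matches positive profile")


# Output inspection: 13 to 19 digits with optional space/dash separators.
PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def _luhn_ok(digits):
    """Luhn check, used so order numbers and phone numbers are not masked."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def inspect_response(body):
    """Masks each Luhn-valid card number to its last four digits and
    returns (masked_body, number_masked)."""
    count = 0

    def mask(match):
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group(0))
        if not _luhn_ok(digits):
            return match.group(0)
        count += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    return PAN_CANDIDATE.sub(mask, body), count


if __name__ == "__main__":
    print(inspect_request("/login", "user=alice&pass=s3cret"))
    print(inspect_request("/login", "user=alice&pass=%27+OR+%271%27%3D%271"))
    print(inspect_request("/invoice", "id=100&debug=1"))
    print(inspect_response("order 1234567890123 paid with card 4111 1111 1111 1111."))
```

The positive model carries the protection here: a parameter the application never declared, or a value outside its declared shape, is blocked with no knowledge of the attack. The signatures only put a name on known attack strings, and a list this short will both miss variants and produce false positives (a password containing "--"), which is why detection techniques, not a signature count, are an evaluation area in WAFEC. Output masking is keyed on a Luhn check so that order and phone numbers are left intact; a deployable product would also have to decode compressed or encoded responses and handle non-HTML content types before inspecting them.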