mahdi-dolati
A presentation on the necessity of building secure software and the methods for doing so.
An example to see why
Top Ten Attacks
• Open Web Application Security Project
• Injection
• Broken Authentication and Session Management
• Cross-Site Scripting (XSS)
• Insecure Direct Object References
• Security Misconfiguration
owasp.org/index.php/Top_10_2013-T10
SQL Injection
http://www-935.ibm.com/services/us/iss/xforce/trendreports/
SQL Injection
• Fill in the blanks!
• SELECT OrderId FROM Sales WHERE CustomerId = ' '
• SELECT OrderId FROM Sales WHERE CustomerId = '' UNION SELECT Table_Name FROM INFORMATION_SCHEMA.Table; -- '
SQL Injection
SELECT OrderID FROM Sales WHERE CustomerID = ' '
Giving Information to the Attacker
Hide the Error
    try {
        resultSet = READ FROM DATABASE;
    } catch (error) {
        redirect("home.html");   // same response as "no rows": the database error is hidden
        return;
    }
    if (resultSet.RowCount > 0)
        redirect("history.html");
    else
        redirect("home.html");
[Flowchart] Read From DB -> Error? -> Yes: go to "home"
                                   -> No: Is Result > 0? -> Yes: go to "history"; No: go to "home"
Input: CustomerID = '                      -> go to "home"
Input: CustomerID = ' ;delay 1 min. ;--    -> wait 1 min., go to "home"
Blind SQL Injection
Is the first letter of the name of the first table an 'A'? No, it's not: go to "home"
Is the first letter of the name of the first table a 'B'? Yes, it is: go to "history"
SELECT OrderID FROM Sales WHERE CustomerID = '' OR MID((SELECT table_name FROM INFORMATION_SCHEMA.tables LIMIT 1), 1, 1) = 'A'
Solutions
• Validate Input
  • No SQL syntax
  • No single quote
    • What about Mr. John O'Malley?
    • Attack on the "no single quote" rule: URL encoding
  • Prevent OR 1 = 1
  • Regex
• Encode or escape
Regexlib.com: search for "person's name"; the pattern allows apostrophes. SQL injection: X' OR A IS NOT NULL
Solutions
• Validate Input
  • No SQL syntax
• Escape input
  • Insert backslash
• Parameterized queries
• Stored Procedures
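As an added example (not part of the original slides), the "fill in the blanks" query from the SQL Injection slides beside its parameterized form, run against a constructed in-memory SQLite table; it also shows why the "no single quote" rule rejects Mr. O'Malley while the bound parameter handles his name and neutralizes the OR 1 = 1 tautology.

```python
import sqlite3

# Constructed sample table modelled on the slides' Sales / CustomerId query.
ROWS = [("O'Malley", "ORD-1"), ("O'Malley", "ORD-2"), ("smith", "ORD-3")]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Sales (CustomerId TEXT, OrderId TEXT)")
    db.executemany("INSERT INTO Sales VALUES (?, ?)", ROWS)
    return db

def reject_single_quote(value):
    """The 'no single quote' validation rule from the slides."""
    return "'" not in value

def orders_concat(db, customer_id):
    """The slides' 'fill in the blanks' pattern: input pasted into the SQL text."""
    sql = "SELECT OrderId FROM Sales WHERE CustomerId = '" + customer_id + "'"
    return [row[0] for row in db.execute(sql)]

def orders_param(db, customer_id):
    """Parameterized query: the value is bound and never parsed as SQL."""
    sql = "SELECT OrderId FROM Sales WHERE CustomerId = ?"
    return [row[0] for row in db.execute(sql, (customer_id,))]

def demo():
    db = make_db()
    out = {}
    # A legitimate customer whose name contains an apostrophe.
    out["filter_accepts_omalley"] = reject_single_quote("O'Malley")  # False: he is rejected
    try:
        out["concat_omalley"] = orders_concat(db, "O'Malley")
    except sqlite3.OperationalError as err:
        out["concat_omalley"] = "error: " + str(err)  # the error a raw page would leak
    out["param_omalley"] = orders_param(db, "O'Malley")
    # The tautology the slides tell us to prevent, appended to the input.
    tautology = "' OR 1 = 1 --"
    out["concat_tautology"] = orders_concat(db, tautology)  # every row comes back
    out["param_tautology"] = orders_param(db, tautology)    # no customer has that id
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```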
Bake Security In
Cost
• “Economic Impacts of Inadequate Infrastructure for Software Testing”
Nist.gov/director/planning/upload/report02-3.pdf
[Chart] Relative Cost to Fix Software Defects (y-axis 0 to 35) by phase: Req. / Design, Coding / Unit Testing, Integration Testing, Customer Beta Testing, Release
Find vulnerabilities
Hold release to
fix
Fix
Schedule a pentest
Pentest
How to bake security in?
Training
Threat Modeling
• Ultimate pessimist's game
• Many Approaches
  • Asset-centric
  • Attacker-centric
  • Software-centric
• Mitigation
  • E.g. encrypt database
SDL Threat Modeling Tool
• A Data Flow Graph
• STRIDE
  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure
  • Denial of service
  • Elevation of privilege
[Data flow diagram] Processes: Add item into cart, View cart contents; data stores: User database, Product Catalog, Cart Database; external entity: User
Secure Coding Libraries
• Don't reinvent the wheel
• Code review
• Correctness or Disuse
• OWASP AntiSamy or Microsoft Anti-XSS
• OpenSSL
Bryan Sullivan and Vincent Liu, Web Application Security, McGraw Hill, 2011
Code Review
Static Analysis Tools
• White-Box Testing
• Integrate them
  • Build process
  • Code repository server
• False positive reports
Automated Analysis Tools
Tool                             | Lang / Framework                 | Free / Commercial
FindBugs                         | Java                             | Free (LGPL)
OWASP LAPSE+                     | Java                             | Free (GPL)
FxCop                            | .NET                             | Free (Ms-PL)
PHP Security Scanner             | PHP                              | Free (GPL)
JSLint                           | JavaScript                       | Free (LGPL)
HP Fortify Source Code Analyzer  | C/C++, .NET, Java, PHP, others   | Commercial
Security Testing
• Functional test approach
• Black-Box Testing
  • Just like a Hacker
  • Active
  • Passive
Black-Box Testing Tools
• IBM Rational AppScan
  • Active
  • Commercial
• OWASP WebScarab
  • Reactive
  • Free
Black-Box vs. White-Box
[Figure] System Boundary; labels inside: Go, F#, Scala, Admin.php
Security Incident Response planning
Industry Standard Secure Development Methodologies
Trustworthy Computing Memo
Security Development Lifecycle (SDL)
Microsoft.com/sdl
Training
  • Core Security Training
Requirements
  • Establish Security Requirements
  • Create Quality Gates/Bug Bars
  • Security & Privacy Risk Assessment
Design
  • Establish Security Requirements
  • Analyze Attack Surface
  • Threat Modeling
Implementation
  • Use Approved Tools
  • Deprecate Unsafe Functions
  • Static Analysis
Verification
  • Dynamic Analysis
  • Fuzz Testing
  • Attack Surface Review
Release
  • Incident Response Plan
  • Final Security Review
  • Release Archive
Response
  • Execute Incident Response Plan
SDL-Agile
OWASP Comprehensive Lightweight Application Security Process (CLASP)
• Roles: Project manager, Security Auditor, Test Analyst, Implementer, Architect, Requirements Specifier, Designer