An Approach to Application Security

For beginners

#vodqa

Hi!

Why are you here?

Reference: https://www.owasp.org

Identify Security

Objectives

Application Overview

Decompose Application

Identify Threats

Identify Vulnerabilities

AgendaIntroduction and case study

High-level threat modeling

Application threat modeling

Vulnerability Testing

References

Case study

BackgroundHave food industry background

Known network of food critics

Business and Investment numbers

Start-up

Venture capital investment: ~$10mn

Number of employees: 50

Hired contractors for development

Application strategyFood critics write and read reviews

In the future, plans to extend ads to hotels for revenue

Critical assetsCustomers (food critics)

Credibility

Reference: https://www.owasp.org

Identify Security

Objectives

Application Overview

Decompose Application

Identify Threats

Identify Vulnerabilities

Mockups

Mockups

Mockups

Reference: https://www.owasp.org

Identify Security

Objectives

Application Overview

Decompose Application

Identify Threats

Identify Vulnerabilities

Phases in our delivery lifecycleInception (Business Feasibility Study and Requirement Gathering)

Design thinking and tech analysis

Development

Testing

Release

Inception

ParticipantsBusiness stakeholders : CTO, CFO, Tech architect

Delivery team: BA, Tech lead, QA, Tech architect, developers (optional)

High-level Threat modelingStructured, shared understanding of what could go wrong

Incorporate security thinking throughout our software delivery

Vocabulary to record and talk about possible threats

Understand the security threats that your client is facing

Understand the stakeholders’ concerns

ASK!

Split up in delivery teams

What are the

services and people

that are a

part of YourFeedback’s ecosystem?

Employees?

Hotels?

App users?

Government?

Cloud systems?

ActorsPeople and services within a system

But first, why protect anything?

What

does YourFeedback app want

to protect?

CIA TriadConfidentiality

IntegrityAvailability

What

does YourFeedback app want

to protect?

Reviews?

Customer information?

Logs?

Server?

AssetDevice, data or service that needs to be protected

Who

might

attack

YourFeeback’s assets?

Competitors?

Application users?

Firewall?

Hacktivists?

Government?

Other app in the same network?

AttackerPeople/services that intentionally, or unintentionally, compromise an asset

Reference: https://www.owasp.org

Identify Security

Objectives

Application Overview

Decompose Application

Identify Threats

Identify Vulnerabilities

What are we protecting our assets against?

ThreatA cause of a possible incident that could lead an attacker to attack an asset

AttackerAsset Threat

Assets● Reputation, credibility

● Investors

● Application

● Servers

● Code

● Reviews

● Customer data

● Audit/financial data

● Investment

● Application / Server Logs

Attackers● Business competitors

● Application user

● Hotel owners

● Investor’s competitors

● Hotel’s competitors

● Hackers

● Firewall

● Delivery team

● Employees

● Hacktivists

(Sample List)

Identifying threats and risk

Assets● Reputation, credibility

● Investors Info

● Application

● Servers

● Code

● Reviews

● Customer data

● Audit/financial data

● Investment

● Application / Server Logs

Attackers● Business competitors

● Application user

● Hotel owners

● Investor’s competitors

● Hotel’s competitors

● Hackers

● Firewall

● Delivery team

● Employees

● Hacktivists

(Sample List)

Assets● Reputation, credibility

● Investors Info

● Application

● Servers

● Code

● Reviews

● Customer data

● Audit/financial data

● Investment

● Application / Server Logs

Attackers● Business competitors

● Application user

● Hotel owners

● Investor’s competitors

● Hotel’s competitors

● Hackers

● Firewall

● Delivery team

● Employees

● Hacktivists

(Sample List)

Assets● Reputation, credibility

● Investors Info

● Application

● Servers

● Code

● Reviews

● Customer data

● Audit/financial data

● Investment

● Application / Server Logs

Attackers● Business competitors

● Application user

● Hotel owners

● Investor’s competitors

● Hotel’s competitors

● Hackers

● Firewall

● Delivery team

● Employees

● Hacktivists

(Sample List)

Assets● Reputation, credibility

● Investors Info

● Application

● Servers

● Code

● Reviews

● Customer data

● Audit/financial data

● Investment

● Application / Server Logs

Attackers● Business competitors

● Application user

● Hotel owners

● Investor’s competitors

● Hotel’s competitors

● Hackers

● Firewall

● Delivery team

● Employees

● Hacktivists

(Sample List)

Assets● Reputation, credibility

● Investors Info

● Application

● Servers

● Code

● Reviews

● Customer data

● Audit/financial data

● Investment

● Application / Server Logs

Attackers● Business competitors

● Application user

● Hotel owners

● Investor’s competitors

● Hotel’s competitors

● Hackers

● Firewall

● Delivery team

● Employees

● Hacktivists

(Sample List)

Assets● Reputation, credibility

● Investors Info

● Application

● Servers

● Code

● Reviews

● Customer data

● Audit/financial data

● Investment

● Application / Server Logs

Attackers● Business competitors

● Application user

● Hotel owners

● Investor’s competitors

● Hotel’s competitors

● Hackers

● Firewall

● Delivery team

● Employees

● Hacktivists

(Sample List)

Assets● Reputation, credibility

● Investors Info

● Application

● Servers

● Code

● Reviews

● Customer data

● Audit/financial data

● Investment

● Application / Server Logs

Attackers● Business competitors

● Application user

● Hotel owners

● Investor’s competitors

● Hotel’s competitors

● Hackers

● Firewall

● Delivery team

● Employees

● Hacktivists

(Sample List)

Assets● Reputation, credibility

● Investors Info

● Application

● Servers

● Code

● Reviews

● Customer data

● Audit/financial data

● Investment

● Application / Server Logs

Attackers● Business competitors

● Application user

● Hotel owners

● Investor’s competitors

● Hotel’s competitors

● Hackers

● Firewall

● Delivery team

● Employees

● Hacktivists

(Sample List)

Assets● Reputation, credibility

● Investors Info

● Application

● Servers

● Code

● Reviews

● Customer data

● Audit/financial data

● Investment

● Application / Server Logs

Attackers● Business competitors

● Application user

● Hotel owners

● Investor’s competitors

● Hotel’s competitors

● Hackers

● Firewall

● Delivery team

● Employees

● Hacktivists

(Sample List)

Assets● Reputation, credibility

● Investors Info

● Application

● Servers

● Code

● Reviews

● Customer data

● Audit/financial data

● Investment

● Application / Server Logs

Attackers● Business competitors

● Application user

● Hotel owners

● Investor’s competitors

● Hotel’s competitors

● Hackers

● Firewall

● Delivery team

● Employees

● Hacktivists

(Sample List)

More terminologiesMitigation : Ways to counterbalance a threat

Vulnerability : An un-mitigated or insufficiently mitigated threat

Risk : An onset of a threat on a vulnerability

Threat Vulnerability

Mitigation

Risk Magic QuadrantImpact

Probability

Our Risk Magic Quadrant (examples)

Application User giving unfair reviews

Application user misusing customer data

Hotel Owner changing reviews in favor of themselves

Business competitors bringing down Reputation and Credibility

Hackers bring down reputation and credibility

Probability

Impact

Firewall brings down the server

Business competitor’s catching hold of investment detailsEmployees disclosing

customer data

Design thinkingTech analysis

ParticipantsBusiness stakeholders : Tech team (if distributed team)

Delivery team: BA, Tech lead, QA, Tech architect, developers

Application Threat ModelingStructured, shared understanding of what could go wrong in identified threats

Incorporate security thinking into user stories and designThreat awareness for the delivery teamUnderstand protection mechanisms

But first, what ways can attackers attack in?

Example - STRIDESpoofing

Tampering

Repudiation

Information Disclosure

Denial of Service

Elevation of privileges

Application Threat Modeling : Attack TreesOpen safe

Break openLearn combinationPick lock

Find written combination

Get combination from someone

Look into emails/chatsLook into personal diary/notebooks Social engg PhishingCheck notes in laptop

Goal

Ways

What will bring Our business down?

Lose Customers

Lose Credibility

Targeted Marketing - By CompetitorsUnrelated/Unfair reviews

Competitors release attractive features before YourFeedback.comApplication is not usable.

Application is not performing as expected.

Illegitimate/Offensive content posted on the site.

Business owners have lost personal credibility.

Has been proved to be hacked at least once.

Lets see how one of those goals can be achieved by Attacker

Attack threats for you to pick upDisplay unreliable reviews

Make application unusable for users

Offensive/illegitimate content posted on the sites

Targeted marketing (by competitors/hotel owners)

Competitors release attractive features before us

Application is not performing as expected for business

Make the App not usable by user

Make the App not usable

Existing users are not able to Login

Redirect to another website

Bring the server down

Change Password

Delete User

Creating too much load

Sending too many asynchronous calls

Hide content on page load

Stop users from viewing/reading content

of website

Show popup on page load

Getting access to DB server

Show pop up on any click

Make website/browser too slow

Access the DB through application

Creating load on Database

Show irrelevant content on top of

actual page content

Running too many scripts on page

load

Display unreliable reviews

Display unreliable reviews

Login as existing member

Phishing

Change directly in database

Bypass login

Social engineering

Find password

Add new member

Bug in login

Get Password

Post wrong reviews

Offensive/illegitimate content posted on the sites

Offensive/illegitimate content posted on the sites

Offensive content in the review section

Run a script with offensive images

Login as existing user and post review

Add a new user and post review

Add offensive content and image in the information PDF

Load illegitimate image on page load

Get password

Bug in login

Get access to DB server

Targeted marketing (by competitors/hotel owners)

Targeted marketing

Capture attention by Ads

Call /email customers directly Get Customer Info

Posts Add in our feedback App

Get customers to visit competitor’s sites

Social Engineering Get Customer Info

Competitors market new attractive features before Yourfeedback.com

Competitors market new features before Yourfeedback.com

Get access to staging or pre prod environment

Get access to project management system

Accessing development branch to get active code

Reference: https://www.owasp.org

Identify Security

Objectives

Application Overview

Decompose Application

Identify Threats

Identify Vulnerabilities

DevelopmentTesting

Vulnerability IdentificationVulnerability is an unmitigated or insufficiently mitigated threat

OWASP Top 10 Vulnerabilities : A Start

SQL InjectionServer-side attack

Misuses interpreter to attack database

Different types of SQL injections: Error-based, Blind etc.

Cross-Site Scripting (XSS)A type of injection

Client-side attack

Misusing powers of HTML, Javascript, CSS etc.

Types:

Reflective

Persistent

Reflective XSS

Reflective XSS

Persistent XSS

Persistent XSS

Path TraversalAccess or execute command on restricted directories or files

Outside the web root folder

a.k.a. ‘dot-dot-slash’, ‘directory traversal’, ‘directory climbing’ or ‘backtracking’

Demo

Let’s test

Make the App not usable

Existing users are not able to Login

Redirect to another website

Bring the server down

Change Password

Delete User

Creating too much load

Sending too many Asynchronous Calls

Hide actual page content on Page

load

Stop users from viewing/reading content

of website

Show popup on Page load

Getting access to DB server

Show pop up on any click

Make website/browser too slow

Access the DB from the application

Creating load on Database

Show irrelevant content on top of

actual page content

Running too many scripts on page load

Access the DB from the applicationChange Password

Delete User

Hide actual page content on Page

load

Show popup on Page load

Redirect to another website

Display unreliable reviews

Display unreliable reviews

Login as existing member

Phishing

Change directly in database

Bypass login

Social engineering

Find password

Add new member

Bug in login

Get Password

Post wrong reviews

Competitors market new attractive features before Yourfeedback.com

Competitors market new features before Yourfeedback.com

Get access to staging or pre prod environment

Get access to project management system

Accessing development branch to get active

code

Reference: https://www.owasp.org

Identify Security

Objectives

Application Overview

Decompose Application

Identify Threats

Identify Vulnerabilities

Mitigations/SuggestionsSQL Injections :

Input Validation, like use of ORM.

Limit Database Permission

Configure Error Reporting

Path Traversal :

Use of search function instead of appending from URL.

XSS

CSP - Content Security Policy

Use AutoEscape

Input validation

Tool ExamplesZed Attack Proxy

BurpSuite

IronWASP

Fiddler

TamperData

Websecurify

XSS Me, SQL Inject Me etc.

ReferencesVulnerable application: https://github.com/jaydeepc/vul_feedback_app

Fixed application: https://github.com/jaydeepc/non_vul_python_app

https://www.thoughtworks.com/insights/blog/appsec101-welcoming-all-roles-world-security

https://www.owasp.org

Thank you!Harinee Muralinath (harineem@thoughtworks.com) , Jaydeep Chakraborty (jaydeepc@thoughtworks.com)

Nagesh Kumar, Shraddha Suman, Navya Bailkeri, Fathima Harris, Pallipuspa Samal, Astha Jaiswal, Hitesh Sharma

Presenters:

Volunteers: