38
Web Security – Everything we know is (Still) wrong (2017) IT Summit – Nov 8th

Web security – everything we know is wrong cloud version

Embed Size (px)

Citation preview

Page 1: Web security – everything we know is wrong   cloud version

Web Security – Everything we know is (Still) wrong (2017)

IT Summit – Nov 8th

Page 2: Web security – everything we know is wrong   cloud version

Eoin Keary

• CEO edgescan.com

• OWASP GLOBAL BOARD MEMBER – 2009-2015

• OWASP Project Lead

Page 3: Web security – everything we know is wrong   cloud version

edgescan

• Fullstack vulnerability management

• Continuous

• False Positive Free/Expert Validation

• 1000’s of systems every month

• Leader in “Gartner Peer Insights” Report

• PCI ASV Certified

Page 4: Web security – everything we know is wrong   cloud version

4© 2012 WhiteHat Security, Inc.

HACKED

Page 5: Web security – everything we know is wrong   cloud version

“(Cyber crime is the) second cause of economic crime experienced by the financial services sector” – PwC

“556 million adults across the world have first-hand experience of cybercrime -- more than the entire population of the European Union.”

Globally, every second, 18 adults become victims of cybercrime- Symantec “The loss of industrial information and intellectual property through

cyber espionage constitutes the greatest transfer of wealth in history” - Gen. Keith Alexander

Cyber crime damage costs to hit $6 trillion annually by 2021

Eoin, I didn’t click it – My Grandma

“One hundred BILLION dollars” -Dr Evil

2017 – so farTrump – administration details leakedClash of Clans – 1,000,000Cellebrite – 900 GB of DataSWIFT – Fake Trade Documents - 3 banks – IndiaCoPilot – GPS – 220,000 RecordsSentara HealthCare – 5,000 Patient recordsDeep Root Analytics – 198,000,000 recordsEquifax – 143,000,000+ Records!

Human attack surface to reach 6 billion people by 2022.

Page 6: Web security – everything we know is wrong   cloud version

Its (not) the $$$$Information

security spend

Security incidents

(business impact)

Page 7: Web security – everything we know is wrong   cloud version

“There’s Money in them there webapps”

“Web applications abound in many larger companies, and remain a popular (54% of breaches) and successful (39% of

records) attack vector.”

- Verizon Data Breach Investigations Report

Page 8: Web security – everything we know is wrong   cloud version

Accountability in the CloudApplication

App Server/DB/Web

Computing

Network

Storage

Application

App Server/DB/Web

Computing

Network

Storage

SaaS

PaaS

Cloud Provider

Cloud Consumer

Acc

ou

nta

ble

Acco

un

table

54% of breaches are via the application Layer

*

* Few exceptions

You can outsource hosted services but you cannot outsource accountability

Page 9: Web security – everything we know is wrong   cloud version

But we are approaching this problem completely wrong and have been for years…..

Page 10: Web security – everything we know is wrong   cloud version

Problem # 1

Asymmetric Arms Race

Page 11: Web security – everything we know is wrong   cloud version

A traditional end of cycle / Annual pentest only gives minimal security…..

Page 12: Web security – everything we know is wrong   cloud version

There are too many variables and too little time to ensure “real security”.

Page 13: Web security – everything we know is wrong   cloud version

An inconvenient truth

Two weeks of ethical hacking

Ten man-years of development

Business Logic Flaws

Code Flaws

Security Errors

Page 14: Web security – everything we know is wrong   cloud version

Make this more difficult: Lets change the application code once a month.

Keeping Pace with: DevSecOpsNew VulnerabilitiesContinuous patching requirementsNew Deployments (Services, Systems)

Continuous Testing

Page 15: Web security – everything we know is wrong   cloud version

"Risk comes from not knowing what you're doing." - Warren Buffet

Page 16: Web security – everything we know is wrong   cloud version

Automated Review

A fool with a tool, is still a fool”…..?

In two weeks:

Consultant “tune tools”Use multiple tools – verify issuesCustomize Attack Vectors to technology stackAchieve 80-90 application functionality coverage

How experienced is the consultant?

Are they as good as the bad guys?They certainly need to be, they only have 2 weeks, right!!?

Code may be pushed to live soon after the test.Potential window of Exploitation could be until the next pen test.

6 mths, 9 mths, 1 year?

Page 17: Web security – everything we know is wrong   cloud version

Some of the problem has moved (back) to the client.

Some “Client Side” vulnerabilities can’t be tested via HTTP parameter testing.

Many tools can’t adequately assess certain technologies

• Node/Angular• API’s • Flex/Flash/Air• Native Mobile Web Apps – Data Storage, leakage, malware.• DOM XSS – JQuery, CSS, Attribute, Element, URL fragments• Uploaded client-side/Javascript malware (Gzip/deflate/Hex encoded etc).• Logical/Business Logic Vulnerabilities.

Scanning in not enough anymore. Intelligence is required. Orchestration is required.

Tools Alone – They don’t work well without strong operations and orchestration

Page 18: Web security – everything we know is wrong   cloud version

“We need an Onion”

SDL – Design review

Threat Modeling

Code review/SAST

Negative use/abuse cases/Fuzzing/DAST

Live/Ongoing - Continuous/Frequent monitoring / Testing

Manual Validation

Vulnerability Intelligence & Priority

Dependency Management ….

Situational Awareness / Alerting

We need more than Automated Scanning.

Page 19: Web security – everything we know is wrong   cloud version

Problem # 2

You are what you eat

Page 20: Web security – everything we know is wrong   cloud version

Software food chain

20

Application Code

COTS (Commercial off

the shelf

Outsourced development Sub-

Contractors

Bespoke outsourced

development

Bespoke Internal development

Third Party API’s

Third Party Components & Systems

Degrees of trust

You may not let some of the people who have developed your code into your offices!!

More Less

Page 21: Web security – everything we know is wrong   cloud version

2016- Open Source Security Statistics.

• 23% of the Components in the Average Software Application Contain Known Vulnerabilities

• 60% of businesses do not keep a complete inventory (bill of materials) of components being used in their applications.

- edgescan statistics November 2016

Page 22: Web security – everything we know is wrong   cloud version

Struts - application development framework : downloaded 2 million times in the last year. –

Remote Code Execution attack CVE-2017-9805

Struts 2.1.2 - 2.3.33, 2.5 - 2.5.12

https://cwiki.apache.org/confluence/display/WW/S2-052

2.1.2 – 9 years old

2.3.33 – July 2017

2.5.x – May 2017

https://struts.apache.org/downloads.html

Page 23: Web security – everything we know is wrong   cloud version

Do we test for "dependency“ issues?

NO

Does your patch management policy cover application dependencies?

Page 24: Web security – everything we know is wrong   cloud version

Problem # 3

Bite off more than we chew

Page 25: Web security – everything we know is wrong   cloud version

How can we manage vulnerabilities on a large scale….

Page 26: Web security – everything we know is wrong   cloud version
Page 27: Web security – everything we know is wrong   cloud version

“We can’t improve what we can’t measure”

Page 28: Web security – everything we know is wrong   cloud version

Say 300 web applications:

300 Annual Penetration tests

10’s of different penetration testers?

300 reports

How do we consume this Data?

Page 29: Web security – everything we know is wrong   cloud version

Enterprise Vulnerability Intelligence:

Consolidation of vulnerability data.

Continuous active monitoring & Visibility

Vulnerability Management Alerting

Situational Awareness

Page 30: Web security – everything we know is wrong   cloud version

Problem # 4

Information flooding

(Melting a developers brain, White noise and “compliance”)

Page 31: Web security – everything we know is wrong   cloud version

Doing things right != Doing the right things.

“Not all bugs/vulnerabilities are equal”(is HttpOnly important if there is no XSS?)

Contextualize Risk(is XSS /SQLi always High Risk?)

Do developers need to fix everything?- Limited time

- Finite Resources- Task Priority

- Pass internal audit?

White Noise

Page 32: Web security – everything we know is wrong   cloud version

Compliance - GDPR

There’s Compliance:

EU directive:http://register.consilium.europa.eu/pdf/en/12/st05/st05853.en12.pdf

Article 23,24 & 79, - Administrative sanctions“The supervisory authority shall impose a fine up to 250 000 EUR, or in case of an enterprise up to 0.5 % of its annual worldwide turnover, to anyone who, intentionally or negligently does not protect personal data”

Page 33: Web security – everything we know is wrong   cloud version

Clear and Present Danger!!

…and there’s Compliance

Page 34: Web security – everything we know is wrong   cloud version

Problem #5

Explain issues in “Developer speak” (AKA English)

Page 35: Web security – everything we know is wrong   cloud version

Is Cross-Site Scripting the same as SQL injection?

Both are injection attacks -> code and data being confused by system.

LDAP Injection, Command Injection, Log Injection, XSS, SQLI etc etc

Think old phone systems, Captain Crunch (John Draper).

Signaling data and voice data on same logical connection – Phone Phreaking

Page 36: Web security – everything we know is wrong   cloud version

XSS causes the browser to execute user supplied input as code. The input breaks out of the "Data" context and becomes execution context.

SQLI causes the database or source code calling the database to confuse data [context] and ANSI SQL [ execution context].

Command injection mixes up data [context] and the command [context].

Page 37: Web security – everything we know is wrong   cloud version

So….

We need to understand what we are protecting against.

We need to understand that a pentest alone is a loosing battle.

You can only improve what you can measure

Not all bugs are created equal.

Bugs are Bugs. Explain security issues to developers in “Dev speak”

Page 38: Web security – everything we know is wrong   cloud version

Thanks for listening!!

[email protected]

@eoinkeary

@edgescan

www.edgescan.com