Test and Verification Solutions Application Security: What Can You Do? Delivering Tailored Solutions for Hardware Verification and Software Testing BCS – Bristol 9 th March 2015 Declan O’Riordan


Page 1: Application Security: What Can You Do? · PowerPoint Presentation Author: Declan O'Riordan Created Date: 20150310225819Z

Test and Verification Solutions

Application Security: What Can You Do?

Delivering Tailored Solutions for Hardware Verification and Software Testing

BCS – Bristol, 9th March 2015
Declan O’Riordan

Page 2

Copyright TVS Limited | Private & Confidential | Page 2

What is driving security?

Firewalls / IDS / IPS based upon pattern-matching ‘known bad’ REGEX

Page 3

Threat growth

Source: Verizon

2014 - Commercial cyber security spending $46 billion

2013 - 20% more breaches

2012 - 30% higher cost per breach

Page 4

Why is Application Security important?

Make that 153m accounts/

Page 5

What is Application Security?

It is NOT Building, or Network Security! 

84% of attacks target the applications (Source: HP)

90% of sites are vulnerable to application attacks (Watchfire)

1.7% of security budget is spent on Applications. (OWASP 2014)

Page 6

Reactive Perimeter Defences

w.w.w. data is exploding:
• 2010 = 1.2 zettabytes
• 2015 = 7.9 zettabytes
• 2020 = 40 zettabytes?

1.2 million variants of malware per day

20%-30% of malware is caught by anti-virus

Page 7

The Security Testing Lifecycle

Activities:

• Review SDLC Process
• Review Policy
• Review Standards
• Review Requirements
• Review Design
• Create / Review Models
• Review Code
• Code Walkthrough
• Unit & System Test
• Penetration Test
• Config. Mgt. Review
• Unit & System Test
• Acceptance Test
• Change Verification
• Health Checks
• Operational Reviews
• Regression Tests

Phases:

• Before Development
• Definition & Design
• Development
• Deployment
• Maintenance

Page 8

‘The’ OWASP Top 10 Web-App Risks

Page 9

Free Application Security Testing Procedures & Development Guidelines


Page 10

Threat Assessment

Page 11

Compliance with the Standard


Page 12

Verify 168 security checkpoints

Page 13

The login screen

Page 14

Authentication: What can you do now?

• Bad passwords
• Insecure storage of credentials
• Verbose failure messages
• Password change functionality
• Forgotten password functionality
• User impersonation functionality
• Non-unique usernames
• Predictable usernames
• Incomplete validation of credentials

Page 15

Incomplete validation of credentials

Full validation of all password characters

1. Length
2. Case
3. Unusual characters
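The slide's point is that a verifier which silently truncates, case-folds or strips "unusual" characters accepts many passwords other than the one the user chose. The following is an added example, not code from the presentation: a small credential store whose full verifier hashes every character of the (Unicode-normalised) password, beside a deliberately incomplete verifier that mangles the input first. The class and function names, the PBKDF2 parameters and the sample password are all constructed for this illustration.

```python
"""Added example (not from the presentation): a credential verifier that
validates every password character, beside a deliberately incomplete one
that truncates, case-folds and strips unusual characters before checking.
All names here are hypothetical."""
import hashlib
import hmac
import os
import unicodedata
from typing import Dict, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; raise in production


def _mangle(password: str) -> str:
    # What an incomplete validator effectively compares: only the first
    # eight characters, case-folded, with punctuation thrown away.
    return "".join(c for c in password[:8].lower() if c.isalnum())


def _derive(secret: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256 over the UTF-8 bytes of the password, so
    # every character contributes to the stored value.
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)


class CredentialStore:
    """In-memory store of salt + hash per user (constructed for the example)."""

    def __init__(self, incomplete: bool = False) -> None:
        self._incomplete = incomplete
        self._records: Dict[str, Tuple[bytes, bytes]] = {}

    def _canonical(self, password: str) -> str:
        if self._incomplete:
            return _mangle(password)
        # NFKC normalisation keeps Unicode input stable across platforms
        # without discarding any character.
        return unicodedata.normalize("NFKC", password)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[username] = (salt, _derive(self._canonical(password), salt))

    def verify(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Do the same work for unknown users so response time does not
            # reveal whether the username exists.
            _derive(self._canonical(password), bytes(16))
            return False
        salt, expected = record
        candidate = _derive(self._canonical(password), salt)
        return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    full = CredentialStore()
    weak = CredentialStore(incomplete=True)
    for store in (full, weak):
        store.register("declan", "Tr0ub4dor&3")
    # The incomplete validator accepts a truncated, re-cased or
    # punctuation-free variant; the full one accepts only the exact password.
    for attempt in ("Tr0ub4dor&3", "tr0ub4do", "TR0UB4DOR&3", "Tr0ub4dor3"):
        print(f"{attempt!r}: full={full.verify('declan', attempt)} "
              f"incomplete={weak.verify('declan', attempt)}")
```

A tester can exercise the three checks on the slide directly: register a password, then attempt a shorter prefix (length), a re-cased copy (case) and a copy with punctuation removed (unusual characters). Any acceptance other than the exact password is a finding.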

Page 16

Authentication: What may need help?

• Vulnerable credentials transmission
• “Remember me” functionality
• Predictable initial passwords
• Insecure distribution of credentials
• Fail-open login mechanisms
• Multi-stage login defects
• Brute-forcible login (failedlogins=1)

Page 17

Access controls: What can you do now?

• Completely unprotected functionality
• Direct access to methods
• Identifier-based functions
• Multi-stage functions
• Static files
• Platform mis-configuration
• Insecure access control methods
• Parameter / referer / location-based access control

Page 18

Completely unprotected functionality

No one will know that sensitive function / resource URL. It’s secret!

But URLs appear in logs and browser histories and are displayed on-screen. They can be emailed, bookmarked, and written down.

Attackers find them in client-side JavaScript, by brute-forcing names / identifiers (observing response codes 302, 400, 401, 403, 500), by inference from published content, through search engines and web archives, and by leveraging the web server.
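The defence the slide implies is that every resource carries an explicit server-side rule, so knowing a URL gains nothing. The following is an added example, not the presenter's code: a route table in which each path states the role it requires, a deny-by-default rule for paths that are not listed, and a dispatcher that answers unauthenticated and under-privileged requests uniformly so that the differing response codes mentioned on the slide do not reveal which obscure names exist. The route names, session cookies and role ranking are constructed for the example.

```python
"""Added example (not from the presentation): server-side access control
that does not rely on a URL being secret. Route table, session store and
cookie values are constructed for this example; a real application issues
random tokens and keeps sessions in a server-side store."""
from typing import Dict, List, Optional

# Constructed session store: opaque cookie value -> role of the logged-in user.
SESSIONS: Dict[str, str] = {
    "cookie-of-an-admin": "admin",
    "cookie-of-a-user": "user",
}

# Every route carries an explicit rule: None means public, otherwise the
# minimum role required. A route that is not listed is not "hidden"; it is
# treated as the most restricted resource (deny by default).
ROUTES: Dict[str, Optional[str]] = {
    "/": None,
    "/account": "user",
    "/admin/reports": "admin",
    # An unguessable filename is still just a name, not an access control.
    "/admin/export-q1-x7f3k9.csv": "admin",
}

ROLE_RANK = {"user": 1, "admin": 2}
MOST_RESTRICTED = max(ROLE_RANK, key=ROLE_RANK.get)


def public_routes() -> List[str]:
    """Routes with no access rule, for review: this list should be short."""
    return sorted(path for path, rule in ROUTES.items() if rule is None)


def handle(path: str, session_cookie: Optional[str]) -> int:
    """Return the HTTP status a request for `path` would receive."""
    rule = ROUTES.get(path, MOST_RESTRICTED)
    if rule is None:
        return 200  # public resource

    role = SESSIONS.get(session_cookie) if session_cookie else None
    if role is None:
        # Unauthenticated: same answer whether or not the path exists, so
        # probing names without a session reveals nothing.
        return 401
    if ROLE_RANK[role] < ROLE_RANK[rule]:
        # Authenticated but not entitled: unknown paths look exactly like
        # real admin paths to a lower-privilege principal.
        return 403
    if path not in ROUTES:
        return 404  # only a principal who would be allowed anyway learns this
    return 200  # authorised


if __name__ == "__main__":
    print("public routes:", public_routes())
    for cookie in (None, "cookie-of-a-user", "cookie-of-an-admin"):
        for path in ("/", "/account", "/admin/export-q1-x7f3k9.csv", "/no/such"):
            print(f"{str(cookie):>20} {path:<30} -> {handle(path, cookie)}")
```

The reviewable artefact here is the route table itself: a resource missing from it is denied rather than exposed, and `public_routes()` gives the short list that a code review or configuration-management check should confirm is intentional.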

Page 19

Session Management: who does what?

• Disclosure of session tokens in logs
• Vulnerable session termination
• Weak session token generation
• Weak session token handling
• Disclosure of tokens
• Meaningful tokens
• Encrypted tokens
• ECB & CBC ciphers
• Vulnerable token mapping
• Client exposure to token hijacking
• Liberal cookie scope
• Predictable session tokens

Page 20

Meaningful session tokens

HTTP is stateless. Each request-response message pair is an independent transaction.

Dynamic web-application functionality requires a SESSION to link user requests.

Typically this is implemented by issuing each user a unique session token which is resubmitted by the user to link sequences of requests.

Set-Cookie: ASP.NET_SessionId=75 73 65 72 3d 64 65 63 6c 61 6e 3b 61 70 70 3d 61 64 6d 69 6e 3b 64 61 74 65 3d 30 35 2f 30 37 2f 32 30 31 35

The hex bytes are plain ASCII, and decode to:

user=declan;app=admin;date=05/07/2015
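The token above is meaningful: it is hex-encoded text that names the user and the application role, so a tester can recognise it and a user could edit it. The following is an added example, not code from the presentation. It decodes a hex token and reports whether it carries key=value structure, then shows the defence: an opaque token from the OS random source, with the user and role kept only in a server-side store, sent with cookie attributes that address the "liberal cookie scope" and "client exposure to token hijacking" items on the previous slide. The cookie name and hex value are the slide's; the functions, class and regex are constructed for this example.

```python
"""Added example (not from the presentation): detect a session token that
carries meaning (hex-encoded key=value pairs, as on the slide) and issue an
opaque replacement whose state lives only on the server. The cookie name
ASP.NET_SessionId and the hex value are taken from the slide; everything
else is constructed for this example."""
import re
import secrets
import string
from typing import Dict, Optional

# Value shown on the slide, spaces included.
SLIDE_TOKEN = (
    "75 73 65 72 3d 64 65 63 6c 61 6e 3b 61 70 70 3d 61 64 6d 69 6e 3b "
    "64 61 74 65 3d 30 35 2f 30 37 2f 32 30 31 35"
)

# key=value pairs separated by semicolons, e.g. user=declan;app=admin
_KV_LIST = re.compile(r"^[\w.-]+=[^;]*(?:;[\w.-]+=[^;]*)*$")


def decode_hex_token(value: str) -> Optional[str]:
    """Return the printable ASCII text a hex token encodes, else None."""
    try:
        raw = bytes.fromhex(re.sub(r"\s+", "", value))
        text = raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if all(c in string.printable for c in text) else None


def looks_meaningful(value: str) -> bool:
    """True when the token decodes to key=value pairs a user could edit."""
    text = decode_hex_token(value)
    return text is not None and _KV_LIST.match(text) is not None


class SessionStore:
    """Server-side mapping from an opaque random token to session state."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Dict[str, str]] = {}

    def issue(self, user: str, app: str) -> str:
        # 256 bits from the OS CSPRNG; the token itself says nothing about
        # who the user is or what they may do.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "app": app}
        return token

    def lookup(self, token: str) -> Optional[Dict[str, str]]:
        return self._sessions.get(token)


def set_cookie_header(token: str) -> str:
    """Set-Cookie line that limits scope and client-side exposure."""
    attrs = [
        "ASP.NET_SessionId=" + token,
        "Path=/",          # no broader than the application needs
        "HttpOnly",        # not readable from script
        "Secure",          # only sent over TLS
        "SameSite=Lax",    # not attached to most cross-site requests
    ]
    return "Set-Cookie: " + "; ".join(attrs)


if __name__ == "__main__":
    print("slide token decodes to:", decode_hex_token(SLIDE_TOKEN))
    print("meaningful:", looks_meaningful(SLIDE_TOKEN))
    store = SessionStore()
    tok = store.issue("declan", "admin")
    print("replacement meaningful:", looks_meaningful(tok))
    print(set_cookie_header(tok))
    print("server-side state:", store.lookup(tok))
```

The check is deliberately simple: hex that decodes to printable key=value text is a finding on its own, before any question of whether the values can be altered. Base64 and other encodings deserve the same treatment in a real test.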

Page 21

Predictable session tokens

• Concealed sequences
• Weak random number generation
• Time dependencies

56543-1424798254115
56544-1424798303925
?
56546-1424798337916

The first component is an incrementing sequence. The second component is the time in milliseconds. The missing value was issued to another user and can be predicted / brute-forced within the range of possibilities.
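A tester does not need to predict the missing token to fail this generator; it is enough to show that the token's components are an incrementing counter and a millisecond timestamp. The following is an added example, not code from the presentation: a structure check that splits a sample of tokens into positional components and flags any component that increments in small steps or falls in the millisecond-epoch range and grows with issue order, counting the skipped counter values. The observed tokens are the slide's own; the function, thresholds and separators are constructed for this example.

```python
"""Added example (not from the presentation): a tester's structure check
for session tokens in the sequence-timestamp form the slide shows. It
flags components that increment in small steps or sit in the millisecond-
epoch range and increase with issue order. The observed values are the
slide's own; the analysis function and thresholds are constructed here."""
import re
import secrets
from typing import Dict, List

# Tokens as issued in order on the slide; the slide's missing third token
# is the gap the check reports.
OBSERVED = ["56543-1424798254115", "56544-1424798303925", "56546-1424798337916"]

MS_EPOCH_LOW = 946_684_800_000     # 2000-01-01 in milliseconds since the epoch
MS_EPOCH_HIGH = 4_102_444_800_000  # 2100-01-01 in milliseconds since the epoch
MAX_STEP = 1000  # steps this small between consecutive tokens count as sequential


def split_components(token: str) -> List[str]:
    # Separators assumed for this example; adjust for the format under test.
    return re.split(r"[-_.:]", token)


def analyse(tokens: List[str]) -> Dict[str, object]:
    """Report which positional components look sequential or time-derived."""
    parts = [split_components(t) for t in tokens]
    result: Dict[str, object] = {
        "structured": False, "sequential": [], "timestamp": [],
        "skipped": 0, "predictable": False,
    }
    if len(parts) < 2 or len({len(p) for p in parts}) != 1:
        return result  # not enough samples, or no consistent structure
    result["structured"] = True
    sequential: List[int] = []
    timestamp: List[int] = []
    skipped = 0
    for col in range(len(parts[0])):
        cells = [p[col] for p in parts]
        if not all(c.isdigit() for c in cells):
            continue  # non-numeric component; not examined by this check
        values = [int(c) for c in cells]
        diffs = [b - a for a, b in zip(values, values[1:])]
        if all(0 < d <= MAX_STEP for d in diffs):
            sequential.append(col)
            skipped += sum(d - 1 for d in diffs)  # values issued to others
        if all(MS_EPOCH_LOW <= v <= MS_EPOCH_HIGH for v in values) and all(d > 0 for d in diffs):
            timestamp.append(col)
    result.update(sequential=sequential, timestamp=timestamp, skipped=skipped,
                  predictable=bool(sequential or timestamp))
    return result


if __name__ == "__main__":
    print("slide tokens:", analyse(OBSERVED))
    # Tokens from a CSPRNG have no column that increments or tracks time.
    print("random tokens:", analyse([secrets.token_hex(16) for _ in range(8)]))
```

Three tokens are enough to show the pattern on the slide; in practice a tester collects a larger sample over a longer window and records both the generator's components and the timestamp resolution, since both set the size of the search space the finding describes.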

Page 22

Make efficient use of experts & tools

Page 23

What Testers can do


• Security skills are within the project team capability
• Recognize which security tests you can do now
• Effectively manage the experts who are helping you