Test and Verification Solutions
Application Security: What Can You Do?
Delivering Tailored Solutions for Hardware Verification and Software Testing
BCS – Bristol, 9th March 2015
Declan O’Riordan
Copyright TVS Limited | Private & Confidential | Page 2
What is driving security?
Firewalls / IDS / IPS based upon pattern-matching ‘known bad’ REGEX
Threat growth
Source: Verizon
2014 - Commercial cyber security spending $46 billion
2013 - 20% more breaches
2012 - 30% higher cost per breach
Why is Application Security important?
Make that 153m accounts/
What is Application Security?
It is NOT Building, or Network Security!
84% of attacks target the applications (Source: HP)
90% of sites are vulnerable to application attacks (Watchfire)
1.7% of security budget is spent on Applications. (OWASP 2014)
Reactive Perimeter Defences
w.w.w. data is exploding: 2010 = 1.2 zettabytes; 2015 = 7.9 zettabytes; 2020 = 40 zettabytes?
1.2 million variants of malware per day
20%-30% of malware is caught by anti-virus
The Security Testing Lifecycle
Before Development: Review SDLC Process, Review Policy, Review Standards
Definition & Design: Review Requirements, Review Design, Create / Review Models
Development: Review Code, Code Walkthrough, Unit & System Test, Penetration Test
Deployment: Config. Mgt. Review, Unit & System Test, Acceptance Test
Maintenance: Change Verification, Health Checks, Operational Reviews, Regression Tests
‘The’ OWASP Top 10 Web-App Risks
Free Application Security Testing Procedures & Development Guidelines
Threat Assessment
Compliance with the Standard
Verify 168 security checkpoints
The login screen
Authentication: What can you do now?
• Bad passwords
• Insecure storage of credentials
• Verbose failure messages
• Password change functionality
• Forgotten password functionality
• User impersonation functionality
• Non-unique usernames
• Predictable usernames
• Incomplete validation of credentials
Incomplete validation of credentials
Full validation of all password characters
1. Length
2. Case
3. Unusual characters
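A tester's check for the three points above, as an added example that is not code from the slides: a password verifier that normalises the credential before hashing (lowercase, drop non-alphanumerics, keep eight characters) is placed beside one that hashes the full password as entered, and validation_gaps() submits variants of the correct password to report which of length, case and unusual characters a verifier fails to validate. Passwords, iteration count and helper names are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Callable, List

# Constructed example (not code from the slides). ITERATIONS is kept low so the
# demo runs quickly; a real deployment uses far more.
ITERATIONS = 50_000


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def _normalise_weakly(password: str) -> str:
    """The incomplete validation the slide warns about: case, punctuation and length are all discarded."""
    return "".join(ch for ch in password if ch.isalnum()).lower()[:8]


def make_weak_verifier(stored_password: str) -> Callable[[str], bool]:
    salt = os.urandom(16)
    digest = _pbkdf2(_normalise_weakly(stored_password), salt)
    return lambda attempt: hmac.compare_digest(digest, _pbkdf2(_normalise_weakly(attempt), salt))


def make_full_verifier(stored_password: str) -> Callable[[str], bool]:
    salt = os.urandom(16)
    digest = _pbkdf2(stored_password, salt)  # every character, every case, exactly as typed
    return lambda attempt: hmac.compare_digest(digest, _pbkdf2(attempt, salt))


def validation_gaps(verify: Callable[[str], bool], password: str) -> List[str]:
    """Return the names of the checks (length, case, unusual characters) the verifier skips."""
    variants = {
        "length": password + "XYZ",                                          # extra characters ignored?
        "case": password.swapcase(),                                         # case-insensitive comparison?
        "unusual characters": "".join(ch for ch in password if ch.isalnum()),  # punctuation dropped?
    }
    return sorted(name for name, variant in variants.items()
                  if variant != password and verify(variant))
```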
Authentication: What may need help?
• Vulnerable credentials transmission
• “Remember me” functionality
• Predictable initial passwords
• Insecure distribution of credentials
• Fail-open login mechanisms
• Multi-stage login defects
• Brute-forcible login (failedlogins=1)
Access controls: What can you do now?
• Completely unprotected functionality
• Direct access to methods
• Identifier-based functions
• Multi-stage functions
• Static files
• Platform mis-configuration
• Insecure access control methods
• Parameter / referer / location-based access control
Completely unprotected functionality
No one will know that sensitive function / resource URL. It’s secret!
But URLs appear in logs, browser histories, and are displayed on-screen. They can be emailed, bookmarked, and written down.
Attackers find them in client-side JavaScript, by brute-forcing names / identifiers (and reading the response codes 302, 400, 401, 403, 500), by inference from published content, through search engines and web archives, and by leveraging the web server.
Session Management: who does what?
• Disclosure of session tokens in logs
• Vulnerable session termination
• Weak session token generation
• Weak session token handling
• Disclosure of tokens
• Meaningful tokens
• Encrypted tokens
• ECB & CBC ciphers
• Vulnerable token mapping
• Client exposure to token hijacking
• Liberal cookie scope
• Predictable session tokens
Meaningful session tokens
HTTP is stateless. Each request-response message pair is an independent transaction.
Dynamic web-application functionality requires a SESSION to link user requests.
Typically this is implemented by issuing each user a unique session token which is resubmitted by the user to link sequences of requests.
Set-Cookie: ASP.NET_SessionId=75 73 65 72 3d 64 65 63 6c 61 6e 3b 61 70 70 3d 61 64 6d 69 6e 3b 64 61 74 65 3d 30 35 2f 30 37 2f 32 30 31 35
Decoded: user=declan;app=admin;date=05/07/2015
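The check behind that slide, as an added example that is not code from the slides: a small helper a tester can run over captured Set-Cookie headers to flag a token that is merely hex-encoded text with key=value structure rather than random. The header below is the one shown above; the second header in the usage test is a constructed opaque token for contrast.

```python
import binascii
import re
import string
from typing import Dict, Optional, Tuple

# Constructed example (not code from the slides).
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def parse_set_cookie(header: str) -> Tuple[str, str]:
    """Return (name, value) from a Set-Cookie header; attributes after ';' are ignored."""
    body = header.split(":", 1)[1].strip()
    name, _, value = body.split(";", 1)[0].partition("=")
    return name.strip(), value.strip()


def decode_if_hex(value: str) -> Optional[str]:
    """Hex (spaces allowed, as on the slide) that decodes to printable ASCII, else None."""
    compact = re.sub(r"\s+", "", value)
    if len(compact) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", compact):
        return None
    try:
        text = binascii.unhexlify(compact).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if all(ch in PRINTABLE for ch in text) else None


def is_meaningful(decoded: str) -> bool:
    """key=value fields separated by ';' are a strong sign of a structured, not random, token."""
    fields = [f for f in decoded.split(";") if f]
    return bool(fields) and all(re.fullmatch(r"[A-Za-z_]+=[^;]*", f) for f in fields)


def inspect_token(header: str) -> Dict:
    name, value = parse_set_cookie(header)
    decoded = decode_if_hex(value)
    return {"name": name, "decoded": decoded,
            "meaningful": decoded is not None and is_meaningful(decoded)}


# The Set-Cookie header from the slide.
HEADER = ("Set-Cookie: ASP.NET_SessionId=75 73 65 72 3d 64 65 63 6c 61 6e 3b 61 70 70 3d "
          "61 64 6d 69 6e 3b 64 61 74 65 3d 30 35 2f 30 37 2f 32 30 31 35")
```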
Predictable session tokens
Concealed sequences
Weak random number generation
Time dependencies
56543-1424798254115
56544-1424798303925
?
56546-1424798337916
The first component is an incrementing sequence. The second component is the time in milliseconds. The missing value was issued to another user and can be predicted / brute forced within the range of possibilities.
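The analysis on that slide as a repeatable check, added here and not code from the slides: analyse_tokens() takes a sample of issued tokens, reports whether the first field increments and the second looks like epoch milliseconds, and lists each gap in the counter with the time window that bounds its second field, which is the size of the search space the slide refers to. weak_token() reproduces the slide's scheme and strong_token() shows the CSPRNG alternative; the epoch bounds and function names are assumptions of this example.

```python
import secrets
import time
from typing import Dict, List, Optional, Tuple

# Constructed example (not code from the slides). SAMPLE is the token set shown on the slide.
SAMPLE = ["56543-1424798254115", "56544-1424798303925", "56546-1424798337916"]
EPOCH_MS_LOW, EPOCH_MS_HIGH = 1_000_000_000_000, 2_000_000_000_000  # roughly 2001..2033


def split_token(token: str) -> Tuple[int, int]:
    counter, stamp = token.split("-", 1)
    return int(counter), int(stamp)


def analyse_tokens(tokens: List[str]) -> Dict:
    try:
        parts = [split_token(t) for t in tokens]
    except ValueError:  # not "<int>-<int>": the counter-plus-clock scheme does not apply
        return {"sequential": False, "clock_like": False, "gaps": [], "predictable": False}
    counters = [c for c, _ in parts]
    stamps = [s for _, s in parts]
    sequential = len(parts) > 1 and all(b > a for a, b in zip(counters, counters[1:]))
    clock_like = (all(b > a for a, b in zip(stamps, stamps[1:]))
                  and all(EPOCH_MS_LOW < s < EPOCH_MS_HIGH for s in stamps))
    # Each missing counter value sits between two observed tokens; its timestamp
    # must lie in the window between their timestamps, so that window is the search space.
    gaps = [{"counter": c, "window_ms": t1 - t0}
            for (c0, t0), (c1, t1) in zip(parts, parts[1:])
            for c in range(c0 + 1, c1)]
    return {"sequential": sequential, "clock_like": clock_like, "gaps": gaps,
            "predictable": sequential and clock_like}


def weak_token(counter: int, now_ms: Optional[int] = None) -> str:
    """The slide's scheme: an incrementing counter plus the clock. Both parts are guessable."""
    return f"{counter}-{int(time.time() * 1000) if now_ms is None else now_ms}"


def strong_token() -> str:
    """256 bits from the OS CSPRNG: no sequence, no clock, no structure to analyse."""
    return secrets.token_urlsafe(32)
```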
Make efficient use of experts & tools
What Testers can do
• Security skills are within the project team capability
• Recognize which security tests you can do now
• Effectively manage the experts who are helping you