Copyright © 2008, McAfee, Inc.

Presented ByMike Andrews

Introduction

WebSec 101

mike.andrews@foundstone.commike@mikeandrews.com

Intro Music by DoKashiteru via CCMixter

Introductions…

► About me…

The way the world is

► The wheel of IT► More software being pushed to the web

● Netcraft Webserver Survey

► Systems are getting more complex

ThenNow

Bad news…

► It seems to be getting much easier to find vulns in web-based software● 63% of all vulns disclosed 2008 were in web apps [Symantec Internet Security Threat Report Trends for 2008]

► Where are the vulns?

► Why?The total number of publicly reported web application vulnerabilities has risen sharply, to the point where they have overtaken buffer overflows. This is probably due to ease of detection and exploitation of web vulnerabilities, combined with the proliferation of low-grade software applications written by inexperienced developers. In 2005 and 2006, cross-site scripting (XSS) was number 1, and SQL injection was number 2.

…Good news

► Window of exposure

► The “instant service pack”

Traditional App

Web App

…The somewhat better news

► Vendors are securing systems “out the box”

► Developers are starting to hear about the problems

► Lots more info in the main IT press● SQL injection and XSS

● Cross-site request forgery is hardly being talked about! (save this for another webcast)

No silver bullet?

► Jack and the beanstalk…

► Are there silver bullets?● Education● SDLC

− TM, CR, PT, Policy, Sec response, …

● Frameworks

Upcoming

► The purpose of this webcast is to…► Generate more awareness of the main issues

in having secure web apps● Webapps are the most common dev platform● “That’s where the money is” – Willie Sutton

● We’re still making stupid/simple mistakes

► Looking at auditing webapps for basic security mistakes. Black-box, mostly for two reasons

− Is how most people are testing (security or otherwise for good or bad)

− Try to be language/system agnostic, although will mostly focus on LAMP and WISA

● Knowledge transfer● Generate discussion on trends/news● Short! -- ~20 minutes.

Bugs vs. Flaws vs. “Top N’s”

► In (web)appsec we’ve focused a lot on “bugs”

► Flaws are just (more?) important, and harder to find

► Top-N lists are “bug parades”● Useful for awareness/education● Can change quickly (and miss things)● Only scratch the surface

► Taxonomies or frameworks?● Best practices

General Structure

► Follow a “security frame”● Configuration● Authentication● Authorization● User management● Session management● Data (more than one webcasts on this topic)

● Privacy● [ your choice… ]

► Some “other” topics● Techniques - Automated vs. Manual testing● Technologies, and what they are good for (e.g. WAF’s)● Consulting, outsourcing, etc, (insider knowledge on how to

use/manage)

● May move into things like SDL (given enough interest)

● Keep this going into code?

Topics

► Each topic should…● Introduce the basics of the area/attack/technology

− Will not be “all you need to know”, but more of a starting point

− Attacks always get better, they never get worse− It’s an infinite space, and your own brain in your best tool

● Discuss why it’s a good/bad thing● Examples● Mitigation techniques (if appropriate)● Point to some of what I think are the seminal

articles/posts/papers that you should follow up with

► I’m up for going back and either re-recording or writing follow-up posts with more detail if needed

Follow-on

► Some homework if anyone is interested :)

● http://www.securitybloggers.net/ ● http://www.securosis.com/blog/new-release-

building-a-web-application-security-program● http://ha.ckers.org● http://jeremiahgrossman.blogspot.com

• “How to Break Web Software” - Mike Andrews & James Whittaker• “XSS Exploits: Cross Site Scripting Attacks and Defense” - Seth Fogie et

al• “Hacking Exposed - Web Applications” – Joel Scambray et al• “Innocent Code” – Sverre Huseby• “19 Deadly Sins of Software Security” – Michael Howard et al• “Improving Web Application Security: Threats and Countermeasures” -

J.D. Meier et al

Next Up: Configuration

Credits/References

► Number of servers on the internet● http://news.netcraft.com/archives/

web_server_survey.html

► Window of exposure● http://www.schneier.com/crypto-gram-

0009.html

► SQL injection and XSS mentions● www.google.com/trends

► http://www.bsi-mm.com