Securing Your Web Application against security vulnerabilities
Ong Khai Wei, IT Specialist, Development Tools (Rational)
IBM Software Group
Agenda
• Security Landscape
• Vulnerability Analysis
• Automated Vulnerability Analysis
– IBM® Rational® AppScan Overview
The Myth: "Our Site Is Safe"
• We Have Firewalls and IPS in Place
– Port 80 & 443 are open for the right reasons
• We Audit It Once a Quarter with Pen Testers
– Applications are constantly changing
• We Use Network Vulnerability Scanners
– Neglect the security of the software on the network/web server
• We Use SSL Encryption
– Only protects data between site and user, not the web application itself
Reality: Security and Spending Are Unbalanced
• 75% of All Attacks on Information Security are Directed to the Web Application Layer
• 2/3 of All Web Applications are Vulnerable (Gartner)
Why Application Security is a High Priority
• Web applications are the #1 focus of hackers:
– 75% of attacks at Application layer (Gartner)
– XSS and SQL Injection are #1 and #2 reported vulnerabilities (Mitre)
• Most sites are vulnerable:
– 90% of sites are vulnerable to application attacks (Watchfire)
– 78% of easily exploitable vulnerabilities affected Web applications (Symantec)
– 80% of organizations will experience an application security incident by 2010 (Gartner)
• Web applications are high value targets for hackers:
– Customer data, credit cards, ID theft, fraud, site defacement, etc.
• Compliance requirements:
– Payment Card Industry (PCI) Standards, GLBA, HIPAA, FISMA
The Security Landscape of the past
• Traditional Infrastructure was easier to protect . . .
• Concrete entities that were easy to understand
• Attack surface and vectors were very well-defined
• Application footprint very static
• Perimeter defense was king
Changing Security Landscape of Today
• “Webification” has changed everything ...
• Infrastructure is more abstract and less defined
• Everything needs a web interface
• Agents and heavy clients are no longer acceptable
• Traditional defenses no longer apply
High Level Web Application Architecture Review
[Diagram] Client Tier (Browser) → Internet → Firewall, Perimeter IDS/IPS → Middle Tier: App Server (Presentation, Business Logic) → Data Tier: Database
• SSL protects the transport; the firewall protects the network
• The customer app is deployed on the middle tier; sensitive data is stored in the database
• IDS = Intrusion Detection System; IPS = Intrusion Prevention System
Network Defenses for Web Applications
[Diagram] Firewall, Application Firewall (App Firewall), IDS/IPS, Security Incident Event Management (SIEM)
Why Do Hackers Today Target Applications?
• Because they know you have firewalls
– So it's not very convenient to attack the network anymore
– But they still want to attack 'cos they still want to steal data …
• Because firewalls do not protect against app attacks!
– So the hackers are having a field day!
– Very few people are actively aware of application security issues
• Because web sites have a large footprint
– No need to worry anymore about cumbersome IP addresses
• Because they can!
– It is difficult or impossible to write a comprehensively robust application
• Developers are yet to have secure coding as second nature
• Developers think differently from hackers
• Cheap, Fast, Good – choose two, you can't have it all
• It is also a nightmare to manually QA the application
• "White-box" static code analyzers don't test for inter-app relationships
• Many companies today still do not have a software security QA policy or resource
The OWASP Top 10 list
Application Threat | Negative Impact | Example Impact
Cross-Site Scripting | Identity theft, sensitive information leakage, … | Hackers can impersonate legitimate users and control their accounts.
Injection Flaws | Attacker can manipulate queries to the DB / LDAP / other system | Hackers can access backend database information, alter it or steal it.
Malicious File Execution | Execute shell commands on server, up to full control | Site modified to transfer all interactions to the hacker.
Insecure Direct Object Reference | Attacker can access sensitive files and resources | Web application returns contents of a sensitive file (instead of a harmless one).
Cross-Site Request Forgery | Attacker can invoke "blind" actions on web applications, impersonating a trusted user | Blind requests to a bank account transfer money to the hacker.
Information Leakage and Improper Error Handling | Attackers can gain detailed system information | Malicious system reconnaissance may assist in developing further attacks.
Broken Authentication & Session Management | Session tokens not guarded or invalidated properly | Hacker can "force" a session token on a victim; session tokens can be stolen after logout.
Insecure Cryptographic Storage | Weak encryption techniques may lead to broken encryption | Confidential information (SSN, credit cards) can be decrypted by malicious users.
Insecure Communications | Sensitive info sent unencrypted over an insecure channel | Unencrypted credentials "sniffed" and used by the hacker to impersonate a user.
Failure to Restrict URL Access | Hacker can access unauthorized resources | Hacker can forcefully browse and access a page past the login page.
SECURITY TESTING IS PART OF SDLC QUALITY TESTING
[Diagram: Collaborative Application Lifecycle Management] Team Server: Manage Test Lab, Create Plan, Build Tests, Report Results. SDLC Quality Assurance: Functional Testing, Performance Testing, Web Service Quality, Code Quality, Security and Compliance; Test Management and Execution; Quality Dashboard; Open Lifecycle Service Integrations (Defect Management, Requirements Management, Best Practice Processes, homegrown). Open Platform: Java, System z, i, SAP, .NET
AppScan in the Rational Portfolio
[Diagram: Software Quality Solutions spanning Development, Operations and Business] Test and Change Management: Rational RequisitePro (Requirements), Rational ClearQuest (Test, Change, Defects). Test Automation: Developer Test (Rational PurifyPlus, Rational Test RealTime); Functional Test, automated (Rational Functional Tester Plus, Rational Functional Tester, Rational Robot) and manual (Rational Manual Tester); Performance Test (Rational Performance Tester); Security and Compliance Test (AppScan, PolicyTester). Quality Metrics: Project Dashboards, Detailed Test Results, Quality Reports
Rational AppScan
• What is it?
– AppScan is an automated tool used to perform vulnerability assessments on
Web Applications
• Why do I need it?
– To simplify finding and fixing web application security problems
• What does it do?
– Scans web applications, finds security issues and reports on them in an
actionable fashion
• Who uses it?
– Security Auditors – main users today
– QA engineers – when the auditors become the bottleneck
– Developers – to find issues as early as possible (most efficient)
How does AppScan work?
• Approaches an application as a black-box
• Traverses a web application and builds the site model
• Determines the attack vectors based on the selected Test policy
• Tests by sending modified HTTP requests to the application and examining the HTTP response according to validation rules
[Diagram] HTTP Request → Web Application (Web Servers, Application, Databases) → HTTP Response
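As an added illustration of the "validation rules" step (example code written for this page, not AppScan's own rules or output), the Python below applies three response checks that correspond to rows of the OWASP table above to two constructed HTTP responses: one from an unhardened application and one from a hardened one. The marker string, response bodies and cookie values are all constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed marker a black-box scanner would place in a request parameter.
# The angle brackets let the rule tell an HTML-encoded echo from a raw one.
MARKER = "<zzscan42>"

@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)

def rule_reflected_marker(resp):
    """XSS indicator: the marker comes back verbatim, so the app did not encode it."""
    return MARKER in resp.body

# Signatures of verbose back-end errors (Information Leakage / Improper Error Handling).
LEAK_PATTERNS = [
    re.compile(r"You have an error in your SQL syntax"),   # MySQL
    re.compile(r"\bORA-\d{5}\b"),                          # Oracle
    re.compile(r"Exception in thread|\.java:\d+\)"),       # Java stack trace
    re.compile(r"Traceback \(most recent call last\)"),    # Python traceback
]

def rule_error_leak(resp):
    """Return the leak signatures found in the body (empty list means none)."""
    return [p.pattern for p in LEAK_PATTERNS if p.search(resp.body)]

def rule_session_cookie(resp):
    """Session Management indicator: Set-Cookie lacking Secure and/or HttpOnly."""
    cookie = resp.headers.get("Set-Cookie", "")
    if not cookie:
        return []
    attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
    return [flag for flag in ("secure", "httponly") if flag not in attrs]

def evaluate(resp):
    """Apply every validation rule to one response and return the finding names."""
    findings = []
    if rule_reflected_marker(resp):
        findings.append("Cross-Site Scripting (unencoded reflection)")
    if rule_error_leak(resp):
        findings.append("Information Leakage (verbose error)")
    if rule_session_cookie(resp):
        findings.append("Broken Session Management (cookie flags)")
    return findings

# Constructed responses to the same modified request, GET /search?q=<zzscan42>
VULNERABLE = Response(500, "<p>You have an error in your SQL syntax near '<zzscan42>'</p>",
                      {"Set-Cookie": "JSESSIONID=abc123; Path=/"})
HARDENED = Response(200, "<p>No results for &lt;zzscan42&gt;</p>",
                    {"Set-Cookie": "JSESSIONID=abc123; Path=/; Secure; HttpOnly"})

if __name__ == "__main__":
    for name, resp in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, evaluate(resp) or ["clean"])
```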