WebAppSEC 101 - OWASP

By: John Patrick Lita – OWASP Manila President

ABOUT ME

OWASP FOUNDATION

• Manila Chapter President

eLearnSecurity

• Founding Instructor @ Cluster 9 Project

Philippine Institute of Cyber Security Professionals

• Member / Instructor

• Information Security Instructor at Philippine Army

GeekTalks Philippines

• Founder & Managing Director

Business Profile, Inc.

• Information Security Consultant

Who is OWASP?

The Open Web Application Security Project (OWASP) is an online community dedicated to web application security. The OWASP community includes corporations, educational organizations and individuals from around the world. This community works to create freely available articles, methodologies, documentation, tools, and technologies.

www.owasp.org

OWASP Projects & Tools

• Detect

– OWASP Top 10

– OWASP Code Review Guide

– OWASP Testing Guide

– OWASP Cheat Sheet Series

– OWASP AppSec Tutorials

– OWASP ASVS

– OWASP Live CD

– OWASP ZAP (Zed Attack Proxy)

• Protect

– OWASP ESAPI

– OWASP ModSecurity Core Rule Set

• Life Cycle

– OWASP WebGoat

– OWASP Security Shepherd

What is WebAppSec?

Web application security is a branch of information security that deals specifically with the security of websites, web applications and web services. At a high level, web application security draws on the principles of application security but applies them specifically to Internet and web systems.

WHAT IS WEB APP SECURITY TESTING?

• A security test is a method of evaluating the security of a computer system or network by methodically validating and verifying the effectiveness of its security controls.

• A web application security test focuses only on evaluating the security of a web application.

TYPICAL WEB SETUP

(Diagram. Components shown: Browser, Firewall, WebServer, Databases, Access Control, Authentication. Attack classes annotated on the diagram: Click-Jacking, XSS, CSRF, Tampering, Sniffing, Directory Traversal, XML Injection, SQL Injection, Direct Object Reference, Forged Token.)

WEB APP IN DAILY LIFE

EMAIL Social Networking Online Shopping

Research Online Banking Multimedia

TERMINOLOGIES

THREAT

• A threat is anything (malicious external attackers, an internal user, a system instability, etc.) that may harm the assets owned by an application (resources of value, such as the data in a database or in the file system) by exploiting a vulnerability

VULNERABILITY

• The existence of a weakness, design flaw, or implementation error that can lead to an unexpected, undesirable event compromising the security of the system/application

EXPLOIT

• An exploit is code that allows an attacker to take advantage of a vulnerable system

THE NUMBERS

• Every second, 12 adults become victims of cyber crime – that’s more than one million cyber crime victims each day globally – Symantec 2014

CYBER CRIMES

• Costing the global economy approximately $113 Billion per year – Symantec 2014

LOSSES

IT’S (NOT) THE $$$

INFORMATION SECURITY SPEND

SECURITY INCIDENT (BUSINESS IMPACT)

YOU’RE WRONG

BUT WE ARE APPROACHING THIS PROBLEM COMPLETELY WRONG, AND HAVE BEEN FOR YEARS

TRADITIONAL END CYCLE/ANNUAL PENTEST

AN INCONVENIENT TRUTH

TWO WEEKS OF ETHICAL HACKING

TEN MAN-YEARS OF DEVELOPMENT

WHO HAS THE EDGE?

TIME

ATTACKER SCHEDULE

ANNUAL PENTESTING

AUTOMATED VS MANUAL

HTTP Manipulation – Scanning – Is Not Enough

• The problem has moved (back) to the client. Some client-side vulnerabilities cannot be tested via HTTP parameter testing:

– AJAX

– Flex/Flash/AIR

– Native mobile web apps – data storage, leakage, malware

– DOM XSS – sinks and sources live in client-side script, so no HTTP request is required

• Scanning is not enough anymore. We need DOM security assessment: JavaScript parsing, taint analysis, string analysis, manual validation.

• Example source/sink pairs:

– window.location = http://example.com/a/page.ext?par=val#javascript:alert(1)

– jQuery.globalEval(userContent)

• Reference: http://code.google.com/p/domxsswiki/
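The client-side source-to-sink flow described above, as an added example in JavaScript that is not part of the original slides. It assumes a Node or browser runtime with the WHATWG URL class; the URL, the sample script and the helper names (escapeHtml, requestTarget, vulnerableRender, safeRender, findSourceSinkLines) are constructed for this illustration. It shows three things: a payload carried in the URL fragment never reaches the server, so HTTP-level scanning and server logs cannot see it; the vulnerable innerHTML pattern beside its encoded form; and a first-pass source/sink grep of the kind a DOM security assessment starts with, which is a candidate finder for manual validation, not taint analysis.

```javascript
// Added example (not from the original slides): why DOM-based XSS is
// invisible to HTTP-parameter scanning, plus a first-pass source/sink grep.
// URLs, function names and the sample script are constructed for this page.

// Minimal HTML-context encoder. Assumed helper, not a library API.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The request target a browser sends for a URL. The fragment (#...) is never
// transmitted, so the server, its logs, a WAF and an HTTP scanner never see a
// payload carried there.
function requestTarget(url) {
  const u = new URL(url);
  return u.pathname + u.search;
}

// Vulnerable client-side pattern: location.hash (a DOM XSS source) flows into
// markup that the page would assign to innerHTML (a sink). The URL parser
// percent-encodes < and > in the fragment; the decodeURIComponent call that
// real code typically performs undoes that.
function vulnerableRender(url) {
  const name = decodeURIComponent(new URL(url).hash.slice(1));
  return `<h1>Welcome ${name}</h1>`; // imagine: el.innerHTML = this string
}

// Hardened form: the fragment is treated as untrusted data and encoded for
// the HTML context (or, in real code, written with textContent instead).
function safeRender(url) {
  const name = decodeURIComponent(new URL(url).hash.slice(1));
  return `<h1>Welcome ${escapeHtml(name)}</h1>`;
}

// First-pass static check: flag lines of a script where a known DOM source
// and a known sink both appear. This is a grep, not taint analysis; it finds
// candidates that a human then validates.
const DOM_SOURCES = [/location\.hash/, /location\.search/, /document\.URL/, /document\.referrer/, /window\.name/];
const DOM_SINKS = [/\.innerHTML\s*=/, /\beval\s*\(/, /document\.write\s*\(/, /globalEval\s*\(/, /\blocation\s*=/];

function findSourceSinkLines(script) {
  const hits = [];
  script.split('\n').forEach((line, i) => {
    const hasSource = DOM_SOURCES.some((re) => re.test(line));
    const hasSink = DOM_SINKS.some((re) => re.test(line));
    if (hasSource && hasSink) hits.push(i + 1); // 1-based line number
  });
  return hits;
}

// Constructed sample: the payload rides in the fragment, after the '#'.
const PAYLOAD_URL = 'http://example.com/a/page.ext?par=val#<img src=x onerror=alert(1)>';

// Constructed sample script with one risky line (line 2).
const SAMPLE_SCRIPT = [
  "var q = location.search;",
  "document.getElementById('out').innerHTML = decodeURIComponent(location.hash.slice(1));",
  "console.log('ready');",
].join('\n');

console.log(requestTarget(PAYLOAD_URL));         // /a/page.ext?par=val  (payload absent)
console.log(vulnerableRender(PAYLOAD_URL));      // payload lands in the markup intact
console.log(safeRender(PAYLOAD_URL));            // payload encoded as &lt;img ...&gt;
console.log(findSourceSinkLines(SAMPLE_SCRIPT)); // [2]
```

The grep deliberately over-reports (any line with both a source and a sink), which is the right trade-off for a triage pass: the expensive part is the manual validation that follows, and a missed candidate costs more than a false one.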

AUTOMATED TESTING IS DUMB

• We can’t test what we don’t understand – business logic

• Automated scanners have:

– No idea of business state or state transitions

– No clue about horizontal or vertical authorization / roles

– No clue about business context

• We test applications for security issues without knowing the business process

• We can’t “break” logic in any meaningful way when we don’t understand it

SCANNING, SCANNING, SCANNING

• Running a $30,000.00 scanning tool against your mission-critical application?

• Will this find flaws in your business logic or state machine?

We need human intelligence & verification!

ROBOTS vs. HUMAN

SDL Design review

Threat Modeling

Code review/SAST/CI

Negative use/abuse cases/fuzzing/DAST

Live/ Continuous/Frequent Monitoring / Testing

Ongoing Manual Validation

Vulnerability Management & Priority

Dependency Management

“Robots are good at detecting known unknowns”

“Humans are good at detecting unknown unknowns”

OUTSOURCING IS?

INFORMATION FLOODING

SO WHERE DO WE GO NOW?

• Doing things right != doing the right things

• Not all bugs/vulnerabilities are equal

(is HttpOnly important if there is no XSS?)

• Contextualize risk

(is XSS/SQLi always high risk?)

DEVELOPERS = RESPONSE TEAM?

• Do developers need to fix everything?

• Limited Time

• Limited Resource

• Task Priority

• Pass Internal Audit?

WORK FORCE

• Annual pentesting amount – An annual study performed by the Ponemon Institute, using real companies that experienced a security breach, puts the cost of a breach at $194.00 per record. If a business has just 5,000 sensitive records, the Ponemon Institute report puts the cost of a breach involving those records at $970,000.00. These costs cover detection, remediation, notification, fines and resolution of the breach, but do not reflect lost business.

Source: http://www.highbitsecurity.com/penetrationtesting-cost.php

WORKFORCE – RESPONSE TEAM

• Response Team / Support Team

DO YOU CARE OR NOT?

Data Loss

Information leakage

Reputational damage

Loss of money

DEVELOPERS RESOURCE?

• Application Security Requirements – OWASP ASVS

• Application Security Architecture – OWASP Developer Guide, Prevention Cheat Sheets

• Standard Security Controls – OWASP ESAPI

• Secure Development Lifecycle – OWASP Software Assurance Maturity Model (SAMM)

• Application Security Education – OWASP Education Project

www.owasp.org

REMINDERS!

Client Side Protection

• Everything that runs in the browser is available to the public, including the attacker: it can be read, modified and replayed. Protect what you can on the client, but never treat a client-side check as a security control.

Server Side Protection

• Proper configuration of the firewall, and proper validation in server-side code of every value the client sends.

Malicious User

• Any malicious user will look for different ways to harm other users, or to get at their information, using your own application.
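The server-side validation and malicious-user reminders above, as an added example in JavaScript (Node) that is not part of the original slides. The catalog, sessions, orders and function names (clientSideCheck, serverCheckout, serverGetOrder) are constructed for this illustration. It shows a client-side quantity check that a tampered request still passes, a server handler that ignores the client-supplied price and re-derives it from its own catalog, and a per-user ownership check on an order lookup, which is the control against the Direct Object Reference box in the typical web setup diagram.

```javascript
// Added example (not from the original slides): the client is public, so every
// check it performs can be skipped or altered. The server must re-validate and
// re-derive whatever it relies on. All data and names here are constructed.

// Constructed server-side catalog: the only trusted source of prices and stock.
const CATALOG = { 'sku-100': { price: 49.99, stock: 20 } };

// Constructed session -> user mapping, standing in for real session storage.
const SESSIONS = { 'sess-alice': 'alice', 'sess-bob': 'bob' };

// Constructed orders table with each order's owner.
const ORDERS = { 'ord-1': { owner: 'alice', items: ['sku-100'] } };

// Client-side "validation" as it might appear in a form handler. It only
// improves usability: an attacker posts any JSON they like straight to the API.
function clientSideCheck(form) {
  return Number.isInteger(form.qty) && form.qty > 0 && form.qty <= 5;
}

// Server-side checkout. Trusts nothing in the body: identity comes from the
// session, price from the catalog, and quantity is re-checked against stock.
function serverCheckout(sessionId, body) {
  const user = SESSIONS[sessionId];
  if (!user) return { ok: false, error: 'not authenticated' };
  const item = CATALOG[body.sku];
  if (!item) return { ok: false, error: 'unknown sku' };
  const qty = body.qty;
  if (!Number.isInteger(qty) || qty < 1 || qty > item.stock) {
    return { ok: false, error: 'invalid quantity' };
  }
  // A client-supplied "price" field is ignored outright rather than compared.
  const total = Math.round(item.price * qty * 100) / 100;
  return { ok: true, user, sku: body.sku, qty, total };
}

// Horizontal access control: an order is readable only by its owner, however
// guessable the id is. Returning "not found" for someone else's order avoids
// confirming that the id exists.
function serverGetOrder(sessionId, orderId) {
  const user = SESSIONS[sessionId];
  if (!user) return { ok: false, error: 'not authenticated' };
  const order = ORDERS[orderId];
  if (!order || order.owner !== user) return { ok: false, error: 'not found' };
  return { ok: true, order };
}

// Constructed tampered request: passes the browser-side check, and carries a
// "price" field the legitimate client code never sends.
const TAMPERED = { sku: 'sku-100', qty: 2, price: 0.01 };

console.log(clientSideCheck(TAMPERED));             // true  (client check is no barrier)
console.log(serverCheckout('sess-bob', TAMPERED));   // total 99.98, price field ignored
console.log(serverGetOrder('sess-bob', 'ord-1'));    // not found (belongs to alice)
console.log(serverGetOrder('sess-alice', 'ord-1'));  // ok
```

The same pattern applies to every field the client controls: hidden form inputs, cookies, headers and JSON bodies are all "tampering" surfaces from the diagram, and the server-side handler is the only place a check actually holds.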