App sec - code insecurity basics

My presentation on the basics of app security. Gave on 11/12/2014 as part of a series of talks.

Text of App sec - code insecurity basics

1. App Sec Workshop
by Chris Hamm

2. Background
Name: Chris Hamm
Life before CNET:
- Served in the 151st/387th Infantry and MP unit of the Army National Guard; trained in intelligence gathering and physical security.
- Research and development for the University of Louisville ITRC, working on a communication package for Public Safety funded by DHS.
- Familiarized with DoD/NSA/FBI security measures, standards, and equipment.
Now:
- General interest in infosec
- Member of the 502Sec group

3. Agenda
- Basics in security
- Why should you be worried? Threat modeling
- Code in security: examples
- Tools?
- Questions

4. Basics in Info Security
All information security revolves around managing three things:
- Availability: can you get to your sh*t?
- Integrity: can you believe what you see?
- Confidentiality: anything we don't want others knowing about
If an attacker denies or disrupts any one of these, the attacker has basically succeeded. So there has to be a ranking of how much impact each event has, in order to prioritize it.

5. Basics in Info Security - It is all about risk management
Vulnerability * Probability * Impact = RISK
How do you gather the information needed to determine RISK? Answer: threat modeling. Understanding the threats helps you see how important security is and how you might mitigate (control) the risk of each threat.

6. Threat Modeling - Starting point
Threat statement:
$ACTOR does $ACTION to $ASSET resulting in $OUTCOME because of $MOTIVATION

7. Threat Modeling - $ACTOR
- Nation state
- Organized crime
- Insiders
- Hacktivist (LulzSec)
- Script kiddie
- Competing sites and bloggers
- ..... {Exercise: Insert Here}.....

8. Threat Modeling - $ACTION
- DDoS
- Injections: OS level, SQL, XSS
- ..... {Exercise: Insert Here}.....

9. Threat Modeling - $ASSET
- Content
- Subscription service
- User login
- NGINX
- Varnish
- Mongo
- ..... {Exercise: Insert Here}.....

10. Threat Modeling - $OUTCOME
- Release of code
- Spoofing as us
- Tampering with existing content
- Gaining a foothold to pivot
- ..... {Exercise: Insert Here}.....

11. Threat Modeling - $MOTIVATION
- Make money
- Gain notability
- ..... {Exercise: Insert Here}.....

12. Code in security - INSECURE framework
- Injectable
- Spoofable
- Errors and exceptions (un/mis-handled)
- Unsafe/unused functions/routines
- Reversible
- Elevated privileges

13. Code in security - Injectable
- Inadequate or improper input validation/sanitization
- Input (data) can be executed
- Dynamic query construction using user input
Examples: OS-level executable code (command injection); SQL/DB injection

14. Code in security - Spoofable
Allows identity impersonation:
- Credentials that are weak, hard-coded, or cached
- Predictable session identifiers
- Session hijacking and replay

15. Code in security - Errors and exceptions (un/mis-handled)
- Verbose error messages
- Unhandled exceptions (no catch at all)
- Throwing the stack trace back to the user
- Fail open (you allow authentication anyway)

16. Code in security - Unsafe/unused functions/routines
- Banned/insecure APIs
- Unknown APIs and interfaces
- Vestigial functions (Cmd-C/X, Cmd-P leftovers)
- Easter eggs

17. Code in security - Reversible
- Unobfuscated code
- Textual information left in the binary
- Symbolic information left in the binary

18. Code in security - Elevated privileges
- Carries out functions or accesses items that should only be allowed to an administrator
- Runs privileged operations without authorization checks

19. Code in security - Defenses
Injection defense:
- Input validation/sanitization
- Parameterization of queries
- Don't allow input to be executed
Spoofing defense:
- Avoid impersonation-context code
- Do not hard-code credentials
- Session management with non-guessable, non-predictable session IDs
Errors & exception mis/un-handling defense:
- Simple, to-the-point error messages without unsafe information
- Catch-all exception handler
- Redirect to one unified error-handling place
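The "dynamic query construction" bullet on slide 13 and the "parameterization of queries" defense on slide 19, shown side by side. This is an added example, not code from the talk: the users table, the login query and the attacker's password value are all constructed here, using Python's standard sqlite3 module so it runs offline.

```python
"""Added example: dynamic query construction vs. parameterized queries.

Not code from the talk; the users table, the login query and the
attacker's input are constructed here to illustrate slides 13 and 19.
"""
import sqlite3


def make_db():
    """Build an in-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def login_insecure(conn, name, password):
    """Slide 13: the query is built by string concatenation, so the
    attacker's *data* becomes part of the SQL that gets executed."""
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, name, password):
    """Slide 19 defense: the SQL text is fixed; the values travel separately
    as bound parameters and can never change the query's structure."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def demo():
    """Run a legitimate login and an injection attempt against both versions."""
    conn = make_db()
    # Constructed payload. Concatenated, the WHERE clause becomes
    #   name = 'alice' AND password = '' OR '1'='1'
    # which is true for every row, so the password check is bypassed.
    attacker_password = "' OR '1'='1"
    return {
        "legit_insecure": login_insecure(conn, "alice", "correct horse"),
        "attack_insecure": login_insecure(conn, "alice", attacker_password),
        "legit_param": login_parameterized(conn, "alice", "correct horse"),
        "attack_param": login_parameterized(conn, "alice", attacker_password),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(check, result)
```

Parameterization is the defense that removes the bug class rather than filtering around it; input validation still belongs in front of it, but it is not what stops the `' OR '1'='1` payload above. The same concatenation pattern handed to a shell (`subprocess` with `shell=True`, `os.system`) is the OS-level variant on slide 13.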
20. Code in security - Defenses (cont.)
Unsafe/unused functions defense:
- Replace banned APIs with safer ones
- Delete unused functions/procedures
- Delete dangling code (don't just comment it out)
- Easter egg hunt
Reversible code defense:
- Obfuscate
- Application hardening: remove textual and symbolic information
Elevated privileges defense:
- Check authorization before allowing privileged operations
- Use non-admin accounts for code execution
- Test code in simulated environments

21. Code in security - Conclusion
By knowing how code insecurity can impact us, we can look at coding in security. Are you going to code insecurely, or code in security?

22. References
- Common Weakness Enumeration (CWE)
- How to Write Insecure Code - OWASP
- Code Insecurity or Code in Security, Mano "dash4rk" Paul - DerbyCon 4.0
- Threat Modeling for Realz, Bruce Potter - DerbyCon 4.0

23. Questions??
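The "predictable session identifiers" item on slide 14 and the "non-guessable, non-predictable session IDs" defense on slide 19, worked through. This is an added example, not code from the talk: the session store, the counter-based id scheme and the attacker's search are all constructed here to show why hashing a counter is not the same as randomness.

```python
"""Added example: predictable vs. unpredictable session identifiers.

Not code from the talk: the session store, the counter-based id scheme
and the attacker's search are constructed here to illustrate slide 14
(Spoofable: predictable session identifiers) and the slide 19 defense.
"""
import hashlib
import hmac
import secrets


def weak_session_id(n):
    """Constructed weak scheme: a hash of a sequential counter. Hashing hides
    the counter from casual inspection but adds no entropy at all."""
    return hashlib.md5(str(n).encode()).hexdigest()


class PredictableSessions:
    """Spoofable: every id is derived from a counter, so anyone who is issued
    one id can recover the counter and compute the ids issued before and after."""

    def __init__(self):
        self.counter = 0
        self.active = {}  # session id -> user

    def issue(self, user):
        self.counter += 1
        sid = weak_session_id(self.counter)
        self.active[sid] = user
        return sid

    def user_for(self, sid):
        return self.active.get(sid)


class RandomSessions:
    """Slide 19 defense: 256 bits from the OS CSPRNG; there is nothing to predict."""

    def __init__(self):
        self.active = {}

    def issue(self, user):
        sid = secrets.token_urlsafe(32)
        self.active[sid] = user
        return sid

    def user_for(self, sid):
        # Constant-time comparison so the lookup cannot leak how many leading
        # characters of a guessed id were correct.
        for known, user in self.active.items():
            if hmac.compare_digest(known, sid):
                return user
        return None


def guess_neighbour(observed_sid, offset=-1, limit=10000):
    """Attacker: find the counter behind the id they were issued, then compute
    the id `offset` positions away (the previous login's id by default)."""
    for n in range(1, limit):
        if weak_session_id(n) == observed_sid:
            return weak_session_id(n + offset)
    return None  # no counter produces this id; the scheme cannot be walked


def demo():
    """Victim logs in first; the attacker logs in second and walks backwards."""
    weak = PredictableSessions()
    weak.issue("alice")                       # victim's session (constructed)
    attacker_sid = weak.issue("mallory")
    victim_sid = guess_neighbour(attacker_sid)  # no interaction with the victim

    strong = RandomSessions()
    strong.issue("alice")
    strong_attacker_sid = strong.issue("mallory")

    return {
        "hijacked_user": weak.user_for(victim_sid),
        "random_sid_length": len(strong_attacker_sid),
        "random_attack_result": guess_neighbour(strong_attacker_sid),
    }


if __name__ == "__main__":
    print(demo())
```

The attacker never touches the victim's traffic: being issued one id is enough to derive the neighbouring ones, which is the "spoofing as us" outcome from slide 10 with no credential theft involved. Replacing MD5 with SHA-256, or seeding Python's `random` module, does not change that; only an id drawn from a CSPRNG (`secrets`, `os.urandom`) does.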
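The "fail open" and "throwing the stack trace" items on slide 15 next to the slide 19 defenses (catch-all handler, plain error messages, one unified error-handling place). This is an added example, not code from the talk: the user directory, its outage and the password check are constructed; in particular the unsalted SHA-256 password check is a shortcut for the demo, not a recommendation.

```python
"""Added example: fail-open vs. fail-closed authentication.

Not code from the talk: the user directory, its outage and the password
check are constructed here to illustrate slide 15 (unhandled exceptions,
stack traces, fail open) and the slide 19 defense (catch-all handler,
plain error messages, one unified error-handling place).
"""
import hashlib
import hmac
import logging
import secrets
import traceback

log = logging.getLogger("auth")


class DirectoryUnavailable(Exception):
    """Raised by the constructed backend when the user store is unreachable."""


def lookup_password_hash(user, directory):
    if directory is None:  # constructed outage condition
        raise DirectoryUnavailable("connection to ldap://directory refused")
    return directory.get(user)


def password_matches(password, stored_hash):
    # Unsalted SHA-256 keeps the demo short; a real system stores a salted,
    # slow password hash (bcrypt/scrypt/argon2).
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(digest, stored_hash)


def authenticate_fail_open(user, password, directory):
    """Slide 15 anti-pattern: the function grants access unless it positively
    proves the credentials wrong, so a backend failure lets everyone in, and
    the exception text (stack trace included) goes straight back to the caller."""
    try:
        stored = lookup_password_hash(user, directory)
        if stored is None or not password_matches(password, stored):
            return {"authenticated": False, "message": "bad password"}
    except DirectoryUnavailable:
        # "The directory will be back soon, don't lock people out"
        return {"authenticated": True, "message": traceback.format_exc()}
    return {"authenticated": True, "message": "ok"}


def error_response(details):
    """Unified error handling: full details are logged under a reference id;
    the caller only ever sees that id and a plain message."""
    ref = secrets.token_hex(8)
    log.error("auth failure ref=%s\n%s", ref, details)
    return {"authenticated": False, "message": "Login failed (ref %s)" % ref}


def authenticate_fail_closed(user, password, directory):
    """Slide 19 defense: access is granted on exactly one positive path;
    every other path, including any exception, denies it."""
    try:
        stored = lookup_password_hash(user, directory)
        if stored is not None and password_matches(password, stored):
            return {"authenticated": True, "message": "ok"}
        return {"authenticated": False, "message": "Login failed"}
    except Exception:  # catch-all, including failures nobody anticipated
        return error_response(traceback.format_exc())


def demo():
    """Both versions with the directory up, then during a constructed outage."""
    directory = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
    return {
        "open_ok": authenticate_fail_open("alice", "correct horse", directory),
        "open_outage": authenticate_fail_open("alice", "wrong", None),
        "closed_ok": authenticate_fail_closed("alice", "correct horse", directory),
        "closed_outage": authenticate_fail_closed("alice", "wrong", None),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(check, result["authenticated"], result["message"].splitlines()[0])
```

The structural difference is where the `True` lives: in the fail-open version it is the default that every other branch has to argue against, in the fail-closed version it is the single return reached only after the check succeeds. The reference id in `error_response` is what lets operations correlate a user's "Login failed (ref ...)" with the logged stack trace without ever sending that trace to the client.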