App Sec Workshop by Chris Hamm

App sec - code insecurity basics


My presentation on the basics of app security. Gave on 11/12/2014 as part of a series of talks.


Page 1: App sec  - code insecurity basics

App Sec Workshop

by Chris Hamm

Page 2: App sec  - code insecurity basics

Background

Name: Chris Hamm

Life before CNET
» Was in 151st/387th Infantry and MP unit for Army National Guard
– Training in intelligence gathering and physical security.
» Research and development for University of Louisville ITRC working on a communication package for Public Safety funded by DHS. Familiarized with DoD/NSA/FBI security measures, standards, and equipment.

Now
» General interest in infoSec
» Member of 502Sec group

Page 3: App sec  - code insecurity basics

Agenda

» Basics in Security
» Why should you be worried? - Threat modeling
» Code in security - examples of
» Tools?
» Questions

Page 4: App sec  - code insecurity basics

Basics in Info Security - All Info security revolves around managing 3 things

» Availability
– Can you get to your sh*t?

» Integrity
– Can you believe what you see?

» Confidentiality
– Anything we don't want others knowing about

If an attacker denies or disrupts any of these three, the attack has basically succeeded. So the impact of each must be ranked in order to prioritize it.

Page 5: App sec  - code insecurity basics

Basics in Info Security - It is all about risk management

» Vulnerability * Probability * Impact = RISK
» How do you gather this information to determine RISK?
» Answer = Threat Modeling
» Understanding the threats will help you see how important security is and how you might mitigate (control) the risk of said threat.

Page 6: App sec  - code insecurity basics

Threat Modeling - Starting point

» Threat statement
» $ACTOR
» does $ACTION
» to $ASSET
» resulting in $OUTCOME
» because of $MOTIVATION

Page 7: App sec  - code insecurity basics

Threat Modeling - $ACTOR

» NATION State
» Organized Crime
» Insiders
» Hacktivist - LulzSec
» Script Kiddie
» Competing Sites and bloggers
» ..... {Exercise: Insert Here}.....

Page 8: App sec  - code insecurity basics

Threat Modeling - $ACTION

» DDoS
» Injections
– OS level
– SQL
» XSS
» ..... {Exercise: Insert Here}.....

Page 9: App sec  - code insecurity basics

Threat Modeling - $ASSET

» Content
» Subscription Service
» User log in
» NGINX
» Varnish
» Mongo
» ..... {Exercise: Insert Here}.....

Page 10: App sec  - code insecurity basics

Threat Modeling - $OUTCOME

» Release of code
» Spoofing as us
» Tampering with existing content
» Gain foothold to Pivot
» ..... {Exercise: Insert Here}.....

Page 11: App sec  - code insecurity basics

Threat Modeling - $MOTIVATION

» Make money
» Gain notability
» ..... {Exercise: Insert Here}.....

Page 12: App sec  - code insecurity basics

Code in security - INSECURE Framework

» Injectable
» Spoofable
» Errors and Exceptions (un/mis-handled)
» Unsafe/Unused functions/Routines
» Reversible
» Elevated Privileges

Page 13: App sec  - code insecurity basics

Code in security - Injectable

» Inadequate or improper input validation/sanitization
» Input (data) can be executed
» Dynamic query construction using user input
» Examples:
– OS level executable code
– SQL/DB injection

Page 14: App sec  - code insecurity basics

Code in security - Spoofable

» Allows Identity Impersonation
» Credentials
– Weak
– Hard coded
– Cached

» Predictable Session Identifiers
– Hacking and Replay
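An added example (not from the slides) of the "Predictable Session Identifiers" item next to its defense: a sequential id store beside one that issues unguessable, expiring ids and looks them up in constant time. Class names, the starting counter value and the TTL are constructed for the demo.

```python
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Added example, not from the slides: the "Spoofable" weakness (predictable
# session identifiers) next to the defense of unguessable, expiring ids.


class WeakSessionStore:
    """Sequential ids: anyone holding one id knows the next one issued."""

    def __init__(self) -> None:
        self._counter = 1000  # constructed starting value
        self.sessions = {}  # type: Dict[str, str]

    def issue(self, user: str) -> str:
        self._counter += 1
        sid = str(self._counter)
        self.sessions[sid] = user
        return sid


class SessionStore:
    """Ids from the OS CSPRNG, bound to an expiry, looked up in constant time."""

    def __init__(self, ttl_seconds: int = 900) -> None:
        self.ttl = ttl_seconds
        self.sessions = {}  # type: Dict[str, Tuple[str, float]]

    def issue(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy, 43 url-safe chars
        self.sessions[sid] = (user, now + self.ttl)
        return sid

    def resolve(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        # compare_digest keeps lookup time independent of how many leading
        # characters of a presented id happen to match a real one
        match = next((s for s in self.sessions
                      if hmac.compare_digest(s.encode(), sid.encode())), None)
        if match is None:
            return None
        user, expires = self.sessions[match]
        if now >= expires:
            del self.sessions[match]  # expired ids are dropped, not honoured
            return None
        return user


def is_sequential(store: WeakSessionStore) -> bool:
    """Review check: does one issued id reveal the next? True for the weak store."""
    first, second = store.issue("alice"), store.issue("bob")
    return int(second) == int(first) + 1
```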

Page 15: App sec  - code insecurity basics

Code in security - Errors and Exceptions (un/ms- handled)

» Verbose Error Messages
» Unhandled Exception (No catch at all)
» Throwing stack trace
» Fail open - (*you allow authentication anyway)
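An added example (not from the slides) of "Fail open" and "Throwing stack trace": a login routine that treats an exception in the credential check as a pass, beside one that denies by default and keeps the trace server-side. The verifiers and the one-user table are constructed for the demo.

```python
import hmac
import logging
import traceback
import uuid
from typing import Callable, Tuple

# Added example, not from the slides: the "fail open" and "throwing stack
# trace" items from the Errors and Exceptions slide.

log = logging.getLogger("auth")
Verifier = Callable[[str, str], bool]

_USERS = {"alice": "correct horse"}  # constructed; real code stores hashes


class BackendDown(Exception):
    """Stand-in for any infrastructure failure raised during authentication."""


def verify_ok(username: str, password: str) -> bool:
    expected = _USERS.get(username, "")
    return username in _USERS and hmac.compare_digest(expected.encode(), password.encode())


def verify_failing(username: str, password: str) -> bool:
    raise BackendDown("user store unreachable")


def login_fail_open(username: str, password: str, verify: Verifier) -> bool:
    # WEAK: "allowed" starts True and the exception path never flips it,
    # so an outage in the user store logs everyone in
    allowed = True
    try:
        if not verify(username, password):
            allowed = False
    except Exception:
        pass
    return allowed


def login_fail_closed(username: str, password: str, verify: Verifier) -> Tuple[bool, str]:
    """Default is deny. The client gets a short, opaque message; the stack
    trace goes only to the server log under a reference id."""
    try:
        if verify(username, password):
            return True, "ok"
        return False, "invalid username or password"
    except Exception:
        ref = uuid.uuid4().hex[:8]
        log.error("auth failure ref=%s\n%s", ref, traceback.format_exc())
        return False, "login temporarily unavailable (ref %s)" % ref
```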

Page 16: App sec  - code insecurity basics

Code in security - Unsafe/Unused functions/Routines

» Banned/Insecure APIs
» Unknown APIs and Interfaces
» Vestigial functions (*CMD - C/X, CMD - P)
» Easter Eggs

Page 17: App sec  - code insecurity basics

Code in security - Reversible

» Unobfuscated
» Textual information
» Symbolic Information

Page 18: App sec  - code insecurity basics

Code in security - Elevated Privileges

» Carry out functions or access items that should only be allowed by administrator.

» Runs privileged operations without authorization checks

Page 19: App sec  - code insecurity basics

Code in security - Defenses

» Injection defense
– Input validation/Sanitization
– Parameterization of Queries
– Don't allow to exec

» Spoofing defense
– Avoid impersonation context code
– Do not hardcode credentials
– Session management - Non guessable/non predictable session ids.

» Errors & Exception mis/un-handling defense
– Simple to the point error messages without unsafe info
– Catch-all exception handle
– Redirect to unified error handling place
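An added example (not from the slides) tying the "Injectable" slide (dynamic query construction using user input) to the injection defenses above: the string-built query beside its parameterized form, with allow-list validation as a second layer. The SQLite table, rows and username pattern are constructed for the demo.

```python
import re
import sqlite3
from typing import List

# Added example, not from the slides: the "Injectable" weakness (dynamic query
# construction) next to the "Parameterization of Queries" and "Input
# validation" defenses. The in-memory table below is constructed.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "editor"), ("bob", "admin")])
    return conn


def find_user_dynamic(conn: sqlite3.Connection, name: str) -> List[str]:
    # WEAK: the input is spliced into the SQL text, so a quote character in it
    # ends the literal and the rest of the input is parsed as SQL
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn: sqlite3.Connection, name: str) -> List[str]:
    # DEFENSE: the value is bound to the placeholder by the driver and is never
    # parsed as SQL, whatever characters it contains
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")  # constructed allow-list shape


def is_valid_username(name: str) -> bool:
    return USERNAME_RE.fullmatch(name) is not None


def find_user_validated(conn: sqlite3.Connection, name: str) -> List[str]:
    # Second layer: reject anything that is not a plausible username before it
    # reaches the database at all, then still use the parameterized query
    if not is_valid_username(name):
        raise ValueError("invalid username")
    return find_user_parameterized(conn, name)
```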

Page 20: App sec  - code insecurity basics

Code in security - Defenses Cont

» Unsafe/Unused Functions defense
– Replace banned API with safer one
– Delete unused functions/procedures
– Delete Dangling Code (don't just comment out)
– Easter Egg Hunt

» Reversible Code defense
– Obfuscate
– Application hardening - Remove textual and symbolic information

» Elevated Privileges defense
– Check authorization before allowing privileged ops
– Non-admin accounts used for code execution
– Test code in simulated environments

Page 21: App sec  - code insecurity basics

Code in security - Conclusion

» By knowing how Code Insecurity can impact us, we can look at Coding in Security.
» Are you going to
– Code Insecurely (or)
– Code In Security

Page 22: App sec  - code insecurity basics

References

» Common Weakness Enumeration
– http://cwe.mitre.org/index.html

» How to write insecure code - Source OWASP
– https://www.owasp.org/index.php/How_to_write_insecure_code

» Code Insecurity or Code in Security by Mano dash4rk Paul - DerbyCon 4.0
– https://www.youtube.com/watch?v=fu4_7sJv-ro&index=96&list=PLNhlcxQZJSm8o9c_2_iDDTV6tCPdMp5dg

» Threat Modeling for Realz by Bruce Potter - DerbyCon 4.0
– https://www.youtube.com/watch?v=WKgD305OFAQ&index=101&list=PLNhlcxQZJSm8o9c_2_iDDTV6tCPdMp5dg

Page 23: App sec  - code insecurity basics

Questions??