My presentation on the basics of app security. Given on 11/12/2014 as part of a series of talks.
App Sec Workshop
by Chris Hamm
Background
Name: Chris Hamm
Life before CNET
» Was in 151st/387th Infantry and MP unit for Army National Guard
– Training in intelligence gathering and physical security.
» Research and development for University of Louisville ITRC working on a communication package for Public Safety funded by DHS. Familiarized with DoD/NSA/FBI security measures, standards, and equipment.
Now
» General interest in infoSec
» Member of 502Sec group
Agenda
» Basics in Security
» Why should you be worried? - Threat modeling
» Code in security - examples of
» Tools?
» Questions
Basics in Info Security - All info security revolves around managing 3 things
» Availability – Can you get to your sh*t?
» Integrity – Can you believe what you see?
» Confidentiality – Anything we don't want others knowing about
If an attacker denies or disrupts any of these, the attacker has basically succeeded. So there must be a ranking of how much impact something has in order to prioritize it.
Basics in Info Security - It is all about risk management
» Vulnerability * Probability * Impact = RISK
» How do you gather this information to determine RISK?
» Answer = Threat Modeling
» Understanding the threats will help you see how important security is and how you might mitigate (*control) the risk of said threat.
Threat Modeling - Starting point
» Threat statement
» $ACTOR
» does $ACTION
» to $ASSET
» resulting in $OUTCOME
» because of $MOTIVATION
Threat Modeling - $ACTOR
» Nation State
» Organized Crime
» Insiders
» Hacktivist - LulzSec
» Script Kiddie
» Competing Sites and bloggers
» ..... {Exercise: Insert Here}.....
Threat Modeling - $ACTION
» DDoS
» Injections
– OS level
– SQL
» XSS
» ..... {Exercise: Insert Here}.....
Threat Modeling - $ASSET
» Content
» Subscription Service
» User log in
» NGINX
» Varnish
» Mongo
» ..... {Exercise: Insert Here}.....
Threat Modeling - $OUTCOME
» Release of code
» Spoofing as us
» Tampering with existing content
» Gain foothold to Pivot
» ..... {Exercise: Insert Here}.....
Threat Modeling - $MOTIVATION
» Make money
» Gain notability
» ..... {Exercise: Insert Here}.....
Code in security - INSECURE Framework
» Injectable
» Spoofable
» Errors and Exceptions (un/mis-handled)
» Unsafe/Unused functions/Routines
» Reversible
» Elevated Privileges
Code in security - Injectable
» Inadequate or improper input validation/sanitization
» Input (data) can be executed
» Dynamic query construction using user input
» Examples:
– OS level executable code
– SQL/DB injection
Code in security - Spoofable
» Allows Identity Impersonation
» Credentials
– Weak
– Hard coded
– Cached
» Predictable Session Identifiers
– Hijacking and Replay
Code in security - Errors and Exceptions (un/mis-handled)
» Verbose Error Messages
» Unhandled Exception (No catch at all)
» Throwing stack trace
» Fail open - (*you allow authentication anyway)
Code in security - Unsafe/Unused functions/Routines
» Banned/Insecure APIs
» Unknown APIs and Interfaces
» Vestigial functions (*CMD-C/X, CMD-P)
» Easter Eggs
Code in security - Reversible
» Unobfuscated
» Textual information
» Symbolic information
Code in security - Elevated Privileges
» Carries out functions or accesses items that should only be allowed for an administrator.
» Runs privileged operations without authorization checks
Code in security - Defenses
» Injection defense
– Input validation/Sanitization
– Parameterization of Queries
– Don't allow input to be executed
» Spoofing defense
– Avoid impersonation context code
– Do not hardcode credentials
– Session management - Non-guessable/non-predictable session ids
» Errors & Exception mis/un-handling defense
– Simple, to-the-point error messages without unsafe info
– Catch-all exception handler
– Redirect to a unified error handling place
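The "Injectable" slide and the injection defense above, side by side in an added example (my code, not from the deck): dynamic query construction against a constructed in-memory SQLite table, the parameterized form the deck recommends, and an allow-list validator as the second layer. Table and row contents are constructed sample data.

```python
import re
import sqlite3

# Constructed sample data: a few articles, one of them subscriber-only.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, premium INTEGER)")
    conn.executemany(
        "INSERT INTO articles (title, premium) VALUES (?, ?)",
        [("Free review", 0), ("Free how-to", 0), ("Subscriber-only deep dive", 1)],
    )
    return conn

def search_insecure(conn, term):
    # Dynamic query construction using user input: the search term is pasted into the
    # SQL text, so the term can rewrite the WHERE clause instead of just being compared.
    sql = f"SELECT title FROM articles WHERE premium = 0 AND title LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]

def search_parameterized(conn, term):
    # Parameterization: the SQL text is fixed and the term travels separately as a value,
    # so whatever is typed can only ever be matched against titles.
    sql = "SELECT title FROM articles WHERE premium = 0 AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]

SAFE_TERM = re.compile(r"^[A-Za-z0-9 \-]{1,40}$")

def validate_term(term):
    # Input validation as defence in depth: allow-list the characters and bound the length.
    # Parameterization is what actually stops injection; this rejects garbage early.
    return bool(SAFE_TERM.match(term))

def demo():
    conn = make_db()
    # A term that closes the quoted string and comments out the rest of the clause
    # turns the concatenated query into "match everything", leaking the premium row;
    # the parameterized query just searches for that literal text and finds nothing.
    crafted = "' OR 1=1 --"
    return {
        "insecure": search_insecure(conn, crafted),
        "parameterized": search_parameterized(conn, crafted),
        "normal": search_parameterized(conn, "Free"),
        "validated": validate_term(crafted),
    }
```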
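The "Fail open" item from the Errors and Exceptions slide and the error-handling defense above, as an added example (my code, not from the deck): a login check whose except branch lets the request through, beside one that fails closed and hands every exception to a single handler that logs the detail and returns a generic message. The credential store, the `StoreDown` exception and the `ok-hash` value are constructed stand-ins; a real check would use a slow password hash.

```python
import logging
import secrets

log = logging.getLogger("appsec-demo")

# Constructed credential store: username -> stored verifier (placeholder, not a real hash).
USERS = {"alice": "ok-hash"}

class StoreDown(Exception):
    """Raised when the backing credential store is unreachable (hypothetical failure)."""

def lookup_hash(username, store_available=True):
    if not store_available:
        raise StoreDown("credential store unreachable at db-internal:27017")
    return USERS.get(username)

def check_password(stored, supplied):
    # Constant-time comparison of the stored verifier; stands in for a real password check.
    return stored is not None and secrets.compare_digest(stored, supplied)

def login_fail_open(username, supplied, store_available=True):
    # The slide's "Fail open": the except branch returns True, so an outage of the
    # credential store becomes a free pass for any username and password.
    try:
        return check_password(lookup_hash(username, store_available), supplied)
    except Exception as exc:
        log.warning("store error, allowing login anyway: %s", exc)
        return True

def handle_error(exc):
    # Unified error handling place: the type, message and stack trace go to the log
    # under an opaque reference; the caller only gets the reference and a plain message.
    ref = secrets.token_hex(4)
    log.error("ref=%s %s: %s", ref, type(exc).__name__, exc, exc_info=exc)
    return {"error": "Login failed", "ref": ref}

def login_fail_closed(username, supplied, store_available=True):
    # Fail closed: any failure in the check is a denial. The catch-all handler means
    # nothing escapes unhandled and no stack trace or internal hostname reaches the user.
    try:
        return check_password(lookup_hash(username, store_available), supplied), None
    except Exception as exc:
        return False, handle_error(exc)
```

The returned `ref` is what the user can quote to support; the matching log line holds the internals.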
Code in security - Defenses Cont
» Unsafe/Unused Functions defense
– Replace banned API with a safer one
– Delete unused functions/procedures
– Delete dangling code (don't just comment it out)
– Easter Egg Hunt
» Reversible Code defense
– Obfuscate
– Application hardening - Remove textual and symbolic information
» Elevated Privileges defense
– Check authorization before allowing privileged ops
– Non-admin accounts used for code execution
– Test code in simulated environments
Code in security - Conclusion
» By knowing how Code Insecurity can impact us, we can look at Coding In Security.
» Are you going to
– Code Insecurely (or)
– Code In Security
References
» Common Weakness Enumeration
– http://cwe.mitre.org/index.html
» How to write insecure code - Source OWASP
– https://www.owasp.org/index.php/How_to_write_insecure_code
» Code Insecurity or Code in Security by Mano dash4rk Paul - DerbyCon 4.0
– https://www.youtube.com/watch?v=fu4_7sJv-ro&index=96&list=PLNhlcxQZJSm8o9c_2_iDDTV6tCPdMp5dg
» Threat Modeling for Realz by Bruce Potter - DerbyCon 4.0
– https://www.youtube.com/watch?v=WKgD305OFAQ&index=101&list=PLNhlcxQZJSm8o9c_2_iDDTV6tCPdMp5dg
Questions??