Securing Applications


  • Securing Applications

    A Practical Primer for Developers

    Burak Dayıoğlu
    Your security, your future

  • About the presenter

  • Application Security Today

  • Holistic Approach to Security

    Defend the network: port blocking, filtering, encryption
    Threats at this layer: spoofed packets, etc.

    Defend the host: updates, IIS hardening, ACLs, CAS, logging, least privilege, account mgmt.
    Threats at this layer: buffer overflows, illicit paths, etc.

    Defend the application: validation, hashing, encryption, secrets mgmt., cookie mgmt., session mgmt., error handling
    Threats at this layer: SQL injection, XSS, input tampering, etc.

  • Hacking with Google

  • Security in the Development Lifecycle

    Security activities at every milestone: requirements, assessment, design complete, test plans complete, code complete, ship, post-ship

  • Guiding Design Principles

    Secure the weakest link
    Practice defense in depth
    Fail securely
    Follow the principle of least privilege
    Compartmentalize
    Keep it simple
    Remember that hiding secrets is hard
    Be reluctant to trust

  • Attack Surface Reduction (ASR)

    A system's attack surface is the set of ways in which an attacker can enter the system and potentially cause damage. The size of the attack surface is an indication of the system's security: the larger the attack surface, the more insecure the system.

  • Reducing the Attack Surface

    Reduce the amount of running code: do 80% of your users actually use the functionality? If not, turn it off by default

    Reduce entry points: if you can do the same with fewer ports, sockets, service entry points etc., then just do it

    Reduce access to entry points by untrusted users: restrict access to the network endpoints used by your application to the local subnet or IP range

  • Input Validation

    All data coming from untrusted sources should be validated before being processed. It might be possible to tamper with application flow and/or behaviour using invalid data.

    What you can trust depends on the application context. Sources of input to consider:
    Users
    Applications on the same host
    Shared libraries (.so, .dll etc.)
    OS interfaces
    Other modules in the same application

  • Blacklisting is Bad

    Endless security issues with PHF (mid 1990s):
    Command injection (improper input validation)
    Fix through blacklisting
    Command injection, round 2 (in just two days)
    Fix through blacklisting
    Command injection, round 3 (in just another day)
    Fix through whitelisting (problem solved)

    The same lesson applies to command injection, SQL injection, LDAP injection etc.
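The following Python example is added here and is not part of the original slides. It replays the PHF lesson on a constructed "finger a user" parameter: a deny-list of shell metacharacters that misses the newline (the historic phf bypass, sent as %0a in the URL) lets a second command through, while an allow-list that states what a valid username looks like rejects it. The character set, the regular expression and the `safe_finger_argv` helper are assumptions for illustration; no command is actually executed.

```python
import re

# Deny-list in the spirit of the first phf fixes: strip the shell
# metacharacters the developer could think of. Constructed for this example.
DENIED_CHARS = set(";&|<>`$(){}'\"\\!*?")

def denylist_clean(value):
    """Drop known-bad characters; whatever is left is assumed harmless."""
    return "".join(ch for ch in value if ch not in DENIED_CHARS)

# Allow-list: state exactly what a valid value looks like and reject the rest.
# \A and \Z are used instead of ^ and $ because $ also matches just before a
# trailing newline, which would let "alice\n" through.
USERNAME_RE = re.compile(r"\A[A-Za-z][A-Za-z0-9_.-]{0,31}\Z")

def allowlist_check(value):
    return USERNAME_RE.fullmatch(value) is not None

def shell_command(user):
    """The command line a shell-based CGI of the phf era handed to /bin/sh.
    Returned as text and never executed here."""
    return "finger " + user

def commands_the_shell_sees(user):
    """A shell treats each line as a separate command, so an unfiltered
    newline smuggles a second command past a deny-list that never listed it."""
    return shell_command(user).splitlines()

def safe_finger_argv(user):
    """Validate with the allow-list, then build an argv list for
    subprocess.run(argv) so that no shell ever parses the value."""
    if not allowlist_check(user):
        raise ValueError("invalid username: %r" % user)
    return ["finger", user]

if __name__ == "__main__":
    payload = "alice\ncat /etc/passwd"          # constructed attacker input
    print(commands_the_shell_sees(denylist_clean(payload)))  # two commands
    print(allowlist_check(payload))              # False
    print(safe_finger_argv("alice"))             # ['finger', 'alice']
```

Each time a deny-list is extended the attacker only has to find the next character it forgot; the allow-list has to be written once, and validating before building an argv list (rather than a shell string) removes the shell's parsing from the picture entirely.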

  • Sample SQL Injection

    Sample vulnerable code fragment (PHP; the user-supplied criterion is concatenated into the SQL text):

    $query = "SELECT title FROM news WHERE body LIKE '%" . $criteria . "%'";

    When criteria is SECURITY:

    SELECT title FROM news WHERE body LIKE '%SECURITY%'

    When criteria is '; DELETE FROM news--:

    SELECT title FROM news WHERE body LIKE '%'; DELETE FROM news--%'

  • What would be the Query?

    Select * from users where username = '<input 1>' and password = '<input 2>';
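The example below is added here and is not code from the slides. It carries both the news search above and the login quiz through in Python against an in-memory SQLite database: the vulnerable versions build SQL text by concatenation exactly as the PHP fragment does, the safe versions use driver placeholders. The table contents, the `setup()` helper and the user rows are constructed for the example (passwords are kept in clear only to keep the demo short; the deck's own advice is to hash them).

```python
import sqlite3

def setup():
    """Constructed in-memory database: the slide's news table plus the
    users table from the login quiz."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO news(title, body) VALUES
            ('Patch day', 'SECURITY fixes released'),
            ('Release notes', 'New features');
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 's3cret'), ('bob', 'hunter2');
    """)
    return con

def news_count(con):
    return con.execute("SELECT count(*) FROM news").fetchone()[0]

def search_news_vulnerable(con, criteria):
    """The slide's PHP fragment in Python: the criterion is pasted into the
    SQL text. executescript() is used because, like the multi-statement
    paths of many production drivers, it accepts stacked statements
    (sqlite3.execute() would refuse the second one). Result rows are
    discarded; the side effect is what this function demonstrates."""
    query = "SELECT title FROM news WHERE body LIKE '%" + criteria + "%'"
    con.executescript(query)
    return query

def search_news_safe(con, criteria):
    """Parameterised query: the driver sends the criterion as data, so quotes,
    semicolons and comment markers inside it are just characters."""
    cur = con.execute("SELECT title FROM news WHERE body LIKE ?",
                      ("%" + criteria + "%",))
    return [row[0] for row in cur.fetchall()]

def login_vulnerable(con, username, password):
    """The quiz slide's query with the two inputs concatenated in."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return [row[0] for row in con.execute(query).fetchall()]

def login_safe(con, username, password):
    cur = con.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password))
    return [row[0] for row in cur.fetchall()]

if __name__ == "__main__":
    con = setup()
    print(search_news_safe(con, "SECURITY"))           # ['Patch day']
    print(search_news_vulnerable(con, "'; DELETE FROM news--"))
    print(news_count(con))                              # 0: the table is empty
    con = setup()
    print(login_vulnerable(con, "admin'--", "wrong"))   # ['admin']
    print(login_vulnerable(con, "x", "' OR '1'='1"))    # ['admin', 'bob']
    print(login_safe(con, "admin'--", "wrong"))         # []
```

Two answers to the quiz are shown: `admin'--` as input 1 comments out the password check entirely, and `' OR '1'='1` as input 2 makes the WHERE clause true for every row. Neither works against the parameterised form, because the placeholder value is never parsed as SQL.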

  • Cross-Site Scripting (XSS)

  • Web is just a messaging protocol

  • HTML Form Tampering

  • Validating Form Data in Browser

    Client-side validation can be bypassed or tampered with (the browser is under the user's control), so the server must validate everything again

    Client Side Validation Example
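The following example is added here and is not from the slides. It shows the server side of the form-tampering and client-side-validation slides: a handler that trusts a hidden `price` field and a JavaScript-checked `qty` as they arrive, beside one that re-validates every field and takes the price from a server-side catalogue. The catalogue, the field names and the quantity rule are assumptions for illustration; form values are strings, as they arrive in a POST body.

```python
import re

# Server-side catalogue, the only source of truth for prices
# (constructed data, prices in cents).
CATALOGUE = {"SKU-100": 1999, "SKU-200": 4999}
QTY_RE = re.compile(r"\A[1-9][0-9]?\Z")      # 1..99, digits only, no newline

class FormError(ValueError):
    pass

def total_trusting_client(form):
    """Handler that believes the browser: it multiplies the hidden 'price'
    field by the JavaScript-checked 'qty' exactly as they were submitted."""
    return int(form["price"]) * int(form["qty"])

def total(form):
    """Re-validate every field on the server and price the order from the
    catalogue; a 'price' field in the request is ignored even if present."""
    sku = form.get("sku", "")
    if sku not in CATALOGUE:
        raise FormError("unknown sku")
    qty = form.get("qty", "")
    if not QTY_RE.fullmatch(qty):
        raise FormError("qty must be a whole number from 1 to 99")
    return CATALOGUE[sku] * int(qty)

def is_valid_order(form):
    try:
        total(form)
        return True
    except FormError:
        return False

if __name__ == "__main__":
    tampered = {"sku": "SKU-200", "qty": "2", "price": "1"}   # constructed POST
    print(total_trusting_client(tampered))   # 2 cents for two items
    print(total(tampered))                   # 9998
```

The hidden field and the browser-side check only improve usability; anything the server can derive itself (the price) it must derive itself, and anything it cannot (the quantity) it must validate with its own allow-list.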

  • Error Messages

    Error messages might reveal sensitive information to a potential attacker:
    Portions of an SQL statement
    Error message that includes the brand/version of the database or directory server
    Error message for a file that doesn't open

    Handle all failure cases that you can foresee, and configure the environment to log (and not display) verbose error messages
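The example below is added here and is not from the slides. It contrasts a handler that returns the database exception text to the client with one that logs the full detail server-side under a reference id and shows the client only that id. The failure (a missing table, standing in for any unforeseen error) and the in-memory log capture are constructed for the example.

```python
import logging
import sqlite3
import uuid

log = logging.getLogger("news-app")
log.setLevel(logging.ERROR)
CAPTURED_LOGS = []      # stands in for the server's error log (constructed)

class _ListHandler(logging.Handler):
    def emit(self, record):
        CAPTURED_LOGS.append(self.format(record))

log.addHandler(_ListHandler())

def broken_db():
    """Constructed failure: the schema the code expects is missing."""
    return sqlite3.connect(":memory:")

def get_title_leaky(con, news_id):
    """Typical first draft: the exception text goes straight to the client,
    naming the engine, the table and the failing statement."""
    try:
        row = con.execute("SELECT title FROM news WHERE id = ?", (news_id,)).fetchone()
        return 200, (row[0] if row else "not found")
    except sqlite3.Error as exc:
        return 500, "Database error: " + str(exc)

def get_title(con, news_id):
    """Log the detail under a reference id; the client sees only the id,
    which support staff can match to the log line."""
    try:
        row = con.execute("SELECT title FROM news WHERE id = ?", (news_id,)).fetchone()
        return 200, (row[0] if row else "not found")
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:8]
        log.error("ref=%s news_id=%r %s: %s", ref, news_id, type(exc).__name__, exc)
        return 500, "Something went wrong. Reference: " + ref

if __name__ == "__main__":
    print(get_title_leaky(broken_db(), 1))   # 500, 'Database error: no such table: news'
    print(get_title(broken_db(), 1))         # 500, 'Something went wrong. Reference: ...'
    print(CAPTURED_LOGS[-1])                 # the full detail, server-side only
```

The same split belongs in the platform configuration (for example PHP's display_errors off and log_errors on, or an ASP.NET customErrors page), so that errors the code did not foresee are handled the same way.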

  • Filesystem Operations and Security

    Any component that operates on files is high risk. If input validation is broken somehow:
    Arbitrary files might be read
    Arbitrary files might be overwritten
    Arbitrary files might be uploaded & executed

    Beware of symbols that are special to filesystem objects and the OS shell: . .. && || > < * ; and the null byte (%00)
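The following example is added here and is not from the slides. It implements the check a file-serving or upload component needs before touching the filesystem: a client-supplied relative path is mapped onto a fixed base directory and rejected if it contains a null byte, is absolute, or resolves (after `..` normalisation and symlink resolution) outside the base. The base directory and the sample paths are constructed for the example.

```python
import os

class UnsafePath(ValueError):
    pass

def safe_join(base_dir, user_path):
    """Map a client-supplied relative path onto base_dir and refuse anything
    that would land outside it."""
    if "\x00" in user_path:                      # %00 truncation trick
        raise UnsafePath("NUL byte in path")
    if not user_path or os.path.isabs(user_path):
        raise UnsafePath("path must be relative and non-empty")
    base = os.path.realpath(base_dir)
    # realpath normalises '.' and '..' and follows symlinks, so a link planted
    # inside the upload directory that points outside is caught as well.
    target = os.path.realpath(os.path.join(base, user_path))
    # commonpath compares whole components; target.startswith(base) would
    # also accept a sibling directory such as /srv/app/uploads-old.
    if target == base or os.path.commonpath([base, target]) != base:
        raise UnsafePath("path escapes base directory: %r" % user_path)
    return target

def is_safe(base_dir, user_path):
    try:
        safe_join(base_dir, user_path)
        return True
    except UnsafePath:
        return False

if __name__ == "__main__":
    base = "/srv/app/uploads"                        # constructed base directory
    print(safe_join(base, "2024/report.pdf"))
    for p in ["../../../etc/passwd", "docs/../../secret.txt",
              "/etc/passwd", "report.pdf\x00.jpg", "."]:
        print(repr(p), is_safe(base, p))              # all False
```

Resolve first, compare second: checking the raw string for `..` is another deny-list and misses encodings and symlinks, whereas comparing the resolved path against the resolved base leaves nothing to enumerate.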

  • Easy to Guess Files and Directories

    There are things to discover by just educated guessing:
    /CVS
    /admin
    /test
    README
    INSTALL
    backup.zip

  • Backup Files

    Would one of them be left somewhere?
    mycode.jsp~
    mycode.jsp.OLD
    mycode.jsp.ORIG
    mycode.jsp.BACK
    mycode.jsp.BAK
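The example below is added here and is not from the slides. It turns the two preceding slides into a pre-deployment check: walk the web root and report version-control directories, editor and backup leftovers, and archive or documentation files that should never be served. The pattern list extends the slides' names with common editor suffixes, and the sample tree is constructed in a temporary directory for the example.

```python
import os
import re
import tempfile

# Names from the slides plus common editor/VCS leftovers (constructed list).
LEFTOVER_FILE_RE = re.compile(
    r"(~|\.(old|orig|back|bak|swp|save|tmp)|\.(zip|tar|tgz|gz|sql))\Z",
    re.IGNORECASE)
LEFTOVER_DIRS = {"CVS", ".svn", ".git", ".hg"}
LEFTOVER_NAMES = {"README", "INSTALL", "backup.zip"}

def find_leftovers(webroot):
    """Return paths (relative to webroot) that look like leftovers."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        for d in list(dirnames):
            if d in LEFTOVER_DIRS:
                findings.append(os.path.relpath(os.path.join(dirpath, d), webroot) + "/")
                dirnames.remove(d)          # reported as a whole; do not descend
        for f in filenames:
            if f in LEFTOVER_NAMES or LEFTOVER_FILE_RE.search(f):
                findings.append(os.path.relpath(os.path.join(dirpath, f), webroot))
    return sorted(findings)

def build_demo_webroot():
    """Constructed sample tree reproducing the slides' examples."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "app", "CVS"))
    for name in ["index.jsp", "app/mycode.jsp", "app/mycode.jsp~",
                 "app/mycode.jsp.OLD", "app/mycode.jsp.ORIG",
                 "app/mycode.jsp.BACK", "app/mycode.jsp.BAK",
                 "backup.zip", "README"]:
        open(os.path.join(root, name), "w").close()
    return root

if __name__ == "__main__":
    for finding in find_leftovers(build_demo_webroot()):
        print(finding)
```

Run it against the deployed tree, not the source checkout, since the leftovers are usually produced by the copy step itself (editors, `cp -r` of a working copy, in-place patching on the server).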

  • Directory ListingsDirectory listings should be turned off for all servers/sites

  • Thank you!

    burak.dayioglu@pro-g.com.tr

    Twitter: dayioglu FriendFeed: dayioglu

    http://www.burakdayioglu.net
    Your security, your future