Web Application Security - PowerPoint PPT Presentation

About This Presentation

Web Application Security. ISSA Spring Security Summit 2009. Mike Parsons, CISSP, IAM, IEM
Slides: 30
Provided by: mpar45

Transcript and Presenter's Notes

Web Application Security
  • ISSA Spring Security Summit 2009
  • Mike Parsons, CISSP, IAM, IEM

  • Why web application security
  • The value proposition
  • Who sets the standard
  • W3C
  • IETF
  • WASC
  • PCI
  • Remediation strategies
  • Some common threats and exploits

Why Worry?
  • Cenzic, Inc. reports in its Web Application
    Security Trends Report, Q3-Q4 2008 that total
    vulnerabilities were up over 10 percent from the
    first half of 2008, and the number of Web
    application vulnerabilities went up 80 percent.
  • At least 80 percent of applications tested were
    suffering from severe vulnerabilities.
  • The most common vulnerabilities related to
    Information Leaks and Exposures, Cross-Site
    Scripting, and Session Management.

What's Being Done?
  • However, the economic crisis is holding a number
    of organizations back from moving forward with
    this initiative. What's surprising is that most
    of these companies are still spending money on
    network security. With 80 percent to 90 percent
    of Web applications vulnerable, and with 75
    percent of attacks occurring through the Web
    sites, this budget allocation defies logic. But,
    lack of awareness and understanding of the issues
    around application security are partly to blame.
  • Cenzic, Inc.

Web Applications on the Rise
  • Universal client: PDAs, netbooks, laptops, all
  • Graphical user interface
  • XML and its extended family provides a common
    protocol stack from UI to back office
    • presentation,
    • business logic,
    • schema
  • Reduced development time
  • Provides systems integration fabric

The Value Proposition
  • Web applications on the rise
  • External facing web sites are the new company
  • Intrinsic impacts
    • Branding
    • Customer experience
    • Securing the data entrusted by partners,
      customers and employees
  • Cost impacts
    • Fines
    • Legal liability
    • Loss of business

Web Services and the Enterprise
  • eCommerce
  • Employee and partner portals
  • Federation
  • ERP applications
  • Unique branding and intellectual property issues
  • Cloud computing
    • Software as a Service
    • Hardware as a Service

Compliance Affects More than Retail
  • Retail: PCI, State privacy laws
  • Medical: HIPAA, PCI, State privacy laws
  • Banking: GLBA, PCI, State privacy laws
  • Education: FERPA, PCI, State privacy laws

A Patchwork of Stakeholders
  • W3C
  • IETF
  • WASC
  • NIST
  • PCI

W3C: display protocol owner
  • Purpose of the web: find useful information
  • Evolution to ecommerce and eGovernment
  • Standards for SGML, HTML, XML
  • XML Signatures and Encryption
  • Platform for Privacy Preferences
  • Quality assurance through development of

IETF: network and transport
  • Related organizations
    • ISOC (Internet Society)
    • IAB (Architectural Oversight)
    • IESG (Steering Group)
    • IETF (Standards and Practices)
    • IANA (Protocol parameters and addressing)
  • Sample standards and practices
    • TCP
    • UDP
    • HTTP
    • Cryptography

OWASP
  • Open Web Application Security Project
  • Organization established to develop and
    distribute information related to application
  • OWASP Top 10
  • Recognized in PCI DSS 1.2, Control 6.6
  • Tools like WebGoat and Scarab
  • There is a chapter in North Carolina

WASC
  • Develop open source and widely agreed upon
    best-practice security standards for the World
    Wide Web.
  • Projects
    • Web Application Security Scanner Evaluation
    • Web Hacking Incidents Database
    • Distributed Open Proxy Honeypots
    • Web Security Threat Classification
    • Web Application Firewall Evaluation Criteria
    • Web Application Security Statistics

NIST
  • Computer Security Division provides standards and
    technology to protect information systems against
    threats to the confidentiality, integrity, and
    availability of information, processes and
    services in order to build trust and confidence
    in (IT) systems.
  • Standards and guidelines of interest include
    • encryption,
    • web application scanners,
    • hashing algorithms,
    • digital signatures

PCI
  • Data Security Standard requirement 6.6 addresses
    Web Application Security specifically
  • References OWASP Top 10
  • Requires either
    • Web application firewall
    • Code review of all application code by qualified
  • Clarification issued in May that includes WAF
    evaluation criteria

OWASP Top 10 2007
Vulnerability: Description
  • A1 - Cross Site Scripting (XSS): XSS allows attackers to execute
    script in the victim's browser which can hijack user sessions,
    deface web sites, possibly introduce worms, etc.
  • A2 - Injection Flaws: The attacker's hostile data tricks the
    interpreter into executing unintended commands or changing data.
  • A3 - Malicious File Execution: Malicious file execution attacks
    affect PHP, XML and any framework which accepts filenames or files
    from users.
  • A4 - Insecure Direct Object Reference: Attackers can manipulate
    direct object references to access other objects without
    authorization.
  • A5 - Cross Site Request Forgery (CSRF): Forces a logged-on victim's
    browser to send a pre-authenticated request to a vulnerable web
    application, which then forces the victim's browser to perform a
    hostile action to the benefit of the attacker.
OWASP Top 10 2007 (Continued)
Vulnerability: Description
  • A6 - Information Leakage and Improper Error Handling: Applications
    unintentionally leak information about their configuration,
    internal workings, or violate privacy through a variety of
    application problems.
  • A7 - Broken Authentication and Session Management: Attackers
    compromise passwords, keys, or authentication tokens to assume
    other users' identities.
  • A8 - Insecure Cryptographic Storage: Web applications rarely use
    cryptographic functions properly to protect data and credentials.
  • A9 - Insecure Communications: Applications frequently fail to
    encrypt network traffic when it is necessary to protect sensitive
    communications.
  • A10 - Failure to Restrict URL Access: Frequently, an application
    only protects sensitive functionality by preventing the display of
    links or URLs to unauthorized users.
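
The four items in the table with the most direct defensive code counterpart (A1, A2, A5 and A8) are illustrated below in Python. This is an added example written for this transcript, not material from the presentation or from OWASP: the in-memory SQLite table, the helper names (render_greeting, lookup_email_vulnerable, lookup_email_safe, csrf_token_valid, hash_password) and the probe string are all constructed for the demonstration. The A2 pair places the string-built query next to its parameterised replacement so the phrase "hostile data tricks the interpreter" can be observed on a running table rather than only read.

```python
"""Defensive counterparts to OWASP Top 10 2007 items A1, A2, A5 and A8.
Added illustration, not the presentation's code; the table contents,
helper names and probe input are constructed for the demonstration."""
import hashlib
import hmac
import html
import os
import sqlite3
from typing import List, Optional, Tuple

# A1 Cross Site Scripting: encode untrusted data for the HTML context.
def render_greeting(username: str) -> str:
    """html.escape() turns <, >, &, " and ' into entities, so whatever the
    user supplied is rendered as text and never parsed as markup."""
    return "<p>Hello, " + html.escape(username, quote=True) + "</p>"

# A2 Injection Flaws: keep user data out of the SQL interpreter.
def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table used only by this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"),
                      ("bob", "bob@example.test")])
    return conn

def lookup_email_vulnerable(conn: sqlite3.Connection, name: str) -> List[str]:
    """The A2 failure: string concatenation lets 'hostile data' become SQL."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql).fetchall()]

def lookup_email_safe(conn: sqlite3.Connection, name: str) -> List[str]:
    """Parameterised query: the value travels separately from the statement,
    so quote characters inside it can never change the query's structure."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows.fetchall()]

# A5 CSRF: tie every state-changing request to a secret that a page on
# another origin cannot read, and compare it in constant time.
def issue_csrf_token() -> str:
    return os.urandom(32).hex()

def csrf_token_valid(session_token: str, submitted: Optional[str]) -> bool:
    """A request with no token, or a token from another session, is refused."""
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token, submitted)

# A8 Insecure Cryptographic Storage: store a salted, slow hash of the
# password rather than the password itself.
PBKDF2_ROUNDS = 600_000   # work factor; raise it as hardware gets faster

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Returns (salt, digest); both are stored, the password is discarded."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)

if __name__ == "__main__":
    conn = demo_db()
    probe = "x' OR '1'='1"      # constructed input carrying a quote character
    print(render_greeting("<script>alert(1)</script>"))
    print("concatenated query returns:", lookup_email_vulnerable(conn, probe))
    print("parameterised query returns:", lookup_email_safe(conn, probe))
    salt, digest = hash_password("correct horse battery staple")
    print("password verifies:", verify_password("correct horse battery staple", salt, digest))
```

Run as a script, the concatenated query returns both rows for the probe while the parameterised one returns none, which is the whole of the A2 lesson; the CSRF and password helpers show the two places where a constant-time comparison matters.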
Remediation strategies
  • Educate your developers, systems engineers and
    business units
  • Know your infrastructure: reduce the exposure
  • Have third party assess your security and
    application integrity
  • Evaluate tools and strategies
    • Code assessment
    • Web application firewalls

To Audit or Use an Appliance
PCI DSS Requirement 6.6
  • For public-facing web applications, address new threats and
    vulnerabilities on an ongoing basis and ensure these applications
    are protected against known attacks by either of the following
    methods:
    • Reviewing public-facing web applications via manual or automated
      application vulnerability security assessment tools or methods,
      at least annually and after any changes
    • Installing a web-application firewall in front of public-facing
      web applications
Testing Procedure 6.6
  • For public-facing web applications, ensure that either one of the
    following methods are in place as follows:
    • Verify that public-facing web applications are reviewed (using
      either manual or automated vulnerability security assessment
      tools or methods), as follows:
      - At least annually
      - After any changes
      - By an organization that specializes in application security
      - That all vulnerabilities are corrected
      - That the application is re-evaluated after the corrections
    • Verify that a web-application firewall is in place in front of
      public-facing web applications to detect and prevent web-based
      attacks.
Code assessment
  • Qualified organizations that specialize in
    application security are difficult to find and
    process is expensive
  • Third-party development or COTS poses problems
  • Access to source code and developers is the issue
  • Can be used for in-house development
  • Expertise in secure coding practice
  • Review takes place outside of development
  • Can you review all code changes

Managed services and SaaS
  • WhiteHat Sentinel
  • AppScan OnDemand Comprehensive
  • Cenzic Click to Secure services
  • Trustwave Managed Security Services
  • Qualys: more generic, but has web services

Application Scanners
  • Acunetix WVS
  • IBM Rational AppScan
  • HP WebInspect (formerly SPI Dynamics)
  • Cenzic Hailstorm
  • N-Stalker (has free edition)
  • nCircle WebApp 360

Web Application Firewall
  • No Magic Quadrant. Gartner has issued various
    notes on the subject
  • Consider WAFEC criteria to evaluate
  • Consider DSS criteria to evaluate
  • Enterprise architecture is a governing factor
    • In-line vs out-of-line
    • JavaScript vs XML vs Ajax vs Web Services 2.0
    • Web server strategy
  • Look for additional value such as positive
    security model and application integrity
  • Look for management interface, flexibility in
    blocking traffic, scalability

WASC Evaluation Criteria
  • WAFEC addresses the following areas in Version
    1.0 (2006)
    • Deployment Architecture
    • HTTP Support
    • Detection Techniques
    • Protection Techniques
    • Logging
    • Reporting
    • Management
    • Performance
    • XML
  • Future releases to address following areas
    • Compliance, certifications, and interoperability.
    • Increase coverage of performance issues
      (especially on the network level).
    • Increase coverage of the XML-related

WAF Evaluation Points -- DSS
  • Meet all applicable PCI DSS requirements
    pertaining to system components
  • React appropriately (defined by active policy or
    rules) to threats against relevant
    vulnerabilities as identified, at a minimum, in
    the OWASP Top Ten and/or PCI DSS Requirement 6.5.
  • Based on the active policy or rules, and log
    actions taken.
  • Inspect web application input and respond
    appropriately (allow, block, and/or alert)
  • Prevent data leakage, meaning have the ability to
    inspect web application output and respond
    appropriately (allow, block, mask and/or alert)
  • Enforce both positive and negative security
  • Inspect both web page content, e.g. Hypertext
    Markup Language (HTML), Dynamic HTML (DHTML), and
    Cascading Style Sheets (CSS), and the underlying
    transport protocols that deliver content, e.g.
    Hypertext Transport Protocol (HTTP) and Hypertext
    Transport Protocol over SSL (HTTPS).
  • Inspect web services messages, if web services
    are exposed to the public Internet. E.g. Simple
    Object Access Protocol (SOAP) and eXtensible
    Markup Language (XML), both document- and
    RPC-oriented models, in addition to HTTP.
  • Inspect any protocol or data construct that is
    used to transmit data to or from a web
  • Defend against threats that target the WAF
  • Support SSL and/or TLS termination, or be
    positioned such that encrypted transmissions are
    decrypted before being inspected by the WAF.
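
The DSS evaluation points above (positive and negative security models, inspection of input and output with allow/block/mask/alert responses, and logging of every action taken) reduce to a small policy engine, shown here in Python. This is an added example written for this transcript, not code from the presentation or from any WAF product: the POSITIVE_MODEL allowlist, the NEGATIVE_SIGNATURES, the paths, the card-number mask and the sample requests are all constructed for the demonstration. It goes slightly beyond the list by applying the positive model where a policy exists and falling back to signatures where none does, which is how the two models are combined in practice.

```python
"""Toy WAF policy engine for the PCI DSS WAF evaluation points above.
Added illustration (not the presentation's or any product's code);
the allowlist, signatures and sample requests are constructed."""
import logging
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

log = logging.getLogger("waf")
logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")

# Positive security model: for each path, the parameters it accepts and
# the exact shape of each value. Anything not listed is blocked.
POSITIVE_MODEL = {
    "/account": {
        "id":    re.compile(r"[0-9]{1,10}"),
        "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    },
    "/search": {
        "q": re.compile(r"[\w \-]{1,64}"),
    },
}

# Negative security model: signatures applied to paths that have no
# positive policy yet (e.g. a legacy application). A hit raises an alert.
NEGATIVE_SIGNATURES = [
    ("xss-script-tag", re.compile(r"<\s*script", re.I)),
    ("sql-metachar",   re.compile(r"(--|/\*|;)")),
    ("sql-union",      re.compile(r"\bunion\b\s+\bselect\b", re.I)),
]

# Output inspection: a 16-digit card-like number in a response body is
# masked so that only the first and last four digits leave the server.
CARD_RE = re.compile(r"\b(\d{4})[ -]?\d{4}[ -]?\d{4}[ -]?(\d{4})\b")


@dataclass
class Decision:
    action: str                       # "allow", "block", "alert" or "mask"
    reasons: List[str] = field(default_factory=list)


def _record(path: str, decision: Decision) -> Decision:
    """Every decision is logged with its reason, as the DSS points require."""
    log.info("%-5s %s %s", decision.action.upper(), path,
             "; ".join(decision.reasons) or "-")
    return decision


def inspect_request(path: str, params: Dict[str, str]) -> Decision:
    """Positive model first; signature (negative) model where no policy exists."""
    policy = POSITIVE_MODEL.get(path)
    if policy is not None:
        for name, value in params.items():
            pattern = policy.get(name)
            if pattern is None:
                return _record(path, Decision("block", [f"unexpected parameter {name!r}"]))
            if pattern.fullmatch(value) is None:
                return _record(path, Decision("block", [f"parameter {name!r} fails format check"]))
        return _record(path, Decision("allow"))
    hits = [sig_name for sig_name, sig in NEGATIVE_SIGNATURES
            if any(sig.search(value) for value in params.values())]
    if hits:
        return _record(path, Decision("alert", hits))
    return _record(path, Decision("allow"))


def inspect_response(path: str, body: str) -> Tuple[str, Decision]:
    """Data-leakage check on the way out: mask card-like numbers and record it."""
    masked, count = CARD_RE.subn(lambda m: f"{m.group(1)} **** **** {m.group(2)}", body)
    if count:
        return masked, _record(path, Decision("mask", [f"{count} card-like number(s) masked"]))
    return body, _record(path, Decision("allow"))


if __name__ == "__main__":
    # Constructed sample traffic for the demonstration.
    inspect_request("/account", {"id": "42", "email": "alice@example.test"})
    inspect_request("/account", {"id": "42 OR 1=1"})
    inspect_request("/account", {"debug": "1"})
    inspect_request("/legacy", {"name": "bob"})
    inspect_request("/legacy", {"name": "<script>alert(1)</script>"})
    inspect_response("/account", "On file: 4111 1111 1111 1111 (Visa)")
```

The positive model is the stronger of the two because it needs no knowledge of attacks, only of the application; the signature list is what protects the paths nobody has written a policy for yet, and the log line for each decision is what an assessor will ask to see.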

Web Application Firewalls
  • Barracuda Application Gateway
  • Breach Security
    • WebDefend
    • ModSecurity
  • Citrix NetScaler Application Security Firewall
  • F5 Application Security Manager
  • Fortinet Web Application/XML Firewall Appliance
    • FortiWeb
    • FortiDB
  • Imperva SecureSphere
    • Web Application Firewall
    • Database Firewall

Other sources of threats and exploits
  • WASC Statistics
  • SecurityFocus
  • Mitre Corporation
  • CERT
  • W3C
  • WebGoat Demo Environment
  • Managed Service Providers e.g. Trustwave, Cenzic

Stakeholder Websites
Stakeholder: Website
  • WASC: http://www.webappsec.org/
  • OWASP: http://www.owasp.org
  • IETF: http://www.ietf.org
  • W3C: http://www.w3c.org
  • NIST: http://csrc.nist.gov/mission/index.html
  • PCI: https://www.pcisecuritystandards.org/
Thank you for your attention
Mike Parsons, Security Consultant
Carolina Advanced Digital
336-403-9710
mike_at_cadinc.com