Web Application Security - PowerPoint PPT Presentation

Web Application Security. ISSA Spring Security Summit 2009. Mike Parsons, CISSP, IAM, IEM

Transcript and Presenter's Notes

1
Web Application Security
  • ISSA Spring Security Summit 2009
  • Mike Parsons, CISSP, IAM, IEM

2
Agenda
  • Why web application security
  • The value proposition
  • Who sets the standard
    • W3C
    • IETF
    • OWASP
    • WASC
    • PCI
  • Remediation strategies
  • Some common threats and exploits

3
Why Worry?
  • Cenzic, Inc. reports in its Web Application
    Security Trends Report, Q3-Q4 2008, that total
    vulnerabilities were up over 10 percent from the
    first half of 2008, and the number of web
    application vulnerabilities was up 80 percent.
  • At least 80 percent of applications tested were
    suffering from severe vulnerabilities.
  • The most common vulnerabilities related to
    information leaks and exposures, cross-site
    scripting, and session management.

4
What's Being Done?
  • "However, the economic crisis is holding a number
    of organizations back from moving forward with
    this initiative. What's surprising is that most
    of these companies are still spending money on
    network security. With 80 percent to 90 percent
    of Web applications vulnerable, and with 75
    percent of attacks occurring through the Web
    sites, this budget allocation defies logic. But,
    lack of awareness and understanding of the issues
    around application security are partly to blame."
  • Source: Cenzic, Inc.

5
Web Applications on the Rise
  • Universal client: PDAs, netbooks, laptops, all
    OSs
  • Graphical user interface
  • XML and its extended family provide a common
    protocol stack from UI to back office:
    • presentation,
    • business logic,
    • schema
  • Reduced development time
  • Provides a systems integration fabric

6
The Value Proposition
  • Web applications on the rise
  • External-facing web sites are the new company
    storefronts
  • Intrinsic impacts
    • Branding
    • Customer experience
    • Securing the data entrusted by partners,
      customers and employees
  • Cost impacts
    • Fines
    • Legal liability
    • Loss of business

7
Web Services and the Enterprise
  • E-commerce
  • Employee and partner portals
  • Federation
  • ERP applications
  • Unique branding and intellectual property issues
  • Cloud computing
    • Software as a Service
    • Hardware as a Service

8
Compliance Affects More than Retail
  • Retail: PCI, state privacy laws
  • Medical: HIPAA, PCI, state privacy laws
  • Banking: GLBA, PCI, state privacy laws
  • Education: FERPA, PCI, state privacy laws

9
A Patchwork of Stakeholders
  • W3C
  • IETF
  • OWASP
  • WASC
  • NIST
  • PCI

10
W3C: display protocol owner
  • Purpose of the web: find useful information
  • Evolution to e-commerce and e-government
  • Standards for HTML and XML (XML is a W3C profile
    of ISO's SGML)
  • XML Signatures and Encryption
  • Platform for Privacy Preferences (P3P)
  • Quality assurance through development of
    validators

11
IETF: network and transport
  • Related organizations
    • ISOC (Internet Society)
    • IAB (Architectural Oversight)
    • IESG (Steering Group)
    • IETF (Standards and Practices)
    • IANA (Protocol parameters and addressing)
  • Sample standards and practices
    • TCP
    • UDP
    • HTTP
    • Cryptographic protocols, e.g. TLS and IPsec

12
OWASP
  • Open Web Application Security Project
  • Organization established to develop and
    distribute information related to application
    security
  • OWASP Top 10
  • Referenced by PCI DSS 1.2: Requirement 6.5's
    secure coding guidance cites the OWASP Guide, and
    the Requirement 6.6 information supplement cites
    the Top 10 in its WAF criteria
  • Tools like WebGoat and WebScarab
  • There is a chapter in North Carolina

13
WASC
  • Develops open source and widely agreed upon
    best-practice security standards for the World
    Wide Web
  • Projects
    • Web Application Security Scanner Evaluation
      Criteria
    • Web Hacking Incidents Database
    • Distributed Open Proxy Honeypots
    • Web Security Threat Classification
    • Web Application Firewall Evaluation Criteria
    • Web Application Security Statistics

14
NIST
  • The Computer Security Division "provides standards
    and technology to protect information systems
    against threats to the confidentiality, integrity,
    and availability of information, processes and
    services in order to build trust and confidence
    in (IT) systems."
  • Standards and guidelines of interest include
    • encryption,
    • web application scanners,
    • hashing algorithms,
    • digital signatures

15
PCI DSS
  • Data Security Standard Requirement 6.6 addresses
    web application security specifically
  • The Requirement 6.6 information supplement
    references the OWASP Top 10
  • Requires either
    • A web application firewall in front of
      public-facing web applications, or
    • Application vulnerability assessment (manual or
      automated review) at least annually and after
      any change, by an organization that specializes
      in application security
  • The 2008 clarification (Information Supplement:
    Requirement 6.6 Code Reviews and Application
    Firewalls Clarified) includes WAF evaluation
    criteria

16
OWASP Top 10 2007
Vulnerability: Description
A1 - Cross Site Scripting (XSS): XSS allows attackers to execute script in the victim's browser, which can hijack user sessions, deface web sites, possibly introduce worms, etc.
A2 - Injection Flaws: The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.
A3 - Malicious File Execution: Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.
A4 - Insecure Direct Object Reference: Attackers can manipulate direct object references to access other objects without authorization.
A5 - Cross Site Request Forgery (CSRF): Forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker.

17
OWASP Top 10 2007 (Continued)
Vulnerability: Description
A6 - Information Leakage and Improper Error Handling: Applications unintentionally leak information about their configuration or internal workings, or violate privacy, through a variety of application problems.
A7 - Broken Authentication and Session Management: Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.
A8 - Insecure Cryptographic Storage: Web applications rarely use cryptographic functions properly to protect data and credentials.
A9 - Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.
A10 - Failure to Restrict URL Access: Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users.
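The table describes the flaws but not what they look like in code. The following is an added Python example written for this transcript, not code from the presentation or from OWASP: it shows A2 (injection), A1 (XSS) and A5 (CSRF) each as a vulnerable function beside its hardened form. The `users` table, the `login_*`, `greet_*` and CSRF helpers, the dict-based session and the attack strings are all constructed here for illustration.

```python
"""Added example: OWASP Top 10 2007 A1 (XSS), A2 (injection) and A5 (CSRF),
each as a vulnerable function beside its hardened form.  Not from the
presentation; every name and the sample data below are constructed."""
import hmac
import html
import secrets
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


# A2 - Injection flaws.  The vulnerable version splices untrusted input into
# the SQL text, so a quote in the input changes the statement's structure.
def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


# Hardened: bound parameters.  The driver passes the data separately from the
# statement, so input can never become SQL syntax.
def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# A1 - Cross-site scripting.  The vulnerable version echoes untrusted text
# into the HTML body unchanged, so markup in the input is rendered as markup.
def greet_vulnerable(name: str) -> str:
    return "<p>Hello, " + name + "</p>"


# Hardened: entity-encode for the HTML body context.  (Attribute, URL and
# JavaScript contexts each need their own encoding; this covers body text.)
def greet_safe(name: str) -> str:
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# A5 - Cross-site request forgery.  A state-changing request is accepted only
# if it carries a secret token tied to the user's session; a forged request
# from another origin cannot know it.  `session` and `form` are plain dicts
# standing in for a framework's session store and parsed form body.
def issue_csrf_token(session: dict) -> str:
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def csrf_check(session: dict, form: dict) -> bool:
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected:
        return False
    # Constant-time comparison so timing does not leak the token byte by byte.
    return hmac.compare_digest(expected.encode(), supplied.encode())


def demo() -> dict:
    """Run each attack against both forms and return the verdicts."""
    attack_user = "alice' --"          # the comment removes the password check
    xss = "<script>alert(1)</script>"
    session: dict = {}
    token = issue_csrf_token(session)
    return {
        "sqli_bypasses_vulnerable": login_vulnerable(make_db(), attack_user, "wrong"),
        "sqli_bypasses_safe": login_safe(make_db(), attack_user, "wrong"),
        "xss_in_vulnerable": "<script>" in greet_vulnerable(xss),
        "xss_in_safe": "<script>" in greet_safe(xss),
        "csrf_valid_token": csrf_check(session, {"csrf_token": token}),
        "csrf_forged_request": csrf_check(session, {}),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Running the block shows the injected username logging in through `login_vulnerable` and failing against `login_safe`, the script tag surviving `greet_vulnerable` and being neutralised by `greet_safe`, and the forged request (no token) rejected by `csrf_check`. The three fixes share one principle: keep data and code apart, by parameter binding, by context-specific encoding, and by a per-session secret the attacker cannot read.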
18
Remediation strategies
  • Educate your developers, systems engineers and
    business units
  • Know your infrastructure: reduce the exposure
    window
  • Have a third party assess your security and
    application integrity
  • Evaluate tools and strategies
    • Code assessment
    • Web application firewalls

19
To Audit or Use an Appliance
PCI DSS Requirement 6.6: For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
  • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
  • Installing a web-application firewall in front of public-facing web applications
Testing Procedure 6.6: For public-facing web applications, ensure that either one of the following methods are in place as follows:
  • Verify that public-facing web applications are reviewed (using either manual or automated vulnerability security assessment tools or methods), as follows:
    - At least annually
    - After any changes
    - By an organization that specializes in application security
    - That all vulnerabilities are corrected
    - That the application is re-evaluated after the corrections
  • Verify that a web-application firewall is in place in front of public-facing web applications to detect and prevent web-based attacks.
20
Code assessment
  • Qualified organizations that specialize in
    application security are difficult to find, and
    the process is expensive
  • 3rd-party development or COTS poses problems:
    access to source code and developers is the issue
  • Can be used for in-house development
  • Requires expertise in secure coding practice
  • Review takes place outside of development
  • Can you review all code changes?

21
Managed services and SaaS
  • WhiteHat Sentinel
  • AppScan OnDemand Comprehensive
  • Cenzic Click to Secure services
  • Trustwave Managed Security Services
  • Qualys (more generic, but has a web application
    scanning component)

22
Application Scanners
  • Acunetix WVS
  • IBM Rational AppScan
  • HP WebInspect (formerly SPI Dynamics)
  • Cenzic Hailstorm
  • N-Stalker (has a free edition)
  • nCircle WebApp360

23
Web Application Firewall
  • No Magic Quadrant; Gartner has issued various
    notes on the subject
  • Consider WAFEC criteria to evaluate
  • Consider PCI DSS criteria to evaluate
  • Enterprise architecture is a governing factor:
    • In-line vs. out-of-line
    • JavaScript vs. XML vs. Ajax vs. Web Services 2.0
    • Web server strategy
  • Look for additional value such as a positive
    security model and application integrity
    remediation
  • Look for management interface, flexibility in
    blocking traffic, scalability

24
WASC Evaluation Criteria
  • WAFEC addresses the following areas in Version
    1.0 (2006):
    • Deployment Architecture
    • HTTP Support
    • Detection Techniques
    • Protection Techniques
    • Logging
    • Reporting
    • Management
    • Performance
    • XML
  • Future releases to address the following areas:
    • Compliance, certifications, and interoperability
    • Increased coverage of performance issues
      (especially on the network level)
    • Increased coverage of XML-related
      functionality

25
WAF Evaluation Points -- DSS
  • Meet all applicable PCI DSS requirements
    pertaining to system components
  • React appropriately (defined by active policy or
    rules) to threats against relevant
    vulnerabilities as identified, at a minimum, in
    the OWASP Top Ten and/or PCI DSS Requirement 6.5
  • Inspect web application input and respond
    appropriately (allow, block, and/or alert) based
    on the active policy or rules, and log actions
    taken
  • Prevent data leakage, meaning have the ability to
    inspect web application output and respond
    appropriately (allow, block, mask and/or alert)
  • Enforce both positive and negative security
    models
  • Inspect both web page content, e.g. Hypertext
    Markup Language (HTML), Dynamic HTML (DHTML), and
    Cascading Style Sheets (CSS), and the underlying
    transport protocols that deliver content, e.g.
    Hypertext Transport Protocol (HTTP) and Hypertext
    Transport Protocol over SSL (HTTPS)
  • Inspect web services messages, if web services
    are exposed to the public Internet, e.g. Simple
    Object Access Protocol (SOAP) and eXtensible
    Markup Language (XML), both document- and
    RPC-oriented models, in addition to HTTP
  • Inspect any protocol or data construct that is
    used to transmit data to or from a web
    application
  • Defend against threats that target the WAF
    itself
  • Support SSL and/or TLS termination, or be
    positioned such that encrypted transmissions are
    decrypted before being inspected by the WAF
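"Enforce both positive and negative security models" is the point on this list that most often decides whether a WAF earns its keep, so here is an added Python example contrasting the two. It is a toy request filter written for this transcript, not from the presentation and not any vendor's product: the signature list, the per-endpoint schema, the `inspect_request` helper and the four sample request lines are all constructed for illustration.

```python
"""Added example: a toy request filter contrasting the negative security
model (block known-bad signatures) with the positive model (allow only what
the endpoint's parameter schema permits).  Not a real WAF and not from the
presentation or any vendor; the signatures, schema and sample requests are
all constructed for illustration."""
import re
import urllib.parse

# Negative model: a (deliberately small) list of known attack signatures.
NEGATIVE_SIGNATURES = [
    re.compile(r"<script\b", re.I),
    re.compile(r"\bunion\s+select\b", re.I),
    re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.I),
]

# Positive model: per-endpoint allowlist of parameter names and formats.
# Anything not described here is rejected.
POSITIVE_SCHEMA = {
    "/login": {
        "username": re.compile(r"[a-z0-9_]{1,32}"),
        "password": re.compile(r"[\x20-\x7e]{8,64}"),
    },
    "/search": {
        "q": re.compile(r"[\w \-]{1,64}"),
    },
}


def parse_request(line: str):
    """Split a constructed request line 'GET /path?query HTTP/1.1' into
    (path, params).  Percent-decoding happens once here, mirroring what the
    application itself will do; a real WAF must normalise exactly as the
    application does or attackers can slip through with double encoding."""
    target = line.split()[1]
    url = urllib.parse.urlsplit(target)
    params = dict(urllib.parse.parse_qsl(url.query, keep_blank_values=True))
    return url.path, params


def negative_model(path: str, params: dict):
    """Allow unless some parameter value matches a known-bad signature."""
    for name, value in params.items():
        for sig in NEGATIVE_SIGNATURES:
            if sig.search(value):
                return False, f"signature {sig.pattern!r} matched in {name}"
    return True, "no signature matched"


def positive_model(path: str, params: dict):
    """Allow only if the endpoint is known and every parameter is expected
    and well-formed; everything else is denied by default."""
    schema = POSITIVE_SCHEMA.get(path)
    if schema is None:
        return False, f"unknown endpoint {path}"
    for name, value in params.items():
        rule = schema.get(name)
        if rule is None:
            return False, f"unexpected parameter {name}"
        if not rule.fullmatch(value):
            return False, f"parameter {name} fails its format rule"
    return True, "all parameters conform"


def inspect_request(line: str) -> dict:
    """Return both models' (allowed, reason) verdicts for one request line."""
    path, params = parse_request(line)
    return {"negative": negative_model(path, params),
            "positive": positive_model(path, params)}


# Constructed sample traffic.  The third request is the textbook injection
# with its spaces replaced by SQL comments, which defeats the signature.
SAMPLE_REQUESTS = [
    "GET /login?username=alice&password=correct+horse HTTP/1.1",
    "GET /search?q=%27+OR+%271%27%3D%271 HTTP/1.1",
    "GET /search?q=%27%2F%2A%2A%2FOR%2F%2A%2A%2F%271%27%3D%271 HTTP/1.1",
    "GET /login?username=alice&password=correct+horse&debug=1 HTTP/1.1",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req)
        for model, (allowed, reason) in inspect_request(req).items():
            print(f"  {model:8s} {'ALLOW' if allowed else 'BLOCK':5s} {reason}")
```

The third and fourth sample requests are the lesson: the comment-obfuscated injection and the undocumented `debug` parameter both pass the signature list, while the allowlist rejects them without knowing anything about the attack. The price of the positive model is the schema itself, which must be kept in step with every application change; that maintenance burden is why the PCI criteria ask for both models rather than one.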

26
Web Application Firewalls
  • Barracuda Application Gateway
  • Breach Security
    • WebDefend
    • ModSecurity
  • Citrix NetScaler Application Security Firewall
  • F5 Application Security Manager
  • Fortinet Web Application / XML Firewall Appliance
    • FortiWeb
    • FortiDB
  • Imperva SecureSphere
    • Web Application Firewall
    • Database Firewall

27
Other sources of threats and exploits
  • WASC Statistics
  • SecurityFocus
  • Mitre Corporation
  • CERT
  • W3C
  • WebGoat Demo Environment
  • Managed Service Providers e.g. Trustwave, Cenzic

28
Stakeholder Websites
Stakeholder: Website
WASC: http://www.webappsec.org/
OWASP: http://www.owasp.org
IETF: http://www.ietf.org
W3C: http://www.w3c.org
NIST: http://csrc.nist.gov/mission/index.html
PCI: https://www.pcisecuritystandards.org/
29
Questions
Thank you for your attention
Mike Parsons, Security Consultant
Carolina Advanced Digital
336-403-9710
mike_at_cadinc.com