
Security Testing & The Depth Behind OWASP Top 10

Yaniv Simsolo, CISSP

Image: Hubble Telescope: The cat’s eye nebula


OWASP Top 10 2013

OWASP Top 10 – 2013 has evolved:

  • 2013-A1 – Injection

  • 2013-A2 – Broken Authentication and Session Management

  • 2013-A3 – Cross Site Scripting (XSS)

  • 2013-A4 – Insecure Direct Object References

  • 2013-A5 – Security Misconfiguration

  • 2013-A6 – Sensitive Data Exposure

  • 2013-A7 – Missing Function Level Access Control

  • 2013-A8 – Cross-Site Request Forgery (CSRF)

  • 2013-A9 – Using Known Vulnerable Components (NEW)

  • 2013-A10 – Unvalidated Redirects and Forwards


OWASP Top 10 2013

OWASP Top 10 – 2013 Resources:

  • https://www.owasp.org/index.php/Top_10_2013-Top_10

  • OWASP Top 10 2013 presentation by Dave Wichers, on the OWASP web site


Mapping Top 10: From 2010 to 2013

Source: OWASP Top 10 2013 presentation by Dave Wichers


Assumptions

  • In Information Security – several top 10 exist

    • OWASP Top 10 is dominant

  • “Top 3”: we all know about XSS, injection, CSRF, etc.

  • Most organizations are well aware of these issues


Assumptions

  • OK. What now?

  • “Top 6” = (“Top 3”) + (“we test what we can”):

    • Broken authentication and session management

    • Unvalidated redirects and forwards

    • Insecure direct object references

  • Most organizations are aware of these issues

  • OK, What now?


What did we miss?

  • Security misconfiguration – A5.

  • Missing Function Level access control – A7.

  • Using known vulnerable components – A9

  • A6 – sensitive data exposure now includes a merge of:

    • Insufficient transport layer protection (2010 – A9)

    • Insecure cryptographic storage (2010-A7)


What did we miss?

  • Security misconfiguration – A5.

    • (almost) not a web-application issue but an application/system one

  • Missing Function Level access control – A7.

    • Partly web application, partly application/system

  • Using known vulnerable components – A9

    • (almost) not a web-application issue but an application/system one


What did we miss?

  • A6 – sensitive data exposure now includes a merge of:

    • Insufficient transport layer protection (2010 – A9)

    • Insecure cryptographic storage (2010-A7)

  • Is this just Web Application?

  • Is the problem more severe once we look below the Web Layer?


What did we miss? Example

Security misconfiguration – A5

+

Using known vulnerable components – A9

=

Perimeter is not working


The Problem



Over Complexity

  • Too much data

  • Endless attack possibilities

  • Too many security solutions, vendors, products

  • No homogenous approach


The Attack Vectors

  • Any system

  • Any infrastructure

  • Any communication

  • Any language

  • Any architecture

  • Any component

  • Any information, any data

  • Any physical layer

  • Any logical layer

  • Any storage device / facility

  • Any (communication) channel

  • Any interface

  • Any encryption

  • Any environment

  • Any site (including DR)

  • Any transaction

  • Any log and audit trail

  • Any archive

  • Any process (operations, ongoing, development)


The Attack Types

  • Takeover

  • Data theft

  • Data tampering

  • System integrity disruption

  • Business logic manipulation

  • Eavesdropping

  • Backdoors – built in by design

  • Backdoors – created by attackers

  • Unintentional attacks

  • Intentional attacks by authorized entities

  • Attacks by non-human entities

  • Denial of Service

  • De facto Denial of Service

  • Authorization bypass

  • Access bypass

  • Smuggling, splitting and evasion-type attacks


The Problem

Even the simplified security areas present a demanding challenge. For example - XSS:

  • Very difficult to detect all variants in modern systems

  • Almost impossible to retain a high security level once it has been achieved


Common Solutions

  • Superficial security tests.

    • Many “good reasons”:

      • Budget

      • Time constraints

      • Lack of understanding

      • Over complexity


Common Solutions

  • Impacts of superficial security tests in the long run?

    • Partial to no security

    • Poor security practices

    • These organizations affect the security market, pulling it downwards!

    • Loss of integrity, in whole or in part, among security professionals

    • Worse still: false sense of security


Where Did That Get Us?

  • Ludicrous security warnings:

    • January 2013: Department of Homeland Security (US-CERT): do not use Java; remove the JRE.

    • April 2014: Department of Homeland Security (US-CERT): Internet Explorer versions 6 through 11 are not to be used.

    • April 2014: OpenSSL is insecure (Heartbleed)


Where Did That Get Us?

  • Poor security in design and architecture

  • (Almost) no security in Agile/Continuous Delivery developed code


Modern Systems Common Pitfall

  • Modern systems are more secure. Are they really?


Where Did That Get Us?

  • Challenging security presentations:

    • In-Depth Security is dead (RSA conference 2011)

    • Security is dead (Rugged coding - RSA conference 2012)

  • Ignorance is bliss….


Security Testing



How to Test?

  • This is messy. VERY messy.

  • There are shortcuts


How to Test?

  • Actually – most of it is quite easy to test.

  • Go back to theory.

  • Forget about the payloads.
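What “forget about the payloads” and the earlier XSS slide (“very difficult to detect all variants”) mean in practice, as an added example that is not part of the presentation: a payload blocklist misses trivial spelling variants, while encoding for the output context makes every variant inert without recognising any of them. The payload list, the blocklist and the three render functions are constructed for illustration.

```python
"""Context-aware output encoding versus a payload blocklist (2013-A3 XSS).

Added example, not part of the presentation. PAYLOADS, BLOCKLIST and the
three render functions are constructed for illustration.
"""
import html
from typing import List
from urllib.parse import urlsplit

# Constructed sample of attacker-controlled inputs: one canonical payload,
# a handful of its variants, and a URL-context payload.
PAYLOADS = [
    "<script>alert(1)</script>",
    "<SCRIPT>alert(1)</SCRIPT>",
    "<img src=x onerror=alert(1)>",
    "<svg/onload=alert(1)>",
    '" autofocus onfocus=alert(1) x="',
    "javascript:alert(1)",
]

# The "recognise the attack" approach: a case-sensitive substring blocklist.
BLOCKLIST = ("<script", "onerror=", "javascript:")


def naive_filter_blocks(value: str) -> bool:
    return any(bad in value for bad in BLOCKLIST)


def missed_by_naive_filter(payloads: List[str]) -> List[str]:
    """Variants the blocklist lets through; every new variant needs a new rule."""
    return [p for p in payloads if not naive_filter_blocks(p)]


def render_text(untrusted: str) -> str:
    """HTML body context: escape the HTML metacharacters (& < > " ') and
    every tag-based variant becomes inert text, however it is spelled."""
    return f"<p>{html.escape(untrusted, quote=True)}</p>"


def render_attr(untrusted: str) -> str:
    """Quoted attribute context: the same escaping keeps the value inside
    its quotes, so the breakout payload cannot append onfocus=."""
    return f'<input value="{html.escape(untrusted, quote=True)}">'


def render_link(untrusted_url: str) -> str:
    """URL context: escaping alone is not enough, because javascript:alert(1)
    contains no metacharacters. Allow-list the scheme first, then escape."""
    cleaned = untrusted_url.strip()
    scheme = urlsplit(cleaned).scheme.lower()
    href = cleaned if scheme in ("http", "https") else "#"
    return f'<a href="{html.escape(href, quote=True)}">link</a>'


def attribute_intact(rendered: str) -> bool:
    """True if the template's single tag and two quotes are the only markup
    present, i.e. the untrusted value did not break out of the attribute."""
    return rendered.count("<") == 1 and rendered.count('"') == 2


if __name__ == "__main__":
    print("missed by blocklist:", missed_by_naive_filter(PAYLOADS))
    for p in PAYLOADS:
        assert render_text(p).count("<") == 2   # only <p> and </p> survive
        assert attribute_intact(render_attr(p))
    print(render_link("javascript:alert(1)"))
    print(render_link("https://example.com/?q=<x>"))
```

Three of the six constructed inputs walk straight past the blocklist, and a tester chasing payloads would keep adding rules forever; the encoding functions need no knowledge of any payload, only of the context (body, attribute, URL) they write into, and the URL case shows why the theory matters: `javascript:` has nothing to escape, so that context needs a scheme allow-list, not an encoder.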


The Fallback Common Option

  • Test the GUI

  • Black Box testing methodology

  • Exclude the difficult stuff from scope

  • This is a “good” solution: it fits organizations and security professionals


The Fallback Common Option

  • “The greatest enemy of knowledge is not ignorance, it is the illusion of knowledge.”― Stephen Hawking

  • Testing just the GUI → illusion of knowledge

  • Testing just the FE (front end) → illusion of security

  • Increasingly often we are requested to test much less than the actual scope.

  • Consider carefully prior to testing – what should be the actual testing scope


How to test?

  • “Supreme excellence consists in breaking the enemy's resistance without fighting.” Sun Tzu

  • Common Mobile WCF architecture

    • Where is the presentation layer?

    • Which entities are granted access to business logic?


How to test?

  • OWASP top 10 – mobile:

Source: OWASP Top 10 Mobile project


The Oracle Exadata Example

  • Oracle Exadata simplified:

    • Data Warehouse platform

    • Consolidation/Grid platform

    • Storage platform

  • Exadata security best practices consist of:

    • The “regular stuff”

    • Database standard security

    • Data Warehouse specialized security

    • Consolidation/Grid specialized security


The Oracle Exadata Example

  • Oracle Exadata (as a database platform) Security Testing Benchmark:

    • Organization A tested:

      • The databases

      • The environments

      • The Data Warehouse specialized security

      • The Exadata itself

    • Organization B tested:

      • Just some deployed databases

      • Partial security testing for each database

      • Worse still: Exadata not to be tested as a policy

  • Who said: 2013-A5 Security Misconfiguration?


Testing A5, A7, A9

  • “If you know the enemy and know yourself you need not fear the results of a hundred battles”, Sun Tzu

  • Do we really know ourselves?

  • Where are A5, A7 and A9 implemented?

  • Not testing the BE (back end) → illusion of knowing


The Windows XP Example

  • Organization C defines and enforces strict development and deployment security standards for all its suppliers and customers.

  • Over 60 pages of procedures and instructions.

  • Insisting on supporting Windows XP based systems.

  • Who said: 2013-A9 Using Known Vulnerable Components?
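Knowing whether you run known-vulnerable components (the Windows XP example above, and A9 in general) starts with an inventory and a version comparison against advisories. The following is an added example, not the presentation's code: the inventory text and its one-line `component version` format are assumptions; the three advisory rows record real facts (Heartbleed affects OpenSSL 1.0.1 through 1.0.1f, Windows XP left support on 2014-04-08, the January 2013 Java zero-day was fixed in 7u11) but a real audit would read a maintained feed such as the NVD rather than a hand-typed table.

```python
"""Inventory audit for 2013-A9 (using known vulnerable components).

Added example, not part of the presentation. SAMPLE_INVENTORY and the
"component version" line format are assumptions; the ADVISORIES rows
record real facts, but a real audit should pull from a maintained feed
(NVD, vendor bulletins), not a hand-typed table.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed inventory: one "component version" pair per line;
# "# host:" comments switch the host the following lines belong to.
SAMPLE_INVENTORY = """
# host: app-01
openssl 1.0.1e
windows 5.1
java 1.7.0_10
nginx 1.6.2
# host: app-02
openssl 1.0.1g
"""


@dataclass(frozen=True)
class Advisory:
    component: str
    first_bad: str            # inclusive lower bound
    last_bad: Optional[str]   # inclusive upper bound; None = every later version too
    note: str


ADVISORIES = [
    # OpenSSL 1.0.1 through 1.0.1f are vulnerable to Heartbleed; 1.0.1g fixed it.
    Advisory("openssl", "1.0.1", "1.0.1f", "Heartbleed (CVE-2014-0160)"),
    # Windows XP is NT 5.1; support ended 2014-04-08, so every build stays unpatched.
    Advisory("windows", "5.1", "5.1", "Windows XP, unsupported since 2014-04-08"),
    # The January 2013 Java zero-day hit 7u10 and earlier; 7u11 fixed it.
    Advisory("java", "1.7.0", "1.7.0_10", "CVE-2013-0422, fixed in Java 7u11"),
]


def parse_version(v: str) -> Tuple:
    """'1.0.1f' -> ((1, 1), (1, 0), (1, 1), (0, 'f')). Numbers compare
    numerically and a letter suffix sorts after the bare number, so
    1.0.1 < 1.0.1f < 1.0.1g < 1.0.2 holds under plain tuple comparison."""
    return tuple((1, int(t)) if t.isdigit() else (0, t.lower())
                 for t in re.findall(r"\d+|[A-Za-z]+", v))


def version_in_range(v: str, first_bad: str, last_bad: Optional[str]) -> bool:
    pv = parse_version(v)
    if pv < parse_version(first_bad):
        return False
    return last_bad is None or pv <= parse_version(last_bad)


def parse_inventory(text: str) -> List[Tuple[str, str, str]]:
    """Return (host, component, version) for each inventory line."""
    host, rows = "unknown", []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            if "host:" in line:
                host = line.split("host:", 1)[1].strip()
            continue
        parts = line.split()
        if len(parts) >= 2:
            rows.append((host, parts[0].lower(), parts[1]))
    return rows


def audit_inventory(text: str) -> List[str]:
    """One finding per (host, component) whose version falls inside an advisory range."""
    findings = []
    for host, name, version in parse_inventory(text):
        for adv in ADVISORIES:
            if adv.component == name and version_in_range(version, adv.first_bad, adv.last_bad):
                findings.append(f"{host}: {name} {version}: {adv.note}")
    return findings


if __name__ == "__main__":
    for line in audit_inventory(SAMPLE_INVENTORY):
        print(line)
```

The version parser is the part that usually goes wrong in home-grown checks: a plain string comparison puts `1.0.1g` before `1.0.1` and `1.0.10` before `1.0.2`, which silently drops real findings. Note also that the audit only knows what the inventory tells it; a policy of “the platform is not to be tested” (Organization B above) leaves those rows out entirely.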


2013-A9 Using known Vulnerable Components

  • A vendor offers DBaaS (database as a service)

    • Excellent: beat the market by offering something-as-a-service...

  • How can the organization trust the security of the DBaaS?

    • Will separation be enforced?

    • Will compartmentalization be enforced?

  • Did we really test, and can we really trust, the cloud on which the DBaaS is built?


Declarative Security

  • What?

  • One of the foundations of run-time security in modern language platforms (e.g. Java EE deployment descriptors and Java security policy files).

  • Mostly ignored or bypassed.

  • Who said: Security misconfiguration – A5, Missing Function Level access control – A7?


Declarative Security

  • “Deployment descriptors must provide certain structural information for each component if this information has not been provided in annotations or is not to be defaulted.” (Oracle docs.)


Declarative Security

  • “Engage people with what they expect; it is what they are able to discern and confirms their projections. It settles them into predictable patterns of response, occupying their minds while you wait for the extraordinary moment — that which they cannot anticipate.” Sun Tzu

  • Missing or weak declarative security: once code access is achieved, the extraordinary becomes feasible.


Declarative Security

  • Poor design due to no design

  • Cancelling or ignoring declarative security → revoking the language's security fundamentals.

  • Common real-life deployment descriptors and policy files look like this Java security policy:

      // Do what you will. Totally permissive policy file.
      grant {
          permission java.security.AllPermission;
      };

  • → Killing my own code!
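How the missing declaration behaves at run time, and how a back-end test catches it. This is an added example, not from the presentation: Python stands in for the Java EE mechanism, and the route names, roles and request shape are assumptions. It serves the “How to test?” slide (which entities are granted access to business logic?), the “Testing A5, A7, A9” slide and the policy file above: a handler registered without `roles_allowed` is the counterpart of the `AllPermission` grant, the audit lists such routes (the A7 finding), and the access matrix exercises every route with every role rather than only the menu items the GUI shows.

```python
"""Function-level access control (2013-A7) as a declarative policy, plus an
audit that fails on anything left undeclared.

Added example, not from the presentation. Route names, role names and the
Request shape are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional

ROLES = ("anonymous", "user", "admin")


@dataclass
class Request:
    role: str
    path: str


class Forbidden(Exception):
    pass


# Each registered handler must declare who may call it. A handler with no
# declaration is the equivalent of java.security.AllPermission: it passes
# every test the GUI drives and is wide open to anyone who calls it directly.
_declared: Dict[str, Optional[FrozenSet[str]]] = {}
_handlers: Dict[str, Callable[[Request], str]] = {}


def route(path: str, roles_allowed: Optional[List[str]] = None):
    def register(fn):
        _declared[path] = frozenset(roles_allowed) if roles_allowed is not None else None
        _handlers[path] = fn
        return fn
    return register


def dispatch(req: Request) -> str:
    """The declarative check: enforced here, once, for every handler."""
    allowed = _declared[req.path]
    if allowed is not None and req.role not in allowed:
        raise Forbidden(f"{req.role} may not call {req.path}")
    return _handlers[req.path](req)


@route("/account", roles_allowed=["user", "admin"])
def account(req: Request) -> str:
    return f"account page for {req.role}"


@route("/admin/users", roles_allowed=["admin"])
def admin_users(req: Request) -> str:
    return "user list"


@route("/admin/export")  # no declaration: default-permissive, the A7 defect
def admin_export(req: Request) -> str:
    return "all customer records"


def undeclared_routes() -> List[str]:
    """Routes registered without roles_allowed: the findings a policy audit reports."""
    return sorted(path for path, roles in _declared.items() if roles is None)


def access_matrix() -> Dict[str, Dict[str, bool]]:
    """Exercise every route with every role, the way a back-end test should,
    not just the links each role sees in the GUI."""
    matrix: Dict[str, Dict[str, bool]] = {}
    for path in sorted(_handlers):
        matrix[path] = {}
        for role in ROLES:
            try:
                dispatch(Request(role=role, path=path))
                matrix[path][role] = True
            except Forbidden:
                matrix[path][role] = False
    return matrix


if __name__ == "__main__":
    print("undeclared routes:", undeclared_routes())
    for path, row in access_matrix().items():
        print(path, row)
```

Two checks come out of this, and both belong in the back-end test scope rather than the GUI: the static one (`undeclared_routes`) fails the build on any route with no declaration, and the dynamic one (`access_matrix`) is the full role × function table, which is what “which entities are granted access to business logic?” actually asks. In the constructed data `/admin/export` is reachable as `anonymous`, something a GUI walk-through as an admin would never reveal.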


Reverse Engineering (A5, A6, A9)

  • What for?

  • Why for Mobile security testing ONLY?

  • From Wikipedia:

    • Reverse engineering is the process of discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation.


Testing A2, A5, A6

  • 2013 A6 – Sensitive data exposure

  • 2013 A5 – Security misconfiguration

  • 2013 A2 – Broken authentication

  • Too much use of “third singulars” (the system, the user, the database, spoken of in the abstract)

    • The actual minute details of the tested object dissolve


2013-A5 Security Misconfiguration

  • “There is no external access!”

  • “The intended users will only perform intended actions…”

  • “Virtualization → separation” (assumed)


2013-A5 Security Misconfiguration

  • How do organizations secure legacy unsecured systems?

  • Install terminals (e.g. Citrix) as the presentation layer / access control layer.

  • Challenge: manage multiple users across multiple systems.

  • Result: the terminals are partially secure.

    • Too many terminals to manage over long periods

    • Some insecure

    • The insecure terminals are the attacker entry points.


Critical Thinking

  • Critical thinking is the ability to think clearly and rationally. This requires reflective and independent thinking. (Philosophy field)

  • For organizations, security is too difficult: over-complexity, too much to orchestrate, etc.

  • Increasingly often we are requested to test much less than the actual scope.

  • Some organizations will not be educated.

  • Push the industry back up with those organizations that can be educated.


Critical Thinking

  • For the security professionals, security is a challenge. Hence, always employ critical thinking and review the process of testing itself.

    • Flexibility under varying technologies

    • Use automated testing tools to the max AND be always aware of their limitations

    • Scoping accurately is mandatory


Questions?

Yaniv Simsolo, CISSP
