application security in the real world what the owasp top 10 means to everyone n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Application Security In the Real World What the OWASP Top 10 means to everyone PowerPoint Presentation
Download Presentation
Application Security In the Real World What the OWASP Top 10 means to everyone

Loading in 2 Seconds...

play fullscreen
1 / 50

Application Security In the Real World What the OWASP Top 10 means to everyone - PowerPoint PPT Presentation


  • 97 Views
  • Uploaded on

Application Security In the Real World What the OWASP Top 10 means to everyone. Lora Vaughn McIntosh Security Engineering Blue Cross Blue Shield of Alabama Lora.McIntosh@bcbsal.org (205)220-2181. About Me. BS Computer Science from Birmingham-Southern College

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Application Security In the Real World What the OWASP Top 10 means to everyone' - bree


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
application security in the real world what the owasp top 10 means to everyone
Application Security In the Real WorldWhat the OWASP Top 10 means to everyone

Lora Vaughn McIntosh

Security Engineering

Blue Cross Blue Shield of Alabama

Lora.McIntosh@bcbsal.org

(205)220-2181

about me
About Me
  • BS Computer Science from Birmingham-Southern College
  • Formerly employed at Accenture, National Security Agency, Regions Bank
  • Certifications:
    • Certified Information Systems Security Professional (CISSP)
    • EnCase Certified Examiner (EnCE)
agenda
Agenda
  • What’s an OWASP?
  • Why should I care?
  • Security myths
  • Hacks in the news
  • OWASP Top 10 in 10 minutes or less
  • Legacy and third party applications
  • Defense in depth
  • Where do you start?
owasp who
OWASP Who???
  • Open Web Application Security Project
  • 501c3 not-for-profit
  • Focused on improving the security of application software
  • Release Top 10 List periodically
    • 2010
    • 2007
    • 2004
progress you can t have it all
Progress—You can’t have it all
  • Business demands more bells and whistles
  • Internal applications get ‘web-enabled’ and are exposed to Intranet or Internet
  • Increasing complexity of software
  • Rush software out without adequate testing
  • Poor security training and awareness
things have changed
Things Have Changed
  • Threats have evolvedas the Internet and our world have evolved
  • Any website you visit could infect your browser—even a Google search
  • An infected browser can do anything you can do
  • An infected browser can scan, infect, spread

Source: owasp.org

regulations
Regulations
  • If you’re lucky enough to NOT need to meet
    • PCI
    • SOX
    • HIPAA
    • GLBA
    • Etc….

That’s nice, BUT what about

  • Your proprietary data?
  • Customer confidence?
  • Impact to operations?
  • Data integrity?

You still need to consider security. Period.

After all, you may just be one congressional session way from a new regulation.

so what
So What???
  • Defacement
  • Phishing
  • Denial of Service
  • Data Loss
  • Bot Infection
  • Loss of <fill in the blank>
  • Legal action
  • ...

See the Web Hacking Incidents Database on

http://www.webappsec.org/projects/whid/

ok you ve got me there
Ok, you’ve got me there…

How about I throw some money at the problem? Buy some tools!

well tools can t fix everything
Well…. Tools Can’t Fix Everything

MITRE found that all application security tool vendors’ claims put together cover only 45% of the known vulnerability types (over 600 in CWE)

They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true)

Source: owasp.org

the trouble with firewalls
The Trouble with Firewalls
  • Joe User says: “But we have a firewall”!
    • 75% of Internet Vulnerabilities are at the application layer, not the network layer
    • Gartner
    • Firewalls have to allow some things through, and attackers have adapted.
slide14

The Trouble with Firewalls Illustrated

Source: Jeremiah Grossman, BlackHat 2001

Source: owasp.org

but but we use ssl
But… But… We use SSL!
  • SSL only secures data in transit
  • Does not solve vulnerabilities on:
    • Applications
    • Web server
    • Browser
  • If you exploit the application, any data at rest encryption is useless too.
slide16

SSL Illustrated

Source: Jeremiah Grossman, BlackHat 2001

Source: owasp.org

myth my perimeter will save me
Myth – my perimeter will save me

Your security “perimeter” has huge holes at the application layer

Custom Developed Application Code

Application Layer

Databases

Legacy Systems

Web Services

Directories

Human Resrcs

Billing

APPLICATIONATTACK

App Server

Web Server

Hardened OS

Network Layer

Firewall

Firewall

You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks

Source: owasp.org

real life application hacks
Real Life Application (?) Hacks
  • CitiGroup
    • May 2011
    • Approximately 210,000 credit card holders
    • “Basically after you logged into your account as a Citi customer, the URL contained a code identifying your account. All you had to do was change around the numbers and boom, you were in someone else's account”
  • StuxNet
    • Targeted Siemens SCADA systems of Iranian nuclear facilities
    • Stolen encryption keys used to sign infected drivers
  • Zappos
    • January 2012
    • 24+ Million customer accounts
    • Name, e-mail, billing and shipping addresses, phone numbers, last 4 of credit card, encrypted passwords
  • TJ Maxx
    • 2007
    • 45.7 million credit/debit cards
owasp top 10 risk rating methodology
OWASP Top 10 Risk Rating Methodology

1

2

3

Injection Example

1.66 weighted risk rating

Source: owasp.org

owasp top ten 2010 edition
OWASP Top Ten (2010 Edition)

http://www.owasp.org/index.php/Top_10

Source: owasp.org

a1 injection
A1 – Injection

Source: owasp.org

sql injection
SQL Injection
  • A common issue in most applications
  • Can only occur when the application is building dynamic SQL that contains a string that is tainted with user supplied data

http://xkcd.com/327/

insecure direct object references illustrated
Insecure Direct Object References Illustrated
  • Attacker notices his acct parameter is 6065

?acct=6065

  • He modifies it to a nearby number

?acct=6066

  • Attacker views the victim’s account information
  • Look familiar???

https://www.onlinebank.com/user?acct=6065

Source: owasp.org

legacy application problems
Legacy Application Problems

Old Frameworks + Old Code + Old Vulnerabilities

= Low hanging fruit

We didn’t even know about some of these attacks 10 years ago

How old are your apps?

don t forget 3 rd party apps
Don’t forget 3rd Party Apps
  • Think
    • Frameworks
    • HR software
    • Data analytics tools
    • Cloud
defense in depth
Defense in Depth
  • Multiple layers of protection reduces the likelihood that an attacker will be successful
  • Firewall, IDS, etc? Useful technologies, but not as your sole defense
  • Penetration testing
  • Code analysis
  • Security training for your developers
write secure code in the first place
Write secure code in the first place
  • Build procedures into the process to mitigate risk (SDLC)
  • Create standards that will assist in answering FAQs
  • Libraries and best practices for coding
    • Follow the best practices in OWASP’s Guide to Building Secure Web Applications
      • http://www.owasp.org/index.php/Guide
    • Use OWASP’s Application Security Verification Standard as a guide to what an application needs to be secure
      • http://www.owasp.org/index.php/ASVS
    • Use standard security components that are a fit for your organization
      • Use OWASP’s ESAPI as a basis for your standard components
      • http://www.owasp.org/index.php/ESAPI

Don’t reinvent the wheel. If you try to write your own cleansing functions, you WILL miss something. Unless you’re a coding God, but even then…

but that ship already sailed so know your data
But that ship already sailed, so…Know your data
  • What data do you care about?
    • Regulations help – PCI, GLBA, HIPAA
    • Proprietary data—What’s your “secret sauce”?
    • What types of data do you have?
  • Where is that data?
    • Is it encrypted? Should it be?
    • How about backups?
    • Are you sure it’s not sitting on Susan’s workstation because “it’s easier if I don’t have to log on to the server”?
  • Who has access to that data?
    • Should they have access to it?
    • What happens when they change roles or jobs?
baby steps policy
Baby Steps - Policy
  • State that you intend to write secure code
  • Policy for remediating legacy code
  • Get security into the overall procurement and development cycle
baby steps standards
Baby Steps - Standards
  • Incorporate secure development standards (Start with OWASP?)
  • Require minimums
  • In the lifecycle, get stop points in place – QA cycle?
baby steps procedures
Baby Steps - Procedures
  • Pre-deployment checklists--a low cost approach to building application security in
  • Code reviews
  • Formal application security testing
  • Remediation plans
tools and services
Tools and Services
  • Review Your Applications
    • In house manual code review
      • Not a bad idea, but how many of your developers know the ins and outs of every single application vulnerability and exploit?
      • Application assisted static code analysis
        • Look into products like HP Fortify, Rational, Veracode, etc.
        • Most of these offer cloud and local solutions
        • Large amounts of tuning required to make sure your environment is reflected
    • Have an expert team or service review your applications
    • Review your applications yourselves following OWASP Guidelines
      • OWASP Code Review Guide: http://www.owasp.org/index.php/Code_Review_Guide
      • OWASP Testing Guide: http://www.owasp.org/index.php/Testing_Guide
options web application firewalls
Options: Web Application Firewalls
  • Can you spend the money?
  • Do you have the staff to manage one?
  • OWASP has great resources on when and where to use them
code analysis
Code Analysis
  • Dynamic, static, or both?
    • Each type can miss things
    • A combination is probably best, but can be costly
  • On premise, hosted, or hybrid?
    • Do you have the staff to implement?
    • Plans to remediate findings?
tools again
Tools… again

Dynamic Analysis

Static Analysis

  • Vendors
    • Accunetix
    • Cenzic
    • HP Fortify
    • IBM
    • Veracode
  • Open Source (free or lower cost)
    • WebScarab
    • Nikto
    • Paros
  • Vendors
    • Coverity
    • IBM
    • HP Fortify
    • Veracode
  • Open Source (free or lower cost)
    • FindBugs (Java only)
    • Other options, but mostly targeting specific vulnerabilities like
you have tools now what
You have tools – now what???
  • Back to the people side
    • Sell it (much easier if you have regulations behind you)
    • Training
      • User
      • Administrator
    • Team to administer
    • Audit
      • Make sure developers are following procedures and using the tool
      • Ensure new vulnerabilities aren’t added – think “No new critical flaws”
  • Reporting
    • Can save you in an audit
    • Good place for metrics
    • . . .
    • Profit!!!

Source: owasp.org