
Web Application Security Diane Fraiman Vice President






Presentation Transcript


  1. Web Application Security Diane Fraiman Vice President

  2. The Facts Reviewed….
     • Code Red infected 359,000 servers in less than 14 hours; at the peak it infected more than 2,000 new hosts/minute; estimated cost $2.6B (Computer Economics)
     • Within 24 hours of NIMDA hitting, 50% of the infected hosts went offline (CNet)
     • 1 vulnerability exists in every 1,500 lines of code (IBM's Watson Research Lab); Windows XP has 45M lines of code; W2K has 35M lines of code; MS code lines double every 866 days….
     • $18 billion in sales is expected to be lost due to concerns about online security in 2002 (FTC)
     • Between 65-90% of companies experienced some sort of security breach in 2000 (CSI/FBI)

  3. Cyber crime on the Rise
     [Two charts] Number of Hacks (Source: CERT, incidents reported; 2002 value interpolated) and Avg Cost of Cyber crime/Company (Source: CSI/FBI, U.S. companies surveyed only, excluding wiretapping; 2002 value interpolated)

  4. The Problem is Real
     • 3 out of 4 business websites are vulnerable to attack (Gartner)
     • Internet fraud expected to exceed credit card fraud by 2003 (VNUnet)
     • 75% of hacks occur at the Application level (Gartner)
     • The results of over 300 AppAudits conducted with AppScan:
       - 97% Vulnerable
       - 31% Full Control & Access to Info.
       - 4% Minor Breach
       - 7% Modify Information
       - 7% Hijack Transaction
       - 25% Privacy Breach
       - 23% e-Shoplifting
       - 3% Delete Web Site

  5. The Fourth Level of Web Security
     [Diagram: four layers, each with its security control and the attacker behavior it addresses; Web Applications is the fourth level]
     Layer              Security           Behavior
     Desktop            Antivirus          Disruption
     Network            Firewall           Illegal Access
     Transport          Encryption         Interception
     Web Applications   Manual Patching    Perversion

  6. What is a Web Application?
     [Diagram: Browser -> Web Server -> Front end Application (User Interface Code) -> Backend Application -> Database (Data); both valid input and invalid input arrive as ordinary HTML/HTTP]
     Invalid data can exploit weaknesses in the application, acting as escape holes that result in access to unauthorized accounts, the O/S and network, and sensitive data, and may even result in an application denial of service.
     Without any protection, holes and backdoors exist at every layer waiting to be exploited.

  7. From Sanctum Audits
     • Top 5 banks
       - Took root control of system, listed all sys admins & signed up 2 Senior VPs for credit cards at -129%
       - Found cross-site scripting, hidden fields & parameter tampering allowing access to all backend systems
       - Hundreds of servers out for weeks with Nimda
       - Broke into Peoplesoft Purchasing and HR applications; also broke into broker/dealer application
     • Major Regional Banks
       - Took control of ISS web server
     • Top 5 Mutual Fund
       - "Code Red gave us a bloody nose; Nimda tore off body parts"
       - Hundreds of servers out for weeks with Nimda
     • Top 2 Credit Card companies
       - Forceful browsing accessed Netegrity SiteMinder directory: got userid/password file
     • Airline
       - Downloaded source code; cookie poisoning = identity theft; accessed all employee schedules (still did not buy solution; thought they could solve it manually!)
     • Healthcare
       - Accessed all patient files and altered information
     • Telco
       - Entire customer billing record database available

  8. Ten Types of Application Hacks
     • Hidden Field Manipulation - eShoplifting
     • Parameter Tampering - access OS or sensitive data; fraud
     • Backdoors and Debug Options - access code/application as developer or admin
     • Cookie Poisoning - identity theft, illegal transactions
     • Stealth Commanding (OS command injection) - access OS or control application at OS level, site defacement
     • Forceful Browsing - access sensitive data
     • Cross-Site Scripting - attacker-supplied script is served by the site and runs in other users' browsers; session hijacking (eHijacking), access sensitive data
     • Buffer Overflow - access sensitive data, or crash site/application
     • 3rd-Party Misconfiguration - access OS or data
     • Published/Known Vulnerabilities - access OS; crash site; access sensitive data

  9. Hidden Field Manipulation
     • Vulnerability explanation: The application sends state to the client in a hidden form field (for example a price or an account number) and reads it back on the next request. A hidden field is invisible in the browser but fully editable by the user (save the page and change the value, or modify the request in an intercepting proxy), so the data returning to the web application can differ from what the application sent.
     • Why Hidden Field Manipulation exists: Passing hidden fields is a simple and efficient way to pass information from one part of the application to another (or between two applications) without keeping session state on the backend.
     • As a result of this manipulation: The application acts according to the changed information and not according to the original data, unless it re-derives the value on the server or binds the field to a server-side secret.

  10. Hidden Manipulation - Example

  11. Hidden Manipulation - Example

  12. Hidden Manipulation - Example

  13. Hidden Manipulation - Example

  14. Hidden Manipulation - Example
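The example screenshots above are not in the transcript, so here is an added, runnable illustration of the weakness on slide 9 and of two fixes. It is not code from the deck or from Sanctum; the catalogue, the form field names (`sku`, `qty`, `price`) and the signing key are constructed for this example. The vulnerable handler trusts the `price` hidden field the browser sends back; the first hardened handler ignores the client's price and looks it up by SKU on the server, and the second shows the alternative for state that genuinely must round-trip through the client: sign it with an HMAC and reject anything whose tag does not verify.

```python
"""Hidden-field manipulation: vulnerable checkout beside two hardened variants.

Added illustration, not code from the Sanctum deck. CATALOGUE, the form field
names and SECRET_KEY are constructed for the example.
"""
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed catalogue: the server-side source of truth for prices (in cents).
CATALOGUE = {"sku-1001": 4999, "sku-2002": 12900}

# Assumption: an application secret that never leaves the server.
SECRET_KEY = b"example-only-secret-rotate-in-production"


def vulnerable_checkout(form_body: str) -> int:
    """Trusts the 'price' hidden field the browser echoes back.

    The server rendered <input type="hidden" name="price" value="4999">, but
    whatever the client edits before POSTing is accepted verbatim.
    """
    fields = parse_qs(form_body)
    qty = int(fields["qty"][0])
    price = int(fields["price"][0])  # client-controlled: eShoplifting
    return qty * price


def hardened_checkout(form_body: str) -> int:
    """Never trusts the price: re-derives it from the SKU on the server."""
    fields = parse_qs(form_body)
    sku = fields["sku"][0]
    qty = int(fields["qty"][0])
    if sku not in CATALOGUE or not 1 <= qty <= 99:
        raise ValueError("invalid sku or quantity")
    return qty * CATALOGUE[sku]


def sign_hidden(value: str) -> str:
    """Alternative when state must round-trip via the client: attach an HMAC tag."""
    tag = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_hidden(signed: str) -> str:
    """Return the original value, or raise if the client changed it."""
    value, _, tag = signed.rpartition(".")
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("hidden field tampered")
    return value


def signed_checkout(form_body: str) -> int:
    """Accepts the client-carried price only if its HMAC tag verifies."""
    fields = parse_qs(form_body)
    qty = int(fields["qty"][0])
    price = int(verify_hidden(fields["price"][0]))
    return qty * price


def safe_checkout(handler, form_body: str):
    """Run a handler; return the total, or None when it rejects the submission."""
    try:
        return handler(form_body)
    except (ValueError, KeyError):
        return None
```

Of the two fixes, server-side lookup is the one to prefer: it removes the hidden field entirely, so there is nothing to tamper with. The HMAC variant still exposes the value to the client (it prevents modification, not disclosure) and needs key management, so reserve it for opaque state that cannot be reconstructed from a server-side record.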

  15. Parameter Tampering
     • Vulnerability explanation: Parameters (URL query strings and POST bodies) are used to obtain information from the client. Nothing stops the client from changing a parameter's value, or supplying a parameter the page never offered, before the request is sent.
     • Why Parameter Tampering: Developers focus on the legal values of parameters and how they should be utilized. Little if any attention is given to incorrect, out-of-range or unexpected values.
     • As a result of this manipulation: The application can perform a function that was not intended by its developer, like giving access to another customer's information.

  16. Parameter Tampering - Example

  17. Parameter Tampering - Example
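The example slides above are screenshots that did not survive extraction, so here is an added, runnable illustration of the parameter-tampering case on slide 15. It is not code from the deck or from Sanctum; the account table, the session cookies and the `/account?id=` URL shape are constructed for this example. The vulnerable handler checks that the caller is logged in and then serves whatever `id` was asked for; the hardened handler validates the parameter's shape and checks that the record belongs to the session's user. `tamper_sweep` is what an attacker does with the vulnerable endpoint: walk adjacent ids and keep the ones that come back.

```python
"""Parameter tampering: an account lookup that authenticates but never authorises.

Added example, not from the deck. ACCOUNTS, SESSIONS and the URL shape are
constructed; the vulnerable handler mirrors the slide's failure mode (only the
"legal" id values were considered by the developer).
"""
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed data store and session table.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 2500},
    "1002": {"owner": "bob", "balance": 9100},
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def _id_param(url: str) -> str:
    """Extract the 'id' query parameter (empty string if absent)."""
    return parse_qs(urlparse(url).query).get("id", [""])[0]


def vulnerable_account_view(url: str, session_cookie: str) -> Optional[dict]:
    """Checks that the caller is logged in, then serves whatever id they ask for."""
    if session_cookie not in SESSIONS:
        return None
    # The developer only thought about the id the page link legitimately carries.
    return ACCOUNTS.get(_id_param(url))


def hardened_account_view(url: str, session_cookie: str) -> Optional[dict]:
    """Same endpoint with input validation and an ownership check."""
    user = SESSIONS.get(session_cookie)
    if user is None:
        return None
    acct_id = _id_param(url)
    # 1. Reject values outside the expected shape before they reach any back end
    #    (a SQL-backed store would otherwise see "1001 OR 1=1"-style input).
    if not acct_id.isdigit():
        return None
    acct = ACCOUNTS.get(acct_id)
    # 2. Object-level authorisation: the record must belong to the session's user.
    if acct is None or acct["owner"] != user:
        return None
    return acct


def tamper_sweep(handler, session_cookie: str, start: int = 1000, count: int = 5):
    """What an attacker does: walk adjacent ids and record which ones are served."""
    readable = []
    for n in range(start, start + count):
        if handler(f"/account?id={n}", session_cookie) is not None:
            readable.append(str(n))
    return readable
```

The ownership check is the essential part; whitelisting the parameter's shape is cheap defence in depth and also stops the injection-style values mentioned on slide 8 from ever reaching the back end.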

  18. What is a Viable Solution?
     • VIABLE = Positive Security Model:
       - Vulnerability Assessment tools: bullet-proof applications before they go into production
       - Application Firewalls: block, log and alert against known/unknown attacks
         · Behavioral / Policy-based
         · Automatically builds a policy in real time for the site
         · Allows only intended business interactions
         · Maintains intended application behavior
         · e.g., Code Red and Nimda blocked without updates or rules
     • Not Viable = Negative Security Model:
       - Signature/Rules-based: blocks known attacks based on signatures, heuristics or rules
       - e.g., need a patch installed or signatures written to block Code Red & Nimda

  19. Traditional (Manual) Vulnerability Assessment
     • Issues:
       - process is complex
       - security knowledge needed for performing a successful audit
     • The process:
       - Manual coverage of relevant business processes
       - Full inspection of client side scripts and comments
       - Full inspection of application interfaces
       - Manual analysis of potential vulnerabilities
       - Manual testing of potential vulnerabilities
       - Check for installation of known patches
     • The knowledge:
       - Complete understanding of application logic
       - Complete knowledge of application manipulation methods
       - Memory of all known patch issues
       - Complete understanding of the most secure configuration of all tools

  20. Traditional Auditing: the problem
     • Multiple points of people failure
       - Development, QA, Operations, Vendor software, Outsourcing
     • New third party bugs discovered every day
       - site exposed during patch latency
     • Site Complexity
       - many lines of code and application interactions
     • Compressed application development cycle
       - time to market needs will impact development and QA
     • Distributed Knowledge
       - No single person has all the knowledge needed for a full audit
     Never ending, time consuming and expensive!

  21. Automatic Application Vulnerability Assessment
     • Explore: automatically explore the site, discover potential vulnerabilities, & dynamically create tests to evaluate
     • Test: test and validate potential vulnerabilities and assign success and severity ratings
     • Report: generate custom reports with information targeted at specific levels of security expertise and functions
     This process can be repeated as often as necessary: once a week, once a month, or only one time.

  22. Automatic Application Vulnerability Assessment: Benefits
     • Explore
       - Automation enables coverage of the application
       - Automatic extraction of information from the application
       - Deploys a knowledgebase of possible vulnerabilities
       - Automatically covers all potential holes
     • Test
       - Automatically identifies successful attacks
       - Coverage of all potential vulnerabilities
       - Refinement stage (multi-attack correlation)
     • Reporting
       - Automatically generates a findings report
       - Supplies solution recommendations
     Automation = less time & more coverage. Expert system = reduces the needed knowledge.
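To make the Explore / Test / Report loop of slides 21 and 22 concrete, here is an added, runnable miniature of it. It is not AppScan or any Sanctum code: the target site (`PAGES`), the deliberately trusting `target_app` back end, the `CANARY` value and the detection heuristic are all constructed for this example so the whole loop runs offline. Explore crawls links and collects forms with their inputs; Test resubmits each form with one hidden field changed to a canary and flags the server if the canary comes back as if it were trusted data (the eShoplifting case of slide 9); Report turns the findings into a short text summary.

```python
"""Explore / Test / Report: a minimal automated application assessment.

Added example, not AppScan. PAGES, target_app, CANARY and the heuristic are
constructed for this illustration.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

# --- constructed target --------------------------------------------------------
PAGES = {
    "/": '<a href="/shop">shop</a> <a href="/about">about</a>',
    "/about": "<p>About us</p>",
    "/shop": ('<form action="/buy" method="post">'
              '<input type="hidden" name="sku" value="sku-1001">'
              '<input type="hidden" name="price" value="4999">'
              '<input type="text" name="qty" value="1">'
              '<input type="submit" value="Buy"></form>'),
}


def target_app(path: str, body: str = "") -> str:
    """Back end that trusts the hidden 'price' field (the weakness under test)."""
    if path == "/buy":
        f = parse_qs(body)
        return f"<p>Order total: {int(f['qty'][0]) * int(f['price'][0])}</p>"
    return PAGES.get(path, "<p>404 not found</p>")


# --- explore ---------------------------------------------------------------------
class PageModel(HTMLParser):
    """Collects links and forms (with their inputs) from one HTML response."""

    def __init__(self):
        super().__init__()
        self.links, self.forms, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and "href" in a:
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action", ""), "inputs": []}
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append(a)

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def explore(start: str = "/") -> list:
    """Breadth-first crawl from `start`; returns every form discovered."""
    seen, queue, forms = set(), [start], []
    while queue:
        path = queue.pop(0)
        if path in seen:
            continue
        seen.add(path)
        model = PageModel()
        model.feed(target_app(path))
        forms.extend(model.forms)
        queue.extend(model.links)
    return forms


# --- test ------------------------------------------------------------------------
CANARY = "1337"  # should never surface in a response unless the server trusted it


def probe_hidden_fields(form: dict) -> list:
    """Resubmit the form with each hidden field set to the canary; flag echoes."""
    inputs = [i for i in form["inputs"] if i.get("name")]
    baseline = {i["name"]: i.get("value") or "" for i in inputs}
    hidden = [i["name"] for i in inputs if i.get("type") == "hidden"]
    normal = target_app(form["action"], urlencode(baseline))
    findings = []
    for name in hidden:
        resp = target_app(form["action"], urlencode({**baseline, name: CANARY}))
        if CANARY in resp and CANARY not in normal:
            findings.append({"action": form["action"], "field": name,
                             "type": "hidden field manipulation",
                             "severity": "high", "evidence": resp})
    return findings


# --- report ----------------------------------------------------------------------
def run_audit(start: str = "/") -> list:
    """Full loop: explore, then test every discovered form."""
    findings = []
    for form in explore(start):
        findings.extend(probe_hidden_fields(form))
    return findings


def report(findings: list) -> str:
    lines = [f"{len(findings)} finding(s)"]
    for f in findings:
        lines.append(f"[{f['severity'].upper()}] {f['type']}: "
                     f"{f['action']} field {f['field']!r}")
    return "\n".join(lines)
```

The canary heuristic is the "validate, then rate" step of slide 21 in its simplest form: a finding is recorded only when the mutated value demonstrably changes the server's behaviour, not merely because a hidden field exists. A real scanner adds many more mutation classes (the other nine hack types on slide 8) and correlates them, but the explore / test / report skeleton is the same.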

  23. Vulnerability assessment tools
     • Commercial
       - Application Vulnerability Assessment: Sanctum / AppScan
       - Network & Known Vulnerability Scanners: ISS / Internet Scanner; NAI / CyberCop; eEye / Retina
     • Public Domain
       - Known Vulnerability Scanners: Whisker; Nessus
       - Proxy Scanners: Achilles; HTTPush; RFProxy; WebSleuth

  24. Full Online Application Protection: ICSA Requirements for an Application Firewall
     • Functions at the application level (ISO model layer 7)
       - Understands inbound and outbound requests
       - Blocks invalid requests without terminating the entire user session
     • Designed to recognize & protect against application threats
       - Signature & non-signature attacks
     • Dynamic and Accurate
       - Understands application logic
       - Compatible with Web application technologies
       - Designed with the real world environment in mind: code/content changes every day
     • Works in Real Time
       - Addresses threats before they reach the server
     • Provides Application Level Forensics
       - Logging & Alerting
     • Single Point of Administration
       - One solution to protect all application components

  25. How an Application Firewall Works
     [Diagram: Browser <-> Dynamic Policy Recognition Engine* <-> Web Server]
     The Security Policy is built dynamically in real time as pages are requested by the user.
     * Sanctum, Inc. patented technology

  26. How an Application Firewall WorksHidden Manipulation

  27. How an Application Firewall WorksHidden Manipulation

  28. How an Application Firewall WorksHidden Manipulation

  29. How an Application Firewall WorksHidden Manipulation

  30. How an Application Firewall WorksBlocking the Attack
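Slides 26 to 30 are screenshots that did not survive extraction, so here is an added, runnable model of the positive security model described on slides 18 and 25. It is not AppShield or any Sanctum code, and it makes no claim about how the patented engine works internally; the page contents (`HOME`, `SHOP`), the regexes used to pull links and form fields out of a response, and the `SIGNATURES` list are constructed for this example. The idea being modelled is the one the slides state: the policy for a session is whatever the server actually sent to that session (links, forms, hidden values), and a request that was never offered, carries a parameter the form did not have, or returns a hidden field with a changed value is blocked without any signature. A three-entry negative-model check is included for contrast.

```python
"""Positive security model in miniature: the policy is what the server offered.

Added example, not Sanctum's AppShield. HOME, SHOP, the regexes and SIGNATURES
are constructed for this illustration.
"""
import re
from urllib.parse import urlparse

HREF_RE = re.compile(r'href="([^"]+)"')
FORM_RE = re.compile(r'<form[^>]*action="([^"]+)"[^>]*>(.*?)</form>', re.S)
INPUT_RE = re.compile(r'<input[^>]*type="(\w+)"[^>]*name="(\w+)"(?:[^>]*value="([^"]*)")?')

# Constructed pages the server sends to one session.
HOME = '<a href="/shop">shop</a> <a href="/about">about</a>'
SHOP = ('<form action="/buy" method="post">'
        '<input type="hidden" name="sku" value="sku-1001">'
        '<input type="hidden" name="price" value="4999">'
        '<input type="text" name="qty" value="1">'
        '<input type="submit" value="Buy"></form>')


class DynamicPolicy:
    """Per-session policy learned from outbound responses, enforced on inbound requests."""

    def __init__(self, entry_points=("/",)):
        self.allowed_paths = set(entry_points)  # pages this session may request next
        self.forms = {}                         # action path -> {field: fixed value or None}

    def learn(self, html: str) -> None:
        """Outbound direction: everything the server offered becomes allowed."""
        for href in HREF_RE.findall(html):
            self.allowed_paths.add(urlparse(href).path)
        for action, body in FORM_RE.findall(html):
            fields = {}
            for itype, name, value in INPUT_RE.findall(body):
                # Hidden fields must come back unchanged; user-editable ones may vary.
                fields[name] = value if itype == "hidden" else None
            path = urlparse(action).path
            self.forms[path] = fields
            self.allowed_paths.add(path)

    def check(self, path: str, params: dict):
        """Inbound direction: return None to allow, or the reason to block."""
        if path not in self.allowed_paths:
            return "forceful browsing: path was never offered to this session"
        expected = self.forms.get(path)
        if expected is None:
            return "unexpected parameters on a page that takes none" if params else None
        for name, values in params.items():
            if name not in expected:
                return f"unknown parameter {name!r} (debug option / backdoor probe)"
            fixed = expected[name]
            if fixed is not None and values != [fixed]:
                return f"hidden field {name!r} changed from {fixed!r}"
        return None


# Negative model for contrast: it catches only what someone already wrote a rule for.
SIGNATURES = ("cmd.exe", "../", "<script")


def signature_check(params: dict):
    joined = " ".join(v for values in params.values() for v in values)
    return "signature match" if any(s in joined for s in SIGNATURES) else None


def session_demo() -> dict:
    """Walk one session through the firewall; returns each request's verdict."""
    policy = DynamicPolicy()
    policy.learn(HOME)  # user requested /, server answered, policy updated
    policy.learn(SHOP)  # user followed the /shop link; form and hidden values learned
    legit = {"sku": ["sku-1001"], "price": ["4999"], "qty": ["2"]}
    tampered = dict(legit, price=["1"])
    return {
        "legit": policy.check("/buy", legit),
        "hidden_tamper": policy.check("/buy", tampered),
        "forceful": policy.check("/admin/backup.zip", {}),
        "extra_param": policy.check("/buy", dict(legit, debug=["1"])),
        "signature_on_tamper": signature_check(tampered),  # None: no rule matches
    }
```

Note what the model does and does not give you: the hidden-field, forceful-browsing and debug-parameter cases are blocked with no prior knowledge of the attack, which is the point of slide 18, while the `qty` field is left free because the form declared it user-editable, so range checks on such fields remain the application's job. The policy is also only as good as the response parsing; content assembled client-side by script would need to be learned another way.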

  31. Application Level Forensics

  32. Web Application Protection Solutions
     • Content Integrity: TripWire / TripWire; Gilian / G-Server
     • Network Separation: Whale / eGap; SpearHead / AirGap
     • Access Control: Netegrity / SiteMinder; RSA-Securant / ClearTrust
     • Protected OS: Argus / PitBull; HP / Virtual Vault
     • Known Attack Detection: Entercept / Entercept WS; Okena; eEye / SecureIIS
     • Web Application Firewall: Sanctum / AppShield (the only application firewall certified by ICSA Labs)

  33. Protecting at the OS level: Host Intrusion Prevention
     • Host Intrusion Prevention Solutions:
       - Reside at the OS level only (i.e., a wrapper around the OS)
       - Prevent OS vulnerabilities from being exploited
       - Reside on network servers (i.e., mail and ftp) and/or web servers

  34. But, the Applications Remain Vulnerable Even with OS holes plugged, the applications remain unprotected

  35. Sanctum
     • Sanctum is the recognized industry leader for Web application security solutions
       - 200 customers: 54 of the F100
       - 8 of the top 10 financial institutions in the U.S. use Sanctum solutions
       - Global Leadership: Japan and Europe
       - Intellectual property leadership: 3 patented, 4 patent-pending technologies
       - Financial Services, retail, healthcare, media, telecom & utilities industries, government
     • Strategic Partnerships
       - PWC; IBM Global Services; Netegrity; ATT; Perot Systems; Accenture; E&Y
     • Sanctum is the only company that provides automatic enforcement of intended business processes, ensuring the protection of core information and data
       - AppShield: Web application firewall, full online prevention
       - AppScan: automated vulnerability assessment solution

  36. Summary
     • Web Perversion is a huge problem:
       - $18 Billion in lost sales forecasted due to security concerns in 2002 (FTC)
       - 75% of attacks are at the Application level (Gartner Group)
       - Hackers victimized 90% of large corporations and government agencies within the last 12 months (CSI and FBI)
     • Security is an urgent management issue and a mandatory Core Value:
       - Your Web applications are at the heart of your business
       - Security is a Business Driver
     • Protecting Your Web Applications is the Enterprise Equivalent of National Security:
       - Performing application level audits and/or application level prevention and detection is crucial
       - Automation must be fought with automation
     SANCTUM is the Recognized Leader for Web Application Security Solutions: www.SanctumInc.com

  37. SAVE YOUR SITE GET
