© copyright 2015 denim group - all rights reserved it’s no longer the network – now it’s all...
TRANSCRIPT
© Copyright 2015 Denim Group - All Rights Reserved
It’s No Longer the Network – Now It’s All About the Apps
Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP
Information Security Forum for Texas Government
May 20, 2015
© Copyright 2015 Denim Group - All Rights Reserved 2
Presentation Overview
• Traditional Network Security Activities Versus the New Reality
• Basic Application Security (AppSec) Fundamentals
• Risks Associated With Vulnerable Applications
• Mobile (In)Security • Review Some Actual Vulnerability Data• What Can You Do to Help? • Tools and Resources to Assess and Audit
AppSec Maturity
© Copyright 2015 Denim Group - All Rights Reserved 3
Traditional Network Security Centric Approach
Policies and
Procedures
Patching and Configuration
Changes
Logging and Monitoring
Firewalls
Network Intrusion Detection/Prevention Systems
Anti-Virus and Endpoint Security
Security Info Event Systems
© Copyright 2015 Denim Group - All Rights Reserved 4
Myth #1 – I Don’t Need Application Security Because My Network is Secure
Technical Rationale Non-Technical Rationale
© Copyright 2015 Denim Group - All Rights Reserved 5
Application Security Fundamentals • Application security includes measures taken
throughout an application's life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance of the application.*
• The primary focus is on Layer 7 of the OSI Model• AppSec should be part of an organization’s or
vendor’s Software (or System) Development Life-Cycle (SDLC)
• A key component of application security should be for developers and their managers to be aware of basic AppSec requirements, common threats and effective countermeasures
• AppSec knowledge and maturity is significantly lower today than traditional network security
* Wikipedia
© Copyright 2015 Denim Group - All Rights Reserved 6
Risks Associated With Vulnerable Applications
• Unauthorized access to sensitive citizen or organizational data• Theft of sensitive data to conduct identity theft, credit card fraud or
other crimes• Defacement of websites; strong potential for brand/reputation damage• Manipulation of data impacting data integrity, quality and
organization’s reputation• Redirection of users to malicious web sites; phishing and malware
distribution• Denial of service; availability of data • Attackers can assume valid user identities • Access to hidden web pages using forged URLs• Attacker’s hostile data can trick the interpreter to execute unintended
commands
© Copyright 2015 Denim Group - All Rights Reserved 7
The Attack Profile Continues to Change
Top Attacks By Product Type Infrastructure 41.9%
Application 32.6%
ICS-SCADA 11.6%
Content Management Systems 11.6%
SSL/TLS 2.3 % (Heartbleed)
Most Exploited OpenSSL TLS/DTLS Heartbleed
GNU Bash Variable Content
GNU Bash Variable Function Definitions
Drupal Core SQL Injection
Adobe Flash Player Remote Code Execution
Source: Cisco 2015 Annual Security Report
© Copyright 2015 Denim Group - All Rights Reserved 8
Let’s Look at Mobile Applications
• Today’s large companies each spend an average of $34 million annually to develop mobile apps we use to shop, bank and more. However, only an average of 5.5% of this immense budget is spent on securing these apps against hackers and security.
• Forty percent of companies do not scan the code in their mobile apps for security vulnerabilities
• Fifty percent of companies have zero budget specifically earmarked for any security of their mobile applications
Source: March 2015 Ponemon/IBM Report of 400 Companies
© Copyright 2015 Denim Group - All Rights Reserved 9
Example High Risk Web Vulnerability
Reflected Cross Site Scripting
The application contains a page which renders data included in its URL in a manner that does not encode or otherwise filter injected client-side script. The page is vulnerable to reflected cross-site scripting (XSS) attacks. Below is a screenshot of the administrative login page:
When invalid credentials are submitted, the application responds with the error message “Wrong username or password. Please try again.” Denim Group observed the error message is included as a query string argument in the URL for the associated page: https://application/index.php?state=login_small&state2=admin&go_to_state=admin&go_to_state2=&errormessage=Wrong%20username%20or%20password.%20Please%20try%20again.
© Copyright 2015 Denim Group - All Rights Reserved 10
Brute Force Attack Vulnerability
Inadequate Account Lockout
The application does not impose restrictions on the number of failed login attempts. An attacker can repeatedly submit invalid credentials without the account becoming disabled, allowing brute force attacks until the account is compromised. Weaknesses in the application’s password policy contribute to the potential for an attacker to successfully compromise victim’s accounts. Vulnerability Description A brute force attack is an attempt by a malicious user to gain access to the application by sending a large number of possible passwords and/or usernames. Since this technique involves a large amount of login attempts, an application that does not limit the number of allowed false login requests is vulnerable to these attacks. If the site does not lock the account after several false attempts, the attacker may eventually discover the account password and use it to impersonate the account's legitimate user.
© Copyright 2015 Denim Group - All Rights Reserved 11
Poor Application Password Management
Reflected Cross-Site Scripting
The application does not implement recommended industry practices in its password management. Failure to impose a rigorous password policy eases the efforts of an attacker to circumvent the authentication mechanism. Weaknesses include:
Users are not required to change passwords upon receiving new ones Users are not notified by email when their passwords have been changed Passwords (at minimum) must be six characters in length. However, the policy does not enforce
the inclusion of integers or symbols. This policy allows for users to set passwords which are at risk of being cracked by a brute force attack. The application does not implement countermeasures to prevent these forms of attack.
Passwords can be reused Passwords are sent to users via email in plaintext Old passwords are not validated in the Change Password form
© Copyright 2015 Denim Group - All Rights Reserved 12
Value and Risk Are Not Equally Distributed
• Some Applications Matter More Than Others– Value and character of data being managed– Value of the transactions being processed– Cost of downtime and breaches
• Therefore All Applications Should Not Be Treated the Same– Allocate different levels of resources to assurance– Select different assurance activities– Also must often address compliance and regulatory
requirements
© Copyright 2015 Denim Group - All Rights Reserved 13
First Step – Application Inventory and Risk Ranking
• The best place to begin any application security assessment is to obtain (or create) an inventory of all applications used by your organization. Include custom built, COTS, mobile, web, 3rd party developed and SaaS.
• Risk rank the applications based on their criticality to the organization, the sensitivity of the data processed/stored and compliance requirements
• Attempt to determine if the applications have been tested for security vulnerabilities and when. Examine contracts for 3rd party applications.
© Copyright 2015 Denim Group - All Rights Reserved 14
Next Step – Implement a Risk Based Approach
• Determine the size and complexity of critical applications
• Determine the underlying technology (Java, .net, Ruby, etc.)
• Research the kinds of attacks directed against your types of applications
• Perform or commission application security scanning coupled with manual testing
• Prioritize the vulnerabilities and create a remediation plan
• Follow up to determine that vulnerabilities are being remediated
© Copyright 2015 Denim Group - All Rights Reserved 15
Myth #2 – An Automated Scanner Can Find All The Application Vulnerabilities That Exist
• There is no “silver bullet” for identifying application security vulnerabilities. There are different classes of tools ranging from static code scanners that assess the code to dynamic scanners that analyze logic and data flow. Generally, 30% to 40% of vulnerabilities can be identified by scanners; the remainder are uncovered by other means.
• Manual testing allows an informed and experienced tester to attempt to manipulate the application, escalate privileges or get the application to operate in a way it was not designed to do.
• But wait, there’s more…………
© Copyright 2015 Denim Group - All Rights Reserved 16
Unauthenticated Automated Scan
What Goes Into An Application Test?
Automated Source Code Scanning
Blind Penetration Testing
Manual Source Code Review
Authenticated Automated Scan
Informed Manual Testing
Automated Binary Analysis
Manual Binary Analysis
Application security goes well beyond simply running a scanning tool. For critical or high value applications, or those that process sensitive data, thorough testing may actually include a combination of several methods.
© Copyright 2015 Denim Group - All Rights Reserved 17
AppSec – What Can You Do and Why?
Information Security Professionals
• Promote AppSec awareness in your organization
• Confirm that application security testing is part of your overall security program
• Demand that all applications developed by 3rd parties be tested and remediated prior to being placed in production
• Get all developers and their managers trained on AppSec
• Obtain and review the SDLC from a security perspective
IT Auditors
• Influence your leaders to include AppSec in the organization’s annual risk assessment or audit plan
• Increase your relevance and value to your organization by identifying risks associated with poorly coded applications
• Conduct a simple initial audit to assess what controls are in place
• Conduct a subsequent audit to determine the effectiveness of those controls; measure time to fix
© Copyright 2015 Denim Group - All Rights Reserved 18
Tools and Resources • Open Software Assurance Maturity Model
(OpenSAMM) – A freely available open source framework that organizations can use to build and assess their software security programs www.opensamm.org
• The Open Web Application Security Project (OWASP) – Worldwide not-for-profit organization focused on improving the security of software. Source of valuable free resources www.owasp.org
• Open Source or Low Cost Application Security Scanners – OWASP Zed Attack Proxy (ZAP), w3af, Mavituna Netsparker, Websecurify, Wapiti, N- Stalker, SkipFish, Scrawlr, Acunetix, and many more to do basic discovery work
© Copyright 2015 Denim Group - All Rights Reserved 19
The OWASP Top 10
• A1 Injection • A2 Broken Authentication and Session Management • A3 Cross-Site Scripting (XSS) • A4 Insecure Direct Object References • A5 Security Misconfiguration • A6 Sensitive Data Exposure • A7 Missing Function Level Access Control • A8 Cross-Site Request Forgery (CSRF) • A9 Using Components with Known Vulnerabilities • A10 Unvalidated Redirects and Forwards
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
© Copyright 2015 Denim Group - All Rights Reserved 20
The OWASP 2014 Top 10 For Mobile
• M1 Weak Server Side Controls • M2 Insecure Data Storage• M3 Insufficient Transport Layer Security • M4 Unintended Data Leakage • M5 Poor Authorization and Authentication• M6 Broken Cryptography• M7 Client Side Injection • M8 Security Decisions Via Untrusted Inputs • M9 Improper Session Handling • M10 Lack of Binary Protections
https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
© Copyright 2015 Denim Group - All Rights Reserved 21
Example AppSec Audit Work Program Software Assurance Maturity Model (SAMM) Scorecard
Level 1
Maturity Level
Activity
Business Functions # Security Practices/Phase A B
Governance
1 Strategy & Metrics 0.5 0 1
2 Policy & Compliance 0.5 0 1
3 Education & Guidance 0 0 0
Construction
4 Threat Assessment 0 0 0
5 Security Requirements 0.5 0 1
6 Secure Architecture 0 0 0
Verification
7 Design Review 0.5 0 1
8 Code Review 0 0 0
9 Security Testing 0 0 0
Deployment
10 Vulnerability Management 1 1 1
11 Environment Hardening 1 1 1
12 Operational Enablement 0 0 0
SAMM Valid Maturity Levels0 Implicit starting point representing the activities in the Practice being unfulfilled
1 Initial understanding and ad hoc provision of Security Practice
2 Increase efficiency and/or effectiveness of the Security Practice
3 Comprehensive mastery of the Security Practice at scale
Legend
Objective Activity was met.
Objective Activity was not met.
Example AppSec Audit Work Program
© Copyright 2015 Denim Group - All Rights Reserved 22
Questions / Contact Information
Joe KrullDirector
(210) 572-4400
www.denimgroup.com
blog.denimgroup.com