Application security : going quicker - ISACA Excellium.pdf (59 slides)

Uploaded by dothu, posted on 29-Mar-2018

TRANSCRIPT

Page 1

Application security : going quicker

The web application firewall example

Agenda

Page 2

Agenda

o Intro

o Application security

o The dev team approach

o The infra team approach

o Impact of the agility

o The WAF

Page 3

Intro Context

• Who am I ?
• A web application firewall friend
• A pentester
• A developer
• Responsible for the appsec and pentest department at Excellium

Page 4

Intro Context

From the Verizon Data Breach report

Page 5

Intro Context

While malware is more related to the users, the hacking side is more related to the servers.

Page 6

Intro Context : it all begins here

Page 7

Intro Context
Historical approach : the magic box theory (WAF)
Team : Infra

• Managed by the infrastructure
• Not understanding HTTP
• Positive and negative security models
• Block 100% of the attacks (as the vendor said)
• Block more than 100% of the attacks in reality

Page 8

Intro Context
Historical approach : peer programming
Team : Dev

• Quality oriented
• Limited by the reviewer knowledge
• Slow

Page 9

Intro Context
Historical approach : bug bounty programs
Team : Red team

• Microsoft : up to 100 k€ / bug
• Google : up to 100 k€ / bug
• Facebook : up to 15 k€ / bug
• Performed by security experts
• Only the visible surface
• No knowledge of the enterprise strengths/weaknesses
• How can the attacker be trusted or not ?

Page 10

Intro Context
Historical approach : SDLC enhancement
Team : Risk and Compliance

Page 11

Application Security costs

Page 12

Intro Context : it all begins here

Page 13 (repeated on pages 14 and 15)

Intro Context : the beginning

• Infrastructure team
• Production team
• Development team
• System team
• Testing team
• Architecture team
• GRC team
• Middleware team
• Business team

Page 16

Agenda (section divider, same list as page 2)

Page 17

How to protect : the enterprise view

• How to assess the security if the application changes continuously ?
• How to stay in the budget ?
• How to protect an application we don't know ?

Page 18

How to protect : the enterprise view

Infra : WAF
• Rewriting engine
• Signatures
• Whitelist
• Virtual patching

SAST
• Code quality
• Injections
• Insecure crypto issue
• Libraries analysis
• Dynamic languages
• Dynamic frameworks

DAST
• Vulnerability scanner
• Bad configuration checks
• Infrastructure checks
• Generic vulnerabilities

Page 19

How to protect : the enterprise view

Stack diagram, grouped into "Network and security devices" and "Application components", with a vertical axis labelled "obfuscation level":

• Web/Application servers
• Application containers
• Frameworks and libraries
• Middlewares
• Database
• Business logic
• Custom code
• Communication channel

Page 20

Agenda (section divider, same list as page 2)

Page 21

How to protect : the dev view

SAST
• Code quality
• Injections
• Insecure crypto issue
• Libraries analysis
• Dynamic languages
• Dynamic frameworks

Page 22

Frameworks

Can the security tools automate the tests for each kind of stack ?

Knowing that the frameworks are hiding the vulnerabilities (GWT, ...)

Pages 23 and 24

How to protect : the dev view (no text transcribed)

Page 25

How to protect : the dev view (SAST)

Pro                            | Cons
-------------------------------|---------------------------------------
Automated                      | Not fully security oriented
Ran for each change            | Doesn't test the environment
Quick                          | But slow if manual
Knowledge of the frameworks    | Not controlled by the security teams
Integrated with the repository |

Page 26

Agenda (section divider, same list as page 2)

Page 27

How to protect : the infra view

Infra : WAF
• Rewriting engine
• Signatures
• Whitelist
• Virtual patching

Page 28

How to protect : the infra view

Web Attack types (from OWASP)

Client side:
• XSS: Reflective, Persistent, DOM based
• CSIT
• Flash
• Applets (HTML5 Web Sockets)
• Clickjacking

Session side:
• Cookie fixation
• Cookie stealing
• Cookie guessing
• CSRF
• SOP bypass (HTML5)

Server side:
• Fingerprinting
• Exploit
• Crawling
• Path traversal
• HTTP methods
• File extension
• HTTP splitting
• HTTP smuggling
• Error message

Programming language side:
• Exploit
• File inclusion
• Variable control
• Variable overwriting
• Serialization
• Error message

Application side:
• Business logic
• Privilege escalation
• Replay
• Buffer overflow
• Authentication
• Code injection
• WSDL discovery
• SOAP XML
• DoS
• XXE
• Error message

Data side:
• SQL injection
• SQL wildcard
• LDAP injection
• XML injection
• XPath injection
• SMTP header injection

Pages 29 and 30

How to protect : the infra view

WAF Capabilities

Both slides show the same attack-type table as page 28 (Client side, Session side, Server side, Programming language side, Application side, Data side). The marking that indicates which of these attack types a WAF can cover is not preserved in the transcript.

Page 31

How to protect : the security team view (WAF)

Pro                                     | Cons
----------------------------------------|------------------------------------------
Exhaustive (as a security component)    | No knowledge of the application changes
Controlled by the security teams        | Ruleset to maintain
Good false positive tuning capabilities | Not aware of the application business logic
Protect the environment                 | Not integrated with the repository

Page 32

How to protect : the security team view

DAST
• Vulnerability scanner
• Bad configuration checks
• Infrastructure checks
• Generic vulnerabilities

Page 33

How to protect : the dev view (no text transcribed)

Page 34

How to protect : the security team view (DAST)

Pro                              | Cons
---------------------------------|------------------------------------------
Automated                        | No knowledge of the application changes
Controlled by the security teams | Lack of framework support (JavaScript)
Quick                            | Not aware of the application business logic
Test the environment             | Limited to known vulnerability patterns
Integrated with the repository   |

Page 35

Agenda (section divider, same list as page 2)

Page 36

Before

Design -> Implementation + Unit testing -> Integration testing -> Business testing -> External security audit -> Fix issues -> Go live

Security validation arrives only at the end !

Page 37

SDLC enhancement

Design -> Design security review -> Implementation + Unit testing -> Security code and configuration review -> Fix issues -> Integration testing -> Business testing -> Internal security audit -> Risk analysis validation -> Fix issues -> Security audit -> Fix issues (only small issues here) -> Go live

The audit validates the complete stack. Can it be automated ?
What about the time for a vulnerability to be integrated in this cycle ?
Is it possible to follow the cycle for more than 16000 vulnerabilities per year ?

Page 38

SDLC enhancement (same flow as page 37)

But the release has to be quicker, with more features, with fewer bugs, ...

Page 39

Agility Impact

Release management in sprints implies quicker :

• Patch management
• Risk analysis
• Security policy update/definition
• Roll back capabilities

Page 40

Agility Impact (no text transcribed)

Page 41

What to fight against ?

Step 1 : Get shell on the server
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
• CAPEC-88: OS Command Injection

Step 2 : Retrieve exploit and tools
• CSC 5-1: No antivirus deployed.
• CSC 11-7: Lack of filtering on the network/application firewalls

Step 3 : Get admin credential and maintain
• MS14-58 Vulnerabilities in Kernel-Mode Driver Allow Remote Code Execution
• Plaintext password stored in memory
• CSC 16-8: Weak or nonexistent password policy
• CWE-262: Not Using Password Aging (krbtgt account)

Page 42

Agenda (section divider, same list as page 2)

Page 43

Application Security

Secure software requirement :
• Compliance ISO 27001
• Security requirements
• Compliance with clients, asking for security proofs
• Intrusion tests result and release postponed
• Data privacy

Pages 44 to 51

Agility Impact

What do we want ? (the list is built up one annotation per slide; the complete slide, page 51, reads)

• Continuous security test -> the dev team knows how to automate
• Quick security policy update -> the dev team knows how to automate (continuous integration, devops)
• Quick release -> dev team
• Fewer vulnerabilities -> the infrastructure team has the DAST tools
• Fewer false positives -> the security team knows the attacks
• Detect the vulnerabilities quicker -> the security team knows the attacks, the infrastructure team has the SAST tools

Pages 52 and 53

Can we automate ?

Kind of security tests :
• Static tests
• Dynamic tests
• Regression tests
• WAF policy tests
• Behavior driven tests

How to reduce the vulnerability window ?
Can we see the infrastructure as a software component of the application ?

The loop on the slide: "We don't automate" because "we don't have time", and "we don't have time" because "we don't automate".

Page 54

Security dev

Pipeline components (diagram): Jenkins, SonarQube, OWASP Dependency Check, IIS / Tomcat, OWASP ZAP
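The following is an added example and not code from the Excellium deck: a Python gate that a Jenkins job could run after the Dependency Check and ZAP stages of the pipeline sketched on the slide, reading the two scanners' JSON reports and failing the build when a finding reaches the agreed severity threshold, with a reviewed suppression list for accepted findings. The field names used (`dependencies` / `vulnerabilities` / `severity` for Dependency Check, `site` / `alerts` / `riskcode` for ZAP) are my assumption about the two report layouts and should be checked against the tool versions in use; the two reports below are constructed inline with placeholder identifiers so the script runs offline.

```python
"""Added example (not from the deck): a CI gate over Dependency Check and ZAP reports.

Assumption: the field names below follow the JSON report layouts of OWASP
Dependency Check and OWASP ZAP as I know them; verify against your versions.
"""
import json

# One severity scale for both tools so a single threshold applies to every report.
SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# ZAP reports risk as a string code: "0" informational ... "3" high.
ZAP_RISKCODE = {"0": "INFO", "1": "LOW", "2": "MEDIUM", "3": "HIGH"}

# Constructed sample reports (placeholder identifiers, not real findings).
SAMPLE_DEPENDENCY_CHECK = {
    "dependencies": [
        {"fileName": "example-lib-1.0.jar",
         "vulnerabilities": [
             {"name": "PLACEHOLDER-VULN-1", "severity": "HIGH"},
             {"name": "PLACEHOLDER-VULN-2", "severity": "LOW"},
         ]},
        {"fileName": "clean-lib-2.3.jar"},  # no "vulnerabilities" key at all
    ]
}
SAMPLE_ZAP = {
    "site": [
        {"@name": "http://testing-server.example",
         "alerts": [
             {"alert": "Cross Site Scripting (Reflected)", "riskcode": "3"},
             {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1"},
         ]}
    ]
}


def dependency_check_findings(report):
    """Flatten a Dependency Check report into (tool, location, id, severity) tuples."""
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            severity = str(vuln.get("severity", "INFO")).upper()
            findings.append(("dependency-check", dep.get("fileName", "?"),
                             vuln.get("name", "?"), severity))
    return findings


def zap_findings(report):
    """Flatten a ZAP JSON report into the same tuple shape."""
    findings = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            severity = ZAP_RISKCODE.get(str(alert.get("riskcode", "0")), "INFO")
            findings.append(("zap", site.get("@name", "?"),
                             alert.get("alert", "?"), severity))
    return findings


def gate(findings, threshold="HIGH", suppressions=()):
    """Return (passed, blocking): blocking holds the findings at or above the
    threshold whose id is not in the reviewed suppression list. The list is the
    security team's decision and lives in the repository so it is versioned."""
    limit = SEVERITY_RANK[threshold]
    blocking = [f for f in findings
                if SEVERITY_RANK.get(f[3], 0) >= limit and f[2] not in suppressions]
    return (not blocking, blocking)


def gate_reports(dc_report, zap_report, threshold="HIGH", suppressions=()):
    """Parse both reports (dicts or JSON strings) and apply the gate."""
    if isinstance(dc_report, str):
        dc_report = json.loads(dc_report)
    if isinstance(zap_report, str):
        zap_report = json.loads(zap_report)
    return gate(dependency_check_findings(dc_report) + zap_findings(zap_report),
                threshold, suppressions)


if __name__ == "__main__":
    passed, blocking = gate_reports(SAMPLE_DEPENDENCY_CHECK, SAMPLE_ZAP)
    for tool, where, ident, severity in blocking:
        print(f"BLOCKING {severity:8s} {tool:17s} {where}: {ident}")
    # A non-zero exit is what makes the Jenkins stage fail.
    raise SystemExit(0 if passed else 1)
```

With the sample reports the gate fails at the default threshold (one HIGH library finding, one high-risk ZAP alert) and passes either at threshold CRITICAL or once both findings are in the suppression list; which of those is acceptable is exactly the policy question the slides leave to the security team rather than to the pipeline.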

Page 55

Security infrastructure : EyeWAF

Diagram elements: Visitor, HTTP(s), WAF, Tester, Application Server, Testing Server
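The "WAF policy tests" listed under "Can we automate ?" (pages 52 and 53) and the tester / WAF / testing server arrangement on the EyeWAF slide call for a regression suite run against the WAF policy on every release. The following is an added example, not code from the deck or from EyeWAF: the WAF is emulated in-process by `ToyWaf` (my construction) with a positive model (whitelisted routes and a format per parameter) and a negative model (a short signature list), and `run_policy_tests` replays a fixed case list and reports every verdict that differs from what the policy promises. Legitimate requests are part of the suite on purpose, so a rule that starts blocking the application's own traffic fails the run just like a missed attack shape. In a real deployment `ToyWaf.decide` would be replaced by an HTTP client that sends the request through the WAF to the testing server and reads the verdict from the response; the routes, formats and cases below are constructed.

```python
"""Added example (not from the deck): regression tests for a WAF policy.

Assumption: the WAF is emulated in-process (ToyWaf); in the EyeWAF setup the
tester would instead send each request through the real WAF to the testing
server and derive the verdict from the response.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    params: dict = field(default_factory=dict)


class ToyWaf:
    """Positive model: known routes with a format per parameter.
    Negative model: a small signature list for generic attack shapes."""

    def __init__(self, routes, signatures):
        self.routes = {key: {p: re.compile(rx) for p, rx in spec.items()}
                       for key, spec in routes.items()}
        self.signatures = [re.compile(s, re.IGNORECASE) for s in signatures]

    def decide(self, req):
        """Return ("block", reason) or ("allow", None)."""
        spec = self.routes.get((req.method, req.path))
        if spec is None:
            return ("block", "route not in whitelist")
        for name, value in req.params.items():
            if name not in spec:
                return ("block", f"unknown parameter {name}")
            if not spec[name].fullmatch(value):
                return ("block", f"parameter {name} fails its format")
        for sig in self.signatures:
            for value in req.params.values():
                if sig.search(value):
                    return ("block", f"signature {sig.pattern!r}")
        return ("allow", None)


# Constructed policy for a two-route application: a search box and a profile form
# whose "comment" field is free text, so only the signatures protect it.
TOY_WAF = ToyWaf(
    routes={
        ("GET", "/search"): {"q": r"[\w .,'-]{1,100}"},
        ("POST", "/profile"): {"name": r"[A-Za-z' -]{1,40}", "comment": r".{0,200}"},
    },
    signatures=[r"\.\./", r"<\s*script", r"'\s*or\s+\d+\s*=\s*\d+"],
)

# Each case is (description, request, expected verdict). The "allow" cases are the
# false-positive side of the policy: a rule change that blocks them is a regression.
POLICY_CASES = [
    ("legitimate search", Request("GET", "/search", {"q": "blue shoes"}), "allow"),
    ("apostrophe in a name (false-positive check)",
     Request("POST", "/profile", {"name": "O'Brien", "comment": "hello"}), "allow"),
    ("route outside the whitelist", Request("GET", "/admin"), "block"),
    ("path traversal shape in search",
     Request("GET", "/search", {"q": "../../etc/passwd"}), "block"),
    ("script tag in free-text comment",
     Request("POST", "/profile", {"name": "Ann", "comment": "<script>alert(1)</script>"}), "block"),
    ("SQL tautology shape in comment",
     Request("POST", "/profile", {"name": "Ann", "comment": "x' or 1=1"}), "block"),
]


def run_policy_tests(waf, cases):
    """Return the cases whose verdict differs from the expectation (empty list = policy OK)."""
    failures = []
    for desc, req, expected in cases:
        verdict, reason = waf.decide(req)
        if verdict != expected:
            failures.append((desc, expected, verdict, reason))
    return failures


if __name__ == "__main__":
    for desc, req, expected in POLICY_CASES:
        print(f"{expected:5s} expected: {desc:45s} -> {TOY_WAF.decide(req)}")
    # Non-zero exit fails the pipeline stage when the policy has regressed.
    raise SystemExit(1 if run_policy_tests(TOY_WAF, POLICY_CASES) else 0)
```

The same case list is what the security team would maintain alongside the ruleset: the dev team adds a case whenever a route or parameter format changes (the "No knowledge of the application changes" weakness of page 31), and the infra team reruns the suite after every policy update.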

Page 56

Agility Impact

Can we imagine ?

• The dev team handling the dev and helping in the automation ?
• The infrastructure team handling the infrastructure rules based on the other teams' input
• The security team controlling what is done and creating the policies

Pages 57 and 58

Agility Impact (no text transcribed)

Page 59

Excellium Services S.A.

Thank you!