Application Security on a Dime: Open Technologies, Tools, and Techniques for Running a Blossoming InfoSec Program. POSSCON – Columbia, SC, April 2015.



Anyone run Wordpress?

WordPress hacks are bountiful. Secure them using the latest hardening guidelines: http://codex.wordpress.org/Hardening_WordPress

Test #WordPress using WPScan (http://wpscan.org/), a blackbox vuln scanner. #posscon #appsec

Open Source Security Facilitated By…

And especially…..

A hacker's gateway drug to online perdition... or just a really helpful search engine.

Who am I? Why should you listen | care?

• 20 years of IT / InfoSec experience
• Utility | Fed | Banking | Retail | Healthcare | Information Services | Hosting | Financial Services | Manufacturing | Insurance | Real Estate
• Former developer | sysadmin | network engineer | ISO | security engineer | security architect | security assessor | security director | CISO
• Author, 'Risk Centric Threat Modeling', Wiley Life Sciences 2015 – comprehensive walk-through of security principles
• Started security consulting firm in 2007 – www.versprite.com
• Presentation based upon hands-on work and global travels working with both large enterprises and SMBs

SECURITY CULTURE BEGINS W/ GOVERNANCE

Establish a framework and ecosystem of security processes and tools.

• Establish governance
• Security requirements & resources
• Implementation of S-SDLC
• Use security frameworks
• Test, and test early
• Track defects

Before you begin, know inherent challenges

Challenges in AppSec

• Isolated SDLC efforts
• Anti-security culture
• Expanding heterogeneous tech stack
• Decentralizing management
• Security is not built into IT functions early on
• Targeted attacks
• Open intel on application components

Sound Solutions

A BIT ABOUT OWASP

Open Web Application Security Project

Intro to OWASP

• Open Web Application Security Project
• Community driven; 11 years old
• Dedicated to openness of all content & materials
• International community focused on AppSec
• Cross-cultural, cross-industry related challenges exposed and addressed
• Massively supportive and responsive
• Follow @OWASP


GOVERNANCE

Without governance, your security program will sink.

Unless you have this appear on all your servers…

…governance is the better starting point

Security Governance: Operations | Risk Management | Compliance

Although a key business driver, don't let Compliance eclipse Security. #POSSCON

Governance provides structure to a security program.

It makes security actionable, but can be a known black hole for security $$$.

Everyone's security threat is not yours. Don't believe the FUD; make risk-based security decisions.

Policies, Standards, Guidelines

• Policies provide accountability
• Standards govern technology
• Guidelines provide "best practices"
• Framework for enterprise operations
• Creates a baseline of what is 'secure' and 'acceptable' in terms of risk

Each Security Component Can Warrant Governance

Component            | Governance references
Program Governance   | NIST 800-100, NIST 800-39, OpenSAMM, NIST 800-53r4
Incident Response    | NIST 800-61r2, NIST CSF
Secure Development   | NIST 800-100, NIST 800-39, OpenSAMM
Security Testing     | OWASP ASVS, OWASP Testing Guide v4, PTES
Security Awareness   | Mostly tool based

OWASP Open SAMM

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.

Benefits
• Evaluate your organization's existing software security practices
• Build a balanced software security program in well-defined iterations
• Demonstrate concrete improvements

http://www.owasp.org/index.php/Category:OWASP_Software_Assurance_Maturity_Model_Project

Wide Scope Covered by OpenSAMM

• Supports a security plan or roadmap
• Establish governance
• Perform gap assessments
• Test and report
• Enhance security operations
• Build an S-SDLC initiative
• Measures success / shortcomings
• Provides metrics for reporting

http://www.owasp.org/index.php/Category:OWASP_Software_Assurance_Maturity_Model_Project

OpenSAMM Key Links

• Main link to the OpenSAMM gateway of resources: https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model

• Latest on the global initiative: https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit

SECURE CODING & SECURITY ARCHITECTURE

Simple considerations of secure coding & security architecture can lay a foundation of security for your development efforts.

OWASP Developer Guide

https://github.com/OWASP/DevGuide

OWASP Developer Cheat Sheets

• Clickjacking Defense Cheat Sheet
• C-Based Toolchain Hardening Cheat Sheet
• Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
• Cryptographic Storage Cheat Sheet
• DOM based XSS Prevention Cheat Sheet
• Forgot Password Cheat Sheet
• HTML5 Security Cheat Sheet
• Input Validation Cheat Sheet
• JAAS Cheat Sheet
• Logging Cheat Sheet
• .NET Security Cheat Sheet
• OWASP Top Ten Cheat Sheet
• Password Storage Cheat Sheet
• Pinning Cheat Sheet
• Query Parameterization Cheat Sheet
• Ruby on Rails Cheat Sheet
• REST Security Cheat Sheet
• Session Management Cheat Sheet
• SQL Injection Prevention Cheat Sheet
• Transport Layer Protection Cheat Sheet
• Unvalidated Redirects and Forwards Cheat Sheet
• User Privacy Protection Cheat Sheet
• Web Service Security Cheat Sheet
• XSS (Cross Site Scripting) Prevention Cheat Sheet
• Attack Surface Analysis Cheat Sheet
• XSS Filter Evasion Cheat Sheet
• REST Assessment Cheat Sheet
• IOS Developer Cheat Sheet
• Mobile Jailbreaking Cheat Sheet
• OpSec Cheat Sheets (Defender)
• Virtual Patching Cheat Sheet

S-SDLC/ Building Security-In

OWASP Developer References

Educate
• OWASP WebGoat – exercise successful implementation of OWASP countermeasures
• OWASP Top Ten – ranks top web app related risks; serves as a good scope for initial testing

Develop
• OWASP Code Review – methodology for source code reviews
• OWASP Development Guide – establishes a process for secure development efforts across various SDLCs
• OWASP Cheat Sheet Series
• OWASP Countermeasures – OWASP CSRFGuard, OWASP AntiSamy

Test
• OWASP Zed Attack Proxy – test against the OWASP Top Ten; use in conformance with the Testing Guide
• OWASP YASCA – leverages FindBugs, PMD, JLint, JavaScript Lint, PHPLint, Cppcheck, ClamAV, RATS, and Pixy to scan


OWASP Cheat Sheet Snippet: Insecure Direct Object References

It may seem obvious, but if you had a bank account REST web service, you have to make sure there is adequate checking of primary and foreign keys:

    https://example.com/account/325365436/transfer?amount=$100.00&toAccount=473846376

In this case, it would be possible to transfer money from any account to any other account, which is clearly insane. Not even a random token makes this safe.

    https://example.com/invoice/2362365

In this case, it would be possible to get a copy of all invoices. Please make sure you understand how to protect against insecure direct object references in the OWASP Top 10 2010.
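As an added example (not from the cheat sheet or the slides), this is the object-level ownership check the transfer and invoice URLs above are missing: the referenced account or invoice must belong to the authenticated user, not merely exist. The in-memory bank, user names and balances are constructed for the demo; the account and invoice numbers are the ones in the URLs.

```python
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when the caller does not own the object referenced in the URL."""


@dataclass
class Account:
    number: str
    owner: str
    balance: float


@dataclass
class Bank:
    accounts: dict = field(default_factory=dict)   # account number -> Account
    invoices: dict = field(default_factory=dict)   # invoice id -> owner username

    def _owned_account(self, user: str, number: str) -> Account:
        # The IDOR fix: check existence AND ownership against the session user.
        acct = self.accounts.get(number)
        if acct is None or acct.owner != user:
            raise AccessDenied(f"account {number} is not owned by {user}")
        return acct

    def transfer(self, user: str, from_number: str, to_number: str, amount: float) -> float:
        """Handles /account/<from>/transfer?amount=..&toAccount=.. for the logged-in user."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        src = self._owned_account(user, from_number)     # source must be the caller's
        dst = self.accounts.get(to_number)               # destination only has to exist
        if dst is None:
            raise ValueError(f"unknown destination account {to_number}")
        if src.balance < amount:
            raise ValueError("insufficient funds")
        src.balance -= amount
        dst.balance += amount
        return src.balance

    def invoice(self, user: str, invoice_id: str) -> str:
        """Handles /invoice/<id>: the invoice must belong to the requesting user."""
        if self.invoices.get(invoice_id) != user:
            raise AccessDenied(f"invoice {invoice_id} is not owned by {user}")
        return f"invoice {invoice_id} for {user}"


def demo_bank() -> Bank:
    """Constructed sample data: alice owns the source account and the invoice."""
    bank = Bank()
    bank.accounts["325365436"] = Account("325365436", "alice", 500.0)
    bank.accounts["473846376"] = Account("473846376", "mallory", 10.0)
    bank.invoices["2362365"] = "alice"
    return bank
```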

Java Regex Usage Example

Example validating the parameter "zip" using a regular expression. The snippet as printed on the slide had an unescaped backslash in the Java string literal, a missing closing parenthesis in the if condition, and an unchecked null from getParameter(); all three are fixed here.

    import java.io.IOException;
    import java.util.regex.Pattern;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    // Compiled once: a 5-digit ZIP with an optional -4 extension.
    // In a Java string literal the regex backslash must itself be escaped ("\\d").
    private static final Pattern zipPattern = Pattern.compile("^\\d{5}(-\\d{4})?$");

    public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
        try {
            String zipCode = request.getParameter("zip");
            // getParameter() returns null when the parameter is absent; treat that as invalid too
            if (zipCode == null || !zipPattern.matcher(zipCode).matches()) {
                throw new YourValidationException("Improper zipcode format.");
            }
            // ... do what you want here, after it has been validated ...
        } catch (YourValidationException e) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
        }
    }

OWASP XSS Cheat Sheet

OWASP AntiSamy

OWASP AntiSamy is an API for ensuring user-supplied HTML/CSS is compliant with the application's rules.
• API plus implementations
• Java, .Net, ColdFusion, PHP (HTMLPurifier)

Benefits
• It helps you ensure that clients don't supply malicious code into your application
• A safer way to allow for rich content from an application's users

http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project

OWASP CSRFGuard

OWASP CSRFGuard utilizes request tokens to address Cross-Site Request Forgery. CSRF is an attack where the victim is tricked into interacting with a website where they are already authenticated.
• Java, .Net and PHP implementations
• CSRF is considered the app sec sleeping giant

Benefits
• Provides code to generate unique request tokens to mitigate CSRF risks

http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
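An added illustration of the request-token pattern CSRFGuard implements, not CSRFGuard's own code: a per-session random token is embedded in the form and compared in constant time on every state-changing request. The TOKEN_PARAM field name and the in-memory Session class are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

TOKEN_PARAM = "OWASP_CSRFTOKEN"   # assumed form-field name for this example


@dataclass
class Session:
    """Server-side session; the token lives here, never only in a cookie."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def render_form(session: Session) -> str:
    """Embed the session's token as a hidden field; only same-origin pages can read it."""
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="{TOKEN_PARAM}" value="{session.csrf_token}">'
            '<input name="amount"><input name="toAccount"></form>')


def verify_csrf(session: Session, form: dict) -> bool:
    """Constant-time comparison of the submitted token with the session's token."""
    submitted = form.get(TOKEN_PARAM)
    if not submitted:
        return False
    return hmac.compare_digest(submitted, session.csrf_token)


def handle_transfer(session: Session, form: dict) -> str:
    """State-changing endpoint: refuse the request unless the token checks out."""
    if not verify_csrf(session, form):
        return "403 Forbidden: missing or invalid CSRF token"
    return f"transfer of {form.get('amount')} for {session.user} accepted"


def forged_request_rejected() -> bool:
    """A cross-site page can make the victim's browser POST with its cookies, but it
    cannot read the victim's page, so it cannot supply the per-session token."""
    victim = Session(user="alice")
    forged = {"amount": "100.00", "toAccount": "473846376"}         # no token at all
    other = Session(user="mallory")                                 # attacker's own token
    guessed = {**forged, TOKEN_PARAM: other.csrf_token}
    return (handle_transfer(victim, forged).startswith("403")
            and handle_transfer(victim, guessed).startswith("403"))
```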

SECURITY TESTING

Testing insecurities before your adversaries do

Threat Modeling provides targeted scope

• Purpose: identify possible threat agents, threat motives, vulnerabilities in infrastructure, attack patterns, and possible countermeasures
• Risk centric (Process for Attack Simulation & Threat Analysis) – http://versprite.com/docs/PASTA_Abstract.pdf
• Security centric (e.g. STRIDE threat categorization)
• Software centric – Microsoft Threat Modeling Tool http://www.microsoft.com/en-us/download/details.aspx?id=42518
• Some free solutions:
  – Seasponge – http://mozilla.github.io/seasponge/#/draw
  – Octotrike – http://octotrike.org/

OWASP ASVS - Security Assurance Methodology

The OWASP Application Security Verification Standard (ASVS) defines a standard for conducting app sec verifications.
• Covers automated and manual approaches for external testing and code review techniques
• Recently created and already adopted by several companies and government agencies

Benefits
• Standardizes the coverage and level of rigor used to perform app sec assessments
• Allows for better comparisons

http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project

OWASP Top Ten

The OWASP Top Ten represents a broad consensus of what the most critical web application security flaws are.
• Adopted by the Payment Card Industry (PCI)
• Recommended as a best practice by many government and industry entities

Benefits
• Powerful awareness document for web application security
• Great starting point and reference for developers

http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Prescriptive Advice for Testing

• Simplify!!!
• Create a roadmap
• Standardize testing
• Follow a methodology!!!
• Metrics are actually important. Really.
• Tools.

Sqlmap.py – Test for the dreaded SQLi

• Use in conjunction with Burp or Zed Attack Proxy
• Capture the POST request to the web site via the proxy
• Copy POST requests to a text file
• http://sqlmap.org/

Static Analysis Options for Source Code Reviews

Product    | License           | Type                   | Languages | Features
FxCop      | Open Source MS-PL | VS plugin              | .NET      | Security-specific static analysis, UI built into Visual Studio
RIPS       | Open Source GPL   | Standalone             | PHP       | Professional user interface, security-specific analysis
FlawFinder | Open Source GPL   | Standalone, text-based | C++       | Security-specific analysis (injections, overflow, etc.), dangerous function analysis
PreFast    | Open Source MS-PL | VS plugin              | C++       | General static analysis, UI built into Visual Studio
Brakeman   | Open Source MIT   | Standalone, text-based | Ruby      | Security-specific analysis, strong following

FlawFinder

• Works on C++ source code.
• Console-based and specifically targets security vulnerabilities.
• Uses a built-in database of C/C++ functions (e.g., strcpy(), strcat(), gets(), sprintf(), and the scanf() family), format string problems ([v][f]printf(), [v]snprintf(), and syslog()), race conditions (such as access(), chown(), chgrp(), chmod(), tmpfile(), tmpnam(), tempnam(), and mktemp()), potential shell metacharacter dangers (most of the exec() family, system(), popen()), and poor random number acquisition (such as random()).
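As an added illustration of what a dangerous-function scanner in the FlawFinder style does with that database, the following is not FlawFinder's code: it carries a constructed subset of the functions listed above with made-up risk levels, blanks out string literals and line comments so names inside them are not flagged, and scans a constructed C sample.

```python
import re

# Constructed subset of the rule database: name -> (risk level, category, note).
RULES = {
    "gets":    (5, "buffer",  "no bound on input length; use fgets()"),
    "strcpy":  (4, "buffer",  "no bound on copy; use a size-checked copy"),
    "strcat":  (4, "buffer",  "no bound on append; use a size-checked append"),
    "sprintf": (4, "buffer",  "no bound on output; use snprintf()"),
    "printf":  (4, "format",  "format string attack if user data is the format"),
    "system":  (4, "shell",   "shell metacharacters in arguments"),
    "popen":   (4, "shell",   "shell metacharacters in arguments"),
    "access":  (4, "race",    "TOCTOU race between access() and the later open()"),
    "tmpnam":  (3, "tmpfile", "predictable temp name; use mkstemp()"),
    "random":  (3, "random",  "not a cryptographic RNG"),
}

CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")   # identifier followed by "("


def strip_comments_and_strings(line: str) -> str:
    """Blank out string literals and // comments (block comments are not handled)."""
    line = re.sub(r'"(?:\\.|[^"\\])*"', '""', line)
    return line.split("//", 1)[0]


def scan(source: str, min_level: int = 1) -> list:
    """Return (line_no, function, level, category, note) for each risky call, worst first."""
    hits = []
    for no, raw in enumerate(source.splitlines(), 1):
        for name in CALL_RE.findall(strip_comments_and_strings(raw)):
            rule = RULES.get(name)
            if rule and rule[0] >= min_level:
                hits.append((no, name, rule[0], rule[1], rule[2]))
    return sorted(hits, key=lambda h: (-h[2], h[0]))


# Constructed C sample for the demo; not code from the slides.
SAMPLE_C = '''#include <stdio.h>
#include <string.h>
void greet(char *dst, const char *name) {
    // gets() is mentioned here only in a comment, so it must not be flagged
    strcpy(dst, name);                 // unbounded copy
    printf(name);                      // user data as the format string
    puts("strcpy inside a string literal is ignored");
    snprintf(dst, 64, "%s", name);     // not in the rule table
}
'''

if __name__ == "__main__":
    for line_no, func, level, cat, note in scan(SAMPLE_C):
        print(f"line {line_no}: {func}() level {level} [{cat}] {note}")
```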

RIPS

• Written in PHP, and for PHP specifically, to find vulnerabilities.
• Can create a program model of the source code.
• Detects vulnerable functions (sinks) that can be utilized by malicious user input.
• An audit framework is provided for further analysis in an IDE style.
• Detects XSS, SQL Injection, LFI/RFI, and RCE vulnerabilities.

Real Time Code Coverage during Black Box Testing

Follow your #blackbox web testing efforts with source code weakness #visualization: https://www.owasp.org/index.php/OWASP_Code_Pulse_Project #POSSCON #OWASP

SPARTA v1.0.2 Network Infra Testing

• Run nmap from SPARTA or import nmap XML output.
• Transparent staged nmap: get results quickly and achieve thorough coverage.
• Configurable context menu for each service. You can configure what to run on discovered services. Any tool that can be run from a terminal can be run from SPARTA.
• You can run any script or tool on a service across all the hosts in scope, just with a click of the mouse.
• Define automated tasks for services (i.e. run nikto on every HTTP service, or sslscan on every SSL service).
• Default credentials check for most common services. Of course, this can also be configured to run automatically.
• Identify password reuse on the tested infrastructure. If any usernames/passwords are found by Hydra they are stored in internal wordlists which can then be used on other targets in the same network (breaking news: sysadmins reuse passwords).
• Ability to mark hosts that you have already worked on so that you don't waste time looking at them again.
• Website screenshot taker so that you don't waste time on less interesting web servers.

Weeding out Bad Hash

• Bad hashes have plagued the news in recent #breaches. Validate your #hash: http://code.google.com/p/hash-identifier/ #appsec
• Hash ID: Python based hash validator

The Zed Attack Proxy

• Released September 2010
• Ease of use a priority
• Comprehensive help pages
• Free, open source
• Cross platform
• A fork of the well regarded Paros Proxy
• Involvement actively encouraged
• Adopted by OWASP October 2010

ZAP Overview – ZAP is:

• Easy to use (for a web app pentest tool ;)
• Ideal for appsec newcomers
• Ideal for training courses
• Being used by professional pen testers
• Easy to contribute to (and please do!)
• Improving rapidly

The Main Features – all the essentials for web application testing:

• Intercepting proxy
• Active and passive scanners
• Spider
• Report generation
• Brute force (using OWASP DirBuster code)
• Fuzzing (using OWASP JBroFuzz code)

The Additional Features:

• Auto tagging
• Port scanner
• Smart card support
• Session comparison
• Invoke external apps
• BeanShell integration
• API + headless mode
• Dynamic SSL certificates
• Anti-CSRF token handling

ZAP Test Drive (Demo)

ZAP Summary – ZAP has:

• An active development community
• An international user base
• The potential to reach people new to OWASP and appsec, especially developers and functional testers
• ZAP is a key OWASP project
• Security Tool of the Year 2013

BurpSuite

• Enhance scanners to detect more vulnerabilities
• Extend API, better integration
• Fuzzing analysis
• Easier to use, better help
• More localization (all offers gratefully received!)
• Parameter analysis?
• Technology detection?

INCIDENT RESPONSE

Knowing what to do during a fire is more important than the right tool(s)

Adopt a Robust Incident Response Framework

• Computer Security Incident Handling Guide – http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
• Check the security pages of the respective firewall companies on default DENY security configuration
• Integrating Forensic Analysis into Incident Handling – http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf
• Guide to IDS Management – http://csrc.nist.gov/publications/drafts/800-94-rev1/draft_sp800-94-rev1.pdf

Autopsy & The Sleuth Kit

OSSEC – Host IDS (HIDS)

Performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

TAKE-AWAYS

The only cost of security implementation is time and resources.

A Word on OpenSource Adoption

1. Define scope of adoption
   1. Driven by _ _ _ _ _ _ _ (impact, criticality, etc.)
   2. Use cases / abuse cases
   3. Architecture
2. Set up controlled adoption
3. Test, decompile, review
4. Become involved in dev forums

More Tools

• SET – Social Engineering Toolkit (http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET))
• BeEF – Browser Exploitation Framework (http://www.bindshell.net/tools/beef.html)
• Metasploit – http://www.metasploit.com/
• Kali – http://www.kali.org/
• Burp – http://portswigger.net/burp/
• Recon-ng – full featured web recon framework tool that is text based and written in Python: https://bitbucket.org/LaNMaSteR53/recon-ng
• Twitter? Yes, Twitter, 2nd to Google, is a hacker's paradise

Closing Thoughts

• Leverage open source sources to INFLUENCE your security program development / management
• Do NOT make your security program free and open; keep it close to the vest
• Keeping abreast of security news is a must – ever-changing threat landscape
• Need to tell management that security is a process, not a one-time mountain climb. Keeping executive support of security is the most important thing for the longevity of your security program.
• Learn how to measure and improve your security program using metrics over time.

Thanks!

Follow us/me on Twitter: @versprite @t0nyuv

Blog: www.versprite.com/og