application security on a dime: a practical guide to using functional open source tools to test,...
TRANSCRIPT
Application Security on a Dime
Open Technologies, Tools, and Techniques for Running a Blossoming InfoSec Program
POSSCON, Columbia, SC, April 2015
Anyone run Wordpress?
Wordpress hacks are bountiful. Secure them using the latest hardening guidelines: http://codex.wordpress.org/Hardening_WordPress
Test #WordPress using WPScan (http://wpscan.org/), a blackbox vuln scanner. #posscon #appsec
And especially...
A hacker's gateway drug to online perdition... or just a really helpful search engine.
Who am I? Why should you listen or care? 20 years of IT / InfoSec experience.
Industries: Utility | Fed | Banking | Retail | Healthcare | Information Services | Hosting | Financial Services | Manufacturing | Insurance | Real Estate
Former developer | sysadmin | network engineer | ISO | security engineer | security architect | security assessor | security director | CISO
Author of 'Risk Centric Threat Modeling' (Wiley Life Sciences, 2015), a comprehensive walk through security principles.
Started a security consulting firm in 2007: www.versprite.com
This presentation is based upon hands-on work and global travels working with both large enterprises and SMBs.
SECURITY CULTURE BEGINS W/ GOVERNANCE
Establish a framework and ecosystem of security processes and tools.
Establish Governance -> Security Requirements & Resources -> Implementation of S-SDLC -> Use Security Frameworks -> Test, and Test Early -> Track Defects
Before you begin, know inherent challenges
Challenges in AppSec:
• Isolated SDLC efforts
• Anti-security culture
• Expanding heterogeneous tech stack
• Decentralized management
• Security is not built into IT functions early on
• Targeted attacks
• Open intel on application components
Sound Solutions
Intro to OWASP
• Open Web Application Security Project
• Community driven; 11 years old
• Dedicated to openness of all content & materials
• International community focused on AppSec
• Cross-cultural, cross-industry related challenges exposed and addressed
• Massively supportive and responsive
• Follow @OWASP
...governance is the better starting point
Security: Governance | Operations | Risk Management | Compliance
Although a key business driver, don’t let Compliance eclipse Security. #POSSCON
Provides structure to a security program.
Makes security actionable, but can become a black hole for security $$$.
Everyone’s security threat is not yours. Don’t believe the FUD; make risk based security decisions.
Policies, Standards, Guidelines
• Policies provide accountability
• Standards govern technology
• Guidelines provide "best practices"
• Together they form a framework for enterprise operations and create a baseline of what is 'secure' and 'acceptable' in terms of risk
Each Security Component Can Warrant Governance

Component             Frameworks / references
{Program} Governance  NIST 800-100, NIST 800-39, OpenSAMM
Incident Response     NIST 800-53r4, NIST 800-61r2, NIST CSF
Secure Development    NIST 800-100, NIST 800-39, OpenSAMM
Security Testing      OWASP ASVS, OWASP Testing Guide v4, PTES
Security Awareness    Mostly tool based
OWASP Open SAMM
• The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.
• Benefits:
  - Evaluate your organization's existing software security practices
  - Build a balanced software security program in well-defined iterations
  - Demonstrate concrete improvements
http://www.owasp.org/index.php/Category:OWASP_Software_Assurance_Maturity_Model_Project
Wide Scope Covered by OpenSAMM
• Supports a security plan or roadmap
• Establish governance
• Perform assessments against it
• Test and report
• Enhance security operations
• Build an S-SDLC initiative
• Measure successes and shortcomings
• Provides metrics for reporting
http://www.owasp.org/index.php/Category:OWASP_Software_Assurance_Maturity_Model_Project
OpenSAMM Key Links
Main link to OpenSAMM gateway of resources https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model
Latest on the global initiative https://docs.google.com/document/d/1pC4har75olF1WPZaqRfXFG9T3SS_qoEUvHkEynE0iTI/edit
SECURE CODING & SECURITY ARCHITECTURE
Simple considerations of secure coding & security architecture can lay a foundation of security for your development efforts.
OWASP Developer Cheat Sheets
• Clickjacking Defense Cheat Sheet
• C-Based Toolchain Hardening Cheat Sheet
• Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
• Cryptographic Storage Cheat Sheet
• DOM based XSS Prevention Cheat Sheet
• Forgot Password Cheat Sheet
• HTML5 Security Cheat Sheet
• Input Validation Cheat Sheet
• JAAS Cheat Sheet
• Logging Cheat Sheet
• .NET Security Cheat Sheet
• OWASP Top Ten Cheat Sheet
• Password Storage Cheat Sheet
• Pinning Cheat Sheet
• Query Parameterization Cheat Sheet
• Ruby on Rails Cheat Sheet
• REST Security Cheat Sheet
• Session Management Cheat Sheet
• SQL Injection Prevention Cheat Sheet
• Transport Layer Protection Cheat Sheet
• Unvalidated Redirects and Forwards Cheat Sheet
• User Privacy Protection Cheat Sheet
• Web Service Security Cheat Sheet
• XSS (Cross Site Scripting) Prevention Cheat Sheet
• Attack Surface Analysis Cheat Sheet
• XSS Filter Evasion Cheat Sheet
• REST Assessment Cheat Sheet
• iOS Developer Cheat Sheet
• Mobile Jailbreaking Cheat Sheet
• OpSec Cheat Sheets (Defender)
• Virtual Patching Cheat Sheet
OWASP Developer References
Educate:
• OWASP WebGoat: exercise successful implementation of OWASP countermeasures
• OWASP Top Ten: ranks the top web app related risks; serves as a good scope for initial testing
Develop:
• OWASP Code Review: methodology for source code reviews
• OWASP Development Guide: establishes a process for secure development efforts across various SDLCs
• OWASP Cheat Sheet Series
• OWASP Countermeasures: OWASP CSRFGuard, OWASP AntiSamy
Test:
• OWASP Zed Attack Proxy: test against the OWASP Top Ten; use in conformance with the Testing Guide
• OWASP YASCA: leverages FindBugs, PMD, JLint, JavaScript Lint, PHPLint, Cppcheck, ClamAV, RATS, and Pixy to scan
OWASP Cheat Sheet Snippet: Insecure Direct Object References
It may seem obvious, but if you had a bank account REST web service, you have to make sure there is adequate checking of primary and foreign keys:
    https://example.com/account/325365436/transfer?amount=$100.00&toAccount=473846376
In this case, it would be possible to transfer money from any account to any other account, which is clearly insane. Not even a random token makes this safe.
    https://example.com/invoice/2362365
In this case, it would be possible to get a copy of all invoices. Please make sure you understand how to protect against insecure direct object references in the OWASP Top 10 2010.
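The two cheat-sheet cases above (account transfer and invoice lookup) as an added Python example, not code from the OWASP cheat sheet: the vulnerable transfer trusts the ids from the URL, while the hardened versions check on the server that the authenticated session user owns the referenced object before acting. The account and invoice ids, owners and balances are constructed sample data.

```python
# Constructed sample data (hypothetical): which user owns which object, plus balances.
ACCOUNT_OWNER = {325365436: "alice", 473846376: "bob"}
INVOICE_OWNER = {2362365: "bob", 2362366: "alice"}
BALANCE = {325365436: 500.0, 473846376: 50.0}


class Forbidden(Exception):
    """Raised when the authenticated user does not own the referenced object."""


def require_owner(owner_map, object_id, user):
    """The key from the URL is only honoured if it belongs to the session user."""
    if owner_map.get(object_id) != user:
        raise Forbidden(f"{user} may not access object {object_id}")


def transfer_vulnerable(from_acct, to_acct, amount):
    """The cheat-sheet bug: both account ids come straight from the URL and are trusted."""
    BALANCE[from_acct] -= amount
    BALANCE[to_acct] += amount
    return BALANCE[from_acct]


def transfer(user, from_acct, to_acct, amount):
    """Hardened: source must be the caller's own account, destination must exist, amount sane."""
    require_owner(ACCOUNT_OWNER, from_acct, user)
    if to_acct not in BALANCE:
        raise ValueError("unknown destination account")
    if not 0 < amount <= BALANCE[from_acct]:
        raise ValueError("invalid amount")
    BALANCE[from_acct] -= amount
    BALANCE[to_acct] += amount
    return BALANCE[from_acct]


def get_invoice(user, invoice_id):
    """Hardened: /invoice/<id> only returns invoices that belong to the session user."""
    require_owner(INVOICE_OWNER, invoice_id, user)
    return {"id": invoice_id, "owner": user}
```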
Java Regex Usage Example
Example validating the parameter "zip" using a regular expression (a servlet fragment; YourValidationException is the application's own exception class):

    import java.io.IOException;
    import java.util.regex.Pattern;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    // Whitelist pattern for a US ZIP code: five digits, optionally followed by "-" and four more.
    // Inside a Java string literal the regex backslash must be doubled ("\\d", not "\d").
    private static final Pattern zipPattern = Pattern.compile("^\\d{5}(-\\d{4})?$");

    public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
        try {
            String zipCode = request.getParameter("zip");
            // getParameter() returns null when "zip" is absent; reject that as well as a bad format.
            if (zipCode == null || !zipPattern.matcher(zipCode).matches()) {
                throw new YourValidationException("Improper zipcode format.");
            }
            // .. do what you want here, after it has been validated ..
        } catch (YourValidationException e) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
        }
    }
OWASP AntiSamy
• OWASP AntiSamy is an API for ensuring user-supplied HTML/CSS is compliant with the application's rules.
  - API plus implementations
  - Java, .Net, ColdFusion, PHP (HTMLPurifier)
• Benefits:
  - It helps you ensure that clients don't supply malicious code into your application
  - A safer way to allow for rich content from an application's users
http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
OWASP CSRFGuard
• OWASP CSRFGuard utilizes request tokens to address Cross-Site Request Forgery. CSRF is an attack where the victim is tricked into interacting with a website where they are already authenticated.
  - Java, .Net and PHP implementations
  - CSRF is considered the app sec sleeping giant
• Benefits:
  - Provides code to generate unique request tokens to mitigate CSRF risks
http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
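The request-token idea CSRFGuard implements, as an added Python example (not CSRFGuard's own code): a token is bound to the session with an HMAC under a server-side key, verified in constant time, and required on every state-changing request while safe methods pass through. SERVER_KEY, the session ids and the csrf_token field name are assumed values.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumed: a per-deployment secret held only by the server


def _mac(session_id, ts, nonce):
    """HMAC over session id, issue time and nonce: forging it requires SERVER_KEY."""
    msg = f"{session_id}:{ts}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id, now=None):
    """Mint a token for this session; embed it in forms or send it in a request header."""
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(8)
    return f"{ts}.{nonce}.{_mac(session_id, ts, nonce)}"


def verify_token(session_id, token, max_age=3600, now=None):
    """True only if the token was minted for this session and is not older than max_age."""
    try:
        ts, nonce, mac = token.split(".")
    except (AttributeError, ValueError):
        return False  # missing or malformed token
    if not ts.isdigit() or not hmac.compare_digest(mac, _mac(session_id, ts, nonce)):
        return False  # wrong session, tampered, or forged
    current = time.time() if now is None else now
    return current - int(ts) <= max_age


def handle_request(session_id, method, form, header_token=None):
    """Gate like CSRFGuard: safe methods pass, state-changing ones need a valid token."""
    if method in ("GET", "HEAD", "OPTIONS"):
        return 200
    token = form.get("csrf_token") or header_token
    return 200 if verify_token(session_id, token) else 403
```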
Threat Modeling provides targeted scope
Purpose: identify possible threat agents, threat motives, vulnerabilities in infrastructure, attack patterns, and possible countermeasures.
• Risk centric: PASTA (Process for Attack Simulation & Threat Analysis), http://versprite.com/docs/PASTA_Abstract.pdf
• Security centric: e.g. STRIDE threat categorization
• Software centric: Microsoft Threat Modeling Tool, http://www.microsoft.com/en-us/download/details.aspx?id=42518
Some free solutions
OWASP ASVS - Security Assurance Methodology
• The OWASP Application Security Verification Standard (ASVS) defines a standard for conducting app sec verifications.
  - Covers automated and manual approaches for external testing and code review techniques
  - Recently created and already adopted by several companies and government agencies
• Benefits:
  - Standardizes the coverage and level of rigor used to perform app sec assessments
  - Allows for better comparisons
http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
OWASP Top Ten
• The OWASP Top Ten represents a broad consensus of what the most critical web application security flaws are.
  - Adopted by the Payment Card Industry (PCI)
  - Recommended as a best practice by many government and industry entities
• Benefits:
  - Powerful awareness document for web application security
  - Great starting point and reference for developers
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Prescriptive Advice for Testing
• Simplify!!!
• Create a roadmap
• Standardize testing
• Follow a methodology!!!
• Metrics are actually important. Really.
• Tools.
Sqlmap.py: Test for the dreaded SQLi
• Use in conjunction with Burp or Zed Attack Proxy
• Capture the POST request to the web site via the proxy
• Copy the POST request to a text file
• http://sqlmap.org/
Static Analysis Options for Source Code Reviews

Product          License             Type                    Languages  Features
FxCop [4]        Open Source, MS-PL  VS plugin               .NET       Security-specific static analysis; UI built into Visual Studio
RIPS [7]         Open Source, GPL    Standalone              PHP        Professional user interface; security-specific analysis
FlawFinder [19]  Open Source, GPL    Standalone, text-based  C/C++      Security-specific analysis (injections, overflows, etc.); dangerous function analysis
PreFast [20]     Open Source, MS-PL  VS plugin               C++        General static analysis; UI built into Visual Studio
Brakeman [21]    Open Source, MIT    Standalone, text-based  Ruby       Security-specific analysis; strong following
FlawFinder
Works on C/C++ source code. Console-based and specifically targets security vulnerabilities. Uses a built-in database of C/C++ functions with well-known problems: buffer overflow risks (e.g., strcpy(), strcat(), gets(), sprintf(), and the scanf() family), format string problems ([v][f]printf(), [v]snprintf(), and syslog()), race conditions (such as access(), chown(), chgrp(), chmod(), tmpfile(), tmpnam(), tempnam(), and mktemp()), potential shell metacharacter dangers (most of the exec() family, system(), popen()), and poor random number acquisition (such as random()). [19]
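A minimal lexical scanner in the style of FlawFinder, as an added Python example (not FlawFinder's own code): it searches C source for the risky call families listed above and, like FlawFinder, reports a printf-family call only when its format argument is not a string literal. The function table is a subset of FlawFinder's database and the C fragment it scans is constructed.

```python
import re

# Risky call names grouped as in the FlawFinder description above (a subset of its database).
RISKY = {
    "buffer": ["strcpy", "strcat", "gets", "sprintf", "scanf", "sscanf"],
    "race": ["access", "chown", "chgrp", "chmod", "tmpfile", "tmpnam", "tempnam", "mktemp"],
    "shell": ["system", "popen", "execl", "execlp", "execle", "execv", "execvp"],
}
# printf family: a hit only when the format argument (its index below) is not a string literal.
FORMAT_ARG = {"printf": 0, "vprintf": 0, "fprintf": 1, "vfprintf": 1, "snprintf": 2, "vsnprintf": 2, "syslog": 1}
LOOKUP = {**{fn: cat for cat, fns in RISKY.items() for fn in fns}, **{fn: "format" for fn in FORMAT_ARG}}
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")

def _args(text):
    """Split the text that follows '(' at top-level commas, stopping at the matching ')'."""
    args, depth, cur = [], 0, ""
    for ch in text:
        if ch == ")" and depth == 0:
            break
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            args.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return args + [cur.strip()]

def scan_c_source(src):
    """Return (line, function, category) hits, lexically, in the spirit of FlawFinder's hit list."""
    # Drop comments (keeping their newlines so line numbers stay right), then blank string bodies.
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), src, flags=re.S)
    src = re.sub(r'"(?:\\.|[^"\\])*"', '""', re.sub(r"//[^\n]*", "", src))
    hits = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            name, cat = m.group(1), LOOKUP.get(m.group(1))
            if cat == "format":
                args = _args(line[m.end():])
                if FORMAT_ARG[name] < len(args) and args[FORMAT_ARG[name]].startswith('"'):
                    continue  # constant format string: not a format-string bug
            if cat is not None:
                hits.append((lineno, name, cat))
    return hits

# Constructed C fragment (hypothetical); the C comments give the line numbers the hits refer to.
SAMPLE_C = """strcpy(buf, argv[1]);                /* line 1: buffer overflow risk */
printf("%s\\n", buf);                 /* line 2: literal format, no hit */
printf(buf);                         /* line 3: format string bug */
snprintf(buf, sizeof(buf), argv[2]); /* line 4: format string bug */
system("ls -l");                     /* line 5: shell metacharacters */"""
```

Run scan_c_source(SAMPLE_C) to get the hit list; being purely lexical, it does not see through macros or strings containing comment markers, which is why FlawFinder's own tokenizer is more careful.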
RIPS
Written in PHP, for PHP specifically, to find vulnerabilities. Can create a program model of the source code. Detects vulnerable functions (sinks) that can be reached by malicious user input. An audit framework is provided for further analysis in an IDE-style interface.
Detects XSS, SQL injection, LFI/RFI, and RCE vulnerabilities.
Real Time Code Coverage during Black Box Testing
Follow your #blackbox web testing efforts with source code weakness #visualization: https://www.owasp.org/index.php/OWASP_Code_Pulse_Project #POSSCON #OWASP
SPARTA v1.0.2: Network Infra Testing
• Run nmap from SPARTA or import nmap XML output. Transparent staged nmap: get results quickly and achieve thorough coverage.
• Configurable context menu for each service. You can configure what to run on discovered services. Any tool that can be run from a terminal can be run from SPARTA.
• You can run any script or tool on a service across all the hosts in scope, just with a click of the mouse.
• Define automated tasks for services (i.e. run nikto on every HTTP service, or sslscan on every SSL service).
• Default credentials check for most common services. Of course, this can also be configured to run automatically.
• Identify password reuse on the tested infrastructure. If any usernames/passwords are found by Hydra they are stored in internal wordlists which can then be used on other targets in the same network (breaking news: sysadmins reuse passwords).
• Ability to mark hosts that you have already worked on so that you don't waste time looking at them again.
• Website screenshot taker so that you don't waste time on less interesting web servers.
Weeding out Bad Hashes
Bad hashes have plagued the news in recent #breaches. Validate your #hash: http://code.google.com/p/hash-identifier/ #appsec
Hash ID: Python-based hash validator
The Zed Attack Proxy
• Released September 2010
• Ease of use a priority
• Comprehensive help pages
• Free, open source
• Cross platform
• A fork of the well regarded Paros Proxy
• Involvement actively encouraged
• Adopted by OWASP October 2010
ZAP Overview: ZAP is
• Easy to use (for a web app pentest tool ;)
• Ideal for appsec newcomers
• Ideal for training courses
• Being used by professional pen testers
• Easy to contribute to (and please do!)
• Improving rapidly
The Main Features: all the essentials for web application testing
• Intercepting proxy
• Active and passive scanners
• Spider
• Report generation
• Brute force (using OWASP DirBuster code)
• Fuzzing (using OWASP JBroFuzz code)
The Additional Features
• Auto tagging
• Port scanner
• Smart card support
• Session comparison
• Invoke external apps
• BeanShell integration
• API + headless mode
• Dynamic SSL certificates
• Anti-CSRF token handling
ZAP Summary: ZAP has
• An active development community
• An international user base
• The potential to reach people new to OWASP and appsec, especially developers and functional testers
• ZAP is a key OWASP project
• Security Tool of the Year 2013
BurpSuite
• Enhance scanners to detect more vulnerabilities
• Extend API, better integration
• Fuzzing analysis
• Easier to use, better help
• More localization (all offers gratefully received!)
• Parameter analysis?
• Technology detection?
Adopt a Robust Incident Response Framework
• Computer Security Incident Handling Guide: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
• Check the security pages of the respective firewall vendors for default DENY security configuration
• Integrating Forensic Analysis into Incident Handling: http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf
• Guide to IDS Management: http://csrc.nist.gov/publications/drafts/800-94-rev1/draft_sp800-94-rev1.pdf
OSSEC - Host IDS (HIDS)
Performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting, and active response.
A Word on OpenSource Adoption
1. Define scope of adoption
   1. Driven by _ _ _ _ _ _ _ (impact, criticality, etc.)
   2. Use cases / abuse cases
   3. Architecture
2. Set up controlled adoption
3. Test, decompile, review
4. Become involved in dev forums
More Tools
• SET - Social Engineering Toolkit (http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET))
• BeEF – Browser Exploitation Framework
(http://www.bindshell.net/tools/beef.html)
• Metasploit – http://www.metasploit.com/
• Kali - http://www.kali.org/
• Burp - http://portswigger.net/burp/
• Recon-ng - full featured web recon framework that is text based and written in Python: https://bitbucket.org/LaNMaSteR53/recon-ng
• Twitter? Yes, Twitter, second only to Google, is a hacker's paradise
Closing Thoughts
• Leverage open source resources to INFLUENCE your security program development and management
• Do NOT make your security program free and open; keep it close to the vest
• Keeping abreast of security news is a must: the threat landscape is ever changing
• Tell management that security is a process, not a one-time mountain climb. Keeping executive support for security is the most important thing for the longevity of your security program.
• Learn how to measure and improve your security program using metrics over time.