Web Security – Everything we know is (Still) wrong (2017)
IT Summit – Nov 8th
Eoin Keary
• CEO edgescan.com
• OWASP GLOBAL BOARD MEMBER – 2009-2015
• OWASP Project Lead
edgescan
• Fullstack vulnerability management
• Continuous
• False Positive Free/Expert Validation
• 1000’s of systems every month
• Leader in “Gartner Peer Insights” Report
• PCI ASV Certified
© 2012 WhiteHat Security, Inc.
HACKED
“(Cyber crime is the) second cause of economic crime experienced by the financial services sector” – PwC
“556 million adults across the world have first-hand experience of cybercrime -- more than the entire population of the European Union.”
Globally, every second, 18 adults become victims of cybercrime – Symantec
“The loss of industrial information and intellectual property through cyber espionage constitutes the greatest transfer of wealth in history” – Gen. Keith Alexander
Cyber crime damage costs to hit $6 trillion annually by 2021
Eoin, I didn’t click it – My Grandma
“One hundred BILLION dollars” -Dr Evil
2017 – so far
• Trump administration – details leaked
• Clash of Clans – 1,000,000
• Cellebrite – 900 GB of data
• SWIFT – fake trade documents – 3 banks – India
• CoPilot – GPS – 220,000 records
• Sentara HealthCare – 5,000 patient records
• Deep Root Analytics – 198,000,000 records
• Equifax – 143,000,000+ records!
Human attack surface to reach 6 billion people by 2022.
It's (not) the $$$$
[Chart: Information security spend vs. Security incidents (business impact)]
“There’s Money in them there webapps”
“Web applications abound in many larger companies, and remain a popular (54% of breaches) and successful (39% of
records) attack vector.”
- Verizon Data Breach Investigations Report
Accountability in the Cloud
[Diagram: the layers Application, App Server/DB/Web, Computing, Network and Storage, shown once for SaaS and once for PaaS; each layer is marked as accountable to either the Cloud Provider or the Cloud Consumer]
54% of breaches are via the application layer *
* Few exceptions
You can outsource hosted services but you cannot outsource accountability
But we are approaching this problem completely wrong, and have been for years…
Problem # 1
Asymmetric Arms Race
A traditional end-of-cycle / annual pentest only gives minimal security…
There are too many variables and too little time to ensure “real security”.
An inconvenient truth
Two weeks of ethical hacking
Ten man-years of development
Business Logic Flaws
Code Flaws
Security Errors
Make this more difficult: let's change the application code once a month.
Keeping pace with:
• DevSecOps
• New vulnerabilities
• Continuous patching requirements
• New deployments (services, systems)
Continuous Testing
"Risk comes from not knowing what you're doing." – Warren Buffett
Automated Review
“A fool with a tool is still a fool”…?
In two weeks:
• Consultant “tunes tools”
• Use multiple tools – verify issues
• Customize attack vectors to the technology stack
• Achieve 80-90% application functionality coverage
How experienced is the consultant?
Are they as good as the bad guys? They certainly need to be – they only have 2 weeks, right!!?
Code may be pushed to live soon after the test. The potential window of exploitation could last until the next pen test.
6 mths, 9 mths, 1 year?
Some of the problem has moved (back) to the client.
Some “Client Side” vulnerabilities can’t be tested via HTTP parameter testing.
Many tools can’t adequately assess certain technologies
• Node/Angular
• APIs
• Flex/Flash/Air
• Native mobile web apps – data storage, leakage, malware
• DOM XSS – jQuery, CSS, attribute, element, URL fragments
• Uploaded client-side/JavaScript malware (Gzip/deflate/hex encoded etc.)
• Logical/business logic vulnerabilities
Scanning is not enough anymore. Intelligence is required. Orchestration is required.
Tools Alone – They don’t work well without strong operations and orchestration
“We need an Onion”
SDL – Design review
Threat Modeling
Code review/SAST
Negative use/abuse cases/Fuzzing/DAST
Live/Ongoing - Continuous/Frequent monitoring / Testing
Manual Validation
Vulnerability Intelligence & Priority
Dependency Management ….
Situational Awareness / Alerting
We need more than Automated Scanning.
Problem # 2
You are what you eat
Software food chain
[Diagram: sources of application code, placed along a “degrees of trust” axis from more to less]
• Application code
• COTS (commercial off the shelf)
• Outsourced development sub-contractors
• Bespoke outsourced development
• Bespoke internal development
• Third party APIs
• Third party components & systems
You may not let some of the people who have developed your code into your offices!!
2016 – Open Source Security Statistics
• 23% of the Components in the Average Software Application Contain Known Vulnerabilities
• 60% of businesses do not keep a complete inventory (bill of materials) of components being used in their applications.
– edgescan statistics, November 2016
Struts – application development framework: downloaded 2 million times in the last year.
Remote Code Execution attack CVE-2017-9805
Struts 2.1.2 - 2.3.33, 2.5 - 2.5.12
https://cwiki.apache.org/confluence/display/WW/S2-052
2.1.2 – 9 years old
2.3.33 – July 2017
2.5.x – May 2017
https://struts.apache.org/downloads.html
Do we test for “dependency” issues?
NO
Does your patch management policy cover application dependencies?
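The question above is only answerable if a bill of materials exists and is checked against advisories. The following is an added example (not code from the talk or from edgescan) that reads a constructed bill of materials and flags every entry inside the Struts version ranges the slide quotes for CVE-2017-9805; the component label `struts2-core` and the sample BOM are assumptions made for the illustration.

```python
"""Added example: flag bill-of-materials entries that fall inside the Struts
version ranges the slide quotes for CVE-2017-9805 (S2-052).
The component label and the sample BOM are constructed for illustration."""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Affected ranges exactly as stated on the slide, inclusive at both ends.
# "struts2-core" is an assumed label for the Struts 2 core library.
AFFECTED_RANGES: Dict[str, List[Tuple[str, str]]] = {
    "struts2-core": [("2.1.2", "2.3.33"), ("2.5", "2.5.12")],
}


def parse_version(text: str) -> Version:
    """'2.5.12' -> (2, 5, 12). Each dot-separated piece keeps only its leading
    digits, so a qualifier such as '12-SNAPSHOT' is read as 12; parsing stops
    at the first piece that has no leading digit."""
    parts: List[int] = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def in_range(version: str, low: str, high: str) -> bool:
    """Inclusive comparison; shorter versions are zero-padded so '2.5' == '2.5.0'."""
    v, lo, hi = parse_version(version), parse_version(low), parse_version(high)
    width = max(len(v), len(lo), len(hi))

    def pad(t: Version) -> Version:
        return t + (0,) * (width - len(t))

    return pad(lo) <= pad(v) <= pad(hi)


def find_vulnerable(bom: List[Tuple[str, str]],
                    ranges: Dict[str, List[Tuple[str, str]]] = AFFECTED_RANGES
                    ) -> List[Tuple[str, str, str]]:
    """Return (component, version, matched range) for every BOM entry that sits
    inside an affected range recorded for that component."""
    hits = []
    for component, version in bom:
        for low, high in ranges.get(component, []):
            if in_range(version, low, high):
                hits.append((component, version, f"{low}-{high}"))
                break
    return hits


# Constructed sample bill of materials: one entry per deployed application.
SAMPLE_BOM = [
    ("struts2-core", "2.3.33"),   # inside the first affected range
    ("struts2-core", "2.5.10"),   # inside the second affected range
    ("struts2-core", "2.5.13"),   # above the stated upper bound
    ("struts2-core", "2.1.1"),    # below the stated lower bound
    ("internal-lib", "1.0.0"),    # no advisory recorded for this component
]

if __name__ == "__main__":
    for component, version, matched in find_vulnerable(SAMPLE_BOM):
        print(f"PATCH NEEDED: {component} {version} (affected range {matched})")
```

Run as-is, the script reports the 2.3.33 and 2.5.10 entries and stays silent on the rest; the point is that the check is cheap once the inventory exists, which is exactly what 60% of businesses in the slide's statistic do not have.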
Problem # 3
Bite off more than we chew
How can we manage vulnerabilities on a large scale….
“We can’t improve what we can’t measure”
Say 300 web applications:
300 Annual Penetration tests
Tens of different penetration testers?
300 reports
How do we consume this Data?
Enterprise Vulnerability Intelligence:
Consolidation of vulnerability data.
Continuous active monitoring & Visibility
Vulnerability Management Alerting
Situational Awareness
Problem # 4
Information flooding
(Melting a developer's brain, white noise and “compliance”)
Doing things right != Doing the right things.
“Not all bugs/vulnerabilities are equal” (is HttpOnly important if there is no XSS?)
Contextualize risk (is XSS/SQLi always high risk?)
Do developers need to fix everything?
- Limited time
- Finite resources
- Task priority
- Pass internal audit?
White Noise
Compliance - GDPR
There’s Compliance:
EU directive: http://register.consilium.europa.eu/pdf/en/12/st05/st05853.en12.pdf
Article 23, 24 & 79 – Administrative sanctions: “The supervisory authority shall impose a fine up to 250 000 EUR, or in case of an enterprise up to 0.5 % of its annual worldwide turnover, to anyone who, intentionally or negligently does not protect personal data”
Clear and Present Danger!!
…and there’s Compliance
Problem #5
Explain issues in “Developer speak” (AKA English)
Is Cross-Site Scripting the same as SQL injection?
Both are injection attacks -> code and data are confused by the system.
LDAP injection, command injection, log injection, XSS, SQLi, etc.
Think old phone systems, Captain Crunch (John Draper).
Signaling data and voice data on same logical connection – Phone Phreaking
XSS causes the browser to execute user-supplied input as code. The input breaks out of the “data” context and becomes execution context.
SQLi causes the database, or the source code calling the database, to confuse data [context] and ANSI SQL [execution context].
Command injection mixes up the data [context] and the command [context].
So….
We need to understand what we are protecting against.
We need to understand that a pentest alone is a losing battle.
You can only improve what you can measure
Not all bugs are created equal.
Bugs are Bugs. Explain security issues to developers in “Dev speak”