Security Testing & The Depth Behind OWASP Top 10
Yaniv Simsolo, CISSP
Image: Hubble Telescope: The cat’s eye nebula
OWASP Top 10 2013
OWASP Top 10 – 2013 has evolved:
• 2013-A1 – Injection
• 2013-A2 – Broken Authentication and Session Management
• 2013-A3 – Cross Site Scripting (XSS)
• 2013-A4 – Insecure Direct Object References
• 2013-A5 – Security Misconfiguration
• 2013-A6 – Sensitive Data Exposure
• 2013-A7 – Missing Function Level Access Control
• 2013-A8 – Cross-Site Request Forgery (CSRF)
• 2013-A9 – Using Known Vulnerable Components (NEW)
• 2013-A10 – Unvalidated Redirects and Forwards
OWASP Top 10 2013
OWASP Top 10 – 2013 Resources:
• https://www.owasp.org/index.php/Top_10_2013-Top_10
• OWASP Top 10 2013 presentation by Dave Wichers, on the OWASP web site
Mapping Top 10: From 2010 to 2013
Source: OWASP Top 10 2013 presentation by Dave Wichers
Assumptions
• In Information Security, several Top 10 lists exist
– OWASP Top 10 is dominant
• “Top 3”: we all know about XSS, Injection, CSRF, etc.
• Most organizations are well aware of these issues
Assumptions
• OK. What now?
• “Top 6” = (“Top 3”) + (“we test what we can”):
– Broken authentication and session management
– Unvalidated redirects and forwards
– Insecure direct object references
• Most organizations are aware of these issues
• OK, what now?
What did we miss?
• Security misconfiguration – A5.
• Missing Function Level access control – A7.
• Using known vulnerable components – A9
• A6 – sensitive data exposure now includes a merge of:
– Insufficient transport layer protection (2010 – A9)
– Insecure cryptographic storage (2010-A7)
What did we miss?
• Security misconfiguration – A5.
– (almost) not Web Application but: Application/system
• Missing Function Level access control – A7.
– Partial Web Application, Partial Application/system
• Using known vulnerable components – A9
– (almost) not Web Application but: Application/system
What did we miss?
• A6 – sensitive data exposure now includes a merge of:
– Insufficient transport layer protection (2010 – A9)
– Insecure cryptographic storage (2010-A7)
• Is this just Web Application?
• Is the problem more severe once we look below the Web Layer?
What did we miss? Example
Security misconfiguration – A5
+
Using known vulnerable components – A9
=
Perimeter is not working
The Problem
Image: Hubble Telescope: The cat’s eye nebula
Over Complexity
• Too much data
• Endless attack possibilities
• Too many security solutions, vendors, products
• No homogenous approach
The Attack Vectors
– Any system
– Any infrastructure
– Any communication
– Any language
– Any architecture
– Any component
– Any information, any data
– Any physical layer
– Any logical layer
– Any storage device / facility
– Any (communication) channel
– Any interface
– Any encryption
– Any environment
– Any site (including DR)
– Any transaction
– Any log and audit trail
– Any archive
– Any process (operations, ongoing, development)
The Attack Types
– Takeover
– Data theft
– Data tampering
– System integrity disruption
– Business Logic manipulation
– Eavesdropping
– Backdoors – built in by design
– Backdoors – creation by attackers
– Unintentional attacks
– Intentional by authorized entities
– Attacks by non-human entities
– Denial of Service
– De Facto Denial of Service
– Authorization bypass
– Access bypass
– Smuggling, Splitting and evasion-type attacks
The Problem
Even the simplified security areas present a demanding challenge. For example - XSS:
• Very difficult to detect all variants in modern systems
• Almost impossible to retain high security level once achieved
Common Solutions
• Superficial security tests.
– Many “good reasons”:
• Budget
• Time constraints
• Lack of understanding
• Over complexity
Common Solutions
• Impacts of superficial security tests in the long run?
– Partial to no security
– Poor security practices
– These organizations affect the security market, pulling it downwards!
– Loss or partial loss of integrity of security professionals
– Worse still: false sense of security
Where Did That Get Us?
• Ludicrous security warnings:
– January 2013: Department of Homeland Security: Do not use Java. Remove the JRE.
– April 2014: Department of Homeland Security: Versions 6 – 11 of IE are not to be used.
– April 2014: OpenSSL is insecure
Where Did That Get Us?
• Poor security in design and architecture
• (Almost) no security in Agile/Continuous Delivery developed code
Modern Systems Common Pitfall
• Modern systems are more secure. ???
Where Did That Get Us?
• Challenging security presentations:
– In-Depth Security is dead (RSA conference 2011)
– Security is dead (Rugged coding - RSA conference 2012)
• Ignorance is bliss….
Security Testing
Image: Hubble Telescope: The cat’s eye nebula
How to Test?
• This is messy. VERY messy.
• There are shortcuts
How to Test?
• Actually – most is quite easy to test.
• Go back to theory.
• Forget about the payloads.
The Fallback Common Option
• Test the GUI
• Black Box testing methodology
• Exclude the difficult stuff from scope
• This is a “good” solution: it fits organizations and security professionals
The Fallback Common Option
• “The greatest enemy of knowledge is not ignorance, it is the illusion of knowledge.”― Stephen Hawking
• Testing just the GUI = illusion of knowledge
• Testing just the FE = illusion of security
• Increasingly often we are requested to test much less than the actual scope.
• Consider carefully prior to testing – what should be the actual testing scope
How to test?
• “Supreme excellence consists in breaking the enemy's resistance without fighting.” Sun Tzu
• Common Mobile WCF architecture
– Where is the presentation layer?
– Which entities are granted access to business logic?
How to test?
• OWASP top 10 – mobile:
Source: OWASP Top 10 Mobile project
The Oracle Exadata Example
• Oracle Exadata simplified:
– Data Warehouse platform
– Consolidation/Grid platform
– Storage platform
• Exadata security best practices consist of:
– The “regular stuff”
– Database standard security
– Data Warehouse specialized security
– Consolidation/Grid specialized security
The Oracle Exadata Example
• Oracle Exadata (as a database platform) Security Testing Benchmark:
– Organization A tested:
• The databases
• The environments
• The Data Warehouse specialized security
• The Exadata itself
– Organization B tested:
• Just some deployed databases
• Partial security testing for each database
• Worse still: Exadata not to be tested as a policy
• Who said: 2013-A5 Security Misconfiguration?
Testing A5, A7, A9
• “If you know the enemy and know yourself you need not fear the results of a hundred battles”, Sun Tzu
• Do we really know ourselves?
• Where are A5, A7 and A9 implemented?
• Not testing the BE = illusion of knowing
The Windows XP Example
• Organization C defines and enforces strict development and deployment security standards towards all its suppliers/customers.
• Over 60 pages of procedures and instructions.
• Insisting on supporting Windows XP based systems.
• Who said: 2013-A9 Using Known Vulnerable Components?
2013-A9 Using known Vulnerable Components
• A vendor offers DBAAS
– Excellent: beat the market offering *AAS something...
• How can the organization trust the security of DBAAS?
– Will separation be enforced?
– Will compartmentalization be enforced?
• Did we really test, and can we trust, the Cloud on which the DBAAS is based?
Declarative Security
• What?
• One of the foundations of modern languages run-time security.
• Mostly ignored or bypassed.
• Who said: Security misconfiguration – A5, Missing Function Level access control – A7?
Declarative Security
• “Deployment descriptors must provide certain structural information for each component if this information has not been provided in annotations or is not to be defaulted.” (Oracle docs.)
Declarative Security
• “Engage people with what they expect; it is what they are able to discern and confirms their projections. It settles them into predictable patterns of response, occupying their minds while you wait for the extraordinary moment — that which they cannot anticipate.” Sun Tzu
• Lacking or weak declarative security: once code access is achieved, the extraordinary becomes feasible.
Declarative Security
• Poor design due to no design
• Cancelling or ignoring declarative security revokes the language's security fundamentals.
• Common real-life deployment descriptors:
• Killing my own code!
// Do what you will. Totally permissive policy file.
grant {
    permission java.security.AllPermission;
};
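As an added example (mine, not from the slides) of the declarative security that the deployment-descriptor quote and the permissive policy file above refer to: a Java EE web.xml fragment with a weak security-constraint beside its corrected form. The /admin/* path and the admin role name are assumptions.

```xml
<!-- Added example (not from the slides): web.xml fragment.
     The /admin/* path and the "admin" role are assumptions.
     Weak and corrected blocks are shown side by side for contrast;
     a real descriptor keeps only the corrected one. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- WEAK (A7): naming http-method constrains GET only; every other
       verb (POST, PUT, DELETE, HEAD, or an arbitrary method name)
       reaches /admin/* with no authentication and no role check. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin-weak</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- CORRECTED: omit http-method so the constraint covers every verb,
       require the admin role, and force TLS (A6) for the resource. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Servlet 3.1 safety net: if any constraint still names specific
       methods, the container rejects the methods it does not cover
       (HTTP 403) instead of letting them through unprotected. -->
  <deny-uncovered-http-methods/>

  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
```

Containers older than Servlet 3.1 do not know deny-uncovered-http-methods; there the only safe form is a constraint with no http-method element at all.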
Reverse Engineering (A5, A6, A9)
• What for?
• Why for Mobile security testing ONLY?
• From Wikipedia:
– Reverse engineering is the process of discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation.
Testing A2, A5, A6
• 2013 A6 – Sensitive data exposure
• 2013 A5 – Security misconfiguration
• 2013 A2 – Broken authentication
• Too much use of “third singulars”
– The actual minute details of the tested object dissolve
2013-A5 Security Misconfiguration
• There is no external access!
• The intended users will only perform intended actions…
• Virtualization Separation
2013-A5 Security Misconfiguration
• How do organizations secure legacy unsecured systems?
• Install terminals (e.g. Citrix) as the presentation layer / access control layer.
• Challenge: manage multiple users across multiple systems.
• Result: the terminals are partially secure.
– Too many terminals to manage over long periods
– Some insecure
– The insecure terminals are the attacker entry points.
Critical Thinking
Critical Thinking
• Critical thinking is the ability to think clearly and rationally. This requires reflective and independent thinking. (Philosophy field)
• For organizations, security is too difficult: over complexity, too much to orchestrate, etc.
• Increasingly often we are requested to test much less than the actual scope.
• Some organizations will not be educated.
• Push the industry back up with those organizations that can be educated.
Critical Thinking
• For the security professionals, security is a challenge. Hence, always employ critical thinking and review the process of testing itself.
– Flexibility under varying technologies
– Use automated testing tools to the max AND be always aware of their limitations
– Scoping accurately is mandatory
Questions?
Yaniv Simsolo, CISSP
Image: Hubble Telescope: The cat’s eye nebula