Web Application Security
Diane Fraiman, Vice President
The Facts Reviewed...

• Code Red infected 359,000 servers in less than 14 hours; at the peak it infected more than 2,000 new hosts per minute; estimated cost $2.6B (Computer Economics)
• Within 24 hours of NIMDA hitting, 50% of the infected hosts went offline (CNet)
• 1 vulnerability exists in every 1,500 lines of code (IBM's Watson Research Lab); Windows XP has 45M lines of code, W2K has 35M lines of code, and Microsoft's line count doubles every 866 days
• $18 billion in sales is expected to be lost due to concerns about online security in 2002 (FTC)
• Between 65% and 90% of companies experienced some sort of security breach in 2000 (CSI/FBI)
Cyber crime on the Rise

[Chart: Number of Hacks, 1998 to 2002, y axis 0 to 60 thousand. Source: CERT, incidents reported. Note: 2002 value interpolated.]
[Chart: Avg Cost of Cyber crime/Company, 1999 to 2002, y axis 0 to 20 million. Source: CSI/FBI, U.S. companies surveyed only (excluding wiretapping). Note: 2002 value interpolated.]
The Problem is Real

• 3 out of 4 business websites are vulnerable to attack (Gartner)
• Internet fraud expected to exceed credit card fraud by 2003 (VNUnet)
• 75% of hacks occur at the Application level (Gartner)

The results of over 300 AppAudits conducted with AppScan: 97% vulnerable. Breakdown of findings:
– 31% Full Control & Access to Info.
– 7% Hijack Transaction
– 23% e-Shoplifting
– 3% Delete Web Site
– 4% Minor Breach
– 7% Modify Information
– 25% Privacy Breach
The Fourth Level of Web Security

Level  Layer             Security control   Attack behavior
1      Desktop           Antivirus          Disruption
2      Transport         Encryption         Interception
3      Network           Firewall           Illegal Access
4      Web Applications  Manual Patching    Perversion
What is a Web Application?

Browser --(Valid Input, HTML/HTTP)--> Web Server -> User Interface Code -> Front end Application -> Backend Application -> Database -> Data
Browser --(Invalid Input, HTML/HTTP)--> the same path

Without any protection, holes and backdoors exist at every layer waiting to be exploited. Invalid data can exploit weaknesses in the application, acting as escape holes that result in access to unauthorized accounts, the O/S, the network and sensitive data, and may even result in an application denial of service.
From Sanctum Audits

• Top 5 banks
  – Took root control of system, listed all sys admins & signed up 2 Senior VPs for credit cards at -129%
  – Found cross-site scripting, hidden fields & parameter tampering allowing access to all backend systems
  – Hundreds of servers out for weeks with Nimda
  – Broke into Peoplesoft Purchasing and HR applications; also broke into broker/dealer application
• Major Regional Banks
  – Took control of ISS web server
• Top 5 Mutual Fund
  – "Code Red gave us a bloody nose; Nimda tore off body parts"
  – Hundreds of servers out for weeks with Nimda
• Top 2 Credit Card companies
  – Forceful browsing accessed Netegrity SiteMinder directory: got userid/password file
• Airline
  – Downloaded source code; cookie poisoning = identity theft; accessed all employee schedules (still did not buy solution; thought they could solve it manually!)
• Healthcare
  – Accessed all patient files and altered information
• Telco
  – Entire customer billing record database available
Ten Types of Application Hacks

• Hidden Field Manipulation - eShoplifting
• Parameter Tampering - access OS or sensitive data; fraud
• Backdoors and Debug Options - access code/application as developer or admin
• Cookie Poisoning - identity theft, illegal transactions
• Stealth Commanding (command injection) - access OS or control application at OS level, site defacement
• Forceful Browsing - access sensitive data
• Cross-Site Scripting - script reflected by the server runs in other users' browsers; access sensitive data; eHijacking
• Buffer Overflow - access sensitive data, or crash site/application
• 3rd-Party Misconfiguration - access OS or data
• Published/Known Vulnerabilities - access OS; crash site; access sensitive data
Hidden Field Manipulation

• Vulnerability explanation: The application sends data to the client in a hidden form field. Modifying the hidden field alters the data returning to the web application.
• Why Hidden Field Manipulation: Passing hidden fields is a simple and efficient way to pass information from one part of the application to another (or between two applications) without the use of complex backend systems.
• As a result of this manipulation: The application acts according to the changed information and not according to the original data.

Hidden Manipulation - Example (screenshot slides, not reproduced in this transcript)
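The e-shoplifting case described above, as an added example that is not part of the original deck and not Sanctum's code: a checkout handler that trusts a hidden price field, beside two hardened versions. The catalogue, the secret and the request bodies are constructed for the demo; the preferred fix treats the hidden field as a key and re-reads the price on the server, and the HMAC variant is for state that genuinely has to round-trip through the browser.

```python
import hashlib
import hmac
import html
from urllib.parse import parse_qs, urlencode

# Constructed catalogue: the server's authoritative prices, in cents.
CATALOG = {"sku-100": 4999, "sku-200": 12900}
# Assumption: a secret that never leaves the server (loaded from config in real code).
SERVER_SECRET = b"example-only-secret"


def render_form_vulnerable(sku):
    """Vulnerable pattern: the price travels to the browser in a hidden field."""
    return ('<form method="post" action="/checkout">'
            f'<input type="hidden" name="sku" value="{html.escape(sku)}">'
            f'<input type="hidden" name="price" value="{CATALOG[sku]}">'
            '<input type="submit" value="Buy"></form>')


def checkout_vulnerable(body):
    """The changed information wins: whatever price the client posts is what gets charged."""
    params = parse_qs(body)
    return {"sku": params["sku"][0], "charged": int(params["price"][0])}


def checkout_lookup(body):
    """Hardened, preferred: the hidden field is only a key; the price is re-read server-side."""
    params = parse_qs(body)
    sku = params.get("sku", [""])[0]
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    return {"sku": sku, "charged": CATALOG[sku]}


def _sign(sku, price):
    # MAC over the exact values the server emitted; the client cannot forge it without the secret.
    return hmac.new(SERVER_SECRET, f"{sku}|{price}".encode(), hashlib.sha256).hexdigest()


def signed_post_body(sku):
    """What a legitimate browser posts back from a form whose hidden fields carried a MAC."""
    price = CATALOG[sku]
    return urlencode({"sku": sku, "price": price, "sig": _sign(sku, price)})


def checkout_signed(body):
    """Hardened alternative for state that must round-trip (e.g. a quoted price):
    reject the submission unless the MAC over the hidden values still matches."""
    params = parse_qs(body)
    sku, price, sig = (params.get(k, [""])[0] for k in ("sku", "price", "sig"))
    if not hmac.compare_digest(sig, _sign(sku, price)):
        raise ValueError("hidden field tampered")
    return {"sku": sku, "charged": int(price)}


if __name__ == "__main__":
    tampered = "sku=sku-200&price=1"          # attacker edited the hidden field to 1 cent
    print(render_form_vulnerable("sku-200"))
    print("vulnerable:", checkout_vulnerable(tampered))
    print("lookup:    ", checkout_lookup(tampered))
    print("signed ok: ", checkout_signed(signed_post_body("sku-200")))
    try:
        checkout_signed(tampered)
    except ValueError as err:
        print("signed:    ", err)
```

The lookup form is the one to reach for: if the server can recompute the value, nothing the browser sends about it should be read at all. The MAC form only proves the values are the ones this server emitted; it does not stop a user replaying an old, still-valid quote, so anything time-sensitive needs an expiry folded into the signed string as well.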
Parameter Tampering

• Vulnerability explanation: Parameters are used to obtain information from the client. This information can be changed by editing the parameter in the site's URL.
• Why Parameter Tampering: Developers focus on the legal values of parameters and how they should be utilized. Little if any attention is given to the incorrect values.
• As a result of this manipulation: The application can perform a function that was not intended by its developer, like giving access to customer information.

Parameter Tampering - Example (screenshot slides, not reproduced in this transcript)
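The two outcomes the list above attributes to parameter tampering (access to sensitive data, and access to the OS), as an added example that is not from the original deck or from Sanctum: an account page that looks up whatever id the URL carries, and a download handler whose file parameter can walk out of the document root, each beside a hardened version. The accounts, sessions, document root and URLs are constructed; the hardened handlers validate the parameter's shape first, then authorise the object it names.

```python
import os
from urllib.parse import parse_qs, urlparse

# Constructed data: two customers' accounts and two live sessions.
ACCOUNTS = {1001: {"owner": "alice", "balance": 250}, 1002: {"owner": "bob", "balance": 9100}}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
DOC_ROOT = "/var/www/reports"   # assumption: where downloadable reports live


def _query(url):
    return parse_qs(urlparse(url).query)


def account_vulnerable(url, session_cookie):
    """The developer only considered the legal value (the id the link carried): any id is served."""
    return ACCOUNTS[int(_query(url)["id"][0])]


def account_hardened(url, session_cookie):
    """Authenticate the session, validate the parameter's shape, then authorise the object."""
    user = SESSIONS.get(session_cookie)
    if user is None:
        raise PermissionError("not authenticated")
    raw = _query(url).get("id", [""])[0]
    if not raw.isdigit():                       # the "incorrect values" get rejected, not guessed at
        raise ValueError("id must be numeric")
    acct = ACCOUNTS.get(int(raw))
    if acct is None or acct["owner"] != user:
        # same answer for a missing id and someone else's id, so ids cannot be enumerated
        raise PermissionError("no such account for this user")
    return acct


def report_path_vulnerable(url):
    """?file=../../../etc/passwd walks out of DOC_ROOT: access to the OS via a tampered parameter."""
    return os.path.normpath(os.path.join(DOC_ROOT, _query(url)["file"][0]))


def report_path_hardened(url):
    """Resolve the path, then require it to still sit under DOC_ROOT and to be a report."""
    name = _query(url).get("file", [""])[0]
    target = os.path.normpath(os.path.join(DOC_ROOT, name))
    # commonpath, not a string-prefix test: /var/www/reports2 must not pass as /var/www/reports
    if os.path.commonpath([DOC_ROOT, target]) != DOC_ROOT:
        raise PermissionError("path escapes document root")
    if not target.endswith(".pdf"):
        raise ValueError("only reports may be downloaded")
    return target


if __name__ == "__main__":
    print(account_vulnerable("/account?id=1002", "sess-alice"))        # bob's data, served to alice
    print(account_hardened("/account?id=1001", "sess-alice"))
    print(report_path_vulnerable("/download?file=../../../etc/passwd"))  # /etc/passwd
    for bad in ("/account?id=1002", "/download?file=../../../etc/passwd"):
        try:
            (account_hardened(bad, "sess-alice") if "account" in bad else report_path_hardened(bad))
        except PermissionError as err:
            print("blocked:", bad, "->", err)
```

The ownership check is the part that most often goes missing: validating that the id is numeric stops injection-style values, but the sequential id of another customer is perfectly well formed, so the lookup has to be scoped to the authenticated user rather than to the id alone.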
What is a Viable Solution?

• VIABLE = Positive Security Model:
  – Vulnerability Assessment tools: bullet-proof applications before they go into production
  – Application Firewalls: block, log and alert against known/unknown attacks
  – Behavioral/Policy-based:
    • Automatically builds a policy in real time for the site
    • Allows only intended business interactions
    • Maintains intended application behavior
    – e.g., Code Red and Nimda blocked without updates or rules
• Not Viable = Negative Security Model:
  – Signature/Rules-based: blocks known attacks based on signatures, heuristics or rules
  – e.g., a patch must be installed or signatures written before Code Red & Nimda are blocked
Traditional (Manual) Vulnerability Assessment

• Issues:
  – process is complex
  – security knowledge needed for performing a successful audit
• The process:
  – Manual coverage of relevant business process
  – Full inspection of client side scripts and comments
  – Full inspection of application interfaces
  – Manual analysis of potential vulnerabilities
  – Manual testing of potential vulnerabilities
  – Check for installation of known patches
• The knowledge:
  – Complete understanding of application logic
  – Complete knowledge of application manipulation methods
  – Memory of all known patch issues
  – Complete understanding of the most secure configuration of all tools
Traditional Auditing - the problem

• Multiple points of people failure
  – Development, QA, Operations, Vendor software, Outsourcing
• New third party bugs discovered every day
  – site exposed during patch latency
• Site Complexity
  – many lines of code and application interactions
• Compressed application development cycle
  – time to market needs will impact development and QA
• Distributed Knowledge
  – No single person has all the knowledge needed for a full audit

Never ending, time consuming and expensive!
Automatic Application Vulnerability Assessment

• Explore - automatically explore the site, discover potential vulnerabilities, & dynamically create tests to evaluate
• Test - test and validate potential vulnerabilities and assign success and severity ratings
• Report - generate custom reports with information targeted at specific levels of security expertise and functions

This process can be repeated as often as necessary: once a week, once a month, or only one time.
Automatic Application Vulnerability Assessment: Benefits

• Explore
  – Automation enables coverage of application
  – Automatic extraction of information from application
  – Deploys knowledgebase of possible vulnerabilities
  – Automatically cover all potential holes
• Test
  – Automatically identify successful attack
  – Coverage of all potential vulnerabilities
  – Refinement stage (multi-attack correlation)
• Reporting
  – Automatically generate findings report
  – Supply solution recommendations

Automation = less time & more coverage. Expert system = reduce the needed knowledge.
Vulnerability assessment tools

Commercial:
• Application Vulnerability Assessment
  – Sanctum / AppScan
• Network & Known Vulnerability Scanners
  – ISS / Internet Scanner
  – NAI / CyberCop
  – eEye / Retina

Public Domain:
• Known Vulnerability Scanners
  – Whisker
  – Nessus
• Proxy Scanners
  – Achilles
  – HTTPush
  – RFProxy
  – WebSleuth
Full Online Application Protection
ICSA Requirements: Application Firewall

• Functions at the application level (ISO model layer 7)
  – Understands inbound and outbound requests
  – Blocks invalid requests without terminating the entire user session
• Designed to recognize & protect against application threats
  – Signature & non-signature attacks
• Dynamic and Accurate
  – Understands application logic
• Compatible with Web application technologies
  – Designed with the real world environment in mind: code/content changes every day
• Works in Real Time
  – Addresses threats before they reach the server
• Provides Application Level Forensics
  – Logging & Alerting
• Single Point of Administration
  – One solution to protect all application components
How an Application Firewall Works

The Security Policy is built dynamically in real time as pages are requested by the user.

Browser <-> Dynamic Policy Recognition Engine* <-> Web Server

*Sanctum, Inc. Patented Technology
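The positive security model from the "What is a Viable Solution?" slide and the dynamic policy pictured above, as an added example that is not from the original deck and is not Sanctum's patented engine: a toy policy engine in Python that learns the allowed paths, link parameters and form fields from the pages the server actually serves, then rejects any request the application never offered. The served page, the request lines and the free-text length limit are constructed for the demo; the Code Red-shaped request is rejected only because /default.ida was never served, with no signature involved.

```python
import re
from urllib.parse import parse_qs, urlparse

# Assumption: the only constraint placed on free-form inputs is a length limit.
MAX_FREE_TEXT = 256


class DynamicPolicy:
    """Positive model: remember what the application itself offered the user,
    then allow only requests that match it. Nothing here is a signature."""

    def __init__(self):
        self.paths = set()   # every URL path the server has served or linked to
        self.fields = {}     # path -> {parameter: set of allowed values, or None for free text}

    def _allow(self, path, name, value):
        spec = self.fields.setdefault(path, {})
        if value is None or spec.get(name, set()) is None:
            spec[name] = None             # free text: no fixed value was emitted for it
        else:
            spec.setdefault(name, set()).add(value)

    def learn(self, page_path, body):
        """Run on every response: record links, link parameters and form fields."""
        self.paths.add(page_path)
        for href in re.findall(r'href="([^"]+)"', body):
            link = urlparse(href)
            self.paths.add(link.path)
            for name, values in parse_qs(link.query).items():
                for value in values:
                    self._allow(link.path, name, value)
        for action, inner in re.findall(r'<form[^>]*\baction="([^"]+)"[^>]*>(.*?)</form>', body, re.S):
            self.paths.add(action)
            self.fields.setdefault(action, {})
            for attrs in re.findall(r'<input\b([^>]*)>', inner):
                name = re.search(r'\bname="([^"]+)"', attrs)
                if not name:
                    continue
                kind = re.search(r'\btype="([^"]+)"', attrs)
                value = re.search(r'\bvalue="([^"]*)"', attrs)
                # hidden/radio/checkbox/submit values are the server's choice and must come back unchanged
                fixed = bool(kind) and kind.group(1) in ("hidden", "radio", "checkbox", "submit")
                self._allow(action, name.group(1), value.group(1) if fixed and value else None)

    def check(self, path, params):
        """Return (allowed, reason). Anything the application never offered is rejected."""
        if path not in self.paths:
            return False, f"path {path!r} was never offered by the application"
        spec = self.fields.get(path, {})
        for name, values in params.items():
            if name not in spec:
                return False, f"unexpected parameter {name!r}"
            for value in values:
                if spec[name] is None:
                    if len(value) > MAX_FREE_TEXT:
                        return False, f"free-text parameter {name!r} exceeds {MAX_FREE_TEXT} bytes"
                elif value not in spec[name]:
                    return False, f"parameter {name!r}={value!r} is not a value the server emitted"
        return True, "ok"


# Constructed page: what the application served for /catalog.
CATALOG_PAGE = """<html><body>
<a href="/account?id=1001">My account</a>
<form method="post" action="/checkout">
  <input type="hidden" name="sku" value="sku-200">
  <input type="hidden" name="price" value="12900">
  <input type="text" name="giftnote">
  <input type="submit" name="go" value="Buy">
</form>
</body></html>"""


def build_policy():
    policy = DynamicPolicy()
    policy.learn("/catalog", CATALOG_PAGE)
    return policy


def inspect_request(policy, request_line):
    """request_line is a constructed 'METHOD /path?query'; POST bodies are folded into the query."""
    _method, target = request_line.split(" ", 1)
    url = urlparse(target)
    return policy.check(url.path, parse_qs(url.query, keep_blank_values=True))


if __name__ == "__main__":
    policy = build_policy()
    for line in (
        "POST /checkout?sku=sku-200&price=12900&giftnote=thanks&go=Buy",   # legitimate
        "POST /checkout?sku=sku-200&price=1&giftnote=thanks&go=Buy",       # hidden field manipulation
        "POST /checkout?sku=sku-200&price=12900&go=Buy&debug=1",            # backdoor/debug option
        "GET /account?id=1002",                                            # parameter tampering
        "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858",                    # shape of a Code Red probe
    ):
        print(inspect_request(policy, line), line)
```

The caveat a practitioner would want: the policy is only as complete as the responses the engine has seen, so a URL that is reached through client-side script, or a first-time POST, is blocked until it has been learned; a deployed product pairs this learning with a review and tuning phase before enforcement is turned on.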
How an Application Firewall Works: Hidden Manipulation (screenshot walk-through, not reproduced in this transcript)

How an Application Firewall Works: Blocking the Attack (screenshot, not reproduced)

Application Level Forensics (screenshot, not reproduced)
Web Application Protection Solutions

• Content Integrity
  – TripWire / TripWire
  – Gilian / G-Server
• Network Separation
  – Whale / eGap
  – SpearHead / AirGap
• Access Control
  – Netegrity / SiteMinder
  – RSA-Securant / ClearTrust
• Protected OS
  – Argus / PitBull
  – HP / Virtual Vault
• Known Attack Detection
  – Entercept / Entercept WS
  – Okena
  – eEye / SecureIIS
• Web Application Firewall
  – Sanctum / AppShield: only application firewall certified by ICSA Labs
Protecting at the OS level: Host Intrusion Prevention

Host Intrusion Prevention Solutions:
• Reside at the OS level only (i.e. red wrapper)
• Prevent any OS vulnerabilities from being exploited
• Reside on network servers (i.e. mail and ftp) and/or web servers

But, the Applications Remain Vulnerable

Even with OS holes plugged, the applications remain unprotected.
Sanctum

• Sanctum is the recognized industry leader for Web application security solutions
  – 200 customers: 54 of the F100
  – 8 of the top 10 financial institutions in the U.S. use Sanctum solutions
  – Global Leadership: Japan and Europe
  – Intellectual property leadership: 3 patented, 4 patent-pending technologies
  – Financial Srvs, retail, healthcare, media, telecom & utilities industries, government
• Strategic Partnerships: PWC; IBM Global Services; Netegrity; ATT; Perot Systems; Accenture; E&Y
• Sanctum is the only company that provides automatic enforcement of intended business processes, ensuring the protection of core information and data
  – AppShield: Web application firewall, full online prevention
  – AppScan: automated vulnerability assessment solution
Summary

• Web Perversion is a huge problem:
  – $18 Billion in lost sales forecasted due to security concerns in 2002 (FTC)
  – 75% of attacks are at the Application level (Gartner Group)
  – Hackers victimized 90% of large corporations and government agencies within the last 12 months (CSI and FBI)
• Security is an urgent management issue and a mandatory Core Value:
  – Your Web applications are at the heart of your business
  – Security is a Business Driver
• Protecting Your Web Applications is the Enterprise Equivalent of National Security:
  – Performing application level audits and/or application level prevention and detection is crucial
  – Automation must be fought with automation

SANCTUM is the Recognized Leader for Web Application Security Solutions
www.SanctumInc.com
SAVE YOUR SITE
GET