Web Application Security Web Application Security Diane Fraiman Vice President

Post on 27-Dec-2015

Page 1: Web Application Security Diane Fraiman Vice President

Web Application Security

Diane Fraiman, Vice President

Page 2

The Facts Reviewed…

• Code Red infected 359,000 servers in less than 14 hours – at the peak, it infected more than 2,000 new hosts/minute – estimated cost? $2.6B (Computer Economics)

• Within 24 hours of NIMDA hitting, 50% of the infected hosts went offline (CNet)

• 1 vulnerability exists in every 1,500 lines of code (IBM’s Watson Research Lab); Windows XP has 45M lines of code; Windows 2000 has 35M lines of code; Microsoft code lines double every 866 days…

• $18 billion in sales is expected to be lost due to concerns about online security in 2002 (FTC)

• Between 65% and 90% of companies experienced some sort of security breach in 2000 (CSI/FBI)

Page 3

Cyber crime on the Rise

[Chart: Number of Hacks, in thousands, 1998-2002. Source: CERT, incidents reported. Note: 2002 interpolated.]

[Chart: Avg Cost of Cyber crime/Company, in millions, 1999-2002. Source: CSI/FBI, U.S. companies surveyed only (excluding wiretapping). Note: 2002 interpolated.]

Page 4

The Problem is Real

• 3 out of 4 business websites are vulnerable to attack (Gartner)

• Internet fraud expected to exceed credit card fraud by 2003 (VNUnet)

• 75% of hacks occur at the Application level (Gartner)

The results of over 300 AppAudits conducted with AppScan: 97% vulnerable

• 31% Full control & access to information

• 25% Privacy breach

• 23% e-Shoplifting

• 7% Hijack transaction

• 7% Modify information

• 4% Minor breach

• 3% Delete web site

Page 5

The Fourth Level of Web Security

Level  Layer             Security          Behavior
1      Desktop           Antivirus         Disruption
2      Transport         Encryption        Interception
3      Network           Firewall          Illegal Access
4      Web Applications  Manual Patching   Perversion

Page 6

What is a Web Application?

Browser --(valid input, HTML/HTTP)--> Web Server --> User Interface Code --> Front end Application --> Backend Application --> Database --> Data

Invalid input (HTML/HTTP) can exploit weaknesses in the application, acting as escape holes that result in access to unauthorized accounts, the O/S, the network and sensitive data, and may even result in an application denial of service.

Without any protection, holes and backdoors exist at every layer waiting to be exploited.

Page 7

From Sanctum Audits

• Top 5 banks
  – Took root control of system, listed all sys admins & signed up 2 Senior VPs for credit cards at -129%
  – Found cross-site scripting, hidden fields & parameter tampering allowing access to all backend systems
  – Hundreds of servers out for weeks with Nimda
  – Broke into PeopleSoft Purchasing and HR applications; also broke into broker/dealer application

• Major Regional Banks
  – Took control of ISS web server

• Top 5 Mutual Fund
  – “Code Red gave us a bloody nose; Nimda tore off body parts”
  – Hundreds of servers out for weeks with Nimda

• Top 2 Credit Card companies
  – Forceful browsing accessed Netegrity SiteMinder directory: got userid/password file

• Airline
  – Downloaded source code; cookie poisoning = identity theft; accessed all employee schedules (still did not buy solution – thought they could solve it manually!)

• Healthcare
  – Accessed all patient files and altered information

• Telco
  – Entire customer billing record database available

Page 8

Ten Types of Application Hacks

• Hidden Field Manipulation - eShoplifting

• Parameter Tampering - access OS or sensitive data; fraud

• Backdoors and Debug Options – access code/application as developer or admin

• Cookie Poisoning - identity theft, illegal transactions

• Stealth Commanding - access OS or control application at OS level, site defacement

• Forceful Browsing - access sensitive data

• Cross-Site Scripting - attacker’s script runs in other users’ browsers in the site’s context; access sensitive data; eHijacking (session hijacking)

• Buffer Overflow - access sensitive data, or crash site/application

• 3rd-Party Misconfiguration - access OS or data

• Published/Known Vulnerabilities - access OS; crash site; access sensitive data

Page 9

Hidden Field Manipulation

• Vulnerability explanation: The application sends data to the client using a hidden field in a form. Modifying the hidden field alters the data returned to the web application.

• Why Hidden Field Manipulation: Passing hidden fields is a simple and efficient way to pass information from one part of the application to another (or between two applications) without the use of complex backend systems.

• As a result of this manipulation: The application acts according to the changed information and not according to the original data.
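As an added worked example (not from the original deck; the catalogue, the secret and the function names are hypothetical), here is the e-shoplifting case in Python: a checkout that trusts the hidden price field it emitted earlier, next to one that signs the hidden fields with an HMAC when they leave the server and verifies that signature when they come back.

```python
import hashlib
import hmac
import html
from urllib.parse import parse_qs

# Constructed sample data for this example (not from the original deck).
CATALOGUE = {"sku-100": 4999}           # list price in cents
SERVER_SECRET = b"example-only-secret"  # in practice: a real key loaded from config/KMS


def checkout_vulnerable(form_body: str) -> int:
    """Computes the charge from the hidden 'price' field the server emitted earlier.

    The client can edit that field before submitting, so it pays whatever it
    typed: the e-shoplifting case from the deck.
    """
    fields = parse_qs(form_body)
    return int(fields["price"][0]) * int(fields["qty"][0])


def sign_fields(sku: str, price: int) -> str:
    """HMAC over the values that must survive the round trip through the client."""
    msg = f"{sku}:{price}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def render_hidden_fields(sku: str) -> str:
    """Server side: emit the price together with an HMAC binding it to the SKU."""
    price = CATALOGUE[sku]
    return (
        f'<input type="hidden" name="sku" value="{html.escape(sku)}">'
        f'<input type="hidden" name="price" value="{price}">'
        f'<input type="hidden" name="sig" value="{sign_fields(sku, price)}">'
    )


def checkout_hardened(form_body: str) -> int:
    """Rejects any change to the hidden fields and range-checks the user-typed quantity."""
    fields = parse_qs(form_body)
    try:
        sku = fields["sku"][0]
        price = int(fields["price"][0])
        qty = int(fields["qty"][0])
        sig = fields["sig"][0]
    except (KeyError, ValueError) as exc:
        raise ValueError("malformed form submission") from exc
    # Constant-time comparison: the signature is the only thing that makes the
    # hidden values trustworthy again after they have been through the client.
    if not hmac.compare_digest(sign_fields(sku, price), sig):
        raise ValueError("hidden field tampered")
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return price * qty


def is_rejected(form_body: str) -> bool:
    """True when the hardened handler refuses the submission."""
    try:
        checkout_hardened(form_body)
    except ValueError:
        return True
    return False
```

The simplest fix is often not to ship the price at all and to re-read it from the catalogue by SKU on the server; the signature pattern is for values that legitimately have to round-trip (a quote valid for one session, a chosen discount) and it covers every hidden field the HMAC message includes, nothing else.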

Pages 10-14: Hidden Manipulation - Example (screenshots only; nothing recoverable in the transcript)

Page 15

Parameter Tampering

• Vulnerability explanation: Parameters are used to obtain information from the client. This information can be changed in a site’s URL parameters (and equally in POST bodies, cookies and headers, since all of it originates on the client).

• Why Parameter Tampering: Developers focus on the legal values of parameters and how they should be utilized. Little if any attention is given to incorrect values.

• As a result of this manipulation: The application can perform a function that was not intended by its developer, like giving access to another customer’s information.
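An added example of the "access to customer information" outcome (not from the deck; the account table, session table and handler names are hypothetical): a handler that returns whatever account the `account` parameter names, next to one that first checks the parameter's form and then checks that the session owner is allowed to see that record. The hardened version also shows the shape that removes the tampering surface entirely: not taking the identifier from the client at all.

```python
from urllib.parse import parse_qs, urlparse

# Constructed sample data (not from the original deck): two customers'
# accounts and two logged-in sessions.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 2500},
    "1002": {"owner": "bob", "balance": 91000},
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def query_params(url: str) -> dict:
    """First value of each query-string parameter."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def view_account_vulnerable(url: str, session_id: str) -> dict:
    """Reads 'account' from the URL and returns that record.

    The developer only thought about the legal value (the caller's own
    account), so changing ?account=1001 to ?account=1002 returns someone
    else's data. The session is never consulted.
    """
    return ACCOUNTS[query_params(url)["account"]]


def view_account_hardened(url: str, session_id: str) -> dict:
    """Validates the parameter's form, then authorises it against the session owner."""
    user = SESSIONS.get(session_id)
    if user is None:
        raise PermissionError("not authenticated")
    acct = query_params(url).get("account", "")
    # Syntactic check first: the parameter is an identifier, not free text.
    if not (acct.isdigit() and len(acct) <= 10):
        raise ValueError("malformed account id")
    record = ACCOUNTS.get(acct)
    # Same error for "does not exist" and "not yours", so the caller cannot
    # enumerate which identifiers are valid.
    if record is None or record["owner"] != user:
        raise PermissionError("access denied")
    return record


def my_account(session_id: str) -> dict:
    """Safest shape: no client-chosen identifier at all; the session decides."""
    user = SESSIONS.get(session_id)
    if user is None:
        raise PermissionError("not authenticated")
    return next(rec for rec in ACCOUNTS.values() if rec["owner"] == user)


def outcome(url: str, session_id: str) -> str:
    """Classifies what the hardened handler does with a request: ok / malformed / denied."""
    try:
        view_account_hardened(url, session_id)
        return "ok"
    except ValueError:
        return "malformed"
    except PermissionError:
        return "denied"
```

The order matters: reject values that are the wrong shape before touching the data store, then decide authorisation on the server's own record of who the session is, never on anything the request carries.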

Pages 16-17: Parameter Tampering - Example (screenshots only; nothing recoverable in the transcript)

Page 18

What is a Viable Solution?

• VIABLE = Positive Security Model:

– Vulnerability Assessment tools: bullet-proof applications before they go into production

– Application Firewalls: block, log and alert against known/unknown attacks

– Behavioral/Policy-based
  • Automatically builds a policy in real time for the site
  • Allows only intended business interactions
  • Maintains intended application behavior

– e.g., Code Red and Nimda blocked without updates or rules, because a request for a resource the application never offered falls outside the policy

• Not Viable = Negative Security Model:

– Signature/Rules-based – blocks known attacks based on signatures, heuristics or rules

– e.g., a patch must be installed or signatures written to block Code Red & Nimda

Page 19

Traditional (Manual) Vulnerability Assessment

• Issues:
  – process is complex
  – security knowledge needed for performing a successful audit

• The process:
  – Manual coverage of relevant business processes
  – Full inspection of client-side scripts and comments
  – Full inspection of application interfaces
  – Manual analysis of potential vulnerabilities
  – Manual testing of potential vulnerabilities
  – Check for installation of known patches

• The knowledge:
  – Complete understanding of application logic
  – Complete knowledge of application manipulation methods
  – Memory of all known patch issues
  – Complete understanding of the most secure configuration of all tools

Page 20

Traditional Auditing – the problem

• Multiple points of people failure – Development, QA, Operations, vendor software, outsourcing

• New third-party bugs discovered every day – site exposed during patch latency

• Site complexity – many lines of code and application interactions

• Compressed application development cycle – time-to-market needs will impact development and QA

• Distributed knowledge – no single person has all the knowledge needed for a full audit

Never ending, time consuming and expensive!

Page 21

Automatic Application Vulnerability Assessment

• Explore – automatically explore the site, discover potential vulnerabilities, and dynamically create tests to evaluate them

• Test – test and validate potential vulnerabilities and assign success and severity ratings

• Report – generate custom reports with information targeted at specific levels of security expertise and functions

This process can be repeated as often as necessary: once a week, once a month, or only one time.
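An added example of the explore/test/report loop in miniature (not the deck's AppScan and not code from the page): a constructed stand-in application that trusts its own hidden price field, a crawler that follows links and collects each form's hidden fields, a probe that resubmits every numeric hidden field with a canary value and flags the form only when the server acts on the canary, and a one-line-per-finding report. The application, the canary value, the regular expressions and the severity scale are all assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, urlparse


# Constructed stand-in for the site under test: a callable that takes a path
# and submitted fields and returns (status, body), the way an HTTP app would.
# It deliberately trusts its own hidden price field. Not code from the deck.
def sample_app(path: str, params: dict) -> tuple:
    if path == "/":
        return 200, '<a href="/shop?item=7">shop</a> <a href="/about">about</a>'
    if path == "/about":
        return 200, "<p>About us</p>"
    if path == "/shop":
        return 200, (
            '<form action="/buy" method="post">'
            '<input type="hidden" name="item" value="7">'
            '<input type="hidden" name="price" value="4999">'
            '<input type="text" name="qty">'
            '<input type="submit" value="Buy"></form>'
        )
    if path == "/buy":
        total = int(params.get("price", "0")) * int(params.get("qty", "1"))
        return 200, f"Order total: {total}"
    return 404, "not found"


# Crude extraction, assumed attribute order type/name/value; a real scanner
# would use an HTML parser.
FORM_RE = re.compile(r'<form[^>]*action="([^"]+)"[^>]*>(.*?)</form>', re.S)
HIDDEN_RE = re.compile(r'<input[^>]*type="hidden"[^>]*name="([^"]+)"[^>]*value="([^"]*)"')
LINK_RE = re.compile(r'href="([^"]+)"')
CANARY = "31337"  # a value unlikely to appear in a legitimate response


def explore(app, start="/", limit=100):
    """Explore: follow links breadth-first and collect every form with its hidden fields."""
    seen, queue, forms = set(), [start], []
    while queue and len(seen) < limit:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        parts = urlparse(url)
        status, body = app(parts.path, {k: v[0] for k, v in parse_qs(parts.query).items()})
        if status != 200:
            continue
        queue.extend(LINK_RE.findall(body))
        for action, inner in FORM_RE.findall(body):
            forms.append((action, dict(HIDDEN_RE.findall(inner))))
    return forms


def probe_hidden_fields(app, forms):
    """Test: resubmit each form with one numeric hidden field replaced by the canary.

    A finding is raised only when the canary is reflected in the response and
    was absent from the untampered baseline, i.e. the server acted on it.
    """
    findings = []
    for action, hidden in forms:
        base = dict(hidden, qty="1")  # assumed free-text field for this sample app
        _, baseline = app(action, base)
        for name, value in hidden.items():
            if not value.isdigit():
                continue
            _, body = app(action, dict(base, **{name: CANARY}))
            if CANARY in body and CANARY not in baseline:
                findings.append({"severity": "High", "url": action, "field": name,
                                 "issue": "hidden field manipulation accepted"})
    return findings


def report(findings):
    """Report: one line per finding, highest severity first."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    lines = [f"[{f['severity']}] {f['url']} field={f['field']}: {f['issue']}"
             for f in sorted(findings, key=lambda f: order[f["severity"]])]
    return "\n".join(lines) or "no findings"


if __name__ == "__main__":
    print(report(probe_hidden_fields(sample_app, explore(sample_app))))
```

The baseline comparison is what keeps the probe from reporting every page that echoes input back: the `item` field is also mutated, but the server ignores it, so only `price` is reported.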

Page 22

Automatic Application Vulnerability Assessment: Benefits

• Explore
  – Automation enables coverage of the application
  – Automatic extraction of information from the application
  – Deploys a knowledge base of possible vulnerabilities
  – Automatically covers all potential holes

• Test
  – Automatically identifies successful attacks
  – Coverage of all potential vulnerabilities
  – Refinement stage (multi-attack correlation)

• Reporting
  – Automatically generates findings report
  – Supplies solution recommendations

Automation = less time & more coverage. Expert system = reduces the knowledge needed.

Page 23

Vulnerability assessment tools

Commercial:

• Application Vulnerability Assessment
  – Sanctum / AppScan

• Network & Known Vulnerability Scanners
  – ISS / Internet Scanner
  – NAI / CyberCop
  – eEye / Retina

Public Domain:

• Known Vulnerability Scanners
  – Whisker
  – Nessus

• Proxy Scanners
  – Achilles
  – HTTPush
  – RFProxy
  – WebSleuth

Page 24

Full Online Application Protection
ICSA Requirements: Application Firewall

• Functions at the application level (OSI model layer 7)
  – Understands inbound and outbound requests
  – Blocks invalid requests without terminating the entire user session

• Designed to recognize & protect against application threats
  – Signature & non-signature attacks

• Dynamic and accurate
  – Understands application logic

• Compatible with Web application technologies
  – Designed with the real-world environment in mind: code/content changes every day

• Works in real time
  – Addresses threats before they reach the server

• Provides application-level forensics
  – Logging & alerting

• Single point of administration
  – One solution to protect all application components

Page 25

How an Application Firewall Works

The security policy is built dynamically in real time as pages are requested by the user: the Dynamic Policy Recognition Engine* sits between the browser and the web server, learns the forms, fields and links in each outbound page, and then accepts only requests that conform to what was served.

*Sanctum, Inc. patented technology
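An added example of the positive security model described on page 18 and on this page (not Sanctum's engine, and not code from the deck; the served page, the class names and the limits are assumptions): a small policy engine that reads the forms and links out of a page the server is sending to a session, records hidden fields as fixed values and user-typed fields as free, and then accepts an inbound request only if it matches something the application offered. Hidden-field manipulation, an unexpected parameter, and a request for a path that was never linked (forceful browsing, or a worm probing for a file that the application does not serve) are all rejected without any signature.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class FormExtractor(HTMLParser):
    """Pull forms (with their fields) and links out of a page on its way to the client."""

    def __init__(self):
        super().__init__()
        self.forms, self.links, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action", ""), "fields": {}}
            self.forms.append(self._form)
        elif tag in ("input", "select", "textarea") and self._form is not None and a.get("name"):
            # Hidden fields are fixed to the value the server chose; anything
            # the user is meant to type is recorded as free (None).
            fixed = tag == "input" and a.get("type", "text") == "hidden"
            self._form["fields"][a["name"]] = a.get("value", "") if fixed else None
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


class DynamicPolicy:
    """Positive security model: the only requests allowed are the ones the
    application itself offered (forms and links), learned from outbound pages."""

    def __init__(self):
        self.allowed = {}  # path -> list of {field name: fixed value or None}

    def learn(self, page_html: str) -> None:
        p = FormExtractor()
        p.feed(page_html)
        for form in p.forms:
            self.allowed.setdefault(urlparse(form["action"]).path, []).append(form["fields"])
        for href in p.links:
            parts = urlparse(href)
            fields = {k: v[0] for k, v in parse_qs(parts.query).items()}
            self.allowed.setdefault(parts.path, []).append(fields)

    def check(self, path: str, params: dict) -> tuple:
        """(allowed, reason) for an inbound request against the learned policy."""
        variants = self.allowed.get(path)
        if variants is None:
            return False, "forceful browsing: resource never offered to this session"
        reasons = [self.mismatch(fields, params) for fields in variants]
        if None in reasons:
            return True, "ok"
        return False, reasons[0]

    @staticmethod
    def mismatch(fields: dict, params: dict):
        """None when params conform to one offered form/link, else the first violation."""
        for name, value in params.items():
            if name not in fields:
                return f"unexpected parameter {name!r}"
            fixed = fields[name]
            if fixed is not None and value != fixed:
                return f"tampered value for {name!r}"
            # Free fields still get a sanity limit (assumed: 256 chars, no control chars).
            if fixed is None and (len(value) > 256 or any(ord(c) < 32 for c in value)):
                return f"malformed free-text value for {name!r}"
        for name, fixed in fields.items():
            if fixed is not None and name not in params:
                return f"missing parameter {name!r}"
        return None


# Constructed page the server would send to one session (not from the deck).
SERVED_PAGE = """
<a href="/account?id=1001">My account</a>
<form action="/checkout" method="post">
  <input type="hidden" name="sku" value="sku-100">
  <input type="hidden" name="price" value="4999">
  <input type="text" name="qty">
  <input type="submit" value="Buy">
</form>
"""
```

The policy has to be kept per session (keyed on the session cookie), since the pages one user was served say nothing about what another user may submit; and requests generated by client-side script, bookmarks, and links from e-mail are the usual source of false positives with this model, which is why a real engine needs a way to declare those entry points up front.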

Pages 26-29: How an Application Firewall Works - Hidden Manipulation (screenshots only; nothing recoverable in the transcript)

Page 30: How an Application Firewall Works - Blocking the Attack (screenshot only)

Page 31

Application Level Forensics

Page 32

Web Application Protection Solutions

• Content Integrity
  – TripWire / TripWire
  – Gilian / G-Server

• Network Separation
  – Whale / eGap
  – SpearHead / AirGap

• Access Control
  – Netegrity / SiteMinder
  – RSA-Securant / ClearTrust

• Protected OS
  – Argus / PitBull
  – HP / Virtual Vault

• Known Attack Detection
  – Entercept / Entercept WS
  – Okena
  – eEye / SecureIIS

• Web Application Firewall
  – Sanctum / AppShield: the only application firewall certified by ICSA Labs

Page 33

Protecting at the OS level: Host Intrusion Prevention

Host Intrusion Prevention Solutions:

• Reside at the OS level only (i.e. red wrapper)

• Prevent any OS vulnerabilities from being exploited

• Reside on network servers (i.e. mail and FTP) and/or web servers

Page 34

But, the Applications Remain Vulnerable

Even with OS holes plugged, the applications remain unprotected.

Page 35

Sanctum

• Sanctum is the recognized industry leader for Web application security solutions
  – 200 customers: 54 of the F100
  – 8 of the top 10 financial institutions in the U.S. use Sanctum solutions
  – Global leadership: Japan and Europe
  – Intellectual property leadership: 3 patented, 4 patent-pending technologies
  – Financial services, retail, healthcare, media, telecom & utilities industries, government

• Strategic partnerships – PWC; IBM Global Services; Netegrity; AT&T; Perot Systems; Accenture; E&Y

• Sanctum is the only company that provides automatic enforcement of intended business processes, ensuring the protection of core information and data
  – AppShield – Web application firewall: full online prevention
  – AppScan – automated vulnerability assessment solution

Page 36

Summary

• Web perversion is a huge problem:
  – $18 billion in lost sales forecasted due to security concerns in 2002 (FTC)
  – 75% of attacks are at the application level (Gartner Group)
  – Hackers victimized 90% of large corporations and government agencies within the last 12 months (CSI and FBI)

• Security is an urgent management issue and a mandatory core value:
  – Your Web applications are at the heart of your business
  – Security is a business driver

• Protecting your Web applications is the enterprise equivalent of national security:
  – Performing application-level audits and/or application-level prevention and detection is crucial
  – Automation must be fought with automation

SANCTUM is the Recognized Leader for Web Application Security Solutions

www.SanctumInc.com

Page 37

SAVE YOUR SITE

GET