Web Application Security
ISSA Spring Security Summit 2009
Mike Parsons, CISSP, IAM, IEM
Transcript of ISSA Spring Security Summit 2009 Mike Parsons, CISSP, IAM, IEM.

  • Slide 1
  • ISSA Spring Security Summit 2009 Mike Parsons, CISSP, IAM, IEM
  • Slide 2
    • Why web application security
    • The value proposition
    • Who sets the standard: W3C, IETF, OWASP, WASC, PCI
    • Remediation strategies
    • Some common threats and exploits
  • Slide 3
    • Cenzic, Inc. reports in its Web Application Security Trends Report, Q3-Q4 2008, that total vulnerabilities were up over 10 percent from the first half of 2008, and the number of Web application vulnerabilities went up 80 percent.
    • At least 80 percent of applications tested were suffering from severe vulnerabilities.
    • The most common vulnerabilities related to Information Leaks and Exposures, Cross-Site Scripting, and Session Management.
  • Slide 4
    • "However, the economic crisis is holding a number of organizations back from moving forward with this initiative. What's surprising is that most of these companies are still spending money on network security. With 80 percent to 90 percent of Web applications vulnerable, and with 75 percent of attacks occurring through the Web sites, this budget allocation defies logic. But lack of awareness and understanding of the issues around application security are partly to blame." (Cenzic, Inc.)
  • Slide 5
    • Universal client: PDAs, netbooks, laptops, all OSs
    • Graphical user interface
    • XML and its extended family provide a common protocol stack from UI to back office: presentation, business logic, schema
    • Reduced development time
    • Provides a systems integration fabric
  • Slide 6
    • Web applications are on the rise: external-facing web sites are the new company storefronts
    • Intrinsic impacts: branding; customer experience; securing the data entrusted by partners, customers and employees
    • Cost impacts: fines; legal liability; loss of business
  • Slide 7
    • E-commerce
    • Employee and partner portals
    • Federation
    • ERP applications
    • Unique branding and intellectual property issues
    • Cloud computing: Software as a Service, Hardware as a Service
  • Slide 8
    • Retail: PCI, state privacy laws
    • Medical: HIPAA, PCI, state privacy laws
    • Banking: GLBA, PCI, state privacy laws
    • Education: FERPA, PCI, state privacy laws
  • Slide 9
    • W3C, IETF, OWASP, WASC, NIST, PCI
  • Slide 10
    • Purpose of the web: find useful information
    • Evolution to e-commerce and e-government
    • Standards for SGML, HTML, XML
    • XML Signatures and Encryption
    • Platform for Privacy Preferences
    • Quality assurance through development of validators
  • Slide 11
    • Related organizations: ISOC (Internet Society); IAB (architectural oversight); IESG (steering group); IETF (standards and practices); IANA (protocol parameters and addressing)
    • Sample standards and practices: TCP, UDP, HTTP, cryptography
  • Slide 12
    • Open Web Application Security Project
    • Organization established to develop and distribute information related to application security
    • OWASP Top 10, recognized in PCI DSS 1.2, Control 6.6
    • Tools like WebGoat and Scarab
    • There is a chapter in North Carolina
  • Slide 13
    • Develop open source and widely agreed upon best-practice security standards for the World Wide Web.
    • Projects: Web Application Security Scanner Evaluation Criteria; Web Hacking Incidents Database; Distributed Open Proxy Honeypots; Web Security Threat Classification; Web Application Firewall Evaluation Criteria; Web Application Security Statistics
  • Slide 14
    • Computer Security Division: provides standards and technology to protect information systems against threats to the confidentiality, integrity, and availability of information, processes and services, in order to build trust and confidence in IT systems.
    • Standards and guidelines of interest include encryption, web application scanners, hashing algorithms, digital signatures
  • Slide 15
    • Data Security Standard requirement 6.6 addresses web application security specifically
    • References OWASP Top 10
    • Requires either a web application firewall or code review of all application code by a qualified reviewer
    • Clarification issued in May that includes WAF evaluation criteria
  • Slide 16
    • A1 - Cross Site Scripting (XSS): XSS allows attackers to execute script in the victim's browser, which can hijack user sessions, deface web sites, possibly introduce worms, etc.
    • A2 - Injection Flaws: The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.
    • A3 - Malicious File Execution: Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.
    • A4 - Insecure Direct Object Reference: Attackers can manipulate direct object references to access other objects without authorization.
    • A5 - Cross Site Request Forgery (CSRF): Forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker.
  • Slide 17
    • A6 - Information Leakage and Improper Error Handling: Applications unintentionally leak information about their configuration or internal workings, or violate privacy, through a variety of application problems.
    • A7 - Broken Authentication and Session Management: Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.
    • A8 - Insecure Cryptographic Storage: Web applications rarely use cryptographic functions properly to protect data and credentials.
    • A9 - Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.
    • A10 - Failure to Restrict URL Access: Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users.
  • Slide 18
    • Educate your developers, systems engineers and business units
    • Know your infrastructure; reduce the exposure window
    • Have a third party assess your security and application integrity
    • Evaluate tools and strategies: code assessment; web application firewalls
  • Slide 19
    • PCI DSS Requirement 6.6: For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes; or installing a web-application firewall in front of public-facing web applications.
    • Testing Procedure 6.6: For public-facing web applications, ensure that either one of the following methods are in place as follows: verify that public-facing web applications are reviewed (using either manual or automated vulnerability security assessment tools or methods) at least annually, after any changes, by an organization that specializes in application security, that all vulnerabilities are corrected, and that the application is re-evaluated after the corrections; or verify that a web-application firewall is in place in front of public-facing web applications to detect and prevent web-based attacks.
  • Slide 20
    • Qualified organizations that specialize in application security are difficult to find, and the process is expensive
    • Third-party development or COTS poses problems: access to source code and developers is the issue
    • Can be used for in-house development
    • Expertise in secure coding practice
    • Review takes place outside of development
    • Can you review all code changes?
  • Slide 21
    • WhiteHat Sentinel
    • AppScan OnDemand Comprehensive
    • Cenzic Click to Secure services
    • Trustwave Managed Security Services
    • Qualys (more generic, but has a web services component)
  • Slide 22
    • Acunetix WVS
    • IBM Rational AppScan
    • HP WebInspect (formerly SPI Dynamics)
    • Cenzic Hailstorm
    • N-Stalker (has a free edition)
    • nCircle WebApp 360
  • Slide 23
    • No Magic Quadrant; Gartner has issued various notes on the subject
    • Consider WAFEC criteria to evaluate
    • Consider DSS criteria to evaluate
    • Enterprise architecture is a governing factor: in-line vs. out-of-line; JavaScript vs. XML vs. Ajax vs. Web Services 2.0; web server strategy
    • Look for additional value such as a positive security model and application integrity remediation
    • Look for management interface, flexibility in blocking traffic, scalability
  • Slide 24
    • WAFEC addresses the following areas in Version 1.0 (2006): deployment architecture; HTTP support; detection techniques; protection techniques; logging; reporting; management; performance; XML
    • Future releases to address the following areas: compliance, certifications, and interoperability; increased coverage of performance issues (especially on the network level); increased coverage of XML-related functionality
  • Slide 25
    • Meet all applicable PCI DSS requirements pertaining to system components
    • React appropriately (defined by active policy or rules) to threats against relevant vulnerabilities as identified, at a minimum, in the OWASP Top Ten and/or PCI DSS Requirement 6.5
    • Inspect web application input and respond appropriately (allow, block, and/or alert) based on the active policy or rules, and log actions taken
    • Prevent data leakage, meaning have the ability to inspect web application output and respond appropriately (allow, block, mask and/or alert)
    • Enforce both positive and negative security models
    • Inspect both web page content, e.g. Hypertext Markup Language (HTML), Dynamic HTML (DHTML), and Cascading Style Sheets (CSS), and the underlying transport protocols that deliver content, e.g. Hypertext Transport Protocol (HTTP) and Hypertext Transport Protocol over SSL (HTTPS)
    • Inspect web services messages, if web services are exposed to the public Internet, e.g. Simple Object Access Protocol (SOAP) and eXtensible Markup Language (XML), both document- and RPC-oriented models, in addition to HTTP
    • Inspect any protocol or data construct that is used to transmit data to or from a web application
    • Defend against threats that target the WAF itself
    • Support SSL and/or TLS termination, or be positioned such that encrypted transmissions are decrypted before being inspected by the WAF
  • Slide 26
    • Barracuda Application Gateway
    • Breach Security: WebDefend, ModSecurity
    • Citrix NetScaler Application Security Firewall
    • F5 Application Security Manager
    • Fortinet Web Application/XML Firewall Appliance: FortiWeb, FortiDB
    • Imperva SecureSphere: Web Application Firewall, Database Firewall
  • Slide 27
    • WASC Statistics
    • SecurityFocus
    • Mitre Corporation
    • CERT
    • W3C
    • WebGoat Demo Environment
    • Managed Service Providers, e.g. Trustwave, Cenzic
  • Slide 28
    • WASC: http://www.webappsec.org/
    • OWASP: http://www.owasp.org
    • IETF: http://www.ietf.org
    • W3C: http://www.w3c.org
    • NIST: http://csrc.nist.gov/mission/index.html
    • PCI: https://www.pcisecuritystandards.org/
  • Slide 29
    • Thank you for your attention
    • Mike Parsons, Security Consultant, Carolina Advanced Digital, 336-403-9710, [email protected]