Web Application Security Presented by Jay Jaeger and Kevin Acker.

Posted 19-Dec-2015 (Category: Documents)

Transcript of Web Application Security Presented by Jay Jaeger and Kevin Acker.

Page 1: Web Application Security Presented by Jay Jaeger and Kevin Acker.

Web Application Security

Presented by

Jay Jaeger and Kevin Acker

Page 2: Web Application Security Presented by Jay Jaeger and Kevin Acker.

Overview

Application vulnerabilities are serious: your data and infrastructure are at risk.

Web applications are involved in critical business functions and access critical resources that contain customers' personal information.

Unfortunately, your enemies have a lot more time at their disposal than you do, and the days of "script kiddies" are gone: these folks mean business -- they are out to make money off of your vulnerabilities.

Page 3: Web Application Security Presented by Jay Jaeger and Kevin Acker.

Web Applications Under Siege

Page 4: Web Application Security Presented by Jay Jaeger and Kevin Acker.

Overall Issues/Risks

There are many different issues and risks that need to be considered when looking at the bigger picture of web application security.

Legacy web application security technology issues: don't forget about those old versions of software still running both mission critical and non-mission critical web applications. These apps may need additional protection/segmentation from the rest of the world.

Orgs sometimes just focus on "securing" their "mission critical" apps, but a vulnerability in any app could let someone "in the door".

Page 5: Web Application Security Presented by Jay Jaeger and Kevin Acker.

Overall Issues/Risks (cont.)

If you are not designing and coding with care, you certainly have serious vulnerabilities.

Numerous kinds of vulnerabilities: SQL injection in input, overflows on field lengths, cross site scripting attacks, etc. Refer to the OWASP site for additional info.

The overwhelming amount of information on web application security makes digesting the really important pieces challenging.

Code review is expensive but necessary (especially for externally facing web applications), and is cheaper than being compromised later. Automated code review tools can cut down on staff costs in this area.

Page 6: Web Application Security Presented by Jay Jaeger and Kevin Acker.

Overall Issues/Risks (cont.)

Even if you are designing and coding with care, you probably still have vulnerabilities.

  New ones show up all the time.

  Doing this right is hard right now. It takes skilled people focused on this to do it as well as possible.

  Focus on "defensible" applications since it is nearly impossible to have an application that is free from all vulnerabilities, i.e. don't forget due diligence.

Open source components and frameworks have bugs just like proprietary software.

Page 7: Web Application Security Presented by Jay Jaeger and Kevin Acker.

Overall Issues/Risks (cont.)

Keep up to date with patches both at the server and application layers. This is hard to do due to the large number of "apps" that organizations have running on their servers.

Don't rely on vendors who include other products with their software to include security patches for those products.

Without good change management you may have applications in production you weren't even aware of.

If you expose "test" environments to the internet, they need to be hardened, since they are entry points to the organization's environment as well.

Page 8: Web Application Security Presented by Jay Jaeger and Kevin Acker.

Overall Issues/Risks (cont.)

Infrastructure is necessary but is just part of the solution.

  Reverse proxies and proxy based firewalls can filter and validate HTTP traffic, some down to the field/parameter level.

  Defense in depth: avoid dependence on single providers, called "mono cultures", i.e. watch out for using the same vendor for all of your security layers.

  Don't just depend on your hardware firewall to protect you.

Page 9: Web Application Security Presented by Jay Jaeger and Kevin Acker.

Infrastructure Helps – Some

Page 10: Web Application Security Presented by Jay Jaeger and Kevin Acker.

Overall Issues/Risks (cont.)

Developers should work with infrastructure support staff to learn what infrastructure security pieces are in place to help protect applications and their data.

Integration with a 3rd party account provisioning and management application can help reduce potential security exposures from attempting to roll your own in this space.

Even with "perfect" infrastructure security you still need to secure the application itself.

Page 11: Web Application Security Presented by Jay Jaeger and Kevin Acker.

Mitigation Strategies

There are a number of areas that can be used to mitigate some of the risks and issues associated with web application security.

"Constant Vigilance!!"

  Always drink from your hip flask: Never trust anything that comes from the web browser / client (even from applets/.NET client side controls you wrote and distributed).

  Use your "dark detectors": If you are not monitoring your firewall, system and application logs (not just security logs) and following up, you are more vulnerable.

  Use your "foe glass": If you are not following bug reports, you are more vulnerable.

Complacency and overconfidence are your enemies. Don't ever pretend that problems don't exist. "Constant Vigilance!!"
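As an added illustration of the "never trust anything from the browser" rule together with the SQL injection, field-length overflow and cross site scripting items from the Overall Issues/Risks slide (example code written for this transcript, not from the presenters): it assumes a customer(id, name) table and an account id format of 4 to 12 upper-case alphanumerics.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

/**
 * Looks up a customer by an account id supplied from the browser.
 * Assumed schema: table customer(id, name); assumed id format: 4-12 upper-case alphanumerics.
 */
public final class CustomerLookup {
    private static final int MAX_ACCOUNT_ID_LEN = 12;   // matches the assumed column width
    private static final Pattern ACCOUNT_ID = Pattern.compile("[A-Z0-9]{4,12}");

    // The shape to avoid: the browser value becomes SQL text, so a quote in it rewrites the query.
    //   st.executeQuery("SELECT name FROM customer WHERE id = '" + rawId + "'");

    /** Length and alphabet check: overlong or malformed ids are rejected before any database work. */
    static String validateAccountId(String rawId) {
        if (rawId == null || rawId.length() > MAX_ACCOUNT_ID_LEN
                || !ACCOUNT_ID.matcher(rawId).matches()) {
            throw new IllegalArgumentException("invalid account id");
        }
        return rawId;
    }

    /** Parameterised lookup: the id is bound as a value and is never interpreted as SQL. */
    static String findCustomerName(Connection db, String rawId) throws SQLException {
        String id = validateAccountId(rawId);
        try (PreparedStatement ps = db.prepareStatement("SELECT name FROM customer WHERE id = ?")) {
            ps.setString(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("name") : null;
            }
        }
    }

    /** HTML-encode before echoing stored data back to the browser, so a stored name cannot run as script. */
    static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** What a page handler would render; the name passed in is whatever came back from the database. */
    static String renderGreeting(String nameFromDb) {
        return "<p>Welcome, " + htmlEscape(nameFromDb) + "</p>";
    }
}
```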

Page 12: Web Application Security Presented by Jay Jaeger and Kevin Acker.

Mitigation Strategies (cont.)

Whether or not to use proxy accounts to access back-end resources:

  Can make auditing more difficult, but allows clean separation of security domains.

  Always necessary for "public" web applications.

  Protecting credentials cannot be air-tight since the application still needs to get at the data.

Isolate components into appropriate security zones.

Page 13: Web Application Security Presented by Jay Jaeger and Kevin Acker.

Protecting the Crown Jewels

[Diagram: Internet Firewall; Production Database Access Firewall; Test and/or Unrelated Applications; Prod. Applications]

Use Security Zones to constrain access to appropriate places.

Page 14: Web Application Security Presented by Jay Jaeger and Kevin Acker.

Mitigation Strategies (cont.)

Testing is critically important.

  Regression test after changes.

  Recognize that regardless of testing, some flaws will slip through.

  Automated tools can help test for security flaws.

Validate server certificates when connecting to web services.

Whether using back-end "proxy" accounts for applications, or direct user-provided accounts, give the accounts access to only the views of data that are required to accomplish the necessary transactions.
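An added Java example (not from the presentation) of the "validate server certificates" point: the connection only succeeds when the service's certificate chains to a CA in an explicit trust store and the certificate name matches the URL host. The trust store path, the password environment variable and the service URL are assumptions.

```java
import java.io.InputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Calls a back-end web service over HTTPS and accepts the connection only when the server's
 * certificate chains to a CA in our own trust store and its name matches the URL host.
 */
public final class WebServiceClient {

    /** Build an SSLContext from an explicit PKCS12 trust store; path and password are assumptions. */
    static SSLContext contextFromTrustStore(Path trustStore, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(trustStore)) {
            ks.load(in, password);
        }
        // Standard PKIX chain validation: no custom X509TrustManager with empty check methods.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Open the connection and return the HTTP status; the handshake fails loudly on an untrusted chain. */
    static int callService(String url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) URI.create(url).toURL().openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier is kept on purpose. Installing one that returns true for any
        // host, or a trust-all TrustManager, is what silently turns certificate validation off.
        conn.setRequestMethod("GET");
        conn.setConnectTimeout(5_000);
        conn.setReadTimeout(5_000);
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        // Assumed deployment: trust store on disk, password supplied by the environment, not hard-coded.
        String pw = System.getenv("TRUSTSTORE_PASSWORD");
        SSLContext ctx = contextFromTrustStore(Path.of("/etc/app/truststore.p12"),
                pw == null ? null : pw.toCharArray());
        System.out.println("HTTP " + callService("https://ws.example.invalid/status", ctx));
    }
}
```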

Page 15: Web Application Security Presented by Jay Jaeger and Kevin Acker.

Sensitive Data All Over !!!

[Diagram, with sensitive data (S) marked at each location: Transaction Data; Customer Data; Application Server, Application Components; Session Data; Browser; Network Transmissions]

Page 16: Web Application Security Presented by Jay Jaeger and Kevin Acker.

Mitigation Strategies (cont.)

Minimize where you store sensitive data.

Encrypt sensitive data in storage (especially sensitive information stored in application configuration files) and in transit over the network.

Avoid storing credit card numbers, account numbers or other sensitive information in a database or even in an object that is persistent within the application.

Page 17: Web Application Security Presented by Jay Jaeger and Kevin Acker.

Protect That Data !!!

[Diagram, with markers S, H and K: One-Way Hash of Sensitive Data; Normalized Customer Data; Application Server, Application Components; Session Data; Browser; Encrypted Network Transmissions]

Page 18: Web Application Security Presented by Jay Jaeger and Kevin Acker.

Mitigation Strategies (cont.)

SOA may also provide help.

  Provides a natural security boundary.

  However, exposing data via web services to other applications carries another set of security risks, since your data is no longer completely under your control.

Page 19: Web Application Security Presented by Jay Jaeger and Kevin Acker.

Mitigation Strategies (cont.)

Sharing and collaboration of information within the state and across government entities.

  Should we have a common site for collaborating / two way information flow about these topics within the state or across government entities?

  Share the load on following bug reports, but avoid single individuals being the only ones looking at any given information source.

  Collaborate on design patterns, mitigation strategies. The App Best Practices group will be re-forming to help with some of this.

  There is a fair amount of duplication of effort across government with respect to checking for and remediating security issues.

Page 20: Web Application Security Presented by Jay Jaeger and Kevin Acker.

Web Application Security – Java Focus

Java has some characteristics that are helpful:

  Virtual machine

  Garbage Collection model avoids many memory re-use bug scenarios

  Pointer restrictions -- prevents many kinds of coding errors

  Object Oriented -- introduces thought discipline

"Java 2 Security Sandbox"

  Allows you to recognize and disallow aberrant behavior.

  Though most Java shops don't use it for server side applications, they probably should.

Page 21: Web Application Security Presented by Jay Jaeger and Kevin Acker.

Web Application Security – Java Focus (cont.)

Shared components and frameworks:

  Others can test more thoroughly than you can.

  Introduces repeatability into the development process.

  But some bugs can still remain.

Open source can end up with more "good" eyes looking for security issues -- but that is not necessarily always true.

Page 22: Web Application Security Presented by Jay Jaeger and Kevin Acker.

Web Application Security - .NET Focus

Application Pools in IIS - Run under the least privileged account possible. Avoid running applications under the System account if at all possible.

NTFS Permissions on files – Always use the least permissions possible on the application and system files.

Tools: Many utilities from Microsoft and other vendors such as IIS Trace, Debug Diagnostics, etc. allow you to look at real-time and historical activity to determine if/when security problems occurred.

Other tools such as CAT.NET and TAM-E (both still under development within Microsoft) will allow for deeper code analysis and threat modeling.

Page 23: Web Application Security Presented by Jay Jaeger and Kevin Acker.

Web Application Security - .NET Focus (cont.)

In ASP.NET, the semi-equivalent of the "sandbox" in Java is called Code Access Security, and almost no one uses it.

Common Configuration File Security Issues:

  Custom Errors Disabled

  Leaving Tracing and Debugging Enabled

  Cookie related issues

  Hard-coded Credentials Used

Page 24: Web Application Security Presented by Jay Jaeger and Kevin Acker.

Web Application Security Resources

The OWASP web site is a great place for information on all types of web application security issues – http://www.owasp.org

  Top 10 current vulnerabilities that people building web applications need to be aware of - http://www.owasp.org/index.php/Top_10_2007

The Web Application Security Consortium (WASC) is an international group of experts, industry practitioners, and organizational representatives who produce open source and widely agreed upon best-practice security standards for the World Wide Web – http://www.webappsec.org/