8. Strategies for Web Application Security
Andy Hoernecke
Sr. Application Security Consultant
April 13th, 2011
9. Agenda
Background
Tool Introduction
Web Application Scanning Strengths/Weaknesses
Where Scanning Makes Sense
SDL Integration
Supplemental Security Measures
9 Neohapsis Confidential
10. Background
~96% of records breached involved “hacking” or malware
~92% of records stolen through “hacking” involved a web application
Most commonly exploited web application vulnerabilities
include:
SQL Injection
Brute Force Attacks
OS Commanding
Default/Guessable Credentials
Cross-Site Scripting
Source: 2010 Data Breach Investigations Report, Verizon Business Risk Team
11. Tool Introduction-Dynamic Analysis
Tests running web applications by making requests as a normal user would
Examples:
IBM AppScan
HP WebInspect
WhiteHat
Scanning phases generally include
Spidering
Fault Injection
Analysis
12. Tool Introduction-Static Analysis
Tests through the analysis of source or object code
Examples:
Fortify
Veracode
Capabilities vary greatly
May require compilable code
May only handle certain languages
Not currently as widely adopted
13. Dynamic Analysis Strengths
Performing tedious tests (Fuzzing)
XSS
File Path manipulation
SSL issues
Signature Based Tests
Known vulnerabilities in common applications
Sensitive Information Checks
Default files/scripts
Certain types of information disclosure (internal IP addresses)
Configuration Issues
Parameter based fault injection
14. Dynamic Analysis Weaknesses
Logic Bugs
Example: Negative Pricing/Quantity
Authentication Issues
SSO Related
Authorization Problems
User Role Enforcement
Forced Browsing
Vulnerabilities part of complex/multi-step processes
Identifying discrete pages in “rewritten URLs”
Results can vary greatly based on configuration and scanner in use
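The two weakness classes this slide leads with, a logic bug (negative pricing/quantity) and missing user-role enforcement that forced browsing exposes, reconstructed as plain request handlers in their vulnerable and hardened forms. This is an added illustration, not code from the deck; the handler names, the cart format, the `Session` object and the catalog prices are assumptions for the example. The point it shows is why a scanner misses both: the vulnerable handlers answer a negative quantity, or a direct request for the admin page by an ordinary user, with the same well-formed HTTP 200 they give a legitimate request, so there is nothing for fault injection or a signature to match; only validation in the code, or a tester reading the total, tells the two apart.

```python
"""Vulnerable and hardened versions of two handlers a dynamic scanner
cannot distinguish from the outside.  Added example; names, cart and
session formats and prices are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field

PRICES = {"widget": 25.00, "gadget": 40.00}  # constructed catalog


@dataclass
class Session:
    user: str
    role: str = "customer"


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


# --- Logic bug: negative quantity -------------------------------------------

def checkout_vulnerable(cart: dict[str, int]) -> Response:
    """Trusts the client-supplied quantity.  A fault-injected -3 produces the
    same HTTP 200 and well-formed JSON as +3; the negative total is only
    visible to someone who understands what the number means."""
    total = sum(PRICES[sku] * qty for sku, qty in cart.items())
    return Response(200, {"total": round(total, 2)})


def checkout_hardened(cart: dict[str, int]) -> Response:
    """Validates every line item server-side before pricing anything."""
    for sku, qty in cart.items():
        if sku not in PRICES:
            return Response(400, {"error": f"unknown sku {sku!r}"})
        if not isinstance(qty, int) or qty < 1:
            return Response(400, {"error": f"invalid quantity for {sku}"})
    total = sum(PRICES[sku] * qty for sku, qty in cart.items())
    return Response(200, {"total": round(total, 2)})


# --- Authorization: role enforcement / forced browsing ----------------------

def admin_report_vulnerable(session: Session) -> Response:
    """Relies on the admin link being hidden from customers.  Requesting the
    URL directly (forced browsing) works for any authenticated user, and the
    scanner sees an ordinary 200 either way."""
    return Response(200, {"report": "all customer orders"})


def admin_report_hardened(session: Session) -> Response:
    """Checks the role on every request, not only when rendering the menu."""
    if session.role != "admin":
        return Response(403, {"error": "forbidden"})
    return Response(200, {"report": "all customer orders"})


if __name__ == "__main__":
    print("vulnerable checkout, qty -3:", checkout_vulnerable({"widget": -3}))
    print("hardened checkout, qty -3:  ", checkout_hardened({"widget": -3}))
    print("customer hits admin report: ", admin_report_vulnerable(Session("alice")))
    print("hardened admin report:      ", admin_report_hardened(Session("alice")))
```

Because the vulnerable responses are syntactically healthy, the defect has to be caught by a rule the tester brings to the test (quantities must be positive, this page is admin-only), which is exactly the application knowledge a canned scan does not carry.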
15. Percent Vulnerabilities Identified
Source: Suto, Larry. "Analyzing the Accuracy and Time Costs of Web Application Security Scanners." (2001)
16. Experience Needed
Web application scanners are not like antivirus tools
Most will require tuning and customization to get good results
Login and session management can often cause problems
There WILL be false positives
Tuning and interpretation of results requires application security knowledge
Unlikely that canned reports can be handed off to average developers without some additional explanation
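What the "analysis" phase from the dynamic-analysis slide looks like when a person tunes and interprets the results, as this slide says they must. This is an added example, not any scanner's code: it takes a constructed list of findings and the response bodies captured for the probe requests and sorts each reflection finding into a real unencoded reflection, an HTML-encoded reflection (a false positive), or a page that is actually the login form because the scanner silently lost its session and needs re-authenticating. A second check flags internal RFC 1918 addresses leaking in headers or bodies, one of the information-disclosure signatures listed under strengths. The probe tag `<zqx9scan>`, the finding format and the sample responses are all constructed for the example.

```python
"""Triage helpers for interpreting dynamic-scan findings.  Added example;
the probe string, finding format and sample responses are constructed."""
import html
import re

PROBE = "<zqx9scan>"  # harmless, unique tag a scanner injects to test reflection

# Heuristic for "the scanner's session expired and it got the login page back"
LOGIN_PAGE = re.compile(r"action=['\"]/login['\"]|session expired", re.IGNORECASE)

# RFC 1918 ranges: 10/8, 172.16/12, 192.168/16
INTERNAL_IP = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3})\b"
)


def classify_reflection(body: str) -> str:
    """Return one of: confirmed, encoded, session-lost, not-reflected."""
    if PROBE in body:
        return "confirmed"        # probe reached the page unchanged: real issue
    if html.escape(PROBE) in body:
        return "encoded"          # output encoding is in place: false positive
    if LOGIN_PAGE.search(body):
        return "session-lost"     # re-authenticate the scanner and rescan this page
    return "not-reflected"        # transient or mis-attributed finding


def find_internal_ips(headers: dict, body: str) -> list:
    """Internal addresses disclosed anywhere in headers or body, de-duplicated."""
    text = " ".join(f"{k}: {v}" for k, v in headers.items()) + " " + body
    return sorted(set(INTERNAL_IP.findall(text)))


def triage(findings: list, responses: dict) -> list:
    """Annotate each finding with a verdict for the person tuning the scan."""
    out = []
    for f in findings:
        status, headers, body = responses[f["page"]]
        verdict = classify_reflection(body) if f["type"] == "reflected-xss" else "n/a"
        out.append({**f, "status": status, "verdict": verdict,
                    "internal_ips": find_internal_ips(headers, body)})
    return out


# Constructed scanner output and captured responses (page -> status, headers, body)
FINDINGS = [
    {"page": "/search", "param": "q", "type": "reflected-xss"},
    {"page": "/profile", "param": "name", "type": "reflected-xss"},
    {"page": "/orders", "param": "id", "type": "reflected-xss"},
    {"page": "/status", "param": None, "type": "info-disclosure"},
]
RESPONSES = {
    "/search": (200, {}, "<h1>Results for <zqx9scan></h1>"),
    "/profile": (200, {}, "<h1>Hello &lt;zqx9scan&gt;</h1>"),
    "/orders": (200, {}, "<form action='/login'>Session expired, sign in again</form>"),
    "/status": (200, {"Via": "1.1 10.0.3.7"}, "<p>backend 192.168.1.20 ok</p>"),
}

if __name__ == "__main__":
    for row in triage(FINDINGS, RESPONSES):
        print(row["page"], row["verdict"], row["internal_ips"])
```

The "session-lost" verdict is the one worth automating first: a scanner that drops its session mid-crawl keeps getting HTTP 200 login pages, reports nothing for the pages behind them, and the clean report looks like good news unless someone checks what was actually scanned.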
17. Where Scanning Makes Sense
Application Scanning is a piece of the overall SDL
Most standard web applications using HTTP/HTTPS
Modern scanners provide decent JavaScript parsing
Mostly platform/language independent
As the first stage of a manual assessment
18. Where Scanning Doesn’t Make Sense
Applications heavily reliant on client side code
Non-HTTP applications
CORBA
RMI
Proprietary protocols
Results could be limited for:
Web Services/SOAP APIs
Very AJAX intensive applications
Other client-side technologies
Flash
Silverlight
Completely static sites
19. Application Scanning and SDL
Web application scanners are valuable as part of the Secure Development Lifecycle
Variables include:
How frequently to scan
Dependent on several factors:
Application/Data sensitivity
Development Cycle
Business Criticality
Available Resources
Which environments to scan?
Production
Generally the most important code base to be secure
Requires the most care as outages are generally not well received
QA, Staging, Development
Good to catch vulnerabilities before rolled into production
Many development groups have hands full fixing issues in production
20. Application Scanning and SDL
Dynamic scanning has limitations
Won’t be able to find everything a code review could find
Can provide findings relatively quickly and help focus on potentially insecure areas of an application
21. Supplementing Application Scanning
Periodic manual testing for sensitive applications
Blackbox, Greybox, Whitebox
May be targeted to certain functionality
Standard IT best practices
Separation of duties
Defense in depth
Working in security during earlier development phases
Security requirements
Architecture review
Developer security training/awareness