Protecting your Applications and Data in an Evolving Risk Environment
Motaz Alturayef, Head of Engineering, KSA and North Africa, F5 Networks
Agenda
- What is an Application?
- Web Application Attacks
- What Happens When Apps Are Attacked?
- Protecting Applications
haveibeenpwned.com
(Chart, F5 Ponemon Survey: web application attack types reported by respondents. Categories: Cred Theft, DDoS, Web Fraud, Cross-site Scripting, SQL Injection, Clickjack, Cross-site Request Forgery, Other. Values shown: 2%, 17%, 20%, 24%, 25%, 50%, 63%, 68%.)
Applications are the business.
Applications are the gateway to your data.
How Are Applications Targeted?
- Sub-domains hosting other versions of the main application site
- Dynamic web page generators
- HTTP headers and cookies
- Admin interfaces
- Apps/files linked to the app
- Web service methods
- Helper apps on the client (Java, Flash)
- Server-side features such as search
- Web pages and directories
- Shells, Perl/PHP
- Data entry forms
- Administrative and monitoring stubs and tools
- Events of the application (triggered server-side code)
- Backend connections through the server (injection)
- APIs
- Cookies/state-tracking mechanisms
- Data/active content pools (the data that populates and drives pages)
How Can We Organize This Better?
(Slide: the same attack surfaces grouped into layers: Network, DNS, TLS/SSL, Access, Services.)
Where applications run: public cloud, private cloud, SaaS, co-location, on-premises, containers.
Apps Importance
- 34% of web apps are considered mission critical
- 760 web apps in use in an organization
- 9.93 web app environments/frameworks in use
How does this match up with your organization?
(Chart, F5 Ponemon Survey: web application categories in use. Categories: Communication Apps (Email/Texting), Remote Access, Document Management and Collaboration, Office Suites, Backup and Storage, Social Apps, Financial Apps (Banking/eCommerce), Developer Tools, Project Management, None of the Above, Other. Values shown: 1%, 6%, 9%, 13%, 16%, 32%, 51%, 57%, 62%, 74%, 81%.)
(Chart, F5 Ponemon Survey: cost of application attack outcomes. Categories: Leakage of Confidential or Sensitive Information; Tampering and Unauthorized Modifications to Apps; The Hack Resulted in the Failure to Access Data and/or Apps; Leakage of Personally-Identifiable Information About Customers, Consumers or Employees. Values shown: $6.56, $7.18, $8.53, $9.07.)
(Chart, F5 & Whatcom CC: breach causes. Categories: Web Attacks, Phishing, Accidental Breach, Credential Theft, Malware, Physical Breach, Point-of-Sale Attacks, Insider Attack. Values shown: 2%, 7%, 10%, 12%, 13%, 13%, 14%, 30%.)
(Chart, Web Attacks breakdown: Card-Stealing Web Injection, Website Hacking, Database Hacking. Values shown: 70%, 26%, 4%.)
Card-Stealing Web Injects
Targeted site -> malicious PHP code -> payment card info breached; the stolen data is exfiltrated via HTTPS to a drop server.
Injects are usually due to weak input filters, which are common in PHP, JS and CMS systems; an inject can add fake fields to the page.
Injections Continuing to Make Headlines
https://devcentral.f5.com/articles/anatomy-of-code-injection
2013 OWASP Top 10
1. Injection
2. Broken authentication and session management
3. Cross-site scripting (XSS)
4. Insecure direct object references
5. Security misconfiguration
6. Sensitive data exposure
7. Missing function level access control
8. Cross-site request forgery (CSRF)
9. Using components with known vulnerabilities
10. Unvalidated redirects and forwards

2017 OWASP Top 10
1. Injection
2. Broken authentication
3. Sensitive data exposure
4. XML external entities (XXE)
5. Broken access control
6. Security misconfiguration
7. Cross-site scripting (XSS)
8. Insecure deserialization
9. Using components with known vulnerabilities
10. Insufficient logging and monitoring
In the last 8 years more than 7.1 billion identities have been exposed in data breaches.
(Slide: breach sizes shown: 70 million, 427 million, 150 million, 3 billion and 117 million accounts.)
Sources: 1. Symantec Internet Security Threat Report, April 2017; 2. https://www.entrepreneur.com/article/246902#
Nearly 3 out of 4 consumers use duplicate passwords, many of which have not been changed in five years or more.
Credential Stuffing
(Diagram: one reused username is tried across many sites, reaching credit card data, intellectual property, healthcare data, passport data and financial data.)
Deserialization
https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization
A PHP forum uses PHP object serialization to save a "super" cookie containing the user's user ID, role, password hash and other state:
a:4:{i:0;i:132;i:1;s:3:"Bob";i:2;s:4:"user";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
An attacker changes the serialized object to give themselves admin privileges:
(Slide: the role string "user" in the cookie is edited to "admin" and the server deserializes the modified cookie as-is.)
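As an added example (not from the deck or from OWASP), this Python script reads a cookie in the slide's PHP serialize() format with a small constructed parser, shows that the role field is taken on trust exactly as the client sent it, and then shows the integrity-check mitigation: an HMAC over the serialized bytes, verified before anything is deserialized. The cookie bytes and the key are constructed, and the parser is not PHP's own unserialize().

```python
import hashlib
import hmac

# Constructed cookie in PHP serialize() format: same four fields as the slide (ID, name, role, hash).
COOKIE = (b'a:4:{i:0;i:132;i:1;s:3:"Bob";i:2;s:4:"user";'
          b'i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}')
SERVER_KEY = b"constructed-demo-key"  # assumption: a secret held only server-side

def _parse(buf: bytes, pos: int):
    # Minimal reader for serialize() ints, strings and arrays; not PHP's unserialize().
    kind = buf[pos:pos + 1]
    if kind == b"i":                                   # i:<int>;
        end = buf.index(b";", pos)
        return int(buf[pos + 2:end]), end + 1
    if kind == b"s":                                   # s:<len>:"<bytes>";
        colon = buf.index(b":", pos + 2)
        n, start = int(buf[pos + 2:colon]), colon + 2  # start skips ':"'
        if buf[start + n:start + n + 2] != b'";':
            raise ValueError("string length does not match payload")
        return buf[start:start + n].decode(), start + n + 2
    if kind == b"a":                                   # a:<count>:{key;value;...}
        colon = buf.index(b":", pos + 2)
        count, pos, items = int(buf[pos + 2:colon]), colon + 2, {}
        for _ in range(count):
            key, pos = _parse(buf, pos)
            items[key], pos = _parse(buf, pos)
        if buf[pos:pos + 1] != b"}":
            raise ValueError("unterminated array")
        return items, pos + 1
    raise ValueError(f"unsupported type {kind!r} at offset {pos}")

def php_unserialize(buf: bytes):
    value, end = _parse(buf, 0)
    if end != len(buf):
        raise ValueError("trailing data after serialized value")
    return value
def vulnerable_role(cookie: bytes) -> str:
    # Slide scenario: the server trusts the role field exactly as the client sent it.
    return php_unserialize(cookie)[2]
def sign(payload: bytes) -> bytes:
    # Mitigation: attach an HMAC so any change to the payload is detectable.
    return payload + b"." + hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest().encode()
def hardened_role(signed: bytes):
    # Verify the HMAC before deserializing; a tampered cookie yields None (reject it).
    payload, _, tag = signed.rpartition(b".")
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None
    return php_unserialize(payload)[2]
```

A client editing the signed cookie's role field invalidates the tag, so the server never deserializes the modified bytes.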
(Chart: Published Deserialization Exploits per year, 2007 to 2017.)
(Chart, F5 Ponemon Survey: respondent confidence levels. Categories: Very Confident, Confident, Somewhat Confident, No Confidence. Values shown: 16%, 22%, 24%, 38%.)
(Chart, F5 Ponemon Survey: security controls. Categories: Web App Firewall (WAF), Penetration Testing, Application Scanning, Anti-Malware Software, Anti-DDoS, Intrusion Prevention System (IPS), Traditional Network Firewall, Web Fraud Detection, Next-Generation Firewall, Other Network Security Controls. Values shown: 2%, 3%, 4%, 5%, 6%, 7%, 8%, 19%, 20%, 28%.)
Five steps to protect applications:
- Prioritize defenses based on attacks
- Reduce your attack surface
- Understand your environment
- Select flexible and integrated defense tools
- Integrate security into development
Research basis:
- Analysis of US Attorney breach data records
- Analysis of Exploit DB
- 12 months of web app security vulnerability data (DAST & SAST)
- 12 months of global web app attack data
- App security survey of 3,135 IT security pros in the US, Canada, United Kingdom, Brazil, China, Germany and India, across 14 industries
Additional research: Articles, Threat Blog, CISO to CISO, Thought Leadership Blog; topics: General Threat Trends, Phishing, Encryption, IoT (Attacker Hunt Series).