Copyright. Armorize Technologies. 2007.
Secure Web Applications
A Black AND White Approach
Presented to OWASP, Ottawa
July 15, 2008
John Linehan
Senior Security Consultant
[email protected]
• Russian Business Network - The baddest of the bad (Verisign June 2006).
• Bank of India hack - injected malicious iFrame
Military Backed Operations
• China seeks Taiwan spy for computer hacking
  • International Herald Tribune, October 2007
• China Accuses Taiwan of owning thousands of their servers
  • China Times, October 2007
• Estonia hit by Moscow cyber war
  • BBC.co.uk, May 2007
• China’s cyber army is preparing to march on America, says Pentagon
  • timesonline.co.uk, September 2007
• Anti-Israel hackers deface central bank site
  • register.co.uk, April 2008
• USAF Considers Creation of Military Botnet
  • Slashdot, May 12 2008
Military Backed Operations
Col. Charles W. Williamson III
• “The world has abandoned a fortress mentality in the real world, and we need to move beyond it in cyberspace.”
• “America needs a network that can project power by building a [botnet] that can direct such massive amounts of traffic to target computers that they can no longer communicate and become no more useful to our adversaries than hunks of metal and plastic.”
• “America needs the ability to carpet bomb in cyberspace to create the deterrent we lack.”
• “The time for fortresses on the Internet also has passed, even though America has not recognized it.”
• “Now, the only consequence for an adversary who intrudes into or attacks our networks is to get kicked out — if we can find him and if he has not installed a hidden back door.”
• “That is not enough. America must have a powerful, flexible deterrent that can reach far outside our fortresses and strike the enemy while he is still on the move.”
Armed Forces Journal – Carpet bombing in cyberspace
http://www.armedforcesjournal.com/2008/05/3375884
Taiwan Malware Report
135,000+ URLs
582 pages with links to malicious code
221 pages that actively push malicious code to browser
72 different spyware types
Source broken down by country
• Over 70% from one source
Jeremiah Grossman on Taiwan Cyber Issues
“Taiwan cyber crime environment is MUCH different and WAY more serious than anything I’ve ever been exposed to in the U.S. or elsewhere.”
“Experience thus far has everything to do with criminals attempting to monetize. In Taiwan it’s an environment of true military supported cyber warfare as a result of an intense political climate with China.”
“Both sides are extremely well organized, funded, motivated, their actions unrestricted.”
“Daily computing life filled with 0-days, single person target rootkits, trojan horses, malware-laced spam, and attacks designed not to monetize or embarrass but for militaristic espionage with command and control goals.”
“They view their exploit code more like weapons and munitions than anything else.”
“The private and government sectors are in close, open, and bi-directional communication. This might have something to do with their mandatory military service so relationships between the two are more natural.”
Don’t be driven by compliance
• Should fear lack of Security
Compliance
MITS 16.4.11
• OS and Application security best practices
• Must “harden” software exposed to the Internet
PCI 6.6 – Security
• Option 1:
  • Source code analysis (manual or automated)
  • Vulnerability assessment (manual or automated)
• Option 2:
  • WAF
PCI 11.3 – Penetration Testing
• Annually or after modifications
• Network and Application Layer
Malware and our favorite search engine
Ghost in the Browser (May 2007)
• Google anti-malware team (Niels Provos)
All your iFrames point to us (Feb 2008)
• 3 million malicious URLs hosted on over 180,000 sites
• 1.3% of incoming Search Queries return at least one URL with malicious code
Google Flagging malicious URLs from search
• Request http://www.stopbadware.org/ to remove Google warnings
• If you are not in Google – you don’t exist
What is the impact on your business if you do not show up in a Google search?
Mandatory Industry Analyst Quotes
“More than 70% of attacks against a company are at the application layer, not the network layer” – Gartner, 2006
“Protecting networks is not enough. Applications are the real target for hackers” – IDC, 2006
“Instead of bolting security on as an afterthought, Security 3.0 integrates compliance, risk assessment and business continuity into every process and application” – register.co.uk, 2007
“Developers don’t go to security conferences ... IT Security people expect developers to come to us and be shown the light, perhaps it should be the other way around” – Jeremiah Grossman, June 16, 2008
Securing Web applications
Securing Web applications
Security Testing
• Part of compliance process
• Often automated tool with human analysis
• Time saving should not be offset by False Positives or IT Overhead
Black Box Testing
• Assumes no prior knowledge of the infrastructure to be tested