Securing Your Web Application against security vulnerabilities
Ong Khai Wei, IT Specialist, Development Tools (Rational), IBM Software Group
27 pages, posted May 26, 2018

Transcript

Page 1
Securing Your Web Application against security vulnerabilities

Ong Khai Wei, IT Specialist, Development Tools (Rational), IBM Software Group

Page 2

Agenda

• Security Landscape

• Vulnerability Analysis

• Automated Vulnerability Analysis

– IBM® Rational® AppScan Overview

Page 3

The Myth: "Our Site Is Safe"

• We Have Firewalls and IPS in Place
  – Port 80 & 443 are open for the right reasons
• We Use Network Vulnerability Scanners
  – Neglect the security of the software on the network/web server
• We Audit It Once a Quarter with Pen Testers
  – Applications are constantly changing
• We Use SSL Encryption
  – Only protects data between site and user, not the web application itself

Page 4

Reality: Security and Spending Are Unbalanced

• 75% of all attacks on information security are directed to the web application layer (Gartner)
• 2/3 of all web applications are vulnerable (Gartner)

Page 5

The Alarming Reality

Hacking Stage 6 — Wikipedia, Feb 9 2007

Page 6

Page 7

Why Application Security is a High Priority

• Web applications are the #1 focus of hackers:

– 75% of attacks at Application layer (Gartner)

– XSS and SQL Injection are #1 and #2 reported vulnerabilities (Mitre)

• Most sites are vulnerable:

– 90% of sites are vulnerable to application attacks (Watchfire)

– 78% of easily exploitable vulnerabilities affected Web applications (Symantec)

– 80% of organizations will experience an application security incident by 2010 (Gartner)

• Web applications are high value targets for hackers:

– Customer data, credit cards, ID theft, fraud, site defacement, etc

• Compliance requirements:

– Payment Card Industry (PCI) Standards, GLBA, HIPAA, FISMA, …

Page 8

The Security Landscape of the past

• Traditional Infrastructure was easier to protect . . .

• Concrete entities that were easy to understand

• Attack surface and vectors were very well-defined

• Application footprint very static

• Perimeter defense was king

Page 9

Changing Security Landscape of Today

• “Webification” has changed everything ...

• Infrastructure is more abstract and less defined

• Everything needs a web interface

• Agents and heavy clients are no longer acceptable

• Traditional defenses no longer apply

Page 10

High Level Web Application Architecture Review

[Diagram] Client Tier (Browser) — Internet — Firewall — Middle Tier: App Server (Presentation, Business Logic) — Data Tier: Database

• SSL protects the transport
• The firewall protects the network
• The customer application is deployed on the middle tier (app server)
• Sensitive data is stored in the data tier (database)

Page 11

Network Defenses for Web Applications

[Diagram] Perimeter defenses in front of the web application:

• Firewall
• Intrusion Detection System (IDS)
• Intrusion Prevention System (IPS)
• Application Firewall (App Firewall)
• Security Incident Event Management (SIEM)

Page 12

What Can Happen?

Page 13

Why Do Hackers Today Target Applications?

• Because they know you have firewalls

– So it's not very convenient to attack the network anymore

– But they still attack, because they still want to steal data …

• Because firewalls do not protect against app attacks!

– So the hackers are having a field day!

– Very few people are actively aware of application security issues

• Because web sites have a large footprint

– No need to worry anymore about cumbersome IP addresses

• Because they can!

– It is difficult or impossible to write a comprehensively robust application

• Developers are yet to have secure coding as second nature

• Developers think differently from hackers

• Cheap, Fast, Good – choose two, you can't have it all

• It is also a nightmare to manually QA the application

• "White-box" static code analyzers don't test for inter-app relationships

• Many companies today still do not have a software security QA policy or resource

Page 14

Vulnerability Analysis

Page 15

The OWASP Top 10 list (2007), as Application Threat / Negative Impact / Example Impact:

• Cross-Site Scripting
  – Negative impact: identity theft, sensitive information leakage, …
  – Example: hackers can impersonate legitimate users and control their accounts.

• Injection Flaws
  – Negative impact: attacker can manipulate queries to the DB / LDAP / other system.
  – Example: hackers can access backend database information, alter it or steal it.

• Malicious File Execution
  – Negative impact: execute shell commands on the server, up to full control.
  – Example: site modified to transfer all interactions to the hacker.

• Insecure Direct Object Reference
  – Negative impact: attacker can access sensitive files and resources.
  – Example: web application returns the contents of a sensitive file (instead of a harmless one).

• Cross-Site Request Forgery
  – Negative impact: attacker can invoke "blind" actions on web applications, impersonating a trusted user.
  – Example: blind requests to a bank account transfer money to the hacker.

• Information Leakage and Improper Error Handling
  – Negative impact: attackers can gain detailed system information.
  – Example: malicious system reconnaissance may assist in developing further attacks.

• Broken Authentication & Session Management
  – Negative impact: session tokens not guarded or invalidated properly.
  – Example: hacker can "force" a session token on a victim; session tokens can be stolen after logout.

• Insecure Cryptographic Storage
  – Negative impact: weak encryption techniques may lead to broken encryption.
  – Example: confidential information (SSN, credit cards) can be decrypted by malicious users.

• Insecure Communications
  – Negative impact: sensitive info sent unencrypted over an insecure channel.
  – Example: unencrypted credentials "sniffed" and used by the hacker to impersonate the user.

• Failure to Restrict URL Access
  – Negative impact: hacker can access unauthorized resources.
  – Example: hacker can forcefully browse to a page past the login page.
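The two entries the deck ranks #1 and #2 (slide 7), injection flaws and cross-site scripting, shown as the vulnerable pattern beside its fix. This is an added example written for this transcript, not code from the IBM deck or from AppScan; the users table, the two sample rows and the attacker inputs are constructed for the demo.

```python
"""Added example, not code from the IBM deck: the two flaws the deck ranks #1
and #2 (injection and cross-site scripting) as the vulnerable pattern beside
its fix.  The schema, the two users and the attacker inputs are constructed
for this demo."""
import html
import sqlite3

# Constructed attacker inputs.
SQLI_PASSWORD = "' OR '1'='1"   # closes the string literal, then adds a tautology
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


def make_db() -> sqlite3.Connection:
    """In-memory users table holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, card TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "4111-1111-1111-1111"),
         ("bob", "hunter2", "5500-0000-0000-0004")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    # Injection flaw: user input is spliced into the SQL text, so the attacker
    # rewrites the WHERE clause.  With SQLI_PASSWORD the statement becomes
    #   ... WHERE name = 'x' AND password = '' OR '1'='1'
    # which matches every row and hands back every stored card number.
    sql = ("SELECT name, card FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchall()


def login_fixed(conn: sqlite3.Connection, name: str, password: str) -> list:
    # Fix: bound parameters.  The driver passes the values separately from the
    # statement, so a quote in the input is just a quote in the data.
    sql = "SELECT name, card FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def greeting_vulnerable(username: str) -> str:
    # Cross-site scripting: untrusted input written straight into the HTML
    # body, so XSS_PAYLOAD runs in every visitor's browser with their cookie.
    return "<p>Welcome, %s</p>" % username


def greeting_fixed(username: str) -> str:
    # Fix: encode for the output context (HTML body here); quote=True also
    # covers the attribute-value context.
    return "<p>Welcome, %s</p>" % html.escape(username, quote=True)


def demo() -> dict:
    """Run both attacks against both versions and report what each gives up."""
    conn = make_db()
    return {
        "sqli_rows_vulnerable": len(login_vulnerable(conn, "x", SQLI_PASSWORD)),
        "sqli_rows_fixed": len(login_fixed(conn, "x", SQLI_PASSWORD)),
        "xss_script_survives_vulnerable": "<script>" in greeting_vulnerable(XSS_PAYLOAD),
        "xss_script_survives_fixed": "<script>" in greeting_fixed(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable login returns both rows (every card number) to an attacker who knows no password at all; the parameterised version returns nothing for the same input and still works for a real credential. Note that the fixed version only addresses injection: the table also stores passwords in the clear, which is the "Insecure Cryptographic Storage" row of the same list.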

Page 16

Automated Vulnerability Analysis

IBM® Rational® AppScan

Page 17

SECURITY TESTING IS PART OF SDLC QUALITY TESTING

[Diagram: Collaborative Application Lifecycle Management]

• Team Server: Manage Test Lab, Create Plan, Build Tests, Report Results
• SDLC Quality Assurance: Functional Testing, Performance Testing, Web Service Quality, Code Quality, Security and Compliance
• Test Management and Execution; Quality Dashboard
• Open Lifecycle Service Integrations: Defect Management, Requirements Management, Best Practice Processes, homegrown
• Open Platform: Java, System z, System i, SAP, .NET

Page 18

AppScan in the Rational Portfolio

[Diagram: SOFTWARE QUALITY SOLUTIONS, spanning Development, Operations and Business]

• Test and Change Management: Rational RequisitePro (Requirements), Rational ClearQuest (Test, Change, Defects)
• Test Automation:
  – Developer Test: Rational PurifyPlus, Rational Test RealTime
  – Functional Test (Automated): Rational Functional Tester Plus, Rational Functional Tester, Rational Robot
  – Functional Test (Manual): Rational Manual Tester
  – Performance Test: Rational Performance Tester
  – Security and Compliance Test: AppScan, PolicyTester
• Quality Metrics: Project Dashboards, Detailed Test Results, Quality Reports

Page 19

Rational AppScan

• What is it?
  – AppScan is an automated tool used to perform vulnerability assessments on web applications
• Why do I need it?
  – To simplify finding and fixing web application security problems
• What does it do?
  – Scans web applications, finds security issues and reports on them in an actionable fashion
• Who uses it?
  – Security auditors – main users today
  – QA engineers – when the auditors become the bottleneck
  – Developers – to find issues as early as possible (most efficient)

Page 20

How does AppScan work?

• Approaches the application as a black box
• Traverses the web application and builds the site model
• Determines the attack vectors based on the selected test policy
• Tests by sending modified HTTP requests to the application and examining the HTTP response according to validation rules

[Diagram: AppScan sends an HTTP Request to the Web Application (web servers, application, databases) and inspects the HTTP Response]
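The four steps above, carried out by a toy black-box scanner. This is an added example written for this transcript, not AppScan's own code (the product is closed source): the target is a constructed in-process web application standing in for a real one, the two payloads and the validation rules are minimal assumptions, and none of it is the product's actual test policy.

```python
"""Added example, not AppScan's code (the product is closed source): a toy
black-box scanner that walks the four steps on the slide above against a
constructed in-process web application.  The target handlers, the two test
payloads and the validation rules are all assumptions made for this demo."""
import re
from urllib.parse import parse_qs, urlencode, urlparse

# --- Constructed target application: two handlers, one of them flawed. -------

def _about_handler(params):
    return 200, "<html><a href='/search?q=test'>search</a></html>"


def _search_handler(params):
    q = params.get("q", [""])[0]
    if "'" in q:  # pretend q is spliced into SQL and the driver error leaks
        return 500, "SQLite error: unrecognized token near \"'\""
    return 200, "<html>Results for: %s</html>" % q  # reflects q unencoded


TARGET = {"/about": _about_handler, "/search": _search_handler}


def http_get(url: str):
    """Stand-in for sending an HTTP request; returns (status, body)."""
    u = urlparse(url)
    handler = TARGET.get(u.path)
    if handler is None:
        return 404, "not found"
    return handler(parse_qs(u.query, keep_blank_values=True))


# --- Step 1: traverse the application and build the site model --------------

LINK_RE = re.compile(r"""href=['"]([^'"]+)['"]""")


def crawl(start: str = "/about", limit: int = 50) -> dict:
    """Returns {path: {parameter names}} for every page reachable from start."""
    site_model, queue, seen = {}, [start], set()
    while queue and len(seen) < limit:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        status, body = http_get(url)
        if status == 404:
            continue
        u = urlparse(url)
        site_model.setdefault(u.path, set()).update(
            parse_qs(u.query, keep_blank_values=True))
        queue.extend(link for link in LINK_RE.findall(body) if link.startswith("/"))
    return site_model


# --- Step 2: the test policy decides which attack vectors are tried ----------
# Each entry: the payload to send, and a validation rule over the response.

TEST_POLICY = {
    "reflected_xss": (
        "<xsstag>",
        lambda status, body, payload: payload in body,  # markup came back intact
    ),
    "sql_injection": (
        "'",
        lambda status, body, payload: re.search(
            r"(SQLite|SQL syntax|ODBC|ORA-\d+).*error", body, re.I) is not None,
    ),
}


# --- Steps 3 and 4: send modified requests, validate each response ----------

def scan(site_model: dict, policy: dict = TEST_POLICY) -> list:
    """One modified request per (page, parameter, test); a finding per rule hit."""
    findings = []
    for path, params in site_model.items():
        for param in sorted(params):
            for test_name, (payload, rule) in policy.items():
                url = "%s?%s" % (path, urlencode({param: payload}))
                status, body = http_get(url)
                if rule(status, body, payload):
                    findings.append({"test": test_name, "path": path,
                                     "parameter": param, "request": url})
    return findings


if __name__ == "__main__":
    for f in scan(crawl()):
        print("%-14s %s param=%s  (%s)" % (f["test"], f["path"],
                                            f["parameter"], f["request"]))
```

Two things a real scanner adds on top of this loop are worth keeping in mind when reading its reports: the site model also has to cover POST forms, cookies and authenticated areas, or the scan silently misses them; and a rule like "payload came back intact" only makes an issue a candidate, since whether the reflection is exploitable depends on the HTML context it landed in.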

Page 21

AppScan Goes Beyond Pointing out Problems

Page 22

Scanning in Progress

Page 23

Identify Vulnerabilities

Page 24

Actionable Fix Recommendations

Page 25

Reports

Page 26

Page 27