Application Security
IS 380 (PowerPoint presentation)

Functionality Over Security
• Security must be included from the beginning
• Security strapped on afterwards is an invitation to disaster
• M&M syndrome: hard crunchy shell, soft chewy center (everything is trusted once it is past the perimeter)
• Developers and security engineers are different fields
• Rush to market: customarily "sell now, patch it later"
• Reliance on perimeter protection
• Shifting from reactive to proactive

Secure Implementation
• How the software/OS is set up
  • Features
  • Configuration
  • Security policies
  • Group/user permissions
• Should default to uninstalled / no access

Database
• Where all the data goes: a central location
• Behind multiple firewalls
• Access control, views, etc.
• Easy to back up
• Likely contains the most sensitive data

Database Types
• Hierarchical
• Network
• Relational
• Object oriented

Database (relational example)

  Social sec #  | Name          | Address
  --------------+---------------+-------------------
  111-22-3333   | Tom Thompson  | 123b Whatever St.
  444-55-6666   | Sue Slackley  | 8 Hill Road

• Attribute: a column (Name)
• Tuple: a row (one record)
• Cell: one value at a row/column intersection
• Primary key: the column that uniquely identifies each tuple (Social sec #)
• File: the stored table as a whole

Database (cont)

  Income  | Age | Social Sec #
  --------+-----+--------------
  12000   | 19  | 111-22-3333
  78000   | 56  | 444-55-6666

• Foreign key: Social Sec # in this table refers to the primary key of the first table
• Record: collection of related data items
• View: restricts data visibility
• Schema: database structure
• Data dictionary: repository of data relationships
• Database: cross-referenced data collection
• Index: fast way to search data

Database issues
• Concurrency: changes overwritten, making data inaccurate. Fixed with locks
• Semantic integrity: makes sure the structure and semantic rules (data types, allowed ranges) are enforced
• Referential integrity: all foreign keys reference existing records
• Entity integrity: tuples are uniquely identified by primary key values (no null or duplicate keys)

Database activities
• Rollback: transaction(s) cancelled, database returned to its state before the transaction
• Commit: completes a transaction, database updated
• Savepoints: allow recovery to a known point in the event of a crash or error
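As an added worked example, not from the slides, the integrity rules and the rollback/commit/savepoint operations above run against the two-table schema from the earlier slides using Python's built-in sqlite3 module. The table and column names, the CHECK ranges, the savepoint name and the sample rows are assumptions for the example. Note that SQLite does not enforce foreign keys unless the connection asks for it, which is exactly the kind of "open by default" configuration point the secure-implementation slide warns about.

```python
import sqlite3


def build_db():
    """Constructed sample database with the two tables from the slides.
    isolation_level=None puts the sqlite3 module in autocommit mode so the
    BEGIN/COMMIT/SAVEPOINT statements below are ours, not the driver's."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores foreign keys unless told to enforce them
    conn.executescript("""
        CREATE TABLE person (
            ssn     TEXT PRIMARY KEY,   -- entity integrity: every tuple has a unique, non-null key
            name    TEXT NOT NULL,
            address TEXT NOT NULL
        );
        CREATE TABLE finance (
            ssn    TEXT NOT NULL REFERENCES person(ssn),   -- referential integrity
            income INTEGER NOT NULL CHECK (income >= 0),    -- semantic integrity (domain rule)
            age    INTEGER NOT NULL CHECK (age BETWEEN 0 AND 150)
        );
        INSERT INTO person  VALUES ('111-22-3333', 'Tom Thompson', '123b Whatever St.');
        INSERT INTO person  VALUES ('444-55-6666', 'Sue Slackley', '8 Hill Road');
        INSERT INTO finance VALUES ('111-22-3333', 12000, 19);
        INSERT INTO finance VALUES ('444-55-6666', 78000, 56);
    """)
    return conn


def rejected(conn, sql, params=()):
    """True if the statement is refused by an integrity constraint."""
    try:
        conn.execute(sql, params)
        return False
    except sqlite3.IntegrityError:
        return True


def update_with_savepoint(conn):
    """Commit, savepoint and rollback together: the first change is kept, the
    failing second change is undone back to the savepoint, then the unit commits."""
    conn.execute("BEGIN")
    conn.execute("UPDATE finance SET income = income + 1000 WHERE ssn = ?", ("111-22-3333",))
    conn.execute("SAVEPOINT before_insert")
    try:
        # orphan row: no person with this ssn, so the foreign key rejects it
        conn.execute("INSERT INTO finance VALUES (?, ?, ?)", ("999-99-9999", 1, 30))
    except sqlite3.IntegrityError:
        conn.execute("ROLLBACK TO before_insert")
    conn.execute("RELEASE before_insert")
    conn.execute("COMMIT")
    return conn.execute("SELECT income FROM finance WHERE ssn = ?", ("111-22-3333",)).fetchone()[0]


def rollback_whole_transaction(conn):
    """A rollback cancels every change since BEGIN: the delete never lands."""
    conn.execute("BEGIN")
    conn.execute("DELETE FROM finance")
    conn.execute("ROLLBACK")
    return conn.execute("SELECT COUNT(*) FROM finance").fetchone()[0]


def run_checks():
    """Exercise each integrity rule and both transaction outcomes; returns a dict of results."""
    conn = build_db()
    results = {
        "duplicate_primary_key": rejected(conn, "INSERT INTO person VALUES (?, ?, ?)",
                                          ("111-22-3333", "Impostor", "nowhere")),
        "orphan_foreign_key": rejected(conn, "INSERT INTO finance VALUES (?, ?, ?)",
                                       ("999-99-9999", 1000, 40)),
        "delete_referenced_parent": rejected(conn, "DELETE FROM person WHERE ssn = ?",
                                             ("444-55-6666",)),
        "negative_income": rejected(conn, "INSERT INTO finance VALUES (?, ?, ?)",
                                    ("444-55-6666", -5, 56)),
        "income_after_savepoint": update_with_savepoint(conn),
        "rows_after_rollback": rollback_whole_transaction(conn),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for check, value in run_checks().items():
        print(f"{check}: {value}")
```

The four `rejected` checks each map to one rule on the slide (entity, referential twice, semantic); the savepoint case is the one practitioners get wrong most often, since a constraint failure in SQLite aborts only the statement, not the enclosing transaction, so the explicit `ROLLBACK TO` is what discards the partial work.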

Database Security issues
• Aggregation: combining individually harmless pieces of information to glean unauthorized information
• Inference: deducing information from the bits of information obtained (the result of aggregation); the classic illustration is the surge in late-night pizza deliveries to the CIA before a crisis

Aggregation attack prevention
• Content-dependent access control: the more sensitive the data, the fewer people can access it
• Context-dependent access control: keeps track of previous requests and makes sure the current request makes sense in light of them
• Cell suppression: hides sensitive cells (including statistics computed over too few rows to be anonymous)
• Partitioning: divides the database up so no single query can reach the whole set
• Noise and perturbation: inserts bogus information
• Database views: DAC/MAC restricts access to data based on permission(s)
• Polyinstantiation: like noise and perturbation, but the substituted data depends on the requester's clearance (DAC/MAC): the same key has one row per level, so a low-clearance user sees a cover story (e.g. a ship's destination) and cannot infer that a higher-level row exists
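Two of the controls listed above, polyinstantiation and cell suppression, as an added example in Python and SQLite that is not part of the slides. The ship/destination rows, the three-level classification lattice and the minimum-group threshold are constructed for the example.

```python
import sqlite3

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}   # assumed MAC lattice
MIN_GROUP = 3   # assumed threshold: suppress statistics computed over fewer rows than this


def build_db():
    """Constructed sample data for both techniques."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        -- Polyinstantiated table: one row per (ship, level), so the key is the pair.
        CREATE TABLE voyage (
            ship        TEXT NOT NULL,
            level       TEXT NOT NULL,
            destination TEXT NOT NULL,
            PRIMARY KEY (ship, level)
        );
        INSERT INTO voyage VALUES ('Nautilus', 'UNCLASSIFIED', 'Lisbon');    -- cover story
        INSERT INTO voyage VALUES ('Nautilus', 'SECRET',       'Murmansk');  -- real destination
        INSERT INTO voyage VALUES ('Seahorse', 'UNCLASSIFIED', 'Rotterdam');

        -- Statistical table for cell suppression.
        CREATE TABLE salary (
            employee TEXT PRIMARY KEY,
            dept     TEXT NOT NULL,
            amount   INTEGER NOT NULL
        );
        INSERT INTO salary VALUES ('alice', 'engineering', 120000);
        INSERT INTO salary VALUES ('bob',   'engineering', 100000);
        INSERT INTO salary VALUES ('carol', 'engineering', 110000);
        INSERT INTO salary VALUES ('dave',  'legal',       150000);   -- the only person in legal
    """)
    return conn


def destinations_for(conn, clearance):
    """Return {ship: destination} as a user with this clearance sees it: for each
    ship, the row at the highest level the user may read. A low-clearance user
    gets a complete, consistent answer and no hint that a higher row exists."""
    allowed = [lvl for lvl, rank in LEVELS.items() if rank <= LEVELS[clearance]]
    placeholders = ",".join("?" * len(allowed))   # one bound '?' per allowed level
    rows = conn.execute(
        f"SELECT ship, level, destination FROM voyage WHERE level IN ({placeholders})",
        allowed,
    ).fetchall()
    best = {}
    for ship, level, dest in rows:
        if ship not in best or LEVELS[level] > LEVELS[best[ship][0]]:
            best[ship] = (level, dest)
    return {ship: dest for ship, (_, dest) in best.items()}


def avg_salary_by_dept(conn):
    """Cell suppression: publish a department's average only when the group is
    large enough. The 'average' of a one-person department is that person's
    salary, which is exactly the inference the control exists to block."""
    out = {}
    for dept, n, avg in conn.execute(
            "SELECT dept, COUNT(*), AVG(amount) FROM salary GROUP BY dept"):
        out[dept] = avg if n >= MIN_GROUP else None
    return out


if __name__ == "__main__":
    db = build_db()
    print(destinations_for(db, "UNCLASSIFIED"))
    print(destinations_for(db, "SECRET"))
    print(avg_salary_by_dept(db))
```

The point of the composite key in `voyage` is that both "Nautilus" rows are legitimate, not a data error: without polyinstantiation the UNCLASSIFIED user's insert of a cover-story row would be rejected as a duplicate key, and that rejection alone would reveal that a SECRET row exists.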

Other Database Stuff
• OLTP (online transaction processing): fault tolerance, high performance, distributed; more susceptible to attack
• Data warehousing: combine disparate databases into one large one for analysis
  • Business forecasting
  • Trending
• Data mining: find associations/correlations
• Metadata: the previously unseen relationships found in the data

System Development

Security & Development
• Security plan created at the start of the project
• Look at security integration at each stage of the lifecycle

Systems development lifecycle

Project Initiation
• Conceptual definition of the project
• Are there existing products?
• User needs
• Basic security objectives (C.I.A.)
• Risk management: the design itself should have security integrated
• Risk analysis: identify risks and consequences

Functional Design Analysis and Planning
• Functional baseline: what the product is expected to do / features
• Test plan created
• Security requirements
• Security controls to be implemented
• Identify other weaknesses and minimize them
• Create the design document
• Make sure to share it with the customer: no surprises

System design specifications
• Requirements
  • Information model: the type of information and how it should be processed
  • Functional model: tasks the application carries out
  • Behavioral model: states of the application during and after transitions
• Data structures, structural components
• System functionality broken down into more detail
• Interoperability, modularity
• Access control, rights and permissions, IPC, integrity of the system

Software Development
• Insert programmers and developers here
• Secure coding
  • Check input lengths
  • Allow only proper data types; sanitize inputs
  • Prevent covert channels
• Debugging, code reviews
• Document, document, document
• Unit testing: each chunk of code is tested
• Separation of duties: different people do input testing and validation
• Remove any maintenance hooks/backdoors

Installation/Implementation
• How to use and operate the application
• Protection configured
• Functionality and performance testing
• Document the configuration
• Certification: technical evaluation of the controls
• Accreditation: formal acceptance by management

Operational Maintenance
• Insert the system into the environment
• Conduct periodic vulnerability tests
• Recertify/accredit after any major changes/updates

Disposal
• Archive, destroy, or migrate data
• Overwrite/degauss or physically destroy media
• Disposal can be difficult
  • Migrating data / changing data format
  • Completely uninstalling software

Postmortem
• Lessons learned
• Don't ever use that vendor again :P
• What mistakes were made?
• What should we look out for next time?
• Streamlining the process for the next project
• One thing not mentioned: the change request

NIST SDLC: http://csrc.nist.gov/groups/SMA/sdlc/index.html

Secure Development
• Vulnerabilities are cheaper to fix earlier
• Regular code reviews
  • Identify vulnerabilities
  • Architectural problems
• Automatic code auditing tools
• Centralized code repository
  • Version control
  • Reversion available if necessary
  • Minimize undocumented changes, code injections, etc.

Security Testing
• Programs examined under simulated attack
• Looks for vulnerabilities
  • Bounds checking
  • Data format
  • Error handling
  • Configuration settings
• Manual and automated testing
• Social engineering

Change Control
• Changes can be:
  • Requests for additional functionality
  • New requirements
  • Patches/updates
• Changes must be:
  • Tested
  • Approved
  • Documented

Software Escrow
• A third party keeps a copy of the source code
• Code is released to the client in certain situations (e.g. the vendor stops supporting the product or goes out of business)

Languages
• Machine code
• Assembly language
• High-level language
• Very high-level language
• Natural language

Languages (cont)
• Interpreters: translate and execute one statement at a time (Perl)
• Compilers: translate the whole program to machine code ahead of execution (C)
• Assemblers: translate from assembly to machine code

OOP: Object Oriented Programming
• Modular, reusable
• Objects are instances of classes
• Not all objects need to be individually developed
• Common usage: code reuse through inheritance
• Method: an activity an object performs
• Messages: objects communicate with each other through API calls

OOP (cont)
• Information hiding / encapsulation: only some data is shared between objects
• Abstraction: expose only the properties a caller needs and suppress the rest
• Polymorphism: different objects react to the same input in different ways

Distributed Computing
• CORBA (Common Object Request Broker Architecture): open standard, wide interoperability; objects communicate through Object Request Brokers (ORBs), an RPC-style mechanism
• Microsoft COM/DCOM: COM is local, DCOM is distributed; proprietary
• EJB (Enterprise Java Beans)
• OLE (Object Linking and Embedding): the ability to place data in a foreign program, e.g. an Excel spreadsheet in a Word document

Expert Systems & Knowledge-Based Systems
• Emulate human logic to solve problems
• Collect know-how
• Rule-based programming: if-then logic
• Expert system = knowledge base + inference engine
  • Knowledge base: codified knowledge from experts in the field
  • Inference engine: a set of algorithms and rules used to draw a conclusion from the available facts
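An added example, not from the slides, of the inference engine described above: a small forward-chaining engine in Python that fires if-then rules over a set of known facts until nothing new can be concluded. The rule base is a hypothetical security-triage scenario constructed for the example; the rule names and fact labels are assumptions.

```python
def forward_chain(facts, rules):
    """Forward chaining: repeatedly fire every rule whose premises are all known
    facts, adding its conclusion, until a full pass over the rules adds nothing.
    Returns the final fact set and the order in which rules fired."""
    known = set(facts)
    fired = []
    changed = True
    while changed:
        changed = False
        for name, premises, conclusion in rules:
            if conclusion not in known and premises <= known:
                known.add(conclusion)
                fired.append(name)
                changed = True   # a new fact may enable rules skipped earlier this pass
    return known, fired


# Constructed rule base (hypothetical codified know-how from an incident responder):
# each rule is (name, set of premises, conclusion).
RULES = [
    ("R1", {"beaconing", "off_hours_login"}, "possible_compromise"),
    ("R2", {"possible_compromise", "admin_account"}, "escalate_to_ir"),
    ("R3", {"dns_to_known_bad_domain"}, "beaconing"),
]


def triage(observations):
    """Run the engine over a set of observed facts and report the verdict."""
    known, fired = forward_chain(observations, RULES)
    return {"escalate": "escalate_to_ir" in known, "fired": fired}


if __name__ == "__main__":
    print(triage({"dns_to_known_bad_domain", "off_hours_login", "admin_account"}))
    # -> {'escalate': True, 'fired': ['R3', 'R1', 'R2']}
```

R1 cannot fire on the first pass because "beaconing" is not yet known; R3 derives it, and the outer loop's second pass then lets R1 and R2 chain to the conclusion. That repeat-until-stable loop is the whole of what the slide calls the inference engine; everything domain-specific lives in the rule base.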

Artificial Neural Networks
• Mimic the structure of interconnected neurons
• Recognize patterns (vision)
• Ability to generalize
• Capability to learn

Web Security

Attacks on web security
• Vandalism
• Financial fraud
• Privileged/admin access
• Theft of transaction information
• Theft of IP (via the internal network)
• DoS attack

Defenses for web attacks
• Web application firewalls (deep packet inspection)
• IPS
• Quality assurance process / security review
• Authentication and access control
• SYN proxy

Information Gathering
• Google search
• Cached web site
• Error messages on the web site
• Configuration and include files (incorrect permissions)
• This happened to WordPress just last week!

Administrative interface
• Allows remote configuration and management
• Not a good idea to enable
• If you must, make it out of band

Authentication & Access Control
• Username and password most common
• Over a secure channel
• Account lockouts

Configuration Management
• "Get it working now, secure it later"
• Transferring test to production
• Installing an application/service
  • Default usernames/passwords
  • Online documentation
  • Example pages/databases/files
• Often a "kick me" sign found with Google searches
• Configuration issues (open by default)

Bypassing web controls
• Path or directory traversal
• Unicode/URL/hex encoding
• Cross site scripting (XSS): http://xss-proxy.sourceforge.net/
• Session hijacking/injection: http://www.bindshell.net/tools/odysseus
• Server side vs. client side input validation
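The first two bypasses above, traversal and encoding, as an added Python example that is not from the slides. It puts a naive "../" blocklist beside a server-side check that decodes, normalises and then verifies the target stays under the document root. The document root and the sample request paths are constructed for the example.

```python
import os
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # assumed document root for the example


def naive_is_safe(url_path):
    """Blocklist filter of the kind the slide is about: rejects a literal '../' only."""
    return "../" not in url_path


def full_decode(s):
    """Percent-decode until the string stops changing, so double encoding
    (%252e%252e%252f -> %2e%2e%2f -> ../) cannot slip past the check.
    Invalid UTF-8 such as the old %c0%af overlong trick decodes to U+FFFD, not '/'."""
    while True:
        d = unquote(s)
        if d == s:
            return d
        s = d


def resolve_safely(url_path, root=WEB_ROOT):
    """Decode, normalise lexically, then require the result to stay inside root.
    Returns the absolute filesystem path, or None if the request escapes the root."""
    decoded = full_decode(url_path)
    if "\x00" in decoded:
        return None   # NUL truncation: 'file.txt\0.jpg' would pass an extension check
    relative = decoded.replace("\\", "/").lstrip("/")   # treat backslash as a separator too
    candidate = os.path.normpath(os.path.join(root, relative))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


REQUESTS = [   # constructed sample requests
    "/images/logo.png",
    "/../../etc/passwd",
    "/%2e%2e/%2e%2e/etc/passwd",           # URL-encoded dots
    "/%252e%252e/%252e%252e/etc/passwd",   # double-encoded
    "/..%5c..%5cwindows/win.ini",           # encoded backslash
    "/static/..%2f..%2f..%2fetc/shadow",    # encoded slash
]


def compare(requests=REQUESTS):
    """For each request: (what the naive filter says, what the safe resolver returns)."""
    return {r: (naive_is_safe(r), resolve_safely(r)) for r in requests}


if __name__ == "__main__":
    for req, (naive_ok, resolved) in compare().items():
        print(f"{req:40} naive_ok={naive_ok!s:5} resolved={resolved}")
```

Every encoded request passes the naive filter because the literal "../" only appears after decoding. The safe version does not try to enumerate bad patterns at all: it canonicalises first and then asks the only question that matters, whether the final path is under the root. Keep the check lexical (`normpath`) rather than relying on `realpath` alone if the web root may contain symlinks, or resolve both sides consistently.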

Web based code
• Java: bytecode, run inside a sandbox (the JVM)
• ActiveX: native machine code, no sandbox, runs if the user allows it, signed with Authenticode
• JavaScript/VBScript
• Flash, Silverlight

Malicious code
• Virus: user action required
• Meme virus (hoax)
• Worms: self reproduction
• Botnets, bots, bot herder
• Logic bombs
• Trojan horses, RATs (BO, Sub7)
• Spam (Bayesian filtering)

Advanced Persistent Threat*
• Perseverance & resources
• Advanced: computer intrusion, conventional intelligence gathering, multiple attack methodologies
  • Covert
  • Escalate intricacy based on the defender's reaction
  • From generic exploits to fully custom malware
• Persistent: do not immediately seek financial gain; continuous monitoring
  • Low and slow, not smash and grab
  • Not opportunistic
• Threat: coordinated, not automated; there is a specific objective. Attackers are skilled, motivated, organized and careful
* The US Air Force coined the term in 2006
http://taosecurity.blogspot.com/2010/01/what-is-apt-and-what-does-it-want.html
http://www.mandiant.com/services/advanced_persistent_threat/
http://www.hackingtheuniverse.com/infosec/isnews/advanced-persistent-threat

Antivirus
• Layered approach
  • Client PCs
  • Servers
  • E-mail servers
  • Proxies

  • Virus walls

Patch management
• A constant process
• Test
• Deploy (phased?)
• Verify deployment
• Roll back, or validate and report

In class lab
• You are assigned to patch the OS with MS08-067
• Research the patch
• How will you test it?
• How will you determine whether to roll back or complete deployment?
• Environment: 100 Windows XP SP3, 10 Windows Server 2003, 10 OS X, 5 Red Hat Linux.

SQL injection in action
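The "SQL injection in action" demo itself is not reproduced on the page. The following is an added Python/SQLite example, not the slides' own, that serves both this slide and the secure-coding slide earlier (check input lengths, allow only proper data types, sanitize inputs): an injection against a string-built login query, the parameterised query that defeats it, and server-side validation layered on top. The users table, its password values and the username policy are constructed for the example.

```python
import re
import sqlite3


def build_db():
    """Constructed sample user table. Passwords are stored in clear text only to keep
    the injection easy to see; a real application stores salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (
            id       INTEGER PRIMARY KEY,
            username TEXT UNIQUE NOT NULL,
            password TEXT NOT NULL,
            role     TEXT NOT NULL
        );
        INSERT INTO users (username, password, role) VALUES ('admin', 'hunter2', 'admin');
        INSERT INTO users (username, password, role) VALUES ('tom',   's3cret',  'user');
    """)
    return conn


def login_vulnerable(conn, username, password):
    """The query is assembled by string formatting, so whatever the user types is
    parsed as SQL. Returns (username, role) or None."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, password):
    """Bound parameters: the SQL text is fixed and the values travel separately,
    so a quote or comment marker in the input is just data to compare against."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")   # assumed username policy


def login_validated(conn, username, password):
    """Server-side validation from the secure-coding slide, layered on top of the
    parameterised query: check type, length and allowed characters before the
    values reach the database at all."""
    if not isinstance(username, str) or not isinstance(password, str):
        return None
    if not USERNAME_RE.match(username) or not 1 <= len(password) <= 128:
        return None
    return login_parameterized(conn, username, password)


PAYLOADS = [   # constructed attacker inputs: (username, password)
    ("admin'--", "anything"),     # '--' comments out the password check
    ("nobody", "' OR '1'='1"),    # makes the WHERE clause true for every row
]


def demo():
    """Run both payloads through all three login functions; returns the results."""
    conn = build_db()
    return {
        "vulnerable": [login_vulnerable(conn, u, p) for u, p in PAYLOADS],
        "parameterized": [login_parameterized(conn, u, p) for u, p in PAYLOADS],
        "validated": [login_validated(conn, u, p) for u, p in PAYLOADS],
        "legitimate": login_validated(conn, "tom", "s3cret"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Both payloads log the attacker in as admin against the string-built query and return nothing against the parameterised one. The validation layer is not what stops the injection (parameterisation does); it is the slide's defence in depth, rejecting input that should never have been accepted and shrinking what the database ever sees. Note that Python's sqlite3 refuses to run more than one statement per `execute`, so the stacked-query form (`'; DROP TABLE ...`) would fail here even against the vulnerable function; other drivers and databases do execute it.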