Web Applications – The Hacker’s New Target
Hacking 102: Integrating Web Application Security Testing into Development
Ross Tang, IBM Rational Software
© 2009 IBM Corporation, IBM Software Group

Page 1

An IBM Proof of Technology

Web Applications – The Hacker’s New Target
Hacking 102: Integrating Web Application Security Testing into Development
Ross Tang, IBM Rational Software

Page 2

Are you phished?

http://www.myfoxny.com/dpp/your_money/consumer/090304_Facebook_Security_Breaches

Page 3

Facebook Worm

Page 4

Page 5

Page 6

http://www.marketwatch.com/investing/stock/STAN?countrycode=UK

Page 7

http://www.marketwatch.com/tools/quotes/lookup.asp?lookup=_Funny_Behaviour_&country=us

Page 8

http://www.marketwatch.com/investing/stock/UK:STAN?countrycode=UK

Page 9

Page 10

The Myth: “Our Site Is Safe”

We Have Firewalls in Place: Port 80 & 443 are open for the right reasons
We Use Network Vulnerability Scanners: Neglect the security of the software on the network/web server
We Audit It Once a Quarter with Pen Testers: Applications are constantly changing
We Use SSL Encryption: Only protects data between site and user, not the web application itself

Page 11

The WEAKEST Link: Web Application – last layer of defense

Defense layers: Desktop, Firewall, IDS/IPS, Web Applications (manual patching and code review)

Attacks shown: SQL Injection, Cross Site Scripting, Pattern-based Attack, Web Server Known Vulnerabilities, Parameter Tampering, Cookie Poisoning, Port Scanning, DoS, Anti-spoofing

Page 12

The Reality: Security and Spending Are Unbalanced

Layer             % of Attacks   % of Dollars (Security Spending)
Web Applications  75%            10%
Network Server    25%            90%

Sources: Gartner, Watchfire

75% of All Attacks on Information Security Are Directed to the Web Application Layer
2/3 of All Web Applications Are Vulnerable

• Buffer Overflow
• Cookie Poisoning
• Hidden Fields
• Cross Site Scripting
• Stealth Commanding
• Parameter Tampering
• Forceful Browsing
• SQL Injection
• Etc…

Page 13

Black-box (Discovering SQL Injection)

Entering a single quote as the user ID and foobar as the (masked) password makes the application build this query:

SELECT * from tUsers where userid=''' AND password='foobar'
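The probe on this slide works because the user's input is concatenated into the SQL text. The following is an added example (not from the deck or from IBM) that reproduces the slide's query from a concatenating login routine, shows the database error a black-box tester sees, and places a parameterised version beside it. The table name tUsers and its two columns are taken from the slide's query; the sample row and the function names are constructed for this example.

```python
import sqlite3


# Constructed in-memory sample database (assumption: tUsers has exactly the
# userid and password columns the slide's query references).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tUsers (userid TEXT, password TEXT)")
    conn.execute("INSERT INTO tUsers VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def build_query_unsafe(userid, password):
    # String concatenation: whatever the user types becomes part of the SQL text.
    # With userid = ' and password = foobar this yields exactly the slide's query.
    return ("SELECT * from tUsers where userid='" + userid
            + "' AND password='" + password + "'")


def login_unsafe(conn, userid, password):
    # Returns (authenticated, error_text). A stray quote breaks the statement and
    # the database error comes back to the tester: that error is the black-box
    # signal that input reaches the SQL parser unescaped.
    try:
        row = conn.execute(build_query_unsafe(userid, password)).fetchone()
        return row is not None, None
    except sqlite3.OperationalError as e:
        return False, str(e)


def login_safe(conn, userid, password):
    # Parameterised query: the driver passes the inputs as values, never as SQL,
    # so a quote is just a character in the user ID. (Plaintext password
    # comparison is kept only to mirror the slide's query.)
    row = conn.execute(
        "SELECT * from tUsers where userid=? AND password=?",
        (userid, password),
    ).fetchone()
    return row is not None, None


if __name__ == "__main__":
    db = make_db()
    print(build_query_unsafe("'", "foobar"))
    print(login_unsafe(db, "'", "foobar"))   # (False, <database error text>)
    print(login_safe(db, "'", "foobar"))     # (False, None)
```

Run it once with a valid account and once with the single-quote probe: the unsafe routine returns a database error for the probe, the parameterised one simply reports "no such user", which is what a black-box scanner should see from a fixed application.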

Page 14

Example: Cross Site Scripting – The Exploit Process

Parties: Evil.org, User, bank.com

1) Link to bank.com sent to user via E-mail or HTTP
2) User sends script embedded as data
3) Script/data returned, executed by browser
4) Script sends user’s cookie and session information without the user’s consent or knowledge
5) Evil.org uses stolen session information to impersonate user
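Steps 2 to 4 above depend on two defects: the application reflects user-supplied data into the page unencoded, and the session cookie is readable from script. The following is an added example (not from the deck or from IBM) showing the reflecting handler beside its output-encoded form, and a Set-Cookie header with the HttpOnly and Secure flags that keep document.cookie from handing the session to the script. The search page and the SESSIONID cookie name are assumptions; the slide does not name the vulnerable page on bank.com.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample input: the "script embedded as data" of step 2.
SAMPLE_INPUT = "<script>alert(1)</script>"


def render_unescaped(q):
    # Reflects the parameter verbatim, so the browser treats it as markup
    # and runs it (step 3).
    return "<p>Results for: " + q + "</p>"


def render_escaped(q):
    # Output encoding: the same characters become inert text in the page.
    return "<p>Results for: " + html.escape(q, quote=True) + "</p>"


def contains_live_script(page):
    # Check used only by this demo: does an unencoded <script tag survive
    # into the response body?
    return "<script" in page.lower()


def session_cookie_header(session_id):
    # HttpOnly hides the cookie from document.cookie (blunts step 4);
    # Secure restricts it to HTTPS. Cookie name is an assumption.
    c = SimpleCookie()
    c["SESSIONID"] = session_id
    c["SESSIONID"]["httponly"] = True
    c["SESSIONID"]["secure"] = True
    c["SESSIONID"]["path"] = "/"
    return c.output(header="Set-Cookie:")


if __name__ == "__main__":
    print(render_unescaped(SAMPLE_INPUT))
    print(render_escaped(SAMPLE_INPUT))
    print(session_cookie_header("constructed-session-id"))
```

Encoding at output time is the fix for steps 2 and 3; the cookie flags are defence in depth for step 4, since a script that does run can still issue requests with the browser's cookies even when it cannot read them.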

Page 15

IBM Rational AppScan End-to-End Application Security

Lifecycle stages: Requirements, Code, Build, QA, Security, Production

Requirements: Security Requirements Definition (security requirements defined before design & implementation)
Code: AppScan Source (build security testing into the IDE; application security best practices)
Build: automate security / compliance testing in the build process
QA: AppScan Tester (security / compliance testing incorporated into testing & remediation workflows)
Security: AppScan Standard (security & compliance: testing, oversight, control, policy, audits)
Production: AppScan onDemand (SaaS) (outsourced testing for security audits & production site monitoring)
AppScan Enterprise / Reporting Console: enterprise-wide scanning and reporting

Page 16

How Internet Banking is secure

Page 17

Nearly 1000 Companies Depend On Watchfire

8 of the Top 10 Technology Brands
7 of the Top 10 Pharma / Clinical Companies
Multiple Large Government Agencies (Veteran’s Affairs, Navy, Army, Air Force, Marines)
9 of the Top 10 Largest U.S. Retail Banks

Large, Complex Web Sites; Extensive Customer Data; Highly Regulated; High User Volume

Page 18

Security Industry Leaders Use and/or work with Watchfire solutions in their work

Consultants and Researchers; Technology Companies (EDS, more …)

Page 19

Trojan Software cost $99

● Constructor/Turkojan
● V.4 New features: Remote Desktop, Webcam Streaming, Audio Streaming, Remote passwords, MSN Sniffer, Remote Shell, Advanced File Manager, Online & Offline keylogger, Information about remote computer, Etc..