App sec - code insecurity basics
Download as PPTX, PDF0 likes397 views
This document summarizes an app security workshop presented by Chris Hamm. The workshop covers basics of information security including availability, integrity, and confidentiality. It discusses threat modeling and common security threats like DDoS attacks and injections. The workshop also examines insecure coding practices like injectable code and spoofing vulnerabilities. It provides examples of these issues and defenses to code securely, such as input validation and session management. Attendees are encouraged to consider how to code with security in mind rather than coding insecurely.
App sec - code insecurity basics
- 1. App Sec Workshop by Chris Hamm
- 2. Background Name: Chris Hamm Life before CNET » Was in 151st/387th Infantry and MP unit for Army National Guard – Training in intelligence gathering and physical security. » Research and development for University of Louisville ITRC working on communication package for Public Safety funded by DHS. Familiarized with DoD/NSA/FBI security measures, standards, and equipment. Now » General interest in infoSec » Member of 502Sec group
- 3. Agenda » Basics in Security » Why you should you be worried? - Threat modeling » Code in security - examples of » Tools? » Questions
- 4. Basics in Info Security - All Info security revolves around managing 3 things » Availability – Can you get to your sh*t? » Integrity – Can you believe what you see? » Confidentiality – Anything we don’t want others knowing about The denial or disruption of any of these items and an attacker was basically successful. So what happens is there must be a ranking of how much of an impact something has in order to prioritize it.
- 5. Basics in Info Security - It is all about risk management » Vulnerability * Probability * Impact = RISK » How do you gather this information to determine RISK? » Answer = Threat Modeling » Understanding the threats will help you see how important security and how you might mitigate(*control) the risk of said threat.
- 6. Threat Modeling - Starting point » Threat statement » $ACTOR » does $ACTION » to $ASSET » resulting in $OUTCOME » because of $MOTIVATION
- 7. Threat Modeling - $ACTOR » NATION State » Organized Crime » Insiders » Hackavist - LulzSec » Script Kiddie » Competing Sites and bloggers » ..... {Exercise: Insert Here}.....
- 8. Threat Modeling - $ACTION » DDoS » Injections – OS level – SQL » XSS » ..... {Exercise: Insert Here}.....
- 9. Threat Modeling - $ASSET » Content » Subscription Service » User log in » NGINX » Varnish » Mongo » ..... {Exercise: Insert Here}.....
- 10. Threat Modeling - $OUTCOME » Release of code » Spoofing as us » Tampering with existing content » Gain foothold to Pivot » ..... {Exercise: Insert Here}.....
- 11. Threat Modeling - $MOTIVATION » Make money » Gain notability » ..... {Exercise: Insert Here}.....
- 12. Code in security - INSECURE Framework » Injectable » Spoofable » Errors and Exceptions (un/ms- handled) » Unsafe/Unused functions/Routines » Reversible » Elevated Privileges
- 13. Code in security - Injectable » Inadequate or improperly input validation/sanitization » Input (data) can be executed » Dynamic query construction using user input » Examples: – OS level executable code – SQL/DB injection
- 14. Code in security - Spoofable » Allows Identity Impersonation » Credentials – Weak – Hard coded – Cached » Predictable Session Identifiers – Hacking and Replay
- 15. Code in security - Errors and Exceptions (un/ms- handled) » Verbose Error Messages » Unhandled Exception (No catch at all) » Throwing stack trace » Fail open - (*you allow authentication anyway)
- 16. Code in security - Unsafe/Unused functions/Routines » Banned/Insecure APIs » Unknown APIs and Interfaces » Vestigial functions (*CMD - C/X, CMD - P) » Easter Eggs
- 17. Code in security - Reversible » Unobfuscated » Textual information » Symbolic Information
- 18. Code in security - Elevated Privileges » Carry out functions or access items that should only be allowed by administrator. » Runs privileged operations without authorization checks
- 19. Code in security - Defenses » Injection defense – Input validation/ Sanitization – Parameterization of Queries – Don’t allow to exec » Spoofing defense – Avoid impersonation context code – Do not hardcode credentials – Session management - Non guessable/ non predictable session ids. » Errors & Exception mis/un - handling defense – Simple to the point error messages without unsafe info – Catch-all exception handle – Redirect to unified error handling place
- 20. Code in security - Defenses Cont » Unsafe/Unused Functions defense – Replace banned API with safer one – Delete unused functions/procedures – Delete Dangling Code (don’t just comment out) – Easter Egg Hunt » Reversible Code defense – Obfuscate – Application hardening - Remove textual and sym information » Elevated Privileges defense – Check authorization before allowing privilege ops – Non-admin accounts used for code execution – Test code in simulated environments
- 21. Code in security - Conclusion » By knowing how to Code insecurity can impact us we can can look at Coding in Security. » Are you going to – Code Insecurely (or) – Code In Security
- 22. References » Common Weakness Enumeration – http://cwe.mitre.org/index.html » How to write insecure code - Source OWASP – https://www.owasp.org/index.php/How_to_write_insecure_code » Code Insecurity or Code in Security by Mano dash4rk Paul - DerbyCon 4.0 – https://www.youtube.com/watch?v=fu4_7sJv-ro& index=96&list=PLNhlcxQZJSm8o9c_2_iDDTV6tCPdMp5dg » Threat Modeling for Realz by Bruce Potter - DerbyCon 4.0 – https://www.youtube.com/watch?v=WKgD305OFAQ&index=101&list=PLNhlcxQZJ Sm8o9c_2_iDDTV6tCPdMp5dg
- 23. Questions??