Application Security - Myth or Fact Slides
- 1. Application Security Myth or Fact? Dave Ferguson @dfgrumpy dave@dkferguson.com blog.dkferguson.com www.cfhour.com
- 2. Obligatory “About Me” Slide Working in field for a long, long time (15+ years) Using ColdFusion since version 1.5 Adobe Community Professional Sr. Developer for Nonfat Media One of the voices of the <CFHour> ColdFusion podcast w/ Scott Stroz ( @boyzoid )
- 3. If you have a question please ask it anytime
- 4. Why should you care about APPLICATION SECURITY? (isn’t that the network guy’s problem?)
- 5. At its core, Security is about risk management
- 6. Security is fundamentally about protecting “assets”
- 7. Most applications don’t have enough protection
- 8. Any protection in place is probably insufficient
- 9. Security implementation is usually in place to protect server / network, not application
- 10. Using captcha to protect a form is not the same as anti-intrusion
- 11. Once you understand the perceived value of your application, you will better understand how to protect it
- 12. What does it mean to have a secured application?
- 13. Some stuff for the “Network Guy” Viruses Worms Network intrusion OS Compromise
- 14. OWASP Open Web Application Security Project
- 15. OWASP Top 10 (as of 2010) • A1: Injection • A2: Cross-Site Scripting (XSS) • A3: Broken Authentication and Session Management • A4: Insecure Direct Object References • A5: Cross-Site Request Forgery (CSRF) • A6: Security Misconfiguration • A7: Insecure Cryptographic Storage • A8: Failure to Restrict URL Access • A9: Insufficient Transport Layer Protection • A10: Unvalidated Redirects and Forwards
- 16. GAME TIME!
- 17. “I use SSL so my application is secure”
- 18. MYTH SSL encrypts data in transit. Entry and exit points are still unprotected. Think of a tunnel through a mountain. Anyone can enter either side but once inside you can only interact with what is in the tunnel. SSL will prevent some things, such as a “man in the middle” attack.
- 19. “My application is secure because I have a login screen”
- 20. MYTH (for the most part) If not implemented correctly, then this becomes a myth. Demo time…
- 21. “I don’t need to worry about security because I am using (insert framework here)”
- 22. MYTH Frameworks give structure to code. Frameworks make writing secure software easier by inherently enforcing certain coding best practices. Code written in a framework can still have the same security holes as non-framework code Frameworks can add some complexity which requires developers to be more vigilant when looking for possible attack vectors.
- 23. “Our data access layer is ORM so we are safe from sql injection”
- 24. MYTH Properly implemented ORM does protect against injection. However, utilizing HQL can expose the system to injection. Demo Time…
- 25. “We don’t need to worry about security because our site has nothing of value“
- 26. MYTH Value is perceptual. The true value of your application is what others deem its value is. If an intruder believes your application is hiding something of value, they may try to find it. Your site may only contain trivial data. However, does it contain data that could allow an attacker to get into other systems? Storing any data about a person makes your site a target.
- 27. “The Global Script Protection setting in the ColdFusion admin is sufficient”
- 28. MYTH The keyword there is “sufficient”. Relying on script protection to save you is a fool’s errand. Thesetting will strip out some things but should not be treated as a silver bullet. Demo Time…
- 29. “Our URL / form variables are encrypted so they can’t be tampered with”
- 30. MYTH If a loose encryption is used, the encryption could be predicted.
- 31. “Thinking like an attacker will help protect my system”
- 32. FACT Keep up to date on current security trends. Takea step back when writing code and evaluate it for possible intrusion. Remember that security is a practice or frame of mind, not a “once in a while” type thing.
- 33. “We are using anti-intrusion software so we are just fine”
- 34. MYTH Anti-intrusion software blocks known intrusion patterns. They act as a filter to incoming data to stop potentially harmful requests from being processed. Not 100% effective, as intruders will attempt to bypass blocking software. Examples: ModSecurity SecureIIS FuseGuard Demo time…
- 35. Tips for the future: A Couple of things to always think about when writing code
- 36. If a section is supposed to be secure, make sure security is checked on all pages, not just entry points
- 37. Compartmentalize your application to minimize exposure if system is compromised
- 38. Reduce the attack surface and remove unused sections or code
- 39. Don’t rely on a single security layer, use “defense in depth” and employ multiple security layers
- 40. Treat all data from a client as bad until ... Forever.
- 41. Don’t leave security for the other guy to handle
- 42. Security by obscurity gives you a false sense of security
- 43. Thank You Any Questions? Dave Ferguson @dfgrumpy dave@dkferguson.com http://blog.dkferguson.com http://www.cfhour.com
Editor's Notes
- #2: Site notes:http://msdn.microsoft.com/en-us/library/ff648636.aspxhttps://www.owasp.org/index.php/Main_PageSetup:Close all task bar notifiers, chat, tweetdeckCFBuilder: Twister_preso workspaceMake sure font is at 18Select demo app and “go into”Open a cfc and a cfm just to init builder… then close files.Have no code opened.. But have task window availableOpen chrome to demo site http://local.demoapp.com/Open tab to local cfadminOpen firefox to demo site (then hide)
- #6: Reducing downtime,
- #7: An asset can be anything, database data, files on a server, the server itself.
- #15: The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.
- #16: Slide 15 - I think you should point out that the Top 10 gets updated every three years. It was last updated in 2010. Perhaps bringing this up when you take about staying current later int he press would be a good place for it. Open Web Application Security Project (OWASP)
- #19: Slide 18 - Many times people forget that SSL is about more than just encrypting data. Using SSL to verify the authenticity of a server's identity is just as important as encrypting the data. I think it is impotent to point this out. And to point out that self-signed certs are only good for development. Even though they encrypt the data just as well, you lose the server identification that is so important.
- #21: First showing of demp app…. Explain basics of app (FW\\1, ORM, ColdSpring)FIXME: 20 LOGIN1: Login and show admin section.2: Logout and show how you can still get to admin3: Login protected the navigation… not the actual pages.4: Update code to check for login globally to prevent intrusion remove when done as future demo needs exploit available5: Show severity using session hijacking… login using chrome then copy cookies to firefox6: Click on "home" on menu. Login button should turn orange.7: Go to admin screen
- #23: Slide 22 - I think it would be accurate to say that frameworks (MVC, IoC, DI etc) do not typically provide any protection on their own, but they make writing secure software easier. The one exception to that would be ORM, which offers some built-in security, but that covers a small fraction of the vulnerabilities that code could contain.
- #25: Complicated demo.. Take your time…Make sure that CF console is showing in builder… need to show orm output1: Show search.. Show how using “;” in an injection string doesn’t work as orm hates it.2: inject into search to return all items… %' or 1 = 1 and 1 = '% Show query in console to see how it was built. Show code FIXME24 INJECTION Swap code out for param… should return nothing.. Show query to illustrate param3: using previous session hijack, go to admin in firefox. Go to delete screen and delete an item use url to add “ or 1 = 1” to url to wipe all data. go back to chrome and go to admin edit screen… should also show no recordsFIXME: 24.1INJECTION show how could have been avoided using entityload / delete or param
- #27: Slide 28 - I disagree with your assessment that this statement is fact (even kind). I think it should be Myth. What I point out to people is that if their site contains any kind of user data at all (even just email and a password) that it contains data that needs to be protected. Because we all know that 80% of those users are using the same password for your book club site and they are for their web mail. If your site is compromised, so could be many of your users email accounts, bank accounts, etc. Even if your site is a completely open, read-only system, I doubt that you want your data compromised or want your site DoS'd because of bad programming. If the site is dynamic then it needs to have protections in place, period.
- #29: No code to show in this demo1: Use previous session hijack to access admin (alternatively use a non-logged in browser to access admin)2: Show CFAdmin and make sure script protect is off.3: Create new weapon and add code below in name. Use code that would be blocked and create new weapon. search for weapon to show exploit4: enable script protection. Use blocked code first to show how script protect works.5: use unblocked code with protection still on to create weapon. load search screen to show it still made it though.6: disable script protect in admin at end.blocked<script>alert('congrats! you are a victom of XSS')"></script>not blocked<body onload="alert('congrats! you are a victom of XSS')"></body>
- #35: Now the demo fun begins.Without changing anything… First open up app cfc to enable fuseguard. FIXME34 FuseGuard1: got to home screen in chrome. Attempt to load home screen in FF… fuseguard should block request as a session hijack.2: on chrome with screen still at admin try same sql delete inject… should get blocked3: try directory traversal “../../” Should get blocked.4: Show XXS block when creating weapon Show both previously blocked and unblocked to show FG blocking both.4: Open FG manager and show intrusion blocks
- #40: Use multiple gatekeepers to keep attackers at bay. Defense in depth means you do not rely on a single layer of security, or you consider that one of your layers may be bypassed or compromised.
- #41: Your application's user input is the attacker's primary weapon when targeting your application. Assume all input is malicious until proven otherwise, and apply a defense in depth strategy to input validation, taking particular precautions to make sure that input is validated whenever a trust boundary in your application is crossed.Slide 40 - Treat data from the client as bad, always. I think saying "until proven otherwise" might encourage people to think that if they "sanitize" input that they can then go without properly encoding output. I don't think there is any point at which it is OK to stop treating user provided data as untrusted.Use previous XXS exploit as example. Bad data might have been added prior to protection being enabled.
- #44: Site notes:http://msdn.microsoft.com/en-us/library/ff648636.aspxhttps://www.owasp.org/index.php/Main_Page