![……we are approaching this problem
[software <in>Security] completely wrong and
have been for years…..](https://image.slidesharecdn.com/web-security-everything-we-know-is-wrong-eoin-keary-131217205147-phpapp02/85/Web-security-everything-we-know-is-wrong-eoin-keary-7-320.jpg)
![Cheeseburger Security
We know they are bad for us, but who cares, right?
If we eat too many we may get a heart attack? …sound familiar
We also write [in]secure code until we get hacked
The Cheeseburger approach: “Cheeseburger risk’ is the kind of risk you
deliberately take even knowing the consequences, until those consequences
actually come to pass.”](https://image.slidesharecdn.com/web-security-everything-we-know-is-wrong-eoin-keary-131217205147-phpapp02/85/Web-security-everything-we-know-is-wrong-eoin-keary-18-320.jpg)
![XSS causes the browser to execute user
supplied input as code. The input breaks out of
the [data context] and becomes [execution
context].
SQLI causes the database or source code
calling the database to confuse [data context]
and ANSI SQL [ execution context].
Command injection mixes up [data context]
and the [execution context].](https://image.slidesharecdn.com/web-security-everything-we-know-is-wrong-eoin-keary-131217205147-phpapp02/85/Web-security-everything-we-know-is-wrong-eoin-keary-37-320.jpg)
Web security-–-everything-we-know-is-wrong-eoin-keary
- 1. Web Security – Everything we know is wrong
- 2. Eoin Keary • CTO BCCRISKADVISORY.COM • OWASP GLOBAL BOARD MEMBER • OWASP Reboot & Code Review Project Lead
- 3. HACKED 3
- 4. Last Week (11th November): “Loyaltybuild” BREACH 1,100,000 30 $$$
- 5. Globally, 2012 Cyber Crime every second, 18 • US $20.7 billion in direct losses • Global $110 billion in direct losses adults • Global $338 billion + downtime become victims of “The loss of industrial information and intellectual cybercrime property through cyber espionage constitutes the - Symantec greatest transfer of wealth in history” - Keith “One hundred BILLION dollars” Dr Evil Alexander Almost 1 trillion USD was spent in 2012 protecting against cybercrime Eoin, I didn’t click it – My Grandma “556 million adults across the world have first-hand experience of cybercrime -- more than the entire population of the European Union.”
- 6. Its (not) the $$$$ Information security spend Security incidents (business impact)
- 7. ……we are approaching this problem [software <in>Security] completely wrong and have been for years…..
- 9. A traditional end of cycle / Annual pentest only gives minimal security…..
- 10. There are too many variables and too little time to ensure “real security”.
- 11. Two weeks of ethical hacking Business Logic Flaws Security Errors Code Flaws Ten man-years of development
- 12. Make this more difficult: Lets change the application code once a month.
- 13. "Risk comes from not knowing what you're doing." - Warren Buffet
- 14. Time Limited: Consultant “tune tools” Use multiple tools – verify issues Customize Attack Vectors to technology stack Achieve 80-90 application functionality coverage A fool with a tool, is still a fool”…..? Experience As good as the bad guys? Code may be pushed frequently: Erosion of Penetration test? Window of Exploitation?
- 15. Tools with Tunnel Vision: Problem has moved (back) to the client. Some “Client Side” vulnerabilities can’t be tested via HTTP parameter testing. AJAX Flex/Flash/Air Native Mobile Web Apps – Data Storage, leakage, malware. DOM XSS – Sinks & Sources in client script -> no HTTP required Scanning in not enough anymore. We need DOM security assessment. - Javascript parsing/ Taint analysis/ String analysis http://code.google.com/p/domxsswiki/
- 16. “We need an Onion” SDL Design review Threat Modeling Code review/SAST Negative use/abuse cases/Fuzzing/DAST Live/ Ongoing Continuous/Frequent monitoring / Testing Manual Validation Vulnerability management & Priority Dependency Management …. “Robots are good at detecting known unknowns” “Humans are good at detecting unknown unknowns”
- 17. You are what you eat
- 18. Cheeseburger Security We know they are bad for us, but who cares, right? If we eat too many we may get a heart attack? …sound familiar We also write [in]secure code until we get hacked The Cheeseburger approach: “Cheeseburger risk’ is the kind of risk you deliberately take even knowing the consequences, until those consequences actually come to pass.”
- 19. Software food chain COTS (Commercial off the shelf Application Code Outsourced development SubContractors Third Party API’s Bespoke outsourced development Third Party Components & Systems Bespoke Internal development More Degrees of trust Less You may not let some of the people who have developed your code into your offices!! 19
- 20. 2012- Study of 31 popular open source libraries. - 19.8 million (26%) of the library downloads have known vulnerabilities. - Today's applications may use up to 30 or more libraries - 80% of the codebase
- 21. Spring - application development framework : downloaded 18 million times by over 43,000 organizations in the last year. – Vulnerability: Information leakage CVE-2011-2730 http://support.springsource.com/security/cve-2011-2730 In Apache CXF– application framework: 4.2 million downloads.- Vulnerability: high risk CVE2010-2076 & CVE 2012-0803 http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf http://cxf.apache.org/cve-2012-0803.html
- 22. Do we test for "dependency“ issues? NO Does your patch management policy cover application dependencies? Check out: https://github.com/jeremylong/DependencyCheck
- 23. Bite off more than we chew
- 24. “We can’t improve what we can’t measure”
- 25. How can we manage vulnerabilities on a large scale….
- 27. Say 300 web applications: 300 Annual Penetration tests 10’s of different penetration testers? 300 reports How do we consume this Data?
- 28. Enterprise Security Intelligence: Consolidation of vulnerability data. Continuous active monitoring Vulnerability Management solutions Delta Analysis is Key: Initial testing is most work. Subsequent testing is easier we focus on delta/change.
- 29. Metrics: We can measure what problems we have Measure: We cant improve what we cant measure Priority: If we can measure we can prioritise Delta: If we can measure we can detect change Apply: We can apply our (limited) budget on the right things Improve: We can improve where it matters…… Value: Demonstrate value to our business Answer the question: “Are we secure?” <- a little better
- 30. Information flooding (Melting a developers brain, White noise and “compliance”)
- 31. Doing things right != Doing the right things. “Not all bugs/vulnerabilities are equal” (is HttpOnly important if there is no XSS?) Context is important! Contextualize Risk (is XSS /SQLi always High Risk?) Do developers need to fix everything? - Limited time - Finite Resources - Task Priority - Pass internal audit? Dick Tracy White Noise
- 32. Compliance There’s Compliance: EU directive: http://register.consilium.europa.eu/pdf/en/12/st05/st05853. en12.pdf Article 23,24 & 79, - Administrative sanctions “The supervisory authority shall impose a fine up to 250 000 EUR, or in case of an enterprise up to 0.5 % of its annual worldwide turnover, to anyone who, intentionally or negligently does not protect personal data”
- 33. …and there’s Compliance Clear and Present Danger!!
- 34. Update: Kinder eggs are now legal in the USA. You’re Welcome!!
- 35. Problem Explain issues in “Developer speak” (AKA English)
- 36. Is Cross-Site Scripting the same as SQL injection? Both are injection attacks -> code and data being confused by system. LDAP Injection, Command Injection, Log Injection, XSS, SQLI etc etc
- 37. XSS causes the browser to execute user supplied input as code. The input breaks out of the [data context] and becomes [execution context]. SQLI causes the database or source code calling the database to confuse [data context] and ANSI SQL [ execution context]. Command injection mixes up [data context] and the [execution context].
- 38. To Conclude…. We need to understand what we are protecting against. We need to understand that a pentest alone is a loosing battle. You can only improve what you can measure Not all bugs are created equal. Bugs are Bugs. Explain security issues to developers in “Dev speak”
- 39. Thanks for Listening eoin@bccriskadvisory.com Eoin.Keary@owasp.org @eoinkeary www.bccriskadvisory.com © BCC Risk Advisory Ltd 2013 .. All rights reserved.
Editor's Notes
- #17: If you don’t understand the business, you cant see the flaws in the business logic