Preventing Security Vulnerabilities in a Web Application

PREVENTING SECURITY
VULNERABILITIES IN A
WEB APPLICATION
ALEXIUS DIONYSIUS T. DIAKOGIANNIS
Senior JAVA Solutions Architect / European Investment Bank
Tech Advisory Board Member / Packt Publishing
Blogging on: JEE.gr
Twitting on: @Diakogiannis
LinkedIn: @Diakogiannis 13/10/2023

View Slide

WHO AM I?
ü Senior JAVA Architect / Team
Leader over 20 years of experience
ü I have designed very complex
secure applications eg. e-Banking
Systems
ü Packt Tech Advisory Board member
ü Soon to be a writer
ü Volunteer by principal
ü Mentor by principal
Blogging on: JEE.gr
LinkedIn: @Diakogiannis
Senior JAVA Solutions Architect & Squad Leader / EIB
15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS
DIAKOGIANNIS
2

View Slide

Introduction
15/10/2023
DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION
ALEXIUS DIONYSIUS DIAKOGIANNIS
3

View Slide

Introduction
Companies with web applications invest significant resources to defend them from malicious users and
hackers.
To achieve this, companies should implement a Software Development Life Cycle (SDLC) that includes
review iterations before the software is released to the public, as well as ongoing security checks after it
is in production.
I will present a complete process of secure production and control of an application as follows:
• The process is based on the Rational Unified Process (RUP) analysis and production process but it is
applicable to any other process.
• I will help you with calculating the risk
• I will then describe methods for securely writing code and educate your team
• I will show how to use AI in development
• I will show to monitor your code after it is in production
15/10/2023
4

View Slide

Back to Basics!
What is a Web
Application?
🙄
15/10/2023
5

View Slide

We are focusing on the security and delivery of this part
The Structure of a Web n-tiered Web Application
•Typically there is:
•A Client (usually a browser)
•A web server
•A application servers
•Data storage (DB, MDM etc)
•Communication
15/10/2023
6

View Slide

Challenges in Web Application Security
•Most web standards are informal Request For Comments (RFCs)*
•These standards are usually not well defined
•The internet is vast
•This situation makes modelling the web almost impossible.
•But can we somehow model the process of how we can secure a web app?
15/10/2023
7
*A Request for Comments (RFC) is a publication in a series from the principal technical development and standards-setting bodies for the Internet

View Slide

RUP - RATIONAL
UNIFIED PROCESS
METHODOLOGY FOR THE ANALYSIS AND SECURITY OF THE
APPLICATION
15/10/2023
DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS
DIONYSIUS DIAKOGIANNIS
8

View Slide

Intro on the Rational Unified Process
•The Rational Unified Process is a Software Engineering process that provides a disciplined approach
to assigning tasks and responsibilities within an organization's development. Its goal is to ensure the
production of high quality software that meets the needs of its end users within a predictable
schedule and budget.
•RUP divides the software development lifecycle into four phases:
• Inception: The team defines the project's goals and scope.
• Elaboration: The team develops a detailed plan for the project, including the architecture and requirements.
• Construction: The team develops and tests the software.
• Transition: The software is deployed to production and supported.
•RUP also defines six core development disciplines:
• Business modelling: The team understands the business needs and requirements.
• Requirements: The team defines the specific requirements of the software system.
• Analysis and design: The team designs the architecture and components of the software system.
• Implementation: The team develops the software code.
• Testing: The team tests the software to ensure that it meets the requirements.
• Deployment: The team deploys the software to production and provides support.
15/10/2023
9

View Slide

Approach
Business
modelling &
Requirements
(What)
Design /
Implement
QA/Test
Continues
Review/
Feedback
Change
15/10/2023
10

View Slide

Where Do We Start?
•Security in web applications starts with:
• Penetration Testing?
• Code Reviews?
• Code Scanners?
• Firewalls?
•It starts with SECURE REQUIREMENTS!
15/10/2023
11

View Slide

How to Collect Secure Requirements
•Involve security experts early in the process. They can help you identify potential security risks
and ensure that the requirements are secure by involving your experts in the inception cycle.
•Use a risk-based approach. Use a risk-based approach to prioritize the security requirements
and focus on the ones that pose the greatest risk.
•Consider the different types of attacks. Consider the different types of attacks that your
application may be vulnerable to and make sure that the requirements address these risks and
don’t violate in principle the OWASP TOP-10 (yes business requirements can violate OWASP
TOP-10)
15/10/2023
12

View Slide

Use Secure Design Patterns and Practices
Defense in Depth Use multiple layers of security to protect your
application. This can be done by using different security controls, such as
authentication, authorization, and encryption.
Least Privilege: This is a security principle that states that users should
only have the permissions they need to do their job.
Deny by Default Principle: Everything is denied unless instructed
otherwise
Zero Trust: This is a security model that assumes that no user or device
is trusted by default.
Threat Modeling: This is the process of identifying and evaluating the
threats to your application.
15/10/2023
13

View Slide

How to Collect Secure Requirements
•Document the security requirements. The security requirements should be documented in a
clear and concise way so that they can be easily understood by the developers.
•Review the security requirements with the stakeholders. Once the security requirements have
been documented, they should be reviewed with the stakeholders (if they are not already
involved in the process) to ensure that they are complete and accurate and don’t create
business implications.
15/10/2023
14

View Slide

Some Thumb Rules
Some thumb rules when gathering requirements:
• Be aware of the different types of sensitive data that will be stored or processed by the
application.
• Consider the different ways that this data could be compromised and prepare for the worst
• Make sure that the requirements specify how the data will be protected, such as through
encryption or access control.
• Consider the different ways that the application could be used to attack other systems or
networks.
• Make sure that the requirements also specify how the application will be secured against
these attacks.
• Don’t forget to audit trail 🤨
By taking these steps, you can help to ensure that the security requirements for your web
application are comprehensive and effective.
15/10/2023
15

View Slide

Our Holy Grail the OWASP TOP 10
The OWASP Top 10 is a list of the 10 most
common application vulnerabilities. These are:
üBroken Access Control
üCryptographic Errors
üInjection Attacks
üInsecure Design
üSecurity Misconfiguration
üVulnerable Outdated Components
üIdentification and Authentication Failures
üSoftware and Data Integrity Failures
üSecurity Logging and Monitoring
üServer Side Request Forgering
15/10/2023
16

View Slide

OWASP Risk Rating Methodology
•Online applications may have many vulnerabilities, so we must be able to assess the risk of each
vulnerability. To help companies assess risk, OWASP uses a risk assessment methodology to
judge how dangerous any given vulnerability is.
Identification
• Who is she;
• What attack is being
performed?
• What factors are
involved?
• How much damage
can it do?
• What is the
potential business
impact?
What are the threat
factors?
• How much skill is
required?
• What motivation is
needed?
• What opportunities
are necessary for its
exploitation
• How much attacker
volume is needed?
What are the factors
of vulnerability?
• Ease of discovery.
• Ease of use.
• Intrusion detection.
What are the technical
factors of the impact
of an attack
• Loss of
confidentiality
• Loss of integrity
• Loss of availability
• Loss of responsibility
What are the business
impact factors of an
attack?
• Financial cost
• Damage to
reputation
• Non compliance
• Invasion of privacy
15/10/2023
17

View Slide

OWASP Risk Rating Methodology
•LOW
•MEDIUM
•HIGH
Determination
of risk severity
Deciding what
needs to be
fixed
Model
adjustment if
needed
15/10/2023
18

View Slide

Development
GOD HELP US…
15/10/2023
19

View Slide

How The Team Should Develop
Secure Coding
Standards
Code Reviews
Secure
Deployments
Debt
Improvement
15/10/2023
20
The path to glory…

View Slide

Secure Coding & Code
Review
MIX AND MATCH
15/10/2023
21

View Slide

Why Do We Need Software Quality?
High Quality
Software
Is (most likely) a
SECURE Software
15/10/2023
22

View Slide

Secure Coding and Code Review
You need to review code exactly like the way you should write it. Regardless what you write you
need to be able to answer the following
qAm I able to understand the code easily?
qIs the code written according to company standards/guidelines?
qIs the same code repeated more than once?
qCan I easily test/debug the code to find the root cause of a problem?
qHave I written tests for at least 65% of the code and more that 80% of the if/case statements?
qIs this method or class too big? If so, does the function or class have too many responsibilities?
qDoes it violate any of the OWASP TOP 10 rules?
qDoes it violate any secure coding principles?
15/10/2023
23
This also applies
to Low Code No Code
Platforms like
PEGA, OutSystems etc

View Slide

How do we Code Review?
It is a process that is actively run by a moderator or a group of moderators together with the
developers at the time the code is written. The methodologies are:
•A moderator sits next to the developer or asks him/her to share screen and asks him to walkthrough his code. As the
facilitator "looks over the developer's code" and explains his or her mindset and approach, he or she tries to identify
potential issues and advises the developer on best practices.
OVER-THE-SHOULDER REVIEW
•A Reviewer is assigned automatically
GIT NOTIFICATION
•Pair programming is a flexible software development technique in which two programmers work together on a workstation
(or a shared screen). One, the driver, writes code, while the other, the observer, examines each line of code as it is typed
Pair Programming
•Authors and moderators use their integrated development environment (IDE) plug-ins to connect directly to analyzers and
analyze their code on the fly.
Static Code Analysis and SAST tools
15/10/2023
24

View Slide

The Golden Rule of Code Review
15/10/2023
25

View Slide

The Golden Rule of Code Review Algorithm
15/10/2023
26
•IF ( a code reviewer is ){
•Aggressive in his comments
•Making bad examples out of people
•Has a GOD attitude
}
•THEN {
REMOVE HIM/HER EVEN IF HE/SHE IS THE BEST RESOURCE YOU HAVE
•}

View Slide

Happy & Bonded Teams Create Quality Software
•Happy developers are more collaborative. Happy developers are more likely to share their
knowledge and expertise with their colleagues. This can lead to better team communication,
problem-solving, and innovation.
•Happy developers are more likely to be security champions. Security champions are employees
who are passionate about security and who are willing to go the extra mile to help their
company improve its security posture.
•Developer happiness leads to better code. When developers are happy, they are more likely to
be engaged and productive. This leads to better code quality, fewer bugs, and faster
development cycles.
•Happy developers are more likely to stay with their company. Developer turnover is disruptive.
Happy developers are less likely to leave, which saves the company money and time and
education investment.
15/10/2023
27
Creating a positive and supportive work environment → Better and more Secure Software

View Slide

Specific Secure Coding Guidelines
•Validate and sanitize all inputs including data from URLs, and APIs to prevent injections. Use whitelist
approach when you can.
•Use a secure and centralized authentication mechanisms (like OAuth, OpenID etc) AND implement a
proper authorization to enforce access controls and permissions. Avoid custom implementations.
•Always secure sensitive data using hashing and encryption techniques even if they exist only in
memory.
•Prefer using UUIDs over increments on your data sets to prevent enumerations.
•Enforce session timeouts
•Secure your queries even if you use ORM frameworks like Hibernate.
• Always use prepared statements or parameterized queries. In the extreme case you can’t, always use prepared
statements or parameterized even if you trust your source
• Always use secure DB connections
•Have a logging strategy
• Avoid exposing detailed error messages to users
• Log securely and not excessively
• Sanitize variable output when you log to prevent system attacks
• Nice to have: Your logging media has anti forgery measures
15/10/2023
28

View Slide

Don’t Forget to
•Implement audit trails and logging for critical security-related events within the application. This
includes logging both Success and Failures (e.g. Log-Ins).
•Enforce within your application secure communications (TLS/SLL)
•Implement Rate Limiters and Exponential backoff with jitter reconnection algorithms for your
endpoints (to be discussed later).
• Implement CSRF tokens to protect against CSRF attacks in web applications.
•Configure HTTP Security Headers(e.g., Content Security Policy, X-Content-Type-Options,CORS) to
enhance browser security
•Encrypt your passwords
•Remove commented code
•If your application handles file uploads, validate and restrict file types NOT ONLY BY THEIR
EXTENSION (use Apache Tika), and store uploaded files in a secure location. Also keep in mind
your file system limitations and implement pseudo-random folder structures. Also don’t forget
to virus scan (use your provides AV service or just ClamAV from within your app).
15/10/2023
29

View Slide

Rate Limits and Exponential backoff with jitter
!Imagine you are trying to connect to a service, but the service is down. You could keep trying to
connect over and over again, but that might not work also making it even harder for every other
service to connect. If the service comes up again it will probably fail again because of the big
demand.
!Also imagine a service out of your control that decides to request e.g. from your service 100.000
contracts using a loop asking for one contract at the time.
15/10/2023
30
Use libraries like: Resilience4j Bucket4j Apache APISIX OR a Gateway API like Kong or ask your provider

View Slide

AI Code Generators
WHAT SORCERY IS THIS?
15/10/2023
31

View Slide

AI For Security & Productivity
AI code generators can be used in various ways
•Productivity:
• Auto-completion (ex. writing boilerplate code, Unit test skeletons or implementing common design patterns)
• Code-refactoring
• Create documentation (improve code readability, reduce code duplication, and eliminate unnecessary
complexity)
•Security:
• Vulnerability detection
• Suggest secure coding practices
•Main players
• GitHub Copilot
• Tabnine
• ChatGPT
• Ask Codi
• AWS CodeWhisperer
• Google Bard
15/10/2023
32

View Slide

AI Code Generator Comparison
Feature GitHub Copilot Tabnine ChatGPT Ask Codi Google Bard
AWS
CodeWhisperer
Code completion Yes Yes Yes Yes Yes Yes
Code generation Yes Yes Yes Yes Yes Yes
Code review Yes Yes Yes Yes Yes Yes
Security Features Yes Yes Yes Yes Yes Yes
IDE integration
Yes (Visual Studio
Code, JetBrains,
Neovim, Visual
Studio)
Yes (Visual Studio
Code, Sublime
Text, JetBrains,
Eclipse, and
others)
No No No
Yes (Visual Studio
Code, JetBrains,
Cloud9, AWS
Lambda console)
Pricing
$10/month or
$100/year for
individuals,
$19/month per
user for business
Free for open
source projects,
$60/year for
individuals,
$120/year per
user for teams
Free for research
purposes, paid
plans available for
enterprise users
Free for open
source projects,
paid plans
available for
enterprise users
Paid plans
available for
enterprise users
Free for
individuals,
$19/month per
user for business
15/10/2023
33

View Slide

AI Pitfalls
Be aware of the limitations of AI code generators. They are still under development and may not
be able to generate perfect code all the time.
üAlways test code that is generated by AI code generators before using it in UAT or Production.
üUse AI code generators in conjunction with other security tools and practices, such as code
review and static analysis.
15/10/2023
34
Never put your eggs in one basket using
AI Code Generators → NEVER bypass
manual code reviews
DEV
AI
PROD

View Slide

Static Code Analysis
WHAT SORCERY IS THIS?
15/10/2023
35

View Slide

Benefits of Static Code Analyzers
Static code analyzers (SASTs) are important because they can help you to detect bugs and
vulnerabilities in your code before you deploy it to production. This can save you time and
money, and it can also help to protect your users from security threats.
SASTs help you by:
• Detect bugs and vulnerabilities early
• Improve code quality
• Reduce risk of security breaches
• Increase confidence in your code
• Improve compliance with regulations
Usually they integrated in the CI lifecycle and within the IDE or they are triggered with branch
merging
15/10/2023
36
THE GOAL: Educate the team → Produce Secure Software
However you should also use them within the development process to educate developers.
ü Group the significant findings and organize a retrospective with your team to produce lessons
learned
ü Take milestone findings of a young developer and do a 1-1 education session

View Slide

How to Choose the Right Static Code Analyzer
Tool License
Scanning
Performance
Easy
Interpreted
Results
Man. Code
Review Cap
Performance
in Security
Findings
Performance
in Security
Findings
Online Only
Checkmarx
CxSAST
Commercial Normal Normal Yes Very Good Very Good No
Klocwork
Commercial Normal Very Easy No Good Good No
Fortify
Commercial Normal Normal No Very Good Very Good No
SonarQube
Opensource Can be Slow Normal Yes Good Good No
Semgrep
Opensource Fast Can be Hard No Good Good No
Synopsys Code
Sight
Veracode
Qodana
Opensource Fast Can be Hard Yes Good Good Yes
Snyk
Commercial Can be Slow Very Easy No Good Good Yes
15/10/2023
37
G2 Crowd: Best Static Application Security Testing (SAST) Software: https://www.g2.com/categories/static-application-security-testing-sast
OWASP Foundation: Static Application Security Testing: https://owasp.org/www-community/Source_Code_Analysis_Tools
Mend: Best SAST Tools: Top 7 Solutions Compared: https://www.mend.io/blog/best-sast-tools/

View Slide

How to Choose the Right Static Code Analyzer
15/10/2023
38
SAST
Opensource
Online Only Qodana
Online/Offline
Sonarqube
Semgrep (for
advanced usr)
Commercial
Medium Budget
Online Only Snyk
Online/Offline None L
High Budget
Checkmarx
CxSAST
Klocwork
Fortify
Synopsys Code
Sight
Veracode

View Slide

Software Composition
Analysis (SCA)
WHAT IS THAT?
15/10/2023
39

View Slide

What is SCA?
•Software composition analysis (SCA) is a process of identifying and analyzing the third party
components and dependencies used in a software application. SCA tools can scan source code,
binary files, and container images to identify components, their versions, and any known
vulnerabilities or licensing issues.
Benefits of SCA:
•Improved security: SCA can help organizations identify and fix vulnerabilities in the software
they use, which can reduce the risk of security breaches and data leaks.
•Compliance: SCA can help organizations ensure that they are complying with legal and licensing
requirements for the software they use, which can reduce the risk of legal issues and fines.
•Reduced risk: SCA can help organizations identify and mitigate risks associated with using
software dependencies, such as security vulnerabilities, licensing issues, and supply chain
attacks.
•Increased visibility: SCA can provide organizations with a comprehensive inventory of all the
open source components used in their software, which can help them to better understand their
software supply chain and make informed decisions about risk management.
15/10/2023
40

View Slide

Common SCA Tools
SCA Tool Cost Ease of Use Cons
Sonatype Nexus IQ Paid ($10,000+/year) Moderate Expensive, complex to use
Synopsys Black Duck Paid ($20,000+/year) Moderate Expensive, complex to use
WhiteSource Bolt Paid ($9,000+/year) Easy
May not offer as many features
and capabilities as the more
mature SCA tools
Snyk Free (for open source projects) Easy
mature SCA tools
Dependency Track Open source Easy
mature SCA tools
Dependabot
Free (for public GitHub
repositories) Easy
Only available for public GitHub
repositories, does not support
all programming languages and
package managers
OWASP Dependency Checker Free Easy Lacks a lot of functionality
15/10/2023
41

View Slide

Common SCA Tools
15/10/2023
42
SCA
Free
Others Dependency Track
Opensource
OWASP Dep
Snyk
Dependabot
Paid
Low Budget
Snyk
WhiteSource Bolt
High Budget
Sonatype Nexus
IQ
Synopsys Black
Duck

View Slide

Penetration Testing
THE BAD GUYS
15/10/2023
43

View Slide

Penetration Testing and DAST Tools
•To ensure that the project produced is safe and of high quality, we perform Penetration Test
using a suitable application.
•Penetration Testing and DAST tools attempt to identify insecure processes, loose security
settings or other weaknesses that an attacker could exploit. Examples of such instances include
the transmission of unencrypted passwords, forgotten and unencrypted credentials etc.
Penetration testing tools try to identify these vulnerabilities.
•These tests need not be conducted as frequently but should be repeated on a regular basis.
•The Penetration Tests can be automated and integrated to the development lifecycle, however
DAST tools have some limitations, for example, they cannot detect all vulnerabilities, and they
can be slow to scan large applications. This is why a developer can use these tools to test parts
of the functionality he/she has developed, for ex a set of endpoints, and not the complete
application.
•Pen test may not detect business issues, this is why you need secure requirements
•Pen test may not detect bad design, this is why you need secure design & code reviews
15/10/2023
44

View Slide

Common Opensource DAST Tools
15/10/2023
45
Tool
Programming
languages supported
Attack types
supported
Scanning methods Features
ZAP Wide Wide Active, passive
Scripting, automation,
extensibility
W3AF Wide Wide Active, passive
extensibility
Nikto Limited Limited Active Limited
Intruder Wide Wide Active
extensibility
Burp Suite
Community Edition
Wide Wide Active, passive
extensibility
AppScan Open Wide Wide Active, passive
extensibility
Detectify Community
Edition
extensibility
Acunetix Community
Edition
extensibility
Astra Pentest
Community Edition
extensibility
EASY
Cloud
Based

View Slide

Is it Over?
AFTER I GO TO PRODUCTION?
15/10/2023
46

View Slide

So is it Over?
•After you go to production you need:
• Frequent SAST and SCA checks to ensure
your code is not in subject of new
vulnerabilities
• Regular penetration tests
• A solid monitoring process for the above
• A solid Risk management process to tackle
the potential vulnerabilities
15/10/2023
47

View Slide

My Counterexample
App
AND HOW THEY DID (ALMOST) EVERYTHING WRONG
15/10/2023
48

View Slide

A “Typical” Government Application
For the municipal and regional elections, the Greek government built an application for the
registration of political formations (parties) and candidates. The application has all the
phenotypic characteristics (looks alike) of an enterprise web application that you expect to be
secured.
§It was build by a major Greek company
§It has an SSO OAuth2 login based on you Tax credentials
§SSL secured
§Belonged to a swarm of similar applications like tax returns etc.
So I expected:
üA secure requirement gathering
üSecure Implementation
üSecurity testing
15/10/2023
49

View Slide

What it Does
•The main purpose was for the registration of political formations (parties) and candidates.
15/10/2023
50
A Candidate or a party logs
in through an SSO
Registers the party or
verifies that he is registered
Approves or rejects the his
nomination
SIMPLE? WHAT CAN GO WRONG RIGHT?

View Slide

What was the Problem
15/10/2023
51
URL: https://xxxxx-some url-xxxxxx/validations/edit/56099

View Slide

What was the Problem
15/10/2023
52
URL: https:// xxxxx-some url-xxxxxx /validations/edit/56000
I Could even
remove him/her
from the
Elections!

View Slide

Trying to FIX the Issue*
15/10/2023
53
•After several written communication attempts (including the minister) I got an answer from the
portal:
•THIS IS NOT OUR RESPONSIBILITY please contact ….
* The issue is fixed now after several written communications

View Slide

What Went Wrong
15/10/2023
54
Secure requirements
Secure Design
Code Review
SAST
Testing
DAST
Risk Assessment
NO
NO
NO
YES
MAYBE
MAYBE
NO

View Slide

Conclusion
15/10/2023
55

View Slide

Conclusion
•This process described, which is not one of the well-known standards such as NIST 800-64, MS
Security Development Lifecycle (MS SDL), OWASP CLASP differs in the fact that it does not
require the developer to be highly skilled to apply it and produce secure software but teaches
him/her how to write secure software and pushes him/her to evangelize these practices in his
environment. In other words it adds education and automation to the lifecycle aiming for hustle
free secure software creation.
15/10/2023
56
Secure Coding
Standards
Code Reviews
Secure
Deployments
Debt
Improvement
Educate
Educate
Automate Automate

View Slide

15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS
57
Blogging on: JEE.gr
LinkedIn: @Diakogiannis
Senior JAVA Solutions Architect & Squad Leader / EIB

View Slide

Preventing Security Vulnerabilities in a Web Application

Preventing Security Vulnerabilities in a Web Application

Alexius DIAKOGIANNIS

Other Decks in Programming

Featured

Transcript