
The Application Security Ponzi Scheme


Discussing a different approach to application security where, rather than layering tools on top of applications, we focus on improving the tools developers use to build them.


Jarret Raim

October 23, 2012

Transcript

  1. Stop paying for security failure
    The Application Security Ponzi Scheme
    November 21, 2013
  2. RACKSPACE® HOSTING | WWW.RACKSPACE.COM
    WHO AM I? Jarret Raim – Cloud Security Product Manager
    Background: developer, academic, application security, security consultant, security products
    jarret.raim@rackspace.com
  3. WHO IS HE? Matt Tesauro – Cloud Application Security Guy + OWASP
    matt.tesauro@rackspace.com, matt.tesauro@owasp.org
    •  Racker since October 2011
    •  Rackspace's Cloud Product Group
    •  Work with developers and QE
    •  OWASP International Foundation Board Member and Treasurer
    •  Project Leader of OWASP Live CD & OWASP WTE projects
  4. Anyone else have the feeling that we aren't doing a great job?
  5. Cenzic Vulnerability Report
    (excerpt of the report, cropped at both margins; the recoverable text reads:)
    "… application layer vulnerabilities dominate with SQL Injection reported most frequently, … Cross-Site Scripting (XSS) frequent and increasing. Given that both types of vulnerabilities … procedures for fixes, it calls into question the level of development experience and …eness in companies pushing out web applications. While the surpassing of demand … web developers might explain deficits in coding, it doesn't explain why IT Security … are allowing untested and unsecured software to leave the building."
    Chart: Web Vulnerabilities as Percentage of Total Application Vulnerabilities: 57% (Q3–Q4 2010), 57% (2011), 59% (Q1 2012).
    Chart: share of vulnerabilities by class, two series (2011 and Q1 2012; series order not recoverable from the extraction): XSS 48% / 37%, SQL Injection 15% / 16%, RFI 8% / 1%, CSRF 7% / 4%, Code Execution 6% / 5%, DoS 4% / 4%.
  6. Open Source Vulnerability Database (chart)
  7. HP: 2011 Top Cyber Security Risks Report
    Figure 13: Total full-year attacks measured by the HP TippingPoint IPS, 2009–2011
    "Year by year, attacks increased but it should be noted that Web application attacks grew almost 50 percent from 2010 to 2011. Web application attacks also made up 13 percent of the total attacks observed by the HP TippingPoint IPS. This is an increase from 2010, during which the HP TippingPoint IPS measured Web application attacks making up 10 percent of overall attacks. The next section will go into more detail about the Web application attacks seen in 2011."
    Figure 14: Total Web application attacks measured by the HP TippingPoint IPS, 2009–2011
    Figure 15: Breakdown of attacks measured by the HP TippingPoint IPS, 2011
    Slide annotations: "Attacks Seen from IDS/IPS", "Web Attacks Seen from IDS/IPS"
  8. Veracode State of Security Report
    (excerpt, cropped at the left margin; the recoverable text reads:)
    "Figure 10 provides trend data for mean Veracode Security Quality Score over the past eight quarters. The red … 'best fit' via least squares regression to the set of plotted blue points, one blue point for each quarter. T[…]he red line is slightly smaller than that for the previous volume of this report and the p-value has increased to .543. Both of these results are consistent as indicators that the trend is flat, no increase or decrease in application quality, as measured by the Veracode Security Quality Score, in our dataset since 4Q2009."
    Figure 10: Veracode Security Quality Score Trend by Quarter (mean score, quarters 2009-4 through 2011-3; y-axis 74–80). p-value = 0.543: statistically, the trend is flat.
  9. It isn't working
    •  Traditional scanning & signature schemes are only effective in limited scenarios
    •  Many vulnerability classes have no defined answer other than 'training'
    •  New technologies are not making the issue better
  10. (image-only slide)
  11. Defense in Depth
    •  Endpoint Security / AV
    •  Firewall
    •  Intrusion Detection / Prevention
    •  Web Application Firewall
    •  Physical Access Control
    •  Authentication / Authorization
    •  Logging & Auditing
    •  Vulnerability Scanning
    •  Dynamic & Static Code Analysis
    •  Training
    (diagram: the App wrapped in layers labelled Firewall, WAF, Scanning, Log & Audit, Auth & Auth)
  12. Defense in Breadth
    •  Malware
    •  Hardware Access Attacks
    •  Known Application Attacks
    •  Network Attacks
    (diagram: Firewall, WAF, Endpoint / AV, Physical Access Control)
  13. We aren't preventing new vulnerability introductions, even for well-known classes.
    Our tools aren't keeping up with change.
  14. (image-only slide)
  15. Veracode State of Security Report: Vulnerabilities by Language Distribution
    (chart from the Veracode State of Software Security Report, Volume 4)
    Figure 23: Quarterly Trend for SQL Injection. Percentage of web applications affected, quarters 2009-1 through 2010-4 (y-axis 0–100). p-value = 0.048: statistically, the trend is down.
  16. Some General Success Stories
    •  Buffer Overflow (managed code)
    •  DEP / ASLR
    •  Sandboxing / UAC
    •  Banned APIs
    •  SQLi (ORMs)
  17. Microsoft SDL
  18. So what do these successes have in common?
    They change the default behavior of the system to make it hard or impossible to do the wrong thing.
  19. State of Ops
    •  Development cycle time is decreasing.
    •  Scale of machines and software is dramatically increasing.
    •  Continuous Integration / Continuous Deployment is restricting or removing scanning & review windows.
  20. Security Goals
    1.  Can't prevent systems from going to production on their desired timeframes.
    2.  Must provide sufficient evidence and coverage for various compliance regimes.
    3.  Be capable of reacting as quickly as the development teams.
  21. Test Driven Security
    Security Weakness Identified → Analyze & Score → Write New Test → Watch Test Fail → Implement Fix → Watch Test Pass
  22. Define how you want the environment to be, don't test for how it is.
  23. CloudPassage
    {
      "severity": "critical",
      "name": "Protect cron spool directory",
      "checks": [{
        "acl": "NOT: **2,**3,**6,**7",
        "type": "Checks::DirAclCheck",
        "targets": [{
          "name": "/var/spool/cron"
        }]
      }]
    }
    (screenshot of the "Run Rules" view: web-01.dfw.rackspace.com, 10.32.44.190, Ubuntu 12.04 LTS, 8GB, Cloud Servers, Contact: Jarret Raim)
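Slides 21 through 23 describe the test-driven security loop (weakness identified, write a test, watch it fail, fix, watch it pass), the rule of testing for the state you want rather than the state you have, and a CloudPassage rule that guards the cron spool directory; the "permanent configuration auditing" on slide 26 is the same check run continuously. The Ruby below is an added example, not CloudPassage's code and not the deck's own. It evaluates a rule of the slide's shape against a scratch directory and runs the slide-21 loop end to end. The rule text is copied from the slide; reading the "NOT: **2,**3,**6,**7" pattern as "the other-permission digit must not have the write bit set" is my assumption, as are all function names.

```ruby
require 'json'
require 'tmpdir'

# Constructed rule with the same shape as the CloudPassage rule on the slide.
# The target path is overridden at run time so the example runs anywhere.
CRON_SPOOL_RULE = JSON.parse(<<~'JSON')
  {
    "severity": "critical",
    "name": "Protect cron spool directory",
    "checks": [{
      "acl": "NOT: **2,**3,**6,**7",
      "type": "Checks::DirAclCheck",
      "targets": [{ "name": "/var/spool/cron" }]
    }]
  }
JSON

# Turn "NOT: **2,**3,**6,**7" into the forbidden values of the 'other' octal
# digit. Reading the pattern this way is an assumption: "**2" is taken to match
# any mode whose last octal digit is 2, and 2, 3, 6 and 7 are exactly the digits
# with the write bit set, so the rule means "not world-writable".
def forbidden_other_digits(acl)
  raise ArgumentError, "only NOT: patterns are handled here" unless acl.start_with?("NOT:")
  acl.sub(/\ANOT:/, "").split(",").map { |p| p.strip.delete("*").to_i(8) }
end

# Desired-state check: nil when the directory satisfies the ACL, otherwise a
# finding string. A missing directory is a finding too, so the check fails closed.
def dir_acl_finding(path, forbidden)
  return "#{path}: directory missing" unless File.directory?(path)
  mode  = File.stat(path).mode & 0o7777
  other = mode & 0o7
  return nil unless forbidden.include?(other)
  format("%s: mode %04o, 'other' digit %o is forbidden", path, mode, other)
end

# Evaluate every check and target in a rule; returns the list of findings.
def evaluate_rule(rule, path_override = nil)
  rule["checks"].flat_map do |check|
    raise NotImplementedError, check["type"] unless check["type"] == "Checks::DirAclCheck"
    forbidden = forbidden_other_digits(check["acl"])
    check["targets"].map { |t| dir_acl_finding(path_override || t["name"], forbidden) }
  end.compact
end

# The slide-21 loop run against a scratch directory standing in for
# /var/spool/cron: weakness -> test fails -> fix -> test passes.
def tds_cycle
  Dir.mktmpdir do |spool|
    File.chmod(0o777, spool)                        # weakness: world-writable spool
    before = evaluate_rule(CRON_SPOOL_RULE, spool)  # watch the test fail
    File.chmod(0o700, spool)                        # implement the fix
    after  = evaluate_rule(CRON_SPOOL_RULE, spool)  # watch the test pass
    { before: before, after: after }
  end
end

if $PROGRAM_NAME == __FILE__
  result = tds_cycle
  puts "before fix: #{result[:before].inspect}"
  puts "after fix:  #{result[:after].inspect}"
end
```

Pointing `evaluate_rule` at the real `/var/spool/cron` (no override) gives the audit form of the same check; what makes it "test for how you want it to be" is that the rule encodes the target state and the host is compared against it, not the other way round.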
  24. Gauntlt – BDD For Security
    # nmap.attack
    Feature: nmap attacks
      Background:
        Given "nmap" is installed
        And the target hostname is "google.com"

      Scenario: Verify server is available on standard web ports
        When I launch an "nmap" attack with:
          """
          nmap -p 80,443 <hostname>
          """
        Then the output should contain:
          """
          80/tcp  open  http
          443/tcp open  https
          """
  25. Configuration Management
    •  Makes sense to spend time building a base image
    •  Covers 'hardening' requirements for compliance
    •  Can be used to fix vulnerabilities
    •  Requires a mature organization
  26. A Day in the Life
    •  Identifying vulnerabilities and writing tests to expose them
    •  Hardening base Puppet / Chef scripts
    •  Writing permanent configuration auditing
    •  Reviewing results of automated config, app, network and vuln scans
  27. So that seems to help OS security; how do we do the same thing for applications?
  28. (image-only slide)
  29. Restrictive Security Products Fail
    •  Security doesn't drive choice in development tools.
    •  Free as in speech and/or beer wins every time.
    •  Security doesn't drive framework design.
  30. If you can't beat 'em…
    •  Security must be part of all frameworks as they gain popularity.
    •  We must find a way to fund this work, as 'special' distributions won't work.
    •  Security must be championed within framework design.
  31. Let's Talk Direct Object Reference
    Model has no enforcement for access:
      class Order
        attr_accessible :id, :order_number
        has_many :lines
        belongs_to :user
        …
      end
    Model now knows how to determine ownership:
      class Order
        attr_accessible :id, :order_number
        has_many :lines
        belongs_to :user
        access_control :user
        …
      end
    Framework can enforce access controls:
      model = load_model(query)
      if model.owner.id != current_user.id
        raise HttpError.new(401)
      end
      return model
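The slide above contrasts a model with no access enforcement, a model that declares its owner, and a framework hook that refuses to hand a record to anyone but its owner. The Ruby below is an added example, not the deck's code and not Rails: it uses plain Structs and an in-memory table so the three pieces run together, the direct-object-reference lookup, the access_control declaration, and one load path that enforces ownership and fails closed for any model that declares nothing, which is the "change the default" point of slide 18. User ids, order numbers, HttpError and the load_model signature are all constructed for the example.

```ruby
# Constructed stand-ins for the Rails model on the slide: plain Structs and an
# in-memory table instead of ActiveRecord, so the access check reads on its own.
User  = Struct.new(:id, :name)
Order = Struct.new(:id, :order_number, :user_id)

ORDERS = {
  1 => Order.new(1, "A-100", 10),   # belongs to user 10
  2 => Order.new(2, "A-101", 20),   # belongs to user 20
}.freeze

# Hypothetical error type carrying an HTTP status, as on the slide.
class HttpError < StandardError
  attr_reader :status
  def initialize(status)
    @status = status
    super("HTTP #{status}")
  end
end

# Before: a direct object reference. Whoever supplies the id gets the order,
# regardless of who is logged in.
def find_order_unsafe(id)
  ORDERS.fetch(id) { raise HttpError.new(404) }
end

# After: the model declares which attribute names its owner, in the spirit of
# the slide's "access_control :user". Nothing else about the model changes.
module AccessControl
  def access_control(owner_attr)
    @owner_attr = owner_attr
  end

  def owner_attr
    @owner_attr
  end
end

Order.extend(AccessControl)
Order.access_control :user_id

# The single place ownership is enforced, standing in for the framework hook.
# A model without a declaration cannot be loaded here at all, so forgetting the
# declaration fails closed instead of silently exposing the table.
# Status is a design choice: the slide uses 401; 403 (or 404, to avoid
# confirming the record exists) is what most frameworks return when an
# authenticated user reaches for someone else's record.
def load_model(klass, table, id, current_user, deny_status: 403)
  owner_attr = klass.owner_attr
  raise "#{klass} declares no access_control; refusing to load" if owner_attr.nil?
  model = table.fetch(id) { raise HttpError.new(404) }
  raise HttpError.new(deny_status) unless model[owner_attr] == current_user.id
  model
end

if $PROGRAM_NAME == __FILE__
  alice = User.new(10, "alice")
  bob   = User.new(20, "bob")
  puts find_order_unsafe(1).order_number                 # anyone, including bob, gets A-100
  puts load_model(Order, ORDERS, 1, alice).order_number  # A-100: alice owns it
  begin
    load_model(Order, ORDERS, 1, bob)
  rescue HttpError => e
    puts "bob denied with #{e.status}"                   # 403
  end
end
```

In a real ORM the same effect comes from scoping every lookup through the owner (`current_user.orders.find(id)`) rather than a global `Order.find(id)`; the point of the declaration is that the framework, not each controller author, decides which of the two is the default.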
  32. The $64,000 question: how do we fund developers to work with open source frameworks to champion and implement security features?
    Some people going in the same direction:
    •  Gauntlt: BDD for Security https://github.com/thegauntlet
    •  ThreadFix: Security Integration http://code.google.com/p/threadfix/
  33. RACKSPACE® HOSTING | 5000 WALZEM ROAD | SAN ANTONIO, TX 78218
    US SALES: 1-800-961-2888 | US SUPPORT: 1-800-961-4454 | WWW.RACKSPACE.COM
    © RACKSPACE US, INC. | RACKSPACE® AND FANATICAL SUPPORT® ARE SERVICE MARKS OF RACKSPACE US, INC. REGISTERED IN THE UNITED STATES AND OTHER COUNTRIES.