Upgrade to Pro — share decks privately, control downloads, hide ads and more …

1 User, 10 Places, 100 Seconds #appsecapac2014

OWASP Japan
March 20, 2014
0
260

1 User, 10 Places, 100 Seconds #appsecapac2014

OWASP Japan

March 20, 2014
Tweet

More Decks by OWASP Japan

See All by OWASP Japan
OWASP Night 2019.03 Tokyo
owaspjapan
0
320
OWASP SAMMを活用したセキュア開発の推進
owaspjapan
0
930
20190107_AbuseCaseCheatSheet
owaspjapan
0
150
セキュリティ要求定義で使える非機能要求グレードとASVS
owaspjapan
5
880
AWSクラスタに捧ぐウェブを衛っていく方法論と死なない程度の修羅場の価値
owaspjapan
9
3.1k
Shifting Left Like a Boss
owaspjapan
2
270
OWASP Top 10 and Your Web Apps
owaspjapan
2
360
OWASP Japan Proposal: Encouraging Japanese Translation
owaspjapan
1
220
elegance_of_OWASP_Top10_2017
owaspjapan
2
500

Featured

See All Featured
4 Signs Your Business is Dying
shpigford
180
21k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
27
840
Happy Clients
brianwarren
98
6.7k
Documentation Writing (for coders)
carmenintech
65
4.4k
Into the Great Unknown - MozCon
thekraken
32
1.5k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
370
Bootstrapping a Software Product
garrettdimon
PRO
305
110k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
25
1.8k
GraphQLの誤解/rethinking-graphql
sonatard
67
10k
The Pragmatic Product Professional
lauravandoore
31
6.3k
Build The Right Thing And Hit Your Dates
maggiecrowley
33
2.4k

Transcript

  1. Talks: 1 User, 10 Places, 100 Seconds © Copyright 2013

    Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 1 User, 10 Places, 100 Seconds

  2. What’s your location? © Copyright 2013 Hewlett-Packard Development Company, L.P.

    The information contained herein is subject to change without notice. 2

  3. Alarms go off at the IT Security Operations Center (IT

    SOC), right? © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 3

  4. Not really… © Copyright 2013 Hewlett-Packard Development Company, L.P. The

    information contained herein is subject to change without notice. 4

  5. OS, databases, storage IPS, routers, switches, firewalls, DLP Why not?

    Security Information and Event Management solution © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 5 Servers, IAM, networking Applications Application Logs: • Few or uninteresting details • For debugging purposes • Not security related • Require custom connectors IT SOC Management solution

  6. % of breaches that occur are application Why should we

    care about the applications? © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. % application related *Gartner, 2013

  7. Question? Application © Copyright 2013 Hewlett-Packard Development Company, L.P. The

    information contained herein is subject to change without notice. 7

  8. How to make the application produce security logs? 1 Sniff

    traffic, or layer 7 interception Very incomplete © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 8 Application Source Code Developer Insert: • Log.warning(…) • Log.error(…) 2 Lot of work! In business and data layer

  9. How to make the application produce security logs? Bottom line,

    need a mechanisms to: 3 Agent technology Agent per language © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 9 Bottom line, need a mechanisms to: public …{ … userLogin(username, password) … } public …{ … if( userLogin(username, password) ) Log.info(“User :”+username+” logged in!”); else Log.info(“User :”+username+” failed login!”); … }

  10. Various options to do the implementation: Agents, how do they

    work? Aspect Oriented Instrumentation © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 10 Debugging Profiling Link time code rewriting

  11. What to gather with the agent? http://link... WS Call(…) Web-service

    activity Calling external pages © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 11 File activity Database activity

  12. Interesting internal activity Security Exceptions © Copyright 2013 Hewlett-Packard Development

    Company, L.P. The information contained herein is subject to change without notice. 12 Crypto Exceptions

  13. Up and running… what now? Applications © Copyright 2013 Hewlett-Packard

    Development Company, L.P. The information contained herein is subject to change without notice. 13

  14. Need some visuals! © Copyright 2013 Hewlett-Packard Development Company, L.P.

    The information contained herein is subject to change without notice. 14 About what? Scenarios please!

  15. Geo Location Discrepancy is trivial to detect now Action: login

    User: eddie Action: login User: eddie Events © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 15 User Visibility User: eddie Login time: 1/1/13, 10:00pm Place: Sunnyvale, CA, USA User: eddie Login time: 1/1/13, 10:05pm Place: Shanghai, China

  16. … and knowing what that person did in the app

    Action: login User: eddie Action: login User: eddie Events © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 16 User: eddie Login time: 1/1/13, 10:00pm Place: Sunnyvale, CA, USA User: eddie Login time: 1/1/13, 10:05pm Place: Shanghai, China

  17. Multiple Authentications from the same IP Events Action: login User:

    eddie Action: login User: gary Action: login © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 17 User Visibility Action: login User: geoff …

  18. Brute force password attack Events Action: login: Failed User: eddie

    Action: login: Failed User: eddie Action: login: Failed © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 18 User Visibility Action: login: Failed User: eddie Action: login: Successful User: eddie …

  19. Who leaked classified docs? Events Action: access trade secrets User:

    eddie Trade secrets Action: - User: kate Action: - User: matt © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 19 User Visibility User: matt Trade secrets ?

  20. Forensics © Copyright 2013 Hewlett-Packard Development Company, L.P. The information

    contained herein is subject to change without notice. 20 User Visibility Events

  21. Examples please? Demo application: Riches © Copyright 2013 Hewlett-Packard Development

    Company, L.P. The information contained herein is subject to change without notice. 21 Real application: Apache Ofbiz

  22. Let’s start easy: Get logs in to SIEM without Agents…

    Solution: write parser © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 22 Bottom line: A lot is missing... Key information around the user Severity Message

  23. So, write an agent … example: Aspect Oriented Programming ©

    Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 23

  24. Let’s start easy… © Copyright 2013 Hewlett-Packard Development Company, L.P.

    The information contained herein is subject to change without notice. 24

  25. Without Agent Authentication Example Nothing! © Copyright 2013 Hewlett-Packard Development

    Company, L.P. The information contained herein is subject to change without notice. 25 With Agent

  26. Example: Apache Example please! © Copyright 2013 Hewlett-Packard Development Company,

    L.P. The information contained herein is subject to change without notice. 26 End Users

  27. Screen shot regular logging from Apache Ofbiz Not security related

    at all © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 27 And if it’s security related, it’s incomplete…

  28. Application View: What did we get: What applications? Logging syslog

    © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 28 What did we get: • Log messages automatically • Track users logging in • Track everything user does in the application • Track exceptions thrown in the application • …

  29. Exceptions thrown (but catched) © Copyright 2013 Hewlett-Packard Development Company,

    L.P. The information contained herein is subject to change without notice. 29 29

  30. Exceptions thrown (but catched) © Copyright 2013 Hewlett-Packard Development Company,

    L.P. The information contained herein is subject to change without notice. 30 30

  31. Tracking users… © Copyright 2013 Hewlett-Packard Development Company, L.P. The

    information contained herein is subject to change without notice. 31

  32. Tracking their behavior… © Copyright 2013 Hewlett-Packard Development Company, L.P.

    The information contained herein is subject to change without notice. 32

  33. What’s your location? © Copyright 2013 Hewlett-Packard Development Company, L.P.

    The information contained herein is subject to change without notice. 33

  34. Thank you © Copyright 2013 Hewlett-Packard Development Company, L.P. The

    information contained herein is subject to change without notice.