
1 User, 10 Places, 100 Seconds #appsecapac2014

OWASP Japan
March 20, 2014

Transcript

  1. Talks: 1 User, 10 Places, 100 Seconds. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
  2. What’s your location?
  3. Alarms go off at the IT Security Operations Center (IT SOC), right?
  4. Not really…
  5. Why not? The IT SOC’s Security Information and Event Management solution covers servers (OS, databases, storage), networking (IPS, routers, switches, firewalls, DLP) and IAM. Applications and their logs: • Few or uninteresting details • For debugging purposes • Not security related • Require custom connectors
  6. Why should we care about the applications? % of breaches that occur are application related (*Gartner, 2013)
  7. Question? Application
  8. How to make the application produce security logs? 1: Sniff traffic, or layer 7 interception. Very incomplete. 2: The developer inserts Log.warning(…) and Log.error(…) calls into the application source code, in the business and data layer. A lot of work!
  9. How to make the application produce security logs? 3: Agent technology, one agent per language. Bottom line, need a mechanism to turn public …{ … userLogin(username, password) … } into public …{ … if( userLogin(username, password) ) Log.info("User :"+username+" logged in!"); else Log.info("User :"+username+" failed login!"); … }
  10. Agents, how do they work? Various options to do the implementation: Aspect Oriented Instrumentation, Debugging, Profiling, Link time code rewriting.
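Slides 9 and 10 describe an agent that makes the application emit security events without the developer touching the business logic. What follows is an added example, not the presenter’s code and not any HP agent: a runtime wrapper written in Python (chosen so the example runs stand-alone; the agents on these slides target Java-style applications such as OFBiz) that plays the role of the aspect-oriented "around" advice. The userLogin function, make_app, the SecurityEventSink class, the sample accounts and the client IP are all constructed for this example.

```python
"""Added example (not from the slides, nor HP's agent): an 'agent' that
instruments an application's login function at runtime, the way the
aspect-oriented agents on slides 9-10 do, so the app emits security events
without any developer-added Log.info calls. userLogin, make_app,
SecurityEventSink and the sample accounts are assumptions for this example."""
import functools
import json
import time
from types import SimpleNamespace

# --- the application as the developer wrote it: no security logging at all ---
_USERS = {"eddie": "s3cret", "gary": "hunter2"}   # constructed sample accounts

def userLogin(username, password):
    """Business-layer authentication: True on success, False otherwise."""
    return _USERS.get(username) == password

def make_app():
    """Stands in for the application module/class the agent attaches to."""
    return SimpleNamespace(userLogin=userLogin)

# --- the agent: wraps the method from the outside ("around" advice) ---
class SecurityEventSink:
    """Collects structured events; a real agent would forward them to the SIEM."""
    def __init__(self):
        self.events = []

    def emit(self, **fields):
        fields.setdefault("ts", time.time())
        self.events.append(fields)
        print(json.dumps(fields, sort_keys=True))   # what the SIEM connector would ship

def instrument_login(app, sink, request_context):
    """Replace app.userLogin with a wrapper that records outcome, user and client IP.
    request_context() returns what the agent can read from the current request
    (here a constructed dict holding the client IP). Returns the original
    function so the agent can be uninstalled."""
    original = app.userLogin

    @functools.wraps(original)
    def around(username, password):
        ok = original(username, password)        # business logic runs unchanged
        # The wrapper sees the password but deliberately never records it.
        sink.emit(action="login",
                  outcome="Successful" if ok else "Failed",
                  user=username,
                  src_ip=request_context().get("client_ip", "unknown"))
        return ok

    app.userLogin = around
    return original

def demo():
    """Drive an instrumented app with a few constructed attempts; returns the events."""
    app, sink = make_app(), SecurityEventSink()
    ctx = {"client_ip": "203.0.113.7"}           # RFC 5737 documentation address
    instrument_login(app, sink, lambda: ctx)
    app.userLogin("eddie", "wrong")               # failed login -> event
    app.userLogin("eddie", "s3cret")              # successful login -> event
    app.userLogin("nobody", "x")                  # unknown user -> failed event
    return sink.events

if __name__ == "__main__":
    demo()
```

The point the slides make is visible in demo(): the application code has no logging at all, yet every call to userLogin now produces a structured event with the user, the outcome and the client address, which is exactly the "key information around the user" that a log-file parser cannot recover later. The wrapper also shows the one thing an agent must get right in this position: it has the credentials in hand and must not write them to the log.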
  11. What to gather with the agent? Web-service activity (WS Call(…)), calling external pages (http://link...), file activity, database activity.
  12. Interesting internal activity: Security Exceptions, Crypto Exceptions.
  13. Up and running… what now? Applications
  14. Need some visuals! About what? Scenarios please!
  15. Geo Location Discrepancy is trivial to detect now. Events: Action: login, User: eddie; Action: login, User: eddie. User Visibility: User: eddie, Login time: 1/1/13, 10:00pm, Place: Sunnyvale, CA, USA; User: eddie, Login time: 1/1/13, 10:05pm, Place: Shanghai, China.
  16. … and knowing what that person did in the app. Events: Action: login, User: eddie; Action: login, User: eddie. User: eddie, Login time: 1/1/13, 10:00pm, Place: Sunnyvale, CA, USA; User: eddie, Login time: 1/1/13, 10:05pm, Place: Shanghai, China.
  17. Multiple Authentications from the same IP. Events: Action: login, User: eddie; Action: login, User: gary; Action: login, User: geoff; … User Visibility.
  18. Brute force password attack. Events: Action: login: Failed, User: eddie; Action: login: Failed, User: eddie; Action: login: Failed, User: eddie; Action: login: Successful, User: eddie; … User Visibility.
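Slides 15, 17 and 18 each reduce to a rule over the login events the agent ships to the SIEM. The following is an added example, not the presenter’s material: the three rules written in Python and run over a constructed event list that mirrors the slides (eddie in Sunnyvale and then Shanghai five minutes later, three accounts from one IP, three failures followed by a success). The event layout, the coordinates, the speed and count thresholds, the window sizes and the IP addresses are assumptions made for this example.

```python
"""Added example (not from the slides): the three detection scenarios as
rules over structured login events. Event layout, thresholds, windows,
coordinates and addresses are assumptions; all events are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

SUNNYVALE = (37.37, -122.04)   # approximate coordinates, constructed for the example
SHANGHAI = (31.23, 121.47)

def ev(ts, user, outcome, src_ip, geo):
    """One login event as the agent would emit it (geo resolved from src_ip by the SIEM)."""
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M"), "user": user,
            "outcome": outcome, "src_ip": src_ip, "geo": geo}

EVENTS = [  # constructed sample events; IPs are RFC 5737 documentation ranges
    ev("2013-01-01 22:00", "eddie", "Successful", "198.51.100.10", SUNNYVALE),   # slide 15
    ev("2013-01-01 22:05", "eddie", "Successful", "203.0.113.44", SHANGHAI),
    ev("2013-01-03 03:00", "eddie", "Failed", "203.0.113.99", SHANGHAI),         # slide 18
    ev("2013-01-03 03:00", "eddie", "Failed", "203.0.113.99", SHANGHAI),
    ev("2013-01-03 03:01", "eddie", "Failed", "203.0.113.99", SHANGHAI),
    ev("2013-01-03 03:02", "eddie", "Successful", "203.0.113.99", SHANGHAI),
    ev("2013-01-05 09:00", "eddie", "Successful", "192.0.2.9", SUNNYVALE),       # slide 17
    ev("2013-01-05 09:01", "gary", "Successful", "192.0.2.9", SUNNYVALE),
    ev("2013-01-05 09:02", "geoff", "Successful", "192.0.2.9", SUNNYVALE),
    ev("2013-01-05 09:03", "kate", "Successful", "198.51.100.23", SUNNYVALE),    # benign control
]

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def geo_discrepancy(events, max_kmh=1000.0):
    """Slide 15: consecutive successful logins of one user too far apart for the time elapsed."""
    alerts, by_user = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["outcome"] == "Successful":
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["geo"], cur["geo"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            # zero elapsed time with a real distance is still impossible travel
            if km > 0 and (hours == 0 or km / hours > max_kmh):
                alerts.append({"rule": "geo_discrepancy", "user": user,
                               "km": round(km), "minutes": round(hours * 60)})
    return alerts

def shared_ip(events, min_users=3, window=timedelta(minutes=10)):
    """Slide 17: several distinct accounts authenticating from one IP inside the window."""
    alerts, by_ip = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["outcome"] == "Successful":
            by_ip[e["src_ip"]].append(e)
    for ip, evs in by_ip.items():
        for i, cur in enumerate(evs):
            users = {x["user"] for x in evs[:i + 1] if cur["ts"] - x["ts"] <= window}
            if len(users) >= min_users:
                alerts.append({"rule": "shared_ip", "src_ip": ip, "users": sorted(users)})
                break   # one alert per IP is enough for the analyst
    return alerts

def brute_force(events, max_failures=3, window=timedelta(minutes=10)):
    """Slide 18: a run of failures for one account, flagged again if a success follows it."""
    alerts, recent = [], defaultdict(deque)   # user -> timestamps of failures in window
    for e in sorted(events, key=lambda e: e["ts"]):
        q = recent[e["user"]]
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if e["outcome"] == "Failed":
            q.append(e["ts"])
            if len(q) == max_failures:
                alerts.append({"rule": "brute_force", "user": e["user"], "failures": len(q)})
        elif len(q) >= max_failures:   # success right after the run: likely guessed password
            alerts.append({"rule": "brute_force_then_success", "user": e["user"],
                           "src_ip": e["src_ip"]})
            q.clear()
    return alerts

def run_all(events=EVENTS):
    """Run the three rules and return the alerts in rule order."""
    alerts = geo_discrepancy(events) + shared_ip(events) + brute_force(events)
    for a in alerts:
        print(a)
    return alerts

if __name__ == "__main__":
    run_all()
```

Every rule keys on fields (user, outcome, source address) that only exist because the agent put them into the event; the Apache OFBiz log lines shown later on slides 27 and 28 carry none of them, which is why the same scenarios cannot be written against a parsed log file. The "then success" branch of the brute-force rule is the one worth routing to a person: the account has probably been taken over, and the slides’ "what did that person do in the app" view is the next question.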
  19. Who leaked classified docs? Events: Action: access trade secrets, User: eddie; Action: -, User: kate; Action: -, User: matt. User Visibility: User: matt, Trade secrets?
  20. Forensics: User Visibility, Events.
  21. Examples please? Demo application: Riches. Real application: Apache Ofbiz.
  22. Let’s start easy: Get logs into SIEM without Agents… Solution: write a parser. Bottom line: A lot is missing... Key information around the user, Severity, Message.
  23. So, write an agent … example: Aspect Oriented Programming.
  24. Let’s start easy…
  25. Authentication Example. Without Agent: Nothing! With Agent.
  26. Example please! Example: Apache. End Users.
  27. Screen shot: regular logging from Apache Ofbiz. Not security related at all. And if it’s security related, it’s incomplete…
  28. Application View: What applications? Logging: syslog. What did we get: • Log messages automatically • Track users logging in • Track everything the user does in the application • Track exceptions thrown in the application • …
  29. Exceptions thrown (but caught)
  30. Exceptions thrown (but caught)
  31. Tracking users…
  32. Tracking their behavior…
  33. What’s your location?
  34. Thank you