Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Proven Strategies for Web Application Security by Justin C. Klein Keane

OWASP Montréal
February 25, 2014
Technology
0
150

Proven Strategies for Web Application Security by Justin C. Klein Keane

OWASP Montreal - February 25th - Proven Strategies for Web Application Security

MAIN PRESENTER: Justin C. Klein Keane

ABSTRACT: The rising dominance of the web as an application delivery platform has focused attacker attention squarely on the security of dynamic web applications. Application security is a complex, and shifting, field. Learn about tested and successful techniques to build safer applications, find flaws before they become vulnerabilities, and deploy applications that can detect, and resist attack.

BIO: Justin C. Klein Keane is a security engineer and chapter leaders of OWASP in Philadelphia. For over a decade Justin has worked as a trainer, coder, and exploit developer. Justin is currently writing a book for NoStarch Press on hacking, speaks regularly at conferences, holds a masters degree in information technology from the University of Pennsylvania and is credited with hundreds of application vulnerability discoveries.

WHEN: February 25th 2014

OWASP Montréal

February 25, 2014
Tweet

More Decks by OWASP Montréal

See All by OWASP Montréal
OWASP_-_Operate_PCIDSS_infrastructure_using_devOps_approch.pptx.pdf
owaspmontreal
0
110
Endpoint Bypass Charles Hamilton
owaspmontreal
0
130
Hybrid approach to security testing
owaspmontreal
0
190
Threat Modeling Toolkit
owaspmontreal
0
900
NorthSec - Applied Security Event
owaspmontreal
0
170
Sécurité des applications : Les fondements
owaspmontreal
0
110
WORKSHOP ! Server Side Template Injection (SSTI)
owaspmontreal
1
900
Ransomware and healthcare - Hacking Health
owaspmontreal
0
140
OWASP Montréal reçoit Mario Contestabile
owaspmontreal
0
170

Other Decks in Technology

See All in Technology
Cloudflare Workersで動的コンテンツをキャッシュする際の新たな選択肢
yoshiitaka
6
490
ソフトウェアセキュリティはAIの登場でどう変わるか - OWASP LLM Top 10
okdt
PRO
6
1.4k
3D震源マップJapan EQ Locatorはこう動いている!
nagix
0
160
ISUCON練習環境を最も簡単に用意する方法
koba789
2
1.5k
[Opening] DBRE Summit 2023
_awache
0
210
SRv6 対応の IPFIX exporter を開発した話 / Development of an IPFIX Exporter Supporting SRv6
nttcom
2
220
ECS on Fargate のセキュリティ対策は何をやるべき?開発者目線で考える/security-for-ecs-on-fargate-secjawsdays
tomoki10
5
1.8k
Flutterアプリの E2Eテストツール事情
mwakizaka
0
230
ゆる~くOffSec.の話でもするんDAWA
minanokawari
0
350
20230816_AprilTagを利用してARで物体を表示させてみた
kentaitakura
0
240
分解のススメ 第16回 「たまごっちユニ」のハードウエア概要
tomorrow56
0
270
20230815_ISTQB® Certified Tester Game Testing v1.0.1(CT-GaMe)に載っていないことの話
mixi_engineers
PRO
0
150

Featured

See All Featured
GraphQLとの向き合い方2022年版
quramy
24
11k
Web Components: a chance to create the future
zenorocha
304
41k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
239
1.2M
The MySQL Ecosystem @ GitHub 2015
samlambert
240
11k
Visualization
eitanlees
131
13k
How to Ace a Technical Interview
jacobian
271
22k
Intergalactic Javascript Robots from Outer Space
tanoku
263
26k
Producing Creativity
orderedlist
PRO
336
38k
Automating Front-end Workflow
addyosmani
1354
200k
5 minutes of I Can Smell Your CMS
philhawksworth
199
19k
Music & Morning Musume
bryan
37
5k
The Mythical Team-Month
searls
212
41k

Transcript

  1. Copyright Justin C. Klein Keane
    Proven Strategies for Web Application
    Security
    Justin C. Klein Keane
    University of Pennsylvania
    Web App Security

    View Slide

  2. Copyright Justin C. Klein Keane
    About Me

    Security Engineer for the
    University of Pennsylvania

    Chapter leader of Philadelphia
    OWASP

    Professional career as a web
    developer

    View Slide

  3. Copyright Justin C. Klein Keane
    Proven Strategies

    Sadly, I can't prove a negative

    Discussion followed by concrete
    examples from Penn

    Ideal solution may not meet all
    practical needs

    View Slide

  4. Copyright Justin C. Klein Keane
    Why are Web Apps Targets?

    Globally available

    Always on (esp when you're not watching)

    Client application available on most every
    platform

    Victims of the success of firewalls

    Browsers becoming nearly as valuable as OS
    targets

    View Slide

  5. Copyright Justin C. Klein Keane
    Choose a Standard

    Best advice for a secure
    environment

    It doesn't matter what you choose

    Base your choice on an evaluation
    – Best choice is the best match to your
    environment

    View Slide

  6. Copyright Justin C. Klein Keane
    Standardize on a Framework

    Choose one framework and invest in
    – Security
    – Support

    Develop expertise

    Enable all security features

    View Slide

  7. Copyright Justin C. Klein Keane
    Framework Security

    Each language has challenges

    No language is “insecure”

    Understand the business reasons for
    your platform

    Recognize, and use, safe libraries

    Keep your platform up to date

    Do security testing prior to deployment

    View Slide

  8. Copyright Justin C. Klein Keane
    Choosing a Framework that Fits

    Technology match

    Robust security team and lifecycle

    Long term support

    Availability of local talent

    Published material

    Lifespan

    Etc.

    View Slide

  9. Copyright Justin C. Klein Keane
    Benefit of Framework

    View Slide

  10. Copyright Justin C. Klein Keane
    Our Choice

    School of Arts & Sciences chose
    Drupal and Symfony

    Our environment is largely PHP,
    MySQL and Linux based

    Lots of local Drupal developers

    Prior to choice we had no Drupal
    sites

    View Slide

  11. Copyright Justin C. Klein Keane
    Harden the App Layer

    Enable all the language security
    features

    Disable dangerous features
    altogether

    Customize your build to remove
    tools only useful to attackers

    View Slide

  12. Copyright Justin C. Klein Keane
    Our Solutions

    Customized PHP to limit unsafe functions

    Required Drupal modules to:
    – Audit logins for brute force
    – Audit configuration for security issues
    – Enforce password strength
    – Allow for the use of CAPTCHA
    – Logging to syslog

    Enforce safe database libraries (MySQLi, Doctrine, Drupal db)

    Security testing is a published component of the app deployment
    process

    View Slide

  13. Copyright Justin C. Klein Keane
    Harden the Full Stack

    Every stack has multiple layers

    Utilize the security of each layer to
    the fullest

    View Slide

  14. Copyright Justin C. Klein Keane
    OS Hardening

    Limit file system privileges

    Isolate your web or application server

    Install a host based intrusion
    detection system

    Limit shell access and require secure
    connections

    View Slide

  15. Copyright Justin C. Klein Keane
    Our Solution

    Key based SSH for developers to
    access hosted environments

    Centralized, active response
    enabled, OSSEC HIDS
    (ossec.net)

    Web server has very limited write
    capabilities

    View Slide

  16. Copyright Justin C. Klein Keane
    Isolate your Server

    Application compromise often leads to
    application server compromise

    Limit the privileges of the server process

    If possible isolate applications from one
    another

    Ensure uniform data sensitivity across
    each server install

    View Slide

  17. Copyright Justin C. Klein Keane
    Our Solution

    When possible one codebase runs all
    applications

    Developers cannot change that code base

    Application server privileges limited (php.ini
    customization)

    Diverse applications get dedicated servers

    View Slide

  18. Copyright Justin C. Klein Keane
    Database Security

    Limit application privileges to least necessary

    Isolate data in separate databases

    If possible make use of:
    – stored procedures
    – Parameterized queries

    Use safe interaction libraries (like an ORM)

    Eliminate remote DB connections

    View Slide

  19. Copyright Justin C. Klein Keane
    Our DB Practice

    When developers start an app:
    – New app specific database provisioned
    – Two accounts

    one for developers most privileges

    one for the application with least privilege
    – App password obfuscated in code
    – Stored procedures for sensitive functions
    – DB is accessed over SSH

    View Slide

  20. Copyright Justin C. Klein Keane
    People Standards

    Train your developers

    Establish secure coding baselines

    Publish approved libraries and tools

    Insist that applications meet the baseline
    – Then provide support!

    Training helps, but try to make vulnerabilities
    deliberate

    View Slide

  21. Copyright Justin C. Klein Keane
    Our Solution

    Constant push to refine security of our
    platforms

    Published coding standards

    Trained developers perform code level
    reviews prior to deployment

    All changes are vetted before deployment

    View Slide

  22. Copyright Justin C. Klein Keane
    Automated Tools

    You should run them!

    You should realize they mostly
    suck!

    Best testing tool: a person
    – Penultimate – a person with tools and
    source code

    View Slide

  23. Copyright Justin C. Klein Keane
    Layer 8 Security

    Personnel charged with security
    should be developers

    One of these statements is
    dangerous:
    crsr.execute(“SELECT * FROM table where id = %s” % id)
    crsr.execute(“SELECT * FROM table where id = %s” , id)

    View Slide

  24. Copyright Justin C. Klein Keane
    Tools We Use

    W3af

    OWASP ZAP

    Firefox Tamper Data Plugin

    Eclipse

    Custom Python scripts

    View Slide

  25. Copyright Justin C. Klein Keane
    Detect Compromises

    Audit filesystem changes
    – Automated integrity checking

    Scan uploads for malware

    Build logging into your applications

    Perform automated log analysis

    View Slide

  26. Copyright Justin C. Klein Keane
    Detection We Use

    OSSEC
    – File integrity and log monitoring
    – Custom decoders and rules
    – Alerts sent via e-mail to security staff

    Clam AV

    View Slide

  27. Copyright Justin C. Klein Keane
    Respond Quickly

    Have backups

    Using version control is an
    excellent way to be able to recover
    from a compromise

    View Slide

  28. Copyright Justin C. Klein Keane
    Tools We Use

    Regular backups (nightly)

    CVS and Git for version control

    Separate development, staging
    and production environments

    Automated deployments

    View Slide

  29. Copyright Justin C. Klein Keane
    Conclusion

    Choose a tool and make it work

    Understand security options and enable them

    Secure each layer of the app stack

    Use isolation and monitoring to your
    advantage

    Enforce use of safe libraries

    Make security testing a requirement for
    deployment

    Have intrusion detection and incident response
    plans in place

    View Slide

  30. Copyright Justin C. Klein Keane
    Thank You
    Questions?

    View Slide