Slide 1

Slide 1 text

Application Security on a Dime: Open Technologies, Tools, and Techniques for Running a Blossoming InfoSec Program. Great Wide Open – Atlanta, GA, April 2014

Slide 2

Slide 2 text

Navigational Map
• Speaker Profile
• Security Challenges
• Intro to OWASP
• Security Voltron Concept
• Governance
• Development
• Security Testing
• More Nefarious Ideas
• Closing Remarks

Slide 3

Slide 3 text

Speaker Profile
• Cornell University graduate
• Began in commercial finance consulting
• Transitioned to IT across multiple roles (System Administration, Development, Network Engineering, Support Operations, Implementation)
• Worked for top global companies across multiple sectors (Healthcare, Finance, Information Services, Government, Telecommunications, Banking, Consumer Electronics, Hospitality (F&B, Hotel, Tourism), BPO, Shared Service Models)
• Founder, CEO at VerSprite, Inc.

Slide 4

Slide 4 text

SECURITY CHALLENGES How to get to saying…. ‘I GOT 99 PROBS BUT SECURITY AIN’T ONE’

Slide 5

Slide 5 text

or ‘I got 99 problems & they’re all security!’

Challenges in AppSec
• Isolated SDLC efforts
• Anti-security culture
• Expanding heterogeneous tech stack
• Decentralizing management
• Security is not built into IT functions early on
• Targeted attacks
• Open intel on application components

Sound Solutions
• Establish governance
• Security requirements & resources
• Implementation of S-SDLC
• Use security frameworks
• Test, and test early
• Track defects

Slide 6

Slide 6 text

OWASP Open Web Application Security Project

Slide 8

Slide 8 text

Intro to OWASP
• Open Web Application Security Project
• Community driven; 11 years old
• Dedicated to openness of all content & materials
• International community focused on AppSec
• Cross-cultural, cross-industry challenges exposed and addressed
• Massively supportive and responsive
• Follow @OWASP (local to ATL? Follow @OWASPATL)

Slide 9

Slide 9 text

Core Values (from www.owasp.org)
• OPEN – radical transparency; from finances to our code.
• INNOVATION – encourages innovation for solutions to software security challenges.
• GLOBAL – truly a global community.
• INTEGRITY – truthful, vendor neutral, global community.

Slide 12

Slide 12 text

Security Voltron (n) (Latin) Legit security program formed by a collection of individual security components;

Slide 13

Slide 13 text

GOVERNANCE Without governance, your security program will sink.

Slide 14

Slide 14 text

Policies, Standards, Guidelines
• Policies govern people’s actions
• Standards govern technology
• Guidelines provide best practices
What/where to start?
Benefits: reproducible, standardized

Slide 15

Slide 15 text

Governing Secure Code Development
• Standardize security in software development
• Bookmark the OWASP.org Cheat Sheets

Slide 16

Slide 16 text

OWASP ASVS – Security Assurance Methodology
The OWASP Application Security Verification Standard (ASVS) defines a standard for conducting application security verifications. It covers automated and manual approaches for external testing and code review techniques. Recently created and already adopted by several companies and government agencies.
Benefits
• Standardizes the coverage and level of rigor used to perform application security assessments
• Allows for better comparisons between assessments
http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project

Slide 17

Slide 17 text

OWASP Top Ten
The OWASP Top Ten represents a broad consensus of what the most critical web application security flaws are. Adopted by the Payment Card Industry (PCI) and recommended as a best practice by many government and industry entities.
Benefits
• Powerful awareness document for web application security
• Great starting point and reference for developers
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Slide 18

Slide 18 text

OWASP Developer Guide: https://github.com/OWASP/DevGuide

Slide 19

Slide 19 text

OWASP Developer Cheat Sheets
• Clickjacking Defense Cheat Sheet
• C-Based Toolchain Hardening Cheat Sheet
• Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
• Cryptographic Storage Cheat Sheet
• DOM based XSS Prevention Cheat Sheet
• Forgot Password Cheat Sheet
• HTML5 Security Cheat Sheet
• Input Validation Cheat Sheet
• JAAS Cheat Sheet
• Logging Cheat Sheet
• .NET Security Cheat Sheet
• OWASP Top Ten Cheat Sheet
• Password Storage Cheat Sheet
• Pinning Cheat Sheet
• Query Parameterization Cheat Sheet
• Ruby on Rails Cheat Sheet
• REST Security Cheat Sheet
• Session Management Cheat Sheet
• SQL Injection Prevention Cheat Sheet
• Transport Layer Protection Cheat Sheet
• Unvalidated Redirects and Forwards Cheat Sheet
• User Privacy Protection Cheat Sheet
• Web Service Security Cheat Sheet
• XSS (Cross Site Scripting) Prevention Cheat Sheet
• Attack Surface Analysis Cheat Sheet
• XSS Filter Evasion Cheat Sheet
• REST Assessment Cheat Sheet
• iOS Developer Cheat Sheet
• Mobile Jailbreaking Cheat Sheet
• OpSec Cheat Sheets (Defender)
• Virtual Patching Cheat Sheet

Slide 20

Slide 20 text

OWASP OpenSAMM
The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.
Benefits
• Evaluate your organization's existing software security practices
• Build a balanced software security program in well-defined iterations
• Demonstrate concrete improvements
http://www.owasp.org/index.php/Category:OWASP_Software_Assurance_Maturity_Model_Project

Slide 22

Slide 22 text

Wide Scope Covered by OpenSAMM
Supports a security plan or roadmap:
• Establish governance
• Perform assessments
• Test and report
• Enhance security operations
• Build an S-SDLC initiative
• Measure success/shortcomings
• Provide metrics for reporting
http://www.owasp.org/index.php/Category:OWASP_Software_Assurance_Maturity_Model_Project

Slide 24

Slide 24 text

“OWASP.org is a valuable resource for any company involved with online payment card transactions. Dell uses OWASP’s Software Assurance Maturity Model (OpenSAMM) to help focus our resources and determine which components of our secure application development program to prioritize. Participation in OWASP’s local chapter meetings and conferences around the globe helps us build stronger networks with our colleagues.” (Michael J. Craigue, Information Security & Compliance, Dell, Inc.)

Slide 25

Slide 25 text

S-SDLC Building Security In Software Development

Slide 26

Slide 26 text

S-SDLC / Building Security In

Slide 27

Slide 27 text

OWASP Developer References

Educate
• OWASP WebGoat – exercise successful implementation of OWASP countermeasures
• OWASP Top Ten – ranks the top web application risks; serves as a good scope for initial testing

Develop
• OWASP Code Review Guide – methodology for source code reviews
• OWASP Development Guide – establishes a process for secure development efforts across various SDLCs
• OWASP Cheat Sheet Series
• OWASP countermeasures: OWASP CSRFGuard, OWASP AntiSamy

Test
• OWASP Zed Attack Proxy – test against the OWASP Top Ten; use in conformance with the Testing Guide
• OWASP Yasca – leverages FindBugs, PMD, JLint, JavaScript Lint, PHPLint, Cppcheck, ClamAV, RATS, and Pixy to scan

Slide 28

Slide 28 text

OWASP Developer Guide: https://github.com/OWASP/DevGuide

Slide 29

Slide 29 text

OWASP Cheat Sheet Snippet

Insecure Direct Object References

It may seem obvious, but if you had a bank account REST web service, you have to make sure there is adequate checking of primary and foreign keys:

https://example.com/account/325365436/transfer?amount=$100.00&toAccount=473846376

In this case, it would be possible to transfer money from any account to any other account, which is clearly insane. Not even a random token makes this safe: a token proves the request came from the user's own session, not that the session owns account 325365436.

https://example.com/invoice/2362365

In this case, it would be possible to get a copy of all invoices. Please make sure you understand how to protect against insecure direct object references in the OWASP Top 10 2010.

Java Regex Usage Example

Example validating the parameter “zip” using a regular expression:

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Anchored pattern: five digits plus an optional "-NNNN" extension; nothing else matches.
private static final Pattern zipPattern = Pattern.compile("^\\d{5}(-\\d{4})?$");

public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
    try {
        String zipCode = request.getParameter("zip");
        // A missing parameter is rejected rather than dereferenced.
        if (zipCode == null || !zipPattern.matcher(zipCode).matches()) {
            throw new YourValidationException("Improper zipcode format.");
        }
        // .. do what you want here, after it's been validated ..
    } catch (YourValidationException e) {
        response.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
    }
}
```
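The server-side check the snippet above is asking for, as an added Python example (it is not from the cheat sheet or from the deck): an ownership check on the source account decided from the session, and a per-session indirect reference map so the client never handles raw account or invoice numbers. The account and invoice data, user names and function names are constructed for illustration.

```python
import secrets


class AuthorizationError(Exception):
    """Raised for any object the caller may not act on, including ones that do not exist."""


def make_accounts():
    # Constructed sample data (not from the page): account id -> owner and balance.
    return {
        "325365436": {"owner": "alice", "balance": 500.0},
        "473846376": {"owner": "bob", "balance": 50.0},
        "918273645": {"owner": "alice", "balance": 20.0},
    }


def transfer(accounts, current_user, from_account, to_account, amount):
    """Debit from_account only if the authenticated user owns it.

    The decisive check is ownership of the *source* account, taken from the
    server-side session (current_user), never from anything the client sent.
    Anyone may be paid, so the destination only has to exist.
    Returns the new source balance.
    """
    if amount <= 0:
        raise ValueError("amount must be positive")
    src = accounts.get(from_account)
    # Unknown and forbidden look identical to the caller: no account enumeration.
    if src is None or src["owner"] != current_user:
        raise AuthorizationError("transfer not permitted")
    if to_account not in accounts:
        raise AuthorizationError("transfer not permitted")
    if src["balance"] < amount:
        raise ValueError("insufficient funds")
    src["balance"] -= amount
    accounts[to_account]["balance"] += amount
    return src["balance"]


class IndirectReferenceMap:
    """Per-session opaque handles in place of raw primary keys.

    Same idea as ESAPI's AccessReferenceMap: the client only ever sees and
    submits handles minted for its own session, so it cannot count up to a
    neighbour's invoice number, and a handle leaked from one session means
    nothing in another. This complements the ownership check; it does not replace it.
    """

    def __init__(self):
        self._direct_by_handle = {}
        self._handle_by_direct = {}

    def handle_for(self, direct_id):
        handle = self._handle_by_direct.get(direct_id)
        if handle is None:
            handle = secrets.token_urlsafe(9)
            self._handle_by_direct[direct_id] = handle
            self._direct_by_handle[handle] = direct_id
        return handle

    def resolve(self, handle):
        try:
            return self._direct_by_handle[handle]
        except KeyError:
            raise AuthorizationError("unknown reference") from None


def invoice_handles_for(user, invoices, ref_map):
    """List the caller's own invoices as opaque handles (invoices: constructed dict id -> owner)."""
    return [ref_map.handle_for(inv_id) for inv_id, owner in invoices.items() if owner == user]


def fetch_invoice(user, handle, invoices, ref_map):
    """Resolve a handle and still verify ownership before returning the record id."""
    inv_id = ref_map.resolve(handle)
    if invoices.get(inv_id) != user:
        raise AuthorizationError("not your invoice")
    return inv_id
```

The two halves fail in different ways on purpose: the reference map stops guessing, the ownership check stops a valid-looking reference being replayed by the wrong user. Neither one alone covers the bank example above.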

Slide 30

Slide 30 text

OWASP XSS Cheat Sheet

Slide 31

Slide 31 text

HTML5 Security Cheat Sheet Sample

Slide 32

Slide 32 text

OWASP AntiSamy
OWASP AntiSamy is an API for ensuring user-supplied HTML/CSS is compliant with the application's rules. API plus implementations: Java, .NET, ColdFusion, PHP (HTMLPurifier).
Benefits
• Helps you ensure that clients don't supply malicious code to your application
• A safer way to allow rich content from an application's users
http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
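What an allow-list sanitizer does underneath, as an added Python example (it is not AntiSamy's code and not from the deck): a parser that keeps a small set of harmless tags and attributes, rejects href values whose scheme is not http/https/mailto, and drops script/style content outright. The tag and attribute policy here is an assumption for illustration; AntiSamy loads its policy from an XML file.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Policy (assumed for illustration; AntiSamy reads its own from an XML policy file).
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "br", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" = relative URL
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}           # the tag *and* its text go


def safe_href(value):
    """True if the URL's scheme is on the allow list.
    Browsers ignore tabs and newlines inside "java<TAB>script:", so control and
    whitespace characters are stripped before the scheme is parsed."""
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._out = []
        self._open = []        # tags we emitted and still owe a close for
        self._dropping = 0     # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._dropping += 1
            return
        if self._dropping or tag not in ALLOWED_TAGS:
            return             # unknown tag is removed; its text is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue       # drops onclick=, style=, src=, ...
            value = value or ""
            if name == "href" and not safe_href(value):
                continue       # drops javascript:, data:, vbscript: links
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self._out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._dropping = max(0, self._dropping - 1)
            return
        if self._dropping or tag not in self._open:
            return
        while self._open:      # close anything still open inside it, then it
            closed = self._open.pop()
            self._out.append("</%s>" % closed)
            if closed == tag:
                break

    def handle_data(self, data):
        if not self._dropping:
            self._out.append(escape(data, quote=False))

    def result(self):
        while self._open:      # balance whatever the input left unclosed
            self._out.append("</%s>" % self._open.pop())
        return "".join(self._out)


def sanitize_html(fragment):
    """Return a copy of fragment containing only allow-listed markup, with all text re-escaped."""
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()
```

The output is re-serialized from the parse tree rather than filtered by regex, which is the property that matters: whatever the browser ends up rendering is something this code emitted, not something the input smuggled past a pattern.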

Slide 33

Slide 33 text

OWASP CSRFGuard
OWASP CSRFGuard utilizes request tokens to address Cross-Site Request Forgery. CSRF is an attack where the victim is tricked, by a page the attacker controls, into sending a request to a site where they are already authenticated; the browser attaches the session cookie automatically, so the site cannot tell the forged request from a legitimate one unless it demands something the attacker's page cannot read. Java, .NET and PHP implementations. CSRF is considered the application security sleeping giant.
Benefits
• Provides code to generate and verify unique request tokens to mitigate CSRF risks
http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
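The synchronizer-token pattern that CSRFGuard implements, as an added Python example (it is not CSRFGuard's code and not from the deck): a per-session token the server embeds in its own forms and checks on every state-changing request, a constant-time comparison, and a simulated forged cross-site request that carries the victim's session but no token. Function and parameter names are assumptions for illustration.

```python
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


class CsrfGuard:
    """Synchronizer-token pattern: one unguessable token per server-side session."""

    def __init__(self):
        self._token_by_session = {}

    def token_for(self, session_id):
        """Mint (once) and return the token the server embeds in its own forms."""
        token = self._token_by_session.get(session_id)
        if token is None:
            token = secrets.token_urlsafe(32)
            self._token_by_session[session_id] = token
        return token

    def verify(self, session_id, submitted):
        expected = self._token_by_session.get(session_id)
        if expected is None or not submitted:
            return False
        # Constant-time compare: an early-exit == would leak the token through timing.
        return hmac.compare_digest(expected, submitted)

    def rotate(self, session_id):
        """Forget the token; call on login/logout so a pre-auth token cannot be fixed into a session."""
        self._token_by_session.pop(session_id, None)


def handle_transfer(guard, method, session_id, form, headers):
    """Minimal request handler returning (status, body). Only state-changing methods are checked;
    the session id stands in for the cookie the browser sends, form/headers for what the page sent."""
    if method in SAFE_METHODS:
        return 200, "form"
    submitted = form.get("csrf_token") or headers.get("X-CSRF-Token")
    if not guard.verify(session_id, submitted):
        return 403, "CSRF token missing or invalid"
    return 200, "transferred %s to %s" % (form.get("amount"), form.get("toAccount"))


def forged_request(victim_session_id):
    """What an attacker's page can make the victim's browser send (constructed for illustration):
    the cookie, hence the session id, is attached automatically, but the page cannot read the
    victim's token, so the form carries none."""
    return ("POST", victim_session_id, {"amount": "100.00", "toAccount": "473846376"}, {})
```

Two details carry the weight: the token is tied to the session rather than global, so one leaked token does not unlock everyone, and it is only ever demanded on unsafe methods, so the check cannot be bypassed by switching a transfer to GET as long as GET never changes state.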

Slide 34

Slide 34 text

OWASP ESAPI
OWASP Enterprise Security API (ESAPI) is a free and open collection of all the security methods that a developer needs to build a secure web application. The API is fully documented and online, with implementations in multiple languages.
Benefits
• Provides a great reference
• Implementation can be adapted or used directly
• Provides a benchmark to measure frameworks against
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

Slide 35

Slide 35 text

SECURITY TESTING Testing insecurities before your adversaries do

Slide 37

Slide 37 text

Prescriptive Advice for Testing
• Simplify!!!
• Create a roadmap
• Standardize testing
• Follow a methodology!!!
• Metrics are actually important. Really.
• Tools.

Slide 40

Slide 40 text

Free SSH Security Tool – CryptoAuditor
Like SSL, SSH implementations often go bad. The tool highlights known vulnerabilities in the environment, basic stats on the SSH keys deployed, and specific violations of best current practices.
http://www.ssh.com/products/crypto-auditor (free upon registration)

Slide 41

Slide 41 text

sqlmap.py – Test for the dreaded SQLi
Use in conjunction with Burp or Zed Attack Proxy: capture the POST request to the web site via the proxy, copy the raw request to a text file, and hand that file to sqlmap with -r so it tests every parameter in it.
http://sqlmap.org/
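What sqlmap is probing for, as an added Python example that is not part of the deck or of sqlmap: a login query built by string concatenation, the same query parameterized (what the Query Parameterization cheat sheet prescribes), and the error-based probe a lone quote produces. The SQLite table and credentials are constructed for illustration.

```python
import sqlite3

# Constructed sample data (not from the page).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: attacker input is parsed as SQL syntax, not as data."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn, username, password):
    """Bound parameters: the statement is compiled first, values are supplied afterwards,
    so a quote or comment sequence in the input can never change the query's shape."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def trips_sql_error(conn, username, password="x"):
    """Error-based probe: a stray quote that breaks the statement is the first thing
    sqlmap tries; True means the input reached the SQL parser unescaped."""
    try:
        login_vulnerable(conn, username, password)
        return False
    except sqlite3.OperationalError:
        return True
```

The two classic payloads behave differently against the two functions: a password of ' OR '1'='1 turns the vulnerable query into (username = 'alice' AND password = '') OR '1'='1' and returns every row, and a username of alice'-- comments the password check away entirely; the parameterized version returns nothing for either, because the payload is compared as a literal string.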

Slide 45

Slide 45 text

Plug those JS Leaks – Leak Finder
Free Python-based tool (https://code.google.com/p/leak-finder-for-javascript/) that helps web application developers find memory leaks in their JavaScript programs. In garbage-collected languages such as JavaScript you cannot have traditional memory leaks by forgetting to free memory: when all references to an object are dropped, the object is garbage-collected and the memory is freed. However, JavaScript programs can still leak memory by unintentionally retaining references to objects. Example: the Closure JavaScript library.

Slide 47

Slide 47 text

Web Testing via Proxies: Fiddler Extension – Intruder21
Fiddler2 extension for fuzzing web apps (inspired by the Intruder feature in Burp Suite). Great tool for fuzzing and selecting automatic payloads (SQLi, XSS, etc.).
http://yamagata.int21h.jp/tool/BurplikeInspector/BurplikeInspector-ver0_02.zip

Slide 50

Slide 50 text

Test that Hash (Hash ID)
• Python-based hash identifier
• http://code.google.com/p/hash-identifier/

Slide 51

Slide 51 text

NiX – Brute Forcer (the beast)
• Parallel login brute-forcer
• Demonstrates the importance of choosing strong passwords
• Current features:
  – HTTP Basic auth & FORM support
  – HTTP/SOCKS 4 and 5 proxy support
  – FORM auto-detection & manual FORM input configuration
  – Multi-threaded
  – Integrated proxy randomization to defeat certain protection mechanisms (per-IP lockouts and rate limits)
  – Wordlist shuffling via macros
  – The vendor claims its coding and timeout settings make it outperform any other brute forcer
http://myproxylists.com/nix-brute-force

Slide 52

Slide 52 text

The Zed Attack Proxy
• Released September 2010
• Ease of use a priority
• Comprehensive help pages
• Free, open source
• Cross platform
• A fork of the well regarded Paros Proxy
• Involvement actively encouraged
• Adopted by OWASP October 2010

Slide 53

Slide 53 text

ZAP Overview
• ZAP is:
  – Easy to use (for a web app pentest tool ;)
  – Ideal for appsec newcomers
  – Ideal for training courses
  – Being used by professional pen testers
  – Easy to contribute to (and please do!)
  – Improving rapidly

Slide 54

Slide 54 text

Where is ZAP being used? United States, Japan, Spain, United Kingdom, Germany, China

Slide 55

Slide 55 text

The Main Features
All the essentials for web application testing:
• Intercepting proxy
• Active and passive scanners
• Spider
• Report generation
• Brute force (using OWASP DirBuster code)
• Fuzzing (using OWASP JBroFuzz code)

Slide 56

Slide 56 text

The Additional Features
• Auto tagging
• Port scanner
• Smart card support
• Session comparison
• Invoke external apps
• BeanShell integration
• API + headless mode
• Dynamic SSL certificates
• Anti-CSRF token handling

Slide 57

Slide 57 text

The Future
• Enhance scanners to detect more vulnerabilities
• Extend API, better integration
• Fuzzing analysis
• Easier to use, better help
• More localization (all offers gratefully received!)
• Parameter analysis?
• Technology detection?

Slide 59

Slide 59 text

ZAP Summary
• ZAP has:
  – An active development community
  – An international user base
  – The potential to reach people new to OWASP and appsec, especially developers and functional testers
• ZAP is a key OWASP project
• Security Tool of the Year 2013

Slide 60

Slide 60 text

A Word on Open Source Adoption
1. Define scope of adoption
   a. Driven by _ _ _ _ _ _ _ (impact, criticality, etc.)
   b. Use cases / abuse cases
   c. Architecture
2. Set up controlled adoption
3. Test, decompile, review
4. Become involved in dev forums

Slide 61

Slide 61 text

FROM CAPTAIN TO PIRATE Open Source Tools for more nefarious voyages in AppSec Testing

Slide 62

Slide 62 text

More Tools
• SET – Social Engineering Toolkit (http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET))
• BeEF – Browser Exploitation Framework (http://www.bindshell.net/tools/beef.html)
• Metasploit – http://www.metasploit.com/
• Kali – http://www.kali.org/
• Burp – http://portswigger.net/burp/
• Recon-ng – full featured web recon framework, text based and written in Python (https://bitbucket.org/LaNMaSteR53/recon-ng)
• Twitter? Yes, Twitter, 2nd to Google, is a hacker’s paradise

Slide 63

Slide 63 text

Closing Thoughts
• Leverage open source resources to INFLUENCE your security program development and management
• Do NOT make your security program free and open; keep it close to the vest
• Keeping abreast of security news is a must in an ever-changing threat landscape
• Tell management that security is a process, not a one-time mountain climb. Keeping executive support is the most important thing for the longevity of your security program.
• Diversify your security program.

Slide 64

Slide 64 text

To get more out of OWASP, start here: www.owasp.org
#FollowThenLead @t0nyuv @versprite @OWASPATL
Email: [email protected] [email protected]