Application Security on a Dime Open Technologies, Tools, and Techniques for Running an Blossoming InfoSec Program Great Wide Open – Atlanta, GA April 2014

Navigational Map Speaker Profile Security Challenges Intro to OWASP Security Voltron Concept Governance Development Security Testing More Nefarious Ideas Closing Remarks 2

Speaker Profile Cornell University graduate Beginnings commercial finance consulting Transitioned to IT across multiple roles (System Administration, Development, Network Engineering, Support Operations, Implementation) Worked for top global companies across multiple sectors (Healthcare, Finance, Information Services, Government, Telecommunications, Banking, Consumer Electronics, Hospitality (F&B, Hotel, Tourism), BPO, Shared Service Models) Founder, CEO at VerSprite, Inc.

SECURITY CHALLENGES How to get to saying…. ‘I GOT 99 PROBS BUT SECURITY AIN’T ONE’

or ‘I got 99 problems & their all security!’ Challenges in AppSec Isolated SDLC Efforts Anti-Security Culture Expanding heterogeneous tech stack Decentralizing management Security is not built into IT functions early on Targeted attacks Open intel on application components Sound Solutions Establish Governance Security Requirements & Resources Implementation of S- SDLC Use Security Frameworks Test and Test Early Track Defects 5

OWASP Open Web Application Security Project

No content

Intro to OWASP  Open Web Application Security Project  Community driven; 11 years old  Dedicated to openness of all content & materials  International community focused on AppSec  X-cultural, X-industry related challenges exposed and addressed.  Massively supportive and responsive.  Follow @OWASP (local to ATL? > @OWASPATL 8

Core Values (from www.owasp.org)  OPEN – radical transparency; from finances to our code.  INNOVATION - encourages innovation for solutions to software security challenges.  GLOBAL – truly a global community.  INTEGRITY - truthful, vendor neutral, global community. 9

1 0

1 1

Security Voltron (n) (Latin) Legit security program formed by a collection of individual security components;

GOVERNANCE Without governance, your security program will sink.

Policies, Standards, Guidelines Policies govern people’s actions Standards govern technology Guidelines provide best practices What/ Where to start? Benefits Reproducible Standardized 14

Governing Secure Code Development Standardize security in software development Bookmark OWASP.org Cheat Sheets 15

16 OWASP ASVS - Security Assurance Methodology The OWASP Application Security Verification Standard (ASVS) defines a standard for conducting app sec verifications. Covers automated and manual approaches for external testing and code review techniques Recently created and already adopted by several companies and government agencies Benefits Standardizes the coverage and level of rigor used to perform app sec assessments Allows for better comparisons http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project

17 OWASP Top Ten The OWASP Top Ten represents a broad consensus of what the most critical web application security flaws are. Adopted by the Payment Card Industry (PCI) Recommended as a best practice by many government and industry entities Benefits Powerful awareness document for web application security Great starting point and reference for developers http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

18 OWASP Developer Guide https://github.co m/OWASP/DevG uide

19 OWASP Developer Cheat Sheets Clickjacking Defense Cheat Sheet C-Based Toolchain Hardening Cheat Sheet Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet Cryptographic Storage Cheat Sheet DOM based XSS Prevention Cheat Sheet Forgot Password Cheat Sheet HTML5 Security Cheat Sheet Input Validation Cheat Sheet JAAS Cheat Sheet Logging Cheat Sheet .NET Security Cheat Sheet OWASP Top Ten Cheat Sheet Password Storage Cheat Sheet Pinning Cheat Sheet Query Parameterization Cheat Sheet Ruby on Rails Cheat sheet REST Security Cheat Sheet Session Management Cheat Sheet SQL Injection Prevention Cheat Sheet Transport Layer Protection Cheat Sheet Unvalidated Redirects and Forwards Cheat Sheet User Privacy Protection Cheat Sheet Web Service Security Cheat Sheet XSS (Cross Site Scripting) Prevention Cheat Sheet Attack Surface Analysis Cheat Sheet XSS Filter Evasion Cheat Sheet REST Assessment Cheat Sheet IOS Developer Cheat Sheet Mobile Jailbreaking Cheat Sheet OpSec Cheat Sheets (Defender) Virtual Patching Cheat Sheet

20 OWASP Open SAMM The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. Benefits Evaluate your organization's existing software security practices Build a balanced software security program in well- defined iterations. Demonstrating concrete improvements http://www.owasp.org/index.php/Category:OWASP_Software_Assurance_Maturity_Model_Project

2 1

22 Wide Scope Covered by OpenSAMM Supports a Security Plan or Roadmap Establish governance Perform against assessments Test and Report Enhance Security Operations Building a S-SDLC Initiative Measures success/ shortcomings Provides metrics for reporting http://www.owasp.org/index.php/Category:OWASP_Software_Assurance_Maturity_Model_Project

23

24 OWASP.org is a valuable resource for any company involved with online payment card transactions. Dell uses OWASP’s Software Assurance Maturity Model (OpenSAMM) to help focus our resources and determine which components of our secure application development program to prioritize. Participation in OWASP’s local chapter meetings and conferences around the globe helps us build stronger networks with our colleagues. , (Michael J. Craigue, Information Security & Compliance, Dell, Inc.)

S-SDLC Building Security In Software Development

26 S-SDLC/ Building Security-In

OWASP Developer References Educate OWASP WebGoat • Exercise successful implementation of OWAPSP Countermeasures OWASP Top Ten • Ranks top web app related risks • Serves as a good scope for initial testing Develop OWASP Code Review •Methodology for Source Code Reviews OWASP Development Guide •Establishes a process for secure development efforts across various SDLCs OWASP Cheat Sheet Series OWASP Countermeasures • OWASP CSRFGuard • OWASP Anti-Samy Test OWASP Zed Attack Proxy • Test against OWASP Top Ten • Use in conformance to Testing Guide OWASP YASCA • Leverages FindBugs, PMD, JLint, JavaScript Lint, PHPLint, Cppcheck, ClamAV, RATS, and Pixy to scan

28 OWASP Developer Guide https://github.co m/OWASP/DevG uide

29 OWASP Cheat Sheet Snippet Insecure Direct object references It may seem obvious, but if you had a bank account REST web service, you have to make sure there is adequate checking of primary and foreign keys: https://example.com/account/325365436/transfer?amou nt=$100.00&toAccount=473846376 In this case, it would be possible to transfer money from any account to any other account, which is clearly insane. Not even a random token makes this safe. https://example.com/invoice/2362365 In this case, it would be possible to get a copy of all invoices. Please make sure you understand how to protect against insecure direct object references in the OWASP Top 10 2010. Java Regex Usage Example Example validating the parameter “zip” using a regular expression. private static final Pattern zipPattern = Pattern.compile("^\d{5}(-\d{4})?$"); public void doPost( HttpServletRequest request, HttpServletResponse response) { try { String zipCode = request.getParameter( "zip" ); if ( !zipPattern.matcher( zipCode ).matches() { throw new YourValidationException( "Improper zipcode format." ); } .. do what you want here, after its been validated .. } catch(YourValidationException e ) { response.sendError( response.SC_BAD_REQUEST, e.getMessage() ); } }

OWASP XSS Cheat Sheet

DHTML 5 Cheat Sheet Sample

32 OWASP AntiSamy OWASP AntiSamy is an API for ensuring user-supplied HTML/CSS is compliant within the applications rules. API plus implementations Java, .Net, Coldfusion, PHP (HTMLPurifier) Benefits It helps you ensure that clients don't supply malicious code into your application A safer way to allow for rich content from an application's users http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project

33 OWASP CSRFGuard OWASP CSRFGuard utilizes request tokens to address Cross-Site Request Forgery. CSRF is an attack where the victim is tricked into interacting with a website where they are already authenticated. Java, .Net and PHP implementations CSRF is considered the app sec sleeping giant Benefits Provides code to generate unique request tokens to mitigate CSRF risks http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project

34 OWASP ESAPI OWASP Enterprise Security API (ESAPI) is a free and open collection of all the security methods that a developer needs to build a secure web application. API is fully documented and online Implementations in multiple languages Benefits Provides a great reference Implementation can be adapted/used directly Provides a benchmark to measure frameworks http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

SECURITY TESTING Testing insecurities before your adversaries do

36

37 Prescriptive Advice for Testing Simplify!!! Create Roadmap Standardize Testing Follow a Methodology!!! Metrics are actually important. Really. Tools.

No content

No content

40 Free SSH Security Tool - CryptoAuditor Like SSL, SSH implementation goes bad often sometimes. Tool highlights known vulnerabilities in the environment, Basic stats on SSH keys deployed Specific violations of best current practices. http://www.ssh.com/products/crypto-auditor (Free upon fake registration)

41 Sqlmap.py – Test for the dreaded SQLi Use in conjunction with Burp or Zed Attack Proxy. Capture POST request to web site via proxy Copy POST requests to text file http://sqlmap.org/

42

43

44 Free SSH Security Tool - CryptoAuditor Like SSL, SSH implementation goes bad often sometimes. Tool highlights known vulnerabilities in the environment, Basic stats on SSH keys deployed Specific violations of best current practices.

45 Plug those JS Leaks – Leak Finder Free python based tool (https://code.google.com/p/leak- finder-for-javascript/) helps web application developers find memory leaks in their JavaScript programs. In garbage-collected languages, such as JavaScript, you cannot have traditional memory leaks by forgetting to free memory: when all references to an object are dropped, the object is garbage-collected and the memory is freed However, JavaScript programs can leak memory by unintentionally retaining references to objects. EX: JavaScript library Closure

No content

47 Web Testing via Proxies Web Fiddler Extension – Intruder21 Fiddler2 Extension for fuzzing web apps (inspired by Burp Intruder feature in BurpSuite) Great tool for fuzzing, selecting automatic payloads (SQLi, XSS, etc) http://yamagata.int21h.jp/tool/BurplikeInspector/BurplikeI nspector-ver0_02.zip

48 Web Fiddler Extension – Intruder21

49 Web Fiddler Extension – Intruder21

50 Test that Hash (Hash ID)  Python based hash validator http://code.go ogle.com/p/h ash-identifier/

51 NiX – Brute Forcer (the beast)  Parallel login brute-forcer  Demonstrate the importance of choosing strong passwords  Current features: Basic Authorization & FORM support HTTP/SOCKS 4 and 5 proxy support FORM auto-detection & Manual FORM input configuration. It is multi-threaded Integrated proxy randomization to defeat certain protection mechanisms Wordlist shuffling via macros Advanced coding and timeout settings makes it outperform any other brute forcer http://myproxylists.com/nix-brute-force

5 The Zed Attack Proxy • Released September 2010 • Ease of use a priority • Comprehensive help pages • Free, Open source • Cross platform • A fork of the well regarded Paros Proxy • Involvement actively encouraged • Adopted by OWASP October 2010

ZAP Overview • ZAP is: Easy to use (for a web app pentest tool;) Ideal for appsec newcomers Ideal for training courses Being used by Professional Pen Testers Easy to contribute to (and please do!) Improving rapidly 5

Where is ZAP being used? United States Japan Spain United Kingdom Germany China 5

5 The Main Features All the essentials for web application testing • Intercepting Proxy • Active and Passive Scanners • Spider • Report Generation • Brute Force (using OWASP DirBuster code) • Fuzzing (using OWASP JBroFuzz code)

5 The Additional Features Auto tagging Port scanner Smart card support Session comparison Invoke external apps BeanShell integration API + Headless mode Dynamic SSL Certificates Anti CSRF token handling

5 The Future • Enhance scanners to detect more vulnerabilities • Extend API, better integration • Fuzzing analysis • Easier to use, better help • More localization (all offers gratefully received!) • Parameter analysis? • Technology detection?

No content

ZAP Summary • ZAP has: An active development community An international user base The potential to reach people new to OWASP and appsec, especially developers and functional testers • ZAP is a key OWASP project • Security Tool of the Year 2013 5

A Word on OpenSource Adoption 1. Define scope of adoption 1. Driven by _ _ _ _ _ _ _ (impact, criticality, etc.) 2. Use cases/ Abuse cases 3. Architecture 2. Set up controlled adoption 3. Test, decompile, review 4. Become involved in dev forums 6

FROM CAPTAIN TO PIRATE Open Source Tools for more nefarious voyages in AppSec Testing

More Tools • SET – Social Engineering Toolkit (http://www.social-engineer.org/framework/Computer_Based_ Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET)) • BeEF – Browser Exploitation Framework (http://www.bindshell.net/tools/beef.html) • Metasploit – http://www.metasploit.com/ • Kali - http://www.kali.org/ • Burp - http://portswigger.net/burp/ • Recon-ng – full featured web recon framework tool that is text based and written in Python https://bitbucket.org/LaNMaSteR53/recon-ng • Twitter? Yes, Twitter, 2nd to Google, is hacker’s paradise

Closing Thoughts • Leverage Open Source sources to INFLUENCE your security program development/ management • Do NOT make your security program free and open, keep it close to the vest • Keep abreast of security news is a must – ever changing threat landscape • Need to tell management that security is a process, not a one time mountain climb. Keeping executive support of security is the most important thing for longevity of your security program. • Diversify your security program.

To Get More Out of OWASP, start here> www.owasp.org #FollowThenLead @t0nyuv @versprite @OWASPATL Email: tonyuv@versprite.com tonyuv@owasp.org 64