
Security Testing & The Depth Behind OWASP Top 10

Image: Hubble Telescope: the Cat's Eye Nebula

Yaniv Simsolo, CISSP

OWASP Top 10 2013

OWASP Top 10 2013 has evolved:
2013-A1 Injection
2013-A2 Broken Authentication and Session Management
2013-A3 Cross-Site Scripting (XSS)
2013-A4 Insecure Direct Object References
2013-A5 Security Misconfiguration
2013-A6 Sensitive Data Exposure
2013-A7 Missing Function Level Access Control
2013-A8 Cross-Site Request Forgery (CSRF)
2013-A9 Using Known Vulnerable Components (NEW)
2013-A10 Unvalidated Redirects and Forwards

OWASP Top 10 2013

OWASP Top 10 2013 resources:
https://www.owasp.org/index.php/Top_10_2013-Top_10
OWASP Top 10 2013 presentation by Dave Wichers, on the OWASP web site

Mapping Top 10: From 2010 to 2013

Source: OWASP Top 10 2013 presentation by Dave Wichers

Assumptions
In Information Security several Top 10 lists exist
OWASP Top 10 is dominant
Top 3: we all know about XSSs, Injections, CSRFs etc.
Most organizations are well aware of these issues

Assumptions
OK. What now?
Top 6 = (Top 3) + (we test what we can):
Broken authentication and session management
Unvalidated redirects and forwards
Insecure direct object references
Most organizations are aware of these issues
OK, what now?

What did we miss?
Security misconfiguration (A5)
Missing function level access control (A7)
Using known vulnerable components (A9)
A6 Sensitive data exposure now includes a merge of:
Insufficient transport layer protection (2010-A9)
Insecure cryptographic storage (2010-A7)

What did we miss?
Security misconfiguration (A5):
(almost) not a Web Application issue but an Application/system issue
Missing function level access control (A7):
partly Web Application, partly Application/system
Using known vulnerable components (A9):
(almost) not a Web Application issue but an Application/system issue

What did we miss?
A6 Sensitive data exposure now includes a merge of:
Insufficient transport layer protection (2010-A9)
Insecure cryptographic storage (2010-A7)
Is this just Web Application?
Is the problem more severe once we look below the Web Layer?

What did we miss?
Example:
Security misconfiguration (A5) + Using known vulnerable components (A9) = the perimeter is not working

The Problem

Over complexity
Too much data
Endless attack possibilities
Too many security solutions, vendors, products
No homogeneous approach

The Attack Vectors

Any system
Any infrastructure
Any communication
Any language
Any architecture
Any component
Any information, any data
Any physical layer
Any logical layer
Any storage device / facility
Any (communication) channel
Any interface
Any encryption
Any environment
Any site (including DR)
Any transaction
Any log and audit trail
Any archive
Any process (operations, ongoing, development)

The Attack Types

Against any of the attack vectors above (any system, infrastructure, communication, language, architecture, component, information or data, physical layer, logical layer, storage device / facility, (communication) channel, interface, encryption, environment, site including DR, transaction, log and audit trail, archive, process):
Takeover
Data theft
Data tampering
System integrity disruption
Business logic manipulation
Eavesdropping
Backdoors built in by design
Backdoor creation by attackers
Unintentional attacks
Intentional attacks by authorized entities
Attacks by non-human entities
Denial of Service
De facto Denial of Service
Authorization bypass
Access bypass
Smuggling, splitting and evasion-type attacks

The Problem
Even the simplified security areas present a demanding challenge. For example, XSS:
Very difficult to detect all variants in modern systems
Almost impossible to retain a high security level once achieved

Common Solutions
Superficial security tests.
Many good reasons:

Budget
Time constraints
Lack of understanding
Over complexity

Common Solutions
Impacts of superficial security tests in the long run?
Partial to no security
Poor security practices
These organizations affect the security market, pulling it downwards!
Loss or partial loss of integrity of security professionals
Worse still: a false sense of security

Where Did That Get Us?

Ludicrous security warnings:
January 2013: Department of Homeland Security: do not use Java. Remove the JRE.
April 2014: Department of Homeland Security: versions 6 through 11 of IE are not to be used.
April 2014: OpenSSL is insecure

Where Did That Get Us?

Poor security in design and architecture
(Almost) no security in Agile/Continuous Delivery developed code

Modern Systems
Common pitfall: "modern systems are more secure". ???

Where Did That Get Us?

Challenging security presentations:
In-Depth Security is dead (RSA Conference 2011)
Security is dead (Rugged coding, RSA Conference 2012)

Ignorance is bliss.

Security Testing


How to Test?
This is messy. VERY messy.
There are shortcuts.

How to Test?
Actually most of it is quite easy to test.
Go back to theory.
Forget about the payloads.

The Common Fallback Option

Test the GUI
Black Box testing methodology
Exclude the difficult stuff from scope
This is a good solution: it fits organizations and security professionals

The Common Fallback Option

"The greatest enemy of knowledge is not ignorance, it is the illusion of knowledge." (Stephen Hawking)
Testing just the GUI = illusion of knowledge
Testing just the FE = illusion of security
Increasingly often we are requested to test much less than the actual scope.

How to test?
"Supreme excellence consists in breaking the enemy's resistance without fighting." (Sun Tzu)
Common Mobile WCF architecture:
Where is the presentation layer?
Which entities are granted access to business logic?

How to test?
OWASP top 10 mobile:

Source: OWASP Top 10 Mobile project

The Oracle Exadata Example

Oracle Exadata simplified:
Data Warehouse platform
Consolidation/Grid platform
Storage platform

Exadata security best practices consist of:
The regular stuff
Database standard security
Data Warehouse specialized security
Consolidation/Grid specialized security

The Oracle Exadata Example

Oracle Exadata (as a database platform) security testing benchmark:
Organization A tested:
The databases
The environments
The Data Warehouse specialized security
The Exadata itself

Organization B tested:
Just some deployed databases
Partial security testing for each database
Worse still: Exadata not to be tested, as a policy

Who said: 2013-A5 Security Misconfiguration?

Testing A5, A7, A9

"If you know the enemy and know yourself, you need not fear the result of a hundred battles." (Sun Tzu)
Do we really know ourselves?
Where are A5, A7 and A9 implemented?
Not testing the BE = illusion of knowing
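The back-end point above, as an added example in Python (written for this page; it is not code from the presentation): a front end that hides the "export users" function from ordinary users is not a control, because the back end is what decides. `vulnerable_backend` authenticates the session but never checks the role, so a direct request to the hidden route (the step a GUI-only test never takes) succeeds for any logged-in user. `hardened_backend` enforces a server-side function-level ACL (2013-A7) and ignores the client-supplied role header. The session store, routes and the X-Role header are constructed for the illustration.

```python
"""2013-A7 Missing Function Level Access Control: why GUI-only testing misses it.

Added example, not from the original slides. Session store, routes and
header names are constructed for the illustration.
"""
from dataclasses import dataclass

# Constructed server-side session store: session id -> (user, role).
SESSIONS = {
    "sid-admin-1": ("alice", "admin"),
    "sid-user-7": ("bob", "user"),
}

# The server's source of truth: which role may invoke which function.
FUNCTION_ACL = {
    "/api/profile": {"user", "admin"},
    "/api/admin/export-users": {"admin"},
}


@dataclass
class Request:
    path: str
    session_id: str
    headers: dict


def _handle(path: str, user: str) -> dict:
    """Business logic, reached only after the access decision."""
    if path == "/api/profile":
        return {"status": 200, "body": f"profile of {user}"}
    if path == "/api/admin/export-users":
        return {"status": 200, "body": "all users exported"}
    return {"status": 404, "body": "not found"}


def vulnerable_backend(req: Request) -> dict:
    """Authenticates the session but never checks the role. The only
    'control' is the admin menu the UI hides, so any authenticated user
    who knows or guesses the route gets the admin function."""
    if req.session_id not in SESSIONS:
        return {"status": 401, "body": "login required"}
    user, _role = SESSIONS[req.session_id]
    return _handle(req.path, user)


def hardened_backend(req: Request) -> dict:
    """Authenticates, then enforces the function-level ACL using the
    server-side role. Anything the client claims (X-Role) is ignored."""
    if req.session_id not in SESSIONS:
        return {"status": 401, "body": "login required"}
    user, role = SESSIONS[req.session_id]
    allowed = FUNCTION_ACL.get(req.path)
    if allowed is None:
        return {"status": 404, "body": "not found"}
    if role not in allowed:
        return {"status": 403, "body": "forbidden"}
    return _handle(req.path, user)


def forced_browse(backend, session_id: str, path: str) -> int:
    """The tester's step a GUI-only test never performs: call the hidden
    route directly with a low-privilege session and a forged role header.
    Returns the HTTP-style status the back end answers with."""
    req = Request(path=path, session_id=session_id, headers={"X-Role": "admin"})
    return backend(req)["status"]


if __name__ == "__main__":
    for name, backend in (("vulnerable", vulnerable_backend), ("hardened", hardened_backend)):
        status = forced_browse(backend, "sid-user-7", "/api/admin/export-users")
        print(f"{name}: ordinary user forced-browses the admin export -> {status}")
```

Against the vulnerable back end the forced browse by the ordinary user returns 200; against the hardened one it returns 403, which is the evidence a tester collects by going past the GUI to the BE.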

The Windows XP Example

Organization C defines and enforces strict development and deployment security standards towards all its suppliers/customers.
Over 60 pages of procedures and instructions.
Insisting on supporting Windows XP based systems.
Who said: 2013-A9 Using Known Vulnerable Components?

2013-A9 Using Known Vulnerable Components

A vendor offers DBaaS
Excellent: beat the market offering *aaS something...

How can the organization trust the security of the DBaaS?
Will separation be enforced?
Will compartmentalization be enforced?

Did we really test, and can we trust, the Cloud on which the DBaaS is based?

Declarative Security
What?
One of the foundations of modern languages' run-time security.
Mostly ignored or bypassed.
Who said: Security misconfiguration (A5), Missing function level access control (A7)?

Declarative Security
"Deployment descriptors must provide certain structural information for each component if this information has not been provided in annotations or is not to be defaulted." (Oracle docs)

Declarative Security
"Engage people with what they expect; it is what they are able to discern and confirms their projections. It settles them into predictable patterns of response, occupying their minds while you wait for the extraordinary moment, that which they cannot anticipate." (Sun Tzu)
Lacking or weak declarative security: once code access is achieved, the extraordinary becomes feasible.

Declarative Security
Poor design due to no design.
Cancelling or ignoring declarative security revokes the language's security fundamentals.
Common real-life deployment descriptors:

// Do what you will. Totally permissive policy file.
grant {
    permission java.security.AllPermission;
};

Killing my own code!
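The policy above grants java.security.AllPermission to every class the JVM loads, which switches the sandbox off entirely. As an added example (Python, written for this page; not the presenter's code and not an Oracle tool), a small checker that parses java.policy-style text and flags grant blocks that hand out AllPermission, FilePermission on <<ALL FILES>>, or the RuntimePermissions (createClassLoader, setSecurityManager) that let code step outside the policy, and reports whether the block is scoped by a codeBase/signedBy qualifier or applies to all code. The two sample policies are constructed: the permissive one is the slide's, the scoped one shows what a least-privilege descriptor for a hypothetical application installed under /opt/app/lib would look like.

```python
"""Audit a Java security policy file for over-permissive grants.

Added example (not from the original slides). Parses 'grant' blocks from
java.policy-style text and flags the entries that disable or bypass the
sandbox. Sample policies below are constructed for the illustration.
"""
import re
from dataclasses import dataclass, field

# One grant block: 'grant' + optional qualifiers (codeBase/signedBy/principal)
# up to '{', then the permission entries up to '};'.
_GRANT_RE = re.compile(r"grant\b([^{]*)\{(.*?)\};", re.DOTALL)
# One permission entry: class name, optional quoted target, optional quoted actions.
_PERM_RE = re.compile(r'permission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?\s*;')

# RuntimePermission targets that let code escape whatever the policy says.
_ESCAPE_HATCHES = {"createClassLoader", "setSecurityManager"}


@dataclass
class Grant:
    qualifiers: str
    permissions: list = field(default_factory=list)  # (class, target, actions)

    @property
    def is_global(self) -> bool:
        # No codeBase / signedBy / principal qualifier: applies to ALL code.
        return self.qualifiers.strip() == ""


def parse_policy(text: str) -> list:
    """Return the grant blocks found in policy text, comments stripped."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    text = re.sub(r"//[^\n]*", "", text)
    grants = []
    for qualifiers, body in _GRANT_RE.findall(text):
        g = Grant(qualifiers=qualifiers)
        for cls, target, actions in _PERM_RE.findall(body):
            g.permissions.append((cls, target or None, actions or None))
        grants.append(g)
    return grants


def audit_policy(text: str) -> list:
    """Return one finding string per dangerous permission entry."""
    findings = []
    for n, g in enumerate(parse_policy(text), 1):
        scope = "ALL code (no codeBase/signedBy)" if g.is_global else g.qualifiers.strip()
        for cls, target, actions in g.permissions:
            if cls == "java.security.AllPermission":
                findings.append(f"grant #{n}: AllPermission to {scope}: sandbox disabled")
            elif cls == "java.io.FilePermission" and target == "<<ALL FILES>>":
                findings.append(f"grant #{n}: FilePermission <<ALL FILES>> ({actions}) to {scope}")
            elif cls == "java.lang.RuntimePermission" and target in _ESCAPE_HATCHES:
                findings.append(f"grant #{n}: RuntimePermission {target} to {scope}: policy can be bypassed")
    return findings


# The slide's descriptor: every class, every permission.
PERMISSIVE_POLICY = """\
// Do what you will. Totally permissive policy file.
grant {
    permission java.security.AllPermission;
};
"""

# Constructed least-privilege descriptor for a hypothetical application.
SCOPED_POLICY = """\
// Only code loaded from the application's own jars, only what it needs.
grant codeBase "file:/opt/app/lib/-" {
    permission java.io.FilePermission "/var/app/data/-", "read,write";
    permission java.net.SocketPermission "db.internal:1521", "connect,resolve";
    permission java.util.PropertyPermission "app.*", "read";
};
"""

if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{name}: {audit_policy(policy) or ['no findings']}")
```

The same check belongs in the test scope for every deployed descriptor, not just the web.xml of the front end: a scoped grant that names a codeBase and lists only the resources the application uses is what declarative security is for; a bare `grant { AllPermission }` is the misconfiguration the slide is talking about.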

Reverse Engineering (A5, A6, A9)
What for?
Why for Mobile security testing ONLY?
From Wikipedia:
"Reverse engineering is the process of discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation."

Testing A2, A5, A6

2013-A6 Sensitive data exposure
2013-A5 Security misconfiguration
2013-A2 Broken authentication
Too much use of third singulars
The actual minute details of the tested object dissolve

2013-A5 Security Misconfiguration
There is no external access!
The intended users will only perform intended actions
Virtualization
Separation

2013-A5 Security Misconfiguration

How do organizations secure legacy unsecured systems?
Install terminals (e.g. Citrix) as the presentation layer / access control layer.
Challenge: manage multiple users across multiple systems.
Result: the terminals are partially secure.
Too many terminals to manage over long periods
Some insecure
The insecure terminals are the attacker entry points.

Critical Thinking

Any attack vector (system, infrastructure, communication, language, architecture, component, information or data, physical layer, logical layer, storage device / facility, (communication) channel, interface, encryption, environment, site including DR, transaction, log and audit trail, archive, process: operations, ongoing, development)
x any attack type (takeover, data theft, data tampering, system integrity disruption, business logic manipulation, eavesdropping, backdoors built in by design, backdoor creation by attackers, unintentional attacks, intentional attacks by authorized entities, attacks by non-human entities, Denial of Service, de facto Denial of Service, authorization bypass, access bypass, smuggling, splitting and evasion-type attacks)

Critical Thinking
Critical thinking is the ability to think clearly and rationally. This requires reflective and independent thinking. (Philosophy field)
For organizations, security is too difficult: over complexity, too much to orchestrate, etc.
Increasingly often we are requested to test much less than the actual scope.
Some organizations will not be educated.
Push the industry back up with those organizations that can be educated.

Critical Thinking
For the security professionals, security is a challenge. Hence, always employ critical thinking and review the process of testing itself.
Flexibility under varying technologies
Use automated testing tools to the max AND always be aware of their limitations
Scoping accurately is mandatory

Questions?

Yaniv Simsolo, CISSP
