Security
ISM 6124
JOE PARTLOW
JONATHAN ECHAVARRIA
Who are we?
Static Application Security Testing (SAST) - Static analysis is software analysis performed
without actually executing, or running, the software.
Analysis of source code
Analysis of bytecode for managed languages (Java, C#)
Analysis of raw binaries of compiled applications (C/C++)
Dynamic Application Security Testing (DAST) - Dynamic analysis is the testing and
evaluation of a program by executing it with test data and observing its behavior in real time.
Input/output validation: (Cross-Site Scripting, SQL Injection, etc.)
Specific application problems
Server configuration mistakes/errors
Whitebox (code review) & Blackbox
S-SDLC Prerequisites
http://www.swsec.com/resources/touchpoints/
S-SDLC Methodologies – Cont.
CMMI Development
(Evolved from the SEI Team Software Process)
https://cmmiinstitute.com/cmmi/dev
S-SDLC Methodologies – Cont.
https://www.bsimm.com
S-SDLC Methodologies – Cont.
https://www.microsoft.com/en-us/SDL
S-SDLC Methodologies – Cont.
https://www.owasp.org/index.php/OWASP_SAMM_Project
Agile S-SDLC in Practice
SQL injection
Cross site scripting
Insecure cryptographic storage/use
Vulnerable third party components
Sensitive data exposure
Insecure/Incorrect authentication & session management
Plaintext/hardcoded credentials
Finding Application Vulnerabilities
User Access
Commonly a web form with application users in a DB
Internal apps mostly use LDAP (Active Directory)
Authentication
Watch for weak controls, weak methods or non-centralized user management.
Make sure credentials travel over a secure channel so they can't be intercepted (e.g. cleartext FTP)
Don't use easy-to-guess default credentials
Use Captchas and maximum tries to avoid brute forcing
Session Mgmt – Handles variables and tokens server side and tracks the user's interaction
Should be set to time out after a reasonable period (e.g. banking apps, shopping carts)
Don't use predictable user IDs or tokens
Access Control – could be for DB tables or admin-protected areas of the site
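The authentication and session controls listed above (lockout after a maximum number of tries, unpredictable tokens, idle timeout), written up as an added example; this is illustrative code, not from the course slides, and the policy values MAX_TRIES, LOCKOUT_SECONDS and SESSION_TIMEOUT are assumed.

```python
import hashlib
import hmac
import secrets
import time

MAX_TRIES = 5           # failed logins before lockout (assumed policy)
LOCKOUT_SECONDS = 900   # lockout length once MAX_TRIES is reached (assumed)
SESSION_TIMEOUT = 600   # idle seconds before a session is dropped (assumed)


def store_user(password):
    # Salted PBKDF2 hash; the plaintext credential is never stored
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    def __init__(self, users, clock=time.time):
        self.users = users          # {username: (salt, hash)} from store_user()
        self.clock = clock          # injectable clock so timeouts are testable
        self.failures = {}          # username -> (count, time of first failure)
        self.sessions = {}          # opaque token -> [username, last_seen]

    def login(self, user, password):
        now = self.clock()
        count, since = self.failures.get(user, (0, now))
        if count >= MAX_TRIES:
            if now - since < LOCKOUT_SECONDS:
                return None         # still locked out: brute forcing is throttled
            count, since = 0, now   # lockout expired, start a fresh window
        rec = self.users.get(user)
        ok = rec is not None and hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", password.encode(), rec[0], 100_000), rec[1])
        if not ok:
            self.failures[user] = (count + 1, since)
            return None
        self.failures.pop(user, None)
        token = secrets.token_urlsafe(32)   # random token: not a user id or counter
        self.sessions[token] = [user, now]
        return token

    def validate(self, token):
        # Return the username for a live session, or None if expired or unknown
        sess = self.sessions.get(token)
        if sess is None:
            return None
        now = self.clock()
        if now - sess[1] > SESSION_TIMEOUT:
            del self.sessions[token]        # idle timeout reached, as a banking app would
            return None
        sess[1] = now
        return sess[0]
```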
Attacking & Defending
User Input
Many built-in validation controls are available (type, length, special characters)
Don't rely on client-side validation alone
Client-side controls can be proxied and modified
Sanitize and mask sensitive data in form fields, sessions and cookies (e.g. credit cards, SSNs)
A Web Application Firewall (WAF) is a good technology to catch many of these bad
requests, but it should also be used to report back to developers so they can fix the
root cause.
Attacking & Defending
Databases
Use stored procedures or parameterized queries versus in-line SQL against injection (not
foolproof but raises the bar)
Database Activity Monitoring (DAM) technologies perform many checks on the database
(similar to what a WAF does for the front end)
Looks for large result sets returned, select *, etc.
Again, a good front-line defense, but DBAs need to correct the findings
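An added example covering both the User Input and Databases slides: the in-line SQL the slides warn against beside its parameterized form, a server-side username check that does not trust the browser, and a toy DAM rule for "select *" and oversized results. This is illustrative code, not from the course; the table, the username policy and the result-size threshold are constructed.

```python
import re
import sqlite3

# Constructed in-memory table standing in for the application's user DB
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                 [(1, "alice", "user"), (2, "bob", "user"), (3, "admin", "admin")])

# Assumed policy: type, length and character set, enforced on the server
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")


def validate_username(value):
    # Server-side check: the browser's own checks may have been proxied away
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def lookup_inline(username):
    # Vulnerable: string-built SQL, the pattern the slide warns against
    sql = "SELECT id, username, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(username):
    # Hardened: reject bad input first, then let the driver bind the value,
    # so user data can never change the shape of the query
    if not validate_username(username):
        return []
    sql = "SELECT id, username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def dam_flags(sql, rows, max_rows=100):
    # Toy Database Activity Monitoring rule: flag 'select *' and large result sets
    flags = []
    if re.search(r"\bselect\s+\*", sql, re.IGNORECASE):
        flags.append("select-star")
    if len(rows) > max_rows:
        flags.append("large-result")
    return flags
```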
Information Disclosure
Hide detailed error messages behind a generic error page
Try not to put connection strings or query details in debug output, just in case (e.g. old .inc files)
Database alerts as well (e.g. an admin user inserted directly into the database, which regular
audit logs wouldn't catch)
Exploitation Demos
redirection.elf
A demonstration of exploiting a simple buffer overflow vulnerability to reach a
normally unreachable function within an application
keygen.elf
A demonstration of analyzing a key authentication algorithm and exploiting it to
bypass the check
Web application demos
Various attacks commonly done against a web application
Monitoring Applications
Application logging and monitoring is the most commonly missed log source
being ingested into SIEM/logging tools, but certainly one of the most
important, since applications often are the "crown jewels"
Most of the issues we see in production environments fall into one of the following
categories, each with its own challenges:
Configuration or procedure errors
Actual insecure coding practices
Monitoring Use Cases
There are many hindrances to getting visibility into applications and effective
monitoring outside of actual code practices:
Lack of complete inventory of applications in use
Undocumented third party components
Unidentified service accounts in use (also overly permissive or reused)
Third party/outsourced development teams
Insufficient testing time/resources
Codebase Difficulties
There are also many hindrances in the codebase itself that affect monitoring:
Lack of consistent logging across platforms or within same-application components
No common logging architecture (log4j, log4net, nlog, serilog, etc.)
Excessive debug messages
Inconsistent log message formats that cause parsing issues (multiline, improper XML, etc.)
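An added example (not from the course material) of the parsing problem the last two bullets describe: one application whose components log in different formats, including a multiline stack trace, normalized into one record per event before SIEM ingestion, with debug noise dropped. The sample log text and the two formats are constructed.

```python
import json
import re

# Constructed sample: two components of one application, each logging differently
RAW_LOG = """\
2024-03-01 10:15:02,113 ERROR [OrderService] Payment failed for order 8812
java.lang.IllegalStateException: gateway timeout
\tat com.example.pay.Gateway.charge(Gateway.java:88)
\tat com.example.order.OrderService.pay(OrderService.java:141)
{"time":"2024-03-01T10:15:02.500","lvl":"WARN","src":"Inventory","msg":"stock check slow: 2100ms"}
2024-03-01 10:15:03,001 DEBUG [OrderService] cache hit for sku 5512
"""

# log4j-style layout assumed for the first component
LOG4J_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+) "
    r"\[(?P<component>[^\]]+)\] (?P<message>.*)$")


def unparsed(line):
    # Keep unknown lines rather than silently losing them, but mark them
    return {"ts": None, "level": "UNPARSED", "component": None, "message": line}


def normalize(raw, drop_debug=True):
    # Turn mixed-format, multiline log text into one record per event
    events = []
    for line in raw.splitlines():
        m = LOG4J_RE.match(line)
        if m:
            ts = m["ts"].replace(" ", "T").replace(",", ".")   # same shape as the JSON lines
            events.append({"ts": ts, "level": m["level"],
                           "component": m["component"], "message": m["message"]})
        elif line.startswith("{"):
            try:
                j = json.loads(line)
                events.append({"ts": j.get("time"), "level": j.get("lvl"),
                               "component": j.get("src"), "message": j.get("msg")})
            except json.JSONDecodeError:
                events.append(unparsed(line))
        elif events:
            # Continuation line (stack trace): attach it to the previous event instead
            # of letting it become a separate, unparseable record in the SIEM
            events[-1]["message"] += "\n" + line
        else:
            events.append(unparsed(line))
    if drop_debug:
        events = [e for e in events if e["level"] != "DEBUG"]
    return events
```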
Additional Resources
Many of these companies also have very good whitepapers or blogs around application security:
Veracode - https://www.veracode.com
Whitehat Security - https://www.whitehatsec.com
Burp Suite - https://portswigger.net
IBM - https://www.ibm.com/security/application-security/appscan
Microfocus - https://software.microfocus.com/en-us/solutions/application-security
Rapid7 - https://www.rapid7.com/products/InsightAppSec
IDA - https://www.hex-rays.com/index.shtml
Checkmarx - https://www.checkmarx.com
Qualys - https://www.qualys.com/solutions/web-app/
Acunetix - https://www.acunetix.com
Questions?
Thank You!