FOSS Application Security Building secure applications - PowerPoint PPT Presentation

Description: Contents: Lessons learnt on how to build secure applications based on past exploits ... But do you really know how to implement them and deploy them in real ...

Slides: 15
Provided by: kalyan1
Transcript and Presenter's Notes


1
FOSS Application Security: Building secure applications
  • Kalyan Varma
  • Secuprise Consulting

2
Introduction
  • Contents: Lessons learnt on how to build secure
    applications based on past exploits
  • My Goal: To make you understand best security
    practices when using FOSS tools
  • It's not rocket science, it's just common sense.

3
What you already know
  • Cryptography
    • Encryption algorithms
    • SSL / Certs / VPN etc.
  • Secure Programming
    • Buffer Overflows
    • Programming language issues
  • Network security
    • Firewalls, IDS etc.
  • OS security
    • File permissions, access controls

4
  • But do you really know how to implement them and
    deploy them in real-life applications?

5
Cryptography ...
  • What algorithm do you use?
    • It does not matter, it's how you use it
  • What key size do you use?
    • Large keys = more CPU cycles
  • Where do you store them?
  • How do you use your hashes?
    • They need to be signed most of the time

6
Cryptography ...
  • Crypto is never broken, it's always bypassed
  • Crypto gives you a false sense of security
  • SSL protects data only in the transmission
    medium. Not at the entry/exit points.
  • 80% of the ecom sites leave everything to SSL.
  • Don't design your own algorithm
  • Don't waste time learning crypto, spend time
    trying to learn how to apply it well :)

7
View of an Application
  • Program
    • Program Internals
  • Validate all inputs
  • Judicious output
  • Careful call out to other resources
8
Validate all Input
  • Validate all inputs.. never trust the user/client
  • Your programming framework will not do it for you.
  • Every language does it in a different way.
    • PHP vs Perl
  • Determine what's legal, reject the non-matches
    • allow A-Z, a-z, 0-9
  • Don't do the reverse. There's always another
    illegal value
    • disallow !@()_
  • Limit input length
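
The allowlist-versus-denylist point above, as an added example that is not part of the original deck. The pattern, the 32-character length limit and the set of "denied" characters are assumptions chosen for the illustration; the sample inputs are constructed. The denylist validator is included only to show why "reject the known-bad characters" lets through values the author never thought of.

```python
import re

# Allowlist: state exactly what a legal value looks like and reject everything else.
# Pattern and length limit are assumptions for this example; real apps pick them per field.
USERNAME_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")

# A denylist of "known bad" characters (assumed), shown only to illustrate the weak approach.
DENIED_CHARS = set("!@()_")


def validate_allowlist(value: str) -> bool:
    """Accept only values made entirely of A-Z, a-z, 0-9, at most 32 characters long."""
    return bool(USERNAME_RE.fullmatch(value))


def validate_denylist(value: str) -> bool:
    """Reject values containing a denied character; everything else passes.
    This is the 'do the reverse' approach the slide warns against."""
    return not any(ch in DENIED_CHARS for ch in value)


# Constructed sample inputs: a legitimate user name, a SQL-ish string, an HTML tag,
# and a value that is one character over the length limit.
SAMPLES = ["alice42", "' or 1=1 --", "<script>", "a" * 33]


def run_samples() -> dict:
    """Return, per sample, (allowlist decision, denylist decision) side by side."""
    return {s: (validate_allowlist(s), validate_denylist(s)) for s in SAMPLES}
```

Running `run_samples()` shows the difference the slide is making: the allowlist rejects everything except `alice42`, while the denylist waves through both the quote-and-equals string and the tag, because neither contains a character anyone remembered to deny.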

9
SQL Injection
  • Unsafe: SELECT x FROM database WHERE user=$user
    and password=$pass
    • pass as: or 1=1
  • Safe: SELECT x FROM database WHERE user='$user'
    and password='$pass'
    • pass as: ' or 1=1 ?
  • Defence?
    • PHP: mysql_escape_string()
    • Perl: Prepared Statements
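
The quoted-but-still-injectable query and the prepared-statement defence from this slide, as an added example that is not part of the original deck. It uses Python's built-in sqlite3 module standing in for the PHP/Perl database layer; the table, the single user row and the payload are constructed. The payload is the slide's `' or 1=1` idea with its quotes balanced (`' or '1'='1`) so the rewritten query parses, which is why the slide marks the raw form with a question mark.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory table with one constructed user row (sample data, not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'secret-value')")
    return conn


def login_quoted(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """The slide's 'Safe' form: the values are quoted, but they are still pasted into
    the SQL text, so a quote inside the input closes the literal and rewrites the query."""
    sql = f"SELECT * FROM users WHERE user='{user}' and password='{password}'"
    return conn.execute(sql).fetchone() is not None


def login_prepared(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Prepared statement: the SQL text is fixed and the values travel separately,
    so the input is always data and never syntax."""
    sql = "SELECT * FROM users WHERE user=? and password=?"
    return conn.execute(sql, (user, password)).fetchone() is not None


# Constructed payload: the slide's quote-based bypass with the quotes balanced.
INJECTED_PASSWORD = "' or '1'='1"


def demo() -> dict:
    """Run both login paths with a wrong password, the payload and the real password."""
    conn = make_db()
    return {
        "quoted_wrong_password": login_quoted(conn, "admin", "wrong"),
        "quoted_injected": login_quoted(conn, "admin", INJECTED_PASSWORD),
        "prepared_wrong_password": login_prepared(conn, "admin", "wrong"),
        "prepared_injected": login_prepared(conn, "admin", INJECTED_PASSWORD),
        "prepared_correct": login_prepared(conn, "admin", "secret-value"),
    }
```

`demo()` returns `quoted_injected` as True and `prepared_injected` as False: the same input that logs in through the string-built query is just a literal that matches nothing once it is bound as a parameter. Of the two defences the slide lists, parameterisation is the one to reach for; escaping functions such as PHP's `mysql_escape_string()` depend on getting the connection's character set right and have since been removed from PHP.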

10
HTML Injection
  • JavaScript: Root of all Evil
  • A <script> tag is enough to take over your machine,
    write a worm.
  • No easy solution
  • Lots of regex in the real world
  • It's all about handling data
  • <script>alert(document.cookie)</script>
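
The "it's all about handling data" point, as an added example that is not part of the original deck: the same untrusted comment rendered raw and rendered through an HTML escaper. The page template, the field name and the sample comment are constructed; the payload is the slide's `alert(document.cookie)` script tag.

```python
import html

# Constructed sample: a comment field containing the slide's script payload.
UNTRUSTED_COMMENT = "<script>alert(document.cookie)</script>"


def render_unsafe(comment: str) -> str:
    """Reflects the value into the page as-is: the browser sees a real <script> element."""
    return f"<p>Last comment: {comment}</p>"


def render_escaped(comment: str) -> str:
    """Escapes for an HTML text context: < > & and both quote characters become entities,
    so the browser displays the payload as text instead of executing it."""
    return f"<p>Last comment: {html.escape(comment, quote=True)}</p>"


def contains_script_element(page: str) -> bool:
    """Crude check used to compare the two renderings: is there a live <script tag in the output?"""
    return "<script" in page.lower()
```

`render_unsafe(UNTRUSTED_COMMENT)` still contains a live `<script` tag; `render_escaped(UNTRUSTED_COMMENT)` contains `&lt;script&gt;` instead. Note that escaping is per context: this encoder is right for element text (and, with `quote=True`, for quoted attribute values), but data placed inside a URL, a CSS value or a script block needs the encoder for that context, which is the sense in which the slide says there is no single easy solution.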

11
Program Internals
  • Avoid Buffer Overflow
  • Secure the Interface (can't circumvent it)
  • Check the return values
  • Log.. Log.. Log.. everything possible
    • timestamp, action, user, IP, program
  • Minimise privileges
    • Drop them if you don't need them

12
Output Judiciously
  • Minimize feedback
    • Wrong Password
    • Database not found
  • Don't include comments
    • /* select * from jobs where company=ibm */
  • Handle disk full/core dump responses
  • Sanitize data before displaying
    • SQL injections, XSS issues.
  • Security by Obscurity works

13
Web Security
  • Watch out for Cross site scripting (XSS)
    • <script>alert(document.cookie)</script>
  • Always sign important hidden variables
  • Maintain state/info on the server
  • All actions must be POST not GET
  • 2000act93523434
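
"Always sign important hidden variables" from this slide and "hashes need to be signed" from the Cryptography slide, as one added example that is not part of the original deck. A hidden form field carries an amount together with an HMAC-SHA256 tag computed under a server-side key, so the server can tell whether the client returned the value unchanged; an unkeyed hash is shown beside it to make the slide's point that a bare hash proves nothing. The key, the field name and the amount are constructed placeholders.

```python
import hashlib
import hmac
from typing import Optional

# Server-side secret: a constructed placeholder for the example. In a real deployment it is
# loaded from configuration and never appears in a page or a repository.
SERVER_KEY = b"example-server-key-not-for-production"


def _tag(name: str, value: str) -> str:
    """HMAC-SHA256 over name=value. Binding the field name in means a tag minted for one
    field cannot be replayed as the tag for a different field."""
    return hmac.new(SERVER_KEY, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


def sign_field(name: str, value: str) -> str:
    """Return the value plus its tag, in the form stored in the hidden input."""
    return f"{value}:{_tag(name, value)}"


def verify_field(name: str, signed: str) -> Optional[str]:
    """Recompute the tag and compare in constant time. Returns the value on success,
    None if the field is malformed or was altered after the server issued it."""
    value, sep, tag = signed.rpartition(":")
    if not sep:
        return None
    if not hmac.compare_digest(tag, _tag(name, value)):
        return None
    return value


def plain_sha256(value: str) -> str:
    """An unkeyed hash: anyone who can read the value can recompute this for any other value."""
    return hashlib.sha256(value.encode()).hexdigest()


def verify_unkeyed(value: str, digest: str) -> bool:
    """'Verification' of an unkeyed hash, which the client can satisfy for any value it likes."""
    return hmac.compare_digest(plain_sha256(value), digest)


def demo() -> dict:
    """Issue a signed amount field, then try the kinds of edits a client could make."""
    signed = sign_field("amount", "2000")          # constructed amount
    old_tag = signed.rpartition(":")[2]
    tampered = "1:" + old_tag                      # new value, old tag
    return {
        "unchanged": verify_field("amount", signed),
        "tampered": verify_field("amount", tampered),
        "wrong_field": verify_field("discount", signed),
        "unkeyed_forged": verify_unkeyed("1", plain_sha256("1")),
    }
```

`demo()` returns the original `"2000"` for the unchanged field and `None` for both the edited value and the field-name swap, while the unkeyed variant accepts a digest the client computed itself. The remaining slide bullets apply alongside this: keeping the authoritative state on the server avoids trusting the field at all, and `hmac.compare_digest` rather than `==` keeps the comparison from leaking how many leading tag bytes matched.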

14
  • It's over, you can wake up now
  • or
  • Q/A if you wish :)