New Technologies New Risks - PowerPoint PPT Presentation

About This Presentation
Title:

New Technologies New Risks

Description:

Access Control Lists on multiple trusted hosts. Internal user authentication ... not be talking to each other should be flagged and investigated immediately. ... – PowerPoint PPT presentation

Slides: 29
Provided by: sacha5
Learn more at: http://www.severus.org

Transcript and Presenter's Notes

1
New TechnologiesNew Risks
2
Technology and Security Evolution: Mainframe
  • Technology
    • Single host
    • Limited trusted users
  • Security
    • Internal user authentication
    • Access Control List on single host

3
Technology and Security Evolution: Network
  • Technology
    • Multiple trusted hosts
    • Multiple trusted users
  • Security
    • Access Control Lists on multiple trusted hosts
    • Internal user authentication
    • Network segmentation

4
Technology and Security Evolution: Internet
  • Technology
    • Large number of untrusted users
    • Untrusted network
    • Complexity
      • Network
      • Configuration
  • Security
    • Access Control Lists on multiple untrusted hosts
    • External user authentication
    • Network segmentation and filtering (Firewalls)

5
Technology Evolution E-commerce and Web services
  • Critical Data
  • Complexity
  • Network
  • Configuration
  • Development
  • Business 2 Business (B2B)
  • Business 2 Clients (B2C)

6
E-commerce and Web services: New Risks
7
Access to critical data over trusted communication ports
8
Rapid development Complex Development Framework
  • Competitive Market
  • Development Cost
  • Automation Tools

9
High level language for complex tasks
  • New languages hide complexity
  • Development Complexity is hidden
  • Templates and wizards
  • Distributed Programming Architecture

10
Scripting language
  • Not compiled
  • Process flow can be modified at run time
  • Rely on compiled languages
  • Used in untrusted environments to access critical
    data

11
Dynamic Environment
  • High level of customization
  • Different integration requirements
  • Custom development

12
How does a web application work?
13
Web Application Process
14
Terminology
  • Script Argument
    • http://somesite.com/script?argument1=somedata
  • Script Argument Data
    • http://somesite.com/script?argument1=somedata1

15
Web communication
  • GET
    • The most widely used request method.
    • The simplest request method.
    • Consists of a resource and its arguments.
    • Example
      • http://server/file?argument1=data
  • POST
    • Used to transfer data to the server.
    • Mostly used in conjunction with HTML forms.

16
Current Attack Methods
17
SQL Injection
  • SQL injection is the process of modifying the
    internal SQL query of the server-side script to
    perform actions not intended by the developers.
  • SQL injection can have serious security
    implications, from data loss to full infiltration
    of your internal network.
  • The most widely used and best documented type of web
    application attack.
  • Can be used against most languages used to develop
    web applications.
  • Only impacts applications that use a back-end SQL
    server to store data.

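The slide describes the query itself being rewritten by a script argument. The following is an added example (not code from the presentation) showing the vulnerable string-built query next to the bound-parameter form that keeps the argument as data, plus an allow-list check in front of it; the in-memory SQLite table, rows and character policy are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed in-memory database standing in for the slide's
# "back end SQL server"; the table and rows are sample data.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "staff")])
    return conn

def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # The script argument is pasted into the SQL text, so the client
    # controls part of the query the server executes: the injection case.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameter binding: the argument is handed to the driver as data
    # and is never parsed as SQL, whatever characters it contains.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

# Hypothetical allow-list of valid characters for this field.
VALID_NAME = re.compile(r"[A-Za-z0-9_]{1,32}")

def is_valid_name(name: str) -> bool:
    return VALID_NAME.fullmatch(name) is not None

def lookup_validated(conn: sqlite3.Connection, name: str) -> list:
    # Reject anything outside the documented character set before it
    # reaches the database at all, then still use the bound query.
    if not is_valid_name(name):
        raise ValueError("argument contains characters outside the allowed list")
    return lookup_safe(conn, name)

if __name__ == "__main__":
    db = make_db()
    # A quote-and-OR argument widens the unsafe query to every row;
    # the bound query simply finds no user with that literal name.
    tampered = "x' OR '1'='1"
    print(lookup_unsafe(db, tampered), lookup_safe(db, tampered))
```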
18
Code Injection
  • Code injection is the process of injecting code
    that will be processed by the server.
  • Code injection is extremely dangerous since the
    remote attacker can make the server run their code.
  • Code injection is not widely used and is caused by
    file access abstraction.
  • Not all programming languages are affected.

19
Application Discovery with Program Errors
  • Like normal applications, web applications will
    display error messages when something goes wrong.
  • Error messages will often display a lot of
    information on the environment and the cause of
    the error.
  • The information displayed often gives away too much.
  • Error messages are often used by attackers to
    help them gain a better understanding of the
    environment they are attacking and can help them
    construct very precise attacks.

20
Error Reporting Example
21
Development Considerations to Prevent Attacks
22
Dealing with a Hostile Environment
  • All incoming data should be treated as
    potentially invalid.
  • All outgoing data should be documented, and
    undocumented data should never be sent to the
    client.
  • All error messages should be standardized.

23
Dealing with Error Reporting
  • All errors should be caught by the application.
  • When an error occurs, the user should be directed
    to a standard page indicating that an error has
    occurred.
  • The full error message should be sent to the
    development team.

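Slides 19, 22 and 23 together describe one control: catch every error, show the client only a standard page, and route the full detail to developers. This added example (not code from the presentation) wraps a request handler that way; the in-memory "inbox", the standard page text and the failing handler with its environment-laden message are all constructed stand-ins.

```python
import traceback
import uuid

# Constructed stand-in for "sent to the development team": an in-memory
# list. A real deployment would write to a log or ticketing system.
DEV_TEAM_INBOX: list = []

# The one standard page every failure shows the client (hypothetical text).
STANDARD_ERROR_PAGE = "<html><body>An error has occurred (ref {ref}).</body></html>"

def handle_request(handler, *args) -> tuple:
    """Run a request handler inside a catch-all.

    Success returns (200, body). Any exception returns the standard page
    with a short reference id; the exception text and traceback go only
    to the development team, never to the client.
    """
    try:
        return 200, handler(*args)
    except Exception as exc:
        ref = uuid.uuid4().hex[:8]
        DEV_TEAM_INBOX.append({
            "ref": ref,
            "error": repr(exc),
            "traceback": traceback.format_exc(),
        })
        return 500, STANDARD_ERROR_PAGE.format(ref=ref)

def leaks_details(body: str, exc: Exception) -> bool:
    """True if a response body carries the exception's text or type name."""
    return str(exc) in body or type(exc).__name__ in body

# Constructed handler that fails the way a misconfigured script would,
# with an error message full of environment detail (hypothetical values).
def broken_handler(_arg: str) -> str:
    raise RuntimeError("connect failed: host=db.internal.example port=1433 user=appsvc")

def ok_handler(arg: str) -> str:
    return "hello " + arg

if __name__ == "__main__":
    print(handle_request(ok_handler, "world"))
    print(handle_request(broken_handler, "world"))
    print(DEV_TEAM_INBOX[-1]["error"])
```

The reference id is what the user quotes to support; the matching inbox entry holds everything the standard page deliberately omits.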
24
Programming Language - Application Programming
Interface
  • Developers and software engineers should review
    all functions used and the full impact they might
    have.
  • A detailed list of valid characters should be
    made and all others should be rejected.

25
Platform Configuration
  • Administrators should read the documentation of
    the specific platform used to run the web
    applications.
  • Administrators and developers should be aware of
    the types of internal and external communication
    the platform may use with other applications (single
    sign-on, database, LDAP, ...).

26
Network Configuration
  • Only the ports used by your web server (often 80 (HTTP)
    and 443 (HTTP-SSL)) should be allowed as incoming
    communication.
  • Outgoing communication should be restricted to
    limit many types of attack.
  • All communication between the various servers
    used in your environment should be documented and
    all other types of communication should be
    restricted.
  • For added security, all traffic between servers
    that should not be talking to each other should
    be flagged and investigated immediately.

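The last bullet asks for undocumented server-to-server traffic to be flagged. This added example (not code from the presentation) turns a documented communication matrix into a check run over connection records: outside clients may only reach the web server on 80/443, internal servers may only talk along documented paths, and anything else is flagged. The server roles, addresses, ports and log records are all constructed.

```python
# Constructed inventory of the environment (hypothetical addresses and roles).
SERVERS = {"10.0.1.10": "web", "10.0.2.10": "app",
           "10.0.3.10": "db", "10.0.3.20": "ldap"}
# Ports the web server is allowed to accept from the outside.
INBOUND_PORTS = {80, 443}
# Documented server-to-server flows: (source role, destination role, port).
DOCUMENTED = {("web", "app", 8080), ("app", "db", 1433), ("app", "ldap", 389)}

def classify(src: str, dst: str, port: int) -> str:
    """Return "allow", "ignore: ..." or a "flag: ..." reason for one connection."""
    src_role = SERVERS.get(src)
    dst_role = SERVERS.get(dst)
    if src_role is None and dst_role is None:
        return "ignore: not our servers"
    if src_role is None:                      # inbound from outside
        if dst_role == "web" and port in INBOUND_PORTS:
            return "allow"
        return "flag: inbound to %s on port %d" % (dst_role, port)
    if dst_role is None:                      # outbound from one of our servers
        return "flag: outbound from %s to %s:%d" % (src_role, dst, port)
    if (src_role, dst_role, port) in DOCUMENTED:
        return "allow"
    return "flag: undocumented %s -> %s on port %d" % (src_role, dst_role, port)

def audit(flow_lines: list) -> list:
    """Parse 'src dst dport' records; return (record, reason) for flagged ones."""
    flagged = []
    for line in flow_lines:
        src, dst, port = line.split()
        reason = classify(src, dst, int(port))
        if reason.startswith("flag"):
            flagged.append((line, reason))
    return flagged

# Constructed connection log, one record per line: src dst dport.
SAMPLE_FLOWS = [
    "203.0.113.5 10.0.1.10 443",     # client to web server: allowed
    "203.0.113.5 10.0.1.10 22",      # client to web server on 22: flag
    "10.0.1.10 10.0.2.10 8080",      # web to app: documented
    "10.0.1.10 10.0.3.10 1433",      # web straight to db: should not talk
    "10.0.3.10 198.51.100.9 443",    # db server calling out: flag
]

if __name__ == "__main__":
    for record, reason in audit(SAMPLE_FLOWS):
        print(record, "->", reason)
```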
27
PricewaterhouseCoopers GRMS
28
GRMS - Information Security Solutions
  • Web Application Assessment
  • Input Validation
  • Configuration
  • Assessment of platform
  • Attack and Penetration
  • Network Security Assessment
  • Penetration Tests
  • Host Security Assessment
  • Source Code review
  • Security Architecture review
  • Identification of vulnerable function calls
  • Integrity