New TechnologiesNew Risks

PricewaterhouseCoopers

Technology and Security EvolutionMainframe

Technology– Single host– Limited Trusted users

Security– Internal user

authentication– Access Control List

on single host

PricewaterhouseCoopers

Technology and Security EvolutionNetwork

Technology– Multiple Trusted hosts– Multiple Trusted users

Security– Access Control Lists

on multiple trusted hosts

– Internal user authentication

– Network segmentation

PricewaterhouseCoopers

Technology and Security EvolutionInternet

Technology– Large number of

untrusted users– Untrusted network– Complexity

• Network• Configuration

Security

– Access Control Lists on multiple untrusted hosts

– External user authentication

– Network segmentation and filtering (Firewalls)

PricewaterhouseCoopers

Technology Evolution E-commerce and Web services

•Critical Data

•Complexity– Network– Configuration– Development

•Business 2 Business (B2B)

•Business 2 Clients (B2C)

E-commerce and Web services

New Risks

PricewaterhouseCoopers

Access to Critical data over trusted communication ports

Hackers

Port 80 – HTTP

Port 443 – HTTPS

Firewall

Server

Data

Apps

Server, OS

HTTP/HTTPS Requests

Server

Data

Apps HTTP/HTTPS requests go through open firewall port 80 or 443

Once the firewall is behind, application security is the only thing protecting your data and application integrity, confidentiality and availability

1

2

Hackers

Port 80 – HTTP

Port 443 – HTTPS

Firewall

Server

Data

Apps

Server, OS

HTTP/HTTPS Requests

Server

Data

Apps HTTP/HTTPS requests go through open firewall port 80 or 443

Once the firewall is behind, application security is the only thing protecting your data and application integrity, confidentiality and availability

Hackers Hackers

Port 80 – HTTP

Port 443 – HTTPS

Firewall

Server

Data

Apps

Server

Data

Apps

Server, OS Server, OS

HTTP/HTTPS Requests

Server

Data

Apps

Server

Data

Apps HTTP/HTTPS requests go through open firewall port 80 or 443

Once the firewall is behind, application security is the only thing protecting your data and application integrity, confidentiality and availability

1

2

PricewaterhouseCoopers

Rapid development Complex Development Framework

•Competitive Market

•Development Cost

•Automation Tools

PricewaterhouseCoopers

High level language for complex tasks

•New languages hide complexity

•Development Complexity is hidden

•Template and Wizards

•Distributed Programming Architecture

PricewaterhouseCoopers

Scripting language

•Not compiled

•Process flow can be modified at run time

•Rely on compiled languages

•Used in untrusted environment to access critical data

PricewaterhouseCoopers

Dynamic Environment

•High level of customization

•Different integration requirements

•Custom development

How web application works?

PricewaterhouseCoopers

Web Application Process

RequestPage to the Web Server

Web Server process Server Side ScriptInterpreter

Server Side Script Requestexternal data

Return Processed HTMLto the user

Script return HTML to the server

PricewaterhouseCoopers

Terminology

Script Argumenthttp://somesite.com/script?argument1=somedata

Script Argument Data

http://somesite.com/script?argument1=somedata1

PricewaterhouseCoopers

Web communication

GET– Most widely used

request method used.– Simplest request

method.– Consist of resource

and argument– Example:http://server/file?argument1=data

POST– Used to transfer data

with server.– Mostly used in

conjunction with HTML form

Current Attack Methods

PricewaterhouseCoopers

SQL Injection

•SQL injection is the process of modifying the internal SQL query of the server side script to perform actions not intended by the developers.

•SQL injection can have serious security implications from data loss to full infiltration of your internal network.

•Widely used and most documented type of web application attack

•Can be used against most language used to develop web applications

•Only impact application using back end SQL server to store data

PricewaterhouseCoopers

Code Injection

•Code injection is the process of injecting code that will be processed by the server.

•Code injection is extremely dangerous since the remote attacker can make the server run is code..

•Code injection is not widely used and is cause by file access abstraction.

•Not all programming language are affected.

PricewaterhouseCoopers

Application Discovery with Program Error

•Like normal applications, web application will display error messages when something goes wrong

•Error messages will often display a lot of information on the environment and the cause of the error.

•Often the information displayed give to much information

•Error messages are often used by attackers to help them gain a better understanding of the environment they are attacking and can help them construct very precise attacks.

PricewaterhouseCoopers

Error Reporting Example

Development Considerations

to Prevent Attacks

PricewaterhouseCoopers

Dealing with Hostile Environment

All incoming data should be threaded as potentially invalid

All outgoing data should be documented and all undocumented data should not be sent to the client

All error messages should be standardized

PricewaterhouseCoopers

Dealing with Error Reporting

All error should be catched by the application When an error occur, the user should be directed to

a standard page indicating an that an error as occurred.

The full error message should be sent to the development team.

PricewaterhouseCoopers

Programming Language - Application Programming Interface

Developers and Software engineer should review all functions used and the full impact they might have.

A detailed list of valid characters should be made and all other should be rejected.

PricewaterhouseCoopers

Platform Configuration

Administrators should read the documentation of the specified platform used to run the web applications.

Administrators and developers should be aware of the types of internal and external communication it may use with other applications (single sign on, data base, LDAP, ...).

PricewaterhouseCoopers

Network Configuration

Only port used by your web server (often 80(HTTP) and 443(HTTP-SSL) should be allowed as incoming communication.

Outgoing communication should be restricted to limit many types of attack.

All communication between the various servers used in your environment should be documented and all other types of communication should be restricted.

For added security, all traffic between servers that should not be talking to each other should be flagged and investigated immediately.

PricewaterhouseCoopers GRMS

PricewaterhouseCoopers

GRMS - Information Security Solutions

Web Application Assessment– Input Validation– Configuration– Assessment of platform

Attack and Penetration– Network Security Assessment– Penetration Tests– Host Security Assessment

Source Code review– Security Architecture

review– Identification of

vulnerable functions calls– Integrity