Web Application Security – Grant Murphy, CISSP, VP Enterprise Solutions

Post on 21-Dec-2015



Cenzic/Barracuda/Ponemon Research Study – February 2011

“The State of Web Application Security”

Ponemon Research – Key Findings

• 74% of the respondents said Web Application Security is amongst their highest security priority.

All’s Good… Right?


• 69% said they use Network layer Firewalls to protect their web applications

“We’ll leave a light on…” Tom Bodett


• When asked why they don’t test their web apps, nearly 2/3rds said “No expertise or budget exists”, yet the average predicted loss from a hacking event is $255,000

"We don't spend enough money on app security and we spend way too much on antivirus software, which is basically worthless" Josh Corman, The 451 Group

Truer Words Cannot be Spoken


• Over half expect their Web Hosting provider to provide security for their Web Applications.

How Many Do?


Other Ponemon Stats

• 68% of WAF users recognize that a fully functional WAF is one that optimizes Performance as well as Security

• 60% said they protect Web apps KNOWN to be vulnerable to exploits with layer 4 technology (Network Firewall or IDS/IPS)

• 88% said their Web App Security budget is less than their coffee budget

• 62% cited data protection as their #1 concern about Web application security

Why do I need a Web Application Firewall? Compliance, Security, Performance

What is PCI DSS?

• Insurance

• A consortium of Visa, MasterCard, DiscoverCard, American Express, and JCB

• PCI standards apply to ALL companies worldwide that process, store, or transmit credit card information

• 4 levels of Credit Card processors, dependent upon volume, which also determines the level of audit scrutiny

– Level 1: >6M transactions/year

– Level 2: >1M and <6M transactions/year

– Level 3: >20,000 ecommerce transactions and <1M transactions per year

– Level 4: <20,000 ecommerce or >1M transactions/year

What word keeps 62% of the security bosses up at night?

Breach. The other 38% have sleep apnea!


Security Market Overview

Fact 1: 98% of all Breaches are the result of organized crime and/or unaffiliated parties (1)

Fact 2: Data Breaches cost organizations an average of $202 per stolen record (2)

Fact 3: 24% of the records stolen during breaches were from vulnerable Web applications exploitable by SQL injection (1)

Fact 4: SQL injection is 3x more efficient than the #1 method employed to extract records

(1) Source: Verizon and USSS Data Breach Investigation Report, 2010

(2) Source: Ponemon Institute Study, 2009

Interesting excerpts: 2010 Verizon and USSS Data Breach Investigation Report

• Records lost were down from 144M to 4M, but the number of breaches was up 5-6x

• 89% of breach victims subject to PCI DSS were not in compliance – if they had been there would have been no breach!

• ~1/2 of breaches were on systems managed by hosting providers – “It’s more about giving up control of our assets….than any technology specific to The Cloud.”

• “Just because web applications dropped as an overall percentage of attacks, don’t believe for an instant that they are any less critical a vector than they were a year ago. …. Please don’t let the bad guys catch your development and application assessment teams napping.”

OWASP - 2010

SQL Injection – Illustrated

[Diagram: SQL injection illustrated. Left to right: Firewall, Hardened OS, Web Server, App Server, Firewall, then backend systems (Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing). The application attack passes through the Network Layer and the Application Layer into the Custom Code behind the business functions (Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions). Flow: HTTP request → SQL query → DB Table → HTTP response.]

"SELECT * FROM accounts WHERE acct='' OR 1=1--'"

1. Application presents a form to the attacker

2. Attacker sends an attack in the form data

3. Application forwards attack to the database in a SQL query

Account Summary (as shown in the diagram): Acct: 5424-6066-2134-4334, Acct: 4128-7574-3921-0192, Acct: 5424-9383-2039-4029, Acct: 4128-0004-1234-0293

4. Database runs query containing attack and sends encrypted results back to application

5. Application decrypts data as normal and sends results to the user
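The five steps above, as an added example that is not part of the deck: a Python script (constructed here, using an in-memory SQLite table) builds the query from step 3 by string concatenation, shows that the `' OR 1=1--` form input returns every account, and then shows the parameterized form of the same lookup, which treats the input as a literal value and returns nothing. Table name, column names and the `lookup_*` function names are assumptions made for this example.

```python
import sqlite3

# Constructed sample table; the account numbers are the ones shown in the deck's diagram.
ACCOUNTS = [
    ("5424-6066-2134-4334", "Account Summary 1"),
    ("4128-7574-3921-0192", "Account Summary 2"),
    ("5424-9383-2039-4029", "Account Summary 3"),
    ("4128-0004-1234-0293", "Account Summary 4"),
]

# The form data from the deck's illustration: the quote closes the string literal,
# OR 1=1 makes the WHERE clause always true, and -- comments out the trailing quote.
ATTACK_INPUT = "' OR 1=1--"


def make_db():
    """Create the in-memory 'accounts' table used by both lookups."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT PRIMARY KEY, summary TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    return conn


def lookup_vulnerable(conn, acct):
    """Step 3 of the deck: form data is pasted into the SQL text, so the
    attacker's input becomes part of the query itself. With ATTACK_INPUT the
    text sent to the database is exactly the deck's
    SELECT * FROM accounts WHERE acct='' OR 1=1--'"""
    sql = "SELECT * FROM accounts WHERE acct='" + acct + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, acct):
    """Fix: bind the input as a parameter. The driver passes it as a value,
    so the quote, OR and -- are just characters inside the account string."""
    return conn.execute("SELECT * FROM accounts WHERE acct=?", (acct,)).fetchall()


def demo():
    """Return (rows leaked by the vulnerable lookup, rows from the safe lookup)
    for the deck's attack input."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, ATTACK_INPUT)
    safe = lookup_parameterized(conn, ATTACK_INPUT)
    return len(leaked), len(safe)


if __name__ == "__main__":
    leaked, safe = demo()
    print(f"vulnerable query returned {leaked} rows, parameterized query returned {safe}")
```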


Who Gets Attacked?

Source: Based on data provided by OSF DataLoss DB

Every industry is a target! Target of Opportunity or Target of Choice?

Can’t We Just Go Fix the Insecure Code?

Every 1,000 lines of code averages 15 critical security defects.

- U.S. Dept. of Defense

The average security defect takes 75 min to diagnose and 6 hrs to fix.

- 5 year Pentagon Study

The average business application has 150,000-250,000 lines of code.

- Software Magazine

An average web application vulnerability persists between 30 – 90 days after discovery

- Forrester Research

The MATH… It would take 70 to 562 weeks to fix the code, not to mention the newer defects that will get introduced.

Code reviews: Start at $2000 for a small application

[Diagram: layered stack. Network (Firewall, IDS/IPS) → Operating Systems → Web Servers, Application Servers, Database Servers (Customer Info, Business Data, Transaction Info, Confidential Data) → Customized Web Applications, Customized Packaged Apps, Internal and 3rd Party Code. 75% of Attacks Focused Here (Gartner): no signatures, no patches.]

Malvertising

USAToday.com ad network compromised

Visitors served malicious javascript bundled with ad for Roxio Creator

Automatically directed users to Rogue AV site through malicious traffic distribution system – users did not even have to click the link

Compromised Legitimate Sites

PBS.org – and subdomain for Curious George site compromised

Yielded javascript that served exploits from a malicious domain

Targeted a variety of software vulnerabilities, including Acrobat Reader, Apple QuickTime, etc.

A WAF must provide Security… As well as Performance Optimization

• TCP Pooling – multiple requests use the same connection (improved performance)

• Load Balancing

• Caching

• Compression

• SSL Offloading/Acceleration, Backend Encryption

• High Availability minimizes downtime of critical business Apps

• Application Health Monitoring ensures optimal Load Balancing

• User Access Control (LDAP etc)

Only available via a Layer 7 Reverse Proxy!

Top 5 Myths of Web Application Security

“We use SSL”

• SSL ensures that no “man-in-the-middle” can tap into communications

• Hackers can still send application attacks through SSL

“We have a Network Firewall”

• 75%-90% of attacks today are against applications, not networks

“Our Web Hosting provider is secure”

• Web Hosters - at best - provide Network Firewalls

Hacktivism on the Rise – Again?

“…worked with the website hosting company, Boca Raton-based Verio, and initially they were able to fix it. But the images returned over the weekend. And Monday was a holiday, so nothing could be done.

But with just a cursory glance of the website, Heid claimed to have pinpointed its weaknesses -- a decade-old web applications and a system that needs “sanitizing.”

The Miami Herald 1/18/11

“…hackers sidestepped ineffective firewalls”

Top 5 Myths of Web Application Security (continued)

“Only large banks get hacked, not us”

• Hacking is an equal opportunity business

“Too Expensive/Too Complicated”

• Not anymore with Barracuda’s Web Application Firewall

When it comes to protecting the valuable data on which Web Applications are dependent, the best use of a budgeted security $ € £ ¥ is spent on Web Application Firewall Technology.

What Do I Need in a WAF?

[Diagram: Barracuda Networks WAF in front of the Servers]

• PCI and security drive inbound user content scanning

• Outbound inspection to protect against customer data leakage

Barracuda Web Application Firewall

• PCI standards exist for a reason!

• “Assumed” Security doesn’t exist!

• Protection against malicious users

Web application hosters provide reliable application access, not Compliance or Secure Web Applications

Most Apps are Web Apps Today

• Microsoft
  – SharePoint
  – Office
  – Exchange

• Oracle
  – PeopleSoft
  – Financials
  – Oracle Business

• SAP

• Custom Applications
  – Partner/Sales Portals
  – Order Entry Systems
  – HR Systems

• Open Source
  – PHP Bulletin Board
  – Bugzilla

Level of Security Customization

• High – Profiled applications

• Medium – Utilizing template security

• Low – Default security policy

Secure Multiple Web Applications

Reporting – Ensuring Compliance

One Arm Proxy – Easier, less secure, performance gains

[Diagram: WAF management interface 172.10.10.5; VIP1 192.168.9.110, VIP2 192.168.9.120, VIP3 192.168.9.130 on the WAN-side subnet 192.168.9.0/24 (router 192.168.9.1); servers 10.10.10.10, 10.10.10.20, 10.10.10.30 on subnet 10.10.10.0/24; Internet reached through the WAN port. Internal DNS changes to redirect traffic.]

Pros:

• Limited changes to networking scheme

• Virus scanning, Data Loss Prevention

• Full performance optimization features available (LB, SSL Acceleration, HA etc)

Cons:

• Backend servers are still exposed since they have native IPs

• In high end web sites performance is limited since a single Ethernet NIC is used for inbound/outbound traffic

Reverse Proxy – Optimized Security, Optimized Performance

[Diagram: WAF management interface 172.10.10.5; VIP1 192.168.9.110, VIP2 192.168.9.120, VIP3 192.168.9.130 on the WAN subnet 192.168.9.0/24 (router 192.168.9.1); WAF LAN interface 10.10.10.1; servers 10.10.10.10, 10.10.10.20, 10.10.10.30 on the LAN subnet 10.10.10.0/24. DNS resolves to the WAF. Server IPs reside in the LAN subnet.]

Pros:

• Most Secure Deployment Scheme since backend servers are completely isolated

• Headers can be rewritten

• Virus scanning, Data Loss Prevention

• Full performance optimization features available (LB, SSL Acceleration, HA etc)

Cons:

• Much more security and performance at the expense of deployment simplicity

• Applications requiring protection must be moved behind the reverse proxy during a maintenance window

Bridge Mode – Operates as Layer 2 Bridge

[Diagram: WAN and LAN ports bridged; management interface 172.10.10.5; VIP1 10.182.12.20, VIP2 10.182.12.21, VIP3 10.182.12.22 are the same as the Server IP addresses; router 10.182.12.1; Internet in front. All incoming traffic is bridged. Security policies are applied to defined services.]

Pros:

• No Back end/Front end networking changes

• Ease of installation

• Ethernet Hard Bypass Mode

Cons:

• No Header rewrite

• No Load Balancing

• No TCP Pooling

The Barracuda WAF

[Diagram: Remote Users and Teleworkers → Barracuda Web Application Firewalls → Servers. The WAF covers the functions of separate SSL Accelerators, Security (IDP, IPS), Access Control, Caching and Load Balancing devices. Performance: SSL Acceleration, Pipelining, Caching, Compression, Load Balancing. Security: OWASP protection, Malware scanning, Data leakage, Cloaking, XML Firewall.]

Scalable Performance To Meet Applications Needs

Models: WAF 360, WAF 460, WAF 660, WAF 860, WAF 960 (Security, Manageability, Scalability)

Evolution of the Web Application Environment

[Diagram: Remote Users and Teleworkers → Barracuda Web Application Firewalls → Servers; then Virtualized Web Applications; then Virtualized Web Applications Infrastructure.]


Barracuda Control Center – Centralized Multi-Appliance Administration

– Consistent Web interface

– Status Monitoring

– Distributed Configuration mgt.

– Information aggregation

– Role based Administration

– Delegated Administration

Cloud Service, Hardware and VM based Appliance


Barracuda Web Application Firewall Overview

• Secure Web Applications

• Scale and Speed Application Delivery

• Gain Visibility via Logs and Reports

• Achieve Compliance

• Comprehensive yet Affordable

About Barracuda Networks

[Diagram: Barracuda product portfolio with Centralized Management, grouped under Connectivity, Data, Servers, Storage, Peace of Mind, Networking, Performance, Security and Protection.]

Products: Yosemite Desktop/Laptop, Yosemite Server, Barracuda SSL VPN, Barracuda Load Balancer, Barracuda Link Balancer, Barracuda Message Archiver, Barracuda Spam & Virus Firewall, Barracuda Web Filter, Barracuda Web Application Firewall, Barracuda IM Firewall, Barracuda Next-Generation Firewall

Security Principles (CIA): Availability, Confidentiality, Integrity

Superior Technology – Proven, Field Tested: 135,000+ Customers Worldwide

Innovative Technology: Diverse IP Assets, Predictive Sender Profiling, Real-time Protection, Reputation Service, Data De-duplication, Multi-tenant Cloud, Centralized management

Barracuda Labs Global Research: Thought Leadership, Security Intelligence

Top Emerging Vendor - Storage

Cool Vendor in Security SaaS

Top 10 Security Stories

Purewire Web Security Service - DEMOgod

Top 10 IT Security Companies to Watch

Top 10 “Most Innovative”

Questions??

Grant Murphy [email protected]


Supplemental Slides

Who Needs Application Firewalls?

1. Compliance Audit (PCI, HIPAA, GLBA)

• Anybody who works with confidential data, i.e. Credit Cards, SSN, Patient records, Client Records

2. Security Requirements

• Internal and external threats. Business partners.

3. Secure “Load Balancer” for Web Applications

• For the price of a competitor’s Load Balancer, you can buy a WAF

Hacked!

Other Hacker Money Makers: Server Botnets

• Botnet-as-a-Service

• Distributed Denial of Service attacks (DDoS)

• Brute-force hacking of bank accounts

• Attackers rent bots for extortion or attacks against legitimate sites

• Rental starts at $8.94/hr and averages approximately $67.02/day (1)

Affects All Industries

• Web Application Servers are especially viable bots due to high bandwidth and processor capabilities

• Your Web servers can be hijacked to be a zombie in a botnet

• Malware relay point

(1) VeriSign May, 2010 cybersecurity study

Barracuda Web Application Technology

Mature Solutions Trusted by Financial Institutions Worldwide

Why Do Hackers Hack?

Amount is in USD Per Record on the Black Market

Reverse Proxy WAF Advantages…

Capabilities fully implemented only in a reverse proxy WAF such as Barracuda’s WAF

• Application Performance Optimization

• Cookie encryption / signing

• Client fingerprinting

• Response control

• Cross Site Request Forgery (CSRF) protection

• Cloaking

• Rate control

A WAF Should Provide

Capabilities that a good WAF solution should provide

• URL Decoding

• Code Injection

• SQL Injection

• Cross Site Scripting (XSS)

• HTML Form Validation

• XML Validation

A Complete WAF Solution Requires

Capabilities not present in other WAF Vendors

• Load Balancing
  – Layer 4
  – Layer 7

• Caching

• Compression

• Content Routing

• SSL Offloading

• FTP security

• Anti Virus

• Authentication & Authorization
  – Two factor authentication
  – Client certificates
  – RSA SecurID
  – Single sign on
  – CA SiteMinder

Malicious Activity Rankings by Country

Country     Overall   Attack Origin   Bots   Malicious Code   Spam Zombie
Brazil         3            6           3          5               1
Argentina     17           19          12         46              12
Mexico        18           15          25          7              17

• Increased adoption of Broadband and Internet leads to growth in malicious activity
  – Latin America has an IP-traffic annual growth rate of 51% over the next 5 years

• Web Application Security is often an afterthought

Web Application Security will be increasingly important in Latin America!

Network Firewalls Only Secure Port/Protocol

[Diagram: Users and a Hacker reach the Web Applications through the network firewall; traffic is allowed to pass through port 80/443.]

Firewalls allow traffic to pass only through specific network ports. BUT NOW hackers are using valid traffic to exploit vulnerabilities found in the applications deployed on the Web servers.

Web Application Security Comparison

Capability                                    IPS/IDS   Barracuda WAF
Injection attack protection (XSS, SQLi etc)   No        Yes
Session tampering protection                  No        Yes
Cookie hijacking protection                   No        Yes
Data Theft protection                         No        Yes
Brute-force protection                        No        Yes
Web Services Protection                       No        Yes
Anti Virus and Malware upload protection      Yes       Yes
Authentication/Authorization                  No        Yes
XML Firewall                                  No        Yes
Denial of Service Attacks                     Yes       Yes

Standard Installation Methods

• Bridge Mode – Initial installation for existing applications

• One Armed Proxy Mode – Excellent for product evaluation

• Reverse Proxy Mode – Highest inherent security

Infected IP Addresses

Source: The Economist, July, 2010

Existing Network/Application Data Flow

[Diagram: Clients → Internet → N/w Firewall → Switch / Router → Application 1 (223.216.5.9), Application 2 (223.216.5.10).]

The Barracuda Web Application Firewall is inserted between the Network firewall and the switch to the backend.

Bridge Mode - Operates as Layer 2 Bridge

[Diagram: WAN and LAN ports bridged; management interface 172.10.10.5; VIP1 10.182.12.20, VIP2 10.182.12.21, VIP3 10.182.12.22 are the same as the Server IP addresses; router 10.182.12.1; Internet in front. All incoming traffic is bridged. Security policies are applied to defined services.]

Pros:

• No Back end/Front end networking changes

• Ease of installation

• Ethernet Hard Bypass Mode

Cons:

• Some performance compromises

• No Load Balancing

• No TCP Pooling

One Arm Proxy

Pros:

• Easier Deployment compared to Reverse Proxy; network infrastructure and partitioning do not need to be changed

Cons:

• Requires DNS/IP changes as in Reverse Proxy

• Lower throughput since only one port (WAN) is used

[Diagram: management interface 172.10.10.5; VIP1 192.168.9.110, VIP2 192.168.9.120, VIP3 192.168.9.130 on subnet 192.168.9.0/24 (router 192.168.9.1); servers 10.10.10.10, 10.10.10.20, 10.10.10.30 on subnet 10.10.10.0/24; Internet reached through the WAN port. Only WAN Port used.]

One-Armed Configuration For Evaluation

[Diagram: Clients → Internet → Switch / Router → Load Balancer (IP: 223.216.5.9, the advertised IP for the Web Site, no changes) → Server 1 10.10.10.101:80, Server 2 10.10.10.102:80. Test traffic goes to the Testing VIP (IP: 223.216.5.18) on the Barracuda (with Cache), VIP 10.10.10.202:80. Client Traffic and Test Traffic are shown as separate paths.]

Testers can use the internally published VIP to access the Application. Existing client traffic remains unaffected and traverses via the Load Balancer.

Once the evaluation of the Barracuda is complete, it can be moved inline into production, either coexisting with the Load Balancer or replacing it.

Reverse Proxy

Pros:

• Full feature availability including Load Balancing and Instant SSL

• Most Secure Deployment Scheme since backend servers are completely isolated

• Fast HA Failover

Cons:

• Network changes required such as Server IP addresses and DNS mappings

• Backing out requires undo of all the changes

• Deployment requires cutover of live services

[Diagram: management interface 172.10.10.5; VIP1 192.168.9.110, VIP2 192.168.9.120, VIP3 192.168.9.130 on the WAN subnet 192.168.9.0/24 (router 192.168.9.1); WAF LAN interface 10.10.10.1; servers 10.10.10.10, 10.10.10.20, 10.10.10.30 on the LAN subnet 10.10.10.0/24. VIPs belong in the WAN subnet. Server IPs reside in the LAN subnet.]

Barracuda Web Application Firewall

• Mature Solution with over 10 years of R&D

• WAF Customers in Latin America
  – Colombia – Efecty – Financial
  – Colombia – Alianza Fiduciaria – Financial
  – Mexico – Punto Clave – PCI Certified – ISP
  – Mexico – Metropolitana – Insurer
  – Mexico – Escuela de Trafico Aereo – Educational
  – Mexico – Escuela Naval Militar – Educational
  – Chile – Banco Central – Financial
  – Chile – Banco de Credito – Financial
  – Bolivia – Banco Mercantil – Financial
  – Paraguay – Bancard – Financial

Competition from ADCs

• Dedicated Security Device

• Malware scanning for Uploaded content

• Energize updates – near real-time updates for security issues via Barracuda Labs

• Positive/Negative Security models

• Rule set customization and iRules

• Capacity and performance

• Nickel and diming of Add-ons

• License simplification