Post on 24-Dec-2015

Application Security at MU

Allen Brokken (GSEC, CPTS), Principal Systems Security Analyst

Demonstration: SQL Injection / Blind SQL Injection

SQL Injection – Vulnerable Code

Vulnerable code (the request value is concatenated straight into the SQL text):

    sSql = sSql + " where LocationID = " + Request["cboLocation"] + "";
    oCmd.CommandText = sSql;

SQL Injection – Vulnerable Code

Debug view of oCmd.CommandText:

    "SELECT EventName, EndDate, [Description], [Location], ……. from Events where LocationID = convert(int,(select top 1 name from sysobjects))"

SQL Remediation

■ Do not build SQL statements with user-provided data in the command
■ Parameterized queries
■ Minimum necessary rights on the application user
■ Disable error messages

SQL Injection – Safe Code

Simple but safe code (the value is passed as a parameter, not as part of the statement):

    sSql = sSql + " where LocationID = @LocationID";
    oCmd.CommandText = sSql;
    oCmd.Parameters.Add("@LocationID", Request["cboLocation"]);

SQL Injection – Safe Code

Debug view of oCmd.CommandText:

    SELECT EventName,[Description], [Location] from Events where LocationID = @LocationID

Java Prepared Statement

http://java.sun.com/docs/books/tutorial/jdbc/basics/prepared.html

    PreparedStatement updateSales = con.prepareStatement(
        "UPDATE COFFEES SET SALES = ? WHERE COF_NAME LIKE ? ");
    updateSales.setInt(1, 75);
    updateSales.setString(2, "Colombian");
    updateSales.executeUpdate();
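As an added example (not the slide deck's own code), the concatenated query and the parameterized query from the slides, and the same value-binding idea as the Java PreparedStatement, rewritten in Python against a constructed in-memory SQLite copy of the Events table; the rows and the "2 OR 1=1" input are constructed for the demonstration, and SQLite stands in for SQL Server.

```python
import sqlite3

# Column list follows the slide's debug view; the rows below are constructed for this demo.
SELECT = "SELECT EventName, EndDate, Description, Location from Events"


def build_vulnerable_sql(location_id: str) -> str:
    # Same pattern as the slide's sSql concatenation: the request value
    # becomes part of the SQL text, so it can change the statement itself.
    return SELECT + " where LocationID = " + location_id + ""


def build_safe_sql() -> str:
    # Same pattern as the slide's @LocationID parameter: the statement
    # text is fixed and the value is supplied separately at execution time.
    return SELECT + " where LocationID = ?"


def make_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for the Events table in the slides.
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE Events (EventName TEXT, EndDate TEXT, Description TEXT,"
        " Location TEXT, LocationID INTEGER)"
    )
    con.executemany(
        "INSERT INTO Events VALUES (?, ?, ?, ?, ?)",
        [
            ("Orientation", "2015-08-20", "New student welcome", "Jesse Hall", 1),
            ("Career Fair", "2015-10-01", "Employer booths", "Hearnes Center", 2),
            ("Commencement", "2015-12-18", "Graduation", "Mizzou Arena", 3),
        ],
    )
    return con


def events_vulnerable(con: sqlite3.Connection, location_id: str) -> list:
    # location_id plays the role of Request["cboLocation"]: untrusted text.
    return con.execute(build_vulnerable_sql(location_id)).fetchall()


def events_safe(con: sqlite3.Connection, location_id: str) -> list:
    # The driver binds the value; "2 OR 1=1" is compared as a literal and matches nothing.
    return con.execute(build_safe_sql(), (location_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for value in ("2", "2 OR 1=1"):
        print(repr(value), "vulnerable rows:", len(events_vulnerable(db, value)),
              "safe rows:", len(events_safe(db, value)))
```

With the parameterized form the statement text seen in the debug view is identical for every request, which is exactly the property the slides' "Safe Code" debug view shows.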

University of Missouri - Columbia

■ Flagship campus in a four-campus public university system
■ 15,000+ employees
■ Outreach and Extension programs (state-wide)
■ Approximately 27,000 students
  ■ ~20,500 undergraduates
  ■ ~6,500 graduate/professional
■ Approximately 6,000 students live in University housing
  ■ Most have high-speed internet access (ResNet)

University of Missouri - Columbia

Information Access & Technology Services (IATS) is the central IT group
■ Voice / Cable TV / Wired & Wireless Network
■ Central storage
■ Help desk
■ Computing Sites
■ Application Development
■ Account Management
■ Security

University of Missouri - Columbia

Application Development Environment
■ Central Application Development Group
  .Net centric, organized around a standard process
■ Distributed Application Development
  Multiple development “shops”
  Lone “jack of all trades” development
■ 3rd Party Applications

Traditional Security Concept

■ Security subject matter expert
■ Largely bolted on after the fact
■ Incredibly slow process

Traditional Security Concept

Issues with the traditional concept
■ The security professional becomes a bottleneck
■ The process builds adversarial relationships within the organization
■ The process has a high long-term cost in productivity and tends to actually reduce security

The New Security Concept

■ Whole campus focus
■ More staff
■ Developer education
■ Better tools
■ Campus policy

The New Security Concept

The SAFEWEB Campaign Objectives
■ Application development standards with an emphasis on security.
■ Data classification policies.
■ Secure server environments that support the defined data classifications.
■ Auditing policies and processes to ensure adherence to the standards.
■ Minimum training requirements for application development, database administration and server administration.

Administrative Effect

■ Buy-in from Provost staff and the Council of Deans
■ Campus developer education opportunities to gain support
■ IAT Services process changes

Administrative Effect

■ Vastly increased turnaround time
■ Better code, with fewer vulnerabilities
■ Better communication with campus developers
■ Standardized code for key functions

Research Effect

Research Systems Inspections
■ I3
■ “Departmental Back-Up Web Server”

■ Researcher awareness
■ Graduate student benefits

Classroom Effect

■ Faculty Collaboration
■ Guest Lecture Series
■ Classroom Software Pilot

Classroom Effect

Guest Lecture Series
■ General Security Awareness
■ Digital Millennium Copyright Act
■ Web Application Security Basics
■ Payment Card Industry Data Security Standard
■ Information Security Auditing and Tools

Classroom Effect

“In the auditing environment today technology plays a very large part in what we will be doing. After this presentation I was given insight into various tools that companies I might be auditing could be implementing.”
Anonymous Student – Information Assurance

“[the]…presentation really does help to validate our course content. Students seem to better appreciate the value of controls when someone who actually deals with them on a daily basis emphasizes their importance.”
Dr. Elaine Mauldin – Professor, Information Assurance

Classroom Effect

Report Details
■ Severity
■ File Name(s)
■ Summary
■ Execution
■ Implication
■ Fix
■ References

Classroom Effect

Management Console Look at Student Learning

Classroom Effect

Student survey responses:

I would use this tool outside of this class to ensure the security of my code if it were generally available: Mostly Agree / Mostly Agree

I would recommend the use of this tool to others if it were generally available: Mostly Agree / Mostly Agree

I learned something from the use of this software: Mostly Agree / Totally Agree

I appreciated the inclusion of security related topics in this course: Totally Agree / Totally Agree

I am more concerned about the security of my code now than I was before using the software: Totally Agree / Totally Agree

Classroom Effect

“… I truly believe that my students learned more about web security by using this software in the Web App II class. … I think Computer Science and SISLT should consider using this system in the future.”
Chris Amelung – Course Instructor, Web Application Development II

Q&A

■ SafeWeb Initiative: http://safeweb.missouri.edu
■ Application Security Software: http://www.spidynamics.com
■ Presenter Contact: brokkena@missouri.edu
