an approach to app security - for beginners
TRANSCRIPT
An Approach to Application Security
For beginners
#vodqa
Hi!
Why are you here?
Reference: https://www.owasp.org
Identify Security
Objectives
Application Overview
Decompose Application
Identify Threats
Identify Vulnerabilities
Agenda
Introduction and case study
High-level threat modeling
Application threat modeling
Vulnerability Testing
References
Case study
Background
Have food industry background
Known network of food critics
Business and Investment numbers
Start-up
Venture capital investment: ~$10mn
Number of employees: 50
Hired contractors for development
Application strategy
Food critics write and read reviews
In the future, plans to extend ads to hotels for revenue
Critical assets
Customers (food critics)
Credibility
Mockups
Phases in our delivery lifecycle
Inception (Business Feasibility Study and Requirement Gathering)
Design thinking and tech analysis
Development
Testing
Release
Inception
Participants
Business stakeholders: CTO, CFO, Tech architect
Delivery team: BA, Tech lead, QA, Tech architect, developers (optional)
High-level Threat modeling
Structured, shared understanding of what could go wrong
Incorporate security thinking throughout our software delivery
Vocabulary to record and talk about possible threats
Understand the security threats that your client is facing
Understand the stakeholders’ concerns
ASK!
Split up in delivery teams
What are the services and people that are a part of YourFeedback’s ecosystem?
Employees?
Hotels?
App users?
Government?
Cloud systems?
Actors : People and services within a system
But first, why protect anything?
What does YourFeedback app want to protect?
CIA Triad
Confidentiality
Integrity
Availability
What does YourFeedback app want to protect?
Reviews?
Customer information?
Logs?
Server?
Asset : Device, data or service that needs to be protected
Who might attack YourFeedback’s assets?
Competitors?
Application users?
Firewall?
Hacktivists?
Government?
Other app in the same network?
Attacker : People/services that intentionally, or unintentionally, compromise an asset
What are we protecting our assets against?
Threat : A cause of a possible incident that could lead an attacker to attack an asset
(Diagram: Attacker, Threat, Asset)
Assets
● Reputation, credibility
● Investors
● Application
● Servers
● Code
● Reviews
● Customer data
● Audit/financial data
● Investment
● Application / Server Logs
Attackers
● Business competitors
● Application user
● Hotel owners
● Investor’s competitors
● Hotel’s competitors
● Hackers
● Firewall
● Delivery team
● Employees
● Hacktivists
(Sample List)
Identifying threats and risk
Assets
● Reputation, credibility
● Investors Info
● Application
● Servers
● Code
● Reviews
● Customer data
● Audit/financial data
● Investment
● Application / Server Logs
Attackers
● Business competitors
● Application user
● Hotel owners
● Investor’s competitors
● Hotel’s competitors
● Hackers
● Firewall
● Delivery team
● Employees
● Hacktivists
(Sample List)
More terminologies
Mitigation : Ways to counterbalance a threat
Vulnerability : An un-mitigated or insufficiently mitigated threat
Risk : An onset of a threat on a vulnerability
(Diagram: Threat, Vulnerability, Mitigation)
Risk Magic Quadrant (axes: Impact, Probability)
Our Risk Magic Quadrant (examples)
Axes: Probability, Impact
Application user giving unfair reviews
Application user misusing customer data
Hotel owner changing reviews in favor of themselves
Business competitors bringing down reputation and credibility
Hackers bring down reputation and credibility
Firewall brings down the server
Business competitors catching hold of investment details
Employees disclosing customer data
Design thinking
Tech analysis
Participants
Business stakeholders: Tech team (if distributed team)
Delivery team: BA, Tech lead, QA, Tech architect, developers
Application Threat Modeling
Structured, shared understanding of what could go wrong in identified threats
Incorporate security thinking into user stories and design
Threat awareness for the delivery team
Understand protection mechanisms
But first, in what ways can attackers attack?
Example - STRIDE
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of privileges
Application Threat Modeling : Attack Trees
Goal: Open safe
Ways:
  Break open
  Learn combination
    Find written combination
      Look into emails/chats
      Look into personal diary/notebooks
      Check notes in laptop
    Get combination from someone
      Social engg
      Phishing
  Pick lock
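The "Open safe" tree above, written out as an added example (not code from the deck): every level is an OR node, so each root-to-leaf path is one way to reach the goal. The mitigation table is a constructed assumption; a path with no mitigated step is what the deck later calls a vulnerability.

```python
from typing import Dict, List, Tuple

# Attack tree from the slide: the goal is the root, each entry lists the
# alternative ways (OR branches) of achieving its parent.
OPEN_SAFE: Dict[str, List[str]] = {
    "Open safe": ["Break open", "Learn combination", "Pick lock"],
    "Learn combination": ["Find written combination", "Get combination from someone"],
    "Find written combination": ["Look into emails/chats",
                                 "Look into personal diary/notebooks",
                                 "Check notes in laptop"],
    "Get combination from someone": ["Social engg", "Phishing"],
}


def attack_paths(tree: Dict[str, List[str]], goal: str) -> List[Tuple[str, ...]]:
    """Every goal-to-leaf path, as a tuple of node names (root first)."""
    children = tree.get(goal, [])
    if not children:
        return [(goal,)]
    return [(goal,) + path for child in children for path in attack_paths(tree, child)]


def unmitigated_paths(tree: Dict[str, List[str]], goal: str,
                      mitigated: Dict[str, str]) -> List[Tuple[str, ...]]:
    """Paths on which no step has a mitigation: the deck's definition of a
    vulnerability (an un-mitigated or insufficiently mitigated threat)."""
    return [path for path in attack_paths(tree, goal)
            if not any(step in mitigated for step in path)]


# Constructed example of mitigations a team might record (assumption, not from the deck).
MITIGATED: Dict[str, str] = {
    "Break open": "safe rated against forced entry",
    "Pick lock": "high-security lock with tamper evidence",
    "Phishing": "awareness training plus mail filtering",
}

if __name__ == "__main__":
    # Prints the four paths that still have no mitigation on them.
    for path in unmitigated_paths(OPEN_SAFE, "Open safe", MITIGATED):
        print(" -> ".join(path))
```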
What will bring our business down?
Lose Customers
Lose Credibility
Targeted Marketing - By Competitors
Unrelated/Unfair reviews
Competitors release attractive features before YourFeedback.com
Application is not usable.
Application is not performing as expected.
Illegitimate/Offensive content posted on the site.
Business owners have lost personal credibility.
Has been proved to be hacked at least once.
Let’s see how one of those goals can be achieved by an attacker
Attack threats for you to pick up
Display unreliable reviews
Make application unusable for users
Offensive/illegitimate content posted on the sites
Targeted marketing (by competitors/hotel owners)
Competitors release attractive features before us
Application is not performing as expected for business
Make the App not usable by user
Goal: Make the App not usable
Ways:
Existing users are not able to Login
Redirect to another website
Bring the server down
Change Password
Delete User
Creating too much load
Sending too many asynchronous calls
Hide content on page load
Stop users from viewing/reading content of website
Show popup on page load
Getting access to DB server
Show pop up on any click
Make website/browser too slow
Access the DB through application
Creating load on Database
Show irrelevant content on top of actual page content
Running too many scripts on page load
Goal: Display unreliable reviews
Ways:
Login as existing member
Phishing
Change directly in database
Bypass login
Social engineering
Find password
Add new member
Bug in login
Get Password
Post wrong reviews
Goal: Offensive/illegitimate content posted on the sites
Ways:
Offensive content in the review section
Run a script with offensive images
Login as existing user and post review
Add a new user and post review
Add offensive content and image in the information PDF
Load illegitimate image on page load
Get password
Bug in login
Get access to DB server
Goal: Targeted marketing (by competitors/hotel owners)
Ways:
Capture attention by ads
Call/email customers directly
Get customer info
Post ads in our feedback app
Get customers to visit competitor’s sites
Social engineering
Goal: Competitors market new attractive features before Yourfeedback.com
Ways:
Get access to staging or pre-prod environment
Get access to project management system
Accessing development branch to get active code
Development
Testing
Vulnerability Identification
Vulnerability is an unmitigated or insufficiently mitigated threat
OWASP Top 10 Vulnerabilities : A Start
SQL Injection
Server-side attack
Misuses interpreter to attack database
Different types of SQL injections: Error-based, Blind etc.
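An added example (not the deck's vulnerable or fixed app) of the "misused interpreter" on the slide and of its mitigation: the login query built by string concatenation beside the parameterised version, which is what an ORM does underneath. The in-memory table and its row are constructed for the demo.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """In-memory users table with one constructed row (not the deck's app)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    # A real app stores a salted password hash; the literal here is a stand-in.
    conn.execute("INSERT INTO users VALUES ('critic1', 'hash-of-secret')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    # The input is pasted into the SQL text, so the interpreter treats quotes
    # and comment markers inside it as SQL syntax rather than as data.
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password_hash = '%s'" % (username, password_hash))
    return conn.execute(query).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    # Parameterised query: the driver sends the values separately from the SQL
    # text, so they can only ever be compared as strings, never parsed as SQL.
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    try:
        return conn.execute(query, (username, password_hash)).fetchone() is not None
    except sqlite3.Error:
        # "Configure error reporting": log server-side, never echo driver errors
        # (table names, SQL fragments) back to the client.
        return False


if __name__ == "__main__":
    db = setup_db()
    # Constructed input that closes the quoted string and comments out the rest.
    bad_input = "' OR '1'='1' --"
    print("vulnerable:", login_vulnerable(db, bad_input, "x"))  # True: login bypassed
    print("fixed:", login_fixed(db, bad_input, "x"))            # False: treated as a name
```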
Cross-Site Scripting (XSS)
A type of injection
Client-side attack
Misusing powers of HTML, JavaScript, CSS etc.
Types:
Reflective
Persistent
(Diagram: Reflective XSS)
(Diagram: Persistent XSS)
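An added example (not from the deck) of persistent XSS in the review section and of the two mitigations the deck lists later, auto-escaping and a Content Security Policy. The stored review is a constructed input.

```python
import html

# Constructed stored review containing markup (persistent XSS: it is saved once
# and then rendered to every visitor who reads the review page).
STORED_REVIEW = {"author": "critic1",
                 "text": '<script>alert("xss")</script> Great pasta!'}


def render_vulnerable(review: dict) -> str:
    # User-controlled text is pasted into the HTML unchanged, so the browser
    # parses and runs whatever markup it contains.
    return "<li><b>%s</b>: %s</li>" % (review["author"], review["text"])


def render_fixed(review: dict) -> str:
    # Auto-escape on output: every user-controlled value is HTML-escaped, so
    # '<' becomes '&lt;' and is displayed as text rather than parsed as a tag.
    return "<li><b>%s</b>: %s</li>" % (html.escape(review["author"]),
                                      html.escape(review["text"]))


def security_headers() -> dict:
    # Content Security Policy as defence in depth: even if markup slips through,
    # inline scripts and scripts from other origins are not executed.
    return {"Content-Security-Policy":
            "default-src 'self'; script-src 'self'; object-src 'none'"}


if __name__ == "__main__":
    print(render_vulnerable(STORED_REVIEW))  # contains a live <script> tag
    print(render_fixed(STORED_REVIEW))       # shows &lt;script&gt; as plain text
    print(security_headers())
```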
Path Traversal
Access or execute command on restricted directories or files outside the web root folder
a.k.a. ‘dot-dot-slash’, ‘directory traversal’, ‘directory climbing’ or ‘backtracking’
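An added example (not from the deck) for the information-PDF download: the URL parameter appended straight onto the folder beside the deck's suggested fix, a lookup (search) by document id plus a containment check. DOCS_ROOT and the catalogue are constructed placeholders.

```python
import os
from typing import Optional

# Assumed folder that holds the information PDFs (placeholder, not from the deck).
DOCS_ROOT = "/srv/yourfeedback/docs"

# "Search function instead of appending from URL": the URL carries a document id,
# which is looked up in a catalogue the application controls (constructed).
CATALOGUE = {"menu": "menu.pdf", "about": "about-us.pdf"}


def resolve_vulnerable(filename: str) -> str:
    # The URL parameter is appended to the folder as-is; '../' segments climb
    # out of DOCS_ROOT once the path is normalised.
    return os.path.normpath(os.path.join(DOCS_ROOT, filename))


def resolve_fixed(filename: str) -> Optional[str]:
    """Return the absolute path only if it stays inside DOCS_ROOT, else None."""
    base = os.path.realpath(DOCS_ROOT)
    target = os.path.realpath(os.path.join(base, filename))
    # commonpath also catches absolute filenames, which join() would accept whole.
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def lookup_document(doc_id: str) -> Optional[str]:
    """Map a user-supplied id to a file via the catalogue, then containment-check it."""
    filename = CATALOGUE.get(doc_id)
    return resolve_fixed(filename) if filename else None


if __name__ == "__main__":
    print(resolve_vulnerable("../../../etc/passwd"))   # /etc/passwd: climbed out
    print(resolve_fixed("../../../etc/passwd"))        # None: rejected
    print(lookup_document("menu"))                     # path under DOCS_ROOT
```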
Demo
Let’s test
Access the DB from the application
Change Password
Delete User
Hide actual page content on Page load
Show popup on Page load
Redirect to another website
Mitigations/Suggestions
SQL Injections :
Input Validation, like use of ORM.
Limit Database Permission
Configure Error Reporting
Path Traversal :
Use of search function instead of appending from URL.
XSS :
CSP - Content Security Policy
Use AutoEscape
Input validation
Tool Examples
Zed Attack Proxy
BurpSuite
IronWASP
Fiddler
TamperData
Websecurify
XSS Me, SQL Inject Me etc.
References
Vulnerable application: https://github.com/jaydeepc/vul_feedback_app
Fixed application: https://github.com/jaydeepc/non_vul_python_app
https://www.thoughtworks.com/insights/blog/appsec101-welcoming-all-roles-world-security
https://www.owasp.org
Thank you!
Presenters: Harinee Muralinath ([email protected]), Jaydeep Chakraborty ([email protected])
Volunteers: Nagesh Kumar, Shraddha Suman, Navya Bailkeri, Fathima Harris, Pallipuspa Samal, Astha Jaiswal, Hitesh Sharma