Post on 27-Dec-2015
TRANSCRIPT

  • Slide 1
  • Developing a Secure Web Application. PwC Information Security, April 2007. Hui Zhu, Information Security Architect, Information Security, 416 9418383 Ext. 13238, [email protected]. Adrien Mak, Director, IT Advisory, Cell: 416-721-4613, Office: 416-365-8191, [email protected].
  • Slide 2
  • PricewaterhouseCoopers Date Page 2 [Slide to be removed] Presenter: Adrien Mak & Hui Zhu. Session Title: Developing a Secure Web Application. Session Description: The session will review web application security issues, with demonstrations of common vulnerabilities, using a case study of a web application development project as a backdrop. We will present how to incorporate security elements into the Systems Development Life Cycle (SDLC) to improve the security of the application design and implementation. This will include elements such as a web application security framework, security requirement study, threat modeling, security testing, code review, and operational security.
    Content development notes. Formatting: to be fixed and aligned with the PDit/CIPS template if provided; colour to be adjusted; adjust footer to include PDIT or CIPS, or EnergiseIT; have marketing review and polish. Content: overall tighten up the presentation with fewer slides; collapse section 3 and refer to external methodologies and tools; add the case study on the payment registration web application (sanitize first); tighten up summary / key messages.
  • Slide 3
  • Agenda: 1. Facts of Web Application Security 2. Web Application Vulnerability Classification 3. Case Study: Developing a Secure Web Application 4. Integrate Web Application Assessment and Code Review. "A few lines of code can wreak more havoc than a bomb." - Tom Ridge, former Secretary of the U.S. Department of Homeland Security
  • Slide 4
  • Agenda: 1. Facts of Web Application Security 2. Web Application Vulnerability Classification 3. Case Study: Developing a Secure Web Application 4. Integrate Web Application Assessment and Code Review
  • Slide 5
  • The Facts of Application Security. Industry perspectives: 75% of attacks today happen at the application layer (Gartner). The cost of correcting code in production increases up to 100 times compared with correcting it in development (MSDN, November 2005). PwC perspectives: 95% of the apps we tested had serious security bugs! 100% of 5-year-old apps have serious security bugs. The cost and reputation savings of avoiding a security breach are priceless.
  • Slide 6
  • Why Application Risks Occur. Application architects and developers don't know security: "As an Application Developer, I can build great features and functions while meeting deadlines, but I don't know how to develop my web application with security as a feature." Security professionals don't know the applications: "As a Network Security Professional, I don't know how my company's web applications are supposed to work, so I deploy a protective solution but don't know if it's protecting what it's supposed to." Between the two lies the Application Security Gap. Source: The Hacker Evolution: New Trends in Application Vulnerabilities and Exploits, Tom Speigner, SPI Dynamics.
  • Slide 7
  • What are the typical threats applications face? Architecture shown on the diagram: Client (Browser) - HTTP (tcp/80 and SSL https/443) - Firewall - Web server (PHP, Perl, ASP.Net, J2EE) - Application server - Database binding (ODBC, JDBC, ADO, SQLNet) - SQL database / mainframe. Threats annotated on the diagram, in three groups:
    - Cross-site scripting, spoofing, privacy, sniffing, man-in-the-middle, session hijack
    - Buffer overflow, format string, directory traversal, default accounts, sample applications
    - Input validation, output validation, metacharacters, buffer overflow, SQL injection, commands, misconfiguration
  • Slide 8
  • Business Threats (threat sources by category, and the resulting business impact):
    - Internal Threat: developer, sys admin, internal staff, app admin
    - Environmental Threat: power failure, fire, other natural disaster
    - External Threat: hacker, activist, industry spy, foreign government, intelligence agents
    - Inappropriate Action: application user, accidental human error, deliberate human error
    - IT Malfunction: computer component failure, network failure, hardware failure, software bug, ISP failure
    - Impact: financial loss, loss of IP, loss of trade secrets, privacy non-compliance, business interruption, loss of reputation, loss of customer confidence, industry espionage, impact on productivity, cost, revenue
  • Slide 9
  • Agenda: 1. Facts of Web Application Security 2. Web Application Vulnerability Classification 3. Case Study: Developing a Secure Web Application 4. Integrate Web Application Assessment and Code Review
  • Slide 10
  • PwC Web Application Vulnerability Classification:
    - Input Validation: script injection, SQL injection, OS command injection, LDAP injection, cross site scripting (XSS), buffer overflow, input validation evasion
    - Business Logic: need to know, separation of duty, reconciliation, transaction integrity
    - Authentication: authentication request security, authentication bypass, user name, password quality, password reset, password lockout, user name enumeration, authentication replay
    - Authorization: parameter manipulation, input manipulation, authorization, application flow controls, access control matrix compliance, least privilege
    - Session Management: session token security, session timeout, session reuse, session deletion, session storage, session token connect
    - Data Protection: sensitive data in HTML, data storage, SSL security, data transport security, client-side data security
    - Configuration Hardening: HTTP methods, known vulnerabilities / security patches, back-up files, obsolete files, web server configuration, infrastructure admin interface, application admin interface
    - Logging: transaction log, authentication log, error log
    - Architecture: network security, server security, database security, perimeter security
    - Operation: backup and recovery, problem management, incident response, BCP and DRP
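As an added illustration of the Input Validation category above (example code written for this transcript, not from the PwC deck or its case study): a user lookup that splices input into SQL text beside its parameterised form, an HTML greeting with and without output encoding, and an allow-list check for the user name field. The in-memory user table, the probe string and the user name policy are constructed for the example.

```python
import html
import re
import sqlite3

# Constructed sample data standing in for the application's user table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

# --- Input Validation / SQL Injection ----------------------------------

def lookup_vulnerable(conn, name):
    # The untrusted value becomes part of the SQL text, so quote and OR
    # metacharacters in `name` rewrite the query instead of being data.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, name):
    # Parameterised query: the driver binds `name` as a value; the query
    # shape is fixed no matter what the string contains.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

# --- Input Validation Evasion: allow-list the field before use ----------

# Assumed policy for this example: user names are 1-32 lower-case letters,
# digits or underscores. A strict allow-list rejects metacharacters outright.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")

def is_valid_username(name):
    return USERNAME_RE.fullmatch(name) is not None

# --- Cross Site Scripting / output validation ---------------------------

def greeting_vulnerable(name):
    # Untrusted input copied into HTML unencoded: markup in `name` is rendered.
    return "<p>Hello " + name + "</p>"

def greeting_hardened(name):
    # Output encoding: <, >, &, " and ' are escaped, so `name` stays text.
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"

if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"   # constructed metacharacter-bearing input
    print("vulnerable:", lookup_vulnerable(db, probe))   # returns every row
    print("hardened:  ", lookup_hardened(db, probe))     # returns []
    print("validated: ", is_valid_username(probe))       # False
    print(greeting_hardened("<b>x</b>"))
```

The allow-list check and the parameterised query are complementary, not alternatives: validation rejects malformed input at the boundary, and parameter binding keeps the query shape fixed even for fields where a strict pattern is impossible.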
  • Slide 11
  • Demo [5 minute demo/walkthrough of web application vulnerability classifications]
  • Slide 12
  • Agenda: 1. Facts of Web Application Security 2. Web Application Vulnerability Classification 3. Methodology and Approach 4. Case Study: Developing a Secure Web Application
  • Slide 13
  • Integrate Security Processes into the SDLC
  • Slide 14
  • Proposed Secure SDLC (SDLC phase: process / document / owner):
    - Requirement: Security requirement engineering / Security requirement template / Software Architect
    - Design: Threat modeling / Threat modeling guideline and template / Security Analyst; Security design and architecture review / Security architecture standard and guideline / Security Analyst
    - Development: Secure coding / Secure coding guideline / Developers; Peer review / Peer review security checklist / Developers
    - Test: Security assessment / Security assessment guideline / Security Analyst; Security source code review / Source code review security checklist / Security Analyst
    - Deployment: Security review / Deployment security checklist and guideline / Security Analyst; Penetration testing / (no document listed) / Security Analyst
    - Operation: Security assessment and audit / (no document listed) / Security Analyst; Security monitoring / Security monitoring procedure / Operations; Incident response / Incident response procedure / Operations; Disaster recovery plan / (no document listed) / Operations
  • Slide 15
  • Key SDLC Processes - Security Requirement Engineering. Approach: interview stakeholders; review relevant security documents (regulatory, law, contract, policy); high-level risk assessment. Security requirements include requirements for confidentiality, integrity, availability, non-repudiation, authentication and authorization.
  • Slide 16
  • Key SDLC Processes - Threat Modeling. Approach:
    - Establish the security context: security requirements; application use scenarios (public, anonymous, registered, internal admin, etc.); external dependencies (network, system, application, environment, COTS, modules, etc.); trust boundaries; security assumptions
    - Threat analysis: Data Flow Diagram (DFD) analysis at various levels for architecture-level and detailed-design threat modeling
    - Risk rating
    - Mitigation selection
    - Iteration
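The threat-modeling steps above, worked as an added example (not from the deck or its case study): a tiny DFD model whose elements sit in trust zones, a check for flows that cross a trust boundary, threats rated on an assumed scale (the deck names "risk rating" but gives no scale, so this uses likelihood 1-5 times impact 1-5), mitigation selection, and a re-ranking pass on residual risk that stands in for the iteration step. The elements, zones, threats and thresholds are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed rating scheme: likelihood 1..5 x impact 1..5; High >= 15, Medium >= 8.
HIGH_THRESHOLD = 15
MEDIUM_THRESHOLD = 8

@dataclass
class DataFlow:
    """One DFD data flow between two elements, each placed in a trust zone."""
    name: str
    source: str
    dest: str
    zones: Dict[str, str]   # element name -> trust zone (constructed)

    def crosses_trust_boundary(self) -> bool:
        # A flow whose endpoints sit in different zones crosses a boundary,
        # which is where the threat analysis concentrates.
        return self.zones[self.source] != self.zones[self.dest]

@dataclass
class Threat:
    flow: str
    description: str
    likelihood: int
    impact: int
    mitigation: str = ""
    residual_likelihood: Optional[int] = None  # set by mitigation selection

    def score(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> int:
        # Rating after the selected mitigation; unchanged if none selected.
        like = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        return like * self.impact

def rating(score: int) -> str:
    if score >= HIGH_THRESHOLD:
        return "High"
    if score >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"

def boundary_crossings(flows: List[DataFlow]) -> List[str]:
    return [f.name for f in flows if f.crosses_trust_boundary()]

def select_mitigation(threat: Threat, mitigation: str, new_likelihood: int) -> Threat:
    # Mitigation selection: record the control and the likelihood it leaves.
    threat.mitigation = mitigation
    threat.residual_likelihood = new_likelihood
    return threat

def prioritise(threats: List[Threat]) -> List[Threat]:
    # Iteration: re-rank on residual risk after each round of mitigation.
    return sorted(threats, key=lambda t: t.residual(), reverse=True)

def build_sample_model():
    # Constructed model: a browser in the internet zone, the web app in a
    # DMZ, the database on the internal network.
    zones = {"browser": "internet", "web_app": "dmz", "db": "internal"}
    flows = [
        DataFlow("login_request", "browser", "web_app", zones),
        DataFlow("user_query", "web_app", "db", zones),
        DataFlow("template_cache", "web_app", "web_app", zones),
    ]
    threats = [
        Threat("login_request", "credentials sniffed in transit (no SSL)", 4, 5),
        Threat("user_query", "SQL injection through unvalidated login field", 3, 5),
        Threat("login_request", "session token replay after timeout", 2, 3),
    ]
    return flows, threats

if __name__ == "__main__":
    flows, threats = build_sample_model()
    print("boundary crossings:", boundary_crossings(flows))
    select_mitigation(threats[0], "require SSL for all client traffic", 1)
    for t in prioritise(threats):
        print(f"{rating(t.score()):6} -> {rating(t.residual()):6}  {t.flow}: {t.description}")
```

Keeping likelihood and impact as separate fields matters for the iteration step: a mitigation normally lowers likelihood but leaves impact untouched, so the residual rating stays honest about what a control does and does not change.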
  • Slide 17
  • PwC Application Security Assessment and Code Review Services. Summary: The application security assessment and code review service takes an integrated approach to application security issues. The service is performed by qualified PwC security personnel to give clients a comprehensive understanding of their current application security posture and its impact on the business, and to outline areas for improvement that would ensure compliance with their business security requirements and alignment with their business objectives. Advantages: save cost and minimize the impact on application operation; ensure completeness and improve efficiency of application security assessment and code review; security assessment and source code review are customized and prioritized based on the client's specific application security profile; integrating code review with assessment promotes cross-verification of the findings and ensures the accuracy of the results. Key Points: Each engagement contains objectives specific to the client's needs. Our methodology is intended to be universally applicable regardless of technology, architecture or scope, but adaptive to individual clients' security objectives and requirements. The key points of our service are: to provide a strong risk management framework for testing; to provide a risk- and business-based focus to testing and provide results that link to business objectives and risk; to ensure maximum value and validity of test results by optimizing the testing to balance risk with depth of testing; to provide comprehensive root cause analysis of findings to allow for the development of strategic solutions.
  • Slide 18
  • Security Source Code Review: Review application source code in accordance with the test plan and test procedure to evaluate security architecture and coding security, and to identify security weaknesses and vulnerabilities. Objective: determine security weaknesses and vulnerabilities in application source code. Approach: review for common application vulnerabilities; review for design deficiencies; review for malicious code; review for business logic design flaws; vulnerability analysis and verification.
    Runtime Security Assessment: Perform runtime security assessment in accordance with the test procedure to identify weaknesses and vulnerabilities and to determine the effectiveness and efficiency of the security controls. Objective: identify application weaknesses and vulnerabilities through runtime security assessment. Approach: application infrastructure security testing; application design and coding security testing; business logic security testing; vulnerability analysis; vulnerability verification.
    Application Security Baseline: Establish an application security baseline covering security requirements, data assets, threats and risks, and controls; develop the test plan and test procedure. Objective: determine the application security profile in order to plan and prioritize the assessment. Approach: application security requirement gathering; application technology survey; threat modeling; application security baseline development; application test plan and procedure development.
    Report: Analyze the findings, evaluate the risk and business impact, and generate a report with an executive summary as well as technical details of the findings and recommendations. Objective: evaluate and report the findings and recommendations. Approach: risk assessment and business impact analysis; reporting.
    Diagram: Integrated Application Security Approach - Application Security Assessment and Code Review (dated April 27, 2006). Lettered steps: A Security requirement gathering, B Threat modeling, C Test plan and procedure, D Application testing, F Vulnerabilities analysis, G Source code security profiling, H Code security review, I Code security verification, J Risk assessment, K Reporting. The diagram also shows a Vulnerability verification step, a Formal Approval Point, and a step E whose label is not legible in the extraction.
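For the "review for common application vulnerabilities" step of the source code review above, an added example (not PwC's tooling and not from the deck): a small Python AST check that flags database execute-style calls whose query text is assembled at runtime by concatenation, % formatting, f-strings or str.format(), while leaving parameterised calls alone. The source under review and the list of sink method names are constructed for the example.

```python
import ast
from typing import List, Tuple

# Constructed source under review: the common ways query text gets built
# from runtime values, plus one parameterised call that should pass.
SAMPLE_SOURCE = '''
def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")

def find_user_fmt(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '%s'" % name)

def find_user_fstr(cursor, name):
    cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")

def find_user_format(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '{}'".format(name))

def find_user_safe(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = ?", (name,))
'''

# DB-API style sink methods (assumed list for this example).
SINK_METHODS = {"execute", "executemany", "executescript"}

def has_runtime_value(node: ast.AST) -> bool:
    # Anything that is not a literal: names, attribute lookups, calls,
    # subscripts, or the {...} parts of an f-string.
    return any(isinstance(n, (ast.Name, ast.Attribute, ast.Call,
                              ast.Subscript, ast.FormattedValue))
               for n in ast.walk(node))

def builds_string_at_runtime(node: ast.AST) -> bool:
    # "a" + x  or  "..." % x   (pure literal concatenation is left alone)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return has_runtime_value(node)
    # f"...{x}..."
    if isinstance(node, ast.JoinedStr):
        return has_runtime_value(node)
    # "...".format(x)
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False

def find_dynamic_sql(source: str) -> List[Tuple[int, str]]:
    """Return (line, sink) for each sink call whose query text is dynamic."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if (node.func.attr in SINK_METHODS and node.args
                and builds_string_at_runtime(node.args[0])):
            findings.append((node.lineno, node.func.attr))
    return sorted(findings)

if __name__ == "__main__":
    for line, sink in find_dynamic_sql(SAMPLE_SOURCE):
        print(f"line {line}: {sink}() called with query text built at runtime")
```

A check like this is deliberately conservative: it reports every sink whose first argument is built at runtime, and the reviewer decides whether the values involved are trusted. That matches the deck's pairing of code review with runtime assessment, where a flagged call is confirmed or cleared by vulnerability verification rather than by the scanner alone.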
  • Slide 19
  • Agenda: 1. Facts of Web Application Security 2. Web Application Vulnerability Classification 3. Methodology and Approach 4. Case Study: Developing a Secure Web Application
  • Slide 20
  • Case Study: Developing a Secure Web Application. Sample web application development projects; security requirement engineering.
  • Slide 21
  • Security Requirement Engineering
  • Slide 22
  • Threat Modeling
  • Slide 23
  • Integrated Security Assessment and Code Review
  • Slide 24
  • Agenda: 1. Facts of Web Application Security 2. Web Application Vulnerability Classification 3. Methodology and Approach 4. Case Study: Developing a Secure Web Application 5. Summary
  • Slide 25
  • Summary - Developing a Secure Web Application (practice: benefit):
    - Develop an SDLC security policy: ensures the requirement for application security is well communicated
    - Develop SDLC security standards, guidelines and procedures: ensures processes are in place to manage development security; ensures all applications comply with the SDLC security policy; communicates specific application security requirements to the application team
    - Adopt threat modeling: identifies security vulnerabilities; increases awareness of application architecture
    - Train the development team: avoids common security defects; ensures correct application of security technologies
    - Code review: secures code that accesses the network, runs by default, uses unauthenticated protocols, or runs with elevated privileges
    - Security assessment: identifies critical security vulnerabilities and exposures through an independent party
    - Assign responsibility: establishes responsibility and accountability for application security
  • Slide 26
  • Summary - Critical Thinking Questions. People: What is the software development organization structure? What security skills does the project team have? Can any resources with security skills be allocated to the project? Does the QA or security team have the capability to perform application security assessment? Process: Is IT governance established? Is a formal SDLC practiced? What software quality management practices are in place? What security processes are necessary to achieve the application security objective? Technology: Are security standards and guidelines in place? Are security testing tools available?
  • Slide 27
  • Thank you. 2007 PricewaterhouseCoopers LLP, Canada. PricewaterhouseCoopers refers to PricewaterhouseCoopers LLP, Canada, an Ontario limited liability partnership, or, as the context requires, the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity. *connectedthinking is a trademark of PricewaterhouseCoopers LLP.