Evolution of Application Security Winning in the Era of the One-sided Game John South Chief Security Officer Heartland Payment Systems


Page 1: Evolution of Application Security · OWASP Project – OWASP Top 10 – What has changed since 2010 ... OWASP View of the Problem . OWASP View of the Problem 2007: 1. A1 - Cross Site

Evolution of Application Security

Winning in the Era of the One-sided Game

John South

Chief Security Officer

Heartland Payment Systems

Page 2:

Strategic Asymmetry – a One-Sided Game

The concept of a one-sided game is that one side holds an inherent advantage throughout the game.

Premise – security in the application development world:

Illustrates a threat model where the attacker has a distinct advantage.

The vectors being exploited have been with us for a number of years.

Developers are moving to newer technologies thinking that they are eliminating old threats – only to find newer ones they haven’t anticipated.

Page 3:

Strategic Asymmetry

www.darkreading.com/database-security/167901020/security/news/231901236/mass-sql-injection-attack-hits-1-million-sites.html

Page 4:

Pick a Statistic

Veracode, State of Software Security Report: The Intractable Problem of Insecure Software, Apr 2011, pg 18

Page 5:

OWASP View of the Problem

OWASP Project – OWASP Top 10 – What has changed since 2010

Page 6:

OWASP View of the Problem

2007:

1. A1 - Cross Site Scripting (XSS)
2. A2 - Injection Flaws
3. A3 - Malicious File Execution
4. A4 - Insecure Direct Object Reference
5. A5 - Cross Site Request Forgery (CSRF)
6. A6 - Information Leakage and Improper Error Handling
7. A7 - Broken Authentication and Session Management
8. A8 - Insecure Cryptographic Storage
9. A9 - Insecure Communications
10. A10 - Failure to Restrict URL Access

2004:

1. A1 - Unvalidated Input
2. A2 - Broken Access Control
3. A3 - Broken Authentication and Session Management
4. A4 - Cross Site Scripting
5. A5 - Buffer Overflow
6. A6 - Injection Flaws
7. A7 - Improper Error Handling
8. A8 - Insecure Storage
9. A9 - Application Denial of Service
10. A10 - Insecure Configuration Management

Page 7:

Why are these still threats?

Is it too tough to drive these issues out of our development programs?

Over the course of 10+ years, why do we still have SQL injection problems?

Are universities under-representing the problem of security in their course work? If so, why?

Is the churn of developers a problem for stabilizing the issue?

Page 8:

Can a Newer Technology Save us?

Will moving to NoSQL databases solve the problem of injection attacks?

Short answer: perhaps for SQL injection.

Longer answer: No.

New classes of injection attacks:

Query: creating unsafe queries via string concatenation.

Schema: inserting a record into a schema that does not exist will automatically create the new schema.

JavaScript: $where and db.eval() take JavaScript functions as parameters.
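The injection classes just listed, shown as an added example that is not part of the slides: operator injection through an untrusted JSON body, and string concatenation into a `$where` clause, each beside a hardened builder. No database is needed; a tiny in-memory matcher (supporting only `$gt` and `$ne`) stands in for the query engine, and the user collection, the field names and the function names are all constructed for the demo.

```javascript
// Added example, not from the slides. A minimal stand-in for a MongoDB-style
// query engine plus vulnerable and hardened filter builders.

// Constructed sample collection.
const SAMPLE_USERS = [
  { user: 'alice', pass: 's3cret' },
  { user: 'bob', pass: 'hunter2' },
];

// Evaluate one filter value against one document field the way a query engine
// does: a plain object is an operator document, anything else is an equality test.
function matchesValue(actual, expected) {
  if (expected !== null && typeof expected === 'object' && !Array.isArray(expected)) {
    const ops = Object.entries(expected);
    // An empty object is an equality test against {}, which no string field satisfies.
    if (ops.length === 0) return false;
    return ops.every(([op, arg]) => {
      if (op === '$gt') return actual > arg;
      if (op === '$ne') return actual !== arg;
      throw new Error('operator not supported by this demo matcher: ' + op);
    });
  }
  return actual === expected;
}

// Number of documents the filter selects.
function countMatches(docs, filter) {
  return docs.filter((doc) =>
    Object.entries(filter).every(([field, v]) => matchesValue(doc[field], v))).length;
}

// Class 1, vulnerable: request-body values go straight into the filter. When the
// body was parsed from JSON, a value may itself be an object carrying operators.
function buildLoginFilterUnsafe(body) {
  return { user: body.user, pass: body.pass };
}

// Hardened: enforce the type the query was designed for, so an operator
// document can never reach the query engine.
function requireString(v, name) {
  if (typeof v !== 'string') throw new TypeError(name + ' must be a string');
  return v;
}
function buildLoginFilterSafe(body) {
  return { user: requireString(body.user, 'user'), pass: requireString(body.pass, 'pass') };
}

// Defence in depth: drop keys that begin with '$' or contain '.' at any depth.
// Weaker than type enforcement (it leaves an empty object behind), so treat it
// as a second layer rather than the only control.
function sanitize(value) {
  if (Array.isArray(value)) return value.map(sanitize);
  if (value !== null && typeof value === 'object') {
    const clean = {};
    for (const [k, v] of Object.entries(value)) {
      if (k.startsWith('$') || k.includes('.')) continue;
      clean[k] = sanitize(v);
    }
    return clean;
  }
  return value;
}

// Class 2, vulnerable: concatenating input into $where hands the caller's text
// to the server-side JavaScript engine. This pattern is what to flag in review.
function buildNameFilterUnsafe(name) {
  return { $where: "this.user == '" + name + "'" };
}
// Hardened: the same lookup expressed as a structured equality filter.
function buildNameFilterSafe(name) {
  return { user: requireString(name, 'name') };
}
```

With the unsafe builder, a body of `{ "user": "alice", "pass": { "$gt": "" } }` selects alice without knowing her password; the safe builder rejects the same body before any query is built, and the sanitized form selects nobody.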

Page 9:

Can a Newer Technology Save us?

NoSQL is a giant data bucket.

RDBMS – tight controls over data; NoSQL provides loose controls over datasets.

An RDBMS uses metadata to precisely control data types, and heavily synchronized process controls to maintain data integrity.

NoSQL uses loosely synchronized processes to scatter data across many systems, with small regard for the status of any one server or the quality of the data being stored.

It's a giant self-organizing bucket you put data in.

If you want security, then build it into your application.

Only store secured (encrypted, anonymized, tokenized) data.

Page 10:

Inherent Security Weaknesses in NoSQL

Authentication Weakness – By default the DB installs with NO password credentials!

Authorization Weakness – Any created user has read-only access to the WHOLE database.

Admin Authorization Weakness – A user with access to the Admin database has read/write access to everything! There is no granularity.

Clear Text – All data is sent in the clear, so the data can be captured in an ARP poisoning attack or other such MITM attack.

Multiple Interfaces Weakness – By default the service will bind to ALL available interfaces... not so good if you’re installing it in a dual-homed environment.

No Encryption – Currently there is no data encryption.

NoSQL implies that it is safer than RDBMSs, which are vulnerable to SQL injection.
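An added example, not from the slides, that turns the weaknesses above into a configuration check: a weak installation and a corrected one sit side by side, and an audit function reports which of the slide's issues (no authentication, binding every interface, clear-text transport) still apply. The configuration is a plain object mirroring mongod.conf keys (`net.bindIp`, `net.bindIpAll`, `security.authorization`, `net.tls.mode` or the older `net.ssl.mode`); which keys and defaults a particular server version honours is an assumption to verify against its documentation, and the addresses and file path are constructed.

```javascript
// Added example, not from the slides: audit a mongod-style configuration object
// for the weaknesses listed on the slide.

// Constructed: an installation left at the defaults the slide describes
// (no security section at all, listening on every interface).
const WEAK_CONFIG = {
  net: { port: 27017, bindIp: '0.0.0.0' },
};

// Constructed: the same server with the three weaknesses corrected.
const HARDENED_CONFIG = {
  net: {
    port: 27017,
    bindIp: '127.0.0.1,10.0.0.5',   // loopback plus the application-tier interface only
    tls: { mode: 'requireTLS', certificateKeyFile: '/etc/ssl/mongod.pem' },
  },
  security: { authorization: 'enabled' },
};

// Dotted-path lookup, e.g. get(cfg, 'net.tls.mode').
function get(obj, path) {
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// Returns a list of findings; an empty list means none of the slide's weaknesses apply.
function auditMongoConfig(cfg) {
  const findings = [];

  // Authentication / authorization: access control must be switched on explicitly.
  if (get(cfg, 'security.authorization') !== 'enabled') {
    findings.push('AUTH: security.authorization is not "enabled"; clients connect without credentials');
  }

  // Interface binding. An absent bindIp is treated as "all interfaces", the default
  // the slide describes (assumption: newer releases default to localhost instead).
  const bindAll = get(cfg, 'net.bindIpAll') === true;
  const bindIp = get(cfg, 'net.bindIp');
  const addrs = typeof bindIp === 'string' ? bindIp.split(',').map((s) => s.trim()) : [];
  if (bindAll || addrs.length === 0 || addrs.some((a) => a === '0.0.0.0' || a === '::')) {
    findings.push('BIND: service listens on all interfaces; set net.bindIp to the interfaces clients actually use');
  }

  // Transport: require TLS so traffic cannot be read or altered on the wire.
  const tlsMode = get(cfg, 'net.tls.mode') || get(cfg, 'net.ssl.mode');
  if (tlsMode !== 'requireTLS' && tlsMode !== 'requireSSL') {
    findings.push('CLEARTEXT: TLS is not required; traffic is sent in the clear');
  }

  return findings;
}
```

The audit does not cover the per-database authorization granularity point from the slide, since that is a property of the users and roles created, not of the configuration file.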

Page 11:

Summary

Does this all mean that we can’t win in this particular game?

It means that we solve two problems for our respective companies:

Creating a development environment that addresses the current threat models (a problem we haven’t solved yet).

Educating ourselves and our developers about the threats introduced with emerging technologies.

Page 12:

Can a Newer Technology Save us?

Talk from 2013 Defcon by Ming Chow – search for Chow-Abusing-NoSQL-Databases.pdf

http://www.darkreading.com/database/a-response-to-nosql-security-concerns/232600288 – nice concise summary; the original article this is in response to is also worth reading

http://blog.spiderlabs.com/2013/03/mongodb-security-weaknesses-in-a-typical-nosql-database.html

Page 14:

John South
Chief Security Officer
Heartland Payment Systems

Contact: [email protected]
Office: 972-295-8841