Evolution of Application Security
Winning in the Era of the One-sided Game
John South
Chief Security Officer
Heartland Payment Systems
Strategic Asymmetry – a One-Sided Game
The concept of a one-sided game is that one side can exercise an inherent advantage throughout the game.
Premise – security in the application development world:
Illustrates a threat model where the attacker has a distinct advantage.
The attack vectors being exploited have been with us for a number of years.
Developers are moving to newer technologies thinking that they are eliminating old threats, only to find newer ones they haven't anticipated.
Strategic Asymmetry – Pick a Statistic
www.darkreading.com/database-security/167901020/security/news/231901236/mass-sql-injection-attack-hits-1-million-sites.html
Veracode, State of Software Security Report: The Intractable Problem of Insecure Software, Apr 2011, pg 18
OWASP Project – OWASP Top 10 – What has changed since 2010
OWASP View of the Problem
2007:
1. A1 - Cross Site Scripting (XSS)
2. A2 - Injection Flaws
3. A3 - Malicious File Execution
4. A4 - Insecure Direct Object Reference
5. A5 - Cross Site Request Forgery (CSRF)
6. A6 - Information Leakage and Improper Error Handling
7. A7 - Broken Authentication and Session Management
8. A8 - Insecure Cryptographic Storage
9. A9 - Insecure Communications
10. A10 - Failure to Restrict URL Access
2004:
1. A1 - Unvalidated Input
2. A2 - Broken Access Control
3. A3 - Broken Authentication and Session Management
4. A4 - Cross Site Scripting
5. A5 - Buffer Overflow
6. A6 - Injection Flaws
7. A7 - Improper Error Handling
8. A8 - Insecure Storage
9. A9 - Application Denial of Service
10. A10 - Insecure Configuration Management
Why are these still threats?
Is it too tough to drive these issues out of our development programs?
Over the course of 10+ years, why do we still have SQL injection problems?
Are universities under-representing the problem of security in their coursework? If so, why?
Is the churn of developers a problem for stabilizing the issue?
Can a Newer Technology Save us?
Will moving to NoSQL databases solve the problem of injection attacks?
Short answer: perhaps for SQL injection.
Longer answer: No.
New classes of injection attacks:
Query: creating unsafe queries via string concatenation
Schema: inserting a record into a schema that does not exist will automatically create the new schema
JavaScript: $where and db.eval() take JavaScript functions as parameters
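The following is an added example, not code from the talk: it shows the "query" and "JavaScript" injection classes listed above in a MongoDB-style login lookup, with the vulnerable filter construction beside a hardened one and a recursive operator check that can gate any parsed request body. No database is needed; the functions only build and inspect filter documents. The function and field names (buildUserFilter, username) and the sample bodies are hypothetical.

```javascript
// Added example, not from the talk: defending a MongoDB-style login lookup
// against the "query" (operator injection) and "JavaScript" ($where) classes.
// No database is used; the functions only build and inspect filter documents.
// Names (buildUserFilter, username) are hypothetical.

// A JSON request body can carry objects, not only strings. If the client sends
// {"username": {"$gt": ""}}, splicing it into the filter matches every user.
function buildUserFilterUnsafe(body) {
  // VULNERABLE: the client-supplied value becomes the comparison value as-is.
  return { username: body.username, password: body.password };
}

// Hardened: accept only a bounded primitive string for a literal-valued field,
// so a query operator can never enter the filter. The password is never put
// in the query at all; its hash is verified after the lookup.
function buildUserFilter(body) {
  const { username } = body;
  if (typeof username !== "string" || username.length === 0 || username.length > 64) {
    throw new TypeError("username must be a non-empty string of at most 64 characters");
  }
  return { username };
}

// Defence in depth: true if an untrusted value carries operator keys ("$gt",
// "$where", "$regex", ...) at any depth. Use it as a gate on parsed bodies,
// never on filters the application itself builds with operators on purpose.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === "object") {
    return Object.keys(value).some((k) => k.startsWith("$") || containsOperator(value[k]));
  }
  return false;
}

// The JavaScript class: concatenating input into $where turns data into code
// that the server evaluates; any value that closes the quote can append its
// own JavaScript. The same predicate needs no server-side code at all.
function buildWhereUnsafe(name) {
  // VULNERABLE: string concatenation into a server-side JavaScript predicate.
  return { $where: `this.username == "${name}"` };
}

function buildWhereSafe(name) {
  if (typeof name !== "string") throw new TypeError("name must be a string");
  return { username: name }; // plain equality, no server-side JavaScript
}

// Constructed sample inputs: an honest login body and an operator-injection body.
const honestBody = { username: "alice", password: "correct horse battery" };
const injectedBody = { username: { $gt: "" }, password: { $gt: "" } };

function demo() {
  let safeRejected = false;
  try { buildUserFilter(injectedBody); } catch (e) { safeRejected = true; }
  return {
    unsafeFilterCarriesOperator: containsOperator(buildUserFilterUnsafe(injectedBody)), // true
    safeFilter: buildUserFilter(honestBody),                                           // { username: "alice" }
    safeRejectsInjectedBody: safeRejected,                                              // true
    whereUnsafeUsesCode: containsOperator(buildWhereUnsafe("alice")),                  // true: $where is an operator
    whereSafeFilter: buildWhereSafe("alice"),                                           // { username: "alice" }
  };
}

console.log(demo());
```

The type check in buildUserFilter is the fix that matters: a JSON body parser will happily hand the application an object where it expected a string, and a filter built from that object is exactly the "unsafe query via string concatenation" problem in document form. containsOperator is a second line of defence for bodies that reach the data layer through other paths.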
Can a Newer Technology Save us?
NoSQL is a giant data bucket.
An RDBMS keeps tight controls over data; NoSQL provides loose controls over datasets.
An RDBMS uses metadata to precisely control data types, and heavily synchronized process controls to maintain data integrity.
NoSQL uses loosely synchronized processes to scatter data across many systems, with small regard for the status of any one server or the quality of the data being stored.
It's a giant self-organizing bucket you put data in.
If you want security, then build it into your application.
Only store secured (encrypted, anonymized, tokenized) data.
Inherent Security Weaknesses in NoSQL
NoSQL implies it's safer than RDBMSs, which are vulnerable to SQL injection.
Authentication Weakness – By default the DB installs with NO password credentials!
Authorization Weakness – Any created user has read-only access to the WHOLE database.
Admin Authorization Weakness – A user with access to the admin database has read/write access to everything! There is no granularity.
Clear Text – All data is sent in the clear, so the data can be captured in an ARP poisoning attack or other such MITM attack.
Multiple Interfaces Weakness – By default the service will bind ALL available interfaces, not so good if you're installing it in a dual-homed environment.
No Encryption – Currently there is no data encryption.
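The deployment weaknesses above (no credentials, bound to every interface, clear-text traffic, no encryption) are all configuration findings that can be checked before a server goes live. The block below is an added example, not from the talk or the MongoDB project: an audit function run over a weak and a hardened mongod configuration, assumed already parsed from YAML into an object. The key paths (security.authorization, net.bindIp, net.bindIpAll, net.tls.mode, security.enableEncryption) follow the mongod.conf layout of later server versions than the talk covers, and at-rest encryption is an Enterprise-build option; the finding labels and both sample configurations are constructed. An unspecified bindIp is treated as "all interfaces", the default the talk describes.

```javascript
// Added example, not from the talk: audit a parsed mongod configuration for the
// weaknesses listed on the slide. Config objects are constructed; key paths
// follow mongod.conf. Finding labels are hypothetical.

// Safe dotted-path lookup: get({net:{bindIp:"x"}}, "net.bindIp") -> "x".
function get(obj, path) {
  return path.split(".").reduce((o, k) => (o !== null && typeof o === "object" ? o[k] : undefined), obj);
}

function auditMongoConfig(cfg) {
  const findings = [];

  // Authentication / authorization: without this, any client connects as admin.
  if (get(cfg, "security.authorization") !== "enabled") {
    findings.push("AUTH: security.authorization is not 'enabled'; clients connect without credentials");
  }

  // Interfaces: assumption for this audit is that an unspecified bindIp means
  // all interfaces (the talk's era default); bindIpAll or a wildcard is explicit.
  const rawBind = get(cfg, "net.bindIp");
  const addrs = (rawBind === undefined ? "0.0.0.0" : String(rawBind)).split(",").map((s) => s.trim());
  if (get(cfg, "net.bindIpAll") === true || addrs.includes("0.0.0.0") || addrs.includes("::")) {
    findings.push("INTERFACES: service bound to all interfaces; pin net.bindIp to the internal address");
  }

  // Clear text on the wire: anything short of requireTLS leaves plaintext sessions possible.
  if (get(cfg, "net.tls.mode") !== "requireTLS") {
    findings.push("CLEARTEXT: net.tls.mode is not 'requireTLS'; traffic can be captured on the wire");
  }

  // Data at rest: if the build offers no storage encryption, the application must
  // encrypt sensitive fields itself before they are written.
  if (get(cfg, "security.enableEncryption") !== true) {
    findings.push("AT-REST: no storage encryption; encrypt sensitive fields in the application");
  }

  return findings;
}

// Constructed: a default-style install that sets only the port and data path.
const weakConfig = {
  net: { port: 27017 },
  storage: { dbPath: "/var/lib/mongo" },
};

// Constructed: the same server with each weakness addressed.
const hardenedConfig = {
  net: {
    port: 27017,
    bindIp: "127.0.0.1,10.0.0.5",
    tls: { mode: "requireTLS", certificateKeyFile: "/etc/ssl/mongod.pem" },
  },
  security: { authorization: "enabled", enableEncryption: true },
  storage: { dbPath: "/var/lib/mongo" },
};

console.log("weak:", auditMongoConfig(weakConfig));         // four findings
console.log("hardened:", auditMongoConfig(hardenedConfig)); // []
```

The "Admin Authorization Weakness" from the slide is not a configuration key but a role-assignment problem; the corresponding check would enumerate the users and roles on the admin database, which needs a live connection and is left out of this offline example.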
Summary
Does this all mean that we can't win in this particular game?
It means that we solve two problems for our respective companies:
Creating a development environment that addresses the current threat models (a problem we haven't solved yet)
Educating ourselves and our developers about the threats introduced with emerging technologies
Can a Newer Technology Save us?
Talk from 2013 Defcon by Ming Chow – search for Chow-Abusing-NoSQL-Databases.pdf
http://www.darkreading.com/database/a-response-to-nosql-security-concerns/232600288 – nice concise summary; the original article this is in response to is also worth reading
http://blog.spiderlabs.com/2013/03/mongodb-security-weaknesses-in-a-typical-nosql-database.html
Questions
Support our Troops
John South
Chief Security Officer
Heartland Payment Systems
Contact:
Office: 972-295-8841