
“Today over 70% of attacks against a company’s network come at the ‘Application Layer’ not the Network or System layer.” - Gartner

Is Your Web Application Security Cleared?

Dr. Ravi Kiran Raju Yerra

Vice President – Security Testing

Arsin Corporation


Snap Shot of the Presentation

About Me
Web Applications – The Challenge
Why Web Applications are Vulnerable
Top 10 Vulnerabilities
Is Application Security a Tool Business?
Methodology
Suggested Tools
What's Next?

About Me

Holds a Doctor of Science in Internet Security Management
Has 15 years of experience in Information Technology and Information Security solutions
Vice President – QA (Security Testing) at Arsin Corporation
Actively involved in 10 different innovative information threat management projects with universities across the globe

Web Applications – The Challenge

(Diagram: Web Application spanning Web Server, Application Server and Database Server)

The World Wide Web has evolved into a global environment delivering applications such as reservation systems, online shopping and auction sites, games, multimedia applications, calendars, maps, chat applications, data entry/display systems, and many more.

Web applications are characterized by multiculturalism, continuous change, fast pace and competitiveness, and high demands on user adaptivity.

Thus, the complexity of securing such web applications has increased significantly.

Why is this important?


Why Web Applications are Vulnerable

Application attacks are the latest trend in hacking.
On average, 90% of all dynamic-content sites have vulnerabilities associated with them.
No web server and database server combination has been found to be immune.
Current security solutions do not offer adequate protection.
Attacks pass through perimeter firewall security over port 80 (or 443 for SSL).
Attackers exploit bugs and poor secure-programming practices in the software.

What is Web Application Security?

Web Application Security is not:

Traditional Layers and Traditional Security Controls

Network Protocols: Firewalls, Routers, Operating System IP Stack Configuration and Filtering, VPNs, and Vulnerability Scanners
Operating System: Operating System Patches and OS Configuration, Authentication, Authorization, Encryption, and Vulnerability Scanners
Commercial and Open Source Applications: Minimize Services, Application Configuration, Patches, Application-level Authentication and Authorization, and Vulnerability Scanners

What is Web Application Security?

Web Application Security is:

Traditional Layers and Traditional Security Controls

Network Protocols: Firewalls, Routers, Operating System IP Stack Configuration and Filtering, VPNs, and Vulnerability Scanners
Operating System: Operating System Patches and OS Configuration, Authentication, Authorization, Encryption, and Vulnerability Scanners
Commercial and Open Source Applications: Minimize Services, Application Configuration, Patches, Application-level Authentication and Authorization, and Vulnerability Scanners

plus the layer the traditional controls do not cover:

Custom Web Applications: Architecture, Design and Code Reviews, Application Scanners, and Testing with Malicious Input

Data Flow example


How Bad Is It? – Vulnerability Reports

Vulnerability reports consistently show web applications with the highest number of vulnerabilities.

For example, SANS @RISK, August 2007 (new vulnerabilities per weekly issue):

SANS @RISK Aug 2007    8/7   8/13   8/20   8/27   Total
Microsoft Products       0      5     15      0      20
Mac                      1      0      1      2       4
Linux                    4      5      1      5      15
Unix, Solaris, etc.      6      2      6      3      17
Network Device           1      2      3      5      11
Web Applications        50     35     23     22     130

Story

A Successful Hack


What are the Top 10 Vulnerabilities ?


OWASP 2007 Top Ten List

A1. Cross-Site Scripting (XSS)
A2. Injection Flaws
A3. Malicious File Execution
A4. Insecure Direct Object Reference
A5. Cross-Site Request Forgery (CSRF)
A6. Information Leakage and Improper Error Handling
A7. Broken Authentication and Session Management
A8. Insecure Cryptographic Storage
A9. Insecure Communications
A10. Failure to Restrict URL Access

www.owasp.org
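Two of the Top Ten classes above, A1 (XSS) and A2 (Injection), worked through in code: each handler is shown in its vulnerable form beside its hardened form, and the "Testing with Malicious Input" step from the earlier slide on what web application security is gets applied to both. This is an added example, not code from the presentation or from Arsin; the handlers, the in-memory users table and the probe strings are constructed here for illustration.

```python
"""Vulnerable and hardened handlers for OWASP 2007 A1 (XSS) and A2 (Injection),
plus a small malicious-input harness that tells the two versions apart.

Added example: the handlers, the in-memory table and the probe strings are
constructed here and are not code from the presentation or from Arsin."""
import html
import sqlite3


def make_db():
    """Constructed stand-in for the Database Server tier."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "user"), ("bob", "user"), ("admin", "admin")])
    return db


DB = make_db()


# A2 Injection flaw: the user-supplied name is spliced into the SQL text.
def lookup_vulnerable(name):
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return DB.execute(sql).fetchall()


# Hardened: the name travels as a bound parameter and can never alter the query.
def lookup_hardened(name):
    return DB.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# A1 XSS: untrusted input is echoed into HTML without output encoding.
def greet_vulnerable(name):
    return "<p>Hello, " + name + "</p>"


# Hardened: HTML-encode at the point where the value enters the markup.
def greet_hardened(name):
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# Constructed probe strings, one list per flaw class.
INJECTION_PROBES = [
    "' OR '1'='1",                                # tautology: returns every row
    "alice' --",                                  # comment truncates the rest of the query
    "x' UNION SELECT name, role FROM users --",   # appends a second result set
]
XSS_PROBES = [
    "<script>alert(1)</script>",
    '"><img src=x onerror=alert(1)>',
]


def probe_injection(lookup):
    """Return the probes for which lookup returned a row whose name is not the
    literal input, i.e. the input was interpreted as SQL rather than as data."""
    hits = []
    for p in INJECTION_PROBES:
        try:
            rows = lookup(p)
        except sqlite3.Error:   # a syntax error is a finding too, but not a data leak
            rows = []
        if any(name != p for name, _role in rows):
            hits.append(p)
    return hits


def probe_xss(greet):
    """Return the probes that come back verbatim, i.e. as live markup."""
    return [p for p in XSS_PROBES if p in greet(p)]


def run_probes():
    """Probe both versions of both handlers; a hardened handler should report none."""
    return {
        "lookup_vulnerable": probe_injection(lookup_vulnerable),
        "lookup_hardened": probe_injection(lookup_hardened),
        "greet_vulnerable": probe_xss(greet_vulnerable),
        "greet_hardened": probe_xss(greet_hardened),
    }


if __name__ == "__main__":
    for handler, findings in run_probes().items():
        print(f"{handler}: {len(findings)} finding(s) {findings}")
```

The harness judges a finding by behaviour, not by scanner signature: for injection it checks whether rows came back that an exact-match lookup could never return, and for XSS whether the probe survives unencoded in the response. That is the kind of evaluation the later slide on tools versus manual effort asks for, since it does not produce a false positive when a hardened handler happens to echo a harmless string.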


Is Application Security a Tool Business?

Web applications are tested with a combination of tools.

Typical web application testing is roughly 30% tool effort and 70% manual effort.

Tools often produce false positives.

Evaluating the scanner results and analysing the Statement of Applicability is key.

Tools do not take a risk-based approach.

The answer is

NO.

Story

A Great Damage


Methodology


Methodology – Web Application Penetration Testing

Test against OWASP 2004
Test against OWASP 2007
Test protocol security issues
Recommend / implement solutions
Re-test the application
Deliver final reports

Mapping of technical vulnerabilities to business risks

Methodology – Contd

Testing against OWASP 2004:

Understand the application in detail.

Test against OWASP 2004 (intrusive / non-intrusive methods).

Authorized-user testing and black-box testing.

Testing against OWASP 2007 and protocol security testing:

Test against OWASP 2007 (intrusive / non-intrusive methods) and apply fuzzing techniques for protocol analysis.

External code posture analysis.

Recommend or implement solutions:

Recommend appropriate solutions, including code-snippet designs.

If required, Arsin COE Security also helps implement the solutions.

Re-test the fixed application:

Re-test the entire application against OWASP 2004 and 2007 and the protocol issues.

Retesting continues until the remaining bugs are reduced to < 5% (none severe).

Deliver report:

On successful completion of testing, Arsin delivers an executive report and a technical report with the applicable recommendations.

Are there any suggested tools?

There are a couple of industry-standard commercial and open source tools, such as:

Rational AppScan from IBM

WebScarab from OWASP

HP WebInspect, etc.

What’s Next ?


Next!

Generally, web applications are tested against the "application" only.

Web applications must also undergo the corresponding protocol security testing, i.e. HTTP, HTTPS, etc.

This means security testing must extend from the "application layer" down to the "network layer".

Web services security testing will also play an important role.
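The protocol-level testing called for here, and the "fuzzing techniques for protocol analysis" step in the methodology, as an added example that is not from the presentation or from Arsin: a strict HTTP/1.1 request-head parser, a permissive one of the kind many front ends ship, and a constructed list of malformed requests that a protocol fuzz pass should include. The baseline request, the host name, the line-length budget and the mutation labels are assumptions made for this example.

```python
"""Protocol-level probing of an HTTP/1.1 request parser.

Added example; the parsers, the baseline request and the mutation list are
constructed here and are not from the presentation or from Arsin."""
import re

TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 7230 tchar set
MAX_LINE = 8192                                          # assumed header line budget


class BadRequest(Exception):
    pass


def parse_request(raw):
    """Strictly parse one HTTP/1.1 request head. Returns (method, target, headers)
    or raises BadRequest. The body is not consumed; only the head is validated."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("no end of headers")
    lines = head.split(b"\r\n")
    if any(len(line) > MAX_LINE for line in lines):
        raise BadRequest("line too long")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise BadRequest("malformed request line")
    method, target, version = parts
    if not TOKEN.match(method):
        raise BadRequest("bad method")
    if version != b"HTTP/1.1":
        raise BadRequest("unsupported version")
    if b"\x00" in target or not target.startswith(b"/"):
        raise BadRequest("bad target")
    headers = {}
    for line in lines[1:]:
        if b"\r" in line or b"\n" in line:          # bare CR or LF inside a line
            raise BadRequest("bare CR/LF in header")
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.match(name):      # also rejects "Host :" (space)
            raise BadRequest("bad header name")
        key = name.lower()
        if key in (b"host", b"content-length") and key in headers:
            raise BadRequest("duplicate " + key.decode())
        headers[key] = value.strip()
    if b"host" not in headers:
        raise BadRequest("missing Host")
    if b"content-length" in headers and b"transfer-encoding" in headers:
        raise BadRequest("Content-Length with Transfer-Encoding")  # smuggling ambiguity
    if b"content-length" in headers and not headers[b"content-length"].isdigit():
        raise BadRequest("non-numeric Content-Length")
    return method, target, headers


def parse_lenient(raw):
    """The permissive parser many front ends ship: splits on LF, tolerates stray CR,
    keeps the last of any duplicate header and never rejects anything."""
    lines = [line.strip(b"\r") for line in raw.split(b"\n")]
    parts = lines[0].split()
    method, target = parts[0], (parts[1] if len(parts) > 1 else b"/")
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _colon, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


# Constructed baseline and mutations; each mutation is a protocol-level malformation
# that a front end must reject rather than interpret charitably.
RL = b"GET /index.html HTTP/1.1\r\n"
HOST = b"Host: example.test\r\n"
BASELINE = RL + HOST + b"User-Agent: probe\r\n\r\n"
MUTATIONS = [
    ("bare LF line ending",            RL.replace(b"\r\n", b"\n") + HOST + b"\r\n"),
    ("CRLF injection in target",       b"GET /x\r\nX-Injected: 1 HTTP/1.1\r\n" + HOST + b"\r\n"),
    ("NUL byte in target",             b"GET /in\x00dex.html HTTP/1.1\r\n" + HOST + b"\r\n"),
    ("oversized header line",          RL + HOST + b"X-Pad: " + b"A" * 9000 + b"\r\n\r\n"),
    ("duplicate Content-Length",       RL + HOST + b"Content-Length: 5\r\nContent-Length: 6\r\n\r\n"),
    ("Content-Length plus chunked TE", RL + HOST + b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"),
    ("non-numeric Content-Length",     RL + HOST + b"Content-Length: 1e3\r\n\r\n"),
    ("missing Host header",            RL + b"User-Agent: probe\r\n\r\n"),
    ("space before header colon",      RL + b"Host : example.test\r\n\r\n"),
    ("bare CR inside header line",     RL + b"Host: example.test\rX-Smuggled: 1\r\n\r\n"),
]


def run_fuzz(parser):
    """Return the labels of mutations the parser accepted; each one is a finding."""
    accepted = []
    for label, request in MUTATIONS:
        try:
            parser(request)
        except BadRequest:
            continue
        accepted.append(label)
    return accepted


if __name__ == "__main__":
    print("strict parser accepted:", run_fuzz(parse_request))
    print("lenient parser accepted:", run_fuzz(parse_lenient))
```

Run against a real front end, the same mutation list goes over a socket instead of into a function, and the verdict is read from the status code and from whether the injected header or the second request body shows up downstream. The mutation set is what carries the value: line-ending, length, duplicate-header and Content-Length/Transfer-Encoding conflicts are exactly the places where an application-only test never looks.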


Queries

Dr. Ravi Kiran Raju, [email protected]

IM (Yahoo): brightvaio

Image references: Black Hat Briefings and www.owasp.org

Thank You

For more details: Jonathan McClean

[email protected]