The Thing That Should Not Be
Presentation delivered @ OWASP's IBWAS 2010
A glimpse into the dark future of web application security
Bruno Morisson <[email protected]> IBWAS’10
About me
• Consultant & Partner - INTEGRITY, Consulting & Advisory
• ~12 years in Information Security
• CISSP-ISSMP/CISA/ISO27001 Lead Auditor
• Background as a Linux/Unix sysadmin
• Background as a C developer
2
Warning!
This is all rather unscientific!
Really.
Consider yourself warned.
3
If wishes were ponies…
…security would be inherent to the applications.
…there would be no (security) bugs.
…we would all get along just fine.
4
This is how they see us
5
This is how we see them
6
We’re all skewed!
Security practitioners have a skewed vision of reality.
We’re usually what regular people would call paranoid.
Developers have a skewed vision of reality.
They usually don’t care about (or understand) security issues.
7
We’re all skewed!
We believe everyone should care about security at least as much as we do.
WE’RE WRONG!
8
We’re all skewed!
9
Security Mindset
“Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail.”
Bruce Schneier
10
“We have a firewall on our internets”
11
“We use usernames and passwords to access our web application”
12
SSL
13
Proof
Source: Cenzic Web Application Security Trends Report – Q1-Q2, 2010, Cenzic Inc.
14
More Proof
Source: Cenzic Web Application Security Trends Report – Q1-Q2, 2010, Cenzic Inc.
15
Even more proof
Source: Verizon Data Breach Report 2010
16
OWASP Top Ten
• Injection
• XSS
• Broken Authentication and Session Management
• Insecure Direct Object Reference
• CSRF
• Security Misconfiguration
• Insecure Cryptographic Storage
• Failure to Restrict URL Access
• Insufficient Transport Layer Protection
• Unvalidated Redirects and Forwards
17
How are we solving this?
The typical approach is forcing developers to solve all of these problems.
But the question is: Who are the developers? Do they understand the problem?
Most of them know nothing about security.
Some of them know little about web development.
18
19
Render Unto Caesar…
Security practitioners are not web developers.
Why should web developers be security practitioners?
20
Flashback
21
Let’s party like it’s 1999
Most security vulnerabilities had to do with services:
• HTTP (IIS, Apache)
• FTP (wu-ftpd, IIS)
• POP3 (Qpopper)
• SMTP (Sendmail)
• DNS (BIND)
• Telnet
• SSH
• …
Buffer overflows, format strings and integer overflows were the flavor of the decade…
22
What happened?
Security vulnerabilities had global impact.
Few companies/groups produced that software: Microsoft, Apache, SUN, Sendmail, Linux community/vendors.
Some built security into the process (Secure SDL), mainly Microsoft.
Tools started having security features (from bounds checking to static and dynamic code analysis).
Operating system security was improved (there was no ASLR or DEP back then).
23
Back to the future
24
And now?
The impact of a vulnerability is limited to that company (or the set of companies that use that particular software).
Anyone develops web applications.
A myriad of development languages.
Point & Click frameworks that automagically create code…
25
Looking into the future…
Let’s break this down into 4 areas:
• Compliance
• Processes
• People
• Tools
26
Compliance
Unless there’s a business requirement, don’t expect anyone to implement security.
Ex: PCI-DSS, Data Privacy Laws, …
27
Processes
If security is done ad-hoc, it will most surely fail.
• Embed security in the SDL
• Create internal processes for dealing specifically with security (e.g. risk assessment, engineering, testing, etc.)
28
29
People
Developers won’t build security into the apps, unless it’s a requirement…
They need to:
• understand the security impact.
• know how to solve the problem.
• know how to use the tools…
Developers won’t become security gurus.
30
Tools
People fail.
Tools/frameworks should become more idiot-proof.
Have security built in by default. Force insecurity to be explicit.
31
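As an added illustration of "security built in by default, insecurity explicit" (this is example code written for this page, not anything from the talk): a minimal template renderer that HTML-escapes every interpolated value unless the developer wraps it in an explicit SafeHTML marker, the same shape as the auto-escaping that Django's template engine ships with by default. All names (SafeHTML, render, render_value) and the sample inputs are hypothetical constructions.

```python
import html
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SafeHTML:
    """Marker a developer must construct on purpose to emit raw markup.

    Its presence at a call site is the 'explicit insecurity' the slide asks
    for: it is greppable and stands out in code review.
    """
    value: str


def render_value(value: object) -> str:
    """Escape by default; pass through only explicitly marked-safe markup."""
    if isinstance(value, SafeHTML):
        return value.value
    # quote=True also escapes " and ', so values are safe inside attributes.
    return html.escape(str(value), quote=True)


_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template: str, **context: object) -> str:
    """Substitute {{ name }} placeholders, escaping every value by default."""
    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in context:
            # Fail closed: an unknown variable is a bug, not an empty string.
            raise KeyError(f"template variable {name!r} was not supplied")
        return render_value(context[name])
    return _PLACEHOLDER.sub(substitute, template)


def demo() -> dict:
    """Constructed sample inputs showing both the default and the opt-out."""
    untrusted_comment = "<script>alert(1)</script>"  # constructed user input
    trusted_fragment = SafeHTML("<b>Welcome</b>")   # explicit, reviewable opt-out
    return {
        "escaped": render("<p>{{ comment }}</p>", comment=untrusted_comment),
        "raw": render("<div>{{ banner }}</div>", banner=trusted_fragment),
    }


if __name__ == "__main__":
    for label, out in demo().items():
        print(f"{label}: {out}")
```

The developer who forgets nothing gets safe output for free; the one who wants raw markup has to say so in code, which is exactly where a reviewer or a linter can look for it.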
32
Thank You!
Q&A?
Bruno Morisson CISSP-ISSMP, CISA, ISO27001LA
[email]: [email protected]
[work]: http://www.integrity.pt/
[fun]: http://genhex.org/~mori/
33