Injecting Security Controls into Software Applications - Katy Anton - PowerPoint PPT Presentation



SLIDE 1

Injecting Security Controls into Software Applications

Katy Anton, Principal Application Security Consultant

SLIDE 2

@KatyAnton

About me

Katy Anton

  • Software development background
  • Project co-leader for OWASP Top 10 Proactive Controls (@OWASPControls)
  • Principal Application Security Consultant @Veracode

SLIDE 3

SLIDE 4

Common Developer Questions

“My website is behind the firewall. Why do I have to fix the SQL injection?”

SLIDE 5

Common Developer Questions

“I validated the input. Isn’t this enough to prevent SQL Injection?”

SLIDE 6

Common Developer Questions

“I have parameterized. Look, I use preparedStatement - why is it not correct?”

SLIDE 7

Injection

SLIDE 8

CWEs in Injection Category

CWE-74: Injection, and the weaknesses grouped under it (source: NVD):

  • CWE-77: Command Injection
  • CWE-78: OS Command Injection
  • CWE-88: Argument Injection
  • CWE-79: XSS
  • CWE-89: SQL Injection
  • CWE-90: LDAP Injection
  • CWE-91: XML Injection
  • CWE-93: CRLF Injection
  • CWE-94: Code Injection
  • CWE-943: Improper Neutralization of Special Elements in Data Query Logic

SLIDE 9

Types of SQL Injection

  • In-Band SQLi
    • Error based SQLi
    • Union based SQLi
  • Blind SQL injection
    • Boolean
    • Time based
  • Out-of-Band SQLi
  • Compounded SQLi (SQL + XSS)
  • Second Order SQL Injection

SLIDE 10

SLIDE 11

Injection: 20th anniversary

First mentioned in Phrack magazine in 1998

Position of Injection in the OWASP Top 10, by edition:

  Year       2004  2009  2010  2013  2017
  Injection  A6    A2    A1    A1    A1

SLIDE 12

Is there another way to look at it?

SLIDE 13

Decompose the Injection

Data interpreted as Code: every injection follows the same path from Input to Output to Parser.

  Input:  Get / Post Data, File Uploads, HTTP Headers, Database Data, Config files
  Output: SQL, HTML, XML, Bash Script, LDAP Query
  Parser: SQL Parser, HTML Parser, XML Parser, Shell, LDAP Parser

SLIDE 14

Extract Security Controls

[Table from the slide: the Input -> Output -> Parser decomposition gives three controls, Validate Input, Parameterize and Encode Output, and for each vulnerability the slide marks which ones apply, distinguishing Primary Controls from Defence in depth.]

  • SQL Injection: two controls marked
  • XSS: two controls marked
  • XML Injection: two controls marked
  • Code Injection: two controls marked
  • LDAP Injection: two controls marked
  • Cmd Injection: all three controls marked

Legend: Primary Controls; Defence in depth
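The parameterize-versus-validate split on this slide, as an added example that is not part of the original deck: a constructed in-memory SQLite table is queried by string concatenation and by a bound parameter, with an allowlist check as the defence-in-depth layer. The table, its rows and the input string are constructed for the demo.

```python
# Added example, not from the deck: parameterization as the primary control
# against SQL injection, allowlist validation as defence in depth.
# The table, its rows and the test input are constructed for this demo.
import sqlite3

USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_concat(conn, name):
    # Vulnerable: the input is spliced into the SQL text, so the SQL parser
    # sees data as code. Calling this a "prepared statement" changes nothing
    # when the text was already assembled before it was prepared.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_param(conn, name):
    # Primary control: the value is bound to a placeholder after the query
    # has been parsed, so it can never alter the query structure.
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


def is_valid_username(name):
    # Defence in depth: allowlist the shape a username may take.
    return name.isalnum() and 1 <= len(name) <= 32


def lookup_defended(conn, name):
    # Both controls together: reject malformed input, then bind what is left.
    if not is_valid_username(name):
        return None
    return lookup_param(conn, name)


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"      # constructed input carrying a quote
    print(lookup_concat(db, hostile))    # both addresses: structure changed
    print(lookup_param(db, hostile))     # []: matched as a literal string
    print(lookup_defended(db, hostile))  # None: rejected before the query
    print(lookup_defended(db, "alice"))  # ['alice@example.com']
```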

SLIDE 15

Security Controls Recap

[Diagram: the layers Application Server, Operating System and Software Application, annotated with the controls Param Queries, Param Data, Encode Output, Validate Input and OS Command.]

SLIDE 16

Intrusions (or lack of Intrusion Detection)

“If a pen tester is able to get into a system without being detected, then there is insufficient logging and monitoring in place”

SLIDE 17

Security Controls: Security Logging

The security control developers can use to log security information during the runtime operation of an application.

SLIDE 18

The 6 Best Types of Detection Points

Good attack identifiers:

1. Authorisation failures
2. Authentication failures
3. Client-side input validation bypass
4. Whitelist input validation failures
5. Obvious code injection attack
6. High rate of function use

Source: https://www.owasp.org/index.php/AppSensor_DetectionPoints

SLIDE 19

Examples of Intrusion Detection Points

Request Exceptions

  • Application receives GET when expecting POST
  • Additional form or URL parameters submitted with request

Authentication Exceptions

  • The user submits a POST request which only contains the username variable. The password variable has been removed.
  • Additional variables received during an authentication request (like ‘admin=true’)

Input Exceptions

  • Input validation failure on server despite client side validation
  • Input validation failure on server side on non-user editable parameters (hidden fields, checkboxes, radio buttons, etc.)

Source: https://www.owasp.org/index.php/AppSensor_DetectionPoints
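The request, authentication and input exceptions listed on slides 18 and 19, checked over constructed requests, as an added example that is not from the deck or from the AppSensor project. The request dict shape, the login field names, the allowlist regex and the event labels are assumptions.

```python
# Added example, not from the deck: a few AppSensor-style detection points
# evaluated against constructed login requests. Field names are assumed.
import re

# Assumed shape of the login endpoint: POST with exactly these two fields.
LOGIN_SPEC = {"method": "POST", "params": {"username", "password"}}

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")  # server-side allowlist


def detect(request, spec=LOGIN_SPEC):
    """Return the detection points one request triggers (empty if none)."""
    hits = []
    params = request["params"]
    if request["method"] != spec["method"]:
        hits.append("RE: unexpected HTTP method " + request["method"])
    extra = set(params) - spec["params"]
    if extra:
        hits.append("RE: additional parameters " + ",".join(sorted(extra)))
    if "username" in params and "password" not in params:
        hits.append("AE: password variable removed")
    if "admin" in extra:
        hits.append("AE: privilege variable added to authentication request")
    if "username" in params and not USERNAME_RE.match(params["username"]):
        hits.append("IE: server-side validation failure despite client checks")
    return hits


def log_events(requests, sink):
    """Append one security log line per detection point; return the count."""
    count = 0
    for req in requests:
        for hit in detect(req):
            sink.append(f"client={req['client']} {hit}")
            count += 1
    return count


SAMPLE = [  # constructed requests: one normal, two anomalous
    {"client": "10.0.0.5", "method": "POST",
     "params": {"username": "alice", "password": "pw"}},
    {"client": "10.0.0.9", "method": "GET",
     "params": {"username": "alice", "admin": "true"}},
    {"client": "10.0.0.9", "method": "POST",
     "params": {"username": "a' OR 1=1", "password": "x"}},
]

if __name__ == "__main__":
    events = []
    print(log_events(SAMPLE, events), "events")
    print("\n".join(events))
```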

SLIDE 20

Vulnerable Components

Using Software Components with Known Vulnerabilities

SLIDE 21

Root Cause

  • Difficult to understand
  • Easy to break
  • Difficult to test
  • Difficult to upgrade
  • Increase technical debt

SLIDE 22

Components Examples

Example of external components:

  • Open source libraries - for example: a logging library
  • APIs - for example: vendor APIs
  • Libraries / packages by another team within the same company

SLIDE 23

Example 1: Implement Logging Library

  • Third-party library provides logging levels: FATAL, ERROR, WARN, INFO, DEBUG.
  • We need only: DEBUG, WARN, INFO.

SLIDE 24

Simple Wrapper

Helps to:

  • Expose only the functionality required.
  • Hide unwanted behaviour.
  • Reduce the attack surface area.
  • Update or replace libraries.
  • Reduce the technical debt.
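The wrapper from Example 1, as an added example that is not part of the original deck: the application exposes only DEBUG, WARN and INFO, references the third-party library in a single place, and neutralises line breaks so a user-controlled value cannot forge a log record (the CRLF injection from slide 8). The stdlib logging module stands in for the third-party library; the messages are constructed.

```python
# Added example, not from the deck: a wrapper that exposes only the three
# levels the application needs. The stdlib logging module stands in for
# the third-party library; the sample messages are constructed.
import logging


class AppLog:
    """Only debug/info/warn are reachable; FATAL and ERROR are hidden, and
    every message is neutralised against CRLF log injection (CWE-93)."""

    def __init__(self, backend):
        self._backend = backend   # the one place the library is referenced

    @staticmethod
    def _clean(message):
        # A user-controlled value with \r or \n could forge an extra log
        # line; escape the delimiters so one event stays one line.
        return str(message).replace("\r", "\\r").replace("\n", "\\n")

    def debug(self, message):
        self._backend.debug(self._clean(message))

    def info(self, message):
        self._backend.info(self._clean(message))

    def warn(self, message):
        self._backend.warning(self._clean(message))


class ListHandler(logging.Handler):
    """Keeps emitted lines in memory so the wrapper's output can be checked."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(f"{record.levelname} {record.getMessage()}")


def demo():
    backend = logging.getLogger("app-demo")
    backend.setLevel(logging.DEBUG)
    backend.propagate = False
    handler = ListHandler()
    backend.handlers = [handler]
    log = AppLog(backend)
    log.info("login ok user=alice")
    # constructed hostile username that tries to append a forged record
    log.warn("login failed user=bob\nINFO login ok user=admin")
    return handler.lines, hasattr(log, "error") or hasattr(log, "fatal")
```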

SLIDE 25

Example 2: Implement a Payment Gateway

Scenario:

  • Vendor APIs - like payment gateways
  • An application can have more than one payment gateway
  • They need to be interchangeable

SLIDE 26

Adapter Design Pattern

  • Converts from the provided interface to the required interface.
  • A single Adapter interface can work with many Adaptees.
  • Easy to maintain.

[Diagram: Your Code -> Adapter -> Third-party code]
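The Example 2 scenario implemented with the pattern on this slide, as an added example that is not part of the original deck: two constructed vendor SDKs with different calling conventions are adapted to one interface the application owns, so gateways can be swapped without touching checkout code. The vendor classes, their methods and the currency are made up for illustration.

```python
# Added example, not from the deck: adapters that convert two constructed
# vendor SDK interfaces into the single interface the application requires.
from abc import ABC, abstractmethod


class VendorA:                       # constructed third-party SDK #1
    def make_payment(self, amount_cents, currency):
        return {"status": "ok", "ref": f"A-{amount_cents}"}


class VendorB:                       # constructed third-party SDK #2
    def charge(self, amount, curr):  # amount as "12.34", returns a string
        return "APPROVED:B-" + amount.replace(".", "")


class PaymentGateway(ABC):
    """The interface the application requires; vendors never leak past it."""

    @abstractmethod
    def pay(self, amount_cents, currency):
        """Return (approved: bool, reference: str)."""


class VendorAAdapter(PaymentGateway):
    def __init__(self, sdk=None):
        self._sdk = sdk or VendorA()

    def pay(self, amount_cents, currency):
        result = self._sdk.make_payment(amount_cents, currency)
        return result["status"] == "ok", result.get("ref", "")


class VendorBAdapter(PaymentGateway):
    def __init__(self, sdk=None):
        self._sdk = sdk or VendorB()

    def pay(self, amount_cents, currency):
        # Converts units and the vendor's string protocol into the required shape.
        amount = f"{amount_cents // 100}.{amount_cents % 100:02d}"
        verdict, _, ref = self._sdk.charge(amount, currency).partition(":")
        return verdict == "APPROVED", ref


def checkout(gateway, amount_cents):
    # Application code depends only on PaymentGateway, so a gateway can be
    # exchanged (or a vulnerable SDK replaced) without touching this function.
    if amount_cents <= 0:
        raise ValueError("amount must be positive")
    approved, ref = gateway.pay(amount_cents, "GBP")
    return f"paid ref={ref}" if approved else "declined"
```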

SLIDE 27

Example 3: Implement a Single Sign-On

  • Libraries / packages created by another team within the same company
  • Re-used by multiple applications
  • Common practice in large companies

SLIDE 28

Façade Design Pattern

  • Simplifies the interaction with a complex sub-system
  • Makes a poorly designed API easier to use
  • It can hide away the details from the client.
  • Reduces dependencies on the outside code.

SLIDE 29

Secure Software Starts from Design !

SLIDE 30

Secure Software Starts from Design !

  • Wrapper: to expose only required functionality and hide unwanted behaviour.
  • Adapter Pattern: to convert from the provided interface to the required interface.
  • Façade Pattern: to simplify the interaction with a complex sub-system.

[Diagram: Your Code -> Adapter -> Third-party code]

SLIDE 31

How often?

SLIDE 32

Rick Rescorla

  • United States Army officer of British origin
  • Born in Hayle, Cornwall, UK
  • Director of Security for Morgan Stanley at WTC

SLIDE 33

Security Controls Recap

SLIDE 34

Security Controls In Development Cycle

[Diagram: the Slide 15 layers (Application Server, Operating System, Software Application) extended with further controls: Param Queries, Encode Output, Validate Input, TLS, Harden XML Parser, Encapsulation (libraries), OS Command, Logs / Log Exception, Param Data, Secure Data, Key Management.]

SLIDE 35

Final Takeaways

Focus on Security Controls which prevent CWEs

SLIDE 36

Final Takeaways

Focus on Security Controls which prevent CWEs

Verify Early and Often

SLIDE 37

Thank you very much

Katy Anton, Principal Application Security Consultant