injecting security controls into software applications
play

Injecting Security Controls into Software Applications Katy Anton - PowerPoint PPT Presentation

Dec 24, 2022 •227 likes •599 views

Injecting Security Controls into Software Applications Katy Anton Principal Application Security Consultant About me Katy Anton Software development background Project co-leader for OWASP Top 10 Proactive Controls (@OWASPControls)

  1. Injecting Security Controls into Software Applications Katy Anton Principal Application Security Consultant

  2. About me Katy Anton • Software development background • Project co-leader for OWASP Top 10 Proactive Controls (@OWASPControls) • Principal Application Security Consultant @Veracode @KatyAnton

  3. @KatyAnton

  4. Common Developer Questions “My website is behind the firewall. Why do I have to fix the SQL injection ?“ @KatyAnton

  5. Common Developer Questions “I validated the input. Isn’t this enough to prevent SQL Injection ?” @KatyAnton

  6. Common Developer Questions “ I have parameterized. Look I use preparedStatement - why is not correct ?” @KatyAnton

  7. Injection @KatyAnton

  8. CWEs in Injection Category • CWE-78: OS Cmd Inj CWE-77: Commmand Injection CWE-78: Argument CWE-78: XSS CWE-91: XML Injection CWE-74 Injectio CWE-93: CRLF Injection CWE-94: Code Injection CWE-89: SQL CWE-943: Improper Neutr. of Special El in CWE-90: LDAP @KatyAnton Source: NVD

  9. Types of SQL Injection • In-Band SQLi • Error based SQLi • Union based SQLi • Blind SQL injection • Boolean • Time based • Out-of-Band SQLi • Compounded SQLi (SQL + XSS) • Second Order SQL Injection @KatyAnton

  10. @KatyAnton

  11. Injection First mentioned in Phrack magazine in 1998 20 years anniversary 2004 2009 2010 2013 2017 Injection A6 A2 A1 A1 A1 @KatyAnton

  12. Is there another way to look at it? @KatyAnton

  13. Decompose the Injection Data interpreted as Code Input Parser Output Get / Post Data SQL Parser SQL File Uploads HTML Parser HTML HTTP Headers XML Parser XML Database Data Shell Bash Script Config files LDAP Parser LDAP Query @KatyAnton

  14. Extract Security Controls Output Input Parser Vulnerability Encode Output Parameterize Validate Input ! ! SQL Injection ! ! XSS ! ! XML Injection ! ! Code Injection ! ! LDAP Injection ! ! ! Cmd Injection Primary Controls Defence in depth @KatyAnton

  15. Security Controls Recap Application Server Operating System OS Command Software Application Param Data Param Queries Validate Input Encode Output @KatyAnton

  16. Intrusions (or lack of Intrusion Detection) “If a pen tester is able to get into a system without being detected, then there is insufficient logging and monitoring in place“ @KatyAnton

  17. Security Controls: Security Logging The security control developers can use to log security information during the runtime operation of an application. @KatyAnton

  18. The 6 Best Types of Detection Points Good attack identifiers: 1. Authorisation failures 2. Authentication failures 3. Client-side input validation bypass 4. Whitelist input validation failures 5. Obvious code injection attack 6. High rate of function use Source: https://www.owasp.org/index.php/AppSensor_DetectionPoints @KatyAnton

  19. Examples of Intrusion Detection Points Request Exceptions • Application receives GET when expecting POST • Additional form or URL parameters submitted with request Authentication Exceptions • The user submits a POST request which only contains the username variable. The password variable has been removed. • Additional variables received during an authentication request (like ‘admin=true’') Input Exceptions • Input validation failure on server despite client side validation • Input validation failure on server side on non-user editable parameters (hidden fields, checkboxes, radio buttons, etc) Source: https://www.owasp.org/index.php/AppSensor_DetectionPoints @KatyAnton

  20. Vulnerable Components Using Software Components with Known Vulnerabilities @KatyAnton

  21. Root Cause • Difficult to understand • Easy to break • Difficult to test • Difficult to upgrade • Increase technical debt @KatyAnton

  22. Components Examples Example of external components: • Open source libraries - for example: a logging library • APIs - for example: vendor APIs • Libraries / packages by another team within same company @KatyAnton

  23. Example 1: Implement Logging Library • Third-party - provides logging levels: • FATAL, ERROR, WARN, INFO, DEBUG. • We need only: • DEBUG, WARN, INFO. @KatyAnton

  24. Simple Wrapper Helps to: • Expose only the functionality required. • Hide unwanted behaviour. • Reduce the attack surface area. • Update or replace libraries. • Reduce the technical debt. @KatyAnton

  25. Example 2: Implement a Payment Gateway Scenario: • Vendor APIs - like payment gateways • Can have more than payment gateway one in application • Require to be inter-changed @KatyAnton

  26. Adapter Design Pattern • Converts from provided interface Your Code to the required interface. • A single Adapter interface can work with many Adaptees. Adapter • Easy to maintain. Third-party code @KatyAnton

  27. Example 3: Implement a Single Sign-On • Libraries / packages created by another team within same company • Re-used by multiple applications • Common practice in large companies @KatyAnton

  28. Façade Design Pattern • Simplifies the interaction with a complex sub-system • Make easier to use a poorly designed API • It can hide away the details from the client. • Reduces dependencies on the outside code. @KatyAnton

  29. Secure Software Starts from Design !

  30. Secure Software Starts from Design ! Wrapper Adapter Pattern Façade Pattern To expose only required To convert from the required To simplify the interaction with functionality and hide unwanted interface to provided interface a complex sub-system. behaviour. Your Code Adapter Third-party code

  31. How often ? @KatyAnton

  32. Rick Rescorla • United States Army office of British origin • Born in Hayle, Cornwall, UK • Director of Security for Morgan Stanley at WTC @KatyAnton

  33. Security Controls Recap @KatyAnton

  34. Security Controls In Development Cycle Application Server OS Command Logs Operating System Log Exception Software Application Param Data Encode output Secure Date Key Management Encapsulation Param Queries Mo Mo Mo Mo Mo Mo Encode Validate Harden Mo output Enca Input TLS XML Parser Libra TLS TLS XML @KatyAnton

  35. Final Takeaways Focus on CWEs Security which prevent Controls @KatyAnton

  36. Final Takeaways Focus on CWEs Security Verify Early and Often Controls @KatyAnton

  37. Thank you very much Katy Anton Principal Application Security Consultant @KatyAnton

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

IT Security Controls By: Jay Chen What are IT Security Controls? Safeguards or

IT Security Controls By: Jay Chen What are IT Security Controls? Safeguards or

IT Security Controls By: Jay Chen What are IT Security Controls? Safeguards or countermeasures to avoid, detect, counteract, or minimize security risk Types of Controls Preventive Controls (E.g. Password lockout after 5 failed

483 views • 31 slides
INJECTING SECURITY INTO WEB APPS AT RUNTIME AJIN ABRAHAM SECURITY ENGINEER #WHOAMI

INJECTING SECURITY INTO WEB APPS AT RUNTIME AJIN ABRAHAM SECURITY ENGINEER #WHOAMI

INJECTING SECURITY INTO WEB APPS AT RUNTIME AJIN ABRAHAM SECURITY ENGINEER #WHOAMI Security Engineering @ Research on Runtime Application Self Defence Authored MobSF, Xenotix and NodeJSScan Teach Security: opsecx.com

906 views • 55 slides
IT Security Controls Spring 2020 By: Jay Chen What are Security Controls? A safeguard or

IT Security Controls Spring 2020 By: Jay Chen What are Security Controls? A safeguard or

IT Security Controls Spring 2020 By: Jay Chen What are Security Controls? A safeguard or countermeasure for an information system or an organization designed to protect confidentiality, integrity, and availability of its information and to

605 views • 34 slides
Java Technologies Java EE Security Securing Applications Software Security - Protecting

Java Technologies Java EE Security Securing Applications Software Security - Protecting

Java Technologies Java EE Security Securing Applications Software Security - Protecting applications against malicious / unauthorized actions Desktop What kind of code is executed by the application, on the client machine? Where

702 views • 33 slides
Virtualization SecDev - Fall 2019 Operating System -Software -Controls communication with

Virtualization SecDev - Fall 2019 Operating System -Software -Controls communication with

Virtualization SecDev - Fall 2019 Operating System -Software -Controls communication with hardware -Launches and manages applications -Handles I/O Peripherals Hardware -Underlying physical components -Directed by software -Easy to swap out

851 views • 47 slides
Mean Field Games with Singular Controls, and Applications Xin Guo University of California at

Mean Field Games with Singular Controls, and Applications Xin Guo University of California at

ABCs of MFGs MFGs with Singular Controls MFG with singular controls Conclusion Mean Field Games with Singular Controls, and Applications Xin Guo University of California at Berkeley March 24, 2017 Based on joint works with Joon Seok Lee, UC

327 views • 32 slides
Sharing: Transmission of HIV during Injecting 6 Ways SW-IDUs put themselves at risk of HIV

Sharing: Transmission of HIV during Injecting 6 Ways SW-IDUs put themselves at risk of HIV

Sharing: Transmission of HIV during Injecting 6 Ways SW-IDUs put themselves at risk of HIV beyond using the same syringes/needles Messages Our main message for the safer injecting theme is: Use a sterile syringe and needle each time

252 views • 8 slides
Injecting Diversity Into Running Software Systems Vivek Nallur Trinity College Dublin

Injecting Diversity Into Running Software Systems Vivek Nallur Trinity College Dublin

W HAT S THIS ABOUT ? The Big Idea Injecting Diversity Into Running Software Systems Vivek Nallur Trinity College Dublin 16-May-2014 W HAT S THIS ABOUT ? The Big Idea E FFECTS OF M ONOCULTURE Figure: Phytophthora infestans W HAT S

586 views • 29 slides
Who Controls the Past Controls the Future Who Controls the Present Controls the Past Nothing

Who Controls the Past Controls the Future Who Controls the Present Controls the Past Nothing

Who Controls the Past Controls the Future Who Controls the Present Controls the Past Nothing gives rest but the sincere search for truth. -Pascal Greetz from Room 101 Kenneth Geers 1984 # Nineteen Eighty-Four (Orwell) # Govt IW vs own

1.03k views • 77 slides
deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
Security Controls for Industrial Control Systems EEI/AGA Security Committee Fall Meetings

Security Controls for Industrial Control Systems EEI/AGA Security Committee Fall Meetings

Security Controls for Industrial Control Systems EEI/AGA Security Committee Fall Meetings September 13, 2006 Boston, MA Stuart Katzke and Keith Stouffer, National Institute of Standards & Technology, Gaithersburg, MD Marshall Abrams, The

460 views • 23 slides
Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software

Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software

1 Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software is the main source of security vulnerabilities esp in systems accessible via a network i t ibl i t k part 1 part 1 security problems

672 views • 65 slides
Security and Privacy of Hash-Based Software Applications This work has been partially supported

Security and Privacy of Hash-Based Software Applications This work has been partially supported

Security and Privacy of Hash-Based Software Applications This work has been partially supported by the LabEx PERSYVAL-Lab (ANR-11-LABX-0025-01) funded by the French program Investissement davenir. Amrit Kumar January 6, 2017 Privatics team,

1.08k views • 85 slides
8. WinForms Applications Writing native Windows programs Overview Windows Applications

8. WinForms Applications Writing native Windows programs Overview Windows Applications

8. WinForms Applications Writing native Windows programs Overview Windows Applications Events and event handlers Layered (tiered) model of software Focus Form designer and controls Dialog boxes and forms Delegates

268 views • 22 slides
STARC ABL Software Harry Olar Software Engineer System architecture 8 250 KW Inverters

STARC ABL Software Harry Olar Software Engineer System architecture 8 250 KW Inverters

STARC ABL Software Harry Olar Software Engineer System architecture 8 250 KW Inverters 2 PCs 4 Embedded Linux Devices (PowerDNA) GUI (Graphical User Interface ) Controls Motors Controls Relays Saves Data Shows Relay

463 views • 15 slides
Software Control Flow Integrity Techniques, Proofs, & Security Applications Jay Ligatti summer

Software Control Flow Integrity Techniques, Proofs, & Security Applications Jay Ligatti summer

Software Control Flow Integrity Techniques, Proofs, & Security Applications Jay Ligatti summer 2004 intern work with: lfar Erlingsson and Martn Abadi 1 Motivation I: Bad things happen DoS Weak authentication Insecure

465 views • 22 slides
Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva

Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva

Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva 12/12/2016 Jrmy MATOS whois securingapps Developer background Spent last 10 years working between Geneva and Lausanne on security products

867 views • 22 slides
Building security from scratch Anthi Gilligan Application Security Engineer - Logitech

Building security from scratch Anthi Gilligan Application Security Engineer - Logitech

From ZERO to HERO Building security from scratch Anthi Gilligan Application Security Engineer - Logitech @AnGreagach Who I am and what I do The state of Infosec The experts Pitfall #1 Pitfall #2 Pitfall #3 Pitfall #4 ENCRYPT

522 views • 16 slides
Security as a Architectural Concern Reid Holmes [TAILOR ET AL.] NFP: Security Security:

Security as a Architectural Concern Reid Holmes [TAILOR ET AL.] NFP: Security Security:

Material and some slide content from: - Software Architecture: Foundations, Theory, and Practice - Krzysztof Czarnecki Security as a Architectural Concern Reid Holmes [TAILOR ET AL.] NFP: Security Security: The protection a ff orded a

160 views • 4 slides
SECURE BY DESIGN Security Design Principles for the Rest of Us GOTO London 2016 Eoin Woods -

SECURE BY DESIGN Security Design Principles for the Rest of Us GOTO London 2016 Eoin Woods -

SECURE BY DESIGN Security Design Principles for the Rest of Us GOTO London 2016 Eoin Woods - Endava @eoinwoodz 1 BACKGROUND Eoin Woods CTO at Endava (technology services, 3300 people) 10 years in product development - Bull,

453 views • 31 slides
Nuclear Safety Standards Committee 41 st Meeting, 21 23 June, 2016 Joint IAEA-ICTP Essential

Nuclear Safety Standards Committee 41 st Meeting, 21 23 June, 2016 Joint IAEA-ICTP Essential

Nuclear Safety Standards Committee 41 st Meeting, 21 23 June, 2016 Joint IAEA-ICTP Essential Knowledge Workshop on Nuclear Power Plant Design Safety Agenda item Title ICTP/Trieste, 9 20 October 2017 Assessment of Defence in Depth Name,

580 views • 38 slides
Design Principles CS461 / ECE422 Spring 2012 1 Overview Simplicity - Less to go wrong -

Design Principles CS461 / ECE422 Spring 2012 1 Overview Simplicity - Less to go wrong -

Design Principles CS461 / ECE422 Spring 2012 1 Overview Simplicity - Less to go wrong - Fewer possible inconsistencies - Easy to understand Restriction - Minimize access - Inhibit communication Saltzer and Schroeder 75 2 Economy of

330 views • 20 slides
Reliable Agent Systems This lecture looks more closely at reliability of agent systems in an open

Reliable Agent Systems This lecture looks more closely at reliability of agent systems in an open

Reliable Agent Systems This lecture looks more closely at reliability of agent systems in an open environment: Why this is difficult but (maybe) important. Two short examples showing how a small change in our formal view alters practice.

262 views • 24 slides
Concept for Naval Mine Counter Measures Major Van Hoeserlande Patrick, Ir HQ SACT Concept

Concept for Naval Mine Counter Measures Major Van Hoeserlande Patrick, Ir HQ SACT Concept

Supreme Allied Commander Transformation Proposal for a Future NATO Concept for Naval Mine Counter Measures Major Van Hoeserlande Patrick, Ir HQ SACT Concept Developer Patrick.VanHoeserlande@act.nato.int ACT - Improving today, Shaping

409 views • 24 slides

More recommend