T16 September 30, 2004 3:00 PM D EVELOPING S ECURE W EB A PPLICATIONS - PDF document

BIO PRESENTATION T16 September 30, 2004 3:00 PM D EVELOPING S ECURE W EB A PPLICATIONS Dennis Hurst SPI Dynamics Inc Better Software Conference & EXPO September 27-30, 2004 San Jose, CA USA

Dennis Hurst Dennis Hurst, senior consulting engineer for SPI Dynamics, is responsible for working with developers to educate them on the need for Web Application security and practical ways to protect Web Applications from hacking attacks. With more than 15 years experience in the Information Systems/Application development industry, he is an expert in system design, implementation and maintenance of complex multi- vendor, multi-platform computer applications and networks. He has extensive experience in planning developing and enhancing Internet systems as well as integrating Internet systems with legacy systems. For the past three years he has focused on developing tools to test and secure the HTTP protocol. Dennis is a Microsoft Certified Solution Developer (MSCD in Visual Basic and SQL Server) and a Certified Novell Engineer (CNE) for version 3.x and 4.x. Furthermore, he has published articles and developed classes on the secure application development process. Dennis has spoken on the topic of secure coding practices at Software Development West 2004, WebSec 2003 and various user group chapter meetings. He has been published in asp.net PRO and on http://www.15seconds.com/Issue/000612.htm.

Developing Secure Web Applications Hacker Exploits, Coding Best Practices and Automated Code Testing Tools

Agenda PART 1: Introductions PART 2: What is Web Application Security? PART 3: Web Application Hacks & Application Risks PART 4: Web Applications and HTTP 101 PART 5: Web Application Attacks PART 6: Managing & Detecting Vulnerabilities

SPI Dynamics The Expert in Web Application Security Assessment SPI Dynamics delivers security products and services that protect enterprises at the web application layer . These products are backed by the industry’s leading security experts, SPI Labs . WebInspect is our industry leading web application security assessment product line and is licensed to enterprises, consultants, and other institutions, both directly and via global partners.

SPI Dynamics The Expert in Web Application Security Assessment SPI Dynamics believes that security must be implemented across the application lifecycle . The earlier a security defect is detected the less it will ultimately cost an organization. SPI Dynamics is dedicated to maintaining a leadership position in vulnerability assessment and we truly measure our success through the success of our customers .

PART 2 What is Web Application Security? The evolution from web sites to web applications Where does the risk come from?

Web Sites Simple, single server solutions Web Server Browser HTML

Web Applications Very complex architectures, multiple platforms, multiple protocols Browser Database Application Web Servers Server Server Wireless Presentation Business Customer Layer Identification Logic Media Store Content Access Services Controls Web Services Transaction Information Core Business Data

Web Applications Invite Public Access “Today over 70% of attacks against a company’s website or web application come at the ‘Application Layer’ not the Network or System layer.” - Gartner

Web Applications Breach the Perimeter HTTP(S) INTERNET FTP TELNET IMAP SSH POP3 Firewall only allows PORT 80 (or 443 SSL) traffic from the Internet to the DMZ web server. Any – Web Server: 80 ASP .NET IIS WebSphere SunOne Java Apache TRUSTED INSIDE Firewall only allows applications SQL on the web server to talk to Oracle application server. DB2 Web Server Application Server CORPORATE Firewall only INSIDE allows application server to talk to database server. Application Server Database

PART 3 Web Application Hacks and Application Risks Who got hacked? How they got hacked, what method was used? What was the result of being hacked? Why web application risks occur Web application vulnerabilities

Web Application Risk “Web application incidents cost companies more than $320,000,000 in 2001.” Forty-four percent (223 respondents) to the 2002 Computer Crime and Security Survey were willing and/or able to quantify their financial losses. These 223 respondents reported $455,848,000 in financial losses. “2002 Computer Crime and Security Survey” Computer Security Institute & San Francisco FBI Computer Intrusion Squad

Recent Web Application Hack Example Ziff Davis Hacked August 2002 Ziff Davis Media has agreed to revamp its website's security and pay affected customers $500 each after lax security exposed the personal data of thousands of subscribers last year. The agreement between Ziff Davis -- publisher of PC Magazine and other tech titles, including a slew of gaming magazines -- and attorneys general from New York, Vermont and California came after web surfers discovered an unprotected data file on Ziff Davis' site in November. The file contained names, addresses, e-mail addresses - - and, in some instances, credit card numbers -- of 12,000 people who signed up for a special promotion to receive Electronic Gaming Monthly magazine.

Recent Web Application Hacks Victoria’s Secret, Victoria’s Secret November 27, 2002 A vulnerability at the Victoria’s Secret web site allowed customers who purchased items there to view other customers’ orders. By simply changing the data in the URL address line the web application was manipulated. $50,000 fine and publicity in 2003

Recent Web Application Hacks January 3, 2003 Recording Industry RIAA was hacked 8 times in 6 Association of America months The 6 th time the RIAA site was hacked, downloadable, pirated music was posted This time, a URL allowing access to the RIAA's system for posting press releases was made publicly accessible, allowing people to post messages that then appeared on the RIAA's official press release page

Sept 25 th 2003: Car Shoppers Credit Details Exposed in Bulk An administrative page not properly secured and any personal loan application information could be viewed. Over 1,000 shoppers from multiple websites had their entire financial history exposed on a public site The researcher simply read the HTML comments, saw the filename, and typed it into his browser. “The exposure of personal financial information could also put Dealerskins and its customers afoul of Federal Trade Commission (FTC) regulations “

Gateway Computers Wall Street Journal Article “More Scary Tales Involving Big Holes in Website Security”, by Lee Gomes, February 2 nd 2004 Gateway’s website stored an ID number in a cookie to identify you when returning to the site. By changing this ID number, you are able to view the information of other shoppers. Information viewable includes Name, Address, Phone Number, Order History, Last Four Digits of Credit Card, Credit Card Expiration Date, Credit Card Verification Code .

Federal Trade Commission investigates Guess Inc. “Guess Settles with FTC over Cyber Security Snafu”, June 2003 by Kevin Poulson for SecurityFocus “ Guess.com was open to an "SQL injection attack," permitting anyone able to construct a properly-crafted URL to pull down every name, credit card number and expiration date in the site's customer database -- over 200,000 in all …The episode prompted a year-long FTC investigation into alleged deceptive trade practices by Guess “ "Consumers have every right to expect that a business that says it's keeping personal information secure is doing exactly that," said Howard Beales, Director of the FTC's consumer protection bureau, in a press release. "It's not just good business, it's the law."

Other Hacked Websites Tiffany.Com - 2004 SQL Injection, OpenTable.com : Non-random identifiers Saks Fifth Avenue: Non-random identifiers FTD.com – February 14, 2003 sequential cookies Source: CNET News “ FTD Hole Leaks Personal Information “ Travelocity - January 22, 2001 open directory Source: CNET News “ Travelocity Exposes Customer Information ” Creditcards.com – December 12, 2000 SQL Injection Source: CNET News “ Company says extortion try exposes thousands of card numbers “ CD Universe – January 9, 2000 SQL Injection Source: Internetnews.com “Failed Blackmail Attempt Leads to Credit Card Theft” MasterCard - February 17, 2003 Partner Liability Tower Records - December 5, 2002 Access permissions

Why Web Application Risks Occur The Web Application Security Gap Security Professionals Don’t Know The Applications Application Developers and QA Professionals Don’t Know Security

Why Web Application Risks Occur Developers Are Not Security Professionals Application development stresses functionality, not security Lack of awareness of security issues in development Lack of effective testing tools in Development & QA Resource constrained development teams Security Professionals Are Not Developers Lack of awareness of application vulnerabilities in security teams Lack of effective testing tools Certification and accreditations don’t examine the web application Development cycle missing from security procedures and audits Security scrutinizes the desktop, the network, and the server. The web application is missing.