OWASPIL-2014-06-16_OWASP-Top-10_-_Security

Security Testing & The Depth
Behind OWASP Top 10
Yaniv Simsolo, CISSP
Image: Hubble Telescope: The cat’s eye nebula
OWASP Top 10 2013
OWASP Top 10 – 2013 has evolved:
• 2013-A1 – Injection
• 2013-A2 – Broken Authentication and Session
Management
• 2013-A3 – Cross Site Scripting (XSS)
• 2013-A4 – Insecure Direct Object References
• 2013-A5 – Security Misconfiguration
• 2013-A6 – Sensitive Data Exposure
• 2013-A7 – Missing Function Level Access Control
• 2013-A8 – Cross-Site Request Forgery (CSRF)
• 2013-A9 – Using Known Vulnerable Components (NEW)
• 2013-A10 – Unvalidated Redirects and Forwards
OWASP Top 10 2013
OWASP Top 10 – 2013 Resources:
• https://www.owasp.org/index.php/Top_10_2013Top_10
• OWASP Top 10 2013 presentation by Dave Wichers,
on the OWASP web site
Mapping Top 10: From 2010 to 2013
Source: OWASP Top 10 2013 presentation by Dave Wichers
Assumptions
• In Information Security – several top 10 exist
– OWASP Top 10 is dominant
• “Top 3”: we all know about XSS, Injection,
CSRF, etc.
• Most organizations are well aware of these
issues
Assumptions
• OK. What now?
• “Top 6” = (“Top 3”) + (“we test what we can”):
– Broken authentication and session management
– Unvalidated redirects and forwards
– Insecure direct object references
• Most organizations are aware of these issues
• OK, What now?
What did we miss?
• Security misconfiguration – A5.
• Missing Function Level access control – A7.
• Using known vulnerable components – A9.
• A6 – sensitive data exposure now includes a
merge of:
– Insufficient transport layer protection (2010 – A9)
– Insecure cryptographic storage (2010-A7)
What did we miss?
• Security misconfiguration – A5.
– (almost) not Web Application but:
Application/system
• Missing Function Level access control – A7.
– Partial Web Application, Partial
Application/system
• Using known vulnerable components – A9
– (almost) not Web Application but:
Application/system
What did we miss?
• A6 – sensitive data exposure now includes a
merge of:
– Insufficient transport layer protection (2010 – A9)
– Insecure cryptographic storage (2010-A7)
• Is this just Web Application?
• Is the problem more severe once we look
below the Web Layer?
What did we miss? Example
Security misconfiguration – A5
+
Using known vulnerable components – A9
=
Perimeter is not working
The Problem
Over Complexity
• Too much data
• Endless attack possibilities
• Too many security solutions, vendors,
products
• No homogenous approach
The Attack Vectors
– Any (communication)
channel
– Any interface
– Any encryption
– Any environment
– Any site (including DR)
– Any transaction
– Any log and audit trail
– Any archive
– Any process (operations,
ongoing, development)
– Any system
– Any infrastructure
– Any communication
– Any language
– Any architecture
– Any component
– Any information, any
data
– Any physical layer
– Any logical layer
– Any storage device /
facility
The Attack Types
– Takeover
– Data theft
– Data tampering
– System integrity disruption
– Business Logic manipulation
– Eavesdropping
– Backdoors – built in by design
– Backdoors – created by attackers
– Unintentional attacks
– Intentional attacks by authorized entities
– Attacks by non-human entities
– Denial of Service
– De Facto Denial of Service
– Authorization bypass
– Access bypass
– Smuggling, Splitting and evasion-type attacks
The Problem
Even the simplified security areas present a
demanding challenge. For example - XSS:
• Very difficult to detect all variants in modern
systems
• Almost impossible to retain high security level
once achieved
Common Solutions
• Superficial security tests.
– Many “good reasons”:
• Budget
• Time constraints
• Lack of understanding
• Over complexity
Common Solutions
• Impacts of superficial security tests in the
long run?
– Partial to no security
– Poor security practices
– These organizations affect the security
market, pulling it downwards!
– Loss or partial integrity of security
professionals
– Worse still: false sense of security
Where Did That Get Us?
• Ludicrous security warnings:
– January 2013: Department of Homeland Security:
Do not use Java. Remove the JRE.
– April 2014: Department of Homeland Security:
Versions 6 – 11 of IE are not to be used.
– April 2014: OpenSSL is insecure
Where Did That Get Us?
• Poor security in design and architecture
• (Almost) no security in Agile/Continuous
Delivery developed code
Modern Systems Common Pitfall
• Modern systems are more secure. ???
Where Did That Get Us?
• Challenging security presentations:
– In-Depth Security is dead (RSA conference 2011)
– Security is dead (Rugged coding - RSA conference
2012)
• Ignorance is bliss….
Security Testing
How to Test?
• This is messy. VERY messy.
• There are shortcuts
How to Test?
• Actually – most of it is quite easy to test.
• Go back to theory.
• Forget about the payloads.
The Fallback Common Option
• Test the GUI
• Black Box testing methodology
• Exclude the difficult stuff from scope
• This is a “good” solution: it fits organizations
and security professionals
The Fallback Common Option
• “The greatest enemy of knowledge is not
ignorance, it is the illusion of knowledge.”
― Stephen Hawking
• Testing just the GUI → illusion of knowledge
• Testing just the FE → illusion of security
• Increasingly often we are requested to test
much less than the actual scope.
• Consider carefully prior to testing – what
should be the actual testing scope
How to test?
• “Supreme excellence consists in breaking the enemy's
resistance without fighting.” Sun Tzu
• Common Mobile WCF architecture
– Where is the presentation layer?
– Which entities are granted access to business logic?
How to test?
• OWASP top 10 – mobile:
Source: OWASP Top 10 Mobile project
The Oracle Exadata Example
• Oracle Exadata simplified:
– Data Warehouse platform
– Consolidation/Grid platform
– Storage platform
• Exadata security best practices consist of:
– The “regular stuff”
– Database standard security
– Data Warehouse specialized security
– Consolidation/Grid specialized security
The Oracle Exadata Example
• Oracle Exadata (as a database platform) Security
Testing Benchmark:
– Organization A tested:
• The databases
• The environments
• The Data Warehouse specialized security
• The Exadata itself
– Organization B tested:
• Just some deployed databases
• Partial security testing for each database
• Worse still: Exadata not to be tested as a policy
• Who said: 2013-A5 Security Misconfiguration?
Testing A5, A7, A9
• “If you know the enemy and know yourself
you need not fear the results of a hundred
battles”, Sun Tzu
• Do we really know ourselves?
• Where are A5, A7 and A9 implemented?
• Not testing the BE → illusion of knowing
The Windows XP Example
• Organization C, defines and enforces strict
development and deployment security
standards towards all its suppliers/customers.
• Over 60 pages of procedures and instructions.
• Insisting on supporting Windows XP based
systems.
• Who said: 2013-A9 Using Known Vulnerable
Components?
2013-A9 Using known Vulnerable
Components
• A vendor offers DBAAS
– Excellent: beat the market offering *AAS
something...
• How can the organization trust the security of
DBAAS?
– Will separation be enforced?
– Will compartmentalization be enforced?
• Did we really test, and can we trust, the Cloud
on which the DBAAS is based?
Declarative Security
• What?
• One of the foundations of modern languages
run-time security.
• Mostly ignored or bypassed.
• Who said: Security misconfiguration – A5,
Missing Function Level access control – A7?
Declarative Security
• “Deployment descriptors must provide certain
structural information for each component if this
information has not been provided in annotations or
is not to be defaulted.” (Oracle docs.)
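The deployment-descriptor quote above is about Java EE, where function-level access control (A7) is declared in web.xml security-constraints. As an added example that is not part of the deck, the checker below parses a constructed web.xml and reports two classic misconfigurations: a security-constraint with no auth-constraint (which the container treats as open to everyone) and constraints that name specific HTTP methods, leaving the other verbs uncovered. The descriptor, URL patterns and role names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from any real deployment); the URL
# patterns and role names are illustrative.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
  </security-constraint>
</web-app>
"""

NS = {"j": "http://xmlns.jcp.org/xml/ns/javaee"}

def audit_web_xml(xml_text):
    """Return (url_pattern, finding) tuples for weak security-constraints."""
    findings = []
    for sc in ET.fromstring(xml_text).findall("j:security-constraint", NS):
        auth = sc.find("j:auth-constraint", NS)
        roles = [] if auth is None else [r.text for r in auth.findall("j:role-name", NS)]
        for wrc in sc.findall("j:web-resource-collection", NS):
            methods = [m.text for m in wrc.findall("j:http-method", NS)]
            for pat in wrc.findall("j:url-pattern", NS):
                if auth is None:
                    # No auth-constraint at all: the container permits everyone
                    findings.append((pat.text, "no auth-constraint: open to all"))
                elif "*" in roles:
                    # '*' means any declared role rather than a specific one
                    findings.append((pat.text, "role '*': any role accepted"))
                if methods:
                    # Naming methods constrains only those; other verbs stay uncovered
                    findings.append((pat.text, "only " + ",".join(methods) + " constrained"))
    return findings

if __name__ == "__main__":
    for pattern, finding in audit_web_xml(WEB_XML):
        print(pattern, "->", finding)
```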
Declarative Security
• “Engage people with what they expect; it is
what they are able to discern and confirms
their projections. It settles them into
predictable patterns of response, occupying
their minds while you wait for the
extraordinary moment — that which they
cannot anticipate.” Sun Tzu
• Lack or weak declarative security: Once code
access achieved – the extraordinary will be
feasible.
Declarative Security
• Poor design due to no design
• Cancelling off declarative security or ignoring
declarative security → revoking language
security fundamentals.
• Common real life deployment descriptors:
// Do what you will. Totally permissive policy file.
grant {
permission java.security.AllPermission;
};
• → Killing my own code!
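To catch the “do what you will” policy file shown above before it reaches production, here is an added example (not from the deck) that scans a Java security policy file: it flags AllPermission, grants with no codeBase or signedBy scope (which apply to every code source), and a few permissions the JDK documentation warns are about as powerful as AllPermission. The sample policy is constructed; the first grant is the slide’s, the other paths and signer name are illustrative.

```python
import re

# Constructed sample policy (not from any real deployment). The first grant is
# the slide's "totally permissive" block; the others are illustrative.
POLICY = """
// Do what you will. Totally permissive policy file.
grant {
    permission java.security.AllPermission;
};

grant codeBase "file:/opt/app/lib/app.jar" {
    permission java.io.FilePermission "/opt/app/data/-", "read";
    permission java.net.SocketPermission "db.internal.example:5432", "connect,resolve";
};

grant signedBy "vendor" {
    permission java.lang.RuntimePermission "createClassLoader";
};
"""

# Permissions the JDK docs describe as nearly as powerful as AllPermission
DANGEROUS = {
    ("java.lang.RuntimePermission", "createClassLoader"),
    ("java.lang.reflect.ReflectPermission", "suppressAccessChecks"),
    ("java.security.SecurityPermission", "setPolicy"),
}
GRANT_RE = re.compile(r"grant\b([^{]*)\{(.*?)\}\s*;", re.S)
PERM_RE = re.compile(r'permission\s+([\w.]+)\s*(?:"([^"]*)")?\s*(?:,\s*"([^"]*)")?\s*;')

def audit_policy(text):
    """Return (grant_no, scope, finding) tuples; grant_no counts from 1."""
    text = re.sub(r"//[^\n]*", "", text)  # drop // comments (sample URLs use a single slash)
    findings = []
    for n, m in enumerate(GRANT_RE.finditer(text), 1):
        scope = m.group(1).strip() or "<all code>"  # no codeBase/signedBy: every code source
        for cls, target, _actions in PERM_RE.findall(m.group(2)):
            if cls == "java.security.AllPermission":
                findings.append((n, scope, "AllPermission disables the sandbox"))
            elif (cls, target) in DANGEROUS:
                findings.append((n, scope, "%s %s is nearly AllPermission" % (cls, target)))
            elif scope == "<all code>":
                findings.append((n, scope, "%s granted to all code sources" % cls))
    return findings

if __name__ == "__main__":
    for grant_no, scope, finding in audit_policy(POLICY):
        print("grant #%d [%s]: %s" % (grant_no, scope, finding))
```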
Reverse Engineering (A5, A6, A9)
• What for?
• Why for Mobile security testing ONLY?
• From Wikipedia:
– Reverse engineering is the process of discovering
the technological principles of a device, object, or
system through analysis of its structure, function,
and operation.
Testing A2, A5, A6
• 2013 A6 – Sensitive data exposure
• 2013 A5 – Security misconfiguration
• 2013 A2 – Broken authentication
• Too much use of “third singulars”
– The actual minute details of the tested object
dissolve
2013-A5 Security Misconfiguration
• There is no external access!
• The intended users will only
perform intended actions…
• Virtualization → Separation
2013-A5 Security Misconfiguration
• How do organizations secure legacy unsecured
systems?
• Install terminals (e.g. Citrix) as the presentation
layer / access control layer.
• Challenge: manage multiple users across multiple
systems.
• Result: the terminals are partially secure.
– Too many terminals to manage over long periods
– Some insecure
– The insecure terminals are the attacker entry points.
Critical Thinking
• Critical thinking is the ability to think clearly
and rationally. This requires reflective and
independent thinking. (Philosophy field)
• For organization security is too difficult: over
complexity, too much to orchestrate, etc.
• Increasingly often we are requested to test
much less than the actual scope.
• Some organizations will not be educated.
• Push the industry back up with those
organizations that can be educated.
Critical Thinking
• For the security professionals, security is a
challenge. Hence, always employ critical
thinking and review the process of testing
itself.
– Flexibility under varying technologies
– Use automated testing tools to the max AND be
always aware of their limitations
– Scoping accurately is mandatory
Questions?
Yaniv Simsolo, CISSP