Web Application Security Implementation SANS MSISE GDWP Kevin Bong John Brozycki July 26, 2007 Web Application Security Implementation - © 2007 GIAC Introduction • Website vulnerability used to copy customer data to foreign host. • Senior management to acquire services of penetration team. Not available for immediate needs. • Post incident,we are tasked with creation of a web application security assessment program, to implement within a few days. Web Application Security Implementation - © 2007 GIAC Web Assessment Process Manual Web Server Audit Inventory Conduct Interviews Automated Vulnerability Scan Manual Web Application Audit Report Findings Web Application Security Implementation - © 2007 GIAC Web Service Inventory • Need to know what is legitimate and necessary. (Programs, services, ports) • Need to know where the data lives and how it is accessed. • Rate assets (web servers/services) to focus resources and set priorities. Web Application Security Implementation - © 2007 GIAC Performing Automated Scans • Verify the inventory by confirming the existence of services. • Identify additional, unneeded processes and check for common vulnerabilities and misconfigurations for both the necessary and unnecessary processes and services. • Quickly identify the low hanging fruit. Web Application Security Implementation - © 2007 GIAC Manual Audit of Web Server Security • Review if best practices are followed – Is defense in depth employed? – Configuration of web server and web development frameworks – User and service accounts and rights – Error messages, other information leakage – Do log files store appropriate information? • Review change processes for ports and services through interviews Web Application Security Implementation - © 2007 GIAC Manual Audit of Web Applications • Based on inventory, focus on potentially vulnerable code • Specific tests to be performed against each dynamic page • Interview developers to determine if processes prevent new vulnerabilities Web Application Security Implementation - © 2007 GIAC Deliverables for the Senior Management Team • Reports and recommendations delivered within days. • Results of inventory, scans, and manual audits used to provide action items that can be given to implementation team. • Additional recommendations from tiger team to management to minimize reoccurrences. Web Application Security Implementation - © 2007 GIAC