WebSec 101
Introduction
Presented by Mike Andrews
mike.andrews@foundstone.com
mike@mikeandrews.com
Copyright © 2008, McAfee, Inc.
Intro Music by DoKashiteru via CCMixter
Introductions…
► About me…
The way the world is
► The wheel of IT
► More software being pushed to the web
● Netcraft Webserver Survey
► Systems are getting more complex
[Diagram: "Then" vs. "Now"]
Bad news…
► It seems to be getting much easier to find vulns in web-based software
● 63% of all vulns disclosed in 2008 were in web apps [Symantec Internet Security Threat Report Trends for 2008]
► Where are the vulns?
► Why?
"The total number of publicly reported web application vulnerabilities has risen sharply, to the point where they have overtaken buffer overflows. This is probably due to ease of detection and exploitation of web vulnerabilities, combined with the proliferation of low-grade software applications written by inexperienced developers. In 2005 and 2006, cross-site scripting (XSS) was number 1, and SQL injection was number 2."
…Good news
► Window of exposure
► The "instant service pack"
[Diagram: window of exposure, Traditional App vs. Web App]
…The somewhat better news
► Vendors are securing systems "out of the box"
► Developers are starting to hear about the problems
► Lots more info in the main IT press
● SQL injection and XSS
● Cross-site request forgery is hardly being talked about! (save this for another webcast)
No silver bullet?
► Jack and the beanstalk…
► Are there silver bullets?
● Education
● SDLC
− TM (threat modelling), CR (code review), PT (penetration testing), policy, security response, …
● Frameworks
Upcoming
► The purpose of this webcast is to…
► Generate more awareness of the main issues in having secure web apps
● Webapps are the most common dev platform
● "That's where the money is" – Willie Sutton
● We're still making stupid/simple mistakes
► Look at auditing webapps for basic security mistakes. Black-box, mostly for two reasons:
− It is how most people are testing (security or otherwise, for good or bad)
− Try to be language/system agnostic, although we will mostly focus on LAMP and WISA
● Knowledge transfer
● Generate discussion on trends/news
● Short! -- ~20 minutes.
Bugs vs. Flaws vs. "Top N's"
► In (web)appsec we've focused a lot on "bugs"
► Flaws are just as (more?) important, and harder to find
► Top-N lists are "bug parades"
● Useful for awareness/education
● Can change quickly (and miss things)
● Only scratch the surface
► Taxonomies or frameworks?
● Best practices
General Structure
► Follow a "security frame"
● Configuration
● Authentication
● Authorization
● User management
● Session management
● Data (more than one webcast on this topic)
● Privacy
● [ your choice… ]
► Some "other" topics
● Techniques - automated vs. manual testing
● Technologies, and what they are good for (e.g. WAFs)
● Consulting, outsourcing, etc. (insider knowledge on how to use/manage)
● May move into things like SDL (given enough interest)
● Keep this going into code?
Topics
► Each topic should…
● Introduce the basics of the area/attack/technology
− Will not be "all you need to know", but more of a starting point
− Attacks always get better, they never get worse
− It's an infinite space, and your own brain is your best tool
● Discuss why it's a good/bad thing
● Examples
● Mitigation techniques (if appropriate)
● Point to some of what I think are the seminal articles/posts/papers that you should follow up with
► I'm up for going back and either re-recording or writing follow-up posts with more detail if needed
Follow-on
► Some homework if anyone is interested :)
● http://www.securitybloggers.net/
● http://www.securosis.com/blog/new-release-building-aweb-application-security-program
● http://ha.ckers.org
● http://jeremiahgrossman.blogspot.com
• "How to Break Web Software" – Mike Andrews & James Whittaker
• "XSS Exploits: Cross Site Scripting Attacks and Defense" – Seth Fogie et al.
• "Hacking Exposed – Web Applications" – Joel Scambray et al.
• "Innocent Code" – Sverre Huseby
• "19 Deadly Sins of Software Security" – Michael Howard et al.
• "Improving Web Application Security: Threats and Countermeasures" – J.D. Meier et al.
Next Up: Configuration
Credits/References
► Number of servers on the internet
● http://news.netcraft.com/archives/web_server_survey.html
► Window of exposure
● http://www.schneier.com/crypto-gram-0009.html
► SQL injection and XSS mentions
● www.google.com/trends
► http://www.bsi-mm.com