WebSec 101 Introduction Presented By Mike Andrews mike.andrews@foundstone.com mike@mikeandrews.com Copyright © 2008, McAfee, Inc. Intro Music by DoKashiteru via CCMixter Introductions… ► About me… The way the world is ► The wheel of IT ► More software being pushed to the web ● Netcraft Webserver Survey ► Systems are getting more complex Then Now Bad news… ► It seems to be getting much easier to find vulns in web-based software ● 63% of all vulns disclosed 2008 were in web apps [Symantec Internet Security Threat Report Trends for 2008] ► Where are the vulns? ► Why? The total number of publicly reported web application vulnerabilities has risen sharply, to the point where they have overtaken buffer overflows. This is probably due to ease of detection and exploitation of web vulnerabilities, combined with the proliferation of low-grade software applications written by inexperienced developers. In 2005 and 2006, cross-site scripting (XSS) was number 1, and SQL injection was number 2. …Good news ► Window ► The of exposure “instant service pack” Traditional App Web App …The somewhat better news ► Vendors are securing systems “out the box” ► Developers are starting to hear about the problems ► Lots more info in the main IT press ● SQL injection and XSS ● Cross-site request forgery is hardly being talked about! (save this for another webcast) No silver bullet? ► Jack ► Are and the beanstalk… there silver bullets? ● Education ● SDLC − TM, CR, PT, Policy, Sec response, … ● Frameworks Upcoming ► ► The purpose of this webcast is to… Generate more awareness of the main issues in having secure web apps ● Webapps are the most common dev platform ● “That’s where the money is” – Willie Sutton ● We’re still making stupid/simple mistakes ► Looking at auditing webapps for basic security mistakes. Black-box, mostly for two reasons Is how most people are testing (security or otherwise for good or bad) − Try to be language/system agnostic, although will mostly focus on LAMP and WISA Knowledge transfer Generate discussion on trends/news Short! -- ~20 minutes. − ● ● ● Bugs vs. Flaws vs. “Top N’s” ► In (web)appsec we’ve focused a lot on “bugs” ► Flaws are just (more?) important, and harder to find ► Top-N lists are “bug parades” ● Useful for awareness/education ● Can change quickly (and miss things) ● Only scratch the surface ► Taxonomies or frameworks? ● Best practices General Structure ► Follow a “security frame” ● ● ● ● ● ● ● ● ► Configuration Authentication Authorization User management Session management Data (more than one webcasts on this topic) Privacy [ your choice… ] Some “other” topics ● ● ● ● ● Techniques - Automated vs. Manual testing Technologies, and what they are good for (e.g. WAF’s) Consulting, outsourcing, etc, (insider knowledge on how to use/manage) May move into things like SDL (given enough interest) Keep this going into code? Topics ► Each topic should… ● Introduce the basics of the area/attack/technology − Will not be “all you need to know”, but more of a starting point − Attacks always get better, they never get worse − It’s an infinite space, and your own brain in your best tool ● ● ● ● ► Discuss why it’s a good/bad thing Examples Mitigation techniques (if appropriate) Point to some of what I think are the seminal articles/posts/papers that you should follow up with I’m up for going back and either re-recording or writing follow-up posts with more detail if needed Follow-on ► Some homework if anyone is interested :) ● http://www.securitybloggers.net/ ● http://www.securosis.com/blog/new-release-building-aweb-application-security-program ● http://ha.ckers.org ● http://jeremiahgrossman.blogspot.com • • • • • • “How to Break Web Software” - Mike Andrews & James Whittaker “XSS Exploits: Cross Site Scripting Attacks and Defense” - Seth Fogie et al “Hacking Exposed - Web Applications” – Joel Scambray et al “Innocent Code” – Sverre Huseby “19 Deadly Sins of Software Security” – Michael Howard et al “Improving Web Application Security: Threats and Countermeasures” - J.D. Meier et al Next Up: Configuration Credits/References ► Number of servers on the internet ● http://news.netcraft.com/archives/web_server_su rvey.html ► Window of exposure ● http://www.schneier.com/crypto-gram-0009.html ► SQL injection and XSS mentions ● www.google.com/trends ► http://www.bsi-mm.com