Dealing with Web Application Security, Regulation Style Andrew Weidenhamer 11/10/2010 Agenda • • • • • Why do we need Web Application Security How does PCI address Web Application Security shortcomings How does HIPAA, GLBA, and SOX address Web Application Security shortcomings How does FISMA address Web Application Security shortcomings What about other industries? Why do we need Web Application Security? After being edged out in 2008 as the most-used path of intrusion, web applications now reign supreme in both the number of breaches and the amount of data compromised through this vector. Both Verizon and USSS cases show the same trend. Web applications have the rather unfortunate calling to be public-facing, dynamic, user-friendly, and secure all at the same time. Needless to say, it’s a tough job. - Verizon 2010 Data Breach Statistics Report The Problem • • • • Custom coded web applications are very common Visual Studio, WebSphere, Eclipse, etc. are *almost* point and click solutions ASP.NET, Java, PHP allow for powerful web applications with minimal coding Custom Coded = Human Error 75% of all external attacks occur at the application layer 90% of web applications are vulnerable • • • • • • No Windows Update for web based applications – multiple technologies involved Lack of awareness of application developers, application owners, architects, system administrators, etc. Security not embedded into the software development lifecycle Estimated 60+% of testing is production systems Lack of awareness of vendors/third party software companies Lack of awareness for outsourced developers Why Web Security? I have a Firewall and IDS • Am I Safe with a Firewall? Many companies are filtering their Internet connection (Block ALL except 80 & 443) • What is vulnerable at the Web and Application layer? Financial Data PHI (Medical) Privacy Port 80/443 – Permits access to the Web Server and Web Applications • Intrusion Detection Systems? – DETECT Signatures and DON’T work on custom coded applications. • What about anti-virus software?– Code RED exploited by virus/worm – Attacked Microsoft IIS Web Server How does PCI address Web Application Security? Requirement 6 • • • • • 6.3 Develop software applications (internal and external, and including web-based administrative access to applications) in accordance with PCI DSS (for example, secure authentication and logging), and based on industry best practices. Incorporate information security throughout the software development life cycle. 6.3.1 Removal of custom application accounts, user IDs, and passwords before applications become active or are released to customers 6.3.2 Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability. 6.4.1 Separate development/test and production environments 6.4.2 Separation of duties between development/test and production environments Requirement 6 – Cont’d • 6.5 Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development processes, to include the following: 6.5.1 Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws 6.5.2 Buffer overflow 6.5.3 Insecure cryptographic storage 6.5.4 Insecure communications 6.5.5 Improper error handling 6.5.6 All “High” vulnerabilities identified in the vulnerability identification process Cross-site scripting Improper Access Control Cross-site request forgery Requirement 6 – Cont’d • 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes Installing a web-application firewall in front of public-facing web applications • • • • • • • Shortcomings Why give the client a choice between code review and web application firewall? You can’t scan for the OWASP Top 10 OWASP Top 10 is dynamic Only requires scanning and code reviews for publically facing applications. Most ASV scanners do very little at the web application layer External Penetration Assessments can be performed by internal resources Level 3 and 4 merchants PROOF!!! How does HIPAA, GLBA, and SOX address Web Application Security? HIPAA – Access Controls • • Analyze workloads and operations to identify the access needs of all users • Develop access control policy • Establish an emergency access procedure Analyze workloads and operations to identify the access needs of all users • Implement access control procedures using selected hardware and software • Ensure that all system users have been assigned a unique identifier • Review and update user access • Terminate access if it is no longer needed HIPAA – Audit Controls • Determine the systems or activities that will be tracked or audited • Develop appropriate standard operating procedures • Select the tools that will be deployed for auditing and system activity reviews • Develop and deploy the Information System Activity Review/Audit Policy • Implement the audit/system activity review process HIPAA – Integrity • Identify all users who have been authorized to access ePHI • Implement procedures to address these requirements • Identify any possible unauthorized sources that may be able to intercept the information and modify it • Develop the integrity policy and requirements • Establish a monitoring process to assess how the implemented process is working HIPAA – Person or Entity Authentication • Determine authentication applicability to current systems/applications • Evaluate authentication options available • Select and implement authentication option HIPAA – Transmission Security • Identify any possible unauthorized sources that may be able to intercept and/or modify the information • Develop a transmission security policy • Implement procedures for transmitting ePHI using Hardware/Software if needed What did we notice about HIPAA? Web application security is not specifically called out in the HIPAA Security Rule, however: • A risk analysis and risk assessment is required • Depending on the risk rating, entities may need to ensure proper security controls are in place for web applications associated with electronic protected health information (ePHI) Shortcomings PROOF!!! PROOF #2!!! GLBA – Safeguards Rule • Denoting at least one employee to manage the safeguards • Constructing a thorough risk management on each department handling the nonpublic information • Develop, monitor, and test a program to secure the information and, • Change the safeguards as needed with changes in how information is collected, stored and used. GLBA - Guidance • Section 501(b) of GLBA requires Federal Financial Institutions Examination Council (FFIEC) member regulators to establish standards and guidelines for complying with the GLBA Safeguards Rule • Accordingly, the regulators created the Interagency Guidelines Establishing Information Security Standards and the IT Examination Information Security Handbook • Both the Guidelines and Handbook require web application security if appropriate to the size and complexity of the financial institution GLBA – Guidance (cont’d) G. APPLICATION SECURITY (IT EXAMINATION INFORMATION SECURITY HANDBOOK) 1. Determine whether software storage, including program source, object libraries, and load modules, are appropriately secured against unauthorized access. 2. Determine whether user input is validated appropriately (e.g. character set, length, etc). 3. Determine whether appropriate message authentication takes place. 4. Determine whether access to sensitive information and processes require appropriate authentication and verification of authorized use before access is granted. 5. Determine whether re-establishment of any session after interruption requires normal user identification, authentication, and authorization. 6. Determine whether appropriate warning banners are displayed when applications are accessed. 7. Determine whether appropriate logs are maintained and available to support incident detection and response efforts. GLBA – Guidance (cont’d) H. SOFTWARE DEVELOPMENT (IT EXAMINATION INFORMATION SECURITY HANDBOOK) 1. Inquire about how security control requirements are determined for software, whether internally developed or acquired from a vendor. 2. Determine whether management explicitly follows a recognized security standard development process, or adheres to widely recognized industry standards. 3. Determine whether the group or individual establishing security control requirements has appropriate credentials, background, and/or training. 4. Inquire about the method used to test the newly developed or acquired software for vulnerabilities. For manual source code reviews, inquire about standards used, the capabilities of the reviewers, and the results of the reviews. If source code reviews are not performed, inquire about alternate actions taken to test the software for covert channels, backdoors, and other security issues. 5. Evaluate the process used to ascertain software trustworthiness. Include in the evaluation management’s consideration of the: Development process Establishment of security requirements Establishment of acceptance criterion Use of secure coding standards Compliance with security requirements Code development and testing processes Restrictions on developer access to production source code Physical security over developer work areas Source code review Quality and functionality of security patches • • • • • • • • • • Shortcomings VAGUE!!!! PROOF!!! SOX • Most corporate financial records are accessed and maintained in electronic formats that often have Web-based components, there is a significant correlation between this information and Web applications. • Section 404 requires companies have in place appropriate, enterprise-wide controls to protect the integrity of financial data as well as the systems that access the data SOX - Guidance The development controls with a SOX perspective include: 1) Documented policy and procedures 2) Developers/ IT managers are trained on the procedures 3) Standard controls such as business owners approve the design, 4) Development is carried over as per standards, functional specifications 5) Separate test environment for development/ test/ production / test plans 6) Segregation of duties ( The developer who created and cannot pass his own test, cannot promote the code to production etc) 7) Business owner’s testing and approval before changes/ app goes into production 8) Good Version Control Program to ensure that older versions are kept available 9) Source Code is properly secured 10) Built in user access controls for authentication and prevention of fraud. Shortcomings Virtually no controls around Security How does Federal Information Security Management Act (FISMA) address Web Application Security? • • • • FISMA Requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. NIST 800-30 used to perform a risk analysis NIST 800-53 controls will be required based on an agencies data risk classifications. NIST 800-53 control areas such as System and Communications Protection are applicable to web applications. FISMA – System and Information Integrity • Security Assessments • Vulnerability Scanning • Policies and Procedures • Information Input Validation • Error Handling • Information Output Handling and Retention Shortcomings Good..But not as prescriptive as PCI What about other industries? Privacy?? • Legal • Manufacturing • Retail • Business Services Thank you for your time! QUESTIONS ANSWERS E: aweidenhamer@securestate.com