IBM Software Group | Rational software
Objectives
- Understand the web application environment
- Understand and differentiate between network and application level vulnerabilities
- Understand where the vulnerabilities exist
- Understand how to leverage AppScan to perform an automated scan for vulnerabilities
Agenda

- Security Landscape
- Vulnerability Analysis
- Automated Vulnerability Analysis
- IBM Rational AppScan Overview

Security Landscape
(Slide: Hacking Stage 6; source: Wikipedia, Feb 9 2007)
Most sites are vulnerable:
- 90% of sites are vulnerable to application attacks (Watchfire)
- 78% of easily exploitable vulnerabilities affected Web applications (Symantec)
- 80% of organizations will experience an application security incident by 2010 (Gartner)

Web applications are high value targets for hackers:
- Customer data, credit cards, ID theft, fraud, site defacement, etc.

Compliance requirements:
- Payment Card Industry (PCI) Standards, GLBA, HIPAA, FISMA, ...
High Level Web Application Architecture Review

(Diagram: Internet -> Firewall -> Client Tier (Browser) -> SSL -> Presentation / App Server (Business Logic, Middle Tier) -> Data Tier (Database). The firewall protects the network; SSL protects the transport. The customer application is deployed in the middle tier; sensitive data is stored in the data tier.)
Network Defenses for Web Applications

(Diagram: security perimeter, firewall)
Reality: Security and Spending Are Unbalanced

- 75% of all attacks on information security are directed to the web application layer
- 2/3 of all web applications are vulnerable

** Gartner
Why Do Hackers Today Target Applications?

- Because they know you have firewalls
  - So it's not very convenient to attack the network anymore
  - But they still want to attack, 'cos they still want to steal data
- Because firewalls do not protect against app attacks!
  - So the hackers are having a field day!
  - Very few people are actively aware of application security issues
- Because web sites have a large footprint
  - No need to worry anymore about cumbersome IP addresses
- Because they can!
  - It is difficult or impossible to write a comprehensively robust application
  - Developers are yet to have secure coding as second nature
  - Developers think differently from hackers
  - Cheap, Fast, Good: choose two, you can't have it all
  - It is also a nightmare to manually QA the application
  - White box static code analyzers don't test for inter-app relationships
  - Many companies today still do not have a software security QA policy or resource
- Most companies today still do not have an application security QA policy or resource
  - IT security staff are focused on other things and are swamped
  - AppSec is their job but they don't understand it and don't want to deal with it
  - Developers think it's not their job or problem to have security in coding
  - People who outsource expect the 3rd party to security QA for them
- It is cultural currently to not associate security with coding
  - Buffer Overflow has been around for 25 years!
  - Input Validation is still often overlooked.
Vulnerability Analysis
As secure as 3rd party software
The OWASP Top 10 list

(Table: Application Threat / Negative Impact / Example Impact. Only three threat names survived extraction; the remaining names are the OWASP Top 10 2007 categories in their published order, supplied from that list.)

A1 Cross Site Scripting (XSS)
  Negative impact: identity theft, sensitive information leakage, ...
  Example impact: hackers can impersonate legitimate users, and control their accounts.
A2 Injection Flaws
  Negative impact: attacker can manipulate queries to the DB / LDAP / other system
  Example impact: hackers can access backend database information, alter it or steal it.
A3 Malicious File Execution
  Negative impact: execute shell commands on server, up to full control
  Example impact: site modified to transfer all interactions to the hacker.
A4 Insecure Direct Object Reference
  Negative impact: attacker can access sensitive files and resources
  Example impact: web application returns contents of sensitive file (instead of harmless one)
A5 Cross Site Request Forgery
  Negative impact: attacker can invoke blind actions on web applications, impersonating as a trusted user
  Example impact: blind requests to bank account transfer money to hacker
A6 Information Leakage and Improper Error Handling
  Negative impact: attackers can gain detailed system information
  Example impact: malicious system reconnaissance may assist in developing further attacks
A7 Broken Authentication and Session Management
  Negative impact: session tokens not guarded or invalidated properly
  Example impact: hacker can force session token on victim; session tokens can be stolen after logout
A8 Insecure Cryptographic Storage
  Negative impact: weak encryption techniques may lead to broken encryption
  Example impact: confidential information (SSN, credit cards) can be decrypted by malicious users
A9 Insecure Communications
  Negative impact: sensitive info sent unencrypted over insecure channel
  Example impact: unencrypted credentials sniffed and used by hacker to impersonate user
A10 Failure to Restrict URL Access
  Negative impact: hacker can access unauthorized resources
  Example impact: hacker can forcefully browse and access a page past the login page
Cross Site Scripting: The Exploit Process

(Diagram with three parties: Evil.org, User, Bank.com)
1. Link to bank.com sent to user via Email or HTTP
Callout: the script sends the user's cookie and session information without the user's consent or knowledge.
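The exploit process above, as an added example that is not part of the original deck: the page-rendering flaw a reflected link like the one in step 1 relies on (untrusted input concatenated into HTML) beside its output-encoded counterpart, plus the cookie attributes that keep the session token out of reach of any script. Function names, the query parameter and the hosts are assumptions; no real framework is used.

```python
# Added example, not from the IBM deck. Names (name_from_url, render_vulnerable,
# render_hardened, session_cookie_header) are hypothetical.
import html
from urllib.parse import urlsplit, parse_qs

# Constructed sample: a link of the kind Evil.org would mail to the user.
# The "name" parameter carries markup instead of a name.
CRAFTED_URL = "https://bank.example/welcome?name=%3Cscript%3Ealert(1)%3C/script%3E"


def name_from_url(url: str) -> str:
    """Extract the 'name' query parameter exactly as the server would see it."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("name", [""])[0]


def render_vulnerable(name: str) -> str:
    """Vulnerable: the parameter is concatenated straight into HTML, so any
    <script> it carries runs in the victim's browser under bank.example's origin."""
    return f"<h1>Welcome, {name}</h1>"


def render_hardened(name: str) -> str:
    """Hardened: contextual output encoding turns markup characters into
    entities, so the browser displays the text instead of executing it."""
    return f"<h1>Welcome, {html.escape(name, quote=True)}</h1>"


def session_cookie_header(token: str) -> str:
    """Defence in depth: HttpOnly keeps the session cookie out of document.cookie,
    Secure keeps it off plain HTTP (the deck's SSL layer), SameSite limits
    cross-site sends. Cookie name and token value are constructed."""
    return f"Set-Cookie: JSESSIONID={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


def contains_active_script(rendered: str) -> bool:
    """Crude marker check, used here only to compare the two renderers."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    n = name_from_url(CRAFTED_URL)
    print("vulnerable:", render_vulnerable(n))
    print("hardened:  ", render_hardened(n))
    print(session_cookie_header("constructed-token-123"))
```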
(Diagram: Rational open platform / Team Server: Create Plan, Build Tests; Functional Testing, Performance Testing, Code Quality; integrations for SAP, Java, .NET, System z, System i and Open Lifecycle Service Integrations)
AppScan in the Rational Portfolio

(Diagram: Business Software Quality Solutions)
Test and Change Management:
- Requirements: Rational RequisitePro
- Test: Rational ClearQuest
- Change: Rational ClearQuest
- Defects: Rational ClearQuest
Development, Test Automation:
- Developer Test: Rational PurifyPlus, Rational Test RealTime
- Functional Test: automated with Rational Functional Tester Plus, Rational Functional Tester and Rational Robot; manual with Rational Manual Tester
- Performance Test: Rational Performance Tester
Quality Metrics: Project Dashboards, Detailed Test Results, Quality Reports
Operations
(Diagram: Web Application, HTTP Request, HTTP Response)
Reports