IBM Software Group

Discovering the Value of Verifying Web Application Security Using IBM Rational AppScan


Ong Khai Wei, Rational IT Specialist, ongkw@my.ibm.com

2009 IBM Corporation

IBM Software Group | Rational software

Objectives
Understand the web application environment
Understand and differentiate between network and application level vulnerabilities
Understand where the vulnerabilities exist
Understand how to leverage AppScan to perform an automated scan for vulnerabilities

Agenda
Security Landscape
Vulnerability Analysis
Automated Vulnerability Analysis
IBM Rational AppScan Overview

Security Landscape

The Alarming Reality

Hacking Stage 6
Wikipedia, Feb 9 2007

Why Application Security is a High Priority


Web applications are the #1 focus of hackers:
75% of attacks at Application layer (Gartner)
XSS and SQL Injection are #1 and #2 reported vulnerabilities (Mitre)

Most sites are vulnerable:
90% of sites are vulnerable to application attacks (Watchfire)
78% of easily exploitable vulnerabilities affected Web applications (Symantec)
80% of organizations will experience an application security incident by 2010 (Gartner)

Web applications are high value targets for hackers:
Customer data, credit cards, ID theft, fraud, site defacement, etc.

Compliance requirements:
Payment Card Industry (PCI) Standards, GLBA, HIPAA, FISMA, ...

The Security Landscape of the Past

Traditional infrastructure was easier to protect...
Concrete entities that were easy to understand
Attack surface and vectors were very well defined
Application footprint very static
Perimeter defense was king

Changing Security Landscape of Today

Webification has changed everything...
Infrastructure is more abstract and less defined
Everything needs a web interface
Agents and heavy clients are no longer acceptable
Traditional defenses no longer apply

Top Hack Attacks Today Target Web Applications

High Level Web Application Architecture Review

(Diagram) Internet -> Firewall (protects network) -> Client Tier: Browser -> SSL (protects transport) -> Middle Tier: App Server (Presentation, Business Logic) -> Data Tier: Database
Callouts: "Customer App is deployed here" (App Server) and "Sensitive data is stored here" (Database)

Network Defenses for Web Applications

Security:
Perimeter Firewall
IDS (Intrusion Detection System)
IPS (Intrusion Prevention System)
App Firewall (Application Firewall)
System Incident Event Management (SIEM)

The Myth: Our Site Is Safe

We Have Firewalls and IPS in Place
Port 80 & 443 are open for the right reasons

We Audit It Once a Quarter with Pen Testers
Applications are constantly changing

We Use Network Vulnerability Scanners
Neglect the security of the software on the network/web server

We Use SSL Encryption
Only protects data between site and user, not the web application itself

Reality: Security and Spending Are Unbalanced

75% of All Attacks on Information Security are Directed to the Web Application Layer
2/3 of All Web Applications are Vulnerable
(Source: Gartner)

Why Do Hackers Today Target Applications?

Because they know you have firewalls
So it's not very convenient to attack the network anymore
But they still want to attack, 'cos they still want to steal data

Because firewalls do not protect against app attacks!
So the hackers are having a field day!
Very few people are actively aware of application security issues

Because websites have a large footprint
No need to worry anymore about cumbersome IP addresses

Because they can!
It is difficult or impossible to write a comprehensively robust application
Developers are yet to have secure coding as second nature
Developers think differently from hackers
Cheap, Fast, Good: choose two, you can't have it all
It is also a nightmare to manually QA the application
White box static code analyzers don't test for inter-app relationships
Many companies today still do not have a software security QA policy or resource

What Can Happen?

Why Do Application Security Problems Exist?

IT security solutions and professionals are normally from the network / infrastructure / sysadmin side
They usually have little or no experience in application development
And developers typically don't know or don't care about security or networking

Most companies today still do not have an application security QA policy or resource
IT security staff are focused on other things and are swamped
AppSec is their job but they don't understand it and don't want to deal with it
Developers think it's not their job or problem to have security in coding
People who outsource expect the 3rd party to security QA for them

It is cultural currently to not associate security with coding
Buffer Overflow has been around for 25 years!
Input Validation is still often overlooked.

Vulnerability Analysis

Security Defects: Those I Manage vs. Those I Own

Infrastructure Vulnerabilities or Common Web Vulnerabilities (CWVs)
Cause of Defect: Insecure application development by 3rd party SW
Location within Application: 3rd party technical building blocks or infrastructure (web servers, ...)
Type(s) of Exploits: Known vulnerabilities (patches issued), misconfiguration
Detection: Match signatures & check for known misconfigurations
Business Risk Cost Control: Patch latency primary issue; as secure as 3rd party software

Application Specific Vulnerabilities (ASVs)
Cause of Defect: Insecure application development in-house
Location within Application: Business logic, dynamic data consumed by an application
Type(s) of Exploits: SQL injection, path tampering, Cross-site scripting, Suspect content & cookie poisoning
Detection: Requires application-specific knowledge
Business Risk Cost Control: Requires automatic application lifecycle security; early detection saves $$$

The OWASP Top 10 list
(Columns: Application Threat / Negative Impact / Example Impact)

1. Cross Site Scripting
Negative Impact: Identity theft, sensitive information leakage, ...
Example Impact: Hackers can impersonate legitimate users, and control their accounts.

2. Injection Flaws
Negative Impact: Attacker can manipulate queries to the DB / LDAP / other system
Example Impact: Hackers can access backend database information, alter it or steal it.

3. Malicious File Execution
Negative Impact: Execute shell commands on server, up to full control
Example Impact: Site modified to transfer all interactions to the hacker.

4. Insecure Direct Object Reference
Negative Impact: Attacker can access sensitive files and resources
Example Impact: Web application returns contents of sensitive file (instead of harmless one)

5. Cross Site Request Forgery
Negative Impact: Attacker can invoke blind actions on web applications, impersonating as a trusted user
Example Impact: Blind requests to bank account transfer money to hacker

6. Information Leakage and Improper Error Handling
Negative Impact: Attackers can gain detailed system information
Example Impact: Malicious system reconnaissance may assist in developing further attacks

7. Broken Authentication & Session Management
Negative Impact: Session tokens not guarded or invalidated properly
Example Impact: Hacker can force session token on victim; session tokens can be stolen after logout

8. Insecure Cryptographic Storage
Negative Impact: Weak encryption techniques may lead to broken encryption
Example Impact: Confidential information (SSN, Credit Cards) can be decrypted by malicious users

9. Insecure Communications
Negative Impact: Sensitive info sent unencrypted over insecure channel
Example Impact: Unencrypted credentials sniffed and used by hacker to impersonate user

10. Failure to Restrict URL Access
Negative Impact: Hacker can access unauthorized resources
Example Impact: Hacker can forcefully browse and access a page past the login page

1. Cross Site Scripting (XSS)

What is it?
Malicious script echoed back into HTML returned from a trusted site, and runs under trusted context
What are the implications?
Session tokens stolen (browser security circumvented)
Complete page content compromised
Future pages in browser compromised

Why & Where XSS Happens

User data is embedded in HTML response
JS is embedded in page, as if originating from the trusted site

Cross Site Scripting: The Exploit Process
(Diagram with three parties: Evil.org, User, Bank.com)

1. Link to bank.com sent to user via Email or HTTP
2. User sends script embedded as data
3. Script returned, executed by browser
4. Script sends user's cookie and session information without the user's consent or knowledge; Evil.org uses stolen session information to impersonate user
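The mechanism behind the "Why & Where XSS Happens" slide and the exploit process above, as an added example that is not part of the original deck: the same search page rendered once with user data embedded verbatim and once HTML-encoded, plus the HttpOnly cookie attribute that blunts the "session tokens stolen" impact. The page template, the `q` parameter and the sample request are constructed for illustration.

```python
import html
from urllib.parse import parse_qs

# Constructed page template (hypothetical search page, not from the slides).
TEMPLATE = "<html><body><h1>Search results for: {term}</h1></body></html>"


def query_term(query_string: str) -> str:
    """Pull the untrusted 'q' parameter out of the request's query string."""
    return parse_qs(query_string).get("q", [""])[0]


def render_unsafe(query_string: str) -> str:
    """Vulnerable handler: user data is embedded verbatim in the HTML
    response, so a <script> element in 'q' is echoed back and the browser
    runs it as if it came from the trusted site (reflected XSS)."""
    return TEMPLATE.format(term=query_term(query_string))


def render_safe(query_string: str) -> str:
    """Hardened handler: HTML-encode the value before embedding it, so the
    browser renders the input as text rather than as markup."""
    return TEMPLATE.format(term=html.escape(query_term(query_string), quote=True))


def session_cookie_header(session_token: str) -> str:
    """Defence in depth against the 'session tokens stolen' impact: an
    HttpOnly cookie is invisible to page script, so even a script that does
    get injected cannot read it from document.cookie."""
    return f"SESSIONID={session_token}; HttpOnly; Secure; Path=/"


def contains_active_script(page: str) -> bool:
    """Output check: does the rendered page still contain a live <script> tag?"""
    return "<script" in page.lower()


# Constructed sample request: a harmless marker script standing in for the
# attacker's payload on the slide. parse_qs percent-decodes it for us.
SAMPLE_QUERY = "q=%3Cscript%3Eprobe()%3C%2Fscript%3E"

if __name__ == "__main__":
    print(render_unsafe(SAMPLE_QUERY))  # <script> tag survives: vulnerable
    print(render_safe(SAMPLE_QUERY))    # &lt;script&gt;...: shown as text
```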

2. Injection Flaws

What is it?
User supplied data is sent to an interpreter as part of a command, query or data.
What are the implications?
SQL Injection: Access/modify/delete data in DB
SSI Injection: Execute commands on server and access sensitive data
LDAP Injection: Bypass authentication
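The "user supplied data becomes part of a command" flaw from this slide, as an added example that is not part of the original deck: a login check that concatenates input into SQL beside the parameterised version, run against a constructed in-memory SQLite table (the table, user and inputs are constructed; passwords are kept in clear only to keep the example short).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_unsafe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable: user-supplied data is spliced into the command text, so the
    interpreter (SQLite) cannot tell where the data ends and the query
    resumes; a quote in the input rewrites the WHERE clause."""
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: the query text is fixed and the values travel as bound
    parameters, so they are compared as data whatever characters they hold."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Constructed inputs: a valid login, a wrong password, and the textbook
# tautology that turns the concatenated WHERE clause into "always true".
VALID = ("alice", "correct-horse")
WRONG = ("alice", "wrong-password")
TAUTOLOGY = ("alice", "x' OR '1'='1")

if __name__ == "__main__":
    db = make_db()
    print("unsafe, tautology:", login_unsafe(db, *TAUTOLOGY))  # True: bypass
    print("safe,   tautology:", login_safe(db, *TAUTOLOGY))    # False
```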

SQL Injection Example I

SQL Injection Example II

SQL Injection Example: Exploit

SQL Injection Example: Outcome

Automated Vulnerability Analysis: IBM Rational AppScan

Security Testing Is Part of SDLC Quality Testing

(Diagram: Collaborative Application Lifecycle Management / SDLC Quality Assurance)
Quality Dashboard, Requirements Management, Test Management and Execution, Defect Management
Create Plan -> Build Tests -> Manage Test Lab -> Report Results
Team Server: Open Platform, Best Practice Processes, Open Lifecycle Service Integrations (SAP, Java, .NET, System z, i, homegrown)
Test disciplines: Functional Testing, Performance Testing, Web Service Quality, Code Quality, Security and Compliance

AppScan in the Rational Portfolio

(Diagram: Business Software Quality Solutions, spanning Development and Operations)
Test and Change Management: Requirements (Rational RequisitePro); Test (Rational ClearQuest); Change (Rational ClearQuest); Defects (Rational ClearQuest)
Test Automation:
Developer Test: Rational PurifyPlus, Rational Test RealTime
Functional Test: Rational Functional Tester Plus; Automated: Rational Functional Tester, Rational Robot; Manual: Rational Manual Tester
Security and Compliance Test: AppScan, PolicyTester
Performance Test: Rational Performance Tester
Quality Metrics: Project Dashboards, Detailed Test Results, Quality Reports

Rational AppScan

What is it?
AppScan is an automated tool used to perform vulnerability assessments on Web Applications
Why do I need it?
To simplify finding and fixing web application security problems
What does it do?
Scans web applications, finds security issues and reports on them in an actionable fashion
Who uses it?
Security Auditors: main users today
QA engineers: when the auditors become the bottleneck
Developers: to find issues as early as possible (most efficient)

How does AppScan work?

Approaches an application as a black box
Traverses a web application and builds the site model
Determines the attack vectors based on the selected Test policy
Tests by sending modified HTTP requests to the application and examining the HTTP response according to validate rules

(Diagram: AppScan sends HTTP Request to the Web Application and inspects the HTTP Response)

AppScan Goes Beyond Pointing out Problems

Configuration Wizard

Scanning in Progress

Identify Vulnerabilities

Actionable Fix Recommendations (MOST IMPORTANT)

Reports

AppScan with QA Defect Logger for ClearQuest

Session summary

Understand the web application environment
Understand and differentiate between network and application level vulnerabilities
Understand where the vulnerabilities exist
Hands-on exercises to understand types of vulnerabilities
Hands-on exercise to leverage automated scan for vulnerabilities
