This morning (1/21/15) I attended the ISACA (previously the Information Systems Audit and Control Association) meeting:
http://www.isaca.org/chapters5/Saint-Louis/Pages/default.aspx
"The Past, Present and Future of Web Application Security" by Christopher Boyd
Good quote: "sometimes I talk to the 'security echo chamber'", i.e. talking to other security people.
The PAST
The first web page is still on the Internet: http://info.cern.ch/hypertext/WWW/TheProject.html The Web became publicly accessible on Aug. 6, 1991.
The PRESENT
OWASP is important: https://www.owasp.org/index.php/Main_Page
OWASP top 10:
https://www.owasp.org/index.php/Top_10_2013-Top_10
1. Injection
2. Broken authentication and session management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object Reference
5. Security Misconfiguration
6. Sensitive data exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using components with known vulnerabilities
10. Unvalidated redirects and forwards
All of the Web app problems stem from 3 basic issues:
1. Input validation
2. Redirection
3. Authentication
Of course SQL injection is important, but it is not as prevalent as it used to be.
I focus on more esoteric problems, since many programmers have already fixed many security issues, like improper error handling, where an error sends more information to the hacker than you anticipated. (Burp Suite can find the differences in bytes.)
How to fix some of these problems?
Validate all input
Context-sensitive escaping/encoding (redirection)
Use libraries for encryption
For cross-site scripting the enemy is the following: < ' "
This is a typical test case: <script> alert("xss") ; </script>
The Browser Exploitation Framework (BeEF) is a good program for testing your own applications, and typically if someone is loading hook.js, someone is using BeEF.
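The "context-sensitive escaping" point above, as an added example that is not from the talk or these notes: the same untrusted string (the talk's test case) is inserted into three different HTML contexts, and each insertion point gets the escaping that context needs. The function names are my own; the "unsafe" renderer is the before, the "safe" one the after.

```python
import html
import json

# The talk's XSS test case, used here as the untrusted input.
XSS_TEST_CASE = '<script> alert("xss") ; </script>'


def render_unsafe(name: str) -> str:
    """The 'before': untrusted input concatenated straight into HTML."""
    return "<p>Hello, " + name + "</p>"


def escape_html_body(value: str) -> str:
    """Element content: & < > " ' all become entities (the talk's < ' " included)."""
    return html.escape(value, quote=True)


def escape_html_attr(value: str) -> str:
    """Attribute value: same entity set, and the value is always double-quoted
    so an unquoted attribute cannot be terminated by a space."""
    return '"' + html.escape(value, quote=True) + '"'


def escape_js_string(value: str) -> str:
    """Inside a <script> block HTML entities do NOT help; emit a JSON string
    literal and replace < > & with \\u escapes so '</script>' cannot close
    the block."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_safe(name: str) -> str:
    """The 'after': one escaper per context, chosen by where the data lands."""
    return (
        "<p title=" + escape_html_attr(name) + ">Hello, "
        + escape_html_body(name) + "</p>\n"
        "<script>var user = " + escape_js_string(name) + ";</script>"
    )


def contains_raw_script_tag(rendered: str) -> bool:
    """True if a literal <script or </script from the input survived escaping
    (beyond the one <script> block the template itself emits)."""
    return rendered.count("<script") > 1 or rendered.count("</script") > 1


if __name__ == "__main__":
    print(render_unsafe(XSS_TEST_CASE))
    print(render_safe(XSS_TEST_CASE))
```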
CSRF (Cross-Site Request Forgery) means getting you to click on a link that rides on your currently open, already-authenticated sessions.
Double-submit cookies are a no-no.
Creating a Data Flow Diagram will help you; you can even use Microsoft's flow diagram tool.
WAF – Web Application Firewall: "but control", app profiling
OWASP Top 10 Proactive Controls are important to understand:
https://www.owasp.org/index.php/OWASP_Proactive_Controls
But the OWASP Application Security Verification Standard (ASVS) is really good. (Chris thought this would appeal to ISACA due to the auditing nature of the group.)
TLS 1.2 is the current SSL version (POODLE takes advantage of SSL v3.0).
POODLE is the HTTPS downgrade attack example.
HSTS (HTTP Strict Transport Security) is OK, even though programmers don't like to be shoehorned.
THE FUTURE
Certificate Transparency is coming.
"Content Security Policy" on your websites:
report collection
source whitelisting
OWASP AppSensor: Application Intrusion Detection & Response,
embedded into the application logic.
Ubiquitous HTTPS is coming.
Chrome's SPDY protocol requires TLS already.
"Let's Encrypt" was another good quote before time ran out.