Skip to content

Excellent ISACA event on Web Application Security

This morning (1/21/15) attended ISACA (previously the Information Systems Audit and Control Association) meeting:

http://www.isaca.org/chapters5/Saint-Louis/Pages/default.aspx

The past present and future of Web Application Security by Christopher Boyd

 

Good quote  sometimes I talk to the "Security echo chamber"  i.e. talking to other security people

The PAST

the first web page is still on the Internet: http://info.cern.ch/hypertext/WWW/TheProject.html  The Web became publicly accessible on Aug. 6, 1991.

The PRESENT

OWASP is important   https://www.owasp.org/index.php/Main_Page

OWASP top 10:

https://www.owasp.org/index.php/Top_10_2013-Top_10

1. Injection

2. Broken authentication and session management

3. (XSS) Cross-Site Scripting

4. Insecure Direct Object Reference

5. Security Misconfiguration

6. Sensitive data exposure

7. Missing level function access control

8. (CSRF) Cross-site request forgery

9. Using components with known vulnerabilities

10. Unvalidated redirects and forwards

 

All of the Web app problems stem from 3 basic issues

1. Input validation

2. Redirection

3. authentication

 

Of course SQL injection is important, but not as prevalent as it used to be

I focus on more esoteric problems, since many programmers have fixed many security issues already, like improper error handling where an error sends more information than you anticipated to the hacker.  (Burp Suite can find the differences in bytes)

 

How to fix some of these problems?

Validate all input

context sensitive escaping/coding (redirection)

use libraries for encryption

 

for cross-site scripting the enemy is the following: < ' "

this is a typical test case: <script> alert("xss") ; </script>

 

The browser exploitation framework (BeEF is a good program to work with testing your programs) and typically if someone is trying hook.js someone is using BeEF.

 

CSRF (Cross-site Request Forgery) means to click on a link and use all the current open connections

 

Double submit cookies is a no no

 

creating a Data flow Diagram will help you. you can even use Microsoft flow diagram

WAF - Web Application Firewall "But control"   App profiling

 

OWASP top10 Proactive controls are important to understand

https://www.owasp.org/index.php/OWASP_Proactive_Controls

 

But the OWASP App security verification standard is really good.  (Chris thought this would appeal to ISACA due to the auditing nature of the group)

https://www.owasp.org/index.php/Project_Information:template_Application_Security_Verification_Standard

 

TLS 1.2 is current SSL version (POODLE takes advantage of SSL v3.0)

POODLE is the https downgrade attack example

HSTS is ok Strict Transport Security even though programmmers don't like to be shoe horned

THE FUTURE

Certificate transparency is coming

"Content Security Policy" on your websites

report collection

Source whitelisting

OWASP Appsensor   Application  Intrusion Detection & Response

embedded into logic

 

Ubiquitous HTTPS is coming

chrome SPDY protocol requires TLS already

" Let's encrypt"   was another good quote before time ran out.

Leave a Reply