
Applied Application Security
ISM 6124
JOE PARTLOW
JONATHAN ECHAVARRIA
Who are we?

• Joe Partlow (jpartlow@reliaquest.com) – CTO, ReliaQuest
  • Joe has been in the IT and Information Security industry for 20+ years and has experience in Operations Management, Information Security, Network Security, Systems Design, Risk Assessment, Database Administration, Network Infrastructure, Web Application Development, Systems Design & Integration and Project Management. Joe holds a BS in MIS from Purdue University and has industry certifications including CISSP, CISM, NSA-IAM, GSEC and CEH, as well as many vendor product certifications.
• Jonathan Echavarria (jechavarria@reliaquest.com) – Senior Security Engineer, ReliaQuest
  • Jonathan has worked for ReliaQuest for over 6 years. Currently he works as an Innovations Engineer while performing security research in his spare time. His primary interests include adversary emulation, reverse engineering, and good old-fashioned breaking into networks; he holds a number of industry certifications including OSCE, OSCP and CEH.
Presentation Overview

• Building on the course learning outcome of "Designing secure software systems with the latest cybersecurity methods", this presentation reviews common secure software development lifecycle (S-SDLC) methodologies, typical vulnerabilities in software and the exploits used against applications, and current issues with monitoring applications. We will also demonstrate how a typical Agile secure SDLC is implemented, along with some example code exploits and attack methodologies.
SDLC
SDLC Components

• SDLC Methodology – Agile, Rapid Application Development, Waterfall, Incremental/Iterative
• Development Environments – Development, QA, UAT, Production
• Programming Languages – Java, C++, Python
• Programming IDEs – Visual Studio, Eclipse, Android Studio, Xcode
• Source Control/Build Servers – Git, Team Foundation Server, Jenkins
• Testing Process – Unit, Security, Performance, User Acceptance
• Bug Tracking – Jira, ServiceNow
Testing Methodologies

• Static Application Security Testing (SAST) – static analysis examines the software without executing it
  • Analysis of source code
  • Analysis of bytecode for languages that compile to a virtual machine (Java, C#)
  • Analysis of the raw binary of a compiled application (C/C++)
• Dynamic Application Security Testing (DAST) – dynamic analysis tests and evaluates the program by running it and observing its behaviour on real inputs
  • Input/output validation flaws (Cross-Site Scripting, SQL Injection, etc.)
  • Application-specific logic problems
  • Server configuration mistakes
• Either can be done white-box (with source and code review) or black-box (against the running application with no internal knowledge)
S-SDLC Prerequisites

• Business Risk Factors
  • Business impact
  • Value of assets
  • Information risk management
• Technical Risk Factors
  • Technical impacts
  • Value of data
  • Software risks associated with threats & vulnerabilities
• Risk Remediation
  • Cost to fix vulnerabilities vs. cost of exploitation
  • Translate technical risks into business risks
  • Assess, evaluate and prioritize by business impact
S-SDLC Methodologies

• Gary McGraw's Touchpoints model (seven software security touchpoints applied to the artifacts an existing SDLC already produces)
  http://www.swsec.com/resources/touchpoints/
• CMMI for Development (CMMI-DEV), the SEI's process maturity model
  https://cmmiinstitute.com/cmmi/dev
• Building Security In Maturity Model (BSIMM)
  https://www.bsimm.com
• Microsoft Security Development Lifecycle (SDL)
  https://www.microsoft.com/en-us/SDL
• OWASP Software Assurance Maturity Model (SAMM), which the OWASP Secure SDLC guidance follows
  https://www.owasp.org/index.php/OWASP_SAMM_Project
Agile S-SDLC in Practice

• Ideas for projects go on a Kanban board
• Project acceptance and solution initiation document created
• Project requirements gathered
• Requirements and design documents written with security considerations outlined
• Development finished and initial unit testing done by developers
• QA process
  • Normal QA testing, with security scanning added
• Code passes QA and is deployed to the staging environment
  • Unit testing and red team/vulnerability tests against the staging ("production-like") environment
• Ongoing platform vulnerability scans and red teaming against the real production servers
Application Security Focus/Skillsets

• Web Application Security
• Reverse Engineering
• Malware Analysis
• Database Security
• Mobile Security
• Application Integration (customization, APIs, etc.)
• Appliance Administration (WAF, DAM, CASB, etc.)
• Cloud Platforms (DevOps in general)
• Exploit Creation
Common Vulnerabilities & Exploits

• SQL injection
• Cross-site scripting
• Insecure cryptographic storage/use
• Vulnerable third-party components
• Sensitive data exposure
• Insecure/incorrect authentication & session management
• Plaintext/hardcoded credentials
Finding Application Vulnerabilities

• Burp Suite is the de facto web application testing tool
  • Proxy to view hidden fields, or change field values to test whether validation is only client-side
  • Spidering to map the site's content
  • robots.txt and DirBuster are a good start for locating sensitive areas
  • Watch for unintended consequences of hitting every page and brute-forcing every field (e.g. submitting real orders or flooding a mailbox)
• Binary reversing
  • Look for vulnerabilities by analyzing closed-source code
• Vulnerability scanners work as well – Rapid7 Nexpose, IBM AppScan, Micro Focus Fortify
  • They carry checks for many commercial applications and popular frameworks
  • Also look for misconfigurations in platforms (e.g. WordPress)
Attacking & Defending

• User Access
  • Commonly a web form with application users stored in a DB
  • Internal apps mostly use LDAP (Active Directory)
• Authentication
  • Watch for weak controls or methods and non-centralized user management
  • Send credentials only over an encrypted channel (TLS) so they can't be intercepted; plain HTTP or FTP logins expose them on the wire
  • Don't ship easy-to-guess default credentials
  • Use CAPTCHAs and a maximum number of tries (lockout or rate limiting) to blunt brute forcing
• Session Management – handles variables and tokens server-side and tracks the user's interaction
  • Sessions should time out after a reasonable period (e.g. banking apps, shopping carts)
  • Don't use predictable user IDs or session tokens; generate tokens from a cryptographic random source
• Access Control – applies both to DB tables and to admin-protected areas of the site
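The authentication and session controls listed above (maximum tries, unpredictable tokens, idle timeout, a salted password hash compared in constant time), put together in one small server-side service. This is an added example written for this edit, not code from the presentation; the class name AuthService, the thresholds at the top and the injectable clock are this example's own choices.

```python
"""Login throttling and session handling. Added example, not from the slides."""
import hashlib
import hmac
import secrets
import time

MAX_TRIES = 5                # failed logins allowed before the account locks
LOCKOUT_SECONDS = 15 * 60    # how long a locked account stays locked
IDLE_TIMEOUT = 10 * 60       # a session expires after this much inactivity
PBKDF2_ROUNDS = 100_000      # assumed work factor for the example


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Compared against when the username does not exist, so unknown and known
# usernames cost the same time (no username enumeration via timing).
DUMMY_CREDENTIAL = hash_password("", b"\0" * 16)


class AuthService:
    def __init__(self, clock=time.time):
        self.clock = clock        # injectable so tests can move time forward
        self.users = {}           # username -> (salt, digest)
        self.failures = {}        # username -> (failed count, locked-until timestamp)
        self.sessions = {}        # token -> {"user": ..., "last": last-seen timestamp}

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password):
        """Return a session token on success, None on failure or while locked out."""
        now = self.clock()
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return None                         # locked: don't even check the password
        salt, digest = self.users.get(username, DUMMY_CREDENTIAL)
        _, candidate = hash_password(password, salt)
        if username in self.users and hmac.compare_digest(candidate, digest):
            self.failures.pop(username, None)   # success clears the failure counter
            token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not a counter
            self.sessions[token] = {"user": username, "last": now}
            return token
        count += 1
        self.failures[username] = (0, now + LOCKOUT_SECONDS) if count >= MAX_TRIES else (count, 0.0)
        return None

    def user_for(self, token):
        """Resolve a session token to its user, expiring idle sessions on the way."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        now = self.clock()
        if now - sess["last"] > IDLE_TIMEOUT:
            del self.sessions[token]
            return None
        sess["last"] = now                      # sliding idle window
        return sess["user"]
```

The lockout is keyed by username, which is what the slide's "maximum tries" means; in production you would also throttle by source IP, and a lockout like this can itself be abused to deny service to a victim account, which is why many sites pair it with a CAPTCHA rather than a hard lock.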
Attacking & Defending

• User Input
  • Many built-in validation controls are available (type, length, special characters)
  • Don't rely on client-side validation only
    • Client-side controls can be bypassed by editing the request in an intercepting proxy
  • Sanitize and mask sensitive data in form fields, sessions and cookies (e.g. credit cards, SSNs)
  • A Web Application Firewall (WAF) is a good technology for catching many of these bad requests, but its findings should also be reported back to developers so they can fix the root cause
Attacking & Defending

• Databases
  • Use parameterized queries or stored procedures instead of in-line SQL built from user input (stored procedures are not foolproof, since they can build dynamic SQL internally, but they raise the bar)
  • Database Activity Monitoring (DAM) technologies perform many checks for the database tier, similar to what a WAF does for the front end
    • Looks for large result sets, SELECT *, etc.
    • Again, a good front-line defense, but DBAs need to correct the findings
  • Restrict the application's access to the tables it needs, with the correct permissions
    • Service account permissions are hard to keep track of, but essential for limiting unintended SELECTs or DELETEs
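To make the in-line SQL point concrete, here is an added example (written for this edit, not the presentation's web demo) that runs the same lookup both ways against a throwaway in-memory SQLite database, so the injection can be observed directly, plus a toy version of the DAM rule the slide describes. The table, the rows and the payload are constructed; dam_check and its 100-row threshold are this example's own.

```python
"""In-line SQL vs. parameterized query, observed on SQLite. Added example."""
import sqlite3

PAYLOAD = "' OR '1'='1"     # classic tautology, constructed for the example


def make_db():
    """Throwaway database with three constructed users."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "letmein")])
    return con


def lookup_inline(con, name):
    """Vulnerable: the input is spliced into the statement text, so the quote
    in PAYLOAD closes the literal and the OR clause matches every row."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_parameterized(con, name):
    """Hardened: the driver binds the value; quotes inside it never reach the
    SQL parser, so PAYLOAD is just a name nobody has."""
    return [row[0] for row in con.execute("SELECT name FROM users WHERE name = ?", (name,))]


def dam_check(sql, rows, max_rows=100):
    """Toy database-activity-monitoring rule in the spirit of the slide: flag
    'SELECT *' and unexpectedly large result sets. Returns a list of alerts."""
    alerts = []
    if "select *" in " ".join(sql.lower().split()):
        alerts.append("SELECT * used")
    if len(rows) > max_rows:
        alerts.append(f"{len(rows)} rows returned (limit {max_rows})")
    return alerts


if __name__ == "__main__":
    con = make_db()
    print("in-line SQL:      ", lookup_inline(con, PAYLOAD))       # every user
    print("parameterized SQL:", lookup_parameterized(con, PAYLOAD))  # nobody
```

Note that the fix is binding, not quoting: the parameterized version does no escaping of its own, which is why it holds up against payloads that escaping routines miss. The least-privilege bullet above is not shown here because SQLite has no per-table grants; on a server database the application's service account would get SELECT on users and nothing else.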
Attacking & Defending

• Information Disclosure
  • Show users a generic error page; keep stack traces and debug output out of responses
  • Keep connection strings and query text out of debug output and out of files the web server may serve as plain text (the classic old .inc file problem)
  • Log all requests & errors – but not sensitive info!
    • Especially authentication & administrative events
  • Push all logs to a central server rather than keeping them only on the application server, where a compromise can alter or delete them
  • Generate database alerts too (e.g. an admin user inserted directly into the table, which regular application audit logs wouldn't catch)
Exploitation Demos

• redirection.elf
  • A demonstration of exploiting a simple buffer overflow vulnerability to reach a function that is normally unreachable within the application
• keygen.elf
  • A demonstration of analyzing a key authentication algorithm and exploiting what was learned to bypass it
• Web application demos
  • Various attacks commonly carried out against a web application
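The keygen.elf binary itself is not on this page, so as an added example of the technique the demo describes, here is a constructed serial-number check of the kind one typically recovers by reversing a small crackme (a hash of the user name tied to a second field through a constant), followed by the keygen that inverts it. Everything here is this edit's own: the MAGIC constant, the hash, the key layout and the function names are assumptions, not the algorithm in the real demo.

```python
"""A constructed key check and the keygen derived from it. Added example,
not the keygen.elf demo from the presentation."""
import re

MAGIC = 0x5A17C3E9        # constant assumed to have been read out of the binary
KEY_FORMAT = re.compile(r"[0-9A-F]{8}-[0-9A-F]{8}")


def name_hash(name):
    """djb2-style rolling hash over the user name, truncated to 32 bits.
    This is the 'unknown function' one would label while reversing."""
    h = 0x1505
    for b in name.encode():
        h = ((h * 33) ^ b) & 0xFFFFFFFF
    return h


def check_key(name, key):
    """The target's validator as recovered: key is AAAAAAAA-BBBBBBBB where
    A == name_hash(name) and A XOR B == MAGIC."""
    if not KEY_FORMAT.fullmatch(key):
        return False
    a, b = int(key[:8], 16), int(key[9:], 16)
    return a == name_hash(name) and (a ^ b) == MAGIC


def keygen(name):
    """Invert the check: A is forced by the name, and since A ^ B == MAGIC,
    B must be A ^ MAGIC. No brute force needed once the relation is known."""
    a = name_hash(name)
    return f"{a:08X}-{a ^ MAGIC:08X}"


if __name__ == "__main__":
    user = "ISM 6124"
    key = keygen(user)
    print(user, "->", key, "valid:", check_key(user, key))
```

The other route the demo title hints at ("bypass") is to patch the conditional jump after check_key so it always succeeds; the keygen is preferable when the key is also used elsewhere (e.g. derived into a decryption key), because patching one branch does not fix those uses.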
Monitoring Applications

• Application logs are the log source most commonly missing from SIEM/logging tools, yet one of the most important, since applications often hold the "crown jewels"
• Most of the issues we see in production environments fall into one of the following categories, each with its own challenges:
  • Configuration or procedural errors
  • Actual insecure coding practices
Monitoring Use Cases

• Application logging is typically the hardest for an organization to get right, so it is rarely done
• Logs should carry the following key elements: user, IP, request, date, status, size, query string, referrer
• Ideally the security team would like to see the following types of events:
  • Users logging into the site, what pages they visited and where they came from
  • An audit of all actions they performed on those pages
  • An audit of all administrative changes to configurations (server or app)
Config/Procedural Difficulties

• There are many hindrances to getting visibility into applications and effective monitoring, apart from actual coding practices:
  • Lack of a complete inventory of applications in use
  • Undocumented third-party components
  • Unidentified service accounts in use (also overly permissive or reused)
  • Third-party/outsourced development teams
  • Insufficient testing time/resources
Codebase Difficulties

• There are also many hindrances related to the codebase itself that affect monitoring:
  • Lack of consistent logging across platforms or within components of the same application
  • No common logging architecture (log4j, log4net, NLog, Serilog, etc.)
  • Excessive debug messages
  • Inconsistent log message formats that cause parsing issues (multi-line messages, malformed XML, etc.)
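An added example serving both the Monitoring Use Cases slide (the key elements a request log should carry, and the "don't log sensitive info" rule from the information disclosure slide) and the Codebase Difficulties slide (one consistent, machine-parseable format): every request becomes one JSON line with the same fields in the same order, card numbers and SSNs are masked before the line is written, and a simple detection is run over a few constructed lines. This is example code written for this edit, not the presentation's; the field list, the regexes, the sample events and the failed-login threshold are its own assumptions.

```python
"""Consistent request logging with redaction, and a detection over it.
Added example, not from the slides."""
import json
import re
from collections import defaultdict

# The key elements from the Monitoring Use Cases slide, always in this order.
FIELDS = ("user", "ip", "request", "date", "status", "size", "query", "referrer")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")    # loose PAN pattern, assumed for the example
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def redact(text):
    """Mask SSNs entirely and card numbers down to their last four digits."""
    text = SSN_RE.sub("***-**-****", text)
    return CARD_RE.sub(lambda m: "*" * 12 + re.sub(r"\D", "", m.group())[-4:], text)


def log_line(**event):
    """Serialize one request event as a single JSON line. Missing keys are
    emitted as null so every line has the same shape and parses the same way;
    the free-text fields are redacted before they are written anywhere."""
    record = {k: event.get(k) for k in FIELDS}
    for k in ("request", "query", "referrer"):
        if record[k]:
            record[k] = redact(record[k])
    return json.dumps(record, sort_keys=True)


def failed_login_bursts(lines, threshold=3):
    """Detection: source IPs with at least `threshold` failed POST /login requests.
    Returns the offending IPs, sorted."""
    counts = defaultdict(int)
    for line in lines:
        rec = json.loads(line)                    # one line == one record, no multi-line parsing
        if rec["request"].startswith("POST /login") and rec["status"] == 401:
            counts[rec["ip"]] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def _req(ip, status, request="POST /login", query=""):
    """Helper to build constructed sample events."""
    return log_line(user="-", ip=ip, request=request, date="2018-11-01T10:00:00Z",
                    status=status, size=120, query=query, referrer="/")


# Constructed sample: three failures from one address, one from another, one success
# that carries a card number in its query string.
SAMPLE = [
    _req("203.0.113.7", 401), _req("203.0.113.7", 401), _req("203.0.113.7", 401),
    _req("198.51.100.2", 401),
    _req("198.51.100.2", 200, query="card=4111111111111111&ssn=123-45-6789"),
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(line)
    print("brute-force candidates:", failed_login_bursts(SAMPLE))
```

The redaction is deliberately applied at the point the line is built rather than at the SIEM, because a card number that reaches disk or a central collector is already a disclosure. The threshold here is tiny so the sample triggers; a real rule would count per IP over a sliding window and correlate with the eventual 200 that marks a successful guess.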
Additional Resources

• Good online guides for Application Security
  • https://www.owasp.org/index.php/Main_Page
  • https://wiki.sei.cmu.edu/confluence/display/seccode/SEI+CERT+Coding+Standards
  • https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
  • https://www.sans.org/courses/developer
• Recommended books on Application Security
  • The Web Application Hacker's Handbook
  • Practical Malware Analysis
  • Reversing: Secrets of Reverse Engineering
Additional Resources – Cont.

• Recent conference presentations on Application Security
  • http://www.irongeek.com/i.php?page=videos/bsidescleveland2018/c03-tools-and-procedures-for-securing-net-applications-sam-nasr
  • http://www.irongeek.com/i.php?page=videos/grrcon2018/grrcon-2018-lovelace07-my-first-year-in-application-security-whitney-phillips
  • http://www.irongeek.com/i.php?page=videos/bsidescolumbus2018/p00-shifting-application-security-left-craig-stuntz
  • http://www.irongeek.com/i.php?page=videos/bsidestampa2018/track-303-modern-web-application-security-julien-vehent
  • http://www.irongeek.com/i.php?page=videos/circlecitycon2017/108-application-security-metrics-caroline-wong
  • http://www.irongeek.com/i.php?page=videos/showmecon2017/showmecon-107-kick-starting-an-application-security-program-tim-de-block
  • https://www.youtube.com/watch?v=I8AhfDEKUQ4
Application Security Companies

Many of these companies also have very good whitepapers or blogs on application security:

• Veracode - https://www.veracode.com
• WhiteHat Security - https://www.whitehatsec.com
• PortSwigger (Burp Suite) - https://portswigger.net
• IBM (AppScan) - https://www.ibm.com/security/application-security/appscan
• Micro Focus - https://software.microfocus.com/en-us/solutions/application-security
• Rapid7 - https://www.rapid7.com/products/InsightAppSec
• Hex-Rays (IDA) - https://www.hex-rays.com/index.shtml
• Checkmarx - https://www.checkmarx.com
• Qualys - https://www.qualys.com/solutions/web-app/
• Acunetix - https://www.acunetix.com
Questions?

Thank You!

• Joe Partlow – jpartlow@reliaquest.com
• Jonathan Echavarria – jechavarria@reliaquest.com
