Software Security

Agenda

i. Why security for applications?

ii. What is holistic security?
iii. Threat model for software
iv. Owasp Top10
Why security for applications?
 Why security for applications?

Q: Which threats and vulnerabilities information security professionals are tackling?

Conclusion: Application vulnerabilities topped the list of threats

 Why security for applications?

Q: Define the level of security concern among SDLC phases

Conclusion: Security concerns fluctuate significantly, being more major in the design.
(Ideally).
 Why security for applications?

Cost of fixing code issues at different stages of the SDLC

What is holistic security?
 Holistic security
¿What holistic security means?

It means secure applications running on secure hosts (OS) in secure networks.

It is pivotal to recognize that software is only as secure as the weakest link.
 Holistic security

¿Why holistic security can not be achieved regularly?

Software development projects always are defined by scope, budget and

schedule, and almost always these are so rigid and with no space for security

Managers do not consider

investments in security have
a return. This results in:

Security as an add-on
Very bad and worst practice
Iron Triangle Constraints
Threat Model for Software
 Threat Model for Software

Practical case: Finding risk for a web store

Zion, Inc. is in the business of selling and renting Zii game consoles, games,
and accessories. Lately, it has been losing market share to online competitors
who are providing a better customer experience than Zion’s establishments.
Zion, Inc,. wants to secure its #1 market leader position for gaming
products and services. The company plans to provide a secure, uninterrupted,
and enhanced user experience to its existing and prospective customers. Zion,
Inc., has contracted your organization to perform a risk analysis exercise for
its online strategy. Customer conditions:

1. Customers should be able to search for products and place their orders using the
web store or by calling the sales office.
2. Prior to a customer’s placing an order, a customer account needs to be created.
3. Customer must pay with a credit card or debit card.
4. Customers must be logged in before they are allowed to personalize their
preferences.
5. Customers should be able to write reviews of only the products they purchase.
6. Sales agents are allowed to give discounts to customers.
7. Administrators can modify and delete customer and product information.
Threat Model for Software
 Threat Model for Software
Diagram Application Architecture
Physical topology
 Threat Model for Software
Diagram Application Architecture
Logical topology
 Threat Model for Software
Diagram Application Architecture
Components, services, protocols, and ports
 Threat Model for Software
Diagram Application Architecture
Identities that will be used in the application
 Threat Model for Software
Diagram Application Architecture
Human and non-human actors of the system
 Threat Model for Software
Diagram Application Architecture
 Risk management
Diagram Architecture Application

Data access control matrix

 Risk management

Identify threats
 Risk management
Damage Potential (D)
1 = Nothing
2 = Individual user data is compromised or DREAD
affected
(Damage Potential, Reproducibility,
3 = Complete system or data destruction
Exploitability, Affected Users, and
Reproducibility (R) Discoverability)
1 = Very hard or impossible, even for
administrators of the
application Affected Users (A)
2 = One or two steps required; may need to 1 = None
be an authorized user 2 = Some users or systems, but not all
3 = Just the address bar in a web browser is 3 = All users
sufficient, without Authentication
Discoverability (DI)
Exploitability (E) 1 = Very hard-to-impossible; requires source
1 = Advanced programming and networking code or administrative
knowledge, with access
custom or advanced attack tools 2 = Can figure it out by guessing or by
2 = Malware exists on the Internet, or an monitoring network traces
exploit is easily performed 3 = Information is visible in the web
using available attack tools browser address bar or in a
3 = Just a web browser form
 Risk management

Identify threats
 Risk management

Identify, Prioritize and Implement Controls

 Risk management
Document and validate controls which become software
requirements
 Risk management

¿Why is important to do risk analysis before starting a

software development project?

All Total Risks are identified [Vulnerabilities, threats, probabilities,

impact]

Identify which security requirements (controls) could reduce Total Risk

to Residual Risk

Security requirements are the representation of

controls/countermeasures/safeguards

The company must decide which will be the risk treatment option for
each identified risk, considering acceptable risk, costs and losses

If the company decides to mitigate the risk, it means that the security
requirement must be implemented
OWASP TOP10
 OWASP TOP 10

• Open Web Application Security Project (OWASP) is a non-profit

community which help organizations to develop and maintain secure
application

• Everything is free, open and without commercial influence

• OWASP products:
 Security tools
 Documents, standards, books, https://www.owasp.org
 Local chapters
 Conferences
 Mailing lists
• One of the most popular products: OWASP TOP 10
https://storage.googleapis.com/google-code-archive-
downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202013.pdf
 WebGoat

• WebGoat: Deliberately insecure web application for interactive teaching of web

application security

https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
 ZAP

• Zed Attack Proxy (ZAP): Software de interceptación de comunicaciones

https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
 OWASP TOP 10

• The ten most critical web application security risks

A1 - Injection – Inyección de código

A2 – Broken authentication and sesion management - Pérdida de

Autenticación y Gestión de Sesiones

A3 - Cross-site scripting (XSS) - Secuencia de Comandos en Sitios Cruzados

A4 – Insecure direct object references - Referencia Directa Insegura a Objetos

A5 – Security misconfiguration - Configuración de seguridad Incorrecta

A6 – Sensitive data exposure - Exposición de Datos Sensibles

A7 – Missing function level Access control - Ausencia de Control de Acceso a

Funciones
A8 – Cross-Site Request Forgery (CSRF) - Falsificación de Peticiones en Sitios
Cruzados
A9 – Components with known vulnerabilities - Uso de Componentes con
Vulnerabilidades conocidas
A10- Unvalidated redirects and forwards - Redirecciones y reenvíos no
validados
Injection
 INJECTION

• How? The intruder sends text-based attacks that exploit

the syntax of the application interpreter. Almost any data
source (including internal data) can be an attack vector.

• Why? It occurs when the data provided by the user are

not validated before being processed by the interpreter.
Injection can exist in SQL code, LDAP, XPATH, OS
Commands, XML parsers, SMTP headers, program
arguments, etc.

• Impact: Loss of data, modification of data, execution of

activities outside of logs, denial of service
 INJECTION

OS COMMAND INJECTION
• Same problem: a command sequence is built using user input which is
NOT sanitized or validated
• Imagine what would happen if the OS application account is not restricted

• Two types: Flaw

1. The software has a field which is the The programmer assumes that
argument for a single command the input is always trustworthy
2. The software accept an argument which is The programmer assumes that
converted to a command the command will never be used

The command must

; %3B be codified to URL
; /bin/ls -l Espace [ ] %20 format

http://www.mycompany.com/sensitive/cgi-bin/userData.pl?doc=%20%3B%20/bin/ls%20-l

https://www.owasp.org/index.php/Command_Injection
Injection Laboratory
 INJECTION

• Example Command injection in WebGoat

 INJECTION

• Example Command injection in WebGoat This is the normal

behavior: I select a
file (lesson) and the
web server return it
 INJECTION

• Example Command injection in WebGoat

This is a normal
request
 INJECTION

• Example Command injection in WebGoat

I use this tool to

convert a comand to
URL format

This is what I will

inject
 INJECTION

• Example Command injection in WebGoat

Here I am injecting
the command
 INJECTION

• Example Command injection in WebGoat

This is the expected

answer

This is the result of

the injected
command
 INJECTION

Execution on live!
https://www.youtube.com/watch?v=M2wU
CSIeeqY&list=PL9HjVcGKtXM305JN2FjKyHN
AGIZxZNzNn&index=1
 Assignment
• In groups of two persons chose a vulnerability from the
Owasp Top 10 and deliver:
I. A presentation that contains:
• 1 slide that contains the name of the vulnerability
• 1 slide explaining How the attack occur (Threat Agent and Attack vector),
Why (Security Weakness) and the Impact (Technical Impact, Business
Impact). Follow the template of the first slide of Injection vulnerability.
• 1 slide explaining the section “Is the application vulnerable?” or “Am I
vulnerable to …”
• 1 slide explaining the section “How do I prevent …?” or “How to prevent”
• 1 slide explaining the section “Example attack Scenarios”
II. Understand and explain an attack (Not done by you)
• You can play one video of our Youtube channel, from another channel or
use another resource you consider useful:
– https://www.youtube.com/playlist?list=PL9HjVcGKtXM305JN2FjKyHNAGIZxZ
NzNn
– https://www.youtube.com/playlist?list=PL9HjVcGKtXM2pi1nY2g6SWM9yiyet
EB5A
Note: Presentation (Writing and oral) must be done in English and
should last 10 minutes approx
 OWASP TOP 10

• The ten most critical web application security risks

A1: 2017-Injection – Inyección de código

A2: 2017- Broken authentication

A3: 2017 - Sensitive data exposure

A4 - 2017 XML External Entities (XXE)

A5 - 2017- Broken Access Control

A6 - 2017 - Security misconfiguration

A7: 2017-Cross-site scripting (XSS)

A8 – 2017 - Insecure Deserialization

A9-2017 - Using components with known vulnerabilities

A10 – 2017 - Insufficient Logging&Monitoring

A8 – 2013 - Cross-Site Request Forgery (CSRF)

A10 – 2013 Unvalidated redirects and forwards

 OWASP TOP 10

Bibliography

Main resources:
https://www.owasp.org/index.php/Top_10-2017_Top_10
https://www.owasp.org/index.php/Top_10_2013-Top_10

Multimedia resources:
https://www.youtube.com/playlist?list=PL9HjVcGKtXM305JN2FjKyHNAGIZxZ
NzNn
https://www.youtube.com/playlist?list=PL9HjVcGKtXM2pi1nY2g6SWM9yiye
tEB5A
 OWASP TOP 10

• The ten most critical web application security risks

A1 - Injection – Inyección de código

A2 – Broken authentication and sesion management - Pérdida de

Autenticación y Gestión de Sesiones

A3 - Cross-site scripting (XSS) - Secuencia de Comandos en Sitios Cruzados

A4 – Insecure direct object references - Referencia Directa Insegura a Objetos

A5 – Security misconfiguration - Configuración de seguridad Incorrecta

A6 – Sensitive data exposure - Exposición de Datos Sensibles

A7 – Missing function level Access control - Ausencia de Control de Acceso a

Funciones
A8 – Cross-Site Request Forgery (CSRF) - Falsificación de Peticiones en Sitios
Cruzados
A9 – Components with known vulnerabilities - Uso de Componentes con
Vulnerabilidades conocidas
A10- Unvalidated redirects and forwards - Redirecciones y reenvíos no
validados