Monday, January 9, 2012

Application Security Remediation


There are numerous resources available to help organizations test for security vulnerabilities in their existing applications. There are also resources available to help development teams build security into their new applications from the ground up. None of these address the real and pervasive challenge of fixing vulnerabilities in an existing application portfolio.

Most Web sites need to selectively restrict access to some portions of the site. You can think of a Web site as somewhat analogous to an art gallery. The gallery is open for the public to come in and browse, but there are certain parts of the facility, such as the business offices, that are accessible only to people with certain credentials, such as employees. When a Web site stores its customers' credit card information in a database, for example, access to the database must be restricted. ASP.NET security features help you address this and many other security issues.

Software security remediation services are the part of the software development industry focused on securing software systems from threats. They help companies protect their significant technology investments and remediate known security issues.

The architecture for securing the application is shown in the figure below:

[Figure: architecture for securing the application; image not included in this copy]
Application Security Threats

Category                   Threats
-------------------------  --------------------------------------------------------------
Input validation           Buffer overflow; cross-site scripting; SQL injection;
                           canonicalization
Authentication             Network eavesdropping; brute force attacks; dictionary attacks;
                           cookie replay; credential theft
Authorization              Elevation of privilege; disclosure of confidential data;
                           data tampering; luring attacks
Configuration management   Unauthorized access to administration interfaces; unauthorized
                           access to configuration stores; retrieval of clear text
                           configuration data; lack of individual accountability;
                           over-privileged process and service accounts
Sensitive data             Access to sensitive data in storage; network eavesdropping;
                           data tampering
Session management         Session hijacking; session replay; man in the middle
Cryptography               Poor key generation or key management; weak or custom encryption
Parameter manipulation     Query string manipulation; form field manipulation;
                           cookie manipulation; HTTP header manipulation
Exception management       Information disclosure; denial of service
Auditing and logging       User denies performing an operation; attacker exploits an
                           application without trace; attacker covers his or her tracks

The Foundations of Security
Security relies on the following elements:
*       Authentication

Authentication addresses the question: who are you? It is the process of uniquely
identifying the clients of your applications and services. These might be end users,
other services, processes, or computers. In security parlance, authenticated clients
are referred to as principals.

*       Authorization

Authorization addresses the question: what can you do? It is the process that
governs the resources and operations that the authenticated client is permitted to
access. Resources include files, databases, tables, rows, and so on, together with
system-level resources such as registry keys and configuration data. Operations
include performing transactions such as purchasing a product, transferring money
from one account to another, or increasing a customer’s credit rating.
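The two questions above, "who are you?" and "what can you do?", map onto two separate steps in code. The following is an added example written for this post (it is not ASP.NET's own API and not code from the original article): a constructed credential store that turns a verified password into a principal, and a deny-by-default policy that decides what that principal may do with the resources and operations mentioned above. The user names, passwords, roles, resource names and the PBKDF2 round count are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000  # assumption for the example; tune to your hardware


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash so a leaked store does not leak credentials."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass(frozen=True)
class Principal:
    """An authenticated client: the answer to 'who are you?'."""
    name: str
    roles: frozenset


class CredentialStore:
    """Constructed in-memory user store (hypothetical; stands in for a real directory)."""

    def __init__(self):
        self._users = {}  # name -> (salt, password hash, roles)

    def add_user(self, name, password, roles):
        salt = os.urandom(16)
        self._users[name] = (salt, _hash_password(password, salt), frozenset(roles))

    def authenticate(self, name, password):
        """Return a Principal on success, None on failure (no hint as to why)."""
        record = self._users.get(name)
        if record is None:
            # Do the same work for unknown names so response time does not
            # reveal which user names exist.
            _hash_password(password, b"\x00" * 16)
            return None
        salt, stored, roles = record
        if hmac.compare_digest(stored, _hash_password(password, salt)):
            return Principal(name, roles)
        return None


# Authorization policy (constructed): (resource, operation) -> roles allowed.
# Anything not listed is denied, so a new operation stays closed until
# someone deliberately opens it.
POLICY = {
    ("orders", "read"): {"customer", "clerk", "manager"},
    ("orders", "purchase"): {"customer"},
    ("accounts", "transfer"): {"manager"},
    ("customers", "raise_credit_rating"): {"manager"},
}


def authorize(principal, resource, operation):
    """Answer 'what can you do?' for an authenticated principal."""
    if principal is None:  # unauthenticated callers get nothing
        return False
    allowed = POLICY.get((resource, operation), set())
    return not principal.roles.isdisjoint(allowed)


if __name__ == "__main__":
    store = CredentialStore()
    store.add_user("alice", "correct horse battery", ["customer"])
    alice = store.authenticate("alice", "correct horse battery")
    print(authorize(alice, "orders", "purchase"))    # True
    print(authorize(alice, "accounts", "transfer"))  # False
```

Note that authenticate returns only success or failure; distinguishing "no such user" from "wrong password" in the response (or in its timing) is exactly the kind of information that helps the dictionary and brute force attacks listed in the threat table.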

*       Auditing

Effective auditing and logging is the key to non-repudiation. Non-repudiation
guarantees that a user cannot deny performing an operation or initiating a
transaction. For example, in an e-commerce system, non-repudiation mechanisms
are required to make sure that a consumer cannot deny ordering 100 copies of a
particular book.
*       Confidentiality

Confidentiality, also referred to as privacy, is the process of making sure that data
remains private and confidential, and that it cannot be viewed by unauthorized
users or eavesdroppers who monitor the flow of traffic across a network.
Encryption is frequently used to enforce confidentiality. Access control lists (ACLs)
are another means of enforcing confidentiality.

*       Integrity

Integrity is the guarantee that data is protected from accidental or deliberate
(malicious) modification. Like privacy, integrity is a key concern, particularly for
data passed across networks. Integrity for data in transit is typically provided by
using hashing techniques and message authentication codes.
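Hashing and message authentication codes protect against different things, and the distinction matters when choosing one. The added example below (written for this post, not code from the original) seals a payload two ways: with a bare SHA-256 digest, which only catches accidental corruption, and with an HMAC-SHA256 tag, which also catches deliberate modification because the tag cannot be recomputed without the shared key. The key, the payload and the corruption model are constructed for the example.

```python
import hashlib
import hmac

DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes for both trailer types


def seal_with_hash(message: bytes) -> bytes:
    """Append an unkeyed SHA-256 digest: detects accidental corruption only."""
    return message + hashlib.sha256(message).digest()


def open_with_hash(blob: bytes):
    """Return the payload if its digest matches, else None."""
    if len(blob) < DIGEST_LEN:
        return None
    message, digest = blob[:-DIGEST_LEN], blob[-DIGEST_LEN:]
    if not hmac.compare_digest(digest, hashlib.sha256(message).digest()):
        return None
    return message


def seal_with_mac(key: bytes, message: bytes) -> bytes:
    """Append an HMAC-SHA256 tag: only holders of `key` can produce a valid one."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def open_with_mac(key: bytes, blob: bytes):
    """Return the payload if the tag verifies under `key`, else None.

    compare_digest runs in constant time, so the check does not leak how
    many leading bytes of a candidate tag were right."""
    if len(blob) < DIGEST_LEN:
        return None
    message, tag = blob[:-DIGEST_LEN], blob[-DIGEST_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return message


def corrupt(blob: bytes, index: int) -> bytes:
    """Model accidental damage in transit: flip one bit of one byte."""
    damaged = bytearray(blob)
    damaged[index] ^= 0x01
    return bytes(damaged)


def forge_payload(blob: bytes, new_message: bytes) -> bytes:
    """Model a deliberate change by someone without the key: swap the payload
    but keep the original trailer, since the tag cannot be recomputed."""
    return new_message + blob[-DIGEST_LEN:]
```

The test worth keeping in mind is the unkeyed case: whoever can alter the payload in transit can also recompute a plain digest, so the altered message verifies. That is why the text pairs hashing with message authentication codes for data crossing a network.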

*       Availability

From a security perspective, availability means that systems remain available for
legitimate users. The goal for many attackers with denial of service attacks is to
crash an application or to make sure that it is sufficiently overwhelmed so that
other users cannot access the application.


*       Threats, Vulnerabilities, and Attacks Defined

A threat is any potential occurrence, malicious or otherwise, that could harm an asset.
In other words, a threat is any bad thing that can happen to your assets.
A vulnerability is a weakness that makes a threat possible. This may be because of
poor design, configuration mistakes, or inappropriate and insecure coding
techniques. Weak input validation is an example of an application layer vulnerability,
which can result in input attacks.

An attack is an action that exploits a vulnerability or enacts a threat. Examples of
attacks include sending malicious input to an application or flooding a network in an
attempt to deny service.

To summarize, a threat is a potential event that can adversely affect an asset, whereas
a successful attack exploits vulnerabilities in your system.


Secure Web Application?

It is not possible to design and build a secure Web application until you know your
threats. An increasingly important discipline and one that is recommended to form
part of your application’s design phase is threat modeling. The purpose of threat
modeling is to analyze your application’s architecture and design and identify
potentially vulnerable areas that may allow a user, perhaps mistakenly, or an attacker
with malicious intent, to compromise your system’s security.

After you know your threats, design with security in mind by applying timeworn
and proven security principles. As developers, you must follow secure coding
techniques to develop secure, robust, and hack-resilient solutions. The design and
development of application layer software must be supported by a secure network,
host, and application configuration on the servers where the application software is
to be deployed.

A secure Web application relies upon a secure network infrastructure. The network
infrastructure consists of routers, firewalls, and switches. The role of the secure
network is not only to protect itself from TCP/IP-based attacks, but also to
implement countermeasures such as secure administrative interfaces and strong
passwords. The secure network is also responsible for ensuring the integrity of the
traffic that it is forwarding. If you know at the network layer about ports, protocols,
or communication that may be harmful, counter those potential threats at that layer.

Software Security Services

Secure application services provide organizations with a programmatic approach to effectively design, develop, test, and maintain the security of applications:

Application Design Assessment: identifies potential security risks and recommends remediation related to an application’s design;

Application Code Review: helps organizations to identify, prioritize, and remediate security vulnerabilities within source code;

Application Penetration Tests: evaluate security of web-based applications, commercial products, and new or updated software;

Software Development Lifecycle Review: evaluates processes and provides recommendations for establishing security across the application development lifecycle.

Application Design Assessment

Application Design Assessment evaluates the security of an application at the design level to provide organizations with an understanding of potential security risks.

Consultants identify, evaluate, and establish remediation priorities for security risks in the application, addressed within the context of the organization’s business and technical requirements. Experts also verify that a proposed architecture will support the organization’s security requirements, and identify potential problem areas that will require focused attention during coding. The service offers organizations guidance on how best to apply their resources to address application security issues so applications may better meet their business needs.

Application Code Review

Application Code Review provides organizations with expert review of critical components of application source code to help them identify, prioritize, and remediate potentially exploitable security vulnerabilities. In addition, code reviews help determine the root cause of security issues identified during Application Design Assessments and Application Penetration Tests.

As part of the review, consultants not only inspect code, but they also examine coding standards, guidelines, policies, and design and architecture documents to gain an understanding of the software design criteria and interactions. In addition, they interview development team members to learn more about the application’s purpose, functionality, and high-level architecture.

At the conclusion of the Application Code Review, the consultants deliver a written report that details the issues found and their potential impact, and offers recommendations for mitigation. The report pinpoints vulnerabilities by line number and highlights critical areas of code, enabling developers to quickly address any critical faults. It also describes pervasive problems identified throughout the application, offers coding best practices, and suggests improvements to the development process to reduce the overall number of application level security faults.

Application Penetration Test

An Application Penetration Test is an ethical attack simulation that is intended to expose the effectiveness of an application's security controls by highlighting risks posed by actual exploitable vulnerabilities.

Software Development Lifecycle Review

Software Development Lifecycle Review provides organizations with recommendations for establishing secure application development processes. The service offers insight into security practices already in place, and suggests improvements that can be made in the application development lifecycle.

As part of the service, consultants establish a baseline of the security within the organization’s current application development lifecycle, identify key security goals and objectives, and perform a gap analysis of the organization’s current application development security process based on security best practices. The experienced advisors leverage experience gained through testing thousands of applications for security vulnerabilities and through years of providing security support in a wide variety of development environments to evaluate the organization’s security processes.

At the conclusion of a Software Development Lifecycle Review, the consultants deliver a written report that provides a prioritized list of recommendations to improve the level of security integration in the organization’s standard application development lifecycle. By documenting and identifying areas where security is underrepresented, they are able to provide an organization with a clear roadmap of the prioritized steps required to integrate security into every phase of the application development lifecycle. Consultants conduct a series of debriefing meetings to communicate the findings to key constituents within the client’s organization, and transfer in-depth knowledge that helps customers understand the best practices for implementing a secure development lifecycle.


Network Threats and Countermeasures

The primary components that make up your network infrastructure are routers,
firewalls, and switches. They act as the gatekeepers guarding your servers and
applications from attacks and intrusions. An attacker may exploit poorly configured
network devices. Common vulnerabilities include weak default installation settings,
wide open access controls, and devices lacking the latest security patches. Top
network level threats include:

*       Information gathering
*       Sniffing
*       Spoofing
*       Session hijacking
*       Denial of service



*       Information Gathering

Network devices can be discovered and profiled in much the same way as other
types of systems. Attackers usually start with port scanning. After they identify open
ports, they use banner grabbing and enumeration to detect device types and to
determine operating system and application versions. Armed with this information,
an attacker can attack known vulnerabilities that may not be updated with security
patches.

Countermeasures to prevent information gathering include:

*       Configure routers to restrict their responses to footprinting requests.
*       Configure operating systems that host network software (for example, software firewalls) to prevent footprinting by disabling unused protocols and unnecessary ports.

*       Sniffing

Sniffing or eavesdropping is the act of monitoring traffic on the network for data such
as plaintext passwords or configuration information. With a simple packet sniffer, an
attacker can easily read all plaintext traffic. Also, attackers can crack packets
encrypted by lightweight hashing algorithms and can decipher the payload that you
considered to be safe. The sniffing of packets requires a packet sniffer in the path of
the server/client communication.

Countermeasures to help prevent sniffing include:
*       Use strong physical security and proper segmenting of the network. This is the first step in preventing traffic from being collected locally.
*       Encrypt communication fully, including authentication credentials. This prevents sniffed packets from being usable to an attacker. SSL and IPSec (Internet Protocol Security) are examples of encryption solutions.

*       Spoofing

Spoofing is a means to hide one’s true identity on the network. To create a spoofed
identity, an attacker uses a fake source address that does not represent the actual
address of the packet. Spoofing may be used to hide the original source of an attack
or to work around network access control lists (ACLs) that are in place to limit host
access based on source address rules.

Although carefully crafted spoofed packets may never be tracked to the original
sender, a combination of filtering rules prevents spoofed packets from originating
from your network and allows you to block obviously spoofed packets.

Countermeasures to prevent spoofing include:

*       Filter incoming packets that appear to come from an internal IP address at your perimeter.
*       Filter outgoing packets that appear to originate from an invalid local IP address.
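The two filtering rules above are the ingress and egress anti-spoofing filters that a perimeter router or firewall applies. The following is an added example written for this post (not code from the original, and not a real router's rule syntax): the decision logic in Python, run over a few constructed packets. The internal address ranges, the sample packets and the direction names are assumptions; a real deployment would load its own prefixes from the routing configuration.

```python
import ipaddress

# Constructed perimeter configuration (assumption: these are the address
# ranges used inside the organisation).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Source addresses that are never valid on the wire in either direction.
NEVER_VALID_SOURCES = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("224.0.0.0/4"),
]


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def filter_packet(direction: str, src: str) -> str:
    """Return 'allow' or 'drop' for a packet seen at the perimeter.

    direction: 'inbound' (arriving from the Internet) or 'outbound'
    (leaving our network). Only the source address is examined."""
    if direction not in ("inbound", "outbound"):
        raise ValueError(f"unknown direction {direction!r}")
    src_ip = ipaddress.ip_address(src)
    if any(src_ip in net for net in NEVER_VALID_SOURCES):
        return "drop"
    if direction == "inbound" and is_internal(src_ip):
        # Ingress rule: the outside world cannot legitimately send packets
        # that claim one of our own internal addresses.
        return "drop"
    if direction == "outbound" and not is_internal(src_ip):
        # Egress rule: nothing leaving our network may carry a source address
        # we do not own, so our hosts cannot be used to spoof others.
        return "drop"
    return "allow"


def apply_filter(packets):
    """Run the rules over (direction, src) pairs; return verdict counts."""
    counts = {"allow": 0, "drop": 0}
    for direction, src in packets:
        counts[filter_packet(direction, src)] += 1
    return counts


# Constructed sample traffic for the example.
SAMPLE_PACKETS = [
    ("inbound", "203.0.113.7"),    # ordinary Internet client: allow
    ("inbound", "10.1.2.3"),       # claims to be internal: drop
    ("inbound", "127.0.0.1"),      # loopback can never be a wire source: drop
    ("outbound", "10.1.2.3"),      # our own host talking out: allow
    ("outbound", "198.51.100.9"),  # not our address leaving our network: drop
]

if __name__ == "__main__":
    print(apply_filter(SAMPLE_PACKETS))  # {'allow': 2, 'drop': 3}
```

The egress rule is the one most often skipped, since it protects other networks rather than your own; it is also the one that keeps a compromised internal host from being used as a launch point for spoofed traffic.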


*       Session Hijacking

Also known as man in the middle attacks, session hijacking deceives a server or a
client into accepting the upstream host as the actual legitimate host. Instead the
upstream host is an attacker’s host that is manipulating the network so the attacker’s
host appears to be the desired destination.

Countermeasures to help prevent session hijacking include:

*       Use encrypted session negotiation.
*       Use encrypted communication channels.
*       Stay informed of platform patches to fix TCP/IP vulnerabilities, such as
predictable packet sequences.

*       Denial of Service

Denial of service denies legitimate users access to a server or services. The SYN flood
attack is a common example of a network level denial of service attack. It is easy to
launch and difficult to track. The aim of the attack is to send more requests to a server
than it can handle. The attack exploits a potential vulnerability in the TCP/IP
connection establishment mechanism and floods the server’s pending connection
queue.
  
Countermeasures to prevent denial of service include:

*       Apply the latest service packs.
*       Harden the TCP/IP stack by applying the appropriate registry settings to increase the size of the TCP connection queue, decrease the connection establishment period, and employ dynamic backlog mechanisms to ensure that the connection queue is never exhausted.
*       Use a network Intrusion Detection System (IDS) because these can automatically detect and respond to SYN attacks.
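To make the last two countermeasures concrete, here is an added example written for this post (not code from the original and not any particular IDS product): a Python model of the pending-connection queue replayed over a constructed TCP trace. It counts half-open connections per source, the signature an IDS alerts on, and shows how a shorter connection establishment period lets flood entries expire from the queue. The trace format, the timeout and the alert threshold are assumptions; a real sensor would also track the server's SYN-ACK and retransmissions.

```python
from collections import defaultdict

# Constructed TCP trace for the example: (timestamp, source IP, source port, flags).
# "S" is the client's SYN, "A" the client's final ACK completing the handshake.
TRACE = [
    (0.0, "203.0.113.5", 40000, "S"),
    (0.1, "203.0.113.5", 40000, "A"),     # handshake completed: leaves the queue
    (0.5, "203.0.113.5", 40001, "S"),     # still half-open, but a single entry
    (-100.0, "203.0.113.9", 50000, "S"),  # stale: expired from the queue long ago
] + [
    # Fifty SYNs from one source in half a second, none of them ever ACKed.
    (10.0 + i * 0.01, "198.51.100.7", 1000 + i, "S") for i in range(50)
]


def half_open_connections(packets, now, timeout):
    """Replay the trace and return the entries a server would still hold in its
    pending-connection queue at `now`: SYNs never ACKed and younger than the
    connection-establishment timeout."""
    pending = {}
    for t, src, sport, flags in packets:
        key = (src, sport)
        if flags == "S":
            pending[key] = t
        elif flags == "A":
            pending.pop(key, None)
    return {key: t for key, t in pending.items() if now - t < timeout}


def half_open_per_source(packets, now, timeout):
    """Queue occupancy attributed to each source address."""
    counts = defaultdict(int)
    for (src, _port) in half_open_connections(packets, now, timeout):
        counts[src] += 1
    return dict(counts)


def syn_flood_sources(packets, now, timeout, threshold):
    """Sources holding more than `threshold` half-open entries at once: the
    condition an IDS raises a SYN-flood alert on (and, for a dynamic backlog,
    the point at which their oldest entries would be evicted first)."""
    per_source = half_open_per_source(packets, now, timeout)
    return sorted(src for src, n in per_source.items() if n > threshold)


if __name__ == "__main__":
    print(half_open_per_source(TRACE, now=11.0, timeout=30.0))
    print(syn_flood_sources(TRACE, now=11.0, timeout=30.0, threshold=20))
    print(len(half_open_connections(TRACE, now=11.0, timeout=0.755)))
```

With a 30 second establishment period the flood holds 50 of the 51 queue entries; with the period cut to under a second, half of those entries have already expired at the moment of inspection, which is the effect the registry hardening above aims for. Alerting on the per-source count rather than the raw SYN rate keeps a burst of legitimate clients from tripping the detector.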


Thanks,
Anil Singh


