
Database Security – Issues and Best Practices

Outline
• Intro to Database Security
• Need for Database Security
• Database Security Fundamentals
• Database Security Issues
  • OWASP Top 10 – A1:2017 – Injection
  • OWASP Top 10 – A3:2017 – Sensitive Data Exposure
• Attacks against Database Security Mechanisms
• Database Security Best Practices

2

Intro to Database Security

3

Intro to Database Security
• How does a web application work?

4

[Figure: client – server diagram; a web application involves databases]

Intro to Database Security (contd.)
• Database
  • A database is “an organized collection of structured information, or data, typically stored electronically in a computer system”
  • It includes the data, the DBMS, and the applications that use them
• Database Management Systems (DBMS)
  • A DBMS serves “as an interface between the database and its end users or programs, allowing users to retrieve, update, and manage how the information is organized and optimized”

5

Source: What is a Database – Oracle – https://www.oracle.com/database/what-is-database.html

Intro to Database Security (contd.)
• Database Management Systems (DBMS) (continued)
  • A DBMS also facilitates “oversight and control of databases, enabling a variety of administrative operations such as performance monitoring, tuning, and backup and recovery”
  • Types: relational, object-oriented, distributed, data warehouses, open source, cloud, autonomous, etc.
  • Examples: Oracle, SQL Server, MySQL, Microsoft Access, MariaDB, PostgreSQL, etc.

6

Source: What is a Database – Oracle – https://www.oracle.com/database/what-is-database.html

Intro to Database Security (contd.) •Database Tutorial for Beginners – Lucidchart

7

Source: Lucidchart – Database Tutorial for Beginners – https://www.youtube.com/watch?v=wR0jg0eQsZA

Intro to Database Security (contd.)
• Database security refers to “the range of tools, controls, and measures designed to establish and preserve database confidentiality, integrity, and availability” (IBM, 2019)
• Database security involves protection of (IBM, 2019):
  • The data in the database
  • The database management system (DBMS) itself
  • Any associated applications (including web applications)
  • The physical and/or virtual database server farms and their underlying hardware
  • The computing and/or network infrastructure used to access the database

8

Intro to Database Security (contd.)
• Database security involves securing data
  • At rest
    • Using techniques such as encryption
    • Example: Amazon RDS uses 256-bit Advanced Encryption Standard (AES) to secure database instances, automated backups, and snapshots at rest
  • In flight
    • Using protocols such as Transport Layer Security (TLS)
    • Example: Amazon RDS uses TLS from the web application to encrypt the connection to a database instance running MySQL, MariaDB, SQL Server, Oracle, or PostgreSQL, protecting data in flight

9

Need for Database Security

10

Need for Database Security
• As per Oracle (2022):
  • Data breaches are “happening everywhere these days, and hackers are getting more inventive. It’s more important than ever to ensure that data is secure but also easily accessible to users”
• As per IBM (2019), the consequences of data breaches include the following:
  • Compromised intellectual property
  • Damaged brand reputation
  • Loss of business continuity
  • Fines or penalties for non-compliance
  • Expenses related to repairing breaches

11

Need for Database Security (contd.)
• As per the IBM (2021) Cost of a Data Breach Report:
  • The average total cost of a data breach in 2021 was $4.24M
  • The highest country average cost of a data breach was $9.05M (U.S.)
  • The highest industry average cost of a data breach was $9.23M (healthcare)
  • The cost per lost or stolen record was $161
  • The time to identify and contain a data breach was 287 days

12

Need for Database Security (contd.) •As per IBM (2021), the four cost components are:

13

Need for Database Security (contd.)
• Data breaches typically involve unauthorized access to company databases (Privacy Rights Clearinghouse, 2020)

14

Database Security Fundamentals

15

Database Security Fundamentals •Oracle Database Security – Oracle France

Source: Oracle France – Database Security – https://www.youtube.com/watch?v=GXF3T4g2tJg

16

Database Security Fundamentals (contd.)

• As per Oracle (2021), effective database security involves using the following preventive and detective security controls:
  • Transparent Data Encryption (TDE)
  • Encryption key management
  • Privileged user and multifactor access control
  • Data classification and discovery
  • Database activity monitoring and blocking
  • Consolidated auditing and reporting
  • Data masking

17

Database Security Fundamentals (contd.)

• Transparent Data Encryption (TDE)
  • Encrypts data in the database layer, which helps prevent attacks that bypass the database and read sensitive information from data files at the operating system level, from database backups, or from database exports

18

Database Security Fundamentals (contd.)

• Transparent Data Encryption (TDE) (continued)
  • It is transparent because the encryption and decryption processes do not require any application changes, and application users do not have to deal directly with encrypted data
  • It supports tablespace encryption and column encryption

19

Database Security Fundamentals (contd.)

• Encryption Key Management
  • TDE uses a two-tier key management architecture
    • It consists of data encryption keys and a master encryption key
    • It enables rotation of the master key without having to re-encrypt all of the sensitive data
    • Oracle Database 18c introduced support for Bring Your Own Key (BYOK)
  • Data encryption keys
    • Are managed automatically by the database
  • The master encryption key
    • Is used to encrypt the data encryption keys
    • Is stored and managed outside of the database, within an Oracle Wallet or in an Oracle Key Vault
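The two-tier key hierarchy described above can be shown with a small script. This is an added example, not Oracle's TDE code: a master key kept in a vault-like object wraps one data encryption key (DEK) per table, and rotating the master key only re-wraps the DEKs while the stored ciphertext stays untouched. The cipher is a toy HMAC-SHA256 keystream standing in for AES so the script needs only the standard library; the `KeyVault` class and its method names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style stream cipher (HMAC-SHA256 keystream), a stand-in for AES.
    Not authenticated; used only to show the key hierarchy."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)          # fresh nonce per message
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:16], blob[16:]
    return keystream_xor(key, nonce, ciphertext)


class KeyVault:
    """Stands in for the wallet / key vault that holds the master key outside the database."""

    def __init__(self) -> None:
        self.master_key = secrets.token_bytes(32)
        self.wrapped_deks: dict[str, bytes] = {}   # table name -> DEK encrypted under master key

    def new_dek(self, table: str) -> bytes:
        dek = secrets.token_bytes(32)             # the database manages DEKs automatically
        self.wrapped_deks[table] = encrypt(self.master_key, dek)
        return dek

    def get_dek(self, table: str) -> bytes:
        return decrypt(self.master_key, self.wrapped_deks[table])

    def rotate_master_key(self) -> None:
        """Unwrap every DEK, pick a new master key, re-wrap. Table data is never touched."""
        deks = {t: self.get_dek(t) for t in self.wrapped_deks}
        self.master_key = secrets.token_bytes(32)
        self.wrapped_deks = {t: encrypt(self.master_key, d) for t, d in deks.items()}


def demo() -> tuple[bool, bool]:
    """Returns (wrapped DEK changed after rotation, stored ciphertext still decrypts)."""
    vault = KeyVault()
    dek = vault.new_dek("customers")
    stored = encrypt(dek, b"4111111111111111")    # constructed sample column value
    old_wrapped = vault.wrapped_deks["customers"]
    vault.rotate_master_key()
    return (
        vault.wrapped_deks["customers"] != old_wrapped,
        decrypt(vault.get_dek("customers"), stored) == b"4111111111111111",
    )


if __name__ == "__main__":
    print(demo())
```

The thing to notice is where the cost of rotation lands: re-wrapping a handful of DEKs is cheap, while re-encrypting every row under a new key would be a full-table rewrite.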

20

Database Security Fundamentals (contd.)

•Privileged User and Multifactor Access Control – Oracle Database Vault

Source: Oracle – Database Vault – https://www.youtube.com/watch?v=AomjVCdUp6k

21

Database Security Fundamentals (contd.)

• Data Classification and Discovery
  • Oracle Label Security enforces data access requirements and records data classification levels at the database row level
  • Automated discovery of sensitive columns and parent-child relationships
    • The discovery process uses built-in, extensible patterns such as credit card numbers and national identifiers to check metadata and column data in order to identify sensitive columns
    • The discovery results are stored as an application data model, which is reusable across multiple databases

22

Database Security Fundamentals (contd.)

• Database Activity Monitoring and Blocking
  • Oracle Database Firewall provides a first line of defense for databases

23

Database Security Fundamentals (contd.)

• Consolidated Auditing and Reporting
  • Oracle Audit Vault consolidates audit data from databases, operating systems, and directories

24

Database Security Fundamentals (contd.)

• Data Masking
  • Oracle Data Masking provides a flexible option to discover, mask, and subset sensitive data, enabling the data to be safely shared across non-production environments
  • Non-production environments such as test and development systems are potential targets for a cyber attack, as they generally contain copies of production data
  • Compliance costs are lowered because masked non-production databases are out of scope for audit teams
  • Sensitive data such as credit card numbers, national identifiers, and other personally identifiable information (PII) can be masked using predefined masking formats
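The discovery-then-mask flow from the two preceding slides (pattern-based discovery of sensitive columns, then predefined masking formats) can be prototyped over a table in memory. This is an added example, not Oracle Data Masking; the sample rows are constructed (the card numbers are the well-known test numbers, the identifiers are made up), the `###-##-####` national identifier format is an assumption, and the masking formats (keep last four digits, hide the e-mail local part) are illustrative choices.

```python
import re

# Constructed sample table; test card numbers and made-up identifiers, not real data.
ROWS = [
    {"name": "Ada", "card": "4111111111111111", "nid": "123-45-6789", "email": "ada@example.com", "city": "Oslo"},
    {"name": "Bob", "card": "5500000000000004", "nid": "987-65-4321", "email": "bob@example.org", "city": "Lima"},
    {"name": "Cy",  "card": "340000000000009",  "nid": "111-22-3333", "email": "cy@example.net",  "city": "Pune"},
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: cuts false positives when a column is mostly long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Built-in discovery patterns (the national id format is an assumed ###-##-#### layout).
PATTERNS = {
    "credit_card": lambda v: re.fullmatch(r"\d{13,19}", v) is not None and luhn_ok(v),
    "national_id": lambda v: re.fullmatch(r"\d{3}-\d{2}-\d{4}", v) is not None,
    "email": lambda v: re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", v) is not None,
}


def discover_sensitive_columns(rows, min_ratio: float = 0.8) -> dict:
    """Classify a column as sensitive when at least min_ratio of its values match one pattern."""
    found = {}
    for col in rows[0]:
        values = [str(r[col]) for r in rows]
        for kind, matcher in PATTERNS.items():
            hits = sum(1 for v in values if matcher(v))
            if hits / len(values) >= min_ratio:
                found[col] = kind
                break
    return found


def mask_value(kind, value: str) -> str:
    """Predefined masking formats; unknown kinds pass through unchanged."""
    if kind == "credit_card":
        return "*" * (len(value) - 4) + value[-4:]
    if kind == "national_id":
        return "XXX-XX-" + value[-4:]
    if kind == "email":
        local, domain = value.split("@", 1)
        return local[0] + "***@" + domain
    return value


def mask_rows(rows, classification: dict) -> list:
    return [{c: mask_value(classification.get(c), v) for c, v in r.items()} for r in rows]


if __name__ == "__main__":
    model = discover_sensitive_columns(ROWS)   # the reusable "application data model"
    for row in mask_rows(ROWS, model):
        print(row)
```

Keeping the discovery result as a separate object is what makes it reusable: the same classification can be applied to a second copy of the schema without rescanning.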

25

Database Security Issues

26

Database Security Issues
• Specific database security issues include:
  • Cloud database configuration errors
  • SQL injection
  • Weak authentication
  • Privilege abuse / excessive privileges
  • Inadequate logging / weak auditing
  • Unpatched services
  • Insecure system architecture
  • Inadequate backups

Source: BCS.org – The Chartered Institute for IT – https://www.bcs.org/articles-opinion-and-research/top-ten-database-attacks

27

Database Security Issues (contd.)

•OWASP Top 10 – A1:2017–Injection

Source: OWASP Top 10 2017 A1-Injection – https://owasp.org/www-project-top-ten/2017/A1_2017-Injection.html

28

Database Security Issues (contd.)
• Common database security vulnerabilities:

Source: OWASP Top 10 2017 A1-Injection – https://owasp.org/www-project-top-ten/2017/A1_2017-Injection.html

29

Database Security Issues (contd.)

•OWASP Top 10: SQL Injection – Security Innovation

Source: Security Innovation – OWASP Top 10: SQL Injection – https://www.youtube.com/watch?v=X34cKt8RfJs

30

Database Security Issues (contd.)

•OWASP Top 10 – A3:2017–Sensitive Data Exposure

Source: OWASP Top 10 2017 A3-Sensitive Data Exposure – https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure

31

Database Security Issues (contd.) •Common database security vulnerabilities:

Source: OWASP Top 10 2017 A3-Sensitive Data Exposure – https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure

32

Database Security Attacks

33

Database Security Attacks •Most common database security attacks include:

Source: OWASP – Attacks – https://owasp.org/www-community/attacks/

Attack Type Description

SQL Injection An untrusted source uses an application’s user input features to enter data that is used to dynamically construct a SQL query to read sensitive database data

Denial of Service Storing too much information in a user session object, such as large quantities of data retrieved from the database, can cause DoS issues

Brute Force The attacker makes requests to a server using pre-configured values and then analyzes the response

Ransomware The attacker encrypts and locks the victim’s data and then demands a ransom to unlock and decrypt the data
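The brute force entry in the table above (repeated requests with pre-configured values, each response analyzed) is something a defender can spot from authentication logs. The following detection logic is an added example, not from OWASP or the deck: it runs a sliding window over constructed log lines and flags a source address that accumulates a threshold of failed logins within the window. The log format, field names and thresholds are assumptions for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log lines (not from any real system).
SAMPLE_LOG = """\
2024-05-01T10:00:01 FAILED_LOGIN user=alice src=10.0.0.7
2024-05-01T10:00:03 FAILED_LOGIN user=alice src=10.0.0.7
2024-05-01T10:00:04 FAILED_LOGIN user=admin src=10.0.0.7
2024-05-01T10:00:06 FAILED_LOGIN user=root src=10.0.0.7
2024-05-01T10:00:08 FAILED_LOGIN user=bob src=10.0.0.9
2024-05-01T10:00:09 FAILED_LOGIN user=alice src=10.0.0.7
2024-05-01T10:00:12 LOGIN_OK user=bob src=10.0.0.9
2024-05-01T10:15:00 FAILED_LOGIN user=carol src=10.0.0.12
2024-05-01T10:30:00 FAILED_LOGIN user=carol src=10.0.0.12
"""


def parse_line(line: str):
    """'<iso timestamp> <event> user=<u> src=<ip>' -> (datetime, event, user, src)."""
    ts, event, user, src = line.split()
    return datetime.fromisoformat(ts), event, user.split("=", 1)[1], src.split("=", 1)[1]


def find_bruteforce(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> list:
    """Return source addresses with >= threshold failed logins inside any `window`-long span.
    A sliding deque per source keeps memory bounded to the window, not the whole log."""
    recent = defaultdict(deque)
    flagged = []
    for line in lines:
        if not line.strip():
            continue
        ts, event, _user, src = parse_line(line)
        if event != "FAILED_LOGIN":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:      # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged.append(src)
    return flagged


if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG.splitlines()))   # ['10.0.0.7']
```

The two failures from `10.0.0.12` are fifteen minutes apart and never co-exist in the window, so only the burst from `10.0.0.7` is reported; a rule that counted failures per day would have flagged the slow source too, which is a trade-off to decide deliberately.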

34

Database Security Attacks (contd.)
• As per IBM (2022), some of the most common database security attacks include:

Attack Type Description

Insider Threats Abuse of privileged access by a malicious insider, a negligent insider, or an infiltrator

Human Error Accidents, weak passwords, password sharing, and other unwise or uninformed user behaviors

SQL Injection Insertion of arbitrary SQL attack strings into database queries served by web applications

Buffer Overflow A process attempts to write more data to a fixed-length block of memory than it is allowed to hold

35

Database Security Attacks (contd.) •Common database security attacks (continued):

Source: IBM – Database Security: An Essential Guide – https://www.ibm.com/cloud/learn/database-security

Attack Type Description

DoS/DDoS The attacker floods the database server with so many requests that the server can no longer fulfil legitimate requests from actual users

Malware Software written specifically to exploit vulnerabilities or otherwise cause damage to the database

Attacks on Backups Organizations fail to protect backup data with the same stringent controls used to protect the database itself

36

Database Security Best Practices

37

Database Security Best Practices
• OWASP recommends the following best practices:
  • Connect to the database securely
  • Prevent unencrypted traffic at the transport layer
  • Configure databases to always require authentication
  • Never store database credentials in the application source code, especially if they are unencrypted
  • Apply the principle of least privilege to the permissions assigned to database user accounts
  • Harden the underlying operating system for the database server

Source: OWASP – Database Security Cheat Sheet – https://cheatsheetseries.owasp.org/cheatsheets/Database_Security_Cheat_Sheet.html

38

Database Security Best Practices (contd.)

• Best practices to secure databases (as per IBM):
  • Consider physical security if the database is not in the cloud
  • Restrict the number of users, their permissions, and network access to the minimum levels necessary
  • Focus on end user account/device security
  • Use best-in-class encryption to protect the data while at rest and in transit
  • Keep the DBMS version up to date and apply patches as soon as they are issued
  • Use best practices for application/web server security
  • Secure backups, log all operations, and perform audits regularly

Source: IBM – Database Security: An Essential Guide – https://www.ibm.com/cloud/learn/database-security

39

Database Security Best Practices (contd.)
• Use the following database security best practices:
  • Best practices to protect against SQL Injection:
    • Primary defenses:
      • Use prepared statements with parameterized queries
      • Use stored procedures
      • Allow-list input validation
      • Escape all user-supplied input
    • Additional defenses:
      • Enforce least privilege
      • Perform allow-list input validation as a secondary defense

Source: OWASP – SQL Injection Prevention Cheat Sheet – https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
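The SQL injection entry in the attacks table and the primary and secondary defenses listed above fit in one runnable comparison. This is an added example, not code from the deck or from OWASP: a lookup built by string formatting sits beside the same lookup as a parameterized query, with an allow-list check layered on top as the secondary defense. It uses Python's built-in `sqlite3` with a constructed two-row table; the username format accepted by the allow-list is an assumption.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username: str) -> list:
    """Dynamic query: the input is pasted into the SQL text, so it can change the query."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username: str) -> list:
    """Prepared statement: the driver sends the value separately from the SQL text.
    Whatever the input contains, it is only ever compared as a value."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Allow-list (assumed username format): a secondary defense, never the only one.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,20}")


def username_allowed(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


def lookup_defended(conn, username: str) -> list:
    """Allow-list first, parameterized query second."""
    if not username_allowed(username):
        raise ValueError("username rejected by allow-list")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print(lookup_vulnerable(db, probe))       # every row: the WHERE clause was rewritten
    print(lookup_parameterized(db, probe))    # []: no user has that literal name
```

The parameterized version returns an empty list for the same input because the database never parses the value as SQL; the allow-list adds a clear error at the boundary, and least privilege on the connecting account limits what any query that does slip through can reach.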

40

Recap
• Database security issues continue to be among the OWASP Top 10 list of web application security risks
• This is due to weaknesses in database mechanisms such as dynamic queries, input validation, key management, access control, configuration, logging, auditing, backups, etc.
• Hackers are able to exploit these weaknesses using attacks such as SQL injection, DoS, brute force, ransomware, etc.
• Best practices to protect databases include understanding what types of data need to be protected, understanding regulatory compliance, discovering/classifying databases based on data sensitivity, and using data masking, monitoring, auditing, encryption, access control, parameterized queries, stored procedures, allow-list input validation, hardening, etc.

41

Thank you!!!

42

Browser Security – Issues and Best Practices

Outline
• Intro to Browser Security
• Need for Browser Security
• Browser Security Fundamentals
• Browser Security Issues
  • OWASP Top 10 – A7:2017 – Cross-Site Scripting (XSS)
  • OWASP Top 10 – A3:2017 – Sensitive Data Exposure
• Attacks against Browser Security Mechanisms
• Browser Security Best Practices

2

Intro to Browser Security

3

Intro to Browser Security
• How does a web application work?

4

[Figure: client – server diagram; a web application involves browsers]

Intro to Browser Security (contd.)

• Browser
  • A browser is “an application that finds and displays web pages”
  • It coordinates communication between your computer and the web server where a particular website “lives” by:
    • Accepting a website address as a URL
    • Submitting a request to the server to retrieve the content for the page
    • Processing the code (HTML, CSS, JavaScript, etc.) from the server
    • Loading active content (Flash, ActiveX, etc.) needed by the page
    • Displaying the complete, formatted web page
    • Repeating the process for every single user interaction with the page

5

Source: Understanding Your Computer: Web Browsers – U.S. CERT – https://www.cisa.gov/uscert/ncas/tips/st04-022

Intro to Browser Security (contd.)

• Examples: Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari, Opera, etc.
• Browser market share as of February 2022:

6

Source: Global Web Stats – W3Counter– https://www.w3counter.com/globalstats.php

Intro to Browser Security (contd.)
• Browser security refers to “how differences in design and implementation of various security technologies in modern web browsers might affect their security” (X41 Browser Security White Paper, 2017, pg. 8)
• Browser security involves the following:
  • Protection against common client-side attacks
  • Protection against phishing
  • Management of browser extensions
  • Use of adequate cryptographic protocols

7

Source: X41 Browser Security White Paper – https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper.pdf

Intro to Browser Security (contd.)
• Browser security also involves the following:
  • Protection against active content
    • Active content refers to scripts that execute programs within the browser, e.g. scripts used to create splash pages or options like drop-down menus
    • JavaScript is widely used to create active content
    • ActiveX controls reside on your computer and can be used as spyware
  • Protecting cookies
    • Cookies store information such as IP address, domain names, browser info, browsing habits, etc.
    • Both session cookies and persistent cookies must be protected from security attacks by adjusting the browser’s security settings to block or limit access to cookie information

8

Source: U.S. CERT – Browsing Safely: Understanding Active Content and Cookies – https://www.cisa.gov/uscert/ncas/tips/ST04-012

Intro to Browser Security (contd.)

•Browser-specific security features: • Google Chrome security features • Apple Safari security features • Internet Explorer security features • Microsoft Edge security features • Mozilla Firefox security features • Opera security features

9

Intro to Browser Security (contd.)

• Your Browser’s Security Features – GCFLearnFree.org

Source: GCFLearnFree.org – Internet Safety: Your Browser’s Security Features – https://www.youtube.com/watch?v=2ZZQlgV2Gus

10

Need for Browser Security

11

Need for Browser Security

• As per U.S. CERT (2015):
  • Browsers such as Firefox, Chrome, Edge, and Safari are installed on almost all computers
  • Default browsers that come with operating systems are not set up with secure default configurations
  • Insecure browsers can lead to spyware being installed on your computers, allowing intruders to take control
  • There is an increasing threat from attacks that take advantage of vulnerable web browsers
  • Hackers are using compromised or malicious websites to exploit vulnerabilities in browsers

12

Need for Browser Security (contd.)
• As per U.S. CERT (2015), the problem is made worse by a number of factors, including the following:

13

Need for Browser Security (contd.) •As per the EdgeScan (2019) Vulnerability Statistics Report:

• 19% of all vulnerabilities were associated with Layer 7 web applications

• However, the risk density is much higher for web application vulnerabilities compared to network vulnerabilities

14

Need for Browser Security (contd.)
• As per the EdgeScan (2019) Vulnerability Statistics Report, the most common browser-related vulnerabilities are:
  • Cross-Site Scripting – 14.69%
  • Other Injection – 8.18%
  • DOM-based Vulnerability – 1.82%
  • Cross-Site Request Forgery – 1.75%

15

Need for Browser Security (contd.) •Hackers are increasingly using browsers to cause data

breaches (Privacy Rights Clearinghouse, 2020)

16

Need for Browser Security (contd.) •Hackers are increasingly using browsers to cause data

breaches (Privacy Rights Clearinghouse, 2020)

17

Browser Security Fundamentals

18

Browser Security Fundamentals •How Web Browsers Function – Open Canvas

Source: OpenCanvas – How Web Browsers Function – https://www.youtube.com/watch?v=z0HN-fG6oT4

19

Browser Security Fundamentals (contd.)

• As per Open Canvas (2016), web browsers use the following architectural components:
  • User interface
  • Rendering engine
  • Browser engine
  • Networking
  • JavaScript interpreter
  • Data storage – cookies, local storage, etc.

20

Browser Security Fundamentals (contd.) •Google Chrome Architecture

Source: Google Chrome Developers – Anatomy of the Browser 101 (Chrome University) – https://www.youtube.com/watch?v=PzzNuCk-e0Y

21

Browser Security Fundamentals (contd.)

• Google Chrome Architecture:
  • Browser Process
    • Includes the User Interface (UI), networking, and storage
  • GPU Process
    • Handles rich web page content built using features like WebGL
    • Is a separate process to ensure stability and security
  • Utility Process
    • Runs untrusted code on behalf of the browser in a sandbox, e.g. installing an extension, processing JSON
    • Is a short-lived process

Source: Google Chrome Developers – Anatomy of the Browser 101 (Chrome University) – https://www.youtube.com/watch?v=PzzNuCk-e0Y

22

Browser Security Fundamentals (contd.)

• Google Chrome Architecture (continued):
  • Extension Process
    • Ensures extensions have limited access to the browser, page, and system
    • Stops poorly written extension code from adversely affecting pages
  • Pepper Plugins
    • Handles plugin code not controlled by Google (Flash, PDF, etc.)
    • Uses a new plugin API that is sandboxed
  • Renderer – Blink rendering engine
  • JavaScript Interpreter – V8 JavaScript engine

Source: Google Chrome Developers – Anatomy of the Browser 101 (Chrome University) – https://www.youtube.com/watch?v=PzzNuCk-e0Y

23

Browser Security Fundamentals (contd.)
• Google Chrome Security:
  • Sandboxing
    • Limits the impact of many browser vulnerabilities by isolating different components of an application from the rest of the system
    • Components run with their access privileges to system resources and/or other components limited to the bare essentials needed to perform their function
    • Thus, the privileges an attacker can gain by exploiting a security issue in these components are fairly limited
  • Process and Origin Isolation
    • Chrome uses Site Isolation to isolate websites with different origins

Source: X41 – Browser Security White Paper – https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper.pdf

24

Browser Security Fundamentals (contd.)
• Google Chrome Security:
  • Hardening and Exploit Mitigation
    • Supports /GS, ASLR, DEP, no direct win32k syscalls, SEHOP, etc.
  • Web Security
    • Same Origin Policy Enforcement
      • Restricts interaction between websites of different origins
    • Port Banning Enforcement
      • Denies connections to non-standard TCP ports
    • Content Security Policy Enforcement
      • Limits what sources of scripts are acceptable
    • HTML5 Features Support
      • Supports Service Workers, WebRTC, History API, WebGL, Web Notifications, etc.

Source: X41 – Browser Security White Paper – https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper.pdf
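The same-origin and port-banning checks listed above come down to two small decisions that can be written out explicitly. This is an added example, not Chrome's implementation: an origin is the (scheme, host, port) triple with default ports normalised, two URLs interact freely only when those triples are equal, and a connection is refused when the target port is on a restricted list. The `RESTRICTED_PORTS` set is a constructed subset for illustration; real browsers ship a much longer list.

```python
from urllib.parse import urlsplit

# Default port per scheme, used when the URL carries none.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# Illustrative subset of ports a browser refuses to connect to (constructed for this example).
RESTRICTED_PORTS = {21, 22, 23, 25, 110, 143}


def origin(url: str) -> tuple:
    """(scheme, host, port) with the scheme and host lower-cased and the port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def same_origin(url_a: str, url_b: str) -> bool:
    """Same-origin policy: path, query and fragment play no part, the triple must match exactly."""
    return origin(url_a) == origin(url_b)


def port_allowed(url: str) -> bool:
    """Port banning: refuse navigations/fetches to a restricted port."""
    return origin(url)[2] not in RESTRICTED_PORTS


def classify_request(page_url: str, target_url: str) -> str:
    """Combine both rules the way a browser's network stack would order them."""
    if not port_allowed(target_url):
        return "blocked: restricted port"
    return "same-origin" if same_origin(page_url, target_url) else "cross-origin"


if __name__ == "__main__":
    page = "https://example.com/account"
    for target in ("https://example.com:443/api", "http://example.com/api",
                   "https://api.example.com/", "http://example.com:25/"):
        print(target, "->", classify_request(page, target))
```

The explicit port normalisation is the part people get wrong when re-implementing this: `https://example.com` and `https://example.com:443` are the same origin, while `https://example.com:8443` is not.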

25

Browser Security Issues

26

Browser Security Issues
• Specific browser security issues include the following:
  • Client-side JavaScript code for checking user input is not enough
    • Information sent from the browser can be modified before it reaches the server
    • Plenty of HTTP/HTTPS proxy tools are available to hackers for this very purpose
  • Protocols such as SSL that browsers rely on have their own issues
  • Likewise, attackers can use browser mechanisms such as cache, cookies, session IDs, etc. to steal sensitive information
  • Java applets are susceptible to Man-in-the-Middle (MITM) attacks
  • Java servlets may be vulnerable to SQL injection

Source: OWASP – Application Security FAQ – https://owasp.org/www-community/OWASP_Application_Security_FAQ

27

Browser Security Issues (contd.)
• Specific browser security issues include the following:
  • Browsers pose a unique risk to the enterprise infrastructure because of their frequent exposure to untrusted dynamic content
  • Configuring browser security settings is challenging due to uncertainty about both attack mitigation effectiveness and impact on end users
  • Administrator-driven manual patching often incurs significant lag time before patches are deployed
  • Administrators are often hesitant to enable automatic updating out of fear that patches will break existing functionality
  • 88% of publicly disclosed vulnerabilities are exploited within a day of release
  • Browser plugins accounted for 34.5% of browser-related vulnerabilities

Source: NSA.gov – Steps to Secure Web Browsing – https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-steps-to-secure-web-browsing.pdf

28

Browser Security Issues (contd.)

•OWASP Top 10 – A7:2017 – Cross-Site Scripting XSS

Source: OWASP Top 10 2017 A7 – Cross Site Scripting XSS – https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)

29

Browser Security Issues (contd.) •Common browser security vulnerabilities:

Source: OWASP Top 10 2017 A7 – Cross Site Scripting XSS – https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)

30

Browser Security Issues (contd.) •Cross-Site Scripting – XSS – Professor Messer

Source: Cross-Site Scripting – XSS – CompTIA Security+ Sy0-501 – 1.2 – https://www.youtube.com/watch?v=AjsYOMatAcg

31

Browser Security Issues (contd.)

•OWASP Top 10 – A3:2017–Sensitive Data Exposure

Source: OWASP Top 10 2017 A3-Sensitive Data Exposure – https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure

32

Browser Security Issues (contd.) •Common browser security vulnerabilities:

Source: OWASP Top 10 2017 A3-Sensitive Data Exposure – https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure

33

Browser Security Attacks

34

Browser Security Attacks •Most common browser security attacks:

Source: OWASP – Attacks – https://owasp.org/www-community/attacks/

Attack Type Description

Cache Poisoning A maliciously constructed response is cached by the browser

Clickjacking The attacker hijacks clicks meant for their own page and routes them to another page

Cross-Site Request Forgery (CSRF) An attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated

Cross-Site Scripting (XSS) A type of injection in which malicious scripts are injected into otherwise benign and trusted websites

35

Browser Security Attacks (contd.) •Most common browser security attacks (continued):

Attack Type Description

Man-in-the-Browser A previously installed Trojan horse is used to act between the browser and the browser’s security mechanism, sniffing or modifying transactions as they are formed on the browser, but still displaying back the user’s intended transaction

Session Hijacking An attack that compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server

Spyware A program that captures statistical information from a user’s computer and sends it over the internet without the user’s consent. This information is usually obtained from cookies and the web browser’s history.

Source: OWASP – Attacks – https://owasp.org/www-community/attacks/
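Session hijacking in the table above works by stealing or predicting a session token, and the earlier slide on protecting cookies is the other half of the same problem. The server-side controls for both can be shown together: an unpredictable token, a fingerprint of it for storage (so a leaked session table is not directly usable), and a `Set-Cookie` value with the `Secure`, `HttpOnly` and `SameSite` attributes. This is an added example using only the Python standard library, not code from OWASP or from any browser; the cookie name `sid` and the one-hour lifetime are assumptions.

```python
import hashlib
import secrets
from http.cookies import SimpleCookie


def new_session_token() -> str:
    """256 bits from the OS CSPRNG; a counter or timestamp here is what makes tokens predictable."""
    return secrets.token_urlsafe(32)


def token_fingerprint(token: str) -> str:
    """Store this, not the token: a copied session table cannot be replayed as-is."""
    return hashlib.sha256(token.encode()).hexdigest()


def session_cookie_header(token: str, max_age: int = 3600) -> str:
    """Value for a Set-Cookie header with the hardening attributes set."""
    jar = SimpleCookie()
    jar["sid"] = token
    morsel = jar["sid"]
    morsel["secure"] = True          # never sent over plain HTTP
    morsel["httponly"] = True        # not readable by page script (limits XSS theft)
    morsel["samesite"] = "Strict"    # not attached to cross-site requests (limits CSRF)
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


def cookie_is_hardened(header_value: str) -> bool:
    """Check an existing Set-Cookie value for the three attributes; useful in a config audit."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in header_value.split(";")[1:]}
    return {"secure", "httponly", "samesite"} <= attrs


if __name__ == "__main__":
    token = new_session_token()
    print("store:", token_fingerprint(token))
    print("Set-Cookie:", session_cookie_header(token))
```

`cookie_is_hardened` is the kind of check worth running over a web server's real response headers; a cookie missing `Secure` on a site that still answers on port 80 is exactly the "sensitive data exposure" case from the OWASP A3 slides.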

36

Browser Security Best Practices

37

Browser Security Best Practices
• Best practices for web browser security include:
  • Setting up browsers to auto-update
  • Disabling malicious browser plugins such as adware
  • Connecting to websites only using HTTPS
  • Clearing the browser history, including cookies
  • Disabling the browser’s auto-complete of forms (including stored passwords)
  • Blocking browser pop-ups using extensions such as AdBlock
  • Using VPN or proxy servers

Source: InfoSec Institute – Best Practices for Web Browser Security – https://resources.infosecinstitute.com/best-practices-web-browser-security/

38

Browser Security Best Practices (contd.)
• Best practices for web browser security include:
  • Enabling automatic updates
    • Mitigates 91% of publicly known vulnerabilities
  • Enabling reputation services such as Google Safe Browsing or Microsoft SmartScreen
    • Prevents 87.7% of socially engineered malware and phishing attempts
  • Disabling unsafe plugins and extensions
  • Using advanced mitigation techniques/tools
    • Browser isolation, cloud browsers, O/S level mitigations, etc.

Source: NSA.gov – Steps to Secure Web Browsing – https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-steps-to-secure-web-browsing.pdf

39

Browser Security Best Practices (contd.) •Use the following best practices to protect against XSS:

Source: OWASP Top 10 2017 A7-Cross Site Scripting XSS – https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS).html

40

Recap
• Browser security issues continue to be among the OWASP Top 10 list of web application security risks
• This is due to weaknesses in browser mechanisms such as browser processes, renderers, plugins, extensions, etc.
• Hackers are able to exploit these weaknesses using attacks such as cache poisoning, clickjacking, CSRF, XSS, MITM, session hijacking, spyware, etc.
• Best practices to protect browsers include using auto-update, HTTPS, pop-up blockers, VPNs or proxy servers, reputation services, sandboxing, isolation, hardening, the same origin policy, port banning, content security policy, cloud browsers, etc.

41

Thank you!!!

42

Server Security – Issues and Best Practices

Outline

• Intro to Server Security
• Need for Server Security
• Server Security Fundamentals
• Server Security Issues
  • OWASP Top 10 – A6:2017 – Security Misconfiguration
  • OWASP Top 10 – A10:2017 – Insufficient Logging and Monitoring
• Attacks against Server Security Mechanisms
• Server Security Best Practices

2

Intro to Server Security

3

Intro to Server Security
• How does a web application work?

4

[Figure: client – server diagram; a web application involves servers]

Intro to Server Security (contd.)
• Server
  • A server serves as the host for web applications
  • It refers to the “server” portion of the client-server architecture
  • It receives the HyperText Transfer Protocol (HTTP) request message from the client machine’s browser
  • It authenticates the client based on the user-supplied credentials
  • After authentication, it authorizes the client’s access to the requested web application

5

Intro to Server Security (contd.)

• Server (continued)
  • It sends an HTTP response header back to the client machine, with response code 200 for successful requests or response code 404 for page not found (possibly due to a broken link)
  • It uses ports to make services available to clients
    • Common port numbers: 80 for HTTP traffic, 443 for HTTPS traffic, 25 for SMTP traffic, 21 for FTP traffic, 23 for telnet traffic, etc.
  • Examples: Apache HTTP Server, Apache Tomcat, Microsoft IIS, IBM WebSphere, Oracle WebLogic, Red Hat JBoss EAP, etc.

6

Intro to Server Security (contd.) • Server Market Share:

7

Source: Web and Application Servers Market Share Report – Datanyze – https://www.datanyze.com/market-share/web-and-application-servers--425

Intro to Server Security (contd.) • What is a Server? – PowerCert Animated Videos

8

Source: PowerCert Animated Videos – What is a Server? – https://www.youtube.com/watch?v=UjCDWCeHCzY

Intro to Server Security (contd.)
• Server security refers to “the fundamental activities performed as part of securing and maintaining the security of servers that provide services over network communications as a main function” (NIST SP 800-123, pg. 10)
• Server security involves the following (NIST SP 800-44, pg. 18):
  • Installing, configuring, and securing the server Operating System (OS)
  • Installing, configuring, and securing the server software
  • Employing appropriate network protection mechanisms
    • Firewalls, packet filtering routers, proxies, etc.
  • Ensuring that the hosted web applications are securely coded
  • Employing secure administration and maintenance processes
    • Patching and upgrading, testing, monitoring of logs, backing up data and the OS
  • Protecting information and data in a careful, systematic manner
  • Conducting initial and periodic vulnerability scans of the server and network infrastructure

9

Intro to Server Security (contd.)
• Server security (by technology):
  • Apache HTTP Server security settings
  • NGINX security settings
  • Internet Information Services (IIS) security settings
  • LiteSpeed Web Server security settings
  • OpenResty security settings
• Server security (by operating system):
  • Ubuntu Linux Server guide
  • Windows Server security guide
  • macOS Server guide

10

Need for Server Security

11

Need for Server Security
• As per NIST SP 800-123:
  • Servers are frequently targeted by attackers because of the value of their data and services
  • Servers might contain personally identifiable information that could be used to perform identity theft
  • Most organizations install servers with standard directory names, directory locations, and filenames, making it easy for attackers to target those servers
  • The failure of organizations to fully recognize the amount of expense and skill required to field a secure server often results in overworked employees and insecure systems

12

Need for Server Security (contd.)
• As per NIST SP 800-123 (continued):
  • Default hardware and software configurations are typically set by manufacturers to emphasize features, functions, and ease of use, at the expense of security
  • The default configuration of the OS often includes guest accounts (with and without passwords), administrator or root level accounts, and accounts associated with local and network services
  • Because manufacturers are unaware of each organization’s security needs, server administrators need to configure new servers to reflect their organizations’ security requirements and reconfigure them as needed

13

Need for Server Security (contd.)
• As per NIST SP 800-44:
  • Compromised web sites can serve as an entry point for intrusions into many organizations’ internal networks
  • Organizations can face monetary losses, damage to reputation, or legal action if an intruder successfully violates the confidentiality of their data
  • Hackers could compromise web server security by:
    • defacing organizations’ web site or otherwise affecting integrity
    • executing unauthorized commands on the host OS
    • launching attacks on external sites from the web server
    • using the server to deliver attacks against vulnerable clients
    • using the server to distribute illegally copied software

14

Need for Server Security (contd.)
• As per the EdgeScan (2019) Vulnerability Statistics Report, the most common infrastructure vulnerabilities include the following server-related issues:
  • 44.70% – SSL / TLS Version & Configuration Issues
  • 29.53% – SMB Security Issues
  • 8.61% – OpenSSH Vulnerabilities & Configuration Issues
  • 6.25% – Windows Remote Desktop Protocol Server MITM
  • 4.15% – Unencrypted Telnet Services
  • 1.69% – Unsupported & Unpatched Server Detection

15

Need for Server Security (contd.)
• As per the EdgeScan (2019) Vulnerability Statistics Report:
  • 33.33% of all high and critical risk vulnerabilities discovered in 2018 were in relation to unsupported Windows Server 2003 systems (no patching, support, end-of-life systems)
  • 7.53% of all high and critical risk vulnerabilities discovered in 2018 related to exposure to NotPetya CVEs (CVE-2017-0144, CVE-2017-0145) – Windows Server Message Block (SMB) Remote Code Execution Vulnerability
  • Systems using Apache and PHP also contributed to the Top 10 due to weak component security and traditional patch management of exposed systems

16

Need for Server Security (contd.)
• Hackers are increasingly using servers to cause data breaches (Privacy Rights Clearinghouse, 2020)

17

Server Security Fundamentals

18

Server Security Fundamentals • What is the Apache HTTP Server? – CBT Nuggets

19

Source: CBT Nuggets – What is the Apache HTTP Server? – https://www.youtube.com/watch?v=fRLJ3bnbHmE

Server Security Fundamentals (contd.)
• A basic Apache web server architecture includes the following components (Kew, 2007):
  • Modules
  • Multi-Processing Modules (MPM)
  • Apache Portable Runtime (APR) Libraries

20

Server Security Fundamentals (contd.)
• Apache web server architecture:
  • Modules
    • Functionality that can be used to do things such as authentication, dynamic content generation, encryption, virus scanning, file compression, email services, file transfer services, etc.
  • Multi-Processing Modules (MPM)
    • Special module which allows Apache to be configured as a pure process-based server, a pure threaded server, or both
  • Apache Portable Runtime (APR) Libraries
    • Provides for platform-specific tuning and optimization

21

Source: Apache – Apache HTTP Server Version 2.4 Documentation – https://httpd.apache.org/docs/2.4/

Server Security Fundamentals (contd.)
• Apache web server security:
  • Modular architecture
    • Allows modules to be enabled or disabled to add and remove web server functionality
    • Only MPM modules can interact directly with the Operating System
  • Authentication
    • Modules can authenticate against plain text files and database files including Oracle, MySQL, PostgreSQL, etc.
    • E.g. mod_auth_basic, mod_auth_digest, mod_auth_form, mod_authn_dbd, etc.

22

Source: Apache – Apache HTTP Server Version 2.4 Documentation – https://httpd.apache.org/docs/2.4/

Server Security Fundamentals (contd.)
• Apache web server security (continued):
  • Access Control
    • The mod_access_compat module can restrict access to resources based on IP address or hostname of the client
  • SSL / TLS
    • The mod_ssl module provides strong encryption to protect data transmitted between the web server and the client
  • Proxy
    • Apache supports both a traditional HTTP proxy and a reverse proxy
    • Reverse proxy can be used for load balancing
  • Virtual Hosting Support and XML Security

23

Source: TLDP.org – Apache Overview HOWTO – https://www.tldp.org/HOWTO/pdf/Apache-Overview-HOWTO.pdf

Server Security Fundamentals (contd.)
• Apache web server security (continued):
  • Configuration Settings
    • Modules come with several directives related to timeouts, resource consumption, request processing, concurrent connections, etc.
  • Common Gateway Interface (CGI) & Server Side Includes (SSI)
    • The suEXEC feature can considerably reduce the security risks involved with allowing users to develop and run private CGI or SSI programs
  • Logs
    • The mod_log_config and mod_log_forensic modules can be used to log everything that happens on the server

24

Source: Apache.org – Apache HTTP Server Documentation Version 2.4 – https://archive.apache.org/dist/httpd/docs/httpd-docs-2.4.33.en.pdf

Server Security Issues

25

Server Security Issues • As per NIST SP 800-123 (pg. 7), server security issues include:

26

Source: NIST SP 800-123 – Guide to General Server Security – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf

Server Security Issues (contd.)
• As per NIST SP 800-44 (pg. 17-18), other server security issues include the following:
  • Misconfiguration or other improper operation of the Web server, which may result, for example, in the disclosure or alteration of proprietary or sensitive information. This information can include items such as:
    • Assets of the organization
    • Configuration of the server or network that could be exploited for subsequent attacks
    • Credentials of the users or administrator(s) of the Web server
  • Inadequate or unavailable defense mechanisms for the Web server to prevent certain classes of attacks, such as DoS attacks, which disrupt the availability of the Web server and prevent authorized users from accessing the Web site when required

27

Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf

Server Security Issues (contd.)
• Other server security issues include the following (continued):
  • Vulnerabilities within the Web server that might allow, for example, attackers to compromise the security of the server and other hosts on the organization’s network by taking actions such as the following:

28

Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf

Server Security Issues (contd.) • OWASP Top 10–A6:2017 – Security Misconfiguration

29

Source: OWASP Top 10 2017 A6 – Security Misconfiguration – https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html

Server Security Issues (contd.) • Common server security vulnerabilities:

30

Source: OWASP Top 10 2017 A6 – Security Misconfiguration – https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html

Server Security Issues (contd.) • OWASP Top 10–A10:2017 – Insufficient Logging & Monitoring

31

Source: OWASP Top 10 2017 A10 – Insufficient Logging & Monitoring – https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring

Server Security Issues (contd.) • Common server security vulnerabilities:

32

Source: OWASP Top 10 2017 A10 – Insufficient Logging & Monitoring – https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring

Server Security Attacks

33

Server Security Attacks • Most common server security attacks:

34

Attack Type – Description
Denial of Service (DoS) – Attacks may be directed to the server or its supporting network infrastructure, denying or hindering valid users from making use of its services. Attacks may take advantage of the server’s account lockout policy. Attacks may involve uploading many large files. Attacks take advantage of simultaneous network connections.
Malware – Malicious entities may gain unauthorized access to resources elsewhere in the organization’s network via a successful attack on the server

Source: NIST SP 800-123 – Guide to General Server Security – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf

Server Security Attacks (contd.) • Most common server security attacks (continued):

35

Attack Type – Description
Man-in-the-Middle (MITM) – Password information can be intercepted using network sniffers and used by an attacker to masquerade as an authorized user
SYN Flood – If the maximum number of open connections (or connections that are half-open—that is, the first part of the TCP handshake was successful) is set to a low number, an attacker can easily consume the available connections with illegitimate requests (often called a SYN flood)

Source: NIST SP 800-123 – Guide to General Server Security – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf

Server Security Attacks (contd.) • Most common server security attacks (continued):

36

Attack Type – Description
Brute Force – Attackers try every possible password to attempt to gain access to a user’s account
Command Injection – Compromise of sensitive information on backend databases that are used to support a web application
Directory Traversal – Unauthorized access including gaining access to files or folders and being able to execute commands and/or install software on the web server
Replay Attack – An impostor verifier replays the OTP authenticator output to the verifier and successfully authenticates to the web server (NIST SP 800-63b)

Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf

Server Security Attacks (contd.) • Replay Attacks – Professor Messer

37

Source: Replay Attacks – CompTIA Security+ Sy0-401: 3.2 – https://www.youtube.com/watch?v=Ar97HbWLijU

Server Security Best Practices

38

Server Security Best Practices
• Best practices for web server security include:
  • Planning and managing web servers (pg. 33)
    • Plan the configuration and deployment of the web server
    • Choose an appropriate Operating System (OS) for the web server
    • Choose an appropriate platform for the web server
      • General purpose OS, Trusted OS, web server appliance, virtualized platform, etc.
  • Securing the web server OS (pg. 41)
    • Patch and upgrade the OS
    • Remove or disable unnecessary services and applications
    • Configure OS user authentication
    • Configure resource controls appropriately
    • Install and configure additional security controls
    • Test the security of the OS

39

Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf

Server Security Best Practices (contd.)
• Best practices for web server security include:
  • Securing the web server (pg. 51)
    • Securely install the web server
    • Configure OS and web server access controls
    • Configure a secure web content directory
  • Securing web content (pg. 70)
    • Ensure that sensitive information is not available on the web server
    • Establish an organization-wide documented formal policy and process for approving public web content
    • Maintain Web user privacy
    • Mitigate indirect attacks on content
    • Consider client-side active content security
    • Maintain server-side active content security

40

Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf

Server Security Best Practices (contd.)
• Best practices for web server security include:
  • Using authentication and encryption technologies (pg. 86)
    • Configure web authentication and encryption technologies
    • Configure SSL / TLS
    • Protect against brute force attacks
  • Implementing a secure network infrastructure (pg. 99)
    • Identify a network location
    • Assess firewall configuration
    • Evaluate intrusion detection and prevention systems
    • Assess network switches
    • Evaluate load balancers
    • Evaluate reverse proxies

41

Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf

Server Security Best Practices (contd.)
• Best practices for web server security include:
  • Administering the web server (pg. 113)
    • Perform logging
    • Perform web server backups
    • Recover from a compromise
    • Test security
    • Conduct remote administration and content updates

42

Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf

Server Security Best Practices (contd.)

• Use the following server security best practices to protect against security misconfiguration:

43

Source: OWASP Top 10 2017 A6 – Security Misconfiguration – https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration
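The "Configuration Settings" slide in the fundamentals section notes that Apache modules ship with directives for timeouts, connections and request processing, and the OWASP A6 material above is about catching such settings when they are left weak. As an added example (not from the slides, Apache or OWASP), the script below audits an httpd configuration for a handful of well-known directives and reports each weak value next to the corrected form. Both configuration snippets are constructed for the example; the directive names (ServerTokens, ServerSignature, TraceEnable, Timeout, Options, SSLProtocol) are real Apache directives, while the 60-second timeout threshold is an assumption chosen for illustration.

```python
"""Audit an Apache httpd configuration for common misconfiguration directives."""

# Constructed configuration with weak settings (not taken from any real server)
WEAK_CONFIG = """
# leaks httpd version and loaded modules in the Server header
ServerTokens Full
# prints the version on server-generated error pages
ServerSignature On
# TRACE method enabled
TraceEnable On
# generous per-connection timeout helps slow connection-exhaustion DoS
Timeout 300
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
# still permits TLSv1 and TLSv1.1
SSLProtocol all -SSLv3
"""

# The same configuration with the weak settings corrected
HARDENED_CONFIG = """
ServerTokens Prod
ServerSignature Off
TraceEnable Off
Timeout 60
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
</Directory>
SSLProtocol -all +TLSv1.2 +TLSv1.3
"""

ALL_SSL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}
WEAK_SSL = {"sslv3", "tlsv1", "tlsv1.1"}


def parse_directives(text):
    """Yield (name, [args]) per directive line; comments and <Section> tags are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        parts = line.split()
        yield parts[0], parts[1:]


def enabled_ssl_protocols(args):
    """Resolve an SSLProtocol argument list ('all -SSLv3', '-all +TLSv1.2', ...) to the enabled set."""
    enabled = set()
    for tok in args:
        t = tok.lower()
        if t == "all":
            enabled = set(ALL_SSL)
        elif t == "-all":
            enabled = set()
        elif t.startswith("-"):
            enabled.discard(t[1:])
        else:
            enabled.add(t.lstrip("+"))
    return enabled


def audit_config(text):
    """Return a list of findings; an empty list means none of the checked weaknesses is present."""
    findings = []
    for name, args in parse_directives(text):
        key, val = name.lower(), " ".join(args)
        if key == "servertokens" and val.lower() != "prod":
            findings.append(f"ServerTokens {val}: reveals server details; use 'ServerTokens Prod'")
        elif key == "serversignature" and val.lower() != "off":
            findings.append(f"ServerSignature {val}: version shown on error pages; use 'Off'")
        elif key == "traceenable" and val.lower() != "off":
            findings.append(f"TraceEnable {val}: TRACE method enabled; use 'Off'")
        elif key == "timeout" and args and args[0].isdigit() and int(args[0]) > 60:
            findings.append(f"Timeout {val}: long timeouts ease connection-exhaustion DoS; consider <= 60")
        elif key == "options" and any(a.lower() in ("indexes", "+indexes") for a in args):
            findings.append(f"Options {val}: directory listings enabled; use '-Indexes'")
        elif key == "sslprotocol":
            weak = enabled_ssl_protocols(args) & WEAK_SSL
            if weak:
                findings.append(f"SSLProtocol {val}: weak protocols enabled {sorted(weak)}")
    return findings


if __name__ == "__main__":
    for finding in audit_config(WEAK_CONFIG):
        print("FINDING:", finding)
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

The SSLProtocol check resolves the `all`/`-all`/`+name`/`-name` grammar to the final enabled set before judging it, because `all -SSLv3` looks deliberate yet still leaves TLSv1 and TLSv1.1 on, which is the kind of TLS configuration issue EdgeScan counts as the most common infrastructure finding earlier in the deck.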

Server Security Best Practices (contd.)

• Use the following server security best practices to protect against insufficient logging and monitoring:

44

Source: OWASP Top 10 2017 A10 – Insufficient Logging & Monitoring – https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring

Recap
• Server security issues continue to be among the OWASP Top 10 list of web application security risks
• This is due to weaknesses in server technologies such as authentication, access controls, configuration, connections, encryption, active content, logs, etc.
• Hackers are able to exploit the weaknesses using attacks such as DoS, malware, MITM, SYN flood, brute force, command injection, directory traversal, replay attacks, etc.
• Best practices to protect servers include planning and managing web servers, securing the web server OS, securing the web server, securing web content, using authentication and encryption technologies, implementing a secure network infrastructure, administering the web server, etc.

45

Thank you!!!

46

Code Security – Issues and Best Practices

Outline Intro to Code Security

Need for Code Security

Code Security Fundamentals

Code Security Issues ◦ OWASP Top 10 – A4:2017– XML External Entities (XXE)

◦ OWASP Top 10 – A8:2017– Insecure Deserialization

◦ OWASP Top 10 – A9:2017– Using Components with Known Vulnerabilities

Attacks against Code Security Mechanisms

Code Security Best Practices

2

Intro to Code Security

3

Intro to Code Security
What is Code?
◦ Code refers to instructions issued to a computer that tell it which actions to perform and in what order
◦ Code is made of strings of typed letters, numbers, and figures, which constitute a language complete with spelling rules and syntax
◦ Code is used to do all sorts of activities including:
  ◦ Building websites
  ◦ Flying airplanes
  ◦ Running NASA satellites
  ◦ Making cars/cellphones/TVs/gaming consoles, etc. work

4

Source: Indeed.com – How to Write Code in 6 Steps? – https://www.indeed.com/career-advice/career-development/how-to-write-code

Intro to Code Security (contd.)
Code Types
◦ Markup Languages – Use start tags (<>) and end tags (</>) to represent different components
  ◦ Examples:
    ◦ HTML – Is the code that describes the structure and content of a web application
    ◦ XML – Is code that is designed to store and transport data in both human- and machine-readable format
    ◦ SAML – Is a framework for describing and exchanging security information between online business partners

5

Intro to Code Security (contd.)
Code Types (continued)
◦ Scripting Languages – Used to write small programs that are usually interpreted at runtime by a runtime environment
  ◦ Examples (client-side):
    ◦ JavaScript – Is a cross-platform scripting language that can be embedded within web pages to create interactive documents
    ◦ AJAX – Is a collection of technologies that allows web developers to improve the response times between web pages

6

Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf

Intro to Code Security (contd.)
Code Types (continued)
◦ Scripting Languages – Can also be used from the server side
  ◦ Examples (server-side):
    ◦ CGI – Is used to make web sites interact with databases and other applications
    ◦ SSI – Is a limited scripting language supported by most web servers
    ◦ ASP – Is used to create dynamic and interactive web applications for servers that serve “.asp” web pages using the .NET framework
    ◦ PHP – Is used to create dynamic web pages that extract data from a database and present it on a web page

7

Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf

Intro to Code Security (contd.)
Code Types (continued)
◦ Programming Languages – Used to code the business logic behind the web applications
  ◦ Examples:
    ◦ Java – Is a cross-platform programming language that is secure, fast, powerful, open-source, and free
    ◦ C# – Is an object-oriented programming language created by Microsoft that runs on the .NET framework
    ◦ Python – Is an interpreted programming language used to create web applications that can be used to handle big data and perform complex math
    ◦ Ruby – Is an open-source programming language with a focus on simplicity and productivity

8

Intro to Code Security (contd.) Code Market Share:

9

Source: Programming Languages Market Share Report – Datanyze – https://www.datanyze.com/market-share/programming-languages--67/

Intro to Code Security (contd.) Secure Coding Concepts – Professor Messer

10

Source: Professor Messer – Secure Coding Concepts – CompTIA Security+ SY0-401: 4.1 – https://www.youtube.com/watch?v=N-tQtS5uQoo

Intro to Code Security (contd.)
Code security refers to “a set of technologies and best practices for making software as secure and stable as possible. It encompasses everything from encryption, certificates, and federated identity to recommendations for moving sensitive data, accessing a file system, and managing memory” (Red Hat, 2020)
As per Apple (2016), code security involves writing software that:
◦ Is resistant to attack by malicious or mischievous people or programs
◦ Stops an attacker from accessing and taking control of a server or a user’s computer, resulting in denial of service, compromise of secrets, or damage to the systems of thousands of users
◦ Protects a user’s data from theft or corruption
◦ Is secure regardless of whether it is a small script or a commercial application

11

Need for Code Security

12

Need for Code Security
As per OWASP (2010):
◦ It is much less expensive to build secure software than to correct security issues after the software package has been completed, not to mention the costs that may be associated with a security breach
◦ Securing critical software resources is more important than ever as the focus of attackers has steadily moved toward the application layer
◦ Failure to do secure coding can compromise:
  ◦ The software and its associated information
  ◦ The operating systems of the associated servers
  ◦ The backend database
  ◦ Other applications in a shared environment

13

Need for Code Security (contd.)
As per Veracode (2020):
◦ Code security analysis is a must for competitive enterprises
◦ Most current threats are directed at the application layer
◦ It is critical to search code for vulnerabilities such as backdoors and malicious code before hackers discover and exploit those vulnerabilities using a variety of attacks
◦ Such code-targeted attacks on the enterprise can have severe consequences:
  ◦ Reduce productivity
  ◦ Tie up valuable organizational resources
  ◦ Damage brand reputation
  ◦ Cut into profits

14

Need for Code Security (contd.) As per the Veracode (2019) State of Software Security Report, web applications coded in most common languages have at least 1 vulnerability:

15

Need for Code Security (contd.) As per the Veracode (2019) State of Software Security Report, flaw intensity vs. flaw prevalence is as follows:

16

Need for Code Security (contd.) As per the Veracode (2019) State of Software Security Report, flaw intensity vs. flaw prevalence is as follows:

17

Need for Code Security (contd.) As per the Veracode (2019) State of Software Security Report, the flaw debt types by language are:

18

Need for Code Security (contd.) Poor code security continues to be a major cause of data breaches (Privacy Rights Clearinghouse, 2020)

19

Code Security Fundamentals

20

Code Security Fundamentals Secure Coding Standards – SEI | CMU | CERT

21

Source: SEI | CMU | CERT – Secure Coding Standards – https://www.youtube.com/watch?v=WYKSivnp3gA

Code Security Fundamentals (contd.)
Code security (by code type):
◦ Markup language security
  ◦ HTML security
  ◦ XML security
  ◦ SAML security
◦ Scripting language (client-side) security
  ◦ JavaScript security (in Firefox)
  ◦ AJAX security

22

Code Security Issues

24

Code Security Issues
Specific code security issues include the following:
◦ Vulnerabilities in C amounted to 50% of all reported vulnerabilities
◦ The most common CWEs across most programming languages are Cross-Site Scripting (XSS), Input Validation, Permissions, Privileges, and Access Control, and Information Leak / Disclosure
◦ A significant rise was seen in reported vulnerabilities as a result of the use of automated tools and the trend of bug bounty programs
◦ While there was a spike in the number of reported security vulnerabilities in the past couple of years, the number of high severity vulnerabilities has decreased in most languages

25

Source: Whitesource – Most Secure Programming Languages – https://www.whitesourcesoftware.com/most-secure-programming-languages/

Code Security Issues (contd.) Specific code security issues include the following: ◦ Total reported vulnerabilities per language

26

Source: Whitesource – Most Secure Programming Languages – https://www.whitesourcesoftware.com/most-secure-programming-languages/

Code Security Issues (contd.) Top 3 vulnerabilities per language

27

Source: Whitesource – Most Secure Programming Languages – https://www.whitesourcesoftware.com/most-secure-programming-languages/

Code Security Issues (contd.) Top 3 vulnerabilities per language

28

Source: Whitesource – Most Secure Programming Languages – https://www.whitesourcesoftware.com/most-secure-programming-languages/

Code Security Issues (contd.) OWASP Top 10–A4:2017 – XML External Entities (XXE)

29

Source: OWASP Top 10 2017 A4 – XML External Entities (XXE) – https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE).html

Code Security Issues (contd.) Common code security vulnerabilities:

30

Source: OWASP Top 10 2017 A4 – XML External Entities (XXE) – https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE).html

Code Security Issues (contd.) OWASP Top 10–A8:2017 – Insecure Deserialization

31

Source: OWASP Top 10 2017 A8 – Insecure Deserialization – https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization

Code Security Issues (contd.) Common code security vulnerabilities:

32

Source: OWASP Top 10 2017 A8 – Insecure Deserialization – https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization

Code Security Issues (contd.) OWASP Top 10–A9:2017 – Using Components with Known Vulnerabilities

33

Source: OWASP Top 10 2017 A9 – Using Components with Known Vulnerabilities – https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities

Code Security Issues (contd.) Common code security vulnerabilities:

34

Source: OWASP Top 10 2017 A9 – Using Components with Known Vulnerabilities – https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities

Code Security Attacks

35

Code Security Attacks Most common code security attacks:

36

Attack Type – Description
Billion Laughs Attack / XML Bomb – A block of XML that is both well-formed and valid according to the rules of an XML schema but which crashes or hangs a program when that program attempts to parse it (Microsoft, 2015)
Buffer Overflow – An attack which consists of overwriting memory fragments of a process, resulting in errors that end execution of the application in an unexpected way
Code Injection – An attack which consists of injecting code that is then interpreted/executed by the application

Code Security Attacks (contd.) Most common code security attacks (continued):

37

Attack Type – Description
JSON Injection – A simple server-side attack that could be performed in PHP to grant admin privileges to a regular user
SSI Injection – An attack that allows the exploitation of a web application by injecting scripts in HTML pages or executing arbitrary code remotely
XXE Attack – The attacker breaks out of the usual processing schema, bypasses the security verification and reads locally stored files

Code Security Attacks (contd.) What is an XXE Attack – Hacksplaining

38

Source: Hacksplaining – What is an XXE Attack? – https://www.youtube.com/watch?v=hIHrGuG3r5w

Code Security Best Practices

39

Code Security Best Practices
Best practices for code security include:
◦ Establishing coding standards and conventions
  ◦ Select languages based on the security issues they inherit
  ◦ Use built-in security features
  ◦ Use loosely coupled frameworks / libraries / components
  ◦ Enforce standards
◦ Using safe functions / APIs only
  ◦ Provide guidance to developers on what functions / APIs to avoid
  ◦ Use appropriate tools to assist in identifying and reviewing the usage of dangerous functions
  ◦ Use the latest versions of compilers / interpreters / runtime environments

40

Source: SAFEcode.org – Fundamental Practices for Secure Software Development – https://safecode.org/wp-content/uploads/2018/03/SAFECode_Fundamental_Practices_for_Secure_Software_Development_March_2018.pdf

Code Security Best Practices (contd.)
Best practices for code security include (continued):
◦ Using code analysis tools to find security issues early
  ◦ Use tools to analyze code to identify deviation from requirements
  ◦ Use tools that plug in directly into the IDE
  ◦ Use secure code review to identify logical errors in the source code
◦ Handling data safely / handling errors gracefully
  ◦ Use input validation techniques to begin with
  ◦ Enforce data segregation to prevent data from becoming application logic
  ◦ Use encoding so that data is interpreted in the context in which it is used
  ◦ Use data binding, which prevents data from being interpreted as control logic
  ◦ Use sanitization techniques to remove, replace, or encode unwanted characters

41

Source: SAFEcode.org – Fundamental Practices for Secure Software Development – https://safecode.org/wp-content/uploads/2018/03/SAFECode_Fundamental_Practices_for_Secure_Software_Development_March_2018.pdf

Code Security Best Practices (contd.)
Best practices for code security include the following:
◦ Take Security Requirements and Risk Information into Account During Software Design
◦ Review the Software Design to Verify Compliance with Security Requirements and Risk Information
◦ Verify Third-Party Software Complies with Security Requirements
◦ Reuse Existing, Well-Secured Software When Feasible Instead of Duplicating Functionality
◦ Create Source Code Adhering to Secure Coding Practices

42

Source: NIST – Cybersecurity White Paper – https://csrc.nist.gov/CSRC/media/Publications/white-paper/2019/06/07/mitigating-risk-of-software-vulnerabilities-with-ssdf/draft/documents/ssdf-for-mitigating-risk-of-software-vulns-draft.pdf

Code Security Best Practices (contd.)
Best practices for code security include the following:
◦ Configure the Compilation and Build Processes to Improve Executable Security
◦ Review and/or Analyze Human-Readable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements
◦ Test Executable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements
◦ Configure the Software to Have Secure Settings by Default

43

Source: NIST – Cybersecurity White Paper – https://csrc.nist.gov/CSRC/media/Publications/white-paper/2019/06/07/mitigating-risk-of-software-vulnerabilities-with-ssdf/draft/documents/ssdf-for-mitigating-risk-of-software-vulns-draft.pdf

Code Security Best Practices (contd.) Use the following code security best practices to protect against XML External Entities (XXE):

44

Source: OWASP Top 10 2017 A4 – XML External Entities (XXE) – https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE).html
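The attack table earlier lists the billion laughs / XML bomb and the XXE attack, and the A4 best practice slide above is about parser hardening against them. The code below is an added example written for this page, not part of the slides or of OWASP's material: it uses Python's standard-library expat parser and applies the one policy that removes both problems at once, refusing any DOCTYPE before its contents are processed, so no entity can be declared at all. The three XML documents are constructed samples; the SYSTEM identifier in the XXE-shaped one is a placeholder, not a real path.

```python
"""Refuse DTDs when parsing untrusted XML (mitigates XXE and billion laughs)."""
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when untrusted XML carries a DOCTYPE, an entity declaration or an external reference."""


def parse_untrusted_xml(data):
    """Parse XML from an untrusted source; return [(tag, text)] in end-tag order.

    The hardening is a policy, not a heuristic: any DOCTYPE is refused before
    its internal subset is read, so an attacker can declare neither an
    external entity (XXE) nor nested internal entities (billion laughs).
    """
    parser = expat.ParserCreate()
    # Never fetch external parameter entities (DTDs referenced by URL)
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} rejected: DTDs are not accepted from untrusted input")

    def reject_entity(*_):
        raise UnsafeXML("entity declaration rejected")

    def reject_external(context, base, sysid, pubid):
        return 0  # 0 = "could not resolve", which makes expat fail the parse

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external

    results, open_elems = [], []

    def start(name, attrs):
        open_elems.append((name, []))

    def chars(text):
        if open_elems:
            open_elems[-1][1].append(text)

    def end(name):
        tag, parts = open_elems.pop()
        results.append((tag, "".join(parts).strip()))

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return results


def is_safe_xml(data):
    """True if the document parses under the no-DTD policy, False otherwise."""
    try:
        parse_untrusted_xml(data)
        return True
    except (UnsafeXML, expat.ExpatError):
        return False


# Constructed samples: a benign document, a two-level billion-laughs-shaped document,
# and an XXE-shaped document whose SYSTEM identifier is a placeholder, not a real path.
BENIGN = "<order><id>42</id><item>widget</item></order>"
LAUGHS = (
    '<?xml version="1.0"?>\n<!DOCTYPE lolz [\n'
    ' <!ENTITY lol "lol">\n <!ENTITY lol2 "&lol;&lol;&lol;&lol;">\n]>\n'
    "<lolz>&lol2;</lolz>"
)
XXE_SHAPED = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE foo [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER-NOT-A-REAL-PATH"> ]>\n'
    "<foo>&ext;</foo>"
)

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN))
    for label, doc in (("billion laughs", LAUGHS), ("xxe", XXE_SHAPED)):
        print(label, "accepted" if is_safe_xml(doc) else "rejected")
```

Rejecting at `StartDoctypeDeclHandler` matters more than the two later handlers: by the time an entity declaration or external reference handler fires, the parser has already begun processing the DTD, whereas the DOCTYPE handler runs before any of it is read. If an application genuinely needs DTD validation, that validation belongs on trusted documents only, with a separate parser configuration.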

Code Security Best Practices (contd.) Use the following code security best practices to protect against insecure deserialization:

45

Source: OWASP Top 10 2017 A8 – Insecure Deserialization – https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization.html
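The A8 slide above concerns deserializing data that an untrusted party controls. The example below is added for this page (it is not from the slides or from OWASP) and shows the pattern that replaces native object deserialization such as `pickle.loads()` on client-supplied data: a data-only format (JSON), an HMAC checked before anything is parsed, and a strict schema applied afterwards. The session-token fields, the allowed roles and the key are constructed assumptions for the example.

```python
"""Replace native-object deserialization with signed, schema-checked JSON."""
import base64
import hashlib
import hmac
import json

# Schema allow-list for a session token: field -> exact Python type (constructed for this example)
SESSION_SCHEMA = {"user_id": int, "role": str, "expires": int}
ALLOWED_ROLES = {"user", "admin"}

# Constructed key; in practice load it from a secret store, never hard-code it
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def serialize(obj, key):
    """Encode obj as urlsafe-base64(JSON) + '.' + HMAC-SHA256 hex over the encoded body."""
    body = base64.urlsafe_b64encode(
        json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    )
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + sig


def deserialize(token, key):
    """Verify the MAC first, then parse JSON, then enforce the schema; ValueError on any failure.

    This is the safe counterpart of calling pickle.loads() / unserialize() on client data:
    JSON can only produce plain values, and nothing is parsed until the MAC checks out.
    """
    body, sep, sig = token.rpartition(".")
    if not sep:
        raise ValueError("malformed token")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("signature mismatch")
    obj = json.loads(base64.urlsafe_b64decode(body))
    if not isinstance(obj, dict) or set(obj) != set(SESSION_SCHEMA):
        raise ValueError("unexpected fields")
    for field, typ in SESSION_SCHEMA.items():
        if type(obj[field]) is not typ:  # exact type: also rejects bool where int is expected
            raise ValueError(f"field {field!r} has wrong type")
    if obj["role"] not in ALLOWED_ROLES:
        raise ValueError("unknown role")
    return obj


def try_deserialize(token, key):
    """Convenience wrapper: the parsed object, or None when the token is rejected."""
    try:
        return deserialize(token, key)
    except ValueError:  # json.JSONDecodeError and binascii.Error are ValueError subclasses
        return None


def tamper_role(token, new_role):
    """Constructed tampering for the demo: edit the body but keep the old signature."""
    body, sep, sig = token.rpartition(".")
    obj = json.loads(base64.urlsafe_b64decode(body))
    obj["role"] = new_role
    new_body = base64.urlsafe_b64encode(
        json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    )
    return new_body.decode() + "." + sig


# A valid token produced by the server side of the example
DEMO_TOKEN = serialize({"user_id": 7, "role": "user", "expires": 1700000000}, DEMO_KEY)

if __name__ == "__main__":
    print("valid:", try_deserialize(DEMO_TOKEN, DEMO_KEY))
    print("tampered:", try_deserialize(tamper_role(DEMO_TOKEN, "admin"), DEMO_KEY))
```

The MAC check comes before `json.loads` on purpose: a parser should never run on bytes whose origin has not been established, and `hmac.compare_digest` keeps the comparison from leaking the signature through timing. The schema step then rejects anything the MAC could not catch, such as a validly signed token minted with a role the application does not know.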

Code Security Best Practices (contd.) Use the following code security best practices to protect against using components with known vulnerabilities:

46

Source: OWASP Top 10 2017 A9 – Using Components with Known Vulnerabilities – https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities.html
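The A9 slide above and the SAFECode practice of using tools to identify dangerous components both come down to comparing what is pinned in a dependency manifest against published advisories. The following is an added example for this page, not from the slides, OWASP or SAFECode, and not a substitute for a real dependency scanner: it reads a pip-style requirements file, compares each `==` pin against a list of advisories, and also reports unpinned lines, since a version range cannot be audited. The requirements text, the advisory identifiers and the "fixed in" versions are all constructed for the example and are not real advisory data.

```python
"""Check pinned dependencies against a (constructed) advisory list."""

# Constructed advisory data: package -> [(advisory id, first fixed version)].
# These ids and versions are placeholders for the example, not real CVE data.
ADVISORIES = {
    "requests": [("ADV-CONSTRUCTED-1", "2.20.0")],
    "pyyaml": [("ADV-CONSTRUCTED-2", "5.4")],
    "urllib3": [("ADV-CONSTRUCTED-3", "1.26.5")],
}

# Constructed requirements file for the example
REQUIREMENTS = """
requests==2.19.1
pyyaml==5.4
urllib3==1.25.8
flask>=2.0   # a range, not a pin: the installed version is unknown to this check
"""


def parse_version(text):
    """Turn '1.26.5' into (1, 26, 5) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.strip().split("."))


def check_requirements(requirements_text, advisories):
    """Return a list of (name, advisory_id, fixed_version) findings.

    An unpinned line is reported as (line, "unpinned", None) because a range
    such as 'flask>=2.0' gives no single version to compare against an advisory.
    """
    findings = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            findings.append((line, "unpinned", None))
            continue
        name, version = (part.strip() for part in line.split("==", 1))
        for advisory_id, fixed in advisories.get(name.lower(), []):
            if parse_version(version) < parse_version(fixed):
                findings.append((name, advisory_id, fixed))
    return findings


if __name__ == "__main__":
    for name, advisory_id, fixed in check_requirements(REQUIREMENTS, ADVISORIES):
        if advisory_id == "unpinned":
            print(f"{name}: not pinned, cannot be audited")
        else:
            print(f"{name}: affected by {advisory_id}, fixed in {fixed}")
```

Two details carry the security point: versions are compared as integer tuples (a string comparison would rank "1.9" above "1.26"), and a package pinned exactly at the first fixed version (pyyaml here) is correctly not reported. A real scanner also has to handle pre-release suffixes, version epochs and transitive dependencies, which this example leaves out.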

Recap Code security issues are among the OWASP Top 10 list of web application security risks

This is due to weaknesses in coding technologies such as markup languages, scripting languages (client- and server-side), programming languages, etc.

Hackers are able to exploit the weaknesses using attacks such as billion laughs, buffer overflow, code/SSI/JSON injection, XXE attacks, etc.

Best practices to protect code include establishing coding standards, protecting data, performing input validation/error handling/logging, ensuring proper memory management, using code analysis tools to do secure code review, etc.

47

Thank you!!!

48

Cloud Security – Issues and Best Practices

Outline Intro to Cloud Security

Need for Cloud Security

Cloud Security Fundamentals

Cloud Security Issues

◦ OWASP Top 10 – A6:2017– Security Misconfiguration

◦ OWASP Cloud-Native Application Security Top 10

Attacks against Cloud Security Mechanisms

Cloud Security Best Practices

2

Intro to Cloud Security

3

Intro to Cloud Security
What is the cloud?
◦ According to Microsoft (2022), the cloud refers to “a vast network of remote servers around the globe which are hooked together and meant to operate as a single ecosystem”
◦ Cloud servers are designed to:
  ◦ Store and manage data
  ◦ Run applications
  ◦ Deliver content/services such as streaming videos, web mail, office productivity software, social media to any Internet-connected device
◦ According to NSA (2018), cloud browsers can be used to completely separate the web browser from the user’s O/S by hosting the browser in a remote cloud environment

4

Intro to Cloud Security (contd.) What is the cloud? – PowerCert Animated Videos

5

Source: PowerCert Animated Videos – Cloud Computing Explained – https://www.youtube.com/watch?v=_a6us8kaq0g/

Intro to Cloud Security (contd.)
Cloud deployment methods
◦ Public cloud – shares resources and offers services over the public Internet
◦ Private cloud – does not share resources and offers services over a private internal network, typically hosted in an on-premise datacenter
◦ Hybrid cloud – shares resources between public and private clouds depending on their purpose
◦ Community cloud – shares resources only between specific organizations such as government institutions

6

Source: Microsoft.com – What is the Cloud? – https://azure.microsoft.com/en-us/overview/what-is-the-cloud/

Intro to Cloud Security (contd.)
Cloud service models:
◦ SaaS
  ◦ Examples: Amazon SaaS Factory, Office 365, Google Kubernetes Engine
◦ PaaS
  ◦ Examples: Elastic Beanstalk, Azure App Service, Google Cloud Run
◦ IaaS
  ◦ Examples: Amazon EC2, Azure IaaS, Google Compute Engine

[Figure: Cloud Service Model – for each of SaaS, PaaS and IaaS, which layers (Hardware, Operating System, Applications, Data) are managed by the Service Provider (SP) and which by the Customer (C)]

Intro to Cloud Security (contd.)
Cloud market share:

Source: 64 Significant Cloud Computing Statistics for 2022 – FinancesOnline – https://financesonline.com/cloud-computing-statistics/

Intro to Cloud Security (contd.)
The big 3 cloud service providers:

Source: AWS vs Azure vs GCP – bmc – https://www.bmc.com/blogs/aws-vs-azure-vs-google-cloud-platforms/

[Figure: the big 3 cloud service providers, each with example customers – Netflix, Airbnb, Lyft, FDA, Coinbase; Starbucks, Walgreens, 3M, HP, CDC; Toyota, Spotify, Target, Twitter, UPS]

Intro to Cloud Security (contd.)
Cloud security refers to “a broad set of technologies, policies, and applications that are applied to defend online IP, services, applications, and other imperative data against cyber threats and malicious activity” (Cisco, 2022)

As per Cisco (2022), cloud security involves securing data and applications in the cloud by:
◦ Protecting apps, data, and users in the cloud against compromised accounts, malware, and data breaches
◦ Stopping malware before it spreads across the network
◦ Decreasing the time spent remediating data breaches
◦ Improving security without impacting end-user productivity
◦ Extending protection by securing users anywhere and anytime

Intro to Cloud Security (contd.) Cloud security can enable better business outcomes by being:


Source: Secure Cloud – Accenture – https://www.accenture.com/_acnmedia/PDF-143/Accenture-Secure-Cloud.pdf

Need for Cloud Security


Need for Cloud Security
As per IBM (2022):
◦ Organizations need cloud security as they incorporate cloud-based tools and services as a part of their digital strategy
◦ Organizations must make their own considerations when protecting data and applications on the cloud, since the responsibility for data asset security and accountability does not necessarily shift to the cloud service provider
◦ Threats targeting cloud providers continue to evolve
◦ Lack of cloud security can expose organizations to significant governance and compliance risks
◦ Cloud security is a necessity to ensure continuity of business operations

Need for Cloud Security (contd.)
As per the Accenture (2021) Cyber Threat Intelligence Report:
◦ Spending on public cloud services is expected to rise 21.7%, from $396B in 2021 to $482B in 2022
◦ Cloud centricity prompts new attack vectors
◦ Public-facing cloud environments serve as initial entry vectors through which threat actors can gain access to individual endpoint devices
◦ Some organizations do not monitor cloud platforms as closely as they do their own on-premise servers

Need for Cloud Security (contd.)
As per the Accenture (2021) Cyber Threat Intelligence Report (contd.):
◦ Ransomware attacks on cloud infrastructure are on the rise
◦ Cloud malware has evolved faster than traditional malware
◦ Cloud-centric toolset threats are escalating
◦ Expanding cloud infrastructure also creates highly scalable and reliable command-and-control infrastructure and botnets
◦ Moving to the cloud has increased both the risk and the consequences of supply chain attacks

Need for Cloud Security (contd.)
According to the McAfee (2019) Cloud Adoption and Risk Report:
• Sharing of sensitive data in the cloud has increased 53%
• An average organization has 2,269 IaaS misconfiguration incidents per month
• 80% of organizations will experience at least 1 compromised account threat in the cloud each month
• 92% of organizations currently have stolen cloud credentials for sale on the Dark Web

Need for Cloud Security (contd.)
Poor cloud security continues to be a major cause of data breaches (Privacy Rights Clearinghouse, 2020)

Cloud Security Fundamentals


Cloud Security Fundamentals What is AWS Security? – Amazon Web Services


Source: Amazon Web Services – What is AWS Security? – https://www.youtube.com/watch?v=_2HFqANE4gw

Cloud Security Fundamentals (contd.)
AWS cloud architecture for web application hosting:

Source: AWS – Web Application Hosting in the AWS Cloud – https://docs.aws.amazon.com/whitepapers/latest/web-application-hosting-best-practices/web-application-hosting-best-practices.pdf

Cloud Security Fundamentals (contd.)
AWS cloud security includes:
◦ Infrastructure security
  ◦ AWS WAF defends against XSS, SQL injection, & DDoS
  ◦ AWS Shield provides DDoS mitigation technologies for layer 3, 4, and 7 protection
  ◦ Amazon VPC offers built-in network firewalls
◦ Inventory and configuration management
  ◦ Deployment tools offered
  ◦ Inventory and configuration management tools available
  ◦ Template tools exist to create standard, preconfigured, hardened VMs for EC2 instances

Cloud Security Fundamentals (contd.)
AWS cloud security includes:
◦ Data encryption
  ◦ At rest, built into EBS, S3, RDS, and most other services
  ◦ AWS Key Management Service available
  ◦ AWS CloudHSM for secure key storage
◦ Identity and access control
  ◦ AWS IAM allows account and permission management
  ◦ AWS MFA available for privileged accounts
  ◦ AWS SSO allows central management of SSO access

Cloud Security Fundamentals (contd.)
AWS cloud security includes:
◦ Monitoring and logging
  ◦ AWS CloudTrail can monitor AWS deployments, including API call history
  ◦ Amazon CloudWatch provides a reliable, scalable, and flexible monitoring solution
  ◦ Amazon GuardDuty available for intelligent threat detection and notification
◦ AWS Nitro System

Cloud Security Issues


Cloud Security Issues
Specific cloud security issues include the following:
◦ Lack of visibility
◦ Multitenancy
◦ Access management and shadow IT
  ◦ Access control may be more challenging in cloud environments
◦ Compliance
  ◦ Accountability for data privacy and security still rests with the enterprise
◦ Misconfigurations
  ◦ Accounted for 86% of breached records in 2019

Source: IBM – What is Cloud Security? – https://www.ibm.com/topics/cloud-security

Cloud Security Issues (contd.)
Specific cloud security issues include the following:

Source: Accenture – State of Cybersecurity Resilience 2021 – https://www.accenture.com/_acnmedia/PDF-165/Accenture-State-Of-Cybersecurity-2021.pdf

• More than 66% of workloads will shift to the cloud
• 32% of organizations
  • will move more than 75% into the cloud
  • say security is not part of the cloud discussion to begin with
  • say poor governance and compliance practices are an issue
  • say cloud security is too complex
  • do not have the skills needed

Cloud Security Issues (contd.)
OWASP Top 10 – A6:2017 – Security Misconfiguration

Source: OWASP Top 10 2017 A6 – Security Misconfiguration – https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html

Cloud Security Issues (contd.)
Common cloud security vulnerabilities:

Source: OWASP Top 10 2017 A6 – Security Misconfiguration – https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html

Cloud Security Issues (contd.)
OWASP Cloud-Native Application Security Top 10:

Source: OWASP Foundation – OWASP CNAS Top 10 – https://www.youtube.com/watch?v=BG4Kn6dcGtI

Cloud Security Issues (contd.)
OWASP Cloud-Native Application Security Top 10:
1. Insecure cloud, container or orchestration configuration
2. Injection flaws
3. Improper authentication & authorization
4. CI/CD pipeline & software supply chain flaws
5. Insecure secrets storage
6. Over-permissive or insecure network policies
7. Using components with known vulnerabilities
8. Improper assets management
9. Inadequate compute resource quota limits
10. Ineffective logging & monitoring
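As an added illustration of the security misconfiguration slides and of CNAS items 1 and 3 above (this code is not from the slides or from any cited source), the following Python checker flags the over-permissive patterns a cloud policy review looks for: wildcard actions, wildcard resources and anonymous principals. The sample IAM policy documents, the bucket name and the function names are constructed assumptions.

```python
import json

# Constructed sample policies (assumptions, not real account data): an
# over-permissive identity policy, a least-privilege rewrite of it, and a
# bucket policy that opens the bucket to anyone on the Internet.
OVERLY_PERMISSIVE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})

LEAST_PRIVILEGE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket",
                  "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]})

PUBLIC_BUCKET = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the Internet."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def find_policy_findings(policy_json):
    """Return (statement index, message) pairs for risky Allow statements."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement"))
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        if "*" in actions:
            findings.append((idx, "Action '*' allows every API call"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((idx, "service-wide wildcard Action"))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((idx, "Resource '*' applies to every resource"))
        if _principal_is_anonymous(stmt.get("Principal")):
            findings.append((idx, "anonymous Principal makes the policy public"))
    return findings
```

The least-privilege rewrite produces no findings because it names the exact actions and resources and additionally requires MFA through a Condition.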

Cloud Security Attacks

Cloud Security Attacks
Most common cloud security attacks:

Attack Type – Description
◦ Cross-Site Scripting (XSS) – A type of injection in which malicious scripts are injected into otherwise benign and trusted websites
◦ SQL Injection – An untrusted source uses an application’s user input features to enter data that is used to dynamically construct a SQL query to read sensitive database data
◦ DDoS – The attacker floods the server with so many requests from compromised computers, acting as part of a larger botnet, that the server can no longer fulfill requests from legitimate users
◦ Human Error – Accidents, weak passwords, password sharing, and other unwise or uninformed user behaviors

Cloud Security Attacks (contd.)
Most common cloud security attacks (continued):

Attack Type – Description
◦ Ransomware – The attacker encrypts and locks the victim’s data and then demands a ransom to unlock and decrypt the data. Ransomware operators abused cloud infrastructure and introduced new encryption techniques to better evade detection (Accenture, 2021).
◦ Malware – Software written specifically to exploit vulnerabilities. Cloud-related malware has evolved faster than more traditional malware (Accenture, 2021).
◦ Server-Side Request Forgery (SSRF) – The attacker can abuse functionality on the server to read or update internal resources
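Added defender-side example for the SSRF row above (not code from the slides or from any cited source): a check that a server applies before fetching a user-supplied URL, refusing any destination that resolves to loopback, private, link-local (where cloud instance metadata endpoints sit) or otherwise non-routable addresses. The FAKE_DNS table and the helper names are constructed assumptions standing in for a real resolver.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS table (assumption) so the check runs offline; in real code
# pass a resolver built on socket.getaddrinfo instead of fake_resolve.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "intranet.example.com": ["10.0.0.5"],
    # A name answering with one public and one loopback address: the check
    # must require *every* address to be acceptable, not just the first.
    "dual.example.com": ["93.184.216.34", "127.0.0.1"],
}

ALLOWED_SCHEMES = {"http", "https"}


def fake_resolve(host):
    """Hypothetical resolver returning every address for a host name."""
    return FAKE_DNS.get(host, [])


def is_internal(addr):
    """True for addresses a server-side fetch should never reach on a
    user's behalf: loopback, RFC 1918/ULA, link-local, multicast, reserved,
    unspecified, or anything else not globally routable."""
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified
            or not addr.is_global)


def is_safe_outbound_url(url, resolver=fake_resolve):
    """Allow only http(s) URLs whose host resolves solely to public
    addresses. Unknown or unparsable hosts fail closed."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]  # literal IP in URL
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
    return bool(addrs) and not any(is_internal(a) for a in addrs)
```

In production the connection should also be made to the address that was checked, not re-resolved, so a changing DNS answer cannot undo the check.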

Cloud Security Attacks (contd.) What is an SSRF Attack? – Professor Messer


Source: Professor Messer – Request Forgeries – SY0-601 CompTIA Security+: 1.3 – https://www.youtube.com/watch?v=fmtqMzP7aXI

Cloud Security Best Practices


Cloud Security Best Practices
Best practices for cloud security include:
◦ Implementing a strong identity foundation
◦ Enabling traceability
◦ Applying security at all layers
◦ Automating security best practices
◦ Protecting data in transit and at rest
◦ Keeping people away from data
◦ Preparing for security events

Source: AWS – Well-Architected Framework – https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/wellarchitected-security-pillar.pdf

Cloud Security Best Practices (contd.)
Best practices for cloud security include:
◦ Implementing a cloud-based secure web gateway (SWG) so corporate devices are protected against web-based threats without routing through a VPN
◦ Protecting data with a cloud access security broker (CASB)
◦ Setting CASB policy to include device checks, data controls, and protection for SaaS accounts
◦ Implementing MFA to reduce the risk of stolen credentials being used to access accounts
◦ Letting employees use their personal devices to access SaaS applications for productivity, with conditional access to sensitive data

Source: McAfee – Cloud Adoption and Risk Report – https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cloud-adoption-and-risk-report-work-from-home-edition.pdf

Cloud Security Best Practices (contd.)
Best practices for cloud security include (continued):
◦ Taking a risk-based view
◦ Understanding the shared responsibility model
◦ Driving a collaborative culture between application, IT/ops, and security teams
◦ Considering security as a forethought and not an afterthought
◦ Monitoring continuously for security and compliance
◦ Planning proactively for cybersecurity events

Source: IBM – Cloud Security White Paper – https://www.ibm.com/cloud/architecture/files/ibm-cloud-security-white-paper.pdf

Cloud Security Best Practices (contd.)
Use the following cloud security best practices to protect against security misconfiguration:

Source: OWASP Top 10 2017 A6 – Security Misconfiguration – https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration

Recap
Cloud security issues are among the OWASP Top 10 list of web application security risks

This is due to issues in cloud security such as misconfiguration, lack of visibility, multitenancy, identity and access management, compliance, monitoring and logging, etc.

Hackers are able to exploit the weaknesses using attacks such as XSS, SQL injection, DDoS, human error, ransomware, malware, SSRF, etc.

Cloud security best practices include understanding the shared responsibility model, using strong IAM policies, implementing MFA, using CASBs, using SWGs, encrypting data in transit and at rest, enabling traceability, preparing proactively for security events, etc.

Thank you!!!
