Web Application Security - IBM

IBM Global Services

IBM X-Force:

Web Application Security Dan Holden X-Force Product Manager IBM Internet Security Systems™ Ahead of the threat®

© Copyright IBM Corporation 2009

IBM Internet Security Systems

Agenda  The Changing World of Security – How technology and business landscapes are changing how we think

and talk about security

 Security Trends in a Changing World – New technology innovation and adoption are allowing attackers to push

the envelope

 Real Deep Packet Inspection With PAM (Protocol

Analysis Module) – How security R&D drives better technology and adds value to our

customers security investment

 Wrap Up – Conclusions and X-Force resources IBM Internet Security Systems X-Force Preemptive Protection


IBM Global Services

The X-Force Advantage:

Web Application Protection

IBM Internet Security Systems™ Ahead of the threat®



“Amateurs Study Cryptography; Professionals Study Economics”  Threat Evolution: –

A flat world has brought about an unprecedented amount of criminals and cons

–

Attackers keep ROI in mind as well, and constantly evolve their wares in order to re-purpose it for the next flood of attacks

–

High profile vulnerabilities will still be the vehicles for new attacks, however, the low and slow attack vectors cannot be ignored

–

The economics of exploitation must be taken into consideration to better prioritize risk IBM Internet Security Systems X-Force Preemptive Protection



The Security Landscape of Old Traditional Infrastructure was easier to protect . . .  Concrete entities that were

easy to understand  Attack surface and vectors

were very well-defined  Application footprint very

static  Perimeter defense was king

IBM Internet Security Systems X-Force Preemptive Protection



The Changing Security Landscape of Today “Webification” has changed everything . . .  Infrastructure is more

abstract and less defined  Everything needs a web

interface  Agents and heavy clients are

no longer acceptable  Traditional defenses no

longer apply IBM Internet Security Systems X-Force Preemptive Protection



The Web Ecosystem (simple view)    

Client with a Web browser renders the content for a user Network transports content between the server and the client Server with the Web application performs the required action Database stores information




The Web Ecosystem (complex view)




Attack Vectors




Growth of Web Application Vulnerabilities

SQL injection vulnerability

disclosures more than doubled in comparison to 2007 The number of active,

automated attacks on web servers was unprecedented




2008 Web Threats Take Center Stage  Web application vulnerabilities – Represent largest category in vulnerability disclosures (55% in 2008)

– 74% of Web application vulnerabilities disclosed in 2008 have no patch to fix them

11




Attack Techniques Are Plentiful And Trivial  SQL injection and cross-site scripting are the two largest categories of Web application vulnerabilities  SQL injection is fastest growing category (up 134% in 2008)




Exploitation is Rampant  Exploitation of SQL injection skyrocketed in 2008 – Increased by 30x from the midyear to the end of 2008




The Web Has Become Increasingly Vulnerable, But Security Priorities Haven’t Followed Suit  Risk prioritization hasn’t

Security and Spending are Unbalanced changed with the overall landscape  Businesses and professionals still tend to prioritize risk against an outdated traditional infrastructure viewpoint  Security solutions that focus on traditional threats and vectors are still implemented  Big blind spots –

Browsers and web applications are still largely ignored or prioritized below other infrastructure from a security perspective IBM Internet Security Systems X-Force Preemptive Protection


IBM Global Services

The X-Force Advantage:

How Do These Threats Present Themselves




1. Cross-Site Scripting (XSS)  What is it?

– Malicious script echoed back into HTML returned

from a trusted site, and runs under trusted context  What are the implications?

– Steal your cookies for the domain you’re browsing – Completely modify the content of any page you

see on this domain – Track every action you do in that browser from now on – Redirect you to a Phishing site – Exploit browser vulnerabilities to take over machine IBM Internet Security Systems X-Force Preemptive Protection



2. Injection Flaws  What is it?

– User-supplied data is sent to an interpreter as part

of a command, query or data.  Many kinds of injection flaws

– LDAP, XPath, SSI, MX (Mail)… – HTML Injection (Cross Site Scripting) – HTTP Injection (HTTP Response Splitting)  What are the implications?

– SQL Injection – Access/modify data in DB – SSI Injection – Execute commands / access

sensitive data – LDAP Injection – Bypass authentication IBM Internet Security Systems X-Force Preemptive Protection



The Realities Of SQL Injection  SQL Injection has become increasingly popular

 Automated tools have improved  Web applications more sophisticated and reliant on back-end DB’s  Average of 100k

“defacements” per week  High percentage due

to SQL Injection

 Up to 500k sites targeted each day IBM Internet Security Systems X-Force Preemptive Protection



Automated SQL Injection With Search Engines  Several commercial SQL Injection tools make use of backend services/C&C to receive latest exploits

 Many rely upon search engine queries to identify likely vulnerable Web servers before commencing their automated attack IBM Internet Security Systems X-Force Preemptive Protection



Subscription Based SQL Injection Tools  Automating the SQL Injection attacks

 Specify the injection payload (default http://www.2117966 [dot] net/fuckjp.js )  Tool checks a site in China to verify subscription fees  Connects to Google to search for vulnerable sites inurl:".asp" inurl:"a="  Starts SQL injection  Uses table cursors to enumerate tables on

Microsoft SQL  Seeks columns columns that are of type ntext, text, nvarchar, or varchar AND the table type is a user table and not a system table.  Then uses a cursor WHILE loop to iterate the results updating each Courtesy: http://isc.sans.org/diary.html?storyid=4294 table.columname and injecting the chosen attack string (converts the current data to varchar too)




SQL Injection Attack Tools

* Automatic page-rank verification * Search engine integration for finding “vulnerable” sites * Prioritization of results based on probability for successful injection * Reverse domain name resolution * etc.




3. Malicious File Execution  What is it?

– Application tricked into executing

commands or creating files on server  What are the implications?

– Command execution on server – complete

takeover – Site Defacement, including XSS option




Commercial Web defacement tools  Tools that speed up the

defacement process

 Not necessarily targeted  Defacement submissions




Web Threats Will Become Increasingly Complex  Web becoming main

application delivery interface and ecosystem  Popularization of new web

technologies (Web 2.0) growing attack surface  New techniques and

scenarios for targeting web infrastructure

Web Protection Doesn’t Have To … IBM Internet Security Systems X-Force Preemptive Protection


IBM Global Services

The IBM Advantage:

Web Application Security




IBM X-Force Extensible Protection Platform PAM is the engine behind the preemptive protection afforded by many of the solutions of the IBM Proventia product family. PAM is comprised of 5 key technologies.

Virtual Patch What It Does: Shields vulnerabilities from exploitation independent of a software patch, and enables a responsible patch management process that can be adhered to without fear of a breach Why Important: At the end of 2008, 53% of all vulnerabilities disclosed during the year had no vendor-supplied patches available to remedy the vulnerability

Threat Detection & Prevention What It Does: Detects and prevents entire classes of threats as opposed to a specific exploit or vulnerability. Why Important: Eliminates need of constant signature updates. Protection includes the proprietary Shellcode Heuristics (SCH) technology, which has an unbeatable track record of protecting against zero day vulnerabilities.

Content Analysis

Web Protection

What It Does: Monitors and identifies unencrypted personally identifiable information (PII) and other confidential information for data awareness. Also provides capability to explore data flow through the network to help determine if any potential risks exist.

What It Does: Protects web applications against sophisticated application-level attacks such as SQL Injection, XSS (Cross-site scripting), PHP file-includes, CSRF (Cross-site request forgery).

Why Important: Flexible and scalable customized data search criteria; serves as a complement to data security strategy


Why Important: Expands security capabilities to meet both compliance requirements and threat evolution.

Network Policy Enforcement What It Does: Manages security policy and risks within defined segments of the network, such as ActiveX fingerprinting, Peer To Peer, Instant Messaging, and tunneling. Why Important: Enforces network application and service access based on corporate policy and governance.



Proventia Web Application Security Protects Web Applications Against Sophisticated Application-Level Attacks  SQL (Structured Query Language) Injection  XSS (Cross-site scripting)  PHP (Hypertext Preprocessor) fileincludes  CSRF (Cross-site request forgery)  Path Traversal  HTTP Response Splitting  Forceful Browsing  Expands security capabilities to meet both compliance requirements and threat evolution IBM Internet Security Systems X-Force Preemptive Protection



The ILE (Injection Logic Engine) Advantage  Injection attacks are typically made up of unique patterns that are not

commonly seen in valid web application requests – By totaling and scoring these specific keywords and symbols, we

can accurately detect and block SQL injection attacks  Tracks an extremely comprehensive list of SQL keywords, operators, and

symbols and correlates them based on valid SQL syntax – Parameter values will be evaluated and scored based on particular

keywords and symbols that it may contain – Parameter values that exceed the configurable scoring threshold

should be considered SQL injection and the request blocked – Flagging of particular combinations of classes of keywords can

determine what type of SQL injection is occurring    

query injection store procedure execution login bypass blind SQL injection




Secure Web Applications: Who is responsible? Organization Application Development

Secure Hosting Environment

Backend Server

Client Defend Network

Protect Data across Internet

Desktop

Application Server

Database Web Server

Requirements

Vulnerability management

Firewall

SSL Encryption

Anti-virus

Secure Design

Network

IDS / IPS

Anti-malware

Dynamic Analysis

Host

Web App Firewall

Personal firewall

Static Analysis

Application

Anti-virus

Incident & event management Identity & access management Malware detection




Secure Application Development  Challenge – Ensure the creation of high quality, secure and

compliant software – Ensure effective management of secure requirements, design and testing – Lifecycle management of vulnerabilities – Application Lifecycle Management (ALM)  IBM Solutions

– IBM Rational AppScan  Standard Edition  Developer Edition

Application Development

Requirements Secure Design

Dynamic Analysis Static Analysis

 Build Edition  Test Edition  Enterprise Edition IBM Internet Security Systems X-Force Preemptive Protection



Secure Hosting Environment  Challenges – Maintain a secure environment – Ensure security policies are


implemented and enforced – Lifecycle management of vulnerabilities and incidents – Assess production systems for malware  IBM Solutions Vulnerability management Network Host Application Incident & event management Identity & access management Malware detection




Required Technologies for Secure Operations 

Assess – Host Configuration  Tivoli Security Compliance Manager – Network*  ISS Proventia Network Enterprise Scanner – Application  Rational AppScan Enterprise



Manage – Vulnerabilities*  ISS Proventia Site Protector – Incidents*  Tivoli Security Operations Manager



Protect – Block and Enforce*  ISS Proventia G IPS  ISS Proventia M UTM  ISS Proventia Serve


* Can be managed through IBM ISS Managed Security Services!



Defending the Network  Challenge – – –

Protect your business from Internet threats without jeopardizing bandwidth or availability Protect your end users from spam and other productivity drainers Conserve resources by eliminating the need for specialized security expertise

 IBM Solutions – IBM Proventia® Network Multi-Function Security

(MFS)  Complete protection from Internet threats including firewall,

intrusion prevention and anti-virus  Define Web access policies

– IBM Proventia® Network Intrusion Prevention

System (IPS)  Provides Web Application Firewalling functionality without the

additional point product investment of a WAF  Provides inline network protection against all major categories of Web application vulnerabilities and attacks IBM Internet Security Systems X-Force Preemptive Protection



Encrypting transmission across the Internet  Challenge – Ensuring data and intellectual property is not stolen while


crossing the Internet – Ensuring that data is not tampered with or altered between the server and client – Ensure that a malicious site does not impersonate the legitimate server and establish communication with the client SSL Encryption

 IBM Solutions – IBM Websphere Application Server – IBM Websphere DataPower XML Security Gateway




Client-side Security  Organization can not control their external clients  Internal client challenges Desktop

– Mitigating risks posed by zero-day, targeted attacks – Protecting critical data and intellectual property – Minimizing costs and lost productivity associated with

remediating infected endpoints – Reducing help desk calls  IBM Solution

– IBM ISS Proventia Server and ESC  Mitigates against application and network vector attacks

Anti-virus

 Patented Virus Prevention System blocks malware based


Anti-malware

on behavior  Includes signature anti-virus/anti-malware signatures  Provides protection against all major categories of web application vulnerabilities and attacks  Includes data security and IT operations features IBM Internet Security Systems X-Force Preemptive Protection



Secure Web Applications: A complete approach Organization Application Development


Backend Server

Client Defend Network


Desktop

Application Server

Database Web Server

Requirements

Vulnerability management

Firewall

SSL Encryption

Anti-virus

Secure Design

Network

IDS / IPS

Anti-malware

Dynamic Analysis

Host

Web App Firewall


Static Analysis

Application

Anti-virus

Incident & event management Identity & access management Malware detection



IBM Global Services

Thank you!

The X-Force Advantage IBM Internet Security Systems™ Ahead of the threat®
