Slides - owasp


Protecting Federal Government from Web 2.0 Application Security Risks
Dr. Sarbari Gupta, CISSP, CISA
[email protected]
Electrosoft
11417 Sunset Hills Road, #228
Reston, VA 20190
www.electrosoft-inc.com
Agenda
• Web 2.0 Fundamentals
• Web 2.0 and the US Feds
• Web 2.0 Risks
• FISMA and Web 2.0
Web 2.0 Fundamentals
Created by Rob Cottingham at http://mashable.com/2010/08/10/social-media-web-comics/#24865-Noise-to-Signal
What is Web 2.0?
• Social Media/Web Applications such as:
– Facebook/LinkedIn
– Twitter
– RSS Feeds
– Blogs
– Wikis
– Web Chat
– Podcasts
– Mashups
– Photo/Video-sharing
– Virtual Worlds
– …
Characteristics of Web 2.0 Tools
• Applications hosted on Web platform
• Users are Content Creators/Editors
• Highly Interactive
• Supports Rich Content / Media Types
• Easy to Use
Web 1.0 Content Model
[Diagram – elements: Webmaster, Site Content, Web Platform, Browser Users, Sys Admin, Hackers, Security Controls]
Web 2.0 Content Model (I)
[Diagram – elements: Outside Content Providers, Evil Users, Benign Users, Content, Web 2.0 Tool, Web Platform, Tool Programmer, Sys Admin, Security Controls]
Web 2.0 Content Model (II)
• Web 2.0 Clients are Content Creators
• Web 2.0 Server provides
– Data Aggregation from Varied Sources
– Platform for Information Exchange
– Storage for User/Client-created Content
– Segregation between Users (if needed)
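The "segregation between Users" point above, as an added example that is not part of the original slides: a minimal content store in JavaScript in which every read and write is authorized against the record's owner, so one user cannot reach another user's content by guessing its id. The class, method and user names are constructed for illustration.

```javascript
'use strict';
// Added example (not from the slides): a minimal content store that implements
// the "segregation between users" a Web 2.0 server must provide. Every read and
// write is authorized against the record's owner, so a user cannot reach
// another user's content by guessing its id. Class and user names are
// constructed for illustration.

class ContentStore {
  constructor() {
    this.items = new Map(); // id -> { owner, body, sharedWith }
    this.nextId = 1;
  }

  // Create an item owned by `user` and return its id.
  create(user, body) {
    const id = this.nextId++;
    this.items.set(id, { owner: user, body, sharedWith: new Set() });
    return id;
  }

  // Owners and users the owner explicitly shared with may read.
  static canRead(user, item) {
    return item.owner === user || item.sharedWith.has(user);
  }

  // Only the owner may modify or share.
  static canWrite(user, item) {
    return item.owner === user;
  }

  // A missing id and a forbidden id both return null, so the response does
  // not reveal which ids exist.
  read(user, id) {
    const item = this.items.get(id);
    if (!item || !ContentStore.canRead(user, item)) return null;
    return item.body;
  }

  update(user, id, body) {
    const item = this.items.get(id);
    if (!item || !ContentStore.canWrite(user, item)) return false;
    item.body = body;
    return true;
  }

  share(user, id, otherUser) {
    const item = this.items.get(id);
    if (!item || !ContentStore.canWrite(user, item)) return false;
    item.sharedWith.add(otherUser);
    return true;
  }
}

// Constructed scenario: three users of an internal wiki.
function demo() {
  const store = new ContentStore();
  const draft = store.create('alice', 'Draft policy text');
  const ownerReads = store.read('alice', draft);
  const strangerReads = store.read('mallory', draft);         // null: segregated
  const strangerWrites = store.update('mallory', draft, 'x'); // false
  store.share('alice', draft, 'bob');
  const sharedRead = store.read('bob', draft);                // visible to bob
  const sharedReshare = store.share('bob', draft, 'mallory'); // false: not owner
  const unknownId = store.read('alice', 999);                 // null: no such id
  return { ownerReads, strangerReads, strangerWrites, sharedRead, sharedReshare, unknownId };
}

console.log(demo());
```

The check lives in the store rather than in each caller, which is what keeps an "insecure direct object reference" (A4 in the OWASP list later in the deck) from appearing in one forgotten code path.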
Technologies enabling Web 2.0
• AJAX (Asynchronous JavaScript and XML)
• JSON (JavaScript Object Notation)
• REST (Representational State Transfer)
• SOAP (Simple Object Access Protocol)
• and others …
Web 2.0 and the US Federal Government
Drivers for Fed Adoption of Web 2.0
• Jan 21, 2009 – Memorandum on Transparency and Open Government
– Promotes Transparency, Participation and Collaboration
• Feb 24, 2000 - M-09-12, President's Memorandum on Transparency and Open Government - Interagency Collaboration
– Establishes mechanisms to seek participation/collaboration
• Dec 8, 2009 - M-10-06 Open Government Initiative
– Describes 4 Specific Steps for Agencies to implement Open Government
Benefits for Fed Adoption of Web 2.0 Tools
• Increase education/outreach/training
• Allow Rapid dissemination of information
• Support Recruitment
• Promote citizen participation in Government
• Facilitate interactive communication
Fed Policy for Web 2.0
• Apr 7, 2010 – Memo on Social Media, Web-based Interactive Technologies and the Paperwork Reduction Act
– Describes activities that are not subject to the Paperwork Reduction Act (PRA)
• Jun 25, 2010 – M-10-23 - Guidance for the Use of Third-Party Websites and Applications
– Protecting Individual Privacy while using 3rd party websites/tools to engage with public
• Nov 3, 2010 – M-11-02 – Sharing Data While Protecting Personal Privacy
– Promotes data sharing while embracing responsible stewardship
Fed Initiatives for Web 2.0
• GSA/ Office of Citizen Services
– www.usa.gov; answers.usa.gov; webcontent.gov; http://search.usa.gov; Apps.gov
• CIA – Facebook for recruiting
• HHS – Pandemic Flu Leadership Blog
• USPTO – Collect input towards pending patents
• DoD – Virtual Worlds to simulate terrorism
• Library of Congress – Flickr to make public aware of holdings
Web 2.0 Risks
Web 2.0 Use Cases* for Government
[Matrix: Sharing Direction (Internal / External) against Interaction Level (Group / Individual)]
• Group, Internal: Inward – Intra-organizational (internal Wikis, SharePoint)
• Group, External: Outward – Inter-Institutional (GovLoop, STAR-TIDES)
• Individual, Internal: Inbound – “Crowd-sourcing” (public polls, change.gov)
• Individual, External: Outbound – Govt engagement on commercial Social Media (Twitter)
* “Guidelines for Secure Use of Social Media by Federal Departments and Agencies”, ISIMC, V1.0, Sept 2009
Top Web 2.0 Security Risks
• Spear Phishing*
• Social Engineering*
• Web Application Attacks*
– Cross Site Scripting (XSS)
– Cross Site Request Forgery (XSRF)
– Security Flaws in (Aggregation) Partner Sites
– Weak Authentication Controls
– Information Leakage
– Injection Flaws
* “Guidelines for Secure Use of Social Media by Federal Departments and Agencies”, ISIMC, V1.0, Sept 2009
OWASP Top 10 (2010)
• A1: Injection
• A2: Cross-Site Scripting (XSS)
• A3: Broken Authentication and Session Management
• A4: Insecure Direct Object References
• A5: Cross-Site Request Forgery (CSRF)
• A6: Security Misconfiguration
• A7: Insecure Cryptographic Storage
• A8: Failure to Restrict URL Access
• A9: Insufficient Transport Layer Protection
• A10: Unvalidated Redirects and Forwards
Implications …
• Application Security Vulnerabilities are at the core of Web 2.0 risks
• Web 2.0 Applications provide new avenues for old threats due to their:
– Complexity
– Popularity
– Ubiquity
FISMA and Web 2.0
Federal Information Security Landscape
• Federal Practices in Information Security are driven by REGULATORY COMPLIANCE
– Title III of E-Government Act of 2002 - Federal Information Security Management Act (FISMA)
– Privacy Act of 1974
– OMB Circular A-130, Appendix III
– OMB Memos, …
• FISMA is implemented through NIST guidelines
– Special Pubs 800-37, 800-53, …
NIST SP 800-53 Rev 3
• Title: Recommended Security Controls for Federal Information Systems and Organizations
• Published: August 2009
• Approach: Risk Management Framework
– Categorize Information System
– Select Security Controls
– Implement Security Controls
– Assess Security Controls
– Authorize Information System
– Monitor Security Controls
• 18 families of Security Controls

ID  FAMILY                                  CLASS
AC  Access Control                          Technical
AT  Awareness and Training                  Operational
AU  Audit and Accountability                Technical
CA  Security Assessment and Authorization   Management
CM  Configuration Management                Operational
CP  Contingency Planning                    Operational
IA  Identification and Authentication       Technical
IR  Incident Response                       Operational
MA  Maintenance                             Operational
MP  Media Protection                        Operational
PE  Physical and Environmental Protection   Operational
PL  Planning                                Management
PS  Personnel Security                      Operational
RA  Risk Assessment                         Management
SA  System and Services Acquisition         Management
SC  System and Communications Protection    Technical
SI  System and Information Integrity        Operational
PM  Program Management                      Management
FISMA Definition of “Information Security”
• Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide—
• (A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity;
• (B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
• (C) availability, which means ensuring timely and reliable access to and use of information.
Parsing the FISMA Definition …
• Assets to be protected
– Information
– Information Systems
• Information needs to be protected for C-I-A
– Confidentiality (C)
– Integrity (I)
– Availability (A)
Web 2.0 Content Model
[Diagram, repeated from earlier – elements: Outside Content Providers, Evil Users, Benign Users, Content, Web 2.0 Tool, Web Platform, Tool Programmer, Sys Admin, Security Controls]
Web 2.0 Usage Models for Feds
• Fed Users are Web 2.0 Clients – Web 2.0 Server is in the Cloud
– FISMA Controls may suffice to protect the IT resources used by the Fed Users
• Feds Host Web 2.0 Applications/Servers
– FISMA controls provide little or no protection for (citizen) Users
FISMA and Web 2.0 Content
• User supplied Web 2.0 content can be protected for C-I-A per FISMA …
– and yet be dangerous to other Users
• Protecting Users of Government Web 2.0 Apps is …
– not within the scope of FISMA
Introducing Safety & Reliability (I)
• When Government builds a bridge over a river
– Concern #1: Is the bridge reliable?
– Concern #2: Is the bridge safe?
– …
– Concern #n: Is the bridge protected from harm (by Users)?
Introducing Safety & Reliability (II)
• When Government builds a Web 2.0 Application
– Concern #1: Is the underlying Information System protected from harm (by Users)?
– Concern #2: Is the Web 2.0 content protected for C-I-A?
• The concerns that do not currently surface
– Is the Application reliable?
– Is the Application safe?
Final Thoughts
• How do we protect US Federal Government and Citizens from Web 2.0 Risks?
– Promulgate policy to ensure the safety and reliability of Government information systems from the Users’ perspective
– Add security controls to explicitly require safety and reliability checks