SQL injection


Are Security and Quality Assurance Part of Your Software Development Life Cycle?
Joshua Drummond, Security Architect
Carmen Roode, Associate Director of Systems Development
Marina Arseniev, Associate Director of Enterprise Architecture
University of California, Irvine
Statistics you need to know!
• 3 out of 4 vendor apps we tested had serious SQL Injection bugs!
• 75% of attacks today happen at the Application (Gartner)
• “The cost of correcting code in production increases up to 100 times as compared to in development...” (1)
(1) MSDN (November, 2005) “Leveraging the Role of Testing and Quality Across the Lifecycle to Cut Costs and Drive IT/Business Responsiveness” http://msdn.microsoft.com/vstudio/why/testingquality/default.aspx
The cost and reputation savings of avoiding a security breach are “priceless”
Higher-Ed Security Incidents
http://www.privacyrights.org

People     Date          Type
178,000    April 2004    Hacking
380,000    May 2004      Hacking
207,000    May 2004      Stolen laptop/Hack
600,000    Sept 2004     Hacking
98,400     March 2005    Stolen laptop
59,000     March 2005    Hacking
120,000    March 2005    Hacking
106,000    April 2005    Hacking
40,000     April 2005    Hacking
150,000    June 2005     Dishonest Insider
72,000     June 2005     Hacking
15,000     June 2005     Stolen laptop
27,000     July 2005     Hacking
42,000     July 2005     Hacking
270,000    July 2005     Exposed online - Injection
31,077     July 2005     Hacking
36,000     August 2005   Hacking
61,709     August 2005   Hacking
100,000    August 2005   Hacking
49,000     August 2005   Hacking
100,000    Sept 2005     Stolen computer
21,762     Sept 2005     Exposed Online
2,800      October 2005  Exposed Online
9,100      October 2005  Exposed Online
93,000     March 2006    Stolen laptop
41,000     March 2006    Hacking
Agenda
• Demo of Common Application Hacks
• 7 Steps to Integrating SDLC and Security
• SDLC and Sample Checklists
• Security Architecture
• Useful URLs and Q&A
What do Hackers do?
• Application security testing is a “nascent market”. *
  – Browser caching
  – Cookie and URL hacks
  – SQL Injection
  – Cross-site Scripting
*Gartner
Browser Page Caching
• Be aware of differences between browsers!
• Pages with sensitive data should not be cached: page content is easily accessed using the browser’s history
• Use the following tags to disable page caching:
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Cache-Control" CONTENT="no-store, no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
Cookies and URLs
• Sensitive data in cookies and URLs?
  – Issues that arise are:
    • Information is stored on a local computer (as files or in the browser’s history)
    • Unencrypted data can be intercepted on the network and/or logged into unprotected web log files
  – To prevent unauthorized data access:
    • Do NOT store sensitive data of any kind in cookies or URLs
    • Use non-persistent cookies (that disappear once a browser is closed) instead of persistent ones.
    • Use HTTP POST instead of GET when submitting data
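A checker for the two slides above (page caching and cookies), added here as an example rather than taken from the presentation: it reads a response's headers and reports pages that could be cached and cookies that outlive the browser session. It inspects the real HTTP headers rather than META tags, because proxies and some browsers ignore http-equiv META, so the headers are what actually decide caching. It also flags cookies without the Secure flag (the slide's "intercepted on the network" case) and without HttpOnly (cookie theft by injected script), which goes slightly beyond the slide. The two sample responses and all function names are constructed for this demo.

```python
# Added example: audit HTTP response headers against the caching and cookie
# advice on the slides. The sample responses below are constructed, not real traffic.


def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def cookie_attributes(set_cookie):
    """Lower-cased attribute names that follow the name=value pair (path, secure, ...)."""
    return {a.strip().split("=", 1)[0].lower() for a in set_cookie.split(";")[1:] if a.strip()}


def cookie_is_persistent(set_cookie):
    """Expires or Max-Age makes the cookie survive closing the browser."""
    return bool(cookie_attributes(set_cookie) & {"expires", "max-age"})


def audit_response(headers):
    """headers: list of (name, value) pairs as sent by the server.
    Returns a list of findings; an empty list means the response is acceptable
    for a page that carries sensitive data."""
    findings = []
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    cache_control = parse_cache_control(", ".join(by_name.get("cache-control", [])))
    if "no-store" not in cache_control:
        findings.append("Cache-Control: no-store missing; page can land in the disk cache/history")
    if not any("no-cache" in v.lower() for v in by_name.get("pragma", [])):
        findings.append("Pragma: no-cache missing (HTTP/1.0 caches)")
    if "expires" not in by_name:
        findings.append("Expires missing (send a date in the past, e.g. -1)")

    for cookie in by_name.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = cookie_attributes(cookie)
        if cookie_is_persistent(cookie):
            findings.append(f"cookie {name}: persistent (Expires/Max-Age set); use a session cookie")
        if "secure" not in attrs:
            findings.append(f"cookie {name}: no Secure flag; can be sent over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: no HttpOnly flag; readable by injected script")
    return findings


# Constructed samples: a careless response and the corrected one.
CARELESS_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/"),
]
CORRECTED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Cache-Control", "no-store, no-cache, must-revalidate"),
    ("Pragma", "no-cache"),
    ("Expires", "-1"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for finding in audit_response(CARELESS_RESPONSE):
        print("careless:", finding)
    print("corrected:", audit_response(CORRECTED_RESPONSE) or "no findings")
```

Run it against the headers your application actually emits (a browser's network panel or curl -i shows them); the checklist item "Browser Compatibility Testing (ex: browser cache)" later in the deck is exactly this check repeated per browser.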
SQL Injection Attacks
“SQL injection is a security vulnerability that occurs in the database layer of an application. Its source is the incorrect escaping of dynamically-generated string literals embedded in SQL statements.” (Wikipedia)
[Diagram: Hacker → Web App, using SQL script injection to access data]
SQL Injection Attacks
• Example of attack:
  – SQL Query in Web application code:
    • "SELECT * FROM users WHERE login = '" + userName + "' and password= '" + password + "';"
  – Hacker logs in as: ' or '' = ''; --
    • SELECT * FROM users WHERE login = '' or '' = ''; --'; and password='';
  – Hacker deletes the users table with: ' or '' = ''; DROP TABLE users; --
    • SELECT * FROM users WHERE login = '' or '' = ''; DROP TABLE users; --'; and password='';
• SQL Injection examples are outlined in:
  – http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf
  – http://www.unixwiz.net/techtips/sql-injection.html
SQL Injection Attacks Demo
Cross-Site Scripting (XSS) Attacks
• Malicious code can secretly gather sensitive data from user while using authentic website (login, password, cookie)
• Modified URL
  – URL parameters are modified on the URL to contain script code
  – Input is not validated and displayed as entered on the resulting dynamic webpage
XSS: Script Injection Demo
Preventing SQL injection and XSS
• VALIDATE all user entered parameters
  – CHECK data types and lengths
  – DISALLOW unwanted data (e.g. HTML tags, JavaScript)
  – ESCAPE questionable characters (ticks, -, semi-colon, brackets, etc.)
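One way to apply the three rules above to a request parameter, as an added example (not the presentation's own code): an allow-list check on a login name covers CHECK and DISALLOW, a markup test covers DISALLOW for free-text fields, and html.escape covers ESCAPE when the value is echoed back into a page. The allow-list pattern, function names and sample inputs are assumptions for this demo. For the SQL side, the "escape ticks and semicolons" advice is better served by parameterized queries, so this block only handles the HTML output context; escaping for JavaScript or URL contexts needs different encoders.

```python
import html
import re

# Added example: VALIDATE / DISALLOW / ESCAPE for a request parameter.
# The allow-list and the sample values are constructed for the demo.

# Allow-list for a login name: no ticks, semicolons, angle brackets or dashes beyond '-'.
LOGIN_NAME = re.compile(r"[A-Za-z0-9_.-]{1,32}")
# Things a free-text field should never contain if it is later rendered as HTML.
MARKUP = re.compile(r"<[^>]*>|javascript:", re.IGNORECASE)


def validate_login_name(value):
    """CHECK data type and length, then DISALLOW anything outside the allow-list.
    Returns (ok, reason) so the caller can log why a value was refused."""
    if not isinstance(value, str):
        return False, "not a string"
    if not 1 <= len(value) <= 32:
        return False, "bad length"
    if not LOGIN_NAME.fullmatch(value):
        return False, "disallowed characters"
    return True, "ok"


def contains_markup(value):
    """DISALLOW for free text: reject the request rather than strip tags,
    so a half-stripped payload cannot slip through."""
    return MARKUP.search(value) is not None


def render_greeting(name):
    """ESCAPE on output: the reflected parameter becomes inert text in the page.
    html.escape handles <, >, & and, with quote=True, both quote characters."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    for sample in ["alice", "' or '' = '' --", "<script>alert(1)</script>"]:
        print(repr(sample), validate_login_name(sample), render_greeting(sample))
```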
Integrating SDLC and Security
Step 1: Training
• You can build the most secure system, however, if users are not educated on how to use it or on today’s security concerns, regulations, and laws, the system will fail.
  – Email can be unintentionally used to transmit regulated or confidential information – due to lack of education
  – Private data can be entered into a text field
• Training is about a specific purpose or certification
• Education is more general and conceptual
• Train Project Leaders, Developers, End users, Business units on global issues and scope of functions they want.
• Too much trust and assumptions that technical staff and vendors are aware of all the issues.
• Assign appropriately trained staff, mentors/reviewers
Integrating SDLC and Security
Step 2: Requirements
• Acquisition or development
• Identify Security requirements at requirements gathering phase
• Examples of questions to ask and put into formal template?
  – Compliance requirements – PCI, SB1386, FERPA, HIPAA
  – Risk assessment – normal or high risk application?
Requirements Template
1.1 User Classes and Characteristics
<Identify the various user classes that you anticipate will use this product (i.e. users doing updating vs. users with browse access only). User classes may be differentiated based on frequency of use, subset of product functions used, technical expertise, security or privilege levels, educational level, or experience...>
2.5 Design and Implementation Constraints
<Describe any items or issues that will limit the options available to the developers. These might include: …corporate or regulatory policies; …interfaces to other applications; specific technologies, tools, and databases to be used; …communications protocols; security considerations.>
3.4 Communications Interfaces
<Describe the requirements associated with any communications functions required by this product, including e-mail, web browser, network server communications protocols, electronic forms, and so on. Define any pertinent message formatting. Identify any communication standards that will be used, such as FTP or HTTP. Specify any communication security or encryption issues, data transfer rates, and synchronization mechanisms.>
5.3 Security Requirements
<Specify any requirements regarding security or privacy issues surrounding use of the product or protection of the data used or created by the product. Define any user identity authentication requirements. Refer to any external policies or regulations containing security issues that affect the product. Define any security or privacy certifications that must be satisfied.>
ASP Vendor Security Checklist
• What certification or audits does the University have that the system will be managed per our guidelines and contract agreement?
• How do you manage the system for detection of intrusion?
• How often is the system patched, by whom and when?
• How are we notified if system security is breached? Notification handling?
• How is data purged from the vendor's hardware?
• How are disks, tapes, or computers that might store sensitive data disposed of? Are the media erased before disposal or reuse?
• Where is the hardware location? Is it inside or outside of the United States? Is it subject to our laws?
• Are the personnel who administer and use the hardware located within the United States and subject to our laws?
• Is data encrypted?
• If private data is transmitted, either via Internet, on CD-ROM or file transfer, is it encrypted?
• Is SSL enabled to the application so that traffic over the Internet, including authentication, is secure and private?
• Data loss, data backups: what are the guarantees? Are backups stored offsite? If backups have sensitive data, are the backups encrypted? Can we store the backup at UCI? How about disaster recovery planning?
• How is the hardware or database distributed by the vendor among customers? Is one hardware used for all customers? Is a single database used for all customers or does each customer have a private database?
• How are user accounts managed?
Integrating SDLC and Security
Step 3: Design
• Use your most experienced security experts!
• Identify vulnerable points
  – authentication and authorization/access control
  – database or file stores of sensitive data
  – logging/auditing
• Identify, design and use common and tested components
• Dedicated Security role required in any organization
Integrating SDLC and Security
Step 4: Implementation
Implementation/Acquisition – make security “routine”
• Schedule code reviews
• Require developers to build unit test harnesses – Junit
• Automate nightly code and application security scanning – Jtest, AppScan, Nessus, database security scanning
• Schedule network and configuration scanning - Foundstone
• Write and use manual security test procedures
• Perform concurrency and stress testing - Jmeter, OpenSTA
• Integration testing
  – Services and APIs
  – Are services or distributed components using encryption?
  – How does an application authenticate to a service?
Integrating SDLC and Security
Step 4: Implementation cont.
• Functional testing
  – Do you use formal Test Plans or AdHoc? Tied to Requirements?
  – Done by developers and end users?
  – Do Pilot Users test methodically using Test Plans?
  – How do you ensure testing coverage is adequate?
  – SQL Injection testing
  – Browser Compatibility Testing (ex: browser cache)
  – Regression testing
• Use Security Checklists / Assessments – code, database, network
  – Test data – “de-identified?”
  – If storage of private data absolutely required, is it encrypted?
  – Transmission encrypted?
  – Error messages divulge information that can be used by hacker?
  – PCI Compliance scanning/self-assessment passed? HIPAA?
  – Firewalls configured?
Integrating SDLC and Security
Step 5,6,7
5. Deployment
  – Create secured test and production environment
  – Helpdesk, Sys Admin, support staff cross-trained?
  – Application security risks
  – Policy issues identified?
  – System and data backups, disaster recovery
6. Operations/Maintenance
  – Repeated “routine” reviews and scanning
  – Change control
7. Decommissioning of Application and Data
  – Retention/preservation of information and data
  – Sanitize media, properly dispose hardware and software
Our Change Control Process
• Coordinate and schedule changes in network, database, applications, OS, firewalls and configurations
  – Avoid downtime due to collisions
  – Avoid accidental security exposures
  – We use Oracle Calendar
• All developers, system and network admins meet every Tuesday morning for at least 15 minutes!
• 2 week notice of all planned changes
  – Test Plan and checklist required
  – Identification of required security tasks
• High/low risk identified on all changes
• Changes recorded in AdCom ServiceDesk
Security Architecture Governance – Multi-layer
Policies, Standards, Procedures, Technical Reference Architecture
Approved Tools and Lifecycle
Exceptions by Approval
Regularly reviewed

Layer          Controls
User           Identity Management, Authentication, Education
Network/Web    Account Admin, Firewalls, Encryption, Logging/Auditing
Application    Authorization, Logging/Audit, Test Tools
Data           Authorization, Logging/Audit, Encryption, Inventory
Operations     Backups (incl off-site), Logging/Audit, Disaster Recovery
Security Architecture Lifecycle
Summary of Tools to Try
• Unit Test
  – Junit for Java, Integrated with Eclipse
• Code Scanning
  – JTest
• Application/Network/Web Scanning Tools
  – Foundstone, SiteDigger, AppScan, Nessus
• Load/Stress Test
  – OpenSTA, JMeter
• Database Scanning
  – Microsoft Analyzer
• Wiki
Q&A
Useful Links
• Campus security site:
http://www.security.uci.edu
• AdCom's application security checklist:
http://snap.uci.edu/viewXmlFile.jsp?resourceID=1440
• AdCom's Java code review checklist:
http://snap.uci.edu/viewXmlFile.jsp?resourceID=1529
• Open Web Application Security Project (OWASP): http://www.owasp.org