
Security Fundamentals

Security Fundamentals

In this module you will learn:
• Fundamentals of security and risk
• The business impact of application security failures
• Overview of Application Security controls
• Current & future trends in application security

Fortify - Tek-Experts | ©Tek Experts 2015 2 04/28/2021


Security Fundamentals

What does security mean to you?



What is “Security”?

Definitions from The American Heritage® Dictionary of the English Language, 4th Edition:

n. Freedom from risk or danger; safety.
n. Freedom from doubt, anxiety, or fear; confidence.
n. Something that gives or assures safety.


Security Issue?

“Security is never black and white, and context matters more than technology”
– Bruce Schneier, Secrets & Lies: Digital Security in a Networked World


Application security challenges

• Monitoring / protecting production software
• Securing legacy applications (existing software)
• Certifying new releases (in-house development)
• Demonstrating compliance
• Procuring secure software (outsourced, commercial, open source)


Core Security Concepts

• Assets
• Threats
• Vulnerabilities
• Attack
• Risk



Assets
What assets are in your business?

Physical
• Computers
• Devices
• Equipment

Information
• Intellectual Property
• Employee records
• Customer records

Employees

Customers


Asset Characteristics

What impacts the value of your asset?

• Availability

• Integrity

• Confidentiality



Confidentiality

Confidentiality is a requisite for maintaining the privacy of the people whose personal information the organization holds.

Information that is considered to be confidential in nature must only be accessed, used, copied, or disclosed by persons who have been authorized to access, use, copy, or disclose the information.


Integrity

Integrity means that data cannot be created, changed, or deleted without authorization.

A loss of integrity occurs when an employee accidentally, or with malicious intent, deletes important data files.


Availability

Availability means that the information, the computing systems used to process the information, and the security controls used to protect the information are all available and functioning correctly when the information is needed.


Protecting Assets

Sample security controls that aim to protect assets
• Asset tags
• Perimeters
• Backups
• Hashes / Checksums
• Encryption
• Access Control


Core Security Concepts

• Assets
• Threats
• Vulnerabilities
• Attack
• Risk



Threats
Who wants your assets?

• Competitors
• Criminals
• Bot nets
• Organizations
• Insiders
• Customers
• Partners



Threat Characteristics

What differentiates each threat?
• Motivation
• Skill set
• Sponsorship
• Access
• Time


Threat Motivation

Why do they want your assets?
• Research
• Bragging rights
• Revenge / vengeance
• Business Intelligence
• Extortion
• Exploitation


Threat Skillset
Threat skills evolve and improve over time



Threat Prevention

What can we do to reduce threats?

• Conduct frequent audits to look for unused accounts and disable or remove them if possible
• Use temporary accounts
• Use two-factor authentication
• Use encryption of confidential data in motion or at rest



Vulnerability
What is a vulnerability?

Personal: Vulnerability is the susceptibility to physical or emotional injury or attack.

Computer: Vulnerability is applied to a weakness in a system which allows an attacker to violate the integrity of that system.


Vulnerability

Where do vulnerabilities exist?
• Human processes
• Business processes
• Networks
• Data stores
• Software?


Vulnerabilities in Software
"Since most security for Web applications can be implemented by a system administrator, application developers need not pay attention to the details of securing the application…"
– BEA WebLogic Server Security Documentation


Vulnerabilities in Software

A vulnerability is a hole or a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application.




Vulnerabilities in Software

Why are there so many vulnerabilities in software?
• Software complexity increases over time


Vulnerabilities in Software
Why are there so many vulnerabilities in software?
• As our software has become more sophisticated and better…
• … it seems it has become less secure

• Why?
  • There is a LOT more code to review
  • More people are writing the code, so the overall systems knowledge is less
  • Internet time means timelines are much tighter, so we have less time to think about problems
  • With stiff competition there are no points for second to market


Vulnerabilities in Software
Why are there so many vulnerabilities in software?

• Are we becoming careless?
  • Probably not, but our knowledge is becoming more specialized and compartmentalized
  • The guy who built the network is not the same person writing the firewall software! That used to be the case not so many years ago…

• Complex systems are harder to design
  • Many systems are an integration of many disparate systems
  • No longer is one person in charge of everything!


Vulnerabilities in Software

OWASP
• The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software
  • Referenced from www.owasp.org
• This community routinely updates and lists the top-10 application security vulnerabilities
  • However, OWASP has overlap between categories


Vulnerabilities in Software
The OWASP Top-10 Categories
As of 2007, OWASP lists the following top-10 categories:
1) Cross Site Scripting (XSS)
2) Injection Flaws
3) Malicious File Execution
4) Insecure Direct Object Reference
5) Cross Site Request Forgery (CSRF)
6) Information Leakage and Improper Error Handling
7) Broken Authentication and Session Management
8) Insecure Cryptographic Storage
9) Insecure Communications
10) Failure to Restrict URL Access

Reference: www.owasp.org/index.php/Top_10_2007



Vulnerabilities in Software
How do we prevent them?



Attack

Attack: the exploitation of a vulnerability by a threat to reach an asset.
(Diagram: Threats, Vulnerabilities, Assets)

Attacks

It is important to clarify that adversaries have fewer obstacles when performing an attack on code. For example, an infrastructure attack presents all the following obstacles and elements (diagram labels):

Attacker (Threat), Firewall, Proxy, IDS, Firewall, Web Server, Application Server, Financial Data (Asset)

An application attack presents fewer obstacles and elements:

Attacker, Application Server


Risk

Risk: the expected loss when the confidentiality, integrity, or availability of an asset is compromised.

Risk analysis: the expected loss when a specific asset is compromised by a specific threat.
(Diagram: Threats, Vulnerabilities, Assets)


APPLICATION SECURITY

Application Security

• There is no wide-spread agreement on the definition of application security
• However, the domain of application security focuses on the development and maintenance of secure code and attempts to answer questions such as:
  • How do we define the business requirements of an application?
  • How do we take into account security when defining requirements?
  • How do we write secure code?
  • How do we test our code for security?
  • How do we protect our application from known exploits?


Other Types of Related Security

• Besides application security, there are two other types of security which need to be considered
  • Infrastructure
    • Focuses on the development and maintenance of a secure environment for code
  • Strategic
    • Focuses on the development and maintenance of workflows, processes, and artifacts surrounding the production of code
• It is important to draw a distinction between these types of security
  • We need to identify who is responsible for maintaining different aspects of security


Assessing Security Controls
The McCumber Cube

• Information Characteristics
– Confidentiality
– Integrity
– Availability
• Information States
– Transmission
– Storage
– Processing
• Security Measures
– Technology
– Policies & Practices
– Human Factors




Network & System Security
(Diagram labels)
• Outsourcing
• Legacy App Integration
• Web Facing Applications
• Employee Self-Service
• Connectivity w/ Partners, Suppliers


Network & System Security

• OSI 7-layer Model
• Securing the network stack
  • Complexity increases bottom up
  • Speed to defend decreases from bottom up


Network & System Security

• Focus is on preventing attacks rather than fixing the problems
• Tends to be reactive in nature
• Methods include
  • Network and Host Firewalls
  • Network and Host Vulnerability Scanning
  • Intrusion Detection and Prevention Systems
  • Patch Management


Applications Must Protect Themselves

Outside:
• Source IP
• Destination IP
• Fragmented data
• Partial protocol imperatives

Inside:
• User sessions
• SQL queries
• Application variables
• Historical patterns


Risk Management
• Modern security is about managing risk
  • There is no such thing as 100% secure
  • Secure is a relative term… Do you consider skydiving safe?
  • Security is a business tradeoff
• Proactive security is about building things right
  • Design for security
  • Secure coding practices
  • Security testing as part of Quality assurance testing
• Quality Software is Secure Software


Software Development Today

• Small coding errors can have a big effect on security
• Typical software development practices don’t address the problem
• As a group, developers tend to make the same security mistakes over and over


CONCEPTS

“Sequel injection” is… just a follow-on flu shot, right?
Knowing common software security-related terms shows that you have a basic grasp of the space…
• PII
• XSS
• SQLi
• DAST
• SAST
• OWASP
• PCI DSS
• Phishing
• Pen Testing
• Spear Phishing
• … and many more….
AppSec-related Terms to Know (Domain: Governance)

Term: What it is (Notes)
PCI: Payment Card Industry (owasp.org)
PCI DSS: PCI Data Security Standard (www.pcisecuritystandards.org)
HIPAA: Health Insurance Portability and Accountability Act (www.hhs.gov/ocr/privacy/hipaa/understanding)
DISA STIG: Defense Information Systems Agency Security Technical Implementation Guide (iase.disa.mil/stigs)
GLBA: Gramm-Leach-Bliley Act (security and data integrity)
FISMA: Federal Information Security Management Act (www.dhs.gov/federal-information-security-management-act-fisma)
AppSec-related Terms to Know

Term: What it is (Notes)
OWASP: Open Web Application Security Project (owasp.org)
VulnCat: Vulnerability Categories, an HP Fortify Taxonomy of Software Security Errors (vulncat.fortify.com; maintained by HP SSR)
BSIMM: Building Security In Maturity Model (bsimm.com)
SSA: Software Security Assurance (what we do!)
XSS: Cross-Site Scripting (OWASP 2013 Ax)
SQL: Structured Query Language
SQLi: SQL Injection (OWASP 2013 Ax)
SAST: Static Application Security Testing (Fortify SCA)
DAST: Dynamic Application Security Testing (WebInspect, incl. WIE)
IAST: Interactive Application Security Testing (WebInspect + WebInspect Agent)
RASP: Runtime Application Self-Protection (Application Defender)
CASE STUDY

Case Study

Riches Bank

Fictional scenario based on real building blocks



Palo Alto (AP) − Hackers mounted a massive phishing campaign against the online
banking and brokerage site of Riches Bank (RIB) to harvest user accounts. Experts
attribute the initial success of the attack to a cross-site scripting vulnerability in the
bank’s login page.

Once inside, the hackers compromised the bank’s authentication and access
control to send fraudulent market advisories. Analysts estimate the combined
monetary and reputational damage caused by this attack will approach 1 billion
dollars.

Riches Bank representatives declined to comment.
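The case study attributes the initial break-in to a cross-site scripting flaw in the login page. As an added example (not from the original deck; Riches Bank is fictional), the following Python shows a login page that reflects the submitted username into the form unescaped, beside the corrected version that HTML-encodes every request-derived value; the template, function names and the test marker are constructed for the illustration.

```python
import html
import re

# Constructed login-page template. The {username} slot is refilled from the
# request when a login attempt fails, so the user does not have to retype it.
LOGIN_TEMPLATE = (
    "<html><body><form method='post' action='/login'>"
    "<label>User</label><input name='username' value=\"{username}\">"
    "<label>Password</label><input name='password' type='password'>"
    "<p class='error'>{error}</p>"
    "</form></body></html>"
)

# Constructed marker standing in for attacker-controlled input: it closes the
# attribute and opens a tag, which is all a browser needs to treat it as markup.
TEST_INPUT = '"><script>/*constructed marker*/</script>'


def render_login_vulnerable(username: str, error: str) -> str:
    """Reflects request data straight into the page (reflected XSS).

    Whatever the browser parses as HTML now runs in the bank's own origin,
    which is the foothold the case study describes for harvesting logins.
    """
    return LOGIN_TEMPLATE.format(username=username, error=error)


def render_login_hardened(username: str, error: str) -> str:
    """Same page, but each reflected value is HTML-entity encoded (quotes
    included, since one value lands inside an attribute), so it is shown as
    text instead of being interpreted as markup."""
    return LOGIN_TEMPLATE.format(
        username=html.escape(username, quote=True),
        error=html.escape(error, quote=True),
    )


_TAG = re.compile(r"<\s*/?\s*[a-zA-Z]")


def contains_active_markup(page: str, reflected: str) -> bool:
    """Check a test suite could run: does the reflected value appear in the
    rendered page with its angle brackets intact, i.e. as live markup?"""
    return reflected in page and bool(_TAG.search(reflected))


def demo() -> dict:
    """Render both versions with the constructed marker and report whether
    the marker survived as live markup in each."""
    err = "Invalid credentials"
    vulnerable = render_login_vulnerable(TEST_INPUT, err)
    hardened = render_login_hardened(TEST_INPUT, err)
    return {
        "vulnerable_reflects_markup": contains_active_markup(vulnerable, TEST_INPUT),
        "hardened_reflects_markup": contains_active_markup(hardened, TEST_INPUT),
        "hardened_page": hardened,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```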



time 0: hacker discovers XSS vulnerability in banking app
+ 1 hour: uses spam list to send phishing email to 100,000 potential victims

www.xssed.com


+ 6 hours: victim receives phishing email, clicks on exploit, and logs in
+ 5 seconds: hacker receives victim’s login name and password
+ 1 minute: victim, seeing nothing suspicious, logs out from bank
+ 2 days: hacker uses stolen credentials to login to bank


+ 20 minutes: uses privilege escalation to get admin access
+ 16 hours: brokers deal to send message to all bank users on specific date
+ 3 days: sends “sell” message to all bank users


+ 2 hours: bank users receive “sell” message and sell all shares of HSR right away
+ 3 hours: hacker waits for HSR to drop in price and alerts team of buyers
+ 1 hour: condenses profit in overseas bank and closes user’s account


Business Impact of Application Security

• Web Hacking Incidents Database by
  • http://www.webappsec.org/projects/whid/whid.shtml
• OWASP


APPLICATION SECURITY
CONTROLS

Application Security Controls

• Regulation
• Education
• Penetration testing
• Manual review
• Source code analysis
• Run time protection


Legal Compliance and Regulation

• Laws are passed that force companies to comply with certain measures of security
  • International Organization for Standardization (ISO)
  • Payment Card Industry (PCI)
  • HIPAA
• Often, the fines for not complying with such measures are small and not enforced
• Attempts at regulation often leave security specifications that are vague and fraught with uncertainty
• Although compliance passes, the organization is often left with a false sense of security, as the standards are often set too low


Education

• Education is a critical key to any successful security rollout within an organization
  • You have begun to implement this solution
• Identify a curriculum of courses that address the various stages of your maturity model


Penetration Testing

• Testers attempt to hack into an application within a safe environment utilizing a specific set of techniques
  • Provides practical examples that a development team can reproduce and fix
  • However, this method provides only superficial testing and quality is unpredictable
• Automated hacking tools try to perform automatic penetration testing, but they are
  • Inaccurate and
  • Provide too many false positives and negatives


Manual Code Review

• Developers manually inspect source code of the given solution for security vulnerabilities
  • Extremely thorough, but high false negative rate
  • Expensive and time consuming
• Difficult, if not impossible, to examine all code in large projects
  • As the project grows in complexity and length, it takes more time to perform manual source code review
  • Higher costs and greater probability of human error


Source Code Analyzers

• Automated scanning tools which inspect source code for known security vulnerabilities
  • Although not all analyzers are equally effective, they are relatively easy to deploy and execute
  • Greatly reduce the probability of human error, which occurs in manual code reviews
  • Provide thorough coverage of code
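To make concrete what such an analyzer does, here is an added example (not Fortify SCA or any tool from the deck): a minimal static check that walks a Python program's syntax tree and reports SQL statements assembled from runtime values before they reach a database call, the way an analyzer reports the SQL injection category listed earlier. The sink names and the scanned sample program are constructed for the illustration.

```python
import ast
from dataclasses import dataclass
from typing import List, Optional

# Database API methods that accept a SQL statement. Sink names are assumed for
# the example; a real analyzer carries a catalogue of them per library.
SQL_SINKS = {"execute", "executemany"}


@dataclass
class Finding:
    line: int
    sink: str
    reason: str


def _is_dynamic_sql(node: ast.AST) -> Optional[str]:
    """Return why a statement argument is built at runtime, or None when it is
    a plain literal (placeholders bound via a separate parameter are fine)."""
    if isinstance(node, ast.JoinedStr) and any(
        isinstance(v, ast.FormattedValue) for v in node.values
    ):
        return "f-string interpolation into SQL"
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return "string concatenation or %-formatting into SQL"
    if (
        isinstance(node, ast.Call)
        and isinstance(node.func, ast.Attribute)
        and node.func.attr == "format"
    ):
        return "str.format() into SQL"
    if isinstance(node, ast.Name):
        # Conservative: without data-flow tracking we cannot tell a literal
        # held in a variable from one built from input, so we ask for review.
        return "SQL taken from a variable; review how it is constructed"
    return None


class SqlSinkVisitor(ast.NodeVisitor):
    """Visit every call; record calls to a sink whose statement is not a literal."""

    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name in SQL_SINKS and node.args:
            reason = _is_dynamic_sql(node.args[0])
            if reason:
                self.findings.append(Finding(node.lineno, name, reason))
        self.generic_visit(node)


def scan_source(source: str) -> List[Finding]:
    """Parse Python source text and return SQL-sink findings ordered by line."""
    visitor = SqlSinkVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed program under review: two injectable queries, then the same
# lookup done correctly with a bound parameter (line 4 is not reported).
SAMPLE_PROGRAM = '''\
def lookup(cur, user):
    cur.execute("SELECT id FROM users WHERE name = '" + user + "'")
    cur.execute(f"SELECT role FROM users WHERE name = '{user}'")
    cur.execute("SELECT id FROM users WHERE name = %s", (user,))
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_PROGRAM):
        print(f"line {f.line}: {f.sink}() - {f.reason}")
```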



Source Code Analyzers
• Reduce cost of reviews
  • Increased review capability
  • Source code analyzers provide full coverage of reviewed apps
  • Support for iterative application reviews (multiple reviews during project life cycle)
• Consistent and accurate reviews
  • Development and QA know what they are measured against
  • Detect all instances of reported issues
• Cleaner code to review
  • No critical coding issues in applications submitted to the code review team


Run-time Protection

• Protect application server by intercepting and scanning incoming/outgoing data
  • Lies between firewall and application server
  • As scanning complexity increases, performance decreases
  • Based on known vulnerabilities and attack patterns
  • Difficult to protect proprietary web frameworks


TRENDS IN APPLICATION
SECURITY

Current Attack Trends

1. Application Security attacks are on the rise
2. Attacks move from global to targeted
3. Attack services for sale
4. Attack motivation changing from fun to profit, terrorism


Emerging Attack Trends

1. Underlying software stack targeted
2. Application vulnerabilities used to crossover to infrastructure access
3. Global coordination between attackers
4. Insider knowledge increasingly valuable
5. Prosecution & investigation


PCI Compliance

• PCI 6.3.7 Requirement
  • Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability
• PCI 6.5 Requirement
  • Develop all web applications (internal and external, and including web administrative access to application) based on secure coding guidelines such as the Open Web Application Security Project Guide. Cover prevention of common coding vulnerabilities in software development processes.


PCI Compliance

• PCI 6.6
  • For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
    • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
    • Installing a web-application firewall in front of public-facing web applications


PCI Compliance

• PCI 11.3
  • Perform penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a Web server added to the environment). These penetration tests must include the following:
    • Network-layer penetration tests
    • Application-layer penetration tests


OWASP

• Industry Consortium
• Publishes Top Ten Vulnerabilities and latest trends
• Referenced by PCI and other emerging standards


Security Fundamentals
