
Web Application Security Best Practices for Modern Applications
Understanding hacking techniques, securing web applications, and implementing defensive software architecture and code reviews are crucial steps in ensuring the security of modern web applications based on insights from the book "Web Application Security: Exploitation and Countermeasures for Modern Web Applications" by Andrew Hoffman.
SECURING MODERN WEB APPLICATIONS
Based on the book "Web Application Security: Exploitation and Countermeasures for Modern Web Applications" by Andrew Hoffman (2020)
WHAT AND WHY?
Understanding the hacking techniques that can be used for researching, analyzing, and breaking into web applications provides important insights when we need to secure web applications.
Today's web applications are much more complex and distributed than their predecessors, which means an increased attack surface.
To secure a web application:
- Understand the attack surface and the techniques hackers are using to break into web applications.
- Derive mitigations to defend and/or camouflage your application architecture and logic from malicious eyes.
An analogy: defending a castle.
HOW?
Application/software security professionals take on the role of master defender, using software engineering skills in combination with recon and hacking skills to a) reduce the probability of a successful attack, b) mitigate potential damages, and then c) manage active or past damages.
DEFENSIVE SOFTWARE ARCHITECTURE
The first step in writing a well-fortified web application starts prior to any software actually being written (the architecture phase).
To properly evaluate the security in an application's architecture:
- analysis of data flow
- threat modeling for new features
In the architecture phase of any new product or feature, deep attention to detail should be spent on the data that flows throughout the application.
Sender -> Receiver: data
Q: Where can the data be exposed or corrupted? (Hint: data at rest + data in transit) ...
It is much easier to catch and resolve deep architectural security flaws before actually writing and deploying the software.
COMPREHENSIVE CODE REVIEWS
Following the creation and evaluation of a secure architecture: carefully evaluate each commit (of code) prior to release into the codebase.
Purposes:
- to improve quality assurance
- to reduce technical debt
- to eliminate easy-to-find programming mistakes
- to ensure that released code meets security standards
COMPREHENSIVE CODE REVIEWS (CONT.)
In order to reduce conflict of interest, commits to source code version control should not only be reviewed by members of the committer's team, but also by an unrelated team (especially in regard to security).
A -> B: data
- How is data being transmitted from point A to point B (typically over a network, and in a specific format)?
- How is data being stored?
- When data gets to the client, how is it presented to the user?
- When data gets to the server, what operations occur on it and how is it persisted?
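One way to turn the Sender -> Receiver questions above into a repeatable review, as an added example that is not from the book or the slides: each flow of a hypothetical "update profile" feature is modelled as an edge with its transport, storage and presentation properties, and the review reports where data in transit, data at rest or client-side rendering is exposed. The flow names, property names and the three rules are assumptions.

```python
"""Data-flow review for a threat model: a constructed example, not from the book.
Each flow is a Sender -> Receiver edge carrying one named data item; the review
asks of every edge how the data is transmitted, stored and presented."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Flow:
    sender: str
    receiver: str
    data: str
    sensitivity: str                          # "public" | "personal" | "secret"
    transport: str                            # "https" | "http" | "internal"
    stored_encrypted: Optional[bool] = None   # None: the receiver does not persist it
    rendered_html: bool = False               # shown in a browser as HTML?
    output_encoded: bool = False              # HTML-encoded before rendering?


def review_flow(f: Flow) -> List[str]:
    """Return the exposure findings for one flow (an empty list means none)."""
    findings = []
    sensitive = f.sensitivity != "public"
    # Data in transit: non-public data needs a protected channel.
    if sensitive and f.transport == "http":
        findings.append(f"{f.sender}->{f.receiver}: {f.data} in transit over plain http")
    # Data at rest: persisted non-public data should be encrypted.
    if sensitive and f.stored_encrypted is False:
        findings.append(f"{f.receiver}: {f.data} persisted without encryption")
    # Presentation on the client: anything rendered as HTML must be output-encoded.
    if f.rendered_html and not f.output_encoded:
        findings.append(f"{f.receiver}: {f.data} rendered as HTML without output encoding")
    return findings


def review(flows: List[Flow]) -> List[str]:
    """Review every edge of the data-flow model and collect the findings in order."""
    return [finding for f in flows for finding in review_flow(f)]


# Constructed flows for a hypothetical "update profile" feature (assumed, not from the book).
PROFILE_UPDATE = [
    Flow("browser", "api", "display_name", "personal", "https"),
    Flow("api", "db", "email", "personal", "internal", stored_encrypted=False),
    Flow("api", "browser", "display_name", "personal", "https", rendered_html=True),
    Flow("api", "analytics", "page_view", "public", "http"),
]

if __name__ == "__main__":
    for line in review(PROFILE_UPDATE):
        print(line)
```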
VULNERABILITY DISCOVERY
Following the architecture and code review steps: finding vulnerabilities in the code that occur as a result of bugs that are not easily identifiable (or might have been missed) in the code review process.
The old-fashioned (and undesirable) way of finding vulnerabilities is either by customer notification or (worst case) widespread public disclosure.
Modern methods:
- bug bounty programs
- internal red/blue teams
- third-party penetration testers
- corporate incentives for engineers to log known vulnerabilities
VULNERABILITY ANALYSIS
After a vulnerability has been found, several steps:
- To triage (by analogy with medicine: conduct a preliminary assessment of patients or casualties in order to determine the urgency of their need for treatment and the nature of treatment required).
- To prioritize the vulnerability. Risk factors: financial risk to the company, difficulty of exploitation, type of data compromised, existing contractual agreements, mitigation measures already in place, ...
- To manage the vulnerability.
VULNERABILITY MANAGEMENT
After assessing the risk of a vulnerability and prioritizing it based on the risk factors:
- Before a fix is available: closely monitor and log hacking attempts to exploit the vulnerability.
- A fix to a given vulnerability must be tracked through to completion. Such fixes should be completed in a timely manner, with deadlines determined based on the risk assessment.
- Customer contracts (and laws/regulations) should be analyzed in response to an assessed vulnerability to determine if any agreements have been violated.
REGRESSION TESTING
Regression testing: a type of software testing technique that re-runs functional and non-functional tests to ensure that a software application works as intended after any code changes, updates, revisions, improvements, or optimizations.
After a fix that resolves a vulnerability has been developed, write a regression test that will assert that:
a) the fix is valid;
b) the vulnerability no longer exists.
REGRESSION TESTING (CONT.)
A large percentage of vulnerabilities are regressions: either directly reopened bugs or variations of an original bug.
Later (Ch. 20): "A vulnerability regression testing suite ... works similarly to a functional or performance testing suite, but tests previously found vulnerabilities to ensure they do not get released into the codebase once again as a result of a rollback or overwrite."
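An added example (not code from the book or the slides) of what a vulnerability regression test looks like, covering both the "fix is valid / vulnerability no longer exists" assertions from the previous slide and the "variations of an original bug" point above: a hypothetical fixed download handler, a regression case keyed by a placeholder tracker id that stores the original reproduction input plus encoded and nested variants, and a runner that fails if any of them is accepted again or if legitimate file names stop resolving. The handler, the case format and all inputs are constructed assumptions.

```python
"""Vulnerability regression suite: a constructed example, not code from the book.
A case records the reproduction input from the original report plus known
variants, so a rollback or overwrite that reintroduces the bug fails in CI.
The fixed handler below is hypothetical; tracker ids are placeholders."""
import posixpath
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import unquote


def safe_download_path(base: str, requested: str) -> Optional[str]:
    """Hypothetical fixed handler: resolve a user-supplied name under base, or None."""
    decoded = unquote(unquote(requested))   # neutralise single and double URL-encoding
    if "\x00" in decoded or decoded.startswith("/"):
        return None
    joined = posixpath.normpath(posixpath.join(base, decoded))
    if joined != base and not joined.startswith(base + "/"):
        return None                          # request would escape the base directory
    return joined


@dataclass
class RegressionCase:
    vuln_id: str                                       # id of the original finding
    original_input: str                                # reproduction input from the report
    variants: List[str] = field(default_factory=list)  # variations seen or anticipated
    legit_inputs: List[str] = field(default_factory=list)


REGRESSIONS = [
    RegressionCase(
        vuln_id="VULN-PLACEHOLDER-1",                  # placeholder, not a real tracker id
        original_input="../../etc/passwd",
        variants=["..%2f..%2fetc%2fpasswd", "%252e%252e/etc/passwd",
                  "/etc/passwd", "reports/../../etc/passwd"],
        legit_inputs=["report.pdf", "2020/q1.csv"],
    ),
]


def run_regressions(base: str = "/srv/files") -> List[str]:
    """Return one message per failed assertion; an empty list means the suite passed."""
    failures = []
    for case in REGRESSIONS:
        # b) the vulnerability no longer exists: original input and variants are rejected
        for payload in [case.original_input, *case.variants]:
            if safe_download_path(base, payload) is not None:
                failures.append(f"{case.vuln_id}: traversal accepted for {payload!r}")
        # a) the fix is valid: legitimate requests still resolve under base
        for name in case.legit_inputs:
            if safe_download_path(base, name) != posixpath.join(base, name):
                failures.append(f"{case.vuln_id}: legitimate input {name!r} broken")
    return failures
```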
MITIGATION STRATEGIES
An organization should actively make a good effort to mitigate the risk of a vulnerability occurring in the application codebase.
Components of mitigation strategies:
- secure coding best practices
- secure application architecture
- regression testing frameworks
- secure software development life cycle (SSDL)
- secure-by-default developer mindset and development frameworks
SUMMARY
Deep knowledge of recon and offensive techniques will give you insight into building stronger defenses that could not be obtained otherwise.
By understanding the common vulnerabilities that hackers look for in order to break into a web application, you will better understand what types of defenses you can put up to mitigate such attacks.
Knowledge of specific categories of exploit should also help you prioritize your fixes, because you will understand what type of data will be put at risk if one of these exploits is found in your web application.
An organization/company should take a strategic position in mitigating the risks of vulnerabilities existing in its codebase.