Lori MacVittie - Web Application Security is a Stack: How to CYA (cover your apps) completely

Web Application Security is a Stack

How to CYA (Cover Your Apps) Completely

Web Application Security is a Stack

How to CYA (Cover Your Apps) Completely

Lori MacVittie

Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publisher and the author cannot accept responsibility for any errors or omissions, however caused. Any opinions expressed in this book are those of the author, not the publisher. Websites identified are for reference only, not endorsement, and any website visits are at the readers own risk. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the publisher or the author.

Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form, or by any means, with the prior permission in writing of the publisher or, in the case of reprographic reproduction, in accordance with the terms of licenses issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publishers at the following address:

IT Governance Publishing

IT Governance Limited

Unit 3, Clive Court

Bartholomews Walk

Cambridgeshire Business Park

Ely, Cambridgeshire

CB7 4EA

United Kingdom

www.itgovernance.co.uk

Lori Mac Vittie 2015

The author has asserted the rights of the author under the Copyright, Designs, and Patents Act, 1988, to be identified as the author of this work.

First published in the United Kingdom in 2015
by IT Governance Publishing

ISBN:978-1-84928-707-4

ABOUT THE AUTHOR

Lori MacVittie is responsible for education and evangelism of application services available across F5s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organisations, among other efforts. She currently focuses on Cloud Computing, infrastructure, DevOps, data centre architecture and security-related topics. MacVittie has extensive development and technical architecture experience in both high-tech and enterprise organisations, in addition to network and systems administration expertise. Prior to joining F5, MacVittie was an award-winning technology editor at Network Computingmagazine.

She holds a BS in Information and Computing Science from the University of Wisconsin at Green Bay, and an MS in Computer Science from Nova Southeastern University. She is Technical Editor and a member of the steering committee for CloudNOW, a non-profit consortium of the leading women in Cloud Computing.

ACKNOWLEDGEMENTS

I would like to thank Antonio Velasco, CEO of Sinersys Technologies, and Giuseppe G. Zorzino CISA CGEIT CRISC, security architect, for their useful contributions during the review process.

CONTENTS

CHAPTER 1: INTRODUCTION

The modern threat

In 2011 an exploit taking advantage of a vulnerability in the Apache web server rapidly circulated across the Internet. Apache, at the time, was used by more than 65% of websites, according to Netcraft, so this was a serious issue which required immediate remediation. The exploit took advantage of a little-known vulnerability in the way Apache handled two HTTP headers. Exploitation of this vulnerability resulted in, as described by CVE-2011-3192, very significant memory and CPU usage on the server, resulting in a distributed denial-of-serviceattack (DDoS) through resource exhaustion.

In late 2013, a highly complex DDoS attack on a prominent member of an online trading community was detected and mitigated. In addition to the overwhelming network traffic generated, post-mortem analysis discovered a significant amount of application layer traffic. What had originally appeared to be simply an unusual spike in human interaction was, in truth, driven by a network of nearly 20,000 compromised browsers, all infected with a variant of the PushDo malware.

In early 2014, another vulnerability would shake the foundations of the Internet. Within the implementation of SSL as supported by the open source library, OpenSSL, existed the potential for attacks to exploit a buffer-overflow,enabling the extraction of sensitive consumer and corporate data. The open source library was widely used by web servers, as well as a wide variety of open and closed software and hardware around the world. Its discovery led to disruption of business and consumer fears regarding just what data attackers may have been able to extract.

None of these very serious web application vulnerabilities fall under what is traditionally considered the domain of application developers. The term web application security usually conjures up thoughts of the more well-known web application attack vectors, such as SQL injection and cross-site scripting. But the reality is that web application security is not just about the application, but about the Web too. Exploitation of web application platform and protocol implementation is becoming more common and, ultimately, is far more likely to produce the result desired by attackers.

These results are not always the theft of data, as is traditionally put forth. The rise of hacktivism attacking organisations through their web presence as a means of protest against some business practice or to highlight a social cause has resulted in a dramatic increase in attacks intended not to steal data or information but to disrupt business operations. These denial-of-service (DoS) attacks generate a lot of press, in addition to the financial costs incurred while applications are unavailable, not to mention the costs to remediate.

Also on the rise are attempts to use vulnerabilities in applications as a delivery vehicle for malware and remote access. Attackers seek not to attack applicationsthemselves, but rather its consumers. By using vulnerabilities in the application layer, attackers can plant, and subsequently deliver, malware and malicious code to a much larger set of victims, some of whom are certain to be compromised and deliver to attackers the resources, data or credentials they are seeking.

The WhiteHat Website Security Statistics Report from May 2013 notes that 23% of organisations website(s) said they experienced a data or system breach as a result of an application layer vulnerability noted that nearly three in five IT professionals are concerned with application DDoS.

Much of the blame for successful attacks against web applications is laid solely at the feet of the developers who design and build the applications. While many of the attacks rely on common mistakes made during development, it is increasingly the case that attackers are targeting other areas of the web application stack, namely protocols and platforms. Recognising that application security is really a stack, ensures that a growing vector of attacks does not go ignored. Protocol and metadata manipulation attacks are a dangerous source of DDoS and other disruptive techniques that can interrupt business and have a serious impact on the business bottom line, as well as its reputation.

A holistic web application security strategy must therefore necessarily view its attack surface as the entire web application stack.

CYA: Cover Your Apps

Web application security must evolve along with the threat spectrum, to ensure complete coverage. Therefore, we will look not only at traditional application logic and data related security issues, but also at protocol and platform concerns. As emerging technologies and architectures, such asCloud Computing and SDN (Software Defined Networking) continue to advance, application developers are increasingly responsible not only for ensuring compliance with best practices regarding web applications security, but in defining and managing the application policies and procedures that ensure application security at the platform and protocol layers.