
Let's start with two pieces from the Hacker Webzine: "Why hacking changed" and "Why hacking changed, part 2". You really need to read those two marvelous pieces. An excerpt:
Today everything is software, even in the form of virtual hardware. The network today is no longer the main landscape for attack. Take the firewall for instance. Without the firewall, hacking was a walk in the park. Anyone with a dial-up modem could hack. Launch a telnet client and you had a very good chance that port 23 was open. Along came the firewall and now we have 99,99% of all ports blocked. Only ports 80 and 25 are open if you are secure. So, most of the network is secure and does not pose an issue anymore. While the firewall is here, everyone in security fell asleep. We thought we were secure now, right? The firewall and the IDS and other stuff are monitoring it, right? Yes, that was the old view of security. That view is dead, and buried with the old school hackers, because this isn't how the Internet operates today. What is happening now is that the whole security of every server depends on the programmer that writes the software. Software is the main culprit of almost all hacks today. If you can define hacking today, it no longer means telnetting into servers or blowing whistles, but exploiting the application layer. With the application layer, I also mean the scripting language beneath it, since it interacts with the applications that it's running and shares memory, and thereby the hardware it's running on.

So the firewall and IDS are dead? (So might antivirus be, but let's not touch that hot potato today.) But the whole security of the server depends on the programmer who writes the software? Well, in that case, I have bad news for you!
After years of fighting the hacker wars, today's Websites are still a long way from being secure, according to a new research report. According to a report issued yesterday by WhiteHat Security, nine out of 10 Websites still have at least one vulnerability that attackers could exploit. On average, there are about seven flaws on each site studied. "While the security posture of some industries is better than others, the difference is largely insignificant when it comes to preventing a Website from becoming compromised - attackers only need to exploit a single vulnerability," the report says. (Source: Darkreading)
So how do we fix this? Here is an interesting article from techtarget.com: The essentials of Web application threat modeling. The highlights:
- Determine your security goals
- Document the general architecture of your application
- Outline what really needs to be protected
- Pinpoint the various entry points and "trust" zones
- Discover what can be exploited using a malicious mindset, from both the perspective of an untrusted outsider and a trusted user.
You'll never find or think of everything no matter how analytical your team is or how good your tools are. That's OK. Just go for the basics now. It doesn't take long to realise that the majority of Web application vulnerabilities are related to input validation, system configuration problems, and insiders abusing privileges they probably shouldn't have, including the following:
- Cross-site scripting in search forms or message boards
- SSL not being used or enforced throughout the application
- Weak password requirements
- Lack of account lockout after so many failed login attempts
- Informative authentication errors being returned to the user, resulting in username and password harvesting
- Weak multi-factor authentication processes implemented per the Federal Financial Institutions Examination Council (FFIEC) requirements
- Session keys and cookies not expiring or being easily manipulated
- URL and/or form-field manipulation to bypass authentication or escalate privileges
- Sensitive information returned in server errors that can give an attacker a leg up on penetrating the system
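Three of the weaknesses in that list (informative authentication errors, no account lockout, and sessions that never expire) fixed together in one small login service. This is an added example, not code from the techtarget article or this blog; the policy values MAX_FAILED, LOCKOUT_SECONDS and SESSION_TTL and the AuthService class are assumptions. The failure path returns the same None whether the username is unknown, the password is wrong or the account is locked, so nothing tells a caller which half was wrong.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from hashlib import pbkdf2_hmac

MAX_FAILED, LOCKOUT_SECONDS, SESSION_TTL = 5, 900, 1800   # assumed policy values

def hash_password(password: str, salt: bytes) -> bytes:
    return pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed: int = 0          # consecutive failed logins
    locked_until: float = 0.0

class AuthService:
    def __init__(self, clock=time.time):
        self.clock = clock                      # injectable so expiry can be tested
        self.accounts, self.sessions = {}, {}   # sessions: token -> (user, expiry)
        # Dummy account so unknown usernames take the same code path as real ones
        self._dummy = Account(bytes(16), hash_password("dummy", bytes(16)))

    def register(self, user, password):
        salt = secrets.token_bytes(16)          # per-account random salt
        self.accounts[user] = Account(salt, hash_password(password, salt))

    def login(self, user, password):
        """Return a session token, or None with no hint about what failed."""
        acct, now = self.accounts.get(user, self._dummy), self.clock()
        ok = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)
        if acct.locked_until > now or acct is self._dummy or not ok:
            acct.failed += 1
            if acct.failed >= MAX_FAILED:       # lock out after too many failures
                acct.locked_until, acct.failed = now + LOCKOUT_SECONDS, 0
            return None
        acct.failed = 0                         # success resets the counter
        token = secrets.token_urlsafe(32)       # unguessable session key
        self.sessions[token] = (user, now + SESSION_TTL)
        return token

    def user_for(self, token):
        """Resolve a session token; expired tokens are dropped, never honoured."""
        entry = self.sessions.get(token)
        if entry and self.clock() <= entry[1]:
            return entry[0]
        self.sessions.pop(token, None)          # forget expired or unknown tokens
        return None
```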
Also, you may want to check out Microsoft's STRIDE threat model, which highlights the important areas of most applications:
- Spoofing identity
- Tampering with data
- Repudiation
- Information disclosure
- Denial of service
- Elevation of privilege

Then, to finish the threat modeling exercise:
- Determine what's urgent and important
- Determine what can be done about each weakness
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. There are currently versions in English, French, Japanese, Korean and Turkish. A Spanish version is in the works. We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.
Security4all Blog