Application Security and Hardening
Geekwise Academy
Week 01 - Introduction to APIs and Development Tools
Instructors:
Corey Shuman
Slack Channel:
Github Repo:
https://github.com/coreyshuman/GeekwiseApplicationSecurity
Lecture Notes:
http://coreyshuman.github.io/GeekwiseApplicationSecurity/LectureNotes
Table of Contents:
Introductions
- What is your name?
- Tell us some background about yourself.
- Have you had any experience with web security or a data breach?
Goals for Week 1
- Outline the general goals and topics of the class
- Review some examples and highlight the importance of Application Security
- Setup a development environment for a simple NodeJS RESTful API and basic frontend application using Docker as our development platform
What is Application Security?
Application Security is the processes and measures taken to improve the security of an application. This includes:
- Finding and fixing bugs
- Conducting tests, security reviews, and code reviews
- Conducting design reviews and building a threat model of the application
- Using automated tools to monitor for suspicious activity
- Regular audits of security practices and logs
This class will focus on the development side of application security. An important part of secure development is following strong security practices as a development team. Before you can develop these practices, it helps to understand what threats and vulnerabilities you are trying to defend against. Therefore this class will be a hands-on opportunity to learn, perform, and defends against common web application vulnerabilities.
Hackers only need to get it right once. You need to get it right every time!
The following are common classes of application security threats from the book Improving Web Application Security
| Category | Threats / Attacks |
|---|---|
| Input Validation | Buffer overflow; cross-site scripting; SQL injection; canonicalization |
| Software Tampering | Attacker modifies an existing application's runtime behavior to perform unauthorized actions; exploited via binary patching, code substitution, or code extension |
| Authentication | Network eavesdropping ; Brute force attack; dictionary attacks; cookie replay; credential theft |
| Authorization | Elevation of privilege; disclosure of confidential data; data tampering; luring attacks |
| Configuration management | Unauthorized access to administration interfaces; unauthorized access to configuration stores; retrieval of clear text configuration data; lack of individual accountability; over-privileged process and service accounts |
| Sensitive information | Access sensitive code or data in storage; network eavesdropping; code/data tampering |
| Session management | Session hijacking; session replay; man in the middle |
| Cryptography | Poor key generation or key management; weak or custom encryption |
| Parameter manipulation | Query string manipulation; form field manipulation; cookie manipulation; HTTP header manipulation |
| Exception management | Information disclosure; denial of service |
| Auditing and logging | User denies performing an operation; attacker exploits an application without trace; attacker covers his or her tracks |
This table is from the Application Security page on Wikipedia
Topics We Will Cover
- SQL Injection
- Cross Site Scripting
- Authorization (tokens, cookies, etc)
- User Data Sanitization
- Passwords and Validation
- Session Hijacking/ Session Replay
- Handling of Sensitive Data
- Encryption
- Cryptography
- Error Handling
- Auditing and Logging
- Development and Testing Techniques
- Setting up SSL
- Fuzzing
- Content Security Policy
- CORS
Tools We Will Use
- Docker
- Kali Linux
- NodeJS
- PHP
- RESTful API
- Wireshark
- Postman
- PostgresSQL
- Postico
- MongoDB
Largest Data Breaches of 2017
In 2016, reported data breaches increased by 40% and Yahoo announced the largest breach in history.
- April: The IRS reports 100,000 taxpayers may have had personal info stolen
- May: OneLogin reports a data breach
- May: Gmail phishing scam affects 1 million users
- July: 14 million Verizon customers affected by data breach
- September: 143 million consumers affected by Equifax (Credit Bureau) data breach
- October: Yahoo updates status of 2016 breach from 1 billion to 3 billion users affected
- October: Hyatt Hotels reports 41 properties had unauthorized access to debit and credit card info
- November: Uber revealved that 57 million users personal info was exposed, and they paid hackers $100,000 to try and keep the breach a secret.
- December: eBay leaked user info and purchase history via Google's Shopping platform due to improper configuration
- December: Alteryx, a California-based analytics company, was found to have stored information on more than 120 million American households on an open Amazon cloud storage bucket.
More Info: https://www.identityforce.com/blog/2017-data-breaches
“The fact security guidance is labeled as ‘Best Practices’ and not ‘Standard Operating Procedures’ is what attackers count on for success.”
Setting Up Our Development Environment
- Setup an IDE or Text Editor (Visual Code, Sublime, Webstorm, Atom, etc...)
- Install Docker (Instructions here)
- Setup Git and Github if necessary
- Install Postman
- Install Postico (Mac) or pgAdmin (Windows/Linux)
- Fork this repository on Github
- Pull down your fork of the repo to your machine
- Move on to the next section to test our simple application
Basic Insecure Web Application Example
Our basic application will give us an intruduction to NodeJS, Postgres, Postico, Postman, and Docker.
Click Here to go to the application page.Docker Environment
The Docker environment for our basic application includes 3 docker containers. You can think of a container as a lightweight virtual machine running on your computer. Each container is built from an image which represents what the underlying operating system is for the container.
