Hacking and Hardening your Corporate Web Application
A Developer Perspective
A different approach to making internally developed code safe. We all know the basics, but have we ever walked a mile in the attacker's shoes? How would an attacker go about breaking into our corporately developed web site or web app? Our developers have been taught what the attacker would try. Haven't they?
How can you possibly know how to protect your home if you don't know how the burglar breaks in? You can't. We take the unusual approach of attacking our own code with the very simple tools a developer uses every day. The most expensive tool we use is Chrome. Yes, Chrome the browser, plus a handful of other free tools that almost every IT person already knows.
You will see your developers' eyes light up when they see how easy it is to break in. More importantly, we show them what the developer can do to prevent it. In this course the corporate developers themselves attack their own code, and any other stakeholders are welcome to watch. It is a bit like a car wreck: you just have to slow down and look.
The course is 100% language independent. It makes no difference whether you write in PHP, .NET, Java, Flash/Flex or any of the hundred other variants and mashups. If your application is driven from a browser and returns angle brackets, you are in the right place.
A well thought out course designed with the average security-unaware programmer in mind. Your developers will be astonished at the things they do every day that turn out to have security flaws in them. To drive the point home, more than 50% of the course is hands-on coding labs.
The ideal participant has a development, coding or architecture background, either current or previous: a developer trying to raise his or her security awareness, or someone who has moved into a managerial position and is now even more responsible for any breach.
Not a day goes by without the national evening news mentioning a break-in. That may not sound ground-breaking in itself, but the numbers behind it are staggering: some studies have estimated the cost of a breach at well over $1,000 per compromised record, in hard dollars and in reputation. If 10,000 records were compromised, do the math. That is not just a job-limiting oversight but a career-limiting one, and every manager knows that after Sarbanes-Oxley the finger points back to the person in charge.
Much thought went into making this work as a language-agnostic course, so that both developers and management are exposed to how their own web site or web app could be compromised.
The course requires none of the special penetration-testing tools normally used in a course like this. The author expects only that you understand program logic. If you know development techniques and have an architecture background, you will walk away with a heightened awareness of the things you do day to day.
Whether you are the developer, the architect or the project manager, you will walk away with a clear picture of how things could be easily improved and secured. To get the most from the course, all participants should have at least some programming experience.
This course is NOT language specific, but program logic and design concepts are an absolute must. It is enlightening, entertaining and well worth the time. You will find yourself recommending it to the other developers, project managers and architects on your team and at your company.
Tim Pierson is one of the world's leading trainers in technology, networks and security, and is regularly selected to author training courses and manuals for global corporations. He conducts high-level security evaluations and delivers seminars at professional conventions, and has an exceptional ability to communicate sophisticated information to both technical and non-technical audiences.
Tim has been a technical trainer for the past 23 years and is an industry leader in both security and virtualization. He has been a noted speaker at many industry events, including lectures at the Savannah River and Los Alamos nuclear facilities, Innotech, GISSA, and many military venues including the Pentagon and numerous military facilities in the US and Europe, among them army bases in Germany and Belgium, addressing both US and foreign military organizations.
Tim is currently Senior Consultant and Trainer at Data Sentry, Inc., with responsibility for initiating, developing and validating training programs on current security practices and procedures. He has formidable knowledge in these areas and continues to turn that know-how into certification training classes, often completing self-certification on new and emerging products before teaching or writing courseware or books on them.
Tim's training has taken him to many parts of the world: most major US cities, Europe and Asia. Exposure to a wide variety of students and audiences lets him pitch his material at the appropriate level, and he consistently receives accolades for his training.
Tim is a contributing author of "VMware Virtual Infrastructure Security: Securing ESX and the Virtual Environment". He has also contributed to the bi-monthly Virtualization Security Roundtable Podcast, available as a download on iTunes and TalkShoe. Tim was a featured speaker on secure coding and virtualization practices at Hacker Halted in Miami in September 2009 and at Hacker Halted in Kuala Lumpur, Malaysia in November 2009.
The frequency of online attacks against websites and web apps has accelerated in the past several years, and the same risks continue to be readily exploited.
These risks are very often easy to identify directly in the browser; it is just a matter of knowing what the vulnerable patterns look like and what to look for.
Most developers are not security people and treat security as an afterthought. If we can get developers to think in the context of the attacker, they will inherently build more secure code.
This course comes at security from the attacker's perspective, with the developer following the same footsteps as the attacker and attacking their own corporate website or web application. Almost all of it can be done with a few simple free tools and the browser itself.
Typically an attacker has a website or web app they wish to probe for security risks or vulnerabilities. This is how they find the vulnerabilities that we as developers may have casually and cavalierly left available.
So the idea behind this course is to let our developers do the same things that external entities will do to their web apps and websites when trying to break in. We will not use any special tools or web or application scanners. Every tool we use will be familiar to the developer; we will simply use it in ways that are not. We push the developer to think outside the box, exactly the way an attacker does when trying to get into our corporate web application or website.
- About the course and Author Tim Pierson
- Why I developed Hacking and Hardening your Corporate Website/WebApp: A Developer Perspective
- A tip of the hat to Troy Hunt and Jeremiah Grossman for the original concept!
- Introducing the vulnerable website
- Using very expensive pen-testing tools like Firefox/Firebug or Chrome's developer tools (they come with the browser)
- Introducing a few free add-ons for Chrome and Firefox. Did I mention they were free?
- Monitoring and composing requests using a common proxy such as Fiddler, Paros or Burp Suite
- Modifying requests and responses in Fiddler to change what goes out and what comes in before the browser renders it
- The browser simply reads code from top to bottom; it has no idea what is good, bad or malicious
- Surfing the web is like giving every website you visit a shell on your box!
- For 10 Bonus Points…Who is this man?
- Encryption – A Definition
- Encryption Algorithm
- Symmetric Encryption
- Asymmetric Encryption
- Crack Times
- Password Policies and why they simply don’t work!
- Don’t use a password ever again! Use a pass phrase instead!
- Hash Collisions
- Common Hash Algorithms
- Digital Signatures – Proving who we say we are.
- Digital Certificate Levels – It comes down to Cost!
- Working with SSL Certificates.
- We Trust what we Know – True Story.
- IPSec – Will this solve it all?
- Public Key Infrastructure
- Heartbleed – What’s all the hype? Should we care?
- Laptop and portable encryption: TrueCrypt – BYOD is here or is coming!
3-Account Management – The Key to it all?
- Understanding How Important password strength and attack vectors are
- My Favorite Slide in the World
- Passing the Monkey Wrench Technique!
- Limiting characters in passwords
- Emailing credentials on account creation
- Account enumeration
- Denial of service via password reset
- Correctly securing the reset processes
- Wall of Shame – Plain Text Offenders
- How to spot a secure web site – everyone should try this on their family
- Establishing insecure password storage
- Testing for risks in the 'remember me' feature
- Re-authenticating before key actions
- Testing for authentication brute force
- Identifying untrusted data in HTTP request parameters
- Capturing requests and using easy tools to manipulating parameters
- Manipulating application logic via parameters
- Testing for missing server-side validation. If you don’t do it, it’s like having the fat kid watch the pie!
- Understanding model binding
- Executing a mass assignment attack
- HTTP verb tampering – What’s a verb? POST, GET and so on. Are they interchangeable? You’d be surprised.
- Fuzz testing – spraying the app the way a fireman sprays a fire with a hose, then seeing if it hiccups!
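The account management items above ("Account enumeration", "Establishing insecure password storage", "Testing for authentication brute force") come down to two mistakes: storing something an attacker can reverse or match across users, and telling the attacker which half of the login was wrong. The following is an added example, not course material, using only Node.js built-ins; the user table, the passwords and the hash format string are constructed for the demonstration.

```javascript
// Added example (not from the course): salted, slow password hashing and a
// login that does not enumerate accounts. Node.js built-ins only.
const crypto = require('node:crypto');

// Legacy anti-pattern: fast, unsalted hash. Equal passwords give equal hashes
// across users, and precomputed tables or a GPU crack it quickly.
function legacyHash(password) {
  return crypto.createHash('md5').update(password).digest('hex');
}

// Hardened: scrypt with a random per-user salt. Parameters are an assumption
// for this demo; tune N upwards as hardware allows.
const SCRYPT = { N: 16384, r: 8, p: 1, keylen: 32 };

function hashPassword(password) {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(password, salt, SCRYPT.keylen, SCRYPT);
  return `scrypt$${SCRYPT.N}$${salt.toString('hex')}$${key.toString('hex')}`;
}

function verifyPassword(password, stored) {
  const [scheme, n, saltHex, keyHex] = stored.split('$');
  if (scheme !== 'scrypt') return false;
  const key = crypto.scryptSync(password, Buffer.from(saltHex, 'hex'), SCRYPT.keylen,
                                { ...SCRYPT, N: Number(n) });
  // Constant-time comparison: no early exit on the first mismatching byte.
  return crypto.timingSafeEqual(key, Buffer.from(keyHex, 'hex'));
}

// Constructed user table.
const USERS = new Map([
  ['alice', { hash: hashPassword('correct horse battery staple') }],
]);
// Hash of a throw-away value, used so unknown usernames cost the same time.
const DUMMY_HASH = hashPassword(crypto.randomBytes(16).toString('hex'));

// Enumeration anti-pattern: two different failure messages (and only one
// expensive check), so the attacker learns which usernames exist.
function loginLeaky(username, password) {
  const user = USERS.get(username);
  if (!user) return { ok: false, message: 'No account with that username.' };
  if (!verifyPassword(password, user.hash)) return { ok: false, message: 'Incorrect password.' };
  return { ok: true, user: username };
}

// Hardened: one message for every failure, and the expensive check always runs.
function login(username, password) {
  const user = USERS.get(username);
  const passwordOk = verifyPassword(password, user ? user.hash : DUMMY_HASH);
  if (!user || !passwordOk) return { ok: false, message: 'Invalid username or password.' };
  return { ok: true, user: username };
}
```

The same rule applies to "forgot password" and registration: "if that address is registered we have sent an email" leaks nothing, "that address is not registered" does. Rate limiting and lockout (the brute-force item) sit on top of this; they are not a substitute for slow hashing, because the password database, not the login form, is what leaks in a breach.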
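For the "Understanding model binding", "Executing a mass assignment attack" and "HTTP verb tampering" items, the two attacks are easier to grasp side by side with their fixes. Here is an added example, not from the course, in plain JavaScript with a miniature request pipeline; the profile record, the routes, the `session` object and the "filter only inspects POST" misconfiguration are constructed for the demonstration and stand in for whatever framework binder or URL-authorisation filter the real app uses.

```javascript
// Added example (not from the course): mass assignment through a model binder,
// and HTTP verb tampering against a verb-specific authorisation filter.

// Stored profile. 'isAdmin' must never be client-editable.
function newProfile() {
  return { id: 7, displayName: 'Sam', email: 'sam@example.test', isAdmin: false };
}

// Vulnerable binder: copies every field the client sent onto the model.
function bindAll(model, body) {
  return Object.assign(model, body);
}

// Hardened binder: an explicit allow-list of client-editable fields.
const EDITABLE = ['displayName', 'email'];
function bindAllowed(model, body) {
  for (const field of EDITABLE) {
    if (Object.prototype.hasOwnProperty.call(body, field)) model[field] = body[field];
  }
  return model;
}

// What the attacker posts: a normal edit plus one extra field (constructed).
const TAMPERED_BODY = { displayName: 'Sam', email: 'sam@example.test', isAdmin: true };

function massAssignmentDemo() {
  return {
    vulnerable: bindAll(newProfile(), TAMPERED_BODY).isAdmin,   // true: privilege escalated
    hardened: bindAllowed(newProfile(), TAMPERED_BODY).isAdmin, // false: extra field ignored
  };
}

// ---- Verb tampering --------------------------------------------------------
// Vulnerable: the authorisation filter only looks at POST (a common
// misconfiguration), while the handler itself accepts any verb.
function dispatchVulnerable(req) {
  if (req.method === 'POST' && !req.session.isAdmin) return { status: 403 };
  if (req.path === '/admin/deleteUser') return { status: 200, deleted: req.query.id };
  return { status: 404 };
}

// Hardened: authorisation on every verb, and a state-changing handler only
// honours the verb it was written for.
function dispatchHardened(req) {
  if (req.path === '/admin/deleteUser') {
    if (!req.session.isAdmin) return { status: 403 };
    if (req.method !== 'POST') return { status: 405 };
    return { status: 200, deleted: req.query.id };
  }
  return { status: 404 };
}

function verbTamperingDemo() {
  const anon = { isAdmin: false };
  const asPost = { method: 'POST', path: '/admin/deleteUser', query: { id: 42 }, session: anon };
  const asGet = { ...asPost, method: 'GET' };   // same request, verb changed in the proxy
  const asHead = { ...asPost, method: 'HEAD' };
  return {
    vulnerablePost: dispatchVulnerable(asPost).status, // 403: filter catches it
    vulnerableGet: dispatchVulnerable(asGet).status,   // 200: filter bypassed
    vulnerableHead: dispatchVulnerable(asHead).status, // 200: bypassed again
    hardenedGet: dispatchHardened(asGet).status,       // 403
    hardenedHead: dispatchHardened(asHead).status,     // 403
  };
}
```

Changing the verb is a one-click edit in Fiddler or Burp, which is why the outline lists it under "Capturing requests and using easy tools to manipulate parameters". The fix for mass assignment is the same in every framework: bind to a view model or an allow-list, never to the persistence entity.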
5-Transport Layer Protection – Safety during the commute
- The three objectives of transport layer protection
- Understanding a man-in-the-middle attack, and how we all fall victim to it every day
- Protecting sensitive data in transit, and at rest
- The risk of sending cookies over insecure connections
- How loading login forms over HTTP is risky
- What’s the solution? HTTPS everywhere? What about the overhead?
- Exploiting mixed-mode content
- The HSTS header
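Every item in this module can be checked from the browser's network panel: the page URL, the response headers and the HTML. The following is an added example (not from the course) that turns those checks into a small audit function; the two sample pages and their headers are constructed, and the one-year HSTS threshold is the figure the browser preload list requires, used here as an assumption about what "long enough" means.

```javascript
// Added example (not from the course): transport-layer audit of one response.
const ONE_YEAR = 31536000;

// Parse "Strict-Transport-Security: max-age=...; includeSubDomains; preload".
function parseHsts(value) {
  if (!value) return null;
  const hsts = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of value.split(';')) {
    const [name, val] = part.trim().split('=').map((s) => s.trim().toLowerCase());
    if (name === 'max-age') hsts.maxAge = Number(val);
    else if (name === 'includesubdomains') hsts.includeSubDomains = true;
    else if (name === 'preload') hsts.preload = true;
  }
  return hsts;
}

// Active mixed content: scripts, stylesheets, frames and forms loaded from or
// posting to http:// on an https page. Browsers block most of it, but a form
// posting to http:// sends the user's data in the clear.
const MIXED_RE = /<(script|link|iframe|form)\b[^>]*\b(?:src|href|action)\s*=\s*["']http:\/\/[^"']*["']/gi;
function findMixedContent(html) {
  return [...html.matchAll(MIXED_RE)].map((m) => m[0]);
}

function auditTransport(page) {
  const findings = [];
  const https = page.url.startsWith('https://');
  const headers = Object.fromEntries(
    Object.entries(page.headers).map(([k, v]) => [k.toLowerCase(), v]));

  if (!https && /type\s*=\s*["']?password/i.test(page.body)) {
    findings.push('login form served over HTTP: a man in the middle can rewrite the form before the user sees it');
  }
  const hsts = parseHsts(headers['strict-transport-security']);
  if (https && !hsts) findings.push('no Strict-Transport-Security header');
  if (hsts && !(hsts.maxAge >= ONE_YEAR)) findings.push(`HSTS max-age ${hsts.maxAge} is below one year`);
  if (hsts && !hsts.includeSubDomains) findings.push('HSTS does not cover subdomains');
  if (!https && hsts) findings.push('HSTS sent over HTTP is ignored by browsers; it must come over HTTPS');
  for (const tag of findMixedContent(page.body)) findings.push(`mixed content: ${tag}`);
  return findings;
}

// Constructed sample pages.
const WEAK_PAGE = {
  url: 'http://shop.example.test/login',
  headers: { 'Content-Type': 'text/html' },
  body: '<form action="http://shop.example.test/login"><input type="password" name="pw"></form>'
      + '<script src="http://cdn.example.test/app.js"></script>',
};
const HARDENED_PAGE = {
  url: 'https://shop.example.test/login',
  headers: { 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload' },
  body: '<form action="/login"><input type="password" name="pw"></form><script src="/app.js"></script>',
};
```

`auditTransport(WEAK_PAGE)` reports three problems (the login form on HTTP, the form posting to HTTP, the script from HTTP); `auditTransport(HARDENED_PAGE)` reports none. Note the caveat built into the last HSTS check: the header only takes effect when received over HTTPS, so a site that sets it on the HTTP redirect and nowhere else has not enabled it.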
6-Cross Site Scripting (XSS) - Truth Is I just do what I am told.
- Understanding untrusted data and sanitization
- Establishing input sanitization practices – Keep it Clean going in
- Understanding XSS and output encoding
- Identifying the use of output encoding - and coming back out!
- 3 types of XSS, Reflected, Stored and DOM
- Delivering a payload via reflected XSS
- Testing for the risk of persistent XSS
- The X-XSS-Protection header
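The "Understanding XSS and output encoding" and "Delivering a payload via reflected XSS" items are best seen with the encoder beside the page that uses it. The following added example (not course material) renders a reflected search term into the three contexts a developer actually writes, vulnerable and encoded, and shows why HTML-body encoding in an attribute is the wrong encoder. Everything is plain JavaScript; the page templates and payloads are constructed.

```javascript
// Added example (not from the course): output encoding per context, and the
// failure mode of encoding for the wrong context.

const HTML_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };

// HTML body context: the characters that can change parsing there.
function encodeForHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => HTML_MAP[c]);
}

// Attribute context: everything except alphanumerics becomes &#xHH;, so the
// input cannot end the attribute or start a new one, even if it is unquoted.
function encodeForAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => `&#x${c.charCodeAt(0).toString(16).toUpperCase()};`);
}

// JavaScript string context: \uXXXX for everything except alphanumerics, so
// neither a quote nor </script> survives inside the literal.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => `\\u${c.charCodeAt(0).toString(16).padStart(4, '0')}`);
}

const PAYLOAD = '"><script>alert(document.cookie)</script>';

// Reflected search page, vulnerable: the term lands raw in three contexts.
function renderVulnerable(q) {
  return `<p>Results for ${q}</p><input name="q" value="${q}"><script>var q = "${q}";</script>`;
}

// Same page with the matching encoder for each context.
function renderEncoded(q) {
  return `<p>Results for ${encodeForHtml(q)}</p>`
       + `<input name="q" value="${encodeForAttribute(q)}">`
       + `<script>var q = "${encodeForJsString(q)}";</script>`;
}

// Wrong-context encoding: HTML-body encoding inside an unquoted attribute.
// The payload has no < > " ' so the encoder changes nothing.
const ATTR_PAYLOAD = 'x onfocus=alert(1) autofocus';
function renderUnquotedAttr(q) { return `<input name="q" value=${encodeForHtml(q)}>`; }
function renderQuotedAttr(q) { return `<input name="q" value="${encodeForAttribute(q)}">`; }

// Crude checks used to show the difference.
function countScriptTags(html) { return (html.match(/<script\b/gi) || []).length; }
function hasEventHandler(html) { return /\son[a-z]+\s*=/i.test(html); }
```

The vulnerable page ends up with four `<script>` tags (one legitimate plus the payload reflected three times); the encoded page keeps exactly one. This is the point of "Identifying the use of output encoding": sanitising on the way in cannot know which context the value will be written into on the way out, so the encoder belongs at the output.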
7-Cookies – Not Just for Hansel and Gretel
- Cookies 101 – Everything you wanted to know but were afraid to Ask!
- Session management – HTTP is like an Alzheimer’s patient, like the movie 50 First Dates!
- Understanding HttpOnly cookies: what they are and why we should use them
- Understanding Secure cookies. No, not putting Grandma’s cookies in a locked cookie jar!
- Disabling Cookies – Do we really need them?
- Restricting cookie access by path – Now there’s an Idea!
- Reducing risk with cookie expiration – Keep it short!
- Using session cookies to further reduce risk
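The cookie items above ("HttpOnly", "Secure", "Restricting cookie access by path", "cookie expiration", "session cookies") are all attributes of one `Set-Cookie` header, which the developer can read straight from the browser's network panel. This added example (not part of the course) parses that header and reports each missing control; the sample headers are constructed, and the rule that only cookies whose names look like session or auth tokens are audited is an assumption made for the demo.

```javascript
// Added example (not from the course): audit a Set-Cookie header for the
// controls the module covers.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';');
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i < 0 ? a : a.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i < 0 ? true : a.slice(i + 1).trim();   // flag attrs become true
  }
  return cookie;
}

// Assumption for the demo: names that look like they carry identity.
const SESSION_NAME_RE = /sess|auth|token|sid|login/i;
const ONE_DAY = 86400;

function auditSetCookie(header, now = Date.now()) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!SESSION_NAME_RE.test(c.name)) return findings;   // preference cookies are out of scope here

  if (!c.attrs.httponly) findings.push(`${c.name}: missing HttpOnly, readable via document.cookie after an XSS`);
  if (!c.attrs.secure) findings.push(`${c.name}: missing Secure, the browser will send it over plain HTTP`);
  if (!c.attrs.samesite) findings.push(`${c.name}: no SameSite attribute, attached to cross-site requests`);
  if (!c.attrs.path || c.attrs.path === '/') findings.push(`${c.name}: Path is site-wide, scope it to the application path`);

  // Lifetime: Max-Age wins over Expires; neither means a session cookie that
  // dies with the browser, which is the safest choice for a session id.
  let lifetime = null;
  if (c.attrs['max-age'] !== undefined) lifetime = Number(c.attrs['max-age']);
  else if (c.attrs.expires) lifetime = (Date.parse(c.attrs.expires) - now) / 1000;
  if (lifetime !== null && lifetime > ONE_DAY) {
    findings.push(`${c.name}: persists for ${Math.round(lifetime / 3600)} h; prefer a session cookie or a short Max-Age`);
  }
  return findings;
}

// Constructed samples.
const WEAK_COOKIE = 'sessionid=7f3a9c; Path=/; Max-Age=2592000';
const HARDENED_COOKIE = 'sessionid=7f3a9c; Path=/app; Secure; HttpOnly; SameSite=Lax';
```

`auditSetCookie(WEAK_COOKIE)` lists five findings; the hardened header produces none. A cookie is also a cookie on every request, so "Secure" is what makes the transport-layer work in the previous module stick: without it, one plain-HTTP image request from the same host leaks the session id.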
8-Internal Implementation Disclosure - What’s going on inside the Beast
- How an attacker builds a website risk profile, Make sure you don’t fit that profile.
- Server response header disclosure – Tell it like it is, or is that not what you intended?
- Locating at-risk websites – Making Sure Yours is not one of them
- HTTP fingerprinting of servers – Determining what your WebApp WebSite is running
- Disclosure via robots.txt – Tell the World Where not to Look!
- The risks in HTML source – What your HTML is telling Everyone, whether you know it or not!
- Internal error message leakage – Error messages that say Way Too Much!
- Lack of access controls on diagnostic data – the first thing hackers try is to put the site in debug mode
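The "risk profile" an attacker builds in this module comes from three cheap sources: response headers that name the platform, error pages that leak internals, and `robots.txt`. This added example (not from the course) extracts all three from one constructed response; the header list and the error-page patterns are the common ones and are an assumption, not an exhaustive signature set.

```javascript
// Added example (not from the course): what one response tells an attacker.

// Headers that announce the platform and version (the first thing a scanner keys on).
const FINGERPRINT_HEADERS = ['server', 'x-powered-by', 'x-aspnet-version', 'x-aspnetmvc-version', 'x-generator'];

// Fragments that normally only appear when unhandled errors reach the client.
const ERROR_LEAK_RE = /Stack Trace:|Traceback \(most recent call last\)|Fatal error:|ORA-\d{5}|You have an error in your SQL syntax/i;

function profileResponse(resp) {
  const headers = Object.fromEntries(
    Object.entries(resp.headers).map(([k, v]) => [k.toLowerCase(), v]));
  const disclosed = FINGERPRINT_HEADERS.filter((h) => h in headers).map((h) => `${h}: ${headers[h]}`);
  return { disclosed, errorLeak: ERROR_LEAK_RE.test(resp.body) };
}

// robots.txt: every Disallow entry is a path the owner considered worth hiding,
// which is exactly the list an attacker visits first.
function robotsDisallowed(text) {
  return text.split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => /^disallow:/i.test(line))
    .map((line) => line.slice('disallow:'.length).trim())
    .filter((path) => path && path !== '/');
}

// Constructed samples.
const LEAKY_RESPONSE = {
  headers: { 'Server': 'Microsoft-IIS/7.5', 'X-Powered-By': 'ASP.NET', 'X-AspNet-Version': '4.0.30319' },
  body: "Server Error in '/' Application.\nStack Trace:\n[SqlException: Invalid column name 'Pwd']\n   at App.Data.Users.Find(String name)",
};
const HARDENED_RESPONSE = {
  headers: { 'Content-Type': 'text/html' },
  body: 'Something went wrong. Reference: 5f2a1c. Please contact support.',
};
const ROBOTS = 'User-agent: *\nDisallow: /admin/\nDisallow: /backup/\nDisallow: /\nAllow: /public/\n';
```

The hardened response keeps an opaque reference the support team can look up in the server log, which is the pattern for "Internal error message leakage": log the detail, show the user a ticket number. Removing `Server` and `X-Powered-By` does not make the platform unguessable (response ordering and error formats still fingerprint it), but it stops the free version number that a vulnerability database is keyed on.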
9-SQL Injection – What’s a command, what’s data?
- Understanding SQL injection
- Testing for injection risks – using very high-priced, expensive tools like Chrome and Firefox!
- Discovering database structure via injection
- Harvesting data via injection. Under the right conditions you can simply print out the entire schema.
- Automating attacks with Havij
- Blind SQL injection – how the blind man can still find holes
- Secure app patterns
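The module's title question, "what's a command, what's data?", can be made visible without a database. This added example (not course material) reduces a SQL statement to its shape, with every literal replaced by `?`, so you can see exactly when user input has changed the command rather than the data; it also shows why the quote-doubling "fix" works for strings and fails for numbers, and why parameterisation works for both. Plain JavaScript; the query, the inputs and the tokeniser are constructed for the demonstration and the tokeniser is a teaching aid, not a defence.

```javascript
// Added example (not from the course): the "shape" of a query, i.e. the command
// with all data removed. Two queries with the same shape differ only in data.

const TOKEN_RE = /'(?:[^']|'')*'|\d+(?:\.\d+)?|[A-Za-z_][A-Za-z0-9_.]*|--[^\n]*|\/\*[\s\S]*?\*\/|[^\s]/g;

function shape(sql) {
  const out = [];
  for (const [tok] of sql.matchAll(TOKEN_RE)) {
    if (tok.startsWith("'") || /^\d/.test(tok)) out.push('?');              // data
    else if (tok.startsWith('--') || tok.startsWith('/*')) out.push('<comment>');
    else out.push(tok.toUpperCase());                                        // command
  }
  return out.join(' ');
}

// Vulnerable: the input is spliced into the command text.
function vulnerableQuery(name) {
  return `SELECT id, name FROM users WHERE name = '${name}' AND active = 1`;
}

// Half-fix seen in the wild: double the quotes. Works inside a quoted string ...
function escapeQuotes(s) { return String(s).replace(/'/g, "''"); }
// ... but does nothing for a numeric context, where no quote is needed.
function vulnerableNumericQuery(id) {
  return `SELECT id, name FROM users WHERE id = ${escapeQuotes(id)}`;
}

// Parameterised: the command text never contains the input; the driver sends
// values separately, so the shape cannot change no matter what the user typed.
function safeQuery(name) {
  return { text: 'SELECT id, name FROM users WHERE name = ? AND active = 1', values: [name] };
}

const BASELINE = shape(vulnerableQuery('bob'));
const NUMERIC_BASELINE = shape(vulnerableNumericQuery(5));

function commandChanged(input) { return shape(vulnerableQuery(input)) !== BASELINE; }
function numericCommandChanged(input) { return shape(vulnerableNumericQuery(input)) !== NUMERIC_BASELINE; }

// The classic probes from the module, as constructed inputs.
const PROBES = {
  tautology: "' OR '1'='1",
  comment: "' OR 1=1 --",
  schemaHarvest: "' UNION SELECT table_name, column_name FROM information_schema.columns --",
  legitimateApostrophe: "O'Brien",   // not an attack, yet it breaks the query too
};
```

`commandChanged(PROBES.tautology)` is true because the shape gains `OR ? = ?`; `shape(vulnerableQuery(PROBES.schemaHarvest))` contains `UNION`, which is the whole of "harvesting data via injection". `commandChanged(PROBES.legitimateApostrophe)` is also true: the broken query produces the database error message that tells the attacker to keep going, and that is the first thing to test for in the browser. `commandChanged(escapeQuotes(PROBES.tautology))` is false, but `numericCommandChanged('1 OR 1=1')` is true, which is why escaping is not the fix and `safeQuery` is.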
10-Cross Site Attacks – Same origin policy. Everyone else breaks it, why shouldn’t we?
- Understanding cross site attacks – leveraging the authority of an approved user
- Testing for a cross site request forgery risk
- The role of anti-forgery tokens – a few things that will help
- Testing cross site request forgery against APIs
- Mounting a clickjacking attack – what are you clicking on anyway?
If you have taken secure coding courses in the past you may think this is going to be the same. Nothing could be further from the truth; this course takes a completely different approach. Most developers will tell you that if they knew how the attackers could get in, it would usually be easy to fix. That is just it: developers have never tried to break into their own code or anyone else's. Perhaps they don't have the skills to do so. Does that just make them honest people? Perhaps, but in today's world that is not a good thing but a very bad one. You must be aware of what can happen to you or you will not be able to protect yourself. The attackers have it easy: they only need to find one hole to get in. The developer must plug all of them, and must keep up to date with the latest security threats.
Some developers may argue that it is not the developer's job to secure the enterprise; that is the security department's job. That is pure rubbish. Each has a hand in protecting the corporate environment, and each shares the responsibility. While the finger pointing goes on, the attacker is enjoying himself with your intellectual property, human resources information, or anything else he can monetize.
This course is designed so that anyone who understands programming logic can benefit from it.
Information security personnel from practically any organization responsible for handling important data would find this course beneficial, for example:
- Government agencies
- Banking and Financial institutions
- Brokerage and Trading firms
- Scientific institutions & research agencies
- Computer design firms
- Consulting firms
- Science and Engineering firms
- Those involved with online related businesses & transactions
- Card related businesses
NOTE: Students must be familiar with IT security best practices and have a good understanding of programming logic and common web technologies.
The course is designed for developers, but most IT personnel will benefit. Minimum skills:
- Basic Windows administration for servers and workstations
- Basic command line proficiency on Windows
Ponemon Institute Releases 2014 Cost of Data Breach: Global Analysis
May 5, 2014, 10:15 am
Throughout the world, companies are finding that data breaches have become as common as a cold but far more expensive to treat. With the exception of Germany, companies had to spend more on their investigations, notification and response when their sensitive and confidential information was lost or stolen. As revealed in the 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, the average cost to a company was $3.5 million in US dollars and 15 percent more than what it cost last year.
Will these costs continue to escalate? Are there preventive measures and controls that will make a company more resilient and effective in reducing the costs? Nine years of research about data breaches has made us smarter about solutions.
Critical to controlling costs is keeping customers from leaving. The research reveals that reputation and the loss of customer loyalty does the most damage to the bottom line. In the aftermath of a breach, companies find they must spend heavily to regain their brand image and acquire new customers. Our report also shows that certain industries, such as pharmaceutical companies, financial services and healthcare, experience a high customer turnover. In the aftermath of a data breach, these companies need to be especially focused on the concerns of their customers.
As a preventive measure, companies should consider having an incident response and crisis management plan in place. Efficient response to the breach and containment of the damage has been shown to reduce the cost of breach significantly. Other measures include having a CISO in charge and involving the company’s business continuity management team in dealing with the breach.
In most countries, the primary root cause of the data breach is a malicious insider or criminal attack. It is also the most costly. In this year’s study, we asked companies represented in this research what worries them most about security incidents, what investments they are making in security and the existence of a security strategy.
An interesting finding is the important role cyber insurance can play in not only managing the risk of a data breach but in improving the security posture of the company. While it has been suggested that having insurance encourages companies to slack off on security, our research suggests the opposite. Those companies with good security practices are more likely to purchase insurance.
Global companies also are worried about malicious code and sustained probes, which have increased more than other threats. Companies estimate that they will be dealing with an average of 17 malicious codes each month and 12 sustained probes each month. Unauthorized access incidents have mainly stayed the same and companies estimate they will be dealing with an average of 10 such incidents each month.
When asked about the level of investment in their organizations’ security strategy and mission, on average respondents would like to see it doubled from what they think will be spent—an average of $7 million to what they would like to spend—an average of $14 million. This may be a tough sell in many companies. However, our cost of data breach research can help IT security executives make the case that a strong security posture can result in a financially stronger company.
Key features of CAST On-site:
- Each course selected from the CAST Advanced Training Suite is specifically designed to meet the needs of each individual, according to their current skills and pace of learning, and to meet your organisation's unique objectives and goals
- CAST On-site expert trainers are flown to the premises of your choice on a date that suits you
- CAST On-site lets students receive training in more manageable sessions spread over a few days, allowing greater absorption of knowledge and an opportunity to practise and verify new skills after each session before commencing the next
- With CAST On-site Advanced Security courses, students can converse directly with the chosen expert on matters unique to the student and your organisation
- You can rest assured that all challenges and objectives pertaining to your organisation's goals can be discussed in an environment of complete confidentiality
- Each client receives the required high level of training, benchmarked to international best practice and standards
- Each student receives the CAST Advanced Security Training courseware, allowing them to follow and revise the material taught
- Upon completion of the course, each student will receive a CAST On-Site Advanced Security Training certificate of attendance
Special Thanks and Grateful Mention
A big tip of the hat needs to go to my friend and colleague Troy Hunt, from Pfizer Pharmaceuticals and an OWASP contributor, and to Jeremiah Grossman from WhiteHat Security, for the original concept and idea. And last but not least my good friend and colleague Jim Manico, also from WhiteHat and a team lead at OWASP.
Both Troy Hunt and Jim Manico were a big help to me allowing me to bounce things off of them to obtain the "perfect" Instructor led course. My job would have been much more difficult without their help and I simply wanted to acknowledge them.
A few others I would like to mention: Joe Sanders, former CIO of First Horizon Mortgage Company and later CIO for the City of Memphis, for his C-level perspective on what management would ultimately provide the buy-in for.
Billy Austin, long-time friend, mentor and colleague, creator of fine, albeit complex, professional penetration testing tools such as SAINT and now co-founder of iScan Online, a completely different approach to quickly determining exposures, who gave me a professional penetration tester's perspective and a fresh new concept that I dare say most companies will adopt as their methodology.
And lastly a special thanks to my friends at Phillips Consulting Company in East Africa, who gave me the perspective of a developing country, and one that quite frankly is one to watch for their keen insight and effectiveness. Thank you Oluwaseun Ngonnase, Jason Ikegwu, Paul Ayim and lastly Mr. Phillips, who taught me what integrity really means!