Securing Web applications with Rational AppScan part 1th: Getting Started with web security and Rational AppScan

Objective

Today's world, the Internet (Internet) has become a very important foundation platform, many enterprises will be used to set up the platform, to provide customers with more convenient and fast service support. These applications are constantly being perfected and improved in function and performance, but they are not paid enough attention to in the very important safety. As the network technology matures, hackers have shifted their attention from the previous attacks on Web servers to the attacks on the Internet. According to Gartner's latest survey, 75% of information security attacks occur on Web applications rather than at the network level. At the same time, the data also shows that two-thirds of Web sites are fairly fragile and vulnerable to attack. However, the reality is that the vast majority of enterprises will spend a lot of investment in the network and server security, not in the real sense to ensure the security of the Web application itself, to hackers to exploit.

This paper begins with the analysis of the present situation of Web application, illustrates the challenges faced by the Web application by enumerating common attack methods, and, through the introduction of Rational AppScan Platform, helps enterprises to develop Web application security solution and put on armor for enterprise Web application.

The basic concept of Web application in Web applications

Before discussing Web application security, let's start with a brief introduction to Web application fundamentals, which makes it easy to understand why Web applications are fragile and vulnerable to attack.

1. What is WEB application

Web applications are composed of dynamic scripts, compiled code, and so on. It is usually set up on a Web server where users send requests on a Web browser that uses the HTTP protocol to interact with the Internet and enterprise Web applications, and communicates with the database and other dynamic content in the Web application and the Enterprise backend.

2. Architecture of WEB applications

Although different organizations have different ways to build a web environment, a typical Web application is typically a standard three-tier architecture model, as shown in 1.

Figure 1:web Application is typically a standard three-tier architecture model

In this most common model, the client is the first layer; the part that uses dynamic WEB content technology belongs to the middle layer; The database is the third tier. The user sends a request to the middle tier through a Web browser, which translates the user's request into a query or update of the background data, and presents the final result to the user in the browser.

WEB Application Security Panorama

When discussing WEB application security, we often hear the answer:
"We use Firewalls", "We use the Network Vulnerability Scanning Tool", "We use SSL technology", "We conduct penetration testing every quarter" ... So, "Our application is safe". Is the reality really so? Let's take a look at a panoramic view of WEB application security.

Figure 2: Information security panorama

At every level of enterprise WEB applications, different technologies are used to ensure security. In order to protect the security of the client machine, the user installs anti-virus software, in order to ensure the transmission security of the user data to the Enterprise Web server, the communication layer usually encrypts the data using SSL (Secure Sockets Layer) technology; The enterprise uses firewalls and IDS (intrusion diagnosis System) IPS (Intrusion prevention system) to ensure that only specific access is allowed, ports that do not have to be exposed, and illegal access are blocked here, and even if there is a firewall, the enterprise will still use the authentication mechanism to authorize users to access the WEB application.

However, even with antivirus protection, firewalls, and ids/ips, businesses still have to allow a portion of the traffic to pass through the firewall, after all, the purpose of the Web application is to provide services to the user, the protection measures can close unnecessary exposed ports, but the Web application must be 80 and 443 ports, it is necessary to open. This part of the communication, which can be passed smoothly, may be benign or malicious and difficult to discern. It should be noted here that the Web application is made up of software, so it must contain bugs (bugs) that can be exploited by malicious users who perform various malicious actions, or steal, or manipulate, or destroy important information in a WEB application.

Therefore, it can be seen that the enterprise's answer, and can not really guarantee the application of enterprise security:

• Network vulnerability Scanning Tool, because it is only used to analyze the network level of vulnerability, do not understand the application itself, so can not completely improve the security of WEB applications;
• Firewalls can block access to important ports, but the 80 and 443 ports are always open, and we cannot tell whether the communication data in either port is a benign or malicious attack;
• SSL can encrypt data, but it only protects the data during transmission, and does not protect the WEB application itself;
• Every quarterly penetration test fails to meet the ever-changing application.

As long as the access can be smoothly through the enterprise's firewall, the WEB application will be rendered without reservation in front of the user. Only by strengthening the security of Web application itself, is the real Web application security solution.

Common WEB applications attack two important international application security organizations

Before we discuss common Web app attacks, we need to understand two organizations: WASC and OWASP. The two organizations have played an important role in appealing to enterprises to enhance their application of security awareness and to guide enterprises to develop secure WEB applications.

The Web Application Security Consortium (WASC) is an international group of security experts, industry advisers and representatives of many organizations. They are responsible for developing widely accepted application safety standards for WWW. One of the key projects of the WASC organization is the "Web security Threat Classification", which describes the threats, attacks, and generalizations of Web applications into categories with common characteristics. The goal of this project is to develop and promote industry standard terminology for the security implications of WEB applications. WASC divides Web application security threats into the following six categories:

Authentication (verification)

A means of attacking to identify a user, service, or application identity.

Authorization (Authorized)

Used to determine whether a user, a service, or an application has the necessary permissions to perform the requested action.

Client-side Attacks (Customer side attack)

Used to disrupt or detect attacks on Web site users.

Command execution (order execution)

The attack means of executing remote commands on the WEB site.

Information disclosure (Information exposure)

An attack method used to obtain specific system information for a WEB site.

Logical Attacks (logical attack)

an attack method used to disrupt or probe the logic flow of a WEB application.

You can access the organization's website at the following URL for more details: www.webappsec.org. You can also learn more about the Web security threat classification project through links in resources.

Open Web Application Security Project (OWASP), which is dedicated to discovering and addressing the root cause of unsafe Web applications. One of their most important projects is "Web application of the top ten security risks", summed up the current Web applications are the most commonly 10 kinds of attack methods, and according to the probability of the attack occurred in order. The goal of this project is to unify the most critical Web application security vulnerabilities in the industry and to enhance enterprise awareness of Web application security.

Figure 3:web Application of ten security risks

You can access the organization through the following URLs for more detailed information: www.owasp.org. You can also learn more about the Web app's top ten security risks project by linking in resources.

IBM Rational, a member of the two organizations mentioned above.

Common examples of Web app attacks

Among the top ten WEB Application security pitfalls listed by the OWASP organization, there are two of the most probabilistic attacks, namely, cross-site scripting attacks (Cross-site Scripting) and injection defects (injection Flaws). Here are some examples of how these two attacks are implemented.

1. Cross-site scripting attacks

First, take a look at the process of cross-site scripting, 4.

Figure 4: The process of cross-site scripting attacks

In, a malicious attacker (here using evil.org) sends a link of a bank's URL to the user via e-mail or HTTP (the bank is represented by bank.com), which is appended with a malicious script (step one); The user accesses the link sent to the bank's website, and The script embedded in the link is executed by the user's browser (step two or three), and all actions of the user on the bank's website, including the user's cookie and session information, are collected by the script and sent to a malicious attacker without the user's knowledge (step four); a malicious attacker who uses stolen Session information, disguised as the user, access to the bank website, illegal activities (step five).

Therefore, as long as the WEB application, there can be exploited by malicious attackers to execute scripts, there are great security implications. Hackers can allow users to execute the script they provide, can steal his personal information from the domain that the user is browsing, can completely modify the content of the page that the user sees, keep track of every action of the user in the browser, and even take full control of the user's machine with the flaw of the user's browser.

Currently, cross-site scripting attacks are the greatest security risk.

2. Injection defects

In the current WEB application, the vast majority of users will provide an interface for authorization, search, query information and other functions. For example, an online banking application, first there will be registered customers to authenticate the login interface, after the correct login, will provide more interactive functions, such as according to the customer's bank card number information, check the customer's recent transactions, transfer details and so on. These are the best use scenarios for injecting defects. The so-called injection defect is that in the above scenario, the data entered by the user is interpreted as part of the command and query and sent to the back-end interpreter for execution. If the user's input is normal and legitimate, the Web application will naturally return normal and reasonable results, but if a malicious attacker, using the input data can be executed in the background principle, rescue, using illegal input, fragile Web applications?

Let's take an example to illustrate how the injection defect is going to work. In a trading site, the user must enter the product ID number to view the product details. In order to implement this requirement, SQL statements are usually used to query the database for implementation. When writing an application, developers may use the following SQL statement for this purpose (just for example):

1)Select * from products where product_id = ` + 用户输入的 ID + `

The products here are the tables used in the database to store product information, and the + number indicates that the SQL statement needs to be spliced with the actual ID entered by the user. If the user enters 325, the statement is executed in the time-variant:

Select * FROM products where product_id = ' 325 '

The database returns the product information with ID 325 to the user.

2) in the interface, where the user is required to enter the product ID, the hacker will enter the following data:

' or ' 1 ' = ' 1

As you can see, the hacker did not enter a normal legal product number.

3) by hacking the illegal input, the SQL statement that needs to be executed becomes:

Select * FROM products where product_id = ' or ' 1 ' = ' 1 '

As can be seen, the meaning of the SQL statement completely changed, when the product ID is empty or 1=1, return the product all information, and 1=1 is always set up the condition, therefore, the hacker did not enter any product number, you can return to all products in the database details.

In this example, we can see that the injection of defects is a very high risk of security vulnerabilities, once the WEB application to provide users with the need for their input data interface, it is possible to be attacked, the background data is completely exposed to the user.

The above description of "cross-site Scripting attack" and "injection defect attack", is currently the highest proportion of WEB applications of the two attacks, according to the OWASP project sequencing, there are eight more risky attack methods:

• Malicious file execution (execution of malicious files);
• Insecure Direct Object Reference (unsafe directly referenced);
• Cross-site Request forgery (cross-site requests forgery);
• Information leakage and improper error handling (information leaks and incorrect error handling);
• Broken Authentication & Session Management (damaged authentication and session management);
• Insecure Cryptographic Storage (insecure password storage);
• Insecure Communications (unsecured communication);
• Failure to Restrict URL access (failed to restrict URL access)

Here, we will not discuss these security problems too much, you can use the links provided in section 3.1 to get more descriptive information.

Build a secure WEB application

Functionality and performance are often metrics that we measure whether the application meets demand, but security is also a necessary consideration for special application-web applications that are carriers for the Internet, with, Mao? If the security is lost, even if the function is complete, the performance of the reliable Web application, once attacked and destroyed by hackers, everything lost meaning. Therefore, enterprises, especially those providing WEB applications, must strengthen the importance of application security.

In view of the current low security of Web applications, IBM Rational proposes a solution to secure Web applications.

Strengthen the awareness of application safety

A fundamental, low-level strategic approach is to strengthen the application of corporate security awareness. As explained above, for the application, whether developers, testers, quality management personnel or project managers, business executives, will be more attention to its function and performance, which is due to the early application of the C/s architecture of the application, security issues are not prominent. But in today's environment, security has to be used as a basis for quality of application.

The features, ease of use, reliability, performance, and support in Figure 5 are the Furps quality models defined by the Rational Unified Process (RUP), which tells us that the quality of the application needs to be measured from these aspects, for WEB applications, Security must be used as the base condition for the quality model.

Figure 5: Quality model for WEB applications

In order to strengthen the application of safety awareness, it is necessary to implement safety requirements for each relevant role.

1) For demand analysis, designers, whether the product safety has taken into account the requirements of the product design, so as to ensure that in the early stages of the project, safety factors have been concerned;

2) for developers, in the application of identity authentication and other security functions, does not mean that in the programming has taken into account the application security, they must also master the WEB application security programming norms and other technologies;

3) for testers, verify the application of the Furps, can not guarantee that the product has security, but also need to use other tools or platforms, the application of security risks, automated scanning, to obtain a comprehensive security report;

4) for quality management personnel, product quality clearance, also does not mean that the product has been safe and reliable, they and testers, like the need to use tools to master the WEB application of comprehensive security risks summary and analysis.

Ensure security in the software development lifecycle with advanced tools

After the enterprise all has the application safety consciousness, must carry on the consciousness to the project the concrete work, in addition to requires everyone to have the rigorous earnest, unceasingly studies the attitude, also needs to use the advanced tool, to the development Web application to carry on the automated security hidden Trouble discovery, the analysis, the report, provides the repair opinion and so on work, Establish complete safeguards for manual inspection and automated tool coordination. IBM Rational AppScan is one such WEB application Automation Diagnostic Tool, which we introduce briefly below.

Rational AppScan, a black-box tool for automating security scanning of Web applications and Web Services, simplifies the process of discovering and repairing Web application security vulnerabilities (because these jobs have historically been done manually, with relatively high costs, But the efficiency is very low), but also can be based on the identified security risks, the proposed targeted repair recommendations, and can form a variety of compliance with regulations, industry standards of reports, to facilitate the relevant personnel to fully understand the security situation of enterprise applications. Figure 6 illustrates the various stages of the software development lifecycle that AppScan can assist in diagnosing security hazards.

Figure 6:appscan Support for the software development life cycle

1) Safety and security in the development process

AppScan DE (AppScan development) can be used as a plug-in for multiple platforms, including Eclipse, WebSphere, Visual Studio, JBuilder, to assist developers in self-security diagnostics of the modules they write. Figure 7 is an example of the use of AppScan DE as a Visual Studio plug-in.

Figure 7:appscan DE as a plugin for Visual Studio

2) Safety Assurance in the process of quality management

With the integration of Rational ClearQuest, AppScan can easily import discovered security risks into the change management platform, ensuring that every problem found is recorded and detailed to track their state changes throughout the repair process. As shown in 8.

Figure 8:appscan and Rational ClearQuest integration

In addition to Rational ClearQuest, AppScan can also be integrated with Mercury's quality Center.

3) security in the integration and release phases

In the integration and release phase, the application can be fully scanned using AppScan with a simple configuration, and the enterprise only needs to indicate the portal link for the Web app, and AppScan uses the Web crawling (crawling) technology to traverse all the links in the app that need to be tested. and send a variety of test parameters for each link, to diagnose its vulnerabilities can be exploited. Finally, the results are presented in front of the user. 9 is the result of a diagnosis of the sample site Http://demo.testfire.net.

From the results can be seen, the diagnosis of the total found 88 security risks, and according to the severity of the statistics. The middle of the diagnostic results shows the application structure scanned by AppScan, the number of vulnerabilities each module or link contains, and the severity of the vulnerability in the upper right to classify the vulnerabilities, and the bottom right of the results is explained for each of the hidden hazards, and the detailed repair suggestions are presented, as well as to identify the vulnerability , which test parameters are sent by AppScan, and so on.

Example of diagnostic results for figure 9:appscan

4) comprehensive analysis and reporting of diagnostic results

The Rational AppScan not only automates the scanning of WEB applications, points out the remediation of security vulnerabilities, but also provides a comprehensive understanding of the application security posture and compliance by using different industry standards and regulations to create targeted reports. 10, the image on the left is an industry standard report that AppScan can generate automatically, while on the right there are nearly 40 compliance reports, such as Saibans compliance.

Figure 10: Auto-generated industry standard report

Summary

Through the analysis of the present situation of Web application and the common example of Web application attack, we can see that the Web application on the Internet has great security hidden danger and risk, and the security protection of the Web application is urgent. IBM Rational AppScan, as an advanced Web application Automation Diagnostic tool, can help enterprises in the entire Web application development life cycle, the security awareness to the enterprise full of specific work, the efficient discovery of the application of security risks, give detailed repair recommendations, and generate a variety of industry standards and regulatory reports, has nearly thousands of successful cases around the world, is a complete, end-to-end Web application security solution, can really put the enterprise's Web application Security armor.

Reprinted from: http://www.ibm.com/developerworks/cn/rational/r-cn-appscan1/

Securing Web applications with Rational AppScan part 1th: Getting Started with web security and Rational AppScan