Auditing Web Applications
NSAA Information Technology Workshop and Conference
September 24, 2019
Gina Alvarado, IT Auditor, Office of the Auditor General (AZ)
Sajay Rai, President and CEO, Securely Yours LLC

Auditing Web Applications – Outline
- Arizona audit plan
- Web application testing and web application development
- Recommendations/common findings
- Secure coding standards
- Case study

Arizona Auditor General
- 207 staff
- Financial, federal and performance audits
- State agency, school district, university, county, boards and commissions audits
- In FY 2018 issued over 200 reports: 104 performance audits/follow-ups of state agencies and school districts, 7 financial investigations and alerts, 47 financial and federal compliance audits, 54 accountability reviews, 5 special audits/reviews
- Information Technology Audit Team: 1 audit manager, 6 IT auditors
Arizona – Experience
- Auditing and reporting on web application issues since 2006
- Varied practices by IT audit:
  - Have scanned, tested, and exploited web applications
  - Worked with various IT consultants via an RFP process
  - Also worked without IT consultants

Arizona – common security tools
- Security audit machines
- Burp Suite
- NMAP
- Nessus
- Metasploit
- Qualys SSL Scan

Arizona – training
- Training from consultants during audit engagements
- SANS trainings
- Cybrary cybersecurity trainings and labs
- Hands-on team exercises and hackathons
- Arizona Cyber Warfare Range
- Hacksplaining
- Scan our own network monthly
Audit Planning
First decide the depth of the web app auditing:
- Scan and provide results
- Test and analyze the likelihood of an exploit
- Manual testing

Audit Planning – root cause
Consider the root cause: what processes might contribute to vulnerabilities identified in scanning and testing? We might consider other IT areas such as:
- Web application development
- Vulnerability management
- Patch management
- Configuration management

Audit Plan Objectives
Objective: Web application testing. Perform web app scanning and security testing of the entity's mission-critical applications using a risk-based approach.

Arizona – Audit Methodology
- Step 1: Gather information
- Step 2: Define testing parameters
- Step 3: Perform reconnaissance
- Step 4: Perform scanning and testing
- Step 5: Communicate testing results and issues
- Step 6: Assess and document best practices, cause, and effect
Gather Information
Ask the entity to fill out an application inventory spreadsheet. The inventory:
- Identifies the entity's mission-critical applications
- Includes web and non-web-based applications
- Provides key information about each application: description, type of data stored/processed, number of users, how the application was developed, size of the application, IP address

Define Testing Parameters
Select web applications using a risk-based approach. Factors to consider:
- Sensitive data stored or processed in the application
- Accessibility (internet accessible vs. internally accessible)
- Number of dynamic pages and number of users
- Purpose of the application and how it ties into other audit objectives
- Input from the entity

Define Testing Parameters
Fill out the Security Testing Notification Letter. It provides notification of our activities and defines the technical logistics:
- Necessary access
- Technical point of contact
- Service degradation and/or interruption
- Scanning and testing period
- Confidentiality of scanning and testing results
- Examples of tests to be performed and tools to be used
- Scope of testing (IP ranges)

Perform Reconnaissance
- Perform a discovery scan of the external-facing IP range; it discovers live hosts, open ports, and services running on those hosts
- Compare the results of the discovery scan to the IP addresses in the application inventory
- For all IP addresses not in the application inventory, follow up with the entity
- Common tools: NMAP, Nessus
NMAP – Host Discovery

nmap -sn -n -v -oA outputfile -iL inputfile.txt

- -sn instructs NMAP to not perform a port scan
- -n instructs NMAP to not resolve any DNS names
- -v instructs NMAP to increase verbosity during the scan
- -oA instructs NMAP to export the scan in normal, XML, and grepable format
- -iL instructs NMAP to scan all IP addresses listed in the specified file
NMAP Reference Guide – nmap.org
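The reconnaissance step above ends with comparing the discovery scan against the application inventory and following up on anything the entity did not declare. The following is an added example of that comparison and is not code from the presentation: it parses the grepable (`-oG`, one of the three formats `-oA` writes) output of the host-discovery command, matches the live addresses against an inventory of application-to-address entries, and sorts them into the buckets an auditor needs. The scan output, the inventory, the application names and all addresses are constructed sample data in the 192.0.2.0/24 documentation range.

```python
"""Reconcile nmap host-discovery results with the application inventory.

Added example for the reconnaissance step; not code from the presentation.
The grepable output and the inventory are constructed sample data, and all
addresses are documentation-range placeholders (192.0.2.0/24).
"""
from __future__ import annotations

import ipaddress
import re

# Constructed sample of what `nmap -sn -n -v -oG outputfile.gnmap -iL inputfile.txt`
# writes: comment lines plus one "Host:" line per address. The parentheses hold
# the reverse-DNS name, which is empty here because -n disables resolution.
SAMPLE_GREPABLE = """\
# Nmap 7.80 scan initiated Tue Sep 24 09:00:00 2019 as: nmap -sn -n -v -oG outputfile.gnmap -iL inputfile.txt
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.12 ()\tStatus: Down
Host: 192.0.2.20 ()\tStatus: Up
Host: 192.0.2.21 ()\tStatus: Up
# Nmap done at Tue Sep 24 09:00:05 2019 -- 5 IP addresses (4 hosts up) scanned in 5.01 seconds
"""

# Constructed inventory in the spirit of the spreadsheet the entity fills out:
# application name -> IP address (or CIDR range) it is hosted on.
SAMPLE_INVENTORY = {
    "Permit Portal": "192.0.2.10",
    "Payroll Web": "192.0.2.11",
    "Legacy Intranet": "192.0.2.12",
}

HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Status:\s+(\w+)")


def live_hosts(grepable: str) -> set[str]:
    """Return every address the discovery scan reported as Up."""
    hosts: set[str] = set()
    for line in grepable.splitlines():
        m = HOST_LINE.match(line)
        if m and m.group(3) == "Up":
            hosts.add(m.group(1))
    return hosts


def _owner(ip: str, inventory: dict[str, str]) -> str | None:
    """Name of the inventoried application whose address/range covers ip, or None."""
    addr = ipaddress.ip_address(ip)
    for app, target in inventory.items():
        if addr in ipaddress.ip_network(target, strict=False):
            return app
    return None


def reconcile(grepable: str, inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split discovery results into the three buckets the audit step needs:
    live hosts covered by the inventory, live hosts nobody declared (follow up
    with the entity), and single-host inventory entries that did not answer."""
    up = live_hosts(grepable)
    by_ip = ipaddress.ip_address
    result = {
        "inventoried_live": sorted((ip for ip in up if _owner(ip, inventory)), key=by_ip),
        "not_in_inventory": sorted((ip for ip in up if not _owner(ip, inventory)), key=by_ip),
        "inventoried_not_live": [],
    }
    for target in inventory.values():
        net = ipaddress.ip_network(target, strict=False)
        # An inventoried host that never answered is worth a follow-up too.
        if net.num_addresses == 1 and str(net.network_address) not in up:
            result["inventoried_not_live"].append(str(net.network_address))
    result["inventoried_not_live"].sort(key=by_ip)
    return result


if __name__ == "__main__":
    for bucket, ips in reconcile(SAMPLE_GREPABLE, SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(ips) or '-'}")
```

With the constructed data, 192.0.2.20 and 192.0.2.21 answer the scan but appear nowhere in the inventory, which is exactly the list to take back to the entity; 192.0.2.12 is declared but silent, which may simply mean ICMP/SYN probes are filtered, so it is reported separately rather than dropped.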
Nessus – Discovery Scan
Nessus – Discovery Scan Results
Nessus – Discovery Scan Results (sample row)
Plugin ID: 10180
Host: 111.11.11.01
Protocol: tcp
Name: Ping the remote host
Plugin Output: The remote host is up. The remote host replied to a TCP SYN packet sent to port 443 with a SYN, ACK packet.

Perform Reconnaissance
- Identify and research potential vulnerabilities
- Query service versions/configurations of the entity's infrastructure
- Cross-reference services and versions to vulnerabilities to identify exploitable conditions
- Common security tools we use: Qualys SSL Server Test, Exploit-DB/SearchSploit, Common Vulnerabilities and Exposures (CVE) listing, Security Headers scan

Qualys SSL Server Test – www.ssllabs.com/ssltest/
Qualys SSL Server Test
Qualys SSL Test – detailed results
Scanning and Testing – getting started
Before starting scanning or testing:
- Update and configure all scanners and security tools
- Remind the web application owners of the testing windows
- The entity should take necessary precautions to avoid unexpected outages
- The entity should not make any changes to the application during the testing window
- Email the entity at the start and end of testing each day

Perform Web Application Scanning
Web application scanning uses automated scanners to crawl a website to identify vulnerabilities.
- Common web application scanners: Burp Suite, Nessus, Nexpose
- Evidence and documentation: Burp Suite issues report, screenshots, screen capture videos
- Keep an open eye for any strange behaviors or issues

Perform Web Application Testing
Web application testing means simulating attacks on a web application to exploit identified vulnerabilities.
- Once a vulnerability is found, continue to test for that vulnerability in other areas of the application
- Common web application testing tools: Burp Suite, Metasploit, Nikto, Responder
- Guidance: OWASP Testing Guide

Communicate Testing Results
- Communicate the testing results as soon as possible
- Share vulnerabilities discovered on specific applications
- Schedule a meeting to discuss testing results verbally
- Share the detailed testing reports
- Recommend remediation solutions, when possible

Arizona – challenges
- Getting the notification letter signed
- Lack of a non-production environment for testing
- Sharing the testing results verbally
- Reporting testing issues in a public report
Root Cause of Vulnerabilities (diagram): Web Application Vulnerability at the center, with Patch Management and Web Application Development shown as contributing areas.

Vulnerability Management
Cycle: Scanning, Penetration Testing, Remediation or Risk Acceptance
- Review the entity's vulnerability management policies and procedures
- Conduct interviews about the entity's processes
- Perform vulnerability management remediation testwork

Missing vulnerability management components may have contributed to auditors' ability to identify and exploit vulnerabilities.

Web App Development Auditing
- Review the entity's policies and procedures
- Interview web app developers and make observations
- Tie in web application testing results
- Summarize the entity's efforts

Web App Development Criteria
When developing web applications, organizations should:
1. Gather security requirements
2. Use up-to-date secure coding standards
3. Perform threat modeling during development
4. Review source code
5. Perform security testing before releasing a web application to the live environment
6. Provide role-based training to web application developers

Web App Development Best Practices
- Open Web Application Security Project (OWASP): OWASP Testing Guide, OWASP Code Review Guide, OWASP Top 10 – 2017, OWASP Top 10 Proactive Controls
- National Institute of Standards and Technology (NIST): NIST Special Publication 800-53 revision 4 (AT-3)

Lack of some web app security components may have contributed to auditors' ability to identify and exploit vulnerabilities.
Recommendations
Auditing Web Applications
NSAA Information Technology Workshop and Conference, Grand Rapids
September 24, 2019
Sajay Rai, CPA, CISSP, CISM
sajayrai@securelyyoursllc.com
248-723-5224

Web Application Risks & Vulnerabilities

Web Application Risks

Why Web Application Vulnerabilities Occur
The Web Application Security Gap
Security Professionals Don't Know The Applications:
"As a Network Security Professional, I don't know how my company's web applications are supposed to work, so I deploy a protective solution but don't know if it's protecting what it's supposed to."
Web Application Developers Don't Know Security:
"As an Application Developer, I can build great features and functions while meeting deadlines, but I don't know how to develop my web application with security as a feature."

Web Application Vulnerabilities
"If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization." - Weinberg's Second Law
Web Application Vulnerabilities
Web application vulnerabilities occur in multiple areas.
- Administration: Extension Checking, Common File Checks, Data Extension Checking, Backup Checking, Directory Enumeration, Path Truncation, Hidden Web Paths, Forceful Browsing
- Platform: Known Vulnerabilities in Operating Systems, Databases, and supporting infrastructure
- Application: Application Mapping, Cookie Manipulation, Custom Application Scripting, Parameter Manipulation, Reverse Directory Traversal, Brute Force, Cookie Poisoning/Theft, Buffer Overflow, SQL Injection, Cross-site scripting

Web Application Vulnerabilities – Application Programming
- Application: Application Mapping, Cookie Manipulation, Custom Application Scripting, Parameter Manipulation, Reverse Directory Traversal, Brute Force, Cookie Poisoning/Theft, Buffer Overflow, SQL Injection, Cross-site scripting
- Common coding techniques do not necessarily include security
- Input is assumed to be valid, but not tested
- Unexamined input from a browser can inject scripts into a page for replay against later visitors
- Unhandled error messages reveal application and database structures
- Unchecked database calls can be 'piggybacked' with a hacker's own database call, giving direct access to business data through a web browser

Secure Coding Standards
Secure coding refers to the practice of building software with a high level of security and quality. Building such software requires:
- Understanding common software weaknesses that lead to security vulnerabilities
- Following secure coding standards and practices
- Performing in-depth code reviews
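Three of the application-programming problems listed above (input assumed valid but not tested, database calls that can be piggybacked, and unhandled error messages that reveal database structure) can be shown side by side in a few lines. The example below is added here and is not code from the presentation or from the lab application: it builds a constructed in-memory SQLite table and implements the same lookup twice, once the way the slide describes the problem and once with the controls a secure coding standard would require. The table name, column names and account rows are placeholders.

```python
"""Vulnerable and hardened versions of a database lookup.

Added example, not code from the presentation or from the lab application.
It illustrates three coding problems named on the slide (untested input,
piggybacked database calls, unhandled error messages) using a constructed
in-memory SQLite table; table, column and account names are placeholders.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("alice", "alice@example.org", "user"), ("bob", "bob@example.org", "admin")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """'Before': the browser-supplied value is pasted into the SQL text.
    The input is never checked, so quote characters in it become part of the
    query (the 'piggybacked' call from the slide), and any SQL error propagates
    unhandled to the page handler, where it is typically shown to the user."""
    query = f"SELECT username, email FROM accounts WHERE username = '{username}'"
    return conn.execute(query).fetchall()


# Allow-list for usernames: the application defines what valid input looks like
# and rejects everything else before it reaches the database.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def lookup_hardened(conn: sqlite3.Connection, username: str) -> dict:
    """'After': validate the input, bind the value as a query parameter so the
    database never parses it as SQL, and never surface the database's own
    error text to the client."""
    if not USERNAME_RE.fullmatch(username):
        return {"ok": False, "error": "invalid username"}
    try:
        rows = conn.execute(
            "SELECT username, email FROM accounts WHERE username = ?", (username,)
        ).fetchall()
    except sqlite3.Error:
        # Record the real exception in the server-side log; the client gets a
        # generic message that reveals nothing about tables or columns.
        return {"ok": False, "error": "lookup failed"}
    return {"ok": True, "rows": rows}


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR 'a'='a"  # constructed input that contains SQL syntax
    print("vulnerable:", lookup_vulnerable(db, crafted))  # every account row
    print("hardened:  ", lookup_hardened(db, crafted))    # rejected at validation
```

The hardened version applies the controls in layers: the allow-list stops the crafted value at the edge, the bound parameter means that even a value which passes validation can only ever be compared as data, and the generic error keeps a code reviewer from having to worry about what an unexpected database message would disclose. Whichever layer a reviewer is looking at, each is checkable on its own.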
Open Web Application Security Project (OWASP)

OWASP
OWASP provides the following:
- Application security tools and standards
- Complete books on application security testing, secure code development, and secure code review
- Presentations and videos
- "Cheat sheets" on many common topics
- Standard security controls and libraries
- Local chapters
- Cutting-edge research
- Conferences and education

OWASP – Top 10 Vulnerabilities
1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging and Monitoring
OWASP – 1. Injection

OWASP – 2. Broken Authentication

OWASP – 3. Sensitive Data Exposure

OWASP – 4. XML External Entities (XXE)

OWASP – 5. Broken Access Control

OWASP – 6. Security Misconfiguration

OWASP – 7. Cross-Site Scripting (XSS)

OWASP – 8. Insecure Deserialization

OWASP – 9. Using Components with Known Vulnerabilities

OWASP – 10. Insufficient Logging & Monitoring

OWASP Learning Tool – Juice Shop
https://sy-juice-app.herokuapp.com/#/
Help with understanding the Juice Shop h
Securing Web Applications - WAF
How does the user transmit / receive data?
- WAF works at Layers 5-7
- Normal F/W works at Layer 3 or 4

How does the user transmit / receive data?

Web Application Firewalls

Web Application Firewalls – How does it work?
https://www.youtube.com/watch?v p8CQcF 928027

Auditing Web Applications – Guidelines and Demos

Audit Guidelines
- Source code scan (as part of the contract if the application is outsourced)
- Vulnerability scan of the URL
- Credentialed internal scan
- Penetration testing
Lab/Demo 1 – Vulnerability Scan
1. The website (URL: http://52.38.65.32/ ) never went through proper vulnerability scanning. This is one of the external-facing web applications.
2. The IT department would like you to perform a vulnerability scan on the URL and determine if there are any security risks. Use any vulnerability scanning tool you wish: for example, "OWASP ZAP (Zed Attack Proxy)", which can be found in Kali Linux or downloaded oads” (Please note that it is illegal to scan any website without prior authorization. We have given you the authorization to only scan this URL. Please do not use this tool to scan other websites prior to approval from the owners of the websites.)
3. Be prepared to discuss the experience with others.

Lab/Demo 2 – Source Code Scan
We have installed a free source code scan software .amazonaws.com/rips-0.55/rips-0.55/
The source code is at: /inetpub\wwwroot\index.php
Good version: the source code is at: /inetpub\wwwroot\index2.php