Technical Insight-Web Application Security

WhiteHat Certified Secure Developer Program Off to a Roaring Start

Earlier last week, WhiteHat’s Chief Scientist, Eric Sheridan, presented the first in a series of webinars geared towards training and certifying developers to be secure coders. Thus far, the response from developers to this program has been overwhelming, in terms of the number of registrants and very positive comments and feedback provided by webinar attendees. This illustrates the high demand and latent interest that exists in the developer community for foundational security training coupled with certification from a security industry leader, all free-of-charge.

Attendees were from companies of all sizes (e.g., 48% had greater than $1B in annual revenue, while 25% were from smaller organizations of $20M in revenue or less), multiple industries (e.g., 35% in professional, scientific and tech services and 19% in finance and insurance), and roles (ranging from software engineers – the majority – to director, VP and C-level executives).

In this webinar, Eric explained how hackers can exploit vulnerabilities in not only laptops and mobile phones, but also in virtually any device that is connected to the Internet (e.g., electric cars, TVs, and even refrigerators!). He then demonstrated how to actually perform a SQL injection attack using a tool called SQLmap, which enabled him to exploit a single vulnerability to show table names contained in a SQL database and ultimately print out sensitive information such as login usernames and passwords.

E-commerce Application Architecture Example

Eric then walked through an example architecture of a typical e-commerce application. He graphically showed the data flow of a cross-site-scripting (XSS) attack where hackers send malicious scripts through a front-end presentation layer to a service gateway and message queue, where they are stored on a product’s microservices server and then propagated back to the browsers of end users of that website, subjecting them to phishing attacks and malware downloads.

WCSD-Webinar
Stored Cross-Site-Scripting Example

 

The Best Ways to Secure Your Code at Scale

Perhaps the most compelling part of the webinar was when Eric outlined some of the techniques and tools that developers can use to write more secure code and prevent web app attacks with detailed explanations as to why things are done in a certain way. 

These include:

  1. Implementing secure design patterns that can mitigate common security vulnerabilities that may be found in your applications  
  2. Putting an emphasis on integrating security controls (i.e., special-purpose libraries for stopping an attack)
  3. Applying contextual output encoding using auto-encoding templating engines (e.g., JavaEE, Thymeleaf, ERB, Razor, etc.) that encode by default, in order to prevent cross-site-scripting attacks at scale.

Contextual output encoding encodes common characters to their inert equivalents prior to usage by an interpreter and applies the encoder based on the context in which data is consumed. That way malicious command characters injected by a hacker are simply rendered in a browser rather than interpreted as commands.

Eric demystified the intricacies of the various autocoding templates and showed a table which lists the autoencoding template technologies as well as the actual encoders that are available for each as listed in an OWASP XSS cheat sheet. He further explained that the encoding method that you use is highly dependent on where in the browser the untrusted data lands and that there are 4 to 5 rules that indicate which encoding method to use, based on the context where the data lands.

Throughout the webinar, Eric answered many questions from the audience. For example:

  • Would you consider Microsoft’s Anti-XSS library implemented as a generic http runtime encoder a good practice versus implementing contextually?
  • Does using strut tags to render data prevent XSS?
  • Apart from encoding, what other techniques are used to prevent XSS?

Check out all of our resources for DevSecOps here.

 

Tags: web application security