Secure Coding

MicroCourse
Time
9 hours 31 minutes
Difficulty
Beginner
CEU/CPE
3

Video Description

This lesson starts out with the definition of sensitive data. Many web applications do not properly protect sensitive data such as credit card information and social security numbers, which makes it easy for attackers to steal a person's information to commit fraud and other crimes. Its exploitability is rated difficult, and the most common flaw in this area is the lack of data encryption. This lesson also discusses unprotected passwords, e.g., passwords used by users and passwords used by applications. In addition, this lesson covers data leakage through memory compiler settings and through logging, which means never logging sensitive information without masking it. Participants get to see a non-compliant code example that leaks the IP address of a remote client in the event of an exception. Finally, participants learn about a case study involving a particular web site, PlainTextOffenders.com, which alerts end users about web sites where password information is not being hashed in the database, making it vulnerable and easy to lift.
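The lesson's logging point, that sensitive data should be masked before it reaches a log, as an added Python example that is not part of the course material: a logging filter that redacts the data types the description names (IP addresses, card numbers, SSNs, e-mail addresses). The regular expressions, masking conventions and sample values are constructed for this example.

```python
"""Added example (not the course's code): mask sensitive fields before
they reach a log sink. Patterns and sample values are constructed here."""
import io
import logging
import re

# Data types the lesson names: IP addresses, card numbers (PCI DSS),
# Social Security numbers (PII) and e-mail addresses used as user names.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PAN_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{1,4}\b")  # 13-16 digits in 4-groups
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

def _mask_ip(m):
    a, b, _, _ = m.group(0).split(".")  # keep the network part only
    return f"{a}.{b}.x.x"

def _mask_pan(m):
    digits = re.sub(r"\D", "", m.group(0))  # PCI DSS: show at most last 4
    return "*" * (len(digits) - 4) + digits[-4:]

def mask(text):
    """Return text with every recognised sensitive field redacted."""
    text = IPV4_RE.sub(_mask_ip, text)  # IPs first so octets never join a PAN
    text = PAN_RE.sub(_mask_pan, text)
    text = SSN_RE.sub(lambda m: "***-**-" + m.group(0)[-4:], text)
    return EMAIL_RE.sub(lambda m: m.group(0)[0] + "***@" + m.group(0).split("@", 1)[1], text)

class MaskingFilter(logging.Filter):
    """Mask the rendered message so no handler can emit the raw values."""
    def filter(self, record):
        record.msg = mask(record.getMessage())
        record.args = None  # already interpolated above
        return True

def logged_with_mask(message, *args):
    """Emit one record through a masked logger; return what the handler wrote."""
    stream = io.StringIO()
    log = logging.getLogger("masked-demo")
    log.handlers.clear()
    log.propagate = False
    handler = logging.StreamHandler(stream)
    handler.addFilter(MaskingFilter())
    log.addHandler(handler)
    log.error(message, *args)  # the kind of exception-path log call the lesson shows
    return stream.getvalue().rstrip("\n")

if __name__ == "__main__":
    print(logged_with_mask("lookup failed for client %s", "203.0.113.42"))
    print(mask("card 4111 1111 1111 1111 for alice@example.com, SSN 078-05-1120"))
```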

Video Transcription

00:04
Hello and welcome to the Cybrary Secure Coding course. My name is Sonny Wear, and this is OWASP Top 10 for 2013, A6: Sensitive Data Exposure. So first, let's take a look at our definition.
00:19
Many Web applications do not properly protect sensitive data.
00:24
Now, examples of sensitive data can include, but are not limited to, credit card numbers, SSNs, authentication credentials. And so when they don't protect these sensitive data elements or fields with appropriate encryption or hashing,
00:42
attackers can then steal or modify
00:46
this data and, of course, conduct identity theft, credit card fraud and other crimes.
00:53
Now, if we take a look at our OWASP chart for A6 Sensitive Data Exposure, we can see that the attack vector exploitability is difficult
01:04
and that the technical impacts or business impacts are very severe. Now, if we take a look at the description for the security weakness, it says, the most common flaw in this area is simply not encrypting data
01:21
that deserves encryption.
01:23
When encryption is employed, unsafe key generation and storage, not rotating keys, and weak algorithm usage is common.
01:34
Use of weak or unsalted hashes to protect passwords is also common.
01:40
External attackers have difficulty detecting such flaws due to limited access;
01:48
they usually must exploit something else first,
01:51
to gain the needed access. We're gonna describe in more detail some of these actual scenarios, as well as a better understanding of the difference between
02:02
using encryption algorithms and hashing functions. So first, let's talk about unprotected passwords. Now there are passwords that are used for different purposes. There are, of course, passwords that are used by users in order to log into an application.
02:22
And then there are passwords that are used by applications to actually connect to other systems, usually databases. So if we first take a look at the passwords used by users,
02:37
these passwords should always be hashed
02:40
when they're stored in the database.
02:44
Now a hash is a one-way encryption,
02:47
and it is not reversible, and it also needs to have something called a salt. So a salt is some sort of piece of randomness that is added to the hashing function
03:02
in order to strengthen the algorithm.
03:07
And so the salt is usually added with the password that you're going to hash
03:13
and then together that information is stored securely in the database. And there's a lot of reasons for this. The main reason is so that programmers or system people or whomever cannot just see somebody's password, right. So it protects the user's password
03:31
from actually being seen by unauthorized eyes.
03:37
Now, in the case of passwords that are used by applications,
03:40
these actually do need to be reversible. And so these passwords generally will use some sort of symmetric algorithm. They'll actually use encryption algorithms in order to be encrypted and decrypted.
03:58
Now, applications that connect to databases or other back-end systems
04:02
use some sort of account ID, and they have a password. A lot of times this information can be stored inside of configuration files.
04:14
It's very important that they are not stored in clear text. Obviously, this exposes the sensitive information,
04:21
and it makes it much easier for an attacker that is able to sniff, let's say, on an unencrypted line
04:31
to sniff that password and be able to connect to the database.
04:36
Now, another area where we could have a problem with exposing sensitive data is data leakage through memory compiler settings. And really, this is
04:48
to address any kind of memory leakage issues where data could be exposed.
04:56
So in this particular example, we're looking at some C code,
05:00
and the use of memset here
05:03
with an optimized compiler setting will actually leave the buffer as dead code.
05:13
Now, that could be a problem, because that dead code is left resident in memory.
05:18
And so if an attacker were able to sniff
05:24
information or ran a debugger on this process, you would very easily be able to see
05:30
any kind of sensitive data that could have been, maybe in a transaction. Maybe it was a credit card transaction or something like that. And so the contents of that buffer would still be viewable. Now, another area that programmers may forget is logging.
05:48
So from the CERT secure coding standard, we're looking at this rule, and it basically states: do not log sensitive information outside a trust boundary.
06:01
I'm actually gonna take that one step further
06:04
to say that you should never log sensitive information, and if you do, you should mask it in some way. If you need that piece of information for
06:16
troubleshooting purposes, client assistance purposes, then make sure that that information is properly masked. Sensitive data can be a number of different things. As you'll see in the demos, it can include IP addresses, maybe of
06:34
remote client connections that come in.
06:36
It could include, of course, user names and passwords,
06:41
e-mail addresses. Now that's an interesting one, because we probably normally don't think of our e-mail addresses being sensitive. But
06:48
if it's being used for the user name,
06:53
then certainly that could make it sensitive. And also,
06:58
if it's being used
07:00
for, say, a password reset type function.
07:03
And so it's important that that information get protected. And that, of course, any credit card information,
07:11
whether it's the credit card number, the expiration date, et cetera, all of those types of fields which fall under PCI DSS regulation also must be protected.
07:20
In the realm of personally identifiable information, or PII, we have things like Social Security numbers, driver's license numbers, passport numbers, et cetera,
07:31
fields that uniquely identify you. And so, if those are stolen, of course, you could be susceptible to identity theft. Now, in our noncompliant example that we have here,
07:46
we can see that
07:46
in this try catch block,
07:49
there is a remote IP address that is captured from
07:56
InetAddress.getByName.
08:00
And if there's some sort of exception,
08:03
then that actual machine's host address is then logged. This has the potential of exposing sensitive data, namely the IP address of our remote client.
08:16
Now, in this compliant example,
08:18
we can see that the programmer is only going to log information that's captured in the SecurityException class itself.
08:26
Now realize that that class, of course, has to also not be written to log the sensitive data. So I'm making this compliant contingent upon the custom class not logging any sensitive information.
08:43
Now our case study is on an interesting website
08:48
that is plaintextoffenders.com.
08:52
Basically, this is a website that alerts end users of various sites where password information is not being hashed in the database, and this is made known because
09:09
when the user goes to maybe reset their password or they forgot their password or something like that,
09:16
the actual password is e-mailed back to the user.
09:20
So that tells you that
09:22
either they're not hashing the password, leaving it in plain text, or they're using an encryption algorithm that is reversible and so they are decrypting it. But either way it could have a memory exposure. It could also,
09:41
of course, being sent through e-mail, be very easily lifted
09:46
in various e-mail web accounts. And so this is a very good example of sensitive data exposure.
09:54
Now let's move to the demo portion of our modules.