Speaker: Kenneth Van Wyk
Today's web-based software applications have grown substantially in importance over those of just a few years ago. As a result, the impact of security failures has increased commensurately, often with potentially large-scale financial impact to the enterprise. Yet security failures still occur, often in spectacular ways.
A common failing occurs in how enterprise software interacts with security infrastructures, from enterprise event logging through intrusion detection and prevention systems. These security facilities frequently go untouched by application developers, leaving security staff to seek bolt-on solutions to application-layer security issues.
In this session, a common web application user interface component known as a servlet is examined and enhanced to build a web app example that is not only secure against attack, but able to stand up to the rigors of a modern enterprise computing environment. A simple, highly vulnerable servlet is first examined and discussed as a case study, with particular attention paid to some of today's most prevalent web-based attacks such as SQL injection and cross-site scripting. First, security features are added to the servlet to provide defense against these most common attacks (e.g., the OWASP Top 10 2010). Next, enterprise event logging is added, with the use cases of the CSIRT specifically in mind. Finally, the servlet is enhanced to take evasive actions when attacks are detected, based on policies set by the CSIRT and/or CISO staff.
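The three enhancements the session walks through (defensive input handling and output encoding, CSIRT-oriented event logging, and policy-driven evasive action) can be seen together in a single servlet. The class below is an added illustration written for this page, not the speaker's case-study code; the class name, the `jdbc/accounts` JNDI name, the `accounts(id, name)` table, the `security.events` logger name and the rejection threshold of 5 are all assumptions chosen for the example.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

// Added example, not the talk's own code. The vulnerable "before" version of such a servlet
// would concatenate the request parameter into the SQL string and echo the DB value unescaped.
public class AccountLookupServlet extends HttpServlet {
    private static final Logger SECURITY_LOG = Logger.getLogger("security.events"); // assumed name
    // Allowlist: account identifiers are short numeric strings; anything else is rejected.
    private static final Pattern ACCOUNT_ID = Pattern.compile("[0-9]{1,12}");
    // Assumed policy value: after this many rejected requests from one source, refuse further ones.
    private static final int MAX_REJECTIONS = 5;
    private final Map<String, Integer> rejectionsBySource = new ConcurrentHashMap<>();
    private DataSource dataSource;

    @Override
    public void init() throws ServletException {
        try {
            // Assumed JNDI resource name; the container supplies the pooled DataSource.
            dataSource = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/accounts");
        } catch (NamingException e) {
            throw new ServletException("datasource lookup failed", e);
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String source = req.getRemoteAddr();
        // Evasive action: a source that has exceeded the rejection policy is refused outright.
        if (rejectionsBySource.getOrDefault(source, 0) >= MAX_REJECTIONS) {
            logEvent("BLOCKED", source, req.getRequestURI(), "rejection threshold exceeded");
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String accountId = req.getParameter("accountId");
        // Input validation: the allowlist stops SQL metacharacters before they reach the query.
        if (accountId == null || !ACCOUNT_ID.matcher(accountId).matches()) {
            rejectionsBySource.merge(source, 1, Integer::sum);
            logEvent("INPUT_REJECTED", source, req.getRequestURI(), "accountId failed allowlist");
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        String name;
        try (Connection c = dataSource.getConnection();
             // Parameterised query: the value is bound, never concatenated into the SQL text.
             PreparedStatement ps = c.prepareStatement("SELECT name FROM accounts WHERE id = ?")) {
            ps.setLong(1, Long.parseLong(accountId));
            try (ResultSet rs = ps.executeQuery()) {
                name = rs.next() ? rs.getString("name") : null;
            }
        } catch (SQLException e) {
            logEvent("DB_ERROR", source, req.getRequestURI(), e.getClass().getSimpleName());
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        resp.setContentType("text/html;charset=UTF-8");
        try (PrintWriter out = resp.getWriter()) {
            // Output encoding: data read back from the database is escaped before it enters HTML.
            out.println("<p>Account: " + htmlEscape(name == null ? "not found" : name) + "</p>");
        }
        logEvent("LOOKUP", source, req.getRequestURI(), "accountId=" + accountId);
    }

    // Minimal HTML escaping for text nodes; '&' must be replaced first.
    static String htmlEscape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    // One-line key=value records are easy for a SIEM or CSIRT pipeline to parse; the free-text
    // detail is sanitised so a crafted value cannot inject line breaks and forge a second record.
    private static void logEvent(String event, String source, String uri, String detail) {
        SECURITY_LOG.warning("event=" + event + " src=" + source + " uri=" + uri
                + " detail=\"" + detail.replaceAll("[\\r\\n\"]", "_") + "\"");
    }
}
```

Deployed behind any Servlet 3.x container, the `INPUT_REJECTED` and `BLOCKED` events give the CSIRT a signal that is tied to the application's own notion of bad input rather than to a network-layer guess, and the threshold constant is the natural place to hang a policy value set by CSIRT or CISO staff. The in-memory counter is per-instance and never decays; a production version would back it with a shared store and a time window.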
By highlighting these building blocks in source code case studies, we clearly illustrate the urgent need for close collaboration among the CSIRT, software development, and business staff.