Automating TLS Configuration Verification on the Back-End of the Web Application Stack

Presented at AppSec USA 2017, Sept. 22, 2017, 2:30 p.m. (45 minutes)

Best practices for HTTPS deployment have been steadily improving over the past decade. TLS usage on web servers has been steadily increasing, and there are dozens of tools (O-Saft being the most popular) now available to test the correctness of the TLS configuration of a front-end web server. All good news. But what about the other services and protocols used in a web application stack? What about the connection between the web application server and the backing data store? Unfortunately, the state of the art regarding proper TLS configuration in popular databases has not progressed as quickly as it has for HTTPS.

Virtually all important data sent between a client and a web application will also be sent between the application server and its backing data store. The network IS hostile, and any connection to the backing data store of a web application needs to have the same level of network confidentiality and integrity as the front-end client connection.

This talk will look at the current TLS capabilities of popular web application data stores (MySQL, PostgreSQL, and MongoDB), covering both the most recent versions and the most widely deployed versions. We'll discuss best practices for defining TLS configuration within these data stores, which are somewhat different from HTTPS, and improvements the presenter has made to tools to help verify proper server-side TLS configuration. Finally, with these new tools we'll survey actual TLS configurations of publicly connected data stores to determine adherence to best practices in the wild.
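As an added example (not the presenter's tool and not code from this talk), the probe below shows one concrete way a data store's TLS handling differs from HTTPS: PostgreSQL opens in cleartext and upgrades to TLS only after an in-band SSLRequest message, so an HTTPS scanner pointed at the database port sees no TLS at all. The probe performs that upgrade itself and grades the negotiated protocol version against an assumed TLS 1.2+ policy; the host, port and policy are assumptions, not values from the page.

```python
import socket
import ssl
import struct
from typing import Optional

# PostgreSQL's SSLRequest: int32 length (8) followed by the request code
# 80877103 = (1234 << 16) | 5679. The server replies with one byte:
# 'S' (TLS accepted, handshake may start) or 'N' (TLS refused).
PG_SSLREQUEST_CODE = 80877103

# Assumed local policy (not from the talk): only TLS 1.2 and 1.3 are acceptable.
ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}

def build_ssl_request() -> bytes:
    """Return the 8-byte SSLRequest packet in network byte order."""
    return struct.pack("!II", 8, PG_SSLREQUEST_CODE)

def interpret_ssl_response(reply: bytes) -> bool:
    """Map the server's one-byte answer to True (TLS offered) or False (refused)."""
    if reply == b"S":
        return True
    if reply == b"N":
        return False
    raise ValueError(f"unexpected SSLRequest reply: {reply!r}")

def evaluate(tls_offered: bool, version: Optional[str], cipher: Optional[str]) -> dict:
    """Grade a probe result against ACCEPTED_VERSIONS; findings explain failures."""
    findings = []
    if not tls_offered:
        findings.append("server refuses TLS (SSLRequest answered 'N')")
    elif version not in ACCEPTED_VERSIONS:
        findings.append(f"negotiated {version}; policy requires TLS 1.2 or later")
    return {"tls_offered": tls_offered, "version": version, "cipher": cipher,
            "compliant": not findings, "findings": findings}

def probe_postgres_tls(host: str, port: int = 5432, timeout: float = 5.0) -> dict:
    """Connect in cleartext, request the TLS upgrade, then inspect the session."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_ssl_request())
        if not interpret_ssl_response(sock.recv(1)):
            return evaluate(False, None, None)
        # Inspection only: verification is disabled so a self-signed or
        # misissued certificate is reported rather than aborting the probe.
        # A production client must leave verification on.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return evaluate(True, tls.version(), tls.cipher()[0])
```

Run `probe_postgres_tls("db.example.internal")` against a database you administer; a result with `tls_offered` False means the server will accept cleartext sessions regardless of what the application requests.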

Presenters:

  • Steven Danneman - Security Engineer - Security Innovation
    Steven Danneman is a Security Engineer at Security Innovation in Seattle, WA, making application software more secure through targeted penetration testing. Previously, he led the team responsible for all authentication and identity services development within the OneFS operating system. Steven has a history of experience in storage, storage protocols, and implementation of the server side of the client-server relationship. Steven received a B.S. in Computer Science from the University of Washington.
