Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
OWASP Asia Pacific Conference 2008
Business Risk & Compliance Considerations for Application Security
Malathi Carthigaser
Principal Consultant
b-sec Consulting
[email protected]
+61 3 9682 0233
28th February 2008
What will this talk cover?
Drivers to App Sec Requirements and Controls:
Business Risk
Compliance Considerations
Common Problems due to risk management process failures (b-sec Consulting observations)
How will this talk help you?
Awareness of common problems
Assessment of all risks
Addressing risks appropriately
Business Risks and Application Security
“In 2005 and 2006 alone, over 100 million private records were reported stolen from American businesses; a significant portion (65 percent) of which was compromised as a direct result of a software breach.”
“The Case for Application Security”, Fortify Software
Security Breach – Financial Costs
[Chart: average cost of a data breach involving 20,000 to 30,000 data records]
Source: “Calculating the Cost of a Security Breach”, April 10, 2007, Forrester Research
What is Risk?
[Diagram: a Threat exploits a Vulnerability in an asset/process; the resulting Risk is characterised by its Impact and Likelihood]
What is Security Risk?
Probability of a compromise to Confidentiality, Integrity or Availability
Occurs due to inadequate Security Controls
Business Risk vs Technical Risk
Business Risk: negative impacts at the Organisational level
e.g. Damage to reputation
Technical Risk: negative impacts at the System (application / data) level
e.g. Privilege escalation
Business vs Technical Risk : An Example
Business Risk - Causes
[Diagram: sources of Business Risk - Application and Data; Policy / Process; People; Media / Portable Devices; Physical; Infrastructure]
Trends - Application Security impacts on Business Risk
“Web application vulnerabilities in open-source as well as custom-built applications account for almost half the total number of vulnerabilities being discovered in the past year” [SANS Top 20 2007]
Targeted attacks (data theft) and the “professionalisation of cybercrime” motivated by financial gain [CSI Survey 2007]: credit card fraud (financial data); identity theft (personal data)
Not all security breaches are reported
Not all security breaches are detected
The majority of applications tested by b-sec Consulting have at least one high severity security vulnerability
Attacker Skills and Attack Types
Results collated by Fortify Software during Black Hat 2007: attacks against the “MyRewards” on-line shopping web site protected by Fortify Defender
Number of Unique Visitors: 79
Number of Attacks: 17,122 total (7,564 XSS; 4,477 Unhandled Exceptions; 2,381 Decoy Tampering; 1,694 SQL Injection)
Number of Successful Attacks: 0 attacks exploited the application; 27 attacks deemed sophisticated
[Chart: for each attack type (XSS, Unhandled Exception, SQL Injection, Decoy Tampering, Command Injection), the percentage of attackers who identified the code word versus those who did not; totals 17,122 attacks and 79 people]
Security = Risk Management
“Risk management is the term applied to a logical and systematic method of establishing the context of, identifying, analysing, evaluating, treating, monitoring and communicating risks associated with any activity, function or process in a way that will enable organizations to minimise losses.” [Handbook 231]
Addressing Risk
Select and implement appropriate security controls to reduce the risk to an acceptable level
[Diagram: Business Risk drives Application Security Requirements and Controls; the GAP between identified Risks and implemented Controls]
When to Consider Risks
Compliance Considerations for Application Security
Compliance Considerations
Security Requirements
Which compliance areas apply to a given application?
Examples:
Privacy data: Privacy Principles
Credit card data: PCI DSS
Legal Obligations: Privacy Principles
Regulatory Obligations: PCI DSS
Common problems - b-sec Consulting observations
Weak Authorisation Controls
Poor Management of Outsourced Software Development / Application Hosting
Weak Authorisation Controls
“Authorisation ensures that the authenticated user has the appropriate privileges to access resources. The resources a user has access to depends on his/her role.” [OWASP Guide]
(Based on over 200 web applications in the last 4 years)
Direct URL access, parameter manipulation, sequential IDs, SQL injection, Cross-Site Scripting etc…
Example : Financial Institution
Financial transactions implemented well
Access to bank account statements implemented poorly:
Unauthorised access to data
Exposure of sensitive data; potentially across entire system
Activity not logged; not detected
Unauthorised data access via URL manipulation and sequential IDs
https://www.highly-sensitive-data.com/sensitive-record.aspx?ID=100
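An added example, not taken from the presentation or from b-sec Consulting, contrasting the flawed statement lookup described above with one that enforces object-level authorisation and records every refusal so that ID walking is detectable; the record store, user names and function names are constructed for illustration.

```python
import logging
from dataclasses import dataclass

# Constructed sample data standing in for bank account statements keyed by a
# sequential ID, like the ?ID=100 record in the example (hypothetical values).
STATEMENTS = {
    100: {"owner": "alice", "balance": "1,250.00"},
    101: {"owner": "bob", "balance": "98,400.00"},
    102: {"owner": "alice", "balance": "310.55"},
}

AUDIT = []  # constructed in-memory audit trail; a real system would ship this to a log store


@dataclass(frozen=True)
class Session:
    user: str  # the authenticated principal


def get_statement_vulnerable(session: Session, record_id: int):
    """Flawed pattern from the example: authentication only, no check that the
    caller owns the record, so any logged-in user can walk ID=100, 101, ..."""
    return STATEMENTS.get(record_id)


def get_statement_hardened(session: Session, record_id: int):
    """Object-level authorisation: the record is served only to its owner.
    Foreign and missing IDs both return None so the response does not reveal
    which IDs exist, and every refusal is written to the audit trail so that
    enumeration attempts are detectable rather than silent."""
    record = STATEMENTS.get(record_id)
    if record is None or record["owner"] != session.user:
        AUDIT.append({"event": "statement_access_denied", "user": session.user, "id": record_id})
        logging.warning("statement access denied user=%s id=%s", session.user, record_id)
        return None
    AUDIT.append({"event": "statement_access", "user": session.user, "id": record_id})
    return record


def denied_count(user: str) -> int:
    """Simple detection rule over the audit trail: a burst of refusals from one
    user is the signature of sequential-ID walking."""
    return sum(1 for e in AUDIT if e["event"] == "statement_access_denied" and e["user"] == user)
```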
Weak Authorisation Controls
Technical Risks:
Breach of data confidentiality
Privilege escalation
Business Risks:
Sensitive data exposure (potentially across entire system)
Negative Reputational impacts
Non-compliance with Privacy Principles
Non-compliance with PCI DSS
Poor Management of Outsourced Software Development / Application Hosting
Remain accountable for Security and Risk Management
Need to clearly specify Security Requirements in contracts with your service provider
Ensure compliance with Security Requirements
Contract Security Requirements
Compliance with organisation’s security policy (for handling, storing and processing data etc) including security throughout development
Security requirements based on legal, regulatory and other compliance considerations
Segregation from other hosted applications / organisations
26
OWASP
Contract Security Requirements – Cont…
Mechanism to ensure compliance with contract, for example, to perform audits and testing with access to premises, resources and all records
Mechanism to address any shortfalls in security by the outsourced service provider
Mechanism for notification by the outsourced service provider of any security incidents
Mechanism for transferring data etc. at the end of a contract
Root Cause
Inadequate risk management processes
Resolution
Security requirements should incorporate risk and compliance obligations
Summary of Key Points
Application Security Requirements and Controls are driven by:
Business Risk
Compliance Considerations
Common Problems - b-sec Consulting observations
Questions?