Security Shifts to the Application
Aaron Clark
You’re late to the party
Some found that out the hard way:
• “Night Dragon”
• Sony
• LizaMoon
• HBGary Federal
Others were told they had to go:
• PCI
• DISA STIG
• HIPAA
• FISMA
• NERC
Some looked at the costs
Chart: damage to the enterprise by stage (Development, Test, Deployment) on a scale of 1x, 10x and 1,000,000x, comparing a functional flaw with a security flaw.
Unbudgeted costs of a security flaw:
• Customer notification / care
• Government fines
• Litigation
• Reputational damage
• Brand erosion
• Cost to repair
The exposure is greater than you think
Web App Vulnerabilities Continue to Dominate
Nearly half (49%) of all vulnerabilities are Web application vulnerabilities
Cross-Site Scripting & SQL injection vulnerabilities continue to dominate
The Smarter Planet
Our world is getting instrumented, interconnected and intelligent.
More Justification for Application Security Action
• 89% of records breached from hacks were compromised by leveraging SQL injection flaws
• 79% of breached organizations subject to PCI were found to be non-compliant
• 92% of compromised records were compromised using Web applications as the attack pathway
Source: Verizon 2010 Data Breach Investigations Report
Security is never first
It should never be last
So, why are there problems ?
• We code the vulnerabilities:
  – Inadequate training of programmers
  – Inadequate security specifications
  – Inadequate security review and testing
  – Lack of security management during the SDLC
  – Lack of adequate technology
• Conflicting objectives
Compounded by software security myths:
• Network defenses provide protection
• Meets compliance == secure
• The website uses SSL, so it’s secure
• Vulnerabilities in internal apps are not important
• Annual penetration tests are an adequate safety measure
• Encryption of data is an adequate safety measure
Security Landscape: Distinguishing Technologies
• Network Firewalls:
  – Perimeter protection mechanisms that block traffic in real time.
  – But websites have to be publicly available, so ports 80 and 443 are open for access, which leaves network firewalls incapable of blocking application-layer attacks.
• Intrusion Detection / Prevention Systems (IDS / IPS):
  – Also considered a perimeter protection mechanism; they monitor data flowing through the network in real time.
  – They are incapable of blocking application-layer attacks because they operate at the network level and are not application-aware.
• Application Firewalls:
  – Perimeter protection that is generally very effective, but difficult to configure and maintain (every time an application changes, the firewall needs to be reconfigured).
  – They can also reduce website response time and lead to lost revenue, since some percentage of “good” traffic is inadvertently blocked too.
• Network Scanners:
  – Incapable of extensive interaction with the application layer (even using the “application scanners” they provide), so no matter how secure an organization makes its network, it is still vulnerable to application-level attacks.
• Database Scanners:
  – Do not scan or test web applications; they focus solely on how well information is protected within the database itself.
So, Why Prioritize Secure Software?
• To protect value
• To protect privacy
• To avoid costs associated with non-compliance
Some of the impacts of attacks:
• Loss of value: sensitive data, trade secrets, intellectual property, reputational damage, market capitalization, ...
• Downtime: unavailability, disruption
• Regulatory penalties: fines, litigation, PR, notification
• Fraud
A framework for security
Application safety: protect valuable assets through multiple points of protection.
• Secure code development and vulnerability management: identify vulnerabilities and malware; provide actionable information to correct the problems
• Protect Web applications from potential attacks: block attacks that aim to exploit Web application vulnerabilities; integrate Web application security with the existing network infrastructure
• Deliver security and performance in Web services and SOA: purpose-built XML and SOA solutions for security and performance
• Manage secure Web applications: ongoing management and security with a suite of identity and access management solutions
End-to-end Web application security
A Path to Secure Applications
Diagram: operational risk management and proactive risk mitigation across the lifecycle, from secure application development across the design, code, build and test phases, through deploying the application, to application and resource protection in operation. Activities shown:
• Vulnerability Assessment of Source Code
• Identity & Access Management
• Web Application Protection
• Secure Web Services
• Vulnerability Assessment of the Functioning Application
• Final Security Audit
• Production-Site Monitoring
• Policy & Requirements Definition
IBM Security Services
Smarter Security for Smarter Products
Smarter products require secure applications. Security needs to be built into the development process and addressed throughout the development lifecycle.
Providing security for smarter products requires comprehensive security solutions deployed in concert with application lifecycle management offerings that:
• Provide integrated testing solutions for developers, QA, security and compliance stakeholders
• Leverage multiple appropriate testing technologies (static & dynamic analysis)
• Provide effortless security that allows development to be part of the solution
• Support governance, reporting and dashboards
• Facilitate collaboration between development and security teams
The Application Security Challenge
What?
• Need to mitigate the risk of a security breach
• Need to find and remediate these vulnerabilities
• Must utilize a cost-effective way of doing this that makes sense
Who?
• Software security represents the intersection between security & development; the solution needs to be a joint collaboration
• Starts with the security auditor (can also be outsourced)
• Larger organizations require the scaling of security testing into the development organization
Start to finish to start security
Security Testing Within the Software Lifecycle
Chart: percentage of issues found by stage of the SDLC (Coding, Build, QA, Security, Production), with “Application Deployed” marking the go-live point and the question “Agile / Waterfall threshold?”; the Developers label sits on the early stages.
Application Security Testing Maturity: today, most issues are found by security auditors prior to going live.
Desired Profile: the same chart redrawn to show the target distribution of issues found by stage.
Cost Benefits of Early Detection (Web Application Vulnerability Assessment)
ROI Opportunity of Application Security Testing
• Cost savings – testing early in development: testing for vulnerabilities earlier in the development process can help avoid unnecessary expense. 80% of development costs are spent identifying and correcting defects. Cost of finding & fixing problems: $80 at the code stage, $960 at QA/Testing*. Example: with 50 applications annually and 25 issues per application, testing at the code stage saves $1.1M over testing at the QA stage.
• Cost savings – automated testing: automated testing provides productivity savings over manual testing. Outsourced audits can cost $10,000 to $50,000 per application; at $20,000 an app, 50 audits will cost $1M. With 1 hire + 4 quarterly outsourced audits (e.g. $120,000 + $80,000), $800,000/yr can be saved (less the cost of testing software).
• Cost avoidance – of a security breach: the costs of a security breach can include audit fees, legal fees, regulatory fines, lost customer revenue & brand damage. The cost to companies is $214 per compromised record**; the average cost per data breach is $7.25 million**.
* Source: GBS industry standard study
** Source: Ponemon Institute, Cost of a Data Breach, 2010
Principles & Perceptions
Secure development (mis)perceptions:
• Aligned closely with waterfall steps (design, development, delivery)
• Process intensive and heavyweight
• Requires a large number of artifacts
Agile Principle #1: “Our highest priority is to satisfy the customer through early and continuous delivery of valuable software.”
• Secure software increases the client value
• Agile focuses on customer need … and security is a customer need
Automated application security testing: the dynamic (and static) duo
Security Testing Technologies: combination drives greater solution accuracy
• Static code analysis = whitebox: looking at the code for security issues (code-level scanning)
• Dynamic analysis = blackbox: sending tests to a functioning application
Diagram: the total potential security issues, with the sets found by dynamic analysis and by static analysis overlapping, labelled “Greatest accuracy”.
Application Security Chart
There are three basic components to securing an application:
• The actual application source code
• The infrastructure it runs on
• External components it requires
Different technologies are needed to fully map the risk.
Dynamic Security Analysis through Automation
• Crawl site: altoro.com/, altoro.com/login.jsp, altoro.com/feedback.jsp, altoro.com/logout.jsp, altoro.com/editProfile.jsp
• Fuzz with known attacks
• Identify vulnerabilities: SQL Injection!
Static Security Analysis through Automation
The servlet code on the slide, deliberately vulnerable: both request parameters are concatenated into the SQL string that reaches executeQuery (stmt is assumed to be a java.sql.Statement field).

```java
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws SQLException {
    String username = request.getParameter("username");   // taint source
    String password = request.getParameter("password");   // taint source
    String query = "SELECT * from tUsers where " + "userid='" + username + "' "
            + "AND password='" + password + "'";          // string append propagates the taint
    ResultSet rs = stmt.executeQuery(query);               // sink: SQL Injection!
}
```

The diagram shows the call trace DoPost → GetParam → Str.Append → ExecuteQuery at each of three steps: Compile & Translate, Apply Vulnerability Rules, Apply API Rules, ending in the finding SQL Injection!
Complementary Security Assessment
Static:
• Findings directly tied to their locations in the source
• Test earlier in the lifecycle
• Test sub-components of an application
• Easier automation, fast scanning
• Non-web applications, infrastructure, middleware
• All control flows
• Illuminates architecture and logic
• Consistent automation
Dynamic:
• Simpler configuration
  – No cross-domain requirement
• Lower learning curve
• Findings include attack vectors
• Captures dynamic activity (Spring, Struts, CAB)
• Scans unsupported source languages
• 3rd-party applications (no source)
• Finds configuration vulnerabilities
• Smaller finding sets
The combined result: IBM Rational AppScan
Comprehensive Application Vulnerability Management
Diagram: products mapped across the lifecycle stages Requirements, Code, Build, QA, Pre-Prod, Production and Security, with static analysis / whitebox and dynamic analysis / blackbox shown as spans across the stages:
• Requirements: Security Requirements Definition; security requirements defined before design & implementation
• Code: AppScan Source; build security testing into the IDE
• Build: AppScan Build; automate security / compliance testing in the build process
• QA: AppScan Tester; security / compliance testing incorporated into testing & remediation workflows
• Pre-Prod and Production: AppScan Standard; AppScan OnDemand for outsourced testing for security audits & production site monitoring
• Security: AppScan Enterprise; security & compliance testing, oversight, control, policy, audits; application security best practices & education
AppScan Source Edition Workflow
Steps: Configure, Scan, Triage, Assign, Remediate, Reporting, Monitor.
Editions used across the workflow: AppScan Source for Security, AppScan Source for Remediation, AppScan Source for Automation, and AppScan Source for Developer.
What’s the first step?
Diagram: QA Team, Development Team and Security Team.
Application Security Maturity Model
Security assessment coverage grows over time through four stages:
• Unaware: doing nothing
• Corrective: external tests on production applications and security-team-centric testing
• Bolt On: security testing before deployment
• Built In: fully integrated system security
Goals: improve security testing coverage; improve collaboration on security issues; assure a secure SDLC; improve compliance and management reporting.
Security maturity by stage (Corrective, Bolt-On, Built-In, and “what works”): each slide repeats the chart of % of issues found by stage of the SDLC (Coding, Build, QA, Security, Production; Application Deployed; Agile / Waterfall threshold?) and places the Security Team’s testing activities on it: 3rd Party Pen Test, Manual Pen Test, Manual Code Review, Automated Pen Test and Automated Code Scan. The “what works” slide highlights Automated Code Scan and Automated Pen Test.
© IBM Corporation 2011. All Rights Reserved.
Try the new Rational AppScan ROI calculator
Use the ROI calculator on a Web application testing solution. Discover how you can:
• Automate application security analysis
• Detect exploitable vulnerabilities, protecting against the threat of cyber-attack
• Reduce the costs associated with manual vulnerability testing
Visit the Rational Application & Security website to get the newest updates.
Free trial download of IBM Rational AppScan software
• Protect against the threat of attacks and data breaches with Rational AppScan
• IBM Rational application security software helps IT and security professionals protect against the threat of attacks and data breaches. If you use applications to collect or exchange sensitive or personal data, your job as a security professional is harder now than ever before.
• Download it now at no charge!
Improvement Between Application Testing Cycles
• Significant decline in the likelihood of finding application vulnerabilities in a retest
• In many cases this reduction is more than half that of the original
• Demonstrates the importance of testing applications, but also of follow-up and mitigation
Note: the charts show which vulnerabilities were 50% or more likely to appear in a Web assessment for each industry.
False Positives
Most of the time they are not actually false positives. These false “false positives” are one of two things:
• Sources the business doesn’t care about (getProperty is far too common an example)
• Data flows that are validated by validators that haven’t been marked up
There are cases where false positives are a problem; 9 out of 10 of these occur because we can’t set a rule for the validation:
• Validators set in a config file (servlet validators, Struts validators, etc.)
• Validators declared with annotations (aspect-oriented coding does this)
• Validators that occur before one of our “Source” rules is triggered
• Microsoft built-in validation (this one is more of a false false positive)
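As an added illustration (not AppScan’s code or the presentation’s), the source / propagation / sink rules described on the static analysis slide, run over a constructed trace of the slide’s doPost() method, and the false-positive case above: a validator in the flow only suppresses the finding once it is registered as a validator rule. The trace format, the rule tables and the validator method com.example.InputValidator.requireAlnum are all assumptions.

```python
# Toy taint checker modelled on the slide's trace (not AppScan's implementation).
# Method names are qualified Java APIs; com.example.InputValidator is constructed.
from dataclasses import dataclass
from typing import Optional

# Rules applied after "Compile & Translate": where taint enters, how it moves,
# and which sinks turn tainted input into a finding.
SOURCE_RULES = {"HttpServletRequest.getParameter"}
PROPAGATION_RULES = {"StringBuilder.append", "String.concat"}
SINK_RULES = {"Statement.executeQuery": "SQL Injection"}


@dataclass
class Call:
    method: str                   # qualified API name in the translated code
    args: list                    # variable names (or literals) passed in
    result: Optional[str] = None  # variable that receives the return value


def analyse(trace, validator_rules=frozenset()):
    """Walk a straight-line call trace; return (finding, variable, path) tuples.

    validator_rules names the methods the analyst has marked as validators.
    A validator missing from the set is invisible to the tool: the flow is
    really validated, yet still reported (the 'false false positive' case).
    """
    tainted = {}    # variable -> list of calls that carried taint to it
    findings = []
    for call in trace:
        if call.method in SOURCE_RULES and call.result:
            tainted[call.result] = [call.method]
        elif call.method in validator_rules:
            for name in list(call.args) + [call.result]:   # args and result are clean
                tainted.pop(name, None)
        elif call.method in PROPAGATION_RULES:
            paths = [tainted[a] for a in call.args if a in tainted]
            if call.result and paths:
                tainted[call.result] = paths[0] + [call.method]
            elif call.result:
                tainted.pop(call.result, None)              # reassigned from clean data
        elif call.method in SINK_RULES:
            for arg in call.args:
                if arg in tainted:
                    findings.append((SINK_RULES[call.method], arg,
                                     tainted[arg] + [call.method]))
    return findings


# Constructed trace of the slide's doPost(): two parameters appended into the
# query string, which is then passed to executeQuery.
SLIDE_TRACE = [
    Call("HttpServletRequest.getParameter", ["'username'"], "username"),
    Call("HttpServletRequest.getParameter", ["'password'"], "password"),
    Call("StringBuilder.append", ["prefix", "username"], "query"),
    Call("StringBuilder.append", ["query", "password"], "query"),
    Call("Statement.executeQuery", ["query"]),
]

# Same flow, but each parameter passes through a (constructed) validator first.
VALIDATOR = "com.example.InputValidator.requireAlnum"
VALIDATED_TRACE = SLIDE_TRACE[:2] + [
    Call(VALIDATOR, ["username"], "username"),
    Call(VALIDATOR, ["password"], "password"),
] + SLIDE_TRACE[2:]

if __name__ == "__main__":
    print(analyse(SLIDE_TRACE))                    # one SQL Injection finding
    print(analyse(VALIDATED_TRACE))                # still reported: validator not marked up
    print(analyse(VALIDATED_TRACE, {VALIDATOR}))   # [] once the validator rule is set
```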