Software applications, like outward facing Web applications, are consistently ranked as one of the top threat vectors. For example, according to a recent report from Trustwave, SQL injection was the attack method for 26% of all reported breaches. Indeed despite being a decade-old, well understood vulnerability, SQL injection flaws remain present in 32% of applications. This webinar will first explain software application vulnerabilities and define their various types. It will also present recent research findings about the prevalence of these vulnerabilities and their impact. From there it will discuss what organizations can do to harden their applications. Finally, the webinar will cover best practices for responding to a successful application attack. Our featured speaker for this timely webinar is Chris Wysopal, Co-Founder, CTO & Chief Information Security Officer at Veracode.
Breached! App Attacks,
Application Protection,
and Incident Response
Page 2
Agenda
• Introductions
• Application Security 101
• How To Improve Application Security
• Application Security IR Best Practices
• Q&A
Page 3
Introductions: Today’s Speakers
• Ted Julian, Chief Marketing Officer, Co3 Systems
• Ted is a serial entrepreneur who has launched four companies during his ~20 years in the security / compliance industry.
• Chris Wysopal, Co-Founder, CTO & CISO, Veracode
• Director of Development, Symantec; VP Research & Development, @stake
Page 4
Co3 Automates Breach Management
PREPARE: Improve Organizational Readiness
• Assign response team
• Describe environment
• Simulate events and incidents
• Focus on organizational gaps
REPORT: Document Results and Track Performance
• Document incident results
• Track historical performance
• Demonstrate organizational preparedness
• Generate audit/compliance reports
ASSESS: Quantify Potential Impact, Support Privacy Impact Assessments
• Track events
• Scope regulatory requirements
• See $ exposure
• Send notice to team
• Generate Impact Assessments
MANAGE: Easily Generate Detailed Incident Response Plans
• Escalate to complete IR plan
• Oversee the complete plan
• Assign tasks: who/what/when
• Notify regulators and clients
• Monitor progress to completion
Page 5
About Veracode
• Founded in 2006 by a world class team of application security experts from @stake, Guardent, Symantec, and VeriSign, Veracode provides the world’s leading Application Risk Management Platform. Veracode's patented and proven cloud-based capabilities allow customers to govern and mitigate software security risk across a single application or an enterprise portfolio with unmatched simplicity.
• Veracode has received considerable recognition and awards in the industry including being named a Gartner “Cool Vendor,” The Wall Street Journal’s “Technology Innovation Award,” and was listed as #20 on Forbes’ “America’s Most Promising Companies”.
Page 6
Your Apps, In The Crosshairs
Corporations are targeted for their IP and other valuables, which sit behind a porous security perimeter.
Page 7
Your Apps, In The Crosshairs
It is porous because of the way businesses interact with their customers, suppliers, and partners via email and web applications. Mobile apps coming soon!
Page 8
But I Already Have Security!
• Firewalls – Don’t block data moving to and from trusted computers. You trust your web servers. You trust your employees’ desktops. Won’t stop spear phishing or web app attacks.
• Encryption – You encrypt data so it can’t be snooped over the network or read from a stolen hard drive. Attackers access encrypted data through applications, posing as legitimate users.
• Antivirus – Can only stop known malware. Attackers make brand new custom malware to attack you.
Spear phishing and web app vulnerabilities bypass all 3!
Page 9
Insecure Apps Are A Leading Cause Of Breaches
POLL
Page 11
Biggest SQL Injection Breaches of 2012
Page 12
Case Study: Night Dragon
• Impacted the Energy Sector from Nov 2009 – Feb 2011
• Information targeted:
• Energy field production information
• Financial information
• Industrial Control System information
POLL
Page 14
How It Works: SQL Injection Attack
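The slide above carried a diagram that did not survive extraction. As an added example, not from the webinar or from Veracode, the following Python contrasts a lookup that concatenates user input into the SQL text with the parameterized form that removes the flaw. The in-memory sqlite3 table, its rows, and the TAUTOLOGY_INPUT constant (the textbook input used to show the difference) are all constructed here for the demonstration.

```python
import sqlite3

# Constructed sample data: an in-memory "users" table standing in for an
# application's database. Names and roles are illustrative only.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn

# Textbook input that turns a concatenated WHERE clause into an always-true
# condition; used here only to show that the parameterized query is unaffected.
TAUTOLOGY_INPUT = "' OR '1'='1"

def find_user_vulnerable(conn, username):
    """Builds the statement by string concatenation, so the input becomes part
    of the SQL grammar and can change what the query does."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()

def find_user_safe(conn, username):
    """Parameterized query: the value travels separately from the statement and
    is only ever compared as data, whatever characters it contains."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()

if __name__ == "__main__":
    conn = make_db()
    print("concatenated, normal input:", find_user_vulnerable(conn, "bob"))
    print("concatenated, crafted input:", find_user_vulnerable(conn, TAUTOLOGY_INPUT))
    print("parameterized, crafted input:", find_user_safe(conn, TAUTOLOGY_INPUT))
```

With the crafted input the concatenated version returns every row in the table, while the parameterized version returns nothing, because no user is literally named `' OR '1'='1`. The fix is the same in every language and driver: bind values, never splice them into the statement text.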
Page 15
70+% of Web Apps Fail Security Testing
Page 16
OWASP Top 10 Vulnerability Types
Page 17
Top Vulnerability Types (% of Affected Web App Builds)
Page 18
Techniques To Test Application Security
• Universe of application security vulnerabilities is extensive
• There is no “silver bullet” – each technique has strengths and weaknesses
• A complete analysis includes:
• Static analysis (i.e. White Box)
• Dynamic analysis (i.e. Black Box)
• Penetration testing
• Design review
• Threat modeling
• Automation allows manual penetration testers to focus on vulnerabilities only humans can find
(Diagram labels: Automated Static, Automated Dynamic, Penetration Testing)
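To make the static analysis (white box) item concrete, here is an added example, not part of the webinar and not Veracode's product, of the kind of source-level check an automated scanner performs: it parses Python with the standard `ast` module and flags database `execute()` calls whose query text is assembled at runtime (concatenation, `%` formatting, `.format()`, f-strings) instead of being a constant with bound parameters. The SAMPLE_SOURCE string and the SINK_NAMES set are assumptions constructed for the demonstration.

```python
import ast

# Constructed sample source: four database calls, three built dynamically and
# one parameterized. Embedded as text so the check runs offline.
SAMPLE_SOURCE = '''
def lookup(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
    cur.execute("SELECT * FROM users WHERE name = %s" % name)
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
'''

# Method names treated as SQL sinks (assumed: matches DB-API style cursors).
SINK_NAMES = {"execute", "executemany", "executescript"}

def _is_dynamic_sql(node):
    """True when the query argument is built from runtime data."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        # "..." + name  or  "..." % name ; constant + constant is not dynamic
        return not all(isinstance(x, ast.Constant) for x in (node.left, node.right))
    if isinstance(node, ast.JoinedStr):  # f"...{name}..."
        return True
    if isinstance(node, ast.Call):       # "...{}".format(name)
        return isinstance(node.func, ast.Attribute) and node.func.attr == "format"
    return False

def find_dynamic_sql(source):
    """Walk the AST and report every sink call whose first argument is dynamic.
    Returns a list of (line number, argument text) tuples."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in SINK_NAMES:
            if _is_dynamic_sql(node.args[0]):
                findings.append((node.lineno, ast.unparse(node.args[0])))
    return findings

if __name__ == "__main__":
    for line, text in find_dynamic_sql(SAMPLE_SOURCE):
        print(f"line {line}: dynamic SQL passed to execute(): {text}")
```

This is deliberately a syntactic check: it never runs the code and so cannot know whether `name` is attacker-controlled, which is exactly the strength and weakness the slide refers to. It finds the whole class of flaw quickly across a code base, but a human or a dynamic test is still needed to confirm reachability and rule out false positives.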
POLL
Page 20
Application Security Incident Response (IR)
PREPARE: Minimize Risk
• Inventory your apps
• Remove vulnerabilities in advance
• Simulate application security incidents
• Verify data collection for key apps
• ID organizational / skill-set gaps
REPORT: Document Results and Track Performance
• Document incident results
• Short and Long-Term fix
• Track historical performance
• Lots of App Sec incidents?
• Update app inventory and re-scan
• Annual IR report / infographic
ASSESS: Characterize Impact
• Gather forensics
• Any PII?
• Send notice to IR team
• App you didn't know about? How crucial is it to the business?
MANAGE: Tune The Incident Response Plan
• Triage the app
• Pull it? Patch it? Monitor it?
• Assign tasks: who/what/when
• Time to fix?
• Monitor progress to completion
Page 21
Application Security IR - Prepare
• Inventory applications
• Web apps, Mobile apps, 3rd Party apps
• Rank by importance / severity / difficulty to fix
• Quadrant or other metaphor to prioritize the critical apps that are easy to fix?
• Verify data collection on key apps
• Simulate an App Sec breach
• Anything they are likely to learn from the simulation / fire drill other than that they may need skills they don’t have?
It is cheapest to fix these issues in advance
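The ranking and quadrant idea on this slide is easy to operationalize once the inventory exists. The following Python is an added example, not from the webinar or from Co3 Systems: it scores each application on importance and severity, classifies it into one of four quadrants by that risk and by fix difficulty, and orders the inventory so that critical-and-easy fixes come first. The App fields, the thresholds, and the INVENTORY entries are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    name: str
    kind: str            # "web", "mobile" or "third-party"
    importance: int      # 1-5: how much the business depends on it
    severity: int        # 1-5: worst known open vulnerability
    fix_difficulty: int  # 1-5: estimated effort to remediate

# Constructed inventory; names and scores are illustrative only.
INVENTORY = [
    App("customer-portal", "web", 5, 5, 2),
    App("legacy-billing", "third-party", 5, 4, 5),
    App("store-locator", "web", 2, 5, 1),
    App("intranet-wiki", "web", 2, 2, 4),
    App("mobile-app", "mobile", 4, 3, 2),
]

# Work order for the four quadrants: fix the critical/easy ones first, plan or
# compensate for critical/hard, take minor/easy as quick wins, defer the rest.
QUADRANT_ORDER = ["critical/easy", "critical/hard", "minor/easy", "minor/hard"]

def risk(app):
    """Simple product score (1-25) combining business importance and severity."""
    return app.importance * app.severity

def quadrant(app, critical_risk=12, easy_effort=2):
    """Assumed thresholds: risk >= 12 is critical; effort <= 2 is easy."""
    c = "critical" if risk(app) >= critical_risk else "minor"
    e = "easy" if app.fix_difficulty <= easy_effort else "hard"
    return f"{c}/{e}"

def prioritize(inventory):
    """Order by quadrant, then by descending risk within a quadrant."""
    return sorted(
        inventory, key=lambda a: (QUADRANT_ORDER.index(quadrant(a)), -risk(a))
    )

if __name__ == "__main__":
    for app in prioritize(INVENTORY):
        print(f"{quadrant(app):14} risk={risk(app):2} {app.kind:12} {app.name}")
```

The thresholds are the part to argue about with the business, not the code: the point of the quadrant is to make that argument once, in advance, rather than during an incident.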
Page 22
Application Security IR - Report
• Post-mortem
• What went well? What didn’t?
• People, Process, and Technology remediation
• Report to management in business impact terms
• Technology remediation plan
• Quick fixes? Compensating controls?
• Update application inventory
• Web apps, Mobile apps, 3rd Party apps
• Report by incident type and business unit
• What incident types and business units are the main problems?
QUESTIONS
One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
“Co3 Systems makes the process of
planning for a nightmare scenario as
painless as possible, making it an Editors’
Choice.”
PC MAGAZINE, EDITOR’S CHOICE
“Co3…defines what software packages
for privacy look like.”
GARTNER
“Platform is comprehensive, user
friendly, and very well designed.”
PONEMON INSTITUTE
www.veracode.com
Page 25
About Chris Wysopal
Co-Founder, CTO & CISO, Veracode
• Chris is responsible for the security analysis capabilities of Veracode technology.
• Mr. Wysopal is recognized as an expert and a well-known speaker in the information security field and was recently named one of InfoWorld’s Top 25 CTOs and one of the 100 most influential people in IT by the editorial staffs of eWeek, CIO Insight and Baseline Magazine.
• Chris has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software.
• He also has spoken as the keynote at West Point, to the Defense Information Systems Agency (DISA) and before the International Financial Futures and Options Exchange in London.
• His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work.