Description
Chris Harget shares consolidated research data from Cenzic's security team, industry experts and security luminaries. The research-grounded predictions include:
– WHAT emerging initiatives (e.g., Enterprise App Stores, API proliferation) are most likely to increase appsec risk and what to do about it.
– WHY Cross Site Request Forgery (CSRF) may be the next exploitation to "go large."
– HOW the "Internet of Things" may have a huge impact on application security.
...plus several more predictions. 2013 is coming to a close but online application threats won't be taking a holiday. Prepare for a secure 2014 by checking out "Top 10 Application Security Predictions for 2014."
Cenzic Live! Webinar: Top 10 Application Security Predictions for 2014
Chris Harget
Agenda
2013 In Review
2014 Predictions
New Year’s Resolutions
Cenzic, Inc. - Confidential, All Rights Reserved.
2013 AppSec In Review
2013 Developments/News
160 Million Cards Stolen Via SQLi
Vulnerabilities Trended Down…Slightly
(Chart. Source: Cenzic Application Vulnerability Trends Report 2013)
OWASP Updated Its Top 10
– Broadening of URL access control flaws to now include actual application functions
– Expansion and merger of data-in-transit and data-at-rest flaws on both the server side and client side
– Addition of a new category of flaws, "Using Components with Known Vulnerabilities", to include add-on and third-party software components (a common issue that is often overlooked in development and security)
– Re-prioritization of authentication/user session management and cross-site request forgery (CSRF)-related flaws
https://www.mavitunasecurity.com/blog/owasp-top-10-2013-review/
Compliance: Hello PCI 3.0
Penetration testing activities (internal and external) now must follow an "industry-accepted penetration testing methodology," such as the one specifically referenced, NIST SP 800-115, Technical Guide to Information Security Testing and Assessment.
2013 Was Kind Of A Stormy Year
2014 AppSec Predictions
1. The Internet Of Things = App Risk²
“The Internet of Things (or IoT for short) refers to uniquely identifiable objects and their virtual representations in an Internet-like structure.”
– http://en.wikipedia.org/wiki/Internet_of_things
“A family of four will move from having 10 connected devices in 2012 to 25 in 2017 to 50 in 2022.”
– http://go.gigaom.com/rs/gigaom/images/GigaOMResearch_The_internet_of_things_report.pdf
Many of these devices will be managed via apps
New Attack Surfaces Include:
– Smart Televisions
– Home Alarms
– Smart Meters
– Smartphone cameras and microphones
– Security Cameras
– Baby monitors
– Medical Equipment
– Supply Chain Goods
– Smart Thermostats
– Cars
1. The Internet Of Things = App Risk² (cont.)
Top Ten Connected Applications in 2020      Value to the Connected Life
Connected Car                               $600 billion
Clinical Remote Monitoring                  $350 billion
Assisted Living                             $270 billion
Home and Building Security                  $250 billion
Pay-As-You-Drive Car Insurance              $245 billion
New Business Models for Car Usage           $225 billion
Smart Meters                                $105 billion
Traffic Management                          $100 billion
Electric Vehicle Charging                   $75 billion
Building Automation                         $40 billion
http://www.gsma.com/newsroom/gsma-announces-the-business-impact-of-connected-devices-could-be-worth-us4-5-trillion-in-2020
2. Enterprise App Stores Explode…Not Necessarily In a Good Way
Risks:
– Apps have privileged access to corporate data
– Malware sent via links in SMS or downloaded
– Rogue apps can act as a key logger
– Vulnerabilities are doubly problematic: the app already holds privileged access to corporate data, and the enterprise that published it through its own store owns the consequences
3: Bug Bounties Go Large
Glory, prizes and cash offered to crowdsource the finding of security flaws in social networks, cloud apps, etc.
May give COTS an edge over open source.
220 bugs found at OWASP's November Hackathon.
http://www.bugsheet.com/bug-bounties
4: Developers Incentivized on Security Evolve
Status quo: developers are primarily compensated for code completed on schedule.
Enterprises are experimenting with basing 10-20% of MBO on vulnerability scores (HARM™ or CVSS).
Intriguing…yet to be proven.
5: Increased Hacking Via Partner API
ProgrammableWeb now lists >10,000 APIs, with >100% compound annual growth.
http://blog.programmableweb.com/2013/10/26/hack-of-buffer-should-raise-security-concerns-for-all-api-providers/
6: A Major Supply Chain Hack
An F1000 enterprise will lose data or be vandalized via a partner's application.
Partners provide services, goods, distribution, marketing, & outsourcing. An enterprise's total app ecosystem may include hundreds of partner apps. The bigger brand will take the hit.
7: CSRF Crosses The Chasm
Vulnerability prevalence ≠ exploit prevalence:
– SQL Injection vulnerabilities were found in only 18% of apps [1], but from 2005-2011 were responsible for 83% of the records stolen [2].
– A famous 2005 incident (CardSystems Solutions) put SQL Injection on the map [3].
Cross Site Request Forgery:
– Works because the browser automatically attaches the victim's session cookie to any request, including one triggered from an attacker's page; when state-changing requests carry no unpredictable, per-session value, the attacker can assemble the entire request in advance and have the victim's browser submit it.
– Breaches can be innocuous or devastating.
If one CSRF attack gets big headlines, it could be the new attack du jour.
1: https://info.cenzic.com/2013-Application-Security-Trends-Report.html
2: http://www.darkreading.com/views/lets-ask-why/240003593
3: http://www.csoonline.com/article/700263/the-15-worst-data-security-breaches-of-the-21st-century
8: Mobile Hacking Goes Up
(Chart: Projected Mobile OS Data Volume Growth)
Mobile App Security Lags
– Mobile malware increasingly sophisticated
– BYOD/MDM challenges persist
Security measures so far:
– Sandbox enterprise apps on phone
– Virtualize apps
– Biometric authentication
– Mobile Application Firewall
– Geofencing
It is unclear whether these will limit breaches that stem from application vulnerabilities.
9. Hacking Prosecutions Will Go Up
First ever cybercrime RICO trial began Nov. 20, 2013: http://www.wired.com/threatlevel/2013/11/open-market-trial-begins/
– A hacker dealing in stolen credit cards is being charged under the Racketeer Influenced and Corrupt Organizations (RICO) Act.
– If successful, others in his organization could be prosecuted for criminal conspiracy.
– This could dramatically expand the reach of cybercrime prosecution.
10: Public Layer 7 Government Hack
A nation-state will be implicated in a large Layer 7 (application-layer) breach, probably trying to steal credentials to target:
– User sensitive info (dissident info)
– Financial info (for business advantage)
– Energy sector (critical infrastructure)
The most sophisticated actors are the nation-states.
Suggested AppSec New Year’s Resolutions
Internet of Things Resolutions
Bake application security into your IoT plans early!
Enterprise App Store Resolutions
– Hold apps with privileged access to corporate data to the highest vulnerability testing standards.
– Be 100% responsible for the security of your store apps…no one else will.
Mobile Resolutions
– Encourage users to check the General Settings for new mobile apps and turn off unnecessary permissions.
– Test mobile apps for vulnerabilities in proportion to their usage and data value.
– Evaluate mobile antivirus.
– Educate yourself.
App Design Resolutions
– Leverage anti-CSRF frameworks
– Validate inputs
– Implement tighter session management
– Confirm your off-the-shelf application components have no known vulnerabilities before use
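The following is an added example, not code from the Cenzic webinar, that ties prediction 7 (CSRF) to the first three App Design resolutions above. It models a cookie-authenticated "transfer" endpoint as it is commonly written (the session cookie is the only check, so a request auto-submitted by a hidden form on an attacker's page succeeds) and beside it the same endpoint hardened with a per-session synchronizer token compared in constant time, an Origin check, idle-session expiry, input validation and parameterized SQL. Requests are plain dicts standing in for HTTP requests; the site origin `https://bank.example`, the attacker origin, and the `alice`/`mallory` accounts are all constructed for the demo.

```python
import hmac
import secrets
import sqlite3
import time

SITE_ORIGIN = "https://bank.example"   # assumption: the application's own origin
SESSION_TTL = 15 * 60                  # idle seconds before a session is discarded
sessions = {}                          # session_id -> {"user", "csrf", "seen"}


def setup_db():
    """Constructed sample data: two accounts in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT PRIMARY KEY, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 1000), ("mallory", 0)])
    return conn

def login(user):
    """Issue a fresh, unguessable session id and a CSRF token bound to that session."""
    sid = secrets.token_urlsafe(32)
    sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32), "seen": time.time()}
    return sid

def current_session(request):
    """Resolve the session cookie and enforce idle expiry (tighter session management)."""
    sid = request["cookies"].get("sid", "")
    sess = sessions.get(sid)
    if sess is None:
        return None
    if time.time() - sess["seen"] > SESSION_TTL:
        del sessions[sid]
        return None
    sess["seen"] = time.time()
    return sess

def move_funds(conn, src, dst, amount):
    """Parameterized statements: user-supplied values never become part of the SQL text."""
    with conn:
        conn.execute("UPDATE accounts SET balance = balance - ? WHERE owner = ?", (amount, src))
        conn.execute("UPDATE accounts SET balance = balance + ? WHERE owner = ?", (amount, dst))

def balance(conn, owner):
    return conn.execute("SELECT balance FROM accounts WHERE owner = ?", (owner,)).fetchone()[0]

def transfer_vulnerable(request, conn):
    """As commonly written: the cookie the browser attaches is the only check, so a
    POST auto-submitted by a hidden form on attacker.example goes through."""
    sess = current_session(request)
    if sess is None:
        return "401 not logged in"
    move_funds(conn, sess["user"], request["form"]["to"], int(request["form"]["amount"]))
    return "200 transferred"

def transfer_hardened(request, conn):
    """Same endpoint with an Origin check, a synchronizer token and input validation."""
    sess = current_session(request)
    if sess is None:
        return "401 not logged in"
    # Browsers add Origin to cross-site form POSTs and the attacker's page cannot alter it.
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return "403 bad origin"
    # The token lives in the session and in the site's own form; the attacker's page
    # cannot read it cross-site, so it cannot forge it. Compare in constant time.
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
        return "403 missing or wrong CSRF token"
    # Validate inputs before they reach the database.
    try:
        amount = int(request["form"]["amount"])
    except (KeyError, ValueError):
        return "400 bad amount"
    if amount <= 0:
        return "400 bad amount"
    payee = request["form"].get("to", "")
    if conn.execute("SELECT 1 FROM accounts WHERE owner = ?", (payee,)).fetchone() is None:
        return "400 unknown payee"
    move_funds(conn, sess["user"], payee, amount)
    return "200 transferred"

def demo():
    """Alice logs in, then visits attacker.example, whose page auto-submits a transfer
    to mallory. Returns each handler's verdict plus the resulting balances."""
    conn = setup_db()
    sid = login("alice")
    forged = {"cookies": {"sid": sid}, "headers": {"Origin": "https://attacker.example"},
              "form": {"to": "mallory", "amount": "500"}}      # no csrf_token available
    genuine = {"cookies": {"sid": sid}, "headers": {"Origin": SITE_ORIGIN},
               "form": {"to": "mallory", "amount": "500", "csrf_token": sessions[sid]["csrf"]}}
    return {"vulnerable": transfer_vulnerable(forged, conn),
            "forged": transfer_hardened(forged, conn),
            "genuine": transfer_hardened(genuine, conn),
            "alice": balance(conn, "alice"), "mallory": balance(conn, "mallory")}

if __name__ == "__main__":
    print(demo())
```

The Origin check and the token are independent layers: if a client omits Origin, the token check alone still rejects the forgery, and the token is bound to the session so a token leaked from one user's page is useless against another. In a real framework the token is emitted into each form by the template layer; the comparison, expiry and parameterized-query discipline are what the "anti-CSRF framework", "tighter session management" and "validate inputs" resolutions buy you.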
Partner Apps & API Resolutions
Ensure partners' Web services are tested and hardened for security to the same standards as your company-owned applications.
Note: Cenzic's new service can help.
3 Pillars of Enterprise App Security
– Pre-production & App Development
– Production
– Partner / Supply Chain
Enterprise Application Security
– Detects Web & Mobile App Vulnerabilities
– Easy-to-use Software, SaaS, or Managed Service
– Accurate behavior-based Scanning protects 500,000+ online applications and $Trillion+ of commerce
– Delivers best continuous real-world Risk Management
Application Vulnerability Monitoring In Production
Identify Risk (application vulnerability monitoring in production) + Mitigate Risk (one-click virtual patching via tight integration with leading Web Application Firewalls)
Managed Services Offerings – At-a-glance
Tier       Scope
Bronze     Industry best practices for brochureware sites
Silver     Industry best practices for forms and login-protected sites
Gold       Compliance for sites with user data
Platinum   Comprehensive scans for mission-critical applications

Test area                     Bronze   Silver   Gold   Platinum
Phishing                        X        X       X       X
Light input validation          X        X       X       X
Data Security                   X        X       X       X
Session management                       X       X       X
OWASP compliance                                 X       X
PCI compliance                                   X       X
Business logic testing                                   X
Application logic testing                                X
Manual penetration testing                               X
Cenzic Can Help
– Train your people
– Give them better gear
– Have someone else carry the baton
Good Luck In The New Year!
www.cenzic.com | 1-866-4-CENZIC (1-866-423-6942)
Questions?
[email protected] or 1.866-4-Cenzic
Blog: https://blog.cenzic.com