Top 10 Application Security Predictions for 2014
DESCRIPTION

Chris Harget shares consolidated research data from Cenzic's security team, industry experts and security luminaries. The research-grounded predictions include:

– WHAT emerging initiatives (e.g., Enterprise App Stores, API proliferation) are most likely to increase appsec risk and what to do about it.

– WHY Cross Site Request Forgery (CSRF) may be the next exploitation to "go large."

– HOW the "Internet of Things" may have a huge impact on application security.

... plus several more predictions. 2013 is coming to a close but online application threats won't be taking a holiday. Prepare for a secure 2014 by checking out "Top 10 Application Security Predictions for 2014."

Page 1: Top 10 Application Security Predictions for 2014

Cenzic Live! Webinar: Top 10 Application Security Predictions for 2014

Chris Harget

Page 2: Top 10 Application Security Predictions for 2014

Agenda

2013 In Review

2014 Predictions

New Year’s Resolutions

2 Cenzic, Inc. - Confidential, All Rights Reserved.

Page 3: Top 10 Application Security Predictions for 2014

2013 AppSec In Review

Page 4: Top 10 Application Security Predictions for 2014

2013 Developments/News

Page 5: Top 10 Application Security Predictions for 2014

160 Million Cards Stolen Via SQLi

Page 6: Top 10 Application Security Predictions for 2014

Vulnerabilities Trended Down… …Slightly

Source: Cenzic Application Vulnerability Trends Report 2013

Page 7: Top 10 Application Security Predictions for 2014

OWASP Updated Its Top 10

Broadening of URL access control flaws to now include actual application functions

Expansion and merger of data-in-transit and data-at-rest flaws on both the server side and client side

Addition of a new category of flaws ‘Using Components with Known Vulnerabilities’ to include add-on and third-party software components (a common issue that’s often overlooked in development and security)

Re-prioritization of authentication/user session management and cross-site request forgery (CSRF)-related flaws

https://www.mavitunasecurity.com/blog/owasp-top-10-2013-review/

Page 8: Top 10 Application Security Predictions for 2014

Compliance: Hello PCI 3.0

Penetration testing activities (internal and external) now must follow an "industry-accepted penetration testing methodology," such as that specifically referenced NIST SP 800-115, Technical Guide to Information Security Testing and Assessment.

Page 9: Top 10 Application Security Predictions for 2014

2013 Was Kind Of A Stormy Year

Page 10: Top 10 Application Security Predictions for 2014

2014 AppSec Predictions

Page 11: Top 10 Application Security Predictions for 2014

1. The Internet Of Things = App Risk²

“The Internet of Things (or IoT for short) refers to uniquely identifiable objects and their virtual representations in an Internet-like structure.”

– http://en.wikipedia.org/wiki/Internet_of_things

“A family of four will move from having 10 connected devices in 2012 to 25 in 2017 to 50 in 2022.”

– http://go.gigaom.com/rs/gigaom/images/GigaOMResearch_The_internet_of_things_report.pdf

Many of these devices will be managed via apps

Page 12: Top 10 Application Security Predictions for 2014

New Attack Surfaces Include:

– Smart Televisions

– Home Alarms

– Smart Meters

– Smartphone cameras and microphones

– Security Cameras

– Baby monitors

– Medical Equipment

– Supply Chain Goods

– Smart Thermostats

– Cars

1. The Internet Of Things = App Risk²
Page 13: Top 10 Application Security Predictions for 2014

1. The Internet Of Things = App Risk²

Top Ten Connected Applications in 2020     Value to the Connected Life

Connected Car                              $600 billion
Clinical Remote Monitoring                 $350 billion
Assisted Living                            $270 billion
Home and Building Security                 $250 billion
Pay-As-You-Drive Car Insurance             $245 billion
New Business Models for Car Usage          $225 billion
Smart Meters                               $105 billion
Traffic Management                         $100 billion
Electric Vehicle Charging                  $75 billion
Building Automation                        $40 billion

http://www.gsma.com/newsroom/gsma-announces-the-business-impact-of-connected-devices-could-be-worth-us4-5-trillion-in-2020

Page 14: Top 10 Application Security Predictions for 2014

2. Enterprise App Stores Explode…

Page 15: Top 10 Application Security Predictions for 2014

2. Enterprise App Stores Explode…

…Not Necessarily In a Good Way

Risks:

– Apps have privileged access to corporate data

– Malware sent via links in SMS or downloaded

– Rogue apps can act as a key logger

– Vulnerabilities doubly problematic

Page 16: Top 10 Application Security Predictions for 2014

3: Bug Bounties Go Large

Glory, prizes and cash offered to crowd source finding security flaws in social networks, cloud apps, etc.

May give COTS an edge over open source

220 Bugs found at OWASP’s November Hackathon

http://www.bugsheet.com/bug-bounties

Page 17: Top 10 Application Security Predictions for 2014

4: Developers Incentivized on Security Evolve

Status Quo: Developers primarily compensated for code completed on schedule

Enterprises experimenting with 10-20% of MBO based on vulnerability scores (HARM™ or CVE)

Intriguing…yet to be proven

Page 18: Top 10 Application Security Predictions for 2014

5: Increased Hacking Via Partner API

Programmable Web now lists >10,000 APIs

>100% compound annual growth.

http://blog.programmableweb.com/2013/10/26/hack-of-buffer-should-raise-security-concerns-for-all-api-providers/

Page 19: Top 10 Application Security Predictions for 2014

6: A Major Supply Chain Hack

An F1000 Enterprise will lose data or be vandalized via a partner’s application

Partners provide services, goods, distribution, marketing, & outsourcing.

An enterprise’s total app ecosystem may include hundreds of partner apps.

The bigger brand will take the hit.

Page 20: Top 10 Application Security Predictions for 2014

7: CSRF Crosses The Chasm

[Chart: Vulnerability Prevalence vs. Exploit Prevalence]

SQL Injection

– SQL Injection vulnerabilities were found in only 18% of apps¹, but from 2005-2011 were responsible for 83% of the records stolen²

– A famous 2005 incident (Card Systems Solutions) put SQL Injection on the map³.

Cross Site Request Forgery

– Caused by a lack of randomness in requests that allows a hacker to predict the request format and exploit it

– Breaches can be innocuous or devastating

If one CSRF attack gets big headlines, it could be the new attack du jour.

1: https://info.cenzic.com/2013-Application-Security-Trends-Report.html

2: http://www.darkreading.com/views/lets-ask-why/240003593

3: http://www.csoonline.com/article/700263/the-15-worst-data-security-breaches-of-the-21st-century

Page 21: Top 10 Application Security Predictions for 2014

8: Mobile Hacking Goes Up

Projected MobileOS Data Volume Growth

Page 22: Top 10 Application Security Predictions for 2014

8: Mobile Hacking Goes Up

Mobile App Security Lags

– Mobile malware increasingly sophisticated

– BYOD/MDM challenges persist

Security measures so far:

– Sandbox enterprise apps on phone

– Virtualize apps

– Biometric authentication

– Mobile Application Firewall

– Geofencing

It’s unclear if they will limit breaches from application vulnerabilities.

Page 23: Top 10 Application Security Predictions for 2014

9. Hacking Prosecutions Will Go Up

First Ever Cybercrime RICO Trial Began

– Nov. 20, 2013 http://www.wired.com/threatlevel/2013/11/open-market-trial-begins/

A hacker dealing in stolen credit cards is being charged with racketeering

If successful, others in his organization could be prosecuted for criminal conspiracy

This could dramatically expand the reach of cybercrime prosecution.

Page 24: Top 10 Application Security Predictions for 2014

10: Public Layer 7 Government Hack

A nation-state will be implicated in a large Layer 7 app breach…

Probably trying to steal credentials to target

– User sensitive info (dissident info)

– Financial info (for business advantage)

– Energy sector (critical infrastructure).

The most sophisticated actors are the nation states.

Page 25: Top 10 Application Security Predictions for 2014

Suggested AppSec New Year’s Resolutions

Page 26: Top 10 Application Security Predictions for 2014

Internet of Things Resolutions

Bake application security into your IoT plans early!

Page 27: Top 10 Application Security Predictions for 2014

Enterprise App Store Resolutions

Hold apps with privileged access to corporate data to the highest vulnerability testing standards.

Be 100% responsible for the security of your store apps…no one else will.

Page 28: Top 10 Application Security Predictions for 2014

Mobile Resolutions

Encourage users to check the General Settings for new mobile apps to turn off unnecessary permissions.

Test mobile apps for vulnerabilities proportionately to their usage and data value

Evaluate Mobile Antivirus

Educate yourself

Page 29: Top 10 Application Security Predictions for 2014

App Design Resolutions

Leverage anti-CSRF frameworks

Validate inputs

Implement tighter session management

Confirm your off-the-shelf application components have no known vulnerabilities before use
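One way to put the anti-CSRF, input-validation and session-management resolutions above into code, and to show the mechanism the CSRF slide describes (a request whose format an attacker can predict in full). This is an added example, not code from Cenzic or the webinar; the in-memory session store, the handler names, the /transfer form and its fields are hypothetical stand-ins for whatever web framework an application actually uses, and token_from_form stands in for the browser reading the hidden field from the legitimately rendered page.

```python
import hmac
import re
import secrets
from dataclasses import dataclass, field
from typing import Dict


# Hypothetical in-memory session store standing in for a framework's session backend.
@dataclass
class Session:
    user: str
    # One unpredictable token per session: 32 random bytes, never derived from
    # anything an attacker could guess (user id, timestamp, counter).
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


SESSIONS: Dict[str, Session] = {}


def login(user: str) -> str:
    """Start a fresh session and return the session id the app would set as a cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(user=user)
    return sid


def render_form(sid: str) -> str:
    """Server-rendered form that embeds this session's token as a hidden field.
    The user's own browser on the legitimate site sees it; a third-party page cannot."""
    token = SESSIONS[sid].csrf_token
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="amount"></form>')


def token_from_form(html: str) -> str:
    """What a legitimate browser submission carries: the hidden field from the rendered form."""
    match = re.search(r'name="csrf_token" value="([^"]+)"', html)
    return match.group(1) if match else ""


def transfer_vulnerable(cookie_sid: str, form: Dict[str, str]) -> str:
    """'Before' handler: authorises a state change on the session cookie alone.
    Browsers attach the cookie automatically, so any page the user visits can
    submit this request; its body has no unpredictable part."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return "401 not logged in"
    return f"200 transferred {form.get('amount')} for {session.user}"


def transfer_protected(cookie_sid: str, form: Dict[str, str]) -> str:
    """Hardened handler: session cookie, unguessable per-session token, validated input."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return "401 not logged in"
    # Constant-time comparison against the token bound to *this* session, so a
    # missing token, a guessed one, or one lifted from another session is rejected.
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return "403 csrf token missing or invalid"
    amount = form.get("amount", "")
    if not amount.isdigit() or int(amount) <= 0:
        return "400 invalid amount"
    return f"200 transferred {amount} for {session.user}"


def demo() -> Dict[str, str]:
    """Run both handlers against a forged cross-site request and a legitimate one."""
    sid = login("alice")
    forged = {"amount": "100"}  # constructed: all a cross-site form can send (no token)
    legit = {"amount": "100", "csrf_token": token_from_form(render_form(sid))}
    return {
        "vulnerable_forged": transfer_vulnerable(sid, forged),
        "protected_forged": transfer_protected(sid, forged),
        "protected_legit": transfer_protected(sid, legit),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the example is the contrast in demo(): the cookie-only handler accepts the forged request, while the protected handler refuses anything that does not carry the token only the legitimate page could have rendered. In a real application the same work is done by the framework's CSRF middleware (the "anti-CSRF frameworks" the slide recommends); the token should also be regenerated whenever a session is created or its privilege level changes.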

Page 30: Top 10 Application Security Predictions for 2014

Partner Apps & API

Note: Cenzic’s New Service Can Help

Ensure Partners’ Web Services are tested and hardened for security with the same standards as your company-owned applications.

Page 31: Top 10 Application Security Predictions for 2014

3 Pillars of Enterprise App Security

Enterprise Application Security:

– Pre-production & App Development

– Production

– Partner / Supply Chain

Page 32: Top 10 Application Security Predictions for 2014

Detects Web & Mobile App Vulnerabilities

Easy-to-use Software, SaaS, or Managed Service

Accurate behavior-based Scanning protects

– 500,000+ online applications

– $Trillion+ of commerce

Delivers best continuous real-world Risk Management

Page 33: Top 10 Application Security Predictions for 2014

Application Vulnerability Monitoring In Production

One-click virtual patching via tight integration with leading Web Application Firewalls

Identify Risk + Mitigate Risk

Page 34: Top 10 Application Security Predictions for 2014

Managed Services Offerings – At-a-glance

Tiers:

– Bronze: Industry Best-Practices for Brochureware sites

– Silver: Industry Best-Practices for forms and login protected sites

– Gold: Compliance for sites with user data

– Platinum: Comprehensive scans for Mission critical applications

                             Bronze   Silver   Gold   Platinum
Phishing                       X        X       X        X
Light input validation         X        X       X        X
Data Security                  X        X       X        X
Session management                      X       X        X
OWASP compliance                                X        X
PCI compliance                                  X        X
Business logic testing                                   X
Application logic testing                                X
Manual penetration testing                               X

Page 35: Top 10 Application Security Predictions for 2014

Cenzic Can Help

Train your people

Give them better gear

Have someone else carry the baton

Page 36: Top 10 Application Security Predictions for 2014

Good Luck In The New Year!

Page 37: Top 10 Application Security Predictions for 2014

www.cenzic.com | 1-866-4-CENZIC (1-866-423-6942)

Questions?

[email protected] or 1.866-4-Cenzic

Blog: https://blog.cenzic.com