7 Ways to Scale Web Security

Transcription

1 7 Ways to Scale Web Security Jeremiah Grossman Founder & Chief Technology Officer SANS AppSec Summit WhiteHat Security, Inc. 1

2 Jeremiah Grossman Ø Founder & CTO of WhiteHat Security Ø 6-Continent Public Speaker Ø TED Alumni Ø An InfoWorld Top 25 CTO Ø Co-founder of the Web Application Security Consortium Ø Co-author: Cross-Site Scripting Attacks Ø Former Yahoo! information security officer Ø Brazilian Jiu-Jitsu Black Belt 2012 WhiteHat Security, Inc. 2

3 WhiteHat Security : Company Overview Ø Headquartered in Santa Clara, CA Ø WhiteHat Sentinel SaaS end-to-end website risk management platform Ø Employees: 170+ Ø Customers: 500+ Cool Vendor The FutureNow List 2012 WhiteHat Security, Inc.

4 We shop, bank, pay bills, file taxes, share photos, keep in touch with friends & family, watch movies, play games, and more. Cyber-war Cyber-crime Hacktivism PwC Survey: Cybercrime is now the second biggest cause of economic crime experienced by the Financial Services sector WhiteHat Security, Inc. 4

5 Website Hacked 2012 WhiteHat Security, Inc. 5

6 Verizon Data Breach Investigations Report: 2010 DBIR: The majority of breaches and almost all of the data stolen in 2009 (95%) were perpetrated by remote organized criminal groups hacking "servers and applications." 2011 DBIR: The number of Web application breaches increased last year and made up nearly 40% of the overall attacks DBIR: Web applications abound in many larger companies, and remain a popular (54% of breaches) and successful (39% of records) attack vector WhiteHat Security, Inc. 6

7 855 incidents, 174 million compromised records 2012 WhiteHat Security, Inc. 7

8 2012 WhiteHat Security, Inc. 8

9 (Name of the Game) SCALABILITY An algorithm, design, networking protocol, program, or other system is said to scale, if it is suitably efficient and practical when applied to large situations (e.g. a large input data set, a large number of outputs or users, or a large number of participating nodes in the case of a distributed system). If the design or system fails when a quantity increases, it does not scale WhiteHat Security, Inc. 9

10 2012 WhiteHat Security, Inc. 10

11 People Process SCALE Technology People: Cognitive ability, operate and interpret technology results Process: Organize and make efficient use of resources Technology: To scale the people and the process 2012 WhiteHat Security, Inc. 11

12 3 Hard Facts About Technology 1) Technology is incapable of eliminating the need for people in any aspect of application security. This includes source code reviews, penetration testing, threat modeling, architectural review, development, etc. 2) Without technology there is far too much work than could ever be completed manually by the number of people available, even if monetary costs were not an issue. 3) The best technology can offer is increasing efficiency and reducing the quantity and skill level of the people necessary to complete a given process WhiteHat Security, Inc. 12

13 WhiteHat Sentinel Assessment Platform Software-as-a-Service Annual Per Website Subscription Unlimited Assessments / Users 500+ enterprises from start-ups to fortune 500 1,000,000 vulnerabilities processed per day 6 Terabytes data stored per day 7,000+ websites receiving ~weekly assessments 940,000,000 HTTP(s) requests per month 2012 WhiteHat Security, Inc.

14 2012 WhiteHat Security, Inc. 14

15 7,000+ Customer Websites WhiteHat Security, Inc. 15

16 1 Game-ification 2012 WhiteHat Security, Inc. 16

17 Elevation of Privilege (EoP) Card Game Elevation of Privilege (EoP) is the easy way to get started threat modeling, which is a core component of the design phase in the Microsoft Security Development Lifecycle (SDL). The EoP card game helps clarify the details of threat modeling and examines possible threats to software and computer systems. The EoP game focuses on the following threats: Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege EoP uses a simple point system that allows you to challenge other developers and become your opponent's biggest threat WhiteHat Security, Inc. 17

18 Capture the Flag 2012 WhiteHat Security, Inc. 18

19 2 (Security Scorecards) Peer Pressure 2012 WhiteHat Security, Inc. 19

20 Publish Scorecards Internally & Regularly -- For All To See Group High Severity Vulnerabili7es Avg. Time- to- Fix (Days) Remedia7on Rate Window of Exposure (Days) 2012 Corporate Goal % 100 Industry Average % 223 Business Unit % 195 Business Unit % 161 Business Unit % 237 Business Unit % WhiteHat Security, Inc. 20

21 3 Computer-Based Training (CBT) 2012 WhiteHat Security, Inc. 21

22 The biggest problem in application security today: The huge shortage of qualified application security people WhiteHat Security, Inc. 22

23 Gary McGraw (CTO, Cigital) says roughly 2% of all programmers should be software security pros, or Builders in our case. Gary, through a project called BSIMM, arrived at 2% by surveying dozens of software security programs among large companies and measuring what they do. Programmer Population (Worldwide): 17 million We ll need 340,000 Builders 2012 WhiteHat Security, Inc. 23

24 We ll use a ratio of 1 breaker per to 100 websites. This ratio comes from internal metrics at WhiteHat Security generated from assessment conducted over the last 8 years and encompassing more than 7,000 websites. Important (SSL) website population: 1.2 million We ll need 12,000 Breakers 2012 WhiteHat Security, Inc. 24

25 No idea how to begin to estimate the Defender need, but it ll be in the tens of thousands at least. Considering the vast number of website assets that must be protected, the 1 billion online users who someone needs to ensure are playing nice, and monitoring the serious volume of Web traffic they generate.? WhiteHat Security, Inc.

26 OWASP Appsec Tutorial Series The OWASP AppSec Tutorial Series project provides a video based means of conveying complex application security concepts in an easily accessible and understandable way. Each video is approximately 5-10 minutes long and highlights one or more specific application security concepts, tools, or methodologies. The goal of the project is quite simple and yet quite audacious - provide top notch application security video based training... for free! WhiteHat Security, Inc. 26

27 4 Centralized Security Controls 2012 WhiteHat Security, Inc. 27

28 Development Frameworks ESAPI is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development WhiteHat Security, Inc. 28

29 5 Work Flow 2012 WhiteHat Security, Inc. 29

30 Model an Application WhiteHat Security, Inc. 30

31 Check against library of security tasks with rules 2012 WhiteHat Security, Inc. 31

32 Produce tailored security tasks Distills application security personnel expertise to developers. Fits cleanly into development processes. Tasks are continuously updated to keep up with new technologies & threats. In retroactive analysis of years of penetration-testing data, following SDE would have prevented approximately 85% of secure coding weaknesses WhiteHat Security, Inc. 32

33 6 Virtual-Patching 2012 WhiteHat Security, Inc. 33

34 8 out of 10 websites have serious* vulnerabilities (10 out of 10 if you are willing to wait long enough.) * Serious Vulnerability: A security weakness that if exploited may lead to breach or data loss of a system, its data, or users. (PCI- DSS severity HIGH, CRITICAL, or URGENT) WhiteHat Security, Inc. 34

35 Average annual amount of new serious* vulnerabilities introduced per website per year VulnerabiliWes are counted by unique Web applicawon and vulnerability class. If three of the five parameters of a single Web applicawon (/foo/webapp.cgi) are vulnerable to SQL InjecWon, this is counted as 3 individual vulnerabiliwes (e.g. a^ack vectors) WhiteHat Security, Inc. 35

36 Websites 676,919, million since March (Producing more code / websites than the industry is able to review.) WhiteHat Security, Inc. 36

37 SSL Websites 1,200, WhiteHat Security, Inc. 37

38 1.2 million x 79 vulns per year = 94,800,000 Undiscovered serious* vulnerabilities on just the SSL websites WhiteHat Security, Inc. 38

39 Overall Vulnerability Population (2011) Percentage breakdown of all the serious* vulnerabilities discovered Web Application Firewalls are best at mitigating vulnerabilities such as Cross-Site Scripting, Content Spoofing, SQL Injection, Response Splitting, etc. By summing all these percentages up we might safely say: A WAF could feasible help mitigate the risk of at least 71% of all custom Web application vulnerabilities WhiteHat Security, Inc. 39

40 7 (Crowd-Sourcing Vulnerability Assessment) Bug Bounties 2012 WhiteHat Security, Inc. 40

41 Websites Accepting $ Security Research 1) Paypal 2) Facebook 3) 37 Signals 4) Salesforce 5) Microsoft 6) Google 7) Twitter 8) Mozilla 9) ebay 10) Adobe 11) Reddit 12) GitHub 13) Constant Contact 14) Zeggio 15) Simplify, LLC 16) Team Unify 17) Skoodat 18) Relaso 19) Modus CSR 20) CloudNetz 21) EMPTrust 22) Apriva Millions of dollars to hundreds of researchers. Closed hundreds, if not thousands, of vulnerabilities. Protected hundreds of millions of users WhiteHat Security, Inc. 41

42 How to develop secure-(enough) software? 2012 WhiteHat Security, Inc. 42

43 Little-to-No Supporting Data WhiteHat Security, Inc. 43

44 Connect the Dots... (SDL) Security Controls Production Vulnerabilities Attack Traffic Breaches BSIMM WhiteHat Security Akamai IBM Verizon DBIR Trustwave Then we ll start getting some real answers about how to product secure-enough WhiteHat Security, Inc. 44

45 Thank You! Blog: Twitter: WhiteHat Security, Inc. 45