Name Aaron Clark. Title: Security Shifts to the Application

Transcription

1 Name Aaron Clark Title: Security Shifts to the Application

2 You re late to the party

3 Some found that out the hard way Night Dragon Sony LizaMoon HBGary Federal

4 Others were told they had to go PCI Disa STIG HIPAA FISMA NERC

5 Some looked at the costs 1,000,000x Security Flaw Unbudgeted Costs: Damage to Enterprise 10x 1x Functional Flaw Development Test Deployment Customer notification / care Government fines Litigation Reputational damage Brand erosion Cost to repair

6 The exposure is greater than you think

7 Web App Vulnerabilities Continue to Dominate Nearly half (49%) of all vulnerabilities are Web application vulnerabilities Cross-Site Scripting & SQL injection vulnerabilities continue to dominate

8 The Smarter Planet Our world is getting Instrumented Our world is getting Interconnected Our world is getting Intelligent

9 More Justification for Application Security Action 89% of records breached from hacks were leverage SQL Injection flaws 79% of breached organizations subject to PCI were found to be non-compliant 92% of compromised records were compromised using Web applications as the attack pathway Verizon 2010 data Breach Investigations Report

10 Security is never first It should never be last

11 So, why are there problems? We code the vulnerabilities Inadequate training of programmers Inadequate security specifications Inadequate security review and testing Lack of security management during SDLC Lack of adequate technology Conflicting objectives

12 Compounded by: Software Security Myths Network defenses provides protection Meets Compliance == Secure Website uses SSL, it s secure Vulnerabilities in internal apps are not important Annual penetration tests are an adequate safety measure Encryption of data is adequate safety measure

13 Security Landscape Technologies Distinguishing Network Firewalls: Perimeter protection mechanisms to block traffic in real-time. But websites have to be publicly available, thus port 80 and port 443 are enabled for access which makes Network Firewalls incapable of blocking application-layer attacks Intrusion Detection / Prevention Systems (IDS / IPS) Also considered a perimeter protection mechanism. They monitor data flow through the network in real-time. They are incapable of blocking application-layer attacks since they are not application-aware operating at the network level Application Firewalls: Perimeter protection and are generally very effective, but difficult to configure and maintain (every time an application changes the firewall needs to be reconfigured). They can also reduce website response time and lead to lost revenue Some percentage of good traffic is inadvertently blocked too Network Scanners Network Scanners are incapable of extensive interactions with the application layer (even using application scanners they provide) so no matter how secure an organization makes their network, they would still be vulnerable to application-level attacks Database Scanners Do not scan or test web applications They focus solely on how well information is protected within the database itself

14 So, Why Prioritize Secure Software? To protect value To protect privacy To avoid costs associated with non-compliance Some of the impacts due to attacks Loss of value Sensitive data, Trade secrets, Intellectual property, Reputational damage, Market capitalization,.. Downtime Unavailability, Disruption Regulatory penalties Fines, Litigation, PR, Notification Fraud

15 A framework for security

16 Application Safety Protect Valuable Assets Multiple points of protection Manage secure Web applications Ongoing management and security with a suite of identity and access management solutions Secure code development and vulnerability management Identify vulnerabilities and malware Actionable information to correct the problems End-to-end Web application security Deliver security and performance in Web services and SOA Purpose-built XML and SOA solutions for security and performance Protect Web applications from potential attacks Block attacks that aim to exploit Web application vulnerabilities Integrate Web application security with existing network infrastructure

17 A Path to Secure Applications Application & resource protection in operation Web Application Protection IBM Security Identity & Access Management IBM Security Secure Web Services Production-Site Monitoring Operational Risk Mgmt Secure application development across design, code, build, test phases Deploy Application Final Security Audit Vulnerability Assessment Functioning Application Vulnerability Assessment of Source Code Policy & Requirements Definition IBM Security Services Proactive Risk Mitigation

18 Smarter Security for Smarter Products Smarter Products require secure applications Security needs to be built into the development process and addressed throughout the development lifecycle Providing security for smarter products requires comprehensive security solutions deployed in concert with application lifecycle management offerings that: Provide integrated testing solutions for developers, QA, Security and Compliance stakeholders Leverage multiple appropriate testing technologies (static & dynamic analysis) Provide effortless security that allows development to be part of the solution Support governance, reporting and dashboards Can facilitate collaboration between development and security teams

19 The Application Security Challenge What? Need to mitigate the risk of a Security breach Need to find and remediate these vulnerabilities Must utilize a cost effective way of doing this that makes sense Who? Software security represents the intersection between security & development solution needs to be a joint collaboration Starts with Security Auditor (can also be outsourced) Larger organizations require the scaling of security testing into the development organization

20 Start to finish to start security

21 Security Testing Within the Software Lifecycle SDLC Coding Build QA Security Production Developers Developers Developers Application Security Testing Maturity

22 Security Testing Within the Software Lifecycle SDLC Coding Build QA Security Production % of Issue Found by Stage of SDLC Most Issues are found by security auditors prior to going live. Agile / Waterfall threshold? Application Deployed

23 Security Testing Within the Software Lifecycle SDLC Coding Build QA Security Production % of Issue Found by Stage of SDLC Desired Profile Agile / Waterfall threshold? Application Deployed

24 Cost Benefits of Early Detection (Web Application Vulnerability Assessment)

25 ROI Opportunity of Application Security Testing Cost Avoidance Of A Security Breach Costs of a security breach can include audit fees, legal fees, regulatory fines, lost customer revenue & brand damage Cost Savings Automated Testing Automated testing provides productivity savings over manual testing Cost Savings Testing Early in Dev Testing for vulnerabilities earlier in the development process can help avoid that unnecessary expense The cost to companies is $214 per compromised record** The average cost per data breach is $7.25 Million** ** Source: Ponemon Institute, Cost of a Data Breach, 2010 Outsourced audits can cost $10,000 to $50,000 per application At $20,000 an app, 50 audits will cost $1M. With 1 hire + 4 quarterly outsourced audits (ex: $120,000+$80,000), $800,000/yr can be saved (less the cost of testing software) 80% of development costs are spent identifying and correcting defects Cost of finding & fixing problems: code stage is $80, QA/Testing is $960* Ex: 50 applications annually & 25 issues per application, testing at code stage saves $1.1M over testing at QA stage. * Source: GBS Industry standard study

26 Principles & Perceptions Secure Development (mis)perceptions Aligned closely with waterfall steps (design, development, delivery) Process intensive and heavyweight Requires a large number of artifacts Agile Principle #1: Our highest priority is to satisfy the customer through early and continuous delivery of valuable software Secure software increases the client value Agile focuses on customer need and security is a customer need

27 Automated application security testing The dynamic (and static) duo

28 Security Testing Technologies Combination Drives Greater Solution Accuracy Static Code Analysis = Whitebox - Looking at the code for security issues (code-level scanning) Total Potential Security Issues Dynamic Analysis = Blackbox Static Analysis Greatest accuracy Dynamic Analysis - Sending tests to a functioning application

29 Application Security Chart There are three basic components to securing an application: The actual application source code The infrastructure it runs on External components it requires Different technologies are needed to fully map the risk 30

30 31 Dynamic Security Analysis through Automation altoro.com/ altoro.com/feedback.jsp Crawl Site altoro.com/login.jsp altoro.com/logout.jsp Fuzz with Known Attacks altoro.com/editprofile.jsp Identify Vulnerabilities SQL Injection!

31 32 Static Security Analysis through DoPost() { String username = request.getparameter("username"); String password = request.getparameter("password"); String query = "SELECT * from tusers where " + "userid='" + username + "' " + "AND password='" + password + "'"; ResultSet rs = stmt.executequery(query); } DoPost Automation Compile & Translate Apply API Rules DoPost GetParam Str.Append ExecuteQuery DoPost GetParam Str.Append Apply Vulnerability Rules GetParam SQL Injection! Str.Append ExecuteQuery ExecuteQuery

32 Complimentary Security Assessment Static Findings directly tied to their locations in the source Test earlier in lifecycle Test sub-components of an application Easier automation Fast scanning Non-web-applications, infrastructure, middleware All control flows Illuminate architecture and logic Consistent Automation Dynamic Simpler configuration No cross-domain requirement Lower learning curve Findings include attack vectors Captures dynamic activity (Spring, Struts, CAB) Scan unsupported source languages 3 rd party applications (no source) Find configuration vulnerabilities Smaller finding sets 33

33 The combined result

34 IBM Rational AppScan Comprehensive Application Vulnerability Management SECURITY REQUIREMENTS CODE BUILD QA PRE-PROD PRODUCTION AppScan Enterprise AppScan ondemand Security Requirements Definition AppScan Source AppScan Build AppScan Tester AppScan Standard AppScan Standard Security requirements defined before design & implementation Build security testing into the IDE Automate Security / Compliance testing in the Build Process Security / compliance testing incorporated into testing & remediation workflows Security & Compliance Testing, oversight, control, policy, audits Outsourced testing for security audits & production site monitoring Application Security Best Practices & Education Dynamic Analysis/Blackbox Static Analysis/Whitebox -

35 AppScan Source Edition Workflow AppScan Source for Security Configure AppScan Source for Security, Automation, or Developer AppScan Source for Security AppScan Reporting Monitor Scan Triage AppScan Source for Security or AppScan Source for Remediation Remediate Assign AppScan Source for Security 36

36 What s the first step?

37 Application Security Maturity IBM Internal Use Only IBM Security Solutions Model UNAWARE CORRECTIVE BOLT ON BUILT IN Security assessment coverage Doing nothing External tests on production applications and security team centric testing Improve Security Testing Coverage Security testing before deployment Development Team QA Team Development Team QA Team Fully integrated system security Improve Collaboration of security issues Improve Compliance and Management reporting Assure Secure SDLC Security Team Security Team Security Team Time IBM Internal Use Only 38

38 Security maturity Corrective SDLC Coding Build QA Security Production 3 rd Party Pen Test % of Issue Found by Stage of SDLC Agile / Waterfall threshold? Application Deployed

39 Security maturity Bolt-On SDLC Coding Build QA Security Production 3 rd Party Pen Test Manual Pen Test % of Issue Found by Stage of SDLC Manual Code Review Automated Pen Test Automated Code Scan Agile / Waterfall threshold? Application Deployed

40 Security maturity Built-In SDLC Coding Build QA Security Production Manual Pen Test Manual Pen Test 3 rd Party Pen Test Manual Pen Test % of Issue Found by Stage of SDLC Manual Code Review Automated Pen Test Automated Code Scan Manual Code Review Automated Pen Test Automated Code Scan Automated Pen Test Manual Code Review Automated Pen Test Automated Code Scan Agile / Waterfall threshold? Application Deployed

41 Security maturity what works SDLC Coding Build QA Security Production 3 rd Party Pen Test Manual Pen Test % of Issue Found by Stage of SDLC Automated Code Scan Automated Code Scan Automated Pen Test Manual Code Review Automated Pen Test Automated Code Scan Agile / Waterfall threshold? Application Deployed

42 Patrick Vandenberg IBM Rational Security Ben Mayrides Cigital

43 Legal Disclaimer IBM Corporation All Rights Reserved. The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. If the text contains performance statistics or references to benchmarks, insert the following language; otherwise delete: Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here. If the text includes any customer examples, please confirm we have prior written approval from such customer and insert the following language; otherwise delete: All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Please review text for proper trademark attribution of IBM products. At first use, each product name must be the full name and include appropriate trademark symbols (e.g., IBM Lotus Sametime Unyte ). Subsequent references can drop IBM but should include the proper branding (e.g., Lotus Sametime Gateway, or WebSphere Application Server). Please refer to for guidance on which trademarks require the or symbol. Do not use abbreviations for IBM product names in your presentation. All product names must be used as adjectives rather than nouns. Please list all of the trademarks that you use in your presentation as follows; delete any not included in your presentation. IBM, the IBM logo, Lotus, Lotus Notes, Notes, Domino, Quickr, Sametime, WebSphere, UC2, PartnerWorld and Lotusphere are trademarks of International Business Machines Corporation in the United States, other countries, or both. Unyte is a trademark of WebDialogs, Inc., in the United States, other countries, or both. If you reference Adobe in the text, please mark the first use and include the following; otherwise delete: Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries. If you reference Java in the text, please mark the first use and include the following; otherwise delete: Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. If you reference Microsoft and/or Windows in the text, please mark the first use and include the following, as applicable; otherwise delete: Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both. If you reference Intel and/or any of the following Intel products in the text, please mark the first use and include those that you use as follows; otherwise delete: Intel, Intel Centrino, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. If you reference UNIX in the text, please mark the first use and include the following; otherwise delete: UNIX is a registered trademark of The Open Group in the United States and other countries. If you reference Linux in your presentation, please mark the first use and include the following; otherwise delete: Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others. If the text/graphics include screenshots, no actual IBM employee names may be used (even your own), if your screenshots include fictitious company names (e.g., Renovations, Zeta Bank, Acme) please update and insert the following; otherwise delete: All references to [insert fictitious company name] refer to a fictitious company and are used for illustration purposes only.

44 Try the new Rational AppScan ROI calculator Use ROI calculator on a Web application testing solution. Discover how you can: Automate application security analysis. Detect exploitable vulnerabilities, protecting against the threat of cyber-attack. Reduce the costs associated with manual vulnerability testing. Visit our Rational Application & Security Website and get the newest updates

45 Free trial download of IBM Rational AppScan software Protect against the threat of attacks, and data breaches with Rational AppScan IBM Rational application security software helps IT and security professionals protect against the threat of attacks and data breaches. If you use applications to collect or exchange sensitive or personal data, your job as a security professional is harder now than ever before. Download it now at no charge!

46 Improvement Between Application Testing Cycles Significant decline in the likelihood of finding application vulnerabilities in a retest In many cases this reduction is more than half that of the original Demonstrates the importance of testing applications but also follow up and mitigation Note: Charts show which vulnerabilities were 50% or more likely to appear in a Web assessment for each industry

47

48 False Positives Most of the time they are not actually false positives. These false false positives are one of two things Sources the business doesn t care about (getproperty is far too common an example) Data flows that are validated by validators that haven t been marked up There are cases where false positives are a problem, 9 out of 10 of these occur because we can t set a rule for the validation Set in a config file (servlet validators, struts validators, etc) Validators declared with annotations (aspect oriented coding does this) Validators that occur before one of our Source rules are triggered Microsoft built-in validation (this one is more of a false false positive) 49