Managed Application Security trends and best practices in application security

Similar documents
OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Securing Cloud Applications with a Distributed Web Application Firewall Riverbed Technology

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance

OWASP Top 10 The Ten Most Critical Web Application Security Risks

C1: Define Security Requirements

Copyright

PT Unified Application Security Enforcement. ptsecurity.com

Development*Process*for*Secure* So2ware

Engineering Your Software For Attack

Web Applications Part 1 The Weak Link in Information Security Your Last Line of Defense

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

RiskSense Attack Surface Validation for Web Applications

The Top 6 WAF Essentials to Achieve Application Security Efficacy

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

Aguascalientes Local Chapter. Kickoff

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

Solutions Business Manager Web Application Security Assessment

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Web Application Vulnerabilities: OWASP Top 10 Revisited

AppScan Deployment APPLICATION SECURITY SERVICES. Colin Bell. Applications Security Senior Practice Manager

Automating the Top 20 CIS Critical Security Controls

Application Security at Scale

CSWAE Certified Secure Web Application Engineer

Mitigating Security Breaches in Retail Applications WHITE PAPER

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

IBM Future of Work Forum

Introduction F rom a management perspective, application security is a difficult topic. Multiple parties within an organization are involved, as well

V Conference on Application Security and Modern Technologies

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Certified Secure Web Application Engineer

OWASP TOP OWASP TOP

SECURITY TESTING. Towards a safer web world

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

OWASP Review. Amherst Security Group June 14, 2017 Robert Hurlbut.

OWASP Top David Johansson. Principal Consultant, Synopsys. Presentation material contributed by Andrew van der Stock

GOING WHERE NO WAFS HAVE GONE BEFORE

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

DXC Security Training

Application security : going quicker

WHITEHAT SECURITY. T.C. NIEDZIALKOWSKI Technical Evangelist. DECEMBER 2012

Hacking by Numbers OWASP. The OWASP Foundation

Presentation Overview

Protect your apps and your customers against application layer attacks

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

Micro Focus Fortify Application Security

Security Solutions. Overview. Business Needs

SIEMLESS THREAT MANAGEMENT

Security Communications and Awareness

Applications Security

Secure DevOps: A Puma s Tail

6-Points Strategy to Get Your Application in Security Shape

TIBCO Cloud Integration Security Overview

Continuously Discover and Eliminate Security Risk in Production Apps

Test Harness for Web Application Attacks

Web Application Security. Philippe Bogaerts

Developing Secure Systems. Associate Professor

90% of data breaches are caused by software vulnerabilities.

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Security In A Box. Modular Security Services Offering - BFSI. A new concept to Security Services Delivery.

Using and Customizing Microsoft Threat Modeling Tool 2016

Application. Security. on line training. Academy. by Appsec Labs

Hacker Attacks on the Horizon: Web 2.0 Attack Vectors

TRAINING CURRICULUM 2017 Q2

Welcome to the OWASP TOP 10

Security Communications and Awareness

Kaspersky Enterprise Cybersecurity. Kaspersky Security Assessment Services. #truecybersecurity

SIEMLESS THREAT DETECTION FOR AWS

Cybersecurity Education Catalog

Simplifying Application Security and Compliance with the OWASP Top 10

Web Application Security GVSAGE Theater

IBM Cloud Security for the Cloud. Amr Ismail Security Solutions Sales Leader Middle East & Pakistan

De-risk Your Applications. SUBSCRIBE TO EVRY S SECURITY TESTING AS A SERVICE (STaaS) TODAY!


Security Readiness Assessment

The Attacker s POV Hacking Mobile Apps. in Your Enterprise to Reveal Real Vulns and Protect the Business. Tony Ramirez

Ingram Micro Cyber Security Portfolio

Integrated Web Application Firewall (WAF) & Distributed Denial Of Service (DDoS) Mitigation For Today s Enterprises

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

CyberSecurity. Penetration Testing. Penetration Testing. Contact one of our specialists for more information CYBERSECURITY SERVICE DATASHEET

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Web 2.0, Consumerization, and Application Security

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

Discover Best of Show März 2016, Düsseldorf

Vulnerabilities in online banking applications

Enabling Security Controls, Supporting Business Results

Mobile Payment Application Security. Security steps to take while developing Mobile Application s. SISA Webinar.

Cloud Customer Architecture for Securing Workloads on Cloud Services

Atlassian. Atlassian Software Development and Collaboration Tools. Bugcrowd Bounty Program Results. Report created on October 04, 2017.

Security

Trustwave Managed Security Testing

Effective Strategies for Managing Cybersecurity Risks

Web Application Penetration Testing

Onapsis: The CISO Imperative Taking Control of SAP

Transcription:

Managed Application Security trends and best practices in application security Adrian Locusteanu, B2B Delivery Director, Telekom Romania adrian.locusteanu@telekom.ro

About Me Adrian Locusteanu is the B2B Delivery Director of Telekom Romania. His background includes the management of selling & delivery of ICT projects within multi-cultural enterprise environment having more than 20 years of experience in the ICT solutions and services market for government & Top100 enterprises. Adrian graduated Facultatea Automatica (UPB) and Academia de Studii Economice. He also holds an Executive MBA degree, a Master in Information Security and is a member of the Association of Chartered Certified Accountants.

MAIN SECURITY ATTACK VECTORS NETWORK USER APPLICATION

COMPELLING & BASIC TRUTHS ABOUT APPLICATION SECURITY Top breaches*: Web Application Attacks 30% CyberEspionage 14.93% Privilege Misuse 14.3 % Miscellaneous Errors 11.5% * source: Verzione Data Breach Investigations Report 2017 Top incidents*: Denial of Service 26.7% Privilege Misuse 18.4% Crimeware 16.5% Web Application Attacks 11.5% Application Security represents the highest risk attack vector with the least amount of strategic planning and spend (read opportunity!!) Attack surface expands as all organizations are continuously increasing web presence and application spend in order to optimize business 4

OWASP Top Application Security Risks 2013 A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Insecure Direct Object References A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Missing Function Access Level Control A8 Cross-Site Request Forgery A9 Using Components with Known Vulnerabilities A10 Unvalidated Redirects and Forwards 2017 A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Broken Access Control A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Insufficient Data Protection A8 Cross-Site Request Forgery A9 Using Components with Known Vulnerabilities A10 Underprotected APIs Top3 vulnerabilities remain unchanged Controversed new A7 (Insufficient Data Protection) A10 (Underprotected APIs) reflecting technology evolution (IoT, Cloud, etc ) 5

% of Issue Found by Stage of SDLC Security Testing Within the Software Lifecycle SDLC Coding Build QA Security Production Most Issues are found by security auditors prior to going live.

% of Issue Found by Stage of SDLC Security Testing Within the Software Lifecycle SDLC Coding Build QA Security Production Desired Profile

TYPICAL DEVELOPMENT CYCLE SHORTCUTS and issues Ambitious time-to-market puts pressure on security testing schedule Compromise on security to reach desired functionalities Deviations from security development methodologies No investment in specialized testing tools Not involving specialized security consultants in testing process Insufficient or no security training/awareness for developers 8

HOW SHOULD APPLICATION SECURITY BE APPROACHED an example from a related area Device Requirements PCI Compliance PCI-DSS PTS Secret Management Sofware Authentication PCI PIN (equivalent) PA-DSS Key Injection Key Management Requirements Software Requirements 9

HOW SHOULD APPLICATION SECURITY BE APPROACHED Lessons learned from POS Application End2End secured environment : strict and inter-related security requirements at all levels (hardware, kernel, key management, communication, software) Standardized application security testing: Visa/Mastercard application testing Control mechanisms (audits), discipline and penalties 10

The Need to Scale Security Testing Phase 1 Introducing Automated Security Testing Phase 2 Extending Automation Phase 3 Completely Integrated Automation People Involved Development Team Security Team Development Team QA Team Security Team QA Team Security Team Low % Applications Tested High

DAST and SAST Issue Type Coverage SAST Only Null pointer dereference Threading issues Code quality issues Issues in dead code Insecure crypto functions Issues in back-end application code Complex injection issues Issues in non-web app code Manual Testing Business logic issues Total Potential Security Issues DAST Only Environment configuration issues Patch level issues Runtime privileges issues Authentication issues Protocol parser issues Session management issues Issues in 3rd party web components Cross-site request forgery Malware analysis DAST & SAST SQL Injection Cross Site Scripting HTTP Response Splitting OS Commanding LDAP Injection XPath Injection Path Traversal Buffer Overflows Format String Issues

Find more vulnerabilities using the most advanced techniques Static Analysis Analyze Source Code Use during development Uses Taint Analysis / Pattern Matching Total Potential Security Issues Dynamic Analysis Analyze Live Web Application Use during testing Uses HTTP tampering More adv. Techniques Client-Side Analysis Analyze downloaded Javascript code which runs in client Unique in the industry Run-Time Analysis Combines Dynamic Analysis with run-time agent More results, better accuracy Hybrid Analysis Correlate Dynamic and Static results Assists remediation by identification of line of code

Advanced security testing collaboration & governance through application lifecycle Blackbox security testing Whitebox code analysis End2end security testing

RECENT DRIVERS/Constraints FOR APPLICATION SECURITY SECURE TRANSPARENCY The data subject needs to know what personal information we collect, we manipulate, to what purpose, and have control in the process. All personal data should be secured and remain private during the entire lifecycle. INFORMATION LIFECYCLE MANAGEMENT policy-based approach to managing the flow of information through a life cycle from creation to final disposition. GDPR was developed to ensure organization deal with personal information in a responsible manner SECURITY TRANSPARENCY GDPR was developed to ensure the end user has visibility to his data GDPR was developed to ensure the end user that his personal information remains private SECURITY BY DESIGN! SECURITY BY DEFAULT! 15

DECISION: IN-HOUSE VERSUS OUTSOURCE Outsource Complexity :HIGH Strategic Importance: LOW Minimize Effort Complexity : LOW Strategic Importance: LOW OUTSOURCE Minimum effort process improvement Automate Process Improvement Complexity :HIGH Strategic Importance: HiGH Automate Complexity : LOW Strategic Importance: HIGH

SERVICE CENTRIC APPLICATION SECURITY Dynamic Application Security Testing Static Code Review Services Integration with Incident management Security Operations Center Integration with Threat Intelligence Application Firewall Integration with Vulnerability management

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback