CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance

Similar documents
Web Applications Part 1 The Weak Link in Information Security Your Last Line of Defense

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

Managed Application Security trends and best practices in application security

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

WEB APPLICATION Q.A. - Ensuring Secure & Compliant Web Services - YOUR LAST LINE OF DEFENSE

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Security Solutions. Overview. Business Needs

CSWAE Certified Secure Web Application Engineer

Certified Secure Web Application Engineer

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

INNOV-09 How to Keep Hackers Out of your Web Application

Web Application Threats and Remediation. Terry Labach, IST Security Team

Hacker Attacks on the Horizon: Web 2.0 Attack Vectors

Web Application Security. Philippe Bogaerts

Presentation Overview

The Top 6 WAF Essentials to Achieve Application Security Efficacy

Curso: Ethical Hacking and Countermeasures

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Application. Security. on line training. Academy. by Appsec Labs

Integrated Web Application Firewall (WAF) & Distributed Denial Of Service (DDoS) Mitigation For Today s Enterprises

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Copyright

TRAINING CURRICULUM 2017 Q2

Solutions Business Manager Web Application Security Assessment

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Continuously Discover and Eliminate Security Risk in Production Apps

V Conference on Application Security and Modern Technologies

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Application Security. Doug Ashbaugh CISSP, CISA, CSSLP. Solving the Software Quality Puzzle

Web Application Penetration Testing

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

SECURITY TESTING. Towards a safer web world

TIBCO Cloud Integration Security Overview

Development*Process*for*Secure* So2ware

Improving Security in the Application Development Life-cycle

Your Turn to Hack the OWASP Top 10!

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Aguascalientes Local Chapter. Kickoff

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

RiskSense Attack Surface Validation for Web Applications

F5 Application Security. Radovan Gibala Field Systems Engineer

Hacking 102 Integrating Web Application Security Testing into Development

Security Communications and Awareness

OWASP TOP OWASP TOP

Security Communications and Awareness

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Securing Cloud Applications with a Distributed Web Application Firewall Riverbed Technology

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

GOING WHERE NO WAFS HAVE GONE BEFORE

Web Applications Security. Radovan Gibala F5 Networks

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

IBM Rational Software

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

CISSP CEH PKI SECURITY + CEHv9: Certified Ethical Hacker. Upcoming Dates. Course Description. Course Outline

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

Web Application Vulnerabilities: OWASP Top 10 Revisited

Welcome to the OWASP TOP 10

Applications Security

Top 10 Web Application Vulnerabilities

Security Testing for Benefits Screening & Management Project

Sichere Software vom Java-Entwickler

How NOT To Get Hacked

SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS

200 IT Security Job Interview Questions The Questions IT Leaders Ask

Certified Ethical Hacker (CEH)

Security

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Cybersecurity Education Catalog

WEB APPLICATION SCANNERS. Evaluating Past the Base Case

IBM SmartCloud Engage Security

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Bringing cyber to the Board of Directors & C-level and keeping it there. Dirk Lybaert, Proximus September 9 th 2016

1 About Web Security. What is application security? So what can happen? see [?]

Using Open Tools to Convert Threat Intelligence into Practical Defenses A Practical Approach

F5 comprehensive protection against application attacks. Jakub Sumpich Territory Manager Eastern Europe

Spotlight Report. Information Security. Presented by. Group Partner

Training Program Catalog SECURITY INNOVATION

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

BEST PRACTICES FOR SELECTING A WEB APPLICATION SCANNING (WAS) SOLUTION

Vulnerabilities in online banking applications

Simplifying Application Security and Compliance with the OWASP Top 10

Advanced Ethical Hacking & Penetration Testing. Ethical Hacking

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Bank Infrastructure - Video - 1

Web Applications (Part 2) The Hackers New Target

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Secure Access & SWIFT Customer Security Controls Framework

Ethical Hacker Foundation and Security Analysts Course Semester 2

Atlassian. Atlassian Software Development and Collaboration Tools. Bugcrowd Bounty Program Results. Report created on October 04, 2017.

Developing Secure Systems. Associate Professor

Hacking by Numbers OWASP. The OWASP Foundation

Transcription:

IBM Innovate 2010 CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance Anthony Lim MBA CISSP CSSLP FCITIL Director, Asia Pacific, Software Security Solutions IBM, Singapore Advisor & Secretary, Security & Governance, www.sitf.org.sg 1 The premiere software and product delivery event. August 10 Bangkok, Thailand

Prolog: The Security Journey Continues Every year - New, More, Bigger, Better SYSTEMS & ARCHITECTURE APPLICATIONS SERVICES -> New Risks -> New Vulnerabilities -> New Hacking methods Viruses, Worms, RATS, Bots (Remote Access TROJANS = Spyware) ->GOVERNANCE & COMPLIANCE! -> DATA PRIVACY, POLICIES AUDIT -> MOBILITY -> DATA LEAKAGE /LOSS -> S.O.A., S.A.A.S. -> CLOUD COMPUTING APPLICATION AS A SERVICE PLATFORM AS A SERVICE SERVICE AS A SERVICE (?!) 2

3

The Wonders of Cloud Computing Governance & Risk Management PC Laptop / Netbook Thin Client Mobile Device The Network is the computer?! The Internet Is The Cloud (or vice versa?!) 4 Client-server Architecture? <-> Private Cloud? Virtualization? <-> What s Where?! Thin Client?!

Welcome to THE SMARTER PLANET * Web 2.0 Globalization and Globally Available Resources Billions of mobile devices accessing the Web SOA CLOUD Access to streams of information in the Real Time New Possibilities.. 5 ITS ALL ABOUT SOFTWARE!

It Gets Worse WAP, GPRS, EDGE, 3G 802.1x Broadband 6 A hacker no longer needs a big machine

CLOUD COMPUTING SECURITY CONSIDERATIONS Confidentiality: Data exposure & leakage Integrity: Data compromise Availability: Reliability of service, business continuity Reduced Ability to Demonstrate Compliance: Reduced Ability to Manage the Security Environment: Storage and Backup, disaster recover Can the provider segregate and protect individual groups of data within the remote, distributed shared environment? Firewalls & IPS etc to prevent network/infra hacking attacks Standard perimeter defense is still first and foremost! Viruses, worms, trojans, malware, bots Identity and access management, user provisioning Authentication & Encryption Availability prevent againt Denial of Service Vigilant monitoring, S.I.E.M. 7

The Myth: Our Site Is Safe We Have Firewalls and IPS in Place Port 80 & 443 are open for the right reasons We Audit It Once a Quarter with Pen Testers Applications are constantly changing We Use Network Vulnerability Scanners Neglect the security of the software on the network/web server We Use SSL Encryption Only protects data between site and user not the web application itself 8

SOMETHING Governance & Risk Management IS STILL OUT THERE 9

10

WORST CREDIT CARD IDENTITY THEFT CASE - DONE BY A SOFTWARE ATTACK! STRAITS TIMES SINGAPORE 19AUG09 11

12

13

Cloud Computing Security The Soft Spot - Application Security Issues Applications can be CRASHED to reveal source, logic, script or infrastructure information that can give a hacker intelligence Applications can be COMPROMISED to make it provide unauthorised entry access or unauthorised access to read, copy or manipulate data stores, or reveal information that it otherwise would not. Eg. Parameter tampering, cookie poisoning Applications can be HIJACKED to make it perform its tasks but for an authorised user, or send data to an unauthorised recipient, etc. Eg. Cross-site Scripting, SQL Injection 14

These are real examples hackers Love these error message pages 15

16 Why is your debug tool shown to the world?

More information to entice a would-be hacker?! 17

18

A File List in HTML session?! 19

20 International Service for Renewal of Paper-mailed Magazine Subscription

Real Example: Online Travel Reservation Portal Change the reserid to 2001200 21

Real Example : Governance & Risk Management Parameter Tampering Reading another user s transaction insufficient authorization Another customer s transaction slip is revealed, including the email address 22

Parameter Tampering Reading another user s invoice Governance & Risk Management The same customer invoice that reveals the address and contact number 23 Boolean Logic?!

DON T TRY THIS AT HOME! Governance & Risk Management 24

WHY DO HACKERS TODAY ATTACK APPLICATIONS? Because they know you have firewalls So its not very convenient to attack the network anymore But they still want to attack cos they still want to steal data Because firewalls do not protect against app attacks! So the hackers are having a field day! Very few people are actively aware of application security issues Because web sites have a large footprint No need to worry anymore about cumbersome IP addresses Because they can! It is difficult or impossible to write a comprehensively robust application Developers are yet to have secure coding as second nature Developers think differently from hackers Cheap, Fast, Good choose two, you can t have it all It is a nightmare to manually QA the application Many companies today still do not have a software security QA policy or resource 25

Software Application Development Pressures Today I m being asked to: Deliver product faster (a lot faster!) Increase product innovation Improve quality Reduce cost Deliver a secure product (?) Singapore Mercedes Cheap Fast Good -> Choose 2 26

Top 10 OWASP Critical Web Application Security Issues 09 www.owasp.org 1 Unvalidated Input 2 Broken Access Control 3 Broken Authentication and Session Management 4 Cross Site Scripting Flaws 5 Buffer Overflows 6 Injection Flaws 7 Improper Error Handling 8 Insecure Storage 9 Denial of Service 10 Insecure Configuration Management 2010 1 Injection 2 Cross-Site Scripting (XSS) 3 Broken Authentication and Session Management 4 Insecure Direct Object References 5 Cross-Site Request Forgery (CSRF) 6 Security Misconfiguration 7 Insecure Cryptographic Storage 8 Failure to Restrict URL Access 9 Insufficient Transport Layer Protection 10 Unvalidated Redirects and Forwards 27

WHY DO APPLICATION SECURITY PROBLEMS EXIST? IT security solutions and professionals are normally from the network /infrastructure /sysadmin side They usually have little or no experience in application development And developers typically don t know or don t care about security or networking Most companies today still do not have an application security QA policy or resource IT security staff are focused on other things and are swarmed App Sec is their job but they don t understand it and don t want to deal with it Developers think its not their job or problem to have security in coding People who outsource expect the 3 rd party to security-qa for them It is cultural currently to not associate security with coding Buffer Overflow has been around for 25 years! Input Validation is still often overlooked. Back then coding was done by engineers Then came Y2K Dotcom boom etc 28

SECURITY TESTING IS PART OF SDLC QUALITY TESTING Collaborative Application Lifecycle Management SDLC Quality Assurance Quality Dashboard Requirements Management Test Management and Execution Defect Management Create Plan Build Tests Manage Test Lab Report Results Open Platform Best Practice Processes Functional Testing SAP Java Performance Testing TEAM SERVER Open Lifecycle Service Integrations Web Service Quality Code Quality System z, i.net Security and Compliance homegrown 29

You need a professional solution to Identify Vulnerabilities 30

With Rich Report Options 44 Regulatory Compliance Standards, for Executive, Security, Developers. 31

And Most Important : Actionable Fix Recommendations 32

33

Building security & compliance into the SDLC further back Software Development Life Cycle Coding Build QA Security Production Developers Enable Security to effectively drive remediation into development Developers Developers Provides Developers and Testers with expertise on detection and remediation ability Ensure vulnerabilities are addressed before applications are put into production 34

Application Development Security Testing Domains "BLACK BOX IBM Rational Appscan Source Edition Dynamic APPLICATION Analysis WHITE BOX IBM Rational Appscan Standard Edition State CODE Analysis Good for security folks who are not experienced in application development Good for developers who are not experienced in security Don't need to worry about code Provides learning for developers Simulates real-world exploit attack Good for interim audit of half-written code Tests for relation between App and other apps, O/S, middleware, network Can test for more than just HTTP /HTML code - eg. C, C++, C#, Perl, Codefusion, Javascript Like IPS, checks for "unknown" threats Like Firewall, checks for "known" threats 35

Conclusion: Application Develppment Quality for Security The Application Must Defend Itself Traditional FIREWALLS AND IPS WILL NOT STOP APPLICATION ATTACKS YOU CANNOT STOP AN APPLICATION ATTACK FROM HAPPENING The best way to protect against an application attack is to ensure the robustness of the application, that its written properly, if not defensively, that it s Q.A ed for bugs, vulnerabilities, logic errors etc Bridging the GAP between Software development and Information Security QA Testing for Security must now be integrated and strategic We need to move security QA testing back to earlier in the SDLC at production or pre-production stage is late and expensive to fix Developers need to learn to write code defensively and securely Lower Compliance & Security Costs by: 36 Ensuring Security Quality in the Application up front Not having to do a lot of rework after production Automated software security scanning & remediation solution backed by world class R&D

T h a n k Y o u Anthony LIM MBA CISSP CSSLP FCITIL ISC2 CLOUD COMPUTING SECURITY THE SOFT SPOT www.isc2.org www.ibm.com/security www.owasp.org 37 37

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback