Presentation Overview

Similar documents
OWASP Top 10 The Ten Most Critical Web Application Security Risks

Aguascalientes Local Chapter. Kickoff

SDLC Maturity Models

Securing Cloud Applications with a Distributed Web Application Firewall Riverbed Technology

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

V Conference on Application Security and Modern Technologies

Copyright

Continuously Discover and Eliminate Security Risk in Production Apps

OWASP CISO Survey Report 2015 Tactical Insights for Managers

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance

OWASP TOP OWASP TOP

Simplifying Application Security and Compliance with the OWASP Top 10

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

The Top 6 WAF Essentials to Achieve Application Security Efficacy

Introduction F rom a management perspective, application security is a difficult topic. Multiple parties within an organization are involved, as well

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards

OWASP Review. Amherst Security Group June 14, 2017 Robert Hurlbut.

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

C1: Define Security Requirements

Solutions Business Manager Web Application Security Assessment

Ingram Micro Cyber Security Portfolio

Application Security Approach

RiskSense Attack Surface Validation for Web Applications

Securing Your Company s Web Presence

10 FOCUS AREAS FOR BREACH PREVENTION

Microsoft Security Management

Protect Your Organization from Cyber Attacks

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

Cyber Security Audit & Roadmap Business Process and

Security Communications and Awareness

Development*Process*for*Secure* So2ware

What is Penetration Testing?

Compliance Audit Readiness. Bob Kral Tenable Network Security

Atlassian. Atlassian Software Development and Collaboration Tools. Bugcrowd Bounty Program Results. Report created on October 04, 2017.

Keys to a more secure data environment

Web Application Penetration Testing

90% of data breaches are caused by software vulnerabilities.

Top 10 Web Application Vulnerabilities

AppScan Deployment APPLICATION SECURITY SERVICES. Colin Bell. Applications Security Senior Practice Manager

Security Communications and Awareness

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

CSWAE Certified Secure Web Application Engineer

Web Application Security. Philippe Bogaerts

PCI DSS 3.1 is here. Are you ready? Mike Goldgof Sr. Director Product Marketing

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

WHITEHAT SECURITY. T.C. NIEDZIALKOWSKI Technical Evangelist. DECEMBER 2012

A (sample) computerized system for publishing the daily currency exchange rates

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

Automating the Top 20 CIS Critical Security Controls

Designing and Building a Cybersecurity Program

F5 Application Security. Radovan Gibala Field Systems Engineer

Trustwave Managed Security Testing

BEST PRACTICES FOR SELECTING A WEB APPLICATION SCANNING (WAS) SOLUTION

Security Solutions. Overview. Business Needs

Insider Threat Detection Including review of 2017 SolarWinds Federal Cybersecurity Survey

QUICK WINS: Why You Must Get Defensive About Application Security

PCI Time-Based Requirements as a Starting Point for Business-As-Usual Process Monitoring

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

PT Unified Application Security Enforcement. ptsecurity.com

Securing Dynamic Data Centers. Muhammad Wajahat Rajab, Pre-Sales Consultant Trend Micro, Pakistan &

Must Have Items for Your Cybersecurity or IT Budget in 2018

Secure Application Development. OWASP September 28, The OWASP Foundation

Application. Security. on line training. Academy. by Appsec Labs

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

Vulnerability Management

External Supplier Control Obligations. Cyber Security

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Managed Application Security trends and best practices in application security

The Honest Advantage

5 IT security hot topics How safe are you?

Total Security Management PCI DSS Compliance Guide

GOING WHERE NO WAFS HAVE GONE BEFORE

Threat Modeling for System Builders and System Breakers!! Dan Copyright 2014 Denim Group - All Rights Reserved

Fundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring

De-risk Your Applications. SUBSCRIBE TO EVRY S SECURITY TESTING AS A SERVICE (STaaS) TODAY!

Effective Strategies for Managing Cybersecurity Risks

Challenges 3. HAWK Introduction 4. Key Benefits 6. About Gavin Technologies 7. Our Security Practice 8. Security Services Approach 9

Certified Secure Web Application Engineer

Information Security Controls Policy

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

How NOT To Get Hacked

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

Best Practices in Securing a Multicloud World

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

SOLUTION BRIEF FPO. Imperva Simplifies and Automates PCI DSS Compliance

Transcription:

Presentation Overview Basic Application Security (AppSec) Fundamentals Risks Associated With Vulnerable Applications Understanding the Software Attack Surface Mean Time to Fix (MTTF) Explained Application Testing More Than Simple Scans How to Include AppSec in Annual Risk Assessments Tools and Resources to Assess and Audit AppSec Maturity 1

Application Security Fundamentals Application security includes measures taken throughout an application's life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance of the application.* The primary focus is on Layer 7 of the OSI Model AppSec should be part of an organization s or vendor s Software (or System) Development Life- Cycle (SDLC) A key component of application security should be for developers and their managers to be aware of basic AppSec requirements, common threats and effective countermeasures AppSec knowledge and maturity is significantly lower today than traditional network security * Wikipedia 2

Risks Associated With Vulnerable Applications Unauthorized access to sensitive customer or company data Theft of sensitive data to conduct identity theft, credit card fraud or other crimes Defacement of websites; strong potential for brand damage Manipulation of data impacting data integrity, quality and organization s reputation Redirection of users to malicious web sites; phishing and malware distribution Denial of service; availability of data Attackers can assume valid user identities Access to hidden web pages using forged URLs Attacker s hostile data can trick the interpreter to execute unintended commands 3

What Is Your Software Attack Surface? To assess application security, many organizations focus on obvious software resources, but overlook their overall inventory of applications and code from less obvious sources when they analyze their assets. Software You Currently Know About What s Normally In This Category? Critical legacy systems Notable web applications Why Do These Usually Merit Consideration? Lots of monetary or brand value flows through them Compliance requirements (e.g. PCI, HIPAA, FFIEC, etc.) Formal SLAs with customers You ve had one or more previous security incidents (or near misses) 4

What Is Your Software Attack Surface Part 2? Add In the Rest of the Web Applications Your Organization Actually Develops and Maintains What s Normally in This Category? Line of business applications Event-specific applications, e.g. holiday apps, sales support, open enrollments Why Could You Miss Them in Your Analysis? Lack of knowledge, overlooked or forgot they were there Line of business procured through nonstandard channels Added through a merger or acquisition Believed to be retired but still active 5

What Is Your Software Attack Surface Part 3? What s Normally in This Category? Less known or utilized line of business applications Support applications Infrastructure applications Add In the Software You Bought from Somewhere Why Could You Miss Them in Your Analysis? Automated scanners are good at finding web applications. Non-web, not so much. Contract language or un-validated assumptions that the application vendor has security covered 6

What Is Your Software Attack Surface Part 4? What s Normally in This Category? Support for line of business functions General marketing and promotion Financial analysis applications Software as a Service (SaaS) Mobile applications User procured software Mobile Cloud Why Could You Miss Them in Your Analysis? Decentralized procurement Ineffective security policies Use of prohibited software Lack of awareness 7

Attack Surface: The Security Officer s and Auditor s Perspective As perception of the problem of attack surface grows, the scope of the problem increases or, the more you know, the more you need to assess Web Applications Client-Server Applications Desktop Applications Cloud Applications and Services Mobile Applications Insight Perception 8

Value and Risk Are Not Equally Distributed Some Applications Matter More Than Others Value and character of data being managed Value of the transactions being processed Cost of downtime and breaches Therefore All Applications Should Not Be Treated the Same Allocate different levels of resources to assurance Select different assurance activities Also must often address compliance and regulatory requirements 9

Myth #1 I Don t Need AppSec Because My Network is Secure Technical Rationale Non-Technical Rationale 10

Mean Time to Fix (MTTF) A 2013 industry study from White Hat Security revealed that the Mean Time to Fix for web application flaws categorized as serious averaged 193 days across all industries. In the same study, for one industry (Education) the figure jumped to 342 days of exposure In a similar study from Veracode, 70% of 22,430 applications submitted to their testing platform in 2012 contained exploitable security vulnerabilities How would you report to your management that a serious and likely exploitable vulnerability was present on your primary public facing web site or a 3 rd party hosted portal for more than six months? What compensating control or controls do you think you could explain to placate management that a serious vulnerability could not be exploited? Verizon s 2013 Breach Report says 90% of attacks last year were perpetrated by outsiders and 52% used some form of hacking. How does this help you explain application risk? 11

Myth #2 An Automated Scanner Can Find All The Application Vulnerabilities That Exist There is no silver bullet for identifying application security vulnerabilities. There are different classes of tools ranging from static code scanners that assess the code to dynamic scanners that analyze logic and data flow. Generally, 30% to 40% of vulnerabilities can be identified by scanners; the remainder are uncovered by other means. Manual testing allows an informed and experienced tester to attempt to manipulate the application, escalate privileges or get the application to operate in a way it was not designed to do. But wait, there s more 12

What Goes Into An Application Test? Application security goes well beyond simply running a scanning tool. For critical or high value applications, or those that process sensitive data, thorough testing may actually include a combination of several methods. Unauthenticated Automated Scan Authenticated Automated Scan Automated Binary Analysis Blind Penetration Testing Manual Source Code Review Manual Binary Analysis Informed Manual Testing Automated Source Code Scanning 13

AppSec What Can You Do and Why? Information Security Professionals Promote AppSec awareness in your organization Confirm that application security testing is part of your overall security program Demand that all applications developed by 3 rd parties be tested and remediated prior to being placed in production Get all developers and their managers trained on AppSec Obtain and review the SDLC from a security perspective IT Auditors Influence your Chief Audit Executive to include AppSec in the organization s annual risk assessment Increase your relevance and value to your organization by identifying risks associated with poorly coded applications Conduct a simple initial audit to assess what controls are in place Conduct a subsequent audit to determine the effectiveness of those controls; measure MTTF 14

Tools and Resources Open Software Assurance Maturity Model (OpenSAMM) A freely available open source framework that organizations can use to build and assess their software security programs www.opensamm.org The Open Web Application Security Project (OWASP) Worldwide not-for-profit organization focused on improving the security of software. Source of valuable free resources www.owasp.org Open Source or Low Cost Application Security Scanners OWASP Zed Attack Proxy (ZAP), w3af, Mavituna Netsparker, Websecurify, Wapiti, N- Stalker, SkipFish, Scrawlr, Acunetix, and many more to do basic discovery work 15

The OWASP Top 10 For 2013 A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Insecure Direct Object References A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Missing Function Level Access Control A8 Cross-Site Request Forgery (CSRF) A9 Using Components with Known Vulnerabilities A10 Unvalidated Redirects and Forwards https://www.owasp.org/index.php/category:owasp_top_ten_project 16

Example AppSec Audit Work Program So#ware Assurance Maturity Model (SAMM) Scorecard Business Functions Governance Construction Verification Deployment Level 1 Maturity Activity # Security Practices/Phase Level A B 1 Strategy & Metrics 0.5 0 1 2 Policy & Compliance 0.5 0 1 3 Education & Guidance 0 0 0 4 Threat Assessment 0 0 0 5 Security Requirements 0.5 0 1 6 Secure Architecture 0 0 0 7 Design Review 0.5 0 1 8 Code Review 0 0 0 9 Security Testing 0 0 0 10 Vulnerability Management 1 1 1 11 Environment Hardening 1 1 1 12 Operational Enablement 0 0 0 SAMM Valid Maturity Levels 0 Implicit star:ng point represen:ng the ac:vi:es in the Prac:ce being unfulfilled 1 Ini:al understanding and ad hoc provision of Security Prac:ce 2 Increase efficiency and/or effec:veness of the Security Prac:ce 3 Comprehensive mastery of the Security Prac:ce at scale Legend Objective Activity was met. Objective Activity was not met. 17

Open Source Software Vulnerability Management Tool Supports consolidation and de-duplication of imported results from scanner tools, manual testing and threat modeling Provides reports on application security status and trending over time Translates application vulnerabilities into software defects and pushes tasks to developers in the tools and systems they are already using Creates virtual Web Application Firewall (WAF) rules to help block malicious traffic while vulnerabilities are being resolved. While your organization takes on remediation of your applications, virtual patching helps guard against common vulnerabilities such as Cross-Site Scripting (XSS) and SQL Injections. Compatible with a number of commercial and freely available dynamic and static scanning technologies, SaaS testing platforms, IDS/IPS and WAFs and defect trackers ThreadFix Auditor Currently in Development Virtual Application Scanner Will allow audit and security professionals to identify, track and report on application security vulnerabilities and remediation activities/effectiveness 18

Questions / Contact Information Joe Krull Director jkrull@denimgroup.com (210) 572-4400 www.denimgroup.com blog.denimgroup.com 19

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback