Is Your Web Application Really Secure? Ken Graf, Watchfire

Similar documents
Improving Security in the Application Development Life-cycle

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Certified Information Security Manager (CISM) Course Overview

A Risk Management Platform

Case Study: The Evolution of EMC s Product Security Office. Dan Reddy, CISSP, CSSLP EMC Product Security Office

Development*Process*for*Secure* So2ware

Session 5311 Critical Testing Programs for Security Operations

A GUIDE TO CYBERSECURITY METRICS YOUR VENDORS (AND YOU) SHOULD BE WATCHING

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Securing SharePoint TASSCC TEC 2009 Web 2.0 Conference

Cybersecurity Today Avoid Becoming a News Headline

Think Vulnerability Management Has Been Commoditized? You're using the wrong vendor.

CSWAE Certified Secure Web Application Engineer

locuz.com SOC Services

Practical Guide to Securing the SDLC

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

Secure Development Lifecycle

HP Fortify Software Security Center

Jim Reavis CEO and Founder Cloud Security Alliance December 2017

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

WHITE PAPER. Best Practices for Web Application Firewall Management

Effective Threat Modeling using TAM

RBS NetGain Enterprise Manager Multiple Vulnerabilities of 11

SDLC Maturity Models

Continuously Discover and Eliminate Security Risk in Production Apps

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Threat Hunting in Modern Networks. David Biser

How to construct a sustainable vulnerability management program

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

How to Improve Your. Cyber Health. Cybersecurity Ten Best Practices For a Healthy Network

YOUR WEAKEST IT SECURITY LINK?

Understanding IT Audit and Risk Management

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Using Open Tools to Convert Threat Intelligence into Practical Defenses A Practical Approach

Vulnerability Management From B Movie to Blockbuster Rahim Jina

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

AppScan Deployment APPLICATION SECURITY SERVICES. Colin Bell. Applications Security Senior Practice Manager

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

Protect your apps and your customers against application layer attacks

Hacker Academy UK. Black Suits, White Hats!

THE ART OF SECURING 100 PRODUCTS. Nir

Practical SCADA Cyber Security Lifecycle Steps

Security Testing. John Slankas

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards

Hello, and welcome to a searchsecurity.com. podcast: How Security is Well Suited for Agile Development.

White Paper. Why IDS Can t Adequately Protect Your IoT Devices

Reinvent Your 2013 Security Management Strategy

Train as you Fight: Are you ready for the Red Team?

PT Unified Application Security Enforcement. ptsecurity.com

BEST PRACTICES FOR SELECTING A WEB APPLICATION SCANNING (WAS) SOLUTION

A company built on security

Device Discovery for Vulnerability Assessment: Automating the Handoff

Insurance Industry - PCI DSS

MARCH Secure Software Development WHAT TO CONSIDER

A Security Practice Evaluation Framework

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

The State of Privacy in Washington State. August 16, 2016 Alex Alben Chief Privacy Officer Washington

CYSE 411/AIT 681 Secure Software Engineering. Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun

4. Risk-Based Security Testing. Reading. CYSE 411/AIT 681 Secure Software Engineering. Seven Touchpoints. Application of Touchpoints

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

SECURITY TRAINING SECURITY TRAINING

Endpoint Security Can Be Much More Effective and Less Costly. Here s How

Figure 11-1: Organizational Issues. Managing the Security Function. Chapter 11. Figure 11-1: Organizational Issues. Figure 11-1: Organizational Issues

Centralized Control System Architecture

Security Issues and Best Practices for Water Facilities

SIEM: Five Requirements that Solve the Bigger Business Issues

Best Practices in ICS Security for System Operators

MIS Class 2. The Threat Environment

Fortify Software Security Content 2017 Update 4 December 15, 2017

Security at the Digital Cocktail Party. Social Networking meets IAM

Advanced Security Tester Course Outline

Security Testing. - a requirement for a secure business. ISACA DAY in SOFIA. Gabriel Mihai Tanase, Director, Cyber Services KPMG in CEE

Cyber Security For Utilities Risks, Trends & Standards. IEEE Toronto March 22, Doug Westlund Senior VP, AESI Inc.

You will discuss topics related to ethical hacking, information risks, and security techniques which hackers will seek to circumvent.

Training and Certifying Security Testers Beyond Penetration Testing

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Enabling Performance & Stress Test throughout the Application Lifecycle

Automating the Top 20 CIS Critical Security Controls

Cybersecurity Session IIA Conference 2018

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Industrial Security Co-Sourcing: Shifting from CapEx to OpEx Presented by Vinicius Strey Manufacturing in America 03/22-23/2017

WHITE PAPERS. INSURANCE INDUSTRY (White Paper)

CSE 565 Computer Security Fall 2018

Metrics That Matter:

SHA-1 to SHA-2. Migration Guide

Establishing a Framework for Effective Testing and Validation of Critical Infrastructure Cyber-Security

Building Security Into Applications

Evolution Of The Need For IAM. Securing connections between people, applications, and networks

A New Cyber Defense Management Regulation. Ophir Zilbiger, CRISC, CISSP SECOZ CEO

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

The Convergence of Security and Compliance. How Next Generation Endpoint Security Manages 5 Core Compliance Controls

The Need for Confluence

security FRAUD PREVENTION Business Checklist Safeguard your money, your credit and your good name.

Copyright ECSC Group plc 2017 ECSC - UNRESTRICTED

Transcription:

Is Your Web Application Really Secure? Ken Graf, Watchfire

What we will discuss today Pressures on the application lifecycle Why application security defects matter How to create hacker resistant business logic in the development environment

Processes changing at Microsoft "Under the old structure, you wrote the code and then reviewed it for bugs. But that doesn't work anymore. You have to change your processes and techniques from cradle to grave to develop software that can withstand a malicious attack." - Michael Howard, Senior Security Program Manager at Microsoft http://www.microsoft.com/indonesia/msdn/sdl.asp

Typical Challenges for a Financial Service Company Well known and attractive site Thousands of legacy and new applications Application development spread across many business units Corporate mandate to build applications securely Reduce overall cost of development lifecycle Outsourcing >$1M a year for ethical hacking Developers had limited knowledge of security issues

Current processes lead to security cost challenges Operational Inefficiencies Multiple owners Disparate tools/skills Deadline pressure Lack of automation Budget constraints Competition Requirements Design Development Testing Integration Production? Defect Discovery Defects are introduced and discovered at every level. Cost based on which stage you must go return to.

How much do security defects cost? Found in Design Found in Coding Found in Integration Found in Beta Found in GA Design Errors 1x 5x 10x 15x 30x Coding Errors 1x 10x 20x 30x Integration Errors 1x 10x 20x NIST 2002 Software Quality Study Estimates of relative cost factors of correcting errors as a function of where errors were introduced and found A very technical and detailed report on the economics http://www.nist.gov/director/prog-ofc/report02-3.pdf

What are the common causes of defects? Poor technology selection Unaware of security risks Incomplete test support Lack of error and nonfunctional testing Poor code coverage User policy errors Social Engineering Requirements Design Development Testing Integration Production Unaware of security risks Missing requirements Application security testing omitted Poor data validation Insecure IDE wizards Unaware of security risks 3 rd party vulnerabilities Vendor misconfigurations Operational error

What are the typical threats applications face

Sample XSS and SQL attacks

How should you address application security threats? Testing Education Process Principles Tools

Testing Write tests first then the code. Application testing should be capable of being run on demand, including production. Development teams must know the proper use of the test framework. Security testing must be considered at the beginning of the process as part of the requirements and design stages. Automate testing.

Education Have everyone understand that application security relies on, but is separate from, network and host security. Development teams must know the proper use of the development framework. Education is ongoing, at least annual review. Implement dashboards of organizational wide metrics pertaining to application security certification and status.

What is your Application Security Maturity? Optimizing Striving for continuous process improvement Quantitatively Managed Security reviews completed in all process stages Published organizational standards for secure development Defined Early stage security reviews Security awareness is provided for all process stages Predetermined policy is enforced for the entire organization Managed Audits Use of automated scanning tools prior to deployment Organizational policy statement (exceptions permitted) Performed Infrastructure penetration tests Application policy statement (limited enforcement)

Why Principles? You can not cover all situations. Principles are basic rules from which more specific and targeted rules can be derived. Understanding secure web programming principles enables a reasonable programmer to find the right (=secure) solution for a new problem. Can be applied independently of IDE, languages, and tools in use at your site.

Principle #1 - All Input is Evil What is (web application) Input? Anything HTTP: Method Path Query parameters HTTP headers (e.g. User-Agent, Range) Body parameters SSL client data (certificate data) Use the.net validation classes

Principle #2 - Use a Positive Security Model Positive security Define exactly what the application is willing to accept and process. Accepting only what the application can process prevents false positives. Negative security Define what is hostile or not acceptable. Addresses current (known) attacks and must be updated to handle future (unknown) attacks. Broad (loose) definitions cause false negatives.

Principle #3 - Validate in a Trusted Environment Do you trust the application clients? Hint: all input is evil Do you trust your client s machine/browser? If it s worth doing, it s worth doing yourself (on your own machine). Client side validation is good for user experience. Security-wise, it is meaningless.

Principle #4 - Defensive Programming Applications are built in layers. Applications use 3 rd party code (3 rd party = the next department). Each layer has security responsibilities: Do not trust the previous layer. Validate your input. Do not trust libraries/internal data. Validate the data (indirect input). Do not provide the next layer with bad data contain the problem. Halt the system as soon as questionable/inconsistent data is detected. Exit gracefully, clean behind you. Don t leave the system in an undefined state. Coarse vs. Fine Grain Validation

Principle #5 - Don t Reinvent the Wheel A lot of security (and programming) facilities are available with your programming environment, especially with Microsoft ASP.NET. Usually, this is (well) debugged code, with (some) security in mind. Get to know your programming environment/libraries. Use what you can. Use well, avoid pitfalls, and keep track of security issues as they get published.

Principle #6 - Eliminate Security by Obscurity Assume the user can guess/reconstruct your application information. Database structure, field names, data types, etc... Information contained in cookies or tokens. 3 rd party products used in the application. Location of application files. Acknowledge that hostile parties will have access to your application. Ex-employees. Outsourced developers. Customers and Partners (via service agreements). Competitors (via all of the above).

Principles Review Trust nothing All Input is Evil Use a positive security model Validate in a trusted environment Defensive programming Use existing infrastructure Eliminate security by obscurity

Security Testing Demonstration

How do we make it happen? Improve security awareness. Security testing integrated into development process. Categorize application risk and liability. Security reviews should be part of requirements, design, and development stages. Give developers access to automated tools. Zero tolerance enforcement.

Questions & Answers

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback