WEB APPLICATION Q.A. - Ensuring Secure & Compliant Web Services - YOUR LAST LINE OF DEFENSE Anthony Lim MBA CISSP FCITIL Director Asia Pacific, Watchfire IBM Rational, Singapore www.watchfire.com 2007 IBM Corporation
Prolog: Situation of the world today

HIGH DEPENDENCE ON INTERNET AND WEB SERVICES TODAY
- For work, leisure and communications
- Intranets, Extranets, SOA; B2B, SCM, CRM, ERP, membership portals, e-government services
- B2C, C2C (Yahoo, Amazon, eBay) shopping and transactions
- Internet banking, E*Trade, theater tickets, travel reservations, web mail, gaming
- Community portals / social networking: Google, MySpace, YouTube, blogs

NO TANGIBLE PROTECTION FOR WEB APPLICATIONS TODAY
- Firewalls, IPS, SSL and other network security devices do not stop web traffic; they pass it through to the application
- Hackers specifically target web services, applications and sessions today to steal or compromise information and databases

SECURITY PEOPLE DO NOT USUALLY HAVE SDLC EXPERIENCE
- Software developers do not usually want to have anything to do with security
State of the Application Security Market

Visa, Amex Cut Ties with CardSystems (July 19, 2005) -- Visa USA Inc. and American Express Co. are cutting ties with the payment-processing company that left 40 million credit and debit card accounts vulnerable to hackers in one of the biggest breaches of consumer data.

Massive Security Breach Reveals Credit Card Data (Jan 18, 2007) -- The TJX Companies, a large retailer that operates more than 2,000 retail stores under brands such as Bob's Stores, HomeGoods, Marshalls, T.J. Maxx and A.J. Wright, said on Wednesday that it suffered a massive computer breach on a portion of its network that handles credit card, debit card, check and merchandise transactions in the United States and abroad.

CNBC's Easy Money -- BusinessWeek uncovers that the cable channel's own design flaw may be behind the investigation into its million-dollar stock-picking contest.

BJ's Settles Case with FTC over Customer Data (June 17, 2005) -- FTC alleges weak security at the wholesale club led to fraudulent sales valued in the millions. After credit card data for thousands of customers was used to make fraudulent purchases in other stores, BJ's Wholesale Club Inc. has agreed to settle.

USDA admits data breach, thousands of social security numbers revealed (Thursday, 17 April 2007, AXcess News, Washington) -- The US Department of Agriculture (USDA) admitted that a security breach allowed social security and other personal information of over 63,000 recipients of federal farm loans to be made available on a public website, in violation of federal privacy laws.
The Security Journey Continues: New and more applications, services and systems -> vulnerabilities -> hacking methods -> viruses, worms, RATs (Trojans, spyware) -> GOVERNANCE & COMPLIANCE! New areas of IT security weakness arise all the time.
It Gets Worse: WAP, GPRS, EDGE, 3G; 802.1x; Broadband
Sheer Volume of Applications Keeps You From Getting Ahead of the Problems
1. Security team has become a bottleneck
2. Lack of control and visibility
3. Catching problems late in the cycle
4. Not monitoring deployed applications
5. Difficulty managing 3rd-party vendors
Have to do more with less, still; risk is high, accountability is prevalent.
The Myth: "Our Site Is Safe"
- "We have firewalls in place" -- but ports 80 and 443 are open for the right reasons, and the attack rides in on that allowed traffic
- "We audit it once a quarter with pen testers" -- but applications are constantly changing
- "We use network vulnerability scanners" -- but they neglect the security of the software on the network/web server
- "We use SSL encryption" -- but SSL only protects data in transit between site and user, not the web application itself
SO WHY ARE THESE HAPPENING? Don't they already have firewalls etc.?
Real Example: Parameter Tampering -- reading another user's transaction (insufficient authorization). By changing a transaction identifier in the request, another customer's transaction slip is revealed, including the email address.

Parameter Tampering -- reading another user's invoice: the same customer's invoice, which reveals the address and contact number.
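The two slides above show the same defect twice: the server trusts an identifier the client controls and never asks whether the logged-in user owns the record. The following is an added example, not code from the original deck or from Watchfire; the invoice records, user names and handler functions are constructed for illustration. It models a vulnerable handler beside a hardened one and shows how a tampering sweep across neighbouring ids leaks other customers' slips from the first but not the second.

```python
"""Parameter tampering / insufficient authorization, modelled in memory.

Constructed example. INVOICES stands in for a customer database; the two
handlers stand in for the server code behind a URL such as
/invoice?id=1002, with session_user being the identity the server already
established at login.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str        # account that the invoice belongs to
    email: str
    address: str
    amount: float


# Constructed sample data: two customers with adjacent, guessable ids.
INVOICES = {
    1001: Invoice(1001, "alice", "alice@example.com", "1 Orchard Rd", 120.00),
    1002: Invoice(1002, "bob", "bob@example.com", "2 Shenton Way", 75.50),
}


class Refused(Exception):
    """Raised when a request is not served (missing record or not authorised)."""


def vulnerable_get_invoice(session_user: str, invoice_id: int) -> Invoice:
    """VULNERABLE: the id from the query string is used as-is.

    The session identity is never consulted, so any logged-in user who edits
    ?id=1001 to ?id=1002 receives another customer's slip, address included.
    """
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise Refused(f"no invoice {invoice_id}")


def hardened_get_invoice(session_user: str, invoice_id: int) -> Invoice:
    """HARDENED: ownership is decided server-side from the session identity.

    Nothing the client sent is trusted for the authorization decision, and a
    missing record and a foreign record get the same refusal so the id space
    cannot be mapped by telling 404s apart from 403s.
    """
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != session_user:
        raise Refused(f"invoice {invoice_id} not available to {session_user}")
    return invoice


Handler = Callable[[str, int], Invoice]


def can_read(handler: Handler, session_user: str, invoice_id: int) -> bool:
    """True if the handler serves the record to this user."""
    try:
        handler(session_user, invoice_id)
        return True
    except Refused:
        return False


def leaked_owners(handler: Handler, session_user: str,
                  ids: Iterable[int]) -> List[str]:
    """Simulate a tampering sweep: walk a range of ids as one logged-in user
    and report whose invoices come back."""
    leaked = []
    for invoice_id in ids:
        try:
            leaked.append(handler(session_user, invoice_id).owner)
        except Refused:
            continue
    return leaked


if __name__ == "__main__":
    # Alice sweeps ids 1000..1004 against both handlers.
    print("vulnerable:", leaked_owners(vulnerable_get_invoice, "alice", range(1000, 1005)))
    print("hardened:  ", leaked_owners(hardened_get_invoice, "alice", range(1000, 1005)))
```

Note that the hardened check lives beside the data access, not in a network device: a firewall, IPS or SSL terminator sees only a well-formed, authenticated GET for a valid id and has no basis on which to refuse it. That is the point the deck keeps returning to.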
The Fact: Attacks are targeted at a new area, but spending has not followed.
- Web applications & services: 75% of attacks, 10% of security dollars
- Network, server & infrastructure: 25% of attacks, 90% of security dollars
In an organization, IT security people and developers are poles apart.
Sources: Gartner, IDC, Watchfire
Top Hack Attacks Today Target Web Services
Web Application Hacks are a Business Issue

Application threat -> Negative impact -> Potential business impact
- Buffer overflow -> Denial of Service (DoS) -> Site unavailable; customers gone
- Cookie poisoning -> Session hijacking -> Larceny, theft
- Hidden fields -> Site alteration -> Illegal transactions
- Debug options -> Admin access -> Unauthorized access, privacy liability, site compromised
- Cross-site scripting -> Identity theft -> Misdirect customers to bogus site; larceny, theft, customer mistrust
- Stealth commanding -> Access O/S and application -> Access to non-public personal information, fraud, etc.
- Parameter tampering -> Fraud, data theft -> Alter distributions and transfer accounts
- Forceful browsing / SQL injection -> Unauthorized site/data access -> Read/write access to customer databases
Regulation & Compliance II -- it is part of doing business
- Business continuity
- An environment of TRUST for doing business
- Ensure orderliness in the Internet world
- Promote economic growth
- SARBANES-OXLEY, HIPAA, BASEL
- More than just Confidentiality, Integrity and Availability: privacy of 3rd-party customer data
Governance addresses Web Application Security -- Example: PCI (Visa, MasterCard, Amex)

BEST PRACTICE BECOMES STANDARD BECOMES LAW (by 06-2008): Visa's PABP, Payment Application Best Practices, a list of auditable statements regarding the secure development, deployment and documentation of cardholder data processing software, is being converted to a new PCI security standard, PASS, Payment Application Security Standard.

Requirement 11.2: Run internal and external vulnerability scans
- At least quarterly
- After any significant change in the network

Requirement 11.3: Perform penetration testing at least once a year
- 11.3.1 Network-layer penetration tests
- 11.3.2 Application-layer penetration tests

Requirement 6: Develop and maintain secure systems and applications
- Requirement 6.6: Ensure that all web-facing applications are protected against known attacks by having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
Why would anyone want to attack a web site? [Screenshot: search results for "anthony ****"]
Application Security -- Info Security Landscape
- Desktop: antivirus protection
- Transport: encryption (SSL)
- Network: firewalls / advanced routers
- Web applications (web servers, application servers, backend servers, databases): sit behind the firewall, but none of the above protects the application logic itself
Security Testing Within the Software Lifecycle: SDLC stages Coding -> Build -> QA -> Security -> Production, with developers involved throughout the early stages
Watchfire Appscan - Intuitive UI
Identify Vulnerabilities
Actionable Fix Recommendations
Watchfire Acquisition Rationale
Security and compliance integrity risks have serious adverse impacts on a company's identity, customer relations and business results.
- 75% of the cyber attacks today are at the application level, with only 10% of security spend [1]
- 80% of organizations will experience an application security incident by 2010 [2]
- Internal security attacks cost US business $400 billion per year [3]
- 64% of CIOs feel that the most significant challenge facing IT organizations is security, compliance and data protection [4]
We are strengthening the IBM security management portfolio by acquiring an industry-leading provider of application security and compliance testing solutions to offer a complete end-to-end security solution across Rational, Tivoli and Global Services.
[1], [2] Watchfire analysis with analyst support; [3] CSI/FBI Survey 2005; [4] IBM Service Management Market Needs Study, March 2006
IBM Rational & Watchfire Product Synergy across the SDLC
- Requirements: Rational RequisitePro
- Design: ROSE, RAM, Software Architect
- Code: RAD (with ASE QuickScan)
- Build: ClearCase, Build Forge
- QA: CQ, CQTM, RFT, RPT (AppScan QA & ASE integration)
- Security: AppScan & AppScan Enterprise (Watchfire)
- Compliance: WebXM for privacy, quality and accessibility (Watchfire)
Rational Software Quality Solutions
BUSINESS: Software quality solutions -- test and change management (Requirements: Rational RequisitePro; Test: Rational ClearQuest; Change and defects: Rational ClearQuest)
DEVELOPMENT:
- Developer test: Rational PurifyPlus, Rational Test RealTime
- Functional test: test automation with Rational Functional Tester Plus (automated) and Rational Manual Tester (manual); Rational Functional Tester, Rational Robot
- Security and compliance test: AppScan, WebXM
- Performance test: Rational Performance Tester
OPERATIONS: Quality metrics -- project dashboards, detailed test results, quality reports
AppScan with QA Defect Logger for ClearQuest
AppScan / IBM Rational CQTM Integration 2H07
Watchfire Company Overview
Who we are:
- IDC & Gartner: market leader in application security for 2005 and 2006
- Provider of application security and compliance software and services
- Nearly 1000 companies rely on Watchfire
Background:
- 200 employees, headquartered in Boston, MA
- Created the first commercially packaged application security testing product
Products include:
- Application security solutions: AppScan
- Privacy, quality and compliance solutions: WebXM
#1 in market share for application security (Gartner & IDC); twice named Best Security Company
Nearly 1000 Companies Depend On Watchfire
- 9 of the top 10 largest U.S. retail banks
- 8 of the top 10 technology brands
- 7 of the top 10 pharma / clinical companies
- Multiple large government agencies: Veterans Affairs, Army, Navy, Air Force, Marines
Large, complex web sites; highly regulated; high user volume; extensive customer data
Security Industry Leaders use and/or work with Watchfire solutions in their work: technology companies, consultants and researchers, EDS and more [logo slide]
Conclusion: Application QA for Security
- The application must defend itself; you cannot depend on the firewall or infrastructure security to do so
- Bridge the gap between software development and information security
- Never before was QA testing for security integrated and strategic, until now
- Move security QA testing back to earlier in the SDLC; finding defects at the production or pre-production stage is late and expensive to fix
SDLC QA - YOUR LAST LINE OF DEFENSE
Q&A Thank You Anthony Lim Watchfire.com IBM