WEB APPLICATION Q.A. - Ensuring Secure & Compliant Web Services - YOUR LAST LINE OF DEFENSE

Anthony Lim, MBA, CISSP, FCITIL
Director Asia Pacific, Watchfire / IBM Rational, Singapore
www.watchfire.com
2007 IBM Corporation

Prolog: Watchfire - Situation of the World Today

HIGH DEPENDENCE ON INTERNET AND WEB SERVICES TODAY
- For work, leisure and communications
- Intranets, extranets, SOA; B2B, SCM, CRM, ERP, membership portals, e-government services
- B2C, C2C (Yahoo, Amazon, eBay): shopping and transactions
- Internet banking, E*Trade, theater tickets, travel reservations, web mail, gaming
- Community portals / social networking: Google, MySpace, YouTube, blogs

NO TANGIBLE PROTECTION FOR WEB APPLICATIONS TODAY
- Firewalls, IPS, SSL and other network security devices do not stop web traffic: HTTP/HTTPS on ports 80 and 443 must be let through for the application to work, so an attack carried inside that traffic passes with it
- Hackers specifically target web services, applications and sessions today to steal or compromise information and databases

SECURITY PEOPLE DO NOT USUALLY HAVE SDLC EXPERIENCE
- Software developers do not usually want to have anything to do with security

State of the Application Security Market

Visa, Amex Cut Ties with CardSystems (July 19, 2005) -- Visa USA Inc. and American Express Co. are cutting ties with the payment-processing company that left 40 million credit and debit card accounts vulnerable to hackers in one of the biggest breaches of consumer data.

Massive Security Breach Reveals Credit Card Data (Jan 18, 2007) -- The TJX Companies, a large retailer that operates more than 2,000 retail stores under brands such as Bob's Stores, HomeGoods, Marshalls, T.J. Maxx and A.J. Wright, said on Wednesday that it suffered a massive computer breach on a portion of its network that handles credit card, debit card, check and merchandise transactions in the United States and abroad.

CNBC's Easy Money -- BusinessWeek uncovers that the cable channel's own design flaw may be behind the investigation into its million-dollar stock-picking contest.

BJ's Settles Case with FTC over Customer Data (June 17, 2005) -- FTC alleges weak security at the wholesale club led to fraudulent sales valued in the millions. After credit card data for thousands of customers was used to make fraudulent purchases in other stores, BJ's Wholesale Club Inc. has agreed

USDA admits data breach, thousands of social security numbers revealed (Thursday, 17 April 2007, AXcess News, Washington) -- The US Department of Agriculture (USDA) admitted that a security breach allowed social security and other personal information of over 63,000 recipients of federal farm loans to be made available on a public website, in violation of Federal privacy laws.

The Security Journey Continues
New and more applications, services and systems -> vulnerabilities -> hacking methods -> viruses, worms, RATs (trojans, spyware) -> GOVERNANCE & COMPLIANCE!
NEW AREAS OF IT SECURITY WEAKNESS ARISE ALL THE TIME

It Gets Worse: WAP, GPRS, EDGE, 3G, 802.1x, broadband

Sheer Volume of Applications Keeps You From Getting Ahead of the Problems
1. Security team has become a bottleneck
2. Lack of control and visibility
3. Catching problems late in the cycle
4. Not monitoring deployed applications
5. Difficulty managing 3rd-party vendors
Have to do more with less, still; risk is high, accountability is prevalent

The Myth: Our Site Is Safe
- "We have firewalls in place": ports 80 and 443 are open for the right reasons, and the firewall passes an attack carried over them along with the legitimate traffic
- "We audit it once a quarter with pen testers": applications are constantly changing, so the version that was tested is not the version that is running by the next quarter
- "We use network vulnerability scanners": they neglect the security of the software running on the network/web server
- "We use SSL encryption": it only protects data in transit between site and user, not the web application itself

SO WHY ARE THESE HAPPENING? Don't they already have firewalls etc.?

Real Example: Parameter Tampering - Reading another user's transaction (insufficient authorization)
Changing a parameter in the request returns another customer's transaction slip, including the email address.

Parameter Tampering - Reading another user's invoice
The same customer's invoice is returned, revealing the address and contact number.

The Fact: Attacks Targeted at a New Area
(chart) Web applications & services: 75% of attacks, 10% of security spending
(chart) Network, server & infrastructure: 25% of attacks, 90% of security spending
In an organization, IT security people and developers are poles apart
Sources: Gartner, IDC, Watchfire

Top Hack Attacks Today Target Web Services

Web Application Hacks are a Business Issue

Application Threat                | Negative Impact               | Potential Business Impact
Buffer overflow                   | Denial of Service (DoS)       | Site unavailable; customers gone
Cookie poisoning                  | Session hijacking             | Larceny, theft
Hidden fields                     | Site alteration               | Illegal transactions
Debug options                     | Admin access                  | Unauthorized access, privacy liability, site compromised
Cross-site scripting              | Identity theft                | Misdirect customers to bogus site; larceny, theft, customer mistrust
Stealth commanding                | Access to O/S and application | Access to non-public personal information, fraud, etc.
Parameter tampering               | Fraud, data theft             | Alter distributions and transfer accounts
Forceful browsing / SQL injection | Unauthorized site/data access | Read/write access to customer databases
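The two "Parameter Tampering" slides above and the "Hidden fields" and "Parameter tampering" rows of the table share one root cause: the server trusts a value the browser sent. The Python below is an added illustration, not code from the Watchfire deck or from AppScan; the customer records, catalog prices, handler names and the tampered requests are constructed for the example. Each handler is shown first as it is commonly written (vulnerable) and then hardened, with the user identity taken from the server-side session rather than the request and the price taken from the server-side catalog rather than the form.

```python
# Added example (not from the Watchfire deck): parameter tampering against an
# invoice lookup and a checkout, each shown vulnerable and then hardened.
# Records, prices and request parameters below are constructed for the demo.
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str          # login name of the customer the invoice belongs to
    email: str
    address: str
    amount_cents: int


class NotFound(Exception):
    """Raised for a missing record and for a record the caller may not see."""


# Constructed stand-in for the customer database.
INVOICES = {
    1001: Invoice(1001, "alice", "alice@example.com", "1 Orchard Rd", 12500),
    1002: Invoice(1002, "bob", "bob@example.com", "2 Marina Bay", 48000),
}
# Constructed catalog: the only place a price may legitimately come from.
CATALOG = {"SKU-1": 9900, "SKU-2": 2500}


def vulnerable_get_invoice(session_user: str, params: dict) -> Invoice:
    """Trusts the 'id' query parameter: anyone who guesses a number can read
    another customer's invoice. session_user is never consulted."""
    invoice_id = int(params["id"])
    if invoice_id not in INVOICES:
        raise NotFound(invoice_id)
    return INVOICES[invoice_id]


def hardened_get_invoice(session_user: str, params: dict) -> Invoice:
    """Object-level authorization: the record must belong to the user named by
    the server-side session. The user identity never comes from the request."""
    try:
        invoice_id = int(params.get("id", ""))
    except ValueError:
        raise NotFound(params.get("id"))
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != session_user:
        # Same response for "does not exist" and "not yours", so the endpoint
        # cannot be used to enumerate which invoice numbers are valid.
        raise NotFound(invoice_id)
    return invoice


def vulnerable_checkout(session_user: str, params: dict) -> int:
    """Charges whatever price the browser sent back in a hidden form field."""
    return int(params["price"]) * int(params.get("qty", "1"))


def hardened_checkout(session_user: str, params: dict) -> int:
    """Ignores any client-supplied price; the server looks it up by SKU."""
    sku = params.get("sku")
    if sku not in CATALOG:
        raise NotFound(sku)
    qty = int(params.get("qty", "1"))
    if qty < 1:
        raise ValueError("quantity must be positive")
    return CATALOG[sku] * qty


def tamper_demo() -> dict:
    """Alice edits id=1001 to id=1002 in the URL and sets the hidden price
    field to 1 cent. Returns what each handler did with the tampered requests."""
    tampered_lookup = {"id": "1002"}                          # Bob's invoice
    tampered_order = {"sku": "SKU-1", "price": "1", "qty": "1"}
    leaked = vulnerable_get_invoice("alice", tampered_lookup).email
    try:
        hardened_get_invoice("alice", tampered_lookup)
        lookup_blocked = False
    except NotFound:
        lookup_blocked = True
    return {
        "leaked_email": leaked,
        "lookup_blocked": lookup_blocked,
        "charged_vulnerable": vulnerable_checkout("alice", tampered_order),
        "charged_hardened": hardened_checkout("alice", tampered_order),
    }


if __name__ == "__main__":
    print(tamper_demo())
```

Running it, the vulnerable lookup hands Alice Bob's email address while the hardened one answers "not found" for a foreign invoice exactly as it does for a nonexistent one, so the endpoint does not double as an invoice-number oracle; the hardened checkout charges the catalog price of 9900 cents no matter what the hidden field carried. Note that neither fix is something a firewall, scanner or SSL could have supplied: the decision needs the session identity and the catalog, which only the application has.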

Regulation & Compliance II
- It is part of doing business
- Business continuity
- An environment of TRUST for doing business
- Ensure orderliness in the Internet world
- Promote economic growth
- SARBANES-OXLEY, HIPAA, BASEL
- More than just Confidentiality, Integrity and Availability: privacy, 3rd-party customer data

Governance Addresses Web Application Security - Example: PCI
BEST PRACTICE BECOMES STANDARD BECOMES LAW (by 06-2008)
Visa's PABP (Payment Application Best Practices), a list of auditable statements regarding the secure development, deployment and documentation of cardholder data processing software, is being converted to a new PCI security standard: PASS, Payment Application Security Standard. (Card brands shown: Visa, MasterCard, Amex)
Requirement 11.2: Run internal and external vulnerability scans
- at least quarterly
- after any significant change in the network
Requirement 11.3: Perform penetration testing at least once a year
- 11.3.1 Network-layer penetration tests
- 11.3.2 Application-layer penetration tests
Requirement 6: Develop and maintain secure systems and applications
Requirement 6.6: Ensure that all web-facing applications are protected against known attacks by having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security

Why would anyone want to attack a web site?
(screenshot: web search for "anthony ****")

Application Security: Info Security Landscape
- Desktop: antivirus protection
- Transport: encryption (SSL)
- Network: firewalls / advanced routers
- Web applications: (diagram shows firewall, web servers, application servers, back-end servers and databases, with no protection layer listed)

Security Testing Within the Software Lifecycle (SDLC)
Coding -> Build -> QA -> Security -> Production
(diagram labels the Coding, Build and QA stages as developer-owned)

Watchfire Appscan - Intuitive UI

Identify Vulnerabilities

Actionable Fix Recommendations

Watchfire Acquisition Rationale
Security and compliance integrity risks have serious adverse impacts on a company's identity, customer relations and business results.
- 75% of the cyber attacks today are at the application level, with only 10% of security spend (1)
- 80% of organizations will experience an application security incident by 2010 (2)
- Internal security attacks cost US business $400 Billion per (3)
- 64% of CIOs feel that the most significant challenge facing IT organizations is security, compliance and data protection (4)
We are strengthening the IBM security management portfolio by acquiring an industry-leading provider of application security and compliance testing solutions, to offer a complete end-to-end security solution across Rational, Tivoli and Global Services.
(1, 2) Watchfire analysis with analyst support; (3) CSI/FBI Survey 2005; (4) IBM Service Management Market Needs Study, March 2006

IBM Rational & Watchfire Product Synergy (across the SDLC: Requirements, Design, Code, Build, QA, Security, Compliance)
- IBM Rational, by phase: Requirements - RequisitePro; Design - Rose, RAM, Software Architect; Code - RAD; Build - ClearCase, Build Forge; QA - ClearQuest (CQ), CQTM, RFT, RPT
- Watchfire: ASE QuickScan; AppScan QA & ASE integration; AppScan & AppScan Enterprise (Security); WebXM - privacy, quality, accessibility (Compliance)

Rational Software Quality Solutions
BUSINESS - Software quality solutions
- Test and change management: Requirements (Rational RequisitePro); Test (Rational ClearQuest); Change (Rational ClearQuest); Defects (Rational ClearQuest)
DEVELOPMENT
- Developer test: Rational PurifyPlus, Rational Test RealTime
- Functional test / test automation: Rational Functional Tester Plus (automated: Rational Functional Tester; manual: Rational Manual Tester)
- Security and compliance test: AppScan, WebXM
- Performance test: Rational Performance Tester, Rational Robot
OPERATIONS
- Quality metrics: project dashboards, detailed test results, quality reports

AppScan with QA Defect Logger for ClearQuest

AppScan / IBM Rational CQTM Integration (2H 2007)

Watchfire Company Overview
Who we are:
- IDC & Gartner: market leader in application security for 2005 and 2006
- Provider of application security and compliance software and services
- Nearly 1000 companies rely on Watchfire
Background:
- 200 employees, headquartered in Boston, MA
- Created the first commercially-packaged application security testing product
Products include:
- Application security solutions: AppScan
- Privacy, quality and compliance solutions: WebXM
#1 in market share for application security (Gartner & IDC); twice named Best Security Company

Nearly 1000 Companies Depend On Watchfire
- 9 of the top 10 largest U.S. retail banks
- 8 of the top 10 technology brands
- 7 of the top 10 pharma / clinical companies
- Multiple large government agencies: Veterans Affairs, Army, Navy, Air Force, Marines
Large, complex web sites; highly regulated; high user volume; extensive customer data

Security Industry Leaders use and/or work with Watchfire solutions in their work
(logos: technology companies; consultants and researchers; more, including EDS)

Conclusion: Application QA for Security
- The application must defend itself: you cannot depend on the firewall or infrastructure security to do so
- Bridging the GAP between software development and information security
- Never before was QA testing for security integrated and strategic, until now
- We need to move security QA testing back to earlier in the SDLC; finding problems at the production or pre-production stage is late and expensive to fix

SDLC QA - YOUR LAST LINE OF DEFENSE

Q&A Thank You Anthony Lim Watchfire.com IBM