Web Applications Part 1 The Weak Link in Information Security Your Last Line of Defense

Similar documents
CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

The Challenge of Managing WebSphere Farm Configuration. Rational Automation Framework for WebSphere

Value of managing and running automated functional tests with Rational Quality Manager

IBM Rational Software

Managed Application Security trends and best practices in application security

WEB APPLICATION Q.A. - Ensuring Secure & Compliant Web Services - YOUR LAST LINE OF DEFENSE

OWASP Top 10 The Ten Most Critical Web Application Security Risks

IBM Security Network Protection Solutions

Web Applications (Part 2) The Hackers New Target

20 years of Lotus Notes and a look into the next 20 years Lotusphere Comes To You

How to Secure Your Cloud with...a Cloud?

TRAINING CURRICULUM 2017 Q2

IBM Next Generation Intrusion Prevention System

Hacker Attacks on the Horizon: Web 2.0 Attack Vectors

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Integrate IBM Rational Application Developer and IBM Security AppScan Source Edition

Hacking 102 Integrating Web Application Security Testing into Development

Lab DSE Designing User Experience Concepts in Multi-Stream Configuration Management

Name Aaron Clark. Title: Security Shifts to the Application

AppScan Deployment APPLICATION SECURITY SERVICES. Colin Bell. Applications Security Senior Practice Manager

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

Improving Security in the Application Development Life-cycle

IBM Security. Endpoint Manager- BigFix. Daniel Joksch Security Sales IBM Corporation

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

IBM Security Systems IBM X-Force 2012 Annual Trend and Risk Report

CSWAE Certified Secure Web Application Engineer

Introducing MVISION. Cohesive Cloud-based Management of Threat Countermeasures and Devices Leveraging Built-in Device Controls. Jon Parkes.

IBM Security Network Protection Open Mic - Thursday, 31 March 2016

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

MSS VSOC Portal Single Sign-On Using IBM id IBM Corporation

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

IBM Threat Protection System: XGS - QRadar Integration

Security Solutions. Overview. Business Needs

IBM Rational Software

Benchmarking z/os Development Tasks - Comparing Programmer Productivity using RDz and ISPF

Innovate 2013 Automated Mobile Testing

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Wayward Wi-Fi. How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk

New World, New IT, New Security

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Bringing cyber to the Board of Directors & C-level and keeping it there. Dirk Lybaert, Proximus September 9 th 2016

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Automating the Top 20 CIS Critical Security Controls

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Angelo Gentili Head of Business Development, EMEA Region, PartnerNET

Cloud-Security: Show-Stopper or Enabling Technology?

ISAM Advanced Access Control

5 IT security hot topics How safe are you?

INNOV-09 How to Keep Hackers Out of your Web Application

Unit Level Secure by Design Approach

SDLC Maturity Models

Design your network to aid forensics investigation

Copyright

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Ethical Hacker Foundation and Security Analysts Course Semester 2

A Guide to Closing All Potential VDI Security Gaps

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

WebSphere Commerce Developer Professional

CoreMax Consulting s Cyber Security Roadmap

Presentation Overview

Mitigating Security Breaches in Retail Applications WHITE PAPER

IBM MaaS360 Kiosk Mode Settings

IBM Future of Work Forum

How NOT To Get Hacked

SECURITY TRAINING SECURITY TRAINING

1 Copyright 2011, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 7

Ingram Micro Cyber Security Portfolio

What s New in the IBM Lotus Notes Client. Kevin O Connell, Consulting Manager, IBM Asia Pacific

200 IT Security Job Interview Questions The Questions IT Leaders Ask

TIBCO Cloud Integration Security Overview

Continuously Discover and Eliminate Security Risk in Production Apps

Bank Infrastructure - Video - 1

Advanced Security Tester Course Outline

We b Ap p A t ac ks. U ser / Iden tity. P hysi ca l 11% Other (VPN, PoS,infra.)

Imperva Incapsula Website Security

Application and Data Security with F5 BIG-IP ASM and Oracle Database Firewall

The Top 6 WAF Essentials to Achieve Application Security Efficacy

Web 2.0, Consumerization, and Application Security

Understanding scan coverage in AppScan Standard

Enterprise Overview. Benefits and features of Cloudflare s Enterprise plan FLARE

CICS Product Update. Danny Mace Director, CICS Products IBM Software. August 2012 Session Number 11417

BEST PRACTICES FOR SELECTING A WEB APPLICATION SCANNING (WAS) SOLUTION

Security Support Open Mic Build Your Own POC Setup

Solutions Business Manager Web Application Security Assessment

Security

Getting Started with Rational Team Concert

Secure Access & SWIFT Customer Security Controls Framework

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Security Update PCI Compliance

SECURITY TESTING. Towards a safer web world

Optimize Your Heterogeneous SOA Infrastructure

Integrigy Consulting Overview

Vulnerabilities in online banking applications

Hello, and welcome to a searchsecurity.com. podcast: How Security is Well Suited for Agile Development.

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats.

May the (IBM) X-Force Be With You

Transcription:

Web Applications Part 1 The Weak Link in Information Security Your Last Line of Defense Anthony Lim MBA FCITIL CISSP CSSLP Director, Security Rational Software - Asia Pacific 1 Hong Kong 17 Nov 2009

Welcome to THE SMARTER PLANET * Web 2.0 Billions of mobile devices accessing the Web Globalization and Globally Available Resources SOA CLOUD Access to streams of information in the Real Time New Possibilities.. 2

SMARTER PLANET. means SOFTWARE IS EVERYWHERE NOT JUST COMPUTERS -millions of lines of code everywhere - Mobile smart phones, home appliances, motor vehicles, planes - National infrastucture (eg utilities grid, traffic controls) HIGH AND INCREASING DEPENDENCY ON WEB APPS - For work: Intranet, Extranet, Corporate Services, Accounting, Data - Communications: email, Instant Messaging, Blog, Web pages data transfer LinkedIn - Transactions : e-banking, e-trading, SCM, CRM, logistics scheduling, - Research and Education - Recreation : Facebook, Youtube, Second Life etc New Possibilities, New Complexities NEW RISKS! 3

The Myth: Our Site Is Safe We Have Firewalls and IPS in Place Port 80 & 443 are open for the right reasons We Audit It Once a Quarter with Pen Testers Applications are constantly changing We Use Network Vulnerability Scanners Neglect the security of the software on the network/web server We Use SSL Encryption Only protects data between site and user not the web application itself 4

SOMETHING Governance & Risk Management IS STILL OUT THERE 5

6

WORST CREDIT CARD IDENTITY THEFT CASE - DONE BY SQL INJECTION : A WEB APP ATTACK! STRAITS TIMES SINGAPORE 19AUG09 7

2008 Web Threats Take Center Stage Web application vulnerabilities Represent largest category in vuln disclosures (55% in 2008) 74% of Web application vulnerabilities disclosed in 2008 have no patch to fix them Even ISS X-Force, which normally reports on network security, start talking about app security now 8 8

Hackers love such error pages 9

10 Parameters encourage one to try

11 Why does you debug tool appear

This info is for the developer not the hacker 12

A file list on html? 13

Real Example: Online Travel Reservation Portal Governance & Risk Management Change the reserid to 2001200 14

Real Example : Governance & Risk Management Parameter Tampering Reading another user s transaction insufficient authorization Another customer s transaction slip is revealed, including the email address 15

Parameter Tampering Reading another user s invoice Governance & Risk Management The same customer invoice that reveals the address and contact number 16

Now there s Web Man-in-the Middle Attacks First presented at OWASP AP Conference Mar 09 Brisbane 17

Malware on Web Applications Malware can be delivered in many ways: E-mail, IM, network vulnerabilities Today, Malware is primarily delivered via Web Applications: Aims to infect those browsing the site Installed via Client-Side (e.g. Browser) Vulnerabilities & Social Engineering Malicious content can be downloaded: From the web application itself Through frames & images leading to other websites Through links leading to malicious destinations Legitimate Sites Hijacked to distribute Malware! McAfee, Asus, US Govt Staff Travel Site, Wordpress.org, SuperBowl, http://host.com <script src=file.js> IFrame (ads.com) Image (host.com) http://evil.org 1818

DON T TRY THIS AT HOME! Governance & Risk Management 19

Top 10 OWASP Critical Web Application Security Issues 09 1 Unvalidated Input 2 Broken Access Control 3 Broken Authentication and Session Management 4 Cross Site Scripting Flaws 5 Buffer Overflows 6 Injection Flaws 7 Improper Error Handling 8 Insecure Storage 9 Denial of Service 10 Insecure Configuration Management 20

WHY ARE SOFTWARE APPLICATIONS FLAWED? Today I m being asked to: Deliver product faster (a lot faster!) Increase product innovation Improve quality Reduce cost Deliver a secure product (?) Cheap Fast Good - Choose 2 21

WHY DO APPLICATION SECURITY PROBLEMS EXIST? IT security solutions and professionals are normally from the network /infrastructure /sysadmin side They usually have little or no experience in application development And developers typically don t know or don t care about security or networking Most companies today still do not have an application security QA policy or resource IT security staff are focused on other things and are swarmed App Sec is their job but they don t understand it and don t want to deal with it Developers think its not their job or problem to have security in coding People who outsource expect the 3 rd party to security-qa for them It is cultural currently to not associate security with coding Buffer Overflow has been around for 25 years! Input Validation is still often overlooked. Back then coding was done by engineers Then came Y2K 22

SECURITY TESTING IS PART OF SDLC QUALITY TESTING Collaborative Application Lifecycle Management SDLC Quality Assurance Quality Dashboard Requirements Management Test Management and Execution Defect Management Create Plan Build Tests Manage Test Lab Report Results Open Platform Best Practice Processes Functional Testing SAP Java Performance Testing TEAM SERVER Open Lifecycle Service Integrations Web Service Quality Code Quality System z, i.net Security and Compliance homegrown 23

Building security & compliance into the SDLC further back SDLC Coding Build QA Security Production Developers Enable Security to effectively drive remediation into development Developers Developers Provides Developers and Testers with expertise on detection and remediation ability Ensure vulnerabilities are addressed before applications are put into production 24

You need a professional solution to Governance & Risk Management Identify Vulnerabilities 25

With Rich Report Options 44 Regulatory Compliance Standards, for Executive, Security, Developers. 26

And Most Important : Actionable Fix Recommendations Governance & Risk Management 27

AppScan Enterprise Dashboards and Metrics 28 28

29

AppScan - CQTM & RQM Integration 30

Software Security Testing Technologies Primer Static Code Analysis = Whitebox - Looking at the code for security issues (code-level scanning) Code integrity Total Potential Security Issues Dynamic Analysis = Blackbox - Sending tests to a functioning application Static Analysis Complete Coverage Dynamic Analysis Relationship with: -Other apps, o/s -Middleware, infra 31

SOFTWARE APPLICATION SECURITY two Areas BLACK BOX (Dynamic APP Analysis) WHITE BOX (State CODE Analysis) - don t need to worry about code - good for developers (good for security folks who are who are not into security not into code) - good for interim audit - Test for relationship between App and - test for more than just * other apps (eg SOA, Web 2.0) HTML/HTTP code * network / OS / infra * middleware - Like IPS : tests for unknown - Like Firewall: checks for known 32

Rational End-to-End Application Security at the Source REQUIREMENTS CODE BUILD QA SECURITY PRODUCTION Req ts Definition (security templates) AppScan Developer AppScan Build (desktop) (scanning agent) W H I T E B O X AppScan Tester (scan agent & clients) AppScan Enterprise / Reporting Console (enterprise-wide scanning and reporting) AppScan Standard (desktop) B L A C K B O X AppScan OnDemand (SaaS) Security requirements defined before design & implementation Build security testing into the IDE* Automate Security / Compliance testing in the Build Process Security / compliance testing incorporated into testing & remediation workflows Security & Compliance Testing, oversight, control, policy, audits Outsourced testing for security audits & production site monitoring Application Security Best Practices Address security from the start Security audit solutions for IT Security Security for the development lifecycle 3333

Conclusion: Application QA for Security The Application Must Defend Itself You cannot depend on firewall or infrastructure security to do so Bridging the GAP between Software development and Information Security QA Testing for Security must now be integrated and strategic We need to move security QA testing back to earlier in the SDLC at production or pre-production stage is late and expensive to fix Developers need to learn to write code defensively and securely 34 Lower Compliance & Security Costs by: Ensuring Security Quality in the Application up front Not having to do a lot of rework after production

WEB APPLICATIONS PART 1: THE WEAK LINK IN INFORMATION SECURITY http://www.ibm.com/software/rational/offerings/websecurity/ T h a n k Y o u Anthony LIM MBA CISSP CSSLP FCITIL Copyright IBM Corporation 2009. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, Rational, the Rational logo, Telelogic, the Telelogic logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. 35 35

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback