STAY SECURE. Application Security Testing. Jesper Kråkhede

Transcription

1 VELKOMMEN! 1

2 STAY SECURE Application Security Testing Jesper Kråkhede 2

3 Security testing

4 Others call it security and try to avoid it I call it passion and dive right into it Jesper Kråkhede Worked as a security consultant for 18 years Into security since I was 8 years old and started to pick locks Director Cybersecurity at Sogeti with a passion for security architecture Work globally with compliance frameworks CISSP and Member of Mensa Blogs at Rules are great for others Security testing

5 What challenges are enterprises facing? 1 120% increase in breaches reported in Over 500M identities were exposed via breaches in in 8 legitimate websites have a critical vulnerability Web-based attacks: 80% of attacks 5 68% increase in mobile application vulnerability disclosures AST

6 Hacking is Al Capone s new gun Automated attacks Global industry The costs for cyber crime annually is over 400Bn Fraud, extortion, sabotage, industrial espionage, information theft etc. Our adversaries are not 15 year old boys but seasoned and skilled professionals or foreign military Failing to understand who is threatening you will make you underestimate the attack and instead you ll be yet a victim Security testing

7 Connecting the factory to the network opens up a new avenue of possible attacks Connecting a steel mill to the network uncontrolled could have devastating consequences as a German steel company recently experienced Security needs to be present everywhere to enable efficiency and new business models in a secure way Security testing

8 Just a simple pricelist Want to buy cyber crime as a service? Denial-of-service: $5 (Try-before-you buy) Hack website: $350 Facebook, Google mail: $129 Control computer: $5 Bank account (Swedish): $ % 24/7 customer service, Money-Back-Guarantee Cyber crime is now a service making hacking a tool for everyone Security testing

9 They took control of a network of banks undetected and transferred money when the wanted Modern version of pickpocketing An ATM with malfunction An ATM started giving out money uncontrolled A security company started to investigate the issue They found a set of command and control software installed all over the network of banks Money was transferred between accounts just below the radar All automated detection patterns have thresholds; identifying and staying below them marks the skills of the hacker Security testing

10 The hackers spent two months following senior management to learn all processes for money transfer Learning processes Implementing the long con They followed everything senior management did for two months to learn how the banks worked By identifying the processes and thresholds for money transfer they could initiate a long series of money transfers that was not detected By utilising vulnerabilities in many systems it was possible for the hackers to gain control of the systems they needed Security testing

11 They had 100% control of support and could block clients from see when money was stolen from the accounts Hacking service desk Supporting the support When money was started to be siphoned away from accounts the customers called the banks The hackers took the calls and blamed a technical glitch and moved money from other accounts into the customers accounts With this total control the banks have lost all control of the money Security testing

12 All ATMs were under their control and money was dispensed at their convenience Exploited ATM Money was stolen using hacked ATMs With total access to operate the ATMs, money was dispensed when an accomplish where in place to collect the money from the ATM Millions and millions of where stolen using hacked ATMs Even the video surveillance were under the hackers control making the possibility to identify the culprits slim at best Security testing

13 What s the current situation? 56% of organisations have been hacked Attackers are targeting applications rather than networks and hardware 84% of breaches occur at the application layer (Gartner, 2013) By identifying vulnerabilities in applications we are minimising the attack surface and safeguard the information and systems AST is just another layer in the security setup AST

14 HP 2013 Mobile Application Security Study of over 2,000 mobile application from 600+ companies AST

15 Privacy by design and security by design is mandatory from 2018 If your solution needs to comply to PII you MUST show how you thought about security from the beginning Not including this is by definition a breach and generates huge fines AST

16 The cloud has enabled us to work everywhere but also means that information travels with us Evolving firewalls We started to protect our networks and then we moved to protect our devices. Today we need to protect every information object. New legislations create demands of security everywhere Security testing

17 The risk triangle Threat agent Gives rise to Threat Exploits Vulnerability Leads to Directly affects Risk Asset Can damage Security mechanism Exposure Can be counter measured by a And causes an Efficient tool to understand risks, threats and mitigations Security testing

18 Sogeti Security Gate All applications needs to be tested for vulnerabilities as any network with more than 150 users is regarded as an open network Security Testing Service Code Test Deploy Contract/Outsource Procure Security Gate AST

19 How it works Upload Test Review Customer uploads software or dynamic access data directly from his portal Dynamic, static and/or mobile testing Expert review of the results, help remediate and prioritize fixes. AST

20 Comprehensive and accurate testing Static Analysis Powered by HP Fortify SCA Dynamic Analysis Powered by HP WebInspect Manual Review Enterprise proven technology 100% code coverage Support for 21 development languages Production safe Three testing levels QA or production environments Security expert review Reduce false positives AST

21 Multiple levels of testing based on application risk Low Medium High Marketing Site Personally identifiable information Business useful Credit card/ SSN information Business critical Basic assessment Standard assessment Premium assessment AST

22 Outcome: Executive dashboard AST

23 Outcome: Application view AST

24 Outcome: Vulnerabilities AST

25 Outcome: Recommendation AST

26 Penetration test or continuous test? Penetration test How often - once a year? Paying a great deal of money for this one time test are you? Do you develop your own application in house or have someone doing it? Either way you will have changes and new releases throughout the year correct? Every change and release potentially introduces risks! Bugs Changed configuration New functionality Deal with risks continuously and not only once per year Security testing

27 Penetration test or continuous test? Traditional penetration test Reducing the risk window 11 month WITHOUT test 1 pentest per year Time between releases and Test at release or change Leave the year of risk behind and move to a year of test for the same cost Security testing

28 The security tester has a specific set of skills Operating systems Networking Security tools Curiosity Programming Scripting Databases A security tester needs a subset of the skills a security architect needs AST

29 Want to become a security tester or specialist? Curiosity and a out-of-the-box thinking is mandatory AST

30 Beside using professional testers there is much you can do yourself Use secure coding Use free testing No matter how good the security testing is writing secure code is the most important part Free code scanners are available at OWASP that find the basic flaws Security is everyone's responsibility but you have to act to stay secure AST

31 But what if I don t bother about security testing? You will be found! You will be hacked! You will lose! Today it only takes 10 seconds before a server is found on internet AST

32 Q & A Don t be bitten by the mad dog, make sure you test your applications Contact information: Jesper Kråkhede jesper.krakhede@sogeti.se Read more at Security testing