Your Web and Applications

Similar documents
THE HACKERS NEXT TARGET

WEB APPLICATION SECURITY

New IBM Security Scanning Software Protects Businesses From Hackers

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Web Applications The Hacker s New Target

Rational AppScan & Ounce Products

The Top Web Application Attacks: Are you vulnerable?

Reducing Application Vulnerabilities by Security Engineering

Where every interaction matters.

How to Build a Trusted Application. John Dickson, CISSP

Application Security Testing

EC Council Certified Ethical Hacker V8

The monsters under the bed are real World Tour

Penetration Testing Service. By Comsec Information Security Consulting

A Network Administrator s Guide to Web App Security

FORBIDDEN - Ethical Hacking Workshop Duration

Web Application Report

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

Attacks from the Inside

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

Web App Security Audit Services

[CEH]: Ethical Hacking and Countermeasures

Protecting against DoS/DDoS Attacks with FortiWeb Web Application Firewall

CS5008: Internet Computing

Barracuda Web Site Firewall Ensures PCI DSS Compliance

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

IJMIE Volume 2, Issue 9 ISSN:

Cyber Exploits: Improving Defenses Against Penetration Attempts

CEH Version8 Course Outline

Web Application Security. Radovan Gibala Senior Field Systems Engineer F5 Networks

Secure Web Applications. The front line defense

Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group

Certified Ethical Hacker Exam Version Comparison. Version Comparison

COORDINATED THREAT CONTROL

What Do You Mean My Cloud Data Isn t Secure?

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

Loophole+ with Ethical Hacking and Penetration Testing

The Roles of Software Testing & QA in Security Testing

Web Application Security 101

Detailed Description about course module wise:

Passing PCI Compliance How to Address the Application Security Mandates

Mobile Application Security Sharing Session May 2013

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Firewall and UTM Solutions Guide

Applying the 80/20 approach for Operational Excellence. How to combat new age threats, optimize investments and increase security.

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Agnitum SMB Solutions. Outpost Network Security Version 3.2 Securing your network

Spyware Linkages to Malware and its Affects A Multi-Layered Approach to Stopping Information Theft

Intrusion Detection and Threat Vectors Michael Arent EDS-Global Information Security

Data Center security trends

Top five strategies for combating modern threats Is anti-virus dead?

Cybercrime: evoluzione del malware e degli attacchi. Cesare Radaelli Regional Sales Manager, Italy cradaelli@paloaltonetworks.com

Elevation of Mobile Security Risks in the Enterprise Threat Landscape

CSUSB Web Application Security Standard CSUSB, Information Security & Emerging Technologies Office

Our Security Education Curriculum PREPARED FOR ASPE TECHNOLOGY BY SI, INC. toll-free:

Protect Your Business and Customers from Online Fraud

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

elearning for Secure Application Development

Integrating Security Testing into Quality Control

Enterprise-Grade Security from the Cloud

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

Functional vs. Load Testing

Application Security in the Software Development Lifecycle

Technology Blueprint. Protect Your Servers. Guard the data and availability that enable business-critical communications

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

STOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect

Student Tech Security Training. ITS Security Office

The Web AppSec How-to: The Defenders Toolbox

GlobalSign Malware Monitoring

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

How Web Application Security Can Prevent Malicious Attacks

Guidelines for Website Security and Security Counter Measures for e-e Governance Project

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

If you know the enemy and know yourself, you need not fear the result of a hundred battles.

HP Application Security Center

Comprehensive Approach to Database Security

W16 INTEGRATING SECURITY INTO THE DEVELOPMENT LIFECYCLE. Ryan English SPI Dynamics Inc BIO PRESENTATION 6/28/2006 3:00 PM

Web Application Penetration Testing

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

State of Web Application Security. Ralph Durkee Durkee Consulting, Inc. Rochester ISSA & OWASP Chapters rd@rd1.net

A Systems Engineering Approach to Developing Cyber Security Professionals

Introducing IBM s Advanced Threat Protection Platform

Certified Ethical Hacker (CEH)

Strategic Information Security. Attacking and Defending Web Services

The risks borne by one are shared by all: web site compromises

External Scanning and Penetration Testing in PCI DSS 3.0. Gary Glover, Sr. Director of Security Assessments

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Network Security and the Small Business

The Key to Secure Online Financial Transactions

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

MatriXay WEB Application Vulnerability Scanner V Overview. (DAS- WEBScan ) The best WEB application assessment tool

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

Penetration Testing. How Government Can Achieve Better Outcomes. Delivered by Murray Goldschmidt, Chief Operating Officer

Mingyu Web Application Firewall (DAS- WAF) All transparent deployment for Web application gateway

Introduction: 1. Daily 360 Website Scanning for Malware

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Transcription:

Governance and Risk Management Your Web and Applications The Hacker s New Target Anthony Lim MBA CISSP CSSLP FCITIL Director, Security, Asia Pacific Rational Software Social Engineering in the Business World July 9, 2009 Organized by:

Prolog: The Security Journey Continues New, More, Bigger, Better SYSTEMS APPLICATIONS SERVICES -> New Risks -> New Vulnerabilities -> New Hacking methods Viruses, Worms, RATS, Bots (Remote Access TROJANS = Spyware) 2 -> NEW: GOVERNANCE & COMPLIANCE! CEP Points! Data Privacy Data Leakage

Regulation & Compliance SARBANES-OXLEY, HIPAA, BASEL II It is part of doing business Business Continuity An environment of TRUST For doing business Ensure Orderliness in Internet world Promote Economic growth More than just Confidentiality, Integrity and Availability Privacy 3 rd Party Customer Data 3

Governance & Risk Management GOVERNANCE AND COMPLIANCE ILLEGAL TO STEAL AND /OR MISUSE DATA INCLUDING ELECTRONIC DATA 4

It Gets Worse WAP, GPRS, EDGE, 3G 802.1x Broadband 5 A hacker no longer needs a big machine

The Security Equation Has Changed How businesses look at security has changed Security is now business driven not technology driven Security is now defined through risk management and compliance disciplines instead of threat and technology disciplines The threat landscape has changed Traditional operating system and native client application security risks have become somewhat passé Client threats are now all about the browser environment Server threats are now all about web applications 6

The Security Landscape of the past Traditional Infrastructure was easier to protect... Concrete entities that were easy to understand Attack surface and vectors were very well-defined Application footprint very static Perimeter defense was king 7

Changing Security Landscape of Today Webification has changed everything... Infrastructure is more abstract and less defined Everything needs a web interface Agents and heavy clients are no longer acceptable Traditional defenses no longer apply Web Applications 8

The Myth: Our Site Is Safe We Have Firewalls and IPS in Place Port 80 & 443 are open for the right reasons We Audit It Once a Quarter with Pen Testers Applications are constantly changing We Use Network Vulnerability Scanners Neglect the security of the software on the network/web server We Use SSL Encryption Only protects data between site and user not the web application itself 9

SO Governance WHY & Risk Management ARE THESE HAPPENING? 10

11

12

May 7, 2009 CNet Tech News Governance & Risk Management Report: Hackers broke into FAA air traffic control systems 13

14

Reality: Security and Spending Are Unbalanced of All Attacks on Information Security are 75% Directed to the Web Application Layer 2/3 of All Web Applications are Vulnerable **Gartner 15

WHY DO HACKERS TODAY TARGET APPLICATIONS? Because they know you have firewalls So its not very convenient to attack the network anymore But they still want to attack cos they still want to steal data Because firewalls do not protect against app attacks! So the hackers are having a field day! Very few people are actively aware of application security issues Because web sites have a large footprint No need to worry anymore about cumbersome IP addresses Because they can! It is difficult or impossible to write a comprehensively robust application Developers are yet to have secure coding as second nature Developers think differently from hackers Cheap, Fast, Good choose two, you can t have it all It is also a nightmare to manually QA the application White-box static code analyzers don t test for inter-app relationships Many companies today still do not have a software security QA policy or resource 16

Top Hack Attacks Today Target Web Applications 17

Web Application Hacks are a Business Issue Application Threat Negative Impact Potential Business Impact Buffer overflow Denial of Service (DoS) Site Unavailable; Customers Gone Cookie poisoning Session Hijacking Larceny, theft Hidden fields Site Alteration Illegal transactions Debug options Admin Access Unauthorized access, privacy liability, site compromised Cross Site scripting Identity Theft Larceny, theft, customer mistrust Misdirect customers to bogus site Stealth Commanding Access O/S and Application Access to non-public personal information, fraud, etc. Parameter Tampering Fraud, Data Theft Alter distributions and transfer accounts Forceful Browsing/ SQL Injection 18 Unauthorized Site/Data Access Read/write access to customer databases

19

20

21

22

25-27 FEB 2009, GOLD COAST, AUSTRALIA NOW WITH ANTI CROSS-SITE-SCRIPTING FILTER! 23

24

Now there s Web Man-in-the Middle Attacks First presented at OWASP AP Conference Mar 09 Brisbane 25

Malware on Web Applications Malware can be delivered in many ways: E-mail, IM, network vulnerabilities Today, Malware is primarily delivered via Web Applications: Aims to infect those browsing the site Installed via Client-Side (e.g. Browser) Vulnerabilities & Social Engineering Malicious content can be downloaded: From the web application itself Through frames & images leading to other websites Through links leading to malicious destinations Legitimate Sites Hijacked to distribute Malware! McAfee, Asus, US Govt Staff Travel Site, Wordpress.org, SuperBowl, http://host.com <script src=file.js> IFrame (ads.com) Image (host.com) http://evil.org 2626

Real Example: Online Travel Reservation Portal Governance & Risk Management Change the reserid to 2001200 27

Real Example : Governance & Risk Management Parameter Tampering Reading another user s transaction insufficient authorization Another customer s transaction slip is revealed, including the email address 28

Parameter Tampering Reading another user s invoice Governance & Risk Management The same customer invoice that reveals the address and contact number 29

Attacks Sophistication vs. Intruder Knowledge High Intruder Knowledge Tools Low Attack Sophistication 1980 1985 1990 1995 2000 2005 Today 30

DON T TRY THIS AT HOME! Governance & Risk Management 31

NEW GOOGLE CHROME WEB BROWSER 32

33

34

GOOGLE CHROME VIEW PAGE SOURCE 35

WHY DO APPLICATION SECURITY PROBLEMS EXIST? IT security solutions and professionals are normally from the network /infrastructure /sysadmin side They usually have little or no experience in application development And developers typically don t know or don t care about security or networking Most companies today still do not have an application security QA policy or resource IT security staff are focused on other things and are swarmed App Sec is their job but they don t understand it and don t want to deal with it Developers think its not their job or problem to have security in coding People who outsource expect the 3 rd party to security-qa for them It is cultural currently to not associate security with coding Buffer Overflow has been around for 25 years! Input Validation is still often overlooked. 36

SECURITY TESTING IS PART OF SDLC QUALITY TESTING Collaborative Application Lifecycle Management SDLC Quality Assurance Quality Dashboard Requirements Management Test Management and Execution Defect Management Create Plan Build Tests Manage Test Lab Report Results Open Platform Best Practice Processes Functional Testing SAP Java Performance Testing TEAM SERVER Open Lifecycle Service Integrations Web Service Quality Code Quality System z, i.net Security and Compliance homegrown 37

Building security & compliance into the SDLC further back SDLC Coding Build QA Security Production Developers Enable Security to effectively drive remediation into development Developers Developers Provides Developers and Testers with expertise on detection and remediation ability Ensure vulnerabilities are addressed before applications are put into production 38

You need a professional solution to Governance & Risk Management Identify Vulnerabilities 39

With Rich Report Options 44 Regulatory Compliance Standards, for Executive, Security, Developers. 40

And Most Important : Governance & Risk Management Actionable Fix Recommendations 41

THE NEED FOR SECURITY IN SOFTWARE DEVELOPMENT HAS COME OF AGE 1. Secure Software Concepts 2. Secure Software Requirements 3. Secure Software Design 4. Secure Software Coding and Implementation 5. Secure Software Testing 6. Software Acceptance 7. Software Deployment, Operations, Maintenance and Disposal 42

Conclusion: Application QA for Security The Application Must Defend Itself You cannot depend on firewall or infrastructure security to do so Bridging the GAP between Software development and Information Security QA Testing for Security must now be integrated and strategic We need to move security QA testing back to earlier in the SDLC at production or pre-production stage is late and expensive to fix Developers need to learn to write code defensively and securely Lower Compliance & Security Costs by: Ensuring Security Quality in the Application up front Not having to do a lot of rework after production 43

SDLC Governance & QA Risk Management - YOUR LAST LINE OF DEFENSE 44

Governance and Risk Management WEB APPLICATION SECURITY YOUR LAST LINE OF DEFENSE Thank You Anthony LIM MBA CISSP CSSLP FCITIL

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information