The Hidden Cost of Vulnerable Applications. Faustino Sanchez. WW Security Sales Enablement. IBM Canada
The Traditional Approach is Changing. Security is no longer controlled and enforced through the network perimeter.
(Diagram: Trusted Intranet, DMZ and Untrusted Internet zones, with the Online Banking Application and the Employee Application placed behind the perimeter.)
With Mobile and Cloud There Is No Perimeter. Security must be centered on applications and transactions.
(Diagram: the same Trusted Intranet, DMZ and Untrusted Internet zones, now with the Online Banking Application delivering a mobile app, the Employee Application leveraging public clouds, investment in API services, and users consuming apps and services from outside the perimeter.)
Threats increase along with old and new targets
Escalating threats: 31% of new attacks in 1H 2013 targeted Web app vulnerabilities. Source: IBM X-Force 2013 Mid-Year Trend and Risk Report.
Web apps targeted: 50%+ of Web app vulnerabilities are cross-site scripting. Source: IBM X-Force 2013 Mid-Year Trend and Risk Report.
Mobile devices targeted, mobile malware increasing: mobile devices are twice as appealing because hackers can obtain both personal and business data. Source: Juniper Networks Third Annual Mobile Threats Report, 3/12 to 3/13.
A New Security Reality Is Here
61% of organizations say data theft and cybercrime are the greatest threats to their reputation (2012 IBM Global Reputational Risk & IT Study).
70% of security execs are concerned about cloud and mobile security (2013 IBM CISO Survey).
83% of enterprises have difficulty finding the security skills they need (2012 ESG Research).
Mobile malware grew 614% in one year, from March 2012 to March 2013 (2013 Juniper Mobile Threat Report).
Average U.S. breach cost: $7 million+ (2013 Cost of Cyber Crime Study, Ponemon Institute).
85 tools from 45 vendors (IBM client example).
Agenda
IBM as Security Solution Provider: IBM Security Framework; X-Force, Security Reports and SecurityIntelligence.com.
Standards and regulations (NIST).
Challenges for the security team in application security.
Application Security Framework.
Vulnerabilities at different SDLC stages.
Dynamic and static analysis.
Self-assessment and recommendations.
IBM Security: Market-changing milestones
Capability areas: Access Management; Mainframe and Server Security; SOA Management and Security; Identity Management; Compliance Management; Network Intrusion Prevention; Database Monitoring; Application Security; Security Analytics; Security Intelligence; Advanced Fraud Protection.
1976: Resource Access Control Facility (RACF) is created, eliminating the need for each application to embed security.
1999: Dascom is acquired for access management.
2002: Access360 is acquired for identity management; MetaMerge is acquired for directory integration.
2005: DataPower is acquired for SOA management and security.
2006: Internet Security Systems, Inc. is acquired for security research and network protection.
2007: Watchfire is acquired for security and compliance; Consul is acquired for risk management; Princeton Softech is acquired for data management.
2008: Encentuate is acquired for enterprise single-sign-on.
2009: Ounce Labs is acquired for application security; Guardium is acquired for enterprise database monitoring and protection.
2010: BigFix is acquired for endpoint security management; NISC is acquired for information and analytics management.
2011: Q1 Labs is acquired for security intelligence.
2012: IBM Security Systems division is created.
2013: Intent to acquire Trusteer for mobile and application security, counter-fraud and malware detection.
IBM Security investment: 6,000+ IBM Security experts worldwide; 3,000+ IBM security patents; 4,000+ IBM managed security services clients worldwide; 25 IBM Security labs worldwide.
IBM Security Framework http://www.redbooks.ibm.com/abstracts/sg248100.html
X-Force Threat Intelligence: The IBM Differentiator
Advanced Security and Threat Research. The mission of X-Force is to: monitor and evaluate the rapidly changing threat landscape; research new attack techniques and develop protection for tomorrow's security challenges; educate our customers and the general public.
URL/Web Filtering: provides access to one of the world's largest URL filter databases, containing more than 20 billion evaluated Web pages and images.
Anti-Spam: detects spam using known signatures and discovers new spam types automatically; 99.9% accurate, near 0% overblocking.
IP Reputation: categorizes malicious websites via their IP address into different threat segments, including malware hosts, spam sources, and anonymous proxies.
Web Application Control: identifies and provides actions for application traffic, both web-based, such as Gmail, and client-based, such as Skype.
http://securityintelligence.com/ http://www-03.ibm.com/security/xforce/
Security functionality examples
Protect critical infrastructure for the smart grid.
Safeguard patient data.
Reduce online banking fraud.
Secure the credit card environment.
Control access to auto designs and intellectual property.
Protect a self-service DMV portal.
Secure data exchange among insurance providers.
Standards and Regulations
v1.0 of the NIST Framework for Improving Critical Infrastructure Cybersecurity, following Executive Order 13636 from President Obama, was issued on February 12th 2014.
Software Risk and the Framework: software security is a critical component of cybersecurity. If the apps you're running can be exploited, the services they're running are at risk. And though there isn't a special section devoted to applications or building software in the NIST Framework, software is mentioned a number of times and should be addressed as part of the broader cybersecurity program.
http://securityintelligence.com/nistcybersecurity-framework-application-securityrisk-management/
Security team challenges
What is our application security status?
Which are our most important applications?
How many of them have we assessed?
Which ones present the highest risk?
Which vulnerabilities should we fix first?
What are the most common mistakes developers make?
Applications: Reducing the costs of developing secure applications and assuring the privacy and integrity of trusted information
Portfolio Overview
AppScan Enterprise Edition: enterprise-class solution for implementing and managing an application security program; includes high-level dashboards, test policies, scan templates and issue management. Multi-user solution providing simultaneous security scanning and centralized reporting.
AppScan Standard Edition: desktop solution to automate web application security testing for IT Security, auditors, and penetration testers.
AppScan Source Edition: static application security testing to identify vulnerabilities at the line of code. Enables early detection within the development life cycle.
Application Security Framework
Security Intelligence, Policy and Governance: activity monitoring, context, risk assessment, compliance reporting.
Lifecycle stages: Development, Test, Assure, Protect, Deployment, Procurement.
Scan & Remediate: static source, dynamic pre-launch; integrations, eLearning, correlation, vulnerability disclosure.
Rank & Validate: static binary, dynamic production; application reputation, vendor rankings, compliance scanning, research updates; static, dynamic, binary or manifest testing based on access.
Block & Prevent: web application firewall, intrusion prevention, database activity monitoring, containerization/sandbox, dynamic scanning (light), integrations, white/black lists, big data analytics.
Key trends: application testing services from the cloud (full managed service, easy to start and easy to test third-party apps); mobile application testing; mobile application reputation services; integrated solutions from development to deployment; risk management and visibility.
The Old Story: Still Valid, But There's More.
80% of development costs are spent identifying and correcting defects!*
Average cost of a data breach: $7.2M** from lawsuits, loss of customer trust, damage to brand.
Cost to fix a defect by the stage at which it is found: during development $80/defect; during build $240/defect; during QA/test $960/defect; in production $7,600/defect.
* Source: National Institute of Standards and Technology. ** Source: Ponemon Institute 2009-10.
Applications: Finding more vulnerabilities using advanced techniques
Static Analysis: analyzes source code; used during development; uses taint analysis / pattern matching.
Dynamic Analysis: analyzes the live web application; used during testing; uses HTTP tampering.
Hybrid Analysis: correlates dynamic and static results; assists remediation by identifying the line of code.
Run-Time Analysis: combines dynamic analysis with a run-time agent; more results, better accuracy.
Client-Side Analysis: analyzes downloaded JavaScript code that runs in the client; unique in the industry.
(Diagram: each technique covers a different share of the total potential security issues.)
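As an added illustration of the taint analysis that static analysis tools apply (example code written for this summary, not IBM AppScan's engine), the following script walks each function's AST, marks values derived from the assumed source `request` as tainted, clears taint through an assumed `escape` sanitizer, and reports where tainted data reaches an HTML-producing sink, which is the flow behind the reflected cross-site scripting the X-Force figures above describe:

```python
import ast

SOURCES = {"request"}      # assumed attacker-controlled input, e.g. Flask's request.args
SANITIZERS = {"escape"}    # assumed sanitizers: html.escape / markupsafe.escape stop the flow
SINKS = {"Response", "make_response", "render_template_string"}  # assumed HTML sinks
def _call_name(call):
    f = call.func  # escape(...) and html.escape(...) both yield "escape"
    return f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", "")
def _tainted(node, tainted):
    """True if the expression may carry data derived from a taint source."""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, (ast.Attribute, ast.Subscript)):   # request.args, request.form["q"]
        return _tainted(node.value, tainted)
    if isinstance(node, ast.Call):
        if _call_name(node) in SANITIZERS:        # sanitizer removes taint
            return False
        return _tainted(node.func, tainted) or any(_tainted(a, tainted) for a in node.args)
    if isinstance(node, ast.JoinedStr):           # f"<h1>{name}</h1>"
        return any(_tainted(v.value, tainted) for v in node.values
                   if isinstance(v, ast.FormattedValue))
    return False
def find_taint_flows(source):
    """Return (function, line) pairs where tainted data reaches a sink."""
    findings = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, ast.FunctionDef):
            continue
        tainted = set(SOURCES)
        for stmt in fn.body:                      # straight-line flow only, no branches
            if isinstance(stmt, ast.Assign):
                names = {t.id for t in stmt.targets if isinstance(t, ast.Name)}
                tainted = tainted | names if _tainted(stmt.value, tainted) else tainted - names
            elif isinstance(stmt, ast.Return) and isinstance(stmt.value, ast.Call):
                call = stmt.value
                if _call_name(call) in SINKS and any(_tainted(a, tainted) for a in call.args):
                    findings.append((fn.name, stmt.lineno))
    return findings
# Constructed sample (not real project code): a Flask-style handler with and without escaping.
SAMPLE = '''from flask import request, Response
from markupsafe import escape

def greet_unsafe():
    name = request.args.get("name")
    return Response(f"<h1>Hello {name}</h1>")   # unescaped input reaches the sink
def greet_safe():
    name = escape(request.args.get("name"))
    return Response(f"<h1>Hello {name}</h1>")   # sanitized before the sink
'''
```

Running `find_taint_flows(SAMPLE)` flags only `greet_unsafe`; a real engine additionally follows branches, loops, calls between functions and framework-specific sinks, which is why the slide pairs static results with dynamic testing.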
Important Questions to Consider
Do the applications contain sensitive data? Is the data protected? How do you know if it's protected?
Do you outsource your mobile application development?
How do you keep pace with the constant mobile updates?
How do you determine risk?
Do you have mobile-specific security expertise?
Do you have acceptance criteria?
Do you check application security every release?
Do you have a way to automate testing?
Application Security Awareness: From Do Nothing to Reactive to Proactive!
"What is application security testing?" / "Just got breached, how do we prevent this?" / "How do we protect our mobile apps?"
Where are you on this spectrum?
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
www.ibm.com/security
Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way.
IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.