Building a Web Application Security Program. Rich Mogull Adrian Lane Securosis, L.L.C.

Similar documents
Building a Web Application Security Program

Application Security in the Software Development Lifecycle

IBM Rational AppScan: Application security and risk management

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

The AppSec How-To: Achieving Security in DevOps

Security and Vulnerability Testing How critical it is?

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle

PCI DSS 3.0 : THE CHANGES AND HOW THEY WILL EFFECT YOUR BUSINESS

The Web AppSec How-to: The Defenders Toolbox

BUILDING AN OFFENSIVE SECURITY PROGRAM BUILDING AN OFFENSIVE SECURITY PROGRAM

APPLICATION SECURITY: ONE SIZE DOESN T FIT ALL

How to Build a Trusted Application. John Dickson, CISSP

Goals. Understanding security testing

Web application security: automated scanning versus manual penetration testing.

Reference Architecture: Enterprise Security For The Cloud

Cisco Advanced Services for Network Security

How To Protect A Web Application From Attack From A Trusted Environment

THE TOP 4 CONTROLS.

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

10 Things Every Web Application Firewall Should Provide Share this ebook

Avoiding the Top 5 Vulnerability Management Mistakes

Web Application Penetration Testing

Cisco Security Optimization Service

Effective Threat Management. Building a complete lifecycle to manage enterprise threats.

A Decision Maker s Guide to Securing an IT Infrastructure

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

Real World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services

Where every interaction matters.

Three Critical Success Factors for PCI Assessment. Seth Peter NetSPI April 21, 2010

Software Development: The Next Security Frontier

From the Bottom to the Top: The Evolution of Application Monitoring

Application Security Center overview

Rational AppScan & Ounce Products

Realize That Big Security Data Is Not Big Security Nor Big Intelligence

How to Instrument for Advanced Web Application Penetration Testing

The SIEM Evaluator s Guide

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

The Cost of Web Application Attacks

Agile Development for Application Security Managers

Redhawk Network Security, LLC Layton Ave., Suite One, Bend, OR

SaaS-Based Employee Benefits Enrollment System

PCI Solution for Retail: Addressing Compliance and Security Best Practices

Build Your Mobile Strategy Not Just Your Mobile Apps

Vulnerability management lifecycle: defining vulnerability management

From Rivals to BFF: WAF & VA Unite OWASP The OWASP Foundation

PENTEST. Pentest Services. VoIP & Web.

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

The Top Web Application Attacks: Are you vulnerable?

That Point of Sale is a PoS

The Evolution of Enterprise Application Security. Why enterprises need runtime application self-protection

About This Document. Response to Questions. Security Sytems Assessment RFQ

El costo oculto de las aplicaciones Vulnerables. Faustino Sanchez. WW Security Sales Enablement. IBM Canada

Assuring Application Security: Deploying Code that Keeps Data Safe

THE EVOLUTION OF ENTERPRISE APPLICATION SECURITY

Vulnerability Management

Product Roadmap. Sushant Rao Principal Product Manager Fortify Software, a HP company

Integrating Web Application Security into the IT Curriculum

SAST, DAST and Vulnerability Assessments, = 4

SAFECode Security Development Lifecycle (SDL)

PASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013

How Oracle MAF & Oracle Mobile Cloud can Accelerate Mobile App Development

Information Technology Security Review April 16, 2012

ensuring security the way how we do it

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis

Know your enemy. Class Objectives Threat Model Express. and know yourself and you can fight a hundred battles without disaster.

WebGoat for testing your Application Security tools

Passing PCI Compliance How to Address the Application Security Mandates

Table of Contents. Application Vulnerability Trends Report Introduction. 99% of Tested Applications Have Vulnerabilities

Building a Mobile App Security Risk Management Program. Copyright 2012, Security Risk Advisors, Inc. All Rights Reserved

OPC & Security Agenda

Integrated Threat & Security Management.

How To Ensure That Your Computer System Is Safe

Seamless Mobile Security for Network Operators. Build a secure foundation for winning new wireless services revenue.

WEB 2.0 AND SECURITY

A HELPING HAND TO PROTECT YOUR REPUTATION

Cybersecurity and internal audit. August 15, 2014

elearning for Secure Application Development

Web Application Security

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

Six Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business

Software that provides secure access to technology, everywhere.

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Internet threats: steps to security for your small business

IoT & INFOSEC: A REPORT FROM THE TRENCHES - AGC IT Conference- July 2015 MIKE.ZUSMAN@CARVESYSTEMS.COM

Information Security Threats and Strategies. Ted Ericson Product Marketing - ASI

Transcription:

Building a Web Application Security Program Rich Mogull Adrian Lane Securosis, L.L.C.

Old School, New School, Oh SH*& School

What s Different About This Presentation We are focusing on the business processes of web application security. Although we discuss technologies, our goal is to show you how to build a program by putting the pieces together.

The Web Application Security Problem Universal Availability Highly Distributed Eternal Beta No Built-In Security, or Security Design Quiet vs. Noisy Light, Fast Development Organic Development Open to Everyone Before web applications, very few businesses exposed their internal transactional systems to the outside world. Even those which did expose systems to business partners on a restricted basis rarely exposed them directly to customers. Web applications grew organically starting from informational websites that were little more than online catalogs, through basic services, to robust online applications connected to critical back-end systems. Applications developed slowly over time, with increased functionality leading to increased reliance, often without the oversight they might have gotten had they been designed as massive projects from the beginning. This transition is the classic frog in a frying pan problem: Drop a frog into a hot frying pan, and it will hop right out. Slowly increase the heat, and it will fry to death without noticing or trying to escape. Web application protocols were designed to be lightweight and flexible; and lacked privacy, integrity, and security features. Web application development tools and techniques evolve rapidly, but we still rely on massive amounts of legacy code. Both internal and external systems, once deployed, migrate to new systems but only rarely are we able to clean up any of the existing complex interdependencies. Web application threats evolve as quickly as our applications, and apply to everything we ve done in the past. We re constantly discovering entirely new classes of vulnerabilities we didn t anticipate before. The web itself was never designed to securely run mission critical applications, so we are building on a platform that was not intended to support its current uses. Few web applications are designed securely from the ground up, or maintained with processes designed to keep them secure over time. When security breaches do occur, they can be difficult to detect, analyze and measure. In light of all these factors, web application security is typically underfunded in most organizations. And like all application development, web applications are subject to time pressures and deadlines that result in deployment tradeoffs and compromised functionality to meet business objectives. We categorize the web application security problems as follows:few web applications were designed to be secure. The application is reliant on a remote web browser which is neither secure nor trusted. Web applications evolved to connect our most sensitive back end systems to an open, public network without inherent security controls. The web was not designed to be a secure platform, and is thus subject to trivial attacks on confidentiality, integrity and availability. Only a small percentage of security breaches are detected and noisy enough to result in measurable losses and/or gain management attention. We have a large volume of old application code to fix, while constantly writing new code. Web applications are complex combinations of platforms, tools, and services from multiple providers, each with its own security challenges. Many web applications are mission critical, but may not have been when they were designed. Due to the design of the web (and VPNs), even internal web applications are external applications. Web applications are custom applications; we are the vendors, and no one else will provide security fixes. Web application projects are funded to offer more services, easier, faster, and cheaper than before, while security tends to limit these benefits. No single web application security tool provides effective security on its own.

Web App Dependancies JSP AJAX Applet Database Server Connectivity Services Supporting Applications Application Server Authentication Services Frameworks Middleware Abstraction / ORM ecurosis.com

How Web Application Security is Different Reliant on browser for UI Custom code == custom vulnerabilities You are the vendor Dynamic content Complex platforms and frameworks Reliant on browser for UICustom code == custom vulnerabilitiesyou are the vendordynamic contentcomplex platforms and frameworks

Business Justifications

Application Security

Securing Web Applications

Application Security Cycle

Secure Development

Training & SDLC

Static Analysis IDE Integration Prioritization Reports Code base covered Accuracy Vulnerability updates Integration with DAST Inspection of codegood at detecting common errors and poor programming practicessupplements manual code inspectiondoes not account for all code pathways

Dynamic Analysis Inspect asdfl;kjasdf 2345sdfg fvadfadsf6 adsfhkjladsf Tainted Input Instrument Application Fuzzing Taint methods Instrumentation Prioritization Coverage Inspect code during runtime Fuzzers send intentionally harmful inputworks with any web applicationbehaves like attacker wouldskill of user indicative of effectivenessnot a focused analysis

Secure Deployment

Web Vulnerability Assessment { Software vs. Service Credentialed and Non-Credentialed Configuration, Logic, and Platform Flaws Scans for configuration weaknessesscans for known vulnerabilities Credentialed and non-credentialed scansavailable as software and service

Penetration Testing Pen testing helps measure risk and validates vulnerabilities, it s not about just breaking in. Begun testing in the development process. Be extremely cautious about testing live apps. Use a combination of tools and manual process. Perform periodic testing post-deployment, especially as new exploits appear.

Secure Operations

Web Application Firewalls Inline Out of Band Inspects inbound requests for threatscan monitor, block or reset connectionsgood for addressing broad classes of threatsrequires significant custom policy development

Web Application Firewalls No WAF can ever fully understand a custom application behind it out of the box. These are *not* the same as network firewalls. Require extensive tuning for good results. Inspects inbound requests for threatscan monitor, block or reset connectionsgood for addressing broad classes of threatsrequires significant custom policy development

Activity Monitoring WAF App DAM Monitors activity but does not blockmonitors database activityno negative impact on business processcost effective

WAF + VA

Use Case: Large Enterprise Customer WebApps provide core business functions Primary drivers are fraud reduction, compliance, service reliability Reputation and asset protection Lots of legacy code Security expertise, but not in IT or Dev

Large Enterprise Recommendations

Use case: Mid-Sized Retailer Need to meet PCI-DSS Missing basic controls and requirements Lack in house security expertise Small body of code, but core to business

Retailer Recommendations

Internal Web Apps Dozens of internal web applications Supports HR, sales, workflow, BI and partners Security and integrity are major concerns Insider fraud and breach deterrence are primary drivers

Internal WebApp Security Recommendations

Rich Mogull Securosis, L.L.C. rmogull@securosis.com http://securosis.com Twitter: rmogull AIM: securosis Skype: rmogull

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information