New IBM Security Scanning Software Protects Businesses From Hackers
Chatchawun Jongudomsombut
Web Application Security Situation Today

High and increasing dependence on web services:
- Work and business
- Communications and transactions
- Leisure and community

Web applications are the new target for hackers: SOA, portals, web services.

Some recent examples:
- ASUSTEK
- MONSTER.COM
- China gaming Panda trojan
- USA financial analyst blog
The Myth: Our Site Is Safe

- "We have firewalls in place": ports 80 and 443 are open for legitimate reasons, so any attack carried over HTTP(S) passes straight through the firewall.
- "We audit it once a quarter with pen testers": applications change constantly between audits, so a quarterly snapshot goes stale within days.
- "We use network vulnerability scanners": these check the host and services but neglect the security of the software running on the network/web server.
- "We use SSL encryption": SSL only protects data in transit between the site and the user; it does nothing for the web application itself, and the attacker's traffic is encrypted just as well as the customer's.
The Reality: Security and Spending Are Unbalanced

Attacks at the web application layer: buffer overflow, cookie poisoning, hidden fields, cross-site scripting, stealth commanding, parameter tampering, forceful browsing, SQL injection, etc.

                    % of attacks    % of security dollars
Web applications    75%             10%
Network / server    25%             90%

75% of all attacks on information security are directed at the web application layer.
2/3 of all web applications are vulnerable.

Sources: Gartner, Watchfire
Web Attacks: the manipulation of web applications
Web Application Hacks Are a Business Issue

Application threat                 Negative impact                          Potential business impact
Buffer overflow                    Denial of Service (DoS)                  Site unavailable; customers gone
Cookie poisoning                   Session hijacking                        Larceny, theft
Hidden fields                      Site alteration                          Illegal transactions
Debug options                      Admin access                             Unauthorized access, privacy liability, site compromised
Cross-site scripting               Identity theft                           Misdirect customers to bogus site; access to non-public personal information, fraud, etc.
Stealth commanding                 Access to O/S and application            Larceny, theft, customer mistrust
Parameter tampering                Fraud, data theft                        Alter distributions and transfer accounts
Forceful browsing / SQL injection  Unauthorized site/data access            Read/write access to customer databases
Application Security Defects: #1 & #2 Vulnerabilities
IBM Rational Software

Understanding the Problem: Info Security Landscape

Layer               Existing protection
Desktop             Antivirus protection
Transport           Encryption (SSL)
Network             Firewalls / IDS / IPS
Web applications    (no equivalent)

(Diagram: a legitimate network-level user reaches the web servers through the firewall on ports 80 & 443; behind the web servers sit the application servers, the backend server and the databases.)
Why Application Security Problems Exist

Root cause: developers are not trained to write or test for secure code.
- Firewalls and IPSs don't block application attacks; ports 80 and 443 are wide open for attack.
- Network scanners (Nessus, ISS, Qualys, Nmap, etc.) won't find application vulnerabilities.
- Network security (firewall, IDS, etc.) does nothing once an organization web-enables an application.

Current state:
- Organizations test tactically at a late and costly stage in the SDLC, if at all (<10% market penetration).
- A communication gap exists between security and development, so vulnerabilities are found but not fixed.
- Testing coverage is incomplete.

Goal: build better and more secure applications and websites.
Building Security & Compliance into the SDLC

SDLC stages: Coding -> Build -> QA -> Security -> Production

- Enable Security to effectively drive remediation into Development
- Provide Developers and Testers with expertise in detection and the ability to remediate
- Ensure vulnerabilities are addressed before applications are put into production
Rational Software Quality Solutions

Business: software quality solutions
- Test and change management: requirements (Rational RequisitePro), test (Rational ClearQuest), change (Rational ClearQuest), defects (Rational ClearQuest)

Development:
- Developer test: Rational PurifyPlus, Rational Test RealTime
- Test automation / functional test: Rational Functional Tester Plus (automated), Rational Functional Tester, Rational Manual Tester (manual), Rational Robot
- Security and compliance test: AppScan, WebXM
- Performance test: Rational Performance Tester

Operations: quality metrics, project dashboards, detailed test results, quality reports
Web Application Environment

(Diagram: the stack, top to bottom, is web application and web services, web server, database, operating system. Web application scanners cover the web application and web services layers; network scanners, database scanners and host scanners cover the web server, database and operating system beneath them.)
A Different Approach

Traditional approach -> AppScan:
- Manual -> Automated
- Consultants -> Online interface
- Project based -> Ongoing process
How does AppScan work?

1. Approaches the application as a black box (no access to source code).
2. Traverses the web application and builds the site model: every page, link and form parameter it accepts.
3. Determines the attack vectors based on the selected test policy.
4. Tests by sending modified HTTP requests to the application and examining each HTTP response against validation rules.

HTTP request -> Web application -> HTTP response
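The four steps above in working code, as an added example that is not part of the original deck and is not AppScan or IBM code. It assumes a constructed in-memory target (fake_app, with deliberately vulnerable /search and /login handlers) standing in for a real web server so it runs offline; build_site_model, TEST_POLICY and scan are illustrative names, and the two validation rules are deliberately simple.

```python
"""Minimal black-box scanner: crawl, build site model, mutate parameters, validate responses."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# --- Constructed target application (stands in for the real web app) ------
# Each handler takes a dict of request parameters and returns (status, body).
def _index(params):
    return 200, ('<a href="/search?q=shoes">Search</a> <a href="/about">About</a>'
                 '<form action="/login" method="POST">'
                 '<input name="user"><input name="pass" type="password"></form>')

def _about(params):
    return 200, "<p>About us</p>"

def _search(params):
    # Deliberately vulnerable: the query is reflected into the page unencoded.
    return 200, "<p>Results for " + params.get("q", "") + "</p>"

def _login(params):
    user = params.get("user", "")
    # Deliberately vulnerable: a quote breaks the (simulated) SQL statement
    # and the database error text leaks into the response.
    if "'" in user:
        return 500, "You have an error in your SQL syntax near ''' at line 1"
    return 200, "<p>Welcome " + html.escape(user) + "</p>"

ROUTES = {"/": _index, "/about": _about, "/search": _search, "/login": _login}

def fake_app(method, path, params):
    """Stand-in for 'send an HTTP request, receive the HTTP response'."""
    handler = ROUTES.get(path)
    return handler(params) if handler else (404, "Not found")

# --- Steps 1-2: traverse the application and build the site model ---------
class _LinkFormParser(HTMLParser):
    """Collects links and forms: every request the application advertises."""
    def __init__(self):
        super().__init__()
        self.entry_points = []   # (method, path, {param: default value})
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and "href" in a:
            u = urlsplit(a["href"])
            params = {k: v[0] for k, v in parse_qs(u.query).items()}
            self.entry_points.append(("GET", u.path, params))
        elif tag == "form":
            self._form = (a.get("method", "GET").upper(), a.get("action", "/"), {})
        elif tag == "input" and self._form is not None and "name" in a:
            self._form[2][a["name"]] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.entry_points.append(self._form)
            self._form = None

def build_site_model(send, start="/"):
    """Breadth-first crawl; returns [(method, path, params)] for every entry point."""
    model, queue, seen = [], [("GET", start, {})], set()
    while queue:
        method, path, params = queue.pop(0)
        key = (method, path, tuple(sorted(params)))
        if key in seen:
            continue
        seen.add(key)
        model.append((method, path, params))
        status, body = send(method, path, params)
        if status == 200:
            parser = _LinkFormParser()
            parser.feed(body)
            queue.extend(parser.entry_points)
    return model

# --- Steps 3-4: test policy = payload + validation rule per attack vector --
TEST_POLICY = {
    # Reflected XSS: the probe must come back with its '"' and '<' intact.
    "reflected_xss": ('"><xss-probe>',
                      lambda payload, status, body: payload in body),
    # SQL injection: a lone quote provokes a database error signature.
    "sql_injection": ("'",
                      lambda payload, status, body:
                          re.search(r"SQL syntax|ODBC|ORA-\d{5}", body) is not None),
}

def scan(send, start="/", policy=TEST_POLICY):
    """Mutate each parameter with each payload and validate every response."""
    findings = []
    for method, path, params in build_site_model(send, start):
        for name in params:
            for test_name, (payload, rule) in policy.items():
                mutated = dict(params, **{name: payload})
                status, body = send(method, path, mutated)
                if rule(payload, status, body):
                    findings.append((path, name, test_name))
    return findings

if __name__ == "__main__":
    for path, name, test_name in scan(fake_app):
        print(f"{test_name}: {path} parameter '{name}'")
```

Run against the constructed target it reports the reflected XSS in /search?q and the SQL injection in the login user field, and nothing for the password field or the correctly escaped welcome page, which is the point of validating the response rather than just counting parameters. Against a real application, send() would be an HTTP client and the test policy would hold hundreds of payloads and rules; the crawl, mutate, validate loop is the same.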
AppScan Goes Beyond Pointing out Problems

Identify Vulnerabilities

Actionable Fix Recommendations

Report

AppScan Reporting Console - Dashboard
Governance Addresses Web Application Security. Example: PCI

Best practice becomes standard becomes law (by 06-2008): Visa's PABP (Payment Application Best Practices), a list of auditable statements regarding the secure development, deployment and documentation of cardholder-data-processing software, is being converted into a new PCI security standard, PASS (Payment Application Security Standard).

Requirement 11.2: Run internal and external vulnerability scans
- At least quarterly
- After any significant change in the network
Requirement 11.3: Perform penetration testing at least once a year
- 11.3.1 Network-layer penetration tests
- 11.3.2 Application-layer penetration tests
Requirement 6: Develop and maintain secure systems and applications
Requirement 6.6: Ensure that all web-facing applications are protected against known attacks by having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security

Card brands: VISA, MasterCard, AMEX
AppScan / IBM Rational CQTM Integration

AppScan with QA Defect Logger for ClearQuest

AppScan Enterprise / IBM Rational ClearQuest Integration
At First Glance: a Good Candidate If
1. Their website is used to communicate with customers.
2. Their website is used to send and receive sensitive customer data.
3. Their website is accessed by hundreds, thousands or even millions of users.
4. Their business falls into one of the following verticals: retail, government, financial services, insurance, technology.
5. The customer is subject to any type of federal or state legislative regulation: PCI, HIPAA, SOX, GLBA.
Conclusion: Application QA for Security
- The application must defend itself; you cannot depend on the firewall or infrastructure security to do so.
- Bridge the gap between software development and information security.
- Never before was QA testing for security integrated and strategic, until now.
- Security QA testing must move earlier in the SDLC: finding problems at the production or pre-production stage is late and expensive to fix.
- Developers need to learn to write code defensively and securely.