Application Security Testing Jesper Kråkhede
AST 2015-10-22 2
Others call it security and try to avoid it. I call it passion and dive right into it.
Jesper Kråkhede
Worked as a security consultant for 17 years
Into security since I was 8 years old and started to pick locks
Director Cybersecurity at Sogeti with a passion for security architecture
Work globally with compliance frameworks
CISSP and Member of Mensa
Blogs at www.crowmoor.se
Rules are great for others
What challenges are enterprises facing?
120% increase in breaches reported in 2014
Over 500M identities were exposed via breaches in 2013
1 in 8 legitimate websites have a critical vulnerability
Web-based attacks: 80% of attacks
68% increase in mobile application vulnerability disclosures
Hacking is Al Capone's new gun
Automated attacks
Global industry
The cost of cyber crime annually is over 400Bn
Fraud, extortion, sabotage, industrial espionage, information theft etc.
Our adversaries are not 15-year-old boys but seasoned and skilled professionals or foreign military
Failing to understand who is threatening you will make you underestimate the attack, and instead you'll be yet another victim
They took control of a network of banks undetected and transferred money whenever they wanted
Modern version of pickpocketing
An ATM with a malfunction: an ATM started giving out money uncontrolled
A security company started to investigate the issue
They found a set of command-and-control software installed all over the network of banks
Money was transferred between accounts just below the radar
All automated detection patterns have thresholds; identifying and staying below them marks the skills of the hacker
The hackers spent two months following senior management to learn all processes for money transfer
Learning processes
Implementing the long con
They followed everything senior management did for two months to learn how the banks worked
By identifying the processes and thresholds for money transfer they could initiate a long series of money transfers that were not detected
By utilising vulnerabilities in many systems the hackers could gain control of the systems they needed
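The two slides above make one detection-engineering point: a fixed per-transfer alert threshold is defeated by an adversary who has learned it and keeps every transfer just below it. The following Python example is added here and is not part of the original presentation. It runs a naive per-transfer threshold rule and an aggregating per-account rule over a small set of constructed transfer records; the 10,000 threshold, the 24-hour window, the 90% "near threshold" band and the account numbers are assumed values chosen for illustration.

```python
"""Added example (not from the presentation): detection rules over
constructed transfer records, showing why a single per-transfer threshold
is easy to stay under and how aggregation per account catches it."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed alert threshold per transfer and aggregation window (illustrative).
THRESHOLD = 10_000.0
WINDOW = timedelta(hours=24)

# Constructed sample records: (ISO timestamp, source account, destination, amount).
# ACC-1001 moves money in four chunks, each just under the threshold.
SAMPLE_TRANSFERS = [
    ("2015-10-20T09:00:00", "ACC-1001", "ACC-9001", 9_800.0),
    ("2015-10-20T09:40:00", "ACC-1001", "ACC-9002", 9_950.0),
    ("2015-10-20T11:15:00", "ACC-1001", "ACC-9003", 9_700.0),
    ("2015-10-20T13:30:00", "ACC-1001", "ACC-9004", 9_900.0),
    ("2015-10-20T10:00:00", "ACC-2002", "ACC-9005", 250.0),
    ("2015-10-20T15:00:00", "ACC-3003", "ACC-9006", 12_000.0),
]


def parse(records):
    """Turn the raw tuples into (datetime, src, dst, amount) tuples."""
    return [(datetime.fromisoformat(ts), src, dst, float(amt))
            for ts, src, dst, amt in records]


def per_transfer_alerts(transfers, threshold=THRESHOLD):
    """Naive rule: alert only when one transfer on its own exceeds the threshold.
    Returns the sorted source accounts that triggered it."""
    return sorted({src for _, src, _, amt in transfers if amt > threshold})


def aggregate_alerts(transfers, threshold=THRESHOLD, window=WINDOW,
                     near=0.9, min_count=3):
    """Per-source-account rules over a sliding time window:
      rolling_sum  - total moved within the window exceeds the threshold
      structuring  - at least min_count transfers each within `near`
                     (fraction) of the threshold but not above it
    Returns {source account: set of rule names that fired}."""
    by_src = defaultdict(list)
    for ts, src, _, amt in transfers:
        by_src[src].append((ts, amt))

    alerts = defaultdict(set)
    for src, events in by_src.items():
        events.sort()               # oldest first
        start = 0                   # index of the oldest event still in the window
        for i, (ts, _) in enumerate(events):
            while events[start][0] < ts - window:
                start += 1
            in_window = [amt for _, amt in events[start:i + 1]]
            if sum(in_window) > threshold:
                alerts[src].add("rolling_sum")
            near_count = sum(1 for amt in in_window
                             if near * threshold <= amt <= threshold)
            if near_count >= min_count:
                alerts[src].add("structuring")
    return dict(alerts)


if __name__ == "__main__":
    txs = parse(SAMPLE_TRANSFERS)
    print("per-transfer rule:", per_transfer_alerts(txs))   # only ACC-3003
    print("aggregate rules:  ", aggregate_alerts(txs))      # ACC-1001 and ACC-3003
```

On the constructed data the per-transfer rule sees only the single 12,000 transfer, while the aggregate rules flag the account that split its movement into four sub-threshold chunks. The design lesson matches the slides: thresholds the adversary can learn should be backed by aggregate, per-account and rate-based rules whose parameters are not exposed in the same way.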
They had 100% control of support and could block clients from seeing when money was stolen from their accounts
Hacking the service desk
Supporting the support
When money started to be siphoned away from accounts, the customers called the banks
The hackers took the calls, blamed a technical glitch and moved money from other accounts into the customers' accounts
With this total control, the banks had lost all control of the money
All ATMs were under their control and money was dispensed at their convenience
Exploited ATM
Money was stolen using hacked ATMs
With total access to operate the ATMs, money was dispensed when an accomplice was in place to collect it from the ATM
Millions and millions were stolen using hacked ATMs
Even the video surveillance was under the hackers' control, making the possibility of identifying the culprits slim at best
What's the current situation?
56% of organisations have been hacked
Attackers are targeting applications rather than networks and hardware
84% of breaches occur at the application layer (Gartner, 2013)
By identifying vulnerabilities in applications we minimise the attack surface and safeguard the information and systems
AST is just another layer in the security setup
HP 2013 Mobile Application Security Study of over 2,000 mobile applications from 600+ companies
Sogeti Security Gate
Secure ALL your applications before deployment
Web, Facebook, Mobile
In-house, outsourced, third-party
Security Testing Service: Code, Test, Deploy, Contract/Outsource, Procure
Security Gate
How it works
Upload: the customer uploads software, or dynamic access data, directly from their portal
Test: dynamic, static and/or mobile testing
Review: expert review of the results, help to remediate and prioritize fixes
Comprehensive and accurate testing
Static Analysis, powered by HP Fortify SCA: enterprise-proven technology, 100% code coverage, support for 21 development languages
Dynamic Analysis, powered by HP WebInspect: production safe, three testing levels, QA or production environments
Manual Review: security expert review, reduced false positives
Multiple levels of testing based on application risk
Low risk (marketing site): Basic assessment
Medium risk (personally identifiable information, business useful): Standard assessment
High risk (credit card/SSN information, business critical): Premium assessment
Outcome: Overview
Outcome: Issue information
Outcome: Fix recommendation
The security tester has a specific set of skills
Operating systems, networking, security tools, programming, scripting, databases, curiosity
A security tester needs a subset of the skills a security architect needs
Want to become a security tester or specialist?
Curiosity and out-of-the-box thinking are mandatory
But what if I don't bother about security testing?
You will be found! You will be hacked! You will lose!
Today it only takes 10 seconds before a server is found on the internet
Q & A
Got any mor-r-r-e questions?
Contact information: Jesper Kråkhede, jesper.krakhede@sogeti.se, +46 725 27 65 87
Read more at www.crowmoor.se