Keeping the Bad Guys Out- Safeguarding Applications and Data

Similar documents
The Top Web Application Attacks: Are you vulnerable?

Rational AppScan & Ounce Products

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

Staying a step ahead of the hackers: the importance of identifying critical Web application vulnerabilities.

Security for a Smarter Planet IBM Corporation All Rights Reserved.

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Where every interaction matters.

Barracuda Web Site Firewall Ensures PCI DSS Compliance

Web Application Report

Web Applications The Hacker s New Target

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Web Engineering Web Application Security Issues

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Web Application Penetration Testing

Criteria for web application security check. Version

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Web application security

What is Web Security? Motivation

Table of Contents. Page 2/13

El costo oculto de las aplicaciones Vulnerables. Faustino Sanchez. WW Security Sales Enablement. IBM Canada

05.0 Application Development

OWASP AND APPLICATION SECURITY

WEB APPLICATION SECURITY

Overview of the Penetration Test Implementation and Service. Peter Kanters

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Application Security Testing

OWASP Top Ten Tools and Tactics

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Table of Contents. Application Vulnerability Trends Report Introduction. 99% of Tested Applications Have Vulnerabilities

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

IBM X-Force 2012 Cyber Security Threat Landscape

Secure Web Applications. The front line defense

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

New IBM Security Scanning Software Protects Businesses From Hackers

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

The Business Case for Security Information Management

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Six Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business

Beyond passwords: Protect the mobile enterprise with smarter security solutions

Preemptive security solutions for healthcare

A Network Administrator s Guide to Web App Security

Bad Romance: Three Reasons Hackers <3 Your Web Apps & How to Break Them Up

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

WhiteHat Security White Paper. Top 11 PCI DSS 3.0 Changes That Will Affect Your Application Security Program

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

THE HACKERS NEXT TARGET

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

8 Steps to Holistic Database Security

Why The Security You Bought Yesterday, Won t Save You Today

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

The Key to Secure Online Financial Transactions

Secure Your Mobile Workplace

Hack Proof Your Webapps

IBM MOBILE SECURITY SOLUTIONS - Identity and Access Management Focus

Reducing Application Vulnerabilities by Security Engineering

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

MatriXay WEB Application Vulnerability Scanner V Overview. (DAS- WEBScan ) The best WEB application assessment tool

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

How to complete the Secure Internet Site Declaration (SISD) form

SecurityMetrics Vision whitepaper

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

Architectural Design Patterns. Design and Use Cases for OWASP. Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A.

Application security testing: Protecting your application and data

Streamlining Web and Security

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Thick Client Application Security

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper

Securing Endpoints without a Security Expert

Society for Information Management

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker

Data Privacy: The High Cost of Unprotected Sensitive Data 6 Step Data Privacy Protection Plan

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Sophistication of attacks will keep improving, especially APT and zero-day exploits

How To Ensure That Your Computer System Is Safe

Cutting the Cost of Application Security

Reducing the Cost and Complexity of Web Vulnerability Management

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs

Passing PCI Compliance How to Address the Application Security Mandates

How To Protect Yourself From Cyber Threats

2012 Data Breach Investigations Report

How Security Testing can ensure Your Mobile Application Security. Yohannes, CEHv8, ECSAv8, ISE, OSCP(PWK) Information Security Consultant

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

The monsters under the bed are real World Tour

Web Application Security Assessment and Vulnerability Mitigation Tests

SERENA SOFTWARE Serena Service Manager Security

Global Partner Management Notice

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Web Security. Discovering, Analyzing and Mitigating Web Security Threats

Mingyu Web Application Firewall (DAS- WAF) All transparent deployment for Web application gateway

Don t Get Burned! Are you Leaving your Critical Applications Defenseless?

Transcription:

Keeping the Bad Guys Out- Safeguarding Applications and Data Susann Ulrich North America Security Practice Leader, Rational Software sulrich@us.ibm.com

Agenda Current Trends in Application Security Understanding Attacks Protecting Data and Information 2

Smarter planet opportunities driven by Web-enabled applications The Opportunity smarter planet Globalization and Globally Available Resources Access to streams of information in the Realtime Billions of mobile devices accessing the Web New Forms of Collaboration 3

The Costs from Security Breaches are Staggering Verizon 2010 Data Breach Investigations Report 2010 Annual Study: U.S. Cost of a Data Breach Ponemon Institute LLC 2010 Annual Study: U.S. Cost of a Data Breach Ponemon Institute LLC

Damage to Enterprise IBM Security Solutions Sources of Security Breach Costs 1,000,000x Security Flaw Unbudgeted Costs: Customer notification / care Government fines Litigation Reputational damage Brand erosion Cost to repair 10x 1x Functional Flaw Development Test Deployment 5

The Evolution of the Security Landscape Early 90s Now Fun & personal glory $$$ Light website Critical data & business Network level vulnerabilities System level vulnerabilities System code level vulnerabilities Application level vulnerabilities Organizations got better at firewalling, using switch technology and encryption OS vendors started locking down their systems out of the box and users started to get better at managing security configurations OS vendors such as Microsoft and Linux have scrubbed out most of the defects in the OS code It s the thousands of applications, produced by thousands of software makers, that make up this huge 4th wave. Web Application Security testing with IBM Rational AppScan

Hackers Continue to Focus on Web Applications because they are easy points of entry and there is valuable of data exchanged in the business processes run by the applications Web Application Vulnerabilities on the Rise Source: 2010 IBM ISS X-Force Mid Year Report 7

Hackers Continue to Focus on Web Applications Web Application Vulnerabilities on the Rise Unfortunately, it appears that the volume of SQL injection disclosure is back up during the first half of 2010 Over half (55 percent) of all vulnerabilities disclosed in the first half of 2010 have no vendor-supplied patch at the end of the period. Source: 2010 IBM ISS X-Force Mid Year Report 8

2010 Breach Trends Source: VERIZON 2010 DATA BREACH INVESTIGATIONS REPORT

2010 Breach Trends Source: VERIZON 2010 DATA BREACH INVESTIGATIONS REPORT

2010 Breach Trends Hacking (40% of breaches, 94% of records) Source: VERIZON 2010 DATA BREACH INVESTIGATIONS REPORT

2010 Breach Trends Source: VERIZON 2010 DATA BREACH INVESTIGATIONS REPORT

2010 Breach Trends Source: VERIZON 2010 DATA BREACH INVESTIGATIONS REPORT

Understanding the Web Application Organization Client Application Development Secure Hosting Environment Defend Network Protect Data across Internet Desktop Backend Server Application Server Requirements Secure Design Database Web Server Vulnerability management Network Firewall IDS / IPS SSL Encryption Anti-virus Anti-malware Dynamic Analysis Host Web App Firewall Personal firewall Static Analysis Application Anti-virus Incident & event management Identity & access management Malware detection Hacking 102: Integrating Web Application Security Testing into Development 14

Attack Vectors

Why are Web Applications so Vulnerable? Developers are mandated to deliver functionality on-time and on-budget - but not to develop secure applications Developers are not generally educated in secure code practices Product innovation is driving development of increasingly complicated software for a Smarter Planet Network scanners won t find application vulnerabilities and firewalls/ips don t block application attacks Volumes of applications continue to be deployed that are riddled with security flaws and are non compliant with industry regulations 16

Perimeter defenses no longer sufficient Insiders (DBAs, developers, outsourcers, etc.) Outsourcing Web-Facing Apps Stolen Credentials (Zeus, etc.) Employee Self-Service, Partners & Suppliers A fortress mentality will not work in cyber. We cannot retreat behind a Maginot Line of firewalls. -- William J. Lynn III, U.S. Deputy Defense Secretary

Agenda Current Trends in Application Security Understanding Attacks Protecting Data and Information 18

OWASP Top 10 Threat Negative Impact Example Impact OWASP Top 10 Vulnerabilities Cross Site scripting Identity Theft, Sensitive Information Leakage, Browser control Hackers can impersonate legitimate users, and control their accounts. Injection Flaws Malicious File Execution Insecure Direct Object Reference Cross-Site Request Forgery Information Leakage and Improper Error Handling Broken Authentication & Session Management Insecure Cryptographic Storage Insecure Communications Failure to Restrict URL Access Attacker can manipulate queries to the DB / LDAP / Other system Execute shell commands on server, up to full control Attacker can access sensitive files and resources Attacker can invoke blind actions on web applications, impersonating as a trusted user Attackers can gain detailed system information Session tokens not guarded or invalidated properly Weak encryption techniques may lead to broken encryption Sensitive info sent unencrypted over insecure channel Hacker can access unauthorized resources Hackers can access backend database information, alter it or steal it. Site modified to transfer all interactions to the hacker. Web application returns contents of sensitive file (instead of harmless one) Blind requests to bank account transfer money to hacker Malicious system reconnaissance may assist in developing further attacks Hacker can force session token on victim; session tokens can be stolen after logout Confidential information (SSN, Credit Cards) can be decrypted by malicious users Unencrypted credentials sniffed and used by hacker to impersonate user Hacker can forcefully browse and access a page past the login page Ha www.owasp.org

Cross-Site Scripting (XSS) What is it? Malicious script echoed back into HTML returned from a trusted site, and runs under trusted context What are the implications? Session Tokens stolen (browser security circumvented) Complete page content compromised Future pages in browser compromised Ha 20

XSS Demonstration HTML code: Ha 21

XSS Demonstration HTML code: Ha 22

Cross Site Scripting The Exploit Process Evil.org 1) Link to bank.com sent to user via E-mail or HTTP 5) Evil.org uses stolen session information to impersonate user User 4) Script sends user s cookie and session information without the user s consent or knowledge 2) User sends script embedded as data bank.com 3) Script/data returned, executed by browser Ha 23

Injection Flaws What is it? User-supplied data is sent to an interpreter as part of a command, query or data. What are the implications? SQL Injection Access/modify data in DB XPath Injection Access/modify data in XML format SSI Injection Execute commands on server and access sensitive data LDAP Injection Bypass authentication MX Injection Use mail server as a spam machine HTTP Injection Modify or poison web caches Etc. Ha 24

SQL Injection Illustrated Name: Balance Account: 876398 or 1 = 1 ---------------------------- All Account: records 876398 are returned or 1 Select = 1 * from Account where acct = ACME 876398 Bank or 1 = 1 21,234,345 Custom Code Exxon 92,873,739 HP 99,734,123 Smith Financials 23,239,329 Xter 9,439,231 Hardened App Server Hardened Web Server Hardened OS Web Services Database HRMS Legacy Systems HTTP Request Firewall Intrusion detection, firewalls, and hardened OS s won t detect or prevent most application attacks

Night Dragon Successful attacks on 5+ global oil & gas co s Attacks began with SQL-injection, which compromised external web servers Common hacking tools were then used to access intranets, giving attackers access to internal servers and desktops Usernames and passwords were then harvested and after disabling Internet Explorer proxy settings Hackers were able to establish direct communication from infected machines to the Internet.

Agenda Current Trends in Application Security Understanding Attacks Protecting Data and Information 27

The Framework identifies five security focus areas as starting points PEOPLE AND IDENTITY Mitigate the risks associated with user access to corporate resources DATA AND INFORMATION Understand, deploy, and properly test controls for access to and usage of sensitive data APPLICATION AND PROCESS Keep applications secure, protected from malicious or fraudulent use, and hardened against failure NETWORK, SERVER AND END POINT Optimize service availability by mitigating risks to network components PHYSICAL INFRASTRUCTURE Provide actionable intelligence on the desired state of physical infrastructure security and make improvements Click for more information 28

IBM Security portfolio can help you meet challenges in each security focus area Framework PEOPLE AND IDENTITY Challenges Manage identities Control access to applications Audit, report and manage access to resources DATA AND INFORMATION Protect Critical Databases Messaging Security and Content Filtering Monitor & manage data access Prevent Data Loss Encryption APPLICATION AND PROCESS Ensure Security in App Development Discover App Vulnerabilities Embed App Access Controls Provide SOA Security NETWORK, SERVERS & ENDPOINTS Protect Servers, Endpoints, Networks, Mainframes PHYSICAL INFRASTRUCTURE Video Surveillance Command and Control Video Analytics Click for more information 29

Protect your most valuable information Continuously monitor access to high-value databases to: 1. Prevent data breaches Mitigate external and internal threats 2. Ensure the integrity of sensitive data Prevent unauthorized changes to sensitive data or structures 3. Reduce cost of compliance Automate and centralize controls 1. Across PCI DSS, data privacy regulations, HIPAA/HITECH, 2. Across databases and applications Simplify processes 92% of all breached records originate in database servers (2010 Data Breach Report)

Addressing the full database security lifecycle 31

32

Trademarks and notes IBM Corporation 2010 IBM, the IBM logo, ibm.com, AppScan, DataPower, Rational, Tivoli and WebSphere are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with the appropriate symbol ( or ), these symbols indicate US registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at Copyright and trademark information at www.ibm.com/legal/copytrade.shtml. Other company, product and service names may be trademarks or service marks of others. References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates. 33

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information