Post on 16-Jan-2015
August 13, 2013
Application Hackers Have a Handbook. . .Why Shouldn't You?
AGENDA
1. Today’s Vulnerabilities
2. Real World Application Security Lifecycle
3. Holistic Application Security Solution
Web Application Vulnerabilities
Improving Business Intelligence
Your Objective:
• Improve visibility across systems
• Monitor, control and detect anomalies and compromise
• Correlate events and instruct devices across the network
• Dynamically enforce policies and rules across technologies
Cybercriminals aggressively exploit the weakness of siloed monitoring and controls.
ONLY 24% OF BREACHES ARE SELF-DETECTED
Business and Threat Intelligence
• Security Information and Event Management (SIEM)
• Web Application Firewall
• Global Threat Database
• Threat Research and Advisory Services
Source: 2013 Trustwave Global Security Report
Mobile Apps are Taking Off
[Chart: mobile app market size for 2011, 2013* and 2015*; series: Tablet apps, Smartphone apps; y-axis 0 to 60]
March 2012: “Mobile App is the new fact of engagement”
Mobile apps: $6 billion market today
Will hit $55.7 billion by 2015
iOS Architecture – Security Weaknesses
• All processes of interest run with administrative privileges
• iPhone does not utilize some widely accepted practices
  – Address randomization: the stack, heap, and executable code are located at precisely the same spot in memory
  – Non-executable heaps: a buffer overflow on the heap can write executable instructions
(These points describe the original iPhone OS. Later iOS releases run third-party apps as an unprivileged sandboxed user, enforce non-executable data pages, and added ASLR in iOS 4.3, so an assessment of a current device should verify each point rather than assume it.)
Android Architecture – Security Weaknesses
• Google decided against (in the initial release)
  – stack and heap non-execute protections
• GIF image vulnerability
  – The decode function uses the logical screen width and height to allocate the heap buffer
  – Image data larger than that allocation overflows the heap buffer, allowing an attacker to control the phone
• Vulnerability in the multimedia subsystem made by PacketVideo
  – Due to insufficient boundary checking, it is possible to corrupt the heap and execute arbitrary code on the device
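The allocation-versus-write mismatch behind the GIF bug above, as an added C example (not code from the slides, from Android, or from the decoder in question): a parser for the two GIF descriptors involved, the boundary check the slide says was missing, and a hardened decode path that refuses a frame larger than the logical screen. The 23-byte sample inputs are constructed for illustration and the function and field names are my own; the example assumes no global colour table so the image descriptor follows the logical screen descriptor directly.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The two GIF structures involved in the bug pattern: the logical screen
 * descriptor gives the canvas size the decoder allocates for; the image
 * descriptor gives the placement and size of the frame it then paints. */
struct gif_desc {
    uint16_t screen_w, screen_h;            /* logical screen descriptor */
    uint16_t left, top, frame_w, frame_h;   /* image descriptor */
};

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse "GIF8xa" + logical screen descriptor + first image descriptor.
 * Assumption: no global colour table (packed bit 7 clear), so the image
 * separator 0x2C sits at offset 13. Returns 0 on success, -1 on bad input. */
int parse_gif_desc(const uint8_t *buf, size_t len, struct gif_desc *d)
{
    if (len < 23) return -1;                               /* 6 + 7 + 10 bytes */
    if (memcmp(buf, "GIF89a", 6) != 0 && memcmp(buf, "GIF87a", 6) != 0) return -1;
    d->screen_w = rd16le(buf + 6);
    d->screen_h = rd16le(buf + 8);
    if (buf[10] & 0x80) return -1;                         /* GCT not handled here */
    if (buf[13] != 0x2C) return -1;                        /* image separator */
    d->left    = rd16le(buf + 14);
    d->top     = rd16le(buf + 16);
    d->frame_w = rd16le(buf + 18);
    d->frame_h = rd16le(buf + 20);
    return 0;
}

/* The missing boundary check: the frame must lie inside the canvas.
 * Widened to uint32_t so left+frame_w cannot wrap at 16 bits. */
int frame_fits(const struct gif_desc *d)
{
    return (uint32_t)d->left + d->frame_w <= d->screen_w &&
           (uint32_t)d->top  + d->frame_h <= d->screen_h;
}

/* Bytes an unchecked decoder would write past a screen_w*screen_h canvas
 * (1 byte per pixel, row stride = screen_w): the size of the heap overflow.
 * 0 when the frame fits. */
uint64_t overrun_bytes(const struct gif_desc *d)
{
    if (d->frame_w == 0 || d->frame_h == 0) return 0;
    uint64_t canvas = (uint64_t)d->screen_w * d->screen_h;
    uint64_t end = ((uint64_t)d->top + d->frame_h - 1) * d->screen_w
                 + (uint64_t)d->left + d->frame_w;        /* one past the last index */
    return end > canvas ? end - canvas : 0;
}

/* Parse, then report the overrun; UINT64_MAX if the input does not parse. */
uint64_t overrun_for(const uint8_t *buf, size_t len)
{
    struct gif_desc d;
    if (parse_gif_desc(buf, len, &d) != 0) return UINT64_MAX;
    return overrun_bytes(&d);
}

/* Hardened decode: allocate the canvas and paint the frame only when it
 * fits. Returns pixels painted, or -1 on rejection/allocation failure. */
long decode_hardened(const uint8_t *buf, size_t len, uint8_t fill)
{
    struct gif_desc d;
    if (parse_gif_desc(buf, len, &d) != 0) return -1;
    if (!frame_fits(&d)) return -1;                        /* the fix */
    if (d.screen_w && d.screen_h > SIZE_MAX / d.screen_w) return -1; /* size_t wrap on 32-bit */
    size_t canvas = (size_t)d.screen_w * d.screen_h;
    uint8_t *px = calloc(canvas ? canvas : 1, 1);
    if (!px) return -1;
    for (uint32_t y = 0; y < d.frame_h; y++)
        for (uint32_t x = 0; x < d.frame_w; x++)
            px[(size_t)(d.top + y) * d.screen_w + d.left + x] = fill;
    free(px);
    return (long)d.frame_w * d.frame_h;
}

/* Constructed samples (not real files): header + two descriptors, 23 bytes. */
const uint8_t GIF_BENIGN[23] = {
    'G','I','F','8','9','a', 4,0, 4,0, 0x00, 0, 0,      /* 4x4 screen, no GCT */
    0x2C, 0,0, 0,0, 4,0, 4,0, 0x00 };                    /* 4x4 frame at (0,0) */
const uint8_t GIF_CRAFTED[23] = {
    'G','I','F','8','9','a', 1,0, 1,0, 0x00, 0, 0,      /* 1x1 screen: 1-byte canvas */
    0x2C, 0,0, 0,0, 16,0, 16,0, 0x00 };                  /* 16x16 frame at (0,0) */

int main(void)
{
    printf("benign : painted=%ld overrun=%llu\n",
           decode_hardened(GIF_BENIGN, sizeof GIF_BENIGN, 0xFF),
           (unsigned long long)overrun_for(GIF_BENIGN, sizeof GIF_BENIGN));
    printf("crafted: painted=%ld overrun=%llu\n",
           decode_hardened(GIF_CRAFTED, sizeof GIF_CRAFTED, 0xFF),
           (unsigned long long)overrun_for(GIF_CRAFTED, sizeof GIF_CRAFTED));
    return 0;
}
```

The crafted input declares a 1x1 logical screen, so the unchecked decoder allocates a single byte and then paints a 16x16 frame into it; `overrun_bytes` reports how far past the allocation those writes would reach, while `decode_hardened` rejects the file before allocating. The same shape applies to any format whose header carries one size for allocation and another for the data that follows.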
Securing Web & Mobile Applications
Your Objective:
• Ensure secure development of web and mobile applications
• Prevent Layer 7 attacks and dynamically protect web applications
• Maintain application performance
360 Application Security
• Secure App Development Training
• Secure Code Review
• Mobile Application Penetration Testing
• Web Application Penetration Testing
• Web Application Firewall
• SSL Certificates
TOP APP ATTACK METHODS
e-commerce sites are the #1 targeted asset of hackers.
Source: 2013 Trustwave Global Security Report
Application Security -- A Lifecycle View
SDLC:
• Security review, architecture audits
• Code review, static analysis
Production:
• Dynamic testing, penetration testing, application firewalls
Application security training
Challenges to Implementing Application Security
• Manual process; error prone
• Lack of expertise; lack of incentive; complex to carry out; time-to-market pressure
• Lack of influence; lack of code visibility; different priorities
• No code & design visibility; no root cause info; lack of influence
• Lack of visibility and integration
• Application security training
Securing Web & eMail
Your Objective:
• Create a layered defense
• Improve anti-malware power at the gateway
• Enable safe and productive use of social media
• Get control of data from creation to destruction
Content Security and Control
• Threat Research & Advisory Services/Feeds
• Secure Web Gateway
• Web Application Firewall
• Secure Email Gateway
• Data Loss Prevention
• Data Encryption
• Security Awareness Education
Web-based systems are the most utilized threat vector of hackers.
AVERAGE TIME FROM BREACH TO DETECTION: 210 DAYS
Source: 2013 Trustwave Global Security Report
This Means …
• Defects are found later in the lifecycle, which increases remediation cost
• Security defects often go unfixed because of separate agendas and accountability structures; developers are under time-to-market pressure
• The siloed model does not scale: how many auditors do you need to cover all your apps?
[Chart: relative cost of defect fixes by phase: Development 1x, Integration 5x, Audit/test 10x, Production 30x. Source: NIST]
Why Application Security?
• Applications are vulnerable: 44% of organizations feel that application vulnerabilities pose the greatest threat to them in 2012. Source: InformationWeek 2012 Strategic Security Survey.
• Fixing them is expensive: a recent study of more than 150 organizations found the average total cost to remediate a single application security incident is approximately $300,000.
• Late fixes are even more expensive: it is 5 times more expensive to fix a flaw in development than during design, 10 times more in testing, and 30 times more in deployment. Source: National Institute of Standards and Technology.
What We Need: The Shape of An Ideal Solution
Design:
• More automated design audits and threat modeling
Development:
• Easy to use static analysis, suitable for developers
• Meaningful remediation guidance
• Integrated with dynamic tests
Testing:
• Integrated with static analysis
• Provide input back to dev
• Scanning and intelligent pen testing
Production:
• Virtual patching
• Real time attack blocking
• Continuous deployment support
Application security training
That said --
You don’t have to tackle everything at once, but you need a strategy to get there!
Recommendations
• Immediate to-do list
  – Invest in WAF technology for all your external-facing web applications
  – Invest in developer training, focusing on on-the-job training
  – Invest in static analysis technology; start small
• Medium-term to-do list
  – Perform dynamic scans on all of your applications
  – Define your selective penetration testing strategy
  – Populate static analysis
  – Prioritize remediation
• Long-term to-do list
  – Build your complete application security competency
Ready To Get Started?
• Get the “Addressing the OWASP Top 10 with Trustwave WebDefend” white paper: https://www.trustwave.com/application-security/
• Take the OWASP Top 10 Threats & Mitigations course for free!
• We can show you how to protect your applications in 30 minutes or less. Start your proof of concept with Trustwave WebDefend now!
About Trustwave
• Founded in 1995
• Almost 1100 employees in 26 locations worldwide
• Nearly 2.5 million merchants trust us for their compliance and security needs
• Robust portfolio of risk management, compliance and security solutions
• Leading provider of Cloud Security through our award-winning TrustKeeper portal
• Leading provider of Managed Security Services, with global 365x24x7 operations
• Trustwave SpiderLabs has performed over 14,000 penetration tests and 1,500 forensic investigations
Simple Solutions to Complex Challenges
360 Application Security
• The industry’s only holistic application security lifecycle solution
• Enables an organization to secure its applications while meeting regulatory and compliance requirements in a simple way
Unique to Market
Summary
• Application security should be addressed from design to production
• Best practice is with a lifecycle approach
• Trustwave’s 360 Application Security solution, including the award-winning WebDefend WAF, can help you start protecting your applications today
QUESTIONS