7 Ways to Scale Web Security (SANS AppSec Summit 2012)
Transcript of 7 Ways to Scale Web Security (SANS AppSec Summit 2012)
![Page 1: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/1.jpg)
© 2012 WhiteHat Security, Inc.
7 Ways to Scale Web Security
Jeremiah Grossman, Founder & Chief Technology Officer
SANS AppSec Summit, 04.30.2012
![Page 2: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/2.jpg)
Jeremiah Grossman
• Founder & CTO of WhiteHat Security
• 6-Continent Public Speaker
• TED Alumni
• An InfoWorld Top 25 CTO
• Co-founder of the Web Application Security Consortium
• Co-author: Cross-Site Scripting Attacks
• Former Yahoo! information security officer
• Brazilian Jiu-Jitsu Black Belt
![Page 3: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/3.jpg)
WhiteHat Security: Company Overview
• Headquartered in Santa Clara, CA
• WhiteHat Sentinel – SaaS end-to-end website risk management platform
• Employees: 170+
• Customers: 500+
The FutureNow List
Cool Vendor
![Page 4: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/4.jpg)
We shop, bank, pay bills, file taxes, share photos, keep in touch with friends & family, watch movies, play games, and more.
Cyber-war Cyber-crime Hacktivism
PwC Survey:“Cybercrime is now the second biggest cause of economic crime experienced by the Financial Services sector.”
![Page 5: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/5.jpg)
Website Hacked
![Page 6: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/6.jpg)
Verizon Data Breach Investigations Report:
2010 DBIR: “The majority of breaches and almost all of the data stolen in 2009 (95%) were perpetrated by remote organized criminal groups hacking ‘servers and applications.’”
2011 DBIR: “The number of Web application breaches increased last year and made up nearly 40% of the overall attacks.”
2012 DBIR: “Web applications abound in many larger companies, and remain a popular (54% of breaches) and successful (39% of records) attack vector.”
![Page 7: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/7.jpg)
855 incidents, 174 million compromised records
![Page 8: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/8.jpg)
![Page 9: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/9.jpg)
SCALABILITY (Name of the Game)
“An algorithm, design, networking protocol, program, or other system is said to scale, if it is suitably efficient and practical when applied to large situations (e.g. a large input data set, a large number of outputs or users, or a large number of participating nodes in the case of a distributed system). If the design or system fails when a quantity increases, it does not scale.”
![Page 10: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/10.jpg)
![Page 11: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/11.jpg)
SCALE: People, Process, Technology
• People: Cognitive ability; operate and interpret technology results
• Process: Organize and make efficient use of resources
• Technology: To scale the people and the process
![Page 12: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/12.jpg)
3 Hard Facts About Technology
1) Technology is incapable of eliminating the need for people in any aspect of application security. This includes source code reviews, penetration testing, threat modeling, architectural review, development, etc.
2) Without technology there is far more work than could ever be completed manually by the number of people available, even if monetary cost were not an issue.
3) The best technology can offer is increasing efficiency and reducing the quantity and skill level of the people necessary to complete a given process.
![Page 13: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/13.jpg)
WhiteHat Sentinel – Assessment Platform
• Software-as-a-Service
• Annual Per Website Subscription
• Unlimited Assessments / Users

• 500+ enterprises, from start-ups to Fortune 500
• 1,000,000 vulnerabilities processed per day
• 6 Terabytes of data stored per day
• 7,000+ websites receiving ~weekly assessments
• 940,000,000 HTTP(S) requests per month
![Page 14: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/14.jpg)
![Page 15: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/15.jpg)
7,000+ Customer Websites
https://blog.whitehatsec.com/our-process-how-we-do-what-we-do-and-why/
![Page 16: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/16.jpg)
1 Game-ification
![Page 17: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/17.jpg)
http://www.microsoft.com/security/sdl/adopt/eop.aspx
Elevation of Privilege (EoP) Card Game
Elevation of Privilege (EoP) is the easy way to get started threat modeling, which is a core component of the design phase in the Microsoft Security Development Lifecycle (SDL).
The EoP card game helps clarify the details of threat modeling and examines possible threats to software and computer systems.
The EoP game focuses on the following threats:
• Spoofing
• Tampering
• Repudiation
• Information Disclosure
• Denial of Service
• Elevation of Privilege
EoP uses a simple point system that allows you to challenge other developers and become your opponent's biggest threat.
![Page 18: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/18.jpg)
Capture the Flag
![Page 19: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/19.jpg)
2 Peer Pressure (Security Scorecards)
![Page 20: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/20.jpg)
| Group | High Severity Vulnerabilities | Avg. Time-to-Fix (Days) | Remediation Rate | Window of Exposure (Days) |
|---|---|---|---|---|
| 2012 Corporate Goal | 20 | 30 | 75% | 100 |
| Industry Average | 55 | 32 | 63% | 223 |
| Business Unit 1 | 17 | 45 | 74% | 195 |
| Business Unit 2 | 53 | 30 | 46% | 161 |
| Business Unit 3 | 67 | 66 | 63% | 237 |
| Business Unit 4 | 48 | 35 | 69% | 232 |
Publish Scorecards Internally & Regularly -- For All To See
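The scorecard above only works as peer pressure if every business unit is measured the same way from the same raw data. The following is an added example (not from the slides, not WhiteHat's code) that computes the four scorecard columns from per-vulnerability records. The column definitions are this example's own reading of the scorecard and are assumptions: open high-severity findings on the reporting date, mean opened-to-closed time of resolved findings, resolved over all findings, and per-site days with at least one serious finding open, averaged over the group's sites. Findings are keyed the way the deck's counting note describes (site, URL, parameter, vulnerability class), so three injectable parameters are three findings and a re-reported finding is not counted twice. The sample findings are constructed.

```python
"""Security scorecard metrics computed from raw per-vulnerability records.

Added example, not from the slides. Column definitions (assumptions):
  - high_severity_open: serious findings still open on the reporting date
  - avg_time_to_fix_days: mean opened-to-closed duration of resolved findings
  - remediation_rate: resolved findings / all findings in the period
  - window_of_exposure_days: days in the period on which a site had at least
    one serious finding open, averaged over the group's sites
Findings are keyed by (site, URL, parameter, vulnerability class).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional


@dataclass(frozen=True)
class Finding:
    site: str
    url: str
    param: str
    vuln_class: str
    opened: date
    closed: Optional[date] = None  # None while still open


def _exposed_days(findings: Iterable[Finding], start: date, end: date) -> int:
    """Size of the union of [opened, closed) intervals, clipped to [start, end)."""
    days = set()
    for f in findings:
        lo = max(f.opened, start)
        hi = min(f.closed or end, end)
        d = lo
        while d < hi:
            days.add(d)
            d += timedelta(days=1)
    return len(days)


def scorecard(findings: Iterable[Finding], period_start: date, period_end: date) -> dict:
    """period_end is exclusive and doubles as the reporting date."""
    # Deduplicate on the counting key so a re-reported finding is not double counted
    unique = {}
    for f in findings:
        unique.setdefault((f.site, f.url, f.param, f.vuln_class), f)
    findings = list(unique.values())

    resolved = [f for f in findings if f.closed is not None and f.closed <= period_end]
    still_open = [f for f in findings if f not in resolved]
    ttf = [(f.closed - f.opened).days for f in resolved]
    sites = sorted({f.site for f in findings})
    exposure = [
        _exposed_days([f for f in findings if f.site == s], period_start, period_end)
        for s in sites
    ]
    return {
        "high_severity_open": len(still_open),
        "avg_time_to_fix_days": round(sum(ttf) / len(ttf), 1) if ttf else 0.0,
        "remediation_rate": round(len(resolved) / len(findings), 2) if findings else 0.0,
        "window_of_exposure_days": round(sum(exposure) / len(exposure), 1) if exposure else 0.0,
    }


def example_scorecard() -> dict:
    """Constructed sample data for one business unit (two sites, calendar 2011)."""
    d = date
    findings = [
        Finding("shop.example", "/login", "user", "SQL Injection", d(2011, 2, 1), d(2011, 2, 21)),
        Finding("shop.example", "/login", "pass", "SQL Injection", d(2011, 2, 1), d(2011, 3, 13)),
        Finding("shop.example", "/login", "user", "SQL Injection", d(2011, 2, 5), d(2011, 2, 21)),  # re-report, same key
        Finding("shop.example", "/search", "q", "Cross-Site Scripting", d(2011, 6, 1)),            # still open
        Finding("api.example", "/export", "id", "Insufficient Authorization", d(2011, 3, 1), d(2011, 3, 31)),
        Finding("api.example", "/export", "fmt", "Cross-Site Scripting", d(2011, 9, 1), d(2011, 10, 1)),
    ]
    return scorecard(findings, d(2011, 1, 1), d(2012, 1, 1))


if __name__ == "__main__":
    for k, v in example_scorecard().items():
        print(f"{k}: {v}")
```

Window of exposure is deliberately a union of intervals per site rather than a sum over findings: a site with three overlapping open findings was exposed once for those days, not three times, and that is the number an attacker cares about.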
![Page 21: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/21.jpg)
3 Computer-Based Training (CBT)
![Page 22: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/22.jpg)
The biggest problem in application security today:
The huge shortage of qualified application security people.
![Page 23: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/23.jpg)
Gary McGraw (CTO, Cigital) says roughly 2% of all programmers should be software security pros, or “Builders” in our case. Gary, through a project called BSIMM, arrived at 2% by surveying dozens of software security programs among large companies and measuring what they do.
Programmer Population (Worldwide): 17 million
We’ll need 340,000 “Builders”
![Page 24: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/24.jpg)
We’ll use a ratio of 1 “Breaker” per 100 websites. This ratio comes from internal metrics at WhiteHat Security, generated from assessments conducted over the last 8 years and encompassing more than 7,000 websites.
“Important” (SSL) website population: 1.2 million
We’ll need 12,000 “Breakers”
![Page 25: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/25.jpg)
There is no obvious way to begin estimating the Defender need, but it will be in the tens of thousands at least, considering the vast number of website assets that must be protected, the 1 billion online users whom someone needs to ensure are playing nice, and the serious volume of Web traffic they generate that has to be monitored.
We’ll need ? “Defenders”
![Page 26: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/26.jpg)
https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series
OWASP Appsec Tutorial Series
The OWASP AppSec Tutorial Series project provides a video based means of conveying complex application security concepts in an easily accessible and understandable way. Each video is approximately 5-10 minutes long and highlights one or more specific application security concepts, tools, or methodologies. The goal of the project is quite simple and yet quite audacious - provide top notch application security video based training... for free!
![Page 27: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/27.jpg)
4 Centralized Security Controls
![Page 28: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/28.jpg)
Development Frameworks
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
ESAPI is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development.
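What a centralized control library buys you is that the encoding, validation and data-access rules are written once and fixed once, instead of being re-invented (and mis-remembered) in every handler. The following is an added example in Python, not ESAPI's code or API: it sketches the same pattern ESAPI packages for Java, with the vulnerable hand-rolled version of each handler beside the version that goes through the central module. Class and function names are this example's own (assumptions), and the in-memory table is constructed.

```python
"""One central security-control library versus per-handler ad hoc code.

Added example in Python, not ESAPI's code or API; it shows the pattern ESAPI
packages for Java: one module that every handler calls for output encoding,
input validation and data access, so the rules are written (and fixed) once.
Class and function names here are this example's own (assumptions).
"""
import html
import re
import sqlite3
from urllib.parse import quote


# ---- the central control library: the only place these rules live ----
class Encoder:
    @staticmethod
    def for_html(value: str) -> str:
        """Escape for HTML text and quoted attribute contexts."""
        return html.escape(value, quote=True)

    @staticmethod
    def for_url(value: str) -> str:
        """Percent-encode a value destined for a URL query component."""
        return quote(value, safe="")


class Validator:
    USERNAME = re.compile(r"[A-Za-z0-9_.-]{1,32}")

    @classmethod
    def is_username(cls, value: str) -> bool:
        return cls.USERNAME.fullmatch(value) is not None

    @classmethod
    def username(cls, value: str) -> str:
        if not cls.is_username(value):
            raise ValueError("invalid username")
        return value


def query(conn: sqlite3.Connection, sql: str, params: tuple = ()) -> list:
    """Parameterized queries only: data never becomes SQL text."""
    return conn.execute(sql, params).fetchall()


# ---- application code written both ways ----
def greeting_unsafe(name: str) -> str:
    return "<p>Hello " + name + "</p>"  # reflected XSS: markup in name is rendered


def greeting(name: str) -> str:
    return "<p>Hello " + Encoder.for_html(name) + "</p>"


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # SQL injection: a quote in name breaks out of the string literal
    return conn.execute("SELECT id FROM users WHERE name = '" + name + "'").fetchall()


def find_user(conn: sqlite3.Connection, name: str) -> list:
    return query(conn, "SELECT id FROM users WHERE name = ?", (Validator.username(name),))


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


if __name__ == "__main__":
    db = demo_db()
    payload = "x' OR '1'='1"
    print(greeting_unsafe("<img src=x onerror=alert(1)>"))
    print(greeting("<img src=x onerror=alert(1)>"))
    print(find_user_unsafe(db, payload))   # every user comes back
    print(find_user(db, "alice"))          # [(1,)]
    print(Validator.is_username(payload))  # False: rejected before it reaches SQL
```

The point of the split is reviewability: a code reviewer or static analyzer only has to confirm that handlers call `Encoder` and `query`, not re-check each handler's own escaping, and a bug in an encoder is fixed in one place for every caller.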
![Page 29: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/29.jpg)
5 Work Flow
![Page 30: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/30.jpg)
http://sdelements.com/
Model an Application
![Page 31: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/31.jpg)
Check against library of security tasks with rules
![Page 32: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/32.jpg)
Produce tailored security tasks
• Distills application security personnel expertise to developers.
• Fits cleanly into development processes.
• Tasks are continuously updated to keep up with new technologies & threats.
• In retroactive analysis of years of penetration-testing data, following SD Elements (SDE) would have prevented approximately 85% of secure coding weaknesses.
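The three slides above describe one procedure: model the application, check the model against a rule library, and emit only the tasks that apply. The following is an added example of that procedure, not SD Elements' code or rule format. The profile keys, the rule conditions and the task wording are constructed for illustration (assumptions); the mechanics, rules that fire when all their requirements hold and are suppressed by a counter-condition, are what the workflow needs.

```python
"""Tailored security tasks derived from an application model.

Added example of the three-step workflow on the slides (model the application,
check it against a rule library, emit tasks). It is not SD Elements' code or
rule format: the profile keys, rule conditions and task wording are
constructed for illustration (assumptions).
"""
from dataclasses import dataclass
from typing import Tuple

Condition = Tuple[str, str]  # (profile key, value that must appear under it)


@dataclass(frozen=True)
class Rule:
    task_id: str
    title: str
    phase: str
    requires: Tuple[Condition, ...] = ()  # all must hold for the rule to fire
    unless: Tuple[Condition, ...] = ()    # any one of these suppresses the rule


PHASE_ORDER = {"design": 0, "development": 1, "deployment": 2, "verification": 3}

# The rule library. A real one is large and maintained centrally; this one is
# constructed to show how conditions select and suppress tasks.
RULES = [
    Rule("T01", "Use parameterized queries for every database access", "development",
         requires=(("stores", "relational_db"),)),
    Rule("T02", "Apply contextual output encoding to user-controlled data in HTML", "development",
         requires=(("interfaces", "web_ui"),)),
    Rule("T03", "Add anti-CSRF tokens to all state-changing requests", "development",
         requires=(("interfaces", "web_ui"), ("auth", "session_cookie"))),
    Rule("T04", "Store passwords with a salted, slow hash", "development",
         requires=(("auth", "local_passwords"),), unless=(("auth", "sso"),)),
    Rule("T05", "Restrict file uploads by type, size and storage location", "development",
         requires=(("features", "file_upload"),)),
    Rule("T06", "Serve all traffic over TLS and send HSTS", "deployment",
         requires=(("data", "pii"),)),
    Rule("T07", "Threat model the payment flow with the security team", "design",
         requires=(("data", "payment_card"),)),
    Rule("T08", "Run an authenticated web application assessment before release", "verification",
         requires=(("interfaces", "web_ui"),)),
]


def holds(profile: dict, cond: Condition) -> bool:
    """True when the profile lists the condition's value under its key."""
    key, value = cond
    present = profile.get(key, ())
    return value in present if isinstance(present, (list, tuple, set)) else present == value


def tailored_tasks(profile: dict, rules=RULES) -> list:
    """Rules whose requirements all hold and none of whose suppressors hold."""
    selected = [
        r for r in rules
        if all(holds(profile, c) for c in r.requires)
        and not any(holds(profile, c) for c in r.unless)
    ]
    return sorted(selected, key=lambda r: (PHASE_ORDER[r.phase], r.task_id))


def tailored_task_ids(profile: dict) -> list:
    return [r.task_id for r in tailored_tasks(profile)]


# Constructed application model: a customer-facing web app with its own logins
WEB_APP = {
    "interfaces": ["web_ui", "rest_api"],
    "stores": ["relational_db"],
    "auth": ["session_cookie", "local_passwords"],
    "features": ["search"],
    "data": ["pii"],
}

# Constructed model: an internal API behind SSO, no browser UI
INTERNAL_API = {
    "interfaces": ["rest_api"],
    "stores": ["relational_db"],
    "auth": ["sso", "local_passwords"],
}

if __name__ == "__main__":
    for name, profile in (("web app", WEB_APP), ("internal API", INTERNAL_API)):
        print(name)
        for r in tailored_tasks(profile):
            print(f"  [{r.phase}] {r.task_id} {r.title}")
```

The `unless` clause is what keeps the output tailored rather than a generic checklist: the password-hashing task disappears for the SSO-backed API, so developers are not handed work that does not apply to them, which is the failure mode that makes teams stop reading security task lists.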
![Page 33: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/33.jpg)
6 Virtual-Patching
![Page 34: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/34.jpg)
8 out of 10 websites have serious* vulnerabilities
(10 out of 10 if you are willing to wait long enough.)
* Serious Vulnerability: A security weakness that, if exploited, may lead to breach or data loss of a system, its data, or users. (PCI-DSS severity HIGH, CRITICAL, or URGENT)
http://news.netcraft.com/archives/2012/04/04/april-2012-web-server-survey.html
![Page 35: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/35.jpg)
Average annual amount of new serious* vulnerabilities introduced per website per year:

| Year | 2007 | 2008 | 2009 | 2010 | 2011 |
|---|---|---|---|---|---|
| New serious* vulnerabilities per website | 1111 | 795 | 480 | 230 | 79 |

Vulnerabilities are counted by unique Web application and vulnerability class. If three of the five parameters of a single Web application (/foo/webapp.cgi) are vulnerable to SQL Injection, this is counted as 3 individual vulnerabilities (i.e. attack vectors).
![Page 36: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/36.jpg)
Websites: 676,919,707 (+32.6 million since March)
(Producing more code / websites than the industry is able to review.)
http://news.netcraft.com/archives/2012/04/04/april-2012-web-server-survey.html
![Page 37: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/37.jpg)
SSL Websites: 1,200,000
![Page 38: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/38.jpg)
1.2 million SSL websites × 79 new serious* vulns per website per year =
94,800,000 undiscovered serious* vulnerabilities on just the SSL websites.
![Page 39: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/39.jpg)
Overall Vulnerability Population (2011): percentage breakdown of all the serious* vulnerabilities discovered.
Web Application Firewalls are best at mitigating vulnerabilities such as Cross-Site Scripting, Content Spoofing, SQL Injection, Response Splitting, etc. Summing up the percentages of those classes, we might safely say:
A WAF could feasibly help mitigate the risk of at least 71% of all custom Web application vulnerabilities.
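The practical form of this section is a virtual patch: a rule in front of one known-vulnerable endpoint that holds the line while the code fix waits in the backlog. The following is an added example, not from the slides and not any WAF product's rule language. A toy gateway plays the WAF and checks only the path and parameter named in the finding, against a positive (allow-list) pattern for what a legitimate value looks like, so it blocks exploitation without trying to enumerate attack signatures. The handler, the patch record and the accounts table are constructed for illustration (assumptions); the handler is deliberately written with the injection the patch shields.

```python
"""Virtual patching: a targeted rule in front of a known-vulnerable handler.

Added example, not from the slides. The toy "gateway" plays the WAF: it checks
only the path and parameter named in the finding, with a positive (allow-list)
pattern, so it blocks exploitation without guessing attack signatures. Handler,
patch format and sample data are constructed for illustration (assumptions).
"""
import re
import sqlite3
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    path: str
    params: Dict[str, str]


def make_db() -> sqlite3.Connection:
    """Constructed accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def export_handler(conn: sqlite3.Connection, req: Request) -> Tuple[int, list]:
    """The vulnerable code the patch shields: `id` is spliced into the SQL (intentional)."""
    sql = "SELECT id, owner FROM accounts WHERE id = " + req.params.get("id", "")
    return 200, conn.execute(sql).fetchall()


@dataclass(frozen=True)
class VirtualPatch:
    patch_id: str          # ties the rule to the finding it mitigates
    path: str              # exact path of the vulnerable endpoint
    param: str             # the vulnerable parameter
    allowed: re.Pattern    # what a legitimate value looks like


# One patch per finding; the regex is the positive spec for an account id
PATCHES = [
    VirtualPatch("VP-0001 (SQLi in /account/export id)", "/account/export", "id",
                 re.compile(r"[0-9]{1,10}")),
]


def gateway(conn: sqlite3.Connection, req: Request,
            patches: List[VirtualPatch] = PATCHES,
            log: Optional[list] = None) -> Tuple[int, list]:
    """Apply virtual patches, then hand the request to the application."""
    for p in patches:
        if req.path == p.path and p.param in req.params:
            if p.allowed.fullmatch(req.params[p.param]) is None:
                if log is not None:
                    log.append((p.patch_id, req.params[p.param]))  # evidence for the dev team
                return 403, []
    # Only /account/export exists in this toy application
    if req.path == "/account/export":
        return export_handler(conn, req)
    return 404, []


if __name__ == "__main__":
    db = make_db()
    attack = Request("/account/export", {"id": "1 OR 1=1"})
    legit = Request("/account/export", {"id": "1"})
    print("unpatched:", gateway(db, attack, patches=[]))  # every account leaks
    hits = []
    print("patched:  ", gateway(db, attack, log=hits), hits)
    print("legit:    ", gateway(db, legit))
```

Two caveats a practitioner would want on the record: the patch is scoped to one path and one parameter because that is what the finding says is broken, and the blocked values are logged so the development team sees live exploitation attempts against the bug they have not fixed. A virtual patch buys time; the 71% figure above is the share of vulnerability classes a WAF can plausibly cover, not a reason to leave the code as it is.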
![Page 40: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/40.jpg)
7 Bug Bounties (Crowd-Sourcing Vulnerability Assessment)
![Page 41: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/41.jpg)
http://dankaminsky.com/2012/02/26/review/
Websites Accepting “Security Research” $
1) Paypal
2) Facebook
3) 37 Signals
4) Salesforce
5) Microsoft
6) Google
7) Twitter
8) Mozilla
9) eBay
10) Adobe
11) Reddit
12) GitHub
13) Constant Contact
14) Zeggio
15) Simplify, LLC
16) Team Unify
17) Skoodat
18) Relaso
19) Modus CSR
20) CloudNetz
21) EMPTrust
22) Apriva
Millions of dollars to hundreds of researchers. Closed hundreds, if not thousands, of vulnerabilities. Protected hundreds of millions of users.
![Page 42: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/42.jpg)
How to develop secure-(enough) software?
![Page 43: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/43.jpg)
Little-to-No Supporting Data.
![Page 44: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/44.jpg)
Connect the Dots...
• (SDL) Security Controls: BSIMM
• Production Vulnerabilities: WhiteHat Security
• Attack Traffic: Akamai, IBM
• Breaches: Verizon DBIR, Trustwave
Then we’ll start getting some real answers about how to produce secure-enough software.
![Page 45: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/45.jpg)
Thank You!
Blog: http://blog.whitehatsec.com/
Twitter: http://twitter.com/jeremiahg
Email: [email protected]
![Page 46: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/46.jpg)
Why do vulnerabilities go unfixed?
• No one at the organization understands or is responsible for maintaining the code.
• Development group does not understand or respect the vulnerability.
• Lack of budget to fix the issues.
• Affected code is owned by an unresponsive third-party vendor.
• Website will be decommissioned or replaced “soon.”
• Risk of exploitation is accepted.
• Solution conflicts with business use case.
• Compliance does not require fixing the issue.
• Feature enhancements are prioritized ahead of security fixes.
![Page 47: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/47.jpg)
Testing Speed & Frequency Matters
![Page 48: 7 Ways to Scale Web Security (SANS AppSec Summit 2012)](https://reader035.fdocuments.us/reader035/viewer/2022062513/554cf2a5b4c905ae138b4cbd/html5/thumbnails/48.jpg)
Remediation Rates by Industry (Trend)
The percentage of reported vulnerabilities that have been resolved has improved steadily in each of the last four years and now stands at 63%. Progress!