Appsec Introduction

Security Verified

© 2012 iCode information security All rights reserved

Next-Gen Applications & Data Security conference, March 6th 2012

Security Verified


Introduction to Web Application Security

Mohamed Ridha Chebbi, CISSP iCode InfoSec – CEO & Head of PS [email protected]

mailto:[email protected]�

Security Verified



Security Verified


• Application InSecurity • TOP 10 Risks in APPSEC • Addressing the Problem • APPSEC Training • APPSEC Verification Process • APPSEC Standard (Security Levels) • APPSEC Protection Infrastructure

Agenda

Security Verified



Security Verified


Application InSecurity

Mohamed Ridha Chebbi, CISSP

Security Verified



Security Verified


Web Application Security Defined

Web app layer: 75% of hacker attacks occur here

Desktop & Content Security

1980s 1990s Network Security

2000s Application Security

WEB APPLICATION SECURITY EVOLUTION

Desktop / Client

Internet

Firewall

Intrusion Detection and Prevention

Web Server

App Server

Database Server

Ports 443 & 80 still open

Security Verified



Security Verified


400+ New

Vulnerabilities a Month

and Growing

$7.2+ Million is the average cost of a data breach

Ponemon Institute –2011

75%+ of cyber attacks & Internet security violations are generated through applications

Gartner Group – 2011

75% of enterprises experienced some form of cyber attack in 2011

Symantec Internet Security Report – April 2011

79% of victims subject to PCI DSS had not achieved compliance

Verizon Business Data Breach Report – July 2011

Why Website Security Matters

Security Verified



Security Verified


Today’s Web Application Vulnerabilities (Q1-Q2 2010)

Web Application Vulnerabilities (% of total)

Security Verified



Security Verified



Web Application Vulnerabilities by Class (Commercial Applications)

Security Verified



Security Verified



Other Category

Security Verified



Security Verified



Web Application Vulnerabilities (Proprietary Applications)

Security Verified



Security Verified



Vulnerable Web Applications by type (Proprietary Applications)

Security Verified



Security Verified


Hacking Continues …

Security Verified



Security Verified


Average Number of Days from when a breach occurred and when it was Discovered = 156 Days (Between 5 & 6 Months)

Main reason why an investigation launched?

Because the Credit Card company detected a data pattern of unauthorized use.

Breach Time to Detection

Security Verified



Security Verified


The Top 10 Risks in Application Security

Security Verified



Security Verified


OWASP Top Ten (2010 Edition)

http://www.owasp.org/index.php/Top_10

http://www.owasp.org/index.php/Top_10�

Security Verified



Security Verified


VERACODE Assessment Results

Security Verified



Security Verified


Addressing the Problem

Security Verified



Security Verified


How to Start ?

1- Develop Secure Code Use Application Security Standard – Risk Mitigation Best Practices Training in Secure Coding

2- Test and Review Applications in accordance to Application Security Standard - Verification Process

Security Considerations during the SDLC : Static Assessment (during build) Dynamic Assessment (during Testing) Internal Reviews (during design & build) PEN Testing (during operation)

3- Protect & Monitor Applications and Databases in accordance to Application Security Standard – Protection & Monitoring Architecture

Protect applications & data by using : Web Application Firewalls (WAF) Database Firewalls (DBF) File Firewalls (FF)

Security Verified



Security Verified


Application Security Training

iCode in-Class Courses

Application Security Fundamentals

TOP 10 OWASP In detail

Secure Coding Java

Secure Coding .NET

Mobile Application Security

Security Testing

SDL

iCode Virtual Class Courses

50+ Hours of Online Courses

33+ Course Modules (from security fundamentals to Secure Coding)

Security Verified



Security Verified


Design Build Test Deploy

Static Assessment

PEN Testing

Dynamic Assessment

Web Application & Data Protection & Monitoring

Internal Review

New Versions/Releases

Application Security Life Cycle

Annually

Operate

…

…

Security Verified



Security Verified


Application Security Levels

Security Verified



Security Verified


Security Requirements & Levels

V1. Security Architecture V2. Authentication V3. Session Management V4. Access Control V5. Input Validation V6. Output Encoding/Escaping V7. Cryptography V8. Error Handling and Logging V9. Data Protection V10. Communication Security V11. HTTP Security V12. Security Configuration V13. Malicious Code Search V14. Internal Security

Level 2 Level 1

Level of rigor

Sections

Level of rigor

Security Verified



Security Verified


Application Security Level 1

Level 1 Verification is typically appropriate for applications where some confidence in the correct use of security controls is required.

Threats to security will be typically viruses, warms and misuse.

There are two constituent components for Level 1.

- Level 1A is for the use of automated application vulnerability scanning (dynamic analysis)

- Level 1B is for the use of automated source code scanning (static analysis).

Level 1A Level 1B Level 1 + =

NOTE : if the verifier’s selected tool suite does not have the capability to verify a specified verification requirement, the verifier can perform manual verification to fill this gap.

Security Verified



Security Verified



Level 2 is appropriate for applications that handle personal transactions, conduct business-to-business transactions, or process personally identifiable information.

Threats to security will be typically viruses, warms and opportunists such as malicious attackers. There are two constituent components for Level 2. - Level 2A is for the use of automated application vulnerability scanning (dynamic

analysis) - Level 2B is for the use of automated source code scanning (static analysis).

Level 2A Level 2B Level 2 + =

Note 1 : if the verifier’s selected tool suite does not have the capability to verify a specified verification requirement, the verifier can perform manual verification to fill this gap.

Note 2 : The verifier needs to manually review and augment all the results for each Level 2 requirement.

Security Verified



Security Verified



Example : ADB/ASS-V2 Authentication Verification Requirements for Level 1

Verification Requirement

Leve

l 1A

Leve

l 1B

V2.1 Verify that all pages and resources require authentication except those specifically intended to be public.

V2.2 Verify that all password fields do not echo the user’s password when it is entered, and that password fields (or the forms that contain them) have autocomplete disabled.

V2.3 Verify that if a maximum number of authentication attempts is exceeded, the account is locked for a period of time long enough to deter brute force attacks.

Security Verified



Security Verified



Example : ADB/ASS-V2 Authentication Verification Requirements for Level 2


Leve

l 2A

Leve

l 2B

V2.1 Verify that all pages and resources require authentication except those specifically intended to be public.

V2.2 Verify that all password fields do not echo the user’s password when it is entered, and that password fields (or the forms that contain them) have autocomplete disabled.

V2.3 Verify that if a maximum number of authentication attempts is exceeded, the account is locked for a period of time long enough to deter brute force attacks.

V2.4 Verify that all authentication controls are enforced on the server side.

V2.5 Verify that all authentication controls (including libraries that call external authentication services) have a centralized implementation.

V2.6 Verify that all authentication controls fail securely. V2.7 Verify that the strength of any authentication credentials are

sufficient to withstand attacks that are typical of the threats in the deployed environment.

Security Verified



Security Verified



Leve

l 2A

Leve

l 2B

V2.8 Verify that users can safely change their credentials using a mechanism that is at least as resistant to attack as the primary authentication mechanism.

V2.9 Verify that re-authentication is required before any application-specific sensitive operations are permitted.

V2.10 Verify that after an administratively-configurable period of time, authentication credentials expire.

V2.11 Verify that all authentication decisions are logged. V2.12 Verify that account passwords are salted using a salt that is unique to

that account (e.g., internal user ID, account creation) and hashed before storing.

V2.13 Verify that all authentication credentials for accessing services external to the application are encrypted and stored in a protected location (not in source code).

Example : ADB/ASS-V2 Authentication Verification Requirements for Level 2 (Continue)


Security Verified



Security Verified


Verification Output Report

Level Pass Fail

Requirement

• Verdict

• Verdict justification (Level 2)

• Verdict

• Location (URL w/parameters and/or source file path, name and line number(s))

• Description (including configuration information as appropriate)

• Risk rating

• Risk justification Any remediation of vulnerabilities that was discovered shall be provided apart of the report.

Level 1 or Level 2 Verification Report shall document the results of the analysis, including any remediation of vulnerabilities that was required.

Security Verified



Security Verified


Accreditation & Baselines

Security Verified



Security Verified


Example of Accreditation Document

Application Security Accreditation Form Application Category Version Release Date Application Supports The following Business Functions : Application makes use of the following Technology : Application makes use of the following IT Infrastructure : Application Developer/Vendor Primary Contact Information

First Name Title Department Last Name Telephone email

1 Security Verification Process

P F N/T N/R Ref./Comments

L1A Level 1A Verification L1B Level 1B Verification L2A Level 2A Verification L2B Level 2B Verification

Accreditation Zone Production Date : Notes/Comments

Accreditation Envolved Patries …

Accreditation

Security Verified



Security Verified


Applications & Data Protection

Security Verified



Security Verified


Application & Data Protection

Web

Databases

Web Application

Firewall

Database Firewall

Database Activity Monitoring

or Discovery and

Assessment Server

Management Server

Database Local Agent

Network Monitoring

Native Audit

Security Operating Center

Security Verified



Security Verified


Thanks

Appsec Introduction

Documents

Transcript of Appsec Introduction