Appsec Introduction
-
Upload
mohamed-ridha-chebbi-cissp -
Category
Documents
-
view
543 -
download
1
description
Transcript of Appsec Introduction
Security Verified
© 2012 iCode information security All rights reserved
Next-Gen Applications & Data Security conference, March 6th 2012
Security Verified
© 2012 iCode information security All rights reserved
Introduction to Web Application Security
Mohamed Ridha Chebbi, CISSP iCode InfoSec – CEO & Head of PS [email protected]
Security Verified
© 2012 iCode information security All rights reserved
Next-Gen Applications & Data Security conference, March 6th 2012
Security Verified
© 2012 iCode information security All rights reserved
• Application InSecurity • TOP 10 Risks in APPSEC • Addressing the Problem • APPSEC Training • APPSEC Verification Process • APPSEC Standard (Security Levels) • APPSEC Protection Infrastructure
Agenda
Security Verified
© 2012 iCode information security All rights reserved
Next-Gen Applications & Data Security conference, March 6th 2012
Security Verified
© 2012 iCode information security All rights reserved
Application InSecurity
Mohamed Ridha Chebbi, CISSP
Security Verified
© 2012 iCode information security All rights reserved
Next-Gen Applications & Data Security conference, March 6th 2012
Security Verified
© 2012 iCode information security All rights reserved
Web Application Security Defined
Web app layer: 75% of hacker attacks occur here
Desktop & Content Security
1980s 1990s Network Security
2000s Application Security
WEB APPLICATION SECURITY EVOLUTION
Desktop / Client
Internet
Firewall
Intrusion Detection and Prevention
Web Server
App Server
Database Server
Ports 443 & 80 still open
Security Verified
© 2012 iCode information security All rights reserved
Next-Gen Applications & Data Security conference, March 6th 2012
Security Verified
© 2012 iCode information security All rights reserved
400+ New
Vulnerabilities a Month
and Growing
$7.2+ Million is the average cost of a data breach
Ponemon Institute –2011
75%+ of cyber attacks & Internet security violations are generated through applications
Gartner Group – 2011
75% of enterprises experienced some form of cyber attack in 2011
Symantec Internet Security Report – April 2011
79% of victims subject to PCI DSS had not achieved compliance
Verizon Business Data Breach Report – July 2011
Why Website Security Matters
Security Verified
© 2012 iCode information security All rights reserved
Next-Gen Applications & Data Security conference, March 6th 2012
Security Verified
© 2012 iCode information security All rights reserved
Today’s Web Application Vulnerabilities (Q1-Q2 2010)
Web Application Vulnerabilities (% of total)
Security Verified
© 2012 iCode information security All rights reserved
Next-Gen Applications & Data Security conference, March 6th 2012
Security Verified
© 2012 iCode information security All rights reserved
Today’s Web Application Vulnerabilities (Q1-Q2 2010)
Web Application Vulnerabilities by Class (Commercial Applications)
Security Verified
© 2012 iCode information security All rights reserved
Next-Gen Applications & Data Security conference, March 6th 2012
Security Verified
© 2012 iCode information security All rights reserved
Today’s Web Application Vulnerabilities (Q1-Q2 2010)
Other Category
Security Verified
© 2012 iCode information security All rights reserved
Next-Gen Applications & Data Security conference, March 6th 2012
Security Verified
© 2012 iCode information security All rights reserved
Today’s Web Application Vulnerabilities (Q1-Q2 2010)
Web Application Vulnerabilities (Proprietary Applications)
Security Verified
© 2012 iCode information security All rights reserved
Next-Gen Applications & Data Security conference, March 6th 2012
Security Verified
© 2012 iCode information security All rights reserved
Today’s Web Application Vulnerabilities (Q1-Q2 2010)
Vulnerable Web Applications by type (Proprietary Applications)
Security Verified
© 2012 iCode information security All rights reserved
Next-Gen Applications & Data Security conference, March 6th 2012
Security Verified
© 2012 iCode information security All rights reserved
Hacking Continues …
Security Verified
© 2012 iCode information security All rights reserved
Next-Gen Applications & Data Security conference, March 6th 2012
Security Verified
© 2012 iCode information security All rights reserved
Average Number of Days from when a breach occurred and when it was Discovered = 156 Days (Between 5 & 6 Months)
Main reason why an investigation launched?
Because the Credit Card company detected a data pattern of unauthorized use.
Breach Time to Detection
Security Verified
© 2012 iCode information security All rights reserved
Next-Gen Applications & Data Security conference, March 6th 2012
Security Verified
© 2012 iCode information security All rights reserved
The Top 10 Risks in Application Security
Security Verified
© 2012 iCode information security All rights reserved
Next-Gen Applications & Data Security conference, March 6th 2012
Security Verified
© 2012 iCode information security All rights reserved
OWASP Top Ten (2010 Edition)
http://www.owasp.org/index.php/Top_10
Security Verified
© 2012 iCode information security All rights reserved
Next-Gen Applications & Data Security conference, March 6th 2012
Security Verified
© 2012 iCode information security All rights reserved
VERACODE Assessment Results
Security Verified
© 2012 iCode information security All rights reserved
Next-Gen Applications & Data Security conference, March 6th 2012
Security Verified
© 2012 iCode information security All rights reserved
VERACODE Assessment Results
Security Verified
© 2012 iCode information security All rights reserved
Next-Gen Applications & Data Security conference, March 6th 2012
Security Verified
© 2012 iCode information security All rights reserved
Addressing the Problem
Security Verified
© 2012 iCode information security All rights reserved
Next-Gen Applications & Data Security conference, March 6th 2012
Security Verified
© 2012 iCode information security All rights reserved
How to Start ?
1- Develop Secure Code Use Application Security Standard – Risk Mitigation Best Practices Training in Secure Coding
2- Test and Review Applications in accordance to Application Security Standard - Verification Process
Security Considerations during the SDLC : Static Assessment (during build) Dynamic Assessment (during Testing) Internal Reviews (during design & build) PEN Testing (during operation)
3- Protect & Monitor Applications and Databases in accordance to Application Security Standard – Protection & Monitoring Architecture
Protect applications & data by using : Web Application Firewalls (WAF) Database Firewalls (DBF) File Firewalls (FF)
Security Verified
© 2012 iCode information security All rights reserved
Next-Gen Applications & Data Security conference, March 6th 2012
Security Verified
© 2012 iCode information security All rights reserved
Application Security Training
iCode in-Class Courses
Application Security Fundamentals
TOP 10 OWASP In detail
Secure Coding Java
Secure Coding .NET
Mobile Application Security
Security Testing
SDL
iCode Virtual Class Courses
50+ Hours of Online Courses
33+ Course Modules (from security fundamentals to Secure Coding)
Security Verified
© 2012 iCode information security All rights reserved
Next-Gen Applications & Data Security conference, March 6th 2012
Security Verified
© 2012 iCode information security All rights reserved
Design Build Test Deploy
Static Assessment
PEN Testing
Dynamic Assessment
Web Application & Data Protection & Monitoring
Internal Review
New Versions/Releases
Application Security Life Cycle
Annually
Operate
…
…
Security Verified
© 2012 iCode information security All rights reserved
Next-Gen Applications & Data Security conference, March 6th 2012
Security Verified
© 2012 iCode information security All rights reserved
Application Security Levels
Security Verified
© 2012 iCode information security All rights reserved
Next-Gen Applications & Data Security conference, March 6th 2012
Security Verified
© 2012 iCode information security All rights reserved
Security Requirements & Levels
V1. Security Architecture V2. Authentication V3. Session Management V4. Access Control V5. Input Validation V6. Output Encoding/Escaping V7. Cryptography V8. Error Handling and Logging V9. Data Protection V10. Communication Security V11. HTTP Security V12. Security Configuration V13. Malicious Code Search V14. Internal Security
Level 2 Level 1
Level of rigor
Sections
Level of rigor
Security Verified
© 2012 iCode information security All rights reserved
Next-Gen Applications & Data Security conference, March 6th 2012
Security Verified
© 2012 iCode information security All rights reserved
Application Security Level 1
Level 1 Verification is typically appropriate for applications where some confidence in the correct use of security controls is required.
Threats to security will be typically viruses, warms and misuse.
There are two constituent components for Level 1.
- Level 1A is for the use of automated application vulnerability scanning (dynamic analysis)
- Level 1B is for the use of automated source code scanning (static analysis).
Level 1A Level 1B Level 1 + =
NOTE : if the verifier’s selected tool suite does not have the capability to verify a specified verification requirement, the verifier can perform manual verification to fill this gap.
Security Verified
© 2012 iCode information security All rights reserved
Next-Gen Applications & Data Security conference, March 6th 2012
Security Verified
© 2012 iCode information security All rights reserved
Application Security Level 2
Level 2 is appropriate for applications that handle personal transactions, conduct business-to-business transactions, or process personally identifiable information.
Threats to security will be typically viruses, warms and opportunists such as malicious attackers. There are two constituent components for Level 2. - Level 2A is for the use of automated application vulnerability scanning (dynamic
analysis) - Level 2B is for the use of automated source code scanning (static analysis).
Level 2A Level 2B Level 2 + =
Note 1 : if the verifier’s selected tool suite does not have the capability to verify a specified verification requirement, the verifier can perform manual verification to fill this gap.
Note 2 : The verifier needs to manually review and augment all the results for each Level 2 requirement.
Security Verified
© 2012 iCode information security All rights reserved
Next-Gen Applications & Data Security conference, March 6th 2012
Security Verified
© 2012 iCode information security All rights reserved
Application Security Level 1
Example : ADB/ASS-V2 Authentication Verification Requirements for Level 1
Verification Requirement
Leve
l 1A
Leve
l 1B
V2.1 Verify that all pages and resources require authentication except those specifically intended to be public.
V2.2 Verify that all password fields do not echo the user’s password when it is entered, and that password fields (or the forms that contain them) have autocomplete disabled.
V2.3 Verify that if a maximum number of authentication attempts is exceeded, the account is locked for a period of time long enough to deter brute force attacks.
Security Verified
© 2012 iCode information security All rights reserved
Next-Gen Applications & Data Security conference, March 6th 2012
Security Verified
© 2012 iCode information security All rights reserved
Application Security Level 2
Example : ADB/ASS-V2 Authentication Verification Requirements for Level 2
Verification Requirement
Leve
l 2A
Leve
l 2B
V2.1 Verify that all pages and resources require authentication except those specifically intended to be public.
V2.2 Verify that all password fields do not echo the user’s password when it is entered, and that password fields (or the forms that contain them) have autocomplete disabled.
V2.3 Verify that if a maximum number of authentication attempts is exceeded, the account is locked for a period of time long enough to deter brute force attacks.
V2.4 Verify that all authentication controls are enforced on the server side.
V2.5 Verify that all authentication controls (including libraries that call external authentication services) have a centralized implementation.
V2.6 Verify that all authentication controls fail securely. V2.7 Verify that the strength of any authentication credentials are
sufficient to withstand attacks that are typical of the threats in the deployed environment.
Security Verified
© 2012 iCode information security All rights reserved
Next-Gen Applications & Data Security conference, March 6th 2012
Security Verified
© 2012 iCode information security All rights reserved
Verification Requirement
Leve
l 2A
Leve
l 2B
V2.8 Verify that users can safely change their credentials using a mechanism that is at least as resistant to attack as the primary authentication mechanism.
V2.9 Verify that re-authentication is required before any application-specific sensitive operations are permitted.
V2.10 Verify that after an administratively-configurable period of time, authentication credentials expire.
V2.11 Verify that all authentication decisions are logged. V2.12 Verify that account passwords are salted using a salt that is unique to
that account (e.g., internal user ID, account creation) and hashed before storing.
V2.13 Verify that all authentication credentials for accessing services external to the application are encrypted and stored in a protected location (not in source code).
Example : ADB/ASS-V2 Authentication Verification Requirements for Level 2 (Continue)
Application Security Level 2
Security Verified
© 2012 iCode information security All rights reserved
Next-Gen Applications & Data Security conference, March 6th 2012
Security Verified
© 2012 iCode information security All rights reserved
Verification Output Report
Level Pass Fail
Requirement
• Verdict
• Verdict justification (Level 2)
• Verdict
• Location (URL w/parameters and/or source file path, name and line number(s))
• Description (including configuration information as appropriate)
• Risk rating
• Risk justification Any remediation of vulnerabilities that was discovered shall be provided apart of the report.
Level 1 or Level 2 Verification Report shall document the results of the analysis, including any remediation of vulnerabilities that was required.
Security Verified
© 2012 iCode information security All rights reserved
Next-Gen Applications & Data Security conference, March 6th 2012
Security Verified
© 2012 iCode information security All rights reserved
Accreditation & Baselines
Security Verified
© 2012 iCode information security All rights reserved
Next-Gen Applications & Data Security conference, March 6th 2012
Security Verified
© 2012 iCode information security All rights reserved
Example of Accreditation Document
Application Security Accreditation Form Application Category Version Release Date Application Supports The following Business Functions : Application makes use of the following Technology : Application makes use of the following IT Infrastructure : Application Developer/Vendor Primary Contact Information
First Name Title Department Last Name Telephone email
1 Security Verification Process
P F N/T N/R Ref./Comments
L1A Level 1A Verification L1B Level 1B Verification L2A Level 2A Verification L2B Level 2B Verification
Accreditation Zone Production Date : Notes/Comments
Accreditation Envolved Patries …
Accreditation
Security Verified
© 2012 iCode information security All rights reserved
Next-Gen Applications & Data Security conference, March 6th 2012
Security Verified
© 2012 iCode information security All rights reserved
Applications & Data Protection
Security Verified
© 2012 iCode information security All rights reserved
Next-Gen Applications & Data Security conference, March 6th 2012
Security Verified
© 2012 iCode information security All rights reserved
Application & Data Protection
Web
Databases
Web Application
Firewall
Database Firewall
Database Activity Monitoring
or Discovery and
Assessment Server
Management Server
Database Local Agent
Network Monitoring
Native Audit
Security Operating Center
Security Verified
© 2012 iCode information security All rights reserved
Next-Gen Applications & Data Security conference, March 6th 2012
Security Verified
© 2012 iCode information security All rights reserved
Thanks