Best Quality Application Security - Quotium · Booz Allen Hamilton Northrop Gruman Sega Bathesda...
Best Quality Application Security
Agenda
• Introductions
• Cyber is a big word!
• App. Sec Failings
• What App. Sec is
• A Real Solution
• Agile
• Run Time Binary Analysis
• Summary
Best Quality Application Security
Software Provider delivering Quality and Excellence into the Application Security and Performance Domains
• Producers of Seeker
• Founders each with over 15 years of experience in information and application security
• 200+ Enterprise Customers
• Offices in London, New York, Paris
Best Quality Application Security
Your Speaker
Adam Brown
– UK Manager for Quotium
– 15 years in application assurance, performance and security.
– GIAC Certified GWAPT Web Application Penetration Tester
– ISEB Practitioner
– Performance Engineer
– Speaker at industry events on security, testing and performance
Some Exploit Types
Applications Remain Vulnerable
More in the press:
Gamigo
11m passwords, 8.2m emails – largest leak of 2012
LivingSocial
50 million customers' passwords, April 2013
6.5m records: $0.5m–1m in initial forensics, $2–3m in remediation
More Famous Web Application Breaches
Victims: Epsilon, Sony, Citigroup, Fox News, X-Factor, HBGary, RSA, L3 Communications, Sony BMG Greece, Lockheed Martin, AZ Police, Turkish Gvt, US Senate, NATO, Nintendo, Peru Special Police, SK Communications Korea, Monsanto, Booz Allen Hamilton, Northrop Grumman, Sega, Bethesda Software, Gmail Accounts, PBS, Vanguard Defence, Malaysian Gvt. Site, SOCA, Brazil Gvt., Spanish Nat. Police, Italian PM Site, IMF
Attack types: Injection, URL Tampering, Spear Phishing, 3rd Party SW, DDoS, SecurID, Unknown
Business Impact of Attack
• $170m – $1.5bn, XSS, SQLi + Other Methods
• $66m, Spear Phishing, US National Security
• $2.7m, 360k credit cards, Parameter Tampering
• $225m – $4bn, March 2011, technique undisclosed
Application Security in Numbers
Applications remain vulnerable! Why?
75% of attacks aimed at Application Level
Source: Gartner
85% of application vulnerabilities found at source code level
Source: Gartner
90% of Investment at Network Level
Source: OWASP
97% of Applications are Vulnerable
Source: OWASP
NIST: 92% of Vulnerabilities are in Applications – not in Networks
App. Sec still a very real problem in 2013
Ponemon 2013 Post Breach Boom Report
Application Security in Context
Layers: Network => Servers => Application (+ data)
Applications make data useful and are directly connected to the heart of the Organisation.
Networks Present Applications to Hackers – THEY HAVE TO!
Application attacks are a means to an end: the Data, and its Confidentiality, Integrity and Availability.
Things we have Tried
False Positives - They Stink!
Application Security Testing Techniques
• Scanning and Static Code Review not Delivering
– SAST: Static Application Security Testing
– DAST: Dynamic Application Security Testing
– Noise & False Positives, False Negatives, Verification Issues
– 3rd party issues, complexity & time, skills
– Code at rest, not the application
• Focus on Technology Instead of Risk
– Vulnerability centric, not data centric
– Injections & technical problems rather than business risk
– Ignoring application data
• App Pen Testing – Can be very thorough
– How can it fit with Agile?
– Frequency, scalability, cost.
Secure Software Approaches
SSDL, SDL-Agile and Microsoft's SDL have all been created in an attempt to address the information security risks that come from software.
Current Techniques – Complex & Heavy
Scanning & Static Code Analysis failings:
– Examined from Vulnerability Perspective
• Focus on Injections and Technical Problems
• Analysis of Code, rather than Application
• Ignoring Application
• Focus on Technology instead of Risk
Pen Testing
– Expensive in Time, Resource and Money
SDL
– Hard to fit into development lifecycle
Definitions
Application Security is NOT (controls):
• Network – Protocols, Firewalls, Routers, Operating Systems, VPNs and Network Vulnerability Scanners
• Servers (Operating Systems, Web Servers, Application Servers) – Patches, Hardening & Configuration, OS Authentication, Disk Encryption, Infrastructure Vulnerability Scanners / Patch Validation etc.
Application Security IS (controls):
• COTS Web Applications – Application Configuration, Application Level Authentication & Authorisation, Testing Thereof / Secure Software
• Customised COTS Applications & Custom Applications – Application Configuration, Application Level Authentication & Authorisation, Testing Thereof / Secure Software
New OWASP Top 10 in 2013
OWASP Top 10 Calculation
OWASP Top 10 Calculation
What works Really well?
Three Fundamentals to a Security Solution
Move Application Security Left
Capers Jones Graph: % Defects Introduced, % Defects Discovered and $ Cost to fix, by phase – Coding, Unit Test, Function Test, System Test, After Release.
• 85% of bugs are introduced during Coding
• Cost to fix rises from $100 through $250 and $1,000 to $16,000 After Release
Costs and Benefits of Application Security
Graph: Costs against Software Security Assurance – two curves, Cost of Software Security Failures and Cost of Software Security Measures, with points A, B, C and D marked.
Secure ALM
Secure Application Lifecycle Management (SALMan) – Yogi always preferred Salmon to Red Herring!
IAST at its Best: Context and Data
• Front End – Client Side; Presentation Layer: Protocol & Encryption, Encoding & Presentation
• Back End – Business Functions, User Libraries, Runtime Libraries, Application Server
• Database – Data Layer: Stored Procedures, Data
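To make the "context and data" idea concrete, here is an added example (my own illustration, not Seeker's agent or Quotium's code) of what a runtime agent does in a much simplified form: a hook at the front end records the untrusted values that arrived with the request, and a wrapper around the database driver's execute() reports any query whose text carries one of those values verbatim, with the value as evidence and the query as context. The request hook, the connection wrapper and the in-memory SQLite schema are all assumptions made for the demo; a real agent tracks taint through string operations rather than by substring matching.

```python
# Added example, not Seeker's or Quotium's code: a toy IAST-style runtime check.
# A request hook records untrusted input values (front end); a wrapper around the
# DB driver's execute() (back end -> database) reports any query whose text embeds
# one of those values verbatim, which is how string-built SQL carries injection.
# Real agents track taint through string operations; substring matching is a
# simplification that can misfire on very short or common values.
import sqlite3
import threading

_ctx = threading.local()          # per-thread request context, as an agent would keep
MIN_TAINT_LEN = 4                 # ignore tiny values to reduce accidental matches


def begin_request(params):
    """Hypothetical front-end hook: remember which strings came from the client."""
    _ctx.tainted = [v for v in params.values()
                    if isinstance(v, str) and len(v) >= MIN_TAINT_LEN]
    _ctx.findings = []


def findings():
    """Findings recorded for the current request (empty if no request started)."""
    return list(getattr(_ctx, "findings", []))


class InstrumentedConnection:
    """Wraps a sqlite3 connection and hooks execute(), like an agent hooking the driver."""

    def __init__(self, conn):
        self._conn = conn

    def execute(self, sql, params=()):
        for value in getattr(_ctx, "tainted", []):
            if value in sql:           # tainted data reached the sink inside the query text
                _ctx.findings.append({
                    "type": "SQL Injection",
                    "sink": "sqlite3.Connection.execute",
                    "evidence": value,
                    "query": sql,
                })
        return self._conn.execute(sql, params)


def setup_db():
    """Constructed in-memory table used by both handlers below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return InstrumentedConnection(conn)


def vulnerable_lookup(db, request):
    """Builds SQL by concatenation: the agent reports it even for a benign name."""
    begin_request(request)
    sql = "SELECT id FROM users WHERE name = '" + request["name"] + "'"
    rows = db.execute(sql).fetchall()
    return rows, findings()


def safe_lookup(db, request):
    """Parameterised query: the request value never appears in the query text."""
    begin_request(request)
    rows = db.execute("SELECT id FROM users WHERE name = ?", (request["name"],)).fetchall()
    return rows, findings()


if __name__ == "__main__":
    db = setup_db()
    payload = {"name": "' OR '1'='1"}          # constructed injection payload
    print(vulnerable_lookup(db, payload))       # both rows returned, one finding
    print(safe_lookup(db, payload))             # no rows, no finding
```

The point the slide makes is visible in the output: the vulnerable handler is reported for a perfectly benign name, before any attacker sends a payload, because the agent sees the data in the query rather than an attack signature. The parameterised handler never produces a finding because the request value travels as a bound parameter and is absent from the query text.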
Agile & Security
• Agile Firms: 37% faster, 30% more profit
• What does this mean for Security?
– Done the right way, Agile mitigates risk
– Visible progress in the right direction
– Developers more responsive
– For secure applications we need security by design
• Secure Software = Secure Applications
– Discovery on the eve of delivery is no longer an option
– Find issues early and test to maturity
Secure Application Lifecycle Management
Analysis => Project REVIEW => Iteration PLANNING => Work procedures review
• Client => Analysis => Develop => Test => Integrate
• Prioritised 'to do' list: a general view of the project, and a prioritised 'to do' list for this iteration
• Fixed Duration Iterations (typically 2 weeks each)
• Information inside the team: on each iteration we work on the items that give us most value, until the list is empty or resources run out (time or money)
• Information outside the team: Working Software Application (and other deliverables); Public Presentation
• 'to do' things must be done, done.
• All stakeholders should be informed about
Continuous Integration – Check Every Build
Build Server, Build / Integration Environment: Verification Build => Integration Tests => Application Security Tests
Developer and Tester commit to the build; results go to the Bug Tracker
RTBA (IAST) Process in SDLC (SALMan)
Build Server – Control and Scheduling (Auto Scripts):
Start RTBA Capture => Run Auto Test(s) => Stop RTBA Capture => Log RTBA Result/Output => Push RTBA Report
Integration Environment – Execute RTBA Tests: RTBA tests run here and RTBA agents connect from here into the Run Time Binary Analyser.
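As an added example (not Quotium's build integration or Seeker's interface), here is the build-server side of this loop, and of the "check every build" slide above, in Python: start capture, run the automated tests, stop capture, fetch the report, then triage. Two practitioner details the diagram does not show: capture is stopped in a finally block so a failing test run cannot leave the agent recording, and each finding is fingerprinted by type, sink and code location so the bug tracker is not filled with a duplicate ticket on every build. The start/stop/fetch steps are passed in as callables because the agent control interface is not given on the page; the report fields (type, sink, location, severity) and the sample report are assumptions constructed for the demo.

```python
# Added example, not Quotium's build integration: the build-server step that wraps
# an RTBA/IAST capture around the automated tests and gates the build on the report.
# The capture controls and the report layout are assumptions; the report below is
# constructed for the demo.
import hashlib

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def fingerprint(finding):
    """Stable key for a finding so the tracker gets one ticket per bug, not one per build.
    Built from what identifies the defect (type, sink, code location), never from the
    build number, timestamp or request payload, which change between runs."""
    key = "|".join((finding["type"], finding["sink"], finding.get("location", "")))
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:16]


def triage(report, known_fingerprints, fail_at="high"):
    """Split findings into new tickets and build-blocking issues at or above fail_at."""
    threshold = SEVERITY_RANK[fail_at]
    new_issues, blocking = [], []
    for finding in report["findings"]:
        fp = fingerprint(finding)
        if fp not in known_fingerprints:
            new_issues.append({**finding, "fingerprint": fp})
        if SEVERITY_RANK[finding["severity"]] >= threshold:
            blocking.append(fp)
    return {"new_issues": new_issues, "blocking": blocking, "build_passes": not blocking}


def run_security_stage(start_capture, run_tests, stop_capture, fetch_report,
                       known_fingerprints, fail_at="high"):
    """Start capture -> run auto tests -> stop capture -> log/push report -> gate.
    stop_capture runs in finally so a crashing test suite cannot leave the agent on."""
    start_capture()
    try:
        tests_passed = bool(run_tests())
    finally:
        stop_capture()
    report = fetch_report()
    result = triage(report, known_fingerprints, fail_at)
    result["tests_passed"] = tests_passed
    result["build_passes"] = result["build_passes"] and tests_passed
    return result


# Constructed report in the assumed layout: one new critical SQLi, one XSS already
# ticketed from an earlier build, one new low-severity information leak.
SAMPLE_REPORT = {
    "findings": [
        {"type": "SQL Injection", "sink": "java.sql.Statement.execute",
         "location": "OrderDao.java:88", "severity": "critical"},
        {"type": "Cross-Site Scripting", "sink": "HttpServletResponse.getWriter",
         "location": "Search.jsp:12", "severity": "medium"},
        {"type": "Information Leak", "sink": "Logger.info",
         "location": "LoginFilter.java:41", "severity": "low"},
    ]
}


def demo(run_tests_ok=True):
    """Drive the stage with in-memory stand-ins for the agent; returns (result, step log)."""
    log = []
    known = {fingerprint(SAMPLE_REPORT["findings"][1])}   # XSS already in the tracker
    result = run_security_stage(
        start_capture=lambda: log.append("start"),
        run_tests=lambda: (log.append("tests"), run_tests_ok)[1],
        stop_capture=lambda: log.append("stop"),
        fetch_report=lambda: (log.append("report"), SAMPLE_REPORT)[1],
        known_fingerprints=known,
    )
    return result, log


if __name__ == "__main__":
    result, log = demo()
    print(log)                                   # ['start', 'tests', 'stop', 'report']
    print(result["build_passes"], [i["type"] for i in result["new_issues"]])
```

The gate threshold (fail_at) is the policy knob: a team adopting this on an existing code base usually starts at "critical" so the build only breaks on what must be fixed now, while every new finding is still filed, and lowers the threshold as the backlog shrinks.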
Summary
“can’t build a secure application without performing security testing on it” (OWASP Testing Guide)
• Vulnerabilities are Software Bugs - Dangerous Ones.
• Application Security is a Quality Issue
• Security Bugs are Complex and must be Fixed at Code level
• Leverage Existing Processes and Resources
• In Modern Software Development, Application Security must be Implicit
Feedback & Questions?
Stand n°15