C S S L P & OWASP 2010 & Web Goat By Surachai.C Publish Presentation
Certified Secure Software Lifecycle Professional (CSSLP)
Master Degree in Management Information Systems (MSMIS)
Faculty of Commerce and Accountancy, Thammasat University
05-April-2010
Surachai Chatchalermpun
Speaker Profile
CSSLP, ECSA, LPT
Agenda
Challenges Today…
What is CSSLP?
What is OWASP?
What is WebGoat?
WebGoat Lesson!
• Over 70% of breaches of security vulnerabilities exist at the application level. (Gartner Group, 2005)
• Software is often not developed with security in mind
• Targeted, financially motivated attacks continue to rise
• Attacks are moving up the application stack
• New technology waves keep on coming -- there are still numerous emerging threat vectors which require increased spending in certain security sub-segments.
Source: Global Information Security & IT Security Personnel Development in USA –trend and hurdles, Prof. Howard A. Schmidt
Challenges Today…
Source: Issue number 9 Info Security Professional Magazine
W. Hord Tipton, CISSP-
ISSEP, CAP, CISA
(ISC)² Executive Director
What is the CSSLP?
• Certified Secure Software Lifecycle Professional (CSSLP)
• Base credential
• Professional certification program
• Takes a holistic approach to security in the software lifecycle
• Tests candidates' competency (KSAs) to significantly mitigate the security concerns
• Global leaders in certifying and educating information security professionals with the CISSP® and related concentrations, CAP® and SSCP®.
• Established in 1989 – not-for-profit consortium of industry leaders.
• More than 60,000 certified professionals in over 135 countries.
• Board of Directors - top information security professionals worldwide.
• All of our information security credentials are accredited ANSI/ISO/IEC Standard 17024 and were the first technology-related credentials to receive this accreditation.
Over 70% of breaches of security vulnerabilities exist
at the application level.*
* Gartner Group, 2005
Purpose
• Provide a credential that speaks to the individual’s understanding of and ability to deliver secure software through the use of best practices.
• The target professionals for this Certification would be anyone who is directly, and in some cases indirectly, involved in the Software Lifecycle.
Software Lifecycle Stakeholder Chart (figure)
The chart groups software lifecycle stakeholders into a primary target, a secondary target and influencers. Roles shown: Top Management, IT Manager, Business Unit Heads, Developers/Coders, Client Side PM, Industry Group, Delivery Heads, Business Analysts, Quality Assurance Managers, Technical Architects, Project Managers/Team Leads, Application Owners, Security Specialists, Auditors.
Market Drivers
• Security is everyone’s responsibility
• Software vulnerabilities have emerged as a major concern
• Off shoring of software development
• Software is often not developed with security in mind
• Desire to meet growing industry needs
Certified Secure Software
Lifecycle Professional
(ISC)² CSSLP CBK 7 Domains:
• Secure Software Concepts
• Secure Software Requirements
• Secure Software Design
• Secure Software Implementation/Coding
• Secure Software Testing
• Software Acceptance
• Software Deployment, Operations, Maintenance, and Disposal
CSSLP Certification Requirements
By Experience Assessment:
• Experience Assessment will be open until March 31, 2009
• Candidate will be required to submit:
  – Experience Assessment Application
  – Signed candidate agreement and adherence to (ISC)² Code of Ethics
  – Detailed resume of experience
  – Four essay responses (between 250-500 words) detailing experience in four of the following knowledge areas:
    • Applying Security concepts to Software Development
    • Software Design
    • Software Implementation/Coding
    • Software Testing
    • Software Acceptance
    • Software Deployment, Operations, Maintenance, and Disposal
  – Fee of $650
By Examination:
• The first public exam will be held at the end of June 2009
• Candidate will be required to submit:
  – Completed examination registration form
  – Signed candidate agreement and adherence to the (ISC)² Code of Ethics
  – Proof of 4 years of FTE experience in the Software Development Lifecycle (SDLC) Process, or 3 years plus a 1 year waiver of experience for a degree in an IT related field
  – Fee of $549 early-bird and $599 standard
• Candidate will be required to:
  – Pass the official (ISC)² CSSLP certification examination
  – Complete the endorsement process
• The Associate of (ISC)² Program will apply to those who have passed the exam but still need to acquire the necessary minimum experience requirements
CSSLP Certification Requirements
CSSLP CBK Overlap between other Certifications/Programs (figure)
Programs shown in the overlap diagram:
• CSSLP ((ISC)²) – Professional Certification Program
• CSDA (IEEE) – Associate Level Status
• CSDP (IEEE) – Professional Certification Program
• GSSP-C (SANS) – Software Coder Certification Program
• GSSP-J (SANS) – Software Coder Certification Program
• Software Assurance Initiative (DHS) – Awareness Effort
• CSSE (ISSECO) – Entry-level Education Program
• Certificate of Completion
• Vendor-Specific Credentials
Future of CSSLP
• International Marketing Efforts
• ANSI/ISO/IEC17024 accreditation
• Maintenance activities
• Cert Education Program
Hear what Anthony Lim, from IBM, has to say about CSSLP
My CSSLP Certification
Why is Web Application Security Important?
• Easiest way to compromise hosts, networks and users.
• Widely deployed.
• No Logs! (POST Request payload)
• Incredibly hard to defend against or detect.
• Most don’t think of locking down web applications.
• Intrusion detection is a joke.
• Firewall? What firewall? I don’t see no firewall…
• SSL Encrypted transport layer does nothing.
Source: White Hat Security
Web Application Hacking (figure)
Source: White Hat Security
The diagram shows an application-layer attack passing straight through the network-layer defences: Outer Firewall, then the DMZ Zone (Hardened OS, Web Server, App Server), then the Inner Firewall, then the Server farm Zone (Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing, Custom Developed Application Code).
You can’t use network layer protection (Firewall, SSL, IDS, hardening) to stop or detect application layer attacks.
Your security “perimeter” has huge holes at the “Application layer”.
Your “Code” is Part of Your Security Perimeter
Source: White Hat Security
• Web Applications are vulnerable:
  – Exposing their own vulnerabilities.
  – Change frequently, requiring constant tuning of application security.
  – Complex and feature rich with the advent of AJAX, Web Services and Web 2.0 (and Social Networks).
• Web Applications are threatened:
  – New business models drive “for profit” hacking.
  – Performed by Black hat professionals enabling complex attacks.
• Potential impact may be severe:
  – Web applications are used for sensitive information and important transactions.
The Web Application Security Risk
Source: White Hat Security
• Web Attacks are Stealth:
  – Victims hide breaches.
  – Incidents are not detected.
• Statistics are Skewed:
  – The number of incidents reported is statistically insignificant.
Threat is Difficult to Assess
Source: Breach Security
Source: Web Hacking Incidents Database
• Zone-H (The Hacker Community) – http://www.zone-h.org
  – The most comprehensive attack repository, very important for public awareness.
  – Reported by hackers and focused on defacements.
• WASC Statistics Project – http://www.webappsec.org
• OWASP Top 10 – http://www.owasp.org
Available Sources: Attacks
Hacking Incidents (Defacement)
Key Principle: PPT and CIA (figure)
3 Pillars of ICT (PPT): People, Process, Technology (Tool)
3 Pillars of Security (CIA): Confidentiality, Integrity, Availability, which are threatened by Disclosure, Alteration and Disruption respectively
Root Causes of Application Insecurity : PPT
• People and Organization Examples
  – Lack of Application Security training
  – Roles & Responsibilities not clear
  – No budget allocated
• Process Examples
  – Underestimated risks
  – Missed requirements
  – Inadequate testing and reviews
  – Lack of metrics
  – Lack of implementing Best Practices or Standards
  – No detection of attacks
• Technology Examples
  – Lack of appropriate tools
  – Lack of common infrastructure
  – Configuration errors
Root Causes of Application Insecurity (figure)
Source: OWASP
The diagram shows Custom Code underpinning the business functions Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce and other Bus. Functions, with three root causes feeding in: Untrained People and Organizational Structure Issues; Missing or Inadequate Processes; Missing or Inadequate Tools, Libraries, or Infrastructure.
People / Processes / Technology
• Awareness
• Training
• Guidelines
• Secure Development
• Secure Configuration
• Security Testing
• Secure Code Review
• Automated Testing
• Application Firewalls
SDLC & OWASP Guidelines
Source: OWASP
Source: Microsoft
What is OWASP?
The Open Web Application Security Project (OWASP) is:
A not-for-profit worldwide charitable organization focused on improving the security of application software.
Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks.
Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.
Source: http://www.owasp.org
OWASP Foundation has over 130 Local Chapters
What is WebGoat?
WebGoat is a deliberately insecure J2EE web application maintained by OWASP TOP 10 designed to teach web application security lessons.
In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application.
WebGoat Installation
Windows (Download, Extract, Double Click Release)
1. To start Tomcat, browse to the WebGoat directory unzipped above and double click "webgoat.bat"
2. Start your browser and browse to http://localhost/WebGoat/attack (notice the capital 'W' and 'G')
3. Log in as: user = guest, password = guest
4. To stop WebGoat, simply close the window you launched it from.
WebGoat Lesson 1
WebGoat Lesson 2
WebGoat Lesson 3
Solution: WebGoat Lesson 3
True OR ? = True
WebGoat Lesson 4
Solution: WebGoat Lesson 4
WebGoat Lesson 5
Solution: WebGoat Lesson 5
Use Tamper Data (Firefox plug-in) to edit the variable value: AccessControlMatrix.help" | net user"
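To make the two WebGoat lessons above concrete from the defender's side, here is an added Python example; it is not code from these slides or from WebGoat itself. It uses a constructed in-memory SQLite table modelled on the credit-card lookup of the SQL injection lesson (Lesson 3, the "True OR ? = True" hint) and a hypothetical HELP_DIR standing in for the help-file location of the command-injection lesson (Lesson 5). It shows that a query built by string concatenation accepts a tautology and returns every row, that the same input bound as a parameter matches nothing, and that an allowlist on the help-file name rejects a value carrying a quote or a pipe before it can ever reach a shell.

```python
import os
import re
import sqlite3


def make_db():
    """Constructed sample table modelled on WebGoat's credit-card lookup lesson."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_data (userid INTEGER, first_name TEXT, "
        "last_name TEXT, cc_number TEXT)"
    )
    conn.executemany(
        "INSERT INTO user_data VALUES (?, ?, ?, ?)",
        [
            (101, "Joe", "Snow", "987654321"),        # constructed row
            (102, "John", "Smith", "2234200065411"),  # constructed row
            (103, "Jane", "Plane", "123456789"),      # constructed row
        ],
    )
    return conn


def lookup_vulnerable(conn, last_name):
    """Lesson 3 style: the input is pasted into the SQL text, so a closing
    quote followed by OR '1'='1 turns the WHERE clause into "x OR True"."""
    sql = "SELECT * FROM user_data WHERE last_name = '" + last_name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, last_name):
    """Hardened form: the value is bound as a parameter and is never parsed
    as SQL, so the same input simply matches no last name."""
    sql = "SELECT * FROM user_data WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()


# Lesson 5: the help-file name ends up in an OS command. Allow only names of
# the form <letters/digits/underscore>.help; anything else, including a name
# that carries '"' or '|', is rejected before a command is built.
HELP_NAME = re.compile(r"[A-Za-z0-9_]+\.help")
HELP_DIR = "/opt/webgoat/help"  # hypothetical directory, an assumption of this example


def is_safe_help_name(help_file):
    return HELP_NAME.fullmatch(help_file) is not None


def build_help_command(help_file):
    """Return an argv list for reading the help file. Validation runs first,
    and the list is meant for subprocess.run(argv) without shell=True, so
    shell metacharacters are never interpreted even if validation changes."""
    if not is_safe_help_name(help_file):
        raise ValueError("rejected help file name: %r" % help_file)
    return ["cat", os.path.join(HELP_DIR, help_file)]


if __name__ == "__main__":
    db = make_db()
    tautology = "Smith' OR '1'='1"
    print("vulnerable, normal input:", len(lookup_vulnerable(db, "Smith")), "row(s)")
    print("vulnerable, tautology   :", len(lookup_vulnerable(db, tautology)), "row(s)")
    print("safe, tautology         :", len(lookup_safe(db, tautology)), "row(s)")
    for name in ("AccessControlMatrix.help", 'AccessControlMatrix.help" | net user"'):
        print(repr(name), "->", "accepted" if is_safe_help_name(name) else "rejected")
```

The two fixes are independent: parameter binding removes the SQL-grammar problem entirely, while the allowlist plus an argv list (never a shell string) is what keeps a file-name parameter from becoming a second command.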
Question & Answer
Thank You
Surachai [email protected]