Using 80 20 rule in application security management
30
© iViZ Security Inc 1 Jan 2013 Bikash Barai, Co-Founder & CEO Using 80/20 rule in Application Security Management
-
Upload
daveedwards12 -
Category
Technology
-
view
480 -
download
0
description
80/20 rule (also known as Pareto Principle) is one of the most beautiful rules which helps to achieve as well as fail. In most of the cases where it goes wrong was finally turned out to be figuring out the “right few”. This is probably one of the most elusive rules. It is easy to understand but extremely difficult to practice.
Transcript of Using 80 20 rule in application security management
© iViZ Security Inc 1Jan 2013
Bikash Barai, Co-Founder & CEO
Using 80/20 rule in Application Security Management
© iViZ Security Inc 2Jan 2013
About iViZ• iViZ – Cloud based Application Penetration Testing
– Zero False Positive Guarantee– Business Logic Testing with 100% WASC (Web Application Security
Consortium) class coverage
• Funded by IDG Ventures• 30+ Zero Day Vulnerabilities discovered• 10+ Recognitions from Analysts and Industry• 300+ Customers• Gartner Hype Cycle- DAST and Application Security
as a Service
© iViZ Security Inc 3Jan 2013
Background: Application Security Statistics 2012
© iViZ Security Inc 4Jan 2013
Application Security Statistics 2012
• Based on real Application Security tests of iViZ– 300+ Customers– 5,000 + Application Security Tests
• 99% of the Apps tested had at least 1 vulnerability• 82% of the web application had at least 1
High/Critical Vulnerability• Very low correlation between Security and
Compliance (Correlation Coefficient: 0.2)• Average number of vulnerability per website: 35
© iViZ Security Inc 5Jan 2013
Average number of Vulnerabilities
© iViZ Security Inc 6Jan 2013
Top 5 Application Flaws
Percentage of websites containing the “Type of Vulnerability”
© iViZ Security Inc 7Jan 2013
5 Common Business Logic Flaws• Weak Password recovery• Abusing Discount Logic/Coupons• Denial of Service using Business Logic• Price Manipulation during Transaction• Insufficient Server Side Validation (One Time
Password (OTP) bypass)
© iViZ Security Inc 8Jan 2013
Using 80/20 rule ..
© iViZ Security Inc 9Jan 2013
80/20 Rule• 80% of the effects come from 20% of the causes• Pareto Principle, Law of Vital Few, 80/20 Rule• Examples
– 80% of your profits come from 20% of your customers– 80% of your complaints come from 20% of your customers– 20% rules detect 80% Spams
• Opposite may also be true in some situations– Long Tail
© iViZ Security Inc 10Jan 2013
Top 7 Mistakes• Cheap Security (Cheap Lock = No Lock)• Lack of prioritization and all round investment:
Building an Iron door but with thatched walls• Security initiative not introduced early on (design
phase)• Lack of proper Appsec organization (roles, KRA,KPI)• Trying too many things at the same time OR Trying to
do everything in-house• Not choosing the right vendor/products• Thinking Secure Seal = Real Security
© iViZ Security Inc 11Jan 2013
80/20 Rule: Top 5 Steps• #1: Identify and Classify all Apps based on Business
Criticality• #2: Regular Testing• #3: Implement efficient Patching Process• #4: Implement Secure SDLC/Secure Dev-Ops• #5: Implement WAF for Business Critical Apps
© iViZ Security Inc 12Jan 2013
#1: Identify and Classify
© iViZ Security Inc 13Jan 2013
Identify and Classify your Apps• 90% of the organizations do not know
– How many Apps they have?– Who owns each of the App?– Which Apps are business critical?
• #1 Step: Identify your Apps– Use automated Application Discovery tools– Ask all your departments
• #2 Step: Classify the Apps– Business Critical: Can cause revenue loss, reputation loss,
legal implications– Non-Business Critical: Every thing else
© iViZ Security Inc 14Jan 2013
#2: Regular Security Testing
© iViZ Security Inc 15Jan 2013
Application Security Vulnerability Management Model
• Type of Test– Comprehensive Penetration Testing (Automated+Manual)– Automated Application Security Testing
• Strategy for Business Critical Apps– Comprehensive Penetration Testing during every major
release (OR at least once a quarter)– Automated Testing once a month
• Strategy for Non-Business Critical Apps– 1 to 4 Automated Test per year (based on budget)– 1 Comprehensive Test per year (if Budget permits)
© iViZ Security Inc 16Jan 2013
DAST vs SAST• Dynamic Application Security Testing (DAST): Does
not need Code• Static Application Security Testing (SAST): Needs
code/binary• Should I choose DAST or SAST?
– #1 Step: Conduct DAST. • This is low hanging fruit. Easy to adopt. Less Expensive. More
mature.
– #2 Step: Conduct SAST+DAST• Lower false negative, Better coverage, More costly, Higher
overhead
© iViZ Security Inc 17Jan 2013
Tools vs Consultant vs Cloud• Tools(License/On Demand)
– Need in-house team to remove false positives and conduct business logic Tests
• Consultants– Good quality, Costly, Cannot Scale
• Cloud (with human intervention)– Good quality, Scalable, Vulnerability Data on Cloud
© iViZ Security Inc 18Jan 2013
Which option should I choose?• Cloud (with human augmentation)
– Most optimal for 80% of cases. No license Cost. No People Cost. Cost Effective. Scalable.
• Automated Tools/On Demand Tools– If you can hire and retain an application security testing team (less
than 1% organization can do it)
• Consultants– Non Standard and Complex Application; You do not have in-house
team. More costly. High Quality
© iViZ Security Inc 19Jan 2013
9 Questions to ask your consultant1. Who (individual) will conduct the test?2. How many Application Security Tests did he conduct before?3. What are the contributions of the testers in security research
(vulnerability discovery, research papers, tools, conference presentations etc)
4. What is the methodology of security testing?5. How will he ensure coverage? Does he have a checklist? Can he share
that or show that?6. How will he conduct business logic testing?7. Where will he store the data? How will the data be kept secure?8. Can he test during non-business hours?9. Can he meet up to your scalability requirements?• Ask Yourself: Can you conduct adequate number of tests within your
current budget using the consultant?
© iViZ Security Inc 20Jan 2013
Top 5 metrics to benchmark a tool1. What is the rate of false positive?2. How many classes of vulnerabilities does it cover?3. Which are the classes it does not cover?4. How good is the coverage of the crawler? Is there
any benchmark?5. How many scans can run in parallel?• If possible: benchmark the tools for False Positives
and False Negatives
© iViZ Security Inc 21Jan 2013
#3: Efficient Remediation Process
© iViZ Security Inc 22Jan 2013
Top Steps for Effective Remediation
• Create awareness among the engineering team members
• Create an effective communication channel (Spokesperson/internal wiki etc) between security testing and engineering team
• Create effective process to raise tickets, manage and monitor them
• Conduct re-validation testing• Average Vulnerability Closing Time should be part of
KPI (internal team) or SLA (for outsourced development)
© iViZ Security Inc 23Jan 2013
#4: Secure SDLC
© iViZ Security Inc 24Jan 2013
Top Application Security Principles• Validate Input data• Encode output data• Implement principle of least privilege, Fail securely by default• Protect sensitive transactions using anti-automation,
challenge/response, re-authentication • Implement secure session management
– Issue/reissue new session cookie for each login, Automatic session expiration etc
• Implement strong known cryptographic storage. Only store data that you require.
• Details:Guidehttps://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
© iViZ Security Inc 25Jan 2013
Top Steps towards Secure SDLC• Phase 1: Create a minimal coding and designing guideline
– Implement, Monitor and Measure
• Phase 2: Create a more advanced coding and design guideline• People are resistant towards change and there is adoption
overhead. Do not try everything in one go.• Select the top 20% of guidelines which will help you the most
in phase 1• Consider Phase 2 as your goal. Phase 1 is your step towards
achieving the goal.
© iViZ Security Inc 26Jan 2013
#5: Web Application Firewall (WAF)
© iViZ Security Inc 27Jan 2013
WAF-pros and cons• Pros:
– Protects applications with known simplistic and common flaws – Protection before even if flaws are patched in the application.
• Cons:– Does not protect against new and advanced attacks/Business logic
flaws.– May Reduce application performance– May block legitimate requests if configured too strictly (false positives)– Do not actually fix the flaws in the code, only protects against some
attacks. WAF cannot be a substitute for secure development practices.
© iViZ Security Inc 28Jan 2013
Recap: 80/20 Rule: Top 5 Steps• #1: Identify and Classify all Apps based on Business
Criticality• #2: Regular Testing• #3: Implement efficient Patching Process• #4: Implement Secure SDLC/Secure Dev-Ops• #5: Implement WAF for Business Critical Apps
© iViZ Security Inc 29Jan 2013
Top Free Online Resources• OWASP Secure Coding Practices Quick Reference:
Guidehttps://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
• OWASP Top 10: http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf
• OWASP Secure Code Review Guide: https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf
• OWASP Projects Page: https://www.owasp.org/index.php/Category:OWASP_Project
© iViZ Security Inc 30Jan 2013
Thank [email protected]
Blog: http://bikashbarai.blogspot.inLinkedin:http://www.linkedin.com/pub/bikash-barai/0/7a4/669
Twitter: https://twitter.com/bikashbarai1
