the web application security crisis

Post on 06-Jul-2015


DESCRIPTION

Read these 40 slides on why people should care about web application security including the latest stats and descriptions of common attacks. Presented at the Cyber Security Conference in New York, June 2010.

TRANSCRIPT

Cenzic Confidential 1

The Web Application Security Crisis

June 2010

Jon Zucker - Senior Product Manager

Cenzic

Agenda

• Survey
• Web App Security and evolution
• Case Studies
• Vulnerability examples
• The “Tops”
• Practical Approaches
• Discussion/Q&A

About Cenzic

• Cenzic secures Websites against hacker attacks via its automated Web vulnerability scanning technology (on-premise software and SaaS products)
• Cenzic helps its customers secure trillions of dollars in Web commerce
• Cenzic provides compliance testing for GLBA / PCI / SOX & other regulations

Survey…

Hailstorm

• Current situation
• Solutions deployed: Manual, Dynamic, Static, WAF, Other
• On Premise / SaaS
• How often

Corporate Security Evolution

(Diagram: Internet, Client, Firewall, Web Server, App Server, Database Server, with IDS/IPS alongside.)

• 1980s: Desktop and Content Security
• 1990s: Network Security (Intrusion Detection and Prevention)
• 2000s: Application Security
• Ports 80 & 443 still open

Why Web security?


Drivers for Web Application Security

• Protecting brands: a security breach at the App layer can seriously hurt customer trust
• Complying with regulations: PCI, GLBA, HIPAA, AB 1950, and many others
• Testing all applications on a continuous basis, to stay ahead of new vulnerabilities
• Protect from the 400+ new threats per month by continually testing Production Applications

So what’s in my Web Application?

(Diagram: the layers between the User and the back-end systems.)

• UI Layer: Web Browser, HTML/DHTML, Cookies, JavaScript, Plug-Ins/API, Java, DOM
• Communication Layer: HTTP, SSL, HTTP-S, Authentication, Certificates, Digital Signatures
• Middleware Layer: Web Server SW/HW, App Server, ASP, CORBA, DCOM, COM, LDAP Server
• Data Layer: Databases, HTML, Raw Data, CSS/XSL, XML, File System
• Source Code - Individual Applications: Financial, Order Management, HR, Inventory

Stats

Hackers are attacking everyone…
• Banks, Credit Unions, Government Agencies, Small companies, Large companies – Equal opportunity

• 87% of Websites are vulnerable to attack (Source: SearchSecurity – January 2009)
• 75% of enterprises experienced some form of cyber attack in 2009 (Source: Symantec Internet Security Report – April 2010)
• 90% of Websites are vulnerable to attack (Source: Verizon Business Data Breach Report – April 2009)
• $6.6 Million is the average cost of a data breach (Source: Ponemon Institute – January 2009)

Vulnerability trends

(Charts from the Cenzic Q3-Q4, 2009 Application Trends Report:)

• Vulnerability trends
• Web Vulnerabilities by class (Commercial Apps)
• Vulnerability Breakdown of Misc. Category
• Web Vulnerabilities by class (Proprietary apps)
• Findings from Cenzic ClickToSecure Managed

Source: Cenzic Q3-Q4, 2009 Application Trends Report

Why worry?

No One Wants To Be in the Press

• “Who is responsible when a hack occurs?”
• “False sense of Security”
• “Concerns with finding all vulnerabilities”
• “Worried”

A total of 81 government Web sites in China were tampered with from May 10 to May 16, down 35 percent compared to the previous week, according to a report released by the National Computer Network Emergency Response Technical Team.

As of 12 p.m. on Monday, 29 hacked government Web sites had still not been restored, including four provincial Web sites. Monitoring shows major threats are from software risk loopholes, spread of malicious codes and page revisions.

The report revealed 150 .CN malicious domain names, five malicious codes and five software loopholes. And .xorg.pl, a malicious domain group registered in Poland, has more than 100 malicious domain names and has been used to tamper with many Chinese Web sites and users.

Data shows security awareness and security measures should be strengthened. And 124 government Web sites were hacked from May 2 to May 9.

• 81 govt sites, May 10th-16th, down 35%
• 29 hacked sites… still not been restored
• 150 .CN malicious domain names
• 5 malicious codes
• 5 software loopholes
• Malicious domain group registered in Poland: 100 malicious domain names
• Security awareness and security measures should be strengthened
• 124 Web sites were hacked from May 2-9

Source: People's Daily Online 5-19-10

Case Studies


Specific Hacking Case Studies: Heartland

Disclosed in January, 2009. Up to 130M cards exposed – largest attack (more than TJX)

• Not discovered until late 2008
• Impact:
  • Stock price went down 78%
  • Breach related expenses of $140 million
  • Millions of dollars in damages and recovery
  • Embarrassment for the company
  • Revenue loss
• Learning:
  • PCI compliance ≠ App security

Specific Hacking Case Studies: RBS World Pay

Disclosed in December, 2008. Up to 1.5M cards stolen

• Installed Malware
• Cloned cards were given to an army of “cashers” across 49 cities around the world
• Visited 2,100 ATM machines in 280 cities
• Impact:
  • $9M stolen in less than 12 hours
  • Embarrassment for the company
  • Reputation damage
• Learning:
  • Hackers are getting very sophisticated and organized

Vulnerability Examples


Cross-Site Scripting (XSS)

What is it?: Found in web applications which allow code injection by malicious web users into the web pages viewed by other users. The Web Application is used to store, transport, and deliver malicious active content to an unsuspecting user.

Used by attackers to bypass access controls such as the same origin policy. Recently, used to craft powerful phishing attacks and browser exploits.

Root Cause: Failure to proactively reject or scrub malicious characters from input vectors.


Impacts of XSS

• Session Hijacking: Hacker can steal the session id of the user and use it to conduct transactions
• Record Key Strokes: Hacker can record all the keystrokes of the victim
• Entry point: Hacker can use XSS to hack into the network and go deeper into other servers
• Steal information: A victim’s files and PII can be accessed and exploited by the hacker
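The XSS root cause stated above (user input reaching a page without being rejected or neutralised) is easier to see in code. The Python example below is added here and is not part of the Cenzic deck: it renders a user comment two ways, once by concatenating the input straight into the markup and once by escaping it for the context it lands in, and then uses Python's standard html.parser to check which rendering still contains a live script element or inline event handler. The function names, the comment template and the two sample inputs are constructed for this illustration.

```python
# Added example (not from the Cenzic deck): the XSS root cause, shown as
# code. Names, template and sample inputs are constructed for illustration.
import html
from html.parser import HTMLParser
from typing import List

# Constructed inputs of the two kinds the slides describe: active content in
# element text, and a quote that breaks out of an attribute value.
SCRIPT_IN_TEXT = "<script>alert(1)</script>"
ATTRIBUTE_BREAKOUT = '" onmouseover="alert(1)'


def render_comment_unsafe(author: str, text: str) -> str:
    """Vulnerable: user input is concatenated straight into the markup, so the
    browser parses any tags or attribute breakouts it contains as code."""
    return f'<div class="comment" data-author="{author}"><p>{text}</p></div>'


def render_comment_safe(author: str, text: str) -> str:
    """Hardened: escape for the exact context each value lands in. Element
    text needs &, < and > encoded; an attribute value additionally needs its
    quotes encoded (quote=True) so it cannot close the attribute and add a
    new one."""
    return (
        f'<div class="comment" data-author="{html.escape(author, quote=True)}">'
        f'<p>{html.escape(text, quote=False)}</p></div>'
    )


class _ActiveContentFinder(HTMLParser):
    """Records <script> elements and on* event-handler attributes that a
    browser would actually execute. Parsing (rather than a regex over the
    string) is what makes the check correct: an encoded &quot; inside an
    attribute value is data, not the start of a new attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "script":
            self.findings.append("<script> element")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"inline event handler {name}")


def find_active_content(markup: str) -> List[str]:
    """Test oracle for templates: which executable constructs survive rendering?"""
    finder = _ActiveContentFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for author, text in (("alice", SCRIPT_IN_TEXT), (ATTRIBUTE_BREAKOUT, "hello")):
        print("unsafe:", find_active_content(render_comment_unsafe(author, text)))
        print("safe:  ", find_active_content(render_comment_safe(author, text)))
```

The point of the two escaping calls is that "scrubbing" is context-dependent: the same author string is harmless inside element text but becomes an event handler once it can terminate an attribute, which is why the hardened renderer encodes quotes for the attribute and the detection helper parses the result the way a browser would.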

SQL Injection

What is it?: Database contents are compromised or disclosed by the use of specially crafted form input that manipulates SQL Query Logic.

Root Cause: Failure to properly sanitize, reject, or escape domain-specific SQL characters from an input vector.

Impacts of SQL Injection

• Customer information: Hacker can get access to all your customer records
• Public Defacement: Hackers can easily deface thousands of sites with one attack
• Database Server: Hacker can compromise a database server with SQL attacks
• Bypass Log-in: By using simple SQL commands, a hacker can bypass the log-in credentials
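To make the "Bypass Log-in" impact and its root cause concrete, the Python example below is added here (it is not from the Cenzic deck). It builds a small in-memory SQLite user table with constructed rows and implements the same login lookup twice: once with the query text assembled from user input, once with parameterized placeholders. A comparison helper runs both against the same input so the difference in behaviour is visible, including the less obvious symptom of the same defect, a legitimate username containing a quote breaking the query. Function names and sample data are hypothetical.

```python
# Added example (not from the Cenzic deck): the SQL injection root cause as
# code, using an in-memory SQLite database with constructed rows. Function
# names and data are hypothetical.
import sqlite3
from typing import Callable, Optional

# Constructed sample input for the "Bypass Log-in" impact: a tautology that
# makes the WHERE clause true regardless of the stored password.
TAUTOLOGY_PASSWORD = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Constructed user table. (A real application would store salted
    password hashes, not plaintext; kept plain here to keep the query simple.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("o'brien", "battery staple")],
    )
    conn.commit()
    return conn


def login_unsafe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Vulnerable: the query text is assembled from user input, so a quote in
    the input changes the query's logic instead of being compared as data."""
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Hardened: placeholders hand the values to the driver separately from
    the SQL text, so they can never be parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def try_login(fn: Callable[..., Optional[str]], conn: sqlite3.Connection,
              username: str, password: str) -> str:
    """Summarise an attempt as 'ok:<user>', 'denied' or 'error' so the two
    implementations can be compared side by side."""
    try:
        user = fn(conn, username, password)
    except sqlite3.Error:
        # The same root cause that enables injection also breaks legitimate
        # input containing a quote, such as the user o'brien.
        return "error"
    return f"ok:{user}" if user else "denied"


def compare(username: str, password: str) -> dict:
    """Run both implementations against a fresh database on the same input."""
    db = make_db()
    return {
        "unsafe": try_login(login_unsafe, db, username, password),
        "safe": try_login(login_safe, db, username, password),
    }


if __name__ == "__main__":
    for who, pw in (("alice", "correct horse"), ("o'brien", "battery staple"),
                    ("nobody", TAUTOLOGY_PASSWORD)):
        print(f"{who!r}: {compare(who, pw)}")
```

Note that the vulnerable version "works" for the ordinary user, fails with a database error for o'brien, and logs "nobody" in as whoever the first matching row happens to be; the parameterized version behaves correctly in all three cases without any character-level filtering, which is why placeholders rather than escaping are the standard fix.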

The “tops”

Top 5 Web Security Myths

• I have SSL so that’ll protect my Web site: SSL ≠ App Security
• Have never been hacked: How do you know?
• PCI compliant: Heartland, Hannaford…
• I can test a few of my Web applications once a year: Any vulnerable site is your weakest link
• Expensive: Many flexible options to get you jump-started

Top Reason #1

Web Applications Are Getting More Complex: Web 2.0 technologies exacerbate the problem

• Think you are not using Web 2.0? Think again! e.g. Software mashups
• How do you know any of the original app is secure?
• How do you know the resulting app does not include new vulns?

Top Reason #2

Compliance Pressure Isn’t Letting Up (PCI, SOX, GLBA, HIPAA, FFIEC, …)

• Each regulation may have some level of implication on application security
• PCI section 6 has specific provision requirements for Web security
• We expect more regulations to follow suit: California AB 211, section 1, 56.36 (b)

Top Reason #3

Third Party Code is Prevalent

• Outsourced, open source, and packaged applications
• Enterprises use more open source code than they know: Apache, Net SNMP, Zlib, JBoss
• Few software outsourcing providers have secure coding provisions or service level guarantees
• Do you know the security quality of third-party code and apps?

Practical Approaches


Application Security Maturity Model

(Chart: axes People & Process, Low to High, and Tools & Technology, Low to High. Quadrants: Pit of Despair; Panic; Scramble; Security as Core Business Process.)

Enterprise Security Challenge

(Diagram: several Business Units, each with Dev and QA teams and their own applications (App 1, App 2, App 3), spread across Pre-Production (Dev, QA, Staging) and Production; Information Security sits across them, and the C-Level asks “Will I get Hacked?”)

Web & Software Security Lifecycle

Application Security is NOT a One Time Event but a Discipline Over Time!

(Timeline: Dev Begins, Alpha/Beta, Production/Launch, update1, update2, ... with Planning, Training and Scanning/Testing running alongside.)

SDLC & Black Box Testing

Software Development Life Cycle: Design, Build, Deploy, Operate

• Code Review
• White Box Testing
• Build & Test Automation
• Black Box Testing
• Pen Test
• Decision Support & Process Optimization

You May Have To Change Internal Procedures & Processes

Seat at the table…

• Buy in: Management, Grass roots
• Create a dedicated application security role
  • Align this role with business, operations, and development and QA
  • Define responsibility and accountability structure
• Engage business to define priorities, standards, and policies

You May Have To Change Internal Procedures & Processes

• Move certain security functions into operations
  • Security measures must be simple enough for non-experts
  • Must integrate with existing operational procedures and tools
• Metrics
  • Implement reporting and metrics to measure risk
  • Identify technology solutions/services that will provide meaningful metrics
  • Review, rinse, repeat

START!

Final Thoughts

This is real

Bad guys are getting smarter

Think about process/strategy

Test frequently

Starting Early = less $$


www.Cenzic.com | 1-866-4-CENZIC (1-866-423-6942)

Jon Zucker jon@cenzic.com
