Page 1: Evolving Threats

© 2008 IBM Corporation

Governance and Risk Management

End to end Application Security: a pre-emptive approach

Michael Weider, Director of Security Products

IBM Rational

Page 2: Evolving Threats


Evolving Threats

Page 3: Evolving Threats


Agenda

Introduction to Application Security

Application Security Best Practices

IBM Vision for Application Security

Page 4: Evolving Threats


Info Security Landscape (diagram): four layers, Desktop, Transport, Network and Web Applications, with the control shown for each. Desktop: Antivirus Protection. Transport: Encryption (SSL). Network: Firewalls / IDS / IPS. The Web Applications column shows components rather than a control: Firewall, Web Servers, Application Servers, Databases, Backend Server.

Application Security - Understanding the Problem

Page 5: Evolving Threats


Hackers Exploit Unintended Functionality to Attack Apps

(Venn diagram: Intended Functionality, Unintended Functionality, Actual Functionality)

Page 6: Evolving Threats


Application Security Hacking Example

Page 7: Evolving Threats


Input entered into the application's date field:

01/01/2006 union select userid,null,username+','+password,null from users--

The application responds with the user names and passwords of other account holders!
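To make the payload above concrete, here is an added Python example (not from the slides or from IBM) that reproduces the attack against a constructed SQLite database and shows the fix. The schema, the column names other than those in the payload, and the application's query are assumptions; the payload is adapted to SQLite syntax, as the comments explain.

```python
import sqlite3


# Constructed sample schema (not from the slides): the statement page queries
# a transactions table by date; the attacker wants the users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE transactions (txdate TEXT, amount REAL, memo TEXT, account TEXT);
        CREATE TABLE users (userid INTEGER, username TEXT, password TEXT);
        INSERT INTO transactions VALUES ('01/01/2006', 120.5, 'groceries', 'acct-1');
        INSERT INTO transactions VALUES ('01/02/2006', 40.0, 'fuel', 'acct-1');
        INSERT INTO users VALUES (1, 'alice', 'alice-secret');
        INSERT INTO users VALUES (2, 'bob', 'bob-secret');
    """)
    return conn


def statement_vulnerable(conn, txdate):
    # The date from the request is pasted into the SQL text, so anything after
    # a closing quote runs as SQL. The query returns four columns; that is the
    # count the attacker's UNION has to match.
    sql = ("SELECT txdate, amount, memo, account FROM transactions "
           "WHERE txdate = '" + txdate + "'")
    return conn.execute(sql).fetchall()


def statement_safe(conn, txdate):
    # Bound parameter: the value is never parsed as SQL, so the same payload
    # simply matches no row.
    sql = "SELECT txdate, amount, memo, account FROM transactions WHERE txdate = ?"
    return conn.execute(sql, (txdate,)).fetchall()


# The slide's payload adapted to SQLite: || for string concatenation instead of
# T-SQL's +, and a leading quote to close the date literal this example's query
# puts around the value. The trailing -- comments out the quote the application
# appends after the value.
PAYLOAD = ("01/01/2006' union select userid,null,username||','||password,null "
           "from users--")


def leaked_credentials(rows):
    # Rows that came from the UNION carry the nulls the attacker padded with;
    # their third column is the "username,password" pair.
    return sorted(r[2] for r in rows if r[1] is None and r[3] is None)


def demo():
    conn = make_db()
    return {
        "normal": statement_vulnerable(conn, "01/01/2006"),
        "leaked": leaked_credentials(statement_vulnerable(conn, PAYLOAD)),
        "safe": statement_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The legitimate query returns one transaction; the same function given the payload also returns every username and password, while the parameterised version returns nothing for the payload because the whole string is treated as a date value.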

Page 8: Evolving Threats


The OWASP Top 10 (2007 edition)

| Application Threat | Negative Impact | Example Impact |
|---|---|---|
| Cross-Site Scripting | Identity theft, sensitive information leakage, … | Hackers can impersonate legitimate users and control their accounts. |
| Injection Flaws | Attacker can manipulate queries to the DB / LDAP / other system | Hackers can access backend database information, alter it or steal it. |
| Malicious File Execution | Execute shell commands on the server, up to full control | Site modified to transfer all interactions to the hacker. |
| Insecure Direct Object Reference | Attacker can access sensitive files and resources | Web application returns the contents of a sensitive file (instead of a harmless one). |
| Cross-Site Request Forgery | Attacker can invoke "blind" actions on web applications, impersonating a trusted user | Blind requests to a bank account transfer money to the hacker. |
| Information Leakage and Improper Error Handling | Attackers can gain detailed system information | Malicious system reconnaissance may assist in developing further attacks. |
| Broken Authentication & Session Management | Session tokens not guarded or invalidated properly | Hacker can "force" a session token on the victim; session tokens can be stolen after logout. |
| Insecure Cryptographic Storage | Weak encryption techniques may lead to broken encryption | Confidential information (SSN, credit cards) can be decrypted by malicious users. |
| Insecure Communications | Sensitive info sent unencrypted over an insecure channel | Unencrypted credentials "sniffed" and used by the hacker to impersonate the user. |
| Failure to Restrict URL Access | Hacker can access unauthorized resources | Hacker can forcefully browse to and access a page past the login page. |
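As an added example for the Cross-Site Request Forgery and Broken Authentication & Session Management rows (this code is not from the slides or from IBM), the following Python simulates a bank transfer endpoint in two versions: one that authorizes on the session cookie alone, so a request the victim's browser is tricked into sending goes through, and one that requires a session-bound anti-CSRF token, checks the Origin header, and invalidates the session on logout. The request shape, the hostnames bank.example and attacker.example, and the in-memory session store are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed server-side state (not from the slides): a session store keyed by
# the cookie value, and the server key used to derive anti-CSRF tokens.
SERVER_KEY = secrets.token_bytes(32)
SESSIONS = {}  # session id -> {"user": str, "balance": int}
BANK_ORIGIN = "https://bank.example"  # assumed hostname for the example


def login(user, balance):
    """Create a session; the returned id is what the browser stores as a cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "balance": balance}
    return sid


def logout(sid):
    """Invalidate server-side, so a cookie captured later is useless."""
    SESSIONS.pop(sid, None)


def csrf_token(sid):
    """Token bound to the session: HMAC(server key, session id). The bank's own
    page embeds it in the transfer form; a page on another origin cannot read it."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def _do_transfer(sess, form):
    amount = int(form["amount"])
    if amount > sess["balance"]:
        return "400 insufficient funds"
    sess["balance"] -= amount
    return f"200 sent {amount} to {form['to']}"


def transfer_vulnerable(request):
    """Authorizes on the session cookie alone. The browser attaches that cookie
    to any request for the bank's origin, including one a hostile page made it
    send, so the "blind" transfer in the table above goes through."""
    sess = SESSIONS.get(request["cookies"].get("sid"))
    if sess is None:
        return "401 not logged in"
    return _do_transfer(sess, request["form"])


def transfer_hardened(request):
    """Requires the session-bound token, compared in constant time, and treats
    an Origin header from anywhere but the bank as a forgery."""
    sid = request["cookies"].get("sid")
    sess = SESSIONS.get(sid)
    if sess is None:
        return "401 not logged in"
    supplied = request["form"].get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, csrf_token(sid).encode()):
        return "403 missing or bad CSRF token"
    # Origin is absent in some legitimate cases (older clients), so only an
    # Origin that is present and foreign is rejected here.
    origin = request["headers"].get("Origin")
    if origin is not None and origin != BANK_ORIGIN:
        return "403 cross-origin request"
    return _do_transfer(sess, request["form"])


def demo():
    """Run a legitimate and a forged transfer through each handler, then log out."""
    results = {}
    for name, handler in (("vulnerable", transfer_vulnerable),
                          ("hardened", transfer_hardened)):
        sid = login("victim", 1000)
        # Legitimate request: submitted from the bank's own form, token included.
        legit = {"cookies": {"sid": sid},
                 "headers": {"Origin": BANK_ORIGIN},
                 "form": {"to": "landlord", "amount": "100",
                          "csrf_token": csrf_token(sid)}}
        # Forged request: the victim's browser, lured to attacker.example,
        # auto-submits a hidden form. The cookie rides along; the token cannot.
        forged = {"cookies": {"sid": sid},
                  "headers": {"Origin": "https://attacker.example"},
                  "form": {"to": "hacker", "amount": "900"}}
        outcome = {"legit": handler(legit), "forged": handler(forged),
                   "balance": SESSIONS[sid]["balance"]}
        logout(sid)
        outcome["after_logout"] = handler(legit)
        results[name] = outcome
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The vulnerable handler drains the account on the forged request; the hardened one rejects it because the hostile page has no way to obtain the token, and after logout even a request carrying the old cookie is refused.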

Page 9: Evolving Threats


Where Do These Problems Exist?

Type: customer-facing services, partner portals, employee intranets

Source:

1. Applications you buy – e.g. COTS
2. Applications you build internally
3. Applications you outsource

Page 10: Evolving Threats


How Common Are These Problems?

80% of Websites and applications are vulnerable to these attacks – Watchfire Research

Page 11: Evolving Threats


Motives Behind Application Hacking Incidents

Source: Breach/WASC 2007 Web Hacking Incident Annual Report

Page 12: Evolving Threats


Growth In Browser Vulnerabilities

Source: IBM X-Force 2007 Annual Report

Page 13: Evolving Threats


Web Hacking Incidents by Industry

Source: WASC 2007 Web Hacking Incident Annual Report

Page 14: Evolving Threats


PCI Application Security Requirements

Page 15: Evolving Threats


What is the Root Cause?

1. Developers not trained in security: most computer science curricula have no security courses.

2. Under-investment from security teams: lack of tools, policies, process, etc.

3. Growth in complex, mission-critical online applications: online banking, commerce, Web 2.0, etc.

4. Number one focus by hackers: 75% of attacks focused on applications (Gartner).

Result: application security incidents and lost data on the rise.

Page 16: Evolving Threats


Agenda

Introduction to Application Security

Application Security Best Practices

IBM Vision for Application Security

Page 17: Evolving Threats


Application Security Maturity Model

(Chart of maturity against time: phases Unaware, Awareness Phase, Corrective Phase, Operations Excellence Phase; duration 2-3 years; segment labels 10 %, 30 %, 30 %, 30 %.)

Page 18: Evolving Threats


Building Security Into the Development Process

*Graphics from OWASP.com

Define/Design
• Security requirements, architecture, threat modeling, etc.

Development
• Test apps for security issues in development, identifying issues at their earliest point
• Realize optimum security testing efficiencies (cost reduction)

Test
• Test apps for security issues in the QA organization along with performance and functional testing
• Reduce costs of security testing

Deploy
• Test apps before going to production
• Deploy secure web applications

Production
• Test existing deployed apps
• Eliminate security exposure in live applications

Page 19: Evolving Threats


Security Testing Within the Software Lifecycle

(Diagram: SDLC stages Coding, Build, QA, Security, Production, with Developers labelled at the early stages; progression labelled Application Security Testing Maturity.)

Page 20: Evolving Threats


Application Security Adoption Within the SDLC

(Chart: axes Difficulty & Cost of Test (high to low), % Applications Tested (low to high) and Criticality & Risk of App.; adoption in three phases, Phase 1, Phase 2, Phase 3, with Security Team, QA Team and Development Team labels.)

Page 21: Evolving Threats


Risk Oriented Approach to Application Security

(Chart: Risk Exposure, low to high, plotted against Security Investment, low to high.)

Page 22: Evolving Threats


Educating Developers and Getting “Buy in”

• Establish security accountability and standards for shipping
• Create a "security architect" role
• Create a security community of practice
• Create a secure development portal or wiki
• Conduct hacking demos to demonstrate risks
• Online & offline courses for secure coding
• Put developers through secure coding exams
• Security reviews of real applications
• Pay premiums for security architects

Page 23: Evolving Threats


Agenda

Introduction to Application Security

Application Security Best Practices

IBM Vision for Application Security

Page 24: Evolving Threats


The IBM Security Framework (diagram)

Common Policy, Event Handling and Reporting

Security Governance, Risk Management and Compliance

Domains: People and Identity; Data and Information; Application and Process; Network, Server, and End-point; Physical Infrastructure

External representation: Managed Security Services; Security Hardware and Software; Professional Services

Solution areas: Security Governance, Risk & Compliance Solutions; Threat and Vulnerability Mgmt & Monitoring Solutions; Application Security Lifecycle Mgmt Solutions; Identity and Access Management Solutions; Information Security Solutions; Physical Security Solutions

Page 25: Evolving Threats


Software Security Development Ecosystem

(Diagram: stages Coding, Build, QA, Security; actors Developers, Build System, Quality Assurance Testing, Security Auditor (scanning); plus Control, Monitor and Report, and Web Based Security Training.)

Page 26: Evolving Threats


Product and Services

Products: AppScan – Application Security Vulnerability Assessment Tools

Services: AppScan OnDemand

Training: Application security Web-based training and onsite courses

For more information see: www.watchfire.com
