© 2008 IBM Corporation
Governance and Risk Management
End to end Application Security: a pre-emptive approach
Michael Weider, Director of Security Products
IBM Rational
Evolving Threats
Agenda
Introduction to Application Security
Application Security Best Practices
IBM Vision for Application Security
Application Security - Understanding the Problem
Info Security Landscape (diagram): Desktop (Antivirus Protection); Transport (Encryption (SSL)); Network (Firewalls / IDS / IPS); Web Applications (Firewall; Web Servers, Application Servers, Databases, Backend Server)
Hackers Exploit Unintended Functionality to Attack Apps
(Diagram: Actual Functionality = Intended Functionality + Unintended Functionality)
Application Security Hacking Example
01/01/2006 union select userid,null,username+','+password,null from users--
Application responds with user names and passwords of other account holders!
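An added example, not code from the presentation: an account-history query that splices the submitted date into the SQL text (the defect behind the slide), beside the parameterized form that closes it. The schema and rows are constructed, and the injected string is the slide's input adapted to SQLite (a closing quote, and `||` in place of T-SQL's `+` concatenation), which are assumptions of this demo.

```python
import sqlite3

# Constructed sample data for this demo; nothing here comes from the slide deck.
SCHEMA = """
CREATE TABLE users (userid INTEGER, username TEXT, password TEXT);
CREATE TABLE transactions (txn_date TEXT, amount REAL, memo TEXT, userid INTEGER);
INSERT INTO users VALUES (1, 'alice', 'hunter2'), (2, 'bob', 'letmein');
INSERT INTO transactions VALUES
    ('01/01/2006', 120.00, 'deposit', 1),
    ('02/01/2006',  35.50, 'atm withdrawal', 1),
    ('01/01/2006',  80.00, 'deposit', 2);
"""

# The slide's input, adapted for SQLite (assumption): a closing quote ends the
# date literal and || is SQLite's string concatenation (the slide uses T-SQL's +).
INJECTED_DATE = ("01/01/2006' union select userid,null,"
                 "username||','||password,null from users--")


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def history_vulnerable(conn, userid, txn_date):
    # BAD: the date is pasted into the SQL text, so it can rewrite the statement.
    sql = ("SELECT txn_date, amount, memo, userid FROM transactions "
           f"WHERE userid = {int(userid)} AND txn_date = '{txn_date}'")
    return conn.execute(sql).fetchall()


def history_parameterized(conn, userid, txn_date):
    # GOOD: the date travels as a bound value and is only ever compared as data.
    sql = ("SELECT txn_date, amount, memo, userid FROM transactions "
           "WHERE userid = ? AND txn_date = ?")
    return conn.execute(sql, (userid, txn_date)).fetchall()


def leaked_credentials(rows):
    # Rows produced by an injected UNION carry 'username,password' in column 3
    # and NULL where a real transaction has an amount and an owner.
    return {r[2] for r in rows if r[1] is None and r[3] is None}


if __name__ == "__main__":
    db = open_db()
    print("vulnerable   :", history_vulnerable(db, 1, INJECTED_DATE))
    print("parameterized:", history_parameterized(db, 1, INJECTED_DATE))
```

With the bound parameter the same input matches no row at all, because no transaction has that whole string as its date.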
The OWASP Top 10
Application Threat | Negative Impact | Example Impact
Cross Site Scripting | Identity theft, sensitive information leakage, … | Hackers can impersonate legitimate users and control their accounts.
Injection Flaws | Attacker can manipulate queries to the DB / LDAP / other systems | Hackers can access backend database information, alter it or steal it.
Malicious File Execution | Execute shell commands on the server, up to full control | Site modified to transfer all interactions to the hacker.
Insecure Direct Object Reference | Attacker can access sensitive files and resources | Web application returns the contents of a sensitive file (instead of a harmless one).
Cross-Site Request Forgery | Attacker can invoke “blind” actions on web applications, impersonating a trusted user | Blind requests to a bank account transfer money to the hacker.
Information Leakage and Improper Error Handling | Attackers can gain detailed system information | Malicious system reconnaissance may assist in developing further attacks.
Broken Authentication & Session Management | Session tokens not guarded or invalidated properly | Hacker can “force” a session token on a victim; session tokens can be stolen after logout.
Insecure Cryptographic Storage | Weak encryption techniques may lead to broken encryption | Confidential information (SSN, credit cards) can be decrypted by malicious users.
Insecure Communications | Sensitive info sent unencrypted over an insecure channel | Unencrypted credentials “sniffed” and used by the hacker to impersonate the user.
Failure to Restrict URL Access | Hacker can access unauthorized resources | Hacker can forcefully browse to and access a page past the login page.
Where Do These Problems Exist?
Type: customer-facing services, partner portals, employee intranets
Source:
1. Applications you buy – e.g. COTS
2. Applications you build internally
3. Applications you outsource
How Common Are These Problems?
80% of Websites and applications are vulnerable to these attacks – Watchfire Research
Motives Behind Application Hacking Incidents
Source: Breach/WASC 2007 Web Hacking Incident Annual Report
Growth In Browser Vulnerabilities
Source: IBM Xforce 2007 Annual Report
Web Hacking Incidents by Industry
Source: WASC 2007 Web Hacking Incident Annual Report
PCI Application Security Requirements
What is the Root Cause?
1. Developers not trained in security: most computer science curricula have no security courses
2. Under-investment from security teams: lack of tools, policies, process, etc.
3. Growth in complex, mission-critical online applications: online banking, commerce, Web 2.0, etc.
4. Number one focus of hackers: 75% of attacks focused on applications - Gartner
Result: application security incidents and lost data on the rise
Agenda
Introduction to Application Security
Application Security Best Practices
IBM Vision for Application Security
Application Security Maturity Model
(Chart: maturity over time, duration 2-3 years; phases: Unaware, Awareness Phase, Corrective Phase, Operations Excellence Phase; chart labels 10%, 30%, 30%, 30%)
Building Security Into the Development Process
*Graphics from OWASP.com
Define/Design
• Security requirements, architecture, threat modeling, etc.
Development
• Test apps for security issues in Development, identifying issues at their earliest point
• Realize optimum security testing efficiencies (cost reduction)
Test
• Test apps for security issues in the QA organization along with performance and functional testing
• Reduce costs of security testing
Deploy
• Test apps before going to production
• Deploy secure web applications
Production
• Test existing deployed apps
• Eliminate security exposure in live applications
Security Testing Within the Software Lifecycle
(Diagram: SDLC stages Coding, Build, QA, Security, Production; Application Security Testing Maturity shifts testing from the Security stage toward Developers)
Application Security Adoption Within the SDLC
(Chart: Difficulty & Cost of Test vs. % Applications Tested, Low to High; Phase 1: Security Team; Phase 2: QA Team; Phase 3: Development Team; applications ordered by Criticality & Risk of App.)
Risk Oriented Approach to Application Security
(Chart: Risk Exposure vs. Security Investment, Low to High)
Educating Developers and Getting “Buy in”
• Establish security accountability and standards for shipping
• Create a “security architect” role
• Create a security community of practice
• Create a secure development portal or wiki
• Conduct hacking demos to demonstrate risks
• Online & offline courses for secure coding
• Put developers through secure coding exams
• Security reviews of real applications
• Pay premiums for security architects
Agenda
Introduction to Application Security
Application Security Best Practices
IBM Vision for Application Security
The IBM Security Framework
(Diagram, external representation)
Security Governance, Risk Management and Compliance
Common Policy, Event Handling and Reporting
Domains: People and Identity; Data and Information; Application and Process; Network, Server, and End-point; Physical Infrastructure
Delivery: Professional Services; Managed Security Services; Security Hardware and Software
Solutions: Security Governance, Risk & Compliance Solutions; Identity and Access Management Solutions; Information Security Solutions; Application Security Lifecycle Mgmt Solutions; Threat and Vulnerability Mgmt & Monitoring Solutions; Physical Security Solutions
Software Security Development Ecosystem
(Diagram: Developers (Coding) -> Build System (Build) -> Quality Assurance Testing (QA) -> Security Auditor scanning (Security); Control, Monitor and Report; Web Based Security Training)
Products and Services
Products: AppScan - application security vulnerability assessment tools
Services: AppScan OnDemand
Training: application security web-based training and onsite courses
For more information see: www.watchfire.com