Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012

Upload: london-perrier

Post on 01-Apr-2015


TRANSCRIPT

Page 1: Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012

Infosec 2012 | 25/4/12

Application Performance Monitoring

Ofer MAOR

CTO

Infosec 2012

Page 2: Introduction

• Application Security vs. Data Security

• Current Application Security Approach
  – Vulnerability vs. Risk
  – Technique vs. Goal

• Challenges of Existing Application Security Solutions

• New Approach for Application Data Security

Page 3: About Myself

• 16 years in information/application security (over 10 years hands-on penetration testing)

• Research, Development, Enhancement
  – Attack & Defense Techniques
  – WAF / AppSec Testing Products

• Regular Speaker in Security Conferences

• OWASP Global Membership Committee & Chairman of OWASP Israel

Page 4: The Problem

• Application Security – Goal or Means?

• Importance of Protecting Persistent Data

• DB Security Solutions – Is It Enough?

• Influence of App Vulns on Data Security

• AppSec As a Means for Data Protection

• AppSec As an Integral Part of R&D?

Page 5: Current Approach

• Approach Too Technical

• Focus on Technical Aspects
  – Examine it from the vulnerability perspective
  – Focus on injections & technical problems
  – Analysis of code, rather than application
  – Ignoring application data

• Focus on technology instead of risk

• Hard to fit into the development lifecycle

Page 6: Too Many Vulnerabilities…

SQL Injection

Cross Site Scripting

Cross Site Request Forgery

Parameter Tampering

Forceful Browsing

Session Riding

Hidden Field Manipulation

LDAP Injection

Cookie Poisoning

CRLF Injection

HTTP Response Splitting

XPath Injection

Directory Traversal

OS Commanding

Session Hijacking

Insecure Redirect

Flow Bypassing

Directory Listing

Insecure Password Storage

File Inclusion

No User Lockout

Unauthenticated Access

Buffer Overflow

No SSL

Session Fixation

Detailed Error Messages

Misconfiguration

Information Leakage

URL Encoding

Page 7: Going Back to the Roots

• Risk Based Approach

• CIA
  – Confidentiality
  – Integrity (+ Non Repudiation)
  – Availability

• Assess Application Vulnerabilities Based on Data Risk

Page 8: Data Oriented Approach

• Taking a Data-Oriented Approach to Application Security Testing

• Logical vs Technical

• Business Impact

• Level of Exploitability

• Risk, Risk, Risk

Page 9: Example: Unauthorized Data Modification

• The Attack is Data Modification

• Can be performed in various ways:
  – Parameter Tampering
  – Flow Bypassing
  – SQL Injection
  – Cross Site Scripting
  – Cross Site Request Forgery

Page 10: The Problem – Take II

• Existing Solutions – Too Technical

• No One Used Data Oriented Approach
  – DAST (Scanners)
    • Analyze Request/Responses – No Data Access
    • Focused on Technical Vulnerabilities
  – SAST (Static Analyzers)
    • Only Static Code – No Data Access
    • Focused on Technical Vulnerabilities
  – Pentesters – Better, But Still Mostly Technical

Page 11: The Problem – Take II

• Result – Low Security ROI
  – €€€ spent on solutions not focused on data risk
  – €€€ spent on professional services trying to sort through the thousands of results
  – €€€ spent on R&D hours of fixing unnecessary fixes

• High Costs, Unfocused Efforts, Inefficient.

Page 12: The Solution: Data Centric Application Security

• Analysis of Actual Data Handling in System

• Automatic Data Classification
  – Sensitivity
  – Ownership
  – Accessibility
  – etc.

• Identifying Vulns Which Pose Real Risk

• Verification of Actual Risk Level
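The slides on pages 7 to 12 argue that the same technical finding deserves a different priority depending on which data it can reach, and that runtime verification of the exploit should feed the risk level. The following is an added example written for this transcript, not code from the talk or from Quotium's product: a small re-ranking of scanner output where risk is the classified sensitivity of the data touched, scaled by whether the exploit was verified, and where technical findings are then collapsed onto the data they threaten (several techniques, one attack). The data inventory, the technique-to-CIA mapping, the threshold and the sample findings are all constructed for the illustration.

```python
"""Data-centric re-ranking of application security findings.

Constructed example: the inventory, technique table and findings below are
made up to illustrate the idea, not taken from any real scanner or product.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed data inventory: what the application actually stores, classified
# by sensitivity (1 = public, 5 = regulated or financial) and by the CIA
# properties that matter for that data.
DATA_INVENTORY: Dict[str, dict] = {
    "account.balance":      {"sensitivity": 5, "owner": "customer", "cia": {"C", "I"}},
    "user.password_hash":   {"sensitivity": 5, "owner": "customer", "cia": {"C", "I"}},
    "user.email":           {"sensitivity": 3, "owner": "customer", "cia": {"C", "I"}},
    "catalog.product_name": {"sensitivity": 1, "owner": "public",   "cia": {"I"}},
}

# CIA properties a technique can violate when it succeeds (assumed mapping).
TECHNIQUE_IMPACT: Dict[str, Set[str]] = {
    "sql_injection":              {"C", "I", "A"},
    "parameter_tampering":        {"I"},
    "cross_site_scripting":       {"C", "I"},
    "cross_site_request_forgery": {"I"},
    "information_leakage":        {"C"},
}


@dataclass(frozen=True)
class Finding:
    technique: str          # technical vulnerability class reported by the tool
    location: str           # endpoint / parameter where it was flagged
    data_touched: str       # inventory key the flaw can read or write
    exploit_verified: bool  # did runtime verification confirm the exploit?


def data_impact(data_key: str, technique: str) -> int:
    """Impact of a successful exploit: the data's sensitivity, but only when the
    technique can violate a CIA property that matters for that data.
    Data missing from the inventory is an error: classify it first."""
    try:
        entry = DATA_INVENTORY[data_key]
    except KeyError:
        raise ValueError(f"unclassified data: {data_key}") from None
    violated = TECHNIQUE_IMPACT.get(technique, {"C", "I", "A"}) & entry["cia"]
    return entry["sensitivity"] if violated else 0


def risk_score(f: Finding) -> float:
    """Risk = impact x exploitability; an unverified exploit counts at half weight."""
    exploitability = 1.0 if f.exploit_verified else 0.5
    return data_impact(f.data_touched, f.technique) * exploitability


def rank_findings(findings: List[Finding], threshold: float = 1.5) -> List[Tuple[Finding, float]]:
    """Findings at or above the threshold, highest risk first; the rest are
    informational noise from a data-risk point of view."""
    scored = [(f, risk_score(f)) for f in findings]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])


def group_by_data(ranked: List[Tuple[Finding, float]]) -> Dict[str, List[str]]:
    """Collapse techniques onto the data they threaten: several technical
    findings are often one attack (e.g. unauthorized modification of a balance)."""
    groups: Dict[str, List[str]] = {}
    for f, _ in ranked:
        groups.setdefault(f.data_touched, []).append(f.technique)
    return groups


# Constructed scanner output for the demo.
SAMPLE_FINDINGS = [
    Finding("sql_injection", "/api/transfer?acct", "account.balance", True),
    Finding("parameter_tampering", "/api/transfer?acct", "account.balance", True),
    Finding("cross_site_scripting", "/search?q", "user.email", True),
    Finding("cross_site_request_forgery", "/profile/update", "user.email", False),
    Finding("parameter_tampering", "/catalog/item?id", "catalog.product_name", True),
    Finding("information_leakage", "/catalog/item?id", "catalog.product_name", False),
]

if __name__ == "__main__":
    ranked = rank_findings(SAMPLE_FINDINGS)
    for f, score in ranked:
        print(f"{score:4.1f}  {f.technique:28s} {f.location:22s} -> {f.data_touched}")
    print(group_by_data(ranked))
```

On the sample input the parameter-tampering finding against the account balance ranks equal to the SQL injection against the same field, while the identical parameter-tampering finding against a public product name drops below the threshold and is not reported as a risk at all; the grouping step then shows the two balance findings as one attack on one piece of data, which is the "Unauthorized Data Modification" point of page 9.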

Page 13: Advantages

• Focus on Real Vulnerabilities

• Holistic Approach (Application, not Code)

• Support for Business Transactions
  – Multi Tier, Multi Step Components, etc.

• Identify Vulnerabilities Otherwise Unidentified

• Identify Potential Data Breaches

• Easy to Integrate into R&D

Page 14: The Data Centric Approach

More REAL Vulnerabilities

No IRRELEVANT Vulnerabilities

Efficient, Practical, Focused

Fits R&D Security Program

Provides High Security ROI

Page 15: About Quotium

• New Generation Application Security

• Data Oriented Approach

• Utilizes new Runtime Analysis Engine
  – Analysis of application data and code
  – Exploit verification to classify risk.

• Intuitive & Easy to Use

• Adaptive to the Development Process

Page 16: Application Performance Monitoring

Ofer [email protected]

Come Visit Us!

Booth #F51