Rich Mogull, Securosis, L.L.C.
TRANSCRIPT
![Page 1: Rich Mogull Securosis, L.L.C](https://reader033.vdocuments.mx/reader033/viewer/2022042412/625ef16a5e038c7b662e369a/html5/thumbnails/1.jpg)
Taming the Beast(s): Securing Major Enterprise Applications
Rich Mogull, Securosis, L.L.C.
Old School/New School/Oh SH&$ School
Major Enterprise Application Classes
Enterprise Software
Web Application Servers
Custom Applications
Custom Code = Custom Vulnerabilities
● All major enterprise applications implement mostly custom code
● Custom vulnerabilities exist only on your systems
● Attackers now use refined, repeatable techniques to find custom vulnerabilities
● Common classes of remotely exploitable vulnerabilities
  – SQL injection
  – Buffer overflows
  – Cross-site scripting
  – Logic flaws
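The SQL injection class listed above, shown as an added example that is not from the deck: a login check of the kind found in an application's custom code, written the vulnerable way and the parameterized way against a constructed in-memory SQLite table. The table, account names and passwords are made up for the demonstration, and plaintext passwords are used only to keep it short (real code stores hashes). The vulnerable version splices user input into the query text, so anyone who knows an account name can comment out the password check; the safe version binds the same input as data. Column names cannot be bound as parameters, so the sort example allowlists them instead.

```python
import sqlite3

# Constructed sample data (not from the deck): a tiny users table standing in
# for an application's custom login code. Plaintext passwords are used only to
# keep the example short; real code stores password hashes.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "user"), ("dba", "hunter2", "admin")],
    )
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str):
    """Custom vulnerability: attacker-controlled strings are spliced into SQL text.
    A username of  dba' --  turns the rest of the WHERE clause into a comment."""
    sql = ("SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


def safe_login(conn: sqlite3.Connection, username: str, password: str):
    """Same query with bound parameters: the input is data, never SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


SORTABLE_COLUMNS = {"username", "role"}


def list_users(conn: sqlite3.Connection, order_by: str) -> list:
    """Identifiers (column names) cannot be bound as parameters, so they are
    checked against an allowlist before being placed in the statement."""
    if order_by not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {order_by!r}")
    rows = conn.execute(f"SELECT username FROM users ORDER BY {order_by}")
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    payload = "dba' --"
    print("vulnerable:", vulnerable_login(db, payload, "wrong"))  # logs in as dba
    print("safe      :", safe_login(db, payload, "wrong"))        # None
```

The same `dba' --` payload authenticates as the admin account through `vulnerable_login` and is rejected by `safe_login`; the rest of the fix is applying the bound-parameter pattern everywhere the custom code builds SQL.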
[Diagram: credentials crossing tiers. Tiers: Network/Domain, System, Database, Application. User credentials either inherit, remap, or break between tiers; side paths: Batch Jobs, OLAP, Heritage applications.]
Vulnerability Classes
Privileged Access: Developers, Administrators, Direct Query, Static Accounts
Downstream Data: Reports (Excel), EDI, OLAP, Backups, Batch Jobs, Other Apps., Other DBs
Traditional Security: Sniffing, Vulns, Remote Access, Privilege Escalation, Availability
Virtualization Apocalypse
Defensive Security Stack
Application Security
Application Security Cycle
Secure Development
Secure Deployment
Hardening Tiers
Harden Tiers
• Minimize open ports
• Network segmentation
Encrypt Connections
• Use network hardware to manage performance
Control Authentication
• Minimize static passwords
• Minimize administration access
Simplification!
[Diagram: Application Server to VPN Appliance, encrypted link, VPN Appliance to Database]
Database Security
SAP
• SAP is very flexible and complex
  - Most deployments use extensive custom code
  - Understand differences between R/3 and NetWeaver/ECC
• SAP built on WebAS
  - A full application server
  - J2EE and ABAP offer different security options
  - Extensive customization may require same security approach as a Web application server
• SAP focuses security efforts on roles/authorization
  - Many enterprises lose control of entitlements
  - Role transfers and poor role management are biggest sources of security issues
  - Manage through Profile Generator, but beware conflicts/config errors
• Multiple, complex auditing options
Oracle
• Many security features across product lines
  - Not all features in all products; large variation
  - Expect to pay extra for them
• Consider Oracle Identity Management or third-party IAM
  - E-Business Suite built-in account management sufficient for isolated deployments
• Take advantage of system roles/responsibilities
• Use digital certificates for systems with static connections
• Use client ID (CID) where possible
• Double-check encryption
  - Some fields default encrypted; confirm DBA limits
• Data Vault can limit access on existing applications
• Use Enterprise Manager for patching
  - Patching features cost extra, so push Oracle on pricing
  - Manual patching unreliable
• Use a DB Activity Monitoring tool to monitor privileged accounts
  - Audit Vault with Fine Grained Auditing can accomplish this, but is not feature-competitive with third-party tools
• Enable audit trails
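The Privileged Access class on the Vulnerability Classes slide (developers, administrators, direct query, static accounts) and the recommendation above to watch privileged accounts through a DB activity monitoring tool or the audit trail, as an added example that is not from the deck or from Oracle: a small analyzer run over constructed audit records. The record layout is an assumed, simplified comma-separated export, not Oracle's native audit trail format; the account names, hosts, sensitive objects and service-account pinning are likewise assumptions for the demonstration. A real job would feed it from Audit Vault or the DAM tool's export and the organization's own entitlement data.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed audit records (assumption: a simplified comma-separated export,
# not Oracle's native audit trail layout). Accounts, hosts and objects are made up.
SAMPLE_AUDIT = """\
ts,db_user,os_user,client_host,program,action,object
2024-05-01T09:01:00,APPSVC,tomcat,app01.corp,JDBC Thin Client,SELECT,HR.EMPLOYEES
2024-05-01T09:02:10,SCOTT,scott,dev17.corp,sqlplus,SELECT,HR.SALARIES
2024-05-01T09:03:25,SYS,oracle,db01.corp,sqlplus,ALTER USER,APPSVC
2024-05-01T09:04:40,APPSVC,jsmith,lt-jsmith.corp,EXCEL.EXE,SELECT,HR.SALARIES
2024-05-01T09:05:00,APPSVC,tomcat,app01.corp,JDBC Thin Client,UPDATE,HR.EMPLOYEES
2024-05-01T09:06:15,SYSTEM,oracle,db01.corp,sqlplus,GRANT,DBA
"""

# Policy (assumed for the example): which accounts are privileged, which objects
# are sensitive, where each static service account is allowed to connect from,
# and which programs indicate a human running queries directly.
PRIVILEGED_USERS = {"SYS", "SYSTEM"}
SENSITIVE_OBJECTS = {"HR.SALARIES", "HR.EMPLOYEES"}
SERVICE_ACCOUNTS = {
    "APPSVC": {"hosts": {"app01.corp", "app02.corp"}, "programs": {"JDBC Thin Client"}},
}
INTERACTIVE_TOOLS = {"sqlplus", "EXCEL.EXE", "TOAD.EXE"}


@dataclass
class Finding:
    ts: str
    rule: str
    detail: str


def analyze(audit_text: str) -> list[Finding]:
    """Run three detection rules over the audit export; findings keep record order."""
    findings: list[Finding] = []
    for rec in csv.DictReader(io.StringIO(audit_text)):
        user, obj = rec["db_user"], rec["object"]
        prog, host = rec["program"], rec["client_host"]

        # Rule 1: every action by a privileged DB account is surfaced for review.
        if user in PRIVILEGED_USERS:
            findings.append(Finding(rec["ts"], "privileged-activity",
                f"{user} ran {rec['action']} on {obj} via {prog} from {host}"))

        # Rule 2: a static service account used outside its pinned host/program
        # (a developer or admin reusing the application's credentials).
        svc = SERVICE_ACCOUNTS.get(user)
        if svc and (host not in svc["hosts"] or prog not in svc["programs"]):
            findings.append(Finding(rec["ts"], "service-account-misuse",
                f"{user} used from {host} with {prog} (OS user {rec['os_user']})"))

        # Rule 3: sensitive data read directly with an interactive tool,
        # bypassing the application's own authorization layer.
        if obj in SENSITIVE_OBJECTS and prog in INTERACTIVE_TOOLS:
            findings.append(Finding(rec["ts"], "direct-query",
                f"{user} queried {obj} with {prog} from {host}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_AUDIT):
        print(f.ts, f.rule, f.detail)
```

On the sample, the application's normal JDBC traffic produces nothing, while the Excel session that borrowed the APPSVC credentials from a laptop trips both the service-account and direct-query rules; the OS user carried in the audit record is what lets you attribute a static account's misuse back to a person.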
Securing Web Applications
Managing Virtualization
Data Masking
[Diagram: Production data is masked before being copied to Development]
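Production-to-development data masking, as an added example that is not from the deck: a keyed, deterministic masking job in Python over two constructed tables linked by an employee ID. The rows, the key and the choice of which columns to tokenize, reformat, generalize or keep are assumptions. Keyed HMAC pseudonyms map the same production ID to the same masked ID in every table, so joins in the development copy still work, while the key stays with the masking job and never reaches development, so the tokens cannot be reversed or confirmed by guessing.

```python
import hashlib
import hmac
import re

# Constructed production-like rows (made up; not from the deck).
EMPLOYEES = [
    {"emp_id": "E1001", "name": "Alice Example", "ssn": "123-45-6789",
     "email": "alice@corp.example", "dept": "HR"},
    {"emp_id": "E1002", "name": "Bob Sample", "ssn": "987-65-4321",
     "email": "bob@corp.example", "dept": "FIN"},
]
PAYROLL = [
    {"emp_id": "E1001", "salary": 91000},
    {"emp_id": "E1002", "salary": 78000},
    {"emp_id": "E1001", "salary": 93000},
]

# Assumption: the key is held only by the masking job (e.g. in production's
# secret store) and never reaches the development environment.
MASK_KEY = b"rotate-me-and-keep-out-of-dev"


def _keyed_digest(value: str) -> bytes:
    return hmac.new(MASK_KEY, value.encode("utf-8"), hashlib.sha256).digest()


def pseudonym(value: str, prefix: str = "", length: int = 8) -> str:
    """Deterministic keyed pseudonym: the same production value always maps to
    the same token, so foreign keys still join; without MASK_KEY the token
    cannot be reversed or confirmed by guessing."""
    return prefix + _keyed_digest(value).hex()[:length].upper()


def mask_ssn(ssn: str) -> str:
    """Replace every digit from the keyed digest, keeping the NNN-NN-NNNN shape
    that downstream validation and screens expect."""
    src = iter(_keyed_digest(ssn))
    return re.sub(r"\d", lambda _m: str(next(src) % 10), ssn)


def mask_email(email: str) -> str:
    local, _at, _domain = email.partition("@")
    return pseudonym(local, length=10).lower() + "@masked.example"


def mask_employee(row: dict) -> dict:
    return {
        "emp_id": pseudonym(row["emp_id"], prefix="E"),
        "name": "Employee " + pseudonym(row["name"], length=6),
        "ssn": mask_ssn(row["ssn"]),
        "email": mask_email(row["email"]),
        "dept": row["dept"],  # reference data that is not sensitive stays verbatim
    }


def mask_payroll(row: dict) -> dict:
    return {
        "emp_id": pseudonym(row["emp_id"], prefix="E"),  # same token as in EMPLOYEES
        "salary": int(round(row["salary"], -4)),          # generalized to the nearest 10k
    }


def mask_dataset(employees, payroll):
    return [mask_employee(r) for r in employees], [mask_payroll(r) for r in payroll]


def orphan_payroll_rows(employees, payroll) -> int:
    """Referential-integrity check: payroll rows whose emp_id has no employee."""
    ids = {r["emp_id"] for r in employees}
    return sum(1 for r in payroll if r["emp_id"] not in ids)
```

Run `mask_dataset(EMPLOYEES, PAYROLL)` and `orphan_payroll_rows` on the result returns 0, while the same check against the unmasked employee table returns every payroll row, which is the quick way to confirm that masking was applied consistently to both sides of the join before the copy ships to development.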
Summary
● Profile/inventory your applications.
● Good identity management is the key to any enterprise software security.
● Tightly manage/secure network connections; sniffing is on the rise.
● All enterprise software needs secure development standards.
● Use new standards moving forward, while shielding, then cleaning, heritage applications.