virtualizing application security:
TRANSCRIPT
-
8/14/2019 Virtualizing Application Security:
1/22
www.cenzic.com | 1-866-4-CENZIC (1-866-423-6942)
Virtualizing Application Security:
Testing Production Applications
Lars Ewe, CTO / VP of Engineering
-
Corporate Security
[Slide diagram: Internet, Client, Firewall, Web Server, App Server and Database Server, with IDS/IPS at the perimeter. Three security layers over time: Desktop and Content Security (1980s), Network Security (1990s), Application Security (2000s). Callouts: Ports 443 & 80 still open; Intrusion Detection and Prevention; Web app layer: 75% of hacker attacks occur here.]
-
[Slide image: ports 80 and 443]
-
Application Security Drivers
400+ New Vulnerabilities a Month and Growing
75% of cyber attacks & Internet security violations are
generated through Internet applications.
Source: Gartner Group
87% of Websites are vulnerable to attack.
Source: SearchSecurity January 2009
Malware on legitimate Websites has doubled in 6 months.
Source: IT PRO 2008
$6.6 Million is the average cost of a data breach.
Source: Ponemon Institute January 2009
-
The First Hacked Site
-
No One Wants To Be in the Press
Who is responsible when a hack occurs?
False sense of security
Concerns with finding all vulnerabilities
Worried
-
Corporate Application Environment
1000+ applications
Mixture of internal & external applications
Multiple BUs in multiple countries
In-sourced & out-sourced resources
Worldwide team with varying degrees of expertise and experience in Web app security
-
Getting Control Over Security
[Slide diagram: the C-Level asks "Will I get hacked?"; three Business Units, each with Dev, QA and App 1, App 2, App 3; Information Security spans Production and Pre-Production (Dev, QA, Staging).]
-
Application Security is NOT a One Time Event but a Discipline Over Time!
Web Application Security Optimization
-
Application Development Life Cycle
Phases: Design, Build, Deploy, Operate, Dispose
Design: Identify security issues upfront; Security training; Identify security resources (people and tools); Perform a risk analysis
Build: Automated test for vulnerabilities in Q.A.; Benchmark against requirements; Security training
Deploy: Automated test for vulnerabilities; Ongoing updates
Operate: Continued testing for new vulnerabilities and for production applications; Test new code; Ongoing updates
Dispose: Ensure that the disposed application doesn't have any links or backdoors into active applications
-
The Application Challenge
Lots of Web applications
Most of them in production (80% or more)
Fewer than 5% are being tested against hacker attacks, and then only once
People aren't testing. Why?
Fear of corrupting production apps
Resource constrained
Lack of security expertise
Too many groups involved
Ripe for hackers!
[Slide chart: over 1,000 Web applications; less than 20% in development (Dev) or in QA stage; about 80% are in production and deployed.]
-
Risks to Testing Production Applications
Columns: Risk (Damage; Likelihood), then Notes

Corruption of key data (Damage: High; Likelihood: High)
  Example: Spider/crawling of admin/privileged accounts (needed for Privilege Escalation SA). Solution: Avoid certain accounts and SmartAttacks.
Junk shared data (Damage: Low-High; Likelihood: High)
  Example: 100 fake sales inquiries. Can be caused by nearly any assessment. Very difficult to avoid. Partial Solution: Gentle ramp of injection attacks & tools to enable blacklisting.
Junk non-shared data (Damage: Low; Likelihood: High)
  Example: Junk data in my test account that affects only me.
Collateral damage (Damage: High; Likelihood: Medium)
  Example: Passing along attacks/junk data to business partners. Damage/alerts to connected backend systems, potentially even at other companies.
Major loss of data (Damage: High; Likelihood: Low)
  Example: Delete entire table in database. SQL Disclosure and Blind SQL SmartAttacks. Solution: Avoid these select attacks and strings.
System non-re-startable (Damage: High; Likelihood: Very Low)
  Example: Attack corrupts backend system configuration. Buffer Overflow, Format String and Application Exception & Spider of admin accounts. Partial Solution: Avoid these attacks.
-
Risks to Testing Production Applications (contd.)
Columns: Risk (Damage; Likelihood), then Notes

System crash (Damage: Medium; Likelihood: Very Low)
  Example: All users unable to access for 5 minutes. Buffer Overflow, Format String and Application Exception or, almost any activity. Partial Solution: Avoid these attacks.
Undesired real transactions (Damage: Low-High; Likelihood: High)
  Example: Actually buying a stock. Solution: Avoid by fake data or by blacklisting.
Disclosure of confidential data (Damage: Varies; Likelihood: High)
  Example: Failure to use test data or to control access to assessment results.
IPS alarms / blockage (Damage: Low-Medium; Likelihood: Medium)
  Example: Some group of users locked out for hours (based on IP address).
Account lockouts (Damage: Low; Likelihood: High)
  Example: Test account locked out.
Disruptive load on system (Damage: Low; Likelihood: Low)
  Example: System slow for all users until cause determined and attacks slowed. Solution: Can be avoided by throttling.
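One way to turn the two risk tables above into an enforceable scan policy, as an added example that is not from the Cenzic slides or the Hailstorm product: check names, the account and path blacklist patterns, and the environment labels are constructed; the damage and likelihood ratings are taken from the table rows named in the comments.

```python
# Added example (not Cenzic code): a scan policy that encodes the risk tables.
# Against production only low-damage checks run, privileged accounts and
# real-transaction paths stay out of the crawl, and requests are throttled;
# a virtualized clone of the app (Solution #4) is allowed the full check set.
from dataclasses import dataclass
import re, time

LEVEL = {"very low": 1, "low": 2, "medium": 3, "high": 4}

@dataclass(frozen=True)
class Check:
    name: str
    damage: str      # worst case from the table's Damage column
    likelihood: str  # the table's Likelihood column

# Constructed check list; the comment names the table row each rating comes from.
CHECKS = [
    Check("spider admin/privileged accounts", "high", "high"),    # corruption of key data
    Check("form injection, gentle ramp", "high", "high"),         # junk shared data (Low-High)
    Check("junk data in own test account", "low", "high"),        # junk non-shared data
    Check("blind SQL / SQL disclosure", "high", "low"),           # major loss of data
    Check("buffer overflow / format string", "high", "very low"), # system non-restartable
    Check("throttled request load", "low", "low"),                # disruptive load
]

# Constructed patterns: privileged accounts and real-transaction endpoints.
BLACKLIST = [re.compile(p) for p in (r"^admin", r"^root$", r"/checkout", r"/order")]

def allowed_checks(environment: str, max_damage: str = "low"):
    """Production gets only checks rated at or below max_damage; a clone gets all."""
    if environment == "virtual-clone":
        return list(CHECKS)
    return [c for c in CHECKS if LEVEL[c.damage] <= LEVEL[max_damage]]

def in_scope(account: str, path: str) -> bool:
    """Blacklisted accounts and paths never enter the crawl or receive test traffic."""
    return not any(p.search(account) or p.search(path) for p in BLACKLIST)

class Throttle:
    """Caps the request rate so a scan cannot become the 'disruptive load' row."""
    def __init__(self, per_second: float):
        self.interval = 1.0 / per_second
        self.next_at = 0.0
    def wait(self, now=None) -> float:
        """Seconds to sleep before the next request; advances the schedule."""
        now = time.monotonic() if now is None else now
        delay = max(0.0, self.next_at - now)
        self.next_at = max(now, self.next_at) + self.interval
        return delay
```

Raising max_damage to "medium" or "high" for a production target is the explicit, reviewable decision the tables ask for, rather than a scanner default.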
-
How Can You Best Test Production Apps?
80% or more of all the Web applications are actively deployed and in use
Until recently, testing production applications for Web security could affect or corrupt the database and/or the application
How can you continuously test your production environment to stay ahead of the hacker curve?
Solution #1: Safe Attacks
Solution #2: Moderate Attacks
Solution #3: Unsafe Attacks
Solution #4: Virtualization via VMware
-
Testing Production Apps Directly
[Slide chart: Production Apps plotted by Breadth (# of apps, 0 to 1,000+) against Depth (% checked for vuln, 0 to 100), showing Soln #1 Safe Attacks, Soln #2 Moderate Attacks and Soln #3 Unsafe Attacks.]
-
Attaining Breadth & Depth in Web Application Security
[Slide chart: the same Breadth (# of apps, 0 to 1,000+) and Depth (% checked for vuln, 0 to 100) axes, showing Safe Attacks on All Apps, Dev / QA Testing and Virtualized Application Testing.]
-
Cenzic Hailstorm ARC integrated with VMware Lab Manager
[Slide diagram: VMware managed servers (ESX hosts) and ARC servers, with AEE, exchanging the numbered steps below.]
1. Enumerate library
2. Prepare to test
3. Request deploy
4. Deploy
5. Assess
6. Request undeploy
-
VMware Lab Manager / Virtual Center
Two choices for virtualization:
VMware Lab Manager
VMware Virtual Center
Settings screen for VMware Lab Manager (applies to ARC deployment)
-
Cenzic Provides Solution Choices
Solution 1: Virtualize all apps including production for testing (most value)
Solution 2: Virtualize QA and Dev for testing
Solution 3: Conduct safe attacks on production (least value)
[Slide diagram: Production and Pre-Production (Dev, QA, Staging) tiers, labelled with the three solutions.]
-
Application Security Best Practices
[Slide chart: Risk (Low to High) against Application Security Posture (Reactive to Proactive), stepping through the stages below.]
1 time test: Dev / QA
Continuous testing: Dev / QA
1 time test: Dev / QA / Prod (Safe Tests)
Continuous testing: Entire SDLC
-
Questions?
Lars Ewe, CTO / VP of Engineering