Virtualizing Application Security:

Post on 30-May-2018

TRANSCRIPT

  • 8/14/2019 Virtualizing Application Security:

    1/22

    www.cenzic.com | 1-866-4-CENZIC (1-866-423-6942)

    Virtualizing Application Security:

    Testing Production Applications

    Lars Ewe, CTO / VP of Engineering

    2/22

    (Diagram: a corporate network path from an Internet client through the firewall to the Web server, App server and Database server, with IDS/IPS (Intrusion Detection and Prevention) in front. Three eras of defence are overlaid: Desktop and Content Security (1980s), Network Security (1990s), Application Security (2000s). Callouts: "Ports 443 & 80 still open"; "Web app layer: 75% of hacker attacks occur here".)

    3/22

    (Diagram: ports 80 and 443.)

    4/22

    Application Security Drivers

    - 400+ new vulnerabilities a month and growing
    - 75% of cyber attacks & Internet security violations are generated through Internet applications. Source: Gartner Group
    - 87% of Websites are vulnerable to attack. Source: SearchSecurity, January 2009
    - Malware on legitimate Websites has doubled in 6 months. Source: IT PRO, 2008
    - $6.6 Million is the average cost of a data breach. Source: Ponemon Institute, January 2009

    5/22

    The First Hacked Site

    6/22

    No One Wants To Be in the Press

    - Who is responsible when a hack occurs?
    - False sense of security
    - Concerns with finding all vulnerabilities
    - Worried

    7/22

    Corporate Application Environment

    - 1000+ applications
    - Mixture of internal & external applications
    - Multiple BUs in multiple countries
    - In-sourced & out-sourced resources
    - Worldwide team with varying degrees of expertise and experience in Web app security

    8/22

    Getting Control Over Security

    (Diagram: the C-Level asks "Will I get hacked?" and Information Security sits between the C-Level and the business units. Each Business Unit has its own Dev and QA groups and its own applications (App 1, App 2, App 3). Environments are split into Production and Pre-Production (Dev, QA, Staging).)

    9/22

    Application Security is NOT a One Time Event but a Discipline Over Time!

    Web Application Security Optimization

    10/22

    Application Development Life Cycle

    Design:  Identify security issues upfront; security training; identify security resources (people and tools); perform a risk analysis.
    Build:   Automated test for vulnerabilities in Q.A.; benchmark against requirements; security training.
    Deploy:  Automated test for vulnerabilities; ongoing updates.
    Operate: Continued testing for new vulnerabilities and for production applications; test new code; ongoing updates.
    Dispose: Ensure that the disposed application doesn't have any links or backdoors into active applications.

    11/22

    The Application Challenge

    - Lots of Web applications
    - Most of them in production (80% or more)
    - Fewer than 5% are being tested against hacker attacks, and then only once
    - People aren't testing. Why?
      - Fear of corrupting production apps
      - Resource constrained
      - Lack of security expertise
      - Too many groups involved
    - Ripe for hackers!

    (Diagram: over 1,000 Web applications; less than 20% in the development or QA stage, about 80% in production and deployed.)

    12/22

    Risks to Testing Production Applications

    Risk | Damage | Likelihood | Notes
    Corruption of key data | High | High | Example: spider/crawling of admin/privileged accounts (needed for the Privilege Escalation SA). Solution: avoid certain accounts and SmartAttacks.
    Junk shared data | Low-High | High | Example: 100 fake sales inquiries. Can be caused by nearly any assessment. Very difficult to avoid. Partial solution: gentle ramp of injection attacks & tools to enable blacklisting.
    Junk non-shared data | Low | High | Example: junk data in my test account that affects only me.
    Collateral damage | High | Medium | Example: passing along attacks/junk data to business partners. Damage/alerts to connected backend systems, potentially even at other companies.
    Major loss of data | High | Low | Example: delete entire table in database. SQL Disclosure and Blind SQL SmartAttacks. Solution: avoid these select attacks and strings.
    System non-re-startable | High | Very Low | Example: attack corrupts backend system configuration. Buffer Overflow, Format String and Application Exception & spider of admin accounts. Partial solution: avoid these attacks.

    13/22

    Risks to Testing Production Applications (contd.)

    Risk | Damage | Likelihood | Notes
    System crash | Medium | Very Low | Example: all users unable to access for 5 minutes. Buffer Overflow, Format String and Application Exception, or almost any activity. Partial solution: avoid these attacks.
    Undesired real transactions | Low-High | High | Example: actually buying a stock. Solution: avoid by fake data or by blacklisting.
    Disclosure of confidential data | Varies | High | Example: failure to use test data or to control access to assessment results.
    IPS alarms / blockage | Low-Medium | Medium | Example: some group of users locked out for hours (based on IP address).
    Account lockouts | Low | High | Example: test account locked out.
    Disruptive load on system | Low | Low | Example: system slow for all users until cause determined and attacks slowed. Solution: can be avoided by throttling.

    14/22

    How Can You Best Test Production Apps?

    - 80% or more of all the Web applications are actively deployed and in use
    - Until recently, testing production applications for Web security could affect or corrupt the database and/or the application
    - How can you continuously test your production environment to stay ahead of the hacker curve?

    Solution #1: Safe Attacks
    Solution #2: Moderate Attacks
    Solution #3: Unsafe Attacks
    Solution #4: Virtualization via VMware
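    The safe/moderate/unsafe split above, together with the mitigations listed in the risk table (excluded privileged accounts, blacklisted transaction and partner URLs, a gentle ramp of injection payloads, request throttling), as an added example that is not Cenzic's code: a policy object that decides which checks a scanner may send to a production target and builds a throttled schedule from it. The module names, tiers, payloads, paths and the `ScanPolicy`/`plan_assessment` API are assumptions made for illustration.

```python
"""Production-safety policy for a web-application scanner (added example).

Tiers follow the deck's Solution #1/#2/#3; the exclusions mirror the risk
table: no privileged accounts, no transaction/partner URLs, a gentle ramp of
injection payloads, and a request throttle. All names below are assumed.
"""
import re
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class Tier(IntEnum):
    SAFE = 1       # read-only probes; no application state should change
    MODERATE = 2   # may leave junk data; run with fake data and a gentle ramp
    UNSAFE = 3     # can delete data or crash the system; never against prod


# Assumed module names, classified by the worst outcome in the risk table.
MODULE_TIERS: Dict[str, Tier] = {
    "crawl": Tier.SAFE,
    "header_check": Tier.SAFE,
    "xss_reflected": Tier.MODERATE,      # "Junk shared data" rows
    "sqli_error_based": Tier.MODERATE,
    "sqli_blind": Tier.UNSAFE,           # "Major loss of data" row
    "buffer_overflow": Tier.UNSAFE,      # "System crash" / "non-re-startable"
    "format_string": Tier.UNSAFE,
}

# Payloads ordered least to most aggressive: the "gentle ramp".
RAMP: Dict[str, List[str]] = {
    "xss_reflected": ["<b>x</b>", "<svg onload=x>", "<script>alert(1)</script>"],
    "sqli_error_based": ["'", "' OR '1'='1", "'; WAITFOR DELAY '0:0:5'--"],
}


@dataclass(frozen=True)
class ScanPolicy:
    max_tier: Tier = Tier.SAFE
    # Accounts the spider must never log in as ("Corruption of key data").
    excluded_accounts: frozenset = frozenset({"admin", "sa", "root"})
    # Paths that trigger real transactions or reach business partners.
    url_blacklist: Tuple[str, ...] = (r"/checkout\b", r"/trade\b", r"/partner/", r"/admin\b")
    ramp_limit: int = 1                  # how far up the ramp MODERATE checks go
    max_requests_per_sec: float = 2.0    # "Disruptive load" row: throttle

    def allows(self, module: str, account: str, url: str) -> Tuple[bool, str]:
        """Decide whether one check may be sent to one URL as one account."""
        tier = MODULE_TIERS.get(module)
        if tier is None:
            return False, f"unknown module {module!r}"
        if tier > self.max_tier:
            return False, f"{module} is {tier.name}; policy caps at {self.max_tier.name}"
        if account in self.excluded_accounts:
            return False, f"account {account!r} is excluded"
        for pat in self.url_blacklist:
            if re.search(pat, url):
                return False, f"{url} matches blacklist {pat!r}"
        return True, "ok"

    def payloads(self, module: str) -> List[Optional[str]]:
        """Truncate the ramp for this policy; modules without a ramp send one probe."""
        ramp = RAMP.get(module)
        return ramp[: self.ramp_limit] if ramp else [None]


# Presets: production gets SAFE only; a virtualized clone gets everything.
PRODUCTION = ScanPolicy()
PRODUCTION_MODERATE = ScanPolicy(max_tier=Tier.MODERATE, ramp_limit=2)
VIRTUALIZED_CLONE = ScanPolicy(max_tier=Tier.UNSAFE, excluded_accounts=frozenset(),
                               url_blacklist=(), ramp_limit=99, max_requests_per_sec=50.0)


def plan_assessment(policy: ScanPolicy, modules: List[str], account: str,
                    urls: List[str]):
    """Build a throttled schedule of (t_offset_seconds, module, url, payload).

    Returns (runnable, skipped); skipped carries the policy's reason so the
    assessment report shows what was NOT tested on production.
    """
    interval = 1.0 / policy.max_requests_per_sec
    runnable, skipped, t = [], [], 0.0
    for module in modules:
        for url in urls:
            ok, why = policy.allows(module, account, url)
            if not ok:
                skipped.append((module, url, why))
                continue
            for payload in policy.payloads(module):
                runnable.append((round(t, 6), module, url, payload))
                t += interval
    return runnable, skipped


if __name__ == "__main__":
    run, skip = plan_assessment(PRODUCTION, ["crawl", "sqli_blind", "xss_reflected"],
                                "qa_test", ["/search", "/checkout"])
    for row in run:
        print("RUN ", row)
    for row in skip:
        print("SKIP", row)
```

    Under `PRODUCTION` only the crawl of `/search` survives: the blind SQL and XSS modules are over the tier cap and `/checkout` is blacklisted. `PRODUCTION_MODERATE` lets the first two rungs of the XSS ramp through at two requests per second, and `VIRTUALIZED_CLONE` removes every restriction, which is the point of testing a clone rather than the live system.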

    15/22

    Testing Production Apps Directly

    (Chart: Depth (% checked for vulnerabilities, 0 to 100) against Breadth (# of apps, 0 to 1,000+) for production apps, plotting Soln #1 Safe Attacks, Soln #2 Moderate Attacks and Soln #3 Unsafe Attacks.)

    16/22

    17/22

    Attaining Breadth & Depth in Web Application Security

    (Chart: same axes as the previous slide, Depth (% checked for vulnerabilities, 0 to 100) against Breadth (# of apps, 0 to 1,000+), plotting Virtualized Application Testing, Safe Attacks on All Apps and Dev / QA Testing.)

    18/22

    Cenzic Hailstorm ARC integrated with VMware Lab Manager

    (Diagram: ARC servers, VMware-managed ESX servers and AEE.)

    1. Enumerate library
    2. Prepare to test
    3. Request deploy
    4. Deploy
    5. Assess
    6. Request undeploy
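    The six-step loop above, as an added example that is not Cenzic's ARC code and does not call VMware's real Lab Manager API: an in-memory stand-in for the lab manager plus the orchestration around it. The two properties worth enforcing in such a loop are that a clone is undeployed even when the assessment fails, and that the unrestricted attack profile reserved for clones can never be aimed at a production hostname. The `LabManager` class, the `*.fenced.lab.internal` clone naming and the production host list are constructed assumptions.

```python
"""Virtualized assessment loop (added example, not Cenzic's ARC or VMware's API).

Follows the six steps on the slide against an in-memory stand-in for the lab
manager. Hostnames and the lab API are constructed assumptions.
"""
from contextlib import contextmanager
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterator, List, Set

PRODUCTION_HOSTS: Set[str] = {"www.example.com", "shop.example.com"}  # assumed


@dataclass
class LabManager:
    """Constructed stand-in: a library of VM configurations and their clones."""
    library: Dict[str, str]                                  # config -> prod host it mirrors
    deployed: Dict[str, str] = field(default_factory=dict)   # config -> clone host
    log: List[str] = field(default_factory=list)

    def enumerate_library(self) -> List[str]:                # step 1
        return sorted(self.library)

    def deploy(self, config: str) -> str:                    # steps 3-4
        if config not in self.library:
            raise KeyError(config)
        if config in self.deployed:
            raise RuntimeError(f"{config} already deployed")
        host = f"{config}.fenced.lab.internal"               # isolated clone address
        self.deployed[config] = host
        self.log.append(f"deploy {config} -> {host}")
        return host

    def undeploy(self, config: str) -> None:                 # step 6
        del self.deployed[config]
        self.log.append(f"undeploy {config}")


def prepare(config: str) -> Dict[str, object]:               # step 2
    """Assessment profile for an isolated clone: nothing is off-limits."""
    return {"config": config, "max_tier": "UNSAFE", "throttle": False}


@contextmanager
def deployed_clone(lab: LabManager, config: str) -> Iterator[str]:
    """Deploy on entry; undeploy on exit, whatever happened in between."""
    host = lab.deploy(config)
    try:
        yield host
    finally:
        lab.undeploy(config)


def assess_library(lab: LabManager,
                   assess: Callable[[str, dict], dict]) -> Dict[str, dict]:
    """Run steps 1-6 for every configuration in the library.

    A failing assessment is recorded, not propagated, so one broken clone
    neither stops the sweep nor leaves its VM deployed.
    """
    results: Dict[str, dict] = {}
    for config in lab.enumerate_library():
        profile = prepare(config)
        with deployed_clone(lab, config) as host:
            if host in PRODUCTION_HOSTS:
                # Defence in depth: an UNSAFE profile must never reach prod.
                results[config] = {"error": "refused: target is a production host"}
                continue
            try:
                results[config] = assess(host, profile)      # step 5
            except Exception as exc:                         # report and carry on
                results[config] = {"error": str(exc)}
    return results


if __name__ == "__main__":
    lab = LabManager(library={"shop-v3": "shop.example.com", "www-v7": "www.example.com"})

    def fake_assess(host: str, profile: dict) -> dict:
        return {"host": host, "findings": 2 if host.startswith("shop") else 0}

    print(assess_library(lab, fake_assess))
    print(lab.log)
```

    The `deployed_clone` context manager is what makes step 6 unconditional: a crashed clone (the "System crash" and "non-re-startable" rows of the risk table, which are harmless here because only the clone dies) still ends with an undeploy entry in the log.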

    19/22

    VMware Lab Manager / Virtual Center

    Two choices for virtualization:
    - VMware Lab Manager
    - VMware Virtual Center

    (Screenshot: settings screen for VMware Lab Manager; applies to ARC deployment.)

    20/22

    Cenzic Provides Solution Choices

    Solution 1: Virtualize all apps including production for testing (most value)
    Solution 2: Virtualize QA and Dev for testing
    Solution 3: Conduct safe attacks on production (least value)

    (Diagram: the three solutions mapped onto Production and Pre-Production (Dev, QA, Staging).)

    21/22

    Application Security Best Practices

    (Matrix: Application Security Posture from Reactive to Proactive against Risk from High to Low. Quadrants: 1 time test, Dev / QA; Continuous testing, Dev / QA; 1 time test, Dev / QA / Prod (Safe Tests); Continuous Testing, Entire SDLC.)

    22/22

    www.cenzic.com | 1-866-4-CENZIC (1-866-423-6942)

    Questions?

    Lars Ewe, CTO / VP of Engineering