Top 3 Ways to Improve Web App Security in AWS

Upload: amazon-web-services

Post on 07-Jul-2015


DESCRIPTION

In this session you will learn why you need to shift from vulnerability detection only to a holistic web application defense strategy. We’ll outline the top three ways to improve your web app security and share how others have developed an integrated, comprehensive strategy that reduces costs and improves the balance between security and app functionality.

TRANSCRIPT

Page 1: AWS Webcast - Top 3 Ways to Improve Web App Security

Top 3 Ways to Improve Web App Security in AWS

Page 2: AWS Webcast - Top 3 Ways to Improve Web App Security

Ryan Holland

Sr Manager, Partner Solution Architects

Amazon Web Services

Page 3: AWS Webcast - Top 3 Ways to Improve Web App Security

AWS Foundation Services

Compute Storage Database Networking

AWS Global Infrastructure Regions

Availability Zones

Edge Locations

Client-side Data Encryption

Server-side Data Encryption

Network Traffic Protection

Platform, Applications, Identity & Access Management

Operating System, Network & Firewall Configuration

Customer applications & content

Customers

Security & Compliance is a Shared Responsibility

Customers are responsible for their security IN the Cloud

AWS is responsible for the security OF the Cloud

Page 4: AWS Webcast - Top 3 Ways to Improve Web App Security

AWS Foundation Services

Compute Storage Database Networking

AWS Global Infrastructure Regions

Availability Zones

Edge Locations

Client-side Data Encryption

Server-side Data Encryption

Network Traffic Protection

Platform, Applications, Identity & Access Management

Operating System, Network & Firewall Configuration

Customer applications & content

Culture of security and continual improvement

Ongoing audit and assurance program

Your content

Your controls

AWS Marketplace

Security & Compliance is a Shared Responsibility

Customers

Page 5: AWS Webcast - Top 3 Ways to Improve Web App Security

Every customer has access to the same security capabilities

AWS maintains a formal control environment

• SOC 1 (SSAE 16 & ISAE 3402) Type II (was SAS70)

• SOC 2 Security

• ISO 27001 Certification

• Certified PCI DSS Level 1 Service Provider

• FedRAMP (FISMA), ITAR, FIPS 140-2

• HIPAA and MPAA capable

Foundation Services

Compute Storage Database Networking

AWS Global Infrastructure Regions

Availability Zones

Edge Locations

Page 6: AWS Webcast - Top 3 Ways to Improve Web App Security

Let AWS take care of the heavy lifting for you

Facilities

Physical security

Compute infrastructure

Storage infrastructure

Network infrastructure

Virtualization layer (EC2)

Hardened service endpoints

Rich IAM capabilities

Network configuration

Security groups

OS firewalls

Operating systems

Applications

Proper service configuration

AuthN & acct management

Authorization policies

(Figure: AWS-provided layers + Customer-managed layers)

Customers get to choose the right level of security for their business. As an AWS customer you can focus on your business and not be distracted by the muck.

Page 7: AWS Webcast - Top 3 Ways to Improve Web App Security

AWS partners can help you build secure solutions

Facilities

Physical security

Compute infrastructure

Storage infrastructure

Network infrastructure

Virtualization layer (EC2)

Hardened service endpoints

Fine-grained IAM capability

(Figure: AWS-provided layers + AWS partner solutions = Your secure AWS solutions)

These products and more are available on the AWS Marketplace: WAF, VPN, IPS, AV, API gateways, data encryption, user management

Page 8: AWS Webcast - Top 3 Ways to Improve Web App Security

Top 3 Ways to Improve Web App Security in AWS

Dawn Smeaton

Product Marketing, Web App Security

Page 9: AWS Webcast - Top 3 Ways to Improve Web App Security

Cloud Security is a Shared Responsibility

Copyright 2014 Trend Micro Inc.

Cloud Service Provider

Facilities

Physical security

Physical infrastructure

Network infrastructure

Virtualization infrastructure

Cloud User

Operating System

Applications

Data

Identity & Access

Security Groups

Page 10: AWS Webcast - Top 3 Ways to Improve Web App Security

Anti-malware

Intrusion Prevention

Host Firewall

Integrity Monitoring

Log Inspection

Application Scanning

Data Encryption

ADAPTIVE: Intelligent, dynamic provisioning & policy enforcement

CONTEXT: Workload & application-aware

SCALABLE: Auto-detects new instances and rapidly applies security

PLATFORM: Comprehensive capabilities across data center & cloud


Page 11: AWS Webcast - Top 3 Ways to Improve Web App Security

Web Apps are a Favorite Target


Easy to develop exploits

High value of data

Page 12: AWS Webcast - Top 3 Ways to Improve Web App Security

Ripped from the headlines


1.2 billion internet credentials stolen by Russian hackers

4.5 million healthcare records stolen by exploiting the Heartbleed vulnerability

Page 13: AWS Webcast - Top 3 Ways to Improve Web App Security

SQL Injection example

1. Application presents a form

2. Attacker enters a SQL query in the form data

3. Application forwards query to database

(Figure: "Account Summary" panel listing Acct:5424-6066-2134-4334, Acct:4128-7574-3921-0192, Acct:5424-9383-2039-4029, Acct:4128-0004-1234-0293)

4. Database runs the attack query and sends encrypted results back to app

5. Application decrypts data as normal and sends results to the attacker

(Figure: login form with Username and Password fields; the query the application builds from the attacker's form input is:)

SELECT * FROM accounts WHERE acct='' OR 1=1--'

Confidential | Copyright 2013 Trend Micro Inc.
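The five steps above, as an added example that is not part of the webcast: a Python script with an in-memory SQLite table (constructed sample rows, not the slide's data) that builds the query by string concatenation the way the vulnerable application does, runs the slide's `' OR 1=1--` input against it, and then runs the same input through a parameterized query, which is the code-level fix. The table name `accounts` and column `acct` follow the slide's query; the other columns, the sample rows and the function names are assumptions.

```python
import sqlite3

# Constructed sample data for this example; not the figures from the slide deck.
SAMPLE_ACCOUNTS = [
    ("5424-6066-2134-4334", "alice", 120.00),
    ("4128-7574-3921-0192", "bob", 80.50),
    ("5424-9383-2039-4029", "carol", 310.25),
]


def make_db():
    """Build a throwaway in-memory database standing in for the app's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (acct TEXT PRIMARY KEY, owner TEXT, balance REAL)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, acct):
    """Step 3 of the slide: the form field is pasted straight into the SQL text,
    so the database cannot tell data from syntax."""
    sql = f"SELECT acct, owner, balance FROM accounts WHERE acct='{acct}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, acct):
    """The fix: the value is bound as a parameter, so whatever the user typed is
    compared as a literal string and can never change the query's structure."""
    sql = "SELECT acct, owner, balance FROM accounts WHERE acct=?"
    return conn.execute(sql, (acct,)).fetchall()


# The input from the slide: closes the quote, adds an always-true condition,
# and comments out the rest of the statement.
SLIDE_INPUT = "' OR 1=1--"


def demo():
    """Return the three result sets side by side for comparison."""
    conn = make_db()
    return {
        "normal": lookup_vulnerable(conn, "4128-7574-3921-0192"),
        "vulnerable": lookup_vulnerable(conn, SLIDE_INPUT),
        "parameterized": lookup_parameterized(conn, SLIDE_INPUT),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s) -> {rows}")
```

Run it directly to see the three result sets: the concatenated query returns every row, because `OR 1=1` is always true and `--` comments out the closing quote, while the parameterized query treats the whole input as one literal account string and returns nothing. Step 4's encryption does not help here; the database is executing exactly the statement it was handed.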

Page 14: AWS Webcast - Top 3 Ways to Improve Web App Security

Web App Vulnerabilities

Injection

Broken authentication

XSS

Sensitive data exposure

Cross site request forgery

Insecure direct object references

Security misconfiguration

Missing Function level access control

Unvalidated redirects

Technical Impacts

Site defacement

Access to databases & internal networks

Loss of sensitive data

Google search blacklisting

Malware

User accounts hijacked

Web server availability

Business Impacts

Damage to brand reputation

Loss of customer trust

Revenue loss

Fail PCI Compliance

The impact of vulnerabilities can be huge


Page 15: AWS Webcast - Top 3 Ways to Improve Web App Security

Top Three ways to improve Web App Security

1. Expand Detection

2. Strengthen Defenses

3. Centralize Visibility


Page 16: AWS Webcast - Top 3 Ways to Improve Web App Security

1. Expand Detection

Page 17: AWS Webcast - Top 3 Ways to Improve Web App Security

Expand Detection

Operating System (Known Vulnerabilities)

Web Server (Known Vulnerabilities)

Web Apps


Page 18: AWS Webcast - Top 3 Ways to Improve Web App Security

Different vulnerabilities need different approaches

Technical Flaws

• Automated tools crawl websites, imitating user interaction to find errors in code, malware or links to inappropriate sites

• Find common coding errors like SQL injection, cross site scripting, ineffective security controls

Logical Flaws

• Looking at the site in context to find potential weaknesses

• Manual testing uncovers flaws that are difficult or impossible to find with automated tools


Page 19: AWS Webcast - Top 3 Ways to Improve Web App Security

Demo

Page 20: AWS Webcast - Top 3 Ways to Improve Web App Security

2. Strengthen Defenses

Page 21: AWS Webcast - Top 3 Ways to Improve Web App Security

Traditional web app protection

• Detects & blocks malicious activity at the platform (web server and OS)

• Virtual patching from some offerings can shield discovered platform vulnerabilities without requiring code updates, patches, or configuration fixes

• Analyzes traffic, including SSL-encrypted communication

• Rules govern application behavior and block attacks without requiring app modification

• Can help with PCI-DSS compliance

Approaches: Web Application Firewall (WAF), Intrusion Prevention
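An added example, not code from the webcast or from any vendor's product, showing the "rules govern application behavior and block attacks without requiring app modification" bullet in working Python: a minimal request-inspection function applies a rule set to incoming requests and returns an allow/block verdict. The rule names, regular expressions, request dictionaries and field names are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    fields: tuple  # which request fields this rule inspects


# Constructed rule set for illustration (hypothetical; not any product's signatures).
# Each rule targets one of the vulnerability classes named earlier in the deck.
RULES = (
    Rule("sqli-tautology", re.compile(r"'\s*or\s+1\s*=\s*1", re.I), ("query", "body")),
    Rule("xss-script-tag", re.compile(r"<\s*script\b", re.I), ("query", "body")),
)


def inspect(request):
    """Return the name of the first rule a request trips, or None if it passes.

    Values are URL-decoded once before matching, so a percent-encoded payload
    cannot slip past a rule written for the decoded form.
    """
    for rule in RULES:
        for field in rule.fields:
            value = unquote_plus(request.get(field, ""))
            if rule.pattern.search(value):
                return rule.name
    return None


# Constructed sample traffic: a legitimate lookup, a login attempt carrying the
# slide's injection string, a reflected-XSS probe, and a benign query containing
# the word "or" to show the rule needs the quote context, not just the keyword.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/account", "query": "acct=4128-7574-3921-0192", "body": ""},
    {"method": "POST", "path": "/login", "query": "", "body": "user=%27+OR+1%3D1--&pass=x"},
    {"method": "GET", "path": "/search", "query": "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E", "body": ""},
    {"method": "GET", "path": "/report", "query": "sort=order+by+date", "body": ""},
]


def evaluate(requests=SAMPLE_REQUESTS):
    """Map each request to (path, 'block' or 'allow', matched rule or None)."""
    results = []
    for req in requests:
        hit = inspect(req)
        results.append((req["path"], "block" if hit else "allow", hit))
    return results


if __name__ == "__main__":
    for path, verdict, rule in evaluate():
        print(f"{verdict:5} {path:10} {rule or ''}")
```

The shield sits in front of the application, so blocking and logging work without touching application code; that is what makes virtual patching useful as a stopgap while a fix is written. Pattern rules are brittle, though: they catch the textbook form of an attack, and a differently encoded or rephrased variant may not match, so the application-level fix (parameterized queries, output encoding) is still required, and the rule mainly buys time and records the attempts.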


Page 22: AWS Webcast - Top 3 Ways to Improve Web App Security

3. Continuous Visibility

Page 23: AWS Webcast - Top 3 Ways to Improve Web App Security

Web App security that fits the cloud

Hosting on AWS provides agility & scalability

BUT… AWS requires pre-approval before scanning

UNLESS you use an AWS pre-authorized scanner like Trend Micro

(Figure: www.example.com served by Elastic Load Balancing in front of an Auto Scaling group of EC2 instances running the web app server, each with a root volume and a data volume, inside a security group)

Page 24: AWS Webcast - Top 3 Ways to Improve Web App Security

Demo

Page 25: AWS Webcast - Top 3 Ways to Improve Web App Security

Continuous Visibility

• Need actionable insights

• Reduce number of solutions

– App scanning

– Manual testing

– Platform scanning

– SSL

• Understand countermeasures available in overall security architecture


“Single dashboard takes lots of info and boils it down to make it easy to consume and share”

Page 26: AWS Webcast - Top 3 Ways to Improve Web App Security

Trend Micro Delivers Unparalleled Web App Security

1. Comprehensive Detection: Automated scanning of applications and platforms, plus app logic testing by security experts

2. AWS Pre-authorized Scanner: No manual scan approvals required, Trend Micro is pre-authorized to scan web apps hosted on AWS

3. Integrated Management: Cloud-based, centralized single console for scanning, SSL certificates and protection


Page 27: AWS Webcast - Top 3 Ways to Improve Web App Security

Get Started!

• Schedule a personal product demo

• Get a free trial – Scanning of up to 3 web apps in AWS, including full vulnerability report and SSL certificates

Request your trial at

webappsecurity.trendmicro.com


Page 28: AWS Webcast - Top 3 Ways to Improve Web App Security

Q&A