Best Quality Application Security

Post on 11-Jun-2020

Page 1: Best Quality Application Security - Quotium · Booz Allen Hamilton Northrop Gruman Sega Bathesda Software Gmail Accounts PBS PBS Vanguard Defence ... Best Quality Application Security

Best Quality Application Security

Agenda

• Introductions

• Cyber is a big word!

• App. Sec Failings

• What App. Sec is

• A Real Solution

• Agile

• Run Time Binary Analysis

• Summary

Software Provider delivering Quality and Excellence into the Application Security and Performance Domains

• Producers of Seeker

• Founders each with over 15 years of experience in information and application security

• 200+ Enterprise Customers

• Offices in London, New York, Paris

Your Speaker

Adam Brown

– UK Manager for

– 15 years in application assurance, performance and security.

– GIAC Certified GWAPT Web Application Penetration Tester

– ISEB Practitioner

– Performance Engineer

– Speaker at industry events on security, testing and performance

Some Exploit Types

Applications Remain Vulnerable

More in the press:

More Famous Web Application Breaches

[Slide: logos of breached organisations with the attack type and business impact of each]

Organisations named: Gamigo, LinkedIn, Epsilon, Sony, Citigroup, Fox News, X-Factor, HB Gary, RSA, L3 Communications, Sony BMG Greece, Lockheed Martin, AZ Police, Turkish Gvt, US Senate, NATO, Nintendo, Peru Special Police, SK Communications Korea, Monsanto, Booz Allen Hamilton, Northrop Grumman, Sega, Bethesda Software, Gmail Accounts, PBS, Vanguard Defence, Malaysian Gvt. Site, SOCA, Brazil Gvt., Spanish Nat. Police, Italian PM Site, IMF, LivingSocial

Attack types: Injection, URL Tampering, Spear Phishing, 3rd Party SW, DDoS, Secure ID, Unknown

Figures shown on the slide:

– 50 million customers' passwords! April 2013

– 6.5m records. 0.5m-1m in initial forensics, 2-3m in remediation

– 11m pwds, 8.2m emails – largest leak of 2012

Business Impact of Attack:

– $170 - $1.5bn, XSS, SQLi + Other Methods

– $66m, Spear Phishing, US National Security

– $2.7m, 360k credit cards, Parameter Tampering

– $225m - $4bn, March 2011, technique undisclosed

Application Security in Numbers

Applications remain vulnerable! Why?

• 75% of attacks aimed at Application Level (Source: Gartner)

• 85% of application vulnerabilities found at source code level (Source: Gartner)

• 90% of Investment at Network Level (Source: OWASP)

• 97% of Applications are Vulnerable (Source: OWASP)

• NIST: 92% of Vulnerabilities are in Applications – not in Networks

App. Sec still a very real problem in 2013

Ponemon 2013 Post Breach Boom Report

Application Security in Context

[Diagram: Network → Servers → Application]

Applications make data useful and are directly connected to the heart of the Organisation.

Networks Present Applications to Hackers – THEY HAVE TO!

Application attacks are a means to an end: Data

• Confidentiality

• Integrity

• Availability

Things we have Tried

False Positives - They Stink!

Application Security Testing Techniques

• Scanning and Static Code Review not Delivering
  – SAST: Static Application Security Testing
  – DAST: Dynamic Application Security Testing
  – Noise & False Positives, False Negatives, Verification Issues
  – 3rd party issues, complexity & time, skills
  – Code at rest, not application

• Focus on Technology Instead of Risk
  – Vulnerability centric, not data centric
  – Injections & technical problems rather than business risk
  – Ignoring application data

• App Pen Testing
  – Can be very thorough
  – How can it fit with Agile?
  – Frequency, scalability, cost.

Secure Software Approaches

SSDL, SDL-Agile, Microsoft's SDL have all been created to attempt to address information security risks coming from software.

Current Techniques – Complex & Heavy

Scanning & Static Code Analysis failings:
  – Examined from Vulnerability Perspective
  – Focus on Injections and Technical Problems
  – Analysis of Code, rather than Application
  – Ignoring Application
  – Focus on Technology instead of Risk

Pen Testing
  – Expensive in Time, Resource and Money

SDL
  – Hard to fit into development lifecycle

Definitions

Application Security is NOT (controls):

  Network – Protocols, Firewalls, Routers, Operating Systems, VPNs and Network Vulnerability Scanners

  Servers (Operating Systems, Web Servers, Application Servers) – Patches, Hardening & Configuration, OS Authentication, Disk Encryption, Infrastructure Vulnerability Scanners / Patch Validation etc.

Application Security IS (controls):

  COTS Web Applications – Application Configuration, Application Level Authentication & Authorisation, Testing Thereof / Secure Software

  Customised COTS Applications & Custom Applications – Application Configuration, Application Level Authentication & Authorisation, Testing Thereof / Secure Software

New OWASP Top 10 in 2013

OWASP Top 10 Calculation

OWASP Top 10 Calculation

What works Really well?

Three Fundamentals to a Security Solution

Move Application Security Left

[Capers Jones Graph: % Bugs on the vertical axis, with curves for % Defects Introduced (peak 85%) and % Defects Discovered, and $ Cost to fix, across the phases Coding, Unit Test, Function Test, System Test and After Release. The cost to fix rises across the phases: $100, $250, $1,000, $16,000.]

Costs and Benefits of Application Security

[Graph: Costs (vertical axis) against Software Security Assurance (horizontal axis), with curves for Cost of Software Security Failures and Cost of Software Security Measures and points A, B, C and D marked.]

Secure ALM

Secure Application Lifecycle Management. Yogi always preferred Salmon to Red Herring!

IAST at its Best: Context and Data

[Diagram of the tiers the IAST agent observes: Front End, Back End, Database]

Presentation Layer: Protocol & Encryption; Encoding & Presentation

Client Side Business Functions; User Libraries; Runtime Libraries; Application Server

Data Layer: Stored Procedures; Data

Agile & Security

• Agile Firms: 37% faster, 30% more profit

• What does this mean for Security?
  – Done the right way mitigates risk
  – Visible progress in right direction
  – Developers more responsive
  – For secure applications we need security by design

• Secure Software = Secure Applications
  – Discovery on eve of delivery is no longer an option
  – Find issues early and test to maturity

Secure Application Lifecycle Management

[Diagram: the iterative delivery loop]

Client → Analysis → Prioritised ‘to do’ list (general view of the project)

Each iteration: Analysis → Develop → Test → Integrate, working from a prioritised ‘to do’ list for this iteration. Fixed Duration Iterations (typically 2 weeks each).

Between iterations: Project REVIEW → Iteration PLANNING → Work procedures review.

Information inside the team / Information outside the team.

On each iteration we work on the items that give us most value, until the list is empty or resources run out (time or money).

‘To do’ things must be done, done.

Output: Working Software Application (and other deliverables); Public Presentation.

All stakeholders should be informed about

Continuous Integration – Check Every Build

[Diagram: Developer and Tester feed the Build Server; the Build / Integration Environment runs the Verification Build, the Integration Tests and the Application Security Tests; findings go to the Bug Tracker.]

RTBA (IAST) Process in SDLC (SALMan)

[Diagram: the Build Server (Control and Scheduling) drives the Integration Environment, where the RTBA tests run and the agents of the Run Time Binary Analyser connect in.]

Build Server steps, in order:

• Start RTBA Capture

• Run Auto Test(s) – the Auto Scripts execute the RTBA tests in the Integration Environment

• Stop RTBA Capture

• Log RTBA Result/Output

• Push RTBA Report
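One way the last two steps (log the RTBA output, push the report to the bug tracker) can gate a build so that every build is checked. This is an added example, not Quotium's or Seeker's code: the report format, the finding fields, the severity policy and the in-memory bug tracker are assumptions, and the two build reports are constructed inline.

```python
import json

# Constructed sample output of two consecutive RTBA runs (hypothetical report format).
BUILD_41_REPORT = json.dumps({"build": 41, "findings": [
    {"type": "SQL Injection", "severity": "high",
     "location": "OrderDao.findByCustomer", "data": "customer_id"},
    {"type": "Verbose Error Page", "severity": "low",
     "location": "ErrorPage.render", "data": "stack trace"},
]})
BUILD_42_REPORT = json.dumps({"build": 42, "findings": [
    {"type": "SQL Injection", "severity": "high",         # same bug, still open
     "location": "OrderDao.findByCustomer", "data": "customer_id"},
    {"type": "Cross-Site Scripting", "severity": "high",  # new in this build
     "location": "ProfileView.render", "data": "display_name"},
]})

FAIL_ON = {"high"}  # severities that block the build (assumed policy)


def finding_key(finding):
    """One bug = same type, same code location, same tainted data item, so two
    injections through different parameters into one method stay separate tickets."""
    return (finding["type"], finding["location"], finding["data"])


def gate_build(report_json, tracker):
    """Log the run, file only findings not already in the tracker, and
    return (build_passed, newly_filed_tickets).
    tracker: dict finding_key -> ticket, standing in for the Bug Tracker."""
    report = json.loads(report_json)
    new_tickets = []
    for finding in report["findings"]:
        key = finding_key(finding)
        if key in tracker:
            # Already filed from an earlier build: record the recurrence, no duplicate ticket.
            tracker[key]["seen_in"].append(report["build"])
            continue
        ticket = {"title": f"{finding['type']} at {finding['location']} ({finding['severity']})",
                  "severity": finding["severity"], "seen_in": [report["build"]]}
        tracker[key] = ticket
        new_tickets.append(ticket)
    # Every build is checked: any open finding at or above the threshold fails it,
    # whether it is new in this build or a known ticket that is still unfixed.
    passed = not any(f["severity"] in FAIL_ON for f in report["findings"])
    return passed, new_tickets


if __name__ == "__main__":
    tracker = {}
    for report in (BUILD_41_REPORT, BUILD_42_REPORT):
        ok, filed = gate_build(report, tracker)
        print(json.loads(report)["build"], "passed" if ok else "FAILED", [t["title"] for t in filed])
```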

Summary

“can’t build a secure application without performing security testing on it” (OWASP Testing Guide)

• Vulnerabilities are Software Bugs - Dangerous Ones.

• Application Security is a Quality Issue

• Security Bugs are Complex and must be Fixed at Code level

• Leverage Existing Processes and Resources

• Modern Software Development is and Application Security must be Implicit

Feedback & Questions?

Stand n°15