Static and Dynamic Technologies for Securing Web Applications
Omri Weisman, Manager, Static Analysis Group, IBM Rational Software, [email protected]
Dec 14, 2010
IBM IL
Web Applications are the greatest risk to organizations
Web application vulnerabilities represented the largest category in vulnerability disclosures
In 2009, 49% of all vulnerabilities were Web application vulnerabilities
SQL injection and Cross-Site Scripting are neck and neck in a race for the top spot
Source: IBM Internet Security Systems 2009 X-Force® Year End Trend & Risk Report
What is the Root Cause?
1. Developers not trained in security
- Most computer science curricula have no security courses
- Focus is on developing features
- Security vulnerability = BUG
2. Under-investment from security teams
- Lack of tools, policies, process
- Lack of resources
3. Growth in complex, mission-critical online applications
- Online banking, commerce, Web 2.0, etc.
Result: Application security incidents are on the rise
Security Testing Within the Software Lifecycle
SDLC stages: Coding, Build, QA, Security, Production
Most issues are found by security auditors prior to going live.
[Chart: % of Issues Found by Stage of SDLC]
Security Testing Within the Software Lifecycle
SDLC stages: Coding, Build, QA, Security, Production
Desired Profile
[Chart: % of Issues Found by Stage of SDLC]
IBM Rational AppScan Suite – Comprehensive Application Vulnerability Management
Lifecycle stages: Requirements, Code, Build, QA, Pre-Prod, Production, Security
Products: AppScan Standard, AppScan Source, AppScan Tester, AppScan Build, AppScan Enterprise, AppScan Reporting Console, AppScan onDemand
- Security Requirements Definition: security requirements defined before design & implementation
- Build security testing into the IDE
- Automate security / compliance testing in the build process
- Security / compliance testing incorporated into testing & remediation workflows
- Outsourced testing for security audits & production site monitoring
- Security & Compliance: testing, oversight, control, policy, audits
- Application Security Best Practices – Secure Engineering Framework
Black Box: “Hacker in a box”
- Requires running site
- Crawl, Test, Validate
- AppScan Standard Ed.
White Box: “Automated code review”
- Requires source-code/bytecode
- Source-to-Sink Analysis
- AppScan Source Ed.
White-Box: Source-to-Sink Analysis
[Diagram: Sources, Sinks, Sanitizers]
Undecidable problem
Many injection problems:
• SQL Injection
• XSS
• Log Forging
• Path Traversal
• Code Execution
• …
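The source-to-sink model on this slide, as an added example that is not from the presentation or from AppScan: a minimal straight-line taint analysis over Python's ast module that tracks data from sources to sinks and treats a sanitizer call as a cleansing point. The SOURCES/SINKS/SANITIZERS rule set and the sample handlers are constructed for the illustration; the "undecidable problem" shows up as the approximations it makes (no branches, loops, or calls between functions).

```python
import ast
# Constructed sample (not from the slides): one unsanitized flow, one sanitized, one log sink.
SAMPLE = '''
def bad(request, cursor):
    name = request.args.get("name")
    q = "SELECT * FROM users WHERE name = '" + name + "'"
    cursor.execute(q)

def good(request, cursor):
    safe = escape_sql(request.args.get("name"))
    cursor.execute("SELECT * FROM users WHERE name = '" + safe + "'")

def audit(request, logger):
    entry = request.args.get("id")
    logger.info("lookup " + entry)
'''
# Hypothetical rule set: where untrusted data enters, where it is dangerous, what cleans it.
SOURCES = {"request.args.get"}
SINKS = {"cursor.execute": "SQL Injection", "logger.info": "Log Forging"}
SANITIZERS = {"escape_sql"}

def is_tainted(expr, tainted):
    """Can source data reach expr (via a tainted local, concatenation or method calls) unsanitized?"""
    if isinstance(expr, ast.Call):
        callee = ast.unparse(expr.func)  # e.g. 'request.args.get'
        if callee in SANITIZERS:
            return False                 # sanitizer output is treated as clean
        if callee in SOURCES:
            return True
        recv = [expr.func.value] if isinstance(expr.func, ast.Attribute) else []
        return any(is_tainted(a, tainted) for a in expr.args + recv)
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    return any(is_tainted(c, tainted) for c in ast.iter_child_nodes(expr))

def find_flows(src):
    """Per function, walk statements in order; report sink calls fed by source data as (function, line, kind)."""
    findings = []
    for fn in [n for n in ast.parse(src).body if isinstance(n, ast.FunctionDef)]:
        tainted = set()
        for stmt in fn.body:
            if isinstance(stmt, ast.Assign):
                names = {t.id for t in stmt.targets if isinstance(t, ast.Name)}
                tainted = tainted | names if is_tainted(stmt.value, tainted) else tainted - names
            elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
                kind = SINKS.get(ast.unparse(stmt.value.func))
                if kind and any(is_tainted(a, tainted) for a in stmt.value.args):
                    findings.append((fn.name, stmt.lineno, kind))
    return findings
```

Running find_flows(SAMPLE) reports the unsanitized SQL flow in bad and the log-forging flow in audit, and nothing for good, whose value passed through the sanitizer.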
Black-Box vs. White-Box – Paradigm
Black Box: cleverly “guesses” behaviors that may demonstrate vulnerabilities
White Box: examines an infinite number of behaviors in a finite approach (approximation)
Black-Box vs. White-Box – Perspective
Black Box:
- Works as an attacker
- HTTP awareness only
- Works on “the big picture”
White Box:
- Resembles code auditing
- Inspects the small details
- Hard to “connect the dots”
[Figure callout: SQL Injection Found]
Black-Box vs. White-Box – Prerequisite
Black Box:
- Any deployed application
- Mainly used during testing stage
White Box:
- Application code
- Mainly used in development stage
Black-Box vs. White-Box – Compatibility
Black Box:
- Oblivious to languages, platforms
- Different communication protocols require attention
White Box:
- Different languages require support
- Some frameworks too
- Oblivious to communication protocols
Black-Box vs. White-Box – Scope
Black Box: exercises the entire system
- Servers (Application, HTTP, DB, etc.)
- External interfaces
- Network, firewalls
White Box: identifies issues regardless of configuration
Black-Box vs. White-Box – Time/Accuracy Tradeoffs
Black Box:
- Crawling takes time
- Testing mutations takes (infinite) time
White Box:
- Refined model consumes space, and time…
- Analyzing only “important” code
- Approximating the rest
Black-Box vs. White-Box – Accuracy Challenges
Black Box challenge: cover all attack vectors
White Box challenge: eliminate non-exploitable issues
Black Box OR White Box?
Security Testing Technologies... Combination Drives Greater Solution Accuracy
Static Analysis (Whitebox): Automated Code Review
Dynamic Analysis (Blackbox): Hacker in a box
[Venn diagram: Total Potential Security Issues; Dynamic Analysis; Static Analysis; Best Coverage]
Smarter security for a smarter planet