Static and Dynamic Technologies for Securing Web Applications
Omri Weisman, Manager, Static Analysis Group, IBM Rational Software, [email protected]
Dec 14, 2010
Web Applications are the greatest risk to organizations
Web application vulnerabilities represented the largest category in vulnerability disclosures
In 2009, 49% of all vulnerabilities were Web application vulnerabilities
SQL injection and Cross-Site Scripting are neck and neck in a race for the top spot
Source: IBM Internet Security Systems 2009 X-Force® Year End Trend & Risk Report
What is the Root Cause?
1. Developers not trained in security
Most computer science curricula have no security courses
Focus is on developing features
Security vulnerability = BUG
2. Under investment from security teams
Lack of tools, policies and process
Lack of resources
3. Growth in complex, mission critical online applications
Online banking, commerce, Web 2.0, etc.
Result: Application security incidents are on the rise
Security Testing Within the Software Lifecycle
(Chart: % of Issues Found by Stage of SDLC; stages: Coding, Build, QA, Security, Production)
Most issues are found by security auditors prior to going live.
Security Testing Within the Software Lifecycle
(Chart: % of Issues Found by Stage of SDLC, desired profile; stages: Coding, Build, QA, Security, Production)
Desired Profile: the bulk of issues found in the Coding and Build stages, long before the security audit and production.
IBM Rational AppScan Suite – Comprehensive Application Vulnerability Management
Lifecycle stages: REQUIREMENTS, CODE, BUILD, QA, PRE-PROD, PRODUCTION
- Requirements: Security Requirements Definition; security requirements defined before design & implementation
- Code: AppScan Source; build security testing into the IDE
- Build: AppScan Build; automate security / compliance testing in the build process
- QA: AppScan Tester; security / compliance testing incorporated into testing & remediation workflows
- Pre-Prod: AppScan Standard; security & compliance testing, oversight, control, policy, audits
- Production: AppScan Standard and AppScan onDemand; outsourced testing for security audits & production site monitoring
- Across the lifecycle: AppScan Enterprise and the AppScan Reporting Console, plus Application Security Best Practices (Secure Engineering Framework)
Black Box: "Hacker in a box"
- Requires a running site
- Crawl, Test, Validate
- Product: AppScan Standard Ed.
White Box: "Automated code review"
- Requires source code / bytecode
- Source-to-Sink Analysis
- Product: AppScan Source Ed.
White-Box: Source-to-Sink Analysis
Sources: APIs through which untrusted data enters the application (e.g. HTTP request parameters, headers, cookies)
Sinks: security-sensitive operations that must not receive untrusted data unchanged (e.g. SQL query execution, HTML output, file system access)
Sanitizers: functions that neutralise tainted data for a specific kind of sink (e.g. SQL escaping, HTML encoding); a sanitizer for one sink type does not make the data safe for another
Whether tainted data can reach a sink is, in general, an undecidable problem, so the analysis has to approximate.
Covers many injection problems:
•SQL Injection
•XSS
•Log Forging
•Path Traversal
•Code Execution
•…
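The following is an added example, not code from the deck or from AppScan Source: a toy source-to-sink taint analysis over a small straight-line intermediate representation. The IR, the source/sink/sanitizer tables and the servlet-like sample program are all constructed for this illustration. It shows the three ingredients above working together, and in particular that a sanitizer only closes the vulnerability class it was written for (SQL escaping does nothing against XSS).

```python
"""Toy source-to-sink taint analysis over a tiny straight-line IR.

Added example, not IBM AppScan Source code. The IR, the source/sink/sanitizer
tables and the sample program are constructed for this illustration; the
statement shapes mimic a Java servlet but nothing here parses Java.
"""
from dataclasses import dataclass

# Security model (constructed): where untrusted data enters, where it is
# dangerous, and which transformations neutralise which vulnerability class.
SOURCES = {"request.getParameter", "request.getHeader", "request.getCookies"}
SINKS = {                              # sink API -> vulnerability class
    "Statement.executeQuery": "SQLi",
    "PrintWriter.println": "XSS",
    "Logger.info": "LogForging",
    "new File": "PathTraversal",
}
SANITIZERS = {                         # sanitizer -> classes it neutralises
    "escapeSql": frozenset({"SQLi"}),
    "htmlEncode": frozenset({"XSS"}),
    "stripNewlines": frozenset({"LogForging"}),
}
ALL_CLASSES = frozenset(SINKS.values())


@dataclass(frozen=True)
class Taint:
    source: str          # API the data came from
    origin: int          # IR statement index where it entered
    open: frozenset      # vulnerability classes not yet neutralised


@dataclass(frozen=True)
class Finding:
    vuln_class: str
    source: str
    source_line: int
    sink: str
    sink_line: int


def analyze(program):
    """Propagate taint through a straight-line program and report source-to-sink flows.

    IR statements (tuples):
      ("source", var, api)          var = api(...)      untrusted input
      ("const", var)                var = "literal"     never tainted
      ("assign", dst, src)          dst = src
      ("concat", dst, a, b)         dst = a + b         union of taints
      ("sanitize", dst, src, fn)    dst = fn(src)       removes fn's classes
      ("sink", api, var)            api(var)
    """
    env = {}          # variable -> set of Taint
    findings = []
    for idx, stmt in enumerate(program):
        kind = stmt[0]
        if kind == "source":
            _, var, api = stmt
            env[var] = {Taint(api, idx, ALL_CLASSES)} if api in SOURCES else set()
        elif kind == "const":
            env[stmt[1]] = set()
        elif kind == "assign":
            _, dst, src = stmt
            env[dst] = set(env.get(src, set()))
        elif kind == "concat":
            _, dst, a, b = stmt
            env[dst] = env.get(a, set()) | env.get(b, set())
        elif kind == "sanitize":
            _, dst, src, fn = stmt
            removed = SANITIZERS.get(fn, frozenset())   # unknown fn: conservatively no effect
            env[dst] = {Taint(t.source, t.origin, t.open - removed) for t in env.get(src, set())}
        elif kind == "sink":
            _, api, var = stmt
            cls = SINKS.get(api)
            if cls is None:
                continue
            for t in sorted(env.get(var, set()), key=lambda t: t.origin):
                if cls in t.open:
                    findings.append(Finding(cls, t.source, t.origin, api, idx))
        else:
            raise ValueError(f"unknown statement kind: {kind}")
    return findings


# Constructed sample: one servlet-like method with vulnerable and fixed paths.
SAMPLE_PROGRAM = [
    ("source", "name", "request.getParameter"),      # 0  String name = request.getParameter("name");
    ("const", "prefix"),                              # 1  String prefix = "SELECT * FROM users WHERE name='";
    ("concat", "sql", "prefix", "name"),              # 2  String sql = prefix + name;
    ("sink", "Statement.executeQuery", "sql"),        # 3  stmt.executeQuery(sql);        -> SQLi
    ("sanitize", "safeName", "name", "escapeSql"),    # 4  String safeName = escapeSql(name);
    ("concat", "sql2", "prefix", "safeName"),         # 5  String sql2 = prefix + safeName;
    ("sink", "Statement.executeQuery", "sql2"),       # 6  stmt.executeQuery(sql2);       -> clean
    ("sink", "PrintWriter.println", "safeName"),      # 7  out.println(safeName);         -> XSS (wrong sanitizer)
    ("sanitize", "htmlName", "name", "htmlEncode"),   # 8  String htmlName = htmlEncode(name);
    ("sink", "PrintWriter.println", "htmlName"),      # 9  out.println(htmlName);         -> clean
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_PROGRAM):
        print(f"{f.vuln_class}: {f.source} (stmt {f.source_line}) -> {f.sink} (stmt {f.sink_line})")
```

The sample program yields exactly two findings: SQL injection at statement 3 and XSS at statement 7, while the escaped query at 6 and the HTML-encoded output at 9 are clean. The toy IR has no branches, loops, aliasing or calls, which is precisely what a real analyzer has to approximate; the "undecidable problem" on the slide is what forces those approximations and hence the false positives discussed later in the deck.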
Black-Box vs. White-Box – Paradigm
Black Box:
- Cleverly "guesses" behaviors that may demonstrate vulnerabilities
White Box:
- Examines an infinite number of behaviors in a finite approach (approximation)
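As an added example of the black-box "guessing" paradigm (not code from the deck or from AppScan Standard), the probe below mutates one request parameter and decides, from responses alone, whether the input is being interpreted as SQL. The target is a constructed in-process handler over an in-memory SQLite table standing in for a running site, so everything runs offline; a real scanner would send the same mutations over HTTP and know nothing about the code behind the endpoint.

```python
"""Black-box ("hacker in a box") SQL injection probe against a local toy app.

Added example, not from the original deck. The target is a constructed
in-process request handler backed by an in-memory SQLite database, so the
probe runs offline; a real scanner sends the same mutations over HTTP.
"""
import sqlite3


def make_db():
    """Constructed sample data standing in for the site's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)",
                   [(1, "widget", 9.5), (2, "gadget", 19.0), (3, "gizmo", 4.25)])
    return db


DB = make_db()


def render(rows):
    return "\n".join(f"{r[0]}: {r[1]} {r[2]}" for r in rows) or "no results"


def vulnerable_handler(params):
    """Builds the query by string concatenation: the bug the probe should find."""
    name = params.get("name", "")
    try:
        rows = DB.execute(
            "SELECT id, name, price FROM products WHERE name = '" + name + "'").fetchall()
    except sqlite3.Error as exc:
        return 500, "Database error: " + str(exc)
    return 200, render(rows)


def fixed_handler(params):
    """Same endpoint with a parameterised query; the value never reaches the SQL parser."""
    name = params.get("name", "")
    rows = DB.execute(
        "SELECT id, name, price FROM products WHERE name = ?", (name,)).fetchall()
    return 200, render(rows)


ERROR_SIGNATURES = ("syntax error", "unrecognized token", "Database error")


def probe_sqli(handler, param, benign):
    """Mutate one parameter and look for evidence of SQL injection.

    Two oracles, each compared against a baseline request with a benign value:
      * error-based: the mutated request returns a different status and a body
        carrying a database error signature;
      * boolean-based: appending a true condition leaves the response identical
        to the baseline while a false condition changes it. This validation step
        separates real injection from generic server errors.
    Returns a list of (oracle, payload) tuples; empty means nothing found.
    """
    findings = []
    base_status, base_body = handler({param: benign})

    payload = benign + "'"
    status, body = handler({param: payload})
    if status != base_status and any(sig in body for sig in ERROR_SIGNATURES):
        findings.append(("error-based", payload))

    true_payload = benign + "' AND '1'='1"
    false_payload = benign + "' AND '1'='2"
    true_body = handler({param: true_payload})[1]
    false_body = handler({param: false_payload})[1]
    if true_body == base_body and false_body != base_body:
        findings.append(("boolean-based", true_payload))
    return findings


if __name__ == "__main__":
    print("vulnerable:", probe_sqli(vulnerable_handler, "name", "widget"))
    print("fixed:     ", probe_sqli(fixed_handler, "name", "widget"))
```

Both oracles fire against the concatenating handler and neither fires against the parameterised one. Note what the probe does not know: it never sees the query string, so its coverage is only as good as its payload list and crawl (the "cover all attack vectors" challenge), while the differential validation is what keeps a noisy 500 page from being reported as an injection.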
Black-Box vs. White-Box – Perspective
Black Box:
- Works as an attacker
- HTTP awareness only
- Works on "the big picture"
White Box:
- Resembles code auditing
- Inspects the small details
- Hard to "connect the dots"
(Screenshot: SQL Injection Found)
Black-Box vs. White-Box – Prerequisite
Black Box:
- Any deployed application
- Mainly used during the testing stage
White Box:
- Application code
- Mainly used in the development stage
Black-Box vs. White-Box – Compatibility
Black Box:
- Oblivious to languages and platforms
- Different communication protocols require attention
White Box:
- Different languages require support
- Some frameworks too
- Oblivious to communication protocols
Black-Box vs. White-Box – Scope
Black Box:
- Exercises the entire system: servers (application, HTTP, DB, etc.), external interfaces, network and firewalls
White Box:
- Identifies issues regardless of configuration
Black-Box vs. White-Box – Time/Accuracy Tradeoffs
Black Box:
- Crawling takes time
- Testing mutations takes (infinite) time
White Box:
- A refined model consumes space, and time
- Analyzing only "important" code
- Approximating the rest
Black-Box vs. White-Box – Accuracy Challenges
Black Box challenge:
- Cover all attack vectors (avoid false negatives)
White Box challenge:
- Eliminate non-exploitable issues (avoid false positives)
Security Testing Technologies... Combination Drives Greater Solution Accuracy
Static Analysis (White box): Automated Code Review
Dynamic Analysis (Black box): Hacker in a box
(Venn diagram: Total Potential Security Issues, with Dynamic Analysis and Static Analysis as overlapping subsets; their union gives the Best Coverage)