
© 2007 IBM Corporation

Anthony Lim MBA CISSP FCITIL

Director Asia Pacific, Watchfire

IBM Rational, Singapore www.watchfire.com

WEB APPLICATION Q.A.- Ensuring Secure & Compliant Web Services

- YOUR LAST LINE OF DEFENSE

© 2007 IBM Corporation IBM Confidential


Prologue: Watchfire – Situation of the world today

■ HIGH DEPENDENCE ON INTERNET AND WEB SERVICES TODAY

– For work, leisure and communications

– Intranets, Extranets, SOA

• B2B, SCM, CRM, ERP, membership portals, e-Government services

– B2C, C2C (Yahoo, Amazon, eBay) – shopping and transactions

• Internet banking, E*Trade, theater tickets, travel reservations, web mail, gaming…

– Community Portals / Social Networking – Google, MySpace, YouTube, BLOGS!

■ NO TANGIBLE PROTECTION FOR WEB APPLICATIONS TODAY

– Firewalls, IPS, SSL and other network security devices do not stop web traffic: they are deployed to let it through, so an attack carried inside a well-formed HTTP request passes with it

– Hackers specifically target web services / applications / sessions today to try to steal or compromise information and databases

■ SECURITY PEOPLE DO NOT USUALLY HAVE SDLC EXPERIENCE

– Software developers do not usually want to have anything to do with security


State of the Application Security Market

BJ's Settles Case with FTC over Customer Data (June 17, 2005) – After credit card data for thousands of customers was used to make fraudulent purchases in other stores, BJ's Wholesale Club Inc. has agreed
FTC alleges weak security at wholesale club led to fraudulent sales valued in the millions

Visa, Amex Cut Ties with CardSystems (July 19, 2005) – Visa USA Inc. and American Express Co. are cutting ties with the payment-processing company that left 40 million credit and debit card accounts vulnerable to hackers in one of the biggest breaches of consumer data

Massive Security Breach Reveals Credit Card Data (Jan 18, 2007) – The TJX Companies, a large retailer that operates more than 2,000 retail stores under brands such as Bob's Stores, HomeGoods, Marshalls, T.J. Maxx and A.J. Wright, said on Wednesday that it suffered a massive computer breach on a portion of its network that handles credit card, debit card, check and merchandise transactions in the United States and abroad.

CNBC's Easy Money – BusinessWeek uncovers that the cable channel's own design flaw may be behind the investigation into its million-dollar stock-picking contest

USDA admits data breach, thousands of social security numbers revealed (Thursday, 17 April 2007, AXcess News, Washington) – The US Department of Agriculture (USDA) admitted that a security breach allowed social security and other personal information of over 63,000 recipients of federal farm loans to be made available on a public website in violation of Federal privacy laws.


The Security Journey Continues

• New and more applications, services and systems bring:

-> Vulnerabilities

-> Hacking methods

-> Viruses, Worms, RATs (Trojans, Spyware)

-> GOVERNANCE & COMPLIANCE!

NEW AREAS OF IT SECURITY WEAKNESS ARISE ALL THE TIME


It Gets Worse

• WAP, GPRS, EDGE, 3G • 802.1x • Broadband


Sheer Volume of Applications Keeps You From Getting Ahead of the Problems

1. Security Team Has Become a Bottleneck

2. Lack of Control and Visibility

3. Catching Problems Late in the Cycle

4. Not Monitoring Deployed Applications

5. Difficulty Managing 3rd Party Vendors

Have to do more with less, still; risk is high, accountability is prevalent


The Myth: "Our Site Is Safe"

We Use Network Vulnerability Scanners – they test the host and its listening services and neglect the security of the custom software running on the network/web server

We Have Firewalls in Place – ports 80 & 443 are open for the right reasons, so an attack carried inside an HTTP request goes straight through

We Audit It Once a Quarter with Pen Testers – applications are constantly changing, so a quarterly snapshot is stale as soon as the next release ships

We Use SSL Encryption – it only protects data in transit between site and user, not the web application itself; a malicious request is encrypted just as faithfully as a legitimate one


SO WHY ARE THESE HAPPENING? Don't they already have firewalls etc.?


Real Example: Parameter Tampering – reading another user's transaction (insufficient authorization)

Another customer's transaction slip is revealed, including the email address


Parameter Tampering – reading another user's invoice

The same customer's invoice, which reveals the address and contact number
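The two slides above show the same defect twice: the server fetches whatever transaction id the client puts in the URL and never asks whether the logged-in user owns it. The following is an added example written for this transcript, not code from the presentation or from AppScan; the in-memory slip store, the user names and the `/viewslip?txn=` URL shape are constructed for the demo. It places the vulnerable lookup next to the fixed one and replays the tampering step so the difference in the response is visible.

```python
"""Insufficient authorization via parameter tampering (the "view another
customer's slip" case), with the missing ownership check added.

Added example, not code from the presentation. The store, users and URLs
are constructed for the demo.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass(frozen=True)
class Slip:
    txn_id: int
    owner: str          # account that created the transaction
    email: str
    address: str
    amount: str


# Constructed sample data; there is no real customer behind these records.
SLIPS = {
    1001: Slip(1001, "alice", "alice@example.com", "1 Orchard Rd", "120.00"),
    1002: Slip(1002, "bob", "bob@example.com", "2 Marina Blvd", "75.50"),
}


def lookup_vulnerable(txn_id: int, session_user: str):
    """The flaw on the slide: the slip is fetched by the id taken from the URL
    and the logged-in user is never consulted, so changing txn=1002 to
    txn=1001 returns someone else's slip."""
    return SLIPS.get(txn_id)


def lookup_checked(txn_id: int, session_user: str):
    """Same lookup with ownership enforced server-side against the session,
    never against anything the client sent. 'Not found' and 'not yours' are
    collapsed into one answer so the id space cannot be probed for existence."""
    slip = SLIPS.get(txn_id)
    if slip is None or slip.owner != session_user:
        return None
    return slip


def handle_view_slip(query: str, session_user: str, enforce_ownership: bool) -> dict:
    """Simulates GET /viewslip?txn=<id> for an authenticated user and returns
    an HTTP-like response dict. enforce_ownership selects the fixed lookup."""
    params = parse_qs(query)
    try:
        txn_id = int(params.get("txn", [""])[0])
    except ValueError:
        return {"status": 400, "body": "invalid txn parameter"}
    lookup = lookup_checked if enforce_ownership else lookup_vulnerable
    slip = lookup(txn_id, session_user)
    if slip is None:
        # 404 rather than 403: do not confirm to the caller that the id exists.
        return {"status": 404, "body": "no such transaction"}
    return {"status": 200,
            "body": f"{slip.owner} {slip.email} {slip.address} {slip.amount}"}


def tamper(attacker: str, victim_txn: int) -> tuple:
    """Replays the slide's scenario: the attacker is logged in and rewrites the
    txn parameter to a neighbouring id. Returns the status codes the vulnerable
    and the fixed handler give for the same request."""
    query = f"txn={victim_txn}"
    before = handle_view_slip(query, attacker, enforce_ownership=False)
    after = handle_view_slip(query, attacker, enforce_ownership=True)
    return before["status"], after["status"]


if __name__ == "__main__":
    # bob is logged in and asks for alice's slip 1001
    print(handle_view_slip("txn=1001", "bob", enforce_ownership=False))  # leaks alice's data
    print(handle_view_slip("txn=1001", "bob", enforce_ownership=True))   # 404
    print(tamper("bob", 1001))
```

Where the slips live in a database, put the owner into the query itself (`WHERE txn_id = ? AND owner = ?`) rather than fetching and filtering afterwards; in either form the identity must come from the server-side session, not from a field in the request. Random, unguessable transaction ids only slow down enumeration and do not replace the check.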


The Fact: Attacks are targeted at a new area

Sources: Gartner, IDC, Watchfire

                                        % of Attacks    % of Security Spending
Web Applications                        75%             10%
Network / Server, infrastructure        25%             90%
& services

In an organization, IT Security people and developers are poles apart


Top Hack Attacks Today Target Web Services


Web Application Hacks are a Business Issue

Application Threat                 | Negative Impact               | Potential Business Impact
Forceful Browsing / SQL Injection  | Unauthorized Site/Data Access | Misdirect customers to bogus site; read/write access to customer databases
Parameter Tampering                | Fraud, Data Theft             | Alter distributions and transfer accounts
Stealth Commanding                 | Access O/S and Application    | Access to non-public personal information, fraud, etc.
Cross Site Scripting               | Identity Theft                | Larceny, theft, customer mistrust
Debug Options                      | Admin Access                  | Unauthorized access, privacy liability, site compromised
Hidden Fields                      | Site Alteration               | Illegal transactions
Cookie Poisoning                   | Session Hijacking             | Larceny, theft
Buffer Overflow                    | Denial of Service (DoS)       | Site Unavailable; Customers Gone


Regulation & Compliance: SARBANES-OXLEY, HIPAA, BASEL II …

■ It is part of doing business

■ Business Continuity

■ An environment of TRUST

– For doing business

– Ensure orderliness in the Internet world

– Promote economic growth

■ More than just Confidentiality, Integrity and Availability

■ Privacy – 3rd party customer data


Governance addresses Web Application Security
Example: PCI – BEST PRACTICE BECOMES STANDARD BECOMES LAW (BY 06-2008)

■ Visa's PABP (Payment Application Best Practices), a list of auditable statements regarding the secure development, deployment and documentation of cardholder data processing software, is being converted to a new PCI security standard: PASS, Payment Application Security Standard.

■ Requirement 11.2: Run internal and external vulnerability scans

– At least quarterly

– After any significant change in the network

■ Requirement 11.3: Perform penetration testing at least once a year

– 11.3.1 Network-layer penetration tests

– 11.3.2 Application-layer penetration tests

■ Requirement 6: Develop and maintain secure systems and applications

– Requirement 6.6: Ensure that all web-facing applications are protected against known attacks by having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security (PCI DSS 1.1 lists installing an application-layer firewall in front of web-facing applications as the alternative way to meet 6.6)

Card brands: Visa, MasterCard, AMEX


Why would anyone want to attack a web site?

[Demo screenshot: a search box and a login form, username "anthony", password masked]


Info Security Landscape

Desktop – Antivirus Protection

Transport – Encryption (SSL)

Network – Firewalls / Advanced Routers

Web Applications – Application Security, covering the Web Servers, Application Servers, Databases and Backend Server behind the firewall


Security Testing Within the Software Lifecycle

SDLC stages: Coding → Build → QA → Security → Production, with developers owning the coding and build stages


Watchfire Appscan - Intuitive UI


Identify Vulnerabilities


Actionable Fix Recommendations


Watchfire Acquisition Rationale

Security and compliance integrity risks have serious adverse impacts on a company's identity, customer relations and business results.

We are strengthening the IBM security management portfolio by acquiring an industry-leading provider of application security and compliance testing solutions to offer a complete end-to-end security solution across Rational, Tivoli and Global Services.

■ 75% of the cyber attacks today are at the application level, with only 10% of security spend¹

■ 80% of organizations will experience an application security incident by 2010²

■ Internal security attacks cost US business $400 billion per year³

■ 64% of CIOs feel that the most significant challenge facing IT organizations is Security, Compliance and Data Protection⁴

¹ ² Watchfire analysis with analyst support

³ CSI/FBI Survey 2005

⁴ IBM Service Management Market Needs Study, March 2006


IBM Rational & Watchfire Product Synergy

Across the SDLC (Requirements → Design → Code → Build → QA → Security → Compliance):

Watchfire: WebXM (privacy, quality, accessibility); AppScan & AppScan Enterprise; AppScan QA & ASE Integration; ASE QuickScan

IBM Rational: RequisitePro; Rose, RAM, Software Architect; RAD, ClearCase, Build Forge; ClearQuest, CQTM, RFT, RPT


Rational Software Quality Solutions

SOFTWARE QUALITY SOLUTIONS spanning Development, Operations and Business:

• Test and Change Management – Rational RequisitePro (requirements), Rational ClearQuest (test, change, defects)

• Test Automation

– Developer Test: Rational PurifyPlus, Rational Test RealTime

– Functional Test (automated): Rational Functional Tester Plus, Rational Functional Tester, Rational Robot

– Functional Test (manual): Rational Manual Tester

– Performance Test: Rational Performance Tester

– Security and Compliance Test: AppScan, WebXM

• Quality Metrics – Project Dashboards, Detailed Test Results, Quality Reports


AppScan with QA Defect Logger for ClearQuest


AppScan / IBM Rational CQTM Integration – 2H07


Watchfire Company Overview

■ Who we are:

– IDC & Gartner: market leader in application security for 2005 and 2006

– Provider of application security and compliance software and services

– Nearly 1000 companies rely on Watchfire

■ Background:

– 200 employees, headquartered in Boston, MA

– Created the first commercially packaged application security testing product

– Products include:

• Application security solutions – AppScan

• Privacy, quality and compliance solutions – WebXM

#1 in Market Share for Application Security – Gartner & IDC (twice); Best Security Company


Nearly 1000 Companies Depend On Watchfire

• 8 of the Top 10 Technology Brands

• 7 of the Top 10 Pharma / Clinical Companies

• Multiple Large Government Agencies – Veterans Affairs, Navy, Army, Air Force, Marines

• 9 of the Top 10 Largest U.S. Retail Banks

Common traits: large, complex web sites; extensive customer data; highly regulated; high user volume


Security Industry Leaders Use and/or Work with Watchfire Solutions in Their Work

Consultants and Researchers; Technology Companies (EDS, more …)


Conclusion: Application QA for Security

■ The Application Must Defend Itself

– You cannot depend on the firewall or infrastructure security to do so

■ Bridging the GAP between software development and information security

■ QA testing for security has never before been integrated and strategic, until now

■ We need to move security QA testing earlier in the SDLC

– Finding problems at the production or pre-production stage is late and expensive to fix


SDLC QA - YOUR LAST LINE OF DEFENSE


Anthony Lim, Watchfire.com / IBM

Q&A

Thank You