What? Why? Who? How? Of Application Security Testing

Upload: eurostar-software-testing-conference

Post on 17-Jul-2015


TRANSCRIPT

What? Why? Who? How? Of Application Security Testing

Presented by: Declan O’Riordan

@DeclanTestingIT

www.eurostarconferences.com

Application Security

What is Application Security? I tried ISO 27001

Threat growth

Source: Verizon

2013 - 20% more breaches

2012 - 30% higher cost per breach

2014 - Commercial cyber security spending $46 billion

What is Application Security? It is NOT Building or Network Security!

84% of attacks target the applications (Source: HP)

90% of sites are vulnerable to application attacks (Source: Watchfire)

What is the money spent on?

Source: OWASP AppSec USA 2014

The Web was not designed to be secure in the beginning. Security features are afterthoughts.

Source: OWASP

I started to understand the #1 risk: Injection

Metacharacters that change how input is interpreted: ' ; < > & | \ space newline

The same characters as HTML entities: &apos; &semi; &lt; &gt; &amp; &vert; &bsol;

Obfuscated payloads built to slip past filters that look for one literal string: <script> <ScRiPt> %00<script> <scr%00ipt> expr/***/ession %3cscript%3e <scr<script>ipt>

Encodings an attacker can stack: HTML encoding, URL encoding, Unicode encoding, Base64 encoding, Hex encoding

What are Application Vulnerabilities?

Source: OWASP

Why Can’t Penetration Testers and Tools take care of Security?

When will the Penetration Tests happen?

Source: OWASP

Using Web Security Scanners to Detect Vulnerabilities in Web Services. Marco Vieira, Nuno Antunes, and Henrique Madeira. CISUC, Department of Informatics Engineering, University of Coimbra, Portugal.

“The differences in the vulnerabilities detected and the high number of false-positives (35% and 40% in two cases) and low coverage (less than 20% for two of the scanners) observed highlight the limitations of web vulnerability scanners on detecting security vulnerabilities in web services.”

Differing results found by scanners:

Coverage is not consistent. Only 21 matching results found.

And so to Firewalls. WWW data is exploding: 2010 = 1.2 zettabytes; 2015 = 7.9 zettabytes; 2020 = 40 zettabytes?

1.2 million variants of malware per day

20%-30% of malware is caught by anti-virus

HP alone sifts through 2.5 billion security events per day

Perimeter / Network defences are failing

Web Application Firewalls, IDS, & IPS filter HTTP conversations by applying rules to block common attacks.

BUT they cannot read HTTPS traffic unless TLS is terminated in front of them (or they are given the keys).

They cannot identify zero-day (new or obfuscated) attacks: a rule has to exist before it can match.

They need significant effort to customize and maintain.

Methods of attack and defence change over time.

Attackers are using asymmetric economics

Why is Application Security important?

Make that 153m accounts

Why does it take so long to find out?

Source: Verizon

Who is targeted?

Source: Verizon

Who should be doing what?

• We can reverse the asymmetric economics

• Security experts are experts in security, not your system!

• We are the experts in our applications.

• We can build security into the whole SDLC.

• We need to understand the subject.

• Identify what can be done now, and what requires experts.

• We need to make everyone aware of application security.

How?

I became familiar with ‘the’ Top 10 Risks

I created Application Security Testing Procedures and Development Guidelines

Apply the defences!

Validate Security Requirements

Now get Everyone on board!