Dangerous Internet (newer version)
TRANSCRIPT
®
IBM Software Group
© 2007 IBM Corporation
Dangerous Internet: don't forget the applications
Jan Valdman, BP IBM
IBM Software Group | Rational software
Agenda
- Web Application Security Issues
- Web Application Security Model
- Application Security and Software Development
- Application Security Maturity Model
© 2007 IBA CZ, s.r.o.
Application Security Today
- "Web application vulnerabilities accounted for 69% of vulnerabilities disclosed between July 2005 and June 2006" (Gartner)
- "64% of developers are not confident in their ability to write secure applications" (Microsoft Developer Research)
- "70% of companies today are NOT applying secure application development techniques in their software development practices" (Aberdeen Group, May 2007)
- "90% of applications, when tested, are vulnerable" (Watchfire)
The Reality: Security and Spending Are Unbalanced
Chart (sources: Gartner, Watchfire), % of attacks against % of security dollars by layer: web applications receive 75% of attacks but 10% of spending; the network and server layers receive 25% of attacks but 90% of spending.
- 75% of all attacks on information security are directed at the web application layer
- 2/3 of all web applications are vulnerable
Why Application Security Is a High Priority
Web applications are the #1 focus of hackers:
- 75% of attacks are at the application layer (Gartner)
- XSS and SQL injection are the #1 and #2 reported vulnerabilities (Mitre)
Most sites are vulnerable:
- 90% of sites are vulnerable to application attacks (Watchfire)
- 78% of easily exploitable vulnerabilities affected web applications (Symantec)
- 80% of organizations will experience an application security incident by 2010 (Gartner)
Web applications are high-value targets for hackers: customer data, credit cards, ID theft, fraud, site defacement, etc.
Compliance requirements: Payment Card Industry (PCI) standards, GLBA, HIPAA, FISMA
The Myth: "Our Site Is Safe"
- We have firewalls in place
- We audit it once a quarter with pen testers
- We use network vulnerability scanners
Network Defenses for Web Applications
Diagram of the network-layer controls typically placed in front of a web application: perimeter firewall, intrusion detection system (IDS), intrusion prevention system (IPS), application firewall, and security information and event management (SIEM).
12 Most Frequent Hacker Attacks
- Cookie poisoning
- Hidden field manipulation
- Parameter tampering
- Buffer overflow
- Cross-site scripting
- Backup and debug options
- Forceful browsing
- HTTP response splitting
- Stealth commanding
- 3rd-party misconfiguration
- Known vulnerabilities
- XML and web service vulnerabilities
Going Beyond Pointing out Security Problems
Web Application Environment
Diagram of the stack and the scanner class that covers each layer: web application and web services (web application scanners), web server and operating system (host scanners, network scanners), database (database scanners).
Network vs. Application Security: Complementary
Information security landscape, by layer: desktop (antivirus protection), transport (encryption, SSL), network (firewalls, advanced routers), web applications (web servers, application servers, databases, back-end servers).
Network and application security solutions address different problems; in the IBM portfolio ISS covers the network side and Rational AppScan the web application side.
High-Level Web Application Architecture Review
Diagram: the client tier (browser) on the Internet, with SSL protecting the transport; a firewall protecting the network; the middle tier (web server for presentation, app server for business logic), where the customer application is deployed; and the data tier (database), where sensitive data is stored.
Why Application Security Problems Exist
Root cause:
- Developers are not trained to write or test for secure code.
- Firewalls and IPSs don't block application attacks; port 80 is wide open, and the attack arrives as ordinary HTTP.
- Network scanners (Nessus, ISS, Qualys, Nmap, etc.) won't find application vulnerabilities.
- Network security (firewall, IDS, etc.) cannot stop attacks carried in legitimate HTTP traffic once an organization web-enables an application.
Current state:
- Organizations test tactically, at a late and costly stage in the development process.
- A communication gap exists between security and development, so vulnerabilities are not fixed.
- Testing coverage is incomplete.
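The root-cause slide says firewalls and IPSs don't block application attacks because port 80 is open and the attack is just HTTP, and the attack list earlier names parameter tampering and SQL injection. The Python example below is added here to make that concrete; it is not from the slides or from IBM/Watchfire. It uses a constructed in-memory SQLite users table, a hypothetical /profile?user= endpoint, and a toy port-based perimeter check: the same well-formed GET request passes the perimeter whether it carries the name "bob" or an injection string, and only the application-layer fix (a bound parameter instead of string concatenation) stops it.

```python
import sqlite3
from urllib.parse import parse_qs, urlencode, urlsplit


def make_db():
    """Constructed sample users table (not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Builds SQL by string concatenation: the slot an attacker fills via parameter tampering."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND role = 'user'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, name):
    """Same query with a bound parameter: the value is data and can never become SQL syntax."""
    sql = "SELECT name FROM users WHERE name = ? AND role = 'user'"
    return [row[0] for row in conn.execute(sql, (name,))]


def perimeter_allows(dst_port, payload):
    """Toy packet filter standing in for the perimeter firewall of the slides.

    It decides on the destination port only; the payload is opaque bytes to it,
    so an injection string looks exactly like any other GET to the web server.
    """
    return dst_port in (80, 443)


def build_request(name):
    """A well-formed HTTP/1.1 request carrying the attacker-controlled value (hypothetical endpoint)."""
    query = urlencode({"user": name})
    return f"GET /profile?{query} HTTP/1.1\r\nHost: shop.example\r\n\r\n"


def dispatch(conn, raw_request, handler):
    """Minimal server side: parse the request line, decode the query, call the application handler."""
    request_line = raw_request.split("\r\n", 1)[0]
    method, target, version = request_line.split(" ")
    if method != "GET" or not version.startswith("HTTP/1."):
        return 400, []
    params = parse_qs(urlsplit(target).query)
    return 200, handler(conn, params.get("user", [""])[0])


def run_demo(name):
    """Returns (perimeter_verdict, vulnerable_result, hardened_result) for one user value."""
    conn = make_db()
    raw = build_request(name)
    allowed = perimeter_allows(80, raw.encode())
    _, vuln = dispatch(conn, raw, lookup_vulnerable)
    _, hard = dispatch(conn, raw, lookup_hardened)
    return allowed, vuln, hard


# Classic injection: closes the quoted literal, widens the WHERE clause, comments out the rest.
INJECTION = "bob' OR role = 'admin' --"

if __name__ == "__main__":
    print(run_demo("bob"))      # (True, ['bob'], ['bob'])
    print(run_demo(INJECTION))  # (True, ['alice', 'bob'], [])
```

The perimeter verdict is True in both runs: nothing at the network layer distinguishes the two requests. In the vulnerable handler the injected value rewrites the query to `WHERE name = 'bob' OR role = 'admin'` and leaks the admin account; the hardened handler sends the same bytes to SQLite as a parameter, matches no row, and returns an empty list.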
Application Security Threats
Building Security and Compliance into the SDLC
Diagram: developers build the application, which moves through coding, QA, security, and production.
- Enable security to effectively drive remediation into development
- Provide developers and testers with detection and remediation expertise
- Ensure vulnerabilities are addressed before applications are put into production
Application Security Maturity Model
Chart of maturity over time (duration 2-3 years): Blissful Ignorance, then Awareness Phase, Corrective Phase, and Operations Excellence Phase, with the values 10%, 30%, 30% and 30% shown against the four stages.
Reduced Costs, Increased Coverage
Chart: cost per application tested against application coverage (0% to 100%). Moving from external security testing, to internal tactical testing, to a strategic, operationalized program, cost per application falls and coverage rises.
IBM Rational Application Security Testing Products
AppScan Enterprise: web application security testing across the SDLC
- Application development: test applications as developed
- Quality assurance: test applications as part of the QA process
- Security audit: test applications before deployment
- Production monitoring: monitor or re-audit deployed applications
Backup Slides
IBM Rational in the IBM Security Portfolio
1 - Where are you? (Assess) Understand customer security needs and security exposures.
2 - Keep the bad guys OUT! (Defend) Preemptively protect the enterprise against threats to the infrastructure, confidential data and services.
3 - Let the good guys IN! (Access) Manage and control user identities and access privileges.
4 - Monitor and fix! (Monitor) Centrally manage security events, report on security posture, remediate.
Watchfire solutions (the AppScan products) are placed within this portfolio.
Bad Press Decreases Shareholder Value: one-day market cap drop of $200M.
Build Better and More Secure Applications/Websites
IBM Rational AppScan® automates web application security audits to help ensure the security and compliance of web applications.
- Improve business integrity before you go live: address security issues during the development cycle, before applications go live, where business risk is magnified and costs to remediate are high.
- Reduce application costs by automating manual processes: automate accurate detection of vulnerability and compliance issues, and their remediation, throughout the entire web application lifecycle, from development into operations.
- Comply with government regulations and industry security requirements: incorporates the most comprehensive compliance reporting solution, which generates 41 out-of-the-box regulatory compliance templates and reports.
- Provide a 'core to perimeter' view into enterprise security: add web application security and compliance testing to network-level offerings.
IBM Rational AppScan Vulnerability Detection
AppScan runs the following simulated hacker attacks:
- Cross-site scripting
- HTTP response splitting
- Parameter tampering
- Hidden field manipulation
- Backdoor/debug options
- Stealth commanding
- Forceful browsing
- Application buffer overflow
- Cookie poisoning
- Third-party misconfiguration
- Known vulnerabilities
- HTTP attacks
- SQL injection
- Suspicious content
- XML/SOAP tests
- Content spoofing
- Lightweight Directory Access Protocol (LDAP) injection
- XPath injection
- Session fixation