Presentation for the PHP Benelux group
TRANSCRIPT
© 2012 Sebyde BV
Protect your image & brand
Application Security
Who we are
SEBYDE (se-bie-de)
– Secure by Design
Derk Yntema
– 20+ years of experience in ICT and IT security
– IT management architect
– Portfolio manager security
Rob Koch
– 20+ years of experience in account management at software companies and in the telecom industry
IBM business partner
IBM authorised reseller
Gartner: 75% of all attacks on web sites and web applications target the application level and not the infrastructure.
The Dutch developer
“The Dutch developer works more iteratively (agile) than linearly (waterfall).”
(source: automatiseringsgids, 10th May 2012)
Internet has changed the world
Is ICT Security important?
The world has changed
– We work differently: “Het nieuwe werken” (the new way of working), BYOD
– More data in more applications
Internet
– Remote access to business networks
– Wireless Networks / Mobile applications
– Popular apps: email, WhatsApp, LinkedIn, Facebook, etc.
Hackers change their tactics
– Infrastructure -> applications
– The risk of digital theft keeps growing …
Internet / Web-based applications
Internet has become a very important business platform
– B2C
– B2B
Businesses use the Internet for marketing, communication, customer service, customer care, etc.
2011:
– 2,3 billion Internet users;
– 85% buy online;
– $ 200 billion turnover worldwide;
Applications are “Web-based” or “Web-facing”
Webshops
[Chart: number of webshops in NL (axis 0 – 40,000) and turnover of online shopping in NL (in billion euro, axis 0 – 12)]
The Dutch developer
“The Dutch developer uses little to no supporting resources in the preliminary phase: when gathering requirements, or when making a design. A formal use case method (UML) is very seldom used. Tools like Requisite Pro, ClearCase, Rational Rose, Visual Paradigm are hardly ever used.”
(source: automatiseringsgids, 10th May 2012)
Cybercrime
Cybercrime has surpassed illegal drug trafficking as a criminal moneymaker
Every 3 seconds an identity is stolen
Without security, your unprotected PC can become infected within four minutes of connecting to the internet
It is often facilitated by crime-ware programs such as keystroke loggers, viruses, rootkits or Trojan horses.
Software flaws or vulnerabilities often provide the foothold for the attacker. For example, criminals controlling a website may take advantage of a vulnerability in a Web browser to place a Trojan horse on the victim's computer.
The reality …
Cybercrime is no temporary phenomenon
Two “leagues”: Junior and Major
If you think safety is expensive … try an accident
Criminals look differently at the value of assets
Effective security needs a short and long term approach
100% security is an illusion … prevention is key !
The “Tone at the top” is important
Source: summary of the KPMG Advisory NV report “Een genuanceerde visie op cybercrime. Nieuwe perspectieven vragen om actie”
TNO: damage from cybercrime: € 10 billion yearly
Cybercrime damage NL: 10 – 30 billion / year
9% aimed at web applications: 0,9 – 2,7 billion
60% SQL injection / XSS: 0,5 – 1,6 billion
Vulnerabilities in websites
[Chart: probability of vulnerability classes found in websites. Bars in descending order: 64%, 64%, 43%, 24%, 17%, 15%, 14%, 14%, 14%, 10%. Classes listed: Information leakage, Cross Site Scripting, Content Spoofing, Cross Site Request Forgery, Brute Force, Insufficient authorisation, Predictable Resource Location, SQL Injection, Session fixation, Abuse of functionality]
The Dutch developer
“Release management is generally accepted. Coding standards are commonly used.”
(source: automatiseringsgids, 10th May 2012)
Target organisations
Financials
– Internet banking
– Financial transactions
Industries
– SCADA networks
Companies
– IP
– Merger & takeovers
– Customer data
Governments
– Espionage
– Identity fraud
Hosting providers
– Image
– Outages
Application developers
– Liability
– High development costs
Healthcare
– Privacy (WBP; EU privacy act)
IBM’s X-Force Report 2011: 41% of all security incidents are caused by Web applications.
Damage
Reputation / Brand
– Defacement
– Costs: ????
– Indirect (ISP)
Liability claims
Information damage
Theft
– Financial
– Business information
– Privacy info
– Identity
System outage
– Availability
81% of Web applications do not comply with the PCI-DSS standard (Payment Card Industry Digital Security Standard).
But still ….
Security is not my responsibility.
Security? “That is done by the ICT department”
I do not work with computers so I can’t be hurt!
I don’t work with sensitive information.
Our company is not a target.
I am not a target!
What can they steal here?
We have several firewalls.
We are safe, we have security guidelines.
It is not our responsibility, we have outsourced our IT.
We use the cloud, so our cloud provider has arranged security.
On average, every 1,000 lines of code has at least 5 to 15 defects (United States Department of Defense)
I am no target?
Febelfin
– Belgian federation of the financial sector
http://www.youtube.com/watch?v=F7pYHN9iC9I
“What can they get here?”
“We will not be hacked!”
“We have firewalls”
“We have procedures!”
Security in real life
We have to
– Government
– Noted on exchange (NYSE)
– Law and directives
– Privacy
– Industry standards
Incidents
– Reactive
Fear
– Panic
Testing is done for
– Functionality
– Performance
Google: over 2 million searches every month on “how to hack”.
The Dutch developer
“Too little time is spent on testing. Still, testing, traditionally done at the end of development, is being compromised.”
(source: automatiseringsgids, 10th May 2012)
Focus shift hackers
From: Infrastructure
To: Applications
75% of all hacks are performed on Web applications / Websites
From Chinese walls to integrated security
More facts …
60-80% of the Web applications / Websites have a minimum of one security weak point.
75% of all hacks are performed on Web applications / Websites
IDC Research: 25% of all companies are “exploited” via a weak spot in Web Application security.
Unaware users are infected by websites that carry malware.
Google: >2 million searches every month on “how to hack”, on downloading hacking tools, etcetera.
Why are applications unsafe?
Time to market
– Business pressure
– Project budget
Software is complex
– Windows 7 contains 50 million lines of code
Networking
– Internet technology
Globalizing
– Software comes from everywhere
Extensibility
– Java VM, .NET, …etc.
No education
Chinese walls
– False sense of security
Security awareness
– Continuous process
– Attitude / behavior
Software ages
Application security is not sexy
OWASP top ten
1) SQL-Injection
2) Cross Site Scripting (XSS)
3) Broken Authentication and Session Management
4) Insecure Direct Object References
5) Cross Site Request Forgery (CSRF)
6) Security Misconfiguration
7) Failure to Restrict URL Access
8) Unvalidated Redirects and Forwards
9) Insecure Cryptographic Storage
10) Insufficient Transport Layer Protection
60% of all attacks !!!
1. Injection
Ability to inject command strings into
– Database (SQL)
– Operating System
– LDAP
– Directories
Vulnerability
The best way to determine whether an application is vulnerable to injection is to check whether input data is kept separate from the command or query. Poor error handling makes an injection vulnerability easy to detect.
Example
The application uses non-validated data when composing the SQL call:
String query = "SELECT * FROM accounts WHERE custID = '" + request.getParameter("id") + "'";
The attacker changes the 'id' parameter in their browser and sends: ' or '1'='1. The query then returns all records from the accounts database instead of just one customer's.
http://example.com/app/accountView?id=' or '1'='1
In the worst case, the attacker can invoke stored procedures to copy the entire database or even take control of the operating system.
Mitigation
For SQL calls, this means using static queries or stored procedures. Avoid dynamic SQL!
Pass data to commands as parameters. Note that parameters can also be used improperly.
Validate input against a white list: only allow what you know.
Apply strict access control to what an application may do on systems; least privilege.
Tip:
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
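As an added example (not from the presentation, and written in Python with SQLite instead of the slide's Java), the concatenated query from the slide beside a white-list-validated, parameterised version; the accounts rows, the digits-only custID format and the function names are constructed for the demo:

```python
import re
import sqlite3

# Constructed sample data standing in for the slide's "accounts" table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [("1001", "alice", 500), ("1002", "bob", 1200), ("1003", "carol", 80)])
    return conn

# VULNERABLE: the request parameter is glued into the SQL text, so the data
# is not kept separate from the command (the slide's Java example).
def account_view_vulnerable(conn, cust_id):
    query = "SELECT * FROM accounts WHERE custID = '" + cust_id + "'"
    return conn.execute(query).fetchall()

# White list (assumed format): a customer id is 1-10 digits, nothing else.
CUST_ID = re.compile(r"[0-9]{1,10}")

# HARDENED: white-list validation first, then a parameterised query so the
# value reaches SQLite as data and can never change the statement.
def account_view_hardened(conn, cust_id):
    if not CUST_ID.fullmatch(cust_id):
        raise ValueError("invalid customer id")
    return conn.execute("SELECT * FROM accounts WHERE custID = ?", (cust_id,)).fetchall()

# Parameterisation alone, without the white list: the payload is merely a
# customer id that does not exist, so no rows come back.
def account_view_parameterised(conn, cust_id):
    return conn.execute("SELECT * FROM accounts WHERE custID = ?", (cust_id,)).fetchall()

# Run the modified "id" value from the slide against all three versions.
def demo(payload="' or '1'='1"):
    conn = make_db()
    leaked = len(account_view_vulnerable(conn, payload))   # every row in the table
    try:
        account_view_hardened(conn, payload)
        rejected = False
    except ValueError:
        rejected = True
    return leaked, rejected, account_view_parameterised(conn, payload)

if __name__ == "__main__":
    print(demo())   # (3, True, [])
```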
The pressure mounts
Government
– EU
– NCSC
Law & regulations
– Privacy law (CBP)
– Industry regulations (PCI-DSS, Basel III, NEN7510)
What can we do
Prevent
– Awareness
– Design & build secure
Reduce
– Monitor
– Manage
Transfer
– Insurance
Accept
The Dutch developer
“Documenting is reluctantly done. This is considered the most annoying aspect of the work.”
(source: automatiseringsgids, 10th May 2012)
Complete security
People
Process
Security
Secure by Design
Technology
People
Zero incident culture
Security awareness
– Training
– Education
– Awareness
– Motivation
– Attitude
From “unconscious unsafe” to “unconscious safe”
Security awareness must rest in the cortex
IDC research: 25% of all companies are “exploited” via a weak spot in their Web Application security.
Awareness: Information has value
Customer data
annual figures, the profit forecast
(Re)modelling plans
Employee data
Tenders and contracts
Bookkeeping
Phone & email lists
“Smoelenboek” (staff photo directory)
Adding security during coding costs 6.5 times more than architecting it during the software design process.
Unconscious unsafe
Conscious unsafe
Conscious safe
Unconscious safe
What to achieve?
Not only doing the right things, but do things right
Attitude
Behavior
Training
Education
Instruction
Repetition
The Dutch developer
“The appeal to the creativity and solving logical problems is considered to be the best aspect of his work, more fun than delivering a useful product.”
(source: automatiseringsgids, 10th May 2012)
Processes
Policy
– Laws and regulations
– Guidelines, standards, rules
Organisation
– Helpdesk
– CERT-team
Processes
– Identity/access management
– Incident management
– Patch management
– SDLC
IDC research: 25% of all companies are exploited through a weak spot in their Web Application security.
Check
Evaluate
Analyse
Resolve
Prevent: Test
Manual
Automated
Black box
White box
Network
– Pentesting
Systems
Applications
– Dynamic
– Source code
Design
Secure by Design
Development
Static testing
Test phase
Acceptance testing
Deployment phase
Dynamic testing
Test early!
Testing early saves a lot of money: 80% of development costs are spent on finding and solving problems.
Solving a vulnerability in the production phase costs 100 times more than addressing it in the design phase.
[Chart: relative cost of fixing a vulnerability per phase: 1x, 6,5x, 15x, 100x; in production also loss of customer trust, lawsuits and brand damage]
Test often
New releases
– Application
– Infrastructure
Periodic
– every half year or year
Framework upgrades
Integral part of the Software Development Life Cycle (UTAP)
Technology
Network
– Zoning (i.e. DMZ)
– Firewalls, IPS, WAF
Systems
– Hardening
– Access control
– Updates / Patching
– Malware scanners
Applications
– Testing
– Audits
– Secure by Design
Why secure coding
Governance
– Manageability
Risk
– Reputation
Compliance
– PCI-DSS
– Privacy law
– EU directive
Efficiency
– Early on security saves money
About the Dutch developer
“Repetitive tasks, like testing, are the most annoying aspect of the work.”
(source: automatiseringsgids, 10th May 2012)
Best practices
Prevention is key; test early & often
Validate all input and output
Deny by default, Fail Secure (closed)
Fail Safe
Make it simple (KISS)
Defense in depth
Only as secure as your weakest link
Wrong: “Security by obscurity”
https://www.owasp.org/index.php/How_to_write_insecure_code
Important sources
OWASP www.owasp.org
SANS www.sans.org
NCSC www.ncsc.nl
CVE http://cve.mitre.org/
www.waarschuwingsdienst.nl
Contact us
E-mail [email protected]
Web www.sebyde.nl
Twitter http://www.twitter.com/SebydeBV
LinkedIn http://www.linkedin.com/company/sebyde-bv
Facebook http://facebook.com/SebydeBV
Prezi http://t.co/eKr7VzE8