Nebezpecny Internet Novejsi Verze (Dangerous Internet, newer version)

Page 1

® IBM Software Group
© 2007 IBM Corporation

Nebezpečný internet: nezapomínejte na aplikace
(Dangerous Internet: Don't Forget the Applications)

Jan Valdman, BP IBM

Page 2

IBM Software Group | Rational software

Agenda

Web Application Security Issues
Web Application Security Model
Application Security and Software Development
Application Security Maturity Model

© 2007 IBA CZ, s.r.o.

Page 3

Application Security Today

"Web application vulnerabilities accounted for 69% of vulnerabilities disclosed between July 2005 and June 2006." (Gartner)

"64% of developers are not confident in their ability to write secure applications." (Microsoft Developer Research)

"70% of companies today are NOT applying secure application development techniques in their software development practices." (Aberdeen Group, May 2007)

"90% of applications, when tested, are vulnerable." (Watchfire)

Page 4

The Reality: Security and Spending Are Unbalanced

Layer               % of Attacks    % of Security Spending (Dollars)
Web applications    75%             10%
Network / server    25%             90%

Sources: Gartner, Watchfire

75% of all attacks on information security are directed at the web application layer.
2/3 of all web applications are vulnerable.

Page 5

Why Application Security Is a High Priority

Web applications are the #1 focus of hackers:
  75% of attacks are at the application layer (Gartner)
  XSS and SQL injection are the #1 and #2 reported vulnerabilities (MITRE)

Most sites are vulnerable:
  90% of sites are vulnerable to application attacks (Watchfire)
  78% of easily exploitable vulnerabilities affected web applications (Symantec)
  80% of organizations will experience an application security incident by 2010 (Gartner)

Web applications are high-value targets for hackers: customer data, credit cards, ID theft, fraud, site defacement, etc.

Compliance requirements: Payment Card Industry (PCI) standards, GLBA, HIPAA, FISMA.

Page 6

The Myth: "Our Site Is Safe"

We have firewalls in place.
We audit it once a quarter with pen testers.
We use network vulnerability scanners.

Page 7

Network Defenses for Web Applications

Perimeter:
  Firewall
  IDS (Intrusion Detection System)
  IPS (Intrusion Prevention System)
  Application Firewall
  Security Information and Event Management (SIEM)


Page 9

12 Most Frequent Hacker Attacks

Cookie poisoning
Hidden field manipulation
Parameter tampering
Buffer overflow
Cross-site scripting
Backup and debug options
Forceful browsing
HTTP response splitting
Stealth commanding (OS command injection)
3rd-party misconfiguration
Known vulnerabilities
XML and web service vulnerabilities
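The first three items in that list (cookie poisoning, hidden field manipulation, parameter tampering) share one root cause: the server trusts state that the browser sent back. The Python example below is added here and is not from the slides or from IBM; the shop catalogue, the prices, the form dictionaries, the cookie layout and the signing key are all constructed for illustration. It puts a checkout handler that trusts a hidden price field next to one that recomputes the price from the server-side catalogue, and a plain-text role cookie next to one protected with an HMAC tag.

```python
"""Added example: server-side handling of hidden form fields and cookies.

Hidden field manipulation / parameter tampering and cookie poisoning, each
shown as a vulnerable handler next to a hardened one. Catalogue, prices,
request dictionaries and the signing key are constructed for this example.
"""
import hashlib
import hmac

# Constructed server-side catalogue: the only trustworthy source of prices
# (values in cents).
CATALOGUE = {"sku-100": 49_90, "sku-200": 199_00}

# Constructed signing key; real code loads it from a secrets store.
COOKIE_KEY = b"example-key-do-not-use-in-production"


def checkout_vulnerable(form):
    """Trusts the hidden 'price' field that the browser echoed back.

    Editing the hidden input, or replaying the POST through a proxy, lets the
    user choose their own price: hidden field manipulation.
    """
    qty = int(form["qty"])
    price = int(form["price"])          # client-controlled value
    return qty * price


def checkout_hardened(form):
    """Recomputes the price server-side; the hidden field is ignored.

    The SKU must exist in the catalogue and the quantity is range-checked,
    so neither parameter can be tampered into a useful value.
    """
    sku = form["sku"]
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    qty = int(form["qty"])
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return qty * CATALOGUE[sku]


def make_role_cookie_vulnerable(user, role):
    """Plain-text cookie: 'user=alice;role=user' is trivially rewritten."""
    return f"user={user};role={role}"


def parse_role_cookie_vulnerable(cookie):
    """Believes whatever role the cookie says."""
    fields = dict(part.split("=", 1) for part in cookie.split(";"))
    return fields["role"]


def make_role_cookie_signed(user, role):
    """Cookie body followed by an HMAC-SHA256 tag over the body.

    The client can still read the cookie but cannot change it without the key.
    """
    body = f"user={user};role={role}"
    tag = hmac.new(COOKIE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def parse_role_cookie_signed(cookie):
    """Returns the role, or None when the tag does not match the body."""
    body, _, tag = cookie.rpartition("|")
    expected = hmac.new(COOKIE_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None                       # poisoned or forged cookie
    fields = dict(part.split("=", 1) for part in body.split(";"))
    return fields["role"]


def demo():
    """Runs an honest request and a tampered one through both handlers."""
    # Constructed requests: the form as served, and the same form after
    # the price was edited in an intercepting proxy.
    honest = {"sku": "sku-200", "qty": "1", "price": "19900"}
    tampered = {"sku": "sku-200", "qty": "1", "price": "1"}
    results = {
        "vulnerable_honest": checkout_vulnerable(honest),
        "vulnerable_tampered": checkout_vulnerable(tampered),
        "hardened_tampered": checkout_hardened(tampered),
    }
    # Cookie poisoning: rewrite role=user to role=admin in both cookie styles.
    plain = make_role_cookie_vulnerable("alice", "user").replace("role=user", "role=admin")
    signed = make_role_cookie_signed("alice", "user").replace("role=user", "role=admin")
    results["vulnerable_cookie_role"] = parse_role_cookie_vulnerable(plain)
    results["signed_cookie_role"] = parse_role_cookie_signed(signed)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The signed cookie is only integrity-protected, not confidential: anything sensitive still has to stay on the server, referenced by a random session identifier.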

Page 10

Going Beyond Pointing Out Security Problems

Page 11

Web Application Environment

Layer                            Scanner type
Web application, web services    Web application scanners
Web server                       Network scanners
Operating system                 Host scanners
Database                         Database scanners

Page 12

Network vs. Application Security: Complementary

Info Security Landscape (diagram: firewall, web servers, application servers, databases, backend server)

Layer             Protection
Desktop           Antivirus protection
Transport         Encryption (SSL)
Network           Firewalls / advanced routers (ISS)
Web applications  Rational AppScan

Network and application security solutions address different problems.

Page 13

High-Level Web Application Architecture Review

Client Tier (browser, on the Internet) -> SSL -> Firewall -> Middle Tier: App Server (Presentation, Business Logic) -> Data Tier: Database

SSL protects the transport; the firewall protects the network.
The customer application is deployed on the app server; sensitive data is stored in the database.

Page 14

Why Application Security Problems Exist

Root cause:
  Developers are not trained to write or test for secure code.
  Firewalls and IPSs don't block application attacks: port 80 is wide open for attack.
  Network scanners (Nessus, ISS, Qualys, Nmap, etc.) won't find application vulnerabilities.
  Network security (firewall, IDS, etc.) does nothing once an organization web-enables an application.

Current state:
  Organizations test tactically, at a late and costly stage of the development process.
  A communication gap exists between security and development, so vulnerabilities are not fixed.
  Testing coverage is incomplete.
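The claim that a firewall, IDS or port scanner sees nothing wrong with an application attack is easiest to see on a concrete request. The Python example below is added here and is not taken from the slides; the login handler, the users table, the packet-filter style check and the two raw HTTP requests are constructed for illustration. A tautology payload in the pw parameter passes the filter (it is ordinary HTTP to port 80), logs in against the query built by string concatenation, and fails against the parameterized one.

```python
"""Added example: an application attack that network defenses do not see.

The attack request is syntactically ordinary HTTP; a packet filter allows
it and a port scan shows only an open web server. The defect is in how the
application builds its SQL. The table, the handlers and both requests are
constructed for this example.
"""
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed raw requests, as a firewall or reverse proxy would see them.
# The attack carries the classic tautology payload  x' OR '1'='1  in pw.
ATTACK_REQUEST = (
    "GET /login?user=alice&pw=x%27+OR+%271%27%3D%271 HTTP/1.1\r\n"
    "Host: shop.example\r\n\r\n"
)
HONEST_REQUEST = (
    "GET /login?user=alice&pw=correct-horse HTTP/1.1\r\n"
    "Host: shop.example\r\n\r\n"
)


def open_db():
    """In-memory users table with one constructed account.

    The password is stored in clear only to keep the example short; real
    code stores a salted password hash.
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return db


def parse_request(raw):
    """Returns (path, params) from the request line; headers are ignored."""
    request_line = raw.split("\r\n", 1)[0]
    _method, target, _version = request_line.split(" ")
    parts = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return parts.path, params


def login_vulnerable(db, params):
    """Builds the query by concatenation: the injected quote ends the
    string literal and the rest of the payload becomes SQL."""
    sql = ("SELECT name FROM users WHERE name = '" + params["user"] +
           "' AND pw = '" + params["pw"] + "'")
    return db.execute(sql).fetchone() is not None


def login_hardened(db, params):
    """Parameterized query: the payload stays data and never becomes SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return db.execute(sql, (params["user"], params["pw"])).fetchone() is not None


def firewall_allows(raw):
    """What a port-80 packet filter can check: method, version, Host header.

    Both requests pass; nothing at this layer distinguishes the payload from
    a password that happens to contain quotes.
    """
    request_line, _, headers = raw.partition("\r\n")
    method, _target, version = request_line.split(" ")
    return method in {"GET", "POST"} and version == "HTTP/1.1" and "Host:" in headers


def evaluate(raw):
    """Runs one raw request through the filter and both login handlers."""
    db = open_db()
    _path, params = parse_request(raw)
    return {
        "firewall_allows": firewall_allows(raw),
        "vulnerable_logged_in": login_vulnerable(db, params),
        "hardened_logged_in": login_hardened(db, params),
    }


if __name__ == "__main__":
    print("honest:", evaluate(HONEST_REQUEST))
    print("attack:", evaluate(ATTACK_REQUEST))
```

The same request would also pass a network vulnerability scanner, which probes the server software rather than the application's own query logic; only a test that exercises the login form with hostile input finds this.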

Page 15

Application Security Threats

Page 16

Building Security and Compliance into the SDLC

SDLC stages: Coding -> QA -> Security -> Production (developers build and fix at each stage)

Enable security to effectively drive remediation into development.
Provide developers and testers with expertise in detection and the ability to remediate.
Ensure vulnerabilities are addressed before applications are put into production.

Page 17

Application Security Maturity Model (chart: maturity vs. time; duration 2-3 years)

Phase                         %
Blissful ignorance            10%
Awareness phase               30%
Corrective phase              30%
Operations excellence phase   30%

Page 18

Reduced Costs, Increased Coverage (chart: cost per application tested vs. application coverage, 0% to 100%)

Approaches plotted:
  External security
  Internal tactical
  Strategic, operationalized

Page 19

IBM Rational Application Security Testing Products

AppScan Enterprise: Web Application Security Testing Across the SDLC

Stage                      Activity
Application development    Test applications as developed
Quality assurance          Test applications as part of the QA process
Security audit             Test applications before deployment
Production monitoring      Monitor or re-audit deployed applications

Page 20

Backup Slides

Page 21

IBM Rational in the IBM Security Portfolio: Assess, Defend, Access, Monitor

1 - Where are you? Understand customer security needs and security exposures.
2 - Keep the bad guys OUT! Preemptively protect the enterprise against threats to the infrastructure, confidential data and services.
3 - Let the good guys IN! Manage and control user identities and access privileges.
4 - Monitor and fix! Centrally manage security events, report on security posture, remediate.

Watchfire Solutions

Page 22

Bad Press Decreases Shareholder Value: one-day market cap drop of $200M

Page 23

Build Better and More Secure Applications/Websites

IBM Rational AppScan® automates web application security audits to help ensure the security and compliance of web applications.

Improve business integrity before you go live: address security issues during the development cycle, before applications go live, where business risk is magnified and costs to remediate are high.

Reduce application costs by automating manual processes: automate accurate detection of vulnerability and compliance issues, and their remediation, throughout the entire web application lifecycle, from development into operations.

Comply with government regulations and industry security requirements: incorporates the most comprehensive compliance reporting solution, with 41 out-of-the-box regulatory compliance templates and reports.

Provide a 'core to perimeter' view into enterprise security: add web application security and compliance testing to network-level offerings.

Page 24

IBM Rational AppScan Vulnerability Detection

AppScan runs the following simulated hacker attacks:

cross-site scripting
HTTP response splitting
parameter tampering
hidden field manipulation
backdoor/debug options
stealth commanding
forceful browsing
application buffer overflow
cookie poisoning
third-party misconfiguration
known vulnerabilities
HTTP attacks
SQL injection
suspicious content
XML/SOAP tests
content spoofing
Lightweight Directory Access Protocol (LDAP) injection
XPath injection
session fixation
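One check in that list, HTTP response splitting, illustrates well what a black-box scanner does: it sends an encoded CR LF followed by a canary header and then looks for the canary as a separate header in the response. The Python example below is added here and is neither AppScan's code nor content from the slides; the two redirect handlers, the probe string and the canary name appscan_probe are constructed for illustration.

```python
"""Added example: detecting HTTP response splitting the way a scanner does.

Two constructed redirect handlers build a Location header from the 'next'
parameter. The probe appends an encoded CR LF and a canary header, and the
scan reports a finding when the canary is parsed as a header of its own.
"""
from urllib.parse import unquote


def redirect_vulnerable(next_param):
    """Copies the (already URL-decoded) parameter straight into a header
    and returns the raw response bytes as they would go on the wire."""
    status = "HTTP/1.1 302 Found"
    headers = ["Location: " + next_param, "Content-Length: 0"]
    return ("\r\n".join([status, *headers]) + "\r\n\r\n").encode()


def redirect_hardened(next_param):
    """Refuses any header value containing CR or LF, and pins the target to
    a same-site relative path, which also closes the open-redirect case."""
    bad_request = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    if "\r" in next_param or "\n" in next_param:
        return bad_request
    if not next_param.startswith("/") or next_param.startswith("//"):
        return bad_request
    return ("HTTP/1.1 302 Found\r\nLocation: " + next_param +
            "\r\nContent-Length: 0\r\n\r\n").encode()


def parse_headers(raw):
    """Parses a serialized response as a proxy or browser would: one header
    per CRLF-separated line up to the first blank line.

    Returns (status_line, {lower-case name: value}).
    """
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


# Constructed probe: %0d%0a is CR LF, followed by a canary Set-Cookie header.
# The server URL-decodes it before building the Location header.
PROBE = "/home%0d%0aSet-Cookie:%20appscan_probe=1"


def scan_for_response_splitting(handler):
    """Returns True when the canary surfaces as its own response header."""
    raw = handler(unquote(PROBE))
    _status, headers = parse_headers(raw)
    return headers.get("set-cookie") == "appscan_probe=1"


if __name__ == "__main__":
    print("vulnerable handler:", scan_for_response_splitting(redirect_vulnerable))
    print("hardened handler:  ", scan_for_response_splitting(redirect_hardened))
```

The hardened handler rejects CR and LF outright rather than trying to encode them; the header-setting APIs of current web frameworks do the same, but hand-built responses (CGI scripts, custom servers, proxies that rewrite headers) still need this check.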