Presentation given in Argentina and Paraguay during March 2014: in Argentina by Faustino Sanchez, in Paraguay by Santiago Cavanna. It deals with the problem of the presence of vulnerabilities in applications, the impact they have on organizations, and the means available to discover them early and facilitate their remediation. Links available at http://www.santiagocavanna.com/segurinfo-2014-el-costo-oculto-de-las-aplicaciones-vulnerables/
Santiago Cavanna, IBM Security Systems Argentina-Uruguay-Paraguay, March 2014, [email protected]
The hidden cost of vulnerable applications
The Traditional Approach is Changing… Security is no longer controlled and enforced through the network perimeter
Diagram zones: Trusted Intranet (Online Banking Application, Employee Application) | DMZ | Untrusted Internet
… With Mobile and Cloud There Is No Perimeter. Security must be centered on applications and transactions
Diagram zones: Trusted Intranet (Online Banking Application, Investment API Services, Employee Application) | DMZ | Untrusted Internet (Deliver Mobile App, Consume Apps and Services, Leverage Public Clouds)
media.kaspersky.com/en/business-security/Kaspersky_Global_IT_Security_Risks_Survey_report_Eng_final.pdf
In the past 12 months, 91% of the companies surveyed had at least one external IT security incident and
85% reported internal incidents.
Threats increase along with old and new targets
Web Apps Targeted: 31% of new attacks in 1H 2013 targeted Web app vulnerabilities; 50%+ of Web app vulnerabilities are cross-site scripting (Source: IBM X-Force 2013 Mid-Year Trend and Risk Report)
Mobile Devices Targeted: Mobile devices are twice as appealing, since hackers can obtain personal and business data
Escalating Threats
Mobile Malware Increasing (Source: Juniper Networks Third Annual Mobile Threats Report: 3/12 – 3/13)
A New Security Reality Is Here
83% of enterprises have difficulty finding the security skills they need
85 tools from 45 vendors (IBM client example)
70% of security execs are concerned about cloud and mobile security
Mobile malware grew 614% from March 2012 to March 2013 (in one year)
61% of organizations say data theft and cybercrime are the greatest threats to their reputation
Average U.S. breach cost $7 million+
Sources: 2013 Cost of Cyber Crime Study, Ponemon Institute; 2013 Juniper Mobile Threat Report; 2012 IBM Global Reputational Risk & IT Study; 2013 IBM CISO Survey; 2012 ESG Research
A new security reality is here. Sophisticated attackers break through conventional safeguards every day. Organized criminals, hacktivists, governments and adversaries are compelled by financial gain, politics and notoriety to attack your most valuable assets. Their operations are well-funded and business-like ‒ attackers patiently evaluate targets based on potential effort and reward. Their methods are extremely targeted ‒ they use social media and other entry points to track down people with access, take advantage of trust, and exploit them as vulnerabilities. Meanwhile, negligent employees inadvertently put the business at risk via human error. Even worse, security investments of the past fail to protect against these new classes of attacks. The result is more severe security breaches more often. In fact, 61% of organizations say data theft and cybercrime are the greatest threats to their reputation.1 And the costs are staggering. By one estimate, the average cost of a breach is over $7 million.2
Sources: (1) 2012 Global Reputational Risk & IT Study, IBM; (2) 2013 Cost of Cyber Crime Study, Ponemon Institute

Cloud, mobile, social and big data drive unprecedented change. Businesses are adopting mobile, social, big data and cloud to analyze and share information at unprecedented rates. This influx of new innovation, technologies, and end-points pushes more and more business transactions outside company walls and completely transforms enterprise security as we know it. As the traditional network perimeter permanently dissolves, it is more difficult to defend company data from the increasing gaps in security, and to verify that users accessing data are protected. In one study, 70% of security executives expressed concern about cloud and mobile security.3 Theft or loss of mobile devices, privacy concerns associated with cloud, and accidental sharing of sensitive data are some of the key fears. Without dynamic protection, an organization may spend more time recovering from attacks than it does preventing them. And those who do not prepare for change are leaving their companies dangerously exposed.
Sources: (3) 2013 CISO Survey, IBM; 2013 Juniper Mobile Threat Report

Yesterday's security practices are not sustainable. Up to now, organizations have responded to security concerns by deploying a new tool to address each new risk. Now they have to install, configure, manage, patch, upgrade, and pay for dozens of non-integrated solutions with limited views of the landscape. Costly and complex, these fragmented security capabilities do not provide the visibility and coordination needed to stop today's sophisticated attacks. Moreover, the skills and expertise needed to keep up with a constant stream of new threats are not always available. 83% of enterprises report having difficulty finding the security skills they need.4 And as new risks emerge, the environment will grow more complex and the skills gap wider. 49% of IT executives say that they are challenged by an inability to measure the effectiveness of their current security efforts5 and 31% of IT professionals have no risk strategy at all.6 Many security teams are simply operating in the dark.
Sources: (4) 2012 ESG Research; (5) Security Intelligence Can Deliver Value Beyond Expectations And Needs To Be Prioritized, Forrester; (6) 2013 Global Reputational Risk & IT Study, IBM
Agenda
• IBM as Security Solution Provider
• IBM Security Framework
• X-Force, Security Reports and SecurityIntelligence.com
• Standards and regulations (NIST)
• Challenges for Security team at Application Security.
• Application Security Framework.
• Vulnerabilities at different SDLC stages: dynamic and static analysis.
• Self-assessment and recommendations.
IBM Security Investment
• 6,000+ IBM Security experts worldwide
• 3,000+ IBM security patents
• 4,000+ IBM managed security services clients worldwide
• 25 IBM Security labs worldwide
IBM Security: Market-changing milestones
Capability areas: Mainframe and Server Security; SOA Management and Security; Network Intrusion Prevention; Database Monitoring; Access Management; Application Security; Compliance Management; Identity Management; Advanced Fraud Protection; Security Analytics; Security Intelligence
1976: Resource Access Control Facility (RACF) is created, eliminating the need for each application to embed security
1999: Dascom is acquired for access management capabilities
2002: Access360 is acquired for identity management capabilities; MetaMerge is acquired for directory integration capabilities
2005: DataPower is acquired for SOA management and security capabilities
2006: Internet Security Systems, Inc. is acquired for security research and network protection capabilities
2007: Watchfire is acquired for security and compliance capabilities; Consul is acquired for risk management capabilities; Princeton Softech is acquired for data management capabilities
2008: Encentuate is acquired for enterprise single-sign-on capabilities
2009: Ounce Labs is acquired for application security capabilities; Guardium is acquired for enterprise database monitoring and protection capabilities
2010: BigFix is acquired for endpoint security management capabilities; NISC is acquired for information and analytics management capabilities
2011: Q1 Labs is acquired for security intelligence capabilities
2012: IBM Security Systems division is created
2013: Intent to acquire Trusteer for mobile and application security, counter-fraud and malware detection
IBM Security Framework
http://www.redbooks.ibm.com/abstracts/sg248100.html
X-Force Threat Intelligence: The IBM Differentiator
URL/Web Filtering • Provides access to one of the world's largest URL filter databases containing more than 20 billion evaluated Web pages and images
Anti-Spam • Detect spam using known signatures, discover new spam types automatically, 99.9% accurate, near 0% overblocking
IP Reputation • Categorize malicious websites via their IP address into different threat segments, including malware hosts, spam sources, and anonymous proxies
Web Application Control • Identifying and providing actions for application traffic, both web-based, such as Gmail, and client-based, such as Skype
The mission of X-Force is to:
§ Monitor and evaluate the rapidly changing threat landscape
§ Research new attack techniques and develop protection for tomorrow's security challenges
§ Educate our customers and the general public
Advanced Security and Threat Research
Security Intelligence
http://www-03.ibm.com/security/xforce/ http://securityintelligence.com/
Security functionality examples:
Safeguard patient data
Secure the credit card environment
Protect self-service DMV portal
Protect critical infrastructure for the smart grid
Reduce online banking fraud
Secure data exchange among insurance providers
Control access to auto designs and intellectual property
Standards and Regulations
http://securityintelligence.com/nist-cybersecurity-framework-application-security-risk-management/
v1.0 of the NIST Framework for Improving Critical Infrastructure Cybersecurity. Executive Order 13636 from President Obama was issued on February 12th 2014
Software Risk and the Framework
Software security is a critical component of cybersecurity. If the apps you're running can be exploited, the services they're running are at risk. And though there isn't a special section devoted to applications or building software in the NIST Framework, software is mentioned a number of times and should be addressed as part of the broader cybersecurity program.
Security team challenges
1000s of apps
A small team
What is our application security status? Which are our most important applications?
How many of them have we assessed? Which ones present the highest risk?
Which vulnerabilities should we fix first? What are the most common mistakes developers make?
Applications
Reducing the costs of developing secure applications and assuring the privacy and integrity of trusted information
Portfolio Overview
AppScan Enterprise Edition • Enterprise-class solution for implementing and managing an application security program; includes high-level dashboards, test policies, scan templates and issue management capabilities
• Multi-user solution providing simultaneous security scanning and centralized reporting
AppScan Standard Edition • Desktop solution to automate web application security testing for IT Security, auditors, and penetration testers
AppScan Source Edition • Static application security testing to identify vulnerabilities at the line of code. Enables early detection within the development life cycle.
Application Security Framework
Security Intelligence, Policy and Governance: activity monitoring, context, risk assessment, compliance reporting
Test (Scan & Remediate): Development, eLearning, Correlation, Vulnerability Disclosure, Integrations; Deployment, White/Black Lists, Big Data Analytics, Procurement
Protect (Block & Prevent): Web Application Firewall, Intrusion Prevention, Database Activity Monitoring, Containerization / Sandbox, Dynamic Scanning (light)
Assure (Rank & Validate): Application Reputation, Vendor Rankings, Compliance Scanning, Research Updates…; Static, Dynamic, Binary or Manifest testing based on access
Testing stages: Static Source, Dynamic Pre-Launch, Static Binary, Dynamic Production
Application Testing Services from the Cloud: fully managed service, easy to start and easy to test third-party apps
Mobile Application Testing; Mobile Application Reputation Services
Integrated Solutions, from Development to Deployment: Risk Management and Visibility
Key Trends
The Old Story – Still Valid But There's More…
Find during Development: $80/defect
Find during Build: $240/defect
Find during QA/Test: $960/defect
Find in Production: $7,600/defect
80% of development costs are spent identifying and correcting defects!*
Average Cost of a Data Breach: $7.2M** from lawsuits, loss of customer trust, damage to brand
* Source: National Institute of Standards and Technology ** Source: Ponemon Institute 2009-10
Application Security: Helping to protect against the threat of attacks and data breaches
Finding more vulnerabilities using advanced techniques
Static Analysis: analyze source code; use during development; uses taint analysis / pattern matching
Dynamic Analysis: analyze live web application; use during testing; uses HTTP tampering
Hybrid Analysis: correlate dynamic and static results; assists remediation by identification of the line of code
Client-Side Analysis: analyze downloaded JavaScript code which runs in the client; unique in the industry
Run-Time Analysis: combines dynamic analysis with a run-time agent; more results, better accuracy
(Chart axes: Total Potential Security Issues vs. Applications)
No single automated analysis technique can find all possible vulnerabilities. Each technique has its own strengths and blind spots, which is why a single point tool can leave you exposed. To find the most vulnerabilities, you should employ all the analysis techniques available today. IBM has combined a leading Static Analysis solution (developed by Ounce Labs) with a leading Dynamic Analysis solution (developed by Watchfire), and has since added Hybrid analysis to combine and correlate their results. In 2011, IBM added new techniques for client-side analysis (aka JavaScript Analyzer) and most recently run-time analysis (aka Glassbox).

Static Analysis examines the source code for potential vulnerabilities. Static analysis can be used earlier in the development cycle, because you don't need a running application. Static analysis can also produce a large volume of results, which can overwhelm development teams. Also, developers may question whether an identified vulnerability can be exploited (i.e. the "issue" could be mitigated somewhere else in the code, so it may not manifest itself as a true vulnerability).

Dynamic Analysis tests a running application, by probing it in similar ways to what a hacker would use. With Dynamic Analysis results, it is easier to connect the vulnerability and a potential exploit. Dynamic Analysis is reliant on an ability to automatically traverse an application and test possible inputs. With Dynamic Analysis, the auditor is always asking "did I get proper test coverage?". Because Dynamic Analysis requires a running application, it typically cannot be used until an application is ready for functional testing (i.e. later in the development cycle).

Hybrid Analysis brings together Dynamic and Static to correlate and verify the results. Issues identified using dynamic analysis can be traced to the offending line of code. Issues identified in static analysis can be validated with an external test.

Client-side Analysis (aka JSA) analyzes code which is downloaded to the client. As more functionality is performed client-side, the prospect of client-side vulnerabilities and exploits increases. This capability, new in 2011, is unique in the market.

Run-time Analysis (aka Glassbox) places a run-time agent on the application machine, and analyzes the application as it is being tested. This combines the aspects of Dynamic and Static analysis at run-time, finding more vulnerabilities with greater accuracy. Glassbox analysis was introduced in the most recent release of AppScan, at the end of 2011.
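The taint analysis that the slide and notes describe (untrusted source flowing to a dangerous sink, and the "mitigated somewhere else in the code" question) as an added, self-contained example; this is not AppScan code, and the sample handler, the `request.args.get` / `escape` / `render` names and the source, sanitizer and sink lists are constructed assumptions.

```python
import ast

# Constructed sample handler (hypothetical names): `request.args.get` is the
# untrusted source, `escape` the sanitizer and `render` the HTML output sink.
SAMPLE = '''
def greet(request):
    name = request.args.get("name")
    safe = escape(name)
    page = "<h1>Hello " + name + "</h1>"
    other = "<h1>Hello " + safe + "</h1>"
    render(page)
    render(other)
    render(escape(name))
    render(request.args.get("q"))
'''

SOURCES = {"request.args.get"}   # where untrusted data enters
SANITIZERS = {"escape"}          # calls that neutralize the taint
SINKS = {"render"}               # where tainted data becomes dangerous


def call_name(call):
    """Dotted name of a call target, e.g. 'request.args.get'."""
    parts = []
    node = call.func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


def is_tainted(node, tainted):
    """True if the expression carries taint; sanitized subtrees count as clean."""
    if isinstance(node, ast.Call):
        name = call_name(node)
        if name in SANITIZERS:
            return False
        if name in SOURCES:
            return True
    if isinstance(node, ast.Name) and node.id in tainted:
        return True
    return any(is_tainted(child, tainted) for child in ast.iter_child_nodes(node))


def find_flows(source_code):
    """Intra-procedural taint analysis over straight-line function bodies.

    Returns [(line, sink_name)] for every sink call fed by unsanitized source
    data. Assignments propagate or clear taint per variable, so a sanitizer
    applied on an earlier line keeps that flow from being reported.
    """
    findings = []
    tree = ast.parse(source_code)
    for func in (n for n in tree.body if isinstance(n, ast.FunctionDef)):
        tainted = set()
        for stmt in func.body:
            if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
                var = stmt.targets[0].id
                if is_tainted(stmt.value, tainted):
                    tainted.add(var)
                else:
                    tainted.discard(var)   # reassignment with clean data clears taint
            elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
                call = stmt.value
                if call_name(call) in SINKS and any(
                    is_tainted(arg, tainted) for arg in call.args
                ):
                    findings.append((stmt.lineno, call_name(call)))
    return findings


if __name__ == "__main__":
    for line, sink in find_flows(SAMPLE):
        print(f"line {line}: unsanitized data reaches {sink}()")
```

Only the two flows that never pass through `escape` are reported; a real engine adds inter-procedural tracking and many more source, sanitizer and sink signatures, but the trade-off shown here (flagging the flow versus trusting a sanitizer seen elsewhere) is exactly what hybrid correlation with a dynamic test is meant to settle.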
Important Questions to Consider
Do the applications contain sensitive data?
§ Is the data protected?
§ How do you know if it’s protected?
Do you outsource your mobile application development?
How do you keep pace with the constant mobile updates?
§ How do you determine risk?
§ Do you have mobile-specific security expertise?
§ Do you have acceptance criteria?
§ Do you check application security every release?
§ Do you have a way to automate testing?
What is application security testing?
Just got breached, how do we prevent this?
How do we protect our mobile apps?
Application Security Awareness
From “Do Nothing” to “Reactive” to “Proactive”!
Where are you on this spectrum?
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
http://www.slideshare.net/ibmsecurity/cloud-security-what-you-need-to-know-about-ibm-smartcloud-security
http://web.nvd.nist.gov/view/vuln/search-results?query=vmware&search_type=all&cves=on
http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=vmware
http://search.iss.net/Search.do?keyword=vmware&searchType=keywd&x=0&y=0
https://downloads.cloudsecurityalliance.org/initiatives/guidance/csaguide.v3.0.pdf
https://cloudsecurityalliance.org/wp-content/uploads/2011/11/virtualization-security.pdf
Security Cloud Vs Virtual …
http://www.slideshare.net/ibmsecurity/cloud-security-what-you-need-to-know-about-ibm-smartcloud-security
http://www-935.ibm.com/services/image/cybersecurity_infographic.jpg
Guide to implementing a secure cloud
The following security measures represent general best practice implementations for cloud security.
• Implement and maintain a security program.
• Build and maintain a secure cloud infrastructure.
• Ensure confidential data protection.
• Implement strong access and identity management.
• Establish application and environment provisioning.
• Implement a governance and audit management program.
• Implement a vulnerability and intrusion management program.
• Maintain environment testing and validation.
Build and maintain a secure cloud infrastructure
4. Protect administrative access.
4.3. Maintain an audit trail of administrative actions.
4.4. The cloud host should develop and publish configuration management guidelines.
4.5. Implement an Asset Discovery Mechanism to identify resources in use in the target environment.
4.6. Regularly review Asset Maps to understand assets in the cloud environment.
4.7. Maintain a Configuration Data Store to enable auditability and general security understanding.
5. Ensure patch management.
5.1. The cloud host should develop and publish a patch and change management program.
5.2. Develop a pre-production patch management system to enable business resiliency.
5.3. Ensure logging is enabled for all patch processes, and develop the appropriate documentation.
5.4. Ensure that all systems and applications are running the latest vendor-supplied patches and updates within the period specified in the patch and change management program. Ensure that an appropriate time frame is established.
5.5. Establish a process or utilize a third-party vendor to maintain awareness of the latest security vulnerabilities.
http://www.redbooks.ibm.com/abstracts/redp4614.html
http://www.redbooks.ibm.com/abstracts/redp4893.html
http://publib-b.boulder.ibm.com/abstracts/sg247928.html
https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
https://downloads.cloudsecurityalliance.org/initiatives/guidance/csaguide.v3.0.pdf
http://public.dhe.ibm.com/common/ssi/ecm/en/wgl03045usen/WGL03045USEN.PDF
Slide 04: media.kaspersky.com/en/business-security/Kaspersky_Global_IT_Security_Risks_Survey_report_Eng_final.pdf
Slide 05: http://www.slideshare.net/junipernetworks/third-annual-mobile-threats-report http://www.juniper.net/us/en/forms/mobile-threats-report/ http://www-935.ibm.com/services/us/gbs/bus/html/risk_study.html http://www-935.ibm.com/services/us/gbs/bus/html/reputational-risk-resolution-for-2013.html http://www.ibm.com/developerworks/library/se-global/ http://www.ponemon.org/data-security http://www.esg-global.com/blogs/more-on-the-security-skills-shortage-issue/ http://www.esg-global.com/blogs/the-security-skills-shortage-is-worse-than-you-think/ http://www.esg-global.com/blogs/what-cisos-can-do-about-the-cybersecurity-skills-shortage/ http://www.slideshare.net/IBMGovernmentCA/reputational-risk-16787581
Slide 10: http://www.redbooks.ibm.com/abstracts/sg248100.html
Slide 12: http://securityintelligence.com/ http://www-03.ibm.com/security/xforce/
Slide 15: http://securityintelligence.com/nist-cybersecurity-framework-application-security-risk-management/
Slide 27: http://www.slideshare.net/ibmsecurity/cloud-security-what-you-need-to-know-about-ibm-smartcloud-security
Slide 28: http://search.iss.net/Search.do?keyword=vmware&searchType=keywd&x=0&y=0 http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=vmware http://web.nvd.nist.gov/view/vuln/search-results?query=vmware&search_type=all&cves=on
Slide 29: https://downloads.cloudsecurityalliance.org/initiatives/guidance/csaguide.v3.0.pdf https://cloudsecurityalliance.org/wp-content/uploads/2011/11/virtualization-security.pdf
Slide 30: http://www.slideshare.net/ibmsecurity/cloud-security-what-you-need-to-know-about-ibm-smartcloud-security
Slide 31: http://www-935.ibm.com/services/image/cybersecurity_infographic.jpg
Slide 35: http://www.redbooks.ibm.com/abstracts/redp4614.html http://publib-b.boulder.ibm.com/abstracts/sg247928.html http://www.redbooks.ibm.com/abstracts/redp4893.html http://public.dhe.ibm.com/common/ssi/ecm/en/wgl03045usen/WGL03045USEN.PDF https://downloads.cloudsecurityalliance.org/initiatives/guidance/csaguide.v3.0.pdf https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf