
Page 1: sumnevaSERT Presentation

sumnevaSERT

Page 2: sumnevaSERT Presentation

Copyright © 2010 Sumneva - All Rights Reserved - http://sumneva.com - [email protected]

AGENDA

• Overview

• Demonstration

• Summary

Page 3: sumnevaSERT Presentation

Overview

Page 4: sumnevaSERT Presentation

INSECURITIES

• We live in a time when the security of data is the most emphasized yet least practiced discipline

  • WikiLeaks

  • HBGary

  • Epsilon

• Unfortunately, adding security to our applications is almost always event-driven or reactive

Page 5: sumnevaSERT Presentation


CUSTOMER DEMAND

• Despite this, we’re all tasked with quickly developing applications for our customers/clients

• Often we take shortcuts and leave things out, like security

• Not because we want to, but because we have to

Page 6: sumnevaSERT Presentation


EXCUSES, EXCUSES...

• We make many, many excuses to ourselves as to why we didn’t adequately secure our applications:

  • Not enough time

  • No one cares about the data/application

  • It’s “internal only”

  • Our users are not smart enough to do anything malicious

• False sense of security

Page 7: sumnevaSERT Presentation


RECIPE FOR DISASTER

• Given:

  • The stresses of getting our applications released quickly

  • The lack of time we have to do so

• Our applications - APEX & otherwise - are likely to have potential security vulnerabilities that we could easily fix

  • If we only knew what they were and had the time...

Page 8: sumnevaSERT Presentation


SUMNEVASERT

• sumnevaSERT: Security Evaluation & Review Tool

• APEX application designed to evaluate and identify potential security issues in other APEX applications

• Supports APEX 4.0+

• Runs on any edition of the database

• Can be easily customized to meet your specific security and/or QA requirements


Page 9: sumnevaSERT Presentation


HOW IT WORKS

• sumnevaSERT uses a simple scoring & red light/green light approach to evaluate your application based on a number of pre-defined criteria

• Each application gets a score based on the result of evaluating each attribute

  • Percentage as well as X of Y points

• Each attribute evaluated either passes or fails

  • Pass yields a point; failure yields none

Page 10: sumnevaSERT Presentation


HOW IT WORKS

An authorization scheme was expected, but not found. Thus, this attribute failed.

The developer can click on Fix and see step-by-step instructions.

Page 11: sumnevaSERT Presentation


WHAT IT LOOKS FOR

• sumnevaSERT ships with a set of attributes that inspect APEX applications for the following:

  • Application Settings

  • Session Timeout

  • Security Attributes

  • Schema Properties

  • SQL Injection

  • Cross Site Scripting

  • Session State Protection

  • Unrestricted Items

  • Encrypted Items

  • Page Access

  • Form Autocomplete

  • Authorization Schemes

Page 12: sumnevaSERT Presentation


ONE SIZE DOESN’T FIT ALL

• If you need additional attributes inspected, you can customize sumnevaSERT as much as you like

• sumnevaSERT supports a number of rule types:

  • NULL/NOT NULL

  • List of Valid Values

  • Less Than/Greater Than

  • PL/SQL

Page 13: sumnevaSERT Presentation


MULTI-PURPOSE

• Thus, you can create your own attribute set(s) for specific purposes, for example:

  • General Security Attributes

    • General set of attributes that must be met and a minimal score must be achieved

  • Application with Sensitive Data

    • Look for specific columns in reports and flag for follow-up

  • Minimal Configuration Signature

    • Applications must use a specific authentication scheme, etc.
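The scoring model of slide 9 (pass yields a point, X of Y and a percentage), the four rule types of slide 12 and the purpose-specific attribute sets with a minimum score of slide 13 can be put together in a few dozen lines. The block below is an added example written for this page; it is not sumnevaSERT's code and does not read the APEX dictionary. The setting names, rule names, Fix text, thresholds and the two sample applications are all constructed for illustration, and a PL/SQL rule is stood in for by a Python predicate because the example runs outside the database.

```python
"""Added example, not sumnevaSERT's own code: a small attribute-scoring
engine modelled on the slides.  Setting names, rule names, Fix text and
the two sample applications are constructed for illustration."""
from dataclasses import dataclass
from typing import Any


@dataclass
class Rule:
    """One attribute check.  rule_type is one of the slide's four kinds;
    a PL/SQL rule is stood in for by a Python predicate on the settings
    dict, since this example runs outside the database."""
    name: str
    setting: str
    rule_type: str          # "NOT NULL" | "NULL" | "IN" | "LT" | "GT" | "PLSQL"
    expected: Any = None    # list for IN, number for LT/GT, callable for PLSQL
    fix: str = ""           # guidance shown when the check fails (hypothetical)


def evaluate(rule: Rule, app: dict) -> bool:
    """Green light (True) when the application satisfies the rule.
    A setting that was never configured (None) fails NOT NULL and LT/GT,
    matching 'expected, but not found' on slide 10."""
    value = app.get(rule.setting)
    if rule.rule_type == "NOT NULL":
        return value not in (None, "")
    if rule.rule_type == "NULL":
        return value in (None, "")
    if rule.rule_type == "IN":
        return value in rule.expected
    if rule.rule_type == "LT":
        return value is not None and value < rule.expected
    if rule.rule_type == "GT":
        return value is not None and value > rule.expected
    if rule.rule_type == "PLSQL":
        return bool(rule.expected(app))
    raise ValueError(f"unknown rule type {rule.rule_type!r}")


def score(rules: list, app: dict, minimum_pct: float = 0.0) -> dict:
    """Pass yields a point, failure none.  Returns X of Y, the percentage,
    whether the attribute set's minimum score was met, and the failed
    rules paired with their Fix text."""
    results = [(r, evaluate(r, app)) for r in rules]
    points = sum(1 for _, ok in results if ok)
    pct = round(100.0 * points / len(rules), 1) if rules else 0.0
    return {"points": points, "total": len(rules), "percent": pct,
            "met_minimum": pct >= minimum_pct,
            "failed": [(r.name, r.fix) for r, ok in results if not ok]}


def no_sensitive_columns(app: dict) -> bool:
    """PL/SQL-style rule for an 'Application with Sensitive Data' set:
    flag report columns whose names suggest regulated data."""
    flagged = ("SSN", "CARD", "PASSWORD")
    return not any(tag in col.upper()
                   for col in app.get("report_columns", []) for tag in flagged)


# Constructed attribute sets (illustrative names, thresholds and Fix text).
GENERAL_SECURITY = [
    Rule("Authorization scheme present", "authorization_scheme", "NOT NULL",
         fix="Create an authorization scheme and assign it to the application."),
    Rule("Idle timeout configured under 1 hour", "max_session_idle_sec", "LT", 3600,
         fix="Set a maximum session idle time in the security attributes."),
    Rule("Approved authentication scheme", "authentication_scheme", "IN",
         ["LDAP", "SSO", "Custom"], fix="Switch to an approved authentication scheme."),
    Rule("Login form autocomplete off", "login_autocomplete", "IN", ["Off"],
         fix="Disable browser autocomplete on the login page."),
    Rule("No unrestricted items", "unrestricted_item_count", "LT", 1,
         fix="Apply session state protection to every item."),
    Rule("Password items encrypted", "password_item_encrypted", "PLSQL",
         lambda app: app.get("password_item_encrypted") is True,
         fix="Enable encrypted session state storage on password items."),
]
SENSITIVE_DATA = [Rule("No sensitive report columns", "report_columns", "PLSQL",
                       no_sensitive_columns, fix="Mask or remove the column; follow up.")]

# Constructed sample applications standing in for values read from APEX.
HARDENED_APP = {"authorization_scheme": "IS_ADMIN", "max_session_idle_sec": 1800,
                "authentication_scheme": "LDAP", "login_autocomplete": "Off",
                "unrestricted_item_count": 0, "password_item_encrypted": True,
                "report_columns": ["EMPNO", "ENAME", "DEPTNO"]}
WEAK_APP = {"authorization_scheme": None, "max_session_idle_sec": None,
            "authentication_scheme": "Database Account", "login_autocomplete": "On",
            "unrestricted_item_count": 0, "password_item_encrypted": False,
            "report_columns": ["CUST_ID", "SSN", "CARD_NUMBER"]}


def report(rules: list, app: dict, minimum_pct: float) -> None:
    """Red light / green light listing followed by the X of Y summary."""
    for r in rules:
        print(("GREEN " if evaluate(r, app) else "RED   ") + r.name)
    s = score(rules, app, minimum_pct)
    print(f"{s['points']} of {s['total']} points ({s['percent']}%), "
          f"minimum {'met' if s['met_minimum'] else 'NOT met'}")
    for name, fix in s["failed"]:
        print(f"  Fix for '{name}': {fix}")


if __name__ == "__main__":
    report(GENERAL_SECURITY, WEAK_APP, minimum_pct=80)
    report(SENSITIVE_DATA, WEAK_APP, minimum_pct=100)
```

Each attribute set carries its own minimum percentage, so the same application can be held to a general baseline and to a stricter purpose-specific set at once; the failed-rule list pairs every red light with its Fix text, which is the part a developer acts on.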

Page 14: sumnevaSERT Presentation

DEMONSTRATION

sumnevaSERT

Page 15: sumnevaSERT Presentation

Summary

Page 16: sumnevaSERT Presentation

THE REALITY

• sumnevaSERT will identify most of the security weaknesses that hackers and malicious users alike look for in APEX applications and provide step-by-step solutions to fix them

  • But it will not secure everything

  • There’s no such thing as a silver bullet of any sort...

• You still need a strong overall security policy

  • Strong Passwords

  • Physical access control

  • Code Audits

  • Best Practices

Page 17: sumnevaSERT Presentation


AVAILABILITY

• Initial release in Beta now

• Still accepting beta customers - contact us for details

• Targeted release of June 2011

  • Will support APEX 4.0+

Page 18: sumnevaSERT Presentation

LICENSING

• Per instance of APEX

  • Can run on as many applications as you like in as many workspaces as you like in a single instance of APEX

• Contact us for details & pricing

  • [email protected]

  • +1 (703) 879-4615

  • http://www.sumneva.com/sert

Page 19: sumnevaSERT Presentation


http://sumneva.com