2. IBM Software Group | Rational software
Agenda
Web Application Security Issues
Web Application Security Model
Application Security and Software Development
Application Security Maturity Model
3. Application Security Today
“Web application vulnerabilities accounted for 69% of vulnerabilities
disclosed between July 2005 and June 2006”
Gartner
“64% of developers are not confident in their ability to write secure
applications”
Microsoft Developer Research
“70% of companies today are NOT applying secure application
development techniques in their software development practices”
Aberdeen Group, May 2007
“90% of applications, when tested, are vulnerable”
Watchfire
4. The Reality: Security and Spending Are Unbalanced
Security spending versus attacks, by layer:
Layer | % of Attacks | % of Dollars
Web Applications | 75% | 10%
Network / Server | 25% | 90%
75% of all attacks on information security are directed to the web application layer.
2/3 of all web applications are vulnerable.
Sources: Gartner, Watchfire
5. Why Application Security is a High Priority
Web applications are the #1 focus of hackers:
75% of attacks at Application layer (Gartner)
XSS and SQL Injection are #1 and #2 reported vulnerabilities (Mitre)
Most sites are vulnerable:
90% of sites are vulnerable to application attacks (Watchfire)
78% of easily exploitable vulnerabilities affected Web applications (Symantec)
80% of organizations will experience an application security incident by 2010 (Gartner)
Web applications are high value targets for hackers:
Customer data, credit cards, ID theft, fraud, site defacement, etc.
Compliance requirements:
Payment Card Industry (PCI) Standards, GLBA, HIPAA, FISMA
6. The Myth: “Our Site Is Safe”
We Have Firewalls in Place
We Audit It Once a Quarter with Pen Testers
We Use Network Vulnerability Scanners
7. Network Defenses for Web Applications
Security perimeter components:
Firewall
IDS (Intrusion Detection System)
IPS (Intrusion Prevention System)
App Firewall (Application Firewall)
System Incident Event Management (SIEM)
9. The 12 Most Frequent Hacker Attacks
Cookie Poisoning
Hidden Field Manipulation
Parameter Tampering
Buffer Overflow
Cross-site Scripting
Backup and Debug Options
Forceful Browsing
HTTP Response Splitting
Stealth Commanding
3rd Party Misconfiguration
Known vulnerabilities
XML & Web service vulnerabilities
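Two of the attacks in the list above, Hidden Field Manipulation / Parameter Tampering and HTTP Response Splitting, come down to the server trusting client-supplied values. The following is an added example written for this page, not code from the IBM deck or from AppScan; the product catalogue, form dictionaries and header values are constructed sample data. It shows the vulnerable pattern beside the hardened one for the first attack, and the input check that defends against the second.

```python
"""Defender-side illustration of two attacks from the slide's list.

Added example; not from the original deck. CATALOGUE and the form
dictionaries used with these functions are constructed sample data.
"""
from decimal import Decimal

# Constructed server-side price list: the only trustworthy source of prices.
CATALOGUE = {"sku-100": Decimal("49.99"), "sku-200": Decimal("199.00")}


def total_trusting_hidden_field(form):
    """Vulnerable pattern: the price is read back from a hidden form field.

    Hidden Field Manipulation / Parameter Tampering: hidden fields are
    still client-controlled, so whatever price the browser sends is billed.
    """
    qty = int(form["qty"])
    return Decimal(form["price"]) * qty


def total_from_catalogue(form):
    """Hardened pattern: only the SKU and quantity are taken from the
    client; the price is looked up server-side and the quantity is bounded.
    """
    sku = form["sku"]
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    qty = int(form["qty"])
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOGUE[sku] * qty


def safe_header_value(value):
    """HTTP Response Splitting defence: reject any header value carrying
    CR or LF. Those characters end the current header line, which is what
    lets a reflected value inject extra headers or a second response.
    """
    if "\r" in value or "\n" in value:
        raise ValueError("control characters not allowed in header value")
    return value


if __name__ == "__main__":
    # Constructed request: the client has edited the hidden price to 0.01.
    tampered = {"sku": "sku-100", "qty": "2", "price": "0.01"}
    print("trusting hidden field:", total_trusting_hidden_field(tampered))
    print("catalogue lookup:     ", total_from_catalogue(tampered))
    print(safe_header_value("en-GB"))
```

Run stand-alone, the first total is 0.02 and the second is 99.98 for the same tampered request; the header check accepts a plain value and raises on any value containing a line break.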
10. Going Beyond Pointing out Security Problems
11. Web Application Environment
Security scanners by layer:
Web Application / Web Services: Web Application Scanners
Web Server: Network Scanners
Database: Database Scanners
Operating System: Host Scanners
12. Network vs. Application Security - Complementary
Info Security Landscape:
Desktop: Antivirus Protection
Transport: Encryption (SSL)
Network: Firewalls / Advanced Routers, Application Firewall
Web Applications: Web Servers, Backend Servers, Databases
Network & Application Security solutions address different problems: ISS for network security, Rational AppScan for application security.
13. High Level Web App. Architecture Review
Client Tier: Browser, reached over the Internet; SSL protects the transport
Firewall: protects the network
Middle Tier: App Server (Presentation, Business Logic); the application is deployed here
Data Tier: Database; sensitive customer data is stored here
14. Why Application Security Problems Exist
Root Cause
Developers are not trained to write or test for secure code.
Firewalls and IPSs don’t block application attacks: port 80 is wide open for attack.
Network scanners (Nessus, ISS, Qualys, Nmap, etc.) won’t find application vulnerabilities.
Network security (firewall, IDS, etc.) does nothing once an organization web-enables an application.
Current State
Organizations test tactically at a late and costly stage in the development process.
A communication gap exists between security and development, so vulnerabilities are not fixed.
Testing coverage is incomplete.
16. Building Security & Compliance into the SDLC
SDLC phases: Coding, Build, QA, Security, Production
Developers: enable developers to effectively drive remediation into development; provides developers and testers with expertise on detection and remediation ability.
Security: ensure vulnerabilities are addressed before applications are put into production.
17. Application Security Maturity Model
Phases, with the percentages shown on the slide: Blissful Ignorance 10%, Awareness Phase 30%, Corrective Phase 30%, Operations Excellence Phase 30%
Duration: 2-3 years
18. Reduced Costs, Increased Coverage
Cost per application tested vs. application coverage (0% to 100%), from highest cost and lowest coverage to lowest cost and highest coverage:
External Security
Internal Tactical
Strategic
Operationalized
19. IBM Rational Application Security Testing Products
AppScan Enterprise: Web Application Security Testing Across the SDLC
Application Development: test applications as developed
Quality Assurance: test applications as part of the QA process
Security Audit: test applications before deployment
Production Monitoring: monitor or re-audit deployed applications
21. IBM Rational in the IBM Security Portfolio
1 – Assess: Where are you? Understand customer security needs and security exposures (Watchfire Solutions)
2 – Defend: Keep the bad guys OUT! Preemptively protect the enterprise against threats to the infrastructure, confidential data and services
3 – Access: Let the good guys IN! Manage and control user identities and access privileges
4 – Monitor: Monitor and fix! Centrally manage security events, report on security posture, remediate (Watchfire Solutions)
22. Bad Press Decreases Shareholder Value
One-day market cap drop of $200M
23. Build Better and More Secure Applications/Websites
Improve business integrity before you go live
Address security issues during the development cycle, before applications go live, where business risk is magnified and costs to remediate are high.
Reduce application costs by automating manual processes
Automate accurate detection of vulnerability and compliance issues, and their remediation, throughout the entire web application lifecycle, from the development cycle into operations.
Comply with Government Regulations and Industry Security Requirements
Incorporates the most comprehensive compliance reporting solution, which generates 41 out-of-the-box regulatory compliance templates and reports.
Provide a ‘core to perimeter’ view into enterprise security
Add web-application security and compliance testing to network-level offerings.
IBM Rational AppScan® automates web application security audits to help ensure the security and compliance of web applications.