Join Cenzic’s Chris Harget for an overview of the essentials of Web Application Security, including the risks, practices and tools that improve security at every stage of the application lifecycle.
3. Apps that (mostly) run in Browsers, and let users
submit/retrieve information from databases
3
4. § Quickly installed/updated
§ Works across operating systems
§ Limitless reach, affordable
4
These Are Called “Vulnerabilities”
But There Are Problem because…
§ Your Data is accessible from anywhere
§ To be useful, Web Apps interpret commands
§ There are hidden ways commands can be
used to breach data
8. § Cross-Site Scripting (XSS)
– Inserts malicious scripts via trusted URL
§ Broken Session Management
– Lets hackers access applications
§ Insecure Authentication
– Lets attack exploit authentication mechanism
§ Cross Site Request Forgery (CSRF)
– Forces a user to execute unwanted transactions on a
Web App they’re logged into.
§ Structured Query Language (SQL) Injection
– Malicious inputs (commands) modifies SQL queries to
steal or modify data.
8
9. § Web App Vulnerability Scanners conduct mock
“attacks” on an application to catalogue which types
of real attacks would succeed.
§ Results, with recommendations for how to fix, are
reported to app owner
9
10. § Proactively scanning your applications
for vulnerabilities and remediating them
before the bad guys find them.
§ Measuring online risk to manage it
§ Highly automated for fast, comprehensive
response and best real-world security.
10
12. § Today’s Economy is all about Web Apps
– They’re your store, your product, your branding, your
infrastructure.
– More apps with more valuable data make them a more
attractive target
§ Types of Data that can be stolen
– Customer Identification
– Access Controls
– Transaction Information
– Core Business Data
12
13. 13
“69% of 12,000+ IT professionals surveyed
believed that in 2013 Application
Vulnerabilities are the number one
security issue.”
-The 2013 (ISC)2 Global Information Security Workforce Study
https://www.isc2.org/uploadedFiles/(ISC)2_Public_Content/2013%20Global%20Information
%20Security%20Workforce%20Study%20Feb%202013.pdf
16. § 80% have Session Management problems
§ 61% have Cross Site Scripting issues
§ 45% have Authentication vulnerabilities
16
17. § Jan.14, 2013: CISO, Justin Somaini left
shortly after a Cross Site Scripting (XSS)
attack resulted in an embarrassing surge
of Spam from compromised Yahoo Mail
accounts.
§ Outside security experts said Yahoo was
slow to fix the vulnerability, which may have
led to the CISO’s abrupt departure.
– http://allthingsd.com/20130114/yahoos-chief-information-security-officer-
departs-with-more-top-execs-under-ceo-scrutiny/
– http://allthingsd.com/20130110/that-yahoo-mail-vulnerability-not-really-fixed/
– http://arstechnica.com/security/2013/01/how-yahoo-allowed-hackers-to-
hijack-my-neighbors-e-mail-account/?
utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A
+arstechnica%2Findex+%28Ars+Technica+-+All+content%29
17
18. § SQL Injection of Heartland Payment Systems’ Web
site In March of 2008 exposed 134 million credit
cards.
– The vulnerability had been known for a long time
– Perpetrator was caught and is serving 20 years, but…
– …the damage was already done.
§ http://www.csoonline.com/article/700263/the-15-
worst-data-security-breaches-of-the-21st-century
18
20. § How many Web applications do you have?
§ Which apps have mission-critical data
behind them?
§ Who Develops/updates them?
§ Do you want to build out a security analyst
group or retain outside experts?
§ Do you have mobile apps you want to
assess?
20
21. § Security Analysts: Scan, Analyze, Coordinate
§ App Developers: Incorporate findings, fix code
§ QA: Re-run scans to ensure fixes worked
§ Governance/Risk/Compliance: Consume reports
§ Production Team: Re-run scans regularly to find
new issues
§ CIO/CISO: View Dashboard to see trends
21
22. § Many vulnerabilities are relatively easy to detect,
block and fix.
§ Common tools for managing vulnerabilities:
– Secure coding standards
– Web security scanning
– Intrusion/penetration testing
– Web Application Firewalls (WAFs)
§ Security is a continuous effort
– New developers, software and hardware are employed
– Old vulnerabilities never go away
– Hackers continue to generate new attacks
22
23. 1. Employ coding best practices during
development.
2. Scan and remediate in pre-production test
environment (run-time is most accurate)
3. Monitor production apps, and patch
accordingly
– Web Application Firewalls, working with
vulnerability scanner, can use policy to “virtually
patch” some vulnerabilities
23
24. § Pre-Production
– Pros: Fixing earlier may be more efficient, more
aggressive testing may be used safely
– Cons: Test environment may not mirror production
environment.
§ Production
– Pros: Most accurate (real environment), Detects newly
discovered vulnerabilities, Web App Firewall virtual
patch may minimize repair time
– Cons: Production team must buy in, care must be taken
to use only safe attacks.
§ Answer? Yes. Both. All of the above.
24
25. § Managed Service
– Pro: Expert, Fast, Easy, can cover Mobile apps too
– Con: $$, Only as good as their tools
§ Cloud-based SaaS
– Pro: Quick Setup, Simple, Affordable
– Con: Shallower scan misses some vulnerability
types
§ Software (desktop or Enterprise)
– Pro: Powerful, best value for large # of apps
– Con: More to learn, costly for small # of apps
§ Hybrid (Managed Service + Enterprise Software)
– Pro: Most secure, augments your team, flexible
– Con: Mostly for enterprises
25
27. § Mix and Match
– Managed Service for Compliance/Mission Critical apps
– Software or Cloud for the rest
§ Plan to Evolve
– Managed Service to start, migrate to Hyrid or Enterprise
Software (your data can be preserved)
§ Phase I, Phase II
– Cover most important apps first
– Expand to the rest when feasible
27
28. § Who?
– Global NGO with thousands of web sites
§ Need?
– Methodology Assessment of their security posture, and
real-world training of their Developers
§ Solution?
– Cenzic PS did a 3-day engagement with their App
Developers.
– Reviewed 10 most common vulnerabilities, found
examples in their production apps.
– Cenzic PS demonstrated on a Live Demo site how a
hacker could exploit those specific types of vulnerabilities
– Reviewed coding best practices to completely eliminate
said vulnerabilities.
28
29. § Who?
– High technology company with a mobile
application that accessed sensitive customer
data
§ Need?
– Vulnerability Scan a mobile app that
can not be traditionally traversed with a spider.
§ Solution?
– Cenzic Mobile Scan service performed a dynamic
analysis by placing a proxy in line to the mobile app,
which allowed technicians to replay various attacks
and coupled it with a thorough forensic analysis of
the application on the device to identify
vulnerabilities that exposed customer data.
29
30. § Who?
– A Health Maintenance Organization
§ Need?
– Deep scan of a new application on a tight development
schedule to ensure compliance.
§ Solution?
– Cenzic PS performed Manual Penetration testing along
with the comprehensive vulnerability scanning to provide
a very thorough scan which could suffice for any
compliance or audit need.
30
31. 31
Bronze
Silver
Gold
Pla0num
Industry
Best-‐
Prac0ces
for
Brochureware
sites
Industry
Best-‐
Prac0ces
for
forms
and
login
protected
sites
Compliance
for
sites
with
user
data
Comprehensive
scans
for
Mission
cri0cal
applica0ons
Phishing
X
X
X
x
Light
input
valida0on
X
X
X
x
Data
Security
X
X
X
x
Session
management
X
X
x
OWASP
compliance
X
x
PCI
compliance
X
x
Business
logic
tes0ng
x
Applica0on
logic
tes0ng
x
Manual
penetra0on
tes0ng
x
32. 32
Of All Attacks on Information Security
Are Directed to the Web Application Layer
Of All Web Applications Are Vulnerable
Network
Server
Web Application
% of Amount
Security Budget
10%
90%
% of Attacks
Risk
75%
Web
Layer
25%
33. 33
§ Justify more IT spend
§ Reallocate existing IT spend
§ Stretch existing App Sec spend
Tip: For more ideas watch
“Top 10 Ways to Win Budget For App Security”
https://info.cenzic.com/webinar-security-budget.html
34. § Web App Security Trends Report 2013
– https://info.cenzic.com/2013-Application-Security-Trends-
Report.html
§ Web Security: Are You Part Of The Problem?
– http://coding.smashingmagazine.com/2010/01/14/web-
security-primer-are-you-part-of-the-problem/
§ Open Web Application Security Project
– (www.OWASP.org) is a broad-based organization seeking
to make software security visible for better decision
making
34
35. We offer:
§ Industry-leading, patented scanning technology
§ The broadest range of managed service, cloud,
enterprise software and hybrid service solutions to
best meet your evolving needs
§ Training, consulting, and mobile app assessment
35
36. § Audit your environment
– How many apps do you have?
– Are you subject to regulatory compliance?
– Which app is most crucial to your organization?
§ Identify team members who need to get educated
§ Try Cenzic for Free
– https://info.cenzic.com/evaluate-software.html
§ Let us know how we can help you succeed!
– Consulting, Managed Services, and Training always
help http://www.cenzic.com/services-support/training/
36