Learn about the major risks to Cloud and Web-based Applications. What are their weaknesses? How can you deploy them with more confidence and avoid the risks? What can you do to protect these applications without creating a major burden on your end-users and customers? Application Security has become one of the topmost priorities of CIOs, CSOs and IT staff in 2012. The Cloud has created a paradigm shift in how we leverage technology. Learn about the power of the Cloud to secure your applications.
2. Welcome to our Webinar…We’re Glad You Are Here Today!
By Jessica Quinn, Director of Marketing
Cyber Defense Magazine
www.cyberdefensemagazine.com
3. Today’s Agenda
1. During today’s session, you’ll hear from two unique and
complementary perspectives on Application Security Trends
that have taken place throughout 2012 which will help you be
better prepared for the coming year.
2. First, our Editor of Cyber Defense Magazine will share some of
the key trends and his insights in the area of Cloud Computing
and related Network Security breaches.
3. Then, the CEO of iViz Security will take you through some of
the best “insider” information on in-the-field, boots-on-the-
ground issues such as top 10 vulnerabilities in cloud/web apps,
top 10 business logic vulnerabilities, top 3 reasons people were
compromised and much more.
4. Finally, we’ll open it up to Q&A and then share with you a
special offer, as promised.
4. Today’s Speakers
Gary Miliefsky, Editor, Cyber Defense Magazine
Gary is a Founding Member of the US Department of Homeland Security, has advised multiple US Presidents’ Cyber Security teams, and serves on the boards of NAISG, MITRE and Norwich University’s Cyber-war Research Labs.
Bikash Barai, CEO, Co-founder, iViZ Security Inc.
Bikash is the co-founder and CEO of iViZ, a pioneer in Cloud based Application Penetration Testing. He is credited with several innovations in the domain of Network Security and Anti-Spam Technologies and has patents filed under his name. Bikash is also an active speaker at various platforms like Nasscom, University of California - Berkeley, NUS Singapore, Global Security Challenge, TiE and several others.
6. SaaS, Web, Cloud Applications - #1 Target of Cyber Crime
We’re gunning for your apps because that’s where the data is…
7. There is a Growing Epidemic of Security Breaches
• “Every company in every conceivable industry with significant size and valuable intellectual property has been compromised (or will be shortly.) … the entire set of Fortune Global 2000 firms [can be divided] into two categories: those that know they’ve been compromised and those that don’t yet know.”
9. Look at The Current Stats….
• Cybercrime up by 6% in 2012 (Source: Ponemon Institute)
• Over 60% of Bing search results lead to infected pages
• Over 30% of Google search results lead to infected pages
• White House hacked by China (Sources: whitehouse.gov and pentagon.mil)
• Adobe update server – hacked in September
• Microsoft Internet Explorer – hacked in October
• Oracle – releases over 109 security fixes in October
• Total Personally Identifiable Information records stolen (US): 563,000,000+
• Total Common Vulnerabilities and Exposures (CVEs, aka “holes”): ~54,000
• Total MD5 hash entries in top anti-virus databases: 100,000,000+ and growing
(Sources: CDM, Adobe, Microsoft, Oracle, MITRE, PrivacyRights.org, VirusBulletin)
9. Why does this keep happening?
1. POOR CODING PRACTICES
2. SOFTWARE CODING FLAWS
3. NETWORK-BASED VULNERABILITIES
4. FREELY AVAILABLE EXPLOITATION TOOLS
5. ORGANIZED CRIME FUNDED HACKERS
6. STATE FUNDED CYBER WARRIORS
7. LACK OF REGULAR ASSESSMENT & REMEDIATION

1. PENETRATION TEST YOUR SAAS, WEB AND CLOUD OFFERINGS
2. REPORT ON THE HOLES AND STRATEGIZE HOW TO FIX
3. SCHEDULE WORKFLOW AND PERFORM REMEDIATION
4. REPEAT STEPS 1-3
10. Cyber Criminals Exploit Poorly Written Code...So…
What are some of the Top Software Coding Flaws?
(Source: http://cwe.mitre.org)
11. Top Software Coding Flaws (CWEs)
Rank Score ID Name
[1] 93.8 CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
[2] 83.3 CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
[3] 79.0 CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
[4] 77.7 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
[5] 76.9 CWE-306 Missing Authentication for Critical Function
[6] 76.8 CWE-862 Missing Authorization
[7] 75.0 CWE-798 Use of Hard-coded Credentials
[8] 75.0 CWE-311 Missing Encryption of Sensitive Data
[9] 74.0 CWE-434 Unrestricted Upload of File with Dangerous Type
[10] 73.8 CWE-807 Reliance on Untrusted Inputs in a Security Decision
[11] 73.1 CWE-250 Execution with Unnecessary Privileges
[12] 70.1 CWE-352 Cross-Site Request Forgery (CSRF)
[13] 69.3 CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
[14] 68.5 CWE-494 Download of Code Without Integrity Check
[15] 67.8 CWE-863 Incorrect Authorization
[16] 66.0 CWE-829 Inclusion of Functionality from Untrusted Control Sphere
[17] 65.5 CWE-732 Incorrect Permission Assignment for Critical Resource
[18] 64.6 CWE-676 Use of Potentially Dangerous Function
[19] 64.1 CWE-327 Use of a Broken or Risky Cryptographic Algorithm
[20] 62.4 CWE-131 Incorrect Calculation of Buffer Size
[21] 61.5 CWE-307 Improper Restriction of Excessive Authentication Attempts
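The #1 entry in the list above, CWE-89, is easiest to understand by seeing the two ways of writing the same lookup side by side. The following is an added example, not code from the webinar or from MITRE: a user lookup built by string concatenation (the CWE-89 pattern) next to the parameterized form, run against a constructed two-row SQLite database so it works offline. The table name, column names and rows are assumptions made for the example.

```python
"""Added example, not from the CWE list or the webinar: CWE-89 (SQL Injection)
shown as the string-built query beside its parameterized replacement. The users
table and its two rows are constructed; an in-memory SQLite database is used so
the example runs offline."""
import sqlite3


def make_db():
    """Build a throwaway database with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn, username):
    """CWE-89: the untrusted value is spliced into the SQL text, so quote
    characters in it change the structure of the statement."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Parameterized query: the driver binds the value separately from the
    statement, so the same input is matched literally and returns no rows."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()
```

With a normal username both functions return the same single row; with a value containing a quote and an OR clause, the concatenated version returns every user while the parameterized one returns nothing. The same rule (pass untrusted values as bound data, never as part of the statement text) is also the fix for CWE-78 at rank 2, where the equivalent is passing an argument list to the process API rather than building a shell string.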
12. Cyber Criminals Exploit Network-based Holes…So…
What are some of the Top CVEs?
(Source: http://cve.mitre.org)
13. Top External Vulnerabilities (CVEs)
Apache Chunked-Encoding Memory Corruption Vulnerability
CVE-2002-0392
Microsoft ASP.NET Denial of Service Vulnerability (KB2659883 and MS11-100)
CVE-2011-3414, CVE-2011-3415, CVE-2011-3416, CVE-2011-3417
Microsoft SMB Remote Code Execution Vulnerability (MS09-001)
CVE-2008-4834, CVE-2008-4835, CVE-2008-4114
SSH Protocol Version 1 Supported
CVE-2001-1473
Microsoft Windows Server Service Could Allow Remote Code Execution (MS08-067)
CVE-2008-4250
Microsoft Windows Remote Desktop Protocol Remote Code Execution Vulnerability (MS12-020)
CVE-2012-0002, CVE-2012-0152
14. So Why Consider Going SaaS, Web or Cloud-based App?
• On-demand Benefits – No capacity issues…it’s all there when you need it, sized right.
• Lower Costs – The TCO is much lower and you don’t worry about hardware upgrades.
• Rent vs Own – Why own all that expensive equipment? Cloud elasticity allows your SaaS/Web/Cloud Apps to shrink or grow automatically.
• Space/Time Saver – Updates are faster and it takes less time to deploy newer versions or scale to larger platforms.
• Reliability – Business Continuity and Disaster Recovery Planning (BCP/DRP) and all related redundancies and backup systems are not your problem; just make sure you have a really good Service Level Agreement (SLA).
• 7x24x365 Access to your Apps – It’s up to the service provider, but you will usually have more uptime and IT service support without bearing the costs, and get a year-round 24-hour system in place.
15. Hmm…when moving to SaaS, Web or Cloud-apps, I ponder…
• What are the most critical vulnerabilities that threaten the security of my perimeter defenses on the web or in the ‘Cloud’?
• What is the probability that a cyber criminal could penetrate my Web-based applications and gain access to my data?
• How can I find my vulnerabilities, and do so in a way that has no time sink of false positives, so I can work through them quicker?
• How do I prioritize the vulnerabilities, create a plan for improvement and get the budget approved?
17. Background
• iViZ – Cloud based Application Penetration Testing
• Zero False Positive Guarantee
• Business Logic Testing with 100% WASC (Web Application Security Consortium) class coverage
• Funded by IDG Ventures
• 30+ Zero Day Vulnerabilities discovered
• 10+ Recognitions from Analysts and Industry
• 300+ Customers
18. Research Methodology
• Application Security Data Collection
• 300+ Customers
• 5,000+ Application Security Tests
• 25% Apps from Asia, 40% Apps from USA and 25% from Europe
19. Key Findings
• 99% of the Apps tested had at least 1 vulnerability
• 82% of the web applications had at least 1 High/Critical vulnerability
• 90% of hacking incidents never become known to the public
• Very low correlation between Security and Compliance (Correlation Coefficient: 0.2)
• Average number of vulnerabilities per website: 35
• 30% of the hacked organizations knew about the vulnerability (through which they got hacked) beforehand
• #1 Vulnerability: Cross site scripting (61%)
• #1 Secure vertical: Banking
• #1 Vulnerable vertical: Retail
21. Top 5 Application Flaws
Percentage of websites containing the “Type of Vulnerability”
22. 5 Common Business Logic Flaws
• Weak Password recovery
• Abusing Discount Logic/Coupons
• Denial of Service using Business Logic
• Price Manipulation during Transaction
• Insufficient Server Side Validation (One Time Password (OTP) bypass)
23. Which are the most vulnerable Industry Verticals?
Average number of Vulnerabilities per Application
26. Runtime Application Security Protection (RASP)
• RASP is an integral part of an application’s runtime environment.
• RASP can detect attacks at runtime (e.g. an attempt to write a high volume of data, or unauthorized database access).
• It has the real-time capability to take actions such as terminating sessions, raising alerts, etc.
• A Web Application Firewall (WAF) can detect attacks, and RASP can verify them and take action.
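To make the slide concrete, here is an added example (not code from the deck or from any RASP product) of the in-process guard the bullets describe: a hook on the data-access layer that checks each database operation against the session's role, tracks write volume per session over a sliding window, and on a violation raises an alert and terminates the session. The role-to-table allow list, the byte limit, the window length and the class name are assumptions made for the example.

```python
"""Added example, not from the deck: a minimal RASP-style guard on the
data-access layer. It watches each session's database activity in-process,
flags unauthorized table access and high-volume writes, and responds by
terminating the session and raising an alert. Thresholds, table names and the
session/role model are constructed for the example."""
import time
from collections import defaultdict

WRITE_BYTES_LIMIT = 10_000    # assumed: max bytes a session may write per window
WINDOW_SECONDS = 60           # assumed: sliding window for the write budget
ALLOWED_TABLES = {            # assumed: which tables each role may touch
    "user": {"orders", "products"},
    "admin": {"orders", "products", "users"},
}


class RaspGuard:
    def __init__(self, clock=time.monotonic):
        self.clock = clock                  # injectable so tests can control time
        self.writes = defaultdict(list)     # session -> [(timestamp, bytes)]
        self.terminated = set()             # sessions that have been cut off
        self.alerts = []                    # (session, reason) for the SOC feed

    def _alert(self, session, reason):
        """Record the alert and terminate the session: the RASP 'take action' step."""
        self.alerts.append((session, reason))
        self.terminated.add(session)

    def check(self, session, role, table, op, payload=b""):
        """Called before every query. Returns True to let it proceed, False to block."""
        if session in self.terminated:
            return False
        # Unauthorized database access: the role is not allowed on this table.
        if table not in ALLOWED_TABLES.get(role, set()):
            self._alert(session, f"unauthorized access to {table}")
            return False
        # High-volume write: sum this session's writes over the sliding window.
        if op == "write":
            now = self.clock()
            history = self.writes[session]
            history[:] = [(t, n) for t, n in history if now - t < WINDOW_SECONDS]
            history.append((now, len(payload)))
            if sum(n for _, n in history) > WRITE_BYTES_LIMIT:
                self._alert(session, "high-volume write")
                return False
        return True
```

Because the guard sits inside the application it sees the resolved role and the actual table, which a WAF in front of the HTTP layer cannot see; that is the division of labour the last bullet describes, with the WAF spotting suspicious requests and the RASP layer confirming and acting on them.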
28. Hybrid Application Security Testing
• Problems with Automation
  • False Positives
  • Business Logic Testing
• Why is Artificial Intelligence not enough?
  • Multi-stage attack planning is not solved
  • Modeling creativity and intuition is suboptimal
  • Cannot discover and verify assumptions
• How to solve it?
  • Not “Man vs Machine” but “Man and Machine”
  • Hybrid testing with the power of automation plus a manual augmentation model which can scale
  • The scaling model can be steeply linear or non-linear depending on innovations
29. Application Security as a Service
• #1 Problem the AppSec industry is facing…
  • Severe dearth of trained AppSec professionals
• Trends in the overall Tech Industry
  • Focus on Core Competency, Cloud, “Get it done” vs “Do it Yourself”
• What are the options to leverage?
  • WAF as a service
  • SIM as a service
  • DAST/SAST/VM as a service
  • Hybrid Pen Testing as a SaaS
• Benefits
  • Resolving the problems of talent acquisition and retention
  • Reduction of fixed operational costs
  • Help in focusing on core competency
  • Reduction of operational management overheads
30. Beyond SDLC: Secure Dev-Ops
• What is Dev-Ops?
  • A software development methodology which focuses on communication, collaboration and integration of Developers and IT Operations professionals
  • Software Engineering + Quality Assurance + Tech Operations
• Dev-Ops goes beyond the Software Development Lifecycle (SDLC)
• Need to move from Secure SDLC to Secure Dev-Ops
31. Application Security Vulnerability Management Model
• Types of Apps by Business Criticality
  • High
  • Medium
  • Low
• Type of Testing
  • Automated
  • Standard: Automated + False Positive Removal
  • Premium: Automated + False Positive Removal + Business Logic Testing
32. Application Security Vulnerability Management Model
• Testing Strategy for Apps with the following Business Criticality (Minimum Requirement)
  • High
    • Premium test for every major release
    • Standard test for every minor release
  • Medium
    • Standard test for every release
  • Low
    • Automated test on a quarterly or yearly basis, or during every release
33. 80/20 Rule: Top 5 focus
• #1: Identify and Classify all Apps based on Business Criticality
• #2: Regular Testing
  • Hybrid Testing (Auto+Manual): All Business Critical Apps during every major release
  • Automated Testing: All Business Critical Apps during every release + Rest on a Quarterly basis
• #3: Implement an efficient Patching Process
• #4: Implement WAF for Business Critical Apps
• #5: Implement Secure SDLC/Secure Dev-Ops
35. How do I get my freebies?
• Free Penetration Test: Simply mail us
  • varun@ivizsecurity.com
• Free Checklist to evaluate a Pen Testing vendor
  • We will send you the download link over email
36. Additional Bonus to Attendees…Get Your Free Copy…
Signup Today for FREE E-Subscriptions:
FREE MONTHLY NEWSLETTERS
20-40 pages packed with tips, tricks, tools and techniques for better IT Security and Regulatory Compliance
FREE QUARTERLY MAGAZINE
Ships in print at RSA Conference and BlackHat in 2013, covers next generation tools and techniques, Cyber Defense Test Labs (CDTL) INFOSEC product reviews, and much more…
www.cyberdefensemagazine.com
37. Thank You
• Bikash Barai
  • bikash@ivizsecurity.com
  • @bikashbarai1
• Gary Miliefsky
  • garym@cyberdefensemagazine.com
38. Q&A
• What are the secrets vendors don’t tell?
• How to evaluate a security testing vendor?
• Can you tell me a real life case study of an organization which you consider as a “good example”….
39. Solantus: “Advancing the Distribution Model”
Quick thanks to our silent sponsor, Solantus:
Through well formulated business practices and processes, we take new product and service introductions to successful mainstream market acceptance.
Our technology “Story” is one in which we embrace products and services that incorporate proven innovations which help differentiate our channel partners and serve the best interests of their customers.
Learn more about next-gen distribution at www.solantus.com
40. Call To Action
To receive your free penetration testing, please contact us using your real email address at the company you work where you have permission to allow this offering.
We cannot accept emails from google or yahoo, etc…as our service requires corporate approval. Send your email request to:
sales@ivizsecurity.com
In addition, we will send you your free checklist to selecting your application penetration testing (APT) vendor.