An IDG Ventures Company




November 20, 2012

                                              1
Welcome to our Webinar…We’re Glad You Are Here Today!




        By Jessica Quinn, Director of Marketing

               Cyber Defense Magazine

           www.cyberdefensemagazine.com


                                                    2
Today’s Agenda
1. During today’s session, you’ll hear from two unique and
   complementary perspectives on Application Security Trends
   that have taken place throughout 2012 which will help you be
   better prepared for the coming year.
2. First, our Editor of Cyber Defense Magazine will share some of
   the key trends and his insights in the area of Cloud Computing
   and related Network Security breaches.
3. Then, the CEO of iViz Security will take you through some of
   the best “insider” information on in-the-field, boots-on-the-
   ground issues such as top 10 vulnerabilities in cloud/web apps,
   top 10 business logic vulnerabilities, top 3 reasons people were
   compromised and much more.
4. Finally, we’ll open it up to Q&A and then share with you a
   special offer, as promised.
                                                                  3
Today’s Speakers
Gary Miliefsky, Editor, Cyber Defense Magazine
Gary is a Founding Member of the US Department of Homeland
Security, has advised multiple US Presidents’ Cyber Security
teams, and serves on the boards of NAISG, MITRE and Norwich
University’s Cyber-war Research Labs.

Bikash Barai, CEO, Co-founder, iViZ Security Inc.
Bikash is the co-founder and CEO of iViZ, a pioneer in Cloud based
Application Penetration Testing. He is credited with several
innovations in the domain of Network Security and Anti-Spam
Technologies and has patents filed under his name. Bikash is also
an active speaker at various platforms like Nasscom, University of
California - Berkeley, NUS Singapore, Global Security Challenge,
TiE and several others.

                                                                 4
INTRODUCTION
by Gary S. Miliefsky, CISSP, fmDHS
 Editor, Cyber Defense Magazine



                                     5
SaaS, Web, Cloud Applications - #1 Target of Cyber Crime




    We’re gunning for your apps because
         that’s where the data is…
                                                           6
There is a Growing Epidemic of Security Breaches




• “Every company in every conceivable industry with significant size and
  valuable intellectual property has been compromised (or will be shortly.)
  … the entire set of Fortune Global 2000 firms [can be divided] into two
  categories: those that know they’ve been compromised and those that
  don’t yet know.”


                                                                              7
Look at The Current Stats….

Cybercrime up by 6% in 2012
(Source: PONEMON INSTITUTE)

WhiteHouse Hacked by China
(Sources: WHITEHOUSE.GOV and PENTAGON.MIL)

Over 60% of Bing search results lead to infected pages

Over 30% of Google search results lead to infected pages

ADOBE UPDATE SERVER – HACKED IN SEPTEMBER
MICROSOFT INTERNET EXPLORER – HACKED IN OCTOBER
ORACLE – RELEASES OVER 109 SECURITY FIXES IN OCTOBER

Total Personally Identifiable Information Records Stolen (US): 563,000,000+
Total Common Vulnerabilities and Exposures (CVEs aka “holes”): ~54,000
Total MD5 Hash Entries in Top Anti-virus Databases: 100,000,000+ and growing
(Sources: CDM, Adobe, Microsoft, Oracle, MITRE, PrivacyRights.org, VirusBulletin)


                                                                                       8
Why does this keep happening?

1.   POOR CODING PRACTICES
2.   SOFTWARE CODING FLAWS
3.   NETWORK-BASED VULNERABILITIES
4.   FREELY AVAILABLE EXPLOITATION TOOLS
5.   ORGANIZED CRIME FUNDED HACKERS
6.   STATE FUNDED CYBER WARRIORS
7.   LACK OF REGULAR ASSESSMENT &
     REMEDIATION
     1.   PENETRATION TEST YOUR SAAS, WEB AND CLOUD OFFERINGS
     2.   REPORT ON THE HOLES AND STRATEGIZE HOW TO FIX
     3.   SCHEDULE WORKFLOW AND PERFORM REMEDIATION
     4.   REPEAT STEPS 1-3
                                                                9
Cyber Criminals Exploit Poorly Written Code...So…




 What are some of the Top
 Software Coding Flaws?
        (Source: http://cwe.mitre.org)




                                               10
Top Software Coding Flaws (CWEs)

Rank   Score   ID        Name
[1]    93.8    CWE-89    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

[2]    83.3    CWE-78    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

[3]    79.0    CWE-120   Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
[4]    77.7    CWE-79    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
[5]    76.9    CWE-306   Missing Authentication for Critical Function
[6]    76.8    CWE-862   Missing Authorization
[7]    75.0    CWE-798   Use of Hard-coded Credentials
[8]    75.0    CWE-311   Missing Encryption of Sensitive Data
[9]    74.0    CWE-434   Unrestricted Upload of File with Dangerous Type
[10]   73.8    CWE-807   Reliance on Untrusted Inputs in a Security Decision
[11]   73.1    CWE-250   Execution with Unnecessary Privileges
[12]   70.1    CWE-352   Cross-Site Request Forgery (CSRF)
[13]   69.3    CWE-22    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
[14]   68.5    CWE-494   Download of Code Without Integrity Check
[15]   67.8    CWE-863   Incorrect Authorization
[16]   66.0    CWE-829   Inclusion of Functionality from Untrusted Control Sphere
[17]   65.5    CWE-732   Incorrect Permission Assignment for Critical Resource
[18]   64.6    CWE-676   Use of Potentially Dangerous Function
[19]   64.1    CWE-327   Use of a Broken or Risky Cryptographic Algorithm
[20]   62.4    CWE-131   Incorrect Calculation of Buffer Size
[21]   61.5    CWE-307   Improper Restriction of Excessive Authentication Attempts
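The top-ranked flaw in the table, CWE-89, comes down to one coding habit: building the SQL text out of user input instead of passing the input as a parameter. The following is an added example (not code from the deck or from iViZ) that puts the vulnerable pattern beside the parameterised one on a constructed in-memory SQLite table. A name containing an apostrophe is enough to break the string-built query, which is the first visible symptom that the input is altering the statement's structure; the parameterised version handles the same name correctly.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory user table (example data, not from the deck)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("O'Brien", "user")])
    return conn


def lookup_role_vulnerable(conn, name):
    """CWE-89 pattern: the caller's string is spliced into the SQL text.
    Any quote inside `name` changes the statement's structure, so the query
    either fails to parse (as with O'Brien) or runs SQL the developer never wrote."""
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_role_hardened(conn, name):
    """Parameterised statement: the driver passes `name` as data, never as SQL,
    so quotes in the value cannot change the query's structure."""
    row = conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def vulnerable_breaks(conn, name):
    """True when the string-built query fails to parse for this input.
    A code reviewer can use exactly this symptom to confirm that a lookup
    needs to be rewritten with parameters."""
    try:
        lookup_role_vulnerable(conn, name)
        return False
    except sqlite3.OperationalError:
        return True
```

The hardened lookup is the same line count as the vulnerable one; the only change is moving the value from the SQL string into the parameter tuple, which is also what a SAST rule for CWE-89 looks for.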

                                                                                                                 11
Cyber Criminals Exploit Network-based Holes…So…




     What are some of the
          Top CVEs?
        (Source: http://cve.mitre.org)




                                             12
Top External Vulnerabilities (CVEs)

Apache Chunked-Encoding Memory Corruption Vulnerability
CVE-2002-0392
Microsoft ASP.NET Denial of Service Vulnerability (KB2659883 and MS11-100)
CVE-2011-3414, CVE-2011-3415, CVE-2011-3416, CVE-2011-3417
Microsoft SMB Remote Code Execution Vulnerability (MS09-001)
CVE-2008-4834, CVE-2008-4835, CVE-2008-4114
SSH Protocol Version 1 Supported
CVE-2001-1473
Microsoft Windows Server Service Could Allow Remote Code Execution (MS08-067)
CVE-2008-4250
Microsoft Windows Remote Desktop Protocol Remote Code Execution
Vulnerability (MS12-020)
CVE-2012-0002, CVE-2012-0152


                                                                     13
So Why Consider Going SaaS, Web or Cloud-based App?

• On-demand Benefits – No capacity issues; it’s all there when you need it,
  sized right.
• Lower Costs – The TCO is much lower and you don’t worry about hardware
  upgrades.
• Rent vs Own – Why own all that expensive equipment? Cloud elasticity
  allows your SaaS/Web/Cloud Apps to shrink or grow automatically.
• Space/Time Saver – Updates are faster and it takes less time to deploy
  newer versions or scale to larger platforms.
• Reliability – Business Continuity and Disaster Recovery Planning (BCP/DRP)
  and all related redundancies and backup systems are not your problem; just
  make sure you have a really good Service Level Agreement (SLA).

• 7x24x365 Access to your Apps – It’s up to the service provider, but you will
  usually have more uptime and IT service support without bearing the costs,
  and get a year-round, 24-hour system in place.
                                                                            14
Hmm…when moving to SaaS, Web or Cloud-apps, I ponder…

  • What are the most critical vulnerabilities that threaten the
    security of my perimeter defenses on the web or in the
    ‘Cloud’?

  • What is the probability that a cyber criminal could penetrate
    my Web-based applications and gain access to my data?

  • How can I find my vulnerabilities, and do so in a way that doesn’t
    turn into a time sink of false positives, so I can work through them
    quicker?

  • How do I prioritize the vulnerabilities, create a plan for
    improvement and get the budget approved?

                                                                    15
DEEP DIVE
with Bikash Barai, CEO & Co-founder
          iViZ Security Inc.
                                      16
Background


• iViZ – Cloud based Application Penetration
  Testing
    • Zero False Positive Guarantee
    • Business Logic Testing with 100% WASC (Web Application
      Security Consortium) class coverage
•   Funded by IDG Ventures
•   30+ Zero Day Vulnerabilities discovered
•   10+ Recognitions from Analysts and Industry
•   300+ Customers

                                                               17
Research Methodology


• Application security Data Collection
  • 300+ Customers
  • 5,000 + Application Security Tests
• 25% Apps from Asia, 40% Apps from USA
  and 25% from Europe




                                          18
Key Findings

• 99% of the Apps tested had at least 1 vulnerability
• 82% of the web applications had at least 1 High/Critical
  Vulnerability
• 90% of hacking incidents never become known to the public
• Very low correlation between Security and Compliance
  (Correlation Coefficient: 0.2)
• Average number of vulnerabilities per website: 35
• 30% of the hacked organizations knew the vulnerability (for
  which they got hacked) beforehand
• #1 Vulnerability: Cross site scripting (61%)
• #1 Secure vertical: Banking
• #1 Vulnerable Vertical: Retail


                                                                19
Average number of Vulnerabilities




                                    20
Top 5 Application Flaws




Percentage of websites containing the “Type of Vulnerability”
                                                                21
5 Common Business Logic Flaws


•   Weak Password recovery
•   Abusing Discount Logic/Coupons
•   Denial of Service using Business Logic
•   Price Manipulation during Transaction
•   Insufficient Server Side Validation (One Time
    Password (OTP) bypass)
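Three of the five flaws listed above (coupon abuse, price manipulation, OTP bypass) share one root cause: the server believes state that only the client reported. The following is an added example, not code from the deck or from iViZ, with a constructed catalogue, coupon table and OTP policy (the 300-second lifetime and three-guess limit are assumptions). `total_trusting_client` and `confirm_trusting_client` show the flawed shape a tester looks for; `Checkout` shows the server-side recomputation that closes each gap: price comes from the catalogue, the coupon is validated and marked redeemed, and the OTP is checked against server-held state with expiry, a guess limit and single use.

```python
import hmac
import secrets


class CheckoutError(Exception):
    pass


# Constructed catalogue and coupon table (example data). Prices are in cents.
CATALOG = {"sku-100": 4999, "sku-200": 1500}
COUPONS = {"SAVE10": {"percent": 10, "single_use": True}}


def total_trusting_client(req):
    """Flawed pattern behind price manipulation: unit_price and discount are
    read from the request body, so the browser decides what gets charged."""
    subtotal = sum(item["qty"] * item["unit_price"] for item in req["items"])
    return subtotal - req.get("discount", 0)


def confirm_trusting_client(req):
    """Flawed OTP pattern: the client itself reports that the OTP step passed."""
    return req.get("otp_verified") is True


class Checkout:
    """Server-side recomputation of price, coupon state and OTP state."""

    OTP_TTL = 300        # seconds an OTP stays valid (assumed policy)
    OTP_MAX_TRIES = 3    # wrong guesses before the OTP is discarded (assumed)

    def __init__(self):
        self.redeemed = set()   # (user, coupon) pairs already used
        self.otps = {}          # order_id -> [code, expiry, wrong_tries]

    def total(self, req):
        subtotal = 0
        for item in req["items"]:
            if not isinstance(item["qty"], int) or item["qty"] <= 0:
                raise CheckoutError("invalid quantity")
            price = CATALOG.get(item["sku"])
            if price is None:
                raise CheckoutError("unknown sku")
            subtotal += item["qty"] * price      # any client-sent unit_price is ignored
        code = req.get("coupon")
        if code is not None:
            coupon = COUPONS.get(code)
            if coupon is None:
                raise CheckoutError("invalid coupon")
            if coupon["single_use"] and (req["user"], code) in self.redeemed:
                raise CheckoutError("coupon already redeemed")
            subtotal -= subtotal * coupon["percent"] // 100
        return max(subtotal, 0)                  # client-sent discount is ignored

    def place_order(self, req):
        amount = self.total(req)
        if req.get("coupon") is not None:
            self.redeemed.add((req["user"], req["coupon"]))
        return amount

    def issue_otp(self, order_id, now):
        """Generate and store an OTP; in practice it is sent out of band."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.otps[order_id] = [code, now + self.OTP_TTL, 0]
        return code

    def verify_otp(self, order_id, submitted, now):
        """Decide success from server-held state only: expiry, try count, one use."""
        rec = self.otps.get(order_id)
        if rec is None:
            return False
        code, expiry, tries = rec
        if now > expiry or tries >= self.OTP_MAX_TRIES:
            del self.otps[order_id]
            return False
        if hmac.compare_digest(code, str(submitted)):
            del self.otps[order_id]              # consumed on first success
            return True
        rec[2] += 1
        return False
```

`now` is passed in rather than read from the clock so the expiry and retry paths can be exercised deterministically; the comparison uses `hmac.compare_digest` so the check does not leak timing information about the code.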




                                                    22
Which are the most vulnerable Industry Verticals?




       Average number of Vulnerabilities per Application
                                                           23
Application Security Posture by Geography




     Average number of Vulnerability per Application
                                                       24
Top 5 Application Security Trends




                                    25
Runtime Application Security Protection (RASP)

• RASP is an integral part of an application’s run time
  environment.
• RASP can detect attacks at runtime (e.g. an attempt to write a high
  volume of data, or unauthorized database access).
• It has the real time capability to take actions like terminating
  sessions, raising alerts etc.
• A Web Application Firewall (WAF) can detect attacks, and RASP
  verifies them and takes action.
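To make the RASP bullets concrete, here is an added example (not code from the deck or from any RASP product) of the in-process pattern they describe: a guard that wraps the application's own data-access function, sees each call together with its session context, and reacts to the two conditions named above, unauthorized database access and excessive data volume, by raising an alert and terminating the session. The table-to-role policy, the 100-row-per-60-second budget and the `fetch_rows` stand-in are constructed assumptions; the clock is injected so the behaviour can be tested deterministically.

```python
import functools
from collections import defaultdict


class SessionTerminated(Exception):
    pass


class RuntimeGuard:
    """RASP-style guard living inside the application process (constructed example).
    It is placed on the data-access path, so it has the session and the query
    context a perimeter WAF never sees."""

    def __init__(self, allowed_tables, max_rows_per_window, window_seconds, clock):
        self.allowed = allowed_tables         # role -> set of tables that role may read
        self.max_rows = max_rows_per_window   # rows one session may pull per window
        self.window = window_seconds
        self.clock = clock                    # injectable for deterministic tests
        self.history = defaultdict(list)      # session id -> [(timestamp, rows)]
        self.alerts = []                      # what a SIEM would receive
        self.terminated = set()

    def _terminate(self, session, reason, table):
        self.alerts.append({"session": session["id"], "reason": reason, "table": table})
        self.terminated.add(session["id"])
        raise SessionTerminated(reason)

    def _rows_in_window(self, session_id, now):
        recent = [(ts, n) for ts, n in self.history[session_id] if now - ts <= self.window]
        self.history[session_id] = recent
        return sum(n for _, n in recent)

    def protect(self, fn):
        """Decorator for fn(session, table, ...) that returns the rows it accessed."""
        @functools.wraps(fn)
        def wrapper(session, table, *args, **kwargs):
            if session["id"] in self.terminated:
                raise SessionTerminated("session already terminated")
            if table not in self.allowed.get(session["role"], set()):
                self._terminate(session, "unauthorized table access", table)
            rows = fn(session, table, *args, **kwargs)
            now = self.clock()
            self.history[session["id"]].append((now, len(rows)))
            if self._rows_in_window(session["id"], now) > self.max_rows:
                self._terminate(session, "data volume threshold exceeded", table)
            return rows
        return wrapper


def fetch_rows(session, table, count):
    """Stand-in for the application's real data-access function (constructed)."""
    return [f"{table}:{i}" for i in range(count)]


def demo():
    """Run four calls through the guard with a fixed clock; return the alerts raised."""
    guard = RuntimeGuard({"user": {"orders"}, "admin": {"orders", "users"}},
                         max_rows_per_window=100, window_seconds=60, clock=lambda: 0.0)
    protected = guard.protect(fetch_rows)
    user = {"id": "s1", "role": "user"}
    admin = {"id": "s2", "role": "admin"}
    protected(user, "orders", 10)            # permitted table, well under the budget
    for sess, table, n in [(user, "users", 1),     # user role touching the users table
                           (admin, "users", 90),   # admin: allowed, 90 rows so far
                           (admin, "users", 20)]:  # admin: 110 rows in the window
        try:
            protected(sess, table, n)
        except SessionTerminated:
            pass
    return guard.alerts
```

The volume check deliberately runs after the underlying call, because the guard cannot know the row count before the query executes; what it can do is stop the session before the next request, which is the "terminate session" action the slide refers to.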




                                                                 26
Collaborative Security Intelligence

•   DAST+SAST=IAST
•   SAST+DAST+WAF
•   SAST+DAST+SIM/SIEM
•   WAF+RASP
•   Grand Unification

DAST: Dynamic Application Security Testing
SAST: Static Application Security Testing
IAST: Interactive Application Security Testing
SIM: Security Incident Management
SIEM: Security Incident and Event Management


                                                  27
Hybrid Application Security Testing

• Problems with Automation
   • False Positives
   • Business Logic Testing
• Why is Artificial Intelligence not enough?
   • Multi Stage Attack Planning is not solved
   • Modeling Creativity and Intuition is suboptimal
   • Cannot discover and verify assumptions
• How to solve it?
   • Not “Man vs Machine” but “Man and Machine”
   • Hybrid Testing: the power of automation plus a manual augmentation model
     which can scale
   • The scaling model can be steeply linear or non-linear, depending on innovations




                                                                             28
Application Security as a Service

• #1 Problem the Appsec industry is facing…
   • Severe dearth of trained AppSec professionals
• Trends in overall Tech Industry
   • Focus on Core Competency, Cloud, “Get it done” vs “Do it Yourself”
• What are the options to leverage
   •   WAF as a service
   •   SIM as a service
   •   DAST/SAST/VM as a service
   •   Hybrid Pen Testing as a SaaS
• Benefits
   •   Resolving the problems of talent acquisition and retention
   •   Reduction of fixed operational costs
   •   Help in focusing on core competency
   •   Reduction of operational management overheads
                                                                           29
Beyond SDLC: Secure Dev-Ops

• What is Dev-Ops?
  • Software Development methodology which focuses on
    communication, collaboration and integration of Developers and IT
    Operations professionals
  • Software Engineering+Quality Assurance+Tech Operations
• Dev-Ops goes beyond the Software Development Lifecycle
  (SDLC)
• Need to move from Secure SDLC to Secure Dev-Ops




                                                                        30
Application Security Vulnerability Management Model


• Types of Apps by Business Criticality
  • High
  • Medium
  • Low
• Type of Testing
  • Automated
  • Standard: Automated + False Positive Removal
  • Premium: Automated + False Positive Removal +
    Business Logic Testing

                                                      31
Application Security Vulnerability Management Model

• Testing Strategy for Apps with following Business
  Criticality (Minimum Requirement)
   • High
       • Premium Test for every major release
       • Standard test for every minor release
   • Medium
       • Standard test for every release
   • Low
       • Automated test on a quarterly,
         yearly basis or during every
         release
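The two "Application Security Vulnerability Management Model" slides above define a small policy: each app gets a business criticality, and each release (or calendar tick) maps that criticality to a minimum test tier. Writing the policy down as code makes it checkable, which is what the following added example does (not code from the deck or from iViZ). `required_tier` encodes the slide's table; `build_plan` applies it to a constructed list of release events; `coverage_gaps` compares the plan against the tests actually performed. One assumption is labelled in the code: for Low-criticality apps, where the slide offers quarterly, yearly or per-release testing, the quarterly option is taken as the minimum.

```python
from enum import Enum


class Criticality(Enum):
    HIGH = "high"
    MEDIUM = "medium"
    LOW = "low"


class Tier(Enum):
    AUTOMATED = 1   # automated scan only
    STANDARD = 2    # automated + false-positive removal
    PREMIUM = 3     # standard + manual business-logic testing


# Event kinds: "major" or "minor" release of an app, or the "quarter" calendar tick.
def required_tier(criticality, event):
    """Minimum test tier for one app and one event, following the deck's model.
    Assumption: Low-criticality apps follow the quarterly option from the slide."""
    if criticality is Criticality.HIGH:
        if event == "major":
            return Tier.PREMIUM
        if event == "minor":
            return Tier.STANDARD
        return None
    if criticality is Criticality.MEDIUM:
        return Tier.STANDARD if event in ("major", "minor") else None
    if criticality is Criticality.LOW:
        return Tier.AUTOMATED if event in ("major", "minor", "quarter") else None
    raise ValueError(f"unknown criticality {criticality!r}")


def build_plan(apps, events):
    """apps: {app_name: Criticality}; events: [(app_name, event_kind)].
    Returns [(app_name, Tier)] for every event that requires a test."""
    plan = []
    for app, kind in events:
        tier = required_tier(apps[app], kind)
        if tier is not None:
            plan.append((app, tier))
    return plan


def coverage_gaps(plan, executed):
    """executed: {(app_name, Tier performed)} within the reporting period.
    A planned test is covered when a test of at least that tier was performed
    on the app; a lower tier (e.g. automated-only on a High app's major release)
    is reported as a gap. Simplified to one period, without per-event timing."""
    gaps = []
    for app, tier in plan:
        highest_done = max((t.value for a, t in executed if a == app), default=0)
        if highest_done < tier.value:
            gaps.append((app, tier))
    return gaps
```

The gap report is the piece a security team actually acts on: it turns "we test business-critical apps at every major release" from a slide statement into a list of apps that shipped without the required tier.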
                                                      32
80/20 Rule: Top 5 focus

• #1: Identify and Classify all Apps based on Business
  Criticality
• #2: Regular Testing
   • Hybrid Testing (Auto+Manual): All Business Critical Apps during every
     major release
   • Automated Testing: All Business Critical Apps during every release +
     Rest on Quarterly basis
• #3: Implement efficient Patching Process
• #4: Implement WAF for Business Critical Apps
• #5: Implement Secure SDLC/Secure Dev-Ops


                                                                             33
QUESTIONS AND ANSWERS




                        34
How do I get my freebies?

• Free Penetration Test: Simply mail us
  • varun@ivizsecurity.com




• Free Checklist to evaluate a Pen Testing vendor
   • We will send you the download link over email

                                                     35
Additional Bonus to Attendees…Get Your Free Copy…


Signup Today for FREE E-Subscriptions:

FREE MONTHLY NEWSLETTERS
20-40 pages packed with tips, tricks, tools and
techniques for better IT Security and Regulatory
Compliance

FREE QUARTERLY MAGAZINE
Ships in print at RSA Conference and BlackHat in
2013, Covers next generation tools and
techniques, Cyber Defense Test Labs (CDTL)
INFOSEC product reviews, and much more…

www.cyberdefensemagazine.com

                                                   36
Thank You

• Bikash Barai
  • bikash@ivizsecurity.com
  • @bikashbarai1


• Gary Miliefsky
  • garym@cyberdefensemagazine.com




                                     37
Q&A

• What are the secrets vendors don’t tell?
• How to evaluate a security testing vendor?
• Can you tell me a real life case study of an organization which
  you consider as a “good example”….




                                                                    38
Solantus: “Advancing the Distribution Model”

Quick thanks to our silent sponsor, Solantus:

Through well formulated business practices and processes, we
take new product and service introductions to successful
mainstream market acceptance.

Our technology “Story” is one in which we embrace products
and services that incorporate proven innovations which help
differentiate our channel partners and serve the best interests of
their customers.

Learn more about next-gen distribution at www.solantus.com

                                                                     39
Call To Action

To receive your free penetration testing, please contact us using
your real email address at the company where you work and where you
have permission to allow this offering.

We cannot accept emails from google or
yahoo, etc…as our service requires
corporate approval. Send your email
request to:

sales@ivizsecurity.com

In addition, we will send you your free checklist to selecting your
application penetration testing (APT) vendor.
                                                                      40

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 

Top Application Security Trends of 2012

  • 5. INTRODUCTION by Gary S. Miliefsky, CISSP, fmDHS, Editor, Cyber Defense Magazine
  • 6. SaaS, Web, Cloud Applications - #1 Target of Cyber Crime. We’re gunning for your apps because that’s where the data is…
  • 7. There is a Growing Epidemic of Security Breaches
    • “Every company in every conceivable industry with significant size and valuable intellectual property has been compromised (or will be shortly.) … the entire set of Fortune Global 2000 firms [can be divided] into two categories: those that know they’ve been compromised and those that don’t yet know.”
  • 8. Look at The Current Stats…
    • Cybercrime up by 6% in 2012 (Source: PONEMON INSTITUTE)
    • Over 60% of Bing search results lead to infected pages
    • Over 30% of Google search results lead to infected pages
    • WhiteHouse Hacked by China (Sources: WHITEHOUSE.GOV and PENTAGON.MIL)
    • ADOBE UPDATE SERVER – HACKED IN SEPTEMBER
    • MICROSOFT INTERNET EXPLORER – HACKED IN OCTOBER
    • ORACLE – RELEASES OVER 109 SECURITY FIXES IN OCTOBER
    • Total Personally Identifiable Information Records Stolen (US): 563,000,000+
    • Total Common Vulnerabilities and Exposures (CVEs aka “holes”): ~54,000
    • Total MD5 Hash Entries in Top Anti-virus Databases: 100,000,000+ and growing
    (Sources: CDM, Adobe, Microsoft, Oracle, MITRE, PrivacyRights.org, VirusBulletin)
  • 9. Why does this keep happening?
    1. POOR CODING PRACTICES
    2. SOFTWARE CODING FLAWS
    3. NETWORK-BASED VULNERABILITIES
    4. FREELY AVAILABLE EXPLOITATION TOOLS
    5. ORGANIZED CRIME FUNDED HACKERS
    6. STATE FUNDED CYBER WARRIORS
    7. LACK OF REGULAR ASSESSMENT & REMEDIATION
    The fix:
    1. PENETRATION TEST YOUR SAAS, WEB AND CLOUD OFFERINGS
    2. REPORT ON THE HOLES AND STRATEGIZE HOW TO FIX
    3. SCHEDULE WORKFLOW AND PERFORM REMEDIATION
    4. REPEAT STEPS 1-3
  • 10. Cyber Criminals Exploit Poorly Written Code...So… What are some of the Top Software Coding Flaws? (Source: http://cwe.mitre.org)
  • 11. Top Software Coding Flaws (CWEs)
    Rank  Score  ID       Name
    [1]   93.8   CWE-89   Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    [2]   83.3   CWE-78   Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    [3]   79.0   CWE-120  Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
    [4]   77.7   CWE-79   Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    [5]   76.9   CWE-306  Missing Authentication for Critical Function
    [6]   76.8   CWE-862  Missing Authorization
    [7]   75.0   CWE-798  Use of Hard-coded Credentials
    [8]   75.0   CWE-311  Missing Encryption of Sensitive Data
    [9]   74.0   CWE-434  Unrestricted Upload of File with Dangerous Type
    [10]  73.8   CWE-807  Reliance on Untrusted Inputs in a Security Decision
    [11]  73.1   CWE-250  Execution with Unnecessary Privileges
    [12]  70.1   CWE-352  Cross-Site Request Forgery (CSRF)
    [13]  69.3   CWE-22   Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    [14]  68.5   CWE-494  Download of Code Without Integrity Check
    [15]  67.8   CWE-863  Incorrect Authorization
    [16]  66.0   CWE-829  Inclusion of Functionality from Untrusted Control Sphere
    [17]  65.5   CWE-732  Incorrect Permission Assignment for Critical Resource
    [18]  64.6   CWE-676  Use of Potentially Dangerous Function
    [19]  64.1   CWE-327  Use of a Broken or Risky Cryptographic Algorithm
    [20]  62.4   CWE-131  Incorrect Calculation of Buffer Size
    [21]  61.5   CWE-307  Improper Restriction of Excessive Authentication Attempts
  • 12. Cyber Criminals Exploit Network-based Holes…So… What are some of the Top CVEs? (Source: http://cve.mitre.org)
  • 13. Top External Vulnerabilities (CVEs)
    • Apache Chunked-Encoding Memory Corruption Vulnerability: CVE-2002-0392
    • Microsoft ASP.NET Denial of Service Vulnerability (KB2659883 and MS11-100): CVE-2011-3414, CVE-2011-3415, CVE-2011-3416, CVE-2011-3417
    • Microsoft SMB Remote Code Execution Vulnerability (MS09-001): CVE-2008-4834, CVE-2008-4835, CVE-2008-4114
    • SSH Protocol Version 1 Supported: CVE-2001-1473
    • Microsoft Windows Server Service Could Allow Remote Code Execution (MS08-067): CVE-2008-4250
    • Microsoft Windows Remote Desktop Protocol Remote Code Execution Vulnerability (MS12-020): CVE-2012-0002, CVE-2012-0152
  • 14. So Why Consider Going SaaS, Web or Cloud-based App?
    • On-demand Benefits – No capacity issues…it’s all there when you need it, sized right.
    • Lower Costs – The TCO is much lower and you don’t worry about hardware upgrades.
    • Rent vs Own – Why own all that expensive equipment? Cloud elasticity allows your SaaS/Web/Cloud Apps to shrink or grow automatically.
    • Space/Time Saver – Updates are faster and it takes less time to deploy newer versions or scale to larger platforms.
    • Reliability – Business Continuity and Disaster Recovery Planning (BCP/DRP) and all related redundancies and backup systems are not your problem; just make sure you have a really good Service Level Agreement (SLA).
    • 7x24x365 Access to your Apps – It’s up to the service provider, but you will usually have more uptime and IT service support without bearing the costs, and get a year-round 24-hour system in place.
  • 15. Hmm…when moving to SaaS, Web or Cloud-apps, I ponder…
    • What are the most critical vulnerabilities that threaten the security of my perimeter defenses on the web or in the ‘Cloud’?
    • What is the probability that a cyber criminal could penetrate my Web-based applications and gain access to my data?
    • How can I find my vulnerabilities, and do so in a way that has no time sink of false positives, so I can work through them quicker?
    • How do I prioritize the vulnerabilities, create a plan for improvement and get the budget approved?
  • 16. DEEP DIVE with Bikash Barai, CEO & Co-founder, iViZ Security Inc.
  • 17. Background
    • iViZ – Cloud based Application Penetration Testing
    • Zero False Positive Guarantee
    • Business Logic Testing with 100% WASC (Web Application Security Consortium) class coverage
    • Funded by IDG Ventures
    • 30+ Zero Day Vulnerabilities discovered
    • 10+ Recognitions from Analysts and Industry
    • 300+ Customers
  • 18. Research Methodology
    • Application security data collection
    • 300+ Customers
    • 5,000+ Application Security Tests
    • 25% Apps from Asia, 40% Apps from USA and 25% from Europe
  • 19. Key Findings
    • 99% of the Apps tested had at least 1 vulnerability
    • 82% of the web applications had at least 1 High/Critical Vulnerability
    • 90% of hacking incidents never become known to the public
    • Very low correlation between Security and Compliance (Correlation Coefficient: 0.2)
    • Average number of vulnerabilities per website: 35
    • 30% of the hacked organizations knew of the vulnerability (for which they got hacked) beforehand
    • #1 Vulnerability: Cross site scripting (61%)
    • #1 Secure vertical: Banking
    • #1 Vulnerable Vertical: Retail
  • 20. Average number of Vulnerabilities (chart)
  • 21. Top 5 Application Flaws: Percentage of websites containing the “Type of Vulnerability” (chart)
  • 22. 5 Common Business Logic Flaws
    • Weak Password recovery
    • Abusing Discount Logic/Coupons
    • Denial of Service using Business Logic
    • Price Manipulation during Transaction
    • Insufficient Server Side Validation (One Time Password (OTP) bypass)
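As an added illustration of two of the flaws on slide 22, Price Manipulation during Transaction and Abusing Discount Logic/Coupons (example code written for this page, not from the webinar or from iViZ): a checkout that believes the client's price and discount fields, beside one that recomputes everything server-side. The catalog, coupon table and sample requests are constructed data.

```python
# Added example, not code from the webinar deck or from iViZ: a checkout
# handler showing "Price Manipulation during Transaction" and "Abusing
# Discount Logic/Coupons" beside a server-side-validated version.
# CATALOG, COUPONS and the sample requests are constructed data.
from decimal import Decimal

CATALOG = {"sku-100": Decimal("49.99"), "sku-200": Decimal("9.50")}
COUPONS = {"SAVE10": {"percent": 10, "min_order": Decimal("40.00"), "single_use": True}}

# Constructed tampered request: client-supplied unit price and discount fields.
TAMPERED_REQUEST = {"items": [{"sku": "sku-100", "qty": 1, "price": "0.01"}], "discount": 90}
# Constructed honest requests that try to redeem the coupon.
COUPON_REQUEST = {"items": [{"sku": "sku-100", "qty": 1}], "coupon": "SAVE10"}
SMALL_REQUEST = {"items": [{"sku": "sku-200", "qty": 1}], "coupon": "SAVE10"}


def vulnerable_checkout(req: dict) -> Decimal:
    """Trusts the POST body: unit price and discount percentage both come
    from the client, so the total is whatever the client says it is."""
    subtotal = sum(Decimal(i["price"]) * i["qty"] for i in req["items"])
    return subtotal - subtotal * Decimal(req.get("discount", 0)) / 100


def hardened_checkout(req: dict, redeemed: set) -> Decimal:
    """Recomputes the total from the server-side catalog; any 'price' or
    'discount' field sent by the client is ignored.  Coupon rules (minimum
    order, single use) are enforced here, not in the browser."""
    subtotal = Decimal(0)
    for item in req["items"]:
        sku, qty = item["sku"], int(item["qty"])
        if sku not in CATALOG or qty <= 0:          # unknown SKU or negative qty
            raise ValueError(f"invalid line item {item}")
        subtotal += CATALOG[sku] * qty
    code = req.get("coupon")
    if code:
        rule = COUPONS.get(code)
        if rule is None or subtotal < rule["min_order"]:
            raise ValueError("coupon not applicable")
        if rule["single_use"] and code in redeemed:
            raise ValueError("coupon already redeemed")
        redeemed.add(code)                           # burn the code at redemption
        subtotal -= subtotal * rule["percent"] / 100
    return subtotal.quantize(Decimal("0.01"))


def try_checkout(req: dict, redeemed: set) -> str:
    """Returns the charged total as a string, or the rejection reason."""
    try:
        return str(hardened_checkout(req, redeemed))
    except ValueError as exc:
        return f"rejected: {exc}"
```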
  • 23. Which are the most vulnerable Industry Verticals? Average number of Vulnerabilities per Application (chart)
  • 24. Application Security Posture by Geography: Average number of Vulnerabilities per Application (chart)
  • 25. Top 5 Application Security Trends
  • 26. Runtime Application Security Protection (RASP)
    • RASP is an integral part of an application’s runtime environment.
    • RASP can detect attacks at runtime (e.g. an attempt to write a high volume of data, or unauthorized database access).
    • It has real-time capability to take actions like terminating sessions, raising alerts, etc.
    • A Web Application Firewall (WAF) can detect attacks, and RASP can verify them and take action.
  • 27. Collaborative Security Intelligence
    • DAST+SAST=IAST
    • SAST+DAST+WAF
    • SAST+DAST+SIM/SIEM
    • WAF+RASP
    • Grand Unification
    DAST: Dynamic Application Security Testing; SAST: Static Application Security Testing; IAST: Interactive Application Security Testing; SIM: Security Incident Management; SIEM: Security Incident and Event Management
  • 28. Hybrid Application Security Testing
    • Problems with Automation
      • False Positives
      • Business Logic Testing
    • Why is Artificial Intelligence not enough?
      • Multi-Stage Attack Planning is not solved
      • Modeling Creativity and Intuition is suboptimal
      • Cannot discover and verify assumptions
    • How to solve it?
      • Not “Man vs Machine” but “Man and Machine”
      • Hybrid Testing with the power of automation plus a manual augmentation model which can scale
      • The scaling model can be very steep, linear or non-linear depending on innovations
  • 29. Application Security as a Service
    • #1 Problem the AppSec industry is facing…
      • Severe dearth of trained AppSec professionals
    • Trends in the overall Tech Industry
      • Focus on Core Competency, Cloud, “Get it done” vs “Do it Yourself”
    • What are the options to leverage?
      • WAF as a service
      • SIM as a service
      • DAST/SAST/VM as a service
      • Hybrid Pen Testing as a SaaS
    • Benefits
      • Resolving the problems of talent acquisition and retention
      • Reduction of fixed operational costs
      • Help in focusing on core competency
      • Reduction of operational management overheads
  • 30. Beyond SDLC: Secure Dev-Ops
    • What is Dev-Ops?
      • A software development methodology which focuses on communication, collaboration and integration of Developers and IT Operations professionals
      • Software Engineering + Quality Assurance + Tech Operations
    • Dev-Ops goes beyond the Software Development Lifecycle (SDLC)
    • Need to move from Secure SDLC to Secure Dev-Ops
  • 31. Application Security Vulnerability Management Model
    • Types of Apps by Business Criticality
      • High
      • Medium
      • Low
    • Type of Testing
      • Automated
      • Standard: Automated + False Positive Removal
      • Premium: Automated + False Positive Removal + Business Logic Testing
  • 32. Application Security Vulnerability Management Model
    • Testing Strategy for Apps with the following Business Criticality (Minimum Requirement)
      • High
        • Premium test for every major release
        • Standard test for every minor release
      • Medium
        • Standard test for every release
      • Low
        • Automated test on a quarterly or yearly basis, or during every release
  • 33. 80/20 Rule: Top 5 focus
    • #1: Identify and Classify all Apps based on Business Criticality
    • #2: Regular Testing
      • Hybrid Testing (Auto+Manual): All Business Critical Apps during every major release
      • Automated Testing: All Business Critical Apps during every release + Rest on a Quarterly basis
    • #3: Implement an efficient Patching Process
    • #4: Implement WAF for Business Critical Apps
    • #5: Implement Secure SDLC/Secure Dev-Ops
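The vulnerability management model of slides 31 to 33, as an added worked example (code written for this page, not the deck's or iViZ's own tooling): the per-release rule of slide 32 plus the quarterly baseline of slide 33 #2, run over a constructed app inventory and test history to list which apps are out of policy. The app names, dates and tiers are constructed sample data; how to handle low-criticality apps is read here as "at least an automated test every quarter".

```python
# Added example, not code from the webinar deck or from iViZ: the deck's
# vulnerability management model (slides 31-33) as a small policy check.
# APPS, RELEASES, TESTS and TODAY are constructed sample data.
from datetime import date, timedelta

TIERS = ("automated", "standard", "premium")   # slide 31, ascending depth


def required_test(criticality: str, release: str) -> str:
    """Minimum test tier for one release (slide 32); release is 'major' or 'minor'."""
    if criticality == "high":
        return "premium" if release == "major" else "standard"
    if criticality == "medium":
        return "standard"
    if criticality == "low":
        return "automated"
    # Slide 33 #1: an app that has not been classified cannot be scheduled.
    raise ValueError(f"unclassified app criticality: {criticality!r}")


def compliance_gaps(apps, releases, tests, today):
    """apps: {name: criticality}; releases: [(app, date, kind)];
    tests: [(app, date, tier)].  Returns [(app, reason)] for every release
    not covered by a test of at least the required tier on or after its
    date, plus any app with no test of any tier in the last quarter
    (the 'rest on a quarterly basis' baseline of slide 33 #2)."""
    gaps = []
    quarter_ago = today - timedelta(days=91)
    for app, crit in apps.items():
        app_tests = [(d, t) for a, d, t in tests if a == app]
        for a, rdate, kind in releases:
            if a != app:
                continue
            need = required_test(crit, kind)
            covered = any(d >= rdate and TIERS.index(t) >= TIERS.index(need)
                          for d, t in app_tests)
            if not covered:
                gaps.append((app, f"{kind} release on {rdate} lacks {need} test"))
        if not any(d >= quarter_ago for d, _ in app_tests):
            gaps.append((app, "no test in the last quarter"))
    return gaps


# Constructed inventory and history.
APPS = {"payments": "high", "portal": "medium", "blog": "low"}
TODAY = date(2012, 11, 20)
RELEASES = [("payments", date(2012, 10, 1), "major"),
            ("payments", date(2012, 11, 5), "minor"),
            ("portal", date(2012, 9, 15), "minor"),
            ("blog", date(2012, 6, 1), "major")]
TESTS = [("payments", date(2012, 10, 3), "premium"),
         ("payments", date(2012, 11, 6), "automated"),
         ("portal", date(2012, 9, 20), "standard"),
         ("blog", date(2012, 6, 2), "automated")]

if __name__ == "__main__":
    for app, reason in compliance_gaps(APPS, RELEASES, TESTS, TODAY):
        print(f"{app}: {reason}")
```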
  • 35. How do I get my freebies?
    • Free Penetration Test: Simply mail us at varun@ivizsecurity.com
    • Free Checklist to evaluate a Pen Testing vendor: We will send you the download link over email
  • 36. Additional Bonus to Attendees…Get Your Free Copy… Signup Today for FREE E-Subscriptions:
    • FREE MONTHLY NEWSLETTERS – 20-40 pages packed with tips, tricks, tools and techniques for better IT Security and Regulatory Compliance
    • FREE QUARTERLY MAGAZINE – Ships in print at RSA Conference and BlackHat in 2013; covers next generation tools and techniques, Cyber Defense Test Labs (CDTL) INFOSEC product reviews, and much more… www.cyberdefensemagazine.com
  • 37. Thank You
    • Bikash Barai – bikash@ivizsecurity.com – @bikashbarai1
    • Gary Miliefsky – garym@cyberdefensemagazine.com
  • 38. Q&A
    • What are the secrets vendors don’t tell?
    • How to evaluate a security testing vendor?
    • Can you tell me a real-life case study of an organization which you consider a “good example”?
  • 39. Solantus: “Advancing the Distribution Model”. Quick thanks to our silent sponsor, Solantus: Through well-formulated business practices and processes, we take new product and service introductions to successful mainstream market acceptance. Our technology “Story” is one in which we embrace products and services that incorporate proven innovations which help differentiate our channel partners and serve the best interests of their customers. Learn more about next-gen distribution at www.solantus.com
  • 40. Call To Action: To receive your free penetration testing, please contact us using your real email address at the company where you work and where you have permission to allow this offering. We cannot accept emails from google or yahoo, etc…as our service requires corporate approval. Send your email request to: sales@ivizsecurity.com. In addition, we will send you your free checklist for selecting your application penetration testing (APT) vendor.