The webinar will begin at 9am PT / Noon ET

Webinar: Strategies for Web Application Security

Featuring:

Andy Hoernecke
Sr. Application Security Consultant
Neohapsis

David McKenzie
Sr. Director Business Consulting
OpSource

Turn up the speakers on your computer for streamed audio or dial in to:
 – U.S.: (888) 669-5051
 – International: (303) 330-0440 (Room: *8886695051#)

                            © 2010 OpSource, Inc. All rights reserved.
Agenda

• Housekeeping


• Intro to OpSource


• Featured Presentation by Neohapsis


• Q&A Session




Welcome!

• Moderating: Dave McKenzie, Sr. Director Business Consulting, OpSource

• All phones are set on mute

• If you have a question, please use the Chat Q&A box located below the
  presentation panel

• We will collect questions throughout the webinar and answer as many as
  we can at the end

• If we don’t answer your question, we’ll follow up with an answer via email

• Full-screen button will let you toggle between a larger image view and the
  view with Q&A box to type in questions – you can use it throughout the
  webinar


OpSource: Enterprise Cloud and Managed Hosting

• OpSource provides Enterprise Cloud
  and Managed Hosting Services

• Solutions for SaaS, Enterprise, Telecoms
  and Cloud Platforms

• Investors: Crosslink Ventures, Velocity Interactive Group, Intel and NTT

• Founded in 2002

• Offices: Santa Clara, CA (HQ); Herndon, VA; Dublin, London, Bangalore

• Unmatched Industry Experience
   – SaaS Hosting and Scaling Software-Oriented Architectures (SOA)
   – High Performance, Secure Cloud Computing




OpSource Serves 600+ Clients with Millions of End-Users

SaaS & Managed Hosting          Hybrid Hosting                        Cloud Hosting




OpSource Partner Ecosystem

Telecom   Distribution        Consulting                    Cloud Platform   Infrastructure




Andy Hoernecke, Sr. Application Security Consultant,
Neohapsis

 • Sr. Application Security Consultant


 • Graduate of Iowa State University with a Master's degree in
   Information Assurance and Computer Engineering.


 • Performs a variety of assessments including penetration tests,
   blackbox / whitebox assessment, SDLC review, and security tool
   implementation


 • Industries Served include Federal/Local Government, Financial
   Services, Entertainment, Manufacturing, Retail, and Internet
   Service Providers



Strategies for Web Application Security



                     Andy Hoernecke
                     Sr. Application Security Consultant
                     April 13th, 2011
Agenda

          Background
          Tool Introduction
          Web Application Scanning Strengths/Weaknesses
          Where Scanning Makes Sense
          SDL Integration
          Supplemental Security Measures




9   Neohapsis Confidential
Background

           ~96% of records breached involved “hacking” or
           malware
           ~92% of records stolen through “hacking” involved a web
           application
           Most commonly exploited web application vulnerabilities
           include:
                 SQL Injection
                 Brute Force Attacks
                 OS Commanding
                 Default/Guessable Credentials
                 Cross-Site Scripting
      Source: 2010 Data Breach Investigations Report, Verizon Business Risk Team

Tool Introduction - Dynamic Analysis

           Tests running web applications by making requests as a
           normal user would

           Examples:
                 IBM AppScan
                 HP WebInspect
                 WhiteHat

           Scanning phases generally include
                 Spidering
                 Fault Injection
                 Analysis

Tool Introduction - Static Analysis

           Tests through the analysis of source or object code

           Examples:
                 Fortify
                 Veracode


           Capabilities vary greatly
                 May require compilable code
                 May only handle certain languages


           Not currently as widely adopted

Dynamic Analysis Strengths

           Performing tedious tests (Fuzzing)
                 XSS
                 File Path manipulation
                 SSL issues
           Signature Based Tests
                 Known vulnerabilities in common applications
           Sensitive Information Checks
                 Default files/scripts
                 Certain types of information disclosure (internal IP addresses)
           Configuration Issues
           Parameter based fault injection

Dynamic Analysis Weaknesses

           Logic Bugs
                 Example: Negative Pricing/Quantity
           Authentication Issues
                 SSO Related
           Authorization Problems
                 User Role Enforcement
                 Forced Browsing
           Vulnerabilities part of complex/multi-step processes
           Identifying discrete pages in “rewritten URLs”
           Results can vary greatly based on configuration and
           scanner in use
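The following is an added example, not code from the original webinar or from Neohapsis; it ties together the "Tool Introduction - Dynamic Analysis" slide (spidering, fault injection, analysis) and this slide's first weakness (logic bugs such as negative pricing/quantity). The target "web application" is an in-process Python function, so nothing is sent over a network, and the routes (`/`, `/search`, `/order`), the price table, the probe marker and the function names (`app`, `spider`, `inject`, `scan`, `order_total`, `order_total_fixed`) are all constructed for this illustration. The toy scanner runs the three phases and flags the parameter whose probe is echoed without output encoding; it has no way to judge that a negative order total is wrong, because the application answers that request with an ordinary 200 page. The hardened `order_total_fixed` shows the input-validation fix that a code review, not a scan, would call for.

```python
"""Toy dynamic scanner versus a pricing logic bug.

Constructed for this example: the "web application" is an in-process
function, so no network traffic is involved, and the routes, prices and
probe marker are all made up.
"""
import html
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# ---- constructed target application ------------------------------------
PRICES = {"widget": 25, "gadget": 40}


def order_total(item, qty):
    """Logic bug: quantity is never range-checked, so a negative quantity
    produces a negative total, i.e. a credit the business never intended."""
    return PRICES[item] * qty


def order_total_fixed(item, qty):
    """Hardened version: only a positive integer quantity is accepted."""
    if not isinstance(qty, int) or qty < 1:
        raise ValueError("quantity must be a positive integer")
    return PRICES[item] * qty


def app(url):
    """Return (status, body) for a URL, the way a tiny HTTP handler would."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    if parts.path == "/":
        return 200, ('<a href="/search?q=widget">search</a> '
                     '<a href="/order?item=widget&qty=1">order</a>')
    if parts.path == "/search":
        # Reflected without output encoding: the class of fault a scanner finds.
        return 200, "<p>Results for " + params.get("q", "") + "</p>"
    if parts.path == "/order":
        try:
            total = order_total(params["item"], int(params["qty"]))
        except (KeyError, ValueError):
            return 400, "<p>bad request</p>"
        return 200, "<p>Total: " + html.escape(str(total)) + "</p>"
    return 404, "<p>not found</p>"


# ---- constructed scanner: spider -> fault injection -> analysis ----------
MARKER = 'zq7"mk9x'  # benign probe; the quote tells encoded from raw reflection


def spider(start="/"):
    """Phase 1: follow every href from the start page and collect URLs."""
    seen, queue = [], [start]
    while queue:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.append(url)
        _, body = app(url)
        queue.extend(re.findall(r'href="([^"]+)"', body))
    return seen


def inject(url):
    """Phase 2: one probe request per parameter, value replaced by MARKER."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    for name in params:
        mutated = dict(params, **{name: MARKER})
        yield name, parts.path + "?" + urlencode(mutated)


def scan():
    """Phase 3: a finding is a (path, parameter) whose marker echoes raw."""
    findings = []
    for url in spider():
        for param, probe in inject(url):
            _, body = app(probe)
            if MARKER in body:  # html.escape() would have turned " into &quot;
                findings.append((urlsplit(probe).path, param))
    return findings


def negative_quantity_response():
    """What the scanner cannot judge: a negative quantity is served as a
    normal 200 page, so there is no signature or marker to trigger on."""
    return app("/order?item=widget&qty=-3")


def fixed_rejects(item, qty):
    """True when the hardened total function refuses the quantity."""
    try:
        order_total_fixed(item, qty)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("scanner findings:", scan())                      # [('/search', 'q')]
    print("negative qty:", negative_quantity_response())    # (200, '<p>Total: -75</p>')
    print("fixed rejects -3:", fixed_rejects("widget", -3))  # True
```

Running the script reports one finding, the `q` parameter of `/search`, and no finding for `/order`, even though `/order?item=widget&qty=-3` returns a 200 page with a total of -75. That gap is the point of the slide: fault injection detects how input is echoed, not whether the business rule behind a page is sound, so the negative-quantity case needs a human-written test or a review of `order_total` itself.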

Percent Vulnerabilities Identified




       Source: Suto, Larry. "Analyzing the Accuracy and Time Costs of Web Application Security Scanners." (2001)

Experience Needed

           Web application scanners are not like antivirus tools

           Most will require tuning and customization to get good results
                 Login and session management can often cause problems


           There WILL be false positives

           Tuning and interpretation of results requires application
           security knowledge

           Unlikely that canned reports can be handed off to average
           developers without some additional explanation

Where Scanning Makes Sense

           Application Scanning is a piece of the overall SDL

           Most standard web applications using HTTP/HTTPS

           Modern scanners provide decent JavaScript parsing

           Mostly platform/language independent

           As the first stage of a manual assessment



Where Scanning Doesn’t Make Sense

           Applications heavily reliant on client side code

           Non-HTTP applications
                 CORBA
                 RMI
                 Proprietary protocols


           Results could be limited for:
                 Web Services/SOAP APIs
                 Very AJAX intensive applications
                 Other client-side technologies
                       Flash
                       Silverlight
                 Completely static sites

Application Scanning and SDL

           Web application scanners are valuable as part of the Secure
           Development Lifecycle
           Variables include:
                 How frequently to scan
                       Dependent on several factors:
                              Application/Data sensitivity
                              Development Cycle
                              Business Criticality
                              Available Resources
                 Which environments to scan?
                       Production
                              Generally the most important code base to be secure
                              Requires the most care as outages are generally not well received
                       QA, Staging, Development
                              Good to catch vulnerabilities before they are rolled into production
                              Many development groups have their hands full fixing issues in production


Application Scanning and SDL

           Dynamic scanning has limitations
                 Won’t be able to find everything a code review could find


           Can provide findings relatively quickly and help focus on
           potentially insecure areas of an application


Supplementing Application Scanning

           Periodic manual testing for sensitive applications
                 Blackbox, Greybox, Whitebox
                 May be targeted to certain functionality


           Standard IT best practices
                 Separation of duties
                 Defense in depth


           Working in security during earlier development phases
                 Security requirements
                 Architecture review

           Developer security training/awareness

Questions & Answers / Contact Info



                         Q&A
 Type your questions into the chat box below the presentation panel


 Contact OpSource:
 Dave McKenzie – david@opsource.net
 Sales Inquiries – sales@opsource.net or 800-664-9973


 Recorded webinar and slides will be posted within 48 hours on the
 OpSource website.





More Related Content

What's hot

Smart Phones Dumb Apps
Smart Phones Dumb AppsSmart Phones Dumb Apps
Smart Phones Dumb Apps
Denim Group
 
The Magic of Symbiotic Security
The Magic of Symbiotic SecurityThe Magic of Symbiotic Security
The Magic of Symbiotic Security
Denim Group
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
Denim Group
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
Denim Group
 

What's hot (20)

Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for Applications
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDC
 
Ensure Software Security already during development
Ensure Software Security already during developmentEnsure Software Security already during development
Ensure Software Security already during development
 
Black Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open Source
 
Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!
 
Security as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development LifecycleSecurity as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development Lifecycle
 
HP WebInspect
HP WebInspectHP WebInspect
HP WebInspect
 
Smart Phones Dumb Apps
Smart Phones Dumb AppsSmart Phones Dumb Apps
Smart Phones Dumb Apps
 
BlackDuck Suite
BlackDuck SuiteBlackDuck Suite
BlackDuck Suite
 
The Magic of Symbiotic Security
The Magic of Symbiotic SecurityThe Magic of Symbiotic Security
The Magic of Symbiotic Security
 
Agile and Secure Development
Agile and Secure DevelopmentAgile and Secure Development
Agile and Secure Development
 
Palamida Open Source Compliance Solution
Palamida Open Source Compliance Solution Palamida Open Source Compliance Solution
Palamida Open Source Compliance Solution
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps Pipelines
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLBreaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile Applications
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Security
 
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
 
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeCrafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
 

Viewers also liked

Create Secure Site-to-Cloud VPN Connections
Create Secure Site-to-Cloud VPN ConnectionsCreate Secure Site-to-Cloud VPN Connections
Create Secure Site-to-Cloud VPN Connections
OpSource
 
Case Study: Aerohive
Case Study: AerohiveCase Study: Aerohive
Case Study: Aerohive
OpSource
 
Case study: Glassbeam
  Case study: Glassbeam  Case study: Glassbeam
Case study: Glassbeam
OpSource
 
Scalable & Cost Effective SaaS: Case Study: Accept Software
Scalable & Cost Effective SaaS: Case Study: Accept SoftwareScalable & Cost Effective SaaS: Case Study: Accept Software
Scalable & Cost Effective SaaS: Case Study: Accept Software
OpSource
 
159158 Mmsonesource
159158 Mmsonesource159158 Mmsonesource
159158 Mmsonesource
tbogan3
 
Public, Private and Hybrid: For Enterprise, It's All About the Cloud
Public, Private and Hybrid: For Enterprise, It's All About the CloudPublic, Private and Hybrid: For Enterprise, It's All About the Cloud
Public, Private and Hybrid: For Enterprise, It's All About the Cloud
OpSource
 
Leaders in the Cloud: Identifying Cloud Business Value for Customers
Leaders in the Cloud: Identifying Cloud Business Value for CustomersLeaders in the Cloud: Identifying Cloud Business Value for Customers
Leaders in the Cloud: Identifying Cloud Business Value for Customers
OpSource
 

Viewers also liked (8)

Create Secure Site-to-Cloud VPN Connections
Create Secure Site-to-Cloud VPN ConnectionsCreate Secure Site-to-Cloud VPN Connections
Create Secure Site-to-Cloud VPN Connections
 
Case Study: Aerohive
Case Study: AerohiveCase Study: Aerohive
Case Study: Aerohive
 
Case study: Glassbeam
  Case study: Glassbeam  Case study: Glassbeam
Case study: Glassbeam
 
Scalable & Cost Effective SaaS: Case Study: Accept Software
Scalable & Cost Effective SaaS: Case Study: Accept SoftwareScalable & Cost Effective SaaS: Case Study: Accept Software
Scalable & Cost Effective SaaS: Case Study: Accept Software
 
Customer Success: The Key To SaaS Company Profitability
Customer Success: The Key To SaaS Company ProfitabilityCustomer Success: The Key To SaaS Company Profitability
Customer Success: The Key To SaaS Company Profitability
 
159158 Mmsonesource
159158 Mmsonesource159158 Mmsonesource
159158 Mmsonesource
 
Public, Private and Hybrid: For Enterprise, It's All About the Cloud
Public, Private and Hybrid: For Enterprise, It's All About the CloudPublic, Private and Hybrid: For Enterprise, It's All About the Cloud
Public, Private and Hybrid: For Enterprise, It's All About the Cloud
 
Leaders in the Cloud: Identifying Cloud Business Value for Customers
Leaders in the Cloud: Identifying Cloud Business Value for CustomersLeaders in the Cloud: Identifying Cloud Business Value for Customers
Leaders in the Cloud: Identifying Cloud Business Value for Customers
 

Similar to Strategies for Web Application Security

Secure Application Development Training
Secure Application Development TrainingSecure Application Development Training
Secure Application Development Training
pivotalsecurity
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
Mike Spaulding
 

Similar to Strategies for Web Application Security (20)

Autos, Wi-Fi, and IoT
Autos, Wi-Fi, and IoTAutos, Wi-Fi, and IoT
Autos, Wi-Fi, and IoT
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycle
 
Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?
 
Deploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving InfrastructuresDeploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving Infrastructures
 
RVAsec Bill Weinberg Open Source Hygiene Presentation
RVAsec Bill Weinberg Open Source Hygiene PresentationRVAsec Bill Weinberg Open Source Hygiene Presentation
RVAsec Bill Weinberg Open Source Hygiene Presentation
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
 
Architect a Winning Mobile Application
Architect a Winning Mobile ApplicationArchitect a Winning Mobile Application
Architect a Winning Mobile Application
 
Secure Application Development Training
Secure Application Development TrainingSecure Application Development Training
Secure Application Development Training
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous delivery
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous delivery
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Program
 
Open source software: The infrastructure impact
Open source software: The infrastructure impactOpen source software: The infrastructure impact
Open source software: The infrastructure impact
 
Mobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseMobile security chess board - attacks & defense
Mobile security chess board - attacks & defense
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 

More from OpSource

Overview & Demo: OpSource Cloud
Overview & Demo: OpSource CloudOverview & Demo: OpSource Cloud
Overview & Demo: OpSource Cloud
OpSource
 
Challenges & Solutions for SaaS ISVs
Challenges & Solutions for SaaS ISVsChallenges & Solutions for SaaS ISVs
Challenges & Solutions for SaaS ISVs
OpSource
 
SAP Business Objects
SAP Business ObjectsSAP Business Objects
SAP Business Objects
OpSource
 
Saas business model_thinkstrategies
Saas business model_thinkstrategiesSaas business model_thinkstrategies
Saas business model_thinkstrategies
OpSource
 
Scaling SaaS on Oracle
Scaling SaaS on OracleScaling SaaS on Oracle
Scaling SaaS on Oracle
OpSource
 
Vendor Landscape: Cloud IaaS
Vendor Landscape: Cloud IaaSVendor Landscape: Cloud IaaS
Vendor Landscape: Cloud IaaS
OpSource
 
Cloud Disaster Recovery
Cloud Disaster Recovery Cloud Disaster Recovery
Cloud Disaster Recovery
OpSource
 
Astoria case study
Astoria case studyAstoria case study
Astoria case study
OpSource
 
The Build vs. Buy Decision for SaaS Delivery
The Build vs. Buy Decision for SaaS DeliveryThe Build vs. Buy Decision for SaaS Delivery
The Build vs. Buy Decision for SaaS Delivery
OpSource
 
Case Study: AlertBoot
Case Study: AlertBootCase Study: AlertBoot
Case Study: AlertBoot
OpSource
 
Moving apps to_the_cloud
Moving apps to_the_cloudMoving apps to_the_cloud
Moving apps to_the_cloud
OpSource
 
Case Study: Marketing Advocate
Case Study: Marketing AdvocateCase Study: Marketing Advocate
Case Study: Marketing Advocate
OpSource
 
Case Study: Thermo fisher
Case Study: Thermo fisherCase Study: Thermo fisher
Case Study: Thermo fisher
OpSource
 
Hot Cloud Companies: Tap in Systems
Hot Cloud Companies: Tap in SystemsHot Cloud Companies: Tap in Systems
Hot Cloud Companies: Tap in Systems
OpSource
 

More from OpSource (20)

Hot Cloud Companies: Tap In Systems - The Problem: Managing Cloud Complexities
Hot Cloud Companies: Tap In Systems - The Problem: Managing Cloud ComplexitiesHot Cloud Companies: Tap In Systems - The Problem: Managing Cloud Complexities
Hot Cloud Companies: Tap In Systems - The Problem: Managing Cloud Complexities
 
Overview & Demo: OpSource Cloud
Overview & Demo: OpSource CloudOverview & Demo: OpSource Cloud
Overview & Demo: OpSource Cloud
 
Demo: Easily Deploy Applications with Standing Cloud
Demo: Easily Deploy Applications with Standing CloudDemo: Easily Deploy Applications with Standing Cloud
Demo: Easily Deploy Applications with Standing Cloud
 
Challenges & Solutions for SaaS ISVs
Challenges & Solutions for SaaS ISVsChallenges & Solutions for SaaS ISVs
Challenges & Solutions for SaaS ISVs
 
SAP Business Objects
SAP Business ObjectsSAP Business Objects
SAP Business Objects
 
Saas business model_thinkstrategies
Saas business model_thinkstrategiesSaas business model_thinkstrategies
Saas business model_thinkstrategies
 
Scaling SaaS on Oracle
Scaling SaaS on OracleScaling SaaS on Oracle
Scaling SaaS on Oracle
 
Vendor Landscape: Cloud IaaS
Vendor Landscape: Cloud IaaSVendor Landscape: Cloud IaaS
Vendor Landscape: Cloud IaaS
 
Cloud Disaster Recovery
Cloud Disaster Recovery Cloud Disaster Recovery
Cloud Disaster Recovery
 
Case Study: ClearBenefits
Case Study: ClearBenefitsCase Study: ClearBenefits
Case Study: ClearBenefits
 
Case Study: ACCEPT
Case Study: ACCEPTCase Study: ACCEPT
Case Study: ACCEPT
 
Astoria case study
Astoria case studyAstoria case study
Astoria case study
 
The Build vs. Buy Decision for SaaS Delivery
The Build vs. Buy Decision for SaaS DeliveryThe Build vs. Buy Decision for SaaS Delivery
The Build vs. Buy Decision for SaaS Delivery
 
Case Study: MediServe
Case Study: MediServeCase Study: MediServe
Case Study: MediServe
 
Strategies for Web Application Security
Strategies for Web Application SecurityStrategies for Web Application Security
Strategies for Web Application Security
 
Case Study: AlertBoot
Case Study: AlertBootCase Study: AlertBoot
Case Study: AlertBoot
 
Moving apps to_the_cloud
Moving apps to_the_cloudMoving apps to_the_cloud
Moving apps to_the_cloud
 
Case Study: Marketing Advocate
Case Study: Marketing AdvocateCase Study: Marketing Advocate
Case Study: Marketing Advocate
 
Case Study: Thermo fisher
Case Study: Thermo fisherCase Study: Thermo fisher
Case Study: Thermo fisher
 
Hot Cloud Companies: Tap in Systems
Hot Cloud Companies: Tap in SystemsHot Cloud Companies: Tap in Systems
Hot Cloud Companies: Tap in Systems
 

Recently uploaded

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Recently uploaded (20)

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 

Strategies for Web Application Security

  • 1. The webinar will begin at 9am PT / Noon ET
    Webinar: Strategies for Web Application Security
    Featuring:
    – Andy Hoernecke, Sr. Application Security Consultant, Neohapsis
    – David McKenzie, Sr. Director Business Consulting, OpSource
    Turn up the speakers on your computer for streamed audio or dial in to:
    – U.S.: (888) 669-5051
    – International: (303) 330-0440 (Room: *8886695051#)
    © 2010 OpSource, Inc. All rights reserved.
  • 2. Agenda
    – Housekeeping
    – Intro to OpSource
    – Featured Presentation by Neohapsis
    – Q&A Session
  • 3. Welcome!
    – Moderating: Dave McKenzie, Sr. Director Business Consulting, OpSource
    – All phones are set on mute
    – If you have a question, please use the Chat Q&A box located below the presentation panel
    – We will collect questions throughout the webinar and answer as many as we can at the end
    – If we don't answer your question, we'll follow up with an answer via email
    – The full-screen button lets you toggle between a larger image view and the view with the Q&A box for typing in questions; you can use it throughout the webinar
  • 4. OpSource: Enterprise Cloud and Managed Hosting
    – OpSource provides Enterprise Cloud and Managed Hosting Services
    – Solutions for SaaS, Enterprise, Telecoms and Cloud Platforms
    – Investors: Crosslink Ventures, Velocity Interactive Group, Intel and NTT
    – Founded in 2002
    – Offices: Santa Clara, CA (HQ); Herndon, VA; Dublin, London, Bangalore
    – Unmatched Industry Experience
      – SaaS Hosting and Scaling Software-Oriented Architectures (SOA)
      – High Performance, Secure Cloud Computing
  • 5. OpSource Serves 600+ Clients with Millions of End-Users
    – SaaS & Managed Hosting
    – Hybrid Hosting
    – Cloud Hosting
  • 6. OpSource Partner Ecosystem
    – Telecom
    – Distribution
    – Consulting
    – Cloud Platform
    – Infrastructure
  • 7. Andy Hoernecke, Sr. Application Security Consultant, Neohapsis
    – Graduate of Iowa State University with a Master's degree in Information Assurance and Computer Engineering
    – Performs a variety of assessments including penetration tests, blackbox/whitebox assessment, SDLC review, and security tool implementation
    – Industries served include Federal/Local Government, Financial Services, Entertainment, Manufacturing, Retail, and Internet Service Providers
  • 8. Strategies for Web Application Security
    Andy Hoernecke, Sr. Application Security Consultant
    April 13th, 2011
  • 9. Agenda
    – Background
    – Tool Introduction
    – Web Application Scanning Strengths/Weaknesses
    – Where Scanning Makes Sense
    – SDL Integration
    – Supplemental Security Measures
    Neohapsis Confidential
  • 10. Background
    – ~96% of records breached involved "hacking" or malware
    – ~92% of records stolen through "hacking" involved a web application
    – Most commonly exploited web application vulnerabilities include:
      – SQL Injection
      – Brute Force Attacks
      – OS Commanding
      – Default/Guessable Credentials
      – Cross-Site Scripting
    Source: 2010 Data Breach Investigations Report, Verizon Business Risk Team
  • 11. Tool Introduction: Dynamic Analysis
    – Tests running web applications by making requests as a normal user would
    – Examples: IBM AppScan, HP WebInspect, WhiteHat
    – Scanning phases generally include:
      – Spidering
      – Fault Injection
      – Analysis
  • 12. Tool Introduction: Static Analysis
    – Tests through the analysis of source or object code
    – Examples: Fortify, Veracode
    – Capabilities vary greatly:
      – May require compilable code
      – May only handle certain languages
    – Not currently as widely adopted
  • 13. Dynamic Analysis Strengths
    – Performing tedious tests (fuzzing)
      – XSS
      – File path manipulation
      – SSL issues
    – Signature-based tests
      – Known vulnerabilities in common applications
    – Sensitive information checks
      – Default files/scripts
      – Certain types of information disclosure (internal IP addresses)
    – Configuration issues
    – Parameter-based fault injection
  • 14. Dynamic Analysis Weaknesses
    – Logic bugs (example: negative pricing/quantity)
    – Authentication issues (SSO related)
    – Authorization problems
      – User role enforcement
      – Forced browsing
    – Vulnerabilities that are part of complex/multi-step processes
    – Identifying discrete pages in "rewritten URLs"
    – Results can vary greatly based on configuration and the scanner in use
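The three scanning phases of slide 11 (spidering, fault injection, analysis) and the strength/weakness split of slides 13 and 14, as an added worked example that is not code from the deck or from any of the scanners it names: a toy dynamic scanner in Python run against an in-memory application. The target `toy_app`, its routes, the payload list and the error-signature regex are all assumptions constructed for the example; the scanner calls the application function directly instead of sending HTTP, so it runs offline. The signature-based phase finds the reflected XSS and the SQL error leak, and never flags the order route, which accepts a negative quantity and answers with an ordinary 200 page. That is the logic-bug blind spot slide 14 describes.

```python
"""Toy dynamic web application scanner: spider, fault injection, analysis.

Added example. The target below is an in-memory stand-in for a web app
(an assumption for the example, not a real site); the scanner calls it
directly instead of sending HTTP requests, so it runs offline."""
import re
from html import escape
from urllib.parse import urlparse, parse_qs


def toy_app(path, params):
    """Return (status, body) for a request to the constructed target app.

    Deliberately contains: a reflected XSS in /search, a SQL error leak in
    /item, and a negative-quantity logic bug in /order that answers with an
    ordinary-looking 200 page (no error signature for a scanner to match)."""
    if path == "/":
        return 200, ('<a href="/search?q=shoes">Search</a> '
                     '<a href="/item?id=1">Item</a> '
                     '<a href="/order?qty=1">Order</a>')
    if path == "/search":
        return 200, "<h1>Results for %s</h1>" % params.get("q", "")  # unescaped
    if path == "/item":
        item_id = params.get("id", "")
        if not item_id.isdigit():  # string concatenated into SQL, error echoed back
            return 500, "You have an error in your SQL syntax near '%s'" % escape(item_id)
        return 200, "<p>Item %s</p>" % item_id
    if path == "/order":
        qty = params.get("qty", "1")
        qty = int(qty) if re.fullmatch(r"-?\d+", qty) else 1  # accepts negatives
        return 200, "<p>Total: %d</p>" % (qty * 10)  # qty=-1 gives a credit
    return 404, "not found"


PAYLOADS = ["<script>alert(1)</script>", "'", "-1"]
SQL_ERROR = re.compile(r"SQL syntax|ORA-\d{5}|syntax error at or near", re.I)


def spider(app, start="/"):
    """Phase 1: follow every href from the start page; collect parameterised URLs."""
    seen, queue, targets = set(), [start], []
    while queue:
        url = queue.pop()
        if url in seen:
            continue
        seen.add(url)
        parsed = urlparse(url)
        params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
        _status, body = app(parsed.path, params)
        if params:
            targets.append((parsed.path, params))
        queue.extend(re.findall(r'href="([^"]+)"', body))
    return targets


def fault_inject(app, targets):
    """Phases 2 and 3: swap each parameter for each payload, then analyse the
    response for a signature (reflected payload, database error text)."""
    findings = set()
    for path, params in targets:
        for name in params:
            for payload in PAYLOADS:
                _status, body = app(path, dict(params, **{name: payload}))
                if payload.startswith("<") and payload in body:
                    findings.add(("reflected_xss", path, name))
                elif SQL_ERROR.search(body):
                    findings.add(("sql_error", path, name))
    return sorted(findings)


def scan(app):
    """Run all three phases and return sorted (type, path, parameter) findings."""
    return fault_inject(app, spider(app))


if __name__ == "__main__":
    for finding in scan(toy_app):
        print(finding)
    # The logic bug: a valid-looking response, nothing for a signature to match.
    print(toy_app("/order", {"qty": "-1"}))
```

`scan(toy_app)` returns only the two signature-based findings. The `-1` payload does reach `/order` and does produce a negative total, but the scanner has no rule that recognises "Total: -10" as wrong, which is why the deck pairs scanning with the manual testing of slide 21.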
  • 15. Percent Vulnerabilities Identified
    [Chart: percentage of vulnerabilities identified, per scanner]
    Source: Suto, Larry. "Analyzing the Accuracy and Time Costs of Web Application Security Scanners." (2010)
  • 16. Experience Needed
    – Web application scanners are not like antivirus tools
    – Most will require tuning and customization to get good results
    – Login and session management can often cause problems
    – There WILL be false positives
    – Tuning and interpretation of results requires application security knowledge
    – Unlikely that canned reports can be handed off to average developers without some additional explanation
  • 17. Where Scanning Makes Sense
    – Application scanning is a piece of the overall SDL
    – Most standard web applications using HTTP/HTTPS
      – Modern scanners provide decent JavaScript parsing
      – Mostly platform/language independent
    – As the first stage of a manual assessment
  • 18. Where Scanning Doesn't Make Sense
    – Applications heavily reliant on client-side code
    – Non-HTTP applications
      – CORBA
      – RMI
      – Proprietary protocols
    – Results could be limited for:
      – Web Services/SOAP APIs
      – Very AJAX-intensive applications
      – Other client-side technologies (Flash, Silverlight)
      – Completely static sites
  • 19. Application Scanning and SDL
    – Web application scanners are valuable as part of the Secure Development Lifecycle
    – Variables include:
      – How frequently to scan; dependent on several factors:
        – Application/data sensitivity
        – Development cycle
        – Business criticality
        – Available resources
      – Which environments to scan?
        – Production: generally the most important code base to be secure; requires the most care as outages are generally not well received
        – QA, Staging, Development: good to catch vulnerabilities before they are rolled into production; many development groups have their hands full fixing issues in production
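A triage step for three problems the deck raises on slides 14, 16 and 19 (rewritten URLs turning one finding into many copies, false positives that must be tuned out before a report goes to developers, and deciding what should block a non-production build), as an added example in Python that is not code from the deck or from any scanner it names. The findings list, the baseline of triaged false positives, the host `staging.example.test`, the `{id}` placeholder convention and the three-level severity scale are all constructed assumptions; real scanners emit their own report formats, so in practice the first step is parsing that format into the shape used here.

```python
"""Triage of dynamic-scanner findings before they reach developers or gate a
build: collapse rewritten URLs into one logical page, drop findings already
triaged as false positives, and fail only on new findings at or above a
severity threshold. Added example on a constructed report; the format and
hostnames are assumptions, not the output of any particular scanner."""
import re
from collections import defaultdict

SEVERITY = {"low": 1, "medium": 2, "high": 3}  # assumed scale for the example

# Constructed findings, as a scanner might emit them after a scan of staging.
RAW_FINDINGS = [
    {"type": "reflected_xss", "url": "https://staging.example.test/product/1041/review",
     "param": "comment", "severity": "high"},
    {"type": "reflected_xss", "url": "https://staging.example.test/product/2093/review",
     "param": "comment", "severity": "high"},
    {"type": "reflected_xss", "url": "https://staging.example.test/product/3310/review",
     "param": "comment", "severity": "high"},
    {"type": "internal_ip_disclosure", "url": "https://staging.example.test/status",
     "param": None, "severity": "low"},
    {"type": "sql_error", "url": "https://staging.example.test/search",
     "param": "q", "severity": "high"},
    {"type": "autocomplete_enabled", "url": "https://staging.example.test/login",
     "param": "username", "severity": "low"},
]

# Findings a human has already reviewed; keys use the normalised path so the
# decision survives the next scan hitting different record ids.
TRIAGED_FALSE_POSITIVES = {
    ("sql_error", "/search", "q"),  # verified: generic error page, no database involved
}


def normalize_path(url):
    """Collapse rewritten-URL variants: /product/1041/review -> /product/{id}/review."""
    path = re.sub(r"^https?://[^/]+", "", url)          # drop scheme and host
    path = re.sub(r"/\d+(?=/|$)", "/{id}", path)         # numeric ids in the path
    path = re.sub(r"/[0-9a-f]{32}(?=/|$)", "/{hash}", path)  # 32-hex tokens
    return path


def triage(findings, baseline):
    """Dedupe by (type, normalised path, parameter); keep the instance count so the
    report still shows how widespread one logical finding is."""
    grouped = defaultdict(list)
    for finding in findings:
        key = (finding["type"], normalize_path(finding["url"]), finding["param"])
        grouped[key].append(finding)
    return [
        {"type": key[0], "path": key[1], "param": key[2],
         "severity": group[0]["severity"], "instances": len(group),
         "known_false_positive": key in baseline}
        for key, group in grouped.items()
    ]


def build_gate(triaged, threshold="high"):
    """Return (passes, blocking). A CI job exits non-zero when passes is False,
    so only new findings at or above the threshold stop a staging deploy."""
    blocking = [item for item in triaged
                if not item["known_false_positive"]
                and SEVERITY[item["severity"]] >= SEVERITY[threshold]]
    return (not blocking), blocking


if __name__ == "__main__":
    report = triage(RAW_FINDINGS, TRIAGED_FALSE_POSITIVES)
    passes, blocking = build_gate(report)
    for item in report:
        print(item)
    print("gate passes:", passes, "blocking:", [b["type"] for b in blocking])
```

The six raw findings collapse to four logical ones; the three reflected XSS entries become a single `/product/{id}/review` finding with `instances` of 3, the triaged `sql_error` is carried but marked as a known false positive, and only the XSS blocks the gate. Lowering `threshold` to `"medium"` or `"low"` is how the same code serves the stricter cadence slide 19 suggests for sensitive or business-critical applications.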
  • 20. Application Scanning and SDL
    – Dynamic scanning has limitations; it won't be able to find everything a code review could find
    – It can provide findings relatively quickly and help focus on potentially insecure areas of an application
  • 21. Supplementing Application Scanning
    – Periodic manual testing for sensitive applications
      – Blackbox, greybox, whitebox
      – May be targeted to certain functionality
    – Standard IT best practices
      – Separation of duties
      – Defense in depth
    – Working in security during earlier development phases
      – Security requirements
      – Architecture review
      – Developer security training/awareness
  • 22. Questions & Answers / Contact Info
    – Q&A: type your questions into the chat box below the presentation panel
    – Contact OpSource: Dave McKenzie – david@opsource.net
    – Sales inquiries – sales@opsource.net or 800-664-9973
    – Recorded webinar and slides will be posted within 48 hours on the OpSource website.