Challenge Web Application Today!!! Promote CSSLP Certification. Introduce OWASP 2010 Top 10 Risks? Practice with Web Goat? For Education only.

1. Certified Secure Software Lifecycle Professional
(CSSLP)
Master Degree in Management Information Systems (MSMIS)
Faculty of Commerce and Accountancy, Thammasat University
05-April-2010
Surachai Chatchalermpun

2. Speaker Profile
, CSSLP, ECSA , LPT
2

3. Agenda
Challenges Today…
What is CSSLP?
What is OWASP?
What is WebGoat?
WebGoat Lesson!

4. Challenges Today…
• Over 70% of breaches of security vulnerabilities exist at
the application level. (Gartner Group, 2005)
• Software is often not developed with security in mind
• Attack targeted, financially motivated attacks continue
to rise
• Attacks are moving up the application stack
• New technology waves keep on coming -- there are still
numerous emerging threat vectors which require
increased spending in certain security sub-segments.
Source: Global Information Security & IT Security Personnel Development in USA –
trend and hurdles, Prof. Howard A. Schmidt

5. Source: Issue number 9 Info Security Professional Magazine

6. W. Hord Tipton, CISSP-
ISSEP, CAP, CISA
(ISC)² Executive Director

7. What is the CSSLP?
• Certified Secure Software Lifecycle Professional (CSSLP)
• Base credential
• Professional certification program
• Takes a holistic approach to security in the software
lifecycle
• Tests candidates competency (KSAs) to significantly
mitigate the security concerns

8. • Global leaders in certifying and educating information security
professionals with the CISSP® and related concentrations,
CAP® and SSCP®.
• Established in 1989 – not-for-profit consortium of industry
leaders.
• More than 60,000 certified professionals in over 135 countries.
• Board of Directors - top information security professionals
worldwide.
• All of our information security credentials are accredited
ANSI/ISO/IEC Standard 17024 and were the first technology-
related credentials to receive this accreditation.

9. Over 70% of breaches of security vulnerabilities exist
at the application level.*
* Gartner Group, 2005

10. Purpose
• Provide a credential that speaks to the individual’s
understanding of and ability to deliver secure
software through the use of best practices.
• The target professionals for this Certification would
be anyone who is directly and in some cases
indirectly, involved in the Software Lifecycle.

11. Software Lifecycle Stakeholder Chart
Top Management
Auditors
Business Unit Heads
Client Side PM
IT Manager
Industry Group
Delivery Heads Security Specialists
Software
Lifecycle
Business Stakeholders Application Owners
Analysts
Developers/
Quality Coders
Assurance Influencers
Managers Primary Target
Project Managers/
Technical Secondary Target
Architects Team Leads

12. Market Drivers
• Security is everyone’s responsibility
• Software vulnerabilities have emerged
as a major concern
• Off shoring of software development
• Software is often not developed with
security in mind
• Desire to meet growing industry needs

13. Certified Secure Software
Lifecycle Professional
(ISC)² CSSLP CBK 7 Domains:
• Secure Software Concepts
• Secure Software Requirements
• Secure Software Design
• Secure Software Implementation/Coding
• Secure Software Testing
• Software Acceptance
• Software Deployment, Operations, Maintenance,
and Disposal

14. CSSLP Certification Requirements
By Experience Assessment:
• Experience Assessment will be open until March 31, 2009
• Candidate will be required to submit:
– Experience Assessment Application
– Signed candidate agreement and adherence to (ISC)² Code of
Ethics
– Detailed resume of experience
– Four essay responses (Between 250-500 words) detailing
experience in four of the following knowledge areas
• Applying Security concepts to Software Development
• Software Design
• Software Implementation/Coding
• Software Testing
• Software Acceptance
• Software Deployment, Operations, Maintenance, and Disposal
– Fee of $650

15. CSSLP Certification Requirements
By Examination:
• The first public exam will be held at the end of June 2009
• Candidate will be required to submit:
– Completed examination registration form
– Signed candidate agreement and adherence to the (ISC)² Code of
ethics
– Proof of 4 years of FTE experience in the Software Development
Lifecycle (SDLC) Process or 3 years plus 1 year waiver of
experience for degree in an IT related field
– Fee of $549 early-bird and $599 standard
• Candidate will be required to
– Pass the official (ISC)² CSSLP certification examination
– Complete the endorsement process
• The Associate of (ISC)² Program will apply to those who have
passed the exam but still need to acquire the necessary
minimum experience requirements

16. CSSLP CBK Overlap between
other Certifications/Programs
GSSP-C GSSP-J
(SANS) (SANS)
Software Coder Software Coder
Certification Program Certification Program
CSSE CSSLP
(ISSECO)
Entry-level
Education (ISC)²
Professional Certification Software
Program
Certificate of Program Assurance
Completion Initiative
(DHS)
Awareness Effort
CSDA CSDP
Vendor-
Specific
Credentials (IEEE) (IEEE)
Associate Level Professional
Status
Certification Program

17. Future of CSSLP
• International Marketing Efforts
• ANSI/ISO/IEC17024 accreditation
• Maintenance activities
• Cert Education Program

18. Hear what Anthony Lim, from IBM,
has to say about CSSLP

19. CSSLP Certification
My CSSLP Certification

20. Why is Web Application Security Important?
• Easiest way to compromise hosts, networks and users.
• Widely deployed.
• No Logs! (POST Request payload)
• Incredibly hard to defend against or detect.
• Most don’t think of locking down web applications.
• Intrusion detection is a joke.
• Firewall? What firewall? I don’t see no firewall…
• SSL Encrypted transport layer does nothing.
Source: White Hat Security

21. Web Application Hacking
Outer
DMZ Zone
Inner
Server farm Zone
Source: White Hat Security

22. Your “Code” is Part of Your Security Perimeter
APPLICATION Your security “perimeter” has huge
ATTACK
Application Layer
holes at the “Application layer”
Legacy Systems
Web Services
Human Resource
Directories
Databases
Custom Developed
Billing
Application Code
App Server
Network Layer
Web Server
Hardened OS
Inner Firewall
Outer Firewall
You can’t use network layer protection (Firewall, SSL, IDS, hardening)
to stop or detect application layer attacks
Source: White Hat Security

23. The Web Application Security Risk
• Web Applications are vulnerable:
– exposing its own vulnerabilities.
– Change frequently, requiring constant tuning of application
security.
– Complex and feature rich with the advent of AJAX, Web
Services and Web 2.0. (and Social Network)
• Web Applications are threatened:
– New business models drive “for profit” hacking.
– Performed by Black hat professionals enabling complex
attacks.
• Potential impact may be severe:
– Web applications are used for sensitive information and
important transactions.
Source: White Hat Security

24. Threat is Difficult to Assess
• Web Attacks are Stealth:
– Victims hide breaches.
– Incidents are not
detected.
• Statistics are Skewed:
– Number of incident
reported is statistically
insignificant.
Source: Breach Security

25. Source: Web Hacking Incidents Database

26. Source: Web Hacking Incidents Database

27. Available Sources Attacks
• Zone-H (The Hacker Community)
– http://www.zone-h.org
– The most comprehensive attack repository, very
important for public awareness.
– Reported by hackers and focus on defacements.
• WASC Statistics Project
– http://www.webappsec.org
• OWASP top 10
– http://www.owasp.org

28. Hacking Incidents (Defacement)

29. Hacking Incidents (Defacement)

30. Hacking Incidents (Defacement)

31. Key Principle
3 Pillars of ICT 3 Pillars of Security
Disclosure
People Confidentiality
PPT CIA
Process Technology Integrity Availability
(Tool) Alteration Disruption
31

32. Root Causes of Application Insecurity : PPT
Missing or • People and Organization
Inadequate Examples
Tools, Libraries,
or – Lack of Application Security training
Missing or
Inadequate Infrastructure – Roles & Responsibilities not clear
Processes – No budget allocated
• Process Examples
– Underestimated risks
– Missed requirements
Untrained – Inadequate testing and reviews
People and
Organizational – Lack of metrics
Structure Issues – Lack of implementing Best Practices or
Standards
Knowledge Mgmt
Communication
Administration
Bus. Functions
Transactions
E-Commerce
– No detection of attacks
Accounts
Finance
• Technology Examples
Custom Code – Lack of appropriate tools
– Lack of common infrastructure
– Configuration errors
Source: OWASP

33. People / Processes / Technology
Training
Awareness
Guidelines
Automated
Testing Secure
Development
Application Secure Code
Firewalls Review
Secure Security Testing
Configuration
33

34. SDLC & OWASP Guidelines
Source: OWASP
34

35. Source: OWASP

36. Source: OWASP

37. Source: OWASP

38. Source: Microsoft

39. CSSLP Certification
What is OWASP?
The Open Web Application Security Project (OWASP) is:
A not-for-profit worldwide charitable organization focused on
improving the security of application software.
Our mission is to make application security visible, so that
people and organizations can make informed decisions about true
application security risks.
Everyone is free to participate in OWASP and all of our
materials are available under a free and open software license.
Source: http://www.owasp.org

40. OWASP Foundation has over 130 Local Chapters

41. 41

46. CSSLP is WebGoat?
What Certification
WebGoat is a deliberately insecure J2EE web
application maintained by OWASP TOP 10 designed to
teach web application security lessons.
In each lesson, users must demonstrate their
understanding of a security issue by exploiting a real
vulnerability in the WebGoat application.

47. CSSLP is WebGoat?
What Certification

48. CSSLP Certification
WebGoat Installation
Windows - (Download, Extract, Double Click Release)
1. To start Tomcat, browse to the WebGoat directory unzipped above
and double click "webgoat.bat“
2. start your browser and browse to... (Notice the capital 'W' and 'G')
http://localhost/WebGoat/attack
3. login in as: user = guest, password = guest
4. To stop WebGoat, simply close the window you launched it from.

49. tion
WebGoat Lesson 1

50. tion
WebGoat Lesson 2

51. tion
WebGoat Lesson 3

52. tion
Solution: WebGoat Lesson 3

53. tion
Solution: WebGoat Lesson 3
True OR ? = True

54. tion
WebGoat Lesson 4

55. tion
Solution: WebGoat Lesson 4

56. tion
WebGoat Lesson 5

57. tion
Solution: WebGoat Lesson 5
Use Tamper data (Firefox Plug-in)for edit variable value:
AccessControlMatrix.help" | net user"

58. Question & Answer
Thank You
Surachai Chatchalermpun
surachai.c@pttict.com