1. IBM Security Systems
OWASP Top Ten 2013 Update
Diana Kelley
Application Security Strategist
Presented: February 2014
© 2013 IBM Corporation
2. IBM Security Systems
Agenda
X-Force Latest Findings
OWASP and Top Ten Defined
OWASP Top Ten Web – 2013 Update
• Changes
• Impacts
OWASP Top Ten Mobile
Making the Most of the OWASP Top Tens
How IBM Security AppScan can Help
• Web
• Mobile
© 2014 IBM Corporation
7. IBM Security Systems
OWASP Defined
OWASP – Open Web Application Security Project
Our mission is to make software security visible, so that individuals and organizations
worldwide can make informed decisions about true software security risks.
Facts
Came online December 1, 2001
Established as a Not-for-Profit April 21, 2004
International organization, over 36,000 global participants
Free to participate
All materials are available under a free and open software license
Vendor neutral
Does not endorse or recommend commercial products or services
8. IBM Security Systems
OWASP Projects
OWASP runs three types of projects
Incubator – experimental projects, ideas are being proven
• Code
• Tools
• Documentation
Labs - have produced a deliverable of value
• Tools
• Documentation
Flagship - superior maturity, established quality, and strategic value
• Code
• Tools
• Documentation
Top 10 is a Flagship, Documentation Project at OWASP
9. IBM Security Systems
Who Uses the OWASP Top Ten?
Standards and Practices
U.S. Federal Trade Commission recommends that companies use the OWASP Top Ten
to help prioritize efforts when addressing software risks
http://www.business.ftc.gov/documents/bus58-security-check-reducing-risks-your-computer-systems
PCI DSS 3.0 Requirement 6.5 - for industry best practices and common coding vulnerabilities
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
End User Companies Including
A.G. Edwards, CitiBank, IBM Global Services, Price Waterhouse Coopers, Samsung,
The Hartford
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=How_Are_Companies-ProjectsVendors_Using_the_OWASP_Top_10
Application Security Testing Vendors
Ex: for compliance reporting in testing tools (spoiler alert: IBM!)
11. IBM Security Systems
How the Ranking is Done
The OWASP Top 10 focuses on identifying the most serious risks for a
broad array of organizations. OWASP provides generic information about
likelihood and technical impact using this ratings scheme, which is based
on the OWASP Risk Rating Methodology.*
Based on 8 datasets from 7 firms that specialize in application security,
including 4 consulting companies and 3 tool/SaaS vendors
*Image Source and Text: https://www.owasp.org/index.php/Top_10_2013-Risk
12. IBM Security Systems
Comparison of 2010 and 2013 OWASP Top 10 Lists

Rank | 2010 | 2013 | What Changed
A1 | Injection | Injection | N/A
A2 | Cross-Site Scripting (XSS) | Broken Authentication and Session Management | Was 2010-A3
A3 | Broken Authentication and Session Management | Cross-Site Scripting (XSS) | Was 2010-A2
A4 | Insecure Direct Object References | Insecure Direct Object References | N/A
A5 | Cross-Site Request Forgery (CSRF) | Security Misconfiguration | Was 2010-A6
A6 | Security Misconfiguration | Sensitive Data Exposure | Merges 2010-A7 and 2010-A9
A7 | Insecure Cryptographic Storage | Missing Function Level Access Control | Expanded from 2010-A8
A8 | Failure to Restrict URL Access | Cross-Site Request Forgery (CSRF) | Was 2010-A5
A9 | Insufficient Transport Layer Protection | Using Known Vulnerable Components | Expansion from 2010-A6
A10 | Unvalidated Redirects and Forwards | Unvalidated Redirects and Forwards | N/A
13. IBM Security Systems
Other Changes of Note
Sensitive Data Exposure
Covers data in use (in browser), in transit and at rest
Combined into a single vulnerability to encompass the data protection lifecycle in an application environment
Assess the entire cycle for data exposure
Classify data to understand what’s sensitive
Scope data protection to that data
• Ex: passwords, EHR, PII
Don’t Forget!
For transport protection, SSL and TLS should be defined in requirements
Techniques like preventing auto-complete and disabling caching can help protect data in use in the browser
14. IBM Security Systems
How Apps are Developed is changing – and so are the Attacks
Missing Function Level Access Control
Functions can be accessed in ways not limited to the URL – e.g. the UI may show links or buttons that require login privileges
Or the UI hides them, but the access is still available through the server if the attacker can craft the correct request to the server. Expanding this vulnerability highlights the importance of doing thorough testing on all methods of access
Don’t Forget!
Test all methods of access
Augment tools with manual pen testing for better coverage
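The hidden-link case above, as an added example that is not part of the original deck: a toy dispatcher (routes, roles and the policy table are constructed) hides admin links from the menu but, in its vulnerable form, still runs the function for any crafted request; the fixed form checks the caller's role on every request and HTTP method, and a final check applies the "test all methods of access" advice by calling every function as every role.

```python
# Added example, not code from the slide deck: a minimal request dispatcher
# showing why hiding a link in the UI is not an access control, plus a check
# that exercises every function through every access path as every role.
# Route names, roles and the policy table are constructed for illustration.
ROLE_RANK = {"anonymous": 0, "user": 1, "admin": 2}

# Function-level policy: minimum role required for each server function.
# One table, consulted for every access method (GET, POST, API call).
REQUIRED_ROLE = {
    "/account/view": "user",
    "/admin/users": "admin",
    "/admin/delete_user": "admin",
}

def render_menu(role):
    """UI layer: lists only the links the caller may use. This is presentation,
    not enforcement; a crafted request can skip the menu entirely."""
    return [p for p, need in REQUIRED_ROLE.items()
            if ROLE_RANK[role] >= ROLE_RANK[need]]

def dispatch_vulnerable(method, path, role):
    """'Before': assumes hidden links are unreachable and never re-checks,
    so the function runs for whoever sends the request."""
    return f"200 {path}"

def dispatch_fixed(method, path, role):
    """'After': enforces the role requirement on every request, whatever the
    HTTP method, before the function runs. Unknown paths are denied.
    `role` is the caller's role as established server-side from the session."""
    need = REQUIRED_ROLE.get(path)
    if need is None:
        return "404 not found"
    if ROLE_RANK.get(role, 0) < ROLE_RANK[need]:
        return "403 forbidden"
    return f"200 {path}"

def find_exposed_functions(dispatch):
    """The 'test all methods of access' advice as a check: call every function
    via GET and POST as every role and report any success the policy forbids."""
    exposed = []
    for path, need in REQUIRED_ROLE.items():
        for role in ROLE_RANK:
            for method in ("GET", "POST"):
                allowed = ROLE_RANK[role] >= ROLE_RANK[need]
                if dispatch(method, path, role).startswith("200") and not allowed:
                    exposed.append((method, path, role))
    return exposed
```

Running `find_exposed_functions` against both dispatchers shows the vulnerable one serving every admin function to any role, while the fixed one reports nothing.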
Using Known Vulnerable Components
Previously part of “Security Misconfigurations”
Component based development is on the rise
Requires closer attention to security and testing of those components and open source modules
Don’t Forget!
Forbidding use of external components may slow down development
Consider an approved component library
Re-test components, frameworks and plug-ins when new revs are released before approving them for use
Create guidance with recommended usage and configurations to prevent unintentional mis-use
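One way to put the approved component library into practice, as an added example that is neither the deck's nor AppScan's code: a dependency manifest is checked against the library, known components at a revision that has not yet been re-tested are flagged for re-test, unknown components are flagged as unapproved, and a build gate passes only when everything is approved. Component names, versions and the manifest text are constructed.

```python
# Added example, not the deck's code: checking a dependency manifest against
# an approved component library, as the slide recommends. Component names,
# versions and the manifest text are constructed for illustration.

# Approved library: component -> revisions that have been re-tested and
# approved for use. A new revision is not approved until it is re-tested.
APPROVED = {
    "example-web-framework": {"2.3.1", "2.3.2"},
    "example-json-parser": {"1.8.0"},
}

# Constructed manifest, one 'name==version' entry per line.
MANIFEST = """\
example-web-framework==2.3.2
example-json-parser==1.9.0   # upgraded last sprint, not yet re-tested
example-image-lib==0.4.0     # never submitted for approval
"""

def parse_manifest(text):
    """Return [(name, version)] from 'name==version' lines; blank lines and
    '#' comments are ignored, a malformed line raises ValueError."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not name.strip() or not version.strip():
            raise ValueError(f"malformed manifest line: {raw!r}")
        deps.append((name.strip(), version.strip()))
    return deps

def review_components(deps, approved=APPROVED):
    """Sort dependencies into 'approved', 'retest' (known component, revision
    not yet approved) and 'unapproved' (component not in the library)."""
    report = {"approved": [], "retest": [], "unapproved": []}
    for name, version in deps:
        if name not in approved:
            report["unapproved"].append((name, version))
        elif version in approved[name]:
            report["approved"].append((name, version))
        else:
            report["retest"].append((name, version))
    return report

def gate_build(deps, approved=APPROVED):
    """Build gate: passes only when every component is an approved revision."""
    report = review_components(deps, approved)
    return not report["retest"] and not report["unapproved"]
```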
16. IBM Security Systems
OWASP Top 10 Mobile, Release Candidate v1.0
Image Source: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks
17. IBM Security Systems
Example: M4 Client Side Injection
Checking the code is a fast and accurate way to see if the application is
handling data correctly. Code analysis tools can help a security
analyst find the use of interpreters and trace the data flow through
the application. Manual penetration testers can confirm these issues by
crafting exploits that confirm the vulnerability.*
*Image Source and Text: https://www.owasp.org/index.php/Mobile_Top_10_2012-M4
19. IBM Security Systems
OWASP is a Great Starting Point
But it’s not the final destination!
Software security testing is part of a broader application security program
(Diagram: application security maturity levels, from Basic to Optimized)
Basic
• Static analysis
• Dynamic analysis
• Glass box scanning
Proficient
• Secure app engineering processes
• Fraud detection
Optimized
• Security Intelligence: information and event management, advanced correlation and deep analytics, external threat research
20. IBM Security Systems
What Works for You
“Leverage your organization’s existing strengths to do and measure what
works for you”*
In Practice Examples
Companies that outsource development
• Use the OWASP Top Ten to evaluate code before acceptance/deployment
Companies that develop and test in-house
• Use OWASP for training developers
• Or as one of the baselines during security testing
Education for Executives
• To help them understand the risks and problems associated with insecure/untested software
*https://www.owasp.org/index.php/Top_10_2013
21. IBM Security Systems
Create Your Own Top Ten Ranking the OWASP Way
Start with the standard risk model: Risk = Likelihood × Impact
Customize for application security and your organizational needs
Step 1: Identifying a Risk
Step 2: Factors for Estimating Likelihood
Step 3: Factors for Estimating Impact
Step 4: Determining Severity of the Risk
Step 5: Deciding What to Fix
Step 6: Customizing Your Risk Rating Model
Learn More:
https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology#The_OWASP_Risk_Rating_Methodology
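Steps 2 to 4 worked through in code, as an added example that is not part of the original deck: the factor names, the 0-9 scale, the LOW/MEDIUM/HIGH bands and the severity matrix are those of the OWASP Risk Rating Methodology, the sample finding's scores are constructed, and the optional `weights` argument stands in for the Step 6 customization.

```python
# Added example, not from the slide deck: the OWASP Risk Rating Methodology's
# severity calculation (Steps 2-4) on a constructed finding, with a weighting
# hook for Step 6. Factor names, scale and matrix follow the methodology.
# Step 2: likelihood factors (threat agent and vulnerability), each 0-9.
LIKELIHOOD_FACTORS = ("skill_level", "motive", "opportunity", "size",
                      "ease_of_discovery", "ease_of_exploit", "awareness",
                      "intrusion_detection")
# Step 3: impact factors (technical and business), each 0-9.
IMPACT_FACTORS = ("loss_of_confidentiality", "loss_of_integrity",
                  "loss_of_availability", "loss_of_accountability",
                  "financial_damage", "reputation_damage",
                  "non_compliance", "privacy_violation")

# Step 4: overall severity from the (likelihood, impact) level pair.
SEVERITY = {
    ("LOW", "LOW"): "Note", ("LOW", "MEDIUM"): "Low", ("LOW", "HIGH"): "Medium",
    ("MEDIUM", "LOW"): "Low", ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("HIGH", "LOW"): "Medium", ("HIGH", "MEDIUM"): "High", ("HIGH", "HIGH"): "Critical",
}

def average(scores, factors, weights=None):
    """Weighted mean of the listed factors (weight 1 unless overridden).
    Every factor must be present and scored 0-9."""
    weights = weights or {}
    total = wsum = 0.0
    for f in factors:
        v = scores[f]
        if not 0 <= v <= 9:
            raise ValueError(f"{f} must be 0-9, got {v}")
        total += weights.get(f, 1.0) * v
        wsum += weights.get(f, 1.0)
    return total / wsum

def level(score):
    """Map a 0-9 average to the methodology's LOW / MEDIUM / HIGH bands."""
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

def rate(scores, weights=None):
    """Return (likelihood level, impact level, severity) for one finding.
    `weights` is the Step 6 customization: {factor: multiplier}."""
    lk = level(average(scores, LIKELIHOOD_FACTORS, weights))
    im = level(average(scores, IMPACT_FACTORS, weights))
    return lk, im, SEVERITY[(lk, im)]

# Constructed sample: an injection flaw in an internet-facing application.
SAMPLE = {"skill_level": 3, "motive": 4, "opportunity": 7, "size": 9,
          "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 9,
          "intrusion_detection": 8, "loss_of_confidentiality": 7,
          "loss_of_integrity": 5, "loss_of_availability": 5, "loss_of_accountability": 7,
          "financial_damage": 3, "reputation_damage": 4, "non_compliance": 5, "privacy_violation": 7}
```

For the sample, likelihood averages 6.5 (HIGH) and impact 5.375 (MEDIUM), giving an overall severity of High; weighting privacy violation heavily, as a regulated organization might under Step 6, lifts it to Critical.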
23. IBM Security Systems
Application Security: The Source of Security Protection
1. Web application vulnerabilities dominate the enterprise threat landscape
2. Mobile Application Attacks are Increasing Rapidly
3. Vulnerabilities spread through a wide variety of applications (internal development / external in use without code)
4. Common questions: where are your vulnerabilities and how to validate the risk?
5. Many clients still do not understand the need for Application Security in their environment
24. IBM Security Systems
Gartner has recognized IBM as a leader in the Magic Quadrant for
Application Security Testing (AST)
Magic Quadrant for Application
Security Testing
Neil MacDonald, Joseph Feiman
July 2, 2013
“The market for application security
testing is changing rapidly. Technology
trends, such as mobile
applications, advanced Web
applications and
dynamic languages, are forcing the
need to combine dynamic and static
testing capabilities, which is reshaping
the overall market.”
This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The link to the Gartner report is available upon request from IBM.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
25. IBM Security Systems
Adopt a Secure by Design approach to enable you to design, deliver and manage smarter software and services
Build security into your application development process
Efficiently and effectively address security defects before deployment
Collaborate effectively between Security and Development
Provide Management visibility
Proactively address vulnerabilities early in the development process
(Diagram: Deliver New Services Faster – Innovate Securely – Reduce Costs)
26. IBM Security Systems
Finding more vulnerabilities using advanced techniques
(Diagram: the techniques below together cover the total potential security issues in applications)
Static Analysis
- Analyze Source Code
- Use during development
- Uses Taint Analysis / Pattern Matching
Dynamic Analysis
- Analyze Live Web Application
- Use during testing
- Uses HTTP tampering
Hybrid Analysis
- Correlate Dynamic and Static results
- Assists remediation by identification of line of code
Run-Time Analysis
- Combines Dynamic Analysis with run-time agent
- More results, better accuracy
Client-Side Analysis
- Analyze downloaded JavaScript code which runs in client
- Unique in the industry
27. IBM Security Systems
The IBM Security AppScan Solution
AppScan Enterprise Server
Governance -- Collaboration -- Security Intelligence -- Correlation
Source for Analysis
• Configure Software
• Scan
• Triage Results
• Manage Security Policies
Source for Automation
• Build integration
• Automate Scans
• ANT, Make, Maven integration
• Data Access API
Source for Development
• IDE Scan
• Investigate Flaws
• Remediate with Guidance
• Confirm Fix
Source for Remediation
• Non-scanning IDE plugin
Penetration Testing
AppScan Standard
Desktop solution for security consultants and in-house security testers
Combines advanced security testing with ease of use
DAST with advanced hybrid technology included (JavaScript Analyzer & new Glass box)
29. IBM Security Systems
Enterprise Dashboards – Measure Progress
Compare the number of issues across teams and applications
Identify top security issues and risks
View trending of the number of issues by severity over time
Monitor the progress of issue resolution
30. IBM Security Systems
Bridging the Security/Development gap
Break down organizational silos
• Security experts establish security testing policies
• Development teams test early in the cycle
Provide Management Visibility
• Dashboard of application risk
• Enable compliance with regulation-specific reporting
• Treat vulnerabilities as development defects
“… we wanted to go to a multiuser web-based solution that enabled us to do concurrent scans and provide our customers with a web-based portal for accessing and sharing information on identified issues.”
Alex Jalso, Asst Dir, Office of InfoSecurity, WVU
(Diagram: enables collaboration between Developer, Architect, Quality Professional and Security Auditor)
32. IBM Security Systems
Under NDA until date of announcement
AppScan Source - 100% coverage of OWASP Mobile Top Ten

OWASP Mobile Top 10 | IBM Security AppScan Coverage
1. Insecure Data Storage | Trace routes of sensitive data
2. Weak Server Side Controls | Security scanning of server side code
3. Insufficient Transport Layer Protection | Check for use of SSL/TLS
4. Client Side Injection | Checks for common injection flaws including SQLi, HTMLi, and XSS
5. Poor Authentication and Authorization | Track where IDs and Passwords enter/exit the system
6. Improper Session Handling | Verify UUID is not used for session management
7. Security Decisions via Untrusted Inputs | Track where data originates and how it is used
8. Side Channel Data Leakage | Test for data leakage to log files, pasteboard, property lists, etc.
9. Broken Cryptography | Identify proper cryptographic usage
10. Sensitive Information Disclosure | Test for data leakage to peripherals, network, sockets, etc.
33. IBM Security Systems
Wrap-Up!
X-Force is IBM’s leading source of research and attack insights from today’s security threat landscape
Stay ahead of the threat, know what attackers are doing
OWASP and the OWASP Top Ten
Industry accepted rankings of the most critical web and mobile software vulnerabilities
Use these to help inform and mature your software security programs
IBM Security AppScan can be a critical part of that program
Test for the high severity vulnerabilities
Prioritize fixes
Help developers remediate existing problems and learn how to code to prevent new ones
Run reports for auditors and assessors