Infosec 2012 | 25/4/12

Introduction
- Application Security vs. Data Security
- Current Application Security Approach
  – Vulnerability vs. Risk
  – Technique vs. Goal
- Challenges of Existing Application Security Solutions
- New Approach for Application Data Security
About Myself
- 16 years in information/application security (over 10 years hands-on penetration testing)
- Research, Development, Enhancement
  – Attack & Defense Techniques
  – WAF / AppSec Testing Products
- Regular Speaker at Security Conferences
- OWASP Global Membership Committee & Chairman of OWASP Israel
The Problem
- Application Security – Goal or Means?
- Importance of Protecting Persistent Data
- DB Security Solutions – Are They Enough?
- Influence of Application Vulnerabilities on Data Security
- AppSec as a Means for Data Protection
- AppSec as an Integral Part of R&D?
Current Approach
- Approach Too Technical
- Focus on Technical Aspects
  – Examines the application from the vulnerability perspective
  – Focuses on injections & technical problems
  – Analyzes code rather than the application
  – Ignores application data
- Focus on technology instead of risk
- Hard to fit into the development lifecycle
Too Many Vulnerabilities…
SQL Injection, Cross Site Scripting, Cross Site Request Forgery, Parameter Tampering, Forceful Browsing, Session Riding, Hidden Field Manipulation, LDAP Injection, Cookie Poisoning, CRLF Injection, HTTP Response Splitting, XPath Injection, Directory Traversal, OS Commanding, Session Hijacking, Insecure Redirect, Flow Bypassing, Directory Listing, Insecure Password Storage, File Inclusion, No User Lockout, Unauthenticated Access, Buffer Overflow, No SSL, Session Fixation, Detailed Error Messages, Misconfiguration, Information Leakage, URL Encoding
Going Back to the Roots
- Risk-Based Approach
- CIA
  – Confidentiality
  – Integrity (+ Non-Repudiation)
  – Availability
- Assess Application Vulnerabilities Based on Data Risk
Data-Oriented Approach
- Taking a Data-Oriented Approach to Application Security Testing
- Logical vs. Technical
- Business Impact
- Level of Exploitability
- Risk, Risk, Risk
Example: Unauthorized Data Modification
- The Attack is Data Modification
- Can be performed in various ways:
  – Parameter Tampering
  – Flow Bypassing
  – SQL Injection
  – Cross Site Scripting
  – Cross Site Request Forgery
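The slide's point is that the goal (a record is changed only by its owner, only in permitted fields, only along the permitted flow) is what matters, not which technique carries the request. The following is an added example written for this page, not code from the talk or from Quotium: a constructed order-update handler shown first in a form that trusts every client parameter, then in a form that enforces the data-level invariants server-side. All names, records and allowed transitions are assumptions made for the illustration.

```python
# Added example (not from the slides). Demonstrates a data-oriented control:
# whatever vector delivers the request (tampered parameter, skipped UI step,
# CSRF-delivered form), the server checks ownership, the writable-field
# whitelist and the state transition against its own data, not the client's.
from dataclasses import dataclass


@dataclass
class Order:
    order_id: int
    owner: str
    status: str
    total: float


# Constructed sample data store.
ORDERS = {
    101: Order(101, "alice", "pending", 250.0),
    102: Order(102, "bob", "pending", 99.0),
}

# Fields a customer may change, and the only status transition the UI flow offers.
CLIENT_WRITABLE = {"status"}
ALLOWED_TRANSITIONS = {("pending", "cancelled")}


class Forbidden(Exception):
    """Raised when a request would modify data outside the caller's rights."""


def update_order_naive(params: dict) -> Order:
    """Vulnerable form: every submitted parameter is applied, including
    order_id (any user's record), owner and total (not meant to be writable)."""
    order = ORDERS[int(params["order_id"])]
    for key, value in params.items():
        if key != "order_id" and hasattr(order, key):
            # Coerce to the existing attribute's type, then overwrite it.
            setattr(order, key, type(getattr(order, key))(value))
    return order


def update_order(session_user: str, params: dict) -> Order:
    """Hardened form: ownership is derived from the session, only whitelisted
    fields may be written, and the transition is validated server-side."""
    order = ORDERS.get(int(params.get("order_id", -1)))
    if order is None or order.owner != session_user:
        raise Forbidden("caller does not own this order")
    unexpected = set(params) - CLIENT_WRITABLE - {"order_id"}
    if unexpected:
        raise Forbidden(f"non-writable fields supplied: {sorted(unexpected)}")
    new_status = params.get("status", order.status)
    if new_status != order.status and (order.status, new_status) not in ALLOWED_TRANSITIONS:
        raise Forbidden(f"transition {order.status}->{new_status} not allowed")
    order.status = new_status
    return order


def attempt(session_user: str, params: dict) -> str:
    """Run the hardened update and report the outcome as a plain string."""
    try:
        update_order(session_user, params)
        return "ok"
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    # Naive handler: alice rewrites bob's total through parameter tampering.
    print(update_order_naive({"order_id": "102", "total": "1.0"}))
    # Hardened handler: the same requests are refused; the legitimate one passes.
    print(attempt("alice", {"order_id": "102", "status": "cancelled"}))
    print(attempt("alice", {"order_id": "101", "total": "1.0"}))
    print(attempt("alice", {"order_id": "101", "status": "shipped"}))
    print(attempt("alice", {"order_id": "101", "status": "cancelled"}))
```

The hardened handler never reasons about the attack technique; it only knows which data the caller may touch and how. That is the sense in which a vulnerability matters because of the data it can reach, not because of the injection or tampering trick used to reach it.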
The Problem – Take II
- Existing Solutions – Too Technical
- No One Uses a Data-Oriented Approach
  – DAST (Scanners)
    · Analyze Requests/Responses – No Data Access
    · Focused on Technical Vulnerabilities
  – SAST (Static Analyzers)
    · Only Static Code – No Data Access
    · Focused on Technical Vulnerabilities
  – Pentesters – Better, But Still Mostly Technical
The Problem – Take II
- Result – Low Security ROI
  – €€€ spent on solutions not focused on data risk
  – €€€ spent on professional services trying to sort through thousands of results
  – €€€ spent on R&D hours applying unnecessary fixes
- High Costs, Unfocused Efforts, Inefficient.
The Solution: Data-Centric Application Security
- Analysis of Actual Data Handling in the System
- Automatic Data Classification
  – Sensitivity
  – Ownership
  – Accessibility
  – etc.
- Identifying Vulnerabilities That Pose Real Risk
- Verification of the Actual Risk Level
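Two of the slides above, the risk-based CIA assessment and the data-classification step, describe one pipeline: classify the data a finding can reach, weigh the CIA impact and exploitability, and keep only findings that carry real data risk. The block below is an added example written for this page, not the talk's or Quotium's engine: a name-based sensitivity classifier (a deliberately simple stand-in for whatever a runtime analysis engine would infer) feeding a risk score that drops findings touching no sensitive data. The field names, findings, weights and scoring formula are all constructed assumptions.

```python
# Added example (not from the slides). Classifies data fields by sensitivity,
# scores each finding by (max sensitivity reached) x (CIA properties affected)
# x (exploitability), and discards findings that reach no sensitive data.
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed heuristic: field-name pattern -> sensitivity 0 (public) .. 3 (highest).
# A real engine would classify from observed data handling, not names alone.
CLASSIFICATION_RULES = [
    (re.compile(r"(ssn|national_id|passport)", re.I), 3),
    (re.compile(r"(card|pan|cvv|iban)", re.I), 3),
    (re.compile(r"(password|secret|token)", re.I), 3),
    (re.compile(r"(email|phone|address|dob)", re.I), 2),
    (re.compile(r"(salary|balance|price|total)", re.I), 2),
    (re.compile(r"(name|username)", re.I), 1),
]


def classify_field(name: str) -> int:
    """Return the sensitivity level of a data field by its name; 0 if no rule matches."""
    for pattern, level in CLASSIFICATION_RULES:
        if pattern.search(name):
            return level
    return 0


@dataclass
class Finding:
    vuln: str                 # technical vulnerability class reported by a scanner
    fields: Tuple[str, ...]   # data fields the vulnerability can actually reach
    impact: Dict[str, bool]   # which of C, I, A the vulnerability affects
    exploitability: int       # 1 (hard) .. 3 (trivial), from exploit verification


def risk_score(finding: Finding) -> int:
    """Data-centric risk: no sensitive data reached means score 0, whatever the vuln class."""
    sensitivity = max((classify_field(f) for f in finding.fields), default=0)
    cia = sum(1 for prop in ("C", "I", "A") if finding.impact.get(prop))
    return sensitivity * cia * finding.exploitability


def prioritise(findings: List[Finding]) -> List[Tuple[int, Finding]]:
    """Keep findings with real data risk, highest score first."""
    scored = [(risk_score(f), f) for f in findings]
    return sorted([(s, f) for s, f in scored if s > 0], key=lambda sf: -sf[0])


# Constructed scanner output: same technical classes a DAST tool would list.
SAMPLE_FINDINGS = [
    Finding("SQL Injection", ("card_number", "cardholder_name"), {"C": True, "I": True}, 3),
    Finding("Parameter Tampering", ("total",), {"I": True}, 3),
    Finding("Cross Site Scripting", (), {"C": True}, 3),          # help page, no data
    Finding("Directory Listing", ("image_url",), {"C": True}, 3),  # public images
    Finding("Detailed Error Messages", ("server_version",), {"C": True}, 3),
]


if __name__ == "__main__":
    for score, f in prioritise(SAMPLE_FINDINGS):
        print(f"{score:3d}  {f.vuln:25s} reaches {', '.join(f.fields)}")
```

With the constructed inputs, only the SQL injection (card data, confidentiality and integrity) and the parameter tampering on the order total survive; the three findings that reach no sensitive data fall out of the list, which is the "no irrelevant vulnerabilities" outcome the slides describe. The scoring weights are the example's own choice; the structure (data reached, CIA impact, verified exploitability) is what the data-oriented approach on this page calls for.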
Advantages
- Focus on Real Vulnerabilities
- Holistic Approach (Application, not Code)
- Support for Business Transactions
  – Multi-Tier, Multi-Step Components, etc.
- Identify Vulnerabilities Otherwise Left Unidentified
- Identify Potential Data Breaches
- Easy to Integrate into R&D
The Data-Centric Approach
- More REAL Vulnerabilities
- No IRRELEVANT Vulnerabilities
- Efficient, Practical, Focused
- Fits the R&D Security Program
- Provides High Security ROI
About Quotium
- New-Generation Application Security
- Data-Oriented Approach
- Utilizes a new Runtime Analysis Engine
  – Analysis of application data and code
  – Exploit verification to classify risk
- Intuitive & Easy to Use
- Adaptive to the Development Process