OWASP
Slide 3: Background
PhD in Information Security: Emergence in Designing Routing Protocols
UK Security Scientist
DefCon 2007, IEEE, IEE, BCS, CISSP
Java Developer Background: J2SE, JEE
OWASP Project Leader: JBroFuzz
Employer: Information Risk Management, UK (www.irmplc.com)
Slide 4: Motivation
“The cash desk, the derivatives desk, the program desk … bring them all together”
“Do you have trading technology that allows you to trade across every asset in every country?”
“Our traders can trade across multiple asset classes simultaneously”
“We offer you the ability to trade from your PDA”
How long can you be out of the market for?
Slide 5: Motivation
How long can you be out of the market for?
Regulatory requirements
Business loss opportunities
Liability issues regarding prices
Increase in number of people on the floor
Slide 6: The Freakonomics of Security and Personnel
Scenario: Member of Staff A holds a password of ‘operational importance’
Technical Attack Approach
Password is stored in the form of a 128 bit hash
Obtaining the hash would require an insider’s presence
Cost to check a single value: $0.00000000001
Cost to check more than half of the values: ≈ $184 million
Human Attack Approach
Clerical Staff A salary: $40K / year
A successful career of, say, 25 years
Total earnings: ≈ $1 million …
Slide 10: Scenario
Operational System
Risk Assessment Initiated
Initial Internal Assessment
External Penetration Test
Slide 11: Scenario Results
External Penetration Test
A1: Cross Site Scripting
A2: Cross Site Request Forgery
A4: Web Application DoS
A7: Weak Session Cookies
A9: Insecure Communications
Final Risk Assessment
A1: Non Internet Facing Application
A2: Scarce Data Manipulation Attacks
A4: Application recovers successfully
A7: Users not technical enough
A9: Internal Switched Network
Fun and Profit Enterprise Attack
A4: Cause a Web Denial of Service
A1: Mass Internal Phishing Email
A2: Manipulate data on the fly
A7: Hijack administrator’s data
A9: Bounce data off mail gateway
Slide 12: Conclusions
Complex “Enterprise Level” applications will experience “Enterprise Level” attacks
An application, subsystem or component must be able to withstand a targeted, specialized attack
Simplicity is key for a secure system implementation