Security for Managers and Executives

Presentation on theme: "Security for Managers and Executives"— Presentation transcript:

1 Security for Managers and Executives
OWASP Education Computer Based Training: Security for Managers and Executives
Nishi Kumar, IT Architect Specialist, FIS; Chair, Software Security Forum at FIS; OWASP CBT Project Lead; OWASP Global Industry Committee
Contributor and Reviewer: Keith Turpin

2 Objectives
- Bring application security awareness
- Things we can do that will help build secure applications
- Processes we can have for achieving this goal
- Answer some common questions

3 How would you feel if your confidential data is stolen?
Angry! Frustrated!

4 Identity Theft Phishing

5 Facebook Phishing Attack
Lures people to a fake Facebook page and prompts them to log in. Unsuspecting Facebook users get a message from a friend urging them to "check this out" and including a link to a Web page that appears to be a Facebook log-in page.

6 Customer data of 77 million compromised (potentially credit cards as well)

7 Why Should We Care? Let's just think this through...
How likely is a successful web application attack?
- Stunningly prevalent
- Easy to exploit without special tools or knowledge
- Little chance of being detected
- Hundreds of thousands of developers, a tiny fraction with security skills
Consequences?
- Corruption or disclosure of database contents
- Root access to web and application servers
- Loss of authentication and access control for users
- Defacement
- Secondary attacks launched from your application

8 Cost of Non-Compliance
In the event of a breach the acquirer CAN make the merchant responsible for:
- Any fines from PCI-Co, up to $500,000 per incident
- Cost to notify victims
- Cost to replace cards (about $10/card)
- Cost of any fraudulent transactions
- Forensics from a QDSC
- Level 1 certification from a QDSC
The QDSC (Qualified Data Security Company) certification by Visa authorizes a company to perform level-one onsite assessments for merchants and service providers requiring a "Report on Compliance" (ROC).

9 Cost of Non-Compliance (cont.)
Example: 50,000 credit cards stolen
- PCI penalty: $100,000 per incident ($500,000 if you do not have a self-assessment)
- Card replacement: $500,000 (50,000 x $10 per card)
- Fraudulent transactions: $61,750,000 ($1,235 average fraudulent transaction x 50,000)
- Bad publicity: Priceless!

10 Why is Web Application Security Important?
Attacks shift towards the application layer (sources: Gartner, Watchfire):

Layer              % of Attacks   % of Security Dollars
Web Applications   75%            10%
Network / Server   25%            90%

2/3 of all web applications are vulnerable.

11 Problem Illustrated
Application layer:
- Attacker sends attacks inside valid HTTP requests
- Your custom code is tricked into doing something it should not
- Security requires software development expertise, not signatures
Network layer:
- Firewall, hardening, patching, IDS, and SSL cannot detect or stop attacks inside HTTP requests
- Security relies on signature databases
[Diagram: an application attack passing through Firewall, Hardened OS, Web Server and App Server into Custom Code; business functions (Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce) backed by Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing; an Insider shown behind the firewall]
Speaker notes: I wanted to illustrate here visually how the attack is happening. Attackers send an attack inside a valid HTTP request. Application code is tricked into doing something it was not supposed to do. Full application security requires specific software development expertise. Network layer security alone cannot stop attacks inside HTTP requests.

12 Demo Attack - Phases of hacker attacks

13 Phase 1 - Information Search (Fingerprinting)
1. Hacker searches for information about the victim's target system: operating system, web server, database
2. Compares the information with a vulnerability database

14 Phase 1 - Information Search
SQL Injection
1. Hacker found a vulnerability: search for a (specific) user, find additional information about the user
2. Needs this information for the next phase of the attack

15 Phase 2 - Infrastructure
Cross Site Scripting (XSS)
1. Hacker found personal information about the user (phone number)
2. Sends a message with an unsuspicious topic
3. Includes XSS in that message which sends the user's session to the hacker's server

16 Phase 2 - Infrastructure
Cross Site Scripting (XSS)
1. User receives the message
2. The message (Topic, Originator) looks unsuspicious to the user
3. The included XSS sends all cookies to the hacker's web site

17 Phase 3 - Exploit: Session hijacking
1. Hacker received all cookies from the user
2. Cookies are used to identify users
3. Hacker uses the cookie to resume the user's session
4. Hacker is logged in as user "victim" with the user's access rights

18 That was just the beginning

19 Demo: Cross-site scripting
XSS-Proxy: a tool for leveraging Cross-Site Scripting (XSS) flaws to hijack victim browsers; it provides a bi-directional interactive control channel between the attacker, the victim browser and an XSS-vulnerable site.
WebGoat XSS lessons

20 Leverage OWASP for Web Application Security Training
The Open Web Application Security Project (OWASP Foundation Inc.)
- Participation in OWASP is free and open to all
- The vision is a software market that produces code that's secure
- The mission is to make security visible so that software buyers and sellers are on equal footing and market forces can work
- International not-for-profit charitable organization funded primarily by volunteers' time and OWASP memberships

21 What are the Top 10 Vulnerabilities?
OWASP Top 10

22 Common Security Issues: The OWASP Top 10 2010
The Ten Most Critical Risks
Aimed at educating developers, architects and security practitioners about the consequences of the most common web application security risks
Living document: the 2010 Top 10 differs from the 2007 Top 10

23 Users and Adopters
Payment Card Industry (PCI)
- PCI DSS Requirement 6.5: OWASP Guide (OWASP Top 10)
- PA-DSS Requirement 5.2: OWASP Guide (OWASP Top 10)
- Security code review for all custom code
OWASP Supporters

24 Educational Supporters

25 Common Security Issues: The OWASP Top 10 2010

26 Security Threats and OWASP T10
- Phishing: exploits weak authentication, authorization, session management and input validation (XSS, XFS) vulnerabilities
- Privacy violations: exploit poor input validation, business rule and weak authorization, injection flaws, and information leakage vulnerabilities
- Identity theft: exploits poor or non-existent cryptographic controls, malicious file execution, authentication, business rule and authorization check vulnerabilities

27 Security Threats and OWASP T10 (cont)
- System compromise, data alteration or data destruction: exploit injection flaws and remote file inclusion/upload vulnerabilities
- Financial loss: exploits unauthorized transactions and CSRF attacks, broken authentication and session management, insecure object references, and weak authorization/forceful browsing vulnerabilities
- Reputation loss: depends on any evidence (not necessarily exploitation) of a web application vulnerability

28 OWASP ESAPI (Enterprise Security API)
[Diagram: Custom Enterprise Web Application -> OWASP Enterprise Security API -> Your Existing Enterprise Services or Libraries]
ESAPI components: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration
ESAPI Homepage:

29 OWASP ESAPI 2.0 & OWASP Top 10 for 2010 mapping
Here is the mapping for OWASP Top 10 for 2010 and ESAPI 2.0:

OWASP Top 10 2010                                   ESAPI 2.0 component
A1: Injection                                       Encoder
A2: Cross-Site Scripting (XSS)                      Encoder, Validator
A3: Broken Authentication and Session Management    Authenticator, User, HTTPUtilities
A4: Insecure Direct Object References               AccessReferenceMap, AccessController
A5: Cross-Site Request Forgery (CSRF)               User (CSRF Token)
A6: Security Misconfiguration                       SecurityConfiguration
A7: Insecure Cryptographic Storage                  Encryptor
A8: Failure to Restrict URL Access                  AccessController
A9: Insufficient Transport Layer Protection         HTTPUtilities
A10: Unvalidated Redirects and Forwards             AccessController
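As an added illustration (not code from the presentation, and not the ESAPI library itself) of the A2 and A3 rows above and of the XSS-to-session-hijacking chain in slides 15 to 17: output encoding stops an injected script tag from being parsed as markup, and an HttpOnly session cookie keeps the session id out of reach of any script that does get through. The function names, the page template and the sample topic text are constructed for this example.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample input (not from the presentation): a message topic that
# should be plain text but carries a script tag, as in the slide 15 scenario.
UNTRUSTED_TOPIC = 'Check this out <script>/* would read document.cookie */</script>'

# Hypothetical page template that echoes the topic into the HTML body.
TEMPLATE = '<h1>Inbox</h1><p class="topic">{topic}</p>'


def encode_for_html(untrusted: str) -> str:
    """Entity-encode untrusted data for an HTML body context (the job of
    ESAPI's Encoder in the A2 row): < > & " ' become entities, so the
    browser shows the text instead of executing it as markup."""
    return html.escape(untrusted, quote=True)


def render_topic(topic: str, encode: bool = True) -> str:
    """Build the page. encode=False is the vulnerable path the slides
    describe; encode=True is the corrected one."""
    return TEMPLATE.format(topic=encode_for_html(topic) if encode else topic)


def contains_active_markup(rendered: str) -> bool:
    """Crude check used only to contrast the two renderings: did a raw
    <script tag survive into the output the browser will parse?"""
    return "<script" in rendered.lower()


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session id (A3 row, HTTPUtilities' job).
    HttpOnly keeps document.cookie from exposing it to page script, so an
    XSS flaw that slips past encoding still cannot hand the session to a
    third party; Secure and SameSite=Strict limit where it is sent."""
    cookie = SimpleCookie()
    cookie["JSESSIONID"] = session_id
    morsel = cookie["JSESSIONID"]
    morsel["path"] = "/"
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Strict"  # supported since Python 3.8
    return cookie.output(header="").strip()


if __name__ == "__main__":
    print("vulnerable:", render_topic(UNTRUSTED_TOPIC, encode=False))
    print("encoded:   ", render_topic(UNTRUSTED_TOPIC))
    print("Set-Cookie:", session_cookie_header("constructed-session-id"))
```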

30 OWASP Documentation on Web Application Security
- Application Security Desk Reference (ASDR): basic reference material on application security terminology
- Developer Guide: comprehensive guide for web application and web services security
- Secure Coding Practices: quick reference guide for secure coding practices
- Code Review Guide: comprehensive secure code review guide on the web
- Testing Guide: web application penetration testing
- ASVS: Application Security Verification Standard

31 OWASP Tools and Technology
- Automated Security Verification: vulnerability scanners, static analysis tools, fuzzing
- Manual Security Verification: penetration testing tools, code review tools
- Security Architecture: ESAPI
- Secure Coding: AppSec libraries, ESAPI reference implementation, guards and filters
- AppSec Management: reporting tools
- AppSec Education: CBT (computer based training), flawed apps, learning environments, Live CD

32 Web Testing Environment (Live CD)
- Project that collects some of the best open source security projects in a single environment
- Users can boot from the Live CD and immediately start using all tools without any configuration

33 Web Testing Environment (Live CD)
These are the tools that come on the Live CD: Burpsuite, Cal Ende 1.0rc3, Fierce, Firefox 3.6, Grendel-scan 1.0, Httprint 301, Jbrofuzz 2.4, Maltego 3.0, Metasploit, Netcat, Nikto, Nmap 5.00, Paros, Ratproxy 1.58, Spikeproxy, Sqlbrute 1.0, Sqlmap 0.8, Tcpdump, w3af-svn 4041, wapiti, Webgoat 5.3-RC1, Webscarab, Webslayer-svn r4, Wireshark, Wsfuzzer, Zap

34 Secure Coding Practices
The Secure Coding Practices Quick Reference Guide is a technology agnostic set of general software security coding practices, in a comprehensive checklist format, that can be integrated into the development lifecycle. It is designed to serve as a secure coding kick-start tool and easy reference, to help development teams quickly understand secure coding practices.

35 Training and Education
OWASP Education Project: ucation_Project
OWASP projects and resources you can use: SP_projects_and_resources_you_can_use_TODAY

36 Training and Education (cont.)
OWASP CBT Project: OWASP_CBT_Project

37 WebGoat - A classic vulnerable application to teach developers about security code flaws

38 WebScarab - A Proxy Engine
A proxy tool to intercept HTTP requests and HTTP responses

39 Software Assurance Maturity Model (SAMM)
The four Disciplines are high-level categories for activities. Three security Functions under each Discipline are the specific silos for improvement within an organization.

Alignment & Governance: centered on the processes and activities for how an organization manages overall software development activities, including cross-cutting concerns on development and processes at the organization level.
- Education & Guidance: increasing security knowledge amongst personnel in software development through training and guidance on security topics relevant to individual job functions.
- Standards and Compliance: setting up a security and compliance control and audit framework throughout an organization to achieve increased assurance in software under construction and in operation.
- Strategic Planning: the overall strategic direction of the software assurance program and instrumentation of processes and activities to collect metrics about an organization's security posture.

Requirements & Design: in general, this includes product management, requirements gathering, high-level architecture specification, detailed design, and implementation.
- Threat Modeling: accurately identifying and characterizing potential attacks on software in order to better understand the risks and facilitate risk management.
- Security Requirements: promoting the inclusion of security-related requirements during the software development process in order to specify correct functionality from inception.
- Defensive Design (Secure Architecture): bolstering the design process with activities to promote secure-by-default designs and control over the technologies and frameworks upon which software is built.

Verification & Assessment: focused on the processes and activities for how we check and test artifacts produced throughout software development. This typically includes quality assurance work such as testing, but it can also include other review and evaluation activities.
- Architecture Review (Design Review): inspection of the artifacts created from the design process to ensure provision of adequate security mechanisms.
- Code Review: assessment of source code to aid vulnerability discovery and related mitigation activities, as well as to establish a baseline for secure coding expectations.
- Security Testing: testing software in its runtime environment in order to both discover vulnerabilities and establish a minimum standard for software releases.

Deployment & Operations: release management. This can involve shipping products to end users, deploying products to internal or external hosts, and normal operations of software in the runtime environment.
- Vulnerability Management: establishing consistent processes for managing internal and external vulnerability reports to limit exposure and gather data to enhance the security assurance program.
- Environment Hardening: implementing controls for the operating environment, such as web server and application server hardening.
- Operational Enablement: identifying and capturing security-relevant information needed by an operator to properly configure, deploy, and run the software.

40 Software Assurance Maturity Model (SAMM)
Check out this one...

41 SAMM Conducting assessments
SAMM includes assessment worksheets for each Security Practice

42 SAMM Creating Scorecards
- Gap analysis: capturing scores from detailed assessments versus expected performance levels
- Demonstrating improvement: capturing scores from before and after an iteration of assurance program build-out
- Ongoing measurement: capturing scores over consistent time frames for an assurance program that is already in place

43 Process perspective: Build Security in the SDLC

45 Threat Modeling - An approach for analyzing the security

46 Threat Categorization - STRIDE
Threats can be systematically identified in the application in a structured and repeatable manner:
- Spoofing
- Tampering
- Repudiation
- Information disclosure
- Denial of service
- Elevation of privilege

47 Threat Categorization (cont.)

Type                     Example                                                                                    Security Control
Spoofing                 Illegally access and use another user's credentials                                        Authentication
Tampering                Maliciously change/modify persistent data, such as data in a database                      Integrity
Repudiation              Perform illegal operations that lack the ability to be traced                              Non-Repudiation
Information disclosure   Read a file that one was not granted access to, or read data in transit                    Confidentiality
Denial of service        Deny access to valid users, such as making a web server temporarily unavailable or unusable Availability
Elevation of privilege   Gain unauthorized access or compromise a system                                            Authorization

49 ??? Since no customer is complaining, why does an organization need to fix security vulnerabilities in its applications?
- Compliance
- In case of a security breach: fines
- Reputation loss: priceless

50 ??? What do we do if the application is already in production and has missed that phase of security?
It's never too late and never too early. It is a continuous process... Penetration testing and security code review are the key. We must fix security leaks and vulnerabilities.

51 ??? What will help?
- Leverage OWASP
- Security code review: the value of mentoring is enormous
- Application scanning and code scanning using static analysis tools
- Make web application security part of the SDLC process
- Secure code development training
- Train QA to find security issues in the application

52 Make Security part of the SDLC process
