Presentation is loading. Please wait.

Presentation is loading. Please wait.

Presentation Overview

Published byTracy Garrison Modified over 8 years ago

Similar presentations

Presentation on theme: "Presentation Overview"— Presentation transcript:

0 It’s No Longer the Network – Now It’s All About the Apps Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP Information Security Forum for Texas Government May 20, 2015

1 Presentation Overview
Traditional Network Security Activities Versus the New Reality Basic Application Security (AppSec) Fundamentals Risks Associated With Vulnerable Applications Mobile (In)Security Review Some Actual Vulnerability Data What Can You Do to Help? Tools and Resources to Assess and Audit AppSec Maturity

2 Traditional Network Security Centric Approach
Policies and Procedures Patching and Configuration Changes Network Scanning and Penetration Testing Logging and Monitoring Firewalls Network Intrusion Detection/Prevention Systems Anti-Virus and Endpoint Security Security Info Event Systems

3 Myth #1 – I Don’t Need Application Security Because My Network is Secure
A common approach is to place a Web Application Firewall (WAF) in front of the organization's public facing web applications and ignore or de-emphasize application vulnerabilities and remediation. WAFs provide great capabilities, but only if they are properly deployed, correctly configured, regularly updated and actively monitored. WAFs can be placed in monitor/learning mode which would not proactively block attack attempts. Look at the photo on the right. Imagine that the fierce guard dogs are WAFs protecting a residence with no locks on the doors or windows and large amounts of cash and jewelry laying on the table in the entry hall. As long as the dogs are in place, hungry and alert, you have a deterrent and a means to protect the valuables. But what if the dogs are sleepy, distracted, over fed or even drugged. Your defenses will be significantly degraded. Technical Rationale Non-Technical Rationale

4 Application Security Fundamentals
Application security includes measures taken throughout an application's life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance of the application.* The primary focus is on Layer 7 of the OSI Model AppSec should be part of an organization’s or vendor’s Software (or System) Development Life-Cycle (SDLC) A key component of application security should be for developers and their managers to be aware of basic AppSec requirements, common threats and effective countermeasures AppSec knowledge and maturity is significantly lower today than traditional network security * Wikipedia

5 Risks Associated With Vulnerable Applications
Unauthorized access to sensitive citizen or organizational data Theft of sensitive data to conduct identity theft, credit card fraud or other crimes Defacement of websites; strong potential for brand/reputation damage Manipulation of data impacting data integrity, quality and organization’s reputation Redirection of users to malicious web sites; phishing and malware distribution Denial of service; availability of data Attackers can assume valid user identities Access to hidden web pages using forged URLs Attacker’s hostile data can trick the interpreter to execute unintended commands

6 The Attack Profile Continues to Change
Top Attacks By Product Type Infrastructure 41.9% Application 32.6% ICS-SCADA 11.6% Content Management Systems 11.6% SSL/TLS 2.3 % (Heartbleed) Most Exploited OpenSSL TLS/DTLS Heartbleed GNU Bash Variable Content GNU Bash Variable Function Definitions Drupal Core SQL Injection Adobe Flash Player Remote Code Execution Source: Cisco 2015 Annual Security Report

7 Let’s Look at Mobile Applications
Today’s large companies each spend an average of $34 million annually to develop mobile apps we use to shop, bank and more. However, only an average of 5.5% of this immense budget is spent on securing these apps against hackers and security. Forty percent of companies do not scan the code in their mobile apps for security vulnerabilities Fifty percent of companies have zero budget specifically earmarked for any security of their mobile applications Source: March 2015 Ponemon/IBM Report of 400 Companies

8 Example High Risk Web Vulnerability

9 Brute Force Attack Vulnerability

10 Poor Application Password Management

11 Value and Risk Are Not Equally Distributed
Some Applications Matter More Than Others Value and character of data being managed Value of the transactions being processed Cost of downtime and breaches Therefore All Applications Should Not Be Treated the Same Allocate different levels of resources to assurance Select different assurance activities Also must often address compliance and regulatory requirements

12 First Step – Application Inventory and Risk Ranking
The best place to begin any application security assessment is to obtain (or create) an inventory of all applications used by your organization. Include custom built, COTS, mobile, web, 3rd party developed and SaaS. Risk rank the applications based on their criticality to the organization, the sensitivity of the data processed/stored and compliance requirements Attempt to determine if the applications have been tested for security vulnerabilities and when. Examine contracts for 3rd party applications.

13 Next Step – Implement a Risk Based Approach
Determine the size and complexity of critical applications Determine the underlying technology (Java, .net, Ruby, etc.) Research the kinds of attacks directed against your types of applications Perform or commission application security scanning coupled with manual testing Prioritize the vulnerabilities and create a remediation plan Follow up to determine that vulnerabilities are being remediated

14 Myth #2 – An Automated Scanner Can Find All The Application Vulnerabilities That Exist
There is no “silver bullet” for identifying application security vulnerabilities. There are different classes of tools ranging from static code scanners that assess the code to dynamic scanners that analyze logic and data flow. Generally, 30% to 40% of vulnerabilities can be identified by scanners; the remainder are uncovered by other means. Manual testing allows an informed and experienced tester to attempt to manipulate the application, escalate privileges or get the application to operate in a way it was not designed to do. But wait, there’s more…………

15 What Goes Into An Application Test?
Application security goes well beyond simply running a scanning tool. For critical or high value applications, or those that process sensitive data, thorough testing may actually include a combination of several methods. Unauthenticated Automated Scan Authenticated Automated Scan Automated Binary Analysis Blind Penetration Testing Manual Source Code Review Manual Binary Analysis Informed Manual Testing Automated Source Code Scanning

16 AppSec – What Can You Do and Why?
Information Security Professionals Promote AppSec awareness in your organization Confirm that application security testing is part of your overall security program Demand that all applications developed by 3rd parties be tested and remediated prior to being placed in production Get all developers and their managers trained on AppSec Obtain and review the SDLC from a security perspective IT Auditors Influence your leaders to include AppSec in the organization’s annual risk assessment or audit plan Increase your relevance and value to your organization by identifying risks associated with poorly coded applications Conduct a simple initial audit to assess what controls are in place Conduct a subsequent audit to determine the effectiveness of those controls; measure time to fix

17 Tools and Resources Open Software Assurance Maturity Model (OpenSAMM) – A freely available open source framework that organizations can use to build and assess their software security programs The Open Web Application Security Project (OWASP) – Worldwide not-for-profit organization focused on improving the security of software. Source of valuable free resources Open Source or Low Cost Application Security Scanners – OWASP Zed Attack Proxy (ZAP), w3af, Mavituna Netsparker, Websecurify, Wapiti, N- Stalker, SkipFish, Scrawlr, Acunetix, and many more to do basic discovery work

18 The OWASP Top 10 A1 Injection
A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Insecure Direct Object References A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Missing Function Level Access Control A8 Cross-Site Request Forgery (CSRF) A9 Using Components with Known Vulnerabilities A10 Unvalidated Redirects and Forwards

19 The OWASP 2014 Top 10 For Mobile
M1 Weak Server Side Controls M2 Insecure Data Storage M3 Insufficient Transport Layer Security M4 Unintended Data Leakage M5 Poor Authorization and Authentication M6 Broken Cryptography M7 Client Side Injection M8 Security Decisions Via Untrusted Inputs M9 Improper Session Handling M10 Lack of Binary Protections

20 Example AppSec Audit Work Program
Software Assurance Maturity Model (SAMM) Scorecard Level 1 Maturity Level Activity Business Functions # Security Practices/Phase A B Governance 1 Strategy & Metrics 0.5 2 Policy & Compliance 3 Education & Guidance Construction 4 Threat Assessment 5 Security Requirements 6 Secure Architecture Verification 7 Design Review 8 Code Review 9 Security Testing Deployment 10 Vulnerability Management 11 Environment Hardening 12 Operational Enablement SAMM Valid Maturity Levels Implicit starting point representing the activities in the Practice being unfulfilled Initial understanding and ad hoc provision of Security Practice Increase efficiency and/or effectiveness of the Security Practice Comprehensive mastery of the Security Practice at scale Legend Objective Activity was met. Objective Activity was not met.

21 Questions / Contact Information Joe Krull Director (210) blog.denimgroup.com

Download ppt "Presentation Overview"

Similar presentations

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.
Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.

Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.
© Copyright 2013 Denim Group - All Rights Reserved Mean Time to Fix (MTTF) IT Risk’s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP,

© Copyright 2013 Denim Group - All Rights Reserved Mean Time to Fix (MTTF) IT Risk’s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP,
PENETRATION TESTING Presenters:Chakrit Sanbuapoh Sr. Information Security MFEC.

PENETRATION TESTING Presenters:Chakrit Sanbuapoh Sr. Information Security MFEC.
Copyright © 2005 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
The Web Hacking Incident Database (WHID) Report for 2010 Ryan Barnett WASC WHID Project Leader Senior Security Researcher.

The Web Hacking Incident Database (WHID) Report for 2010 Ryan Barnett WASC WHID Project Leader Senior Security Researcher.
Barracuda Web Application Firewall

Barracuda Web Application Firewall
Application Security: What Does it Take to Build and Test a “Trusted” App? John Dickson, CISSP Denim Group.

Application Security: What Does it Take to Build and Test a “Trusted” App? John Dickson, CISSP Denim Group.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
Introduction to Web Application Security

Introduction to Web Application Security
SiteLock Internet Security: Big Threats for Small Business.

SiteLock Internet Security: Big Threats for Small Business.
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
Security Scanning OWASP Education Nishi Kumar Computer based training

Security Scanning OWASP Education Nishi Kumar Computer based training
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.

By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.

Similar presentations

Ads by Google