Application Hackers Have A Handbook. Why Shouldn't You?
1. August 13, 2013. Application Hackers Have a Handbook... Why Shouldn't You?
2. Agenda
- Today's Vulnerabilities
- Real World Application Security Lifecycle
- Holistic Application Security Solution

3. Web Application Vulnerabilities

4. Improving Business Intelligence
Your Objective:
- Improve visibility across systems
- Monitor, control and detect anomalies and compromise
- Correlate events and instruct devices across the network
- Dynamically enforce policies and rules across technologies
Cybercriminals aggressively exploit the weakness of siloed monitoring and controls. Only 24% of breaches are self-detected. (Source: 2013 Trustwave Global Security Report)
Business and Threat Intelligence: Security Information and Event Management (SIEM), Web Application Firewall, Global Threat Database, Threat Research and Advisory Services

5. Mobile Apps Are Taking Off
[Chart: mobile app market for 2011, 2013* and 2015* (* projected), split into tablet apps and smartphone apps, y-axis 0 to 60; data as of March 2012]
Mobile apps are the new face of engagement. Mobile apps are a $6 billion market today and will hit $55.7 billion by 2015.

6. iOS Architecture Security Weaknesses
- All processes of interest run with administrative privileges
- iPhone does not utilize some widely accepted practices:
  - Address randomization: the stack, heap and executable code sit at precisely the same spot in memory on every run, so an attacker can hard-code addresses
  - Non-executable heaps: a buffer overflow on the heap can write executable instructions and then jump to them
(These points describe early iPhone OS releases; later versions added address randomization and non-executable memory, so check the target version before relying on either weakness.)

7. Android Architecture Security Weaknesses
- Google decided against stack and heap non-execute protections in the initial release
- GIF image vulnerability: the decode function uses the logical screen width and height from the GIF header to allocate the heap buffer, so an image whose pixel data exceeds that size can overflow the heap buffer, allowing the attacker to control the phone
- The vulnerability is in the multimedia subsystem made by PacketVideo
- Due to insufficient boundary checking, it is possible to corrupt the heap and execute arbitrary code on the device
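As an added illustration of the allocation pattern behind the Android GIF weakness on slide 7 (this is example code written for this page, not code from the deck and not PacketVideo's decoder): a toy parser for the GIF Logical Screen Descriptor and Image Descriptor, a buggy path that sizes the pixel buffer from the logical screen while the decode loop would emit pixels according to the frame dimensions, and a hardened path that checks the frame against the screen before allocating. The fixed byte offsets, the restriction to one frame with no color table or extension blocks, and the three sample files are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed GIF subset: 6-byte header, 7-byte Logical Screen Descriptor, then a
 * 10-byte Image Descriptor. No Global Color Table, no extension blocks
 * (a real decoder must walk those, which shifts the offsets). */
#define GIF_LSD_OFF     6
#define GIF_IMGDESC_OFF 13
#define GIF_MIN_LEN     23

typedef struct {
    uint16_t screen_w, screen_h;           /* Logical Screen Descriptor */
    uint16_t left, top, frame_w, frame_h;  /* Image Descriptor */
} gif_dims;

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse both descriptors. Returns 0 on success, -1 on malformed input. */
int gif_parse_dims(const uint8_t *buf, size_t len, gif_dims *d)
{
    if (len < GIF_MIN_LEN) return -1;
    if (memcmp(buf, "GIF89a", 6) != 0 && memcmp(buf, "GIF87a", 6) != 0) return -1;
    const uint8_t *lsd = buf + GIF_LSD_OFF;
    if (lsd[4] & 0x80) return -1;          /* Global Color Table flag: outside this subset */
    const uint8_t *id = buf + GIF_IMGDESC_OFF;
    if (id[0] != 0x2C) return -1;          /* image separator */
    d->screen_w = rd16le(lsd);    d->screen_h = rd16le(lsd + 2);
    d->left     = rd16le(id + 1); d->top      = rd16le(id + 3);
    d->frame_w  = rd16le(id + 5); d->frame_h  = rd16le(id + 7);
    return 0;
}

/* VULNERABLE pattern: the buffer is malloc'd from the logical screen size, but
 * the decode loop writes frame_w * frame_h pixels from the Image Descriptor.
 * Nothing ties the two together, so a frame larger than the screen runs past
 * the end of the heap allocation. This only computes the spill; it does not
 * perform the out-of-bounds write. */
size_t vulnerable_overflow_bytes(const gif_dims *d)
{
    size_t alloc   = (size_t)d->screen_w * d->screen_h;  /* what the buggy decoder allocates */
    size_t written = (size_t)d->frame_w  * d->frame_h;   /* what its pixel loop emits */
    return written > alloc ? written - alloc : 0;
}

/* HARDENED check: the frame, including its offset, must lie inside the logical
 * screen. Sums are done in 32 bits so that left + frame_w cannot wrap at 16 bits. */
int gif_frame_fits(const gif_dims *d)
{
    if (d->frame_w == 0 || d->frame_h == 0) return 0;
    if ((uint32_t)d->left + d->frame_w > d->screen_w) return 0;
    if ((uint32_t)d->top  + d->frame_h > d->screen_h) return 0;
    return 1;
}

/* HARDENED allocation: reject unless the frame fits, then size the buffer from
 * the same dimensions the decode loop will use. Returns NULL on rejection. */
uint8_t *gif_alloc_frame_checked(const gif_dims *d, size_t *out_len)
{
    if (!gif_frame_fits(d)) return NULL;
    size_t n = (size_t)d->frame_w * d->frame_h;  /* at most 65535*65535, fits size_t */
    uint8_t *buf = calloc(n, 1);
    if (buf && out_len) *out_len = n;
    return buf;
}

/* Constructed sample inputs for this example (not real-world files). */
static const uint8_t MALICIOUS_GIF[GIF_MIN_LEN] = {           /* screen 1x1, frame 100x100 */
    'G','I','F','8','9','a', 0x01,0x00, 0x01,0x00, 0x00,0x00,0x00,
    0x2C, 0x00,0x00, 0x00,0x00, 0x64,0x00, 0x64,0x00, 0x00 };
static const uint8_t WRAP_GIF[GIF_MIN_LEN] = {                /* screen 4x4, frame 1x1 at left=0xFFFF */
    'G','I','F','8','9','a', 0x04,0x00, 0x04,0x00, 0x00,0x00,0x00,
    0x2C, 0xFF,0xFF, 0x00,0x00, 0x01,0x00, 0x01,0x00, 0x00 };
static const uint8_t BENIGN_GIF[GIF_MIN_LEN] = {              /* screen 4x4, frame 4x4 */
    'G','I','F','8','9','a', 0x04,0x00, 0x04,0x00, 0x00,0x00,0x00,
    0x2C, 0x00,0x00, 0x00,0x00, 0x04,0x00, 0x04,0x00, 0x00 };

/* Bytes the buggy decoder would write past its allocation for a file (-1 if unparsable). */
long demo_overflow(const uint8_t *buf, size_t len)
{
    gif_dims d;
    if (gif_parse_dims(buf, len, &d) != 0) return -1;
    return (long)vulnerable_overflow_bytes(&d);
}

/* Bytes the hardened path allocates for a file, or 0 if it rejects the file. */
int demo_hardened_alloc_size(const uint8_t *buf, size_t len)
{
    gif_dims d; size_t n = 0;
    if (gif_parse_dims(buf, len, &d) != 0) return 0;
    uint8_t *p = gif_alloc_frame_checked(&d, &n);
    if (!p) return 0;
    free(p);
    return (int)n;
}

int main(void)
{
    printf("malicious: buggy decoder spills %ld bytes; hardened allocates %d\n",
           demo_overflow(MALICIOUS_GIF, sizeof MALICIOUS_GIF),
           demo_hardened_alloc_size(MALICIOUS_GIF, sizeof MALICIOUS_GIF));
    printf("wrap:      hardened allocates %d\n", demo_hardened_alloc_size(WRAP_GIF, sizeof WRAP_GIF));
    printf("benign:    hardened allocates %d\n", demo_hardened_alloc_size(BENIGN_GIF, sizeof BENIGN_GIF));
    return 0;
}
```

Build with `cc -Wall -o gifcheck gifcheck.c && ./gifcheck`. The 1x1-screen file shows the slide's point: the buggy path would allocate 1 byte and write 10,000. The WRAP_GIF sample is why the hardened check adds in 32 bits: with 16-bit arithmetic 0xFFFF + 1 wraps to 0 and the frame would appear to fit. A real decoder must additionally bound the LZW output loop by the allocated size, since a frame that fits on paper can still carry more compressed pixel data than declared.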
8. Securing Web & Mobile Applications
Your Objective:
- Ensure secure development of web and mobile applications
- Prevent Layer 7 attacks and dynamically protect web applications
- Maintain application performance
360 Application Security: Secure App Development Training, Secure Code Review, Mobile Application Penetration Testing, Web Application Penetration Testing, Web Application Firewall, SSL Certificates
[Chart: top app attack methods]
E-commerce sites are the #1 targeted asset of hackers. (Source: 2013 Trustwave Global Security Report)

9. Application Security -- A Lifecycle View
Controls across the SDLC and into production: security review, architecture audits, code review, static analysis, dynamic testing, penetration testing, application firewalls. Application security training spans the whole lifecycle.

10. Challenges to Implement Application Security
- Manual, error-prone processes that are complex to carry out
- Lack of expertise and lack of incentive
- Time-to-market pressure and different priorities
- Lack of influence
- Lack of code and design visibility; no root-cause information
- Lack of visibility and integration across tools
- Application security training

11. Securing Web & eMail
Your Objective:
- Create a layered defense
- Improve anti-malware power at the gateway
- Enable safe and productive use of social media
- Get control of data from creation to destruction
Content Security and Control: Threat Research & Advisory Services/Feeds, Secure Web Gateway, Web Application Firewall, Secure Email Gateway, Data Loss Prevention, Data Encryption, Security Awareness Education
Web-based systems are the most utilized threat vector of hackers. Average time from breach to detection: 210 days. (Source: 2013 Trustwave Global Security Report)

12. This Means
- Defects are found later in the lifecycle
- Increased remediation cost
- Security defects often are not fixed because of separate agendas and accountability structures
- Developers are under time-to-market pressure
- The siloed model does not scale: how many auditors do you need to cover all your apps?
[Chart: cost for defect fixes by lifecycle stage (Source: NIST): Development 1x, Integration 5x, Audit/test 10x, Production 30x]

13. Why Application Security?
- Applications are vulnerable: 44% of organizations feel that application vulnerabilities pose the greatest threat to them in 2012. (Source: InformationWeek 2012 Strategic Security Survey)
- Fixing them is expensive: a recent study of more than 150 organizations found the average total cost to remediate a single application security incident is approximately $300,000.
- Late fixes are even more expensive: relative to a fix made during development, a flaw costs 5 times more to fix in integration, 10 times more in testing, and 30 times more in deployment. (Source: National Institute of Standards and Technology)

14. What We Need: The Shape of An Ideal Solution
- More automated design audits and threat modeling
- Easy-to-use static analysis: suitable for developers, with meaningful remediation guidance, integrated with dynamic tests
- Scanning and intelligent pen testing: integrated with static analysis, providing input back to development
- Virtual patching, real-time attack blocking and continuous deployment support in production
- Application security training throughout

15. That said -- you don't have to tackle everything at once, but you need a strategy to get there!

16. Recommendations
Immediate to-do list:
- Invest in WAF technology for all your external-facing web applications
- Invest in developer training, focusing on on-the-job training
- Invest in static analysis technology; start small
Medium-term to-do list:
- Perform dynamic scans on all of your applications
- Define your selective penetration testing strategy
- Roll static analysis out more broadly
- Prioritize remediation
Long-term to-do list:
- Build your complete application security competency

17. Ready To Get Started?
- Get the "Addressing the OWASP Top 10 with Trustwave WebDefend" white paper: https://www.trustwave.com/application-security/
- Take the OWASP Top 10 Threats & Mitigations course for free!
- We can show you how to protect your applications in 30 minutes or less. Start your proof of concept with Trustwave WebDefend now!

18. About Trustwave
- Founded in 1995
- Almost 1,100 employees in 26 locations worldwide
- Nearly 2.5 million merchants trust us for their compliance and security needs
- Robust portfolio of risk management, compliance and security solutions
- Leading provider of cloud security through our award-winning TrustKeeper portal
- Leading provider of Managed Security Services, with global 24x7x365 operations
- Trustwave SpiderLabs has performed over 14,000 penetration tests and 1,500 forensic investigations

19. Simple Solutions to Complex Challenges

20. 360 Application Security
The industry's only holistic application security lifecycle solution. It enables an organization to secure its applications while meeting regulatory and compliance requirements in a simple way.

21. Summary
- Application security should be addressed from design to production
- Best practice is a lifecycle approach
- Trustwave's 360 Application Security solution, including the award-winning WebDefend WAF, can help you start protecting your applications today

22. Questions