Application Hackers Have A Handbook. Why Shouldn't You?

August 13, 2013

Transcript of Application Hackers Have A Handbook. Why Shouldn't You?

Page 1 (title slide): Application Hackers Have a Handbook... Why Shouldn't You? August 13, 2013

Page 2: Agenda

1. Today's Vulnerabilities
2. Real World Application Security Lifecycle
3. Holistic Application Security Solution

Page 3: Web Application Vulnerabilities

Page 4: Improving Business Intelligence

Your Objective:
• Improve visibility across systems
• Monitor, control and detect anomalies and compromise
• Correlate events and instruct devices across the network
• Dynamically enforce policies and rules across technologies

Cybercriminals aggressively exploit the weakness of siloed monitoring and controls.

ONLY 24% OF BREACHES ARE SELF-DETECTED

Business and Threat Intelligence
• Security Information and Event Management (SIEM)
• Web Application Firewall
• Global Threat Database
• Threat Research and Advisory Services

Source: 2013 Trustwave Global Security Report

Page 5: Mobile Apps are Taking Off

[Chart: tablet apps and smartphone apps in 2011, 2013* and 2015*; vertical axis 0 to 60]

March 2012: "Mobile App is the new fact of engagement"

Mobile apps: $6 billion market today

Will hit $55.7 billion by 2015

Page 6: iOS Architecture – Security Weaknesses

• All processes of interest run with administrative privileges
• iPhone does not utilize some widely accepted practices
  – Address randomization
    • The stack, heap, and executable code are located at precisely the same spot in memory
  – Non-executable heaps
    • A buffer overflow on the heap can write executable instructions

Page 7: Android Architecture – Security Weaknesses

• Google decided against (in initial release)
  – Stack and heap non-execute protections
• GIF image vulnerability
  – The decode function uses the logical screen width and height to allocate the heap buffer
  – The heap buffer can be overflowed, allowing a hacker to control the phone
• The vulnerability is in the multimedia subsystem made by PacketVideo
  – Due to insufficient boundary checking
  – It is possible to corrupt the heap and execute arbitrary code on the device
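A constructed illustration of the boundary check the slide says was missing (added here; this is not PacketVideo's, Android's or Trustwave's code): a decoder that sizes its heap canvas from the GIF logical screen must verify that each image descriptor frame lies inside that screen before copying pixel rows into the canvas. The gif_dims struct, the function names and the sample frames are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed GIF geometry (hypothetical struct, not the real decoder's). */
typedef struct {
    uint16_t screen_w, screen_h;  /* logical screen descriptor: sizes the heap canvas */
    uint16_t frame_x, frame_y;    /* image descriptor: where the frame is placed */
    uint16_t frame_w, frame_h;    /* image descriptor: frame size */
} gif_dims;

/* The boundary check the slide says was missing: the frame must lie inside the
   logical screen. Sums are done in 64 bits so wrap-around cannot hide an
   oversized frame. */
bool gif_frame_fits(const gif_dims *d) {
    if (d->screen_w == 0 || d->screen_h == 0) return false;
    if (d->frame_w == 0 || d->frame_h == 0) return false;
    uint64_t right  = (uint64_t)d->frame_x + d->frame_w;
    uint64_t bottom = (uint64_t)d->frame_y + d->frame_h;
    return right <= d->screen_w && bottom <= d->screen_h;
}

/* Hardened decode step: the canvas is sized from the logical screen, and frame
   rows are copied into it only after the frame has been validated against it.
   Without the gif_frame_fits() call, a frame larger than the screen would write
   past the end of the canvas, which is the heap overflow described above. */
uint8_t *decode_frame(const gif_dims *d, const uint8_t *pixels, size_t npixels) {
    if (!gif_frame_fits(d)) return NULL;
    if (npixels < (size_t)d->frame_w * d->frame_h) return NULL;
    uint8_t *canvas = calloc((size_t)d->screen_w * d->screen_h, 1);
    if (canvas == NULL) return NULL;
    for (uint16_t row = 0; row < d->frame_h; row++) {
        size_t dst = ((size_t)d->frame_y + row) * d->screen_w + d->frame_x;
        memcpy(canvas + dst, pixels + (size_t)row * d->frame_w, d->frame_w);
    }
    return canvas;
}

/* Decode and return the canvas byte at idx, or -1 when decoding is refused
   or idx lies outside the canvas. Useful for checking the placement logic. */
int decoded_pixel(const gif_dims *d, const uint8_t *pixels, size_t npixels, size_t idx) {
    uint8_t *canvas = decode_frame(d, pixels, npixels);
    if (canvas == NULL) return -1;
    int v = idx < (size_t)d->screen_w * d->screen_h ? canvas[idx] : -1;
    free(canvas);
    return v;
}
```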

Page 8: Securing Web & Mobile Applications

Your Objective:
• Ensure secure development of web and mobile applications
• Prevent Layer 7 attacks and dynamically protect web applications
• Maintain application performance

360 Application Security
• Secure App Development Training
• Secure Code Review
• Mobile Application Penetration Testing
• Web Application Penetration Testing
• Web Application Firewall
• SSL Certificates

[Chart: Top App Attack Methods]

E-commerce sites are the #1 targeted asset of hackers.

Source: 2013 Trustwave Global Security Report

Page 9: Application Security -- A Lifecycle View

[Diagram: activities mapped across the SDLC and Production]
• Security review
• Architecture audits
• Code review
• Static analysis
• Dynamic testing
• Penetration testing
• Application firewalls

Application security training

Page 10: Challenges to Implement Application Security

[Diagram: challenges mapped across the lifecycle]
• Manual process
• Error prone
• Lack of expertise
• Lack of incentive
• Complex to carry out
• Time-to-market pressure
• Lack of influence
• Lack of code visibility
• Different priorities
• No code & design visibility
• No root cause info
• Lack of visibility and integration

Application security training

Page 11: Securing Web & eMail

Your Objective:
• Create a layered defense
• Improve anti-malware power at the gateway
• Enable safe and productive use of social media
• Get control of data from creation to destruction

Content Security and Control
• Threat Research & Advisory Services/Feeds
• Secure Web Gateway
• Web Application Firewall
• Secure Email Gateway
• Data Loss Prevention
• Data Encryption
• Security Awareness Education

Web-based systems are the most utilized threat vector of hackers.

AVERAGE TIME FROM BREACH TO DETECTION: 210 DAYS

Source: 2013 Trustwave Global Security Report

Page 12: This Means …

• Defects are found later in the lifecycle
  – Increased remediation cost
• Often security defects are not fixed due to separate agenda and accountability structures
  – Developers are under time-to-market pressure
• The siloed model does not scale
  – How many auditors do you need to cover all your apps?

[Chart: Cost for defect fixes by phase, vertical axis 0 to 30: Development 1x, Integration 5x, Audit/test 10x, Production 30x. Source: NIST]

Page 13: Why Application Security?

• Applications are vulnerable
  – 44% of organizations feel that application vulnerabilities pose the greatest threat to them in 2012. Source: InformationWeek 2012 Strategic Security Survey.
• Fixing them is expensive
  – A recent study of more than 150 organizations found the average total cost to remediate a single application security incident is approximately $300,000.
• Late fixes are even more expensive
  – It is 5 times more expensive to fix a flaw in development than during design, 10 times more in testing, and 30 times more in deployment. Source: National Institute of Standards and Technology.

Page 14: What We Need: The Shape of An Ideal Solution

More automated design audits and threat modeling

• Easy to use static analysis
• Suitable for developers
• Meaningful remediation guidance
• Integrated with dynamic tests

• Integrated with static analysis
• Provide input back to dev
• Scanning and intelligent pen testing

• Virtual patching
• Real time attack blocking
• Continuous deployment support

Application security training

Page 15: That said -- you don't have to tackle everything at once, but you need a strategy to get there!

Page 16: Recommendations

• Immediate to-do list
  – Invest in WAF technology for all your external-facing web applications
  – Invest in developer training, focusing on on-the-job training
  – Invest in static analysis technology, start small
• Medium-term to-do list
  – Perform dynamic scans on all of your applications
  – Define your selective penetration testing strategy
  – Populate static analysis
  – Prioritize remediation
• Long-term to-do list
  – Build your complete application security competency

Page 17: Ready To Get Started?

• Get the "Addressing the OWASP Top 10 with Trustwave WebDefend" white paper: https://www.trustwave.com/application-security/
• Take the OWASP Top 10 Threats & Mitigations Course for free!
• We can show you how to protect your applications in 30 minutes or less. Start your proof of concept with Trustwave WebDefend now!

Page 18: About Trustwave

• Founded in 1995
• Almost 1100 employees in 26 locations worldwide
• Nearly 2.5 million merchants trust us for their compliance and security needs
• Robust portfolio of risk management, compliance and security solutions
• Leading provider of Cloud Security through our award-winning TrustKeeper portal
• Leading provider of Managed Security Services, with global 365x24x7 operations
• Trustwave SpiderLabs has performed over 14,000 penetration tests and 1,500 forensic investigations

Page 19: Simple Solutions to Complex Challenges

Page 20: 360 Application Security

• The industry's only holistic application security lifecycle solution
• Enables an organization to secure their applications while meeting regulatory and compliance requirements in a simple way

Unique to Market

Page 21: Summary

• Application security should be addressed from design to production
• Best practice is with a lifecycle approach
• Trustwave's 360 Application Security solution, including the award-winning WebDefend WAF, can help you start protecting your applications today

Page 22: Questions