Aaron Clark, IBM: Security Shifts to the Application

48 slides

Transcript of "Security Shifts to the Application" by Aaron Clark, IBM

Page 1:

Name: Aaron Clark

Title: Security Shifts to the Application

Page 2:

You’re late to the party

Page 3:

Some found that out the hard way

• “Night Dragon”

• Sony

• LizaMoon

• HBGary Federal

Page 4:

Others were told they had to go

• PCI

• DISA STIG

• HIPAA

• FISMA

• NERC

Page 5:

Some looked at the costs

[Chart: "Damage to Enterprise" (y-axis ticks 1x, 10x, 1,000,000x) by stage (x-axis: Development, Test, Deployment), with two series, "Functional Flaw" and "Security Flaw"]

Security Flaw Unbudgeted Costs:

Customer notification / care

Government fines

Litigation

Reputational damage

Brand erosion

Cost to repair

Page 6:

The exposure is greater than you think

Page 7:

Web App Vulnerabilities Continue to Dominate

Nearly half (49%) of all vulnerabilities are Web application vulnerabilities

Cross-Site Scripting & SQL injection vulnerabilities continue to dominate

Page 8:

The Smarter Planet

Our world is getting Instrumented

Our world is getting Interconnected

Our world is getting Intelligent

Page 9:

More Justification for Application Security Action

• 89% of records breached through hacks leveraged SQL injection flaws

• 79% of breached organizations subject to PCI were found to be non-compliant

• 92% of compromised records were compromised using Web applications as the attack pathway

Verizon 2010 Data Breach Investigations Report

Page 10:

Security is never first

It should never be last

Page 11:

So, why are there problems?

• We code the vulnerabilities

– Inadequate training of programmers

– Inadequate security specifications

– Inadequate security review and testing

– Lack of security management during the SDLC

– Lack of adequate technology

• Conflicting objectives

Page 12:

Compounded by: Software Security Myths

• Network defenses provide protection

• Meets compliance == secure

• Website uses SSL, so it’s secure

• Vulnerabilities in internal apps are not important

• Annual penetration tests are an adequate safety measure

• Encryption of data is an adequate safety measure

Page 13:

Security Landscape: Distinguishing Technologies

• Network Firewalls:

– Perimeter protection mechanisms that block traffic in real time.

– But websites have to be publicly available, so ports 80 and 443 are open for access; that makes network firewalls incapable of blocking application-layer attacks.

• Intrusion Detection / Prevention Systems (IDS / IPS):

– Also considered a perimeter protection mechanism. They monitor data flowing through the network in real time.

– They are incapable of blocking application-layer attacks because they operate at the network level and are not application-aware.

• Application Firewalls:

– Perimeter protection; generally very effective, but difficult to configure and maintain (every time an application changes, the firewall needs to be reconfigured).

– They can also reduce website response time and lead to lost revenue: some percentage of “good” traffic is inadvertently blocked too.

• Network Scanners:

– Incapable of extensive interaction with the application layer (even using the “application scanners” they provide), so no matter how secure an organization makes its network, it would still be vulnerable to application-level attacks.

• Database Scanners:

– Do not scan or test web applications.

– They focus solely on how well information is protected within the database itself.

Page 14:

So, Why Prioritize Secure Software?

• To protect value

• To protect privacy

• To avoid costs associated with non-compliance

• Some of the impacts due to attacks:

Loss of value

• Sensitive data, trade secrets, intellectual property, reputational damage, market capitalization, ...

Downtime

• Unavailability, disruption

Regulatory penalties

• Fines, litigation, PR, notification

Fraud

Page 15:

A framework for security

Page 16:

Application Safety: Protect Valuable Assets

• Multiple points of protection:

– Secure code development and vulnerability management

– Protect Web applications from potential attacks

– Deliver security and performance in Web services and SOA

– Manage secure Web applications

• Identify vulnerabilities and malware

• Actionable information to correct the problems

• Block attacks that aim to exploit Web application vulnerabilities

• Integrate Web application security with existing network infrastructure

• Purpose-built XML and SOA solutions for security and performance

• Ongoing management and security with a suite of identity and access management solutions

End-to-end Web application security

Page 17:

A Path to Secure Applications

[Diagram: "Proactive Risk Mitigation" and "Operational Risk Mgmt", with "Deploy Application" between them; "Secure application development across design, code, build, test phases" on one side and "Application & resource protection in operation" on the other]

Policy & Requirements Definition

Vulnerability Assessment of Source Code

Vulnerability Assessment of Functioning Application

Final Security Audit

Identity & Access Management

Web Application Protection

Secure Web Services

Production-Site Monitoring

IBM Security Services

IBM Security

Page 18:

Smarter Security for Smarter Products

Smarter Products require secure applications

Security needs to be built into the development process and addressed throughout the development lifecycle

Providing security for smarter products requires comprehensive security solutions deployed in concert with application lifecycle management offerings that:

• Provide integrated testing solutions for developers, QA, Security and Compliance stakeholders

• Leverage multiple appropriate testing technologies (static & dynamic analysis)

• Provide effortless security that allows development to be part of the solution

• Support governance, reporting and dashboards

• Can facilitate collaboration between development and security teams

Page 19:

The Application Security Challenge

What?

• Need to mitigate the risk of a security breach

• Need to find and remediate these vulnerabilities

• Must utilize a cost-effective way of doing this that makes sense

Who?

• Software security represents the intersection between security & development – the solution needs to be a joint collaboration

• Starts with a Security Auditor (can also be outsourced)

• Larger organizations require the scaling of security testing into the development organization

Page 20:

Start to finish to start security

Page 21:

Security Testing Within the Software Lifecycle

[Chart: SDLC stages Coding, Build, QA, Security, Production, with "Developers" labelled at the early stages]

Application Security Testing Maturity

Page 22:

Security Testing Within the Software Lifecycle

[Chart: "% of Issues Found by Stage of SDLC" across Coding, Build, QA, Security, Production; "Application Deployed" marker; "Agile / Waterfall threshold?"]

Most issues are found by security auditors prior to going live.

Page 23:

Security Testing Within the Software Lifecycle

Desired Profile

[Chart: "% of Issues Found by Stage of SDLC" across Coding, Build, QA, Security, Production; "Application Deployed" marker; "Agile / Waterfall threshold?"]

Page 24:

Cost Benefits of Early Detection

(Web Application Vulnerability Assessment)

Page 25:

ROI Opportunity of Application Security Testing

Cost Savings – Testing Early in Dev

Testing for vulnerabilities earlier in the development process can help avoid that unnecessary expense.

Cost Savings – Automated Testing

Automated testing provides productivity savings over manual testing.

Cost Avoidance – Of a Security Breach

Costs of a security breach can include audit fees, legal fees, regulatory fines, lost customer revenue & brand damage.

80% of development costs are spent identifying and correcting defects.

Cost of finding & fixing problems: code stage is $80, QA/Testing is $960*

Ex: 50 applications annually & 25 issues per application; testing at code stage saves $1.1M over testing at QA stage.

* Source: GBS industry standard study

Outsourced audits can cost $10,000 to $50,000 per application.

At $20,000 an app, 50 audits will cost $1M.

With 1 hire + 4 quarterly outsourced audits (ex: $120,000 + $80,000), $800,000/yr can be saved (less the cost of testing software).

The cost to companies is $214 per compromised record**

The average cost per data breach is $7.25 Million**

** Source: Ponemon Institute, Cost of a Data Breach, 2010

Page 26:

Principles & Perceptions

• Secure Development (mis)Perceptions

– Aligned closely with waterfall steps (design, development, delivery)

– Process intensive and heavyweight

– Requires a large number of artifacts

• Agile Principle #1: Our highest priority is to satisfy the customer through early and continuous delivery of valuable software

– Secure software increases the client value

– Agile focuses on customer need … and security is a customer need

Page 27:

Automated application security testing

The dynamic (and static) duo

Page 28:

Security Testing Technologies

Combination Drives Greater Solution Accuracy

Static Code Analysis = Whitebox – Looking at the code for security issues (code-level scanning)

Dynamic Analysis = Blackbox – Sending tests to a functioning application

[Diagram: "Total Potential Security Issues", with "Dynamic Analysis" and "Static Analysis" as overlapping regions; the overlap is labelled "Greatest accuracy"]

Page 29:

Application Security Chart

There are three basic components to securing an application:

• The actual application source code

• The infrastructure it runs on

• External components it requires

Different technologies are needed to fully map the risk

Page 30:

Dynamic Security Analysis through Automation

[Diagram: Crawl Site → Fuzz with Known Attacks → Identify Vulnerabilities]

Crawled pages: altoro.com/, altoro.com/login.jsp, altoro.com/editProfile.jsp, altoro.com/feedback.jsp, altoro.com/logout.jsp

SQL Injection!

Page 31:

Static Security Analysis through Automation

DoPost() {
    // untrusted input read straight from the request ("Source" rule)
    String username = request.getParameter("username");
    String password = request.getParameter("password");

    // user input concatenated into the SQL text (Str.Append): the injection point
    String query = "SELECT * from tUsers where " + "userid='" + username + "' "
                 + "AND password='" + password + "'";

    // the tainted string reaches the database ("Sink" rule)
    ResultSet rs = stmt.executeQuery(query);
}

[Diagram: call chain DoPost → GetParam → Str.Append → ExecuteQuery, shown once for each of the three analysis steps below; the result is flagged "SQL Injection!"]

Compile & Translate

Apply Vulnerability Rules

Apply API Rules

Page 32:

Complementary Security Assessment

Static

• Findings directly tied to their locations in the source

• Test earlier in lifecycle

• Test sub-components of an application

• Easier automation

• Fast scanning

• Non-web applications, infrastructure, middleware

• All control flows

• Illuminate architecture and logic

• Consistent automation

Dynamic

• Simpler configuration

– No cross-domain requirement

• Lower learning curve

• Findings include attack vectors

• Captures dynamic activity (Spring, Struts, CAB)

• Scan unsupported source languages

• 3rd party applications (no source)

• Find configuration vulnerabilities

• Smaller finding sets

Page 33:

The combined result

Page 34:

IBM Rational AppScan

Comprehensive Application Vulnerability Management

[Chart: lifecycle stages REQUIREMENTS, CODE, BUILD, QA, SECURITY, PRE-PROD, PRODUCTION, with the AppScan products and activities placed along them; Static Analysis/Whitebox and Dynamic Analysis/Blackbox coverage shown underneath]

Products: Security Requirements Definition, AppScan Source, AppScan Build, AppScan Tester, AppScan Standard, AppScan Enterprise, AppScan onDemand

Activities across the lifecycle:

Security requirements defined before design & implementation

Application Security Best Practices & Education

Build security testing into the IDE

Automate Security / Compliance testing in the Build Process

Security / compliance testing incorporated into testing & remediation workflows

Security & Compliance Testing, oversight, control, policy, audits

Outsourced testing for security audits & production site monitoring

Page 35:

AppScan Source Edition Workflow

[Diagram: Configure → Scan → Triage → Assign → Remediate → Monitor, with Reporting alongside; the steps are labelled with the edition used: AppScan Source for Security, AppScan Source for Security or AppScan Source for Remediation, and AppScan Source for Security, Automation, or Developer]

Page 36:

What’s the first step?

Page 37:

Application Security Maturity Model

[Chart: "Security assessment coverage" versus "Time" across four stages, UNAWARE, CORRECTIVE, BOLT ON, BUILT IN; the QA Team, Development Team and Security Team appear at each stage]

UNAWARE: Doing nothing

CORRECTIVE: External tests on production applications and security team centric testing

BOLT ON: Security testing before deployment

BUILT IN: Fully integrated system security

Improve Security Testing Coverage

Improve Collaboration on security issues

Assure Secure SDLC

Improve Compliance and Management reporting

Page 38:

Security maturity: Corrective

[Chart: "% of Issues Found by Stage of SDLC" across Coding, Build, QA, Security, Production; "Application Deployed" marker; "Agile / Waterfall threshold?"; the only activity shown is a 3rd Party Pen Test]

Page 39:

Security maturity: Bolt-On

[Chart: "% of Issues Found by Stage of SDLC" across Coding, Build, QA, Security, Production; "Application Deployed" marker; "Agile / Waterfall threshold?"]

Activities: Manual Pen Test, Manual Code Review, Automated Pen Test, Automated Code Scan, 3rd Party Pen Test

Page 40:

Security maturity: Built-In

[Chart: "% of Issues Found by Stage of SDLC" across Coding, Build, QA, Security, Production; "Application Deployed" marker; "Agile / Waterfall threshold?"]

Activities, placed at several stages of the SDLC: Manual Pen Test, Manual Code Review, Automated Pen Test, Automated Code Scan, 3rd Party Pen Test

Page 41:

Security maturity: what works

[Chart: "% of Issues Found by Stage of SDLC" across Coding, Build, QA, Security, Production; "Application Deployed" marker; "Agile / Waterfall threshold?"]

Activities: Manual Pen Test, Manual Code Review, Automated Pen Test, Automated Code Scan, 3rd Party Pen Test; Automated Code Scan and Automated Pen Test are highlighted as the ones repeated across stages

Page 42:

Patrick Vandenberg

IBM Rational Security

[email protected]

Ben Mayrides

Cigital

[email protected]

Page 43:

Legal Disclaimer

© IBM Corporation 2011. All Rights Reserved.

The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.

References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.


Page 44:

Try the new Rational AppScan ROI calculator…

Use the ROI calculator on a Web application testing solution.

Discover how you can:

Automate application security analysis.

Detect exploitable vulnerabilities, protecting against the threat of cyber-attack.

Reduce the costs associated with manual vulnerability testing.

Visit our Rational Application & Security Website and get the newest updates

Page 45:

Free trial download of IBM Rational AppScan software

• Protect against the threat of attacks and data breaches with Rational AppScan

• IBM Rational application security software helps IT and security professionals protect against the threat of attacks and data breaches. If you use applications to collect or exchange sensitive or personal data, your job as a security professional is harder now than ever before.

• Download it now at no charge!

Page 46:

Improvement Between Application Testing Cycles

Significant decline in the likelihood of finding application vulnerabilities in a retest

In many cases this reduction is more than half that of the original

Demonstrates the importance not only of testing applications but also of follow-up and mitigation

Note: Charts show which vulnerabilities were 50% or more likely to appear in a Web assessment for each industry

Page 47:

Page 48:

False Positives

Most of the time they are not actually false positives. These false ‘false positives’ are one of two things:

• Sources the business doesn’t care about (getProperty is far too common an example)

• Data flows that are validated by validators that haven’t been marked up

There are cases where false positives are a problem; 9 out of 10 of these occur because we can’t set a rule for the validation:

• Validators set in a config file (servlet validators, Struts validators, etc.)

• Validators declared with annotations (aspect-oriented coding does this)

• Validators that occur before one of our ‘Source’ rules are triggered

• Microsoft built-in validation (this one is more of a false false positive)
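The static-analysis slide (page 31) shows a taint flow, DoPost → GetParam → Str.Append → ExecuteQuery, and this slide explains why a scanner reports a flow that a validator already cleans when that validator has not been marked up. The toy analyzer below is an added example written for this transcript; it is not AppScan and not code from the deck. It walks a Java-like method body statement by statement, applies assumed "Source" rules (`getParameter`, `getHeader`, `getQueryString`) and "Sink" rules (`executeQuery`, `executeUpdate`, `execute`), propagates taint through string concatenation, and accepts a set of sanitizer names that stands in for the validator mark-up. Both sample snippets are constructed for the example; `InputValidator.validate` is a hypothetical helper, not a real API.

```python
"""Toy taint-tracking static analyzer (added example; hypothetical, not AppScan)."""
import re

SOURCE_CALLS = {"getParameter", "getHeader", "getQueryString"}  # assumed "Source" rules
SINK_CALLS = {"executeQuery", "executeUpdate", "execute"}        # assumed SQL "Sink" rules

STRING_LIT = re.compile(r'"(?:\\.|[^"\\])*"')
LINE_COMMENT = re.compile(r"//[^\n]*")
ASSIGN = re.compile(r"^(?:[\w<>\[\]]+\s+)?([A-Za-z_]\w*)\s*=\s*(.+)$")
CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(([^()]*)\)")
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")


def statements(java_src):
    """Flatten one method body into its ';'-terminated statements.

    Toy parser: assumes no ';' or braces inside string literals and no nested blocks.
    """
    body = LINE_COMMENT.sub("", java_src).replace("\n", " ")
    body = body[body.find("{") + 1 : body.rfind("}")]
    return [s.strip() for s in body.split(";") if s.strip()]


def analyze(java_src, sanitizers=frozenset()):
    """Return one finding per tainted value that reaches a sink.

    Each finding is the list of statements on the taint path, source first, sink last.
    Direct source-to-sink in a single statement is not modelled.
    """
    tainted = {}   # variable name -> statements that carried taint into it
    findings = []
    for st in statements(java_src):
        code = STRING_LIT.sub('""', st)   # "password='" inside a literal is not the variable
        calls = dict(CALL.findall(code))  # call name -> argument text

        # Sink rule: any tainted identifier in a sink's argument list is a finding.
        for name, args in calls.items():
            if name in SINK_CALLS:
                for ident in IDENT.findall(args):
                    if ident in tainted:
                        findings.append(tainted[ident] + [st])

        m = ASSIGN.match(code)
        if not m:
            continue
        lhs, rhs = m.group(1), m.group(2)
        if any(name in sanitizers for name in calls):
            tainted.pop(lhs, None)          # validator rule: the value is clean afterwards
        elif any(name in SOURCE_CALLS for name in calls):
            tainted[lhs] = [st]             # source rule: attacker-controlled input enters here
        else:
            # Propagation (Str.Append etc.): inherit the path of the first tainted operand.
            used = [i for i in IDENT.findall(rhs) if i in tainted]
            if used:
                tainted[lhs] = tainted[used[0]] + [st]
            else:
                tainted.pop(lhs, None)
    return findings


# Constructed sample: the servlet snippet from the slide, as a complete method body.
VULNERABLE = """
void DoPost() {
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    String query = "SELECT * from tUsers where " + "userid='" + username + "' "
                 + "AND password='" + password + "'";
    ResultSet rs = stmt.executeQuery(query);
}
"""

# Constructed sample: the same flow routed through a hypothetical validator helper.
VALIDATED = """
void DoPost() {
    String username = request.getParameter("username");
    username = InputValidator.validate(username);  // hypothetical validator, unknown to the scanner by default
    String query = "SELECT * from tUsers where userid='" + username + "'";
    ResultSet rs = stmt.executeQuery(query);
}
"""

if __name__ == "__main__":
    for path in analyze(VULNERABLE):
        print("SQL Injection! taint path:")
        for step in path:
            print("   ", step)
    # The validated flow is still reported until the validator is marked up as a rule.
    print("validator not marked up:", len(analyze(VALIDATED)), "finding(s)")
    print("validator marked up:    ", len(analyze(VALIDATED, {"validate"})), "finding(s)")
```

Run with no validator rule, the second snippet produces exactly the false ‘false positive’ described on this slide: the path from `getParameter` to `executeQuery` passes through `InputValidator.validate`, but the analyzer has no rule saying that call cleans the data, so it reports SQL injection. Passing `sanitizers={"validate"}` is the mark-up step; the taint is dropped at the validator and the finding disappears, while the first snippet, which has no validator at all, is still reported.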