The Web Application Security Crisis
Transcript of The Web Application Security Crisis
Cenzic Confidential 1
The Web Application Security Crisis
June 2010
Jon Zucker, Senior Product Manager, Cenzic
Agenda
• Survey
• Web App Security and evolution
• Case Studies
• Vulnerability examples
• The “Tops”
• Practical Approaches
• Discussion/Q&A
About Cenzic
• Cenzic secures Websites against hacker attacks via its automated Web vulnerability scanning technology (on-premise software and SaaS products)
• Cenzic helps its customers secure trillions of dollars in Web commerce
• Cenzic provides compliance testing for GLBA / PCI / SOX & other regulations
Survey…
Hailstorm
Current situation / Solutions deployed:
• Manual
• Dynamic
• Static
• WAF
• Other
On Premise or SaaS? How often?
Corporate Security Evolution (diagram)
• 1980s: Desktop and Content Security
• 1990s: Network Security (Firewall, IDS/IPS, Intrusion Detection and Prevention)
• 2000s: Application Security (Web Server, App Server, Database Server)
• Request path: Internet → Client → Firewall → Web Server → App Server → Database Server; ports 80 & 443 still open through the firewall
Why Web security?
Drivers for Web Application Security
Protecting brands
• Security breach at App layer can seriously hurt customer trust
Complying with regulations
• PCI, GLBA, HIPAA, AB 1950, and many others
Testing all applications on a continuous basis
• To stay ahead of new vulnerabilities
Protect from the 400+ new threats per month by continually testing Production Applications
So what’s in my Web Application? (diagram)
• User / UI Layer: Web Browser, HTML/DHTML, JavaScript, Java, DOM, Plug-Ins/API, Cookies
• Communication Layer: HTTP, SSL, HTTP-S, Authentication, Certificates, Digital Signatures
• Middleware Layer: Web Server SW/HW, App Server, ASP, COM, CORBA, DCOM, LDAP Server
• Data Layer: Databases, HTML, Raw Data, CSS/XSL, XML, File System
• Source Code - Individual Applications: Financial, Order Management, HR, Inventory
Stats
Hackers are attacking everyone…
• Banks, Credit Unions, Government Agencies, Small companies, Large companies – Equal opportunity
• 87% of Websites are vulnerable to attack (Source: SearchSecurity – January 2009)
• 75% of enterprises experienced some form of cyber attack in 2009 (Source: Symantec Internet Security Report – April 2010)
• 90% of Websites are vulnerable to attack (Source: Verizon Business Data Breach Report – April 2009)
• $6.6 Million is the average cost of a data breach (Source: Ponemon Institute – January 2009)
Vulnerability trends (chart; Source: Cenzic Q3-Q4, 2009 Application Trends Report)
Web Vulnerabilities by class – Commercial Apps (chart; Source: Cenzic Q3-Q4, 2009 Application Trends Report)
Vulnerability Breakdown of Misc. Category (chart; Source: Cenzic Q3-Q4, 2009 Application Trends Report)
Web Vulnerabilities by class – Proprietary apps (chart; Source: Cenzic Q3-Q4, 2009 Application Trends Report)
Findings from Cenzic ClickToSecure Managed (chart; Source: Cenzic Q3-Q4, 2009 Application Trends Report)
No One Wants To Be in the Press
Why worry?
“Who is responsible when a hack occurs?” “False sense of Security” “Concerns with finding all vulnerabilities” “Worried”
A total of 81 government Web sites in China were tampered with from May 10 to May 16, down 35 percent compared to the previous week, according to a report released by National Computer Network Emergency Response Technical Team.
As of 12 p.m. on Monday, 29 hacked government Web sites had still not been restored, including four provincial Web sites. Monitoring shows major threats are from software risk loopholes, spread of malicious codes and page revisions.
The report revealed 150 .CN malicious domain names, five malicious codes and five software loopholes. And .xorg.pl, a malicious domain group registered in Poland, has more than 100 malicious domain names and has been used to tamper with many Chinese Web sites and users.
Data shows security awareness and security measures should be strengthened. And 124 government Web sites were hacked from May 2 to May 9.
• 81 govt sites May 10th-16th, down 35%
• 29 hacked sites…still not been restored
• 150 .CN malicious domain names
• 5 malicious codes
• 5 software loopholes
• Malicious domain group registered in Poland, 100 malicious domain names
• Security awareness and security measures should be strengthened
• 124 Web sites were hacked from May 2-9
Source: People's Daily Online 5-19-10
Case Studies
Specific Hacking Case Studies: Heartland
Disclosed in January, 2009. Up to 130M cards exposed – largest attack (more than TJX)
• Not discovered until late 2008
• Impact:
  • Stock price went down 78%
  • Breach related expenses of $140 million
  • Millions of dollars in damages and recovery
  • Embarrassment for the company
  • Revenue loss
• Learning:
  • PCI compliance ≠ App security
Specific Hacking Case Studies: RBS World Pay
Disclosed in December, 2008. Up to 1.5M cards stolen
• Installed Malware
• Cloned cards were given to an army of “cashers” across 49 cities around the world
• Visited 2,100 ATM machines in 280 cities
• Impact:
  • $9M stolen in less than 12 hours
  • Embarrassment for the company
  • Reputation damage
• Learning:
  • Hackers are getting very sophisticated and organized
Vulnerability Examples
Cross-Site Scripting (XSS)
What is it?: Found in web applications which allow code injection by malicious web users into the web pages viewed by other users. The Web Application is used to store, transport, and deliver malicious active content to an unsuspecting user.
Used by attackers to bypass access controls such as the same origin policy. Recently, used to craft powerful phishing attacks and browser exploits.
Root Cause: Failure to proactively reject or scrub malicious characters from input vectors.
Impacts of XSS
• Session Hijacking: Hacker can steal the session id of the user and use it to conduct transactions
• Record Key Strokes: Hacker can record all the keystrokes of the victim
• Entry point: Hacker can use XSS to hack into the network and go deeper into other servers
• Steal information: A victim’s files and PII can be accessed and exploited by the hacker
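The two slides above name the root cause (untrusted characters reaching the page unchanged) and the headline impact (session theft). The following Python is an added example, not code from the Cenzic deck: it puts a page fragment that splices user input straight into HTML beside the encoded version, shows that the encoder has to match the output context (HTML body, attribute, URL), and builds the Set-Cookie header that limits what a script can do with the session id even when one does run. All function names and the sample inputs are constructed for this example.

```python
# Added example, not from the Cenzic deck: output encoding and cookie
# hardening as the mitigations for the XSS pattern the slides describe.
# All function names and sample inputs are constructed for this example.
import html
from http.cookies import SimpleCookie
from urllib.parse import quote


def render_greeting_vulnerable(name: str) -> str:
    """The root cause from the slide: untrusted input spliced straight into
    the page, so a name containing markup reaches the next viewer as code."""
    return "<p>Welcome, " + name + "</p>"


def render_greeting_safe(name: str) -> str:
    """HTML body context: escape & < > " ' so the browser treats the value as
    text regardless of what the user typed."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


def render_link_safe(next_url: str, label: str) -> str:
    """Two contexts, two encoders. The href is restricted to a local path
    (scheme-bearing and protocol-relative values fall back to "/"), then
    percent-encoded as a URL and HTML-escaped as an attribute value; the
    visible label is HTML-escaped."""
    if not next_url.startswith("/") or next_url.startswith("//"):
        next_url = "/"
    href = quote(next_url, safe="/?=&")
    return '<a href="%s">%s</a>' % (html.escape(href, quote=True),
                                    html.escape(label, quote=True))


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line for the session id. HttpOnly keeps document.cookie from
    reading it even if a script executes, Secure keeps it off plaintext HTTP,
    and SameSite=Strict stops cross-site requests from carrying it."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Strict"
    jar["session"]["path"] = "/"
    return jar.output(header="Set-Cookie:")


if __name__ == "__main__":
    hostile = "<script>alert(1)</script>"  # constructed display name
    print(render_greeting_vulnerable(hostile))  # markup reaches the browser intact
    print(render_greeting_safe(hostile))        # markup is shown as literal text
    print(render_link_safe("/account?tab=1", "My <account>"))
    print(session_cookie_header("demo-session-id"))
```

The point a reviewer would check is that each sink uses the encoder for its own context: `html.escape` is right for text and attribute values but does nothing for a URL, which is why `render_link_safe` restricts and percent-encodes the path before escaping it. The cookie attributes do not prevent XSS; they cap the "Session Hijacking" impact the slide lists if encoding is missed somewhere.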
SQL Injection
What is it?: Database contents are compromised or disclosed by the use of specially crafted form input that manipulates SQL Query Logic.
Root Cause: Failure to properly sanitize, reject, or escape domain-specific SQL characters from an input vector.
Impacts of SQL Injection
• Customer information: Hacker can get access to all your customer records
• Public Defacement: Hackers can easily deface thousands of sites with one attack
• Database Server: Hacker can compromise a database server with SQL attacks
• Bypass Log-in: By using simple SQL commands, a hacker can bypass the log-in credentials
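The "Bypass Log-in" impact above follows directly from the stated root cause: when SQL metacharacters in a form field are spliced into the statement text, they change the query's logic. This Python is an added example, not from the Cenzic deck: a login check built by string formatting beside the parameterized version, run against an in-memory SQLite table constructed here, so the difference can be exercised rather than described. The table, the user record, the inputs and all function names are constructed for this example.

```python
# Added example, not from the Cenzic deck: the login-bypass impact of SQL
# injection, with the string-built query beside its parameterized form.
# The in-memory table, user record and inputs are constructed here.
import hashlib
import hmac
import re
import sqlite3

USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def pw_hash(password: str) -> str:
    # Demo-only digest; a real system uses a salted, slow password hash.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed fixture: one user in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", pw_hash("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Root cause from the slide: the username is spliced into the statement
    text, so a quote plus a SQL comment marker in it ends the WHERE clause
    before the password is ever compared."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
           % (username, pw_hash(password)))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def valid_username(username: str) -> bool:
    """Allow-list validation: reject unexpected characters instead of
    trying to scrub them."""
    return USERNAME_RE.fullmatch(username) is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameterized query: the driver passes the username as data, so its
    content cannot alter the statement. Validation stays as a second layer,
    and the digest comparison is constant-time."""
    if not valid_username(username):
        return None
    row = conn.execute(
        "SELECT username, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None or not hmac.compare_digest(row[1], pw_hash(password)):
        return None
    return row[0]


if __name__ == "__main__":
    db = build_db()
    crafted = "alice' --"  # constructed input: quote plus SQL comment marker
    print("vulnerable:", login_vulnerable(db, crafted, "not the password"))  # alice
    print("safe:      ", login_safe(db, crafted, "not the password"))        # None
```

Escaping quotes by hand would close this one hole and leave others (numeric fields, LIKE patterns, second-order data from the database itself), which is why the parameter placeholder, not the validation regex, is the control that removes the vulnerability class; the regex only narrows what reaches the query in the first place.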
The “tops”
Top 5 Web Security Myths
I have SSL so that’ll protect my Web site
• SSL ≠ App Security
Have never been hacked
• How do you know?
PCI compliant
• Heartland, Hannaford…
I can test a few of my Web applications once a year
• Any vulnerable site is your weakest link
Expensive
• Many flexible options to get you jump started
Top Reason #1
Web Applications Are Getting More Complex
Web 2.0 technologies exacerbate the problem
• Think you are not using Web 2.0? Think again! e.g. Software mashups
• How do you know any of the original app is secure?
• How do you know the resulting app does not include new vulns?
Top Reason #2
Compliance Pressure Isn’t Letting Up (PCI, SOX, GLBA, HIPAA, FFIEC, …)
• Each regulation may have some level of implication on application security
• PCI section 6 has specific provision requirements for Web security
• We expect more regulations to follow suit
  • California AB 211, section 1, 56.36 (b)
Top Reason #3
Third Party Code is Prevalent
• Outsourced, open source, and packaged applications
• Enterprises use more open source code than they know
  • Apache, Net SNMP, Zlib, JBoss
• Few software outsourcing providers have secure coding provisions or service level guarantees
• Do you know the security quality of third-party code and apps?
Practical Approaches
Application Security Maturity Model (diagram)
• Axes: People & Process (Low → High) against Tools & Technology (Low → High)
• Quadrant labels: Pit of Despair; Security as Core Business Process; Panic Scramble
Enterprise Security Challenge (diagram)
• C-Level: “Will I get Hacked?”
• Business Units, each with Dev and QA, owning App 1, App 2, App 3
• Information Security
• Production and Pre-Production (Dev, QA, Staging), each holding App 1, App 2, App 3
Web & Software Security Lifecycle
Application Security is NOT a One Time Event but a Discipline Over Time!
• Timeline: Dev Begins → Alpha/Beta → Production/Launch → update1 → update2 → ...
• Activities across the timeline: Planning, Training, Scanning/Testing
SDLC & Black Box Testing (diagram)
• Software Development Life Cycle phases: Design → Build → Deploy → Operate
• Activities: Code Review, Build & Test Automation, White Box Testing, Black Box Testing, Pen Test, Decision Support & Process Optimization
You May Have To Change Internal Procedures & Processes
Buy in
• Management
• Grass roots
Create a dedicated application security role
• Align this role with business, operations, and development and QA
• Define responsibility and accountability structure
Engage business to define priorities, standards, and policies
Seat at the table…
You May Have To Change Internal Procedures & Processes
Move certain security functions into operations
• Security measures must be simple enough for non-experts
• Must integrate with existing operational procedures and tools
Metrics
• Implement reporting and metrics to measure risk
• Identify technology solutions/services that will provide meaningful metrics
• Review, rinse, repeat
START!
Final Thoughts
• This is real
• Bad guys are getting smarter
• Think about process/strategy
• Test frequently
• Starting Early = less $$
www.Cenzic.com | 1-866-4-CENZIC (1-866-423-6942)
Jon Zucker [email protected]