WHITEHAT SECURITY - F5ネットワークス · WhiteHat Security – Company ... • The WhiteHat...


Transcript of WHITEHAT SECURITY - F5ネットワークス · WhiteHat Security – Company ... • The WhiteHat...

Page 1: WHITEHAT SECURITY - F5ネットワークス · WhiteHat Security – Company ... • The WhiteHat Sentinel / F5 ASM solution will eliminate 71% ... Slowed WAF performance and blocked

WHITEHAT SECURITY

T.C. NIEDZIALKOWSKI Technical Evangelist

[email protected]

DECEMBER 2012

Page 2

WhiteHat Security – Company Overview

• Headquartered in Santa Clara, CA

• WhiteHat Sentinel – SaaS end-to-end website risk management platform

• Employees: 250+

• Customers: 650+

© 2012 WhiteHat Security, Inc. 2

Page 3

Web Application Security Across the SDLC

Security throughout the application lifecycle reduces website risks across the enterprise


OVERVIEW

[Diagram: WhiteHat Sentinel Security Platform across the SDLC – Development, Preproduction and Production stages; Sentinel Source, Sentinel PL, Sentinel BE/SE/PE]

Expertise: Threat Research Center

Intelligence: Security Metrics and Real Time Reporting

Accessibility: Anytime / Anywhere via the Internet

Page 4

WhiteHat Sentinel Software as a Service

• SaaS (Annual Subscription)

– Unlimited Assessments / Users

– Fixed Flat Rate per Website

• Unique Methodology

– Proprietary scanning technology

– Expert website security analysis (TRC)

– Satisfies PCI 6.6 requirements

• Vulnerability Verification and prioritization

– XML API links other security solutions

• Easy to get started

– Need URL and Credentials

– No Management of Hardware or Software

– No Additional Training


Page 5

How WhiteHat Sentinel Works


Page 6

CYBERCRIME IS NOW THE SECOND BIGGEST CAUSE OF ECONOMIC CRIME EXPERIENCED BY THE FINANCIAL SERVICES SECTOR


Page 7

1 million accounts with 1 SQL Injection attack


ATTACK LANDSCAPE

Page 8

XSS from 2009 used by Lulzsec to announce Murdoch’s death in 2011


ATTACK LANDSCAPE

Page 9

Sophisticated, targeted fraud on Ebay.com


ATTACK LANDSCAPE

Page 10

Attacker Profiles

• Random Opportunistic

– Fully automated scripts

– Unauthenticated scans

– Targets chosen indiscriminately

• Directed Opportunistic

– Commercial and Open Source Tools

– Authenticated scans

– Multi-step processes (forms)

• Fully Targeted

– Customize their own tools

– Focused on business logic

– Clever and profit driven ($$$)


ATTACK LANDSCAPE

Page 11

BIG DATA CAN TELL US WHAT IS REALLY GOING ON


Page 12


METRICS

Page 13

8/10 websites have serious vulnerabilities

Average number of new serious* vulnerabilities discovered per website per year

*Serious vulnerability: a security weakness that, if exploited, may lead to a breach or data loss affecting a system, its data, or its users. (PCI-DSS severity HIGH, CRITICAL, or URGENT)


METRICS

Page 14

WhiteHat Security Top Ten (2011)

Percentage likelihood of a website having at least one vulnerability sorted by class


METRICS

Page 15

37% of Vulnerabilities are Never Fixed

• The overall Remediation Rate in 2011 was 63%, up from 53% in 2010, and almost double the rate of 35% in 2007. Roughly 7% average improvement per year in the percentage resolved during each of the last four years.


METRICS

Page 16

Serious Vulnerabilities take 38 days to fix


METRICS

Page 17

Window of exposure


METRICS

Page 18

Why Do Vulnerabilities Go Unfixed?

• No one at the organization understands or is responsible for maintaining the code.

• Development group does not understand or respect the vulnerability.

• Affected code is owned by unresponsive third-party.

• Website will be decommissioned or replaced “soon.”

• Risk of exploitation is accepted.

• Feature enhancements are prioritized ahead of security fixes.


METRICS

Page 19

HOW TO SOLVE VULNERABILITY OVERLOAD


Page 20

Targeting and Evolving Security Strategies


INTEGRATION

FROM

• Fulfilling checkbox requirements

• Point in time assessments

• Tactical efforts to secure specific websites

• Taking precautions but accepting a certain level of risk

TO

• Securing all Web assets throughout the SDLC

• Continuous concurrent assessments

• Strategic security program to secure all websites

• Perform security analysis in all stages of the SDLC

Page 21

WAF is a strategic control to mitigate risk

Web Application Firewalls are best at mitigating vulnerabilities such as Cross-Site Scripting, Content Spoofing, SQL Injection, Response Splitting, etc. By summing up the percentages for these classes we might safely say:

A WAF could feasibly help mitigate the risk of at least 71% of all custom Web application vulnerabilities.


INTEGRATION

Page 22

How to solve Vulnerability Overload

• Sentinel Baseline Service finds an average of 7 vulnerabilities per site in the unauthenticated space

• It is common for customers to run Baseline on all of their assets

• 200 sites X 7 vulnerabilities = 1400 problems!

• The WhiteHat Sentinel / F5 ASM solution will eliminate 71%

• Leaving the other 29% to be solved by code remediation or iRules


INTEGRATION

Page 23

Integration Overview


INTEGRATION

• Finds a vulnerability

• Virtual-patching with one-click on BIG-IP ASM

• Verify, assess, resolve and retest in one UI

• Automatic or manual creation of policies

• Discovery and remediation in minutes

• Vulnerability checking, detection and remediation

• Complete website protection
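As an added illustration, not WhiteHat's or F5's code and not the real Sentinel XML API format, this Python model shows what the integration above relies on: a stable Vuln ID lets a rescan update the existing record instead of spawning a duplicate WAF policy, "Retest Now" sets the Mitigated-by-WAF flag only when the virtual patch actually holds, and the window of exposure runs from discovery to whichever closes first, the WAF patch or the code fix. The WH-#### ID format, URLs and dates are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, replace
from datetime import date

@dataclass
class Finding:
    vuln_id: str            # stable scanner ID that survives rescans (assumed format)
    url: str
    vuln_class: str
    found: date
    mitigated_by_waf: date | None = None
    fixed: date | None = None
    def exposure_days(self, today: date) -> int:
        """Window of exposure: discovery until the earliest of WAF patch, code fix or today."""
        closed = [d for d in (self.mitigated_by_waf, self.fixed, today) if d is not None]
        return (min(closed) - self.found).days

class Tracker:
    def __init__(self) -> None:
        self.findings: dict[str, Finding] = {}
        self.waf_policies: dict[str, str] = {}  # vuln_id -> ASM policy description
    def ingest(self, scan: list[Finding]) -> int:  # returns genuinely new findings only
        new = [f for f in scan if f.vuln_id not in self.findings]  # same Vuln ID = same record
        self.findings.update({f.vuln_id: replace(f) for f in new})
        return len(new)
    def virtual_patch(self, vuln_id: str) -> str:  # one-click patch: one policy per Vuln ID
        f = self.findings[vuln_id]
        return self.waf_policies.setdefault(vuln_id, f"block {f.vuln_class} on {f.url}")
    def retest(self, vuln_id: str, still_exploitable: bool, on: date) -> bool:
        """'Retest Now': set Mitigated by WAF only when the patched request no longer works."""
        f = self.findings[vuln_id]
        if vuln_id in self.waf_policies and not still_exploitable and f.mitigated_by_waf is None:
            f.mitigated_by_waf = on
        return f.mitigated_by_waf is not None

# Constructed sample scans (not real Sentinel output); scan 2 re-reports Vuln ID WH-1001.
SCAN_1 = [Finding("WH-1001", "/search", "Cross-Site Scripting", date(2012, 11, 1)),
          Finding("WH-1002", "/login", "SQL Injection", date(2012, 11, 1))]
SCAN_2 = [Finding("WH-1001", "/search", "Cross-Site Scripting", date(2012, 11, 8))]

def demo(today: date = date(2012, 12, 15)) -> dict:
    t = Tracker()
    t.ingest(SCAN_1)
    duplicates = len(SCAN_2) - t.ingest(SCAN_2)       # 1 re-reported finding, no new record
    t.virtual_patch("WH-1001")
    t.retest("WH-1001", still_exploitable=False, on=date(2012, 11, 3))
    t.findings["WH-1002"].fixed = date(2012, 12, 9)   # code fix 38 days after discovery
    return {"duplicates": duplicates, "policies": len(t.waf_policies),
            "exposure": {k: f.exposure_days(today) for k, f in t.findings.items()}}
```

Running demo() yields one suppressed duplicate, a single WAF policy, and exposure windows of 2 days for the virtually patched XSS versus 38 days for the SQL injection that waited on a code fix.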

Page 24

Why past attempts at DAST+WAF failed

• DAST can disrupt production if not carefully configured

– Testing QA won't provide accurate measurement

• Hundreds or thousands of unvalidated "false positives" and "duplicates"

– Slowed WAF performance and blocked valid traffic

• Without up-to-date, validated input, the WAF can't be moved into blocking mode

• False negatives in the scanning methodology (not testing certain functionality) still required broad rules


INTEGRATION

Page 25

WhiteHat Sentinel Ideal Solution for ASM

• WhiteHat's unique methodology

– allows the service to find more vulnerabilities with fewer false positives than other DAST vendors, all while testing production safely

• F5 ASM + WhiteHat enables twice the number of automatically resolvable vulnerability classes of any other similar integration

• F5 is the only WAF vendor that can consume WhiteHat Sentinel's unique "Vuln ID"

– Allows continuous, historical tracking of vulnerabilities, and better integration with WAF and SDLC

• Live team of experts to provide assistance, explanation, and demonstration of vulnerabilities


INTEGRATION

Page 26

Unique to WH+ASM integration

• “Vuln ID” to historically track vulnerability status

• 100% verified vulnerability results


• "Retest Now" to confirm virtual patch effectiveness

• "Mitigated by WAF" flag in Sentinel interface

INTEGRATION

Page 27

WAF roadmap

• Virtual patching support for atypical vulnerabilities

• Expand coverage to more vulnerability classes

• Bi-directional integration to better inform DAST of web application attack surface


INTEGRATION

Page 28

http://www.f5networks.co.jp/info/whitehat.html


FREE TRIAL

Page 29

THANK YOU

T.C. NIEDZIALKOWSKI Technical Evangelist

[email protected]