Why care about secure web apps?
- 7 out of 10 web apps were vulnerable to the use of a hyperlink with malicious code embedded in it.
- 1 in 3 web apps aided hackers through information leakage: when a website unintentionally or unknowingly reveals sensitive information such as error messages or developer comments.
With Web 2.0 technologies and other development platforms, applications are becoming increasingly powerful and complex.
2. Lead Instructor: David J. Kennedy
Principal - Profiling and e.Discovery
CISSP, GSEC, MCSE 2003
As the Practice Lead for Profiling & e.Discovery, Dave provides security solutions to companies
and organizations worldwide. His team focuses on the technical side of security, performing
penetration tests, source code review, web application security, data forensics, electronic
discovery and wireless assessments.
Before joining SecureState, Dave spent over five years working with elite security groups and
the National Security Agency. He was also in the United States Marine Corps’ Intelligence
Agency, where he worked with the National Security Agency to combat terrorism and
eventually became an instructor for wireless security and data forensics.
Your Host:
Chuck Mackey, HISP
Executive Director, TSI /Security F.I.R.M. Program
As the Technology Solutions Institute’s (TSI) Executive Director, Chuck provides IT and Security program
direction for Corporate College, a division of Cuyahoga Community College (Tri-C). He is the College’s former
CISO where he created the Office of Safe and Secure Computing (OSSC).
Chuck holds an MBA in Systems Management and carries the Holistic Information Security Practitioner (HISP)
certification. Prior to joining Tri-C, he worked at Deloitte Consulting, Ernst & Young LLP, and Boeing’s (former)
McDonnell Douglas military aircraft contractor.
3. JUST SOME OF THE F.I.R.M.* CONTENT
*Foundation
Immersion
Reinforcement
Mastery
5. Why Care About Secure Web Applications?
• 7 out of 10 web applications were vulnerable to the use of a hyperlink with
malicious (malware) code embedded in it.
• 1 in 3 web apps aided attackers through information leakage: when a website
unintentionally or unknowingly reveals sensitive information such as error
messages or developer comments.
• 1 in 4 was susceptible to content spoofing: a technique used to trick a user into
believing that certain content appearing on a web site is legitimate (AKA
"Phishing").
• 1 in 6 fell prey to SQL injection: an attack technique used to exploit web sites
by altering program statements.
• 1 in 6 employed insufficient authentication: occurs when a website permits an
attacker to access sensitive content or functionality without having to properly
authenticate.
• 1 in 6 used insufficient authorization: when a website permits access to
sensitive content or functionality that should require increased access control
restrictions.
• 1 in 7 allowed abuse of functionality: uses a website's own features and
functionality to consume, defraud, or circumvent access control mechanisms.
Source: Web Application Security Consortium 2008
6. So, What is the Issue?
• “With Web 2.0 technologies and other development platforms, applications are
becoming increasingly powerful and complex.
• With complexity comes a growing risk that security vulnerabilities will be
introduced into applications.
• These vulnerabilities lie within the code and can be exploited by anyone who
gains access to your website or your software.
• Developers are trained (if at all) to build complex and feature-rich applications,
not safe and secure sites.
• Increasingly, the software applications that millions of people and businesses
depend on every day are being exposed to escalating risks in the form of
sophisticated attacks and other threats.
• Carnegie Mellon University’s CERT (Computer Emergency Response Team)
tabulates comprehensive data on the number of software vulnerabilities
reported each year. Between 1995 and 2007, the data CERT collected and
analyzed from numerous sources showed that the number of reported security
vulnerabilities increased an average of 37 percent every year.”
Source: The Case for Business Software Assurance, Fortify 2008
7. The New Security Frontier
• The hacking community has shifted its efforts toward the application
layer.
• The hacking community is now heavily funded and supported by
countries around the world.
• With companies spending millions of dollars securing the perimeter
with network firewalls, intrusion prevention systems, and other devices,
hackers have realized the lowest-hanging fruit lies in the applications
themselves.
• Vulnerabilities that exist in the code are being exploited to steal private
data, conduct phishing attacks, deface web sites, and run a range of
online scams.
• Vulnerabilities have led to breaches exposing over 212 million records
over the last 3 years.
8. Come on, is it really that bad?
• Gartner reports that 75% of breaches are caused by security flaws in
software.
• The National Institute of Standards and Technology (NIST) reports that
92% of vulnerabilities are in software.
• The United States Air Force reports that the percentage of attacks
directed at their applications (versus their networks) grew from 2% to
36% between 2004 and 2006.
• InformationWeek reported that the number of hackers attacking banks
jumped by 81% between 2005 and 2006, according to figures released
at the Black Hat security conference in July 2007. This increase is due
to the increased availability of hacking toolkits and malware in the
online underground.
• Underground sites, such as http://www.xssed.com/, give attackers a
blueprint of how to break into enterprise applications.
• So, yeah, it’s bad.
Source: The Case for Business Software Assurance, Fortify 2008
9. What to do?
• Establish a baseline of where the greatest risk lies in the organization
(aka: Risk Assessment).
• Define roles and assign responsibility for each task.
• Educate developers on secure coding.
• Identify automated solutions that can speed the process of
securing applications.
• Track metrics to gauge the success of each activity.
ATTEND
What: Secure Web Apps Development Training
When: April 7* & 8**, 2009; 8:00 AM – 4:30 PM
Where: Corporate College East (CCE)
4400 Richmond Rd., Warrensville Hts., OH 44128
http://corporatecollege.com/FacilitiesLocations.aspx
*$299.00/person
**$399.00 for both days
Includes lunch, materials, ongoing access to the Security F.I.R.M. Micro-site
Registration Information: william.mcclung@tri-c.edu
Or Call Bill @ 216-987-2971
Limited Seating
Completion Certificate Available