In this session you will learn why you need to shift from vulnerability detection only to a holistic web application defense strategy. We’ll outline the top three ways to improve your web app security and share how others have developed an integrated, comprehensive strategy that reduces costs and improves the balance between security and app functionality.
2. Ryan Holland
Sr Manager, Partner Solution Architects
Amazon Web Services
3. Security & Compliance is a Shared Responsibility
AWS is responsible for the security OF the Cloud:
•AWS Foundation Services: Compute, Storage, Database, Networking
•AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers are responsible for their security IN the Cloud:
•Customer applications & content
•Platform, Applications, Identity & Access Management
•Operating System, Network & Firewall Configuration
•Client-side Data Encryption
•Server-side Data Encryption
•Network Traffic Protection
4. Security & Compliance is a Shared Responsibility (same diagram, with the supporting programs added)
AWS (security OF the Cloud): Foundation Services (Compute, Storage, Database, Networking) and Global Infrastructure (Regions, Availability Zones, Edge Locations), backed by a culture of security and continual improvement and an ongoing audit and assurance program.
Customers (security IN the Cloud): your content and your controls, covering customer applications & content; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Client-side Data Encryption; Server-side Data Encryption; Network Traffic Protection. Additional controls are available from the AWS Marketplace.
5. Every customer has access to the same security capabilities
AWS maintains a formal control environment
•SOC 1 (SSAE 16 & ISAE 3402) Type II (was SAS70)
•SOC 2 Security
•ISO 27001 Certification
•Certified PCI DSS Level 1 Service Provider
•FedRAMP (FISMA), ITAR, FIPS 140-2
•HIPAA and MPAA capable
(Diagram: Foundation Services (Compute, Storage, Database, Networking) on top of AWS Global Infrastructure (Regions, Availability Zones, Edge Locations))
6. Let AWS take care of the heavy lifting for you
AWS provides: Facilities; Physical security; Compute infrastructure; Storage infrastructure; Network infrastructure; Virtualization layer (EC2); Hardened service endpoints; Rich IAM capabilities
Customer provides: Network configuration; Security groups; OS firewalls; Operating systems; Applications; Proper service configuration; AuthN & account management; Authorization policies
(AWS + Customer)
Customers get to choose the right level of security for their business. As an AWS customer you can focus on your business and not be distracted by the muck.
7. AWS partners can help you build secure solutions
AWS provides: Facilities; Physical security; Compute infrastructure; Storage infrastructure; Network infrastructure; Virtualization layer (EC2); Hardened service endpoints; Fine-grained IAM capability
AWS + AWS partner solutions = Your secure AWS solutions
These products and more are available on the AWS Marketplace: WAF, VPN, IPS, AV, API gateways, data encryption, user management
8. Top 3 Ways to Improve Web App Security in AWS
Dawn Smeaton
Product Marketing, Web App Security
9. Cloud Security is a Shared Responsibility
Copyright 2014 Trend Micro Inc.
Cloud Service Provider: Facilities; Physical security; Physical infrastructure; Network infrastructure; Virtualization infrastructure
Cloud User: Operating System; Applications; Data; Identity & Access; Security Groups
10. Security capabilities: Anti-malware, Intrusion Prevention, Host Firewall, Integrity Monitoring, Log Inspection, Application Scanning, Data Encryption
ADAPTIVE: Intelligent, dynamic provisioning & policy enforcement
CONTEXT: Workload & application-aware
SCALABLE: Auto-detects new instances and rapidly applies security
PLATFORM: Comprehensive capabilities across data center & cloud
11. Web Apps are a Favorite Target
•Easy to develop exploits
•High value of data
13. SQL Injection example
1. Application presents a form (Username: / Password: fields)
2. Attacker enters a SQL fragment in the form data instead of a real value
3. Application forwards the query to the database with the attacker's input spliced straight into the SQL text:
"SELECT * FROM accounts WHERE acct='' OR 1=1--'"
4. Database runs the attack query (OR 1=1 is true for every row, and -- comments out the rest of the statement) and sends the encrypted results back to the app
5. Application decrypts the data as normal and sends the results to the attacker. Encryption of the stored data does not help here, because the application decrypts whatever the database returns.
Account Summary returned to the attacker:
Acct:5424-6066-2134-4334
Acct:4128-7574-3921-0192
Acct:5424-9383-2039-4029
Acct:4128-0004-1234-0293
Copyright 2013 Trend Micro Inc.
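The injection above, reproduced end to end as an added example (this is not code from the slide deck or from Trend Micro): an in-memory SQLite table stands in for the account store, the account numbers and owners are constructed sample data, and the function names (vulnerable_lookup, safe_lookup, validated_lookup) are assumptions. The vulnerable handler splices the form value into the SQL text exactly as step 3 describes, so the payload ' OR 1=1-- returns every row; the parameterised version binds the same payload as data and returns nothing, and the validated version rejects it before any query runs.

```python
import re
import sqlite3

# Constructed sample data for the demo (not real account numbers).
SAMPLE_ACCOUNTS = [
    ("1111-2222-3333-4444", "alice", 1250.00),
    ("5555-6666-7777-8888", "bob", 80.50),
    ("9999-0000-1111-2222", "carol", 43012.10),
]

# What the attacker types into the form field on the slide.
PAYLOAD = "' OR 1=1--"

# Positive check: an account number is four groups of four digits, nothing else.
ACCT_PATTERN = re.compile(r"^\d{4}-\d{4}-\d{4}-\d{4}$")


def make_db():
    """In-memory SQLite database standing in for the application's account store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (acct TEXT PRIMARY KEY, owner TEXT, balance REAL)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def vulnerable_lookup(conn, acct):
    """Step 3 of the slide: the form value is pasted into the SQL text.

    With PAYLOAD the statement becomes
        SELECT ... WHERE acct='' OR 1=1--'
    The OR 1=1 matches every row and -- comments out the trailing quote.
    """
    query = f"SELECT acct, owner, balance FROM accounts WHERE acct='{acct}'"
    return conn.execute(query).fetchall()


def safe_lookup(conn, acct):
    """Parameterised query: the value is bound as data and never parsed as SQL,
    so PAYLOAD is compared literally against the acct column and matches nothing."""
    query = "SELECT acct, owner, balance FROM accounts WHERE acct=?"
    return conn.execute(query, (acct,)).fetchall()


def validated_lookup(conn, acct):
    """Defence in depth: reject anything not shaped like an account number
    before it reaches the database at all, then use the parameterised query."""
    if not ACCT_PATTERN.match(acct):
        raise ValueError("account number has unexpected format")
    return safe_lookup(conn, acct)


def run_demo():
    """Run the payload through all three handlers and report what each returned."""
    conn = make_db()
    results = {
        "vulnerable": len(vulnerable_lookup(conn, PAYLOAD)),
        "parameterised": len(safe_lookup(conn, PAYLOAD)),
    }
    try:
        validated_lookup(conn, PAYLOAD)
        results["validated"] = "accepted"
    except ValueError:
        results["validated"] = "rejected"
    return results


if __name__ == "__main__":
    for handler, outcome in run_demo().items():
        print(f"{handler}: {outcome}")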
14. Web App Vulnerabilities
•Vulnerabilities: Injection; Broken authentication; XSS; Sensitive data exposure; Cross site request forgery; Insecure direct object references; Security misconfiguration; Missing function level access control; Unvalidated redirects
•Technical Impacts: Site defacement; Access to databases & internal networks; Loss of sensitive data; Google search blacklisting; Malware; User accounts hijacked; Web server availability
•Business Impacts: Damage to brand reputation; Loss of customer trust; Revenue loss; Fail PCI Compliance
The impact of vulnerabilities can be huge
15. Top Three ways to improve Web App Security
1. Expand Detection
2. Strengthen Defenses
3. Centralize Visibility
17. Expand Detection
•Operating System (Known Vulnerabilities)
•Web Server (Known Vulnerabilities)
•Web Apps
18. Different vulnerabilities need different approaches
Technical Flaws
•Automated tools crawl websites, imitating user interaction to find errors in code, malware or links to inappropriate sites
•Find common coding errors like SQL injection, cross site scripting and ineffective security controls
Logical Flaws
•Looking at the site in context to find potential weaknesses
•Manual testing uncovers flaws that are difficult or impossible to find with automated tools
21. Traditional web app protection
Intrusion Prevention
•Detects & blocks malicious activity at the platform layer (web server and OS)
•Virtual patching from some offerings can shield discovered platform vulnerabilities without requiring code updates, patches, or configuration fixes
Web Application Firewall (WAF)
•Analyzes traffic, including SSL-encrypted communication
•Rules govern application behavior and block attacks without requiring app modification
•Can help with PCI-DSS compliance
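To make the "rules block attacks without app modification" and "virtual patching" points concrete, here is an added example (not code from the deck or from any Trend Micro product) of the decision logic a WAF-style filter runs in front of the application. The request URLs are constructed samples, and the rule names, the inspect_request function and the VIRTUAL_PATCHES table are assumptions for illustration. Two rule types are shown: generic negative signatures for common SQL injection shapes, and a positive "virtual patch" that pins the known-vulnerable acct parameter from the SQL injection slide to its expected format, so the vulnerable handler never sees the payload and needs no code change.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests (method, path plus query string) for the demo.
SAMPLE_REQUESTS = [
    ("GET", "/account?acct=1111-2222-3333-4444"),
    ("GET", "/account?acct='%20OR%201%3D1--"),
    ("GET", "/search?q=union+select+password+from+users"),
    ("GET", "/search?q=holiday%20specials"),
]

# Negative-security signatures: generic shapes of SQL injection attempts.
# These can be bypassed and can false-positive on legitimate text (a "--"
# in a comment field, for example), so they buy time rather than certainty.
SIGNATURES = [
    ("sql-tautology", re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I)),
    ("sql-comment", re.compile(r"(--|/\*)")),
    ("sql-union", re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I)),
]

# Positive-security "virtual patch" for a parameter already known to be
# injectable: /account?acct= must look like four groups of four digits.
# Nothing else reaches the application until its code is actually fixed.
VIRTUAL_PATCHES = {
    ("/account", "acct"): re.compile(r"^\d{4}-\d{4}-\d{4}-\d{4}$"),
}


def inspect_request(method, url):
    """Return (allowed, reason) for one request.

    Virtual patches run first because they are exact and cheap; signatures
    run over every parameter value afterwards. A denied request is dropped
    before the application sees it, which is what lets the rule protect
    an unmodified app.
    """
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)

    for (path, name), pattern in VIRTUAL_PATCHES.items():
        if parts.path == path:
            for value in params.get(name, []):
                if not pattern.match(value):
                    return False, f"virtual-patch:{path}:{name}"

    for name, values in params.items():
        for value in values:
            for sig_name, sig in SIGNATURES:
                if sig.search(value):
                    return False, f"signature:{sig_name}:{name}"

    return True, "allowed"


def run_samples():
    """Apply the rules to the constructed requests; returns (url, allowed, reason)."""
    return [(url, *inspect_request(method, url)) for method, url in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for url, allowed, reason in run_samples():
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {url}  ({reason})")
```

Note the order of the two rule types: the injected acct value would also have tripped the tautology signature, but the virtual patch catches it first by format alone, which is the property that makes a virtual patch useful when a signature set is incomplete.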
23. Web App security that fits the cloud
Hosting on AWS provides agility & scalability
(Diagram: www.example.com served by Elastic Load Balancing in front of an Auto Scaling group of EC2 instances running the web app server, each with a security group, a root volume and a data volume)
BUT… AWS requires pre-approval before scanning, UNLESS you use an AWS pre-authorized scanner like Trend Micro
(This describes the AWS penetration-testing policy as it stood at the time of this 2014 presentation; check the current AWS policy before scanning.)
25. Continuous Visibility
•Need actionable insights
•Reduce number of solutions
–App scanning
–Manual testing
–Platform scanning
–SSL
•Understand countermeasures available in overall security architecture
“Single dashboard take lots of info and boils it down to make it easy to consume and share”
26. Trend Micro Delivers Unparalleled Web App Security
1. Comprehensive Detection: Automated scanning of applications and platforms, plus app logic testing by security experts
2. AWS Pre-authorized Scanner: No manual scan approvals required, Trend Micro is pre-authorized to scan web apps hosted on AWS
3. Integrated Management: Cloud-based, centralized single console for scanning, SSL certificates and protection
27. Get Started!
•Schedule a personal product demo
•Get a free trial
–Scanning of up to 3 web apps in AWS, including full vulnerability report and SSL certificates. Request your trial at webappsecurity.trendmicro.com