Application Security consists of more than the use of software, hardware, and procedural methods to protect applications from external threats. It is more than technology: it is a path, not a destination. It is about risk management and implementing effective countermeasures, identifying potential threats and understanding that each threat presents a degree of risk.
Once an afterthought in software design, security is becoming an increasingly important concern during development as applications become more frequently accessible over networks and are, as a result, vulnerable to a wide variety of threats. Security measures built into applications and a sound application security routine minimize the likelihood that unauthorized code will be able to manipulate applications to access, steal, modify, or delete sensitive data.
Join a tour of various scenarios introducing the basic concepts of Application Security, learning about some of the most recent vulnerabilities and data breaches, as well as examples of how easy it can be to hack you.
ABOUT ME
@a_gomez_r BoquerónSec
ÁNGEL GÓMEZ ROMERO
Accenture Technology Center in Spain
Advanced App Engineering Associate Manager at Accenture. 15+ years developing, designing, and architecting enterprise solutions in different languages (mainly in Java). DevOps practitioner, Cloud solutions lover and Application Security applied to SDLC (Software Delivery Lifecycle) evangelist.
APP SECURITY NOT ONLY CONSISTS IN THE USE OF SOFTWARE, HARDWARE, AND PROCEDURAL METHODS TO PROTECT APPLICATIONS FROM EXTERNAL THREATS, IT IS MORE THAN TECHNOLOGY, IS A PATH NOT A DESTINATION
Copyright 2019 Accenture. All rights reserved. 4
APP SEC FOUNDATIONS
• Are we secure, or not?
• Brief history of App Security
• The life of a Cyberthreat
• Cybersec awareness: Malware
• Hacker/Cracker differences
ARE WE SECURE, OR NOT?
Security is fundamentally about protecting assets. Assets may be tangible items, such as a Web page or a database, or less tangible, such as company reputation.
We must analyze our infrastructure and applications, identifying potential threats and understanding that each threat presents a degree of risk. This means that in security we manage risks and we also implement effective countermeasures.
This is a common misconception and it depends on the threat.
WHAT DO WE MEAN BY SECURITY?
A threat is a potential event that can adversely affect an asset, whereas a successful attack exploits vulnerabilities in your system.
THREATS, VULNERABILITIES AND ATTACKS DEFINED
(Diagram: Threat, Vulnerability, Attack)
BRIEF HISTORY OF APP SECURITY
Highlights and reactions dating back to the late ‘80s
1980s: VIRUSES BEGIN
• 1971: First computer virus, "Creeper", detected on ARPANET. First antivirus program, called the "Reaper", created.
• 1988: First (not malicious) Internet virus, the "Morris" worm, was unleashed.
• 1989: AIDS Trojan horse, the first instance of ransomware detected.
1990s: ATTACKERS EVOLVED FROM INDIVIDUALS TO ORGANIZED GROUPS OF CYBER CRIMINALS
• 1995: JavaScript cross-site scripting (XSS) attacks.
• 1998: Injection (such as SQL) method of attack discovered.
• 1999: "Melissa" Microsoft Word virus disseminates itself as an email attachment.
2000s: TACTIC/VULNERABILITY DISCLOSURES CONTINUE TO TREND UPWARD
• 2000: "ILoveYou" worm infects systems worldwide.
• 2001: Microsoft victim of DoS attacks on its DNS.
• 2006: "Black Worm" filled documents with garbage.
• 2009: Google China hit by cyber attack; intellectual property was stolen.
2010s: MOBILE APP VULNERABILITIES OR AUTOMOTIVE CYBER THREATS EXPLOITED
• 2014: Attack on Sony confidential information.
• 2015: Ashley Madison personal data posted.
• 2017: "WannaCry" and "Bad Rabbit" ransomware.
• 2018: Google+ API bug potentially let attackers steal the data of 52.5 million users.
Computer hackers have a long history of trying to expose and exploit vulnerabilities on networks and in software applications, with profound business and personal impacts.
THE LIFE OF A CYBERTHREAT
How malware gets into your system to steal your data
Online transactions contain valuable data, making them a huge target for crime.
Source: Incognito Forensic Foundation, 2018
CYBERATTACKS AND MALWARE CREATION
Hackers use underground Internet circles known as the Dark Web to share ideas and organize, then they craft exploits and ways to infiltrate targets (some are malicious or hacked websites that steal information). There are other approaches, such as phishing emails tricking employees into downloading malware that gives the hackers access to secure systems.
COLLABORATION OF "THE GOOD GUYS"
Indicators of emerging cyber threats help professionals to quickly prevent malicious attacks, patch system vulnerabilities and educate employees.
CYBERSECURITY AWARENESS: MALWARE
Differences between these programs
Although they are all bad, learn how to play "Guess who?" to fight them.
Malware is any software intentionally designed to cause damage to a computer, server, client, or network. It jeopardizes the affected systems after it is implanted or introduced in some way into a target's computer.
Source: ESET Smart Security
HACKER/CRACKER DIFFERENCES
Avoid annoying anyone by confusing the terms
HACKER
Intensely interested in the recondite workings of any computer operating system and programming language (most often programmers): discovering holes and the reasons behind them, constantly seeking further knowledge, freely sharing what they discover, and never intentionally damaging data.
CRACKER
One who breaks into or otherwise violates the system integrity of remote machines with malicious intent. Having gained unauthorized access, crackers destroy vital data, deny legitimate users service, or cause problems for their targets.
Differences to help, or to detect and stop them.
SOME TYPES
• Ethical or White Hat vs Gray Hat hacker.
• Expert vs. Script Kiddies crackers.
Source: Peatonet Computing and Internet of Things Security
SECURING APPLICATIONS
• How it works:
o Cybersecurity
o Cloud/Mobile Security
• Build a Secure application
• Security main elements
• Core Security principles
HOW IT WORKS: CYBERSECURITY
A response plan for stopping a security breach
Meet John, the chief security officer (CSO) for a company that has an incident response platform (EIRP) in place which acts as a hub for the people, processes and technology.
1. Irregular activity occurs on John's account
A user behavior analytics engine that monitors account activity recognizes suspicious behavior. Late-night logins and an unusual amount of downloaded data are checked by the EIRP.
2. Threat source identification
The IRP software connects to the company user directory and recognizes that the user account belongs to a valid company user. It has determined that the attempted attack came from a well-known cybercrime organization using stolen credentials (a malware-infected file was uploaded).
3. Collect findings
The incident IP addresses are sent by the IRP to threat intelligence software which identifies the address (maybe it is a suspected, known malware server). Findings are aggregated into a playbook to be checked/reviewed by the security team.
4. Findings triage
With the help of the IRP software, the security team rejects false positives and identifies defect criticality (John's credentials were stolen when the hackers found a vulnerability in the company's firewall).
5. Vulnerabilities are fixed
The security team uses the findings to identify the specific server vulnerability that allowed the attack. The IRP software uses the information to determine which machines in the network need to be patched.
6. Status (legal) report
The security team communicates which data may have been stolen or compromised during the incident. Regulatory agencies are notified, as well as the affected parties.
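The first step of the scenario above, a user behavior analytics engine noticing late-night logins and an unusual download volume, is the kind of check a detection engineer writes against an audit log. The script below is an added example and not code from the deck or from any EIRP product: the log lines, the "late night" window (00:00 to 05:59) and the daily download threshold are constructed assumptions for illustration.

```python
"""Toy user-behaviour check: flag late-night logins and unusual download volume.

Added example, not part of the original deck. Log lines, thresholds and the
accounts are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit log, one event per line: "<ISO timestamp> <user> <event> <bytes>"
SAMPLE_LOG = """\
2019-03-04T09:12:05 john login 0
2019-03-04T09:40:11 john download 120000
2019-03-04T17:55:30 john download 95000
2019-03-05T02:13:42 john login 0
2019-03-05T02:20:09 john download 48000000
2019-03-05T02:41:17 john download 61000000
2019-03-05T08:01:00 alice login 0
2019-03-05T08:05:22 alice download 30000
"""

# Assumed thresholds: "late night" is 00:00-05:59, and a single day's
# downloads are suspicious above this many bytes. Real baselines would be
# learned per user rather than fixed.
LATE_NIGHT_HOURS = range(0, 6)
DAILY_DOWNLOAD_LIMIT = 50_000_000


def parse_log(text):
    """Parse log lines into (timestamp, user, event, nbytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), user, event, int(nbytes)))
    return events


def find_anomalies(events, limit=DAILY_DOWNLOAD_LIMIT):
    """Return a sorted list of (user, day, reason) findings."""
    findings = set()
    per_day = defaultdict(int)
    for ts, user, event, nbytes in events:
        day = ts.date().isoformat()
        if event == "login" and ts.hour in LATE_NIGHT_HOURS:
            findings.add((user, day, "late-night login"))
        if event == "download":
            per_day[(user, day)] += nbytes
    # Volume is judged per user and day, so many small downloads add up.
    for (user, day), total in per_day.items():
        if total > limit:
            findings.add((user, day, "download volume %d bytes" % total))
    return sorted(findings)


if __name__ == "__main__":
    for user, day, reason in find_anomalies(parse_log(SAMPLE_LOG)):
        print(user, day, reason)
```

Run stand-alone it reports john's 02:13 login and his 109,000,000-byte download day, and nothing for alice or for john's normal working day; those two findings are what the platform would hand to the triage step.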
HOW IT WORKS: CLOUD SECURITY
• Restricting visibility and filtering data through a private cloud that isolates the client applications from unwanted traffic, ensuring protection.
• Monitoring data and only allowing legitimate users to gain access to the server, blocking the rest.
• Managing identity for access and also setting compliance rules to ensure the safety of the databases (bound by laws and regulations).
Cloud computing is opening companies up to new types of cyber threats.
Source: WordPress Tidbits and Web Design Resource
HOW IT WORKS: MOBILE SECURITY
• Prevent data leakage, ensuring that all important data is encrypted and enhancing security during the development process.
• Multiple security protection layers, without making any changes to the mobile app itself.
• Testing for vulnerabilities and risks, identifying where the (sensitive) data lives on the mobile device.
• Protecting data in the wild with obfuscation, to prevent changes to the code or malware repackaging.
Personal information is the most important thing we carry around.
Source: Shutterstock, Inc.
SECURITY MAIN ELEMENTS
Security relies on the elements described below
AUTHENTICATION
• Who are you? Applies to users, other services, processes, computers.
• Is the process uniquely identifying the clients of your applications and services?
AUTHORIZATION
• What can you do? The resources and operations that the authenticated client is permitted to access.
• Resources such as files, databases, tables, … and operations such as a product purchase.
AUDITING
• Together with logging, it is the key to non-repudiation.
• This mechanism guarantees that a user cannot deny performing an operation or initiating a transaction.
CONFIDENTIALITY
• Data cannot be gathered by unauthorized users or by monitoring the flow of traffic across a network.
• Encryption and access control lists (ACLs) are used to enforce privacy.
INTEGRITY
• Guarantee that data is protected from accidental or deliberate (malicious) modification.
• Hashing techniques and message authentication codes are often used.
AVAILABILITY
• Systems remain available for legitimate users.
• DoS (denial-of-service) attacks try to crash an application or to make sure that it is sufficiently overwhelmed.
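The AUDITING and INTEGRITY elements above meet in one common design: an audit log whose entries carry a message authentication code chained to the previous entry, so a user (or an attacker holding the application's privileges) cannot quietly rewrite or drop a record of what was done. The following is an added example, not the deck's code; the key, the entries and the assumption that the auditing service holds the key separately from the application are all constructed for illustration.

```python
"""Tamper-evident audit log: each record carries an HMAC over the entry and the
previous record's tag, so altering, deleting or reordering earlier records
breaks the chain and is detected at verification time.

Added example, not from the deck. Key and entries are constructed.
"""
import hashlib
import hmac
import json

# Assumption: this key is held by the auditing service, not by the application
# that writes entries, so compromising the application does not allow re-signing.
LOG_KEY = b"example-audit-key-not-for-real-use"


def _tag(key, prev_tag, entry):
    """MAC over the previous tag and the canonical JSON form of the entry."""
    payload = prev_tag + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(log, entry, key=LOG_KEY):
    """Append a record {"entry": ..., "tag": ...} chained to the last record."""
    prev_tag = log[-1]["tag"] if log else ""
    log.append({"entry": entry, "tag": _tag(key, prev_tag.encode(), entry)})
    return log


def verify_log(log, key=LOG_KEY):
    """Return (True, None) if intact, else (False, index of first bad record)."""
    prev_tag = ""
    for i, record in enumerate(log):
        expected = _tag(key, prev_tag.encode(), record["entry"])
        if not hmac.compare_digest(expected, record["tag"]):
            return False, i
        prev_tag = record["tag"]
    return True, None


def demo():
    """Build a small log, then show that editing or deleting a record is caught."""
    log = []
    append_entry(log, {"user": "john", "op": "purchase", "item": "A-1", "qty": 1})
    append_entry(log, {"user": "john", "op": "purchase", "item": "B-7", "qty": 3})
    append_entry(log, {"user": "alice", "op": "login"})
    clean = verify_log(log)

    edited = json.loads(json.dumps(log))          # deep copy via JSON round-trip
    edited[1]["entry"]["qty"] = 1                 # "I only bought one"
    deleted = [log[0], log[2]]                    # record 1 removed entirely
    return clean, verify_log(edited), verify_log(deleted)


if __name__ == "__main__":
    print(demo())
```

The deletion case is the one a plain per-record signature misses: record 2's tag was computed over record 1's tag, so once record 1 is gone, verification fails at index 1 even though the surviving records are individually valid.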
CORE SECURITY PRINCIPLES
Recommendations regardless of technology/scenario
Compartmentalize: reduce the surface area of attack.
Use least privilege: minimal privileges and access rights.
Apply defense in depth: do not rely on a single layer of security.
Do not trust user input: assume all input is malicious until proven otherwise.
Check at the gate: authenticate/authorize early, at the first gate.
Fail securely: do not leave sensitive data accessible.
Secure the weakest link: review any weak link in the chain for breaches.
Keep security simple: avoid complex architectures and use a simpler approach.
Create secure defaults: e.g. disable default accounts and enable them only when required.
Don't trust infrastructure/services: the application needs its own authentication/authorization of the surrounding systems.
Reduce your attack surface: if you do not use it, remove it or disable it.
Establish secure defaults: deliver an "out of the box" secure experience for users.
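Several of the principles above (check at the gate, do not trust user input, least privilege, fail securely, secure defaults) show up together in the shape of a single request handler. The code below is an added example, not the deck's: the user store, the role-to-permission table and the resource naming rule are constructed, and the point is the order of the checks and the fact that every path that is not an explicit allow ends in a denial.

```python
"""Gatekeeper pattern: authenticate and authorise before doing any work, treat
every input as untrusted, deny by default, and fail closed on errors.

Added example, not the deck's code. Users, roles and resources are constructed.
"""
import re

# Secure default: a role gets nothing unless it is listed here (least privilege).
PERMISSIONS = {
    "admin": {"read", "write", "delete"},
    "reader": {"read"},
}

# Constructed user store; in practice this comes from the identity provider.
# "carol" is a disabled default-style account: present, but not enabled.
USERS = {
    "alice": {"role": "admin", "active": True},
    "bob": {"role": "reader", "active": True},
    "carol": {"role": "admin", "active": False},
}

# Allow-list for resource names; anything else is rejected before use.
RESOURCE_RE = re.compile(r"[a-z0-9_-]{1,32}")


def handle_request(user, action, resource, store):
    """Return ("ok", result) or ("denied", reason); never raise to the caller."""
    try:
        # Gate 1: authentication. Unknown or disabled accounts stop here.
        account = USERS.get(user)
        if account is None or not account["active"]:
            return "denied", "authentication failed"
        # Gate 2: input validation, before the value touches anything.
        if not isinstance(resource, str) or not RESOURCE_RE.fullmatch(resource):
            return "denied", "invalid resource name"
        # Gate 3: authorisation. An unknown role has an empty permission set.
        allowed = PERMISSIONS.get(account["role"], set())
        if action not in allowed:
            return "denied", "not authorised"
        # Only now does the request do work.
        if action == "read":
            return "ok", store.get(resource)
        if action == "write":
            store[resource] = "written by %s" % user
            return "ok", "written"
        if action == "delete":
            store.pop(resource, None)
            return "ok", "deleted"
        # Default deny: a permitted action with no handler is still refused.
        return "denied", "unhandled action"
    except Exception:
        # Fail securely: an unexpected error never turns into an allow and
        # never leaks internals to the caller.
        return "denied", "internal error"


if __name__ == "__main__":
    s = {}
    print(handle_request("alice", "write", "report", s))
    print(handle_request("bob", "read", "report", s))
    print(handle_request("bob", "delete", "report", s))
    print(handle_request("carol", "read", "report", s))
```

Note the ordering: the cheapest and most decisive checks run first, so an unauthenticated caller never gets to exercise the input parser, and a malformed resource name never reaches the authorisation table.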
SOCIAL ENGINEERING HACK YOU
Simple trick with a phone call and crying baby
Hacking without any code, just using a phone, mail and a connection to the internet.
The focus in Social Engineering is to extract some information or data points that can be used in a later attack.
SHOULD WE FEAR HIJACKING?
Hackers remotely (and easily) kill a Jeep on highway
A type of network security attack that takes control of a communication.
In hijacking the attacker masquerades as one of the entities that communicate with each other.
Some typical scenarios are man-in-the-middle attack, browser hijacking or web site hijack.
THANKS !!
WORST HACKS, CYBERATTACKS, AND DATA BREACHES OF 2018: https://www.zdnet.com/pictures/these-are-the-worst-hacks-cyberattacks-and-data-breaches-of-2018
IBM SECURITY / IBM THINK ACADEMY: https://www.youtube.com/channel/UClAgZm2OXFpX8WoMsOpWoXA and https://www.youtube.com/channel/UCtVlDASwc48aPui_gGZg4dQ
ESET USA / JKT (A HIGH IQ COMPANY): https://www.youtube.com/channel/UCe2VfUzsF9E4_MpVbLxHjmA and https://jktech.com/insight/blogs/how-does-cloud-based-security-work/
OWASP TOP 10 MOST CRITICAL WEB APPLICATION SECURITY RISKS: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Editor's notes
PAM: Privileged Access Management refers to a class of solutions that help secure, control, manage and monitor privileged access to critical assets.
IAM: Identity and Access Management refers to a framework of policies and technologies for ensuring that the proper people in an enterprise have the appropriate access to technology resources.
DR: Disaster Recovery is an area of security planning that aims to protect an organization from the effects of significant negative events. DR allows an organization to maintain or quickly resume mission-critical functions following a disaster.
BCP: Business Continuity Planning is the process involved in creating a system of prevention and recovery from potential threats to a company. The plan ensures that personnel and assets are protected, and are able to function quickly in the event of a disaster. The BCP is generally conceived in advance and involves input from key stakeholders and personnel.
SIEM: Security Information and Event Management is an approach to security management that combines SIM (Security Information Management) and SEM (Security Event Management) functions into one security management system.
SOC: Security Operations Center is a centralized unit that deals with security issues on an organizational and technical level. A SOC within a building or facility is a central location from where staff supervises the site, using data processing technology. Typically, a SOC is equipped for access monitoring, and controlling of lighting, alarms, and vehicle barriers.
In order to detect advanced threats and breach activity more effectively, security methods can’t just focus on detection and prevention but must also include the ability to mitigate the impact once an attacker gets in. Organizations need to look at their security model holistically and gain continuous protection and visibility along the entire journey – from point of entry, through propagation, and post-infection remediation.
THREATS, VULNERABILITIES AND ATTACKS DEFINED
A threat is any potential occurrence, malicious or otherwise, that could harm an asset. In other words, a threat is any bad thing that can happen to your assets.
A vulnerability is a weakness that makes a threat possible. This may be because of poor design, configuration mistakes, or inappropriate and insecure coding techniques. Weak input validation is an example of an application layer vulnerability, which can result in input attacks.
An attack is an action that exploits a vulnerability or enacts a threat. Examples of attacks include sending malicious input to an application or flooding a network in an attempt to deny service.
1995: JavaScript was released to make it easier for developers to build interactive websites, and it wasn’t long before hackers began exploiting this new technology with techniques such as cross-site scripting (XSS). Some efforts were made to combat the issue, but it wasn’t until the infamous Samy worm defaced and took down MySpace in 2005 that developers and hackers began to take notice.
1998: A security researcher named Jeff Forristal (aka Rain Forrest Puppy) discovered the injection method of attack and detailed his findings on message boards. His findings were a warning to the industry of this imminent threat to Data Security. Indeed, many attacks followed, such as the SQL injection attack on Guess.com in 2002, which compromised over 200,000 names and credit card numbers. Injection remains to this day one of the top threats to Application Security.
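The injection method described above, and the "weak input validation" vulnerability in the definitions earlier in these notes, can be shown side by side in a few lines: a query built by string formatting lets the untrusted value change the shape of the SQL, while a parameterised query sends the value to the driver separately so it can only ever be data. This is an added example, not code from the deck; the table, rows and card values are constructed and use an in-memory SQLite database so it runs offline.

```python
"""String-built SQL versus parameterised SQL, run against a throwaway SQLite
database. Added example, not from the deck; table contents are constructed.
"""
import sqlite3


def make_db():
    """Create an in-memory table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, card TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "4111-CONSTRUCTED-0001"), ("bob", "4111-CONSTRUCTED-0002")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """The untrusted value is pasted into the SQL text (weak input validation)."""
    sql = "SELECT name, card FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """The driver binds the value separately; it cannot alter the query shape."""
    return conn.execute(
        "SELECT name, card FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # The textbook tautology input: the vulnerable query returns every row,
    # the parameterised one looks for a user literally named that and finds none.
    probe = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, probe))
    print("safe:      ", lookup_safe(conn, probe))
```

For a reviewer, the tell is the `%` (or `+`, or an f-string) next to a query string; the fix is always the same, bind the value, and an allow-list on the input (as in the gatekeeper example) is defence in depth on top of that, not a substitute.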
COMPUTER VIRUS
Hidden malicious code that copies itself on computers without consent.
WORM
Similar to a virus, but can quickly spread over the Internet independently (both can perform harmful acts once they've gotten into your system).
TROJAN
Disguises itself as a normal or desirable program to trick you into installing it, then performs various malicious functions such as deleting files, granting remote access to your computer, or key logging, which is recording your keystrokes to obtain personal information and passwords.
ROOTKIT
Threat that conceals other malware so it stays hidden from you, making it more difficult to detect and delete.
RANSOMWARE
Locks you out of your files and demands payment in order to restore access.
SPYWARE
Collects sensitive personal information from a computer, such as key logging your passwords or credit card numbers.
ETHICAL/WHITE HAT HACKER
They know how to find and exploit vulnerabilities and weaknesses in various systems (just like a malicious/black hat hacker) trying to find vulnerabilities and fix them before the bad guys can get there and try to break in. The role is similar to a penetration tester, but breaking into systems legally and ethically.
EXPERT/SCRIPT KIDDIES CRACKERS
The former discover new security holes and often write programs that exploit them; the latter only know how to obtain these programs and run them (more numerous, but much easier to stop and detect).
CARDER
Expert in fraud with credit cards. They generate fake numbers and access codes that successfully violate control systems to steal and clone cards.
PHARMER
They are engaged in phishing attacks, where the user believes they are entering a real site and actually enters their data in one created by the hacker. Later they use the credentials to steal funds from the accounts of their victims.
In man-in-the-middle attack the perpetrator takes control of an established connection while it is in progress. The attacker intercepts messages in a public key exchange and then retransmits them, substituting their own public key for the requested one, so that the two original parties still appear to be communicating with each other directly.
In browser hijacking a user is taken to a different site than requested (e.g. by gaining access to DNS records on a server, or by spoofing valid e-mail accounts and flooding the inboxes of the technical and administrative contacts).
In web site hijack the perpetrator simply registers a domain name similar enough to a legitimate one that users are likely to type it, either by mistaking the actual name or through a typo (e.g. sending users to a pornographic site).
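The man-in-the-middle note above, where the attacker substitutes their own public key in an exchange so both parties still believe they are talking directly, is worth seeing in working form together with the control that stops it: authenticating the exchanged public values. This is an added example, not the deck's code. The Diffie-Hellman group (prime 2**61-1, generator 3) is a toy far too small for real use, and the pre-shared long-term key used to tag public values is a stand-in for each party's signing key; both are constructed assumptions.

```python
"""Unauthenticated key exchange under a man-in-the-middle, then the same
exchange with authenticated public values.

Added example, not from the deck. The group parameters are a toy and the
pre-shared LONG_TERM_KEY stands in for a real signature key.
"""
import hashlib
import hmac
import secrets

P = 2 ** 61 - 1                              # toy prime, never for real traffic
G = 3
LONG_TERM_KEY = b"constructed-long-term-key"  # models the honest parties' signing key


class Party:
    def __init__(self, name, auth_key=None):
        self.name = name
        self.auth_key = auth_key               # None => unauthenticated exchange
        self.secret = secrets.randbelow(P - 2) + 1
        self.public = pow(G, self.secret, P)

    def tag(self):
        """Authenticate our public value (stand-in for a digital signature)."""
        return hmac.new(self.auth_key, str(self.public).encode(), hashlib.sha256).hexdigest()

    def accept(self, peer_public, peer_tag=None):
        """Derive the shared secret; if authentication is on, verify the tag first."""
        if self.auth_key is not None:
            expected = hmac.new(self.auth_key, str(peer_public).encode(), hashlib.sha256).hexdigest()
            if peer_tag is None or not hmac.compare_digest(expected, peer_tag):
                raise ValueError("peer public value is not authentic")
        return pow(peer_public, self.secret, P)


def unauthenticated_exchange():
    """Mallory replaces each public value with her own in both directions.

    Returns (alice_and_bob_disagree, mallory_shares_a_key_with_each).
    """
    alice, bob, mallory = Party("alice"), Party("bob"), Party("mallory")
    key_alice = alice.accept(mallory.public)   # Alice believes this came from Bob
    key_bob = bob.accept(mallory.public)       # Bob believes this came from Alice
    m_with_alice = mallory.accept(alice.public)
    m_with_bob = mallory.accept(bob.public)
    return key_alice != key_bob, (key_alice == m_with_alice and key_bob == m_with_bob)


def authenticated_exchange():
    """Same substitution attempt, but honest values carry a tag Mallory cannot forge.

    Returns (honest_parties_agree, forged_value_rejected).
    """
    alice, bob = Party("alice", LONG_TERM_KEY), Party("bob", LONG_TERM_KEY)
    mallory = Party("mallory", b"mallory-does-not-have-the-key")
    honest_a = alice.accept(bob.public, bob.tag())
    honest_b = bob.accept(alice.public, alice.tag())
    try:
        bob.accept(mallory.public, mallory.tag())
        rejected = False
    except ValueError:
        rejected = True
    return honest_a == honest_b, rejected


if __name__ == "__main__":
    print("unauthenticated:", unauthenticated_exchange())
    print("authenticated:  ", authenticated_exchange())
```

The unauthenticated run ends with Alice and Bob holding different keys, each of which Mallory also holds, which is exactly the "still appear to be communicating directly" outcome in the note. In the authenticated run the two honest parties agree and Bob refuses the substituted value; in real protocols that role is played by certificates or signatures over the ephemeral keys, which is why certificate validation failures must never be silently ignored.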