Read these 40 slides on why people should care about web application security including the latest stats and descriptions of common attacks. Presented at the Cyber Security Conference in New York, June 2010.
The Web Application Security Crisis
1. The Web Application Security Crisis
June 2010
Jon Zucker - Senior Product Manager
Cenzic Confidential 1
2. Agenda
Cenzic
Survey
Web App Security and evolution
Case Studies
Vulnerability examples
The “Tops”
Practical Approaches
Discussion/Q&A
3. About Cenzic
Cenzic secures Websites against hacker
attacks via its automated Web vulnerability
scanning technology (on-premise software Hailstorm
and SaaS products)
Cenzic helps its customers secure trillions of
dollars in Web commerce
Cenzic provides compliance testing for GLBA /
PCI / SOX & other regulations
4. Survey…
Current situation
Solutions deployed
• Manual
• Dynamic
• Static
• WAF
• Other
On Premise
SaaS
How often
5. Corporate Security Evolution
[Diagram: three eras of corporate security, each adding a layer in front of the last]
1980s: Desktop and Content Security (Client)
1990s: Network Security (Firewall, IDS/IPS: Intrusion Detection and Prevention)
2000s: Application Security (Web App Server, Database Server); ports 443 & 80 still open to the Internet
8. Drivers for Web Application Security
Protecting brands
• Security breach at App layer can seriously
hurt customer trust
Complying with regulations
• PCI, GLBA, HIPAA, AB 1950, and many
others
Testing all applications on a
continuous basis
• To stay ahead of new vulnerabilities
Protect from the 400+ new threats per month by
continually testing Production Applications
9. So what’s in my Web Application?
[Diagram: the layers of a web application, from the user down]
User / Browser
UI Layer: JavaScript, HTML/DHTML, DOM, Cookies, Plug-Ins/API, Java
Communication Layer: HTTP, HTTP-S, SSL, Authentication, Digital Certificates, Signatures
Middleware Layer: Web Server, App Server, ASP, COM, DCOM, CORBA, LDAP Server
Data Layer: Databases, XML, HTML, CSS/XSL, Raw Data, File System, SW/HW
Individual Applications (Source Code): Financial, HR, Order, Inventory Management
10. Stats
Hackers are attacking everyone…
• Banks, Credit Unions, Government Agencies, Small companies, Large
companies – Equal opportunity
87% of Websites are vulnerable to attack
Source: SearchSecurity – January 2009
75% of enterprises experienced some form of cyber attack
in 2009
Source: Symantec Internet Security Report – April 2010
90% of Websites are vulnerable to attack
Source: Verizon Business Data Breach Report – April 2009
$6.6 Million is the average cost of a data breach
Source: Ponemon Institute – January 2009
16. No One Wants To Be in the Press
“Who is responsible when a hack occurs?”
“False sense of Security”
“Concerns with finding all vulnerabilities”
“Worried”
17. Why worry?
Source: People's Daily Online 5-19-10
A total of 81 government Web sites in China were tampered from May 10 to May 16, down 35 percent compared to the previous week, according to a report released by National Computer Network Emergency Response Technical Team. As of 12 p.m. on Monday, 29 hacked government Web sites had still not been restored, including four provincial Web sites. Monitoring shows major threats are from software risk loopholes, spread of malicious codes and page revisions. The report revealed 150 .CN malicious domain names, five malicious codes and five software loopholes. And .xorg.pl, a malicious domain group registered in Poland, has more than 100 malicious domain names and has been used to tamper with many Chinese Web sites and users. Data shows security awareness and security measures should be strengthened. And 124 government Web sites were hacked from May 2 to May 9.
Slide callouts:
• 81 govt sites tampered May 10th-16th, down 35%
• 29 hacked sites… still not been restored
• 150 .CN malicious domain names
• 5 malicious codes
• 5 software loopholes
• Malicious domain group registered in Poland: 100 malicious domain names
• Security awareness and security measures should be strengthened
• 124 Web sites were hacked from May 2-9
19. Specific Hacking Case Studies:
Heartland
Disclosed in January, 2009
Up to 130M cards exposed – largest attack (more than TJX)
• Not discovered until late 2008
• Impact:
• Stock price went down 78%
• Breach related expenses of $140 million
• Millions of dollars in damages and recovery
• Embarrassment for the company
• Revenue loss
• Learning:
• PCI compliance ≠ App security
20. Specific Hacking Case Studies:
RBS World Pay
Disclosed in December, 2008
Up to 1.5M cards stolen
• Installed Malware
• Cloned cards were given to an army of “cashers” across 49 cities
around the world
• Visited 2,100 ATM machines in 280 cities
• Impact:
• $9M stolen in less than 12 hours
• Embarrassment for the company
• Reputation damage
• Learning:
• Hackers are getting very sophisticated and organized
22. Cross-Site Scripting (XSS)
What is it?: Found in web applications that let a malicious user inject script into the web pages viewed by other users. The Web Application is used to store, transport, and deliver malicious active content to an unsuspecting user. Used by attackers to bypass access controls such as the same-origin policy. Recently used to craft powerful phishing attacks and browser exploits.
Root Cause: Failure to proactively reject or scrub malicious characters from input vectors.
23. Impacts of XSS
Session Hijacking: Hacker can steal the session id of the user and use it to conduct transactions
Record Key Strokes: Hacker can record all the keystrokes of
the victim
Entry point: Hacker can use XSS to hack into the network
and go deeper into other servers
Steal information: A victim’s files and PII can be accessed
and exploited by the hacker
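The two XSS slides above describe the defect (untrusted input reaching other users' pages unchanged) and the session-hijacking impact. The following is an added example, not part of the deck or Cenzic's products: a page fragment rendered with raw interpolation next to the same fragment with contextual output encoding, parsed the way a browser would to show which tags each version creates, plus the HttpOnly cookie flag that keeps a session id out of reach of injected script. The comment text, the template and the cookie name are constructed for the demo.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: a comment an untrusted user submits to a page
# that echoes comments back to every other visitor (constructed, not real).
UNTRUSTED_COMMENT = '<script>alert("xss")</script><img src=x onerror="alert(1)">'

def render_comment_vulnerable(comment: str) -> str:
    """The 'before' picture: user data interpolated straight into HTML, so
    any markup in the comment is parsed and executed in the victim's browser."""
    return f'<li class="comment">{comment}</li>'

def render_comment_hardened(comment: str) -> str:
    """Contextual output encoding: escape the data for an HTML text node at
    the moment it is rendered. quote=True also neutralises quotes, so the
    same helper is safe inside a double-quoted attribute value."""
    return f'<li class="comment">{html.escape(comment, quote=True)}</li>'

class _TagCollector(HTMLParser):
    """Records every start tag a browser-like parser would create."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def start_tags(fragment: str) -> list[str]:
    """Parse a rendered fragment and return the tags it produces; only the
    template's own <li> should ever appear for the hardened renderer."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags

def session_cookie_header(session_id: str) -> str:
    """Defence in depth for the session-hijacking impact on the slide: an
    HttpOnly, Secure session cookie cannot be read by injected script."""
    return f"Set-Cookie: sid={session_id}; HttpOnly; Secure; SameSite=Strict; Path=/"

if __name__ == "__main__":
    print("vulnerable tags:", start_tags(render_comment_vulnerable(UNTRUSTED_COMMENT)))
    print("hardened tags:  ", start_tags(render_comment_hardened(UNTRUSTED_COMMENT)))
```

Encoding at the point of output, per context, is what makes the fix hold; input filtering alone tends to miss encodings the filter never anticipated.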
24. SQL Injection
What is it?: Database contents are compromised or disclosed
by the use of specially crafted form input that manipulates
SQL Query Logic.
Root Cause: Failure to properly sanitize, reject, or escape
domain-specific SQL characters from an input vector.
25. Impacts of SQL Injection
Customer information: Hacker can get access to all your
customer records
Public Defacement: Hackers can easily deface thousands of
sites with one attack
Database Server: Hacker can compromise a database
server with SQL attacks
Bypass Log-in: By using simple SQL commands, a hacker
can bypass the log-in credentials
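To make the two SQL injection slides concrete, here is an added example (not from the deck): a login query built by string concatenation, which is the root cause named above, next to the same query with bound parameters, run against a constructed in-memory SQLite table so the "bypass log-in" impact can be observed and then shown to be closed. The table, account and inputs are constructed for the demo.

```python
import sqlite3
from typing import Optional, Tuple

def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample database with one account (not real data).
    Passwords are kept in clear text only to keep the demo short; a real
    system stores a salted hash and compares against that."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str,
                     password: str) -> Optional[Tuple[str]]:
    """The 'before' picture: form input concatenated into the SQL text, so a
    quote character in the input rewrites the query logic."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()

def login_hardened(conn: sqlite3.Connection, username: str,
                   password: str) -> Optional[Tuple[str]]:
    """Parameterized query: the SQL text is fixed and the values travel
    separately as bound parameters, so they are only ever compared as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()

if __name__ == "__main__":
    db = make_db()
    # Constructed tautology input of the kind the "Bypass Log-in" impact refers to.
    bad_password = "x' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "nobody", bad_password))  # a row comes back
    print("hardened:  ", login_hardened(db, "nobody", bad_password))    # None
```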
28. Top 5 Web Security Myths
I have SSL so that’ll protect my Web site
• SSL ≠ App Security
Have never been hacked
• How do you know?
PCI compliant
• Heartland, Hannaford…
I can test a few of my Web applications once a year
• Any vulnerable site is your weakest link
Expensive
• Many flexible options to get you jump-started
29. Top Reason #1
Web Applications Are Getting More Complex
Web 2.0 technologies exacerbate the problem
• Think you are not using Web 2.0? Think again!
e.g. Software mashups
• How do you know any of the original app is secure?
• How do you know the resulting app does not include new vulns?
30. Top Reason #2
Compliance Pressure Isn’t Letting Up
(PCI, SOX, GLBA, HIPAA, FFIEC, …)
Each regulation may have some level of implication on application security
PCI section 6 has specific provision requirements for Web security
We expect more regulations to follow suit
• California AB 211, section 1, 56.36 (b)
31. Top Reason #3
Third Party Code is Prevalent
• Outsourced, open source, and packaged applications
Enterprises use more open source code than they
know
• Apache, Net SNMP, Zlib, JBoss
Few software outsourcing providers have secure
coding provisions or service level guarantees
Do you know the security quality of third-party code
and apps?
33. Application Security Maturity Model
[Chart: Tools & Technology (low to high) against People & Process (low to high); stages: Panic, Scramble, Pit of Despair, Security as Core Business Process]
34. Enterprise Security Challenge
[Diagram: the C-Level asks “Will I get Hacked?”; Information Security sits between them and three Business Units, each with its own Dev and QA teams and its own App 1, App 2 and App 3 in Pre-Production (Dev, QA, Staging) and in Production]
35. Web & Software Security Lifecycle
[Timeline: Training, Planning, Dev Begins, Alpha/Beta, Launch, Production/update1, update2, ... with Scanning/Testing throughout]
Application Security is NOT a One Time Event but a Discipline Over Time!
36. SDLC & Black Box Testing
Software Development Life Cycle phases: Design, Build, Deploy, Operate
Activities across the lifecycle:
• Code Review
• Build & Test Automation
• White Box Testing
• Black Box Testing
• Pen Test
• Decision Support & Process Optimization
37. You May Have To Change
Internal Procedures & Processes
Buy in
• Management
• Grass roots
Create a dedicated application security role
• Align this role with business, operations, development and QA
• Define responsibility and accountability structure
Engage business to define priorities, standards, and policies
Seat at the table…
38. You May Have To Change
Internal Procedures & Processes
Move certain security functions into operations
• Security measures must be simple enough for non-experts
• Must integrate with existing operational procedures and tools
Metrics
• Implement reporting and metrics to measure risk
• Identify technology solutions/services that will provide
meaningful metrics
• Review, rinse, repeat
START!
39. Final Thoughts
This is real
Bad guys are getting smarter
Think about process/strategy
Test frequently
Starting Early = less $$