
Strategies for Web Application Security

Date post: 30-Oct-2014
Learn about OpSource enterprise cloud and managed hosting in a webinar on ‘Strategies for web application security’.
Transcript
Page 1: Strategies for Web Application Security

© 2010 OpSource, Inc. All rights reserved.

Webinar: Strategies for Web Application Security

Featuring:

Andy Hoernecke, Sr. Application Security Consultant, Neohapsis

David McKenzie, Sr. Director Business Consulting, OpSource

Turn up the speakers on your computer for streamed audio or dial in to:

– U.S.: (888) 669-5051
– International: (303) 330-0440 (Room: *8886695051#)

The webinar will begin at 9am PT / Noon ET

Page 2: Strategies for Web Application Security

Agenda

• Housekeeping

• Intro to OpSource

• Featured Presentation by Neohapsis

• Q&A Session

Page 3: Strategies for Web Application Security

Welcome!

• Moderating: Dave McKenzie, Sr. Director Business Consulting, OpSource

• All phones are set on mute

• If you have a question, please use the Chat Q&A box located below the presentation panel

• We will collect questions throughout the webinar and answer as many as we can at the end

• If we don’t answer your question, we’ll follow-up with an answer via email

• Full-screen button will let you toggle between a larger image view and the view with Q&A box to type in questions – you can use it throughout the webinar

Page 4: Strategies for Web Application Security

OpSource: Enterprise Cloud and Managed Hosting

• OpSource provides Enterprise Cloud and Managed Hosting Services

• Solutions for SaaS, Enterprise, Telecoms and Cloud Platforms

• Investors: Crosslink Ventures, Velocity Interactive Group, Intel and NTT

• Offices: Santa Clara, CA (HQ); Herndon, VA; Dublin, London, Bangalore

• Unmatched Industry Experience
  – SaaS Hosting and Scaling Software-Oriented Architectures (SOA)
  – High Performance, Secure Cloud Computing

Founded in 2002

Page 5: Strategies for Web Application Security

OpSource Serves 600+ Clients with Millions of End-Users

SaaS & Managed Hosting Hybrid Hosting Cloud Hosting

Page 6: Strategies for Web Application Security

OpSource Partner Ecosystem

Telecom Distribution Consulting Cloud Platform Infrastructure

Page 7: Strategies for Web Application Security

Andy Hoernecke, Sr. Application Security Consultant, Neohapsis

• Sr. Application Security Consultant

• Graduate of Iowa State University with a Master's degree in Information Assurance and Computer Engineering

• Performs a variety of assessments including penetration tests, blackbox / whitebox assessment, SDLC review, and security tool implementation

• Industries served include Federal/Local Government, Financial Services, Entertainment, Manufacturing, Retail, and Internet Service Providers

Page 8: Strategies for Web Application Security

Strategies for Web Application Security

Andy Hoernecke, Sr. Application Security Consultant

April 13th, 2011

Page 9: Strategies for Web Application Security

Neohapsis Confidential

Agenda

• Background

• Tool Introduction

• Web Application Scanning Strengths/Weaknesses

• Where Scanning Makes Sense

• SDL Integration

• Supplemental Security Measures

Page 10: Strategies for Web Application Security

Background

• ~96% of records breached involved “hacking” or malware

• ~92% of records stolen through “hacking” involved a web application

• Most commonly exploited web application vulnerabilities include:
  – SQL Injection
  – Brute Force Attacks
  – OS Commanding
  – Default/Guessable Credentials
  – Cross-Site Scripting

Source: 2010 Data Breach Investigations Report, Verizon Business Risk Team

Page 11: Strategies for Web Application Security

Tool Introduction: Dynamic Analysis

Tests running web applications by making requests as a normal user would

• Examples:
  – IBM AppScan
  – HP WebInspect
  – WhiteHat

• Scanning phases generally include:
  – Spidering
  – Fault Injection
  – Analysis
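The three phases above, run end to end, as an added example that is not code from the webinar or from any of the scanners it names. It is a toy dynamic scanner working against an in-memory stand-in for a web application: the pages, the link structure and the canary string are all constructed for the illustration, and nothing touches the network. The same search page is provided in an unescaping and an escaping variant so the analysis phase has both a finding and a clean result to report.

```python
"""
Added example (not code from the webinar or from any scanner it names):
a toy dynamic scanner that runs spidering, fault injection and analysis
against an in-memory stand-in for a web application. The application,
its pages and the canary string are all constructed for this illustration.
"""
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Each "page" is a function of the parsed query string and returns an HTML body.
def home_page(query):
    return '<html><a href="/search?q=test">Search</a> <a href="/about">About</a></html>'

def search_page_unsafe(query):
    term = query.get("q", [""])[0]
    return f"<html>Results for {term}</html>"              # echoes input without escaping

def search_page_safe(query):
    term = query.get("q", [""])[0]
    return f"<html>Results for {html.escape(term)}</html>"  # output encoding applied

def about_page(query):
    return "<html>About us</html>"

APP_UNSAFE = {"/": home_page, "/search": search_page_unsafe, "/about": about_page}
APP_SAFE = {"/": home_page, "/search": search_page_safe, "/about": about_page}

def fetch(app, url):
    """Stand-in for an HTTP GET: route on the path, hand the query string to the page."""
    parts = urlsplit(url)
    handler = app.get(parts.path)
    if handler is None:
        return 404, ""
    return 200, handler(parse_qs(parts.query))

HREF_RE = re.compile(r'href="([^"]+)"')

def spider(app, start="/"):
    """Phase 1: follow links breadth-first and record each page's parameter names."""
    surface, visited, queue = {}, set(), [start]
    while queue:
        url = queue.pop(0)
        parts = urlsplit(url)
        if parts.path in visited:
            continue
        visited.add(parts.path)
        status, body = fetch(app, url)
        if status != 200:
            continue
        surface[parts.path] = sorted(parse_qs(parts.query))
        queue.extend(HREF_RE.findall(body))
    return surface

# Benign marker carrying the characters that HTML output must escape (constructed)
CANARY = 'scan<"probe">'

def fault_inject(app, surface):
    """Phase 2: resend every discovered parameter with the canary and keep the responses."""
    responses = []
    for path, params in surface.items():
        for name in params:
            status, body = fetch(app, f"{path}?{urlencode({name: CANARY})}")
            responses.append((path, name, status, body))
    return responses

def analyse(responses):
    """Phase 3: a 200 response that echoes the canary verbatim is reported as unescaped reflection."""
    return [
        {"path": path, "param": name, "issue": "unescaped reflection"}
        for path, name, status, body in responses
        if status == 200 and CANARY in body
    ]

def scan(app):
    """Run all three phases and return the list of findings."""
    return analyse(fault_inject(app, spider(app)))

if __name__ == "__main__":
    print("attack surface:", spider(APP_UNSAFE))
    print("unsafe app:", scan(APP_UNSAFE))
    print("safe app:", scan(APP_SAFE))
```

The spider only discovers parameters it can see in links, which is the root of the weaknesses discussed later: a parameter that only appears after a login or in a multi-step form never enters `surface`, and the canary is never sent to it.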

Page 12: Strategies for Web Application Security

Tool Introduction: Static Analysis

Tests through the analysis of source or object code

• Examples:
  – Fortify
  – Veracode

• Capabilities vary greatly:
  – May require compilable code
  – May only handle certain languages

Not currently as widely adopted
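A miniature of the source-code analysis described on this slide, as an added example that is not code from the webinar or from Fortify or Veracode. It parses Python source into an AST and flags `execute()` calls whose SQL text is assembled at run time; the sample source is constructed for the illustration. The rule is deliberately narrow: it understands one language and one pattern, which is the "capabilities vary greatly" caveat in miniature.

```python
"""
Added example (not code from the webinar or from any product it names):
a toy static check that flags SQL built at run time. The sample source
and the rule are constructed for this illustration.
"""
import ast

# Constructed sample: two query helpers, one of which formats user input into SQL
SAMPLE_SOURCE = '''
def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '%s'" % name)

def find_user_safe(cur, name):
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))

def greet(name):
    return "hello %s" % name
'''

class DynamicSqlFinder(ast.NodeVisitor):
    """Records the line of every .execute(...) whose first argument is built dynamically."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        is_execute = isinstance(node.func, ast.Attribute) and node.func.attr == "execute"
        if is_execute and node.args and self._is_dynamic_string(node.args[0]):
            self.findings.append(node.lineno)
        self.generic_visit(node)   # keep walking into nested calls

    @staticmethod
    def _is_dynamic_string(expr):
        # "..." % x  and  "..." + x
        if isinstance(expr, ast.BinOp) and isinstance(expr.op, (ast.Mod, ast.Add)):
            return True
        # f"..."
        if isinstance(expr, ast.JoinedStr):
            return True
        # "...".format(x)
        if (isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute)
                and expr.func.attr == "format"):
            return True
        return False

def find_dynamic_sql(source):
    """Return the line numbers of execute() calls whose query text is built at run time."""
    finder = DynamicSqlFinder()
    finder.visit(ast.parse(source))
    return finder.findings

if __name__ == "__main__":
    print("dynamic SQL on lines:", find_dynamic_sql(SAMPLE_SOURCE))
```

Note what the rule does not see: a query string assembled in a helper and passed in as a variable, or any code in a language the parser does not handle. Neither limitation produces an error, only silence, which is the same false-negative problem the dynamic scanners have.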

Page 13: Strategies for Web Application Security

Dynamic Analysis Strengths

• Performing tedious tests (fuzzing)
  – XSS
  – File path manipulation
  – SSL issues

• Signature-based tests
  – Known vulnerabilities in common applications

• Sensitive information checks
  – Default files/scripts
  – Certain types of information disclosure (internal IP addresses)

• Configuration issues

• Parameter-based fault injection

Page 14: Strategies for Web Application Security

Dynamic Analysis Weaknesses

• Logic bugs
  – Example: negative pricing/quantity

• Authentication issues
  – SSO related

• Authorization problems
  – User role enforcement
  – Forced browsing

• Vulnerabilities that are part of complex/multi-step processes

• Identifying discrete pages in “rewritten URLs”

• Results can vary greatly based on configuration and scanner in use
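Two of the bug classes on this slide that a dynamic scanner has no oracle for, as an added example that is not code from the webinar: the negative-quantity logic bug and the forced-browsing authorization problem, each shown as the vulnerable handler beside a hardened one. The catalogue, route table, users and roles are all constructed for the illustration. In both vulnerable cases the application answers with a normal response, which is exactly why fault injection does not notice them.

```python
"""
Added example (not code from the webinar): a negative-quantity logic bug
and a forced-browsing authorization bug, vulnerable beside hardened.
Prices, routes, users and roles are constructed for this illustration.
"""
from dataclasses import dataclass
from decimal import Decimal

CATALOGUE = {"widget": Decimal("19.99"), "gadget": Decimal("5.00")}   # constructed prices

class OrderError(ValueError):
    """Raised when an order line fails server-side validation."""

def order_total_vulnerable(lines):
    """Logic bug: price * quantity with no range check, so a negative quantity becomes a credit."""
    total = Decimal("0")
    for sku, qty in lines:
        total += CATALOGUE[sku] * qty
    return total

def order_total_hardened(lines, max_qty=100):
    """Each line must name a real SKU and carry a positive integer quantity within policy."""
    total = Decimal("0")
    for sku, qty in lines:
        if sku not in CATALOGUE:
            raise OrderError(f"unknown sku {sku!r}")
        if type(qty) is not int or not 1 <= qty <= max_qty:   # rejects bool, 0, negatives, floats
            raise OrderError(f"invalid quantity {qty!r} for {sku}")
        total += CATALOGUE[sku] * qty
    return total

def order_is_valid(lines):
    """Convenience wrapper: True when the hardened validation accepts every line."""
    try:
        order_total_hardened(lines)
        return True
    except OrderError:
        return False

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset

# Which roles may reach which path (constructed)
ROUTE_ROLES = {
    "/account": {"user", "analyst", "admin"},
    "/reports": {"analyst", "admin"},
    "/admin/users": {"admin"},
}

def menu_for(user):
    """Navigation lists only the links the user's roles allow."""
    return sorted(path for path, roles in ROUTE_ROLES.items() if user.roles & roles)

def authorize_vulnerable(user, path):
    """Forced browsing: the link is hidden from the menu, but any known path is served to anyone."""
    return path in ROUTE_ROLES

def authorize_hardened(user, path):
    """Role enforcement at the endpoint: unknown paths and missing roles are both denied."""
    required = ROUTE_ROLES.get(path)
    return required is not None and bool(user.roles & required)

if __name__ == "__main__":
    basket = [("widget", 2), ("gadget", -3)]
    print("vulnerable total:", order_total_vulnerable(basket))   # credit instead of a charge
    print("hardened accepts:", order_is_valid(basket))
    bob = User("bob", frozenset({"user"}))
    print("bob's menu:", menu_for(bob))
    print("bob at /admin/users, vulnerable:", authorize_vulnerable(bob, "/admin/users"))
    print("bob at /admin/users, hardened:", authorize_hardened(bob, "/admin/users"))
```

A scanner that spiders as `bob` never sees `/admin/users` in the menu and so never requests it, and a checkout that returns a well-formed order page for quantity -3 looks like success to the analysis phase. Both bugs are found by reading the code or by a tester who knows what the business rule is supposed to be, which is the case for manual testing and SDL integration made on the later slides.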

Page 15: Strategies for Web Application Security

Percent Vulnerabilities Identified

Source: Suto, Larry. "Analyzing the Accuracy and Time Costs of Web Application Security Scanners." (2001)

Page 16: Strategies for Web Application Security

Experience Needed

• Web application scanners are not like antivirus tools

• Most will require tuning and customization to get good results
  – Login and session management can often cause problems

• There WILL be false positives

• Tuning and interpretation of results requires application security knowledge

• Unlikely that canned reports can be handed off to average developers without some additional explanation

Page 17: Strategies for Web Application Security

Where Scanning Makes Sense

Application Scanning is a piece of the overall SDL

Most standard web applications using HTTP/HTTPS

Modern scanners provide decent JavaScript parsing

Mostly platform/language independent

As the first stage of a manual assessment

Page 18: Strategies for Web Application Security

Where Scanning Doesn’t Make Sense

• Applications heavily reliant on client-side code

• Non-HTTP applications
  – CORBA
  – RMI
  – Proprietary protocols

• Results could be limited for:
  – Web services/SOAP APIs
  – Very AJAX-intensive applications
  – Other client-side technologies (Flash, Silverlight)

• Completely static sites

Page 19: Strategies for Web Application Security

Application Scanning and SDL

• Web application scanners are valuable as part of the Secure Development Lifecycle

• Variables include:
  – How frequently to scan, dependent on several factors: application/data sensitivity, development cycle, business criticality, available resources
  – Which environments to scan?

• Production
  – Generally the most important code base to be secure
  – Requires the most care, as outages are generally not well received

• QA, Staging, Development
  – Good to catch vulnerabilities before they are rolled into production
  – Many development groups have their hands full fixing issues in production

Page 20: Strategies for Web Application Security

Application Scanning and SDL

• Dynamic scanning has limitations
  – Won’t be able to find everything a code review could find
  – Can provide findings relatively quickly and help focus on potentially insecure areas of an application

Page 21: Strategies for Web Application Security

Supplementing Application Scanning

• Periodic manual testing for sensitive applications
  – Blackbox, greybox, whitebox
  – May be targeted to certain functionality

• Standard IT best practices
  – Separation of duties
  – Defense in depth

• Working in security during earlier development phases
  – Security requirements
  – Architecture review

• Developer security training/awareness

Page 22: Strategies for Web Application Security

Questions & Answers / Contact Info

Q & A: Type your questions into the chat box below the presentation panel

Contact OpSource: Dave McKenzie – [email protected] Inquiries – [email protected] or 800-664-9973

Recorded webinar and slides will be posted within 48 hours on the OpSource website.
