Posted: 30-Oct-2014 | Uploaded by: opsource
© 2010 OpSource, Inc. All rights reserved.
Webinar: Strategies for Web Application Security
Featuring:
Andy Hoernecke, Sr. Application Security Consultant, Neohapsis
David McKenzie, Sr. Director Business Consulting, OpSource
Turn up the speakers on your computer for streamed audio or dial in to:
– U.S.: (888) 669-5051
– International: (303) 330-0440 (Room: *8886695051#)
The webinar will begin at 9am PT / Noon ET
Agenda
• Housekeeping
• Intro to OpSource
• Featured Presentation by Neohapsis
• Q&A Session
Welcome!
• Moderating: Dave McKenzie, Sr. Director Business Consulting, OpSource
• All phones are set on mute
• If you have a question, please use the Chat Q&A box located below the presentation panel
• We will collect questions throughout the webinar and answer as many as we can at the end
• If we don't answer your question, we'll follow up with an answer via email
• The full-screen button lets you toggle between a larger image view and the view with the Q&A box for typing in questions – you can use it throughout the webinar
OpSource: Enterprise Cloud and Managed Hosting
• OpSource provides Enterprise Cloud and Managed Hosting Services
• Solutions for SaaS, Enterprise, Telecoms and Cloud Platforms
• Investors: Crosslink Ventures, Velocity Interactive Group, Intel and NTT
• Offices: Santa Clara, CA (HQ); Herndon, VA; Dublin, London, Bangalore
• Unmatched Industry Experience
  – SaaS Hosting and Scaling Software-Oriented Architectures (SOA)
  – High Performance, Secure Cloud Computing
Founded in 2002
OpSource Serves 600+ Clients with Millions of End-Users
SaaS & Managed Hosting Hybrid Hosting Cloud Hosting
OpSource Partner Ecosystem
Telecom Distribution Consulting Cloud Platform Infrastructure
• Sr. Application Security Consultant
• Graduate of Iowa State University with a Master's degree in Information Assurance and Computer Engineering.
• Performs a variety of assessments including penetration tests, blackbox / whitebox assessment, SDLC review, and security tool implementation
• Industries Served include Federal/Local Government, Financial Services, Entertainment, Manufacturing, Retail, and Internet Service Providers
Andy Hoernecke, Sr. Application Security Consultant, Neohapsis
Strategies for Web Application Security
Sr. Application Security Consultant
April 13th, 2011
Andy Hoernecke
Neohapsis Confidential
Agenda
• Background
• Tool Introduction
• Web Application Scanning Strengths/Weaknesses
• Where Scanning Makes Sense
• SDL Integration
• Supplemental Security Measures
Background
• ~96% of records breached involved "hacking" or malware
• ~92% of records stolen through "hacking" involved a web application
• Most commonly exploited web application vulnerabilities include:
  – SQL Injection
  – Brute Force Attacks
  – OS Commanding
  – Default/Guessable Credentials
  – Cross-Site Scripting
Source: 2010 Data Breach Investigations Report, Verizon Business Risk Team
Tool Introduction: Dynamic Analysis
• Tests running web applications by making requests as a normal user would
• Examples:
  – IBM AppScan
  – HP WebInspect
  – WhiteHat
• Scanning phases generally include:
  – Spidering
  – Fault Injection
  – Analysis
Tool Introduction: Static Analysis
• Tests through the analysis of source or object code
• Examples:
  – Fortify
  – Veracode
• Capabilities vary greatly
  – May require compilable code
  – May only handle certain languages
• Not currently as widely adopted
Dynamic Analysis Strengths
• Performing tedious tests (fuzzing)
  – XSS
  – File path manipulation
  – SSL issues
• Signature-based tests
  – Known vulnerabilities in common applications
• Sensitive information checks
  – Default files/scripts
  – Certain types of information disclosure (internal IP addresses)
• Configuration issues
• Parameter-based fault injection
Dynamic Analysis Weaknesses
• Logic bugs
  – Example: negative pricing/quantity
• Authentication issues
  – SSO related
• Authorization problems
  – User role enforcement
  – Forced browsing
• Vulnerabilities that are part of complex/multi-step processes
• Identifying discrete pages in "rewritten URLs"
• Results can vary greatly based on configuration and the scanner in use
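An added example (not from the slides or from Neohapsis) of the negative-quantity logic bug named above. The checkout handler, its fixed version, the price book and the error-signature list are all constructed here; the point it shows is that a response to qty=-3 carries no error signature for a fault-injecting scanner to match, so only an application-specific business-rule check catches it.

```python
import re
from dataclasses import dataclass

# Constructed price book for the example; not from any real application.
PRICE_BOOK = {"sku-100": 25.00, "sku-200": 40.00}
MAX_QTY = 100

@dataclass
class Response:
    status: int
    body: str

def checkout_vulnerable(params: dict) -> Response:
    """Order handler with the logic bug: qty is parsed but never range-checked."""
    try:
        qty = int(params.get("qty", "1"))
        total = PRICE_BOOK[params["sku"]] * qty
    except (KeyError, ValueError) as exc:
        # Malformed input produces an error signature a scanner *can* match.
        return Response(500, f"Internal error: {exc!r}")
    # qty=-3 is accepted and yields a negative total with a clean 200 response.
    return Response(200, f"Order accepted, total={total:.2f}")

def checkout_fixed(params: dict) -> Response:
    """Same handler with the business rule enforced server-side."""
    try:
        qty = int(params.get("qty", "1"))
        price = PRICE_BOOK[params["sku"]]
    except (KeyError, ValueError):
        return Response(400, "Bad request")
    if not 1 <= qty <= MAX_QTY:
        return Response(400, "Bad request: quantity out of range")
    return Response(200, f"Order accepted, total={price * qty:.2f}")

# Error signatures of the kind a dynamic scanner greps for after fault injection (constructed).
ERROR_SIGNATURES = [re.compile(p) for p in (r"Internal error", r"Traceback", r"SQL syntax")]

def scanner_flags(resp: Response) -> bool:
    """Signature-style verdict: only server errors or known error strings count."""
    return resp.status >= 500 or any(s.search(resp.body) for s in ERROR_SIGNATURES)

def business_rule_violated(resp: Response) -> bool:
    """Application-specific check a tester must add by hand: a negative order total."""
    m = re.search(r"total=(-?\d+\.\d+)", resp.body)
    return m is not None and float(m.group(1)) < 0
```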
Percent Vulnerabilities Identified
Source: Suto, Larry. "Analyzing the Accuracy and Time Costs of Web Application Security Scanners." (2001)
Experience Needed
• Web application scanners are not like antivirus tools
• Most will require tuning and customization to get good results
• Login and session management can often cause problems
• There WILL be false positives
• Tuning and interpretation of results requires application security knowledge
• Unlikely that canned reports can be handed off to average developers without some additional explanation
Where Scanning Makes Sense
• Application scanning is a piece of the overall SDL
• Most standard web applications using HTTP/HTTPS
  – Modern scanners provide decent JavaScript parsing
  – Mostly platform/language independent
• As the first stage of a manual assessment
Where Scanning Doesn't Make Sense
• Applications heavily reliant on client-side code
• Non-HTTP applications
  – CORBA
  – RMI
  – Proprietary protocols
• Results could be limited for:
  – Web Services/SOAP APIs
  – Very AJAX-intensive applications
  – Other client-side technologies (Flash, Silverlight)
• Completely static sites
Application Scanning and SDL
• Web application scanners are valuable as part of the Secure Development Lifecycle
• Variables include:
  – How frequently to scan – dependent on several factors:
    – Application/data sensitivity
    – Development cycle
    – Business criticality
    – Available resources
  – Which environments to scan?
    – Production: generally the most important code base to be secure; requires the most care as outages are generally not well received
    – QA, Staging, Development: good to catch vulnerabilities before they are rolled into production; many development groups have their hands full fixing issues in production
Application Scanning and SDL
• Dynamic scanning has limitations
• Won't be able to find everything a code review could find
• Can provide findings relatively quickly and help focus on potentially insecure areas of an application
Supplementing Application Scanning
• Periodic manual testing for sensitive applications
  – Blackbox, Greybox, Whitebox
  – May be targeted to certain functionality
• Standard IT best practices
  – Separation of duties
  – Defense in depth
• Working in security during earlier development phases
  – Security requirements
  – Architecture review
• Developer security training/awareness
Questions & Answers / Contact Info
• Q & A: Type your questions into the chat box below the presentation panel
• Contact OpSource: Dave McKenzie – [email protected]; Inquiries – [email protected] or 800-664-9973
Recorded webinar and slides will be posted within 48 hours on the OpSource website.