Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
Web Application Security Strategies --OWASP Taiwan 2008
Yen-Ming Chen, Director of Consulting, Northwest, Foundstone, A Division of McAfee
Agenda
Security Problems and Statistics
Analysis
Strategic Planning
Conclusion
Yen-Ming Chen
Director of Consulting, Northwest. Joined Foundstone in 2000.
Four contributing authorships: Hacking Exposed 3rd edition, Hacking Exposed Web Applications, Windows XP Professional Security and HackNotes Web Security.
Dozens of articles in SecurityFocus, DevX, SysAdmin, PCWeek, CNET Taiwan, ITHome and other media.
Invited speaker at security conferences worldwide.
MSIN from C.M.U. Information Networking Institute (1999).
SECURITY PROBLEMS
Thus do many calculations lead to victory, and few calculations to defeat
Current Status
Security Maturity
Attack Target Shift
Security Ecosystem
SQL Injection
Why You Still Can't Rely on Automated Tools
Information Security Maturity: 1996
Information Security Maturity: 2000
Information Security Maturity: 2004
Information Security Maturity: 2008
Attack Target Shift
From server to application; from corporate network to every user.
Google Search Trend
Hacking Evolved
Security EcoSystem
Diagram of the security ecosystem: four actors (Government, Corporate/Organization, General Public, The Bad Guys) connected by edges labelled Attack (three edges), Regulate (two edges), Monitor/Catch, Monitor (two edges) and Monitor/Sell (two edges).
SQL Injection
RFP (Rain Forest Puppy) identified the problem in Phrack 54 (December 1998): http://www.phrack.org/issues.html?issue=54&id=8#article
In 2005, CardSystems lost 40 million credit card records.
In 2008, an automated mass attack hit an estimated 500,000 web servers.
Yes, using SQL injection! Exploits of a Mom (http://xkcd.com/327/):
Why You Still Can’t Rely on Automated Tools?
North Carolina News 13: web-based "closings" ticker for schools/businesses
Workflow: submit info, human approval, stack messages
http://tinyurl.com/pwpec
This is What You See…
UAL vs. Google
An old article about UAL's 2002 bankruptcy-court filing resurfaced Sep 8, 2008 as an apparently fresh report on Google's news service. Stock in the parent company of United Airlines quickly dropped to $3 a share from nearly $12.50 before the Nasdaq Stock Market halted trading and UAL issued a statement denying any fresh Chapter 11 filing. UAL's stock price ended Tuesday's session at $10.60, ...
UAL vs. Google
$1.1 Billion market value disappeared in a few hours!!!
Some Survey Data
McGraw Touchpoint Secure SDLC
Microsoft SDL
Where are things going?
Penetration testing is still how a lot of companies are going to assess their security
Frameworks, libraries, etc. are going to make shooting yourself in the foot harder (XSS, SQLi, etc.)
“Silver Bullet” devices/technologies are always going to be around
SDL is starting to show proven results
What’s Next?
Security research is chasing after new technologies
New vulnerabilities in different products will appear daily
Better accuracy from security products
Paradigm shifts will be slower to appear
Integrate security into your daily life
Corporate M&A
Need better management of execution
New technologies to make it harder to build insecure web applications
Learn from other fields
Knowledge Discovery, Data Mining & Information Retrieval
Biology, Physics, Social Science and others
WEB APPLICATION SECURITY
Whoever is first in the field and awaits the coming of the enemy, will be fresh for the fight
2007-2008 Analysis
Collected 77 applications in 5 industries; picked 27 of them for further study.
Arranged findings based on the Foundstone Security Framework, overall risk level and root cause in SDLC phases.
Foundstone Security Framework
Financial Services – 15 Apps
Healthcare – 12 Apps
Insurance – 27 Apps
Retail – 17 Apps
Utility – 6 Apps
27 Applications
13 on Unix, 13 on Windows, 1 on Novell; 421 findings in total.
Findings by Framework and Risk Level
High and Medium Risk Findings
Findings by Percentage
Findings by SDLC Phases
White Box vs. Black Box
10 Things To Secure Your Web App
Authentication: password policy (reset-password function, history, complexity and account lockout)
Authorization: role/privilege mapping and enforcement; workflow/business-logic authorization enforcement
Data Validation: do your validation on the server side, on both input and output!
Session Management: use a random session ID and maintain the state on the server side. Do not depend on any state information from the client.
Data Protection: protect your important data in storage and in transit; choose your data protection solution wisely
Configuration Management: secure the server configuration and patch it well!
Exception Management: handle all exceptions and return generic error messages
Logging and Auditing: what to log, and how/when to audit?
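As an added illustration of the authentication, authorization and session-management items above (example code written for this page, not part of the Foundstone framework or the talk), the sketch below keeps all session state on the server, issues session IDs from the OS CSPRNG, takes the user's role from the server-side record rather than from anything the client sends, and locks an account after repeated failed logins. The user table, the five-attempt lockout threshold, the 30-minute idle timeout and the PBKDF2 iteration count are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

SESSION_TTL_SECONDS = 30 * 60   # idle timeout; assumed value
MAX_FAILED_LOGINS = 5           # lockout threshold; assumed value
PBKDF2_ITERATIONS = 100_000     # assumed value; tune for your hardware


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the stored value is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _make_user(password: str, role: str) -> Dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash_password(password, salt),
            "role": role, "failed": 0, "locked": False}


# Constructed user table (stands in for the database); not data from the talk.
USERS: Dict[str, Dict] = {
    "alice": _make_user("correct horse battery", "user"),
    "bob": _make_user("hunter2", "admin"),
}

# Server-side session store: session id -> state.
# The client only ever holds the opaque id; nothing it sends is trusted as state.
SESSIONS: Dict[str, Dict] = {}


def login(username: str, password: str) -> Optional[str]:
    """Return a fresh random session id on success, or None on any failure.

    The same None comes back for unknown user, wrong password and locked
    account, so the response does not reveal which one applied.
    """
    user = USERS.get(username)
    if user is None or user["locked"]:
        return None
    candidate = _hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["hash"]):   # constant-time compare
        user["failed"] += 1
        if user["failed"] >= MAX_FAILED_LOGINS:
            user["locked"] = True                          # account lockout
        return None
    user["failed"] = 0
    sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, never a counter or timestamp
    SESSIONS[sid] = {"user": username, "role": user["role"], "last_seen": time.time()}
    return sid


def get_session(sid: str, now: Optional[float] = None) -> Optional[Dict]:
    """Look up a session by id, expiring it if idle for longer than the TTL."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    if now - sess["last_seen"] > SESSION_TTL_SECONDS:
        del SESSIONS[sid]
        return None
    sess["last_seen"] = now
    return sess


def authorize(sid: str, required_role: str) -> bool:
    """Role/privilege enforcement: the role comes from the server-side record,
    never from a cookie, hidden field or parameter supplied by the client."""
    sess = get_session(sid)
    return sess is not None and sess["role"] == required_role


def logout(sid: str) -> None:
    """Invalidate the session on the server; deleting the cookie alone is not enough."""
    SESSIONS.pop(sid, None)
```

Every check that matters (password, lockout, role, expiry) runs against server-side records; the browser contributes only an unguessable identifier, so a client that edits its cookie or a hidden "role" field gains nothing.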
STRATEGIC PLANNING
If you know the enemy and know yourself, you need not fear the result of a hundred battles
Six Sigma Tactical Steps
Define, Measure, Analyze, Improve, Control (DMAIC)
What is Process Sigma?
Defects per unit and opportunities: 3.4 defects per 1 million opportunities is Six Sigma.
$$\text{Defects per million opportunities} = \frac{\text{Number of defects}}{\text{Number of units} \times \text{Number of opportunities}} \times 1{,}000{,}000$$
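Added worked example (not from the talk): the slide's formula as a function, plus the conversion from a defects-per-million figure to a sigma level. The conversion treats the long-term defect rate as the upper tail of a normal distribution and adds the 1.5 sigma shift that Six Sigma convention assumes; that shift is not stated on the slide but is what makes 3.4 defects per million come out as 6 sigma. The final function applies the formula to the deck's 421 findings across 27 applications under the hypothetical assumption of 100 assessed checks (opportunities) per application.

```python
from statistics import NormalDist

SIGMA_SHIFT = 1.5   # long-term process shift assumed by Six Sigma convention


def defects_per_million_opportunities(defects: int, units: int, opportunities_per_unit: int) -> float:
    """The slide's formula: defects / (units * opportunities) * 1,000,000."""
    if units <= 0 or opportunities_per_unit <= 0:
        raise ValueError("units and opportunities per unit must be positive")
    if defects < 0:
        raise ValueError("defects cannot be negative")
    return defects / (units * opportunities_per_unit) * 1_000_000


def sigma_level(dpmo: float) -> float:
    """Convert defects per million opportunities to a process sigma level.

    A defect rate p is read as the upper tail P(Z > z) of a standard normal,
    so z = inverse-CDF(1 - p); adding the conventional 1.5 shift gives the
    reported sigma level (3.4 DPMO -> 6.0, 66,807 DPMO -> 3.0).
    """
    if not 0 < dpmo < 1_000_000:
        raise ValueError("dpmo must be strictly between 0 and 1,000,000")
    return NormalDist().inv_cdf(1 - dpmo / 1_000_000) + SIGMA_SHIFT


def assessment_sigma(findings: int, applications: int, checks_per_application: int) -> float:
    """Sigma level of an assessment data set, treating each check on each
    application as one opportunity and each finding as one defect."""
    dpmo = defects_per_million_opportunities(findings, applications, checks_per_application)
    return sigma_level(dpmo)


if __name__ == "__main__":
    # 421 findings over 27 applications (from the deck); 100 checks per application is assumed.
    dpmo = defects_per_million_opportunities(421, 27, 100)
    print(f"DPMO = {dpmo:,.0f}, sigma level = {sigma_level(dpmo):.2f}")
```

The opportunity count is the lever in this metric: the same 421 findings look far better if every line of code is counted as an opportunity and far worse if only a handful of checks per application are, so agree on what an "opportunity" is before comparing sigma levels across teams or assessments.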
Balanced Scorecard
Methodology
Root Cause Analysis → Solution Mapping → Strategic Planning
Solution
Capability
Action Items
CONCLUSION
In order to carry out an attack, we must have means available
Summary
We reviewed: the current security status; web application security statistics; strategic planning to keep your web application secure.
Security is an ongoing process in which people and technology also play important roles.
No Silver Bullets or Easy Button!
If Toyota Builds Your Web Applications…
Modularization, automation and just-in-time: reduce cost, maintain the highest customer satisfaction.
The implementation phase will be automated and modularized.
Developers won't be able to use any insecure implementation techniques.
Web applications will stick to known best practice, with high quality in security. When there is a serious flaw there will be a recall.
Thank You
Yen-Ming Chen, Director of Consulting, Foundstone, A Division of McAfee, [email protected]