Security Verified




            Introduction to Web Application Security
                  Mohamed Ridha Chebbi, CISSP
                  iCode InfoSec – CEO & Head of PS
                  ridha.chebbi@icodesecurity.com




Next-Gen Applications & Data Security conference, March 6th 2012

                                    © 2012 iCode information security All rights reserved
Agenda




•   Application InSecurity
•   TOP 10 Risks in APPSEC
•   Addressing the Problem
•   APPSEC Training
•   APPSEC Verification Process
•   APPSEC Standard (Security Levels)
•   APPSEC Protection Infrastructure





Application InSecurity

Web Application Security Defined

[Diagram: web application security evolution. Desktop & content security (1980s) on the desktop/client; network security (1990s) with a firewall plus intrusion detection and prevention at the Internet edge, where ports 80 and 443 remain open; application security (2000s) covering the web server, application server and database server. The web application layer is where 75% of hacker attacks occur.]

Why Website Security Matters

•   $7.2+ million is the average cost of a data breach (Ponemon Institute, 2011)
•   75%+ of cyber attacks and Internet security violations are generated through applications (Gartner Group, 2011)
•   75% of enterprises experienced some form of cyber attack in 2011 (Symantec Internet Security Report, April 2011)
•   79% of breach victims subject to PCI DSS had not achieved compliance (Verizon Business Data Breach Report, July 2011)
•   400+ new vulnerabilities a month, and growing

Today’s Web Application Vulnerabilities (Q1-Q2 2010)

[Charts: Web Application Vulnerabilities (% of total); Web Application Vulnerabilities by Class (Commercial Applications); Other Category; Web Application Vulnerabilities (Proprietary Applications); Vulnerable Web Applications by type (Proprietary Applications)]

Hacking Continues …

Breach Time to Detection

•   Average number of days from when a breach occurred to when it was discovered: 156 days (between 5 and 6 months).
•   Main reason an investigation was launched: the credit card company detected a pattern of unauthorized use.


The Top 10 Risks in Application Security

OWASP Top Ten (2010 Edition)

http://www.owasp.org/index.php/Top_10

VERACODE Assessment Results

[Charts]


Addressing the Problem

How to Start?

   1- Develop secure code
         Apply the Application Security Standard (risk-mitigation best practices)
         Train developers in secure coding

   2- Test and review applications
         in accordance with the Application Security Standard (verification process); security activities during the SDLC:
             Static assessment (during build)
             Dynamic assessment (during testing)
             Internal reviews (during design and build)
             Penetration testing (during operation)

   3- Protect and monitor applications and databases
         in accordance with the Application Security Standard (protection and monitoring architecture); protect applications and data using:
             Web Application Firewalls (WAF)
             Database Firewalls (DBF)
             File Firewalls (FF)

   The order matters: the firewalls in step 3 block known attack patterns in front of the application, but they do not remove the defects that steps 1 and 2 exist to find and fix.

Application Security Training

   iCode in-class courses
         Application Security Fundamentals
         OWASP Top 10 in detail
         Secure Coding Java
         Secure Coding .NET
         Mobile Application Security
         Security Testing
         SDL

   iCode virtual class courses
         50+ hours of online courses
         33+ course modules (from security fundamentals to secure coding)

Application Security Life Cycle

[Diagram: phases Design → Build → Test → Deploy → Operate. Internal review during design; static assessment during build; dynamic assessment during test; penetration testing during operation, repeated annually; web application and data protection and monitoring during operation. New versions/releases re-enter the cycle at design.]


Application Security Levels

Security Requirements & Levels

[Diagram: two verification levels, Level 1 and Level 2, increasing in level of rigor, applied across the following requirement sections:]

   V1.  Security Architecture
   V2.  Authentication
   V3.  Session Management
   V4.  Access Control
   V5.  Input Validation
   V6.  Output Encoding/Escaping
   V7.  Cryptography
   V8.  Error Handling and Logging
   V9.  Data Protection
   V10. Communication Security
   V11. HTTP Security
   V12. Security Configuration
   V13. Malicious Code Search
   V14. Internal Security

This section list is the one used by the 2009 OWASP Application Security Verification Standard (ASVS 1.0).

Application Security Level 1

   Level 1 verification is typically appropriate for applications where some confidence in the correct use of security controls is required. Threats to security will typically be viruses, worms and misuse.

   There are two constituent components for Level 1:
   - Level 1A is the use of automated application vulnerability scanning (dynamic analysis).
   - Level 1B is the use of automated source code scanning (static analysis).

   NOTE: if the verifier’s selected tool suite does not have the capability to verify a specified verification requirement, the verifier can perform manual verification to fill this gap.

                   Level 1A   +   Level 1B   =   Level 1

Application Security Level 2

   Level 2 is appropriate for applications that handle personal transactions, conduct business-to-business transactions, or process personally identifiable information. Threats to security will typically be viruses, worms and opportunists such as malicious attackers.

   There are two constituent components for Level 2:
   - Level 2A is the use of automated application vulnerability scanning (dynamic analysis).
   - Level 2B is the use of automated source code scanning (static analysis).

   Note 1: if the verifier’s selected tool suite does not have the capability to verify a specified verification requirement, the verifier can perform manual verification to fill this gap.

   Note 2: the verifier needs to manually review and augment all the results for each Level 2 requirement.

                   Level 2A   +   Level 2B   =   Level 2

Application Security Level 1

Example: ADB/ASS-V2 Authentication Verification Requirements for Level 1 (Level 1A / Level 1B applicability columns not reproduced)

   V2.1   Verify that all pages and resources require authentication except those specifically intended to be public.
   V2.2   Verify that all password fields do not echo the user’s password when it is entered, and that password fields (or the forms that contain them) have autocomplete disabled.
   V2.3   Verify that if a maximum number of authentication attempts is exceeded, the account is locked for a period of time long enough to deter brute force attacks.

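Requirement V2.1 is one that a Level 1A dynamic scan can check mechanically: request every known resource with no credentials and confirm that everything not intended to be public is rejected. The script below is an added example, not part of the presentation or of iCode's tooling. It assumes a constructed inventory of paths (PUBLIC and PROTECTED) and a toy target application, started on localhost only so the check has something to run against, in which /export/report.csv deliberately lacks its authentication check so that the scan reports one Fail.

```python
"""Level 1A-style dynamic check for V2.1: every resource not intended to be public
must reject an unauthenticated request. Added example; paths and target are constructed."""
import http.server
import threading
import urllib.error
import urllib.request
from dataclasses import dataclass

# Constructed inventory of the application under test (assumption for the example).
PUBLIC = {"/", "/login", "/static/app.css"}
PROTECTED = {"/account", "/admin/users", "/api/orders", "/export/report.csv"}


@dataclass
class Finding:
    path: str
    status: int
    verdict: str      # "Pass" or "Fail", as in the verification report


def looks_unauthenticated(status: int, headers) -> bool:
    """True when the response shows authentication was enforced: 401/403, or a
    redirect to the login page. A 200, or a redirect elsewhere, is not evidence."""
    if status in (401, 403):
        return True
    if 300 <= status < 400:
        return "/login" in (headers.get("Location") or "")
    return False


def check_auth_required(base_url, paths, public, fetch=None):
    """Request each path with no credentials and return one Finding per path."""
    fetch = fetch or _fetch
    findings = []
    for path in sorted(paths):
        status, headers = fetch(base_url + path)
        if path in public:
            verdict = "Pass"     # public by design: any response is acceptable
        else:
            verdict = "Pass" if looks_unauthenticated(status, headers) else "Fail"
        findings.append(Finding(path, status, verdict))
    return findings


def _fetch(url):
    """GET without cookies and without following redirects: a 302 to /login is the evidence."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status, resp.headers
    except urllib.error.HTTPError as err:   # 3xx/4xx/5xx arrive here with their headers
        return err.code, err.headers


class _SampleApp(http.server.BaseHTTPRequestHandler):
    """Constructed target: /export/report.csv deliberately lacks its authentication check."""
    def do_GET(self):
        if self.path in PUBLIC or self.path == "/export/report.csv":
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok")
        elif self.path.startswith("/api/"):
            self.send_response(401)
            self.send_header("WWW-Authenticate", "Bearer")
            self.end_headers()
        else:
            self.send_response(302)
            self.send_header("Location", "/login?next=" + self.path)
            self.end_headers()

    def log_message(self, *args):   # silence the server's request log
        pass


def run_demo():
    """Start the toy app on an ephemeral localhost port, scan it, and return the findings."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _SampleApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    try:
        return check_auth_required(base, PUBLIC | PROTECTED, PUBLIC)
    finally:
        server.shutdown()


if __name__ == "__main__":
    for f in run_demo():
        print("%-4s %3d %s" % (f.verdict, f.status, f.path))
```

Redirects are deliberately not followed: a 302 whose Location is the login page is the evidence the check wants, while a 302 to anywhere else is treated as a Fail, because it does not show that authentication was enforced. The inventory of paths is the weak point of such a scan, which is why the NOTE above allows manual verification to fill gaps the tool cannot see.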
Application Security Level 2

Example: ADB/ASS-V2 Authentication Verification Requirements for Level 2 (Level 2A / Level 2B applicability columns not reproduced)

   V2.1   Verify that all pages and resources require authentication except those specifically intended to be public.
   V2.2   Verify that all password fields do not echo the user’s password when it is entered, and that password fields (or the forms that contain them) have autocomplete disabled.
   V2.3   Verify that if a maximum number of authentication attempts is exceeded, the account is locked for a period of time long enough to deter brute force attacks.
   V2.4   Verify that all authentication controls are enforced on the server side.
   V2.5   Verify that all authentication controls (including libraries that call external authentication services) have a centralized implementation.
   V2.6   Verify that all authentication controls fail securely.
   V2.7   Verify that the strength of any authentication credentials is sufficient to withstand attacks that are typical of the threats in the deployed environment.

Application Security Level 2

Example: ADB/ASS-V2 Authentication Verification Requirements for Level 2 (continued)

   V2.8   Verify that users can safely change their credentials using a mechanism that is at least as resistant to attack as the primary authentication mechanism.
   V2.9   Verify that re-authentication is required before any application-specific sensitive operations are permitted.
   V2.10  Verify that after an administratively-configurable period of time, authentication credentials expire.
   V2.11  Verify that all authentication decisions are logged.
   V2.12  Verify that account passwords are salted using a salt that is unique to that account (e.g., internal user ID, account creation) and hashed before storing.
   V2.13  Verify that all authentication credentials for accessing services external to the application are encrypted and stored in a protected location (not in source code).

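The V2.x requirements above describe the server-side control a Level 2B code review looks for. The module below is an added example, not the presentation's or iCode's code, showing one way to implement several of them together: a random salt unique to each account and a slow hash (V2.12), lockout after MAX_ATTEMPTS failures for LOCKOUT_SECONDS (V2.3), expiry of credentials after CREDENTIAL_MAX_AGE (V2.10), a log line for every decision (V2.11), a single centralized entry point (V2.5) and fail-secure handling of internal errors (V2.6). The constants, the Account and Authenticator names and the injectable clock are assumptions made for the example.

```python
"""Server-side authentication control covering V2.3, V2.5, V2.6, V2.10, V2.11 and V2.12.
Added example: the names and constants below are assumptions, not the presentation's code."""
import hashlib
import hmac
import logging
import os
import time

log = logging.getLogger("auth")          # V2.11: every allow/deny decision is logged here

MAX_ATTEMPTS = 5                         # V2.3: failures before lockout
LOCKOUT_SECONDS = 15 * 60                # V2.3: lockout window
CREDENTIAL_MAX_AGE = 90 * 24 * 3600      # V2.10: administratively configurable expiry
PBKDF2_ITERATIONS = 210_000              # kept modest so the demo runs quickly; raise in production


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted hash of the password (V2.12). The salt is stored beside the hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class Account:
    def __init__(self, username: str, password: str, now: float):
        self.username = username
        self.salt = os.urandom(16)                    # V2.12: random salt unique to this account
        self.pw_hash = _derive(password, self.salt)   # only the hash is stored, never the password
        self.password_set_at = now
        self.failed_attempts = 0
        self.locked_until = 0.0


class Authenticator:
    """Centralized authentication control (V2.5): every login goes through login()."""

    def __init__(self, accounts, clock=time.time):
        self.accounts = {a.username: a for a in accounts}
        self.clock = clock        # injectable so the lockout window can be tested without sleeping

    def login(self, username: str, password: str) -> bool:
        try:
            allowed, reason = self._check(username, password)
        except Exception as exc:  # V2.6: an internal error is a denial, never a bypass
            allowed, reason = False, "error:" + type(exc).__name__
        log.info("auth user=%s result=%s reason=%s",
                 username, "allow" if allowed else "deny", reason)   # V2.11
        return allowed

    def _check(self, username, password):
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            _derive(password, b"\x00" * 16)   # same cost for unknown users: no username oracle
            return False, "unknown-user"
        if now < acct.locked_until:
            return False, "locked"            # V2.3: reject without even checking the password
        if not hmac.compare_digest(_derive(password, acct.salt), acct.pw_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_ATTEMPTS:
                acct.failed_attempts = 0
                acct.locked_until = now + LOCKOUT_SECONDS
                return False, "locked-now"
            return False, "bad-password"
        acct.failed_attempts = 0
        if now - acct.password_set_at > CREDENTIAL_MAX_AGE:
            return False, "credential-expired"   # V2.10: correct but expired; force a change
        return True, "ok"


def demo():
    """Constructed walk-through with a fake clock; returns the sequence of login outcomes."""
    t = [1_700_000_000.0]
    auth = Authenticator([Account("alice", "correct horse battery staple", t[0])],
                         clock=lambda: t[0])
    outcomes = [auth.login("alice", "correct horse battery staple")]          # allowed
    outcomes += [auth.login("alice", "guess%d" % i) for i in range(MAX_ATTEMPTS)]  # 5 failures, last one locks
    outcomes.append(auth.login("alice", "correct horse battery staple"))     # denied: locked
    t[0] += LOCKOUT_SECONDS + 1
    outcomes.append(auth.login("alice", "correct horse battery staple"))     # allowed: window elapsed
    t[0] += CREDENTIAL_MAX_AGE + 1
    outcomes.append(auth.login("alice", "correct horse battery staple"))     # denied: credential expired
    return outcomes


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    print(demo())
```

Two points a reviewer would raise against this control: locking by username lets anyone who knows a victim's login deny them service, so production deployments pair it with per-source throttling; and the correct-password-but-expired branch should send the user into a credential change flow that is at least as strong as the login itself (V2.8), not just deny.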
Verification Output Report

 A Level 1 or Level 2 Verification Report shall document the results of the analysis, including any remediation of vulnerabilities that was required. For each level and requirement:

   Pass:
   •   Verdict
   •   Verdict justification (Level 2)

   Fail:
   •   Verdict
   •   Location (URL with parameters and/or source file path, name and line number(s))
   •   Description (including configuration information as appropriate)
   •   Risk rating
   •   Risk justification

 Any remediation of vulnerabilities that were discovered shall be provided as part of the report.


Accreditation & Baselines

Example of Accreditation Document

Application Security Accreditation Form

Application: Category / Version / Release Date
Application supports the following business functions:
Application makes use of the following technology:
Application makes use of the following IT infrastructure:
Application Developer/Vendor primary contact information: First Name / Last Name / Title / Telephone / Department / email

Security Verification Process (P / F / N/T / N/R; Ref./Comments):
   L1A   Level 1A Verification
   L1B   Level 1B Verification
   L2A   Level 2A Verification
   L2B   Level 2B Verification

Accreditation Zone
Production Date / Notes/Comments

Accreditation Involved Parties
…

Applications & Data Protection

Application & Data Protection

[Diagram: a Security Operating Center with a Management Server controls a Web Application Firewall in front of the web tier and a Database Firewall in front of the databases. Database Activity Monitoring (or a Discovery and Assessment Server) collects from a database local agent on the databases, from network monitoring and from native audit.]


Thanks

Why AppSec MattersInnoTech
 
Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)
Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)
Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)Rafal Los
 
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon BennettsAppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon BennettsMagno Logan
 

Viewers also liked (7)

Java zone ASVS 2015
Java zone ASVS 2015Java zone ASVS 2015
Java zone ASVS 2015
 
Attacking HTML5
Attacking HTML5Attacking HTML5
Attacking HTML5
 
AppSec Pipeline Reference Architecture
AppSec Pipeline Reference ArchitectureAppSec Pipeline Reference Architecture
AppSec Pipeline Reference Architecture
 
AppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck WillisAppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck Willis
 
Why AppSec Matters
Why AppSec MattersWhy AppSec Matters
Why AppSec Matters
 
Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)
Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)
Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)
 
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon BennettsAppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
 

Similar to Appsec Introduction

From SIEM to SA: The Path Forward
From SIEM to SA: The Path ForwardFrom SIEM to SA: The Path Forward
From SIEM to SA: The Path ForwardEMC
 
Security Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent ThreatsSecurity Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent ThreatsPeter Wood
 
Web App Se Saidi Scan
Web App Se Saidi ScanWeb App Se Saidi Scan
Web App Se Saidi ScanAung Khant
 
Cyber Warfare e scenari di mercato
Cyber Warfare e scenari di mercatoCyber Warfare e scenari di mercato
Cyber Warfare e scenari di mercatoHP Enterprise Italia
 
Time based security for cloud computing
Time based security for cloud computingTime based security for cloud computing
Time based security for cloud computingJorge Sebastiao
 
Info sec for startups
Info sec for startupsInfo sec for startups
Info sec for startupsKesava Reddy
 
Security Trends and Risk Mitigation for the Public Sector
Security Trends and Risk Mitigation for the Public SectorSecurity Trends and Risk Mitigation for the Public Sector
Security Trends and Risk Mitigation for the Public SectorIBMGovernmentCA
 
BYOD and Security Trends
BYOD and Security TrendsBYOD and Security Trends
BYOD and Security TrendsCisco Russia
 
Appaloosa & AppDome: deploy & protect mobile applications
Appaloosa & AppDome: deploy & protect mobile applicationsAppaloosa & AppDome: deploy & protect mobile applications
Appaloosa & AppDome: deploy & protect mobile applicationsJulien Ott
 
CS Sakerhetsdagen 2015 IBM Feb 19
CS Sakerhetsdagen 2015 IBM Feb 19CS Sakerhetsdagen 2015 IBM Feb 19
CS Sakerhetsdagen 2015 IBM Feb 19IBM Sverige
 
iViZ Security : On Demand Penetration Testing
iViZ Security : On Demand Penetration TestingiViZ Security : On Demand Penetration Testing
iViZ Security : On Demand Penetration TestingiViZ Techno Solutions
 
Security in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and CloudSecurity in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and CloudITDogadjaji.com
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsDenim Group
 
Security is Hard
Security is HardSecurity is Hard
Security is HardMike Murray
 
AWS Partner Presentation - TrendMicro - Securing your Journey to the Cloud, A...
AWS Partner Presentation - TrendMicro - Securing your Journey to the Cloud, A...AWS Partner Presentation - TrendMicro - Securing your Journey to the Cloud, A...
AWS Partner Presentation - TrendMicro - Securing your Journey to the Cloud, A...Amazon Web Services
 
IoT Security: Problems, Challenges and Solutions
IoT Security: Problems, Challenges and SolutionsIoT Security: Problems, Challenges and Solutions
IoT Security: Problems, Challenges and SolutionsLiwei Ren任力偉
 
Mobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksMobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksIBM Security
 

Similar to Appsec Introduction (20)

From SIEM to SA: The Path Forward
From SIEM to SA: The Path ForwardFrom SIEM to SA: The Path Forward
From SIEM to SA: The Path Forward
 
Security Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent ThreatsSecurity Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent Threats
 
Web App Se Saidi Scan
Web App Se Saidi ScanWeb App Se Saidi Scan
Web App Se Saidi Scan
 
Cyber Warfare e scenari di mercato
Cyber Warfare e scenari di mercatoCyber Warfare e scenari di mercato
Cyber Warfare e scenari di mercato
 
Time based security for cloud computing
Time based security for cloud computingTime based security for cloud computing
Time based security for cloud computing
 
Info sec for startups
Info sec for startupsInfo sec for startups
Info sec for startups
 
Security Intelligence
Security IntelligenceSecurity Intelligence
Security Intelligence
 
Security Trends and Risk Mitigation for the Public Sector
Security Trends and Risk Mitigation for the Public SectorSecurity Trends and Risk Mitigation for the Public Sector
Security Trends and Risk Mitigation for the Public Sector
 
BYOD and Security Trends
BYOD and Security TrendsBYOD and Security Trends
BYOD and Security Trends
 
Appaloosa & AppDome: deploy & protect mobile applications
Appaloosa & AppDome: deploy & protect mobile applicationsAppaloosa & AppDome: deploy & protect mobile applications
Appaloosa & AppDome: deploy & protect mobile applications
 
CS Sakerhetsdagen 2015 IBM Feb 19
CS Sakerhetsdagen 2015 IBM Feb 19CS Sakerhetsdagen 2015 IBM Feb 19
CS Sakerhetsdagen 2015 IBM Feb 19
 
Introduction to Application Security Testing
Introduction to Application Security TestingIntroduction to Application Security Testing
Introduction to Application Security Testing
 
iViZ Security : On Demand Penetration Testing
iViZ Security : On Demand Penetration TestingiViZ Security : On Demand Penetration Testing
iViZ Security : On Demand Penetration Testing
 
Security in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and CloudSecurity in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and Cloud
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for Applications
 
Security is Hard
Security is HardSecurity is Hard
Security is Hard
 
AWS Partner Presentation - TrendMicro - Securing your Journey to the Cloud, A...
AWS Partner Presentation - TrendMicro - Securing your Journey to the Cloud, A...AWS Partner Presentation - TrendMicro - Securing your Journey to the Cloud, A...
AWS Partner Presentation - TrendMicro - Securing your Journey to the Cloud, A...
 
Sw keynote
Sw keynoteSw keynote
Sw keynote
 
IoT Security: Problems, Challenges and Solutions
IoT Security: Problems, Challenges and SolutionsIoT Security: Problems, Challenges and Solutions
IoT Security: Problems, Challenges and Solutions
 
Mobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksMobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging Risks
 

Appsec Introduction

  • 1. Introduction to Web Application Security
    Security Verified
    Mohamed Ridha Chebbi, CISSP
    iCode InfoSec – CEO & Head of PS
    ridha.chebbi@icodesecurity.com
    Next-Gen Applications & Data Security conference, March 6th 2012
    © 2012 iCode information security All rights reserved
  • 2. Agenda
    • Application InSecurity
    • TOP 10 Risks in APPSEC
    • Addressing the Problem
    • APPSEC Training
    • APPSEC Verification Process
    • APPSEC Standard (Security Levels)
    • APPSEC Protection Infrastructure
  • 3. Application InSecurity
    Mohamed Ridha Chebbi, CISSP
  • 4. Web Application Security Defined
    [Diagram: Desktop / Client → Internet → Firewall (Intrusion Detection and Prevention) → Web Server → App Server → Database Server. Ports 443 & 80 still open. Web app layer: 75% of hacker attacks occur here.]
    [Timeline: Web Application Security Evolution: 1980s Desktop & Content Security, 1990s Network Security, 2000s Application Security]
  • 5. Why Website Security Matters
    • $7.2+ Million is the average cost of a data breach (Ponemon Institute – 2011)
    • 400+ new vulnerabilities a month, and growing
    • 75%+ of cyber attacks & Internet security violations are generated through applications (Gartner Group – 2011)
    • 75% of enterprises experienced some form of cyber attack in 2011 (Symantec Internet Security Report – April 2011)
    • 79% of victims subject to PCI DSS had not achieved compliance (Verizon Business Data Breach Report – July 2011)
  • 6. Today’s Web Application Vulnerabilities (Q1-Q2 2010)
    [Chart: Web Application Vulnerabilities (% of total)]
  • 7. Today’s Web Application Vulnerabilities (Q1-Q2 2010)
    [Chart: Web Application Vulnerabilities by Class (Commercial Applications)]
  • 8. Today’s Web Application Vulnerabilities (Q1-Q2 2010)
    [Chart: Other Category]
  • 9. Today’s Web Application Vulnerabilities (Q1-Q2 2010)
    [Chart: Web Application Vulnerabilities (Proprietary Applications)]
  • 10. Today’s Web Application Vulnerabilities (Q1-Q2 2010)
    [Chart: Vulnerable Web Applications by type (Proprietary Applications)]
  • 11. Hacking Continues …
  • 12. Breach Time to Detection
    Average number of days between when a breach occurred and when it was discovered = 156 days (between 5 & 6 months).
    Main reason why an investigation was launched? Because the credit card company detected a data pattern of unauthorized use.
  • 13. The Top 10 Risks in Application Security
  • 14. OWASP Top Ten (2010 Edition)
    http://www.owasp.org/index.php/Top_10
  • 15. VERACODE Assessment Results
  • 16. VERACODE Assessment Results
  • 17. Addressing the Problem
  • 18. How to Start?
    1. Develop Secure Code
       • Use the Application Security Standard – Risk Mitigation Best Practices
       • Training in Secure Coding
    2. Test and Review Applications in accordance with the Application Security Standard – Verification Process
       Security considerations during the SDLC:
       • Static Assessment (during build)
       • Dynamic Assessment (during testing)
       • Internal Reviews (during design & build)
       • PEN Testing (during operation)
    3. Protect & Monitor Applications and Databases in accordance with the Application Security Standard – Protection & Monitoring Architecture
       Protect applications & data by using:
       • Web Application Firewalls (WAF)
       • Database Firewalls (DBF)
       • File Firewalls (FF)
  • 19. Application Security Training
    iCode in-class courses:
    • Application Security Fundamentals
    • TOP 10 OWASP in detail
    • Secure Coding Java
    • Secure Coding .NET
    • Mobile Application Security
    • Security Testing
    • SDL
    iCode virtual class courses:
    • 50+ hours of online courses
    • 33+ course modules (from security fundamentals to secure coding)
  • 20. Application Security Life Cycle
    Phases: Design → Build → Test → Deploy → Operate
    Activities across the phases: Internal Review (annually) … Static Assessment … Dynamic Assessment … PEN Testing (new versions/releases) … Web Application & Data Protection & Monitoring
  • 21. Application Security Levels
  • 22. Security Requirements & Levels
    Level of rigor: Level 1, Level 2
    Sections:
    V1. Security Architecture
    V2. Authentication
    V3. Session Management
    V4. Access Control
    V5. Input Validation
    V6. Output Encoding/Escaping
    V7. Cryptography
    V8. Error Handling and Logging
    V9. Data Protection
    V10. Communication Security
    V11. HTTP Security
    V12. Security Configuration
    V13. Malicious Code Search
    V14. Internal Security
  • 23. Application Security Level 1
    Level 1 Verification is typically appropriate for applications where some confidence in the correct use of security controls is required. Threats to security will typically be viruses, worms and misuse.
    There are two constituent components for Level 1:
    - Level 1A is for the use of automated application vulnerability scanning (dynamic analysis)
    - Level 1B is for the use of automated source code scanning (static analysis)
    NOTE: if the verifier’s selected tool suite does not have the capability to verify a specified verification requirement, the verifier can perform manual verification to fill this gap.
    Level 1A + Level 1B = Level 1
  • 24. Application Security Level 2
    Level 2 is appropriate for applications that handle personal transactions, conduct business-to-business transactions, or process personally identifiable information. Threats to security will typically be viruses, worms and opportunists such as malicious attackers.
    There are two constituent components for Level 2:
    - Level 2A is for the use of automated application vulnerability scanning (dynamic analysis)
    - Level 2B is for the use of automated source code scanning (static analysis)
    Note 1: if the verifier’s selected tool suite does not have the capability to verify a specified verification requirement, the verifier can perform manual verification to fill this gap.
    Note 2: the verifier needs to manually review and augment all the results for each Level 2 requirement.
    Level 2A + Level 2B = Level 2
  • 25. Application Security Level 1
    Example: ADB/ASS-V2 Authentication Verification Requirements for Level 1 (each requirement is marked against Level 1A and/or Level 1B in the original table)
    V2.1 Verify that all pages and resources require authentication except those specifically intended to be public.
    V2.2 Verify that all password fields do not echo the user’s password when it is entered, and that password fields (or the forms that contain them) have autocomplete disabled.
    V2.3 Verify that if a maximum number of authentication attempts is exceeded, the account is locked for a period of time long enough to deter brute force attacks.
  • 26. Application Security Level 2
    Example: ADB/ASS-V2 Authentication Verification Requirements for Level 2 (each requirement is marked against Level 2A and/or Level 2B in the original table)
    V2.1 Verify that all pages and resources require authentication except those specifically intended to be public.
    V2.2 Verify that all password fields do not echo the user’s password when it is entered, and that password fields (or the forms that contain them) have autocomplete disabled.
    V2.3 Verify that if a maximum number of authentication attempts is exceeded, the account is locked for a period of time long enough to deter brute force attacks.
    V2.4 Verify that all authentication controls are enforced on the server side.
    V2.5 Verify that all authentication controls (including libraries that call external authentication services) have a centralized implementation.
    V2.6 Verify that all authentication controls fail securely.
    V2.7 Verify that the strength of any authentication credentials is sufficient to withstand attacks that are typical of the threats in the deployed environment.
  • 27. Application Security Level 2
    Example: ADB/ASS-V2 Authentication Verification Requirements for Level 2 (continued)
    V2.8 Verify that users can safely change their credentials using a mechanism that is at least as resistant to attack as the primary authentication mechanism.
    V2.9 Verify that re-authentication is required before any application-specific sensitive operations are permitted.
    V2.10 Verify that after an administratively-configurable period of time, authentication credentials expire.
    V2.11 Verify that all authentication decisions are logged.
    V2.12 Verify that account passwords are salted using a salt that is unique to that account (e.g., internal user ID, account creation) and hashed before storing.
    V2.13 Verify that all authentication credentials for accessing services external to the application are encrypted and stored in a protected location (not in source code).
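The V2 requirements above are phrased as things a verifier checks, not as code. The following Python sketch is an added example (it is not code from the iCode deck or from any standard) of what an implementation that satisfies V2.3, V2.6, V2.11 and V2.12 looks like, so a reviewer doing Level 1B/2B source scanning knows what to look for and a Level 1A/2A dynamic test knows what behaviour to expect. The class and function names, the account names and passwords, and the constants MAX_ATTEMPTS, LOCKOUT_SECONDS and PBKDF2_ITERATIONS are all constructed for this example.

```python
"""Added example: a small authentication service that satisfies several of the
V2 authentication requirements listed on the slides. Not code from the deck;
all names, sample accounts and tuning constants are constructed here.

  V2.3  lockout once a maximum number of failed attempts is exceeded
  V2.6  authentication controls fail securely (any internal error denies)
  V2.11 every authentication decision is logged
  V2.12 passwords are hashed with a salt that is unique to the account
"""
import hashlib
import hmac
import logging
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
log = logging.getLogger("auth")

MAX_ATTEMPTS = 5             # V2.3: failures allowed before the account locks (constructed value)
LOCKOUT_SECONDS = 15 * 60    # V2.3: lock long enough to deter online brute force (constructed value)
PBKDF2_ITERATIONS = 200_000  # V2.12: PBKDF2-HMAC-SHA256 work factor; raise to what your hardware tolerates
SALT_BYTES = 16


@dataclass
class Account:
    salt: bytes                 # V2.12: generated per account at creation, never shared
    password_hash: bytes        # PBKDF2 output; the clear-text password is never stored
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


class AuthService:
    """In-memory account store plus the login decision logic."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._accounts: Dict[str, Account] = {}
        self._clock = clock  # injectable so a test can move time past the lockout window

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)  # V2.12: fresh random salt for this account only
        self._accounts[username] = Account(salt=salt, password_hash=self._derive(password, salt))

    def is_locked(self, username: str) -> bool:
        acct = self._accounts.get(username)
        return acct is not None and self._clock() < acct.locked_until

    def authenticate(self, username: str, password: str) -> bool:
        """Return True only on a verified password for an unlocked account."""
        try:
            acct: Optional[Account] = self._accounts.get(username)
            if acct is None:
                # Do the same amount of work for unknown users so response time
                # does not reveal whether the account exists.
                self._derive(password, b"\x00" * SALT_BYTES)
                return self._decide(username, False, "unknown account")
            now = self._clock()
            if now < acct.locked_until:
                return self._decide(username, False, "account locked")
            ok = hmac.compare_digest(self._derive(password, acct.salt), acct.password_hash)
            if ok:
                acct.failed_attempts = 0
                return self._decide(username, True, "password verified")
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_SECONDS  # V2.3
                acct.failed_attempts = 0
                return self._decide(username, False, "bad password, account locked")
            return self._decide(username, False, "bad password")
        except Exception as exc:  # V2.6: an unexpected failure is a denial, never a bypass
            return self._decide(username, False, f"internal error ({type(exc).__name__})")

    def _decide(self, username: str, granted: bool, reason: str) -> bool:
        # V2.11: every authentication decision, allow or deny, is logged with its reason
        log.info("auth decision user=%r granted=%s reason=%s", username, granted, reason)
        return granted


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "correct horse battery staple")
    print(svc.authenticate("alice", "correct horse battery staple"))  # True
    for _ in range(MAX_ATTEMPTS):
        svc.authenticate("alice", "guess")
    print(svc.is_locked("alice"))  # True
```

Two design points matter for the verifier. The lockout state lives with the account on the server (V2.4), so a client cannot reset the counter, and the injectable clock lets an automated test exercise the whole lock-and-expire cycle without waiting out the real window. The comparison uses hmac.compare_digest rather than ==, so the password check does not leak information through timing.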
  • 28. Verification Output Report
    The Level 1 or Level 2 Verification Report shall document the results of the analysis, including any remediation of vulnerabilities that was required.
    Report columns: Level, Pass, Fail, Requirement, with the following fields for each requirement:
    • Verdict
    • Verdict justification
    • Location (URL (Level 2) w/parameters and/or source file path, name and line number(s))
    • Description (including configuration information as appropriate)
    • Risk rating
    • Risk justification
    Any remediation of vulnerabilities that were discovered shall be provided as part of the report.
  • 29. Accreditation & Baselines
  • 30. Example of Accreditation Document
    Application Security Accreditation Form
    Application: Category, Version, Release Date
    Application supports the following business functions:
    Application makes use of the following technology:
    Application makes use of the following IT infrastructure:
    Application Developer/Vendor – Primary Contact Information: First Name, Last Name, Title, Department, Telephone, email
    Security Verification Process (P / F / N/T / N/R, Ref./Comments):
    • L1A Level 1A Verification
    • L1B Level 1B Verification
    • L2A Level 2A Verification
    • L2B Level 2B Verification
    Accreditation: Zone, Production Date, Notes/Comments
    Accreditation Involved Parties …
  • 31. Applications & Data Protection
  • 32. Application & Data Protection
    [Architecture diagram: Security Operating Center; Management Server; Discovery and Assessment Server; Database Activity Monitoring of the Databases via Database Local Agent, Network Monitoring, or Native Audit; Database Firewall in front of the Databases; Web Application Firewall in front of the Web tier]
  • 33. Thanks