A presentation is given by K.K.Mookhey & Rohit Salecha at OWASP India 2013.

1. Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
Web Application Security
Strategy – Getting it Right!
K. K. Mookhey Rohit Salecha
Director Security Analyst
Network Intelligence India Pvt. Ltd.
kkmookhey@niiconsulting.com
Rohit.salecha@niiconsulting.com
30 Aug 2013

2. OWASP
Agenda
• Research Background & Objectives
• Appsec Initiatives – Options
• Case Studies
• Lessons Learnt
• Way Forward

3. OWASP
WAS Global Statistics
AKA
Standard FUD slides

4. OWASP
WAS Global Statistics
Vulnerability Population Trends for 2011-2012 as
stated by Cenzic – 26% rise since 2011
Source: http://info.cenzic.com/rs/cenzic/images/Cenzic-Application-
Vulnerability-Trends-Report-2013.pdf

5. OWASP
Ponemon Application Security Report
Average cost of data breach in
India
$1.3 Million
Average number of breached
records
26,586
Average amount due to lost
business
$283,341
Attacks in which web app issues
were exploited
86%
Security budget allocated to
appsec!
18%

6. OWASP
Existing Studies/Reports
WhiteHat Security – Annual Website Security Statistics Report
https://www.whitehatsec.com/assets/WPstatsReport_052013.pdf
Coverity – Software Security Risk Report
http://www.coverity.com/library/pdf/the-software-security-risk-report.pdf
Cenzic Application Vulnerability Trends Report
https://info.cenzic.com/2013-Application-Security-Trends-Report.html
Ponemon Application Security Report
https://www.barracuda.com/docs/white_papers/barracuda_web_app_firew
all_wp_cenzic_exec_summary.pdf
OWASP Guide for CISOs
https://www.owasp.org/index.php/Application_Security_Guide_For_CISOs

7. OWASP
Outcomes
“The results were both stunning and
deeply puzzling. The connections
between various software security controls
and SDLC behaviors and the vulnerability
outcomes and breaches is far more
complicated than we ever imagined.”
“The question we were left with is: Why do
we see such widely disparate answers
in the exact same industries? How do some
organizations effectively manage their
change control policies and regulatory
obligations so as not to be slowed down
while others are severely
challenged?”
Again, perhaps what works is a
combination of factors.
Perhaps that factor is the amount of pre-
production security testing

8. OWASP
One size does not fit all!
• Surveys/Reports cover
organizations across
industries
• Do not take into account
nature of the organization’s
current web app situation –
vendor, in-house, legacy,
COTSE, etc.
• Do not take into account
current level of maturity
• Try to draw general
conclusions from
average/sum of all data

9. OWASP
Appsec Options

10. OWASP
Appsec Program – Options
• Annual PT
• On-going Assessments
• Source Code Reviews
• Secure Coding Training
• Secure Coding Guidelines
• Web Application Firewall
• Security Scanning Tool
• Application Security Framework
• Security Design Review

11. OWASP
Burning questions
• What should we invest in? What works and
what doesn’t?
• In what sequence?
• What is likely to give the most ROI in terms of
significant improvements?
• Challenges with these initiatives – how to get
them right?

12. OWASP
A popular dotcom
Case studies

13. OWASP
Background
• Working with them since 2004
• Annual Grey-box Testing
• No secure coding guidelines
• No on-going Appsec reviews
• Just recently procured a WAF

14. OWASP
Statistics – Number of Vulnerabilities
The # of vulnerabilities have gone up between 2012 and 2013
0
1
2
3
4
5
6
7
8
9
10
Jul-12 Mar-13
Sum of High
Sum of Medium

15. OWASP
Statistics – Type of Vulnerabilities
The # of Business Logic Issues have gone up between 2012 and 2013
0
1
2
3
4
5
6
7
8
Jul-12 Mar-13
Business Logic
Input Validations
Others

16. OWASP
Analysis
• Lots of new code going live every day. Multiple
releases per day vs. one release per week
previously
• Pen-testing skills have improved
• More scope for testing – lot more functionality
on the sites
• Increase in business-logic issues – as we have
thoroughly understood their workings now

17. OWASP
A BFSI Client
Case studies

18. OWASP
Background
• BFSI Company
• Used to get periodic penetration tests done
• Contracted us in 2011 to do on-going appsec
testing
• We did 1 round of secure coding training as
well
• We work closely with their development teams
to help address the issue
• Development teams are largely outsourced –
though many working onsite

19. OWASP
Statistics
The # of vulnerabilities goes up and down – no significant trends
emerge!
Why?
0
50
100
150
200
250
300
Sum of High
Sum of Medium

20. OWASP
Analysis
• High turnover in the developer teams
• Lessons imparted via training or daily
interactions become useless due to the above
• Reduction seen where metrics being used to
penalize vendors
• Source Code Review is effective but has
inherent challenges

21. OWASP
A Financial Products IT Company
Case studies

22. OWASP
Background
• Financial Products Company
• Used to get annual penetration tests done
• Implemented SCR solution in 2011
• We did 1 round of training on secure coding
• Secure coding guidelines also developed
• Development done largely by internal teams

23. OWASP
Statistics
The # of vulnerabilities going down
Why?
0
2
4
6
8
10
12
May-11 Oct-12
Sum of High
Sum of Medium

24. OWASP
Analysis
• Low turnover in developer team
• Team leads have been with them since past 6-7
years
• SCR tool faced lot of resistance, but gradually
acceptability has grown
• Developers have written custom sanitization
functions and configured these in SCR
• No code is uploaded without running it through
SCR
• Lessons learnt from pen-tests have also been
incorporated into secure coding guidelines

25. OWASP
SCR Tool
• Challenges
• Does not identify business logic issues
• Large number of false positives
“60,000 vulnerable lines, 2nd - 25,000, 3rd - 18,000, 4th - 13,000.”
• May not support your coding platform
• Not able to handle large codebases
• Positives
• Can scan incrementally
• Allows custom sanitization functions to be configured
• Allows false positives to be marked
• Exports data into Excel for easy tracking
• Has extensive knowledge base
• Pin-points exact location

26. OWASP
A Telco
Case studies

27. OWASP
Background
• Large Telco
• On-going Appsec assessments
• On-going SCR
• Periodic penetration tests
• Development done by vendors
• WAF Implemented since a year, but…

28. OWASP
Statistics
0
50
100
150
200
250
300
350
400
Sep-12 Jan-13 May-13 Jun-13 Aug-13
Sum of High
Sum of Medium
The # of vulnerabilities are stable – no significant trends emerge!
Why?
Note, this is a vulnerability tracker, so issues are open
issues, not rediscovered issues

29. OWASP
Analysis
• Vendor delays in fixing the issues
• Multiple reassessments leads to the issues
remaining open and overlapped in subsequent
assessments
• High level of exposure on the Internet
• Multiple approaches adopted and strong focus
on appsec in recent times
• WAF implementation remains a challenge

30. OWASP
WAF Challenges

31. OWASP
WAF Right Approach
• Understanding of the Applications that will be
integrated with WAF
• Enabling the right security policies for the
application
• Testing the alerts and violations for identifying
the false positives
• Involvement of the development team to verify
on the URL’s learnt, alerts, violations, update on
the mitigation, update on application changes
and broken links & references

32. OWASP
WAF Implementation Mistakes
• Not changing the default error page of WAF
• Not informing about the changes that happen in
the application code
• Not checking the broken link and broken
references
• Not fine-tuning the web directory and Web
URL’s
• Keeping the WAF in the Monitoring Mode,
without defined plan for migration to Block
Mode.

33. OWASP
Summary of the Options Exercised
Option Dotcom BFSI IT Telco
Annual VAPT    
Round-the-clock
Assessments
   
SCR – Tool    
SC Guidelines    
Threat Modeling    
WAF    
SC Training    
Appsec Tools    
Security Frameworks in use    
Vulnerability Management    

34. OWASP
So…
Where do we go now?

35. OWASP
Strategic Options / 1
 If you have all your development done in-house
 If your team is relatively stable
 Then:
 Embed security into the SDLC by beginning with on-
going assessments
 Source code reviews
 Have someone manage the SCR Tool output
 Training
 Development of secure coding guidelines
 Development/Embedding of a security framework

36. OWASP
Strategic Options / 2
 If you have many complex, heterogeneous
systems, some from vendors, some in-house
 Then
 Same strategy as #1, plus…
 Strong vendor management processes for meeting
security objectives
 WAF

37. OWASP
Strategic Options / 3
 If all your applications are from vendors
 And if you have limited budgets
 On-going assessments
 But eventually…

38. OWASP
Strategic Options / 4
 If you are a vendor
 Then:
 Do everything! Seriously, is that even a question?
 Pre-hiring checks
 Training – after hiring and periodically thereafter
 Secure coding guidelines
 Security frameworks
 Threat modeling
 Grey-box assessments
 Source code reviews – embed SCR into IDE
 Include # of security bugs in developer appraisals
 Incentivize security innovation
 Internal & external marketing, nay, evangelism!

39. OWASP
Common Elements of any Strategy
 Management Commitment
 Prioritized Approach
 Measurement & Metrics
 # of issues per application – trend over time
 # of issues by vendor
 Time taken to fix issues
 # of issues by source (grey-box, external PT, source code review, etc.)
 See what works and what doesn’t for your organization
 Vendor Management
 SLAs for fixing security bugs
 Service credits for bugs found
 Enforcing security assessments by the vendor
 Enforcing adoption of SDL by the vendor

40. OWASP
Open Questions…
• Outsource vs. In-house Security Assessment
• Legacy Apps – Orphaned
• Level of enforcement at the vendor’s end
• Procure tool vs. Security as a Service
• Business Logic Issues
• Bug Bounty Program

41. OWASP
Any Questions?
Thank You!
Take the Survey!
http://niiconsulting.com/surveys/wass/index.php