Web Application Security Strategy
1. Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
Web Application Security Strategy - Getting it Right!
K. K. Mookhey, Director
Rohit Salecha, Security Analyst
Network Intelligence India Pvt. Ltd.
kkmookhey@niiconsulting.com
Rohit.salecha@niiconsulting.com
30 Aug 2013
4. OWASP
WAS Global Statistics
Vulnerability Population Trends for 2011-2012 as stated by Cenzic: 26% rise since 2011
Source: http://info.cenzic.com/rs/cenzic/images/Cenzic-Application-Vulnerability-Trends-Report-2013.pdf
5. OWASP
Ponemon Application Security Report
Average cost of a data breach in India: $1.3 Million
Average number of breached records: 26,586
Average amount due to lost business: $283,341
Attacks in which web app issues were exploited: 86%
Security budget allocated to appsec: 18%
7. OWASP
Outcomes
"The results were both stunning and deeply puzzling. The connections between various software security controls and SDLC behaviors and the vulnerability outcomes and breaches is far more complicated than we ever imagined."
"The question we were left with is: Why do we see such widely disparate answers in the exact same industries? How do some organizations effectively manage their change control policies and regulatory obligations so as not to be slowed down while others are severely challenged?"
Again, perhaps what works is a combination of factors.
Perhaps that factor is the amount of pre-production security testing.
8. OWASP
One size does not fit all!
• Surveys and reports cover organizations across industries
• They do not take into account the nature of the organization's current web app situation: vendor, in-house, legacy, COTS, etc.
• They do not take into account the current level of maturity
• They try to draw general conclusions from the average or sum of all data
11. OWASP
Burning questions
• What should we invest in? What works and what doesn't?
• In what sequence?
• What is likely to give the most ROI in terms of significant improvements?
• Challenges with these initiatives: how to get them right?
13. OWASP
Background
• Working with them since 2004
• Annual grey-box testing
• No secure coding guidelines
• No on-going appsec reviews
• Just recently procured a WAF
14. OWASP
Statistics - Number of Vulnerabilities
The number of vulnerabilities has gone up between 2012 and 2013
[Chart: Sum of High and Sum of Medium vulnerabilities, Jul-12 vs Mar-13 (y-axis 0-10)]
15. OWASP
Statistics - Type of Vulnerabilities
The number of business logic issues has gone up between 2012 and 2013
[Chart: Business Logic, Input Validation and Other issues, Jul-12 vs Mar-13 (y-axis 0-8)]
16. OWASP
Analysis
• Lots of new code going live every day: multiple releases per day vs. one release per week previously
• Pen-testing skills have improved
• More scope for testing: a lot more functionality on the sites
• Increase in business-logic issues, as we have thoroughly understood their workings now
18. OWASP
Background
• BFSI company
• Used to get periodic penetration tests done
• Contracted us in 2011 to do on-going appsec testing
• We did 1 round of secure coding training as well
• We work closely with their development teams to help address the issues
• Development teams are largely outsourced, though many work onsite
19. OWASP
Statistics
The number of vulnerabilities goes up and down; no significant trends emerge!
Why?
[Chart: Sum of High and Sum of Medium vulnerabilities per assessment (y-axis 0-300)]
20. OWASP
Analysis
• High turnover in the developer teams
• Lessons imparted via training or daily interactions become useless due to the above
• Reduction seen where metrics are being used to penalize vendors
• Source code review is effective but has inherent challenges
22. OWASP
Background
• Financial products company
• Used to get annual penetration tests done
• Implemented an SCR solution in 2011
• We did 1 round of training on secure coding
• Secure coding guidelines also developed
• Development done largely by internal teams
23. OWASP
Statistics
The number of vulnerabilities is going down
Why?
[Chart: Sum of High and Sum of Medium vulnerabilities, May-11 vs Oct-12 (y-axis 0-12)]
24. OWASP
Analysis
• Low turnover in the developer team
• Team leads have been with them for the past 6-7 years
• The SCR tool faced a lot of resistance, but acceptance has gradually grown
• Developers have written custom sanitization functions and configured these in the SCR tool
• No code is uploaded without running it through SCR
• Lessons learnt from pen-tests have also been incorporated into the secure coding guidelines
25. OWASP
SCR Tool
• Challenges
  • Does not identify business logic issues
  • Large number of false positives
    "60,000 vulnerable lines, 2nd - 25,000, 3rd - 18,000, 4th - 13,000."
  • May not support your coding platform
  • Not able to handle large codebases
• Positives
  • Can scan incrementally
  • Allows custom sanitization functions to be configured
  • Allows false positives to be marked
  • Exports data into Excel for easy tracking
  • Has an extensive knowledge base
  • Pin-points the exact location
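The two SCR points that matter most in practice are the false-positive volume and the ability to register the team's own sanitization functions. The following is an added example, not the deck's or any vendor's SCR tool: a toy taint checker over Python source that flags data flowing from a request source into a SQL or shell sink, and lets the team register a custom sanitizer so that calls passing through it stop being reported. The source, sink and sanitizer names, the hypothetical `escape_sql` function and the sample code are all constructed for this illustration.

```python
import ast
from typing import List, Set

# Toy knowledge base, constructed for this example; a real SCR tool ships a
# far larger one and lets you extend the sanitizer list (as the deck describes).
SOURCES = {"request.args.get", "request.form.get", "input"}
SINKS = {"cursor.execute", "os.system"}
DEFAULT_SANITIZERS = {"shlex.quote", "int"}


def _call_name(node: ast.AST) -> str:
    """Return the dotted callee name of a Call, e.g. 'cursor.execute'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


class TaintChecker(ast.NodeVisitor):
    """Flow-insensitive, single-file taint propagation through assignments."""

    def __init__(self, sanitizers: Set[str]):
        self.sanitizers = set(sanitizers)
        self.tainted: Set[str] = set()      # variable names currently tainted
        self.findings: List[str] = []

    def is_tainted(self, node: ast.AST) -> bool:
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            name = _call_name(node.func)
            if name in SOURCES:
                return True
            if name in self.sanitizers:
                return False                # sanitizer output is trusted
            return any(self.is_tainted(a) for a in node.args)
        if isinstance(node, ast.BinOp):     # string concatenation
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):  # f-strings
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        return False

    def visit_Assign(self, node: ast.Assign) -> None:
        tainted = self.is_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                (self.tainted.add if tainted else self.tainted.discard)(target.id)
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node.func)
        if name in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append(f"line {node.lineno}: tainted data reaches {name}")
        self.generic_visit(node)


def scan(source: str, extra_sanitizers=()) -> List[str]:
    """Scan one module; extra_sanitizers plays the role of the SCR tool's
    'custom sanitization function' configuration."""
    checker = TaintChecker(DEFAULT_SANITIZERS | set(extra_sanitizers))
    checker.visit(ast.parse(source))
    return checker.findings


# Constructed sample under review: escape_sql is the team's own (hypothetical)
# sanitizer, which the tool knows nothing about until it is configured.
SAMPLE = """\
user = request.args.get("user")
safe_user = escape_sql(user)   # team's own sanitizer
cursor.execute("SELECT * FROM accounts WHERE name = '" + safe_user + "'")
cursor.execute("SELECT * FROM accounts WHERE name = '" + user + "'")
fname = shlex.quote(request.args.get("f"))
os.system("ls " + fname)
"""

if __name__ == "__main__":
    print("default config:  ", scan(SAMPLE))
    print("escape_sql known:", scan(SAMPLE, extra_sanitizers=["escape_sql"]))
```

With the default configuration the checker reports both `cursor.execute` calls (lines 3 and 4 of the sample); once `escape_sql` is registered as a sanitizer only the genuinely unsanitized call on line 4 remains, which is exactly the false-positive reduction the deck attributes to configuring custom sanitization functions. A real tool does the same thing with inter-procedural analysis and a much larger source/sink database.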
29. OWASP
Analysis
• Vendor delays in fixing the issues
• Multiple reassessments lead to issues remaining open and overlapping in subsequent assessments
• High level of exposure on the Internet
• Multiple approaches adopted and a strong focus on appsec in recent times
• WAF implementation remains a challenge
31. OWASP
WAF Right Approach
• Understanding of the applications that will be integrated with the WAF
• Enabling the right security policies for the application
• Testing the alerts and violations to identify false positives
• Involvement of the development team to verify the URLs learnt, the alerts and violations, and to provide updates on mitigation, application changes, and broken links and references
32. OWASP
WAF Implementation Mistakes
• Not changing the default error page of the WAF
• Not communicating the changes that happen in the application code
• Not checking for broken links and broken references
• Not fine-tuning the web directory and web URLs
• Keeping the WAF in monitoring mode without a defined plan for migration to blocking mode
35. OWASP
Strategic Options / 1
• If you have all your development done in-house
• If your team is relatively stable
• Then:
  • Embed security into the SDLC by beginning with on-going assessments
  • Source code reviews
  • Have someone manage the SCR tool output
  • Training
  • Development of secure coding guidelines
  • Development/embedding of a security framework
36. OWASP
Strategic Options / 2
• If you have many complex, heterogeneous systems, some from vendors, some in-house
• Then:
  • Same strategy as #1, plus…
  • Strong vendor management processes for meeting security objectives
  • WAF
37. OWASP
Strategic Options / 3
• If all your applications are from vendors
• And if you have limited budgets
  • On-going assessments
  • But eventually…
38. OWASP
Strategic Options / 4
• If you are a vendor
• Then:
  • Do everything! Seriously, is that even a question?
  • Pre-hiring checks
  • Training, after hiring and periodically thereafter
  • Secure coding guidelines
  • Security frameworks
  • Threat modeling
  • Grey-box assessments
  • Source code reviews; embed SCR into the IDE
  • Include the number of security bugs in developer appraisals
  • Incentivize security innovation
  • Internal and external marketing, nay, evangelism!
39. OWASP
Common Elements of any Strategy
• Management commitment
• Prioritized approach
• Measurement and metrics
  • Number of issues per application, trended over time
  • Number of issues by vendor
  • Time taken to fix issues
  • Number of issues by source (grey-box, external PT, source code review, etc.)
  • See what works and what doesn't for your organization
• Vendor management
  • SLAs for fixing security bugs
  • Service credits for bugs found
  • Enforcing security assessments by the vendor
  • Enforcing adoption of an SDL by the vendor
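The metrics and vendor-management items above are easy to compute once each finding is recorded with its application, vendor, source, severity and discovery/fix dates. The following is an added example, not part of the deck or of any tool the authors used: a small Python module that computes the four metrics listed (issues per application over time, by vendor, time to fix, by source) and checks fix times against a per-severity SLA. The `Finding` schema, the sample findings and the SLA thresholds are constructed for this illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Finding:
    app: str
    vendor: str
    source: str            # "grey-box", "external PT", "source code review", ...
    severity: str          # "High" or "Medium", as in the deck's charts
    found: date
    fixed: Optional[date] = None   # None while the issue is still open


# Constructed sample data, not real assessment output.
FINDINGS = [
    Finding("payments", "VendorA", "grey-box", "High", date(2012, 7, 2), date(2012, 7, 20)),
    Finding("payments", "VendorA", "source code review", "Medium", date(2012, 7, 2), date(2012, 9, 30)),
    Finding("payments", "VendorA", "grey-box", "High", date(2013, 3, 4), None),
    Finding("portal", "in-house", "external PT", "High", date(2012, 7, 2), date(2012, 7, 9)),
    Finding("portal", "in-house", "source code review", "Medium", date(2013, 3, 4), date(2013, 3, 11)),
    Finding("portal", "in-house", "grey-box", "Medium", date(2013, 3, 4), None),
]

# Hypothetical SLA: maximum days allowed to fix, by severity.
SLA_DAYS = {"High": 14, "Medium": 60}


def issues_per_app_over_time(findings: List[Finding]) -> Dict[str, Dict[str, int]]:
    """Number of issues found per application per assessment month (YYYY-MM)."""
    out: Dict[str, Counter] = defaultdict(Counter)
    for f in findings:
        out[f.app][f.found.strftime("%Y-%m")] += 1
    return {app: dict(c) for app, c in out.items()}


def issues_by(findings: List[Finding], attr: str) -> Dict[str, int]:
    """Count findings by any attribute, e.g. 'vendor' or 'source'."""
    return dict(Counter(getattr(f, attr) for f in findings))


def mean_days_to_fix(findings: List[Finding], vendor: Optional[str] = None) -> Optional[float]:
    """Average fix time over closed findings, optionally for one vendor."""
    durations = [(f.fixed - f.found).days for f in findings
                 if f.fixed is not None and (vendor is None or f.vendor == vendor)]
    return sum(durations) / len(durations) if durations else None


def sla_breaches(findings: List[Finding], today: date) -> List[Finding]:
    """Findings whose fix time (or age, if still open) exceeds the SLA for their severity."""
    breaches = []
    for f in findings:
        age = ((f.fixed or today) - f.found).days
        if age > SLA_DAYS[f.severity]:
            breaches.append(f)
    return breaches


if __name__ == "__main__":
    print("per app/month:", issues_per_app_over_time(FINDINGS))
    print("by vendor:    ", issues_by(FINDINGS, "vendor"))
    print("by source:    ", issues_by(FINDINGS, "source"))
    print("mean fix days:", mean_days_to_fix(FINDINGS))
    for f in sla_breaches(FINDINGS, date(2013, 4, 1)):
        print("SLA breach:", f.vendor, f.app, f.severity, f.found)
```

Open findings are counted against the SLA by their age as of the reporting date, so a vendor cannot improve its numbers by leaving issues unfixed; that is the behaviour needed if service credits are tied to these metrics, as the vendor-management items suggest.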
40. OWASP
Open Questions…
• Outsource vs. in-house security assessment
• Legacy apps that are orphaned
• Level of enforcement at the vendor's end
• Procure a tool vs. security as a service
• Business logic issues
• Bug bounty program