INFOSECFORCE

Application Security

Bill Ross
15 Sept 2008

"Balancing security controls to business requirements"
Security and Project Lifecycles

Security and Lifecycle Management Process (SLCMP)

Said "slickum"

A "practitioner's" view ...

Bill Ross
Slickum brief objectives

Purpose:

 - Discuss application security issues
 - Describe web application information security
 - Describe a process by which software is securely developed

Expected outcome:

 - An increased awareness of how to prevent web application attacks
 - An understanding of how to implement the SLCMP process into the SDLC
 - More securely built applications and infrastructure
What You Need to Know

Source: Symantec Internet Security Threat Report, Volume XIV
Operational report

 - Less rigor in Web programming, an increasing variety of software, and restrictions on Web security testing have combined to make flaws in Web software the most reported security issues, according to the Common Vulnerabilities and Exposures (CVE) project.

 - Web and business applications are increasingly compromised around the world, causing businesses to lose millions of dollars through data compromise.

 - Hacking is no longer for fun ... it is for profit. Internal or external hackers exploit weaknesses in application code to achieve their objectives.

 - The Symantec 2008 Cyber report indicates there are 1,656,227 new threats in the wild.
Common attack tools

1. Phishing. The use of e-mails that appear to originate from a trusted source to trick a user into entering valid credentials at a fake website. Typically the e-mail and the website look like they are part of a bank the user does business with.

2. Malicious code. Software (e.g., a Trojan horse) that appears to perform a useful or desirable function, but actually gains unauthorized access to system resources or tricks a user into executing other malicious logic. Malware is a generic term for a number of different types of malicious code.

3. Spam. Electronic junk mail or junk newsgroup postings.

4. Worms. A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively.

5. Trojan. A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.

6. Virus. A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting (i.e., inserting a copy of itself into and becoming part of) another program. A virus cannot run by itself; it requires that its host program be run to make the virus active.

8. Keystroke logger. The practice of tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored.

9. Denial of service. The prevention of authorized access to a system resource or the delaying of system operations and functions.

10. Web application attacks.
"The Cyber Battlefield"

Google China cyber attack part of vast espionage campaign, experts say

Computer attacks on Google that the search giant said originated in China were part of a concerted political and corporate espionage effort that exploited security flaws in e-mail attachments to sneak into the networks of major financial, defense and technology companies and research institutions in the United States, security experts said. (New York Times)

Washington (DC) - Yesterday, the FBI announced it considers cyber attacks to be the third greatest threat to the security of the United States. The only two preceding it are nuclear war and weapons of mass destruction (WMD). (Jan 2009)
Malicious code is installed

 • In 2008, Symantec blocked an average of more than 245 million attempted malicious code attacks worldwide each month.
 • Over 60% of Symantec's malicious code signatures were created in 2008.
 • Over 90% of threats discovered in 2008 are threats to confidential information.

Source: Symantec Internet Security Threat Report
Key trends

"The attacks are more aggressive than ever and they're more criminal than ever," says Dave Cole, director of Symantec Security Response. The bad guys are also more organized. The report says they are working together to create "global, cooperative networks" to support their criminal activity. It's not quite the Mafia, but there is an entire underground economy in place to deal with all the stolen information up for sale.

Web-based malicious activity has accelerated
 • Primary vector for malicious activity
 • Target reputable, high-traffic websites

Cyber criminals want YOUR information
 • Focus on exploits targeting end-users for financial gain

Increased sophistication of the Underground Economy
 • Well-established infrastructure for monetizing stolen information

Rapid adaptation to security measures
 • Relocating operations to new geographic areas
 • Evade traditional security protection

Source: Symantec Internet Security Threat Report
Key Trends - Global Activity

 • Data breaches can lead to identity theft
 • Theft and loss top cause of data leakage for overall data breaches and identities exposed
 • Threat activity increases with growth in Internet/Broadband usage

 • Documented vulnerabilities up 19% (5491)
 • Top attacked vulnerability: exploits by Downadup
 • 95% of vulnerabilities attacked were client-side

 • Trojans made up 68 percent of the volume of the top 50 malicious code
 • 66% of potential malicious code infections propagated as shared executable files

 • 76% of phishing lures target financial services (up 24%)
 • Detected 55,389 phishing website hosts (up 66%)
 • Detected 192% increase in spam across the Internet, with 349.6 billion messages
 • 90% of spam email distributed by bot networks

Source: Internet Security Threat Report
Website compromise

 • Attackers locate and compromise a high-traffic site through a vulnerability specific to the site or in a Web application it hosts
 • Once the site is compromised, attackers modify pages so malicious content is served to visitors

Two entry points: site-specific vulnerabilities and Web application vulnerabilities.

Source: Internet Security Threat Report
Impact of Security Defects

Bad Business
 • On average, there are 5 to 15 defects in every 1,000 lines of code (US Dept. of Defense and the Software Engineering Institute)

Slow Business
 • It takes 75 minutes on average to track down one defect. Fixing one of these defects takes 2 to 9 hours each (5 Year Pentagon Study)
 • Researching each of the 4,200 vulnerabilities published by CERT last year for 10 minutes would have required 1 staffer to research for 17.5 full workweeks or 700 hours (Intel White paper, CERT, ICSA Labs)

Loss of Business
 • A company with 1,000 servers can spend $300,000 to test & deploy a patch; most companies deploy several patches a week (Gartner Group)
The SDL Reduces the Total Cost of Development

The National Institute of Standards and Technology (NIST) estimates that code fixes performed after release can result in 30 times the cost of fixes performed during the design phase.
Top 10 Web Security Threats

 • Broken authentication
 • Cross-site scripting (XSS)
 • Broken access control
 • Unvalidated input
 • Insecure storage
 • Buffer overflows
 • Improper error handling
 • Injection flaws
 • Insecure configuration management
 • Application denial-of-service

Source: SUN
Web Application Security Threats

1. Unvalidated input (mother of all Web-tier attacks)

An attacker can tamper with any part of the HTTP request: URL, cookies, form fields, hidden fields, headers. This is the entry point for SQL injection, cross-site scripting and buffer overflows.

2. Broken access control

Insecure IDs, poor file permissions, service account exploits, path traversal.

3. Broken authentication and session management

The focus is on USER authentication and active user sessions. For example, if cookies are not properly protected, an attacker can assume the identity of the user.

4. Cross-site scripting

A malicious script is sent to the server, which then sends it on to other users accessing the same server (e.g. a chat server). The user believes the script came from a trusted source. It can come in any form of active scripting (Java, ActiveX, Shockwave, Flash, etc.).
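Threats 1 and 4 above both come down to treating request data as trusted. The following is an added example written for this page (it is not code from the deck or from INFOSECFORCE): a user lookup and a page render written the vulnerable way next to their hardened form. The in-memory SQLite table, its two rows, the allow-list pattern and the request values are all constructed for illustration.

```python
import html
import re
import sqlite3

# Constructed sample data: a two-row users table in an in-memory SQLite database.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    con.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return con

def lookup_vulnerable(con, name):
    """Threat 1 / SQL injection: the raw request value is spliced into the SQL text,
    so quote characters in it change the statement the database executes."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return con.execute(query).fetchall()

# Constructed allow-list: what a user name is permitted to look like at the boundary.
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def lookup_hardened(con, name):
    """Allow-list validation first, then a parameterised query: the value is bound
    as data and can never become part of the SQL text."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("input validation failed for name")
    return con.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()

def render_vulnerable(name):
    """Threat 4 / XSS: untrusted text is written into HTML without encoding, so
    markup in the value is interpreted by the visitor's browser."""
    return f"<p>Hello {name}</p>"

def render_hardened(name):
    """Output encoding for the HTML context turns markup into inert text."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"

def demo():
    """Runs both variants on the same inputs and returns what each produced."""
    con = make_db()
    crafted = "x' OR '1'='1"          # constructed value carrying an embedded quote
    return {
        "vulnerable_rows": len(lookup_vulnerable(con, crafted)),   # every row comes back
        "hardened_rows": len(lookup_hardened(con, "alice")),       # exactly one row
        "vulnerable_html": render_vulnerable("<script>"),
        "hardened_html": render_hardened("<script>"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two defences are independent and both are needed: validation rejects values that have no business reaching the database, and parameterisation guarantees that whatever does reach it is treated as data. Output encoding belongs at the point where the value is written into HTML, not at input time, because the same value may later be rendered in a different context.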
Web Application Security Threats 2

5. Buffer overflow errors

Attackers use buffer overflows to corrupt the execution stack of a web application. By sending carefully crafted input to a web application, an attacker can cause the web application to execute arbitrary code. Such flaws are present in web server or application server products as well as in the web application itself.

6. Injection flaws

Injection flaws allow attackers to relay malicious code through a web application to another system. When a web application passes information from an HTTP request through as part of an external request, the attacker can inject special (meta) characters, malicious commands, or command modifiers into that information.

7. Improper error handling

The most common problem is when detailed internal error messages such as stack traces, database dumps, and error codes are displayed to a potential hacker. These messages reveal implementation details that should never be revealed.

8. Application DoS

Types of resources: bandwidth, database connections, disk storage, CPU, memory, threads, or application-specific resources. Application level resources impacting
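Threats 7 and 8 are easiest to see in a request handler. The following added example (written for this page, not code from the deck) shows a handler that returns the stack trace to the client beside one that logs the full detail server-side under a reference id, returns a generic message, and enforces per-request resource caps before any work is done. The request shape, the simulated backend failure and the limit values are constructed for illustration.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")

# Constructed resource limits (threat 8): caps on what one request may consume.
MAX_BODY_BYTES = 64 * 1024
MAX_ITEMS = 100

def process(body):
    """Simulated business logic: accepts a comma-separated list of item ids.
    The id 'boom' triggers a constructed backend failure."""
    items = body.decode("utf-8").split(",")
    if "boom" in items:
        raise RuntimeError("database error: table 'orders' does not exist")
    return f"{len(items)} items accepted"

def handler_leaky(request):
    """Threat 7 as it usually appears: the exception text and stack trace go back
    to the client, exposing file paths, function names and the backend error."""
    try:
        return 200, process(request.get("body", b""))
    except Exception:
        return 500, traceback.format_exc()

def handler_hardened(request):
    """Limits are checked before work starts; failures are logged in full on the
    server under a reference id, and the client sees only a generic message."""
    body = request.get("body", b"")
    if len(body) > MAX_BODY_BYTES:
        return 413, "Request body too large."
    if body.count(b",") + 1 > MAX_ITEMS:
        return 400, "Too many items in one request."
    try:
        return 200, process(body)
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.exception("request failed, ref=%s", ref)   # full detail stays server-side
        return 500, f"An internal error occurred (reference {ref})."

if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for name, handler in (("leaky", handler_leaky), ("hardened", handler_hardened)):
        status, text = handler({"body": b"boom"})
        print(f"{name}: {status} -> {text.splitlines()[-1]}")
```

The reference id is the piece that makes the generic message operationally usable: support staff can find the full trace in the server log without the trace ever leaving the server. Checking size and item count before calling `process` keeps an oversized request from consuming the database connections, memory and threads the slide lists.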
Attack vector analyses

Hacker targets

 • From observed hacker malicious activity statistics, we know that hackers are now seldom interested in defeating the network or the infrastructure low-level defenses. The adversaries today are well aware of the fact that applications are typically less defended than the rest of the IT infrastructure.

A Gartner report states "that over 75% of attacks against websites and web-based applications come at the application layer and not lower infrastructure and network layers."

Source: IBM
Application security paradox

Applications, data and business processes are vulnerable even when a robust network and infrastructure security program is in place.

The tiered deployment shown on the slide:

Internet
 - Protocols in use: HTTP(S), IMAP, FTP, SSH, TELNET, POP3, XML
 - Firewall only allows PORT 80 (or 443 SSL) traffic from the Internet to the web server (rule: Any - Web Server: 80)

DMZ
 - Web servers: IIS, SunOne, Apache
 - Firewall only allows applications on the web server to talk to the application server
 - Application servers: ASP.NET, WebSphere, Java

Trusted inside
 - Firewall only allows the application server to talk to the database server
 - Database servers: SQL, Oracle, DB2
 - Corporate inside

Source: SPI Dynamics
Hacking the Super Bowl

Is nothing sacred anymore????

Super Bowl exploits

"At last week's RSA Conference in San Francisco, just days after the Super Bowl attack, I sat down with Thompson. On his laptop, he showed me the simple line of Javascript code that pointed Super Bowl site visitors to a known criminal hacker exploit server. Apparently, there was a cross-site scripting error on the official Super Bowl Web site that allowed some criminal hackers to inject a poisoned iFrame command. And it wasn't just the Super Bowl site--it turns out there were several others, mostly healthcare related, including the U.S. Centers for Disease Control."

Source: Robert Vamosi, Senior editor, CNET Reviews
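The "Website compromise" slide and the Super Bowl story above describe the same failure mode: pages on a legitimate site start loading content from somewhere they never did before. The following added example (written for this page, not code from the deck or the cited article) is the defender's check for that: it parses served HTML and flags every script or iframe whose source host is outside the site's allow-list. The sample page and the allow-list are constructed; real sites would compare their own host inventory.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _SourceCollector(HTMLParser):
    """Collects the src attribute of every script and iframe element."""
    def __init__(self):
        super().__init__()
        self.sources = []          # list of (tag, src)

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append((tag, src))

def unexpected_sources(page_html, allowed_hosts):
    """Return the (tag, src) pairs that load content from a host outside the allow-list.
    Relative URLs resolve to the page's own origin and are treated as expected."""
    parser = _SourceCollector()
    parser.feed(page_html)
    flagged = []
    for tag, src in parser.sources:
        # urlparse handles absolute and protocol-relative (//host/path) URLs alike.
        host = urlparse(src.strip()).hostname
        if host is not None and host.lower() not in allowed_hosts:
            flagged.append((tag, src))
    return flagged

# Constructed sample: a page as served after a hidden iframe has been added to it.
SAMPLE_PAGE = """<html><body>
<script src="/static/app.js"></script>
<script src="https://cdn.example.test/lib.js"></script>
<iframe src="http://unexpected-host.invalid/x" width="0" height="0"></iframe>
</body></html>"""

# Constructed allow-list: the hosts this site legitimately loads scripts and frames from.
ALLOWED_HOSTS = {"www.example.test", "cdn.example.test"}

if __name__ == "__main__":
    for tag, src in unexpected_sources(SAMPLE_PAGE, ALLOWED_HOSTS):
        print(f"unexpected {tag} source: {src}")
```

Run periodically against a fresh fetch of each public page, this catches the injected element regardless of how it was written in, which is why it complements fixing the XSS that let it in. Zero-size frames, as in the sample, are exactly the kind that a visual review of the page would miss.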
How did this happen?

Business engines fueled by multiple and powerful applications
Expanding "e-com" perimeter

Microsoft's vision for secure and easy "anywhere access" (Bill Gates, 2007 RSA)
Expanding "e-com" perimeter (continued)

Microsoft's vision for secure and easy "anywhere access" (Bill Gates, 2007 RSA), now joined by social networks, the iPod and iPad as a network ("peripheral-geddon"), and "THE CLOUD".
Security coding errors

Prevent & fortify
                           This ….. IBM believes

 Application Security Strategies


 Engineering security into application systems is a critical discipline
 and should be a key component in multi-disciplinary, concurrent or
 distributed development teams. This applies to the development,
 integration, operation, administration, maintenance and evolution of
 e-Business application systems as well as to the development, delivery,
 and evolution of software-based products.




                                                                           Source: IBM
Security Business Case

Security Defects Matter

Frequent
 • 3 out of 4 business websites are vulnerable to attack (Gartner)

Pervasive
 • Majority of hacks occur at the application level (Gartner)

Undetected
 • QA testing tools are not designed to detect security defects in applications

Expensive
 • Bugs and software defects cost the national economy $60 billion annually ... delivering quality applications to the market has become a mandatory requirement ... the cost of fixing defects after deployment is almost 100 times greater than detecting and eliminating them during development.

A 1000-application sample of 'Healthchecks' with AppScan found 98% vulnerable: all had firewalls and encryption solutions in place ...

Source: Seagate Technology
Best practice solutions

Application security requirements define the high level specifications for securely developing and deploying applications.

Application Planning
 - Data Classification: classify data according to the sensitivity of the data.
 - Risk Assessment: conduct a preliminary risk assessment before development begins and after planning is complete.
 - Security Requirements: identify and document the security requirements of the application early in the development lifecycle.
 - Security Design: use the Data Classification process to determine the specific security services needed by the application.
 - SDLC: address security within all stages of the SDLC.

Application Development (minimal set of coding practices)
 - Input Validation: validate input from all sources.
 - Default deny: access control should be based on specific permission rather than exclusion. By default all access should be denied.
 - Principle of Least Privilege: perform all processes with the least set of required privileges.
 - Quality Assurance: quality assurance identifies and eliminates software vulnerabilities.
 - Perform internal testing: use source code auditing, pen testing, manual code review, or automated source code review.

Prod and Maintenance
 - Applications shall be hosted on servers compliant with the corporate security requirements for IT system hardening.
 - Applications classified as sensitive shall at a minimum have annual vulnerability assessments, when a significant change to the application has occurred, or depending on the data sensitivity and risk.
Principles of Secure Programming

TARGET THESE AREAS
 - Minimize attack surface area
 - Secure defaults
 - Principle of least privilege
 - Principle of defense in depth
 - Fail securely
 - External systems are insecure
 - Separation of duties
 - Do not trust security through obscurity
 - Simplicity
 - Fix security issues correctly

Source: SUN
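"Default deny" from the development practices and "secure defaults", "least privilege" and "fail securely" from the principles above are one idea seen from different angles. The following added example (written for this page, not code from the deck or from SUN) puts them into an authorization check: permission comes only from an explicit allow rule, a failed role lookup denies rather than grants, and the set of actions a user may perform is derived from those rules. An exclusion-based check is included for contrast. The roles, actions, allow rules and user directory are constructed for illustration.

```python
# Constructed allow rules: every (role, action) pair that is explicitly permitted.
ALLOWED = {
    ("viewer", "report:read"),
    ("analyst", "report:read"),
    ("analyst", "report:export"),
    ("admin", "report:read"),
    ("admin", "report:export"),
    ("admin", "user:manage"),
}

# Constructed deny rules for the contrasting exclusion-based check.
BLOCKED = {("viewer", "report:export"), ("viewer", "user:manage")}

# Constructed user directory (stands in for an LDAP or database lookup).
DIRECTORY = {"alice": "analyst", "bob": "viewer", "carol": "admin"}

class DirectoryUnavailable(Exception):
    """Raised when the role lookup backend cannot be reached."""

def lookup_role(user, directory):
    if directory is None:                     # simulated backend outage
        raise DirectoryUnavailable("role directory unreachable")
    return directory.get(user)

def is_allowed(user, action, directory=DIRECTORY):
    """Default deny: True only when an explicit allow rule matches. Unknown users,
    unknown roles, unknown actions and lookup failures all deny."""
    try:
        role = lookup_role(user, directory)
    except DirectoryUnavailable:
        return False                          # fail securely: an outage never grants access
    if role is None:
        return False
    return (role, action) in ALLOWED

def is_allowed_denylist(user, action, directory=DIRECTORY):
    """Exclusion-based check for contrast: anything not explicitly blocked passes,
    so an action nobody thought to block is granted to every role."""
    role = lookup_role(user, directory)
    return (role, action) not in BLOCKED

def permitted_actions(user, directory=DIRECTORY):
    """Least privilege: the complete set of actions a user may perform, derived from
    the allow rules rather than from a broad default."""
    try:
        role = lookup_role(user, directory)
    except DirectoryUnavailable:
        return set()
    return {action for (r, action) in ALLOWED if r == role}

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "mallory"):
        print(user, sorted(permitted_actions(user)))
    print("deny-list grants bob user:delete:", is_allowed_denylist("bob", "user:delete"))
    print("allow-list grants bob user:delete:", is_allowed("bob", "user:delete"))
```

The difference shows up the moment a new action is added to the application: with the allow-list nobody can perform it until a rule is written, with the deny-list everybody can until someone remembers to block it. The same shape applies to network rules (the slide's "Firewall only allows ...") and to file permissions.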
Application security risk analyses

Vulnerability: Not having a dedicated security program that trains developers to build secure applications, not embedding security into the SDLC, not conducting security testing on applications during and after development, and not having application firewalls.
Threat: Numerous threats such as SQL injection, cross site scripting, buffer overflow.
Risk: Multiple avenues of attack on organizational vital information assets.
Likelihood rating: High
Risk impact rating: High
Overall risk rating: High
Risk summary: High
Relevant controls: Hardened infrastructure (will not block port 80 attacks)
Risk mitigation: Follow application security planning, development and production best practices. Build security into all SDLC phases.
SLCMP

Embed information security in the SDLC and PLCMP by applying the practices and procedures defined in SLCMP.
An art form

"Building highly secure software is nothing less than an eloquently choreographed dance that calls upon the talent and skills of the developer, project manager and information security teaming to ensure that an application securely glides with grace across the technical stage"
SLCMP and the SDLC ... "The Dance"

Initiate
 SDLC: Statement of need for new business process, application or technology; functional requirements document designed.
 INFOSEC: INFOSEC participation in feasibility analyses, no documentation required. Build the System Security Plan based on NIST 800-53 control guidelines. Preliminary risk and vulnerability assessment done. Measures requirements against policy and provides functional adjustments. Security requirements stated based on preliminary risk and vulnerability assessments. If necessary, requirements document adjusted.

Design/Develop
 SDLC: Design and technical architecture developed; code development.
 INFOSEC: INFOSEC architecture document created based on data security categorization, policy, application functionality and risk and vulnerability assessments. Integrate controls and create detailed application security test plan defining testing tools, timelines, remedial action processes and testers. Gain approval from project manager. First phase application security testing: once code begins solidifying, use soft tools such as AppScan or SPI Dynamics for high level testing. Feed findings back to developers for code correction.

Implement
 SDLC: 1st phase prod testing; 2nd phase prod testing; QA; pre prod.
 INFOSEC: Second phase app security testing using a formalized process to decompile code as much as possible to determine if code has organic exposures violating policy, security design, and the security architecture. Correct findings and provide to developers to fix or define mitigating controls. Aspect Security has expertise in this area. Third phase app security test which follows the phase one testing process. Used as final verification that code is stable from an INFOSEC perspective. Create final risk acceptance document. ** Security certification and accreditation should be finalized.

Production
 SDLC: Prod; post prod.
 INFOSEC: Application and infrastructure penetration testing. Server cert. Ongoing pen tests, vulnerability assessments, risk management.
SLCMP Deliverables

Initiate
 - Data security categorization
 - Preliminary risk assessment
 - Security plan
 - Risk assessment
 - Functional requirements analyses
 - Assurance requirements
 - Control selection

Develop
 - Security architecture
 - Functional and vulnerability test plan
 - First phase testing
 - Additional planning assignments

Implement
 - Security control integration
 - Second phase app security testing
 - Third phase app security testing
 - Security certification
 - Security accreditation

Production
 - Threat management
 - Configuration management and control
 - Continuous monitoring
 - Incident response plan
SLCMP and the PLCMP

Initiate
 Demand manager reviews the request and categorizes project type as a small, medium, or larger project.
 Project activities: Design security controls; Begin organizing security plan development; Architecture Standards and Convergence; Project Review; Scoping; Solution Design; Cost Estimation.
 Security activities: Define security requirements; Preliminary risk assessment; Data and infrastructure categorization; Risk assessment; Functional requirements analyses; Assurance requirements analyses; Control selection and standard integration.

Design/Develop
 Control selection begins. Defines high level technical and security architecture. Detailed technical and security design.
 Project activities: Security architecture; Design and technical architecture developed; Architecture Review; Detailed Design; Level 4 Support design.
 Security activities: Security architecture; Security test plan design; Control selection and standard integration.

Implement
 Validate designs, validate cost estimates, and implement final solutions and designs.
 Project activities: Implementation; Change Management; Capacity Monitoring; Day to Day Operations planning.
 Security activities: Security control integration; Security penetration and vulnerability testing; Security certification; Security accreditation; Final risk assessment.

Production
 Operations provide operational support for all final solutions and designs implemented as part of the infrastructure.
 Project activities: Patch management; Monitoring; Incident response; Security administration; KPI reporting on security metrics.
 Security activities: Threat management; Ongoing pen and vulnerability testing; Determines validity of security architecture; Determines security process shortfalls.
                                                                                                                                                              • Determines product successful
                                                                                                                                                              functionality and shortfalls
                                                                                                                                                              • Security administration
                                                                                                                                                              • Security monitoring


INPUT
SECURITY PLAN
FEEDBACK
                         SLCMP adopted guidelines

(NIST Risk Management Framework steps, arranged on the slide around the centre box "SLCMP INPUTS".)

Starting point: FIPS 199 / SP 800-60: Security Categorization
   Defines category of information system according to potential impact of loss

FIPS 200 / SP 800-53: Security Control Selection
   Selects minimum security controls (i.e., safeguards and countermeasures) planned or in place to protect the information system

SP 800-53 / FIPS 200 / SP 800-30: Security Control Refinement
   Uses risk assessment to adjust minimum control set based on local conditions, required threat coverage, and specific agency requirements

SP 800-18: Security Control Documentation
   In system security plan, provides an overview of the security requirements for the information system and documents the security controls planned or in place

SP 800-70: Security Control Implementation
   Implements security controls in new or legacy information systems; implements security configuration checklists

SP 800-53A / SP 800-26 / SP 800-37: Security Control Assessment
   Determines extent to which the security controls are implemented correctly, operating as intended, and producing desired outcome with respect to meeting security requirements

SP 800-37: System Authorization
   Determines risk to agency operations, agency assets, or individuals and, if acceptable, authorizes information system processing

SP 800-37: Security Control Monitoring
   Continuously tracks changes to the information system that may affect security controls and assesses control effectiveness

Source: NIST
                         SLCMP Benefits

    SLCMP ROI

    Fortified applications or infrastructure projects

    Hardened against internal and external attack

    Meets regulatory compliance mandates

    Enhances IS staff knowledge and capability

    Reduces long term costs
                         Conclusions

    • 80% of all attacks on information security are directed at the web application layer
    • 2/3 of all web applications are vulnerable
    • Infrastructure security doesn't directly protect code
    • The cost of fixing defects after deployment is almost one hundred times greater than detecting and eliminating them during design
    • One of the most significant risk mitigations an organization can implement is to create a consistent end-to-end process such as the SLCMP to embed security, security testing and certification in infrastructure and software development projects

               QUESTIONS

               BACK UP SLIDES
                                  Initiate deliverables

Data security categorization: Rate application importance as a low, medium, or high impact application. This is a business impact analysis which defines the impact on an organization if security controls are breached. Leads to proper selection of the security controls required.

Preliminary risk assessment: Measures application/project requirements against policy and provides functional adjustments. Security requirements are stated based on preliminary risk and vulnerability assessments. If necessary, the requirements document is adjusted. Focuses on early assessment of the application's requirements for confidentiality, integrity and availability (CIA).
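The security categorization step in the NIST guidelines slide and the data security categorization deliverable above both rest on the FIPS 199 "high water mark" rule: each information type an application handles is rated low, moderate or high for confidentiality, integrity and availability; the system's rating per objective is the maximum across its information types, and the overall rating (the maximum across the three objectives) picks the SP 800-53 low/moderate/high control baseline. The following is an added example, not code from the deck or from INFOSECFORCE; the information types and their ratings are constructed sample data, and the deck's "medium" is mapped to the FIPS 199 term "moderate".

```python
"""FIPS 199 security categorization and SP 800-53 baseline selection.

Added example (not from the slide deck). Implements the FIPS 199 high water
mark: per-objective impact is the max across information types, and the
overall impact (max across C, I and A) selects the SP 800-53 baseline.
"""
from dataclasses import dataclass

LEVELS = ("low", "moderate", "high")  # FIPS 199 impact levels, ascending


@dataclass(frozen=True)
class InfoType:
    """One information type the application handles, with its C/I/A impact."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _normalize(level: str) -> str:
    """Accept the deck's 'medium' as FIPS 199 'moderate'; reject unknown levels."""
    level = level.lower()
    if level == "medium":
        level = "moderate"
    if level not in LEVELS:
        raise ValueError(f"unknown impact level: {level!r}")
    return level


def high_water_mark(levels) -> str:
    """Return the highest impact level among `levels`."""
    return max((_normalize(lv) for lv in levels), key=LEVELS.index)


def categorize_system(info_types) -> dict:
    """Per-objective categorization: max across information types for C, I and A."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    return {
        "confidentiality": high_water_mark(t.confidentiality for t in info_types),
        "integrity": high_water_mark(t.integrity for t in info_types),
        "availability": high_water_mark(t.availability for t in info_types),
    }


def select_baseline(categorization: dict) -> str:
    """Overall impact = max across C/I/A; this selects the SP 800-53 baseline."""
    return high_water_mark(categorization.values())


def fips199_expression(categorization: dict) -> str:
    """Render in FIPS 199 notation, e.g. SC = {(confidentiality, MODERATE), ...}."""
    cells = ", ".join(f"({k}, {v.upper()})" for k, v in categorization.items())
    return "SC = {" + cells + "}"


# Constructed sample: a web application handling customer records, a public
# catalogue and payments. Ratings are illustrative, not from the deck.
SAMPLE_WEB_APP = [
    InfoType("customer PII", "moderate", "moderate", "low"),
    InfoType("public product catalogue", "low", "medium", "moderate"),
    InfoType("payment transactions", "moderate", "high", "moderate"),
]

if __name__ == "__main__":
    cat = categorize_system(SAMPLE_WEB_APP)
    print(fips199_expression(cat))
    print("SP 800-53 baseline:", select_baseline(cat))
```

The point a practitioner should take from running it: one high-impact objective on one information type (here integrity of payment transactions) drags the whole system to the high baseline, which is why the categorization has to be done before control selection, not after.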
                                 Develop and design

Risk assessment: Conducted before the approval of the design specifications. Builds on the initial risk assessment but is more specific. Identifies possible threats/vulnerabilities. Determines the impact on the organization if a threat occurred. Identifies imposed risks on other assets. Additional controls needed to prevent identified risks need to be fed back to the development team.

Security plan: Foundation for the entire SLCMP process. Ensures all controls, architectures, risk assessments, test requirements, accreditation/assurance and personnel responsibilities are documented.

Functional requirements analyses: Ensure that enterprise security policy and standards are followed. Determine which laws must be followed by the application.

Assurance requirements analyses: Determine what level of certification the application requires. For example, government applications might require a FISMA C&A.
                                      Develop ..... continued

Control selection: Can refer to security control standards or use a NIST-like Information Security Requirements List to define the security environment that an application, service, or project should meet.

Security architecture: Multi-faceted security product linking all controls, standards, policies, governance, platform hooks, database management, boundary rules and information security science into a cohesive operational CIA security sphere. Likely a section of the Security plan.

Functional and vulnerability test plan: Multi-phase technical plan designed to ensure security controls work and that business logic and software are impervious to corruption and manipulation. Will also include penetration test plans. Feeds assurance models.

First phase testing: Provides developers an early high-level look at code stability.

Additional planning components: RFPs, SOW, funding, test lab, software requirements, staff increases, etc.
                                        Implement deliverables

Security control integration: Security control settings and switches enabled IAW (in accordance with) the Security plan and architecture.

Second phase app security testing: Formalized process to decompile code as much as possible to determine if the code has organic exposures violating policy, security design, and the security architecture. Correct findings and provide them to developers to fix or define mitigating controls. Aspect Security has expertise in this area.

Third phase app security testing: Verifies second phase corrections. Uses the app security test tool following the phase one testing process. Used as final verification that code is stable from an INFOSEC perspective.

Security certification: Pen testing, third party evaluation, test plan results approved, servers hardened and certified, control effectiveness, governance attestation.

RMP/Security accreditation: End-to-end risk evaluation incorporating all findings in security certification, final information security risk decisions, accreditation document signed.
                                     Production deliverables

Threat management: TM preventive guidance is found in the security plan. Ongoing oversight of the environment entailing constant environmental and risk management vigilance surrounding the operational environment.

Configuration management and control: Operational process and plan to ensure the environment receives current security patches and other software preventive updates, ensuring application or environment integrity is maintained.

Continuous monitoring: Implement a vulnerability management program to regularly assess integrity and availability of the operating environment. Use COSO testing and other vulnerability assessment and control processes to ensure that security processes and procedures work.

Incident response plan: The local Incident Response Plan will provide process and procedures to rapidly respond to all security events and incidents.
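The production deliverables above (patch management, continuous monitoring, and the "KPI reporting on security metrics" item in the lifecycle grid) need a measurable output, not just a plan. The following is an added example, not code from the deck or from INFOSECFORCE: it takes vulnerability scan findings and reports, per severity, how many were (or still can be) remediated within a remediation SLA, plus the open findings that are already overdue. The SLA days per severity are an assumed policy, the finding records are constructed sample data, and the finding ids are placeholders rather than real CVE numbers.

```python
"""Continuous-monitoring KPIs from vulnerability scan findings.

Added example (not from the slide deck). Computes per-severity remediation
SLA compliance and lists overdue open findings, the kind of "KPI reporting
on security metrics" the deck lists for the production phase.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed remediation SLA in days from first detection (policy choice, not from the deck).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    finding_id: str           # placeholder id, not a real CVE number
    host: str
    severity: str             # one of SLA_DAYS' keys
    first_seen: date
    fixed_on: Optional[date] = None  # None means still open


def days_open(f: Finding, today: date) -> int:
    """Days between first detection and the fix date (or today if still open)."""
    end = f.fixed_on or today
    return (end - f.first_seen).days


def is_within_sla(f: Finding, today: date) -> bool:
    """True if the finding was fixed in time, or is open but not yet past its SLA."""
    return days_open(f, today) <= SLA_DAYS[f.severity]


def overdue_findings(findings, today: date):
    """Open findings whose age already exceeds the SLA for their severity."""
    return [f for f in findings if f.fixed_on is None and not is_within_sla(f, today)]


def sla_compliance(findings, today: date) -> dict:
    """Per severity: (count within SLA, total count, percent within SLA)."""
    report = {}
    for sev in SLA_DAYS:
        group = [f for f in findings if f.severity == sev]
        ok = sum(1 for f in group if is_within_sla(f, today))
        pct = round(100.0 * ok / len(group), 1) if group else 100.0
        report[sev] = (ok, len(group), pct)
    return report


# Constructed sample findings as of a fixed reporting date; ids are placeholders.
TODAY = date(2024, 3, 1)
SAMPLE_FINDINGS = [
    Finding("F-001", "web-01", "critical", date(2024, 2, 10), date(2024, 2, 14)),  # fixed in 4 days
    Finding("F-002", "web-02", "critical", date(2024, 2, 15)),                     # open 15 days: overdue
    Finding("F-003", "db-01", "high", date(2024, 1, 20), date(2024, 2, 25)),       # fixed in 36 days: missed SLA
    Finding("F-004", "db-01", "high", date(2024, 2, 20)),                          # open 10 days: within SLA
    Finding("F-005", "app-01", "medium", date(2023, 11, 1)),                       # open 121 days: overdue
    Finding("F-006", "app-01", "low", date(2024, 1, 1)),                           # open 60 days: within SLA
]

if __name__ == "__main__":
    for sev, (ok, total, pct) in sla_compliance(SAMPLE_FINDINGS, TODAY).items():
        print(f"{sev:8} {ok}/{total} within SLA ({pct}%)")
    for f in overdue_findings(SAMPLE_FINDINGS, TODAY):
        print("OVERDUE", f.finding_id, f.host, f.severity, days_open(f, TODAY), "days")
```

Note the distinction the code draws: a fixed finding that missed its SLA still counts against the compliance percentage (F-003), but only open findings appear in the overdue list, because those are the ones threat management can still act on.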
                            SDLC/PLCMP Deliverables

Initiate:            - Data security categorization
                     - Preliminary risk assessment
                     - Security Plan

Design and develop:  - Risk assessment
                     - Functional requirements analyses
                     - Assurance requirements
                     - Control selection
                     - Security architecture
                     - Functional and vulnerability test plan
                     - First phase testing
                     - Additional planning assignments

Implement:           - Security control integration
                     - Second phase app security testing
                     - Third phase app security testing
                     - Security certification
                     - Security accreditation
                     - Final risk acceptance document

Production:          - Threat management
                     - Configuration management and control
                     - Continuous monitoring
                     - Incident response plan

REF: NIST 800-53

Weitere ähnliche Inhalte

Was ist angesagt?

Password Attack
Password Attack Password Attack
Password Attack Sina Manavi
 
Artificial Intelligence and Cybersecurity
Artificial Intelligence and CybersecurityArtificial Intelligence and Cybersecurity
Artificial Intelligence and CybersecurityOlivier Busolini
 
Chap8 basic cluster_analysis
Chap8 basic cluster_analysisChap8 basic cluster_analysis
Chap8 basic cluster_analysisguru_prasadg
 
Introduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesIntroduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesMaxime ALAY-EDDINE
 
VULNERABILITY ( CYBER SECURITY )
VULNERABILITY ( CYBER SECURITY )VULNERABILITY ( CYBER SECURITY )
VULNERABILITY ( CYBER SECURITY )Kashyap Mandaliya
 
Computer Security Lecture 1: Overview
Computer Security Lecture 1: OverviewComputer Security Lecture 1: Overview
Computer Security Lecture 1: OverviewMohamed Loey
 
Cia security model
Cia security modelCia security model
Cia security modelImran Ahmed
 
Information Security Lecture Notes
Information Security Lecture NotesInformation Security Lecture Notes
Information Security Lecture NotesFellowBuddy.com
 
3.2 partitioning methods
3.2 partitioning methods3.2 partitioning methods
3.2 partitioning methodsKrish_ver2
 
Introduction to Network Security
Introduction to Network SecurityIntroduction to Network Security
Introduction to Network SecurityJohn Ely Masculino
 
Cybersecurity 140713064844-phpapp01 (1)-converted
Cybersecurity 140713064844-phpapp01 (1)-convertedCybersecurity 140713064844-phpapp01 (1)-converted
Cybersecurity 140713064844-phpapp01 (1)-convertedProf .Pragati Khade
 
Ppt on cyber security
Ppt on cyber securityPpt on cyber security
Ppt on cyber securityAvani Patel
 
Different types of attacks in internet
Different types of attacks in internetDifferent types of attacks in internet
Different types of attacks in internetRohan Bharadwaj
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Fabiha Shahzad
 
Data mining: Classification and prediction
Data mining: Classification and predictionData mining: Classification and prediction
Data mining: Classification and predictionDataminingTools Inc
 

Was ist angesagt? (20)

Password Attack
Password Attack Password Attack
Password Attack
 
Artificial Intelligence and Cybersecurity
Artificial Intelligence and CybersecurityArtificial Intelligence and Cybersecurity
Artificial Intelligence and Cybersecurity
 
Types of attacks
Types of attacksTypes of attacks
Types of attacks
 
Database security
Database securityDatabase security
Database security
 
Chap8 basic cluster_analysis
Chap8 basic cluster_analysisChap8 basic cluster_analysis
Chap8 basic cluster_analysis
 
Introduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesIntroduction to Software Security and Best Practices
Introduction to Software Security and Best Practices
 
VULNERABILITY ( CYBER SECURITY )
VULNERABILITY ( CYBER SECURITY )VULNERABILITY ( CYBER SECURITY )
VULNERABILITY ( CYBER SECURITY )
 
Computer Security Lecture 1: Overview
Computer Security Lecture 1: OverviewComputer Security Lecture 1: Overview
Computer Security Lecture 1: Overview
 
Cia security model
Cia security modelCia security model
Cia security model
 
Information Security Lecture Notes
Information Security Lecture NotesInformation Security Lecture Notes
Information Security Lecture Notes
 
3.2 partitioning methods
3.2 partitioning methods3.2 partitioning methods
3.2 partitioning methods
 
Introduction to Network Security
Introduction to Network SecurityIntroduction to Network Security
Introduction to Network Security
 
Trusted systems
Trusted systemsTrusted systems
Trusted systems
 
Email security
Email securityEmail security
Email security
 
Web security
Web securityWeb security
Web security
 
Cybersecurity 140713064844-phpapp01 (1)-converted
Cybersecurity 140713064844-phpapp01 (1)-convertedCybersecurity 140713064844-phpapp01 (1)-converted
Cybersecurity 140713064844-phpapp01 (1)-converted
 
Ppt on cyber security
Ppt on cyber securityPpt on cyber security
Ppt on cyber security
 
Different types of attacks in internet
Different types of attacks in internetDifferent types of attacks in internet
Different types of attacks in internet
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)
 
Data mining: Classification and prediction
Data mining: Classification and predictionData mining: Classification and prediction
Data mining: Classification and prediction
 

Ähnlich wie Security Lifecycle Management Process

Secure by design and secure software development
Secure by design and secure software developmentSecure by design and secure software development
Secure by design and secure software developmentBill Ross
 
DEVSECOPS_the_beginning.ppt
DEVSECOPS_the_beginning.pptDEVSECOPS_the_beginning.ppt
DEVSECOPS_the_beginning.pptschwarz10
 
30 it securitythreatsvulnerabilitiesandcountermeasuresv1_2
30 it securitythreatsvulnerabilitiesandcountermeasuresv1_230 it securitythreatsvulnerabilitiesandcountermeasuresv1_2
30 it securitythreatsvulnerabilitiesandcountermeasuresv1_2Gaurav Srivastav
 
Cyber Security
Cyber SecurityCyber Security
Cyber Securityfrcarlson
 
Spiceworld 2011 - AppRiver breakout session
Spiceworld 2011 - AppRiver breakout sessionSpiceworld 2011 - AppRiver breakout session
Spiceworld 2011 - AppRiver breakout sessionShane Rice
 
Watch Guard Reputation Enabled Defense (White Paper)Dna
Watch Guard   Reputation Enabled Defense (White Paper)DnaWatch Guard   Reputation Enabled Defense (White Paper)Dna
Watch Guard Reputation Enabled Defense (White Paper)DnaSylCotter
 
CCNA Security 02- fundamentals of network security
CCNA Security 02-  fundamentals of network securityCCNA Security 02-  fundamentals of network security
CCNA Security 02- fundamentals of network securityAhmed Habib
 
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.pptKaukau9
 
20101012 isa larry_clinton
20101012 isa larry_clinton20101012 isa larry_clinton
20101012 isa larry_clintonCIONET
 
Cybersecurity Risk from User Perspective
Cybersecurity Risk from User PerspectiveCybersecurity Risk from User Perspective
Cybersecurity Risk from User PerspectiveAvinantaTarigan
 
The State of Application Security: What Hackers Break
The State of Application Security: What Hackers BreakThe State of Application Security: What Hackers Break
The State of Application Security: What Hackers BreakImperva
 
The State of Application Security: What Hackers Break
The State of Application Security: What Hackers BreakThe State of Application Security: What Hackers Break
The State of Application Security: What Hackers BreakImperva
 
PCTY 2012, Threat landscape and Security Intelligence v. Michael Andersson
PCTY 2012, Threat landscape and Security Intelligence v. Michael AnderssonPCTY 2012, Threat landscape and Security Intelligence v. Michael Andersson
PCTY 2012, Threat landscape and Security Intelligence v. Michael AnderssonIBM Danmark
 
DSS ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...
DSS   ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...DSS   ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...
DSS ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...Andris Soroka
 
2011-10 The Path to Compliance
2011-10 The Path to Compliance 2011-10 The Path to Compliance
2011-10 The Path to Compliance Raleigh ISSA
 
Defining Security Intelligence for the Enterprise - What CISOs Need to Know
Defining Security Intelligence for the Enterprise - What CISOs Need to KnowDefining Security Intelligence for the Enterprise - What CISOs Need to Know
Defining Security Intelligence for the Enterprise - What CISOs Need to KnowIBM Security
 
Cyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APTCyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APTSimone Onofri
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Managementjustinkallhoff
 
Cisco 2014 - Anual Security Report
Cisco 2014 - Anual Security Report Cisco 2014 - Anual Security Report
Cisco 2014 - Anual Security Report Mandar Kharkar
 

Ähnlich wie Security Lifecycle Management Process (20)

Secure by design and secure software development
Secure by design and secure software developmentSecure by design and secure software development
Secure by design and secure software development
 
DEVSECOPS_the_beginning.ppt
DEVSECOPS_the_beginning.pptDEVSECOPS_the_beginning.ppt
DEVSECOPS_the_beginning.ppt
 
30 it securitythreatsvulnerabilitiesandcountermeasuresv1_2
30 it securitythreatsvulnerabilitiesandcountermeasuresv1_230 it securitythreatsvulnerabilitiesandcountermeasuresv1_2
30 it securitythreatsvulnerabilitiesandcountermeasuresv1_2
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
Spiceworld 2011 - AppRiver breakout session
Spiceworld 2011 - AppRiver breakout sessionSpiceworld 2011 - AppRiver breakout session
Spiceworld 2011 - AppRiver breakout session
 
Watch Guard Reputation Enabled Defense (White Paper)Dna
Watch Guard   Reputation Enabled Defense (White Paper)DnaWatch Guard   Reputation Enabled Defense (White Paper)Dna
Watch Guard Reputation Enabled Defense (White Paper)Dna
 
CCNA Security 02- fundamentals of network security
CCNA Security 02-  fundamentals of network securityCCNA Security 02-  fundamentals of network security
CCNA Security 02- fundamentals of network security
 
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
 
20101012 isa larry_clinton
20101012 isa larry_clinton20101012 isa larry_clinton
20101012 isa larry_clinton
 
Cybersecurity Risk from User Perspective
Cybersecurity Risk from User PerspectiveCybersecurity Risk from User Perspective
Cybersecurity Risk from User Perspective
 
The State of Application Security: What Hackers Break
The State of Application Security: What Hackers BreakThe State of Application Security: What Hackers Break
The State of Application Security: What Hackers Break
 
The State of Application Security: What Hackers Break
The State of Application Security: What Hackers BreakThe State of Application Security: What Hackers Break
The State of Application Security: What Hackers Break
 
Presentación AMIB Los Cabos
Presentación AMIB Los CabosPresentación AMIB Los Cabos
Presentación AMIB Los Cabos
 
PCTY 2012, Threat landscape and Security Intelligence v. Michael Andersson
PCTY 2012, Threat landscape and Security Intelligence v. Michael AnderssonPCTY 2012, Threat landscape and Security Intelligence v. Michael Andersson
PCTY 2012, Threat landscape and Security Intelligence v. Michael Andersson
 
DSS ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...
DSS   ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...DSS   ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...
DSS ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...
 
2011-10 The Path to Compliance
2011-10 The Path to Compliance 2011-10 The Path to Compliance
2011-10 The Path to Compliance
 
Defining Security Intelligence for the Enterprise - What CISOs Need to Know
Defining Security Intelligence for the Enterprise - What CISOs Need to KnowDefining Security Intelligence for the Enterprise - What CISOs Need to Know
Defining Security Intelligence for the Enterprise - What CISOs Need to Know
 
Cyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APTCyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APT
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
 
Cisco 2014 - Anual Security Report
Cisco 2014 - Anual Security Report Cisco 2014 - Anual Security Report
Cisco 2014 - Anual Security Report
 

Mehr von Bill Ross

Cyber Security Command, Control, Communications, Computers Intelligence Surve...
Cyber Security Command, Control, Communications, Computers Intelligence Surve...Cyber Security Command, Control, Communications, Computers Intelligence Surve...
Cyber Security Command, Control, Communications, Computers Intelligence Surve...Bill Ross
 
Cyber_Warfare_Escalation_to_Nuclear_Warfare_Examination
Cyber_Warfare_Escalation_to_Nuclear_Warfare_ExaminationCyber_Warfare_Escalation_to_Nuclear_Warfare_Examination
Cyber_Warfare_Escalation_to_Nuclear_Warfare_ExaminationBill Ross
 
Cyber_Space_is_not_Cyber_Security
Cyber_Space_is_not_Cyber_SecurityCyber_Space_is_not_Cyber_Security
Cyber_Space_is_not_Cyber_SecurityBill Ross
 
Infosecforce security services
Infosecforce security servicesInfosecforce security services
Infosecforce security servicesBill Ross
 
INFOSECFORCE Risk Management Framework Transition Plan
INFOSECFORCE Risk Management Framework Transition PlanINFOSECFORCE Risk Management Framework Transition Plan
INFOSECFORCE Risk Management Framework Transition PlanBill Ross
 
Security architecture analyses brief 21 april 2015
Security architecture analyses brief 21 april 2015Security architecture analyses brief 21 april 2015
Security architecture analyses brief 21 april 2015Bill Ross
 
INFOSECFORCE llc security services
INFOSECFORCE llc security servicesINFOSECFORCE llc security services
INFOSECFORCE llc security servicesBill Ross
 
" Soviet Military Doctrine ... a Blueprint for the Future or an Indictment of...
" Soviet Military Doctrine ... a Blueprint for the Future or an Indictment of..." Soviet Military Doctrine ... a Blueprint for the Future or an Indictment of...
" Soviet Military Doctrine ... a Blueprint for the Future or an Indictment of...Bill Ross
 
Cyber Intelligence Operations Center
Cyber Intelligence Operations CenterCyber Intelligence Operations Center
Cyber Intelligence Operations CenterBill Ross
 
" The Invisible Person ... the Security Architect "
" The Invisible Person ... the Security Architect "" The Invisible Person ... the Security Architect "
" The Invisible Person ... the Security Architect "Bill Ross
 

Mehr von Bill Ross (10)

Cyber Security Command, Control, Communications, Computers Intelligence Surve...
Cyber Security Command, Control, Communications, Computers Intelligence Surve...Cyber Security Command, Control, Communications, Computers Intelligence Surve...
Cyber Security Command, Control, Communications, Computers Intelligence Surve...
 
Cyber_Warfare_Escalation_to_Nuclear_Warfare_Examination
Cyber_Warfare_Escalation_to_Nuclear_Warfare_ExaminationCyber_Warfare_Escalation_to_Nuclear_Warfare_Examination
Cyber_Warfare_Escalation_to_Nuclear_Warfare_Examination
 
Cyber_Space_is_not_Cyber_Security
Cyber_Space_is_not_Cyber_SecurityCyber_Space_is_not_Cyber_Security
Cyber_Space_is_not_Cyber_Security
 
Infosecforce security services
Infosecforce security servicesInfosecforce security services
Infosecforce security services
 
INFOSECFORCE Risk Management Framework Transition Plan
INFOSECFORCE Risk Management Framework Transition PlanINFOSECFORCE Risk Management Framework Transition Plan
INFOSECFORCE Risk Management Framework Transition Plan
 
Security architecture analyses brief 21 april 2015
Security architecture analyses brief 21 april 2015Security architecture analyses brief 21 april 2015
Security architecture analyses brief 21 april 2015
 
INFOSECFORCE llc security services
INFOSECFORCE llc security servicesINFOSECFORCE llc security services
INFOSECFORCE llc security services
 
" Soviet Military Doctrine ... a Blueprint for the Future or an Indictment of...
" Soviet Military Doctrine ... a Blueprint for the Future or an Indictment of..." Soviet Military Doctrine ... a Blueprint for the Future or an Indictment of...
" Soviet Military Doctrine ... a Blueprint for the Future or an Indictment of...
 
Cyber Intelligence Operations Center
Cyber Intelligence Operations CenterCyber Intelligence Operations Center
Cyber Intelligence Operations Center
 
" The Invisible Person ... the Security Architect "
" The Invisible Person ... the Security Architect "" The Invisible Person ... the Security Architect "
" The Invisible Person ... the Security Architect "
 

Security Lifecycle Management Process

  • 1. INFOSECFORCE Application Security
    BILL ROSS, 15 Sept 2008
    “Balancing security controls to business requirements”
  • 2. INFOSECFORCE Security and Project Lifecycles
    Security and Lifecycle Management Process (SLCMP), said “slickum”
    A “practitioner’s” view ….. Bill Ross
  • 3. INFOSECFORCE Slickum brief objectives
    Purpose:
    - Discuss application security issues
    - Describe web application information security
    - Describe a process by which software is securely developed
    Expected outcome:
    - An increased awareness of how to prevent web application attacks
    - How to implement the SLCMP process into the SDLC
    - More securely built applications and infrastructure
  • 4. INFOSECFORCE What You Need to Know
    Symantec Internet Security Threat Report, Volume XIV
  • 5. INFOSECFORCE Operational report
    - Less rigor in Web programming, an increasing variety of software, and restrictions on Web security testing have combined to make flaws in Web software the most reported security issues, according to the Common Vulnerabilities and Exposures (CVE) project.
    - Web and business applications are increasingly compromised around the world, causing businesses to lose millions of dollars through data compromise.
    - Hacking is no longer for fun …… it is for profit …. Internal or external hackers exploit weaknesses in application code to achieve their objectives.
    - The Symantec 2008 Cyber report indicates there are 1,656,227 new threats in the wild.
  • 6. INFOSECFORCE Common attack tools
    1. Phishing. The use of e-mails that appear to originate from a trusted source to trick a user into entering valid credentials at a fake website. Typically the e-mail and the web site look like they are part of a bank the user is doing business with.
    2. Malicious Code. Software (e.g., Trojan horse) that appears to perform a useful or desirable function, but actually gains unauthorized access to system resources or tricks a user into executing other malicious logic. Malware: a generic term for a number of different types of malicious code.
    3. Spam. Electronic junk mail or junk newsgroup postings.
    4. Worms. A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively.
    5. Trojan. A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.
    6. Virus. A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting - i.e., inserting a copy of itself into and becoming part of - another program. A virus cannot run by itself; it requires that its host program be run to make the virus active.
    8. Key stroke logger. Practice of tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored.
    9. Denial of service. The prevention of authorized access to a system resource or the delaying of system operations and functions.
    10. Web application attacks.
  • 7. INFOSECFORCE “the Cyber Battle Field”
    Google China cyber attack part of vast espionage campaign, experts say: Computer attacks on Google that the search giant said originated in China were part of a concerted political and corporate espionage effort that exploited security flaws in e-mail attachments to sneak into the networks of major financial, defense and technology companies and research institutions in the United States, security experts said. (New York Times)
    Washington (DC) - Yesterday, the FBI announced it considers cyber attacks to be the third greatest threat to the security of the United States. The only two preceding it are nuclear war and weapons of mass destruction (WMD). JAN 2009
  • 8. INFOSECFORCE Malicious code is installed
    - In 2008, Symantec blocked an average of more than 245 million attempted malicious code attacks worldwide each month.
    - Over 60% of Symantec’s malicious code signatures were created in 2008.
    - Over 90% of threats discovered in 2008 are threats to confidential information.
    Symantec Internet Security Threat Report
  • 9. INFOSECFORCE Key trends
    “The attacks are more aggressive than ever and they’re more criminal than ever,” says Dave Cole, director of Symantec Security Response. The bad guys are also more organized. The report says they are working together to create “global, cooperative networks” to support their criminal activity. It’s not quite the Mafia, but there is an entire underground economy in place to deal with all the stolen information up for sale.
    Web-based malicious activity has accelerated
    - Focus on exploits targeting end-users
    - Target reputable, high-traffic websites
    Cyber criminals want YOUR information
    - Primary vector for malicious activity for financial gain
    Increased sophistication of the Underground Economy
    - Well-established infrastructure for monetizing stolen information
    Rapid adaptation to security measures
    - Relocating operations to new geographic areas
    - Evade traditional security protection
    Symantec Internet Security Threat Report
  • 10. INFOSECFORCE Key Trends – Global Activity
    - Data breaches can lead to identity theft
    - Theft and loss top cause of data leakage for overall data breaches and identities exposed
    - Threat activity increases with growth in Internet/Broadband usage
    - Documented vulnerabilities up 19% (5491)
    - Top attacked vulnerability: Exploits by Downadup
    - 95% vulnerabilities attacked were client-side
    - Trojans made up 68 percent of the volume of the top 50 malicious code
    - 66% of potential malicious code infections propagated as shared executable files
    - 76% phishing lures target Financial services (up 24%)
    - Detected 55,389 phishing website hosts (up 66%)
    - Detected 192% increase in spam across the Internet with 349.6 billion messages
    - 90% spam email distributed by Bot networks
    Internet Security Threat Report
  • 11. INFOSECFORCE Website compromise
    - Attackers locate and compromise a high-traffic site through a vulnerability specific to the site or in a Web application it hosts (site-specific vulnerabilities, Web application vulnerabilities)
    - Once the site is compromised, attackers modify pages so malicious content is served to visitors
    Internet Security Threat Report
  • 12. INFOSECFORCE Impact of Security Defects
    Bad Business
    - On average, there are 5 to 15 defects in every 1,000 lines of code (US Dept. of Defense and the Software Engineering Institute)
    Slow Business
    - It takes 75 minutes on average to track down one defect. Fixing one of these defects takes 2 to 9 hours each (5 Year Pentagon Study)
    - Researching each of the 4,200 vulnerabilities published by CERT last year for 10 minutes would have required 1 staffer to research for 17.5 full workweeks or 700 hours (Intel White paper, CERT, ICSA Labs)
    Loss of Business
    - A company with 1,000 servers can spend $300,000 to test & deploy a patch; most companies deploy several patches a week (Gartner Group)
  • 13. INFOSECFORCE The SDL Reduces the Total Cost of Development The National Institute of Standards and Technology (NIST) estimates that code fixes performed after release can result in 30 times the cost of fixes performed during the design phase.
  • 14. INFOSECFORCE Top 10 Web Security Threats
    - Broken authentication
    - Cross-site scripting (XSS)
    - Broken access control
    - Unvalidated input
    - Insecure storage
    - Buffer overflows
    - Improper error handling
    - Injection flaws
    - Insecure configuration management
    - Application denial-of-service
    Source: SUN
  • 15. INFOSECFORCE Web Application Security Threats
    1. Unvalidated input (Mother of all Web Tiered Attacks). An attacker can tamper with any part of the HTTP request (URL, cookies, form fields, hidden fields, headers), leading to SQL injection, cross site scripting and buffer overflows.
    2. Broken Access Control. Insecure IDs, poor file permissions, service account exploit, path traversal.
    3. Broken Authentication and Session Management. Focus is on USER authentication and user active sessions. Example: if “cookies” are not properly protected, an attacker can assume the identity of the user.
    4. Cross site scripting. Malicious script sent to a server which is then sent to a user accessing the same server (e.g. a chat server). The user believes the script came from a trusted source. Can come in any form of active scripting (Java, Active X, Shockwave, Flash, etc.).
  • 16. INFOSECFORCE Web Application Security Threats 2
    5. Buffer Overflow Errors. Attackers use buffer overflows to corrupt the execution stack of a web application. By sending carefully crafted input to a web application, an attacker can cause the web application to execute arbitrary code. Present in the web server or application server products or in the web application itself.
    6. Injection Flaws. Injection flaws allow attackers to relay malicious code through a web application to another system. When a web application passes information from an HTTP request through as part of an external request, the attacker can inject special (meta) characters, malicious commands, or command modifiers into the information.
    7. Improper Error Handling. The most common problem is when detailed internal error messages such as stack traces, database dumps, and error codes are displayed to a potential hacker. These messages reveal implementation details that should never be revealed.
    8. Application DOS. Types of resources: bandwidth, database connections, disk storage, CPU, memory, threads, or application specific resources. Application level resources impacting
  • 17. INFOSECFORCE Attack vector analyses
    Hacker targets
    - From observed hacker malicious activity statistics, we know that hackers are now seldom interested in defeating the network or the infrastructure low-level defenses. The adversaries today are well aware of the fact that applications are typically less defended than the rest of the IT infrastructure. A Gartner report states “that over 75% of attacks against websites and web-based applications come at the application layer and not lower infrastructure and network layers.”
    Source: IBM
  • 18. INFOSECFORCE Application security paradox
    Applications, data and business processes are vulnerable even when a robust network and infrastructure security program is in place.
    [Diagram: Internet → DMZ (IIS, SunOne, Apache) → Trusted (ASP .NET, WebSphere, Java) → Inside (SQL, Oracle, DB2); Corporate Inside traffic: HTTP(S), IMAP, FTP, SSH, TELNET, POP3, XML; firewall rule: Any – Web Server: 80]
    - Firewall only allows PORT 80 (or 443 SSL) traffic from the Internet to the web server.
    - Firewall only allows applications on the web server to talk to the application server.
    - Firewall only allows the application server to talk to the database server.
    SOURCE: SPIDYNAMICS
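    Threats 1 (unvalidated input), 4 (cross site scripting) and 7 (improper error handling) from slides 15 and 16 are easiest to see side by side in code. The following is an added example written for this page, not code from the slides or from INFOSECFORCE; the user table, its rows, the username allow-list pattern and the request handler are all constructed for the demonstration. It shows a lookup that splices the request value into the SQL text, the same lookup with validation plus a bound parameter, HTML escaping before the value is echoed back, and a handler that logs database errors internally while returning only a generic message to the client.

```python
"""Added example (not part of the original slides): unvalidated input reaching a
SQL query and an HTML page, beside the validated/parameterised/escaped versions,
plus error handling that keeps internal details out of the response.
The table, rows, regex and handler are constructed for this demo."""
import html
import logging
import re
import sqlite3

log = logging.getLogger("app")


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Threat 1: the request value becomes part of the SQL text, so SQL
    metacharacters in `name` change what the query means."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


# Allow-list for usernames (constructed): lowercase letters, digits, underscore.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    """Validate the input first, then bind it as a parameter so the database
    only ever compares it as data, never parses it as SQL."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def render_user_html(name: str, role: str) -> str:
    """Threat 4: escape before echoing user-controlled text into a page so
    script tags in `name` are shown as text, not executed by the browser."""
    return "<li>%s (%s)</li>" % (html.escape(name, quote=True),
                                 html.escape(role, quote=True))


def handle_request(conn: sqlite3.Connection, name: str) -> dict:
    """Threat 7: full error detail goes to the server log; the client gets a
    status code and a generic message, never a stack trace or DB error text."""
    try:
        rows = lookup_hardened(conn, name)
    except ValueError:
        return {"status": 400, "body": "bad request"}
    except sqlite3.Error as exc:
        log.error("database failure while looking up %r: %s", name, exc)
        return {"status": 500, "body": "internal error"}
    return {"status": 200,
            "body": [render_user_html(n, r) for n, r in rows]}


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "bob"))
    print(handle_request(db, "alice"))
```

    Running it shows the difference directly: the concatenated query returns every row when the input contains a quote and an OR clause, while the hardened path rejects that input with a 400 before it reaches the database.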
  • 19. INFOSECFORCE Hacking the Super Bowl Is nothing sacred anymore ????  Super Bowl exploits “ At last week's RSA Conference in San Francisco, just days after the Super Bowl attack, I sat down with Thompson. On his laptop, he showed me the simple line of Javascript code that pointed Super Bowl site visitors to a known criminal hacker exploit server. Apparently, there was a cross-site scripting error on the official Super Bowl Web site that allowed some criminal hackers to inject a poisoned iFrame command. And it wasn't just the Super Bowl site--it turns out there were several others, mostly healthcare related, including the U.S. Centers for Disease Control “ Source Robert Vamosi Senior editor, CNET Reviews
  • 20. INFOSECFORCE How did this happen ? Business engines fueled by multiple and powerful applications
  • 21. INFOSECFORCE Expanding “e-com” perimeter Microsoft’s vision for secure and Easy “ anywhere access ” Bill Gates, 2007 RSA
  • 22. INFOSECFORCE Expanding “e-com” perimeter Microsoft’s vision for secure Social networks, and I-Pod, I-PAD as a network, peripheral-geddon Easy & “ anywhere access ” “THE CLOUD” Bill Gates, 2007 RSA
  • 23. INFOSECFORCE Security coding errors
  • 24. INFOSECFORCE Prevent & fortify
  • 25. INFOSECFORCE This ….. IBM believes Application Security Strategies Engineering security into application systems is a critical discipline and should be a key component in multi-disciplinary, concurrent or distributed development teams. This applies to the development, integration, operation, administration, maintenance and evolution of e-Business application systems as well as to the development, delivery, and evolution of software-based products. Source: IBM
  • 26. INFOSECFORCE Security Business Case
    Security Defects Matter
    - Frequent: 3 out of 4 business websites are vulnerable to attack (Gartner)
    - Pervasive: Majority of hacks occur at the Application level (Gartner)
    - Undetected: QA testing tools not designed to detect security defects in applications
    - Expensive: Bugs and software defects cost the national economy $60 billion annually
    “… delivering quality applications to the market has become a mandatory requirement … the cost of fixing defects after deployment is almost 100 times greater than detecting and eliminating them during development.” SOURCE: Seagate Technology
    1000 application sample ‘Healthchecks’ with AppScan – 98% vulnerable: all had firewalls and encryption solutions in place…
  • 27. INFOSECFORCE Best practice solutions
    Application security requirements define the high level specifications for securely developing and deploying applications.
    Application Planning
    - Data Classification – Classify data according to the sensitivity of the data.
    - Risk Assessment – Conduct preliminary risk assessment before development begins and after planning is complete.
    - Security Requirements – Identify and document the security requirements of the application early in the development lifecycle.
    - Security Design – Use the Data Classification process to determine specific security services needed by the application.
    - SDLC – Address security within all stages of the SDLC.
    Application Development (minimal set of coding practices)
    - Input Validation – Validate input from all sources.
    - Default deny – Access control should be based on specific permission rather than exclusion. By default all access should be denied.
    - Principle of Least Privilege – Perform all processes with the least set of required privileges.
    - Quality Assurance – Quality assurance identifies and eliminates software vulnerabilities.
    - Perform internal testing – Use source code auditing, pen testing, manual code review, or automated source code review.
    Prod and Maintenance
    - Applications shall be hosted on servers compliant with the corporate Security requirements for IT system hardening.
    - Applications classified as sensitive shall at a minimum have annual vulnerability assessments, when a significant change to the application has occurred, or depending on the data sensitivity and risk.
  • 28. INFOSECFORCE Principles of Secure Programming
    TARGET THESE AREAS
    - Minimize attack surface area
    - Secure defaults
    - Principle of least privilege
    - Principle of defense in depth
    - Fail securely
    - External systems are insecure
    - Separation of duties
    - Do not trust security through obscurity
    - Simplicity
    - Fix security issues correctly
    Source: SUN
  • 29. INFOSECFORCE Application security risk analyses
    Vulnerability: Not having a dedicated security program that trains developers to build secure applications, not embedding security into the SDLC, not conducting security testing on applications during and after development, and not having application firewalls
    Threat: Numerous threats such as SQL injection, cross site scripting, buffer overflow
    Risk: Multiple avenues of attack on organizational vital information assets
    Likelihood rating: High
    Risk Impact rating: High
    Overall risk rating: High
    Risk summary: High
    Relevant controls: Hardened infrastructure (will not block port 80 attacks)
    Risk mitigation: Follow application security planning, development and production best practices. Build security into all SDLC phases.
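    The “Default deny” and “Principle of Least Privilege” coding practices on slide 27 and the “Secure defaults” and “Fail securely” principles on slide 28 come together in an authorization check. The block below is an added example for this page, not code from the slides or from INFOSECFORCE; the roles, actions, allow-list policy, deny-list and the ownership hook are constructed for the demonstration. It puts a deny-list check (which lets every unlisted role through) next to an allow-list check that grants a role exactly the actions it needs, denies unknown roles and actions, and treats any failure inside the decision as a denial.

```python
"""Added example, not from the slides: a default-deny, least-privilege
authorization check that fails closed, beside the deny-list version it
replaces. Roles, actions, policy and the ownership hook are constructed."""
import logging
from typing import Callable, Dict, FrozenSet, Optional

log = logging.getLogger("authz")

# Allow-list policy (constructed). Each role gets exactly the actions it needs;
# anything absent here is denied, including unknown roles and unknown actions.
POLICY: Dict[str, FrozenSet[str]] = {
    "admin": frozenset({"read", "write", "delete"}),
    "user": frozenset({"read", "write"}),
    "report-svc": frozenset({"read"}),  # least privilege: a read-only service account
}

# Deny-list (constructed): the pattern "default deny" warns against. Only the
# listed pairs are refused, so every new role or action is open by default.
DENY_LIST = {("user", "delete"), ("report-svc", "write"), ("report-svc", "delete")}


def is_allowed_deny_list(role: str, action: str) -> bool:
    """Fails open: a role nobody thought about, e.g. 'guest', passes every check."""
    return (role, action) not in DENY_LIST


def is_allowed(role: str, action: str,
               owner_check: Optional[Callable[[], bool]] = None) -> bool:
    """Default deny: True only when the role's allow-list contains the action
    and the optional extra check (e.g. object ownership) also succeeds.
    An exception raised inside the decision is logged and treated as a
    denial, so a broken lookup never turns into an unintended grant."""
    try:
        granted = POLICY.get(role, frozenset())  # unknown role -> empty set -> deny
        if action not in granted:
            return False
        if owner_check is not None and not owner_check():
            return False
        return True
    except Exception as exc:  # e.g. the ownership lookup timed out
        log.warning("authorization failed closed for %s/%s: %s", role, action, exc)
        return False


class Denied(PermissionError):
    """Raised at the enforcement point so a caller cannot ignore the result."""


def enforce(role: str, action: str,
            owner_check: Optional[Callable[[], bool]] = None) -> None:
    """Enforcement point to call before any protected operation."""
    if not is_allowed(role, action, owner_check):
        raise Denied("%s may not %s" % (role, action))


if __name__ == "__main__":
    print("guest/delete via deny-list:", is_allowed_deny_list("guest", "delete"))
    print("guest/delete via allow-list:", is_allowed("guest", "delete"))
```

    The two checks differ only for inputs the policy author never listed, which is exactly where access-control bugs live; the allow-list form also gives a single place to audit what each account, including service accounts, can do.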
  • 30. INFOSECFORCE SLCMP Embed information security in the SDLC and PLCMP by applying the practices and procedures defined in SLCMP
  • 31. INFOSECFORCE An art form “ Building highly secure software is nothing less than an eloquently choreographed dance that calls upon the talent and skills of the developer, project manager and information security teaming to ensure that an application securely glides with grace across the technical stage ”
  • 32. INFOSECFORCE SLCMP and the SDLC …“The Dance”
    Initiate (Statement of need for new business process, application or technology)
    - INFOSEC participation in feasibility analyses, and risk and vulnerability assessments
    - Build the System Security Plan based on NIST 800-53 control guidelines. Preliminary risk and vulnerability assessment done. Measures requirements against policy and provides functional adjustments. Security requirements stated based on preliminary risk and vulnerability assessments. If necessary, requirements document adjusted
    Design/Develop (Functional requirements document; Design and technical architecture designed; Code development, application developed)
    - INFOSEC architecture document created based on data security categorization, policy, application functionality documentation
    - Integrate controls and create detailed application security tests, application security vulnerability test plan defining testing tools, timelines, remedial action processes and testers. Gain approval from project manager.
    Implement (1st phase prod testing; 2nd phase prod testing; QA)
    - Application and infrastructure penetration testing
    - First phase application security testing. Once code begins solidifying, use soft tools such as AppScan or Spi Dynamics for high level testing. Feedback findings to developers for code correction
    - Second phase app security testing using formalized process to decompile code as much as possible to determine if code has organic exposures violating policy, security design, and the security architecture. Correct findings and provide to developers to fix or define mitigating controls. Aspect security has expertise in this area
    - Third phase app security test which follows phase one testing process. Used as final verification that code is stable from INFOSEC perspective
    Production (Pre prod; Prod; Post Prod)
    - Server cert; no … required
    - Create final risk acceptance document
    - Ongoing pen tests, vulnerability assessments, risk management
    - ** Security certification and accreditation should be finalized
  • 33. INFOSECFORCE SLCMP Deliverables
    Initiate
    - Data security categorization
    - Preliminary risk assessment
    Develop
    - Security plan
    - Risk assessment
    - Security architecture
    - Functional requirements analyses
    - Functional and vulnerability test plan
    - Assurance requirements
    - First phase testing
    - Control selection
    - Additional planning assignments
    Implement
    - Security control integration
    - Second phase app security testing
    - Third phase app security testing
    - Security certification
    - Security accreditation
    Production
    - Threat management
    - Configuration management and control
    - Continuous monitoring
    - Incident response plan
  • 34. INFOSECFORCE SLCMP and the PLCMP
    Initiate: Demand manager reviews the request and categorizes project type as a small, medium, or larger project.
    - Architecture Standards and Convergence
    - Project Review
    - Scoping
    - Solution Design
    - Cost Estimation
    - Data and Infrastructure Categorization
    - Preliminary risk assessment
    Design/Develop: Control selection begins. Defines high level technical and security architecture. Detailed technical and security design.
    - Design security controls
    - Begin organizing security plan development
    - Architecture Review
    - Detailed Design
    - Security architecture
    - Design and technical architecture developed
    - Define Security requirements
    - Security test plan design
    - Risk assessment
    - Functional requirements analyses
    - Assurance requirements analyses
    - Control selection and standard integration
    Implement: Validate designs, validate cost estimates, and implement final solutions and designs.
    - Implementation
    - Change Management
    - Capacity Monitoring planning
    - Day to Day Operations
    - Level 4 Support
    - Security control integration
    - Security penetration and vulnerability testing
    - Security certification
    - Security accreditation
    - Final risk assessment
    Production: Operations provide operational support for all final solutions and designs implemented as part of the infrastructure.
    - Patch management
    - Monitoring
    - Incident response
    - Security administration
    - KPI reporting on security metrics
    - Threat management
    - Ongoing pen and vulnerability testing
    - Determines validity of security architecture
    - Determines security process shortfalls
    - Determines product successful functionality and shortfalls
    - Security administration
    - Security monitoring
    INPUT → SECURITY PLAN → FEEDBACK
  • 35. INFOSECFORCE SLCMP adopted guidelines
    Starting Point – Security Categorization (FIPS 199 / SP 800-60): Defines category of information system according to potential impact of loss
    Security Control Selection (FIPS 200 / SP 800-53): Selects minimum security controls (i.e., safeguards and countermeasures) planned or in place to protect the information system
    Security Control Refinement (SP 800-53 / FIPS 200 / SP 800-30): Uses risk assessment to adjust minimum control set based on local conditions, required threat coverage, and specific agency requirements
    Security Control Documentation (SP 800-18): In system security plan, provides an overview of the security requirements for the information system and documents the security controls planned or in place
    Security Control Implementation (SP 800-70): Implements security controls in new or legacy information systems; implements security configuration checklists
    Security Control Assessment (SP 800-53A / SP 800-26 / SP 800-37): Determines extent to which the security controls are implemented correctly, operating as intended, and producing desired outcome with respect to meeting security requirements
    System Authorization (SP 800-37): Determines risk to agency operations, agency assets, or individuals and, if acceptable, authorizes information system processing
    Security Control Monitoring (SP 800-37): Continuously tracks changes to the information system that may affect security controls and assesses control effectiveness
    SLCMP INPUTS feed each step of this cycle. Source: NIST
  • 36. INFOSECFORCE SLCMP Benefits SLCMP ROI  Fortified applications or infrastructure projects  Hardened against internal and external attack  Meets regulatory compliance mandates  Enhances IS staff knowledge and capability  Reduces long term costs
  • 37. INFOSECFORCE Conclusions • 80 % of all attacks on Information Security are directed to the web application layer • 2/3 of all web applications are vulnerable • Infrastructure security doesn’t directly protect code • The cost of fixing defects after deployment is almost one hundred times greater than detecting and eliminating them during design • One of the most significant risk mitigations an organization can implement is to create a consistent end-to-end process such as the SLCMP to embed security and security testing and certification in infrastructure and software development projects
  • 38. INFOSECFORCE QUESTIONS
  • 39. INFOSECFORCE BACK UP SLIDES
  • 40. INFOSECFORCE Initiate deliverables
    Data security categorization: Rate application importance as a low, medium, or high impact application. This is a business impact analysis which defines impact on an organization if security controls are breached. Leads to proper selection of security controls required.
    Preliminary risk assessment: Measures application/project requirements against policy and provides functional adjustments. Security requirements stated based on preliminary risk and vulnerability assessments. If necessary, requirements document adjusted. Focuses on early assessment of the application's requirements for confidentiality, integrity and availability (CIA).
  • 41. INFOSECFORCE Develop and design
    Risk assessment: Conducted before the approval of the design specifications. Builds on the initial risk assessment but is more specific. Identifies possible threats/vulnerabilities. Determines impact on organization if threat occurred. Identifies imposed risks on other assets. Additional controls needed to prevent identified risks need to be fed back to the development team.
    Security plan: Foundation for entire SLCMP process. Ensures all controls, architectures, risk assessments, test requirements, accreditation/assurance and personnel responsibilities are documented.
    Functional requirements analyses: Ensure that enterprise security policy and standards are followed. Determine which laws must be followed by the application.
    Assurance requirements analyses: Determine what level of certification the application requires. For example, government applications might require a FISMA C&A.
  • 42. INFOSECFORCE Develop …..continued
    Control selection: Can refer to security control standards or use a NIST-like Information Security Requirements List to define the security environment that an application, service, or project should meet.
    Security architecture: Multi faceted security product linking all controls, standards, policies, governance, platform hooks, data base management, boundary rules and information security science into a cohesive operational CIA security sphere. Likely a section of the Security plan.
    Functional and vulnerability test plan: Multi phase technical plan designed to ensure security controls work and that business logic and software are impervious to corruption and manipulation. Will also include penetration test plans. Feeds assurance models.
    First phase testing: Provides developers an early high level look at code stability.
    Additional planning components: RFPs, SOW, funding, test lab, software requirements, staff increases, etc.
  • 43. INFOSECFORCE Implement deliverables
    Security control integration: Security control settings and switches enabled IAW Security plan and architecture.
    Second phase app security testing: Formalized process to decompile code as much as possible to determine if code has organic exposures violating policy, security design, and the security architecture. Correct findings and provide to developers to fix or define mitigating controls. Aspect security has expertise in this area.
    Third phase app security testing: Verifies second phase corrections. Use App security test tool following phase one testing process. Used as final verification that code is stable from INFOSEC perspective.
    Security certification: Pen testing, third party evaluation, test plan results approved, servers hardened and certified, control effectiveness, governance attestation.
    RMP/Security accreditation: End-to-end risk evaluation incorporating all findings in security certification, final information security risk decisions, accreditation document signed.
  • 44. INFOSECFORCE Production deliverables
    Threat management: TM preventive guidance found in security plan. Ongoing oversight of environment entailing constant environmental and risk management vigilance surrounding the operational environment.
    Configuration management and control: Operational process and plan to ensure the environment receives current security patches and other software preventive updates, ensuring application or environment integrity is maintained.
    Continuous monitoring: Implement a vulnerability management program to regularly assess integrity and availability of the operating environment. Use COSO testing and other vulnerability assessment and control processes to ensure that security processes and procedures work.
    Incident response plan: Local Incident Response Plan will provide process and procedures to rapidly respond to all security events and incidents.
  • 45. INFOSECFORCE SDLC/PLCMP Deliverables
    Initiate
    - Data security categorization
    - Preliminary risk assessment
    - Security Plan
    Design and develop
    - Risk assessment
    - Security architecture
    - Functional requirements analyses
    - Functional and vulnerability test plan
    - Assurance requirements
    - First phase testing
    - Control selection
    - Additional planning assignments
    Implement
    - Security control integration
    - Second phase app security testing
    - Third phase app security testing
    - Security certification
    - Security accreditation
    - Final risk acceptance document
    Production
    - Threat management
    - Configuration management and control
    - Continuous monitoring
    - Incident response plan
    REF: NIST 800-53

Editor's notes

  1. We offer customers choice and flexibility in how they purchase and use our products and services. These range from modular software suites like Symantec Protection Suites for enterprises to all-in-one software products such as Norton 360 for consumers. We have professional services – 4,000 security experts providing everything from advisory to support services – to Norton Live consumer services. There are a variety of solutions that we offer as a service (SaaS) – from online backup for consumers to messaging security for enterprises. And then there are managed services – from residency to MSS to Norton Live for consumers.
  2. Fewer site-specific vulns in 2008 but they still aren’t being patched. Only 394 (3%) patched in 2008 compared to 1,240 (7%) in 2007. The number of site-specific vulns is adding up over time. In 2008, 63% of identified vulnerabilities affected Web applications, an increase over 2007, when 59% did. In 2008 there were a number of high-profile incidents involving SQL injection vulnerabilities. The purpose of these attacks was to inject malicious content into compromised sites that would then attempt to exploit subsequent site visitors. Attackers used a technique that allowed them to dynamically inject malicious content into strings throughout the database without detection. This provided a means of generically exploiting vulnerable applications rather than having to develop application-specific payloads. Messaging: Web servers can be difficult to secure. Patching requires downtime and frequently corporate sites are hosted on third-party server networks. As a result they can frequently be easy targets for attackers. Because of this, Web servers and connected databases need to be continuously monitored for suspicious activity.
  3. STEVE ORRIN: All of this should lead you to demand better application security. But, if you still need more facts, let's review some more data points: Web application attacks are now more frequent. In Q1 2002, Sanctum found serious security defects in applications in 100% of the commercial sites we audited. The attacks are more expensive to recover from. Costs to patch are high, and the cost of a lost reputation is impossible to quantify. The attacks are more pervasive. An F50 Sanctum customer found serious security defects in over 700 of its deployed applications. Finally, the attacks are growing more dangerous, and they usually go undetected. When we look closer at what was actually able to be manipulated on the sites we audited, it is quite scary. In 31% of the sites, full control and access was achieved. In 25% of the sites, privacy was breached, and in 3% of the sites, the entire site was able to be deleted. These are serious problems. Next slide