Top 10 Application Security Predictions for 2014

Chris Harget shares consolidated research data from Cenzic's security team, industry experts and security luminaries. The research-grounded predictions include:

>>> WHAT emerging initiatives (e.g., Enterprise App Stores, API proliferation) are most likely to increase appsec risk and what to do about it.

>>> WHY Cross Site Request Forgery (CSRF) may be the next exploitation to "go large."

>>> HOW the "Internet of Things" may have a huge impact on application security.

... plus several more predictions.

2013 is coming to a close but online application threats won't be taking a holiday. Prepare for a secure 2014 by checking out "Top 10 Application Security Predictions for 2014."



    Presentation Transcript

    • Cenzic Live! Webinar: Top 10 Application Security Predictions for 2014 (Chris Harget)
    • Agenda
       2013 In Review
       2014 Predictions
       New Year's Resolutions
      Cenzic, Inc. - Confidential, All Rights Reserved.
    • 2013 AppSec In Review
    • 2013 Developments/News
    • 160 Million Cards Stolen Via SQLi
    • Vulnerabilities Trended Down… Slightly (chart; source: Cenzic Application Vulnerability Trends Report 2013)
    • OWASP Updated Its Top 10
       Broadening of URL access control flaws to now include actual application functions
       Expansion and merger of data-in-transit and data-at-rest flaws on both the server side and the client side
       Addition of a new category of flaws, "Using Components with Known Vulnerabilities", covering add-on and third-party software components (a common issue that is often overlooked in development and security)
       Re-prioritization of authentication/user session management and cross-site request forgery (CSRF)-related flaws
      https://www.mavitunasecurity.com/blog/owasp-top-10-2013-review/
    • Compliance: Hello PCI 3.0
       Penetration testing activities (internal and external) must now follow an "industry-accepted penetration testing methodology," such as the specifically referenced NIST SP 800-115, Technical Guide to Information Security Testing and Assessment.
    • 2013 Was Kind Of A Stormy Year (image)
    • 2014 AppSec Predictions
    • 1. The Internet Of Things = App Risk
       "The Internet of Things (or IoT for short) refers to uniquely identifiable objects and their virtual representations in an Internet-like structure." – http://en.wikipedia.org/wiki/Internet_of_things
       "A family of four will move from having 10 connected devices in 2012 to 25 in 2017 to 50 in 2022." – http://go.gigaom.com/rs/gigaom/images/GigaOMResearch_The_internet_of_things_report.pdf
       Many of these devices will be managed via apps
    • 1. The Internet Of Things = App Risk
       New attack surfaces include:
        – Smart televisions
        – Home alarms
        – Smart meters
        – Smartphone cameras and microphones
        – Security cameras
        – Baby monitors
        – Medical equipment
        – Supply chain goods
        – Smart thermostats
        – Cars
    • 1. The Internet Of Things = App Risk
       Top Ten Connected Applications in 2020 (value to the connected life):
        – Connected Car: $600 billion
        – Clinical Remote Monitoring: $350 billion
        – Assisted Living: $270 billion
        – Home and Building Security: $250 billion
        – Pay-As-You-Drive Car Insurance: $245 billion
        – New Business Models for Car Usage: $225 billion
        – Smart Meters: $105 billion
        – Traffic Management: $100 billion
        – Electric Vehicle Charging: $75 billion
        – Building Automation: $40 billion
      http://www.gsma.com/newsroom/gsma-announces-the-business-impact-of-connected-devices-could-be-worth-us4-5-trillion-in-2020
    • 2. Enterprise App Stores Explode…
    • 2. Enterprise App Stores Explode… Not Necessarily In a Good Way
       Risks:
        – Apps have privileged access to corporate data
        – Malware sent via links in SMS or downloaded
        – Rogue apps can act as a key logger
        – Vulnerabilities in these apps are doubly problematic, because the apps are trusted with corporate data
    • 3: Bug Bounties Go Large
       Glory, prizes and cash offered to crowd-source the finding of security flaws in social networks, cloud apps, etc.
       May give COTS an edge over open source
       220 bugs found at OWASP's November Hackathon
      http://www.bugsheet.com/bug-bounties
    • 4: Developer Incentives on Security Evolve
       Status quo: developers are primarily compensated for code completed on schedule
       Enterprises are experimenting with 10-20% of MBO (management by objectives) bonus based on vulnerability scores (HARM™ or CVE)
       Intriguing… yet to be proven
    • 5: Increased Hacking Via Partner APIs
       ProgrammableWeb now lists >10,000 APIs
       >100% compound annual growth
      http://blog.programmableweb.com/2013/10/26/hack-of-buffer-should-raise-security-concerns-for-all-api-providers/
    • 6: A Major Supply Chain Hack
       An F1000 enterprise will lose data or be vandalized via a partner's application
       Partners provide services, goods, distribution, marketing, and outsourcing
       An enterprise's total app ecosystem may include hundreds of partner apps
       The bigger brand will take the hit
    • 7: CSRF Crosses The Chasm
       Vulnerability prevalence vs. exploit prevalence:
        – SQL Injection vulnerabilities were found in only 18% of apps¹, but SQL Injection attacks from 2005-2011 were responsible for 83% of the records stolen²
        – A famous 2005 incident (CardSystems Solutions) put SQL Injection on the map³
       Cross Site Request Forgery:
        – Caused by state-changing requests that carry no unpredictable, session-bound token: an attacker who can predict the request format can make a victim's browser submit it, and the browser attaches the victim's session cookies automatically
        – Breaches can be innocuous or devastating
       If one CSRF attack gets big headlines, it could be the new attack du jour.
      1: https://info.cenzic.com/2013-Application-Security-Trends-Report.html
      2: http://www.darkreading.com/views/lets-ask-why/240003593
      3: http://www.csoonline.com/article/700263/the-15-worst-data-security-breaches-of-the-21st-century
    • 8: Mobile Hacking Goes Up (chart: Projected Mobile OS Data Volume Growth)
    • 8: Mobile Hacking Goes Up
       Mobile app security lags
        – Mobile malware is increasingly sophisticated
        – BYOD/MDM challenges persist
       Security measures so far:
        – Sandbox enterprise apps on the phone
        – Virtualize apps
        – Biometric authentication
        – Mobile application firewall
        – Geofencing
       It is unclear whether they will limit breaches from application vulnerabilities.
    • 9. Hacking Prosecutions Will Go Up
       First-ever cybercrime RICO trial began Nov. 20, 2013: http://www.wired.com/threatlevel/2013/11/open-market-trial-begins/
       A hacker dealing in stolen credit cards is being charged with racketeering
       If successful, others in his organization could be prosecuted for criminal conspiracy
       This could dramatically expand the reach of cybercrime prosecution.
    • 10: Public Layer 7 Government Hack
       A nation-state will be implicated in a large Layer 7 app breach…
       Probably trying to steal credentials to target:
        – User sensitive info (dissident info)
        – Financial info (for business advantage)
        – Energy sector (critical infrastructure)
       The most sophisticated actors are the nation-states.
    • Suggested AppSec New Year's Resolutions
    • Internet of Things Resolutions
       Bake application security into your IoT plans early!
    • Enterprise App Store Resolutions
       Hold apps with privileged access to corporate data to the highest vulnerability testing standards.
       Be 100% responsible for the security of your store apps… no one else will.
    • Mobile Resolutions
       Encourage users to check the settings of new mobile apps and turn off unnecessary permissions.
       Test mobile apps for vulnerabilities in proportion to their usage and data value
       Evaluate mobile antivirus
       Educate yourself
    • App Design Resolutions
       Leverage anti-CSRF frameworks
       Validate inputs
       Implement tighter session management
       Confirm your off-the-shelf application components have no known vulnerabilities before use
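    The first and third resolutions above (anti-CSRF protection and tighter session management) are what prediction 7 turns on, so here is a worked example of the synchronizer-token pattern that anti-CSRF frameworks implement. This is an added example, not code from the Cenzic deck or from any Cenzic product: a money-transfer handler modelled in plain Python with requests as dicts, a constructed server-side session store, and a constructed forged request from an attacker page that knows the form layout but not the token. The handler names, the `alice`/`bob`/`mallory` users and the starting balance of 100 are assumptions made for the example.

```python
"""Synchronizer-token CSRF protection beside the unprotected handler.

Added example, not part of the original deck.  Requests are plain dicts
({"cookies": {...}, "form": {...}}) so the logic runs without a web
framework; the session store and the sample requests are constructed here.
"""
import hmac
import secrets

# Constructed server-side state: session_id -> session data, user -> balance.
# A real application would keep these in its session backend and database.
SESSIONS = {}
BALANCES = {}


def login(user):
    """Create a fresh server-side session and bind a random CSRF token to it.

    Issuing a new session id at login (rather than reusing a pre-login id)
    is the session-fixation half of "tighter session management".
    """
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    BALANCES.setdefault(user, 100)  # assumed starting balance for the example
    return sid


def csrf_token_for(sid):
    """Token the server embeds as a hidden field in the forms it renders."""
    return SESSIONS[sid]["csrf_token"]


def _session(request):
    """Resolve the session from the cookie the browser attached (if any)."""
    return SESSIONS.get(request.get("cookies", {}).get("session"))


def transfer_vulnerable(request):
    """Authenticates by session cookie alone.

    Any page that can make the victim's browser POST this form succeeds,
    because the browser attaches the victim's cookie to the forged request.
    """
    sess = _session(request)
    if sess is None:
        return 401
    amount = int(request["form"]["amount"])
    BALANCES[sess["user"]] -= amount
    return 200


def transfer_protected(request):
    """Same handler with the synchronizer-token check before any state change."""
    sess = _session(request)
    if sess is None:
        return 401
    submitted = request["form"].get("csrf_token", "")
    if not isinstance(submitted, str):
        return 403
    # Constant-time comparison against the token bound to *this* session;
    # a missing, stale or other-session token is rejected.
    if not hmac.compare_digest(submitted.encode(), sess["csrf_token"].encode()):
        return 403
    amount = int(request["form"]["amount"])
    BALANCES[sess["user"]] -= amount
    return 200


def demo():
    """Run a forged and a legitimate request through both handlers."""
    sid = login("alice")
    # Constructed forged request: built by an attacker-controlled page that
    # knows the form layout; the victim's browser supplies the session cookie.
    forged = {"cookies": {"session": sid},
              "form": {"amount": "50", "to": "mallory"}}
    # Legitimate request: submitted from the server's own form, token included.
    legit = {"cookies": {"session": sid},
             "form": {"amount": "10", "to": "bob",
                      "csrf_token": csrf_token_for(sid)}}
    return {
        "vuln_forged": transfer_vulnerable(forged),   # 200: forged transfer went through
        "prot_forged": transfer_protected(forged),    # 403: rejected, no valid token
        "prot_legit": transfer_protected(legit),      # 200: genuine form submission
        "balance": BALANCES["alice"],                 # 100 - 50 - 10 = 40
    }


if __name__ == "__main__":
    print(demo())
```

    The point to take from the run is in the two forged results: the same cookie-only request that drains the account in `transfer_vulnerable` is refused by `transfer_protected`, because the token is something only the server-rendered form carries and the attacker cannot predict it. Frameworks' anti-CSRF middleware does exactly this for every state-changing route; the pattern fails if the token is exposed to a cross-origin reader (e.g. via an XSS flaw) or if the check is skipped on some routes, so it complements rather than replaces input validation.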
    • Partner Apps & APIs
       Ensure partners' web services are tested and hardened for security to the same standards as your company-owned applications. Note: Cenzic's new service can help.
    • 3 Pillars of Enterprise App Security
       Pre-production & App Development
       Production
       Partner / Supply Chain
    • Detects Web & Mobile App Vulnerabilities
       Easy-to-use software, SaaS, or managed service
       Accurate behavior-based scanning protects
        – 500,000+ online applications
        – $Trillion+ of commerce
       Delivers the best continuous real-world risk management
    • Application Vulnerability Monitoring In Production
       Identify risk + mitigate risk
       One-click virtual patching via tight integration with leading Web Application Firewalls
    • Managed Services Offerings – At-a-glance
       Bronze: industry best practices for brochureware sites
       Silver: industry best practices for forms and login-protected sites
       Gold: compliance for sites with user data
       Platinum: comprehensive scans for mission-critical applications
       Service elements: phishing, light input validation, data security, session management, OWASP compliance, PCI compliance, business logic testing, application logic testing, manual penetration testing
    • Cenzic Can Help
       Train your people
       Give them better gear
       Have someone else carry the baton
    • Good Luck In The New Year!
    • Questions? request@cenzic.com or 1-866-4-CENZIC (1-866-423-6942) | Blog: https://blog.cenzic.com | www.cenzic.com