Your SlideShare is downloading. ×
How to Overcome the 5 Barriers to Production App Security Testing
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

How to Overcome the 5 Barriers to Production App Security Testing

379

Published on

View the slides from Sameer Dixit and Chris Harget's energetic discussion about the five most common obstacles to monitoring production applications for new vulnerabilities. This webinar will set you …

View the slides from Sameer Dixit and Chris Harget's energetic discussion about the five most common obstacles to monitoring production applications for new vulnerabilities. This webinar will set you on a path rise above the production security challenges of downtime, data loss and disgrace.

Webinar recording at: https://info.cenzic.com/overcome-barriers-prod-app-sec.html

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
379
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
5
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. How To Overcome the 5 Barriers To Production App Security Testing Chris Harget - Product Marketing Sameer Dixit - Managed Services
  • 2. Or… 5 Reasons You’re Not Monitoring Production Apps For Vulnerabilities… …and 7 Reasons You Really Should
  • 3. 3 Agenda Cenzic, Inc. - Confidential, All Rights Reserved. Why You’re Not Scanning Why You Should Overcoming Barriers How Cenzic Managed Services Can
  • 4. 4 1. You Use SAST Tools In Development Cenzic, Inc. - Confidential, All Rights Reserved. • Good first step • Efficient for some remediations • Teaches Developers best practices • Commonly accepted method • Insufficient = False sense of security
  • 5. 5 2. Production Team Afraid of Down Time Cenzic, Inc. - Confidential, All Rights Reserved. • Production Team measured by up time • If it’s not broke, don’t fix it • Security Analyst needs Production Buy- In to actively monitor production environments
  • 6. 6 3. Production Team May Not Have Skill Set Cenzic, Inc. - Confidential, All Rights Reserved. • Depends on team • Mostly made up of guys who plan and manage patches, maintain hardware, and rollout new systems. • If they’re not comfortable…they will resist
  • 7. 7 4. Confusion Over Whose Budget Pays Cenzic, Inc. - Confidential, All Rights Reserved. • Is this Developers’ budget? • They built it, unless it’s outsourced • Is it Security Analysts’ budget? • It’s security…and development and production… • Is it Production budget? • They run it.
  • 8. 8 5. You Haven’t Gotten Around To it Yet Cenzic, Inc. - Confidential, All Rights Reserved. • Even if everyone agrees it should be done…it has to become a priority • Like brushing teeth…you can skip it, but eventually there’ll be a hole. • Gets deferred.
  • 9. 9 5 Barriers To Monitoring Production Apps Cenzic, Inc. - Confidential, All Rights Reserved. 1. You use SAST tools in Development 2. Production team afraid of down time 3. Production team may not have skill set 4. Confusion over whose budget pays 5. You haven’t gotten around to it yet
  • 10. …And 7 Reasons You Really Should
  • 11. 11 1. Some Vulnerabilities Can't Be Found by SAST Cenzic, Inc. - Confidential, All Rights Reserved. • Search Strings might miss them • May only appear in run-time environment • May be on web server or framework • QA & Production environment may not be identical (especially DBs)
  • 12. 12 2. New Vulnerabilities Discovered Daily Cenzic, Inc. - Confidential, All Rights Reserved. • >5,200 Web app vulnerabilities discovered…so far • ~1,090 discovered last year • Odds are, hundreds more will be discovered while your apps are in production.
  • 13. 13 Cenzic, Inc. - Confidential, All Rights Reserved. 3. Production Apps Are The Biggest Risk 600+ Million Web Sites <10% of the applications in development or in QA stage >90% applications are in production and deployed At Greatest Risk! Vulnerability Testing Must Monitor Run-Time Environments
  • 14. 14 4. Some Vulnerabilities Cause Downtime Cenzic, Inc. - Confidential, All Rights Reserved. • Buffer Overflow • Downs app & can give shell access • XSS • Can insert javascript to the web server 100's of times for each user and spread like a virus • SQL injection • Drop tables, remove users, dump database • About 110 other types of attacks that can lead directly to production downtime
  • 15. 15 5. Effective Automated Attacks Cenzic, Inc. - Confidential, All Rights Reserved. • Blackbox testing + Cenzic experts • Designed to emulate what attackers do on your site, but safer • Cenzic has 10+ years helping enterprises and SMB’s protect Production Apps • Tools and services can find vulnerabilities with minimized risk to application uptime and data
  • 16. 16 6. Tightly Integrate WAF to Monitoring Cenzic, Inc. - Confidential, All Rights Reserved. • Cenzic integrates with leading Web App Firewalls • As few as two-clicks to approve/enact a policy & virtually patch app vulnerability • Faster remediation => More Secure + Identify Risk Mitigate Risk = =
  • 17. 17 7. Managed Services For Key Apps Cenzic, Inc. - Confidential, All Rights Reserved. • Production Team = Security Team • Priority Apps deserve specialists • Frees Production Team To: • Receive results • Manage patches (virtual or code refresh) • Maximize uptime
  • 18. 18 Overcoming Barrier 1 Cenzic, Inc. - Confidential, All Rights Reserved. 1. You use SAST tools in Development • But that’s not a complete solution • Some vulnerabilities require real- time scanning • New vulnerabilities discovered all the time
  • 19. 19 Overcoming Barrier 2 Cenzic, Inc. - Confidential, All Rights Reserved. 2. Production team afraid of down time • …and vulnerable apps can increase downtime. • You patch other bugs in Production • Monitoring can be done fairly safely
  • 20. 20 Overcoming Barrier 3 Cenzic, Inc. - Confidential, All Rights Reserved. 3. Production team may not have skill set • Cenzic Managed Service can cover it until your team gets the skills • Cenzic takes care of F100 customers for Production Monitoring
  • 21. 21 Overcoming Barrier 4 Cenzic, Inc. - Confidential, All Rights Reserved. 4. Confusion Over Who Pays • Whoever has the most budget • Production…probably
  • 22. 22 Overcoming Barrier 5 Cenzic, Inc. - Confidential, All Rights Reserved. 5. You haven’t Got Around To It Yet • It’s important • It’s relatively safe • It’s easy • Production can probably afford it
  • 23. 23 A Few… Cenzic, Inc. - Confidential, All Rights Reserved.
  • 24. 24 What's Best Form Factor For You? Cenzic, Inc. - Confidential, All Rights Reserved. Low-Risk Apps High Priority Apps Under-resourced, broad-duties Security Analysts Cloud (self-service) Production Scanning Managed Service Production Scanning Sizeable, Focused Security Analyst Group Cloud or Software Production Scanning Software or Managed Service Production Scanning
  • 25. 25 What's Important To Success Cenzic, Inc. - Confidential, All Rights Reserved. • Consistent Detection Accuracy • Erratic technicians or ad hoc tools can mask changes in security posture • Quality of Service • Production Teams benefit from vulnerability monitoring managed services that meet high standards
  • 26. 26 Monitoring Available 24x7 Cenzic, Inc. - Confidential, All Rights Reserved. • Frequent Assessments = shorter vulnerability windows • Reports should include trend data and ranking of vulnerabilities for easy response • Vulnerabilities should be time- stamped so you know report was actually run that week.
  • 27. 27 What's Important To Success? Cenzic, Inc. - Confidential, All Rights Reserved. • Options To Evolve • Managed Service might be great way to start. Self-service Saas, software, or service/software hybrid might make sense in the long run. • Scalability • Start with key apps, scale to all apps
  • 28. 28 Choosing Vendor By References Cenzic, Inc. - Confidential, All Rights Reserved. • Services harder to rate than software. • (People)*(Software)= Results • Talent doesn’t scale well • Look for best-in-class software • Look for excellent customer survey results
  • 29. 29 Cenzic Can Help Cenzic, Inc. - Confidential, All Rights Reserved. • Cenzic is a leading provider of Web Application Production Scanning as a Managed Service. • 10+ Years • Leverages patented Hailstorm™ engine for more consistently accurate and efficient results • Large and happy customers
  • 30. 30 How Cenzic Can Help Cenzic, Inc. - Confidential, All Rights Reserved. • We Do It All • Cenzic is the only vendor who offers you excellent software, or excellent managed services leveraging our excellent solutions • Evolve wherever you want with Cenzic
  • 31. 31 Customers Rate Cenzic Higher Cenzic, Inc. - Confidential, All Rights Reserved. • 2013 Gartner surveyed App Security Testing Customers • ONLY Cenzic scored high marks from customers in Accuracy, Service, Support and Overall Satisfaction • Cenzic provides the best services!
  • 32. Managed Services Offerings – At-a-Glance 32 Cenzic, Inc. - Confidential, All Rights Reserved. Bronze Silver Gold Platinum Industry Best- Practices for Brochureware sites Industry Best- Practices for forms and login protected sites Compliance for sites with user data Comprehensive scans for Mission critical applications Phishing X X X x Light input validation X X X x Data Security X X X x Session management X X x OWASP compliance X x PCI compliance X x Business logic testing x Application logic testing x Manual penetration testing x
  • 33. 33 Cenzic, Inc. - Confidential, All Rights Reserved. Pre-production & App Development Production Partner / Supply Chain Enterprise Application Security Complete Enterprise Security by Cenzic
  • 34. 34 Application Security for Web, Web Services & Mobile

×