How to Overcome the 5 Barriers to Production App Security Testing
View the slides from Sameer Dixit and Chris Harget's energetic discussion about the five most common obstacles to monitoring production applications for new vulnerabilities. This webinar will set you on a path to rise above the production security challenges of downtime, data loss and disgrace.

Webinar recording at: https://info.cenzic.com/overcome-barriers-prod-app-sec.html

Published in: Technology
Slide 1: How To Overcome the 5 Barriers To Production App Security Testing
Chris Harget - Product Marketing
Sameer Dixit - Managed Services

Slide 2: Or… 5 Reasons You’re Not Monitoring Production Apps For Vulnerabilities… …and 7 Reasons You Really Should

Slide 3: Agenda
Cenzic, Inc. - Confidential, All Rights Reserved.
• Why You’re Not Scanning
• Why You Should
• Overcoming Barriers
• How Cenzic Managed Services Can

Slide 4: 1. You Use SAST Tools In Development
• Good first step
• Efficient for some remediations
• Teaches developers best practices
• Commonly accepted method
• Insufficient = false sense of security

Slide 5: 2. Production Team Afraid of Down Time
• Production team is measured by uptime
• If it’s not broke, don’t fix it
• Security analyst needs production buy-in to actively monitor production environments

Slide 6: 3. Production Team May Not Have Skill Set
• Depends on team
• Mostly made up of people who plan and manage patches, maintain hardware, and roll out new systems
• If they’re not comfortable…they will resist

Slide 7: 4. Confusion Over Whose Budget Pays
• Is this the Developers’ budget?
  • They built it, unless it’s outsourced
• Is it the Security Analysts’ budget?
  • It’s security…and development and production…
• Is it the Production budget?
  • They run it.

Slide 8: 5. You Haven’t Gotten Around To It Yet
• Even if everyone agrees it should be done…it has to become a priority
• Like brushing teeth…you can skip it, but eventually there’ll be a hole.
• Gets deferred.

Slide 9: 5 Barriers To Monitoring Production Apps
1. You use SAST tools in development
2. Production team afraid of down time
3. Production team may not have skill set
4. Confusion over whose budget pays
5. You haven’t gotten around to it yet

Slide 10: …And 7 Reasons You Really Should

Slide 11: 1. Some Vulnerabilities Can't Be Found by SAST
• Search strings might miss them
• May only appear in the run-time environment
• May be on the web server or framework
• QA & production environments may not be identical (especially DBs)

Slide 12: 2. New Vulnerabilities Discovered Daily
• >5,200 web app vulnerabilities discovered…so far
• ~1,090 discovered last year
• Odds are, hundreds more will be discovered while your apps are in production.

Slide 13: 3. Production Apps Are The Biggest Risk
• 600+ million web sites
• <10% of applications are in development or in the QA stage
• >90% of applications are in production and deployed: at greatest risk!
• Vulnerability testing must monitor run-time environments

Slide 14: 4. Some Vulnerabilities Cause Downtime
• Buffer overflow
  • Downs the app & can give shell access
• XSS
  • Can insert JavaScript into the web server hundreds of times for each user and spread like a virus
• SQL injection
  • Drop tables, remove users, dump database
• About 110 other types of attacks that can lead directly to production downtime

Slide 15: 5. Effective Automated Attacks
• Blackbox testing + Cenzic experts
• Designed to emulate what attackers do on your site, but safer
• Cenzic has 10+ years helping enterprises and SMBs protect production apps
• Tools and services can find vulnerabilities with minimized risk to application uptime and data

Slide 16: 6. Tightly Integrate WAF to Monitoring
• Cenzic integrates with leading web app firewalls
• As few as two clicks to approve/enact a policy & virtually patch an app vulnerability
• Faster remediation => more secure
[Diagram: Identify Risk + Mitigate Risk]

Slide 17: 7. Managed Services For Key Apps
• Production Team = Security Team
• Priority apps deserve specialists
• Frees the production team to:
  • Receive results
  • Manage patches (virtual or code refresh)
  • Maximize uptime

Slide 18: Overcoming Barrier 1
1. You use SAST tools in development
• But that’s not a complete solution
• Some vulnerabilities require real-time scanning
• New vulnerabilities are discovered all the time

Slide 19: Overcoming Barrier 2
2. Production team afraid of down time
• …and vulnerable apps can increase downtime.
• You patch other bugs in production
• Monitoring can be done fairly safely

Slide 20: Overcoming Barrier 3
3. Production team may not have skill set
• Cenzic Managed Service can cover it until your team gets the skills
• Cenzic takes care of F100 customers for production monitoring

Slide 21: Overcoming Barrier 4
4. Confusion over who pays
• Whoever has the most budget
• Production…probably

Slide 22: Overcoming Barrier 5
5. You haven’t gotten around to it yet
• It’s important
• It’s relatively safe
• It’s easy
• Production can probably afford it

Slide 23: A Few…

Slide 24: What's the Best Form Factor For You?

                                                  Low-Risk Apps                              High Priority Apps
Under-resourced, broad-duties Security Analysts   Cloud (self-service) Production Scanning   Managed Service Production Scanning
Sizeable, Focused Security Analyst Group          Cloud or Software Production Scanning      Software or Managed Service Production Scanning

Slide 25: What's Important To Success
• Consistent detection accuracy
  • Erratic technicians or ad hoc tools can mask changes in security posture
• Quality of service
  • Production teams benefit from vulnerability monitoring managed services that meet high standards

Slide 26: Monitoring Available 24x7
• Frequent assessments = shorter vulnerability windows
• Reports should include trend data and a ranking of vulnerabilities for easy response
• Vulnerabilities should be time-stamped so you know the report was actually run that week.
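Slide 26 lists three properties a production monitoring report should have (a recent run timestamp, trend data across assessments, and a severity ranking). The following is an added example, not code from Cenzic or from the webinar, showing how a production team could check those properties on incoming scan reports. The report format, the finding identifiers and both weekly reports are constructed for the example; they are not real scanner output.

```python
from datetime import datetime, timedelta, timezone

# Lower number = more urgent; used to rank findings for response.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample reports for two consecutive weekly assessments
# (hypothetical format; not real scanner output).
REPORT_WEEK1 = {
    "run_at": "2013-09-02T03:00:00Z",
    "findings": [
        {"id": "sqli-/login-user", "type": "SQL injection", "severity": "critical"},
        {"id": "xss-/search-q", "type": "Reflected XSS", "severity": "high"},
        {"id": "cookie-nohttponly", "type": "Session cookie without HttpOnly", "severity": "medium"},
    ],
}
REPORT_WEEK2 = {
    "run_at": "2013-09-09T03:00:00Z",
    "findings": [
        {"id": "xss-/search-q", "type": "Reflected XSS", "severity": "high"},
        {"id": "cookie-nohttponly", "type": "Session cookie without HttpOnly", "severity": "medium"},
        {"id": "outdated-framework", "type": "Outdated framework version", "severity": "high"},
    ],
}


def parse_run_at(report):
    """Parse the report's UTC run timestamp."""
    return datetime.strptime(report["run_at"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def report_is_fresh(report, now, max_age_days=7):
    """True if the report was run within the last max_age_days (and not in the future).

    A report older than the assessment interval means the scan did not
    actually run this week, so its results say nothing about the current posture.
    """
    age = now - parse_run_at(report)
    return timedelta(0) <= age <= timedelta(days=max_age_days)


def rank_findings(findings):
    """Order findings most severe first; ties broken by id for a stable report."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK.get(f["severity"], len(SEVERITY_RANK)), f["id"]))


def diff_findings(previous, current):
    """Trend data between two assessments: what is new, fixed, or still open."""
    prev = {f["id"]: f for f in previous["findings"]}
    curr = {f["id"]: f for f in current["findings"]}
    return {
        "new": rank_findings([curr[i] for i in curr if i not in prev]),
        "fixed": rank_findings([prev[i] for i in prev if i not in curr]),
        "persisting": rank_findings([curr[i] for i in curr if i in prev]),
    }


def build_trend(reports):
    """Walk reports oldest to newest and attach to each open finding how many
    days it has been open, ranked by severity. The 'open_days' column is the
    per-finding vulnerability window that frequent assessments keep short."""
    first_seen = {}
    for report in reports:
        run_at = parse_run_at(report)
        for finding in report["findings"]:
            first_seen.setdefault(finding["id"], run_at)
    latest = reports[-1]
    latest_time = parse_run_at(latest)
    return [
        {**f, "open_days": (latest_time - first_seen[f["id"]]).days}
        for f in rank_findings(latest["findings"])
    ]


if __name__ == "__main__":
    now = datetime(2013, 9, 10, tzinfo=timezone.utc)
    print("week-2 report fresh:", report_is_fresh(REPORT_WEEK2, now))
    for bucket, items in diff_findings(REPORT_WEEK1, REPORT_WEEK2).items():
        print(bucket, [f["id"] for f in items])
    for row in build_trend([REPORT_WEEK1, REPORT_WEEK2]):
        print(f'{row["severity"]:>8}  {row["id"]:<24} open {row["open_days"]} days')
```

The freshness check rejects both stale and future-dated reports, so a scanner that silently skipped a week (or a clock that is wrong) is noticed rather than masked, which is the posture-change problem slide 25 warns about.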
Slide 27: What's Important To Success?
• Options to evolve
  • A managed service might be a great way to start. Self-service SaaS, software, or a service/software hybrid might make sense in the long run.
• Scalability
  • Start with key apps, scale to all apps

Slide 28: Choosing a Vendor By References
• Services are harder to rate than software.
• (People) * (Software) = Results
• Talent doesn’t scale well
• Look for best-in-class software
• Look for excellent customer survey results

Slide 29: Cenzic Can Help
• Cenzic is a leading provider of Web Application Production Scanning as a Managed Service.
• 10+ years
• Leverages the patented Hailstorm™ engine for more consistently accurate and efficient results
• Large and happy customers

Slide 30: How Cenzic Can Help
• We do it all
• Cenzic is the only vendor who offers you excellent software, or excellent managed services leveraging our excellent solutions
• Evolve wherever you want with Cenzic

Slide 31: Customers Rate Cenzic Higher
• In 2013 Gartner surveyed App Security Testing customers
• ONLY Cenzic scored high marks from customers in Accuracy, Service, Support and Overall Satisfaction
• Cenzic provides the best services!

Slide 32: Managed Services Offerings – At-a-Glance

Bronze:   Industry best-practices for brochureware sites
Silver:   Industry best-practices for forms and login-protected sites
Gold:     Compliance for sites with user data
Platinum: Comprehensive scans for mission-critical applications

Test                          Bronze  Silver  Gold  Platinum
Phishing                        X       X      X       X
Light input validation          X       X      X       X
Data security                   X       X      X       X
Session management                      X      X       X
OWASP compliance                               X       X
PCI compliance                                 X       X
Business logic testing                                 X
Application logic testing                              X
Manual penetration testing                             X

Slide 33: Complete Enterprise Security by Cenzic
[Diagram: Pre-production & App Development; Production; Partner / Supply Chain; Enterprise Application Security]

Slide 34: Application Security for Web, Web Services & Mobile