Application Hackers Have A Handbook. Why Shouldn't You?

More Hacker Hotshots: http://www.concise-courses.com/upcoming/

In this Hacker Hotshot Hangout Marc Shinbrood shares:
1. Today's Web Application Vulnerabilities
2. Real World Application Security Lifecycles
3. Holistic Application Security Solutions


Published in: Technology
  • Stripped down and customized version of Mac OS X: does not have common binaries such as bash, ssh, or even ls. MobileSafari: many features of Safari have been removed. No Flash plug-in; many file types cannot be downloaded.
  • Each application runs with its own UID in its own Dalvik virtual machine. Provides CPU protection and memory protection. Authenticated communication protection using Unix domain sockets. Only ping and zygote (which spawns other processes) run as root. Applications announce their permission requirements. Create a whitelist model – the user grants access. But we don't want to ask the user often – all questions are asked at install time. An inter-component communication reference monitor checks permissions.
  • Train your developers. Review your code. Test, test and test again. Protect in real time and virtual patch with technologies like web application firewalls.
  • Trustwave provides a unified set of offerings to help you address the security challenges and trends we just mentioned. And we do it by hiding the complexity of the environment. At the end of the day, this is what we want the customer to remember – four things about Trustwave that are unique and that we do better than anyone else, and how these areas all work together to address customer issues.

    SpiderLabs – Simple is Intelligent. SpiderLabs is the advanced security team at Trustwave and drives our security research, penetration testing, and incident response offerings. SpiderLabs has completed thousands of forensic investigations and application and network penetration tests in over 50 countries – we believe more than any other provider. SpiderLabs are "ethical hackers at the leading edge of security". This deep experience gives SpiderLabs unparalleled insight into current and emerging security threats, which then provides real-time threat intelligence to significantly enhance our security products as well as our managed security offerings. In fact, we just announced the SpiderLabs Threat Intelligence program, where organizations can also get the same threat knowledge we have been providing to our internal MSS – this is focused on the areas of Malware, Mobility, Infrastructure and Virtualization/Cloud. SpiderLabs is also very active in sharing our insights with the security community, such as publishing research papers, speaking at events like DefCon and BlackHat and, perhaps most visibly, the annual Global Security Report.

    Unified Security – Simple is Unified. The current approach to security, we think, is ineffective. The world has changed – too many threats, evolving far too quickly from a diverse set of attack vectors. Days and sometimes months pass before a company even realizes it has been compromised. According to the latest Global Security Report, only 16% of all organizations were able to self-detect an attack! This disturbing stat also highlights another major challenge – the complexity that organizations face. Trustwave's Unified Security approach is designed to address this changing world. We have a comprehensive set of security offerings to protect you from the web layer, to the application layer, to the network layer and finally to the data layer. Our offerings include award-winning secure web gateways, web filters, web app firewalls, network access control, UTM, data loss prevention, secure email gateways, and encryption products. What is unique is how we deliver these products as unified solutions to provide better security and simplicity of use. Trustwave solutions collaborate with our award-winning SIEM to help analyze seemingly disconnected events and correlate them to recognize threats that would otherwise have been missed. In short, SIEM becomes the nerve center that collects information from individual security solutions, correlates it to gain insight about threats and then takes action to prevent an attack. We "bring all our security, all in one place". "Unified security is a strategy that correlates and analyzes information from disparate sources, enabling security products to cooperate, understand and jointly repel external and internal threats to data."

    Managed Security Services – Simple is Focused. Trustwave is one of the leading managed security providers in the world, with global 24x7x365 SOC coverage. Our MSS vision is to "help organizations run their security while they focus on running their business". In addition to the foundational offerings like UTM, firewalls, etc. that many MSS vendors provide, we also provide next-generation and high-value managed offerings like Managed NAC, WAF, SIEM, FIM, Encryption, etc. that others do not. This enables Trustwave not only to provide one of the broadest MSS offerings, but also to deliver a pathway for companies who need sophisticated security technologies, delivered as simple-to-consume managed offerings. Finally, Trustwave MSS benefits greatly from the real-time threat intelligence from our SpiderLabs division, based on the thousands of forensic investigations and penetration tests done in over 50 countries. This insight helps the Trustwave MSS team to build the right policies to protect our customers, including from threats they were not even aware of. We are honored to be recognized by Forrester as a leader in MSS in their Forrester Wave report. We're changing the way managed security providers are viewed in the industry – previously it was just to reduce capex costs and optimize resources. Now, with Trustwave MSS, you're not just getting affordable, simplified security but also better security.

    Compliance and Validation – Simple is Clear. We are the global leader in PCI compliance. This unique heritage also provides us a strong blueprint to help address other regulations such as HIPAA, Data Privacy, SOX, ISO2700x, etc. Our products are tuned not only to secure your data but also to provide reports that can prove compliance with regulations (e.g. our SIEM has over 1400 reports). We have over half a million subscribers in our TrustKeeper portal using us for compliance. They use unique offerings like the "To Do list", which guides users on compliance issues and offers approaches for remediation. We also combine security and compliance solutions to make it easier for organizations – we have successfully helped franchises and other distributed organizations with bundled and packaged solutions to address compliance and security.

    Elevator pitch: "Trustwave's unified security approach provides organizations simple solutions to complex security and compliance challenges. Our best-in-class solutions, including SWG, WAF, NAC, Encryption and others, build on a layered strategy, offering protection from the web, applications, to networks, email and ultimately to the data itself. Uniquely, these solutions collaborate with our market-leading SIEM technology to correlate and analyze security events in real time, helping businesses quickly understand vulnerabilities and take action to repel both internal and external threats. These unified solutions, enhanced with intelligence from Trustwave's SpiderLabs, an advanced security and research team, can be deployed on-premise or delivered as managed services through our award-winning portal, TrustKeeper."
  • Application Hackers Have A Handbook. Why Shouldn't You?

    1. August 13, 2013. Application Hackers Have a Handbook. . . Why Shouldn't You?
    2. Agenda
       1 Today's Vulnerabilities
       2 Real World Application Security Lifecycle
       3 Holistic Application Security Solution
    3. Web Application Vulnerabilities
    4. Improving Business Intelligence
       Your Objective:
       • Improve visibility across systems
       • Monitor, control and detect anomalies and compromise
       • Correlate events and instruct devices across the network
       • Dynamically enforce policies and rules across technologies
       Cybercriminals aggressively exploit the weakness of siloed monitoring and controls. ONLY 24% OF BREACHES ARE SELF-DETECTED.
       Business and Threat Intelligence:
       • Security Information and Event Management (SIEM)
       • Web Application Firewall
       • Global Threat Database
       • Threat Research and Advisory Services
       Source: 2013 Trustwave Global Security Report
    5. Mobile Apps are Taking Off
       [Chart: tablet apps and smartphone apps in 2011, 2013* and 2015* (* projected), y-axis 0 to 60]
       March 2012: "Mobile App is the new fact of engagement"
       Mobile apps: $6 billion market today; will hit $55.7 billion by 2015
    6. iOS Architecture – Security Weaknesses
       • All processes of interest run with administrative privileges
       • iPhone does not utilize some widely accepted practices
         – Address randomization: the stack, heap, and executable code are located at precisely the same spot in memory
         – Non-executable heaps: a buffer overflow on the heap can write executable instructions
    7. Android Architecture – Security Weaknesses
       • Google decided against (in the initial release)
         – stack and heap non-execute protections
       • GIF image vulnerability
         – Decode function uses the logical screen width and height to allocate the heap buffer
         – Can overflow the heap buffer, allowing a hacker to control the phone
       • The vulnerability is in the multimedia subsystem made by PacketVideo
         – Due to insufficient boundary checking
         – It's possible to corrupt the heap and execute arbitrary code on the device
    8. Securing Web & Mobile Applications
       Your Objective:
       • Ensure secure development of web and mobile applications
       • Prevent Layer 7 attacks and dynamically protect web applications
       • Maintain application performance
       360 Application Security:
       • Secure App Development Training
       • Secure Code Review
       • Mobile Application Penetration Testing
       • Web Application Penetration Testing
       • Web Application Firewall
       • SSL Certificates
       [Chart: Top App Attack Methods] E-commerce sites are the #1 targeted asset of hackers.
       Source: 2013 Trustwave Global Security Report
    9. Application Security – A Lifecycle View
       [Diagram spanning SDLC to Production: security review, architecture audits, code review, static analysis, dynamic testing, penetration testing, application firewalls, application security training]
    10. Challenges to Implement Application Security
        [Diagram: manual process; error prone; lack of expertise; lack of incentive; complex to carry out; time-to-market pressure; lack of influence; lack of code visibility; different priorities; no code & design visibility; no root cause info; lack of influence; lack of visibility and integration; application security training]
    11. Securing Web & eMail
        Your Objective:
        • Create a layered defense
        • Improve anti-malware power at the gateway
        • Enable safe and productive use of social media
        • Get control of data from creation to destruction
        Content Security and Control:
        • Threat Research & Advisory Services/Feeds
        • Secure Web Gateway
        • Web Application Firewall
        • Secure Email Gateway
        • Data Loss Prevention
        • Data Encryption
        • Security Awareness Education
        Web-based systems are the most utilized threat vector of hackers. AVERAGE TIME FROM BREACH TO DETECTION: 210 DAYS.
        Source: 2013 Trustwave Global Security Report
    12. This Means …
        • Defects are found later in the lifecycle
          – Increased remediation cost
        • Often security defects are not fixed due to separate agenda and accountability structures
          – Developers are under time-to-market pressure
        • Silo-ed model does not scale
          – How many auditors do you need to cover all your apps?
        [Chart: cost for defect fixes by phase. Development 1x, Integration 5x, Audit/test 10x, Production 30x. Source: NIST]
    13. Why Application Security?
        • Applications are vulnerable: 44% of organizations feel that application vulnerabilities pose the greatest threat to them in 2012. Source: InformationWeek 2012 Strategic Security Survey.
        • Fixing them is expensive: a recent study of more than 150 organizations found the average total cost to remediate a single application security incident is approximately $300,000.
        • Late fixes are even more expensive: it is 5 times more expensive to fix a flaw in development than during design, 10 times more in testing, and 30 times more in deployment. Source: National Institute of Standards and Technology.
    14. What We Need: The Shape of an Ideal Solution
        • More automated design audits and threat modeling
        • Easy-to-use static analysis
        • Suitable for developers
        • Meaningful remediation guidance
        • Integrated with dynamic tests
        • Integrated with static analysis
        • Provide input back to dev
        • Scanning and intelligent pen testing
        • Virtual patching
        • Real-time attack blocking
        • Continuous deployment support
        • Application security training
    15. That said – you don't have to tackle everything at once, but you need a strategy to get there!
    16. Recommendations
        • Immediate to-do list
          – Invest in WAF technology for all your external-facing web applications
          – Invest in developer training, focusing on on-the-job training
          – Invest in static analysis technology; start small
        • Medium-term to-do list
          – Perform dynamic scans on all of your applications
          – Define your selective penetration testing strategy
          – Populate static analysis
          – Prioritize remediation
        • Long-term to-do list
          – Build your complete application security competency
    17. Ready To Get Started?
        • Get the "Addressing the OWASP Top 10 with Trustwave WebDefend" white paper
          – https://www.trustwave.com/application-security/
        • Take the OWASP Top 10 Threats & Mitigations Course for free!
        • We can show you how to protect your applications in 30 minutes or less. Start your proof of concept with Trustwave WebDefend now!
    18. About Trustwave
        • Founded in 1995
        • Almost 1100 employees in 26 locations worldwide
        • Nearly 2.5 million merchants trust us for their compliance and security needs
        • Robust portfolio of risk management, compliance and security solutions
        • Leading provider of Cloud Security through our award-winning TrustKeeper portal
        • Leading provider of Managed Security Services, with global 365x24x7 operations
        • Trustwave SpiderLabs has performed over 14,000 penetration tests and 1,500 forensic investigations
    19. Simple Solutions to Complex Challenges
    20. 360 Application Security
        • The industry's only holistic application security lifecycle solution
        • Enables an organization to secure their applications while meeting regulatory and compliance requirements in a simple way
    21. Summary
        • Application security should be addressed from design to production
        • Best practice is with a lifecycle approach
        • Trustwave's 360 Application Security solution, including the award-winning WebDefend WAF, can help you start protecting your applications today
    22. QUESTIONS
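As an added illustration of the defect class slide 7 describes (a GIF decoder that sizes its heap buffer from the logical screen but never checks the frame it copies into it), and not code from the talk or from PacketVideo's decoder, the C sketch below places the unchecked canvas write beside a hardened version that validates the frame rectangle against the logical screen before any allocation. The struct and function names are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not code from the talk or from PacketVideo: a GIF
 * decoder allocates its canvas from the Logical Screen Descriptor and then
 * copies each image frame at the frame's own position and size. All names
 * here are hypothetical. */
struct gif_screen { uint16_t width, height; };            /* logical screen  */
struct gif_frame  { uint16_t left, top, width, height; };  /* image descriptor */

/* Defect shape from slide 7: the canvas is sized from the logical screen,
 * but the frame geometry (also read from the file) is never checked against
 * it, so a frame that extends past the canvas writes beyond the heap buffer. */
static void decode_frame_unchecked(const struct gif_screen *s, const struct gif_frame *f,
                                   const uint8_t *pix, uint8_t *canvas)
{
    for (uint32_t y = 0; y < f->height; y++)               /* no bounds check here */
        memcpy(canvas + ((uint32_t)f->top + y) * s->width + f->left,
               pix + (size_t)y * f->width, f->width);
}

/* Hardened check: reject an empty canvas, a canvas size that would overflow
 * size_t, and any frame rectangle that leaves the logical screen. The sums
 * are done in uint32_t so two uint16_t fields cannot wrap around. */
int frame_fits_screen(const struct gif_screen *s, const struct gif_frame *f)
{
    if (s->width == 0 || s->height == 0) return 0;
    if ((size_t)s->width * s->height / s->width != s->height) return 0;
    if ((uint32_t)f->left + f->width  > s->width)  return 0;
    if ((uint32_t)f->top  + f->height > s->height) return 0;
    return 1;
}

/* Returns 0 and a freshly allocated canvas in *out on success, -1 when the
 * frame does not fit; the input is rejected before anything is written. */
int decode_frame_checked(const struct gif_screen *s, const struct gif_frame *f,
                         const uint8_t *pix, uint8_t **out)
{
    if (!frame_fits_screen(s, f)) return -1;
    uint8_t *canvas = calloc((size_t)s->width * s->height, 1);
    if (!canvas) return -1;
    decode_frame_unchecked(s, f, pix, canvas);   /* safe only after the check */
    *out = canvas;
    return 0;
}
```

The same rectangle check applies to any format that carries both a global canvas size and per-frame offsets; the cost of adding it is four comparisons, against the remediation costs on slides 12 and 13.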
