Your SlideShare is downloading. ×
0
Using 80 20 rule in application security management
Using 80 20 rule in application security management
Using 80 20 rule in application security management
Using 80 20 rule in application security management
Using 80 20 rule in application security management
Using 80 20 rule in application security management
Using 80 20 rule in application security management
Using 80 20 rule in application security management
Using 80 20 rule in application security management
Using 80 20 rule in application security management
Using 80 20 rule in application security management
Using 80 20 rule in application security management
Using 80 20 rule in application security management
Using 80 20 rule in application security management
Using 80 20 rule in application security management
Using 80 20 rule in application security management
Using 80 20 rule in application security management
Using 80 20 rule in application security management
Using 80 20 rule in application security management
Using 80 20 rule in application security management
Using 80 20 rule in application security management
Using 80 20 rule in application security management
Using 80 20 rule in application security management
Using 80 20 rule in application security management
Using 80 20 rule in application security management
Using 80 20 rule in application security management
Using 80 20 rule in application security management
Using 80 20 rule in application security management
Using 80 20 rule in application security management
Using 80 20 rule in application security management
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Using 80 20 rule in application security management

521

Published on

80/20 rule (also known as Pareto Principle) is one of the most beautiful rules which helps to achieve as well as fail. In most of the cases where it goes wrong was finally turned out to be figuring …

80/20 rule (also known as Pareto Principle) is one of the most beautiful rules which helps to achieve as well as fail. In most of the cases where it goes wrong was finally turned out to be figuring out the “right few”. This is probably one of the most elusive rules. It is easy to understand but extremely difficult to practice.

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
521
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
19
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Using 80/20 rule in Application Security Management Bikash Barai, Co-Founder & CEOJan 2013 © iViZ Security Inc 0
  • 2. About iViZ • iViZ – Cloud based Application Penetration Testing – Zero False Positive Guarantee – Business Logic Testing with 100% WASC (Web Application Security Consortium) class coverage • Funded by IDG Ventures • 30+ Zero Day Vulnerabilities discovered • 10+ Recognitions from Analysts and Industry • 300+ Customers • Gartner Hype Cycle- DAST and Application Security as a ServiceJan 2013 © iViZ Security Inc 1
  • 3. Background: Application Security Statistics 2012Jan 2013 © iViZ Security Inc 2
  • 4. Application Security Statistics 2012 • Based on real Application Security tests of iViZ – 300+ Customers – 5,000 + Application Security Tests • 99% of the Apps tested had at least 1 vulnerability • 82% of the web application had at least 1 High/Critical Vulnerability • Very low correlation between Security and Compliance (Correlation Coefficient: 0.2) • Average number of vulnerability per website: 35Jan 2013 © iViZ Security Inc 3
  • 5. Average number of VulnerabilitiesJan 2013 © iViZ Security Inc 4
  • 6. Top 5 Application Flaws Percentage of websites containing the “Type of Vulnerability”Jan 2013 © iViZ Security Inc 5
  • 7. 5 Common Business Logic Flaws • Weak Password recovery • Abusing Discount Logic/Coupons • Denial of Service using Business Logic • Price Manipulation during Transaction • Insufficient Server Side Validation (One Time Password (OTP) bypass)Jan 2013 © iViZ Security Inc 6
  • 8. Using 80/20 rule ..Jan 2013 © iViZ Security Inc 7
  • 9. 80/20 Rule • 80% of the effects come from 20% of the causes • Pareto Principle, Law of Vital Few, 80/20 Rule • Examples – 80% of your profits come from 20% of your customers – 80% of your complaints come from 20% of your customers – 20% rules detect 80% Spams • Opposite may also be true in some situations – Long TailJan 2013 © iViZ Security Inc 8
  • 10. Top 7 Mistakes • Cheap Security (Cheap Lock = No Lock) • Lack of prioritization and all round investment: Building an Iron door but with thatched walls • Security initiative not introduced early on (design phase) • Lack of proper Appsec organization (roles, KRA,KPI) • Trying too many things at the same time OR Trying to do everything in-house • Not choosing the right vendor/products • Thinking Secure Seal = Real SecurityJan 2013 © iViZ Security Inc 9
  • 11. 80/20 Rule: Top 5 Steps • #1: Identify and Classify all Apps based on Business Criticality • #2: Regular Testing • #3: Implement efficient Patching Process • #4: Implement Secure SDLC/Secure Dev-Ops • #5: Implement WAF for Business Critical AppsJan 2013 © iViZ Security Inc 10
  • 12. #1: Identify and ClassifyJan 2013 © iViZ Security Inc 11
  • 13. Identify and Classify your Apps • 90% of the organizations do not know – How many Apps they have? – Who owns each of the App? – Which Apps are business critical? • #1 Step: Identify your Apps – Use automated Application Discovery tools – Ask all your departments • #2 Step: Classify the Apps – Business Critical: Can cause revenue loss, reputation loss, legal implications – Non-Business Critical: Every thing elseJan 2013 © iViZ Security Inc 12
  • 14. #2: Regular Security TestingJan 2013 © iViZ Security Inc 13
  • 15. Application Security Vulnerability Management Model • Type of Test – Comprehensive Penetration Testing (Automated+Manual) – Automated Application Security Testing • Strategy for Business Critical Apps – Comprehensive Penetration Testing during every major release (OR at least once a quarter) – Automated Testing once a month • Strategy for Non-Business Critical Apps – 1 to 4 Automated Test per year (based on budget) – 1 Comprehensive Test per year (if Budget permits)Jan 2013 © iViZ Security Inc 14
  • 16. DAST vs SAST • Dynamic Application Security Testing (DAST): Does not need Code • Static Application Security Testing (SAST): Needs code/binary • Should I choose DAST or SAST? – #1 Step: Conduct DAST. • This is low hanging fruit. Easy to adopt. Less Expensive. More mature. – #2 Step: Conduct SAST+DAST • Lower false negative, Better coverage, More costly, Higher overheadJan 2013 © iViZ Security Inc 15
  • 17. Tools vs Consultant vs Cloud • Tools(License/On Demand) – Need in-house team to remove false positives and conduct business logic Tests • Consultants – Good quality, Costly, Cannot Scale • Cloud (with human intervention) – Good quality, Scalable, Vulnerability Data on CloudJan 2013 © iViZ Security Inc 16
  • 18. Which option should I choose? • Cloud (with human augmentation) – Most optimal for 80% of cases. No license Cost. No People Cost. Cost Effective. Scalable. • Automated Tools/On Demand Tools – If you can hire and retain an application security testing team (less than 1% organization can do it) • Consultants – Non Standard and Complex Application; You do not have in-house team. More costly. High QualityJan 2013 © iViZ Security Inc 17
  • 19. 9 Questions to ask your consultant 1. Who (individual) will conduct the test? 2. How many Application Security Tests did he conduct before? 3. What are the contributions of the testers in security research (vulnerability discovery, research papers, tools, conference presentations etc) 4. What is the methodology of security testing? 5. How will he ensure coverage? Does he have a checklist? Can he share that or show that? 6. How will he conduct business logic testing? 7. Where will he store the data? How will the data be kept secure? 8. Can he test during non-business hours? 9. Can he meet up to your scalability requirements? • Ask Yourself: Can you conduct adequate number of tests within your current budget using the consultant?Jan 2013 © iViZ Security Inc 18
  • 20. Top 5 metrics to benchmark a tool 1. What is the rate of false positive? 2. How many classes of vulnerabilities does it cover? 3. Which are the classes it does not cover? 4. How good is the coverage of the crawler? Is there any benchmark? 5. How many scans can run in parallel? • If possible: benchmark the tools for False Positives and False NegativesJan 2013 © iViZ Security Inc 19
  • 21. #3: Efficient Remediation ProcessJan 2013 © iViZ Security Inc 20
  • 22. Top Steps for Effective Remediation • Create awareness among the engineering team members • Create an effective communication channel (Spokesperson/internal wiki etc) between security testing and engineering team • Create effective process to raise tickets, manage and monitor them • Conduct re-validation testing • Average Vulnerability Closing Time should be part of KPI (internal team) or SLA (for outsourced development)Jan 2013 © iViZ Security Inc 21
  • 23. #4: Secure SDLCJan 2013 © iViZ Security Inc 22
  • 24. Top Application Security Principles • Validate Input data • Encode output data • Implement principle of least privilege, Fail securely by default • Protect sensitive transactions using anti-automation, challenge/response, re-authentication • Implement secure session management – Issue/reissue new session cookie for each login, Automatic session expiration etc • Implement strong known cryptographic storage. Only store data that you require. • Details:Guidehttps://www.owasp.org/images/0/08/OWASP_SCP_Quick_Referen ce_Guide_v2.pdfJan 2013 © iViZ Security Inc 23
  • 25. Top Steps towards Secure SDLC • Phase 1: Create a minimal coding and designing guideline – Implement, Monitor and Measure • Phase 2: Create a more advanced coding and design guideline • People are resistant towards change and there is adoption overhead. Do not try everything in one go. • Select the top 20% of guidelines which will help you the most in phase 1 • Consider Phase 2 as your goal. Phase 1 is your step towards achieving the goal.Jan 2013 © iViZ Security Inc 24
  • 26. #5: Web Application Firewall (WAF)Jan 2013 © iViZ Security Inc 25
  • 27. WAF-pros and cons • Pros: – Protects applications with known simplistic and common flaws – Protection before even if flaws are patched in the application. • Cons: – Does not protect against new and advanced attacks/Business logic flaws. – May Reduce application performance – May block legitimate requests if configured too strictly (false positives) – Do not actually fix the flaws in the code, only protects against some attacks. WAF cannot be a substitute for secure development practices.Jan 2013 © iViZ Security Inc 26
  • 28. Recap: 80/20 Rule: Top 5 Steps • #1: Identify and Classify all Apps based on Business Criticality • #2: Regular Testing • #3: Implement efficient Patching Process • #4: Implement Secure SDLC/Secure Dev-Ops • #5: Implement WAF for Business Critical AppsJan 2013 © iViZ Security Inc 27
  • 29. Top Free Online Resources • OWASP Secure Coding Practices Quick Reference: Guidehttps://www.owasp.org/images/0/08/OWASP_SCP_Quick_Referenc e_Guide_v2.pdf • OWASP Top 10: http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20- %202010.pdf • OWASP Secure Code Review Guide: https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide- V1_1.pdf • OWASP Projects Page: https://www.owasp.org/index.php/Category:OWASP_ProjectJan 2013 © iViZ Security Inc 28
  • 30. Thank You bikash@ivizsecurity.com Blog: http://bikashbarai.blogspot.in Linkedin:http://www.linkedin.com/pub/bikash-barai/0/7a4/669 Twitter: https://twitter.com/bikashbarai1Jan 2013 © iViZ Security Inc 29

×