Breached! App Attacks, Application Protection and Incident Response

Software applications, and outward-facing Web applications in particular, are consistently ranked among the top threat vectors. For example, according to a recent report from Trustwave, SQL injection was the attack method in 26% of all reported breaches. Indeed, despite being a decade-old, well-understood vulnerability class, SQL injection flaws remain present in 32% of applications.

This webinar will first explain software application vulnerabilities and define their various types. It will also present recent research findings about the prevalence of these vulnerabilities and their impact. From there it will discuss what organizations can do to harden their applications. Finally, the webinar will cover best practices for responding to a successful application attack.

Our featured speaker for this timely webinar is Chris Wysopal, Co-Founder, CTO & Chief Information Security Officer at Veracode.


Presentation Transcript

    • Breached! App Attacks, Application Protection, and Incident Response
    • Page 2: Agenda
      • Introductions
      • Application Security 101
      • How To Improve Application Security
      • Application Security IR Best Practices
      • Q&A
    • Page 3: Introductions: Today's Speakers
      • Ted Julian, Chief Marketing Officer, Co3 Systems. Ted is a serial entrepreneur who has launched four companies during his ~20 years in the security / compliance industry.
      • Chris Wysopal, Co-Founder, CTO & CISO, Veracode. Director of Development, Symantec; VP Research & Development, @stake.
    • Page 4: Co3 Automates Breach Management
      • PREPARE – Improve Organizational Readiness: assign response team; describe environment; simulate events and incidents; focus on organizational gaps.
      • ASSESS – Quantify Potential Impact, Support Privacy Impact Assessments: track events; scope regulatory requirements; see $ exposure; send notice to team; generate Impact Assessments.
      • MANAGE – Easily Generate Detailed Incident Response Plans: escalate to complete IR plan; oversee the complete plan; assign tasks: who/what/when; notify regulators and clients; monitor progress to completion.
      • REPORT – Document Results and Track Performance: document incident results; track historical performance; demonstrate organizational preparedness; generate audit/compliance reports.
    • Page 5: About Veracode
      • Founded in 2006 by a world-class team of application security experts from @stake, Guardent, Symantec, and VeriSign, Veracode provides the world's leading Application Risk Management Platform. Veracode's patented and proven cloud-based capabilities allow customers to govern and mitigate software security risk across a single application or an enterprise portfolio with unmatched simplicity.
      • Veracode has received considerable recognition and awards in the industry, including being named a Gartner "Cool Vendor," The Wall Street Journal's "Technology Innovation Award," and being listed as #20 on Forbes' "America's Most Promising Companies."
    • Page 6: Your Apps, In The Crosshairs. Corporations are targeted for their IP and other valuables, which sit behind a porous security perimeter.
    • Page 7: Your Apps, In The Crosshairs. It is porous because of the way businesses interact with their customers, suppliers, and partners via email and web applications. Mobile apps coming soon!
    • Page 8: But I Already Have Security!
      • Firewalls – Don't block data moving to and from trusted computers. You trust your web servers. You trust your employees' desktops. Won't stop spear phishing or web app attacks.
      • Encryption – You encrypt data so it can't be snooped over the network or read from a stolen hard drive. Attackers access encrypted data through applications, posing as legitimate users.
      • Antivirus – Can only stop known malware. Attackers make brand-new custom malware to attack you.
      • Spear phishing and web app vulnerabilities bypass all three!
    • Page 9: Insecure Apps Are A Leading Cause Of Breaches
    • POLL
    • Page 11: Biggest SQL Injection Breaches of 2012
    • Page 12: Case Study: Night Dragon
      • Impacted the Energy Sector from Nov 2009 – Feb 2011
      • Information targeted: energy field production information; financial information; Industrial Control System information
    • POLL
    • Page 14: How It Works: SQL Injection Attack
    • Page 15: 70+% of Web Apps Fail Security Testing
    • Page 16: OWASP Top 10 Vulnerability Types
    • Page 17: Top Vulnerability Types (% of Affected Web App Builds)
    • Page 18: Techniques To Test Application Security
      • The universe of application security vulnerabilities is extensive.
      • There is no "silver bullet" – each technique has strengths and weaknesses.
      • A complete analysis includes: static analysis (i.e. white box); dynamic analysis (i.e. black box); penetration testing; design review; threat modeling.
      • Automation allows manual penetration testers to focus on vulnerabilities only humans can find.
      • [Diagram: Automated Static / Automated Dynamic / Penetration Testing]
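The slide itself is a diagram, so here is the mechanism in code. This is an added example, not material from the deck or from Veracode: a login query built by string concatenation beside the parameterized version that fixes it, run against an in-memory SQLite table with constructed sample rows. The table, user names and payloads are all made up for the demonstration.

```python
"""Added example (not from the Veracode/Co3 deck): SQL injection through string
concatenation, beside the parameterized query that prevents it. Runs offline
against an in-memory SQLite database populated with constructed sample rows."""
import sqlite3

# Constructed sample data: a tiny users table for the demonstration.
SAMPLE_USERS = [
    ("alice", "s3cret-a", "user"),
    ("bob", "s3cret-b", "user"),
    ("admin", "s3cret-root", "admin"),
]


def make_db():
    """Create a fresh in-memory database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """The classic bug: user input is pasted into the SQL text, so a quote in
    the input terminates the string literal and the rest becomes SQL syntax."""
    sql = ("SELECT name, role FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_safe(conn, name, password):
    """Parameterized query: the values travel separately from the statement,
    so input is only ever compared as data and cannot alter the query."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


# Constructed payloads.
# 1) Close the name literal and comment out the password check entirely.
COMMENT_PAYLOAD = "admin' --"
# 2) The always-true tautology, which makes every row match.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"


def demo():
    """Return what each implementation yields for the two payloads."""
    return {
        "vulnerable_comment": login_vulnerable(make_db(), COMMENT_PAYLOAD, "x"),
        "safe_comment": login_safe(make_db(), COMMENT_PAYLOAD, "x"),
        "vulnerable_tautology": login_vulnerable(
            make_db(), TAUTOLOGY_PAYLOAD, TAUTOLOGY_PAYLOAD),
        "safe_tautology": login_safe(
            make_db(), TAUTOLOGY_PAYLOAD, TAUTOLOGY_PAYLOAD),
        "safe_legit": login_safe(make_db(), "alice", "s3cret-a"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:22} -> {rows}")
```

With the comment payload the concatenated query reads `... WHERE name = 'admin' --' AND password = 'x'`, so the password clause is commented out and the admin row comes back without a password; the tautology payload returns every row. The parameterized version returns nothing for either payload and still authenticates a real user, which is the whole point of binding values instead of building SQL text.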
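To make "static analysis (white box)" concrete: the following is an added example, not code from the deck or from any Veracode product. It is a toy checker that parses Python source with the standard `ast` module and flags `execute()` calls whose first argument is built at run time from concatenation, `%`-formatting, `.format()` or an f-string. The sample source it scans is constructed for the demonstration.

```python
"""Added example (not from the deck or any vendor tool): a minimal white-box
check that walks Python source with the ast module and reports database
execute() calls whose SQL text is assembled dynamically. A toy, not a product:
it looks only at the literal call site and does no data-flow tracking."""
import ast

# Constructed sample source: two injectable calls, one parameterized call.
SAMPLE_SOURCE = '''
def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")

def find_user_safe(cur, name):
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))

def find_user_fmt(cur, name):
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
'''


def is_dynamic_string(node):
    """True if the expression builds a string from other values at run time."""
    if isinstance(node, ast.JoinedStr):  # f-string with at least one {...}
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True  # "..." + x   or   "..." % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"  # "...".format(x)
    return False


class SqlSinkFinder(ast.NodeVisitor):
    """Record (enclosing function, line) for each dynamic-SQL execute call."""

    SINKS = ("execute", "executemany", "executescript")

    def __init__(self):
        self.current = "<module>"
        self.findings = []

    def visit_FunctionDef(self, node):
        saved, self.current = self.current, node.name
        self.generic_visit(node)
        self.current = saved

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_Call(self, node):
        if (isinstance(node.func, ast.Attribute)
                and node.func.attr in self.SINKS
                and node.args
                and is_dynamic_string(node.args[0])):
            self.findings.append((self.current, node.lineno))
        self.generic_visit(node)


def find_sqli_sinks(source):
    """Parse `source` and return a list of (function name, line number)."""
    finder = SqlSinkFinder()
    finder.visit(ast.parse(source))
    return finder.findings


if __name__ == "__main__":
    for func, line in find_sqli_sinks(SAMPLE_SOURCE):
        print(f"line {line}: {func}() builds its SQL dynamically")
```

The check catches only the pattern where the string is assembled in the call itself; `sql = "..." + name` followed by `cur.execute(sql)` slips past it, which is exactly the gap real static analyzers close with taint tracking across assignments and function boundaries. That limitation is the slide's point: each technique has strengths and weaknesses, and a dynamic scan or a penetration tester would see the same flaw from the outside.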
    • POLL
    • Page 20: Application Security Incident Response (IR)
      • PREPARE – Minimize Risk: inventory your apps; remove vulnerabilities in advance; simulate application security incidents; verify data collection for key apps; ID organizational / skill-set gaps.
      • ASSESS – Characterize Impact: gather forensics; any PII?; send notice to IR team; app you didn't know about? How crucial is it to the business?
      • MANAGE – Tune The Incident Response Plan: triage the app; pull it? patch it? monitor it?; assign tasks: who/what/when; time to fix?; monitor progress to completion.
      • REPORT – Document Results and Track Performance: document incident results; short- and long-term fix; track historical performance; lots of App Sec incidents?; update app inventory and re-scan; annual IR report / infographic.
    • Page 21: Application Security IR - Prepare
      • Inventory applications: Web apps, mobile apps, 3rd-party apps.
      • Rank by importance / severity / difficulty to fix. Quadrant or other metaphor to prioritize the critical ones that are easy?
      • Verify data collection on key apps.
      • Simulate an App Sec breach. Anything they are likely to learn from the simulation / fire drill other than that they may need skills they don't have?
      • It is cheapest to fix these issues in advance.
    • Page 22: Application Security IR - Report
      • Post-mortem: what went well? What didn't?
      • People, process, and technology remediation. Report to management in business-impact terms.
      • Technology remediation plan: quick fixes? Compensating controls?
      • Update application inventory: Web apps, mobile apps, 3rd-party apps.
      • Report by incident type and business unit: which incident types and business units are the main problems?
    • Co3 Systems, One Alewife Center, Suite 450, Cambridge, MA 02140. PHONE 617.206.3900. WWW.CO3SYS.COM
      • "Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors' Choice." – PC MAGAZINE, EDITOR'S CHOICE
      • "Co3…defines what software packages for privacy look like." – GARTNER
      • "Platform is comprehensive, user friendly, and very well designed." – PONEMON
    • Page 25: About Chris Wysopal, Co-Founder, CTO & CISO, Veracode
      • Chris is responsible for the security analysis capabilities of Veracode technology. Mr. Wysopal is recognized as an expert and a well-known speaker in the information security field and was recently named one of InfoWorld's Top 25 CTOs and one of the 100 most influential people in IT by the editorial staffs of eWeek, CIO Insight and Baseline Magazine. Chris has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. He also has spoken as the keynote at West Point, to the Defense Information Systems Agency (DISA) and before the International Financial Futures and Options Exchange in London. His opinions on Internet security are highly sought after, and most major print and media outlets have featured stories on Mr. Wysopal and his work.