Application Security – Enterprise Strategies
   K. K. Mookhey, CISA, CISSP, CISM
   Principal Consultant




                              www.niiconsulting.com
Agenda

 The Biggest Hack in History
 How the Cookie Crumbles?




 Answers!

Speaker Introduction

  Founder & Principal Consultant, Network
  Intelligence
  Speaker at Blackhat 2004, Interop 2005, IT
  Underground 2005, OWASP Asia 2008, 2009
  Co-author of book on Metasploit Framework
  (Syngress), Linux Security & Controls (ISACA)
  Author of numerous articles on SecurityFocus,
  IT Audit, IS Controls (ISACA)
  Conducted numerous pen-tests, application
  security assessments, forensics, etc.



THE BIGGEST HACK IN HISTORY
Gonzalez, TJX and Heart-break-land

  >200 million credit card numbers stolen
  Heartland Payment Systems, TJX, and 2 US
  national retailers hacked
  Modus operandi
    Visit retail stores to understand workings
    Analyze websites for vulnerabilities
    Hack in using SQL injection
    Inject malware
    Sniff for card numbers and details
    Hide tracks


The hacker underground

  Albert Gonzalez
     a/k/a “segvec,”
     a/k/a “soupnazi,”
     a/k/a “j4guar17”


  Malware, scripts and hacked data hosted on servers in:
     Latvia
     Netherlands
     Ukraine
     New Jersey
     California

  IRC chats
     March 2007: Gonzalez “planning my second phase against
     Hannaford”
     December 2007: Hacker P.T. “that’s how [HACKER 2]
     hacked Hannaford.”


Where does all this end up?

  IRC Channels
     #cc
     #ccards
     #ccinfo
     #ccpower
     #ccs
     #masterccs
     #thacc
     #thecc
     #virgincc

  Commands used on IRC
     !cardable
     !cc, !cclimit, !chk, !cvv2, !exploit, !order.log, !proxychk

TJX direct costs

  $200 million in fines/penalties
  $41 million to Visa
  $24 million to Mastercard

Cost of an incident

  $6.6 million average cost of a data breach
  From this, cost of lost business is $4.6
  million
  More than $200 per compromised record

On the other hand:
  Fixing a bug costs $400 to $4000
  Cost increases exponentially as time lapses



How the Cookie Crumbles




Betting blind!

  DB Name
  Table Names
  User IDs
  Table Structure
  Data




Net Result


   Enterprise Owned!




Other aspects




App2App Communication



• App2App interaction requires an authentication process
   – Calling application needs to send credentials to target
     application
• Common use cases
   – Applications and Scripts connecting to databases
   – 3rd Party Products accessing network resources
   – Job Scheduling
   – Application Server Connection Pools
   – Distributed Computing Centers
   – Application Encryption Key Management
   – ATM, Kiosks, etc.




Answers!




Technology Solutions

  Web Application Firewalls

  Privileged Identity Management Suites

  Application-Aware Firewalls

  Application-Aware SIEMs

  Database Access Management Solutions


Before we get to the technology…




Application Security – Holistic Solution

  [Cycle diagram: Design, Develop/Manage, Test, Train]

Secure Design

  Secure Designing Models

  Client Inputs

  Client Education

  Threat Modeling
    Vulnerability Classification – STRIDE
    Risk Classification – DREAD




Microsoft’s Threat Modeling Tool




Secure Coding Overview

  Secure coding isn’t taught in school

  Homeland Security's Build Security In
  Maturity Model (BSIMM)
  Microsoft's Security Development Lifecycle
  (SDL)
  OpenSAMM (Software Assurance Maturity
  Model)
  OWASP Secure Coding Guides


Secure Coding Principles

1. Minimize attack surface area
2. Establish secure defaults
3. Principle of least privilege
4. Principle of defense in depth
5. Fail securely
6. Don’t trust input – user or services
7. Separation of duties
8. Avoid security by obscurity
9. Keep security simple
10. Fix security issues correctly
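To make principles 5 and 6 ("Fail securely", "Don't trust input") concrete against the SQL injection path in the TJX case study, here is an added Python example; it is not from the slides or from Network Intelligence. It places a lookup that splices user input into SQL text next to the same lookup done with a parameterised query, and shows that one tautology-style input returns every row from the first and nothing from the second. The cardholder table, the masked card values and the function names are constructed for this illustration.

```python
"""Added example (not from the slides): 'don't trust input' and
'fail securely' applied to a database lookup, using an in-memory
sqlite3 database with constructed sample data."""
import sqlite3

# Constructed sample data: a tiny cardholder table standing in for the
# retailer database described in the talk. Card values are masked.
SAMPLE_ROWS = [
    ("alice", "4111********1111"),
    ("bob", "5500********0004"),
]


def make_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cardholders (username TEXT, card_masked TEXT)")
    conn.executemany("INSERT INTO cardholders VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """The 'before': the caller's value is spliced into the SQL text, so
    the input can change the meaning of the query (the root of SQL injection)."""
    sql = "SELECT username, card_masked FROM cardholders WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """The 'after': a parameterised query keeps data separate from code, and
    the function fails securely (empty result, no exception that leaks
    schema details to the caller) on anything unexpected."""
    if not isinstance(username, str) or len(username) > 64:
        return []  # fail securely: reject rather than guess at intent
    try:
        return conn.execute(
            "SELECT username, card_masked FROM cardholders WHERE username = ?",
            (username,),
        ).fetchall()
    except sqlite3.Error:
        return []


def demo():
    """Run the same input through both lookups and count the rows returned."""
    conn = make_db()
    # Textbook tautology input: the vulnerable query becomes
    #   ... WHERE username = 'x' OR '1'='1'   (always true)
    tautology = "x' OR '1'='1"
    return {
        "vulnerable": len(lookup_vulnerable(conn, tautology)),  # every row
        "hardened": len(lookup_hardened(conn, tautology)),      # no match
        "legit": len(lookup_hardened(conn, "alice")),           # one row
    }


if __name__ == "__main__":
    print(demo())  # {'vulnerable': 2, 'hardened': 0, 'legit': 1}
```

The parameterised form is what the OWASP guides listed on the previous slide recommend; the length and type check in front of it is the "secure default" that keeps a malformed caller from reaching the database at all.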

Vendor Management

 Big names != Good security

 Contractual weaknesses

 Lack of vendor oversight

 No penalties for blatantly buggy code!




Secure Hosting

  Web Security
     Secured web server
     Secured application server – all components
     Web application firewalls
  Database Security
     Security Patches
     Users and Roles
     Access Control
     Logging
     Password Security
     Database Table Encryption
     Data Masking
  OS Security
     Security Patches
     Users and Groups
     Access Control
     Security Policies
     Secured Login
     Logging

Secure Testing

  Security testing options
     Blackbox
     Greybox
     Whitebox
     Source Code Review
  OWASP Top Ten (www.owasp.org)
  OWASP Testing Guide
  Tools of the trade
     Open source – Wikto, Paros, Webscarab, Firefox plugins
     Commercial – Acunetix, Cenzic, Netsparker, Burpsuite

Training

  Back to basics

  Natural thought process

  Look at larger picture

  Make it fun

  Giving back to the community


Application Security Vision

  [Cycle diagram: Design, Develop/Manage, Test, Train]

Questions?
  Thank you!            kkmookhey@niiconsulting.com

Information Security Consulting Services
Institute of Information Security


A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 

Application security enterprise strategies

  • 1. Application Security – Enterprise Strategies. K. K. Mookhey, CISA, CISSP, CISM, Principal Consultant. www.niiconsulting.com
  • 2. Agenda: The Biggest Hack in History; How the Cookie Crumbles?; Answers!
  • 3. Speaker Introduction: Founder & Principal Consultant, Network Intelligence. Speaker at Blackhat 2004, Interop 2005, IT Underground 2005, OWASP Asia 2008, 2009. Co-author of book on Metasploit Framework (Syngress), Linux Security & Controls (ISACA). Author of numerous articles on SecurityFocus, IT Audit, IS Controls (ISACA). Conducted numerous pen-tests, application security assessments, forensics, etc.
  • 4. THE BIGGEST HACK IN HISTORY
  • 5. Gonzalez, TJX and Heart-break-land: >200 million credit card numbers stolen; Heartland Payment Systems, TJX, and 2 US national retailers hacked. Modus operandi: visit retail stores to understand workings; analyze websites for vulnerabilities; hack in using SQL injection; inject malware; sniff for card numbers and details; hide tracks.
  • 6. The hacker underground: Albert Gonzalez, a/k/a “segvec,” a/k/a “soupnazi,” a/k/a “j4guar17”. Malware, scripts and hacked data hosted on servers in: Latvia, Ukraine, Netherlands, New Jersey, California. IRC chats: March 2007: Gonzalez “planning my second phase against Hannaford”; December 2007: Hacker P.T. “that’s how [HACKER 2] hacked Hannaford.”
  • 7. Where does all this end up? IRC Channels: #cc, #ccards, #ccinfo, #ccpower, #ccs, #masterccs, #thacc, #thecc, #virgincc. Commands used on IRC: !cardable, !cc, !cclimit, !chk, !cvv2, !exploit, !order.log, !proxychk
  • 8. TJX direct costs: $200 million in fines/penalties; $41 million to Visa; $24 million to Mastercard
  • 9. Cost of an incident: $6.6 million average cost of a data breach. From this, cost of lost business is $4.6 million. More than $200 per compromised record. On the other hand: fixing a bug costs $400 to $4000; cost increases exponentially as time lapses
  • 10. How the Cookie Crumbles
  • 21. Betting blind! DB Name, Table Names, User IDs, Table Structure, Data
  • 22. Net Result: Enterprise Owned!
  • 23. Other aspects
  • 24. App2App Communication. App2App interaction requires an authentication process – calling application needs to send credentials to target application. Common use cases: applications and scripts connecting to databases; 3rd party products accessing network resources; job scheduling; application server connection pools; distributed computing centers; application encryption key management; ATM, kiosks, etc.
  • 25. Answers!
  • 26. Technology Solutions: Web Application Firewalls; Privileged Identity Management Suites; Application-Aware Firewalls; Application-Aware SIEMs; Database Access Management Solutions
  • 27. Before we get to the technology…
  • 28. Application Security – Holistic Solution: Design, Develop/Train, Manage, Test
  • 29. Secure Design: Secure Designing Models; Client Inputs; Client Education; Threat Modeling; Vulnerability Classification – STRIDE; Risk Classification – DREAD
  • 30. Microsoft’s Threat Modeling Tool
  • 31. Secure Coding Overview: Secure coding isn’t taught in school. Homeland Security's Build Security In Maturity Model (BSIMM); Microsoft's Security Development Lifecycle (SDL); OpenSAMM (Software Assurance Maturity Model); OWASP Secure Coding Guides
  • 32. Secure Coding Principles: 1. Minimize attack surface area; 2. Establish secure defaults; 3. Principle of least privilege; 4. Principle of defense in depth; 5. Fail securely; 6. Don’t trust input – user or services; 7. Separation of duties; 8. Avoid security by obscurity; 9. Keep security simple; 10. Fix security issues correctly
  • 33. Vendor Management: Big names != Good security; Contractual weaknesses; Lack of vendor oversight; No penalties for blatantly buggy code!
  • 34. Secure Hosting. Web Security: Secured web server; Secured application server – all components; Web application firewalls; Secured Login; Logging; Password Security. OS Security: Security Patches; Users and Groups; Access Control; Security Policies. Database Security: Security Patches; Users and Roles; Access Control; Logging; Database Table Encryption; Data Masking
  • 35. Secure Testing. Security testing options: Blackbox; Greybox; Whitebox; Source Code Review. OWASP Top Ten (www.owasp.org); OWASP Testing Guide. Tools of the trade: Open source – Wikto, Paros, Webscarab, Firefox plugins; Commercial – Acunetix, Cenzic, Netsparker, Burpsuite
  • 36. Training: Back to basics; Natural thought process; Look at larger picture; Make it fun; Giving back to the community
  • 37. Application Security Vision: Design, Develop/Train, Manage, Test
  • 38. Questions? Thank you! kkmookhey@niiconsulting.com. Institute of Information Security; Information Security Consulting Services
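Slide 5 names SQL injection as the entry point of the breach and slide 32's principle 6 (“Don’t trust input”) is the countermeasure. The following is an added example, not code from the deck or from Network Intelligence, showing the injectable string-concatenation pattern beside its parameterised replacement; the customer table, its made-up masked card values and the function names are all constructed for this illustration.

```python
import sqlite3

# Constructed sample data: a tiny customer table standing in for a retailer's
# card-holder records (values are made up and partly masked for this example).
SAMPLE_ROWS = [
    ("alice", "4111-XXXX-XXXX-1111"),
    ("bob", "5500-XXXX-XXXX-0004"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """The injectable pattern: user input is concatenated into the SQL text,
    so the input can change the structure of the query, not just its value."""
    sql = "SELECT username, card FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """The fix: a parameterised query. The driver binds the input as a value,
    so it can only ever be compared against username, never alter the statement."""
    sql = "SELECT username, card FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal username and with a crafted input and
    return the row counts so the difference is visible and checkable."""
    conn = make_db()
    # Crafted input: closes the string literal and appends an always-true clause.
    crafted = "nobody' OR '1'='1"
    return {
        "unsafe_normal": len(lookup_unsafe(conn, "alice")),    # 1 row, as intended
        "unsafe_crafted": len(lookup_unsafe(conn, crafted)),   # every row leaks
        "safe_normal": len(lookup_safe(conn, "alice")),        # 1 row, as intended
        "safe_crafted": len(lookup_safe(conn, crafted)),       # 0 rows: treated as a literal
    }


if __name__ == "__main__":
    print(demo())
```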