Application security enterprise strategies

Application Security –Enterprise Strategies K. K. Mookhey, CISA, CISSP, CISM Principal Consultant www.niiconsulting.com

Agenda The Biggest Hack in History How the Cookie Crumbles? Answers! www.niiconsulting.com

Speaker Introduction Founder & Principal Consultant, Network Intelligence Speaker at Blackhat 2004, Interop 2005, IT Underground 2005, OWASP Asia 2008,2009 Co-author of book on Metasploit Framework (Syngress), Linux Security & Controls (ISACA) Author of numerous articles on SecurityFocus, IT Audit, IS Controls (ISACA) Conducted numerous pen-tests, application security assessments, forensics, etc. www.niiconsulting.com

THE BIGGEST HACK INHISTORY www.niiconsulting.com

Gonzalez, TJX and Heart-break-land >200 million credit card number stolen Heartland Payment Systems, TJX, and 2 US national retailers hacked Modus operandi Visit retail stores to understand workings Analyze websites for vulnerabilities Hack in using SQL injection Inject malware Sniff for card numbers and details Hide tracks www.niiconsulting.com

The hacker underground Albert Gonzalez a/k/a “segvec,” a/k/a “soupnazi,” a/k/a “j4guar17” Malware, scripts and hacked data hosted on servers in: Latvia Ukraine New Jersey Netherlands California IRC chats March 2007: Gonzalez “planning my second phase against Hannaford” December 2007: Hacker P.T. “that’s how [HACKER 2] hacked Hannaford.” www.niiconsulting.com

Where does all this end up? IRC Channels #cc #ccards #ccinfo #ccpower #ccs #masterccs #thacc #thecc #virginccCommands used on IRC !cardable !cc, !cclimit, !chk, !cvv2, !exploit, !order.log, !proxychk www.niiconsulting.com

TJX direct costs $200 million in fines/penalties $41 million to Visa$24 million to Mastercard www.niiconsulting.com

Cost of an incident $6.6 million average cost of a data breach From this, cost of lost business is $4.6 million More than $200 per compromised recordOn the other hand: Fixing a bug costs $400 to $4000 Cost increases exponentially as time lapses www.niiconsulting.com

How the Cookie Crumbles www.niiconsulting.com

www.niiconsulting.com

Betting blind! DB Name Table Names User IDs Table Structure Data www.niiconsulting.com

Net Result Enterprise Owned! www.niiconsulting.com

Other aspects www.niiconsulting.com

App2App Communication• App2App interaction requires an authentication process – Calling application needs to send credentials to target application• Common use cases – Applications and Scripts connecting to databases – 3rd Party Products accessing network resources – Job Scheduling – Application Server Connection Pools – Distributed Computing Centers – Application Encryption Key Management – ATM, Kiosks, etc. www.niiconsulting.com

Answers! www.niiconsulting.com

Technology Solutions Web Application Firewalls Privileged Identity Management Suites Application-Aware Firewalls Application-Aware SIEMS Database Access Management Solutions www.niiconsulting.com

Before we get to the technology… www.niiconsulting.com

Application Security – Holistic Solution Design Develop/ Train Manage Test www.niiconsulting.com

Secure Design Secure Designing Models Client Inputs Client Education Threat Modeling Vulnerability Classification – STRIDE Risk Classification – DREAD www.niiconsulting.com

Microsoft’s Threat Modeling Tool www.niiconsulting.com

Secure Coding Overview Secure coding isn’t taught in school Homeland Securitys Build Security In Maturity Model (BSIMM) Microsofts Security Development Lifecycle (SDL) OpenSAMM (Software Assurance Maturity Model) OWASP Secure Coding Guides www.niiconsulting.com

Secure Coding Principles1. Minimize attack surface area2. Establish secure defaults3. Principle of least privilege4. Principle of defense in depth5. Fail securely6. Don’t trust input – user or services7. Separation of duties8. Avoid security by obscurity9. Keep security simple10.Fix security issues correctly www.niiconsulting.com

Vendor Management Big names != Good security Contractual weaknesses Lack of vendor oversight No penalties for blatantly buggy code! www.niiconsulting.com

Secure Hosting Web Security OS Security Secured web server Security Patches Secured application server – Users and Groups all components Access Control Web application firewalls Security Policies Database Security Secured Login Security Patches Logging Users and Roles Access Control Logging Password Security Database Table Encryption Data Masking www.niiconsulting.com

Secure Testing Security testing options Blackbox Greybox Whitebox Source Code Review OWASP Top Ten (www.owasp.org) OWASP Testing GuideTools of the trade Open source – Wikto, Paros, Webscarab, Firefox plugins Commercial – Acunetix, Cenzic, Netsparker, Burpsuite www.niiconsulting.com

Training Back to basics Natural thought process Look at larger picture Make it fun Giving back to the community www.niiconsulting.com

Application Security Vision Design Develop/ Train Manage Test www.niiconsulting.com

Questions? Thank you! kkmookhey@niiconsulting.comInformation Security Institute of InformationConsulting Services Security www.niiconsulting.com

Application security enterprise strategies

by Network Intelligence on Nov 01, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

Statistics

Application security enterprise strategies — Presentation Transcript