FACTORS INFLUENCING SECURITY
1. End user satisfaction
2. Financial impact in the event of a breach
3. Business reputation
4. Compliance and regulatory requirements
5. Insider threats
6 to 8 seconds for dynamic sites.
Application Security Drivers
1. Adoption of the Internet for business and e-commerce activities
2. Advent of new technologies (AJAX, SOA, etc.)
3. Skill set of development and operations teams
4. Outsourcing: software is no longer built in-house
5. Diversity in application types
6. Usage of ready-made application frameworks
STEVE ORRIN: All of this should lead you to demand better application security. But, if you still need more facts, let's review some more data points: Web application attacks are now more frequent. In Q1 2002, Sanctum found serious security defects in applications in 100% of the commercial sites we audited. The attacks are more expensive to recover from. Costs to patch are high, and the cost of a lost reputation is impossible to quantify. The attacks are more pervasive. An F50 Sanctum customer found serious security defects in over 700 of its deployed applications. Finally, the attacks are growing more dangerous, and they usually go undetected. When we look closer at what was actually able to be manipulated on the sites we audited, it is quite scary. In 31% of the sites, full control and access was achieved. In 25% of the sites, privacy was breached, and in 3% of the sites, the entire site was able to be deleted. These are serious problems. Next slide
Security should be a process implemented throughout the software development life cycle:
1. A risk profile to determine the risk of an application to the organization
2. Defining specific security requirements to use throughout the project
3. A security design review
4. A security code review
5. A proper security test plan
6. A penetration test
Performance & Security Testing – Critical today in the Indian Testing Industry
Corporate Performance
Corporate performance is about effort spent vs. value generated.
Performance services are about optimizing effort and maximizing value.
Performance concerns are about technology, business and users.
Performance is propelled by stability, scalability and speed.
Performance management is central to corporate performance.
Bottom-line is
Should Performance be an Issue?
Dipping sales
Diminishing subscriptions
Dipping advertisement revenues
Direct costs of fixing errors
Compensatory claims
Outsourcing costs
Performance failures reduce revenues; performance failures increase expenses, squeezing ROI.
Anything that adversely impacts ROI is an issue – Performance is an issue.
Performance Failure Risks (each rated by resolution time, cost implications and influence on the end user: Extremely high / Very high / High)
Performance issues
Infrastructure/bandwidth bottlenecks
Crashes & breaches
High response time
Under/over-utilization of resources
Downtimes
Post-production problem resolution
Security Failure Risks (each rated by resolution time, cost implications and influence on the end user: Extremely high / Very high / High)
Security issues
Information loss or theft
Breaches
Unauthorized access
Compliance
Downtimes
Post-production problem resolution
The Independent Software Vendor (ISV) deployed an application to support end-user technology for a telecommunications service provider
Problem: Server crash, service request refusals, connection drops and slow response of application during peak hours
Reasons: Low weightage placed on the system performance while going live, improper server configuration, underutilized server resources
Business implications – loss of sales, subscriptions and revenues
Outsourcing service costs for performance testing
Post debacle measures:
Performance testing was outsourced
Root-cause analysis to address connection drop issues
Resolution of the server level performance of the application
Monitoring for CPU, Memory, Network, and Database performance
User’s View on Response Times
Response time | User’s view
< 1 second | User feels that the system is reacting instantaneously
< 2 seconds | User experiences a slight delay but is still focused on the website
< 5 to 6 seconds (static web sites) | Maximum time a user focuses on a web site; reaches the distract zone
< 6 to 8 seconds (dynamic web sites) | Maximum time a user focuses on a web site; reaches the distract zone
> 10 seconds | User is most likely to be distracted from the website and loses interest
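A performance test only becomes actionable when measured timings are compared against bands like those in the table. The following Python is an added example, not code from the original presentation: it classifies a constructed set of page-load timings into the user-perception bands above, computes nearest-rank percentiles, and reports whether the chosen percentile stays under the lower bound of the distract zone (5 s for static sites, 6 s for dynamic sites, both taken from the table). The sample timings, the band names and the choice of p95 as the budget percentile are assumptions made for the example.

```python
from collections import Counter

# Thresholds in seconds from the response-time table. The lower bound of each
# "distract zone" range is used as the budget (5 s static, 6 s dynamic); beyond
# 10 s the table says the user loses interest.
DISTRACT_ZONE_START = {"static": 5.0, "dynamic": 6.0}
LOST_INTEREST = 10.0

# Constructed sample: 20 page-load timings (seconds) from a hypothetical load run.
SAMPLE_TIMINGS = [0.4, 0.8, 1.1, 1.3, 1.6, 1.9, 2.2, 2.5, 2.9, 3.1,
                  3.4, 3.8, 4.2, 4.6, 5.1, 5.9, 6.4, 7.2, 8.9, 11.5]


def perception_band(seconds, site_type):
    """Map one response time to the user's view described in the table."""
    if seconds < 1.0:
        return "instantaneous"
    if seconds < 2.0:
        return "slight delay"
    if seconds < DISTRACT_ZONE_START[site_type]:
        return "still focused"
    if seconds <= LOST_INTEREST:
        return "distract zone"
    return "lost interest"


def percentile(values, p):
    """Nearest-rank percentile (integer p): value at rank ceil(p/100 * n) of the sorted list."""
    ordered = sorted(values)
    rank = (p * len(ordered) + 99) // 100  # integer ceiling, avoids float rounding
    return ordered[max(rank, 1) - 1]


def summarise(timings, site_type, budget_percentile=95):
    """Band distribution, percentiles and a pass/fail verdict against the distract-zone budget."""
    if site_type not in DISTRACT_ZONE_START:
        raise ValueError(f"site_type must be one of {sorted(DISTRACT_ZONE_START)}")
    if not timings:
        raise ValueError("no timings supplied")
    bands = Counter(perception_band(t, site_type) for t in timings)
    percentiles = {f"p{q}": percentile(timings, q) for q in (50, 90, budget_percentile)}
    budget = DISTRACT_ZONE_START[site_type]
    return {
        "site_type": site_type,
        "bands": dict(bands),
        "percentiles": percentiles,
        "budget_seconds": budget,
        "within_budget": percentiles[f"p{budget_percentile}"] < budget,
    }


if __name__ == "__main__":
    for kind in ("static", "dynamic"):
        report = summarise(SAMPLE_TIMINGS, kind)
        verdict = "PASS" if report["within_budget"] else "FAIL"
        print(f"{kind:8s} {verdict}  p95={report['percentiles']['p95']}s  bands={report['bands']}")
```

Using a high percentile rather than the mean is the usual practice: the sample above has a median of 3.1 s, which looks acceptable, yet its p95 of 8.9 s sits inside the distract zone for both site types, which is what a user at the tail of the distribution actually experiences.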
Web applications vulnerabilities should be identified, assessed and addressed as part of the overall Enterprise Risk Assessment Program
Expenditure on Recovery and Fixes – In addition to making an enterprise non-compliant, security issues cost a bomb, which includes data recovery, fixes and legal issues.
Regulatory and Legal Issues - Enterprises face enormous challenges trying to comply with a wide variety of regulatory issues. Security breaches will potentially put an enterprise in a never-ending legal battle.
Significantly reduce risks of information leakage and loss.
Enhanced ROI in the long run.
Avoid Network Downtime costs.
Supports and complements security policy
Aids in taking proactive protection measures
Avoid erosion of corporate goodwill and customer loyalty.
New download facilities - ring tones, games, music etc.
Increase in the number of travelers & travels per traveler
Annual growth in the number of travelers is expected to increase five-fold, from 300,000 to 1.5 million
Expected to rise by 30%
Physical cost elimination is giving buyers & sellers best deals
Competition is forcing down the value of online products while the number of online transactions is continuously rising
Users have access to large databases
Rise in sales of exclusive videos, research data, reports
Indian E-Commerce Market (Source: Internet and Mobile Association of India (IAMAI))
Indian B2C e-commerce industry, 2007-2008 (estimate): INR 9210 cr.
Indian B2C e-commerce industry is expected to grow at 30%.
Industry Trends & Facts
Key survey findings (Source: CSI Survey 2007; The 12th Annual Computer Crime and Security Survey):
The average annual loss reported in 2007 shot up to $350,424 from $168,000 the previous year (2006).
18% of the respondents suffered a “targeted attack”, defined as a malware attack aimed exclusively at their organization.
Financial fraud overtook virus attacks as the source of the greatest financial losses.
Virus attacks moved to second place: first time in the last seven years
Security Attacks – Industry Data: Financial fraud has overtaken virus attacks, for the first time.
Security Breaches – Industry Data
Financial services, though certainly keepers of great monetary assets, are also typically well protected in comparison to other industries; they account for 14 percent of breaches. The type of asset compromised most frequently is without doubt online data. Compromises to online data repositories were seen in more cases than all other asset classes combined, by a ratio of nearly five to one.
Performance is Integral for Quality
Quality attributes: Correctness, Reliability, Efficiency, Integrity, Maintainability, Testability, Interoperability
Locates and fixes errors in an operational program.
Product meets specifications and fulfills the user’s objectives.
Product has access to required software or data.
Product performs its intended function with the required precision.
Product performs with optimum use of resources.
Product performs its intended function for the intended number of users.
Product couples well with other system(s).
Performance management ensures a quality product.
When to start Security Testing: Security should be a process implemented throughout the software development life cycle.
To ascertain the impact of a security breach on their application, Pantaloon engaged AppLabs to carry out Web Application Penetration Testing on the servers exposed to the Internet.
Comprehensive application security checks were conducted to establish the application’s susceptibility to hack attacks.
This phase complied with Open Web Application Security Project standards and vulnerabilities identified through research by AppLabs’ Security Center of Excellence.
These tests were run using a combination of automated and manual test tools.
The engagement concluded with the delivery of a comprehensive assessment report with severity ratings for the vulnerabilities, alongside detailed descriptions and recommendations on how to address them.
The intense level of security testing performed aided the client in maintaining the integrity and confidentiality of its sensitive information;
The test results supported the client in understanding business and technical risks to help fortify the security policy;
In working with an independent testing organization, the client’s customers would be more confident that the web site is secure and online transactions are safe – providing it with a differentiator in the market;
Implementation of the prioritized action plan which detailed the timelines to fix the different severity level vulnerabilities has enhanced the overall security posture of the application.