If internal presentations are confidential, please add: “IBM Confidential” to the slide masters Select: View / Master / Slide Master and add “IBM Confidential” to both the title master and slide master Use sentence case capitalization for presentation titles, slide titles, category labels and bullets: Format / Change Case / Sentence Case. Initial capitalization is limited to our products and offerings. Applying this template to your existing presentation Task Pane needs to be viewable: Select View / Task Pane Select Slide Design - Design Templates from the Task Pane pull-down menu Select “Browse” at the bottom, and find “Rational_Standard_Template.pot” on your hardrive and click Apply Please note that not all slides will reformat appropriately once template is applied. Some reformatting will be necessary Printing your presentation on a black and white printer Prior to printing your presentation, view the slides in grayscale mode: Select View / Color/Grayscale / Grayscale Select problem graphics or text and right-click and select Grayscale Setting Select the grayscale setting that displays the problem graphic/text the best Note: Changing the greyscale setting does not affect the color view Return to Normal View by selecting View / Color/Grayscale / Color
Speaker’s notes: We take data from a lot of various disciplines including the Web filtering database that provides analysis for more than 14 billion Web sites and images, we also see what kind of intrusion attempts the managed services team sees across its customer base currently tracking billions of events per day, we have more than 40 million documented spam attacks, and 54,000 documented unique vulnerabilities from both internal research and external disclosures. This report is unique in the fact that the sources listed above provide varying perspectives on the threat landscape to together provide a cohesive look at the industry based on factual data from the various research functions within the broader X-force team and databases.
According to the X-Force database tracking, 2010 had the largest number of vulnerability disclosures in history— 8,562 . This is a 27 percent increase over 2009 We think this increase demonstrates the effort software developers are working hard to discover, patching vulnerabilities and make better products. Top ten vendors who make software 8 of those 10 had increase in 2010 and average increase was 66% -- so lots of work happening on patching products and it is keeping everyone very busy.
These are only Web application vulnerabilities that are publically used and reported against. Most customers also deploy “custom Web apps” that are not public so we feel this data is just scratching the surface of what is publically available but does not speak to the volumes of 3 rd party or in-house applications that are custom built. Although the number of vulnerabilities affecting Web applications has grown at a staggering rate, the growth demonstrated in the first half of 2009 and continuing through the second half may indicate the start of a plateau, at least in standard (off-the-shelf) software applications for the Web. These figures do not include custom-developed Web applications or customized versions of these standard packages, which also introduce vulnerabilities.
The gap between when vulnerabilities are announced and the weeks that follow (sometimes) of when a patch is released is relevant to IBM customer conversations surrounding IPS. Intrusion prevention systems are designed to protect customers until they are able to get these patches applied.
Because there were more public vulnerabilities reported in 2010, the public exploits to those vulnerabilities were also increasing and reported publically. Total number is up and has continually increased in past 2 years. In the report we have some interesting data that shows that public exploit disclosure occurs sometimes 10’s to 100 days after the initial vulnerability disclosure. We think this is an important point for our customers. Attackers begin using that exploit to break into networks and when it is no longer valuable, then they dump it publically. We see there is a huge time window before patches are developed that attackers utilize to do bad. IPS is designed to protect between vuln disclosure and when a patch is made available.
Speaker’s notes: One of the things that we did 2 years ago was to take a slightly differently look at how the vulnerabilities are classified and how they are rated by criticality. We’ve noticed that the traditional way to categorize vulnerabilities is not the same criteria by which a hacker or crime organization might classify the vulnerability. What may appear to rate “high” on a traditional scale may never be exploited because it has too small a target audience or doesn’t provide the appropriate financial payout. The grid on the right hand side of the screen shows the Exploit Effort vs. Potential Reward Quadrant, on the Y axis is the total opportunity size whereas the X axis shows the cost to exploit the vulnerability. Ideally, the criminal community will look for an exploit that falls in the upper right hand “sweet spot” of a vulnerability that is cheap to exploit with lots of targets or opportunity that can result in a high payout.
Slide: Just remember, when we talk about securing an application it is important to understand applications don't live in isolation, it lives in broader environment. For example we put in firewalls, implement SSL, and add many more pieces to the puzzle in an attempt to create a secure system. Speaking Points -Firewalls and network protections protect the network, but ports 80 and 443 are wide open, we use SSL to encrypt the traffic, and so on, but if the application can’t protect itself, the rest of the environment could potentially be compromised. Similarly if the application is secure, but you’re not encrypting the traffic, an illegitimate user can gain access simply by sniffing out the username/password credentials. -Network protections can never fully understand the context of the application communication – what is allowed and what is not
The red ones are the new ones.
While cross-site scripting vulnerabilities continue to be one of the predominant types of vulnerabilities affecting Web applications, activity targeting these vulnerabilities seems to have leveled off in 2010. Ultimately want to control the end-user endpoint and load malware on it.
This is an example of a tool kit attackers can use for SQL injection. This toolkit allows an attacker to use Google to search websites that are vulnerable to SQL Injection. This took kit will give the the attacker page rankings and prioritized results based on the probability of success. This allows attackers to go after rich websites that are going to give them a big return which can be used for data theft or they can simply overwrite information in the database to redirect victims to a malicious site. Attackers have taken this simplistic model and made it scalable so that any novice attacker can use it without deep technical knowledge or skill.
Attackers use SQL Injection attacks to inject HTML redirects into legitimate websites. If you are out surfing the web and you visit a legitimate website that has been SQL injected you may get redirected to a malicious web server controlled by the attacker. These malicious web servers send down exploits that target vulnerabilities in your web browser and then dump malware on your system. At that point you end up as a zombie on a botnet that is used to send out spam or phishing emails to other victims. This shows how interconnected the threat landscape is and why it is important to use a defense in depth strategy to manage your IT security.
Highly automated tools that have these exploits built into them. This is an example of the public exploit and the automated tools that are available to target them.
Slide: In this module we discussed how software is tested. All technologies have their advantages and drawbacks. Whitebox and blackbox are both extremely valuable technologies, but remember, it’s not about technologies, it’s about how do we introduce security testing earlier! The goal is to introduce it earlier to reduce costs. So we may implement security in several or even all of these stages! Speaking Points The goal is to drive security responsibility back into the development organization The chief failure of creating secure software is leaving it till the last minute The sweet spot for security testing ROI seems to be automating testing into the Build process
Author Note: Optional Rational QUESTIONS slide. Available in English only.
Author Note: Mandatory Rational closing slide (includes appropriate legal disclaimer). Graphic is available in English only.
Transcript of "Web Application Testing for Today’s Biggest and Emerging Threats"
Web Application Testing for Today’s Biggest and Emerging Threats Alan Kan Technical Manager IBM Rational Software
Agenda Let the Numbers Speak Testing for Vulnerabilities 1 3 Top and Emerging Attacks 2
The mission of the IBM X-Force ® research and development team is to: <ul><li>Research and evaluate threat and protection issues </li></ul><ul><li>Deliver security protection for today’s security problems </li></ul><ul><li>Develop new technology for tomorrow’s security challenges </li></ul><ul><li>Educate the media and user communities </li></ul><ul><li>X-Force Research </li></ul><ul><li>14B analyzed Web pages & images </li></ul><ul><li>40M spam & phishing attacks </li></ul><ul><li>54K documented vulnerabilities </li></ul><ul><li>Billions of intrusion attempts daily </li></ul><ul><li>Millions of unique malware samples </li></ul><ul><li>Provides Specific Analysis of: </li></ul><ul><ul><li>Vulnerabilities & exploits </li></ul></ul><ul><ul><li>Malicious/Unwanted websites </li></ul></ul><ul><ul><li>Spam and phishing </li></ul></ul><ul><ul><li>Malware </li></ul></ul><ul><ul><li>Other emerging trends </li></ul></ul>X-Force R&D - Unmatched Security Leadership
Vendors Reporting the Largest Number of Vulnerability Disclosures in History <ul><ul><li>Vulnerability disclosures up 27%. </li></ul></ul><ul><ul><ul><li>Web applications continue to be the largest category of disclosure. </li></ul></ul></ul><ul><ul><li>Significant increase across the board signifies efforts that are going on throughout the software industry to improve software quality and identify and patch vulnerabilities. </li></ul></ul>
Web App Vulnerabilities Continue to Dominate <ul><ul><li>Nearly half ( 49% ) of all vulnerabilities are Web application vulnerabilities. </li></ul></ul><ul><ul><li>Cross-Site Scripting & SQL injection vulnerabilities continue to dominate. </li></ul></ul>
Patches Still Unavailable for Many Vulnerabilities <ul><ul><li>44% of all vulnerabilities disclosed in 2010 had no vendor-supplied patches to remedy the vulnerability. </li></ul></ul><ul><ul><ul><li>Most patches become available for most vulnerabilities at the same time that they are publicly disclosed. </li></ul></ul></ul><ul><ul><ul><li>However some vulnerabilities are publicly disclosed for many weeks before patches are released. </li></ul></ul></ul>Patch Release Timing – First 8 Weeks of 2010
Public Exploit Exposures Up in 2010 <ul><ul><li>Public exploit disclosures up 21% in 2010 versus 2009 </li></ul></ul><ul><ul><ul><li>Approximately 14.9% of the vulnerabilities disclosed in 2010 had public exploits, which is down slightly from the 15.7% last year </li></ul></ul></ul><ul><ul><ul><li>However more vulnerabilities were disclosed this year, so the total number of exploits increased. </li></ul></ul></ul><ul><ul><ul><li>The vast majority of public exploits are released the same day or in conjunction with public disclosure of the vulnerability. </li></ul></ul></ul>
Exploit Effort vs. Potential Reward <ul><ul><li>Economics continue to play heavily into the exploitation probability of a vulnerability </li></ul></ul><ul><ul><li>All but one of the 25 vulnerabilities in the top right are vulnerabilities in the browser, the browser environment, or in email clients. </li></ul></ul><ul><ul><li>The only vulnerability in this category that is not a browser or email client side issue is the LNK file vulnerability that the Stuxnet worm used to exploit computers via malicious USB keys. </li></ul></ul>
Understanding the Web Application Hacking 102: Integrating Web Application Security Testing into Development Web Applications Antivirus Protection Encryption (SSL) Firewalls / IDS / IPS Firewall Web Servers Databases Backend Server Application Servers Desktop Transport Network
Why are Web Applications so Vulnerable? <ul><li>Network scanners won’t find application vulnerabilities </li></ul><ul><li>Developers are mandated to deliver functionality on-time and on-budget - but not to develop secure applications </li></ul><ul><li>Developers are not generally educated in secure code practices </li></ul><ul><li>Product innovation is driving development of increasingly complicated software for a Smarter Planet </li></ul>Volumes of applications continue to be deployed that are riddled with security flaws… … and are non compliant with industry regulations
Agenda Let the Numbers Speak Testing for Vulnerabilities 1 3 Top and Emerging Attacks 2
OWASP Top Ten (2010 Edition) Source: http://www.owasp.org/index.php/Top_10
SQL Injection Attacks <ul><li>During each of the past three years, there has been a globally scaled SQL injection attack some time during the months of May through August. </li></ul><ul><li>The anatomy of these attacks is generally the same: they target .ASP pages that are vulnerable to SQL injection. </li></ul>2010 2009 2008
SQL Injection Attack Tools * Automatic page-rank verification * Search engine integration for finding “vulnerable” sites * Prioritization of results based on probability for successful injection * Reverse domain name resolution * etc.
The drive-by-download process Desktop Users Browse The Internet Malicious iframe host Web server with embedded iframe Web browser targeted Downloader installed Malware installed and activated Exploit material Served
Cross Site Scripting – The Exploit Process Hacking 102: Integrating Web Application Security Testing into Development Evil.org User bank.com 1) Link to bank.com sent to user via E-mail or HTTP 2) User sends script embedded as data 3) Script/data returned, executed by browser 4) Script sends user’s cookie and session information without the user’s consent or knowledge 5) Evil.org uses stolen session information to impersonate user
Application Logic is Migrating From Server to Client <ul><li>We counted server-side vs. client-side LoC in popular web applications in 2005 and in 2010 </li></ul>
DOM-Based Cross-site Scripting <ul><li>Attack Example </li></ul>http://www.vuln.site/welcome.html # ?name= <script>alert('hacked')</script> <ul><li>The attack took place entirely on the client-side (# fragment identifier) </li></ul><ul><li>Hacker controlled DOM elements may include: document.URL, document.location, document.referrer, window.location, etc. </li></ul>1: <HTML> 2: <TITLE>Welcome!</TITLE> 3: Hi 4: <SCRIPT> 5: var pos = document.URL.indexOf("name=") + 5; 6: document.write ( document.URL . substring (pos,document.URL.length)); 7: </SCRIPT> <BR/> 8: Welcome to our system 9: </HTML> Source : document.URL Sink : document.write() Results : document.write("<script>alert('hacked')</script>")
Agenda Let the Numbers Speak Testing for Vulnerabilities 1 3 Top and Emerging Attacks 2
What to Test <ul><li>Black Box </li></ul><ul><li>Verify all user input is encoded – test with special characters in input fields (“, ‘, <, >, -) </li></ul><ul><li>Verify all URL variables are encoded in scripts – test with special characters on URL </li></ul><ul><li>Verify that SSL protects credentials and session id at all times – watch for HTTPS on all pages </li></ul><ul><li>Verify the user and the requested mode of access is allowed to the target object </li></ul><ul><li>Identify sensitive data and verify encryption exists at all times including in transit and storage </li></ul><ul><li>Verify the server configuration disallows requests to unauthorized file types </li></ul><ul><li>Verify that you can’t browse to the directory page of the website </li></ul><ul><li>Verify that you can’t browse to log files of the website </li></ul><ul><li>WhiteBox </li></ul><ul><li>Verify outputs from all user supplied input are encoded </li></ul><ul><li>Verify that the code uses stored procedures instead of dynamically constructed SQL statements </li></ul><ul><li>Verify that authentication and authorisation is centralised and standardised </li></ul><ul><li>Verify that logoff actually destroys the session </li></ul><ul><li>Verify security patches are applied </li></ul>
Car Safety – Protect Valuable Assets Security System Seatbelts Safety Cage Crash Test
Building Security & Compliance into the SDLC Developers Architects Developers Enable Security to effectively drive remediation into development Provides Developers and Testers with expertise and tools to detect and remediate vulnerabilities Ensure vulnerabilities are addressed before applications are put into production Provides Architects and Developers with knowledge to design and develop more secure applications Security penetration testing and application monitoring for on going protection Build Coding Testing Security Production Architecture