Building Secure Web        Applications In a Cloud        Services Environment                 Misha Logvinov             ...
Who are we?Misha Logvinov VP of Online Operations at IronKey Director of Operations at YodleeAlex Bello Director of Tec...
Reality check The Internet is full of web application hacking tools  and tutorials Botnets are used to scan for recent w...
Who gets attacked   Brick and Mortar Retail   Healthcare   Government   Small businesses   Web 2.0                   ...
Who attacks   Kids playing war   Researchers looking for fame   Organized crime   Competition   Governments          ...
How? The most widespread vulnerabilities in web apps  (Source: projects.webappsec.org): Attacks on the rise: SQL Injecti...
WhyInsufficient Security in:    SDLC    Web Operations                            OWASP   7
Consequences   Customers defect   Brand damaged and stock price plummets   Large fines   Legal consequences   Company...
Recent breachesDecember 2009SQL injection vulnerability, noencryption of critical data, insufficientsecurity monitoring, p...
Recent breachesApril 2010Insufficient security testing andmonitoringConsequencesPR nightmare                              ...
Recent breachesJune 2010Personally Identifiable Information wasdisplayed without properauthentication, insufficient output...
How to get started? Understand business, security and privacy  requirements Assess important security controls Create s...
Doing things right in the long run Implement a formal security program Integrate security into Software Development Life...
Implement a formal security program   Security framework   Policies and procedures   Training   Secure by design   Co...
Integrate security into SDLC2. Design   Security requirements   Threat modeling   Secure architecture design           ...
Threat matrix example                        OWASP   16
Integrate security into SDLC3. Development   Use modern frameworks   Develop secure coding standards   Secure implement...
Integrate security into SDLC3. Quality Assurance  • Security testing of changes    (automated/manual)  • Regression testin...
Integrate security into SDLC4-5. Operations   Infrastructure hardening   Vulnerability alerting   Web application firew...
Hardening CIS and NSA hardening guidelines  http://cisecurity.org/en-us/?route=downloads.multiform  http://www.nsa.gov/ia...
Standards & checklists OWASP Application Security Verification  Standard Project  http://www.owasp.org/index.php/Category...
Web app assessment initiativesWeb app scannersEvaluation & Deployment: 6-8 weeksSample Budget: $20-50KStatic source code a...
Rules of thumb Invest in security training and certification of  core personnel Encrypt all sensitive data and pay atten...
Conclusions Integrating security into SDLC from the beginning is  worth it! Shortcuts will cost more time and $$ later R...
Q&A      OWASP   25
Upcoming SlideShare
Loading in …5
×

OWASP - Building Secure Web Applications

1,766 views
1,679 views

Published on

This presentation goes over core principles involved in launching secure web applications and effectively managing security in a cloud services environment.

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,766
On SlideShare
0
From Embeds
0
Number of Embeds
14
Actions
Shares
0
Downloads
0
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

OWASP - Building Secure Web Applications

  1. 1. Building Secure Web Applications In a Cloud Services Environment Misha Logvinov Alex Bello IronKey, Inc.OWASP Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
  2. 2. Who are we?Misha Logvinov VP of Online Operations at IronKey Director of Operations at YodleeAlex Bello Director of Technical Operations at IronKey Product Threat Team Lead at IronKey Technical Operations at Anti-Phishing Working Group (APWG) OWASP 2
  3. 3. Reality check The Internet is full of web application hacking tools and tutorials Botnets are used to scan for recent web app exploits 75% of attacks happen at the app layer Majority of web app vulnerabilities remain undetected App security is an after-thought for most of the Internet-enabled businesses Security holes in web apps result in large business losses Bad guys are getting smarter and are not sitting still OWASP 3
  4. 4. Who gets attacked Brick and Mortar Retail Healthcare Government Small businesses Web 2.0 OWASP 4
  5. 5. Who attacks Kids playing war Researchers looking for fame Organized crime Competition Governments OWASP 5
  6. 6. How? The most widespread vulnerabilities in web apps (Source: projects.webappsec.org): Attacks on the rise: SQL Injection, File Inclusion, Web Server Intrusion (Source: zone-h.org) OWASP Top 10 Most Critical Security Risks OWASP 6
  7. 7. WhyInsufficient Security in:  SDLC  Web Operations OWASP 7
  8. 8. Consequences Customers defect Brand damaged and stock price plummets Large fines Legal consequences Company out of business You may get fired OWASP 8
  9. 9. Recent breachesDecember 2009SQL injection vulnerability, noencryption of critical data, insufficientsecurity monitoring, poor handling ofdisclosureConsequencesPR nightmareClass-action lawsuit OWASP 9
  10. 10. Recent breachesApril 2010Insufficient security testing andmonitoringConsequencesPR nightmare OWASP 10
  11. 11. Recent breachesJune 2010Personally Identifiable Information wasdisplayed without properauthentication, insufficient outputmonitoring, “great” exploit timingConsequencesPR nightmareSecurity researcher gets arrested ondrug charges OWASP 11
  12. 12. How to get started? Understand business, security and privacy requirements Assess important security controls Create security awareness and facilitate training Get release management under control Scan applications prior to new releases Benchmark against industry best-practices Create and communicate meaningful metrics Conduct independent security assessments OWASP 12
  13. 13. Doing things right in the long run Implement a formal security program Integrate security into Software Development Life Cycle (SDLC) Make security a competitive advantage for your business OWASP 13
  14. 14. Implement a formal security program Security framework Policies and procedures Training Secure by design Coding policy Risk assessments Security testing and evaluation Reporting Incident response Change management OWASP 14
  15. 15. Integrate security into SDLC2. Design  Security requirements  Threat modeling  Secure architecture design OWASP 15
  16. 16. Threat matrix example OWASP 16
  17. 17. Integrate security into SDLC3. Development  Use modern frameworks  Develop secure coding standards  Secure implementation and best practices  Security checklists  Code review (internal/third party)  Static code analysis OWASP 17
  18. 18. Integrate security into SDLC3. Quality Assurance • Security testing of changes (automated/manual) • Regression testing • Bug tracking integration OWASP 18
  19. 19. Integrate security into SDLC4-5. Operations  Infrastructure hardening  Vulnerability alerting  Web application firewalls  Security events alerting & analysis  Automated infrastructure testing  Penetration testing (internal/third party)  Tracking security metrics  Change & release management OWASP 19
  20. 20. Hardening CIS and NSA hardening guidelines http://cisecurity.org/en-us/?route=downloads.multiform http://www.nsa.gov/ia/guidance/security_configuration_guides/current_guides.shtml OWASP Backend Security Project http://www.owasp.org/index.php/Category:OWASP_Backend_Security_Project Automated open-source and commercial tools OWASP 20
  21. 21. Standards & checklists OWASP Application Security Verification Standard Project http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project The OWASP Code Review Top 9 http://www.owasp.org/index.php/The_Owasp_Code_Review_Top_9 OWASP 21
  22. 22. Web app assessment initiativesWeb app scannersEvaluation & Deployment: 6-8 weeksSample Budget: $20-50KStatic source code analysisEvaluation & Deployment: 8-12 weeksSample Budget: $50-100KWeb app firewallsEvaluation & Deployment: 6-8 weeksSample Budget: $25-100K+ OWASP 22
  23. 23. Rules of thumb Invest in security training and certification of core personnel Encrypt all sensitive data and pay attention to key management Never trust input, validate all input/output Harden your systems Tightly control who has access to your environment Stay on top of vulnerabilities and keep your networks, servers and applications up-to-date OWASP 23
  24. 24. Conclusions Integrating security into SDLC from the beginning is worth it! Shortcuts will cost more time and $$ later Rome wasn’t built in a day – take a phased approach Mold a security framework around your business, not the other way around Don’t underestimate the power of marketing security within your organization OWASP 24
  25. 25. Q&A OWASP 25

×