Application Security

Protect your image & brand

© 2012 Sebyde BV
Who we are

  SEBYDE (se-bie-de)
  – Secure by Design
  Derk Yntema
  – 20+ years' experience in ICT and IT security
  – IT management architect
  – Portfolio manager security
  Rob Koch
  – 20+ years' experience in account management at software companies
    and in the telecom industry
  IBM business partner
  IBM authorised reseller

          Gartner: 75% of all attacks on web sites and web applications target the
          application level and not the infrastructure.
The Dutch developer

 “The Dutch developer works more iteratively
 (agile) than linearly (waterfall).”

                       (source: automatiseringsgids 10th May 2012)
Internet has changed the world

Is ICT Security important?

  The world has changed
  – We work differently; “Het nieuwe werken” (the new way of working), BYOD
  – More data in more applications

  Internet
  – Remote access to business networks
  – Wireless networks / mobile applications
  – Popular apps, email, WhatsApp, LinkedIn, Facebook, etc.

  Hackers change their tactics
  – Infrastructure -> applications
  – The risk of digital theft keeps growing …

Internet / Web-based applications

  The Internet has become a very important business platform
  – B2C
  – B2B
  Businesses use the Internet for marketing, communication, customer
  services, customer care, etc.
  2011:
  – 2.3 billion Internet users;
  – 85% buy online;
  – $200 billion turnover worldwide;
  Applications are “Web-based” or “Web-facing”

Webshops

  [Chart: number of webshops in NL (“Aantal webwinkels in NL”), scale 0 – 40,000]

  [Chart: turnover of online shopping (“Online winkelen”, in billion euro), scale 0 – 12]

The Dutch developer

 “The Dutch developer uses little to no
 supporting resources in the preliminary
 phase: when gathering requirements, or
 when making a design. A formal use case
 method (UML) is very seldom used. Tools
 like Requisite Pro, ClearCase, Rational
 Rose, Visual Paradigm are hardly ever used.”

                       (source: automatiseringsgids 10th May 2012)

Cybercrime

  Cybercrime has surpassed illegal drug trafficking as a criminal
  moneymaker
  Every 3 seconds an identity is stolen
  Without security, your unprotected PC can become infected within
  four minutes of connecting to the internet
  It is often facilitated by crime-ware programs such as keystroke
  loggers, viruses, rootkits or Trojan horses.
  Software flaws or vulnerabilities often provide the foothold for the
  attacker. For example, criminals controlling a website may take
  advantage of a vulnerability in a Web browser to place a Trojan
  horse on the victim's computer.

The reality …

   Cybercrime is no temporary phenomenon
   Two “Leagues”: Junior and Major
   If you think safety is expensive … try an accident
   Criminals look differently at the value of assets
   Effective security needs a short- and long-term approach
   100% security is an illusion … prevention is key!
   The “Tone at the top” is important

 Source: Summary of KPMG Advisory NV report “Een genuanceerde visie op cybercrime.
 Nieuwe perspectieven vragen om actie” (A nuanced view of cybercrime. New
 perspectives call for action)

TNO: Damage Cybercrime: yearly € 10 billion

  Cybercrime damage NL              10 – 30 billion / year
  9% aimed at web applications      0.9 – 2.7 billion
  60% SQL injection / XSS           0.5 – 1.6 billion

Vulnerabilities in websites

  [Pie chart: probability that a website contains each class of vulnerability;
   labelled segments range from 10% to 64%]
  – Information leakage
  – Cross Site Scripting
  – Content Spoofing
  – Cross Site Request Forgery
  – Brute Force
  – Insufficient authorisation
  – Predictable Resource Location
  – SQL Injection
  – Session fixation
  – Abuse of functionality

The Dutch developer

 “Release management is generally
 accepted. Coding standards are commonly
 used.”

                       (source: automatiseringsgids 10th May 2012)

Target organisations

  Financials
  – Internet banking
  – Financial transactions
  Industries
  – SCADA networks
  Companies
  – IP
  – Mergers & takeovers
  – Customer data
  Governments
  – Espionage
  – Identity fraud
  Hosting providers
  – Image
  – Outages
  Application developers
  – Liability
  – High development costs
  Healthcare
  – Privacy (WBP; EU privacy act)

          IBM’s X-Force Report 2011: 41% of all security incidents are caused by
          Web applications.
Damage

 Reputation / Brand
 – Defacement
 – Costs: ????
 – Indirect (ISP)
 Liability claims
 Information damage
 Theft
 – Financial
 – Business information
 – Privacy info
 – Identity
 System outage
 – Availability

          81% of the Web applications do not comply with the PCI-DSS standard
          (Payment Card Industry Data Security Standard).
But still …

  Security is not my responsibility.
  Security? “That is done by the ICT department.”
  I do not work with computers, so I can’t be hurt!
  I don’t work with sensitive information.
  Our company is not a target.
  I am not a target!
  What can they steal here?
  We have several firewalls.
  We are safe, we have security guidelines.
  It is not our responsibility, we have outsourced our IT.
  We use the cloud, so our cloud provider has arranged security.

          On average, every 1,000 lines of code has at least 5 to 15 defects
          (United States Department of Defense)
I am not a target?

  Febelfin
  – Belgian federation of the financial sector.

  http://www.youtube.com/watch?v=F7pYHN9iC9I

“What can they get here?”

“We will not be hacked!”

“We have firewalls”

“We have procedures!”

Security in real life

  We have to
  – Government
  – Listed on a stock exchange (NYSE)
  – Law and directives
  – Privacy
  – Industry standards
  Testing is done for
  – Functionality
  – Performance
  Incidents
  – Reactive
  Fear
  – Panic

            Google: over 2 million searches every month on “how to hack”.
The Dutch developer

 “Too little time is spent on testing. Still,
 testing, traditionally done at the end of
 development, is being compromised.”

                        (source: automatiseringsgids 10th May 2012)

Focus shift hackers

  [Diagram: from Infrastructure to Applications]

        75% of all hacks are performed on Web applications / Websites
From Chinese walls to integrated security

More facts …

  60-80% of the Web applications / Websites have at least one
  security weak point.

  75% of all hacks are performed on Web applications / Websites

  IDC Research: 25% of all companies are “exploited” via a weak
  spot in Web Application security.

  Unsuspecting users are infected by websites that carry malware.

  Google: >2 million searches on “how to hack” every month, or to
  download hacking tools, etc.

Why are applications unsafe?

  Time to market
  – Business pressure
  – Project budget
  Software is complex
  – Windows 7 contains 50 million lines of code
  Networking
  – Internet technology
  Globalizing
  – Software comes from everywhere
  Extensibility
  – JAVA VM, .NET, … etc.
  No education
  Chinese walls
  – False sense of security
  Security awareness
  – Continuous process
  – Attitude / behavior
  Software ages
  Application security is not sexy

OWASP top ten

1)   SQL-Injection
2)   Cross Site Scripting (XSS)
     (1 and 2 together: 60% of all attacks !!!)
3)   Broken Authentication and Session Management
4)   Insecure Direct Object References
5)   Cross Site Request Forgery (CSRF)
6)   Security Misconfiguration
7)   Failure to Restrict URL Access
8)   Unvalidated Redirects and Forwards
9)   Insecure Cryptographic Storage
10)  Insufficient Transport Layer Protection

1. Injection

  Ability to inject command strings
  – Database (SQL)
  – Operating System
  – LDAP
  – Directories

Vulnerability

 The best way to determine whether an application is vulnerable to
 injection is by checking whether input data is kept separate from the
 command or query.
 Poor error handling makes an injection vulnerability easy to detect.

Example

The application uses non-validated data in the composition of the
SQL call:

String query = "SELECT * FROM accounts WHERE custID = '" +
request.getParameter("id") + "'";

The attacker changes the 'id' parameter in their browser and sends:
' or '1'='1. This change makes the query return all records from the
accounts table, instead of just one customer's.

http://example.com/app/accountView?id=' or '1'='1

In the worst case, the attacker can use stored procedures so
that the entire database is copied or even the operating system is
controlled.
Mitigation

 For SQL calls, this means the use of static queries or stored
 procedures. Avoid dynamic SQL!

 Pass data to commands as parameters. Please note that improper use
 of parameters.

 Validate input against a white list: allow only what you know.

 Apply strict access control to what an application may do on the
 systems it uses; least privilege.

 Tip:
 https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

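The following is an added example, not code from the slides: it puts the concatenated query from the Example slide next to the three mitigations above (a static query with a bind parameter, a white list on the input, and a least-privilege database account). The class name AccountDao, the accounts table and the assumed customer-id format of 1 to 10 digits are assumptions made for this example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example (not the slides' code): vulnerable lookup beside its fixed form.
public class AccountDao {

    // White list: only what we know is allowed. The custID format is an
    // assumption for this example (1 to 10 digits).
    private static final Pattern CUST_ID = Pattern.compile("[0-9]{1,10}");

    private final Connection conn;

    // conn is assumed to be opened with a database account that can only
    // SELECT from the tables this application needs (least privilege).
    public AccountDao(Connection conn) {
        this.conn = conn;
    }

    // VULNERABLE (the slide's code): the request parameter is pasted into the
    // SQL text, so quote characters in the value change the structure of the
    // query and, with the slide's payload, every row in accounts is returned.
    public List<String> findAccountsUnsafe(String id) throws SQLException {
        String query = "SELECT * FROM accounts WHERE custID = '" + id + "'";
        try (Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(query)) {
            return collectIds(rs);
        }
    }

    // FIXED: white-list validation, then a static query with a bind parameter.
    // The driver sends the value separately from the SQL text, so whatever the
    // value contains it is compared as data and never parsed as SQL.
    public List<String> findAccounts(String id) throws SQLException {
        if (!isValidCustId(id)) {
            // Deny by default: reject anything outside the white list.
            throw new IllegalArgumentException("invalid customer id");
        }
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT * FROM accounts WHERE custID = ?")) {
            ps.setString(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                return collectIds(rs);
            }
        }
    }

    // True only for an exact match of the white-listed format; null is rejected.
    static boolean isValidCustId(String id) {
        return id != null && CUST_ID.matcher(id).matches();
    }

    // Collects the custID column of every row returned.
    private static List<String> collectIds(ResultSet rs) throws SQLException {
        List<String> ids = new ArrayList<>();
        while (rs.next()) {
            ids.add(rs.getString("custID"));
        }
        return ids;
    }
}
```

With this white list, isValidCustId("' or '1'='1") returns false, so the slide's payload is rejected before any query runs; even without the white list, the bind parameter alone would compare the payload as a literal string.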
The pressure mounts

  Government
  – EU
  – NCSC
  Law & regulations
  – Privacy law (CBP)
  – Industry regulations (PCI-DSS, Basel III, NEN7510)

What can we do?

  Prevent
  – Awareness
  – Design & build securely
  Reduce
  – Monitor
  – Manage
  Transfer
  – Insurance
  Accept

The Dutch developer

 “Documenting is reluctantly done. This is
 considered the most annoying aspect of the
 work.”

                       (source: automatiseringsgids 10th May 2012)

Complete security

  [Diagram: Security / Secure by Design at the centre of a triangle
   whose corners are People, Process and Technology]

People
  Zero incident culture
  Security awareness
  – Training
  – Education
  – Awareness
  – Motivation
  – Attitude

  From “unconscious unsafe” to “unconscious safe”
  Security awareness must rest in the cortex

          IDC research: 25% of all companies are “exploited” via a weak spot
          in their Web Application security.
Awareness: Information has value

  Customer data
  Annual figures, the profit forecast
  (Re)modelling plans
  Employee data
  Tenders and contracts
  Bookkeeping
  Phone & email lists
  “Smoelenboek” (staff photo directory)

          Adding security during coding costs 6.5 times more than architecting it
          during the software design process.
What to achieve?

  Not only doing the right things, but doing things right
  Attitude
  Behavior

  [Diagram: stages from unconscious unsafe, via conscious unsafe and
   conscious safe, to unconscious safe; driven by training, education,
   instruction and repetition]

The Dutch developer

 “The appeal to the creativity and solving
 logical problems is considered to be the best
 aspect of his work, more fun than delivering
 a useful product.”

                       (source: automatiseringsgids 10th May 2012)

Processes
  Policy
  – Laws and regulations
  – Guidelines, standards, rules
  Organisation
  – Helpdesk
  – CERT team
  Processes
  – Identity/access management
  – Incident management
  – Patch management
  – SDLC

  [Diagram: cycle of Check, Analyse, Resolve, Evaluate]

           IDC research: 25% of all companies are exploited through a weak spot in
           their Web Application security.
Prevent: Test

  Manual
  Automated
  Black box
  White box

  Network
  – Pentesting
  Systems
  Applications
  – Dynamic
  – Source code

Test early!

 Early testing saves a lot of money. 80% of development costs are
 spent on finding and solving problems.

 Solving a vulnerability in the production phase costs 100 times more
 than addressing it in the design phase.

 Relative cost of fixing a vulnerability per phase:
 – Design (Secure by Design)              1x
 – Development (static testing)           6.5x
 – Test phase (acceptance testing)        15x
 – Deployment phase (dynamic testing)     100x

 Consequences: loss of customer trust, lawsuits, brand damage.

Test often

  New releases
  – Application
  – Infrastructure

  Periodic
  – ½ year, a year

  Framework upgrades

  Integral part of the Software Development Life Cycle (UTAP)

Technology
  Network
  – Zoning (i.e. DMZ)
  – Firewalls, IPS, WAF
  Systems
  – Hardening
  – Access control
  – Updates / Patching
  – Malware scanners
  Applications
  – Testing
  – Audits
  – Secure by Design

Why secure coding

  Governance
  – Manageability
  Risk
  – Reputation
  Compliance
  – PCI-DSS
  – Privacy law
  – EU directive
  Efficiency
  – Early security saves money

About the Dutch developer

 “Repetitive tasks, like testing, are the most
 annoying aspect of the work.”

                       (source: automatiseringsgids 10th May 2012)

Best practices

  Prevention is key; test early & often
  Validate all input and output
  Deny by default, Fail Secure (closed)
  Fail Safe
  Make it simple (KISS)
  Defense in depth
  Only as secure as your weakest link
  Wrong: “Security by obscurity”

  https://www.owasp.org/index.php/How_to_write_insecure_code

Important sources

  OWASP  www.owasp.org
  SANS   www.sans.org
  NCSC   www.ncsc.nl
  CVE    http://cve.mitre.org/
  www.waarschuwingsdienst.nl

Contact us

  E-mail     info@sebyde.nl
  Web        www.sebyde.nl
  Twitter    http://www.twitter.com/SebydeBV
  LinkedIn   http://www.linkedin.com/company/sebyde-bv
  Facebook   http://facebook.com/SebydeBV
  Prezi      http://t.co/eKr7VzE8

Thank You

      Rob Koch (rob.koch@sebyde.nl)
      Derk Yntema (derk.yntema@sebyde.nl)


Presentation for the PHP Benelux group

  • 1.
    Application Security Protect your image & brand © 2012 Sebyde BV
  • 2.
    Who we are SEBYDE (se-bie-de) – Secure by Design Derk Yntema – 20+ year experience in ICT and IT Security – IT management architect – Portfolio manager security Rob Koch – 20+ years experience in account management at software companies and telecom industry IBM business partner IBM authorised reseller Gartner: 75% of all attacks on web sites and web applications target the © 2012 Sebyde BV application level and not the infrastructure.
  • 3.
    The Dutch developer “ The Dutch developer works more iterative (agile) than linear (waterfall).” (source: automatiseringsgids 10th may 2012) © 2012 Sebyde BV
  • 4.
    Internet has changedthe world © 2012 Sebyde BV
  • 5.
  • 6.
    Is ICT Securityimportant? The world has changed – We work differently; “Het nieuwe werken”, BYOD – More data in more applications Internet – Remote access to business networks – Wireless Networks / Mobile applications – Populair apps, email, Whatsapp, LinkedIn, Facebook, etc. Hackers change their tactics – Infrastructure -> applications – Risk of digital theft become bigger and bigger … © 2012 Sebyde BV
  • 7.
    Internet / Web-basedapplications Internet has become a very important business platform – B2C – B2B Business use Internet for marketing, communication, customer services, customer care etc 2011: – 2,3 billion Internet users; – 85% buy online; – $ 200 billion turnover worldwide; Applications are “Web-based” or “Web-facing” © 2012 Sebyde BV
  • 8.
    Webshops # of webshops in NL 40,000 35,000 30,000 25,000 20,000 Aantal 15,000 webwinkels in 10,000 NL 5,000 0 Turnover online shopping 12 10 8 6 Online winkelen (in 4 miljard euro) 2 0 © 2012 Sebyde BV
  • 9.
    The Dutch developer “ the Dutch developer uses little to non supporting resources in the preliminary phase: when gathering requirements, or when making a design. A formal use case method (UML) is very seldom used. Tools like Requisite Pro, ClearCase, Rational Rose, Visual Pardigm are hardly ever used.” (source: automatiseringsgids 10th May 2012) © 2012 Sebyde BV
  • 10.
    Cybercrime Cybercrimehas surpassed illegal drug trafficking as a criminal moneymaker Every 3 seconds an identity is stolen Without security, your unprotected PC can become infected within four minutes of connecting to the internet It is often facilitated by crime-ware programs such as keystroke loggers, viruses, rootkits or Trojan horses. Software flaws or vulnerabilities often provide the foothold for the attacker. For example, criminals controlling a website may take advantage of a vulnerability in a Web browser to place a Trojan horse on the victim's computer. © 2012 Sebyde BV
  • 11.
    The reality … Cybercrime is no temporary phenomenon Two “Leagues”: Junior en Major If you think safety is expensive … try an accident Criminals look differently at the value of assets Effective security needs a short and long term approach 100% security is an illusion … prevention is key ! The “Tone at the top” is important Source : Summary of KPMG Advisory NV report “Een genuanceerde visie op cybercrime. Nieuwe perspectieven vragen om actie” © 2012 Sebyde BV
  • 12.
    TNO: Damage Cybercrime:yearly € 10 billion Cybercrime damage NL 10-30 billion / year 9 % aimed at web applications 0,9 – 2,7 billion 60% SQL injection / XSS 0,5 – 1,6 billion © 2012 Sebyde BV
  • 13.
    Vulnerabilities in websites Probability 10% 14% 14% 64% 14% Information leakage Cross Site Scripting Content Spoofing 15% Cross Site Request Forgery Brute Force Insufficient authorisation 17% Predictable Resource Location SQL Injection Session fixation Abuse of functionality 24% 64% 43% © 2012 Sebyde BV
  • 14.
    The Dutch developer “ Release management is generally accepted. Coding standards are commonly used.” (source: automatiseringsgids 10th May 2012) © 2012 Sebyde BV
  • 15.
    Target organisations Financials Hosting providers – Internet banking – Image – Financial transactions – Outages Industries Application developers – SCADA networks – Liability Companies – High development costs – IP Healthcare – Merger & takeovers – Privacy (WBP; EU privacy act) – Customer data Governments – Espionage – Identity fraud IBM’s X-Force Report 2011: 41% of all security incidents are caused by Web applications. © 2012 Sebyde BV
  • 16.
    Damage Reputation /Brand – Defacement – Costs: ???? – Indirect (ISP) Liability claims Information damage Theft – Financial – Business information – Privacy info – Identity System outage – Availability 81% of the Web applications do not comply to the PCI-DSS standard © 2012 Sebyde BV (Payment Card Industry Digital Security Standard).
  • 17.
    But still …. Security is not my responsibility. Security? “That is done by the ICT department” I do not work with computers so I can’t be hurt! I don’t work with sensitive information. Our company is not a target. I am not a target! What can they steal here? We have several firewalls. We are safe, we have security guidelines. It is not our responsibility, we have out-sourced our IT. We use the cloud so our cloud provider has arranged security On average, every 1,000 lines of code has at least 5 to 15 defects © 2012 Sebyde BV (United States Department of Defense)
  • 18.
    I am notarget? Febelfin – Belgium federation of the financial sector. http://www.youtube.com/watch?v=F7pYHN9iC9I © 2012 Sebyde BV
  • 19.
    “What can theyget here?” © 2012 Sebyde BV
  • 20.
    “We will notbe hacked!” © 2012 Sebyde BV
  • 21.
    “We have firewalls” © 2012 Sebyde BV
  • 22.
    “We have procedures!” © 2012 Sebyde BV
  • 23.
    Security in reallife We have to Testing is done for – Government – Functionality – Noted on exchange (NYSE) – Performance – Law and directives – Privacy – Industry standards Incidents – Reactive Fear – Panic Google : Over 2 million searches every month on “how to hack”. © 2012 Sebyde BV
  • 24.
    The Dutch developer “ Too little time is spend on testing. Still testing, traditionally done at the end of development, is being compromised.” (source: automatiseringsgids 10th May 2012) © 2012 Sebyde BV
  • 25.
    Focus shift hackers To Applications From Infrastructure 75% of all hacks are performed on Web applications / Websites © 2012 Sebyde BV
  • 26.
    From Chinese wallsto integrated security © 2012 Sebyde BV
  • 27.
    More facts … 60-80% of the Web applications / Websites have a minimum of one security weak point. 75% of all hacks are performed on Web applications / Websites IDC Research: 25% of all companies are “exploited” via a weak spot in Web Application security. Ignorant users are contaminated by websites with malware on it. Google : >2 Million searches on “how to hack” every month, or to download hacking tools etcetera. © 2012 Sebyde BV
  • 28.
    Why are applicationsunsafe? Time to market – Business pressure – Project budget Software is complex No education – Windows 7 contains 50 million lines of code Chinese walls Networking – False sense of security – Internet technology Security awareness Globalizing – Continue process – Attitude / behavior – Software comes from everywhere Extensibility Software ages – JAVA VM, .NET, …etc. Application security is not sexy © 2012 Sebyde BV
  • 29.
    OWASP top ten 1) SQL-Injection 60% of all attacks !!! 2) Cross Site Scripting (XSS) 3) Broken Authentication and 7) Failure to Restrict URL Access Session Management 8) Unvalidated Redirects and 4) Insecure Direct Object Forwards References 9) Insecure Cryptographic 5) Cross Site Request Forgery Storage (CSRF) 6) Security Misconfiguration 10) Insufficient Transport Layer Protection © 2012 Sebyde BV
  • 30.
    1. Injection Ability to inject commandstrings – Database (SQL) – Operating System – LDAP – Directories © 2012 Sebyde BV
  • 31.
    Vulnerability The bestway to determine whether an application is vulnerable to injection is by checking whether input data is kept separate from a command or query. Poor error handling makes injection vulnerability easy to detect. © 2012 Sebyde BV
  • 32.
    Example The application usesnon-validated data in the composition of the SQL call: String query = "SELECT * FROM accounts WHEREcustID = '" + request.getParameter ("id") + "'"; The attacker changes the 'id' parameter in their browser and sends: 'or '1' = '1. This change will query all records returned from the accounts database, instead of just one customer. http://example.com/app/accountView?id = 'or '1' = '1 In the worst case, the attacker can control a stored procedure so that the entire database is copied or even the operating system is controlled. © 2012 Sebyde BV
  • 33.
    Mitigation For SQLcalls, this means the use of static queries or stored procedures. Avoid dynamic SQL! Use parameters to commands to send. Please note that improper use of parameters. Validate input through a white list. So only that which you know do you allow. Apply strict access control to what an application may systems; least privilege. Tip: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_ Sheet © 2012 Sebyde BV
  • 34.
    The pressure mounts Government – EU – NCSC Law & regulations – Privacy law (CBP) – Industry regulations (PCI-DSS, Basel III, NEN7510) © 2012 Sebyde BV
  • 35.
    What can wedo Prevent – Awareness – Design & build secure Reduce – Monitor – Manage Transfer – Insurance Accept © 2012 Sebyde BV
  • 36.
    The Dutch developer “Documenting is reluctantly done. This is considered the most annoying aspect of the work.” (source: automatiseringsgids 10th May 2012) © 2012 Sebyde BV
  • 37.
    Complete security People Security Secure by Design Process Technology © 2012 Sebyde BV
  • 38.
    Mens Zeroincident culture Security awareness – Training – Education – Awareness – Motivation – Attitude From “unconscious unsafe” to“unconscious safe” Security awareness must rest in the cortex IDC research: 25% van alle bedrijven worden “exploited” via een © 2012 Sebyde BV zwakke plek in de Web Application security.
  • 39.
    Awareness: Information hasvalue Customer data annual figures, the profit forecast (Re)modelling plans Bookkeeping Employee data Phone & email lists Tenders and contracts “Smoelenboek” Adding security during coding costs 6.5 times more than architecting it © 2012 Sebyde BV during software design process.
  • 40.
    What to achieve? Not only doing the right things, but do things right Attitude Unconscious Behavior safe Conscious safe Conscious unsafe Training Unconscious Education unsafe Instruction Repetition © 2012 Sebyde BV
  • 41.
  • 42.
    The Dutch developer “The appeal to the creativity and solving logical problems is considered to be the best aspect of his work, more fun than delivering a useful product.” (source: automatiseringsgids 10th May 2012) © 2012 Sebyde BV
  • 43.
    Processes Policy – Laws and regulations – Guidelines, standards, rules Check Organisation – Helpdesk – CERT-team Resolve Evaluate Processes – Identity/access management – Incident management – Patch management Analyse – SDLC IDC research: 25% of all companies are exploited through a weakspot in © 2012 Sebyde BV their Web Application security.
  • 44.
    Prevent: Test Manual Automated Black box White box Network – Pentesting Systems Applications – Dynamic – Source code © 2012 Sebyde BV
  • 45.
    Test early! Loss of customer trust Lawsuits Brand damage Early on testing saves a lot of money. 80% of development costs are spent on finding and 100x solving problems. Deployment phase Dynamic testen Solving a vulnerability in the production phase costs 100 times more than addressing it 15x in the design phase. Test phase Acceptance testen 6,5 x Development Static testen 1x Design Secure by Design © 2012 Sebyde BV
  • 46.
    Test often New releases – Application – Infrastructure Periodic – ½ year, a year Framework upgrades Integral part of the Software Development Life Cycle (UTAP) © 2012 Sebyde BV
  • 47.
    Technology Network – Zoning (ie. DMZ) – Firewalls, IPS, WAF Systemen – Hardening – Accesscontrol – Updates / Patching – Malware scanners Applicaties – Testing – Audits – Secure by Design © 2012 Sebyde BV
  • 48.
    Why secure coding Governance – Manageability Risk – Reputation Compliance – PCI-DSS – Privacy law – EU directive Efficiency – Early on security saves money © 2012 Sebyde BV
  • 49.
    About the Dutchdeveloper “Repetitive tasks, like testing, is the most annoying aspect of the work.” (source: automatiseringsgids 10th May 2012) © 2012 Sebyde BV
  • 50.
    Best practices Prevention is key; test early & often Validate all input and output Deny by default, Fail Secure (closed) Fail Safe Make it simple (KISS) Defense in depth Only as secure as your weakest link Wrong: “Security by obscurity” https://www.owasp.org/index.php/How_to_write_insecure_code © 2012 Sebyde BV
  • 51.
    Important sources OWASP www.owasp.org Sans www.sans.org NCSC www.ncsc.nl CVE http://cve.mitre.org/ www.waarschuwingsdienst.nl © 2012 Sebyde BV
  • 52.
    Contact us E-mail info@sebyde.nl Web www.sebyde.nl Twitter http://www.twitter.com/SebydeBV LinkedIn http://www.linkedin.com/company/sebyde-bv Facebook http://facebook.com/SebydeBV Prezi http://t.co/eKr7VzE8 © 2012 Sebyde BV
  • 53.
    Thank You Rob Koch (rob.koch@sebyde.nl) Derk Yntema (derk.yntema@sebyde.nl) © 2012 Sebyde BV