Web Application Security: Connecting the Dots

Presented on May 3, 2012 for InnoTech Oregon. All rights reserved.

  1. Web Application Security: Connecting the Dots. Jeremiah Grossman, Founder & Chief Technology Officer. InnoTech 2012 (Portland, Oregon), 05.20.2012. © 2012 WhiteHat Security, Inc.
  2. Jeremiah Grossman • Founder & CTO of WhiteHat Security • 6-continent public speaker • TED alumni • An InfoWorld Top 25 CTO • Co-founder of the Web Application Security Consortium • Co-author: Cross-Site Scripting Attacks • Former Yahoo! information security officer • Brazilian Jiu-Jitsu black belt
  3. WhiteHat Security: Company Overview • Headquartered in Santa Clara, CA • WhiteHat Sentinel: SaaS end-to-end website risk management platform • Employees: 170+ • Customers: 500+ • Recognition: Cool Vendor; The FutureNow List
  4. We shop, bank, pay bills, file taxes, share photos, keep in touch with friends & family, watch movies, play games, and more. Threats: cyber-war, cyber-crime, hacktivism. PwC Survey: “Cybercrime is now the second biggest cause of economic crime experienced by the Financial Services sector.”
  5. 8 out of 10 websites have serious* vulnerabilities. Average annual number of new serious* vulnerabilities introduced per website, by year: 2007: 1111; 2008: 795; 2009: 480; 2010: 230; 2011: 79. *Serious vulnerability: a security weakness that, if exploited, may lead to breach or data loss of a system, its data, or users (PCI-DSS severity HIGH, CRITICAL, or URGENT). Vulnerabilities are counted by unique web application and vulnerability class. If three of the five parameters of a single web application (/foo/webapp.cgi) are vulnerable to SQL Injection, this is counted as 3 individual vulnerabilities (e.g. attack vectors).
  6. Website Hacked
  7. Verizon Data Breach Investigations Report. 2010 DBIR: “The majority of breaches and almost all of the data stolen in 2009 (95%) were perpetrated by remote organized criminal groups hacking "servers and applications."” 2011 DBIR: “The number of Web application breaches increased last year and made up nearly 40% of the overall attacks.” “Web applications abound in many larger companies, and remain a popular (54% of breaches) and successful (39% of records) attack vector.”
  8. 855 incidents, 174 million compromised records
  9. (image only)
  10. Attacker Profiles. Random Opportunistic: fully automated scripts; unauthenticated scans; targets chosen indiscriminately. Directed Opportunistic: commercial and open source tools; authenticated scans; multi-step processes (forms). Fully Targeted: customize their own tools; focused on business logic; clever and profit driven ($$$).
  11. WhiteHat Sentinel: Assessment Platform • SaaS (annual subscription): unlimited assessments / users • Unique methodology: proprietary scanning technology; expert website security analysis (TRC); satisfies PCI 6.6 requirements • Vulnerability verification and prioritization, virtually eliminating false positives • XML API links other security solutions • Easy to get started: need URL and credentials; no management of hardware or software; no additional training
  12. WhiteHat Sentinel: 500+ enterprises from start-ups to Fortune 500; 1,000,000 vulnerabilities processed per day; 6 terabytes of data stored per day; 7,000+ websites receiving ~weekly assessments; 940,000,000 HTTP(S) requests per month
  13. (image only)
  14. WhiteHat Security Top Ten (2011): percentage likelihood of a website having at least one vulnerability, sorted by class
  15. Top Seven by Industry (2011): percentage likelihood of a website having at least one vulnerability, sorted by class
  16. Top Seven by Industry (2011): percentage likelihood of a website having at least one vulnerability, sorted by class
  17. Window of Exposure (2011): number of days [in a year] a website is exposed to at least one serious* reported vulnerability.
  18. (image only)
  19. Time-to-Fix in Days: cumulative website percentage against average time-to-fix (days)
  20. Remediation Rates by Industry (Trend): a steady improvement in the percentage of reported vulnerabilities that have been resolved during each of the last three years, which now resides at 53%. Progress!
  21. Publish Scorecards Internally & Regularly, For All To See

      Group               | Avg. Time-to-Fix (Days) | High Severity Vulnerabilities | Remediation Rate | Window of Exposure (Days)
      2012 Corporate Goal | 20                      | 30                            | 75%              | 100
      Industry Average    | 55                      | 32                            | 63%              | 223
      Business Unit 1     | 17                      | 45                            | 74%              | 195
      Business Unit 2     | 53                      | 30                            | 46%              | 161
      Business Unit 3     | 67                      | 66                            | 63%              | 237
      Business Unit 4     | 48                      | 35                            | 69%              | 232
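The four scorecard columns on slide 21 follow from the deck's own definitions: the counting rule on slide 5 (one vulnerability per application, class and vulnerable parameter; only HIGH, CRITICAL and URGENT count as serious) and the window-of-exposure definition on slide 17 (days in a year with at least one serious vulnerability open). The Python below is an added example showing how a team could compute those numbers for one business unit from its own finding list; it is not WhiteHat Sentinel code. The `Finding` record, the sample findings and the choice of `(app, class, parameter)` as the deduplication key are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Severities the deck counts as "serious" (PCI-DSS HIGH, CRITICAL, URGENT).
SERIOUS = {"HIGH", "CRITICAL", "URGENT"}


@dataclass(frozen=True)
class Finding:
    """One reported finding (hypothetical record shape, not a Sentinel schema)."""
    app: str                 # web application, e.g. "/foo/webapp.cgi"
    vuln_class: str          # e.g. "SQL Injection"
    parameter: str           # vulnerable parameter ("" when not parameter-specific)
    severity: str
    opened: date             # date first reported
    closed: Optional[date]   # None while still open


def unique_serious(findings):
    """Slide 5 counting rule: one vulnerability per (app, class, parameter),
    keeping the earliest report of each, and only serious severities."""
    seen = {}
    for f in sorted(findings, key=lambda f: f.opened):
        key = (f.app, f.vuln_class, f.parameter)
        if f.severity in SERIOUS and key not in seen:
            seen[key] = f
    return list(seen.values())


def remediation_rate(vulns):
    """Fraction of counted vulnerabilities that have been resolved."""
    closed = [v for v in vulns if v.closed is not None]
    return len(closed) / len(vulns) if vulns else 0.0


def average_time_to_fix(vulns):
    """Mean days from report to resolution over the resolved vulnerabilities."""
    days = [(v.closed - v.opened).days for v in vulns if v.closed is not None]
    return sum(days) / len(days) if days else 0.0


def window_of_exposure(vulns, year):
    """Slide 17 definition: days in `year` on which at least one counted
    vulnerability was open. Overlapping open periods are not double counted."""
    day = date(year, 1, 1)
    exposed = 0
    while day.year == year:
        if any(v.opened <= day and (v.closed is None or day < v.closed) for v in vulns):
            exposed += 1
        day += timedelta(days=1)
    return exposed


def scorecard(findings, year):
    """The four slide 21 columns for one group."""
    vulns = unique_serious(findings)
    return {
        "avg_time_to_fix_days": average_time_to_fix(vulns),
        "high_severity_vulns": len(vulns),
        "remediation_rate": remediation_rate(vulns),
        "window_of_exposure_days": window_of_exposure(vulns, year),
    }


# Constructed sample findings for one business unit (not real data). Two SQL
# Injection parameters on the same app count as two vulnerabilities; the third
# entry is a repeat report of the first and is collapsed; the MEDIUM finding
# is excluded from the serious count.
SAMPLE_FINDINGS = [
    Finding("/foo/webapp.cgi", "SQL Injection", "id", "CRITICAL", date(2011, 1, 10), date(2011, 2, 9)),
    Finding("/foo/webapp.cgi", "SQL Injection", "q", "CRITICAL", date(2011, 1, 10), date(2011, 2, 9)),
    Finding("/foo/webapp.cgi", "SQL Injection", "id", "CRITICAL", date(2011, 1, 20), date(2011, 2, 9)),
    Finding("/foo/webapp.cgi", "Cross-Site Scripting", "name", "HIGH", date(2011, 3, 1), None),
    Finding("/bar/login", "Information Leakage", "", "MEDIUM", date(2011, 5, 1), date(2011, 5, 3)),
    Finding("/bar/login", "Cross-Site Scripting", "user", "HIGH", date(2011, 6, 1), date(2011, 6, 16)),
]

if __name__ == "__main__":
    for name, value in scorecard(SAMPLE_FINDINGS, 2011).items():
        print(f"{name}: {value}")
```

For the sample data this yields 4 high-severity vulnerabilities, a 75% remediation rate, an average time-to-fix of 25 days and a window of exposure of 336 days: the two SQL Injection vectors keep the site exposed from 10 January to 8 February, and the still-open XSS keeps it exposed from 1 March to year end. Running the same function per business unit and alongside a goal row is all that is needed to produce the slide 21 table.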
  22. Overall Vulnerability Population (2011): percentage breakdown of all the serious* vulnerabilities discovered. Web Application Firewalls are best at mitigating vulnerabilities such as Cross-Site Scripting, Content Spoofing, SQL Injection, Response Splitting, etc. By summing all these percentages up we might safely say: a WAF could feasibly help mitigate the risk of at least 71% of all custom Web application vulnerabilities.
  23. Why do vulnerabilities go unfixed? • No one at the organization understands or is responsible for maintaining the code. • Development group does not understand or respect the vulnerability. • Lack of budget to fix the issues. • Affected code is owned by an unresponsive third-party vendor. • Website will be decommissioned or replaced “soon.” • Risk of exploitation is accepted. • Solution conflicts with business use case. • Compliance does not require fixing the issue. • Feature enhancements are prioritized ahead of security fixes.
  24. Testing Speed & Frequency Matters
  25. Why Do Breaches (and vulnerabilities) Continue to Happen?
  26. Typical IT Budget Allocation. Applications: software, development, CRM, ERP, etc. Host: servers, desktops, laptops, admins, etc. Network: routers, switches, network, etc.
  27. Typical IT Security Budget. Applications: software architecture, trainings, testing, etc. Host: vulnerability management, system config, patching, monitoring, etc. Network: firewalls, network IDS, SSL, etc.
  28. Budget Prioritization. The biggest line item in [non-security] spending SHOULD match the biggest line item in security. Ranking by spend (IT vs. IT Security): Applications 1 vs. 3; Host 2 vs. 2; Network 3 vs. 1.
  29. Survey [2010] of IT pros and C-level executives from 450 Fortune 1000 companies (FishNet Security)... “Nearly 70% [of those surveyed] say mobile computing is the biggest threat to security today, closely followed by social networks (68%), and cloud computing platforms (35%). Around 65% rank mobile computing the top threat in the next two years, and 62% say cloud computing will be the biggest threat, bumping social networks." The report goes on to say... “45% say firewalls are their priority security purchase, followed by antivirus (39%), and authentication (31%) and anti-malware tools (31%)." http://www.darkreading.com/security-services/167801101/security/perimeter-security/227300116/index.html
  30. Big Picture. “Market-sizing estimates for network security range anywhere from $5-8bn, whereas our calculation for the aggregate application security market is about $444m. Despite the spending boost on application security mandated by the Payment Card Industry Data Security Standards (PCI-DSS), it’s still not commensurate with the demonstrated level of risk.” The Application Security Spectrum (The 451 Group): “...we expect this revenue will grow at a CAGR of 23% to reach $1bn by 2014.”
  31. How to develop secure-(enough) software?
  32. Little-to-No Supporting Data.
  33. Connect the Dots... The dots: SDL, Production Vulnerabilities, Attack Traffic, Security Controls, Breaches. Data sources: BSIMM, WhiteHat Security, Akamai, Verizon DBIR, IBM, Trustwave. Then we’ll start getting some real answers about how to produce secure-enough software.
  34. Thank You! Blog: http://blog.whitehatsec.com/ Twitter: http://twitter.com/jeremiahg Email: jeremiah@whitehatsec.com