About the Presenter
• Jason Haddix (@jhaddix)
• Director of Penetration Testing at HP/Fortify on their ShadowLabs team.
• Previously worked in HP's Professional Services as a security consultant, and as an engineer & pen tester for Redspin.
• Frequent attendee, presenter, & CTF participant at security cons such as Defcon, BlackHat, Brucon, DerbyCon, etc.
• Contributor/columnist to PentesterScripting.com, Ethicalhacker.net, and Hakin9 magazine.
• Serves on the advisory board for the GIAC Penetration Testing curriculum, and is GSEC, GPEN, and eCPPT certified.

About the Presenter
• Website: www.SecurityAegis.com
• Presentations:
Why Application Security?
"We've also seen 19,000 new malicious URLs each day in the first half of this year. And, 80% of those URLs are legitimate websites that were hacked or compromised." Sophos Threat Report (First half of 2011)

Why do we care?
• Your critical business applications face the Internet
• Regulations and Standards (PCI, HIPAA, SOX, etc.)
• More than 60% of applications have serious flaws

Challenges
• Difficult to train and retain staff - very difficult to keep skills up-to-date
• Constantly changing environment
• New attacks constantly emerge
• Compliance Requirements
• Too many tools for various results

What is Fortify on Demand?
• SAAS-Based, Annual subscription model
• Large Testing team at your fingertips
• Scale Rapidly (10, 100, 1000)
• The most Comprehensive Coverage Model – Verify False Positives & Manual Penetration Testing
• Single portal for consuming results
• Market leading analyzers for Static and Dynamic Testing
• Business Logic Assessments
• Unlimited Assessments, Unlimited Users
• Security Branding with HP FOD Logo on Web Applications
[Diagram: FOD at the center, covering Web, Mobile, Thick Client, 3rd Party, API, and Binary applications]

Dynamic Testing – three service levels for an Application: Baseline, Standard, Premium

Dynamic Testing – Baseline
• Recommended for Low Risk Websites (Marketing Sites, Brochure, Not much change in the application)
• An automated solution for Websites: WebInspect security scanner
• All results are manually reviewed by security experts to remove false positives

Dynamic Testing – Standard
• Recommended for Medium Risk Websites
• Use of multiple automated and manual testing solutions
• All results are manually reviewed by security experts to remove any false positives. Includes penetration testing.
• Single User Perspective

Dynamic Testing – Premium
• Recommended for High Risk websites
• Designed for mission-critical Technical and business logic vulnerabilities
• All results are manually reviewed by security experts to remove any false positives. Higher focus on manual penetration testing.
• Two User Perspective
• Web Services
Terms and Definitions
Automated Scanning: Fortify On Demand utilizes, as its core technology, HP WebInspect to perform automated crawling and technical auditing of Web Applications.
False Positive Removal: For all levels of service (Baseline, Standard, Premium), security assessment results are verified by a team of expert Security Engineers before results are marked for completion within the Fortify On Demand Portal. The Fortify On Demand team confirms that all data provided in the final report is free of false positives.
User Accounts: Depending on the level of service, the FOD assessment team will utilize either one (1) or two (2) user accounts for exercising the target application. By utilizing more than one account profile during the testing process, the assessment team may recognize a significant number of Business Logic flaws within the application. Examples of this may be "Session Hijacking" or "Privilege Escalation".
Remediation Scan: For each completed assessment, users may opt to have discovered vulnerabilities retested to confirm that remediation efforts were successful. The remediation scan process does not involve a re-scan of the entire application, but a verification of the unique (initially discovered) vulnerabilities.
Manual Security Testing: For service levels "Standard" and "Premium", advanced tools and automated scripts are utilized to assess the target application for non-standard web application security flaws.
Business Logic Testing: Business Logic flaws represent a category of vulnerabilities which cannot be discovered by technical or automated scanning technology. Business Logic testing may be leveraged within our Premium Level of Service and provides approximately 40 hours of manual testing by a team of expert Application Security Engineers.
Web Services: The Premium level of service provides the assessment (SOAP and REST-based) of Web Services for up to ten (10) Web Service endpoints.
Custom Testing
• Internal Penetration Testing
• External Penetration Testing
• Wireless Penetration Testing
• Physical Penetration Testing
• Social Engineering
• APT Breach Simulation
• Vulnerability Assessment: Internal, External, Web Service, Cloud, Embedded Device Testing
• Mobile Binaries Reverse Engineering
• Malware Analysis
• Threat Modeling
• Secure Code Training
• Manual Source Code Auditing in other languages
• Vulnerability Remediation
• SDLC Implementation & Auditing

World Renowned Technologies
• Fortify SCA Engine – Fully mapped taxonomy of all Vulnerability categories (VulnCAT)
• HP WebInspect Dynamic Engine – Largest set of Vulnerability Checks, 8k+ (SecureBase)
• TippingPoint & ArcSight – Leaders in Malware & 0-Day Research, Vulnerability Intelligence

Fortify SCA
Detect more than 480 types of software security vulnerabilities across 20+ development languages – the most in the industry.
IDE Integration for faster identification earlier in the development lifecycle.
Mobile Application support: iPhone & Android.
Features
• Pinpoint root cause of vulnerabilities – line of code detail
• Prioritize fixes sorted by risk severity
• Detailed "fix" instruction – in the development language

HP WebInspect
Largest Security Check Database (8k+ Dynamic Checks).
Independent research study showed WI to outperform other enterprise dynamic scanners in application coverage and scored a 99.26% in injection accuracy.
One of the only dynamic scanners to support web services and true REST APIs.
Features
• Can integrate with server runtime to find more vulnerabilities, faster. (Security Scope)
• Easy and simple export of vulnerabilities to TippingPoint WAF
• Powerful Macro Engine to navigate custom authentication or heavy use of AJAX.
Source: http://www.sectoolmarket.com/

Security Assessments by Security Professionals
[Diagram: FOD at the center, covering Web, Mobile, Thick Client, 3rd Party, and Binary applications, with services: Automated Static/Whitebox Analysis, Manual Source Code Analysis, Automated Dynamic/Blackbox Analysis, Full Web/Mobile Application Penetration Testing, and False Positive Reduction by Engineers]
Dynamic Process Flow
Static Process Flow
(Some) Team Members
• Daniel Miessler – Methodology Guru (OWASP, WASC, WAHH); SecLists Project Maintainer
• Nick Childers – Sr Researcher and Application Tester; Former Leader of Shellphish Defcon CTF Team
• Dennis Antunes – Dynamic Assessment Lead
• Nick Denarski – Metasploit Contributor and Trainer
• Bucky Spires – Mobile Assessment Lead
• Brooks Garret – DVWA Maintainer
• Andre Gironda – Sr. Application Tester
• Kevin Lynn – Sr. Application Tester
• Cash Turner – Sr. Dynamic Application Tester

Repeatable, Highly Technical Methodologies
• Web Application Security Consortium
• Open Web Application Security Project
• Penetration Testers Execution Standard
• Web Application Hackers Handbook
Combined 7+ decades of practical application security testing experience

Leading By Example
Over 1000 organizations worldwide have standardized on HP Fortify:
• 9 of the top 10 major banks
• 9 of the top 10 software companies
• All of the top 10 telecoms
• All major branches of U.S. DOD
• All 5 top insurance firms
• 2 out of 4 top oil and gas companies
• Many top car manufacturers
• Big 4 accounting firms

Fortify & FoD Awards
• Dynamic Application Testing Leader
• Static Application Testing Leader
"At any given time, there are 200 to 300 zero day vulnerabilities only HP knows about"

A CTO's Perspective on FoD
"I was very impressed by the knowledge and the responsiveness of both the Fortify BU sales and delivery resources. They helped me in building the business case for Application security which was key in establishing client stakeholder support for this initiative. Besides, they also partnered with the account to conduct a PoC which helped showcase our capability to the client. I am very confident based on my own positive experience that anyone in the security officer role could benefit a lot by working closely with the Fortify team to introduce our Application security capabilities to their clients."

Commonalities of Success, Developing a Winning SDLC
• Internal app security research
• External hacking research
[Diagram: HP Fortify Solutions mapped across the SDLC. Phases: Static Source Code Audit; QA & Integration Testing; Application Validation Environment; Production Assessment / Audit. Activities: Static Code Analysis in the IDE (SCA); Dynamic Analysis; Functional Test Integration; Continuous Dynamic Assessment; Penetration Testing; Hybrid Testing]