IBM Omri Weisman

Transcript

  • 1. Dec 14, 2010. Static and Dynamic Technologies for Securing Web Applications. Omri Weisman, Manager, Static Analysis Group, IBM Rational Software, Israel. weisman@il.ibm.com
  • 2. IBM IL
  • 3. Web Applications are the greatest risk to organizations
     Web application vulnerabilities represented the largest category in vulnerability disclosures
     In 2009, 49% of all vulnerabilities were Web application vulnerabilities
     SQL injection and Cross-Site Scripting are neck and neck in a race for the top spot
    Source: IBM Internet Security Systems 2009 X-Force® Year End Trend & Risk Report
  • 4. What is the Root Cause?
    1. Developers not trained in security
       Most computer science curricula have no security courses
       Focus is on developing features
       Security vulnerability = BUG
    2. Under-investment from security teams
       Lack of tools, policies, process
       Lack of resources
    3. Growth in complex, mission-critical online applications
       Online banking, commerce, Web 2.0, etc.
    Result: Application security incidents are on the rise
  • 5. Security Testing Within the Software Lifecycle
    [Chart: % of issues found by stage of SDLC; stages: Coding, Build, QA, Security, Production]
    Most issues are found by security auditors prior to going live.
  • 6. Security Testing Within the Software Lifecycle
    [Chart: % of issues found by stage of SDLC; stages: Coding, Build, QA, Security, Production; "Desired Profile"]
  • 7. IBM Rational AppScan Suite – Comprehensive Application Vulnerability Management
    Across all stages: AppScan Enterprise, AppScan onDemand, AppScan Reporting Console
    Security Requirements: Security Requirements Definition. Security requirements defined before design & implementation
    Code: AppScan Source. Build security testing into the IDE
    Build: AppScan Build. Automate security / compliance testing in the build process
    QA: AppScan Tester. Security / compliance testing incorporated into testing & remediation workflows
    Pre-Prod: AppScan Standard. Security & compliance testing, oversight, control, policy, audits
    Production: AppScan Standard. Outsourced testing for security audits & production site monitoring
    Application Security Best Practices – Secure Engineering Framework
  • 8. Black Box vs. White Box
    Black Box: "Hacker in a box". Requires a running site. Crawl, Test, Validate. AppScan Standard Ed.
    White Box: "Automated code review". Requires source code / bytecode. Source-to-Sink Analysis. AppScan Source Ed.
  • 9. White-Box: Source-to-Sink Analysis
    Sources → Sanitizers → Sinks
    Many injection problems: SQL Injection, Path Traversal, XSS, Code Execution, Log Forging, …
    Undecidable problem
  • 10. Black-Box vs. White-Box – Paradigm
    Black Box: Cleverly "guesses" behaviors that may demonstrate vulnerabilities
    White Box: Examines an infinite number of behaviors in a finite approach (approximation)
  • 11. Black-Box vs. White-Box – Perspective
    Black Box: Works as an attacker. HTTP awareness only. Works on "the big picture"
    White Box: Resembles code auditing. Inspects the small details. Hard to "connect the dots" (e.g. "SQL Injection Found")
  • 12. Black-Box vs. White-Box – Prerequisite
    Black Box: Any deployed application. Mainly used during the testing stage
    White Box: Application code. Mainly used in the development stage
  • 13. Black-Box vs. White-Box – Compatibility
    Black Box: Oblivious to languages and platforms. Different communication protocols require attention
    White Box: Different languages require support, some frameworks too. Oblivious to communication protocols
  • 14. Black-Box vs. White-Box – Scope
    Black Box: Exercises the entire system: servers (application, HTTP, DB, etc.), external interfaces, network, firewalls
    White Box: Identifies issues regardless of configuration
  • 15. Black-Box vs. White-Box – Time/Accuracy Tradeoffs
    Black Box: Crawling takes time. Testing mutations takes (infinite) time
    White Box: A refined model consumes space, and time… Analyzing only "important" code, approximating the rest
    >> Summary
  • 16. Black-Box vs. White-Box – Accuracy Challenges
    Black Box challenge: Cover all attack vectors
    White Box challenge: Eliminate non-exploitable issues
  • 17. Black Box OR White Box?
  • 18. Security Testing Technologies... Combination Drives Greater Solution Accuracy
    Static Analysis (Whitebox): Automated Code Review
    Dynamic Analysis (Blackbox): Hacker in a box
    [Diagram: Total Potential Security Issues; Static Analysis Coverage and Dynamic Analysis Coverage overlap, and the overlap is "Best Analysis"]
  • 19. Smarter security for a smarter planet