IBM: Omri Weisman (עמרי וייסמן)
  • 1. Static and Dynamic Technologies for Securing Web Applications. Omri Weisman, Manager, Static Analysis Group, IBM Rational Software. Dec 14, 2010
  • 2. IBM IL
  • 3. Web Applications are the greatest risk to organizations
    - Web application vulnerabilities represented the largest category in vulnerability disclosures
    - In 2009, 49% of all vulnerabilities were Web application vulnerabilities
    - SQL injection and Cross-Site Scripting are neck and neck in a race for the top spot
    Source: IBM Internet Security Systems 2009 X-Force® Year End Trend & Risk Report
  • 4. What is the Root Cause?
    1. Developers not trained in security
       - Most computer science curricula have no security courses
       - Focus is on developing features
       - Security vulnerability = BUG
    2. Under investment from security teams
       - Lack of tools, policies, process
       - Lack of resources
    3. Growth in complex, mission critical online applications
       - Online banking, commerce, Web 2.0, etc.
    Result: Application security incidents are on the rise
  • 5. Security Testing Within the Software Lifecycle
    [Chart: % of issues found by stage of SDLC (Coding, Build, QA, Security, Production)]
    Most issues are found by security auditors prior to going live.
  • 6. Security Testing Within the Software Lifecycle
    [Chart: % of issues found by stage of SDLC (Coding, Build, QA, Security, Production): desired profile]
  • 7. IBM Rational AppScan Suite – Comprehensive Application Vulnerability Management
    Across all stages: AppScan Enterprise, AppScan onDemand, AppScan Reporting Console
    - Security Requirements: Security Requirements Definition. Security requirements defined before design & implementation
    - Code: AppScan Source. Security / compliance testing in the IDE
    - Build: AppScan Build. Build security testing into the Build Process
    - QA: AppScan Tester. Security & Compliance Testing, oversight, control, policy, audits
    - Pre-Prod: AppScan Standard. Automate Security / Compliance testing incorporated into testing & remediation workflows
    - Production: AppScan Standard. Outsourced testing for security audits & production site monitoring
    Application Security Best Practices – Secure Engineering Framework
  • 8. Black Box vs. White Box
    - Black Box: "Hacker in a box". Requires a running site. Crawl, Test, Validate. AppScan Standard Ed.
    - White Box: "Automated code review". Requires source code / bytecode. Source-to-Sink Analysis. AppScan Source Ed.
  • 9. White-Box: Source-to-Sink Analysis
    Many injection problems: SQL Injection, Path Traversal, XSS, Code Execution, Log Forging, ...
    [Diagram: Sources -> Sanitizers -> Sinks]
    Undecidable problem
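A toy version of the source-to-sink analysis slide 9 describes, added here as an illustration and not code from the talk or from AppScan: it tracks which untrusted input reaches each sink and which vulnerability class each sanitizer neutralises, so a value escaped for HTML still counts as tainted for SQL or path sinks. The IR, the sanitizer and sink names and the sample program are constructed for this example; joins are unioned, which is the over-approximation the later "finite approach" slide refers to.

```python
# Added example, not AppScan code: IR, function names and sample program are made up.
KINDS = {"XSS", "SQL Injection", "Path Traversal"}

# Which vulnerability class a sanitizer neutralises, and which one a sink is exposed to.
SANITIZERS = {"html_escape": "XSS", "bind_param": "SQL Injection", "canonical_path": "Path Traversal"}
SINKS = {"response_write": "XSS", "execute_query": "SQL Injection", "open_file": "Path Traversal"}

def analyze(program):
    """Forward pass over a straight-line IR. Each variable carries (origin, kind) facts:
    untrusted data from `origin` still dangerous for `kind`. A sanitizer drops its own
    kind only; a sink reports facts for its kind as (kind, origin, line, sink_fn)."""
    taint = {}
    findings = []
    for line, (op, *args) in enumerate(program, start=1):
        if op == "source":              # var = untrusted input (e.g. a request parameter)
            (var,) = args
            taint[var] = {(var, k) for k in KINDS}
        elif op == "assign":            # dst = src
            dst, src = args
            taint[dst] = set(taint.get(src, ()))
        elif op == "join":              # dst = concatenation of srcs, or merge of two branches:
            dst, srcs = args            # the union over-approximates, since either path may run
            taint[dst] = set().union(*(taint.get(s, ()) for s in srcs))
        elif op == "sanitize":          # dst = fn(src)
            dst, src, fn = args
            taint[dst] = {(o, k) for o, k in taint.get(src, ()) if k != SANITIZERS[fn]}
        elif op == "sink":              # fn(var)
            var, fn = args
            for origin, k in sorted(taint.get(var, ())):
                if k == SINKS[fn]:
                    findings.append((k, origin, line, fn))
        else:
            raise ValueError(f"unknown op {op!r} at line {line}")
    return findings

# Constructed sample: a search handler that HTML-escapes the query for the page but
# concatenates the raw value into SQL, and reuses the HTML-escaped value as a file path.
SAMPLE = [
    ("source", "q"),
    ("sanitize", "q_html", "q", "html_escape"),
    ("sink", "q_html", "response_write"),   # safe: XSS neutralised
    ("join", "sql", ["prefix", "q"]),       # "SELECT ... LIKE '" + q
    ("sink", "sql", "execute_query"),       # finding: SQL Injection from q
    ("sanitize", "q_sql", "q", "bind_param"),
    ("sink", "q_sql", "execute_query"),     # safe
    ("sink", "q_html", "open_file"),        # finding: html_escape is the wrong sanitizer for a path
]

if __name__ == "__main__":
    for kind, origin, line, fn in analyze(SAMPLE):
        print(f"line {line}: {kind}: untrusted {origin!r} reaches {fn}()")
```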
  • 10. Black-Box vs. White-Box – Paradigm
    - Black Box: Cleverly "guesses" behaviors that may demonstrate vulnerabilities
    - White Box: Examines an infinite number of behaviors in a finite approach (approximation)
  • 11. Black-Box vs. White-Box – Perspective
    - Black Box: Works as an attacker; HTTP awareness only; works on "the big picture"
    - White Box: Resembles code auditing; inspects the small details; hard to "connect the dots"
    [Diagram: "SQL Injection Found"]
  • 12. Black-Box vs. White-Box – Prerequisite
    - Black Box: Any deployed application; mainly used during the testing stage
    - White Box: Application code; mainly used in the development stage
  • 13. Black-Box vs. White-Box – Compatibility
    - Black Box: Oblivious to languages, platforms; different communication protocols require attention
    - White Box: Different languages require support, some frameworks too; oblivious to communication protocols
  • 14. Black-Box vs. White-Box – Scope
    - Black Box: Exercises the entire system: servers (Application, HTTP, DB, etc.), external interfaces, network, firewalls
    - White Box: Identifies issues regardless of configuration
  • 15. Black-Box vs. White-Box – Time/Accuracy Tradeoffs
    - Black Box: Crawling takes time; testing mutations takes (infinite) time
    - White Box: A refined model consumes space, and time...; analyzing only "important" code, approximating the rest
  • 16. Black-Box vs. White-Box – Accuracy Challenges
    - Black Box challenge: Cover all attack vectors
    - White Box challenge: Eliminate non-exploitable issues
  • 17. Black Box OR White Box?
  • 18. Security Testing Technologies... Combination Drives Greater Solution Accuracy
    [Diagram: Static Analysis (Whitebox): Automated Code Review; Dynamic Analysis (Blackbox): Hacker in a box; their overlap within Total Potential Security Issues gives Best Coverage]
  • 19. Smarter security for a smarter planet