Appsec Introduction
Introduction to Application Security
Transcript of "Appsec Introduction"

  1. Security Verified. Introduction to Web Application Security. Mohamed Ridha Chebbi, CISSP, iCode InfoSec – CEO & Head of PS, ridha.chebbi@icodesecurity.com. Next-Gen Applications & Data Security conference, March 6th 2012. © 2012 iCode information security. All rights reserved.
  2. Agenda
     • Application InSecurity
     • TOP 10 Risks in APPSEC
     • Addressing the Problem
     • APPSEC Training
     • APPSEC Verification Process
     • APPSEC Standard (Security Levels)
     • APPSEC Protection Infrastructure
  3. Application InSecurity
  4. Web Application Security Defined
     [Diagram] Internet -> Firewall -> Web Server -> App Server -> Database Server, with Intrusion Detection and Prevention and the Desktop / Client. Ports 443 & 80 are still open through the firewall. Web app layer: 75% of hacker attacks occur here.
     [Timeline] Web application security evolution: Desktop & Content Security (1980s) -> Network Security (1990s) -> Application Security (2000s).
  5. Why Website Security Matters
     • $7.2+ million is the average cost of a data breach (Ponemon Institute, 2011)
     • 75%+ of cyber attacks & Internet security violations are generated through applications (Gartner Group, 2011)
     • 400+ new vulnerabilities a month, and growing
     • 75% of enterprises experienced some form of cyber attack in 2011 (Symantec Internet Security Report, April 2011)
     • 79% of victims subject to PCI DSS had not achieved compliance (Verizon Business Data Breach Report, July 2011)
  6. Today’s Web Application Vulnerabilities (Q1-Q2 2010) [Chart: Web Application Vulnerabilities (% of total)]
  7. Today’s Web Application Vulnerabilities (Q1-Q2 2010) [Chart: Web Application Vulnerabilities by Class (Commercial Applications)]
  8. Today’s Web Application Vulnerabilities (Q1-Q2 2010) [Chart: Other Category]
  9. Today’s Web Application Vulnerabilities (Q1-Q2 2010) [Chart: Web Application Vulnerabilities (Proprietary Applications)]
  10. Today’s Web Application Vulnerabilities (Q1-Q2 2010) [Chart: Vulnerable Web Applications by Type (Proprietary Applications)]
  11. Hacking Continues … [image slide]
  12. Breach Time to Detection
     • Average number of days between when a breach occurred and when it was discovered: 156 days (between 5 and 6 months).
     • Main reason an investigation was launched: the credit card company detected a data pattern of unauthorized use.
  13. The Top 10 Risks in Application Security
  14. OWASP Top Ten (2010 Edition): http://www.owasp.org/index.php/Top_10
  15. VERACODE Assessment Results [chart slide]
  16. VERACODE Assessment Results (continued) [chart slide]
  17. Addressing the Problem
  18. How to Start?
     1- Develop secure code: use an application security standard (risk mitigation best practices) and train developers in secure coding.
     2- Test and review applications in accordance with the application security standard (verification process). Security considerations during the SDLC:
        • Static assessment (during build)
        • Dynamic assessment (during testing)
        • Internal reviews (during design & build)
        • PEN testing (during operation)
     3- Protect & monitor applications and databases in accordance with the application security standard (protection & monitoring architecture). Protect applications & data by using:
        • Web Application Firewalls (WAF)
        • Database Firewalls (DBF)
        • File Firewalls (FF)
  19. Application Security Training
     iCode in-class courses: Application Security Fundamentals; TOP 10 OWASP in detail; Secure Coding Java; Secure Coding .NET; Mobile Application Security; Security Testing; SDL.
     iCode virtual class courses: 50+ hours of online courses; 33+ course modules (from security fundamentals to secure coding).
  20. Application Security Life Cycle
     [Diagram] Phases: Design -> Build -> Test -> Deploy -> Operate. Internal review during design; static assessment during build; dynamic assessment during test; PEN testing during operation; web application & data protection & monitoring during operation. The cycle is repeated annually and for new versions/releases.
  21. Application Security Levels
  22. Security Requirements & Levels
     Verification requirement sections (Level 1 and Level 2 apply an increasing level of rigor to each section):
     V1. Security Architecture
     V2. Authentication
     V3. Session Management
     V4. Access Control
     V5. Input Validation
     V6. Output Encoding/Escaping
     V7. Cryptography
     V8. Error Handling and Logging
     V9. Data Protection
     V10. Communication Security
     V11. HTTP Security
     V12. Security Configuration
     V13. Malicious Code Search
     V14. Internal Security
  23. Application Security Level 1
     Level 1 verification is typically appropriate for applications where some confidence in the correct use of security controls is required. Threats to security will typically be viruses, worms and misuse. There are two constituent components for Level 1:
     - Level 1A is for the use of automated application vulnerability scanning (dynamic analysis)
     - Level 1B is for the use of automated source code scanning (static analysis)
     NOTE: if the verifier’s selected tool suite does not have the capability to verify a specified verification requirement, the verifier can perform manual verification to fill this gap.
     Level 1A + Level 1B = Level 1
  24. Application Security Level 2
     Level 2 is appropriate for applications that handle personal transactions, conduct business-to-business transactions, or process personally identifiable information. Threats to security will typically be viruses, worms and opportunists such as malicious attackers. There are two constituent components for Level 2:
     - Level 2A is for the use of automated application vulnerability scanning (dynamic analysis)
     - Level 2B is for the use of automated source code scanning (static analysis)
     Note 1: if the verifier’s selected tool suite does not have the capability to verify a specified verification requirement, the verifier can perform manual verification to fill this gap.
     Note 2: the verifier needs to manually review and augment all the results for each Level 2 requirement.
     Level 2A + Level 2B = Level 2
  25. Application Security Level 1
     Example: ADB/ASS-V2 Authentication Verification Requirements for Level 1 (table columns: Verification Requirement | Level 1A | Level 1B; each requirement is marked as applicable to 1A and/or 1B)
     V2.1 Verify that all pages and resources require authentication except those specifically intended to be public.
     V2.2 Verify that all password fields do not echo the user’s password when it is entered, and that password fields (or the forms that contain them) have autocomplete disabled.
     V2.3 Verify that if a maximum number of authentication attempts is exceeded, the account is locked for a period of time long enough to deter brute force attacks.
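Requirement V2.2 is the kind of check a Level 1B tool runs over source and templates rather than against a live site. The following is an added example, written for this page and not taken from the deck or from any iCode tool, of such a static check in Python: it parses HTML, flags password fields rendered with a type other than password (so the input would be echoed), and flags password fields whose autocomplete is not disabled on the field or on its enclosing form. The HTML sample is constructed for illustration, and the field-name heuristic (names containing password, passwd or pwd) is an assumption, not something the slide specifies.

```python
"""Level 1B-style static check for V2.2 (password fields not echoed,
autocomplete disabled on the field or its form). Added example; the
sample HTML below is constructed, not taken from any real application."""
from html.parser import HTMLParser

# Assumed heuristic for spotting a password field that is missing type="password".
PASSWORD_NAME_HINTS = ("password", "passwd", "pwd")


class PasswordFieldAuditor(HTMLParser):
    """Walks an HTML document and records V2.2 findings as (line, field, issue)."""

    def __init__(self):
        super().__init__()
        self._form_autocomplete_off = []  # one entry per open <form>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        line = self.getpos()[0]  # 1-based line of the tag, for the report's Location field
        if tag == "form":
            self._form_autocomplete_off.append(a.get("autocomplete") == "off")
            return
        if tag != "input":
            return
        name = a.get("name") or a.get("id") or "<unnamed>"
        field_type = a.get("type", "text")  # browsers default a missing type to text
        looks_like_password = field_type == "password" or any(h in name for h in PASSWORD_NAME_HINTS)
        if not looks_like_password:
            return
        if field_type != "password":
            self.findings.append((line, name, "password field echoes input (type is not 'password')"))
        form_off = bool(self._form_autocomplete_off) and self._form_autocomplete_off[-1]
        field_off = a.get("autocomplete") == "off"
        if not (form_off or field_off):
            self.findings.append((line, name, "autocomplete not disabled on field or enclosing form"))

    def handle_endtag(self, tag):
        if tag == "form" and self._form_autocomplete_off:
            self._form_autocomplete_off.pop()


def audit_html(document: str):
    """Return the list of V2.2 findings for one HTML document (empty list = pass)."""
    auditor = PasswordFieldAuditor()
    auditor.feed(document)
    auditor.close()
    return auditor.findings


# Constructed sample: one compliant form, one with two defects.
SAMPLE_HTML = """<html><body>
<form action="/login" method="post" autocomplete="off">
  <input type="text" name="user">
  <input type="password" name="password">
</form>
<form action="/register" method="post">
  <input type="password" name="pwd1">
  <input type="password" name="pwd2" autocomplete="off">
  <input type="text" name="old_password">
</form>
</body></html>"""

if __name__ == "__main__":
    for line, field, issue in audit_html(SAMPLE_HTML):
        print(f"V2.2 FAIL line {line} field {field!r}: {issue}")
```

The line number and field name in each finding map directly onto the Location and Description fields the verification report on slide 28 asks for; a clean document returns an empty list, which is the Pass verdict.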
  26. Application Security Level 2
     Example: ADB/ASS-V2 Authentication Verification Requirements for Level 2 (table columns: Verification Requirement | Level 2A | Level 2B; each requirement is marked as applicable to 2A and/or 2B)
     V2.1 Verify that all pages and resources require authentication except those specifically intended to be public.
     V2.2 Verify that all password fields do not echo the user’s password when it is entered, and that password fields (or the forms that contain them) have autocomplete disabled.
     V2.3 Verify that if a maximum number of authentication attempts is exceeded, the account is locked for a period of time long enough to deter brute force attacks.
     V2.4 Verify that all authentication controls are enforced on the server side.
     V2.5 Verify that all authentication controls (including libraries that call external authentication services) have a centralized implementation.
     V2.6 Verify that all authentication controls fail securely.
     V2.7 Verify that the strength of any authentication credentials is sufficient to withstand attacks that are typical of the threats in the deployed environment.
  27. Application Security Level 2
     Example: ADB/ASS-V2 Authentication Verification Requirements for Level 2 (continued; same columns as the previous slide)
     V2.8 Verify that users can safely change their credentials using a mechanism that is at least as resistant to attack as the primary authentication mechanism.
     V2.9 Verify that re-authentication is required before any application-specific sensitive operations are permitted.
     V2.10 Verify that after an administratively-configurable period of time, authentication credentials expire.
     V2.11 Verify that all authentication decisions are logged.
     V2.12 Verify that account passwords are salted using a salt that is unique to that account (e.g., internal user ID, account creation) and hashed before storing.
     V2.13 Verify that all authentication credentials for accessing services external to the application are encrypted and stored in a protected location (not in source code).
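Several of the Level 2 requirements above describe one coherent server-side control: V2.3 (lockout after too many attempts), V2.4 (enforced on the server), V2.6 (fail securely), V2.11 (every decision logged) and V2.12 (per-account salt, hashed before storing). The Python module below is an added example of that control, written for this page and not taken from the deck or from any iCode product. It assumes a five-attempt threshold and a 15-minute lockout (the slide does not give numbers), stores a random 16-byte salt per account and hashes with PBKDF2-HMAC-SHA256 (a stronger salt choice than the user ID or creation time the slide offers as examples), and keeps constructed user records in memory; the injectable clock exists so the lockout window can be exercised without waiting.

```python
"""Added example: server-side authentication control covering V2.3, V2.4,
V2.6, V2.11 and V2.12 from the Level 2 requirements. Policy values and the
in-memory user store are assumptions for illustration."""
import hashlib
import hmac
import secrets
import time

LOCKOUT_THRESHOLD = 5      # assumed policy: failed attempts before lockout (V2.3)
LOCKOUT_SECONDS = 15 * 60  # assumed policy: lockout duration (V2.3)
PBKDF2_ROUNDS = 100_000    # work factor for the password hash (V2.12)
SALT_BYTES = 16


class FakeClock:
    """Deterministic clock so the lockout window can be tested without sleeping."""
    def __init__(self, start=1_000.0):
        self.t = start

    def __call__(self):
        return self.t


class AuthStore:
    """Centralized authentication logic (V2.5): every decision passes through login()."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._users = {}      # username -> {salt, hash, failures, locked_until}
        self.audit_log = []   # (timestamp, username, decision, reason)  (V2.11)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(SALT_BYTES)   # unique per account (V2.12)
        self._users[username] = {
            "salt": salt,
            "hash": self._hash(password, salt),  # only the hash is stored, never the password
            "failures": 0,
            "locked_until": 0.0,
        }

    def _decide(self, username: str, decision: str, reason: str) -> bool:
        """Single exit point: every allow/deny is logged before it is returned (V2.11)."""
        self.audit_log.append((self._clock(), username, decision, reason))
        return decision == "ALLOW"

    def login(self, username: str, password: str) -> bool:
        """Server-side check (V2.4); returns True only on a verified password."""
        try:
            now = self._clock()
            rec = self._users.get(username)
            if rec is None:
                # Do the same hashing work for unknown users so timing does not reveal valid names.
                self._hash(password, b"\x00" * SALT_BYTES)
                return self._decide(username, "DENY", "unknown user")
            if now < rec["locked_until"]:
                return self._decide(username, "DENY", "account locked")
            if hmac.compare_digest(rec["hash"], self._hash(password, rec["salt"])):
                rec["failures"] = 0
                return self._decide(username, "ALLOW", "password verified")
            rec["failures"] += 1
            if rec["failures"] >= LOCKOUT_THRESHOLD:
                rec["locked_until"] = now + LOCKOUT_SECONDS
                rec["failures"] = 0
                return self._decide(username, "DENY", "bad password; account locked")
            return self._decide(username, "DENY", "bad password")
        except Exception as exc:  # V2.6: any internal error denies access rather than granting it
            return self._decide(username, "DENY", f"internal error: {type(exc).__name__}")


if __name__ == "__main__":
    clock = FakeClock()
    store = AuthStore(clock=clock)
    store.register("alice", "correct horse battery staple")
    for attempt in range(LOCKOUT_THRESHOLD + 1):
        store.login("alice", "wrong guess %d" % attempt)
    print("locked login allowed?", store.login("alice", "correct horse battery staple"))
    clock.t += LOCKOUT_SECONDS + 1
    print("after lockout expires?", store.login("alice", "correct horse battery staple"))
    for entry in store.audit_log:
        print(entry)
```

The audit log is what a 2B reviewer would inspect for V2.11: a deny for an unknown user, a deny for a locked account and a deny for a wrong password all appear as separate, reasoned entries, and the one path that returns True is the one that passed the constant-time comparison.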
  28. Verification Output Report
     A Level 1 or Level 2 verification report shall document the results of the analysis, including any remediation of vulnerabilities that was required. For each requirement, per level, the report records a Pass/Fail column and:
     • Verdict
     • Verdict justification
     • Location (URL with parameters (Level 2) and/or source file path, name and line number(s))
     • Description (including configuration information as appropriate)
     • Risk rating
     • Risk justification
     Any remediation of vulnerabilities that were discovered shall be provided as part of the report.
  29. Accreditation & Baselines
  30. Example of Accreditation Document
     Application Security Accreditation Form
     • Application: Category, Version, Release Date
     • Application supports the following business functions:
     • Application makes use of the following technology:
     • Application makes use of the following IT infrastructure:
     • Application developer/vendor primary contact information: First Name, Last Name, Title, Department, Telephone, email
     • Security verification process (columns: P / F / N/T / N/R / Ref./Comments): L1A Level 1A Verification; L1B Level 1B Verification; L2A Level 2A Verification; L2B Level 2B Verification
     • Accreditation zone: Production; Date; Notes/Comments
     • Accreditation involved parties …
  31. Applications & Data Protection
  32. Application & Data Protection
     [Architecture diagram] Security Operating Center; Management Server; Database Activity Monitoring fed by a database local agent, network monitoring, or native audit; Discovery and Assessment Server; Database Firewall in front of the databases; Web Application Firewall in front of the web tier.
  33. Thanks