Top 10 Application Security Predictions for 2014

Chris Harget shares consolidated research data from Cenzic's security team, industry experts and security luminaries. The research-grounded predictions include:

>>> WHAT emerging initiatives (e.g., Enterprise App Stores, API proliferation) are most likely to increase appsec risk and what to do about it.

>>> WHY Cross Site Request Forgery (CSRF) may be the next exploit to "go large."

>>> HOW the "Internet of Things" may have a huge impact on application security.

... plus several more predictions.

2013 is coming to a close but online application threats won't be taking a holiday. Prepare for a secure 2014 by checking out "Top 10 Application Security Predictions for 2014."

Published in: Technology
Top 10 Application Security Predictions for 2014

  1. Cenzic Live! Webinar: Top 10 Application Security Predictions for 2014 (Chris Harget)
  2. Agenda
     - 2013 In Review
     - 2014 Predictions
     - New Year’s Resolutions
     Cenzic, Inc. - Confidential, All Rights Reserved.
  3. 2013 AppSec In Review
  4. 2013 Developments/News
  5. 160 Million Cards Stolen Via SQLi
  6. Vulnerabilities Trended Down… Slightly (Source: Cenzic Application Vulnerability Trends Report 2013)
  7. OWASP Updated Its Top 10 (2013 edition)
     - Broadening of URL access control flaws to now include actual application functions (A7: Missing Function Level Access Control)
     - Expansion and merger of data-in-transit and data-at-rest flaws on both the server side and client side (A6: Sensitive Data Exposure)
     - Addition of a new category, A9 ‘Using Components with Known Vulnerabilities’, covering add-on and third-party software components (a common issue that is often overlooked in development and security)
     - Re-prioritization of authentication/user session management flaws (A2, moved up) and cross-site request forgery (CSRF, now A8, moved down)
     https://www.mavitunasecurity.com/blog/owasp-top-10-2013-review/
  8. Compliance: Hello PCI 3.0
     - Penetration testing activities (internal and external) now must follow an "industry-accepted penetration testing methodology," such as the specifically referenced NIST SP 800-115, Technical Guide to Information Security Testing and Assessment (PCI DSS 3.0 Requirement 11.3).
  9. 2013 Was Kind Of A Stormy Year
  10. 2014 AppSec Predictions
  11. 1. The Internet Of Things = App Risk²
     - “The Internet of Things (or IoT for short) refers to uniquely identifiable objects and their virtual representations in an Internet-like structure.” – http://en.wikipedia.org/wiki/Internet_of_things
     - “A family of four will move from having 10 connected devices in 2012 to 25 in 2017 to 50 in 2022.” – http://go.gigaom.com/rs/gigaom/images/GigaOMResearch_The_internet_of_things_report.pdf
     - Many of these devices will be managed via apps
  12. 1. The Internet Of Things = App Risk²
     - New attack surfaces include: Smart Televisions, Home Alarms, Smart Meters, Smartphone cameras and microphones, Security Cameras, Baby monitors, Medical Equipment, Supply Chain Goods, Smart Thermostats, Cars
  13. 1. The Internet Of Things = App Risk²
     Top Ten Connected Applications in 2020 (Value to the Connected Life):
     - Connected Car: $600 billion
     - Clinical Remote Monitoring: $350 billion
     - Assisted Living: $270 billion
     - Home and Building Security: $250 billion
     - Pay-As-You-Drive Car Insurance: $245 billion
     - New Business Models for Car Usage: $225 billion
     - Smart Meters: $105 billion
     - Traffic Management: $100 billion
     - Electric Vehicle Charging: $75 billion
     - Building Automation: $40 billion
     http://www.gsma.com/newsroom/gsma-announces-the-business-impact-of-connected-devices-could-be-worth-us4-5-trillion-in-2020
  14. 2. Enterprise App Stores Explode…
  15. 2. Enterprise App Stores Explode… Not Necessarily In a Good Way
     Risks:
     - Apps have privileged access to corporate data
     - Malware sent via links in SMS or downloaded
     - Rogue apps can act as a key logger
     - Vulnerabilities doubly problematic
  16. 3. Bug Bounties Go Large
     - Glory, prizes and cash offered to crowd-source finding security flaws in social networks, cloud apps, etc.
     - May give COTS an edge over open source
     - 220 bugs found at OWASP’s November Hackathon
     http://www.bugsheet.com/bug-bounties
  17. 4. Developer Incentives on Security Evolve
     - Status quo: developers primarily compensated for code completed on schedule
     - Enterprises experimenting with 10-20% of MBO based on vulnerability scores (HARM™ or CVE)
     - Intriguing… yet to be proven
  18. 5. Increased Hacking Via Partner API
     - ProgrammableWeb now lists >10,000 APIs
     - >100% compound annual growth
     http://blog.programmableweb.com/2013/10/26/hack-ofbuffer-should-raise-security-concerns-for-all-apiproviders/
  19. 6. A Major Supply Chain Hack
     - An F1000 enterprise will lose data or be vandalized via a partner’s application
     - Partners provide services, goods, distribution, marketing, and outsourcing
     - An enterprise’s total app ecosystem may include hundreds of partner apps
     - The bigger brand will take the hit
  20. 7. CSRF Crosses The Chasm
     - Vulnerability prevalence is not exploit prevalence: SQL Injection vulnerabilities were found in only 18% of apps¹, but from 2005-2011 SQL Injection was responsible for 83% of the records stolen²
     - A famous 2005 incident (CardSystems Solutions) put SQL Injection on the map³
     - Cross Site Request Forgery: the browser attaches the victim’s session cookie to any request a third-party page triggers; when state-changing requests contain nothing unpredictable (no per-session secret token), an attacker can forge the request format and have the victim’s browser submit it
     - Breaches can be innocuous or devastating
     - If one CSRF attack gets big headlines, it could be the new attack du jour
     1: https://info.cenzic.com/2013-Application-Security-Trends-Report.html
     2: http://www.darkreading.com/views/lets-ask-why/240003593
     3: http://www.csoonline.com/article/700263/the-15-worst-data-security-breaches-of-the-21st-century
  21. 8. Mobile Hacking Goes Up (chart: Projected Mobile OS Data Volume Growth)
  22. 8. Mobile Hacking Goes Up
     - Mobile app security lags: mobile malware is increasingly sophisticated, and BYOD/MDM challenges persist
     - Security measures so far: sandbox enterprise apps on the phone, virtualize apps, biometric authentication, mobile application firewall, geofencing
     - It’s unclear if they will limit breaches from application vulnerabilities
  23. 9. Hacking Prosecutions Will Go Up
     - First ever cybercrime RICO trial began Nov. 20, 2013: http://www.wired.com/threatlevel/2013/11/openmarket-trial-begins/
     - A hacker dealing in stolen credit cards is being charged with racketeering
     - If successful, others in his organization could be prosecuted for criminal conspiracy
     - This could dramatically expand the reach of cybercrime prosecution
  24. 10. Public Layer 7 Government Hack
     - A nation-state will be implicated in a large Layer 7 app breach…
     - Probably trying to steal credentials to target user-sensitive info (dissident info), financial info (for business advantage), or the energy sector (critical infrastructure)
     - The most sophisticated actors are the nation-states
  25. Suggested AppSec New Year’s Resolutions
  26. Internet of Things Resolutions
     - Bake application security into your IoT plans early!
  27. Enterprise App Store Resolutions
     - Hold apps with privileged access to corporate data to the highest vulnerability testing standards
     - Be 100% responsible for the security of your store apps… no one else will
  28. Mobile Resolutions
     - Encourage users to check the General Settings for new mobile apps and turn off unnecessary permissions
     - Test mobile apps for vulnerabilities in proportion to their usage and data value
     - Evaluate mobile antivirus
     - Educate yourself
  29. App Design Resolutions
     - Leverage anti-CSRF frameworks
     - Validate inputs
     - Implement tighter session management
     - Confirm your off-the-shelf application components have no known vulnerabilities before use
  30. Partner Apps & API
     - Ensure partners’ web services are tested and hardened for security to the same standards as your company-owned applications (Note: Cenzic’s new service can help)
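The CSRF prediction (slide 20) and the app design resolutions (slide 29) describe the problem and the fix in one line each. The following is an added example, not code from the Cenzic deck: an in-memory "transfer" handler that authorizes on the session cookie alone, beside a hardened version that applies the resolutions (a per-session anti-CSRF token, an Origin/Referer check, input validation, and session-bound authorization). The site name, server key, users and balances are all constructed for the demo.

```python
"""Added example: synchronizer-token CSRF protection beside the unprotected handler."""
import hashlib
import hmac
import secrets

SITE = "https://bank.example"          # assumed origin of the application
SERVER_KEY = secrets.token_bytes(32)   # assumed server-side secret (use a secret store in production)

SESSIONS: dict[str, str] = {}   # session id -> user    (constructed in-memory store)
BALANCES: dict[str, int] = {}   # user -> balance       (constructed in-memory store)


def login(user: str) -> str:
    """Create a session; the returned id is what the browser stores as a cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return sid


def csrf_token(sid: str) -> str:
    """Per-session token derived with an HMAC, so the server need not store it.
    The application embeds it in every state-changing form it renders."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def _do_transfer(user: str, to: str, amount: int) -> tuple[int, str]:
    BALANCES[user] -= amount
    BALANCES[to] = BALANCES.get(to, 0) + amount
    return 200, f"moved {amount} from {user} to {to}"


def transfer_vulnerable(cookies: dict, form: dict) -> tuple[int, str]:
    """Authorizes on the session cookie alone. The browser attaches that cookie
    to a form POST regardless of which page issued it, so an attacker's page
    can make the victim's browser submit this request with a predictable body."""
    user = SESSIONS.get(cookies.get("session", ""))
    if user is None:
        return 401, "not logged in"
    return _do_transfer(user, form["to"], int(form["amount"]))


def transfer_hardened(cookies: dict, form: dict, headers: dict) -> tuple[int, str]:
    """Same operation with the controls layered, cheapest check first."""
    sid = cookies.get("session", "")
    user = SESSIONS.get(sid)
    if user is None:
        return 401, "not logged in"
    # Defence in depth: a cross-site POST carries the attacker's Origin (or Referer).
    # Reject foreign or absent origins before doing any work.
    origin = headers.get("Origin") or headers.get("Referer") or ""
    if not (origin == SITE or origin.startswith(SITE + "/")):
        return 403, "cross-site request blocked by origin check"
    # Primary control: the token is bound to this session and the same-origin
    # policy keeps a third-party page from reading it, so a missing or wrong
    # token identifies a forged request. Compare in constant time.
    if not hmac.compare_digest(form.get("csrf_token", ""), csrf_token(sid)):
        return 403, "missing or invalid anti-CSRF token"
    # Input validation: integer amount, positive, within balance, known payee.
    try:
        amount = int(form.get("amount", ""))
    except ValueError:
        return 400, "amount must be an integer"
    to = form.get("to", "")
    if amount <= 0 or amount > BALANCES[user] or to not in BALANCES:
        return 400, "invalid amount or payee"
    return _do_transfer(user, to, amount)


def demo() -> dict:
    """Victim 'alice' is logged in; attacker 'mallory' hosts a page that
    auto-submits a transfer form. Returns each outcome for inspection."""
    SESSIONS.clear()
    BALANCES.clear()
    BALANCES.update({"alice": 1000, "mallory": 0, "bob": 0})
    sid = login("alice")
    cookies = {"session": sid}                          # browser attaches this to every POST
    forged_form = {"to": "mallory", "amount": "500"}    # no token: the attacker cannot read it
    forged_headers = {"Origin": "https://attacker.example"}

    r_vuln = transfer_vulnerable(cookies, forged_form)
    bal_after_vuln = BALANCES["alice"]                  # money gone
    r_hard = transfer_hardened(cookies, forged_form, forged_headers)
    bal_after_hard = BALANCES["alice"]                  # unchanged: forged request refused

    legit_form = {"to": "bob", "amount": "100", "csrf_token": csrf_token(sid)}
    r_legit = transfer_hardened(cookies, legit_form, {"Origin": SITE})
    return {
        "session": sid,
        "vulnerable": r_vuln, "balance_after_vulnerable": bal_after_vuln,
        "hardened": r_hard, "balance_after_hardened": bal_after_hard,
        "legit": r_legit, "final_balance": BALANCES["alice"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The token check is the control that actually closes the hole; the origin check is cheap defence in depth and also catches forged requests from an attacker who has somehow learned the token. Framework-provided anti-CSRF middleware does the same thing with less room for mistakes, which is why the slide recommends leveraging one rather than hand-rolling it.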
  31. 3 Pillars of Enterprise App Security
     - Pre-production & App Development
     - Production
     - Partner / Supply Chain
  32. Detects Web & Mobile App Vulnerabilities
     - Easy-to-use software, SaaS, or managed service
     - Accurate behavior-based scanning protects 500,000+ online applications and $Trillion+ of commerce
     - Delivers best continuous real-world risk management
  33. Application Vulnerability Monitoring In Production
     - Identify risk + mitigate risk
     - One-click virtual patching via tight integration with leading Web Application Firewalls
  34. Managed Services Offerings – At-a-glance
     - Bronze: industry best practices for brochureware sites
     - Silver: industry best practices for forms and login-protected sites
     - Gold: compliance for sites with user data
     - Platinum: comprehensive scans for mission-critical applications
     Test areas listed across the tiers: Phishing, Light input validation, Data Security, Session management, OWASP compliance, PCI compliance, Business logic testing, Application logic testing, Manual penetration testing (the per-tier coverage matrix is not recoverable from the slide text)
  35. Cenzic Can Help
     - Train your people
     - Give them better gear
     - Have someone else carry the baton
  36. Good Luck In The New Year!
  37. Questions? request@cenzic.com or 1-866-4-CENZIC (1-866-423-6942); Blog: https://blog.cenzic.com; www.cenzic.com
