
Top Application Security Trends of 2012



Learn about the major risks to Cloud and Web-based Applications. What are their weaknesses? How can you deploy them in a more confident fashion and avoid the risks? What can you do to protect these applications without creating a major burden on your end-users and customers. Application Security has become one of the top most priorities of CIOs, CSOs and IT Staff in 2012. Cloud has created a paradigm shift in how we leverage technology. Learn about the power of the Cloud to Secure your applications.



  1. An IDG Ventures Company. November 20, 2012
  2. Welcome to our Webinar… We’re Glad You Are Here Today! By Jessica Quinn, Director of Marketing, Cyber Defense Magazine
  3. Today’s Agenda
     1. During today’s session, you’ll hear from two unique and complementary perspectives on Application Security Trends that have taken place throughout 2012, which will help you be better prepared for the coming year.
     2. First, our Editor of Cyber Defense Magazine will share some of the key trends and his insights in the area of Cloud Computing and related Network Security breaches.
     3. Then, the CEO of iViZ Security will take you through some of the best “insider” information on in-the-field, boots-on-the-ground issues such as the top 10 vulnerabilities in cloud/web apps, the top 10 business logic vulnerabilities, the top 3 reasons people were compromised and much more.
     4. Finally, we’ll open it up to Q&A and then share with you a special offer, as promised.
  4. Today’s Speakers
     • Gary Miliefsky, Editor, Cyber Defense Magazine. Gary is a Founding Member of the US Department of Homeland Security, has advised multiple US President’s Cyber Security teams, and serves on the boards of NAISG, MITRE and Norwich University’s Cyber-war Research Labs.
     • Bikash Barai, CEO, Co-founder, iViZ Security Inc. Bikash is the co-founder and CEO of iViZ, a pioneer in Cloud based Application Penetration Testing. He is credited with several innovations in the domain of Network Security and Anti-Spam Technologies and has patents filed under his name. Bikash is also an active speaker at various platforms like Nasscom, University of California - Berkeley, NUS Singapore, Global Security Challenge, TiE and several others.
  5. INTRODUCTION by Gary S. Miliefsky, CISSP, fmDHS, Editor, Cyber Defense Magazine
  6. SaaS, Web, Cloud Applications - #1 Target of Cyber Crime. We’re gunning for your apps because that’s where the data is…
  7. There is a Growing Epidemic of Security Breaches
     • “Every company in every conceivable industry with significant size and valuable intellectual property has been compromised (or will be shortly.) … the entire set of Fortune Global 2000 firms [can be divided] into two categories: those that know they’ve been compromised and those that don’t yet know.”
  8. Look at The Current Stats…
     • Cybercrime up by 6% in 2012 (Source: PONEMON INSTITUTE)
     • Over 60% of Bing search results lead to infected pages
     • Over 30% of Google search results lead to infected pages
     • WhiteHouse Hacked by China (Sources: WHITEHOUSE.GOV and PENTAGON.MIL)
     • ADOBE UPDATE SERVER – HACKED IN SEPTEMBER
     • MICROSOFT INTERNET EXPLORER – HACKED IN OCTOBER
     • ORACLE – RELEASES OVER 109 SECURITY FIXES IN OCTOBER
     • Total Personally Identifiable Information Records Stolen (US): 563,000,000+
     • Total Common Vulnerabilities and Exposures (CVEs aka “holes”): ~54,000
     • Total MD5 Hash Entries in Top Anti-virus Databases: 100,000,000+ and growing
     (Sources: CDM, Adobe, Microsoft, Oracle, MITRE, VirusBulletin)
  10. Cyber Criminals Exploit Poorly Written Code... So… What are some of the Top Software Coding Flaws? (Source:
  11. Top Software Coding Flaws (CWEs)
      Rank  Score  ID       Name
      1     93.8   CWE-89   Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)
      2     83.3   CWE-78   Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)
      3     79.0   CWE-120  Buffer Copy without Checking Size of Input (Classic Buffer Overflow)
      4     77.7   CWE-79   Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
      5     76.9   CWE-306  Missing Authentication for Critical Function
      6     76.8   CWE-862  Missing Authorization
      7     75.0   CWE-798  Use of Hard-coded Credentials
      8     75.0   CWE-311  Missing Encryption of Sensitive Data
      9     74.0   CWE-434  Unrestricted Upload of File with Dangerous Type
      10    73.8   CWE-807  Reliance on Untrusted Inputs in a Security Decision
      11    73.1   CWE-250  Execution with Unnecessary Privileges
      12    70.1   CWE-352  Cross-Site Request Forgery (CSRF)
      13    69.3   CWE-22   Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
      14    68.5   CWE-494  Download of Code Without Integrity Check
      15    67.8   CWE-863  Incorrect Authorization
      16    66.0   CWE-829  Inclusion of Functionality from Untrusted Control Sphere
      17    65.5   CWE-732  Incorrect Permission Assignment for Critical Resource
      18    64.6   CWE-676  Use of Potentially Dangerous Function
      19    64.1   CWE-327  Use of a Broken or Risky Cryptographic Algorithm
      20    62.4   CWE-131  Incorrect Calculation of Buffer Size
      21    61.5   CWE-307  Improper Restriction of Excessive Authentication Attempts
  12. Cyber Criminals Exploit Network-based Holes… So… What are some of the Top CVEs? (Source:
  13. Top External Vulnerabilities (CVEs)
      • Apache Chunked-Encoding Memory Corruption Vulnerability: CVE-2002-0392
      • Microsoft ASP.NET Denial of Service Vulnerability (KB2659883 and MS11-100): CVE-2011-3414, CVE-2011-3415, CVE-2011-3416, CVE-2011-3417
      • Microsoft SMB Remote Code Execution Vulnerability (MS09-001): CVE-2008-4834, CVE-2008-4835, CVE-2008-4114
      • SSH Protocol Version 1 Supported: CVE-2001-1473
      • Microsoft Windows Server Service Could Allow Remote Code Execution (MS08-067): CVE-2008-4250
      • Microsoft Windows Remote Desktop Protocol Remote Code Execution Vulnerability (MS12-020): CVE-2012-0002, CVE-2012-0152
  14. So Why Consider Going SaaS, Web or Cloud-based App?
      • On-demand Benefits – No Capacity Issues… it’s all there when you need it, sized right.
      • Lower Costs – The TCO is much lower and you don’t worry about hardware upgrades.
      • Rent vs Own – Why own all that expensive equipment? Cloud elasticity allows your SaaS/Web/Cloud Apps to shrink or grow automatically.
      • Space/Time Saver – Updates are faster and it takes less time to deploy newer versions or scale to larger platforms.
      • Reliability – Business Continuity and Disaster Recovery Planning (BCP/DRP) and all related redundancies and backup systems are not your problem; just make sure you have a really good Service Level Agreement (SLA).
      • 7x24x365 Access to your Apps – It’s up to the service provider, but you will usually have more uptime and IT service support without bearing the costs, and get a year-round 24 hour system in place.
  15. Hmm… when moving to SaaS, Web or Cloud-apps, I ponder…
      • What are the most critical vulnerabilities that threaten the security of my perimeter defenses on the web or in the ‘Cloud’?
      • What is the probability that a cyber criminal could penetrate my Web-based applications and gain access to my data?
      • How can I find my vulnerabilities, and do so in a way that has no time sink of false positives, so I can work through them quicker?
      • How do I prioritize the vulnerabilities, create a plan for improvement and get the budget approved?
  16. DEEP DIVE with Bikash Barai, CEO & Co-founder, iViZ Security Inc.
  17. Background
      • iViZ – Cloud based Application Penetration Testing
        • Zero False Positive Guarantee
        • Business Logic Testing with 100% WASC (Web Application Security Consortium) class coverage
      • Funded by IDG Ventures
      • 30+ Zero Day Vulnerabilities discovered
      • 10+ Recognitions from Analysts and Industry
      • 300+ Customers
  18. Research Methodology
      • Application security Data Collection
        • 300+ Customers
        • 5,000+ Application Security Tests
      • 25% Apps from Asia, 40% Apps from USA and 25% from Europe
  19. Key Findings
      • 99% of the Apps tested had at least 1 vulnerability
      • 82% of the web applications had at least 1 High/Critical Vulnerability
      • 90% of hacking incidents never become known to the public
      • Very low correlation between Security and Compliance (Correlation Coefficient: 0.2)
      • Average number of vulnerabilities per website: 35
      • 30% of the hacked organizations knew the vulnerability (for which they got hacked) beforehand
      • #1 Vulnerability: Cross site scripting (61%)
      • #1 Secure vertical: Banking
      • #1 Vulnerable Vertical: Retail
  20. Average number of Vulnerabilities (chart)
  21. Top 5 Application Flaws: Percentage of websites containing the “Type of Vulnerability” (chart)
  22. 5 Common Business Logic Flaws
      • Weak Password recovery
      • Abusing Discount Logic/Coupons
      • Denial of Service using Business Logic
      • Price Manipulation during Transaction
      • Insufficient Server Side Validation (One Time Password (OTP) bypass)
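Three of the business logic flaws on this slide (coupon abuse, price manipulation and insufficient server-side validation) share one root cause: the server lets the client decide values it should compute itself. The following is an added example, not code from the webinar or from iViZ; the catalog, coupon rules and orders are constructed, and it shows a checkout that trusts client-supplied price and discount beside one that recomputes the total and enforces coupon rules server-side.

```python
# Added example: a checkout handler that trusts client-supplied price/discount
# (reliance on untrusted input, CWE-807 on the slide's CWE list) beside a
# hardened version that derives every number from server-side state.
# CATALOG, COUPONS and the usage ledger are constructed for the demo.
CATALOG = {"sku-100": 49.99, "sku-200": 120.00}            # authoritative prices
COUPONS = {"SAVE10": {"percent": 10, "min_total": 100.0, "max_uses": 1}}
_coupon_uses: dict = {}                                    # redemption ledger


def checkout_vulnerable(order: dict) -> float:
    """Flawed: price and discount come straight from the request body."""
    total = sum(item["price"] * item["qty"] for item in order["items"])
    return round(total * (1 - order.get("discount_percent", 0) / 100), 2)


def checkout_hardened(order: dict) -> float:
    """Recomputes the total from the catalog and validates the coupon server-side."""
    total = 0.0
    for item in order["items"]:
        sku, qty = item["sku"], int(item["qty"])
        if sku not in CATALOG or qty <= 0:                 # reject unknown SKU / bad quantity
            raise ValueError(f"rejected line item {sku!r} x{qty}")
        total += CATALOG[sku] * qty                        # client price field is ignored
    code = order.get("coupon")
    if code:
        rule = COUPONS.get(code)
        if rule is None or total < rule["min_total"]:      # coupon must exist and apply
            raise ValueError("coupon not applicable")
        if _coupon_uses.get(code, 0) >= rule["max_uses"]:  # single-use enforced server-side
            raise ValueError("coupon already redeemed")
        _coupon_uses[code] = _coupon_uses.get(code, 0) + 1
        total *= 1 - rule["percent"] / 100
    return round(total, 2)


def try_checkout(order: dict):
    """Returns the total, or a 'rejected: ...' string when the hardened handler refuses."""
    try:
        return checkout_hardened(order)
    except ValueError as exc:
        return f"rejected: {exc}"
```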
  23. Which are the most vulnerable Industry Verticals? Average number of Vulnerabilities per Application (chart)
  24. Application Security Posture by Geography: Average number of Vulnerabilities per Application (chart)
  25. Top 5 Application Security Trends
  26. Runtime Application Security Protection (RASP)
      • RASP is an integral part of an application run time environment.
      • RASP can detect attacks at runtime (e.g. an attempt to write a high volume of data, or unauthorized database access).
      • It has real time capability to take actions like terminating sessions, raising alerts etc.
      • A Web Application Firewall (WAF) can detect attacks, and RASP verifies them and takes action.
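To make the slide's two RASP detections concrete, here is an added example (not iViZ's code and not any RASP product's): an in-process guard placed in front of the data layer that checks each database call against the session's role and a per-session write-volume budget, and on a hit terminates the session and raises an alert, as the slide describes. The role policy, limits, session store and `now` clock parameter are constructed assumptions.

```python
# Added example: a minimal RASP-style guard around database access.
# Policy, sessions and thresholds are constructed; `now` is injectable
# so the sliding window can be exercised deterministically.
import time
from collections import defaultdict

ALLOWED_TABLES = {"customer": {"orders", "profile"},
                  "admin": {"orders", "profile", "users"}}
WRITE_ROW_LIMIT = 500      # rows a session may write per window (assumed policy)
WINDOW_SECONDS = 60

sessions = {"s1": {"role": "customer", "active": True},
            "s2": {"role": "customer", "active": True},
            "s3": {"role": "customer", "active": True}}
alerts: list = []          # what a SIEM/SIM would receive
_writes = defaultdict(list)  # session_id -> [(timestamp, rows_written)]


def _terminate(session_id: str, reason: str):
    """Real-time response: kill the session, raise an alert, block the call."""
    sessions[session_id]["active"] = False
    alerts.append({"session": session_id, "reason": reason})
    raise PermissionError(reason)


def guarded_db_call(session_id: str, table: str, op: str, rows: int = 1, now=None):
    """Runs the policy checks; returns a result dict when the call is allowed."""
    now = time.time() if now is None else now
    sess = sessions.get(session_id)
    if not sess or not sess["active"]:
        raise PermissionError("no active session")
    if table not in ALLOWED_TABLES[sess["role"]]:          # unauthorized DB access
        _terminate(session_id, f"unauthorized access to {table}")
    if op == "write":                                      # high-volume write detection
        recent = [(t, n) for t, n in _writes[session_id] if now - t < WINDOW_SECONDS]
        recent.append((now, rows))
        _writes[session_id] = recent
        if sum(n for _, n in recent) > WRITE_ROW_LIMIT:
            _terminate(session_id, "high-volume write")
    return {"ok": True, "table": table, "op": op, "rows": rows}


def try_call(*args, **kwargs):
    """Wrapper returning the result, or 'blocked: <reason>' when the guard refuses."""
    try:
        return guarded_db_call(*args, **kwargs)
    except PermissionError as exc:
        return f"blocked: {exc}"
```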
  27. Collaborative Security Intelligence
      • DAST+SAST=IAST
      • SAST+DAST+WAF
      • SAST+DAST+SIM/SIEM
      • WAF+RASP
      • Grand Unification
      DAST: Dynamic Application Security Testing
      SAST: Static Application Security Testing
      IAST: Interactive Application Security Testing
      SIM: Security Incident Management
      SIEM: Security Incident and Event Management
  28. Hybrid Application Security Testing
      • Problems with Automation
        • False Positives
        • Business Logic Testing
      • Why is Artificial Intelligence not enough?
        • Multi Stage Attack Planning is not solved
        • Modeling Creativity and Intuition is suboptimal
        • Cannot discover and verify assumptions
      • How to solve it?
        • Not “Man vs Machine” but “Man and Machine”
        • Hybrid Testing with the power of automation but a manual augmentation model which can scale
        • Model can be very steep linear or non-linear depending on innovations
  29. Application Security as a Service
      • #1 Problem the Appsec industry is facing…
        • Severe dearth of trained AppSec professionals
      • Trends in the overall Tech Industry
        • Focus on Core Competency, Cloud, “Get it done” vs “Do it Yourself”
      • What are the options to leverage?
        • WAF as a service
        • SIM as a service
        • DAST/SAST/VM as a service
        • Hybrid Pen Testing as a SaaS
      • Benefits
        • Resolving the problems of talent acquisition and retention
        • Reduction of fixed operational costs
        • Help in focusing on core competency
        • Reduction of operational management overheads
  30. Beyond SDLC: Secure Dev-Ops
      • What is Dev-Ops?
        • Software Development methodology which focuses on communication, collaboration and integration of Developers and IT Operations professionals
        • Software Engineering + Quality Assurance + Tech Operations
      • Dev-Ops is beyond the Software Development Lifecycle (SDLC)
      • Need to move from Secure SDLC to Secure Dev-Ops
  31. Application Security Vulnerability Management Model
      • Types of Apps by Business Criticality
        • High
        • Medium
        • Low
      • Type of Testing
        • Automated
        • Standard: Automated + False Positive Removal
        • Premium: Automated + False Positive Removal + Business Logic Testing
  32. Application Security Vulnerability Management Model
      • Testing Strategy for Apps with the following Business Criticality (Minimum Requirement)
        • High
          • Premium Test for every major release
          • Standard test for every minor release
        • Medium
          • Standard test for every release
        • Low
          • Automated test on a quarterly or yearly basis, or during every release
  33. 80/20 Rule: Top 5 focus
      • #1: Identify and Classify all Apps based on Business Criticality
      • #2: Regular Testing
        • Hybrid Testing (Auto+Manual): All Business Critical Apps during every major release
        • Automated Testing: All Business Critical Apps during every release + Rest on a Quarterly basis
      • #3: Implement an efficient Patching Process
      • #4: Implement WAF for Business Critical Apps
      • #5: Implement Secure SDLC/Secure Dev-Ops
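The three slides above (classify by criticality, map criticality and release type to a test tier, fall back to quarterly automated testing for the rest) describe one policy. As an added example that is not the webinar's own material, the code below encodes that policy and, given a constructed application inventory and a set of pending releases, reports which apps are due for which tier; the quarterly interval of 91 days and the `last_automated` field are assumptions.

```python
# Added example: the slides' testing strategy as a scheduling check.
# Inventory, release events and dates are constructed for the demo.
from datetime import date

# Tier ordering from slide 31: each tier includes everything below it.
TIERS = {"automated": 1, "standard": 2, "premium": 3}


def required_test(criticality: str, release_kind: str) -> str:
    """Minimum tier for a release ('major' or 'minor') of an app, per slide 32."""
    if criticality == "high":
        return "premium" if release_kind == "major" else "standard"
    if criticality == "medium":
        return "standard"
    if criticality == "low":
        return "automated"
    raise ValueError(f"unknown criticality {criticality!r}")


def due_tests(apps: dict, releases: dict, today: date, quarterly_days: int = 91) -> dict:
    """Return {app_name: tier} for every app that needs a test now.

    Any app with a pending release gets the tier its criticality requires.
    Apps without a release are still covered by the quarterly automated
    sweep when their last automated test is older than `quarterly_days`
    (or missing); high/medium apps are covered by their release cadence.
    """
    due = {}
    for name, info in apps.items():
        kind = releases.get(name)
        if kind:
            due[name] = required_test(info["criticality"], kind)
            continue
        last = info.get("last_automated")
        if last is None or (today - last).days >= quarterly_days:
            due[name] = "automated"
    return due


def tier_satisfies(performed: str, required: str) -> bool:
    """True when the test actually run is at least the required tier."""
    return TIERS[performed] >= TIERS[required]
```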
  35. How do I get my freebies?
      • Free Penetration Test: Simply mail us
      • Free Checklist to evaluate a Pen Testing vendor: We will send you the download link over email
  36. Additional Bonus to Attendees… Get Your Free Copy… Signup Today for FREE E-Subscriptions:
      • FREE MONTHLY NEWSLETTERS: 20-40 pages packed with tips, tricks, tools and techniques for better IT Security and Regulatory Compliance
      • FREE QUARTERLY MAGAZINE: Ships in print at RSA Conference and BlackHat in 2013. Covers next generation tools and techniques, Cyber Defense Test Labs (CDTL) INFOSEC product reviews, and much more…
  37. Thank You
      • Bikash Barai, @bikashbarai1
      • Gary Miliefsky
  38. Q&A
      • What are the secrets vendors don’t tell?
      • How to evaluate a security testing vendor?
      • Can you tell me a real life case study of an organization which you consider as a “good example”…
  39. Solantus: “Advancing the Distribution Model”. Quick thanks to our silent sponsor, Solantus: Through well formulated business practices and processes, we take new product and service introductions to successful mainstream market acceptance. Our technology “Story” is one in which we embrace products and services that incorporate proven innovations which help differentiate our channel partners and serve the best interests of their customers. Learn more about next-gen distribution at
  40. Call To Action. To receive your free penetration testing, please contact us using your real email address at the company you work for, where you have permission to allow this offering. We cannot accept emails from google or yahoo, etc… as our service requires corporate approval. Send your email request to: sales@ivizsecurity.com. In addition, we will send you your free checklist for selecting your application penetration testing (APT) vendor.