Application Security Testing - Tycho Schmidt

  1. HP DUTCHWORLD 2008: OUTSMART THE FUTURE! Application Security Testing. Tycho Schmidt, HP consultant
  2. HP Application Security Center: part of the industry's most comprehensive IT management portfolio (portfolio diagram: business outcomes across Strategy, Applications and Operations; Quality Management, Business Service Management, Business Service Automation and IT Service Management; centers include Project & Portfolio Management Center, Quality Center, Performance Center, Business Availability Center, Service Management Center, Client Automation Center, Data Center Automation Center, Network Management Center, SOA Center and Application Security Center; Universal CMDB; platforms SAP, Oracle, SOA, J2EE, .Net)
  3. BTO Solution Overview (11 December 2008)
  4. Security Risks have never been greater. Everything has evolved:
     • Attacks: loose collaboration among groups; individual gain; individual fame
     • Drivers: reliance on web-based systems for business transactions; increase in data breaches, online fraud and online attacks
     • Regulations: internal measures; wide variety of regulations by industry and geography; regulations begin to come into force; new ones under development
  5. The Risks are Real (collage of news headlines; recoverable items: PCI deadline looming, PCI Requirement 6.6 becomes effective on June 30, 2008 and requires web sites to be scanned for vulnerabilities or protected; Hannaford grocery chain says intrusion may expose 4.2m cards; Obama web site hacked, hacker redirects Barack Obama's site to hillaryclinton using cross-site scripting vulnerability; 1,800 fraud cases seen; CardSystems out of business; Web 2.0 vulnerable; MySpace site shut down by JavaScript worm; hackers move from hobbyists to professionals; hack went on for 2 years, 40 million records stolen, company now out of business)
  6. Cross-Site Scripting (XSS)
     • Attacker injects a script into your browser via a vulnerable web application.
       − Normally due to faulty input or output validation
     • This script accesses information in your browser
       − Installs a web keylogger, steals cookies, etc.
  7. XSS example: <script type="text/javascript">alert('hello');</script>
  8. XSS example
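As an added example that is not part of the deck, the payload from the XSS example slide dropped into a page by a renderer that echoes a request parameter unescaped (the faulty output validation the XSS slide names), beside a hardened renderer that HTML-encodes the value at the point of output. Function and variable names are my own.

```javascript
// Added example (not from the HP deck): a reflected XSS sink and its fix.
// A search page echoes a request parameter into HTML. The vulnerable renderer
// interpolates it raw; the hardened renderer HTML-encodes it for its context.

// The payload shown on the deck's XSS example slide (constructed input).
const PAYLOAD = '<script type="text/javascript">alert(\'hello\');</script>';

// Entity-encode the five characters that matter for text between tags and
// inside double-quoted attribute values.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the search term goes into the markup unchanged, so the browser
// parses the injected <script> element and runs it in the site's origin.
function renderSearchPageVulnerable(query) {
  return `<html><body><h1>Results for: ${query}</h1></body></html>`;
}

// Hardened: the untrusted value is encoded at the point of output, so the
// browser renders the payload as literal text and nothing executes.
function renderSearchPageHardened(query) {
  return `<html><body><h1>Results for: ${encodeHtml(query)}</h1></body></html>`;
}

// Detection check for the demo: the template itself contains no <script> tag,
// so any such tag in the rendered page came from untrusted input.
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

const vuln = renderSearchPageVulnerable(PAYLOAD);
const safe = renderSearchPageHardened(PAYLOAD);
console.log('vulnerable page contains live script:', containsInjectedScript(vuln)); // true
console.log('hardened page contains live script:  ', containsInjectedScript(safe)); // false
console.log(safe);
```

The same encoder is not safe for every context (a value placed inside a `<script>` block or a URL needs different encoding), which is why scanners test each output location separately.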
  9. MySpace XSS Worm
     • 10/04, 12:34 pm: You have 73 friends. I decided to release my little popularity program. I'm going to be famous...among my friends.
     • 1 hour later, 1:30 am: You have 73 friends and 1 friend request. One of my friends' girlfriend looks at my profile. She's obviously checking me out. I approve her inadvertent friend request and go to bed grinning.
     • 7 hours later, 8:35 am: You have 74 friends and 221 friend requests. Woah. I did not expect this much. I'm surprised it even worked.. 200 people have been infected in 8 hours. That means I'll have 600 new friends added every day. Woah.
     • 1 hour later, 9:30 am: You have 74 friends and 480 friend requests. Oh wait, it's exponential, isn't it. Shit.
     • 1 hour later, 10:30 am: You have 518 friends and 561 friend requests. Oh crap. I'm getting messages from people pissed off that I'm their friend when they didn't add me. I'm also getting emails saying "Hey, how the hell did you get onto my myspace....not that I mind, you're hot". From guys. But more girls than guys. This actually isn't so bad. The girls part.
     • 3 hours later, 1:30 pm: You have 2,503 friends and 6,373 friend requests. I'm canceling my account. This has gotten out of control.
     • 5 hours later, 6:20 pm: I timidly go to my profile to view the friend requests. 2,503 friends. 917,084 friend requests. I refresh three seconds later. 918,268. I refresh three seconds later. 919,664 (screenshot below). A few minutes later, I refresh. 1,005,831.
     • It's official. I'm popular.
  10. The Costs to the Enterprise are Enormous
     • Costs incurred for
       − Discovery, response, and notification
       − Lost employee productivity
       − Regulatory fines
       − Customer losses
     • The total cost* of a data breach ranges from $90 to $305 per compromised record
     • Cost of a single breach may run into millions or even billions of dollars
     "From scans of over 31,000 sites, over 85% showed a vulnerability that could give hackers the ability to read, modify and transmit sensitive data." -- Web Application Security Consortium
     *Forrester Research, "Calculating The Cost Of A Security Breach", April 2007
  11. Applications are the target
     • Applications: unprotected and ignored
     • Servers: protected by intrusion prevention
     • Network: secured by firewall
     "75% of hacks happen at the application." - Gartner, "Security at the Application Level"
  12. Vulnerabilities exist within the apps themselves, so security can't be "bolted on". Application teams must bridge the gap:
     • Security professionals don't know the applications
     • Application developers and QA professionals don't know security
  13. HP Application Security Center: Security for the Application lifecycle (diagram). Enterprise application security assurance across Code (source code validation: DevInspect), Test (QA testing: QAInspect) and Production (production assessment: WebInspect), with the Assessment Management Platform spanning all three; continuous updates from the HP Web Security Research Group (internal app security research and reporting; external hacking research).
  14. DevInspect: Find, Fix and Protect. Accelerate Secure Application Development
     Key Benefits
     • Find security defects in development
       − Unique Hybrid Analysis technology (Static Code Analysis + Dynamic Testing) provides the most accurate results
     • Fix defects automatically
       − HP SecureObjects technology fixes defects, hardens applications against attack
     • Supports most popular web development languages
       − C#, VB.NET, Java
     • Integrations with leading IDEs
       − Microsoft Visual Studio (2005 and 2008)
       − IBM Rational Application Developer
       − Eclipse
  15. HP QAInspect: Automated security testing for quality assurance teams and engineers
     Key benefits
     • Automated Security Defect discovery
       − Automatically finds and prioritizes security defects in a Web application
     • Integrated with Quality Center
       − Manage security testing within existing QM methodology
       − Correct security defects early in application lifecycle
     • Lower Application Risk
       − Ensures compliance with government regulations
       − Less exposure to application downtime
     • Targeted Security Testing
       − Holistic or targeted application security tests depending upon requirements
     • Built-in Knowledgebase
       − Built-in Security Expertise combines daily updates of vulnerability checks with unique intelligent engines.
       − Comprehensive defect information and remediation advice about each vulnerability
  16. HP WebInspect: For Security Professionals and Advanced Security Testers
     Key Benefits
     • Find security defects during production or before you go live
       − Determine the current security status of your web or web service applications
       − Remediation advice for Development, QA and Operations
     • Accelerate Regulatory Compliance
       − Includes reports for more than 20 laws, regulations, and best practices, like SOX, HIPAA, PCI
     • Support for the latest web technologies
       − Supports the latest AJAX and JavaScript rich internet applications
     • Advanced Security Toolkit
       − Highly automated while allowing hands-on control
       − Advanced toolkit for penetration testers
     • Create customized reports and policies
       − Custom checks, report templates, policies, compliance reports
  17. HP Assessment Management Platform: Assess and manage application security risk across the enterprise
     Key Benefits
     • Controlled Visibility
       − Centralize all application security data
       − View and report on assessments conducted anytime by anyone
       − Strict access control of sensitive data
     • Scalability
       − Multi-scanner arrays amplify existing personnel to scan more systems faster
     • Managed Self-Service
       − Allow low-usage customers to scan themselves via web portal
     • Control Sensitive Security Activities
       − Set user permissions, enforce policies and restrict activities
       − DevInspect, QAInspect, AMP Sensors and WebInspect
     SC Awards 2008 winner for "Best Enterprise Security Solution"
  18. HP Application Security Center (architecture diagram): Dashboard; Assessment Management Platform (policy and compliance, centralized administration, vulnerability and risk management, alerts and reporting, distributed scanning); DevInspect (Microsoft Visual Studio, IBM RAD, Eclipse), QAInspect (HP Quality Center), WebInspect (production application assessment); Foundation: intelligent engines, hybrid analysis, security toolkit, reporting, SecureBase, SmartUpdate, open APIs
  19. Secure your outcome with Application Security Center: a complete application lifecycle solution
     • DevInspect's hybrid analysis ensures code under development is secure
     • QAInspect verifies the security of the entire application during QA
     • WebInspect provides pre- and post-production application and environment security analysis
     • Assessment Management Platform enforces security policies and manages activities across the lifecycle
  20. What Do We Check for
     Server and general HTTP
     • Secure Sockets Layer (SSL) certificate issues
     • SSL protocols
     • SSL ciphers
     • Server misconfiguration
     • Directory indexing and enumeration
     • Denial of Service (DoS)
     • HTTP response splitting
     • Encoding attacks
     • Windows 8.3 file name
     • DOS device handle DoS
     • Canonicalization attacks
     • URL redirection attacks
     • Password autocomplete
     • Cookie security
     • Custom fuzzing
     • Path manipulation—traversal
     • Path truncation
     • Ajax auditing
     • WebDAV auditing
     • Web services auditing
     • File enumeration
     • Information disclosure
     • Directory and path traversal
     • Spam gateway detection
     • Known application and platform vulnerabilities
     Data injection and manipulation attacks
     • Reflected cross-site scripting (XSS)
     • Persistent cross-site scripting (XSS)
     • Cross-site request forgery
     • SQL injection
     • Blind SQL injection
     • Buffer overflows
     • Integer overflows
     • Log injection
     • Remote File Include (RFI) injection
     • Server Side Include (SSI) injection
     • Operating system command injection
     • Local File Include (LFI)
     Sessions and authentication
     • Session strength
     • Authentication attacks
     • Insufficient authentication
     • Insufficient session expiration
     • Brute force authentication attacks
  21. Compliance Manager: Addresses the Following Best Practices and Legal Regulatory Initiatives:
     • Health Insurance Portability and Accountability Act (HIPAA)
     • Federal Information Security Management Act (FISMA)
     • Director of Central Intelligence Directive 6/3 (DCID)
     • California Online Privacy Protection Act
     • Children's Online Privacy Protection Act (COPPA)
     • Japan Personal Information Protection Act (JPIPA)
     • Personal Information Protection and Electronic Documents Act (PIPEDA)
     • California SB1386
     • Gramm-Leach Bliley Act (GLBA)
     • Sarbanes-Oxley Act, Section 404
     • 21CFR11
     • NIST 800-53
     • North America Electric Reliability Council (NERC)
     • Safe Harbor
     • Payment Card Industry (PCI) Data Security Policy
     • UK Data Protection Act
     • Basel II
     • ISO 17799
     • OWASP top 10
  22. HP Web Security Research Group
     • Formerly known as SPI Labs
     • Industry-leading research group focused on the latest web security vulnerabilities and technologies
     • Ensures that the latest vulnerability updates are delivered within 24 hours of their discovery to your desktop using HP SmartUpdate
  23. HP Application Security Services: HP Application Security Services can help you jumpstart your Application Security programs and see results quickly
  24. The HP difference: Application Security Center leadership
     • Accelerates the process of managing your application risk: "Reduced the security validation cycle for the critical web applications from one week to one hour" - Jes Beirholm, End2End
     • Used by the world's leading companies*: 5 of the top 6 banks; 5 of the top 6 diversified financials; 3 of the top 4 food markets; 4 of the top 6 insurance companies; 5 of the top 7 overall
     • Award winning: SC Magazine awarded ASC and AMP 2008 winner for "Best Enterprise Security Solution"
     * Forbes Global 2000
  25. JC Penney, On-Line Retailer
     "I can't say enough good things about WebInspect. It's an incredible tool. It's unbelievably fast. And it's so much more accurate than anything else that we've tried." - Security Engineer for intrusion prevention team
     Objective
     • Required to comply with Payment Card Industry (PCI) Standard
     • Manual web application assessments were too expensive and time consuming
     Approach
     • Began using HP WebInspect for automated assessments
     • Used HP Assessment Management Platform to build an enterprise-wide secure web application development lifecycle
     • Purchased HP DevInspect to help developers build secure applications
     Results
     • Complete web application assessments in hours—not days or weeks
     • Rapid assessment enables continuous compliance with PCI DSS and other regulations
  26. Sony Pictures, Global Entertainment Company
     "The key has been our ability to gain security visibility into the development and quality assurance processes, and express quality in terms of actionable security defects that need to be fixed." - VP of Enterprise Architecture and Planning
     Objective
     • Coordinate 25 development teams across eight business units
     • Needed an easily managed, quick-to-deploy, accurate web application vulnerability scanner
     • Needed to promote collaboration across the company's development, security, audit, & management teams
     Approach
     • Implemented HP WebInspect and HP QAInspect for HP Quality Center
     • Integrated security testing with existing quality assurance processes and activities
     • Automated web application security testing from within HP Quality Center using HP QAInspect
     Results
     • Maintained fast-moving production schedule
     • Enabled QA & dev teams to standardize the defect management process
     • Helped ensure compliance with Sarbanes-Oxley & privacy laws from other countries
  27. Hewlett-Packard, Global Technology Company
     HP is a technology solutions provider to consumers, businesses and institutions globally. The company's offerings span IT infrastructure, global services, business and home computing, and imaging & printing.
     Objective
     • Reduce risk to the business by meeting the demand of scanning thousands of applications a year
     • Assist the application developer community with embedding security throughout the system development life cycle, and in turn help with creating secure applications
     Approach
     • By implementing the HP Assessment Management Platform, HP was able to integrate security testing into existing go-live processes
     • HP used the AMP WebServices API to integrate AMP with existing systems and automate assessment configuration
     Results
     • Significantly reduced the risk to the business by allowing all applications to receive a security assessment before going live
     • Fewer security defects—applications launched without any significant security defects
     • Integrated security testing has become a core part of the application deployment process for all of HP
  28. Key things to remember
     • Web Security Risk has never been greater
     • The ASC is an integrated solution for the entire application security lifecycle
     • Scales from small teams to the entire organization
  29. Q&A
  30. HP Software approach to Application quality management (diagram): lifecycle stages Strategy, Plan, Define/design, Develop/test, Launch, Operate, with strategic control points (demand management, portfolio management, requirements, business validation, end-user application impact, change mapping); projects and programs move through new deployment, minor releases and fix/patch cycles using a full or accelerated quality process; three pillars of quality: Functionality (Does it work?), Performance (Does it perform?), Security (Is it secure?)
  31. Integrating Security Into the Quality Process: align with management and stakeholders (diagram). Strategy/Requirements and Demand Management: strategic business demand (new apps, new services, integrations), operational demand (defects, enhancements, change requests), requirements from Enterprise Architecture, Quality Teams and Security Teams (business, functional, performance, security and other non-functional requirements). Risk-Based Test Management, Test Planning and Execution: analyze risk, establish priorities, create manual test cases, automate functional and regression tests, create performance scripts and scenarios, create security test plans, identify and customize security policies, execute security scans (threat model, attack surface analysis, hybrid analysis combining static analysis and dynamic black box testing). Go/No Go. Operations: connect to production, production monitoring, execute tests, diagnose and resolve problems, service desk. Defect Management shared by developers and security teams.
  32. HP Application Security Center (architecture diagram, as on slide 18): Dashboard; Assessment Management Platform (policy and compliance, centralized administration, vulnerability and risk management, alerts and reporting, distributed scanning); DevInspect (Microsoft Visual Studio, IBM RAD, Eclipse), QAInspect (HP Quality Center), WebInspect (production application assessment); Foundation: intelligent engines, hybrid analysis, security toolkit, reporting, SecureBase, SmartUpdate, open APIs
  33. Application Security Center: Enterprise Solution for Security ALM
  34. Q&A