IBM עמרי וייסמן
  • Speaker notes: USDA: personal data on 47,000 individuals breached; free credit checks offered for a year. BJ's (wholesale club): millions of dollars of unauthorized and fraudulent purchases were made on customer credit and debit cards after the customers had visited BJ's stores in early 2004, the FTC alleged. In its investigation of the case, the FTC alleged that BJ's failed to encrypt consumer information when it was transmitted or stored on computers in BJ's stores, and created unnecessary security risks by storing it for up to 30 days in violation of bank security rules. BJ's also failed to use adequate security methods, storing the credit card information in files that could be accessed using commonly known default user IDs and passwords, and failed to use readily available security measures to prevent unauthorized wireless connections to its networks.
  • Speaker notes: Black box: hard to find backdoors, really blind SQL injection, etc. White box: hard to be sure about exploitability (though string analysis can show this).

    1. Static and Dynamic Technologies for Securing Web Applications. Omri Weisman, Manager, Static Analysis Group, IBM Rational Software, Israel. [email_address]. Dec 14, 2010.
    2. IBM IL
    3. Web Applications are the greatest risk to organizations
       • Web application vulnerabilities represented the largest category in vulnerability disclosures
       • In 2009, 49% of all vulnerabilities were Web application vulnerabilities
       • SQL injection and Cross-Site Scripting are neck and neck in a race for the top spot
       Source: IBM Internet Security Systems 2009 X-Force® Year End Trend & Risk Report
    4. What is the Root Cause?
       • Developers not trained in security
         • Most computer science curricula have no security courses
         • Focus is on developing features
         • Security vulnerability = BUG
       • Under-investment from security teams
         • Lack of tools, policies, process
         • Lack of resources
       • Growth in complex, mission-critical online applications
         • Online banking, commerce, Web 2.0, etc.
       Result: Application security incidents are on the rise
    5. Security Testing Within the Software Lifecycle (SDLC). Most issues are found by security auditors prior to going live.
       Chart: % of issues found by stage of SDLC (Coding, Build, QA, Security, Production)
    6. Security Testing Within the Software Lifecycle (SDLC): Desired Profile
       Chart: % of issues found by stage of SDLC (Coding, Build, QA, Security, Production)
    7. IBM Rational AppScan Suite: Comprehensive Application Vulnerability Management
       Lifecycle stages: Requirements, Code, Build, QA, Security, Pre-Prod, Production
       • Security requirements defined before design & implementation (Security Requirements Definition)
       • Build security testing into the IDE
       • Automate security / compliance testing in the build process
       • Security / compliance testing incorporated into testing & remediation workflows
       • Security & compliance testing, oversight, control, policy, audits
       • Outsourced testing for security audits & production site monitoring
       • Application Security Best Practices: Secure Engineering Framework
       Products: AppScan Source, AppScan Build, AppScan Tester, AppScan Standard, AppScan Enterprise, AppScan Reporting Console, AppScan onDemand
    8. Black Box vs. White Box
       • Black Box: "Hacker in a box"; requires a running site; crawl, test, validate; AppScan Standard Ed.
       • White Box: "Automated code review"; requires source code / bytecode; source-to-sink analysis; AppScan Source Ed.
    9. White-Box: Source-to-Sink Analysis
       Diagram: Sources, Sinks, Sanitizers. Undecidable problem.
       Many injection problems:
       • SQL Injection
       • XSS
       • Log Forging
       • Path Traversal
       • Code Execution
       • …
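A toy version of the source-to-sink analysis on this slide, added here as an illustration (not AppScan Source's code). It tracks, per variable, which vulnerability classes the value is still unsafe for: a source taints for every class, a sanitizer clears one class, and a sink reports when its class is still present. The IR, the source/sink/sanitizer names and the sample program are constructed; it handles straight-line code only, which is where the real tool's control-flow and approximation work begins.

```python
# Statement forms (constructed three-address IR):
#   ("concat", dst, [operands])       dst = operands joined
#   ("call",   dst, fn, [operands])   dst = fn(operands); dst may be None
# An operand starting with '"' is a string literal; anything else is a variable.
SOURCES = {"request.getParameter", "request.getHeader"}
SINKS = {
    "stmt.executeQuery": "SQL Injection",
    "response.write": "XSS",
    "logger.info": "Log Forging",
}
SANITIZERS = {"escapeSql": "SQL Injection", "htmlEncode": "XSS"}
ALL_CLASSES = set(SINKS.values())


def _taint_of(operand, taint):
    """Literals carry no taint; variables carry whatever was recorded."""
    return set() if operand.startswith('"') else set(taint.get(operand, ()))


def analyze(program):
    """Return findings as (statement index, vulnerability class, sink name)."""
    taint, findings = {}, []
    for i, stmt in enumerate(program):
        if stmt[0] == "concat":
            _, dst, parts = stmt
            taint[dst] = set().union(*(_taint_of(p, taint) for p in parts))
            continue
        _, dst, fn, args = stmt
        arg_taint = set().union(*(_taint_of(a, taint) for a in args))
        if fn in SOURCES:                       # untrusted input enters here
            result = set(ALL_CLASSES)
        elif fn in SANITIZERS:                  # only clears its own class
            result = arg_taint - {SANITIZERS[fn]}
        else:
            if fn in SINKS and SINKS[fn] in arg_taint:
                findings.append((i, SINKS[fn], fn))
            result = arg_taint                  # return value inherits taint
        if dst is not None:
            taint[dst] = result
    return findings


SAMPLE = [  # constructed program: one sanitized path and two unsanitized ones
    ("call", "name", "request.getParameter", ['"user"']),
    ("call", "safe_sql", "escapeSql", ["name"]),
    ("concat", "query", ['"SELECT * FROM users WHERE name=\'"', "safe_sql", '"\'"']),
    ("call", "rows", "stmt.executeQuery", ["query"]),   # escaped: no SQLi finding
    ("concat", "html", ['"<b>"', "name", '"</b>"']),
    ("call", None, "response.write", ["html"]),         # XSS: never htmlEncode'd
    ("call", None, "logger.info", ["safe_sql"]),        # Log Forging: escapeSql does not help
]

if __name__ == "__main__":
    for idx, cls, sink in analyze(SAMPLE):
        print(f"stmt {idx}: {cls} via {sink}")
```

Note that the escaped value still reaches the log sink as a finding: a sanitizer for one class says nothing about another, which is why the sanitizer table is keyed per class.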
    10. Black-Box vs. White-Box: Paradigm
       • Black Box: cleverly "guesses" behaviors that may demonstrate vulnerabilities
       • White Box: examines an infinite number of behaviors in a finite approach (approximation)
    11. Black-Box vs. White-Box: Perspective
       • Black Box: works as an attacker; HTTP awareness only; works on "the big picture"
       • White Box: resembles code auditing; inspects the small details; hard to "connect the dots"
       Diagram: SQL Injection found
    12. Black-Box vs. White-Box: Prerequisite
       • Black Box: any deployed application; mainly used during the testing stage
       • White Box: application code; mainly used in the development stage
       Diagram: Bank.war
    13. Black-Box vs. White-Box: Compatibility
       • Black Box: oblivious to languages and platforms; different communication protocols require attention
       • White Box: different languages require support (some frameworks too); oblivious to communication protocols
    14. Black-Box vs. White-Box: Scope
       • Black Box: exercises the entire system
         • Servers (application, HTTP, DB, etc.)
         • External interfaces
         • Network, firewalls
       • White Box: identifies issues regardless of configuration
    15. Black-Box vs. White-Box: Time/Accuracy Tradeoffs
       • Black Box: crawling takes time; testing mutations takes (infinite) time
       • White Box: a refined model consumes space, and time…; analyzing only "important" code and approximating the rest
    16. Black-Box vs. White-Box: Accuracy Challenges
       • Black Box challenge: cover all attack vectors
       • White Box challenge: eliminate non-exploitable issues
    17. Black Box OR White Box?
    18. Security Testing Technologies... Combination Drives Greater Solution Accuracy
       • Static Analysis (White box): automated code review
       • Dynamic Analysis (Black box): hacker in a box
       Diagram: Total potential security issues; Dynamic Analysis and Static Analysis overlap gives the best coverage
    19. Smarter security for a smarter planet