
IBM Omri Weisman


Published in: Education

  1. Static and Dynamic Technologies for Securing Web Applications
     Omri Weisman, Manager, Static Analysis Group, IBM Rational Software, Israel, [email_address]
     Dec 14, 2010
  2. IBM IL
  3. Web Applications are the greatest risk to organizations
     • Web application vulnerabilities represented the largest category in vulnerability disclosures
     • In 2009, 49% of all vulnerabilities were Web application vulnerabilities
     • SQL injection and Cross-Site Scripting are neck and neck in a race for the top spot
     Source: IBM Internet Security Systems 2009 X-Force® Year End Trend & Risk Report
  4. What is the Root Cause?
     • Developers not trained in security
       ◦ Most computer science curricula have no security courses
       ◦ Focus is on developing features
       ◦ Security vulnerability = BUG
     • Under-investment from security teams
       ◦ Lack of tools, policies, process
       ◦ Lack of resources
     • Growth in complex, mission-critical online applications
       ◦ Online banking, commerce, Web 2.0, etc.
     Result: Application security incidents are on the rise
  5. Security Testing Within the Software Lifecycle (SDLC)
     Most issues are found by security auditors prior to going live.
     [Chart: % of issues found by stage of SDLC; stages labelled Build, Coding, QA, Security, Production]
  6. Security Testing Within the Software Lifecycle (SDLC): Desired Profile
     [Chart: % of issues found by stage of SDLC; stages labelled Build, Coding, QA, Security, Production]
  7. IBM Rational AppScan Suite – Comprehensive Application Vulnerability Management
     [Diagram: lifecycle phases Requirements, Code, Build, QA, Security, Pre-Prod and Production, with
     AppScan Source, AppScan Build, AppScan Tester, AppScan Standard, AppScan Enterprise,
     AppScan Reporting Console and AppScan onDemand placed along them]
     • Security Requirements Definition: security requirements defined before design & implementation
     • Build security testing into the IDE
     • Application Security Best Practices – Secure Engineering Framework
     • Automate security / compliance testing in the build process
     • Security / compliance testing incorporated into testing & remediation workflows
     • Security & compliance testing, oversight, control, policy, audits
     • Outsourced testing for security audits & production site monitoring
  8. Black Box vs. White Box
     • Black Box: “Hacker in a box”; requires a running site; Crawl, Test, Validate; AppScan Standard Ed.
     • White Box: “Automated code review”; requires source code / bytecode; Source-to-Sink Analysis; AppScan Source Ed.
  9. White-Box: Source-to-Sink Analysis
     [Diagram labelled Sources, Sinks, Sanitizers]
     Undecidable problem
     Many injection problems:
     • SQL Injection
     • XSS
     • Log Forging
     • Path Traversal
     • Code Execution
     • …
  10. Black-Box vs. White-Box – Paradigm
      • Black Box: cleverly “guesses” behaviors that may demonstrate vulnerabilities
      • White Box: examines an infinite number of behaviors in a finite approach (approximation)
  11. Black-Box vs. White-Box – Perspective
      • Black Box: works as an attacker; HTTP awareness only; works on “the big picture”
      • White Box: resembles code auditing; inspects the small details; hard to “connect the dots”
      [Diagram: “SQL Injection Found”]
  12. Black-Box vs. White-Box – Prerequisite
      • Black Box: any deployed application; mainly used during the testing stage
      • White Box: application code; mainly used in the development stage
      [Diagram: Bank.war]
  13. Black-Box vs. White-Box – Compatibility
      • Black Box: oblivious to languages and platforms; different communication protocols require attention
      • White Box: different languages require support (some frameworks too); oblivious to communication protocols
  14. Black-Box vs. White-Box – Scope
      • Black Box: exercises the entire system
        ◦ Servers (application, HTTP, DB, etc.)
        ◦ External interfaces
        ◦ Network, firewalls
      • White Box: identifies issues regardless of configuration
  15. Black-Box vs. White-Box – Time/Accuracy Tradeoffs
      • Black Box: crawling takes time; testing mutations takes (infinite) time
      • White Box: a refined model consumes space, and time…; analyzing only “important” code
        ◦ Approximating the rest
  16. Black-Box vs. White-Box – Accuracy Challenges
      • Black Box challenge: cover all attack vectors
      • White Box challenge: eliminate non-exploitable issues
  17. Black Box OR White Box?
  18. Security Testing Technologies... Combination Drives Greater Solution Accuracy
      • Static Analysis (Whitebox): automated code review
      • Dynamic Analysis (Blackbox): hacker in a box
      [Diagram: total potential security issues, with dynamic analysis and static analysis overlapping for best coverage]
  19. Smarter security for a smarter planet
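Slide 9's source-to-sink idea, as an added example that is not from the slides and not AppScan code: a minimal taint analysis over a Python AST that reports a finding whenever data from an assumed source reaches an assumed sink without passing through an assumed sanitizer. The source/sink/sanitizer vocabulary, the `escape_sql` name and the toy handler it scans are all constructed for this example; the deliberate shortcuts (intraprocedural, straight-line, no aliasing) are the kind of approximation slides 9, 15 and 16 talk about.

```python
import ast
# Assumed vocabulary (not AppScan's rule set): calls that introduce untrusted data
# (sources), consume it dangerously (sinks) or neutralise it (sanitizers).
SOURCES = {"request.args.get", "request.form.get", "input"}
SINKS = {"cursor.execute": "SQL Injection", "os.system": "Code Execution",
         "open": "Path Traversal", "logging.info": "Log Forging"}
SANITIZERS = {"escape_sql", "html.escape", "int"}

def call_name(call):
    """Dotted target of a call, e.g. request.args.get(...) -> 'request.args.get'."""
    parts, f = [], call.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    return ".".join(reversed(parts + [f.id])) if isinstance(f, ast.Name) else None

def is_tainted(node, tainted):
    """True if the expression may carry source data; a sanitizer call cuts the flow."""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Call):
        name = call_name(node)
        return name not in SANITIZERS and (
            name in SOURCES or any(is_tainted(a, tainted) for a in node.args))
    if isinstance(node, ast.BinOp):  # "..." + x, "..." % x
        return is_tainted(node.left, tainted) or is_tainted(node.right, tainted)
    return False

def analyze(src):
    """[(line, issue)] per sink fed by an unsanitized source; straight-line, intraprocedural."""
    nodes = ast.walk(ast.parse(src))
    tainted, findings = set(), []
    for stmt in sorted((n for n in nodes if isinstance(n, ast.stmt)), key=lambda n: n.lineno):
        if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
            (tainted.add if is_tainted(stmt.value, tainted) else tainted.discard)(stmt.targets[0].id)
        if isinstance(stmt, (ast.Expr, ast.Assign, ast.Return)):  # simple statements only
            for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
                issue = SINKS.get(call_name(call))
                if issue and any(is_tainted(a, tainted) for a in call.args):
                    findings.append((call.lineno, issue))
    return findings
# Constructed target program (a toy handler, not code from the slides).
SAMPLE = '''def lookup(request, cursor):
    user = request.args.get("user")                           # source
    safe = escape_sql(user)                                   # sanitizer
    cursor.execute("SELECT * FROM t WHERE u='" + safe + "'")  # clean
    cursor.execute("SELECT * FROM t WHERE u='" + user + "'")  # SQL Injection
    path = "/data/" + user
    open(path)                                                # Path Traversal
    logging.info("login by %s" % int(user))                   # int() sanitizes
'''
```

`analyze(SAMPLE)` reports the two unsanitized flows (lines 5 and 7 of the toy handler) and stays silent on the two sanitized ones, which is the false-positive/false-negative balance slide 16 calls the white-box accuracy challenge.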