Web Application Security Strategy

Presentation given by K. K. Mookhey and Rohit Salecha at OWASP India 2013 (30 Aug 2013).

  1. Web Application Security Strategy – Getting it Right!
     K. K. Mookhey, Director, and Rohit Salecha, Security Analyst
     Network Intelligence India Pvt. Ltd.
     kkmookhey@niiconsulting.com, Rohit.salecha@niiconsulting.com
     30 Aug 2013
     Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org
  2. Agenda
     • Research Background & Objectives
     • Appsec Initiatives – Options
     • Case Studies
     • Lessons Learnt
     • Way Forward
  3. WAS Global Statistics (AKA standard FUD slides)
  4. WAS Global Statistics – Vulnerability population trends for 2011-2012 as stated by Cenzic: a 26% rise since 2011.
     Source: http://info.cenzic.com/rs/cenzic/images/Cenzic-Application-Vulnerability-Trends-Report-2013.pdf
  5. Ponemon Application Security Report
     • Average cost of a data breach in India: $1.3 million
     • Average number of breached records: 26,586
     • Average amount due to lost business: $283,341
     • Attacks in which web application issues were exploited: 86%
     • Security budget allocated to appsec: 18%!
  6. Existing Studies/Reports
     • WhiteHat Security – Annual Website Security Statistics Report: https://www.whitehatsec.com/assets/WPstatsReport_052013.pdf
     • Coverity – Software Security Risk Report: http://www.coverity.com/library/pdf/the-software-security-risk-report.pdf
     • Cenzic Application Vulnerability Trends Report: https://info.cenzic.com/2013-Application-Security-Trends-Report.html
     • Ponemon Application Security Report: https://www.barracuda.com/docs/white_papers/barracuda_web_app_firewall_wp_cenzic_exec_summary.pdf
     • OWASP Guide for CISOs: https://www.owasp.org/index.php/Application_Security_Guide_For_CISOs
  7. Outcomes
     “The results were both stunning and deeply puzzling. The connections between various software security controls and SDLC behaviors and the vulnerability outcomes and breaches is far more complicated than we ever imagined.”
     “The question we were left with is: Why do we see such widely disparate answers in the exact same industries? How do some organizations effectively manage their change control policies and regulatory obligations so as not to be slowed down while others are severely challenged?”
     Again, perhaps what works is a combination of factors. Perhaps that factor is the amount of pre-production security testing.
  8. One size does not fit all!
     • Surveys/reports cover organizations across industries
     • They do not take into account the nature of the organization’s current web application situation – vendor, in-house, legacy, COTS, etc.
     • They do not take into account the current level of maturity
     • They try to draw general conclusions from the average/sum of all data
  9. Appsec Options
  10. Appsec Program – Options
     • Annual PT
     • On-going assessments
     • Source code reviews
     • Secure coding training
     • Secure coding guidelines
     • Web application firewall
     • Security scanning tool
     • Application security framework
     • Security design review
  11. Burning Questions
     • What should we invest in? What works and what doesn’t?
     • In what sequence?
     • What is likely to give the most ROI in terms of significant improvements?
     • Challenges with these initiatives – how to get them right?
  12. Case Studies – A popular dotcom
  13. Background
     • Working with them since 2004
     • Annual grey-box testing
     • No secure coding guidelines
     • No on-going appsec reviews
     • Just recently procured a WAF
  14. Statistics – Number of Vulnerabilities
     The number of vulnerabilities has gone up between 2012 and 2013.
     [Chart: Jul-12 vs Mar-13; series: Sum of High, Sum of Medium]
  15. Statistics – Type of Vulnerabilities
     The number of business logic issues has gone up between 2012 and 2013.
     [Chart: Jul-12 vs Mar-13; series: Business Logic, Input Validations, Others]
  16. Analysis
     • Lots of new code going live every day: multiple releases per day vs. one release per week previously
     • Pen-testing skills have improved
     • More scope for testing – a lot more functionality on the sites
     • Increase in business-logic issues, as we have now thoroughly understood how the sites work
  17. Case Studies – A BFSI Client
  18. Background
     • BFSI company
     • Used to get periodic penetration tests done
     • Contracted us in 2011 to do on-going appsec testing
     • We did one round of secure coding training as well
     • We work closely with their development teams to help address the issues
     • Development teams are largely outsourced, though many work onsite
  19. Statistics
     The number of vulnerabilities goes up and down – no significant trends emerge! Why?
     [Chart: series Sum of High, Sum of Medium]
  20. Analysis
     • High turnover in the developer teams
     • Lessons imparted via training or daily interactions become useless due to the above
     • Reduction seen where metrics are being used to penalize vendors
     • Source code review is effective but has inherent challenges
  21. Case Studies – A Financial Products IT Company
  22. Background
     • Financial products company
     • Used to get annual penetration tests done
     • Implemented an SCR solution in 2011
     • We did one round of training on secure coding
     • Secure coding guidelines also developed
     • Development done largely by internal teams
  23. Statistics
     The number of vulnerabilities is going down. Why?
     [Chart: May-11 vs Oct-12; series: Sum of High, Sum of Medium]
  24. Analysis
     • Low turnover in the developer team
     • Team leads have been with them for the past 6-7 years
     • The SCR tool faced a lot of resistance, but acceptance has gradually grown
     • Developers have written custom sanitization functions and configured these in the SCR tool
     • No code is uploaded without running it through SCR
     • Lessons learnt from pen-tests have also been incorporated into the secure coding guidelines
  25. SCR Tool
     Challenges
     • Does not identify business logic issues
     • Large number of false positives: “60,000 vulnerable lines, 2nd - 25,000, 3rd - 18,000, 4th - 13,000.”
     • May not support your coding platform
     • Not able to handle large codebases
     Positives
     • Can scan incrementally
     • Allows custom sanitization functions to be configured
     • Allows false positives to be marked
     • Exports data into Excel for easy tracking
     • Has an extensive knowledge base
     • Pin-points the exact location
  26. Case Studies – A Telco
  27. Background
     • Large telco
     • On-going appsec assessments
     • On-going SCR
     • Periodic penetration tests
     • Development done by vendors
     • WAF implemented for a year, but…
  28. Statistics
     The number of vulnerabilities is stable – no significant trends emerge! Why?
     Note: this is a vulnerability tracker, so the issues counted are open issues, not rediscovered issues.
     [Chart: Sep-12, Jan-13, May-13, Jun-13, Aug-13; series: Sum of High, Sum of Medium]
  29. Analysis
     • Vendor delays in fixing the issues
     • Multiple reassessments lead to the same issues remaining open and overlapping across subsequent assessments
     • High level of exposure on the Internet
     • Multiple approaches adopted and a strong focus on appsec in recent times
     • WAF implementation remains a challenge
  30. WAF Challenges
  31. WAF – Right Approach
     • Understand the applications that will be integrated with the WAF
     • Enable the right security policies for the application
     • Test the alerts and violations to identify false positives
     • Involve the development team to verify the URLs learnt, alerts and violations, and to update on mitigation, application changes, and broken links and references
  32. WAF Implementation Mistakes
     • Not changing the default error page of the WAF
     • Changes in the application code not being communicated to whoever runs the WAF
     • Not checking for broken links and broken references
     • Not fine-tuning the web directory and web URLs
     • Keeping the WAF in monitoring mode without a defined plan for migration to block mode
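The alert review that the two WAF slides call for, as an added example (not code from the presentation): it parses constructed ModSecurity-style alert lines gathered in monitoring mode, groups them by rule id and URL, and separates rules that fire for many distinct clients on ordinary pages (candidates for false-positive review with the development team) from rules tripped repeatedly by a single client (likely attack traffic), so that block mode can be switched on with a tuned policy instead of being postponed indefinitely. The log format follows ModSecurity 2.x Apache error-log entries; the rule ids, IP addresses, URIs and the three-distinct-clients threshold are assumptions.

```python
"""Triage of WAF alerts gathered in monitoring mode, before switching to block mode.

Added example; not code from the presentation. The alert lines below are
constructed in the style of ModSecurity 2.x Apache error-log entries; the
rule ids, client addresses and URIs are illustrative only.
"""
import re
from collections import defaultdict

# Constructed sample: one monitoring-mode alert per line, plus one unrelated
# Apache error line that a real log would also contain.
SAMPLE_ALERTS = """\
[Mon Aug 26 10:01:02 2013] [error] [client 10.1.1.10] ModSecurity: Warning. Pattern match "(?i:select.+from)" at ARGS:q. [id "981245"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [uri "/search"]
[Mon Aug 26 10:01:09 2013] [error] [client 10.1.1.11] ModSecurity: Warning. Pattern match "(?i:select.+from)" at ARGS:q. [id "981245"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [uri "/search"]
[Mon Aug 26 10:01:15 2013] [error] [client 10.1.1.12] ModSecurity: Warning. Pattern match "(?i:select.+from)" at ARGS:q. [id "981245"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [uri "/search"]
[Mon Aug 26 10:01:31 2013] [error] [client 10.1.1.13] ModSecurity: Warning. Pattern match "(?i:select.+from)" at ARGS:q. [id "981245"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [uri "/search"]
[Mon Aug 26 10:02:00 2013] [error] [client 10.1.1.30] File does not exist: /var/www/favicon.ico
[Mon Aug 26 10:03:44 2013] [error] [client 203.0.113.5] ModSecurity: Warning. Pattern match "(?i:union.+select)" at ARGS:user. [id "981245"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [uri "/login"]
[Mon Aug 26 10:03:45 2013] [error] [client 203.0.113.5] ModSecurity: Warning. Pattern match "(?i:union.+select)" at ARGS:user. [id "981245"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [uri "/login"]
[Mon Aug 26 10:03:47 2013] [error] [client 203.0.113.5] ModSecurity: Warning. Pattern match "<script" at ARGS:user. [id "973300"] [msg "XSS Attack Detected"] [severity "CRITICAL"] [uri "/login"]
[Mon Aug 26 10:05:00 2013] [error] [client 10.1.1.20] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [uri "/api/status"]
[Mon Aug 26 10:05:30 2013] [error] [client 10.1.1.21] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [uri "/api/status"]
[Mon Aug 26 10:06:00 2013] [error] [client 10.1.1.22] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [uri "/api/status"]
"""

# The bracketed fields ModSecurity appends to each alert line.
FIELD_RE = {
    "client": re.compile(r'\[client (?P<v>[^\]\s]+)'),
    "rule_id": re.compile(r'\[id "(?P<v>\d+)"\]'),
    "msg": re.compile(r'\[msg "(?P<v>[^"]*)"\]'),
    "uri": re.compile(r'\[uri "(?P<v>[^"]*)"\]'),
}


def parse_alert(line):
    """Return the fields of one ModSecurity alert line, or None for any other log line."""
    if "ModSecurity:" not in line:
        return None
    rec = {}
    for name, rx in FIELD_RE.items():
        m = rx.search(line)
        if not m:
            return None  # a truncated or unexpected line: skip rather than guess
        rec[name] = m.group("v")
    return rec


def triage(log_text, fp_threshold=3):
    """Group alerts by (rule id, URI) and give each group a verdict.

    A rule that fires on one URL for many *different* clients is most likely
    matching legitimate traffic and needs review with the developers; a rule
    fired repeatedly by one client is more likely real probing and should stay.
    The threshold of three distinct clients is an assumption; tune it to traffic.
    """
    groups = defaultdict(lambda: {"hits": 0, "clients": set(), "msg": ""})
    for line in log_text.splitlines():
        rec = parse_alert(line)
        if rec is None:
            continue
        g = groups[(rec["rule_id"], rec["uri"])]
        g["hits"] += 1
        g["clients"].add(rec["client"])
        g["msg"] = rec["msg"]
    rows = []
    for (rule_id, uri), g in groups.items():
        n_clients = len(g["clients"])
        verdict = ("review: possible false positive" if n_clients >= fp_threshold
                   else "likely attack: keep rule")
        rows.append({"rule_id": rule_id, "uri": uri, "msg": g["msg"],
                     "hits": g["hits"], "clients": n_clients, "verdict": verdict})
    # Most widely-triggered groups first: those block the most users once in block mode.
    rows.sort(key=lambda r: (-r["clients"], -r["hits"], r["rule_id"]))
    return rows


def exclusion_snippet(rule_id, uri):
    """Apache + ModSecurity 2.x fragment disabling one rule for one path only, the
    narrowest exclusion to apply once the dev team confirms a false positive.
    LocationMatch takes a regex, so escape metacharacters for real paths."""
    return f'<LocationMatch "^{uri}$">\n    SecRuleRemoveById {rule_id}\n</LocationMatch>'


if __name__ == "__main__":
    for r in triage(SAMPLE_ALERTS):
        print(f'{r["rule_id"]:>7} {r["uri"]:<12} hits={r["hits"]} clients={r["clients"]} '
              f'{r["verdict"]}  ({r["msg"]})')
        if r["verdict"].startswith("review"):
            print(exclusion_snippet(r["rule_id"], r["uri"]))
```

The exclusion it prints is deliberately per-path rather than a global `SecRuleRemoveById`: the rule keeps protecting every other URL, and the exclusion itself becomes a record that has to be revisited when the development team reports the application changes the previous slide asks them to communicate.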
  33. Summary of the Options Exercised
     [Table: one row per option below, columns Dotcom / BFSI / IT / Telco; the tick and cross marks in the cells did not survive extraction]
     • Annual VAPT
     • Round-the-clock assessments
     • SCR – tool
     • SC guidelines
     • Threat modeling
     • WAF
     • SC training
     • Appsec tools
     • Security frameworks in use
     • Vulnerability management
  34. So… Where do we go now?
  35. Strategic Options / 1
     • If you have all your development done in-house
     • If your team is relatively stable
     • Then:
       • Embed security into the SDLC, beginning with on-going assessments
       • Source code reviews
       • Have someone manage the SCR tool output
       • Training
       • Development of secure coding guidelines
       • Development/embedding of a security framework
  36. Strategic Options / 2
     • If you have many complex, heterogeneous systems, some from vendors, some in-house
     • Then:
       • Same strategy as #1, plus…
       • Strong vendor management processes for meeting security objectives
       • WAF
  37. Strategic Options / 3
     • If all your applications are from vendors
     • And if you have limited budgets
     • On-going assessments
     • But eventually…
  38. Strategic Options / 4
     • If you are a vendor
     • Then: do everything! Seriously, is that even a question?
       • Pre-hiring checks
       • Training – after hiring and periodically thereafter
       • Secure coding guidelines
       • Security frameworks
       • Threat modeling
       • Grey-box assessments
       • Source code reviews – embed SCR into the IDE
       • Include the number of security bugs in developer appraisals
       • Incentivize security innovation
       • Internal & external marketing, nay, evangelism!
  39. Common Elements of any Strategy
     • Management commitment
     • Prioritized approach
     • Measurement & metrics
       • Number of issues per application – trend over time
       • Number of issues by vendor
       • Time taken to fix issues
       • Number of issues by source (grey-box, external PT, source code review, etc.)
       • See what works and what doesn’t for your organization
     • Vendor management
       • SLAs for fixing security bugs
       • Service credits for bugs found
       • Enforcing security assessments by the vendor
       • Enforcing adoption of an SDL by the vendor
  40. Open Questions…
     • Outsource vs. in-house security assessment
     • Legacy apps – orphaned
     • Level of enforcement at the vendor’s end
     • Procure a tool vs. security as a service
     • Business logic issues
     • Bug bounty program
  41. Any Questions? Thank You! Take the survey: http://niiconsulting.com/surveys/wass/index.php