Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
Web Application Security Strategy – Getting it Right!
K. K. Mookhey, Director, Network Intelligence India Pvt. Ltd. (kkmookhey@niiconsulting.com)
Rohit Salecha, Security Analyst, Network Intelligence India Pvt. Ltd. (Rohit.salecha@niiconsulting.com)
30 Aug 2013
Agenda
• Research Background & Objectives
• Appsec Initiatives – Options
• Case Studies
• Lessons Learnt
• Way Forward
WAS Global Statistics (AKA standard FUD slides)
WAS Global Statistics
Vulnerability Population Trends for 2011-2012 as stated by Cenzic: a 26% rise since 2011
Source: http://info.cenzic.com/rs/cenzic/images/Cenzic-Application-Vulnerability-Trends-Report-2013.pdf
Ponemon Application Security Report
• Average cost of a data breach in India: $1.3 Million
• Average number of breached records: 26,586
• Average amount due to lost business: $283,341
• Attacks in which web app issues were exploited: 86%
• Security budget allocated to appsec: 18%
Existing Studies/Reports
WhiteHat Security – Annual Website Security Statistics Report
https://www.whitehatsec.com/assets/WPstatsReport_052013.pdf
Coverity – Software Security Risk Report
http://www.coverity.com/library/pdf/the-software-security-risk-report.pdf
Cenzic Application Vulnerability Trends Report
https://info.cenzic.com/2013-Application-Security-Trends-Report.html
Ponemon Application Security Report
https://www.barracuda.com/docs/white_papers/barracuda_web_app_firewall_wp_cenzic_exec_summary.pdf
OWASP Guide for CISOs
https://www.owasp.org/index.php/Application_Security_Guide_For_CISOs
Outcomes
“The results were both stunning and deeply puzzling. The connections between various software security controls and SDLC behaviors and the vulnerability outcomes and breaches is far more complicated than we ever imagined.”
“The question we were left with is: Why do we see such widely disparate answers in the exact same industries? How do some organizations effectively manage their change control policies and regulatory obligations so as not to be slowed down while others are severely challenged?”
Again, perhaps what works is a combination of factors. Perhaps that factor is the amount of pre-production security testing.
One size does not fit all!
• Surveys/reports cover organizations across industries
• Do not take into account the nature of the organization’s current web app situation – vendor, in-house, legacy, COTS, etc.
• Do not take into account the current level of maturity
• Try to draw general conclusions from the average/sum of all data
Appsec Options
Appsec Program – Options
• Annual PT
• On-going Assessments
• Source Code Reviews
• Secure Coding Training
• Secure Coding Guidelines
• Web Application Firewall
• Security Scanning Tool
• Application Security Framework
• Security Design Review
Burning questions
• What should we invest in? What works and what doesn’t?
• In what sequence?
• What is likely to give the most ROI in terms of significant improvements?
• Challenges with these initiatives – how to get them right?
Case Studies: A popular dotcom
Background
• Working with them since 2004
• Annual Grey-box Testing
• No secure coding guidelines
• No on-going Appsec reviews
• Just recently procured a WAF
Statistics – Number of Vulnerabilities
The number of vulnerabilities has gone up between 2012 and 2013.
[Chart: Sum of High and Sum of Medium findings, Jul-12 vs. Mar-13; y-axis 0 to 10]
Statistics – Type of Vulnerabilities
The number of business logic issues has gone up between 2012 and 2013.
[Chart: Business Logic, Input Validation and Other findings, Jul-12 vs. Mar-13; y-axis 0 to 8]
Analysis
• Lots of new code going live every day: multiple releases per day vs. one release per week previously
• Pen-testing skills have improved
• More scope for testing – a lot more functionality on the sites
• Increase in business-logic issues – as we have thoroughly understood their workings now
Case Studies: A BFSI Client
Background
• BFSI company
• Used to get periodic penetration tests done
• Contracted us in 2011 to do on-going appsec testing
• We did 1 round of secure coding training as well
• We work closely with their development teams to help address the issues
• Development teams are largely outsourced – though many are working onsite
Statistics
The number of vulnerabilities goes up and down – no significant trends emerge! Why?
[Chart: Sum of High and Sum of Medium findings per assessment; y-axis 0 to 300]
Analysis
• High turnover in the developer teams
• Lessons imparted via training or daily interactions become useless due to the above
• Reduction seen where metrics are being used to penalize vendors
• Source code review is effective but has inherent challenges
Case Studies: A Financial Products IT Company
Background
• Financial Products Company
• Used to get annual penetration tests done
• Implemented SCR solution in 2011
• We did 1 round of training on secure coding
• Secure coding guidelines also developed
• Development done largely by internal teams
Statistics
The number of vulnerabilities is going down. Why?
[Chart: Sum of High and Sum of Medium findings, May-11 vs. Oct-12; y-axis 0 to 12]
Analysis
• Low turnover in the developer team
• Team leads have been with them for the past 6-7 years
• The SCR tool faced a lot of resistance, but gradually acceptability has grown
• Developers have written custom sanitization functions and configured these in the SCR tool
• No code is uploaded without running it through SCR
• Lessons learnt from pen-tests have also been incorporated into the secure coding guidelines
SCR Tool
• Challenges
  • Does not identify business logic issues
  • Large number of false positives – “60,000 vulnerable lines, 2nd - 25,000, 3rd - 18,000, 4th - 13,000.”
  • May not support your coding platform
  • Not able to handle large codebases
• Positives
  • Can scan incrementally
  • Allows custom sanitization functions to be configured
  • Allows false positives to be marked
  • Exports data into Excel for easy tracking
  • Has an extensive knowledge base
  • Pin-points the exact location
Case Studies: A Telco
Background
• Large telco
• On-going appsec assessments
• On-going SCR
• Periodic penetration tests
• Development done by vendors
• WAF implemented a year ago, but…
Statistics
[Chart: Sum of High and Sum of Medium open findings at Sep-12, Jan-13, May-13, Jun-13 and Aug-13; y-axis 0 to 400]
The number of vulnerabilities is stable – no significant trends emerge! Why?
Note: this is a vulnerability tracker, so the issues shown are open issues, not rediscovered issues.
Analysis
• Vendor delays in fixing the issues
• Multiple reassessments lead to the issues remaining open and overlapping in subsequent assessments
• High level of exposure on the Internet
• Multiple approaches adopted and a strong focus on appsec in recent times
• WAF implementation remains a challenge
WAF Challenges
WAF: The Right Approach
• Understanding of the applications that will be integrated with the WAF
• Enabling the right security policies for the application
• Testing the alerts and violations to identify the false positives
• Involvement of the development team to verify the URLs learnt, alerts and violations, and to keep the WAF team updated on the mitigation, on application changes, and on broken links & references
WAF Implementation Mistakes
• Not changing the default error page of the WAF
• Not informing the WAF team about the changes that happen in the application code
• Not checking for broken links and broken references
• Not fine-tuning the learnt web directories and web URLs
• Keeping the WAF in monitoring mode, without a defined plan for migration to block mode
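The two WAF slides above come down to one operational loop: collect alerts in monitoring mode, have the development team mark which alerts are legitimate application traffic, and use that evidence to move the WAF to block mode rule by rule rather than all at once. The script below is an added example that is not part of the original deck and is not tied to any WAF product: the alert records, the rule IDs, the application URL inventory and the thresholds (MIN_SAMPLES, MAX_FP_RATIO, MAX_EXCLUDED_URIS) are constructed assumptions. It also lists alert paths missing from the development team's URL inventory, which is where broken links and references and un-tuned directories show up.

```python
"""Triage WAF alerts collected in monitoring (detect-only) mode and decide,
per rule, whether it is safe to move that rule to block mode.

Added example, not part of the original deck. The alert records, the rule
IDs, the application URL inventory and the thresholds are all constructed
assumptions; they are not the output or policy format of any WAF product.
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

MIN_SAMPLES = 5         # assumption: fewer alerts than this is too little evidence
MAX_FP_RATIO = 0.05     # assumption: above 5% false positives, keep tuning the rule
MAX_EXCLUDED_URIS = 3   # assumption: FPs confined to <=3 paths get a path exclusion


@dataclass(frozen=True)
class Alert:
    rule_id: str
    uri: str          # request path, possibly with a query string
    legitimate: bool  # dev team's verdict: True = normal traffic, i.e. a false positive


# Constructed sample: monitoring-mode alerts after the development team
# reviewed each one and marked legitimate application traffic.
SAMPLE_ALERTS = [
    *[Alert("R-SQLI", "/login?next=/home", False)] * 12,   # real injection probes
    *[Alert("R-XSS", "/cms/article/save", True)] * 8,      # rich-text editor posts HTML
    *[Alert("R-XSS", "/search?q=x", False)] * 30,          # real XSS probes
    *[Alert("R-TRAVERSAL", "/download", True)] * 3,        # too few alerts to judge
    *[Alert("R-HOST", "/api/v2/export", True)] * 2,        # rule fires on normal traffic
    *[Alert("R-HOST", "/reports/legacy.jsp", True)] * 3,   # ...including a path nobody owns
    *[Alert("R-HOST", "/orders/", True)] * 4,
    *[Alert("R-HOST", "/orders/history", True)] * 4,
]

# Constructed: the URL inventory the development team confirmed as current.
KNOWN_URIS = {"/login", "/search", "/cms/article/save", "/download",
              "/orders", "/orders/history", "/api/v2/export"}


def normalise(uri: str) -> str:
    """Drop the query string and trailing slash so /orders/?page=2 and /orders match."""
    path = urlsplit(uri).path.rstrip("/")
    return path or "/"


def decide(alerts, known_uris=KNOWN_URIS):
    """Return ({rule_id: (decision, reason)}, unknown_uris).

    unknown_uris are alert paths missing from the inventory: candidates for
    broken links/references or directories the WAF policy never covered."""
    per_rule = defaultdict(list)
    for a in alerts:
        per_rule[a.rule_id].append(a)
    unknown = {normalise(a.uri) for a in alerts} - {normalise(u) for u in known_uris}

    decisions = {}
    for rule_id, rule_alerts in sorted(per_rule.items()):
        total = len(rule_alerts)
        fp_count = sum(a.legitimate for a in rule_alerts)
        fp_uris = sorted({normalise(a.uri) for a in rule_alerts if a.legitimate})
        ratio = fp_count / total
        if total < MIN_SAMPLES:
            decisions[rule_id] = ("monitor", f"only {total} alerts, need {MIN_SAMPLES}")
        elif fp_count == 0:
            decisions[rule_id] = ("block", f"{total} alerts, no false positives")
        elif len(fp_uris) <= MAX_EXCLUDED_URIS:
            # FPs are localised: block everywhere except these paths
            decisions[rule_id] = ("block-with-exclusion", "exclude " + ", ".join(fp_uris))
        elif ratio > MAX_FP_RATIO:
            decisions[rule_id] = ("tune", f"{ratio:.0%} false positives across {len(fp_uris)} paths")
        else:
            decisions[rule_id] = ("block", f"{ratio:.0%} false positives, within tolerance")
    return decisions, unknown


if __name__ == "__main__":
    decisions, unknown = decide(SAMPLE_ALERTS)
    for rule_id, (decision, reason) in decisions.items():
        print(f"{rule_id:12} {decision:20} {reason}")
    print("alert paths not in the URL inventory:", sorted(unknown))
```

Run as a script it prints one decision per rule. The design point is that a rule whose false positives sit on one or two paths (a rich-text editor, an upload endpoint) can go to block mode with a path exclusion, while a rule that fires on legitimate traffic across the application is a tuning problem and stays in monitoring. Both the exclusion list and the unknown-path list go back to the development team for verification, which is the involvement the slide asks for.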
Summary of the Options Exercised
[Table: each option against the four clients (Dotcom, BFSI, IT, Telco), ticked where the client exercised it]
Options: Annual VAPT; Round-the-clock Assessments; SCR – Tool; SC Guidelines; Threat Modeling; WAF; SC Training; Appsec Tools; Security Frameworks in use; Vulnerability Management
So… Where do we go now?
Strategic Options / 1
• If you have all your development done in-house
• If your team is relatively stable
• Then:
  • Embed security into the SDLC by beginning with on-going assessments
  • Source code reviews
  • Have someone manage the SCR tool output
  • Training
  • Development of secure coding guidelines
  • Development/embedding of a security framework
Strategic Options / 2
• If you have many complex, heterogeneous systems, some from vendors, some in-house
• Then:
  • Same strategy as #1, plus…
  • Strong vendor management processes for meeting security objectives
  • WAF
Strategic Options / 3
• If all your applications are from vendors
• And if you have limited budgets
  • On-going assessments
  • But eventually…
Strategic Options / 4
• If you are a vendor
• Then:
  • Do everything! Seriously, is that even a question?
  • Pre-hiring checks
  • Training – after hiring and periodically thereafter
  • Secure coding guidelines
  • Security frameworks
  • Threat modeling
  • Grey-box assessments
  • Source code reviews – embed SCR into the IDE
  • Include # of security bugs in developer appraisals
  • Incentivize security innovation
  • Internal & external marketing, nay, evangelism!
Common Elements of any Strategy
• Management commitment
• Prioritized approach
• Measurement & metrics
  • # of issues per application – trend over time
  • # of issues by vendor
  • Time taken to fix issues
  • # of issues by source (grey-box, external PT, source code review, etc.)
  • See what works and what doesn’t for your organization
• Vendor management
  • SLAs for fixing security bugs
  • Service credits for bugs found
  • Enforcing security assessments by the vendor
  • Enforcing adoption of an SDL by the vendor
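To make the measurement bullets concrete, the script below is an added example that is not part of the original deck: it reads a vulnerability tracker export and produces the four metrics listed above plus the SLA breaches per vendor that the vendor-management bullets depend on. The tracker columns, the eight sample rows, the SLA values (30 days for High, 90 for Medium) and the report date are constructed assumptions; map them onto your own tracker's fields.

```python
"""Program metrics from a vulnerability tracker export: per-application trend,
issues by vendor and by source, time to fix and SLA breaches per vendor.

Added example, not part of the original deck. The tracker columns, the rows
and the SLA values are constructed assumptions; map them to your own tracker.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import date
from statistics import median

# Constructed tracker export: one row per finding. 'fixed' is empty while open.
TRACKER_CSV = """\
id,app,vendor,severity,source,found,fixed
1,netbanking,VendorA,High,grey-box,2012-09-10,2012-10-02
2,netbanking,VendorA,High,grey-box,2012-09-10,2012-12-01
3,netbanking,VendorA,Medium,external PT,2012-09-10,
4,portal,VendorB,High,SCR,2013-01-15,2013-01-30
5,portal,VendorB,Medium,SCR,2013-01-15,2013-03-20
6,portal,VendorB,Medium,grey-box,2013-05-20,
7,netbanking,VendorA,Medium,grey-box,2013-05-20,2013-05-25
8,netbanking,VendorA,High,external PT,2013-05-20,
"""

SLA_DAYS = {"High": 30, "Medium": 90}  # assumption: contractual fix SLA by severity
AS_OF = date(2013, 8, 30)              # report date; open findings are aged up to here


def load(csv_text):
    """Parse the export into dicts with real date objects (fixed=None while open)."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        r["found"] = date.fromisoformat(r["found"])
        r["fixed"] = date.fromisoformat(r["fixed"]) if r["fixed"] else None
        rows.append(r)
    return rows


def issues_per_app_over_time(rows):
    """{app: {assessment date (ISO): {severity: count}}}: the trend to plot per application."""
    trend = defaultdict(lambda: defaultdict(Counter))
    for r in rows:
        trend[r["app"]][r["found"].isoformat()][r["severity"]] += 1
    return trend


def issues_by(rows, column):
    """Count findings by any column, e.g. 'vendor' or 'source'."""
    return Counter(r[column] for r in rows)


def days_to_fix(rows, as_of=AS_OF):
    """Per vendor: median days to fix, number of SLA breaches, open findings.

    A fixed finding breaches if it took longer than its SLA; an open finding
    breaches once it has been open longer than its SLA as of the report date."""
    out = {}
    for vendor in sorted({r["vendor"] for r in rows}):
        fixed_days, breaches, open_count = [], 0, 0
        for r in rows:
            if r["vendor"] != vendor:
                continue
            age = ((r["fixed"] or as_of) - r["found"]).days
            if r["fixed"]:
                fixed_days.append(age)
            else:
                open_count += 1
            if age > SLA_DAYS[r["severity"]]:
                breaches += 1
        out[vendor] = {"median_days": median(fixed_days) if fixed_days else None,
                       "sla_breaches": breaches, "open": open_count}
    return out


if __name__ == "__main__":
    rows = load(TRACKER_CSV)
    for app, by_date in issues_per_app_over_time(rows).items():
        for day, counts in sorted(by_date.items()):
            print(f"{app:12} {day}  High={counts['High']} Medium={counts['Medium']}")
    print("by vendor:", dict(issues_by(rows, "vendor")))
    print("by source:", dict(issues_by(rows, "source")))
    for vendor, m in days_to_fix(rows).items():
        print(f"{vendor}: median {m['median_days']} days to fix, "
              f"{m['sla_breaches']} SLA breaches, {m['open']} open")
```

The report date matters: an open finding counts against the vendor's SLA as soon as it has been open longer than the SLA, not only once it is eventually fixed; otherwise the vendor with the slowest fixes looks best on the median. Trending per application by assessment date is what turns the case-study charts into something that can be compared across vendors and across sources within one organization.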
Open Questions…
• Outsource vs. In-house Security Assessment
• Legacy Apps – Orphaned
• Level of enforcement at the vendor’s end
• Procure tool vs. Security as a Service
• Business Logic Issues
• Bug Bounty Program
Any Questions?
Thank You!
Take the Survey!
http://niiconsulting.com/surveys/wass/index.php

FWD Group - Insurer Innovation Award 2024
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 

Web Application Security Strategy

1. OWASP
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org
Web Application Security Strategy – Getting it Right!
K. K. Mookhey, Director
Rohit Salecha, Security Analyst
Network Intelligence India Pvt. Ltd.
kkmookhey@niiconsulting.com
Rohit.salecha@niiconsulting.com
30 Aug 2013

2. OWASP
Agenda
• Research Background & Objectives
• Appsec Initiatives – Options
• Case Studies
• Lessons Learnt
• Way Forward

4. OWASP
WAS Global Statistics
Vulnerability Population Trends for 2011-2012 as stated by Cenzic – 26% rise since 2011
Source: http://info.cenzic.com/rs/cenzic/images/Cenzic-Application-Vulnerability-Trends-Report-2013.pdf

5. OWASP
Ponemon Application Security Report
• Average cost of data breach in India: $1.3 Million
• Average number of breached records: 26,586
• Average amount due to lost business: $283,341
• Attacks in which web app issues were exploited: 86%
• Security budget allocated to appsec!: 18%

6. OWASP
Existing Studies/Reports
• WhiteHat Security – Annual Website Security Statistics Report
  https://www.whitehatsec.com/assets/WPstatsReport_052013.pdf
• Coverity – Software Security Risk Report
  http://www.coverity.com/library/pdf/the-software-security-risk-report.pdf
• Cenzic Application Vulnerability Trends Report
  https://info.cenzic.com/2013-Application-Security-Trends-Report.html
• Ponemon Application Security Report
  https://www.barracuda.com/docs/white_papers/barracuda_web_app_firewall_wp_cenzic_exec_summary.pdf
• OWASP Guide for CISOs
  https://www.owasp.org/index.php/Application_Security_Guide_For_CISOs

7. OWASP
Outcomes
“The results were both stunning and deeply puzzling. The connections between various software security controls and SDLC behaviors and the vulnerability outcomes and breaches is far more complicated than we ever imagined.”
“The question we were left with is: Why do we see such widely disparate answers in the exact same industries? How do some organizations effectively manage their change control policies and regulatory obligations so as not to be slowed down while others are severely challenged?”
Again, perhaps what works is a combination of factors. Perhaps that factor is the amount of pre-production security testing.

8. OWASP
One size does not fit all!
• Surveys/Reports cover organizations across industries
• Do not take into account the nature of the organization’s current web app situation – vendor, in-house, legacy, COTS, etc.
• Do not take into account the current level of maturity
• Try to draw general conclusions from the average/sum of all data

10. OWASP
Appsec Program – Options
• Annual PT
• On-going Assessments
• Source Code Reviews
• Secure Coding Training
• Secure Coding Guidelines
• Web Application Firewall
• Security Scanning Tool
• Application Security Framework
• Security Design Review

11. OWASP
Burning questions
• What should we invest in? What works and what doesn’t?
• In what sequence?
• What is likely to give the most ROI in terms of significant improvements?
• Challenges with these initiatives – how to get them right?

13. OWASP
Background
• Working with them since 2004
• Annual Grey-box Testing
• No secure coding guidelines
• No on-going Appsec reviews
• Just recently procured a WAF

14. OWASP
Statistics – Number of Vulnerabilities
The # of vulnerabilities has gone up between 2012 and 2013
[Chart: Sum of High and Sum of Medium, Jul-12 vs Mar-13; y-axis 0 to 10]

15. OWASP
Statistics – Type of Vulnerabilities
The # of Business Logic Issues has gone up between 2012 and 2013
[Chart: Business Logic, Input Validations and Others, Jul-12 vs Mar-13; y-axis 0 to 8]

16. OWASP
Analysis
• Lots of new code going live every day: multiple releases per day vs. one release per week previously
• Pen-testing skills have improved
• More scope for testing – a lot more functionality on the sites
• Increase in business-logic issues – as we have thoroughly understood their workings now

18. OWASP
Background
• BFSI Company
• Used to get periodic penetration tests done
• Contracted us in 2011 to do on-going appsec testing
• We did 1 round of secure coding training as well
• We work closely with their development teams to help address the issues
• Development teams are largely outsourced – though many are working onsite

19. OWASP
Statistics
The # of vulnerabilities goes up and down – no significant trends emerge! Why?
[Chart: Sum of High and Sum of Medium per assessment; y-axis 0 to 300]

20. OWASP
Analysis
• High turnover in the developer teams
• Lessons imparted via training or daily interactions become useless due to the above
• Reduction seen where metrics are being used to penalize vendors
• Source Code Review is effective but has inherent challenges

21. OWASP
Case studies: A Financial Products IT Company

22. OWASP
Background
• Financial Products Company
• Used to get annual penetration tests done
• Implemented SCR solution in 2011
• We did 1 round of training on secure coding
• Secure coding guidelines also developed
• Development done largely by internal teams

23. OWASP
Statistics
The # of vulnerabilities is going down. Why?
[Chart: Sum of High and Sum of Medium, May-11 vs Oct-12; y-axis 0 to 12]

24. OWASP
Analysis
• Low turnover in the developer team
• Team leads have been with them for the past 6-7 years
• SCR tool faced a lot of resistance, but gradually acceptability has grown
• Developers have written custom sanitization functions and configured these in the SCR tool
• No code is uploaded without running it through SCR
• Lessons learnt from pen-tests have also been incorporated into the secure coding guidelines

25. OWASP
SCR Tool
• Challenges
  • Does not identify business logic issues
  • Large number of false positives: “60,000 vulnerable lines, 2nd - 25,000, 3rd - 18,000, 4th - 13,000.”
  • May not support your coding platform
  • Not able to handle large codebases
• Positives
  • Can scan incrementally
  • Allows custom sanitization functions to be configured
  • Allows false positives to be marked
  • Exports data into Excel for easy tracking
  • Has extensive knowledge base
  • Pin-points exact location
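The two SCR positives the IT case study relied on, configuring custom sanitization functions and marking false positives, can be shown on a toy taint tracker. This is an added example written for this page, not the SCR product from the case study or any code from the presenters: the statement format, the sample program, the sink and sanitizer tables and the ScrConfig class are all constructed. It shows why an untuned tool reports an in-house sanitizer as a vulnerability, and how registering that sanitizer and suppressing one accepted finding leaves only the genuine issue.

```python
"""Toy taint tracker: SCR findings before and after the team tunes the tool.
Added example; not the SCR product from the case study.
The statement format and the sample program are constructed."""
from dataclasses import dataclass, field

# Constructed sample program, one straight-line statement per tuple:
# (source line, assigned variable or None, called function, argument names)
SAMPLE_PROGRAM = [
    (10, "name", "request.get", ()),                # untrusted input enters
    (11, "clean_name", "escape_html", ("name",)),  # standard sanitizer the tool knows
    (12, "sql_name", "my_sql_quote", ("name",)),   # in-house sanitizer the tool does not know
    (13, None, "render", ("clean_name",)),          # HTML sink, correctly sanitized
    (14, None, "db.execute", ("sql_name",)),        # SQL sink, sanitized in-house
    (15, None, "db.execute", ("name",)),            # SQL sink, genuinely unsanitized
    (16, None, "log.debug", ("name",)),             # flagged by the tool, accepted by the team
]

SOURCES = {"request.get"}
SINKS = {"render": "XSS", "db.execute": "SQLi", "log.debug": "Log injection"}
# Sanitizer name -> vulnerability classes it neutralises (the tool's built-in knowledge base)
BUILTIN_SANITIZERS = {"escape_html": {"XSS"}}


@dataclass
class ScrConfig:
    """Tuning the team applies to the tool (constructed for this example)."""
    custom_sanitizers: dict = field(default_factory=dict)  # callee -> classes it neutralises
    suppressed: set = field(default_factory=set)           # (line, class) marked false positive


def analyse(program, config=None):
    """Return (line, vulnerability class, variable) for every tainted value reaching a sink.
    Business-logic flaws are invisible to this kind of analysis, as the slide notes."""
    config = config or ScrConfig()
    sanitizers = {**BUILTIN_SANITIZERS, **config.custom_sanitizers}
    taint = {}       # variable -> set of classes it can still trigger
    findings = []
    for line, target, callee, args in program:
        incoming = set().union(*(taint.get(a, set()) for a in args))
        if callee in SOURCES:
            taint[target] = set(SINKS.values())          # tainted for every class
        elif callee in sanitizers:
            taint[target] = incoming - sanitizers[callee]
        elif callee in SINKS:
            vclass = SINKS[callee]
            for arg in args:
                if vclass in taint.get(arg, set()) and (line, vclass) not in config.suppressed:
                    findings.append((line, vclass, arg))   # pin-points the exact line
        elif target is not None:
            taint[target] = incoming                      # unknown call: propagate conservatively
    return findings


def gate_passes(program, config=None):
    """'No code is uploaded without running it through SCR': the commit gate."""
    return not analyse(program, config)


if __name__ == "__main__":
    print("untuned:", analyse(SAMPLE_PROGRAM))
    tuned = ScrConfig(custom_sanitizers={"my_sql_quote": {"SQLi"}},
                      suppressed={(16, "Log injection")})
    print("tuned:  ", analyse(SAMPLE_PROGRAM, tuned))
```

Untuned, the tracker reports three findings, including the in-house `my_sql_quote` path; with the sanitizer registered and line 16 marked as accepted, only the unsanitized query on line 15 remains, and the commit gate still fails until it is fixed.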
27. OWASP
Background
• Large Telco
• On-going Appsec assessments
• On-going SCR
• Periodic penetration tests
• Development done by vendors
• WAF implemented for a year, but…

28. OWASP
Statistics
[Chart: Sum of High and Sum of Medium at Sep-12, Jan-13, May-13, Jun-13, Aug-13; y-axis 0 to 400]
The # of vulnerabilities is stable – no significant trends emerge! Why?
Note: this is a vulnerability tracker, so issues are open issues, not rediscovered issues

29. OWASP
Analysis
• Vendor delays in fixing the issues
• Multiple reassessments lead to the issues remaining open and overlapping in subsequent assessments
• High level of exposure on the Internet
• Multiple approaches adopted and strong focus on appsec in recent times
• WAF implementation remains a challenge

31. OWASP
WAF Right Approach
• Understanding of the applications that will be integrated with the WAF
• Enabling the right security policies for the application
• Testing the alerts and violations to identify the false positives
• Involvement of the development team to verify the URLs learnt, alerts and violations, and to provide updates on mitigation, application changes, and broken links & references

32. OWASP
WAF Implementation Mistakes
• Not changing the default error page of the WAF
• Not informing the WAF team about changes that happen in the application code
• Not checking for broken links and broken references
• Not fine-tuning the web directories and URLs
• Keeping the WAF in Monitoring Mode, without a defined plan for migration to Block Mode
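Two of the mistakes on the slide above (the default error page, and monitoring mode with no cut-over to blocking) and one element of the right approach (scoping exclusions to URLs the development team has verified) map directly onto WAF configuration. The following is an added example, not configuration from the Telco case study or from the presenters; it assumes ModSecurity 2.x running as an Apache module, and the log path, error-page path and application path are constructed for illustration.

```apache
# Assumed setup: ModSecurity 2.x as an Apache module. Paths are constructed.
# The two SecRuleEngine settings below are alternatives; keep only one in a real file.

# --- Weak: WAF left in monitoring mode indefinitely, stock error page, no scoped tuning ---
SecRuleEngine DetectionOnly
# Nothing is ever blocked, and once blocking is turned on clients would see the
# server's default 403 page, which advertises the WAF.

# --- Corrected: blocking mode after a dated cut-over, custom error page, scoped tuning ---
SecRuleEngine On
# Every matching rule denies with 403 and writes an audit record the team can review.
SecDefaultAction "phase:2,deny,status:403,log,auditlog"
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/modsec_audit.log

# Serve the organisation's own error page instead of the WAF/server default.
ErrorDocument 403 /errors/403.html
# Keep the error page itself out of inspection so it can always be served.
<Location /errors/>
    SecRuleEngine Off
</Location>

# A false positive confirmed with the development team for one learnt URL is
# excluded only for that path, never globally. 942100 is the OWASP CRS
# libinjection SQL injection rule; the application path is constructed.
<Location /app/reports/export>
    SecRuleRemoveById 942100
</Location>
```

The usual rollout is to run in `DetectionOnly` only while the alerts from the learning period are being reviewed with the developers, with a fixed date for switching to `On`; every per-path exclusion added during that review should be tied to an application change record, so that code changes the slide warns about ("not informing about the changes") are caught when the exclusion is revisited.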
33. OWASP
Summary of the Options Exercised
[Table: which option each case study (Dotcom, BFSI, IT, Telco) exercised; the check-mark cells did not survive extraction. Rows:]
• Annual VAPT
• Round-the-clock Assessments
• SCR – Tool
• SC Guidelines
• Threat Modeling
• WAF
• SC Training
• Appsec Tools
• Security Frameworks in use
• Vulnerability Management

35. OWASP
Strategic Options / 1
• If you have all your development done in-house
• If your team is relatively stable
• Then:
  • Embed security into the SDLC by beginning with on-going assessments
  • Source code reviews
  • Have someone manage the SCR Tool output
  • Training
  • Development of secure coding guidelines
  • Development/Embedding of a security framework

36. OWASP
Strategic Options / 2
• If you have many complex, heterogeneous systems, some from vendors, some in-house
• Then:
  • Same strategy as #1, plus…
  • Strong vendor management processes for meeting security objectives
  • WAF

37. OWASP
Strategic Options / 3
• If all your applications are from vendors
• And if you have limited budgets
  • On-going assessments
  • But eventually…

38. OWASP
Strategic Options / 4
• If you are a vendor
• Then:
  • Do everything! Seriously, is that even a question?
  • Pre-hiring checks
  • Training – after hiring and periodically thereafter
  • Secure coding guidelines
  • Security frameworks
  • Threat modeling
  • Grey-box assessments
  • Source code reviews – embed SCR into the IDE
  • Include # of security bugs in developer appraisals
  • Incentivize security innovation
  • Internal & external marketing, nay, evangelism!

39. OWASP
Common Elements of any Strategy
• Management Commitment
• Prioritized Approach
• Measurement & Metrics
  • # of issues per application – trend over time
  • # of issues by vendor
  • Time taken to fix issues
  • # of issues by source (grey-box, external PT, source code review, etc.)
  • See what works and what doesn’t for your organization
• Vendor Management
  • SLAs for fixing security bugs
  • Service credits for bugs found
  • Enforcing security assessments by the vendor
  • Enforcing adoption of SDL by the vendor
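The metrics listed on the slide above, and the vendor SLA that the Vendor Management bullets depend on, are simple to compute once findings live in a tracker like the one the Telco case used. This is an added example, not data or code from any of the case studies: the seven findings, the two vendors, the application names and the SLA thresholds are all constructed, and the record layout is a plain tuple chosen for the example.

```python
"""Vulnerability tracker metrics from the 'Common Elements of any Strategy' slide:
per-application trend, issues by vendor, time to fix, issues by source, and SLA
breaches per vendor. Added example; all findings and thresholds are constructed."""
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample findings from a hypothetical tracker (not case-study data):
# (application, vendor, source of finding, severity, date found, date fixed or None)
FINDINGS = [
    ("portal",  "VendorA",  "grey-box",    "High",   date(2013, 1, 10), date(2013, 1, 30)),
    ("portal",  "VendorA",  "grey-box",    "Medium", date(2013, 1, 10), date(2013, 3, 15)),
    ("portal",  "VendorA",  "external PT", "High",   date(2013, 5, 2),  None),
    ("portal",  "VendorA",  "SCR",         "Medium", date(2013, 5, 2),  date(2013, 5, 20)),
    ("billing", "VendorB",  "SCR",         "High",   date(2013, 1, 12), date(2013, 1, 20)),
    ("billing", "VendorB",  "SCR",         "Medium", date(2013, 5, 3),  date(2013, 5, 10)),
    ("billing", "in-house", "grey-box",    "High",   date(2013, 5, 3),  None),
]

# Constructed SLA: maximum days an issue of each severity may stay open.
SLA_DAYS = {"High": 15, "Medium": 45}
# Reporting date used to age the still-open issues (constructed).
AS_OF = date(2013, 6, 1)


def _month(d):
    return f"{d.year}-{d.month:02d}"


def new_issues_per_app_per_month(findings):
    """'# of issues per application, trend over time': issues found per month, per app."""
    trend = defaultdict(lambda: defaultdict(int))
    for app, _vendor, _source, _sev, found, _fixed in findings:
        trend[app][_month(found)] += 1
    return {app: dict(months) for app, months in trend.items()}


def issues_by(findings, index):
    """Count issues by one field of the record: index 1 = vendor, index 2 = source."""
    counts = defaultdict(int)
    for rec in findings:
        counts[rec[index]] += 1
    return dict(counts)


def mean_days_to_fix(findings):
    """'Time taken to fix issues', over the issues that have actually been closed."""
    durations = [(fixed - found).days for *_, found, fixed in findings if fixed is not None]
    return mean(durations) if durations else None


def sla_breaches_by_vendor(findings, as_of, sla_days=SLA_DAYS):
    """Issues that exceeded their SLA, counted per vendor. Open issues are aged to as_of,
    so a vendor sitting on a High for a month is counted even though nothing is closed."""
    breaches = defaultdict(int)
    for _app, vendor, _source, sev, found, fixed in findings:
        age_days = ((fixed or as_of) - found).days
        if age_days > sla_days[sev]:
            breaches[vendor] += 1
    return dict(breaches)


if __name__ == "__main__":
    print("trend per app:", new_issues_per_app_per_month(FINDINGS))
    print("by vendor:    ", issues_by(FINDINGS, 1))
    print("by source:    ", issues_by(FINDINGS, 2))
    print("mean days fix:", mean_days_to_fix(FINDINGS))
    print("SLA breaches: ", sla_breaches_by_vendor(FINDINGS, AS_OF))
```

Counting open issues against the SLA, not just closed ones, is what makes the "by vendor" number usable as the penalty metric the BFSI analysis credits with the only reductions it saw; a vendor that never closes anything would otherwise show no breaches at all.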
40. OWASP
Open Questions…
• Outsource vs. In-house Security Assessment
• Legacy Apps – Orphaned
• Level of enforcement at the vendor’s end
• Procure tool vs. Security as a Service
• Business Logic Issues
• Bug Bounty Program

41. OWASP
Any Questions?
Thank You!
Take the Survey! http://niiconsulting.com/surveys/wass/index.php