
Strategies for Web Application Security


Learn about OpSource enterprise cloud and managed hosting in a webinar on ‘Strategies for web application security’.

Published in: Technology, Business


  1. Webinar: Strategies for Web Application Security
     • The webinar will begin at 9am PT / Noon ET
     • Featuring: Andy Hoernecke, Sr. Application Security Consultant, Neohapsis; David McKenzie, Sr. Director Business Consulting, OpSource
     • Turn up the speakers on your computer for streamed audio or dial in to: U.S. (888) 669-5051; International (303) 330-0440 (Room: *8886695051#)
     © 2010 OpSource, Inc. All rights reserved.
  2. Agenda
     • Housekeeping
     • Intro to OpSource
     • Featured Presentation by Neohapsis
     • Q&A Session
  3. Welcome!
     • Moderating: Dave McKenzie, Sr. Director Business Consulting, OpSource
     • All phones are set on mute
     • If you have a question, please use the Chat Q&A box located below the presentation panel
     • We will collect questions throughout the webinar and answer as many as we can at the end
     • If we don't answer your question, we'll follow up with an answer via email
     • The full-screen button lets you toggle between a larger image view and the view with the Q&A box for typing in questions; you can use it throughout the webinar
  4. OpSource: Enterprise Cloud and Managed Hosting
     • OpSource provides Enterprise Cloud and Managed Hosting Services
     • Solutions for SaaS, Enterprise, Telecoms and Cloud Platforms
     • Founded in 2002
     • Investors: Crosslink Ventures, Velocity Interactive Group, Intel and NTT
     • Offices: Santa Clara, CA (HQ); Herndon, VA; Dublin; London; Bangalore
     • Unmatched Industry Experience: SaaS Hosting and Scaling Software-Oriented Architectures (SOA); High Performance, Secure Cloud Computing
  5. OpSource Serves 600+ Clients with Millions of End-Users
     • Categories shown: SaaS & Managed Hosting; Hybrid Hosting; Cloud Hosting
  6. OpSource Partner Ecosystem
     • Categories shown: Telecom; Distribution; Consulting; Cloud Platform; Infrastructure
  7. Andy Hoernecke, Sr. Application Security Consultant, Neohapsis
     • Graduate of Iowa State University with a Master's degree in Information Assurance and Computer Engineering
     • Performs a variety of assessments including penetration tests, blackbox/whitebox assessments, SDLC reviews, and security tool implementation
     • Industries served include Federal/Local Government, Financial Services, Entertainment, Manufacturing, Retail, and Internet Service Providers
  8. Strategies for Web Application Security
     Andy Hoernecke, Sr. Application Security Consultant
     April 13th, 2011
  9. Agenda
     • Background
     • Tool Introduction
     • Web Application Scanning Strengths/Weaknesses
     • Where Scanning Makes Sense
     • SDL Integration
     • Supplemental Security Measures
     Neohapsis Confidential
  10. Background
     • ~96% of records breached involved "hacking" or malware
     • ~92% of records stolen through "hacking" involved a web application
     • Most commonly exploited web application vulnerabilities include: SQL Injection; Brute Force Attacks; OS Commanding; Default/Guessable Credentials; Cross-Site Scripting
     • Source: 2010 Data Breach Investigations Report, Verizon Business Risk Team
  11. Tool Introduction: Dynamic Analysis
     • Tests running web applications by making requests as a normal user would
     • Examples: IBM AppScan, HP WebInspect, WhiteHat
     • Scanning phases generally include: Spidering; Fault Injection; Analysis
  12. Tool Introduction: Static Analysis
     • Tests through the analysis of source or object code
     • Examples: Fortify, Veracode
     • Capabilities vary greatly: may require compilable code; may only handle certain languages
     • Not currently as widely adopted
  13. Dynamic Analysis Strengths
     • Performing tedious tests (fuzzing): XSS; file path manipulation; SSL issues
     • Signature-based tests: known vulnerabilities in common applications
     • Sensitive information checks: default files/scripts; certain types of information disclosure (internal IP addresses)
     • Configuration issues
     • Parameter-based fault injection
  14. Dynamic Analysis Weaknesses
     • Logic bugs (example: negative pricing/quantity)
     • Authentication issues (SSO related)
     • Authorization problems: user role enforcement; forced browsing
     • Vulnerabilities that are part of complex/multi-step processes
     • Identifying discrete pages in "rewritten URLs"
     • Results can vary greatly based on configuration and the scanner in use
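As an added illustration of the three scanning phases named on slide 11 (spidering, fault injection, analysis) and of the strength/weakness split on slides 13 and 14, the following Python is example code written for this page; it is not from the webinar, Neohapsis, OpSource, or any of the scanners named. The toy target application, its routes, the payload list, the default-file list and the URL http://target.local are all constructed for the example and run in-process, so nothing touches the network. The scanner finds the reflected XSS, the SQL error disclosure and the unlinked default /admin page, but it has no oracle for the negative-quantity logic bug; that check is a separate, hand-written business-logic assertion of the kind a manual tester adds.

```python
"""Minimal dynamic-analysis (DAST) scanner: spider, fault injection, analysis.

Added example for this page; not code from the webinar, Neohapsis, OpSource
or any commercial scanner.  The target application below is constructed and
runs in-process so the example needs no network.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urljoin, urlparse

# --- Constructed toy target (stands in for an HTTP server) --------------------
PRICES = {"1": 10.00}

def page_index(params):
    return '<html><a href="/search?q=widget">search</a> <a href="/buy?id=1&qty=1">buy</a></html>'

def page_search(params):
    q = params.get("q", "")
    if "'" in q:  # mimic a database error message leaking to the user
        return "<html>Error: You have an error in your SQL syntax near '%s'</html>" % q
    return "<html>Results for: %s</html>" % q  # reflected without encoding: XSS

def page_buy(params):
    qty = int(params.get("qty", "1"))
    total = PRICES[params.get("id", "1")] * qty  # no qty > 0 check: logic bug
    return "<html>Total: %.2f</html>" % total

ROUTES = {"/": page_index, "/search": page_search, "/buy": page_buy,
          "/admin": lambda params: "<html>Admin console</html>"}  # unlinked default page

def fetch(url):
    """Stand-in for HTTP GET; returns (status, body)."""
    u = urlparse(url)
    handler = ROUTES.get(u.path)
    if handler is None:
        return 404, "<html>Not found</html>"
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    try:
        return 200, handler(params)
    except Exception:
        return 500, "<html>Internal error</html>"  # generic page, no echo of input

# --- Phase 1: spidering -------------------------------------------------------
class LinkExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)

def spider(base):
    """Breadth-first crawl from base; returns {(path, (sorted param names))}."""
    seen, queue, endpoints = set(), [urljoin(base, "/")], set()
    while queue:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        status, body = fetch(url)
        if status != 200:
            continue
        u = urlparse(url)
        endpoints.add((u.path, tuple(sorted(parse_qs(u.query)))))
        extractor = LinkExtractor()
        extractor.feed(body)
        queue.extend(link for link in (urljoin(url, h) for h in extractor.links)
                     if urlparse(link).netloc == urlparse(base).netloc)  # stay in scope
    return endpoints

# --- Phases 2 and 3: fault injection and analysis ----------------------------
# Each test is (payload, oracle over the response body); constructed list.
PAYLOADS = {
    "xss": ("<svg onload=alert(1)>", lambda body, p: p in body),
    "sqli": ("'", lambda body, p: re.search(r"sql syntax|ODBC|ORA-\d+", body, re.I) is not None),
}
DEFAULT_FILES = ["/admin", "/phpinfo.php", "/.git/config"]  # signature-style check list

def scan(base):
    """Return sorted (kind, path, parameter) findings for the target at base."""
    findings = set()
    for path, names in spider(base):
        for name in names:
            for kind, (payload, oracle) in PAYLOADS.items():
                params = {n: "1" for n in names}  # benign values for the other params
                params[name] = payload
                _, body = fetch(urljoin(base, path) + "?" + urlencode(params))
                if oracle(body, payload):
                    findings.add((kind, path, name))
    for f in DEFAULT_FILES:  # sensitive-file check: unlinked, so the spider never sees it
        if fetch(urljoin(base, f))[0] == 200:
            findings.add(("default-file", f, ""))
    return sorted(findings)

def negative_quantity_check(base):
    """Business-logic test no generic oracle covers: does qty=-1 give a negative total?"""
    status, body = fetch(urljoin(base, "/buy?id=1&qty=-1"))
    m = re.search(r"Total: (-?\d+\.\d+)", body)
    return status == 200 and m is not None and float(m.group(1)) < 0

if __name__ == "__main__":
    for finding in scan("http://target.local"):
        print("scanner found:", finding)
    print("negative quantity accepted:", negative_quantity_check("http://target.local"))
```

The two oracles are the whole of the scanner's "knowledge": a reflected payload and a database error signature. Nothing in them can say that a total of -10.00 is wrong, which is why the negative-quantity case needs a test written by someone who knows what the application is supposed to do; the same gap applies to role enforcement and multi-step flows.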
  15. Percent Vulnerabilities Identified
     (chart; the per-scanner figures are not reproduced in this transcript)
     Source: Suto, Larry. "Analyzing the Accuracy and Time Costs of Web Application Security Scanners." (2010)
  16. Experience Needed
     • Web application scanners are not like antivirus tools
     • Most will require tuning and customization to get good results
     • Login and session management can often cause problems
     • There WILL be false positives
     • Tuning and interpretation of results requires application security knowledge
     • Unlikely that canned reports can be handed off to average developers without some additional explanation
  17. Where Scanning Makes Sense
     • Application scanning is one piece of the overall SDL
     • Most standard web applications using HTTP/HTTPS; modern scanners provide decent JavaScript parsing
     • Mostly platform/language independent
     • As the first stage of a manual assessment
  18. Where Scanning Doesn't Make Sense
     • Applications heavily reliant on client-side code
     • Non-HTTP applications: CORBA; RMI; proprietary protocols
     • Results could be limited for: Web Services/SOAP APIs; very AJAX-intensive applications; other client-side technologies (Flash, Silverlight); completely static sites
  19. Application Scanning and SDL
     • Web application scanners are valuable as part of the Secure Development Lifecycle
     • Variables include how frequently to scan, which depends on several factors: application/data sensitivity; development cycle; business criticality; available resources
     • Which environments to scan?
        • Production: generally the most important code base to be secure; requires the most care, as outages are generally not well received
        • QA, Staging, Development: good for catching vulnerabilities before they are rolled into production; many development groups have their hands full fixing issues in production
  20. Application Scanning and SDL
     • Dynamic scanning has limitations: it won't be able to find everything a code review could find
     • It can provide findings relatively quickly and help focus on potentially insecure areas of an application
  21. Supplementing Application Scanning
     • Periodic manual testing for sensitive applications: blackbox, greybox, whitebox; may be targeted to certain functionality
     • Standard IT best practices: separation of duties; defense in depth
     • Working security into earlier development phases: security requirements; architecture review; developer security training/awareness
  22. Questions & Answers / Contact Info
     • Q&A: type your questions into the chat box below the presentation panel
     • Contact OpSource: Dave McKenzie – Sales Inquiries – or 800-664-9973
     • Recorded webinar and slides will be posted within 48 hours on the OpSource website.