Nebezpecny Internet Novejsi Verze (Dangerous Internet, newer version)

  1. IBM Software Group. Nebezpečný internet: nezapomínejte na aplikace (The dangerous internet: don't forget the applications). Jan Valdman, BP IBM. © 2007 IBM Corporation
  2. IBM Software Group | Rational software. Agenda:
     - Web application security issues
     - Web application security model
     - Application security and software development
     - Application security maturity model
  3. Application Security Today
     - "Web application vulnerabilities accounted for 69% of vulnerabilities disclosed between July 2005 and June 2006" (Gartner)
     - "64% of developers are not confident in their ability to write secure applications" (Microsoft Developer Research)
     - "70% of companies today are NOT applying secure application development techniques in their software development practices" (Aberdeen Group, May 2007)
     - "90% of applications, when tested, are vulnerable" (Watchfire)
  4. The Reality: Security and Spending Are Unbalanced
     - Share of attacks: web applications 75%, network and servers 25%
     - Share of security spending: web applications 10%, network and servers 90%
     - 75% of all attacks on information security are directed at the web application layer; 2/3 of all web applications are vulnerable
     - Sources: Gartner, Watchfire
  5. Why Application Security Is a High Priority
     - Web applications are the #1 focus of hackers: 75% of attacks are at the application layer (Gartner); XSS and SQL injection are the #1 and #2 reported vulnerabilities (MITRE)
     - Most sites are vulnerable: 90% of sites are vulnerable to application attacks (Watchfire); 78% of easily exploitable vulnerabilities affected web applications (Symantec); 80% of organizations will experience an application security incident by 2010 (Gartner)
     - Web applications are high-value targets for hackers: customer data, credit cards, ID theft, fraud, site defacement, etc.
     - Compliance requirements: Payment Card Industry (PCI) standards, GLBA, HIPAA, FISMA
  6. The Myth: "Our Site Is Safe"
     - We have firewalls in place
     - We audit it once a quarter with pen testers
     - We use network vulnerability scanners
  7. Network Defenses for Web Applications: the security perimeter consists of a firewall, an intrusion detection system (IDS), an intrusion prevention system (IPS), an application firewall and security incident and event management (SIEM)
  9. 12 Most Frequent Hacker Attacks
     - Cookie poisoning
     - Hidden field manipulation
     - Parameter tampering
     - Buffer overflow
     - Cross-site scripting
     - Backup and debug options
     - Forceful browsing
     - HTTP response splitting
     - Stealth commanding
     - 3rd-party misconfiguration
     - Known vulnerabilities
     - XML and web service vulnerabilities
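Three entries on this list, hidden field manipulation, parameter tampering and cookie poisoning, come down to the same mistake: the server trusts a value because it put that value into the page or cookie itself, forgetting that the browser (or an intercepting proxy) can send anything back. The Python below is an added example, not part of the original deck or of any IBM product. It shows a checkout handler that computes the order total from a hidden `price` field and reads the user's role straight from a cookie, beside a hardened version that takes the price from a server-side catalogue, range-checks the quantity and authenticates the cookie with an HMAC. The catalogue, the secret key and the request bodies are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed server-side data for the example (assumptions, not from the deck).
CATALOGUE = {"sku-100": 4999, "sku-200": 12000}        # price in cents, per SKU
SECRET_KEY = b"constructed-example-key-do-not-reuse"   # assumed server secret


def vulnerable_checkout(form_body: str) -> int:
    """Before: the total is computed from the hidden 'price' field the browser
    posted back, so an attacker edits the form and pays whatever they like."""
    form = parse_qs(form_body)
    qty = int(form["qty"][0])
    price = int(form["price"][0])          # attacker-controlled hidden field
    return qty * price


def hardened_checkout(form_body: str) -> int:
    """After: the client only names the SKU. The price comes from the server-side
    catalogue, the quantity is range-checked, and any 'price' field is ignored."""
    form = parse_qs(form_body)
    sku = form.get("sku", [""])[0]
    try:
        qty = int(form.get("qty", ["0"])[0])
    except ValueError:
        raise ValueError("rejected: non-numeric quantity")
    if sku not in CATALOGUE:
        raise ValueError("rejected: unknown SKU")
    if not 1 <= qty <= 100:
        raise ValueError("rejected: quantity out of range")
    return qty * CATALOGUE[sku]


def sign_cookie(value: str) -> str:
    """Issue a cookie value carrying an HMAC-SHA256 tag: '<value>.<hex tag>'."""
    tag = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def vulnerable_role(cookie_value: str) -> str:
    """Before: the role is whatever the cookie says; 'admin' costs one edit."""
    return cookie_value


def hardened_role(cookie_value: str) -> str:
    """After: accept the role only if the tag verifies under the server secret.
    A poisoned or forged cookie falls back to the unauthenticated role."""
    value, sep, tag = cookie_value.rpartition(".")
    if not sep:
        return "anonymous"
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return "anonymous"
    return value


if __name__ == "__main__":
    tampered = "sku=sku-100&qty=2&price=1"       # constructed tampered form post
    print("vulnerable total:", vulnerable_checkout(tampered))
    print("hardened total:  ", hardened_checkout(tampered))
    print("poisoned cookie ->", hardened_role("admin"))
    print("signed cookie   ->", hardened_role(sign_cookie("user")))
```

The hardened handler still accepts the same form; it simply stops using the field an attacker can change and validates the one it does use. The HMAC tag makes the cookie tamper-evident, not secret, so anything confidential still belongs in a server-side session rather than in the cookie itself.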
  10. Going Beyond Pointing Out Security Problems
  11. Web Application Environment Security: each layer of the environment has its own class of scanner
     - Web application and web services: web application scanners
     - Web server: network scanners
     - Database: database scanners
     - Operating system: host scanners
  12. Network vs. Application Security: Complementary
     - Information security landscape: desktop (antivirus protection), transport (encryption, SSL), network (firewalls, advanced routers), web applications (application firewall, web servers, backend servers, databases)
     - Network and application security solutions address different problems: ISS covers the network, Rational AppScan covers the application
  13. High-Level Web Application Architecture Review
     - Client tier (browser) -> Internet -> firewall -> middle tier: app server (presentation, business logic) -> data tier: database
     - SSL protects the transport; the firewall protects the network
     - The application is deployed on the middle tier; sensitive customer data is stored in the data tier
  14. Why Application Security Problems Exist
     - Root cause: developers are not trained to write or test for secure code
     - Firewalls and IPSs don't block application attacks; port 80 is wide open for attack
     - Network scanners (Nessus, ISS, Qualys, Nmap, etc.) won't find application vulnerabilities
     - Network security (firewall, IDS, etc.) does nothing once an organization web-enables an application
     - Current state: organizations test tactically at a late and costly stage in the development process; a communication gap exists between security and development, so vulnerabilities are not fixed; testing coverage is incomplete
  15. Application Security Threats
  16. Building Security and Compliance into the SDLC
     - SDLC stages: coding, build, QA, security, production
     - Enable developers to effectively drive remediation into development
     - Provide developers and testers with expertise on detection and remediation
     - Ensure vulnerabilities are addressed before applications are put into production
  17. Application Security Maturity Model: four phases, from blissful ignorance through the awareness phase and the corrective phase to operational excellence; the chart assigns roughly 10%, 30%, 30% and 30% of the maturity gain to the four phases, over a duration of 2-3 years
  18. Reduced Costs, Increased Coverage: as testing moves from external security audits to internal tactical, then strategic, then operationalized testing, the cost per application tested falls and application coverage rises from 0% towards 100%
  19. IBM Rational Application Security Testing Products: AppScan Enterprise, web application security testing across the SDLC
     - Development: test applications as they are developed
     - Quality assurance: test applications as part of the QA process
     - Security audit: test applications before deployment
     - Production monitoring: monitor or re-audit deployed applications
  20. IBM Software Group: Backup Slides. © 2007 IBM Corporation
  21. IBM Rational in the IBM Security Portfolio
     - 1: Where are you? Assess: understand customer security needs and security exposures (Watchfire solutions)
     - 2: Keep the bad guys OUT! Defend: preemptively protect the enterprise against threats to the infrastructure, confidential data and services (Watchfire solutions)
     - 3: Let the good guys IN! Access: manage and control user identities and access privileges
     - 4: Monitor and fix! Monitor: centrally manage security events, report on security posture, remediate
  22. Bad Press Decreases Shareholder Value: one-day market cap drop of $200M
  23. Build Better and More Secure Applications/Websites
     - Improve business integrity before you go live: address security issues during the development cycle rather than after applications go live, where business risk is magnified and costs to remediate are high
     - Reduce application costs by automating manual processes: automate accurate detection of vulnerability and compliance issues and their remediation throughout the entire web application lifecycle, from the development cycle into operations
     - Comply with government regulations and industry security requirements: incorporates the most comprehensive compliance reporting solution, which generates 41 out-of-the-box regulatory compliance templates and reports
     - Provide a "core to perimeter" view into enterprise security: add web application security and compliance testing to network-level offerings
     - IBM Rational AppScan® automates web application security audits to help ensure the security and compliance of web applications
  24. IBM Rational AppScan Vulnerability Detection: AppScan runs the following simulated hacker attacks
     - Cross-site scripting
     - Known vulnerabilities
     - HTTP response splitting
     - HTTP attacks
     - Parameter tampering
     - SQL injection
     - Hidden field manipulation
     - Suspicious content
     - Backdoor/debug options
     - XML/SOAP tests
     - Stealth commanding
     - Content spoofing
     - Forceful browsing
     - Lightweight Directory Access Protocol (LDAP) injection
     - Application buffer overflow
     - XPath injection
     - Cookie poisoning
     - Session fixation
     - Third-party misconfiguration
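HTTP response splitting appears both on slide 9's list of frequent attacks and in this list of simulated attacks, and it is one of the least intuitive of them, so here is what it looks like on the wire. The Python below is an added example, not part of the original deck or of any IBM product. It builds a redirect response from a `next`-style parameter the way a naive handler would, shows how a value containing CR LF turns one response into two, and then shows a hardened builder that rejects control characters and only redirects to an allow-listed https host. The allow-list, the handler and the attacker payload are constructed for the example.

```python
from urllib.parse import urlsplit

# Assumed redirect allow-list for the hardened handler (constructed for the example).
ALLOWED_HOSTS = {"www.example.com"}


def vulnerable_redirect(target: str) -> bytes:
    """Before: the parameter is copied into the Location header verbatim. A value
    containing CR LF terminates the header block, and everything after it is
    parsed by the client or proxy as a second, attacker-written response."""
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {target}\r\n"
            "Content-Length: 0\r\n"
            "\r\n").encode("latin-1")


def hardened_redirect(target: str) -> bytes:
    """After: reject any control character before the value reaches a header,
    then only redirect to an absolute https URL on an allow-listed host. The
    second check also closes the open-redirect use of the same parameter."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        raise ValueError("control character in header value")
    parts = urlsplit(target)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        raise ValueError("redirect target not on the allow-list")
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {target}\r\n"
            "Content-Length: 0\r\n"
            "\r\n").encode("latin-1")


def count_responses(raw: bytes) -> int:
    """Count the HTTP messages a client would see in this byte stream, one per
    status line. A split shows up as two messages where the server meant one."""
    return sum(1 for line in raw.split(b"\r\n") if line.startswith(b"HTTP/1.1 "))


# Constructed attacker value: a plausible URL, then CR LF sequences that close
# the real response and start a forged 200 OK carrying attacker-chosen HTML.
SPLIT_PAYLOAD = (
    "https://www.example.com/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 25\r\n"
    "\r\n"
    "<script>alert(1)</script>"
)


if __name__ == "__main__":
    print("vulnerable handler emits", count_responses(vulnerable_redirect(SPLIT_PAYLOAD)), "responses")
    try:
        hardened_redirect(SPLIT_PAYLOAD)
    except ValueError as exc:
        print("hardened handler:", exc)
    print("clean redirect emits", count_responses(hardened_redirect("https://www.example.com/account")), "response")
```

The control-character check must run on the raw parameter string, before any URL parsing: recent Python versions silently strip CR, LF and tab from a URL inside `urlsplit`, so a check done on the parsed result would report a clean URL while the original value still splits the header. Modern web frameworks refuse CR/LF in header values for the same reason; the check is shown explicitly here so the failure mode is visible.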