1. Your Application Security Initiative – Beyond Finding Vulnerabilities
Jeff Williams, CEO, Aspect Security; Chair, OWASP Foundation
[email_address], 410-707-1487

2. Remember the Corvair?
3. The Automobile Market
- 25 Years Ago
  - Most cars were built without safety features
  - No seatbelts, airbags, crumple zones, side impact protection, etc.
- Many different forces affected the market
  - Pinto, Nader, Oil Crisis, Regulation, lots more
- Automakers include more safety features
  - Becomes a critical buying factor
  - Competitors must improve to compete
- Today
  - Can’t sell a car without safety
4. Economics
- “The Market for Lemons”
  - By George Akerlof in 1970 (Nobel Prize for Economics in 2001)
  - Buyers can’t tell cherries from lemons (asymmetric information)
  - Market price decreases to compensate for the risk
  - Cherry owners are less inclined to sell
  - Therefore, even a competitive market is filled with lemons
5. The Software Market
- Worse than the automobile market
- Asymmetric information is carefully protected
  - Extremely difficult to analyze software (even with source)
  - Restrictive license agreements
  - Legal and regulatory restrictions on security analysts
- Virtually guarantees insecure software
  - If you can’t tell the difference, why pay more?
  - No way to establish the benefit of secure software
- Until recently, making secure software didn’t make sense
6. The Market is Changing!
- Microsoft
  - Trustworthy Computing Initiative
- Oracle
  - “Unbreakable. Can’t break it, can’t break in.”
- VISA
  - CISP and PCI Standards include OWASP Top Ten
- General Electric
  - Application security built into contract language
  - Mandatory code reviews
- Constellation Energy
  - “Convergence” – physical, infrastructure, and application layers
7. Disclosure Laws Work
- Recent Events
  - Over 50 million SSNs (1 in 6 Americans), credit card numbers, account numbers, and driver’s license numbers stolen in the last 6 months.
  - ChoicePoint legal and notification costs: $11.4m for 145,000 individuals
  - 2005 FBI Survey shows a 588% increase in costs associated with unauthorized access and an 80% increase in Web site incidents
- Government Action
  - Federal government and over half the states have “breach, notify, and freeze” legislation pending.
  - FTC leading lawsuits against companies that fail to protect consumer data in their applications
  - NIST and DISA standards now include stringent application security requirements
8. The Future
[Slide image: a mock “Software Facts” label in the style of a nutrition label. Values recovered from the extracted image text, in the order they appear:]
Ingredients: Sun Java 1.5 runtime, Sun J2EE 1.2.2, Jakarta log4j 1.5, Jakarta Commons 2.1, Jakarta Struts 2.0, Harold XOM 1.1rc4, Hunter JDOMv1
Software Facts
- Modules: 155 (Modules from Libraries: 120)
- Expected Number of Users: 15; Typical Roles per Instance: 4
- Cross Site Scripting: 22 (Reflected 12, Stored 10) – 65% Vulnerability*
- SQL Injection: 2
- Buffer Overflow: 5
- Total Security Mechanisms: 3
- Encryption: 3
- Authentication: 15 – 95% Vulnerability*
- Access Control: 3
- Input Validation: 233
- Logging: 33
- Modularity: .035
- Cyclomatic Complexity: 323
* % Vulnerability values are based on typical use scenarios for this product. Your Vulnerability Values may be higher or lower depending on your software security needs.
Reference values by usage (the slide shows two columns, labelled Intranet and Internet):
- Cross Site Scripting: Less Than 10 / 5
  - Reflected: Less Than 10 / 5
  - Stored: Less Than 10 / 5
- SQL Injection: Less Than 20 / 2
- Buffer Overflow: Less Than 20 / 2
- Security Mechanisms: 10 / 14
- Encryption: 3 / 15
9. Software Security Is A Different World
- Network Security
  - Part of IT
  - Networking Experts
  - Product Focused
  - 1000s of Copies
  - Signature Based
  - Patch Management
- Software Security
  - Part of Business Units
  - Software Experts
  - Custom Code Focused
  - 1 Copy of Software
  - No Signatures
  - Prevent Vulnerabilities
Don’t let anyone rely on network security techniques to gain software security.
10. Root Causes of Application Insecurity
- People and Organization Examples
  - Lack of training
  - Responsibilities not clear
  - No budget allocated
- Process Examples
  - Underestimated risks
  - Missed requirements
  - Inadequate testing and reviews
  - Lack of metrics
  - No detection of attacks
- Technology Examples
  - Lack of appropriate tools
  - Lack of common infrastructure
  - Configuration errors
[Slide diagram: business functions (Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce) built on Custom Code, with three root-cause layers underneath: Untrained People and Organizational Structure Issues; Missing or Inadequate Processes; Missing or Inadequate Tools, Libraries, or Infrastructure.]
11. Targeting the Root Causes
- Process Goals
  - Risk Understood: security activities driven by application security risk
  - Security Considered: integrated into all the activities in the SDLC
  - Security Open: information about security is available and verifiable
  - Flaws Identified: as quickly as possible after they are introduced
- Technology Goals
  - Security Tracked: within projects and across the entire organization
  - Best Tools: for developing and testing the security of applications
  - Standard Technology: common approach to the typical security areas
  - Attacks Monitored: attacks on applications are identified and handled appropriately
- People Goals
  - Shared Understanding: everyone in the organization shares an understanding of app security risk levels
  - Responsibility Assigned: security assigned for each project and the organization as a whole
  - Support Available: for developers who need help with application security
  - Developers Trained: in application security and the organization’s approach
12. Getting Started
- Check out some applications
  - Find out whether you’re vulnerable or not
  - Build a case for management
- Evaluate your capability
  - Assess your organization and processes
  - How will security best fit into your culture?
13. Key Enhancements
- Establish requirements and testing processes
  - Tailor standard requirements for each project
  - Use the OWASP Testing Guide
- Start up an application security team
  - A centralized team is key to building a capability
- Developer security training
  - Check out OWASP WebGoat
14. Advanced Enhancements
- Establish a global application risk register
  - Track issues, create insight
- Negotiate security in contracts
  - Use the OWASP Secure Software Contract Annex
- Build an Application Security “Brand”
  - Easy-to-understand labels for risk and security levels
15. Application Security Capacity Scorecard
[Slide table: maturity levels (rows) by dimension (columns: Process, Technology, People). The cell-to-level mapping is not recoverable from the extracted text; levels and activities are listed as they appear.]
- Levels
  - Level 0: Ad Hoc
  - Level 1: Demonstrate Need
  - Level 2: Fundamentals
  - Level 3: Institutionalize
  - Level 4: Metrics
  - Level 5: Continuous Improvement
- Activities shown in the cells: AppSec Rqmts Process; Coding Best Practices; Global Risk Register; Std. AppSec Mechanisms; AppSec Testing Process; Developer Training; Assign Responsibility; Secure Deployment; AppSec Dev. Env.; Security Architecture; Risk Dashboard; Contracting Process; Form AppSec Group; Analyze Critical Apps; Evaluate Capabilities; Certification Program; Rely on Developers/Users; Establish AppSec Brands; AppSec Vuln. Analysis
16. OWASP Can Help
- Open Web Application Security Project
  - Nonprofit Foundation
  - All materials available under approved open source licenses
  - Dozens of projects, over 50 chapters worldwide, thousands of participants, and millions of hits a month
OWASP is dedicated to finding and fighting the causes of insecure software.
17. OWASP Supports Your Initiative
- OWASP Top Ten
  - Set priorities, get management buy-in
- OWASP Guide
  - 300-page book for application security
- OWASP Secure Software Contract Annex
  - Achieve a meeting of the minds on application security
- OWASP Testing Guide & OWASP WebScarab
  - Test/analysis methods for application security
  - Web application & web service penetration testing tool
18. Some of What You’ll Find at OWASP
- Community
  - Local Chapters
  - Translations
  - Conferences
  - Mailing Lists
  - Papers
  - and more
- All free and open source
- We encourage your company to support us by becoming a member
- Documentation
  - Guide
  - Top Ten
  - Testing
  - Legal
  - AppSec FAQ
  - and more
- Tools
  - WebGoat
  - WebScarab
  - Stinger
  - DotNet
  - and more
19. Q&A – Questions and Answers