Challenge Web Application Today!!!
Promote CSSLP Certification.
Introduce OWASP 2010 Top 10 Risks?
Practice with WebGoat?

For Education only.

Published in: Technology


  1. Certified Secure Software Lifecycle Professional (CSSLP). Master Degree in Management Information Systems (MSMIS), Faculty of Commerce and Accountancy, Thammasat University, 05-April-2010. Surachai Chatchalermpun
  2. Speaker Profile: CSSLP, ECSA, LPT
  3. Agenda
     • Challenges Today…
     • What is CSSLP?
     • What is OWASP?
     • What is WebGoat?
     • WebGoat Lesson!
  4. Challenges Today…
     • Over 70% of breaches of security vulnerabilities exist at the application level. (Gartner Group, 2005)
     • Software is often not developed with security in mind
     • Targeted, financially motivated attacks continue to rise
     • Attacks are moving up the application stack
     • New technology waves keep on coming: there are still numerous emerging threat vectors which require increased spending in certain security sub-segments.
     Source: Global Information Security & IT Security Personnel Development in USA – trend and hurdles, Prof. Howard A. Schmidt
  5. Source: Issue number 9, InfoSecurity Professional Magazine
  6. W. Hord Tipton, CISSP-ISSEP, CAP, CISA, (ISC)² Executive Director
  7. What is the CSSLP?
     • Certified Secure Software Lifecycle Professional (CSSLP)
     • Base credential
     • Professional certification program
     • Takes a holistic approach to security in the software lifecycle
     • Tests candidates' competency (KSAs) to significantly mitigate the security concerns
  8.
     • Global leaders in certifying and educating information security professionals with the CISSP® and related concentrations, CAP® and SSCP®.
     • Established in 1989 as a not-for-profit consortium of industry leaders.
     • More than 60,000 certified professionals in over 135 countries.
     • Board of Directors: top information security professionals worldwide.
     • All of our information security credentials are accredited to ANSI/ISO/IEC Standard 17024 and were the first technology-related credentials to receive this accreditation.
  9. Over 70% of breaches of security vulnerabilities exist at the application level.* (* Gartner Group, 2005)
  10. Purpose
      • Provide a credential that speaks to the individual’s understanding of and ability to deliver secure software through the use of best practices.
      • The target professionals for this certification would be anyone who is directly, and in some cases indirectly, involved in the Software Lifecycle.
  11. Software Lifecycle Stakeholder Chart (figure). Stakeholders shown around the Software Lifecycle: Top Management, Auditors, Business Unit Heads, Client-Side PM, IT Manager, Industry Group, Delivery Heads, Security Specialists, Business Stakeholders, Application Owners, Analysts, Developers/Coders, Quality Assurance, Managers, Project Managers/Technical Team Leads, Architects. Legend: Influencers, Primary Target, Secondary Target.
  12. Market Drivers
      • Security is everyone’s responsibility
      • Software vulnerabilities have emerged as a major concern
      • Off-shoring of software development
      • Software is often not developed with security in mind
      • Desire to meet growing industry needs
  13. Certified Secure Software Lifecycle Professional: (ISC)² CSSLP CBK 7 Domains
      • Secure Software Concepts
      • Secure Software Requirements
      • Secure Software Design
      • Secure Software Implementation/Coding
      • Secure Software Testing
      • Software Acceptance
      • Software Deployment, Operations, Maintenance, and Disposal
  14. CSSLP Certification Requirements By Experience Assessment:
      • Experience Assessment will be open until March 31, 2009
      • Candidate will be required to submit:
        – Experience Assessment Application
        – Signed candidate agreement and adherence to (ISC)² Code of Ethics
        – Detailed resume of experience
        – Four essay responses (between 250-500 words) detailing experience in four of the following knowledge areas:
          • Applying Security concepts to Software Development
          • Software Design
          • Software Implementation/Coding
          • Software Testing
          • Software Acceptance
          • Software Deployment, Operations, Maintenance, and Disposal
        – Fee of $650
  15. CSSLP Certification Requirements By Examination:
      • The first public exam will be held at the end of June 2009
      • Candidate will be required to submit:
        – Completed examination registration form
        – Signed candidate agreement and adherence to the (ISC)² Code of Ethics
        – Proof of 4 years of FTE experience in the Software Development Lifecycle (SDLC) process, or 3 years plus a 1 year waiver of experience for a degree in an IT related field
        – Fee of $549 early-bird and $599 standard
      • Candidate will be required to:
        – Pass the official (ISC)² CSSLP certification examination
        – Complete the endorsement process
      • The Associate of (ISC)² Program will apply to those who have passed the exam but still need to acquire the necessary minimum experience requirements
  16. CSSLP CBK Overlap between other Certifications/Programs (figure). Programs shown: GSSP-C and GSSP-J (SANS), Software Coder Certification Programs; CSSE (ISSECO), Entry-level Education Program / Certificate of Completion; CSSLP (ISC)², Professional Certification Program; Software Assurance Initiative (DHS), Awareness Effort; CSDA (IEEE), Associate Level; CSDP (IEEE), Professional Status Certification Program; Vendor-Specific Credentials.
  17. Future of CSSLP
      • International Marketing Efforts
      • ANSI/ISO/IEC 17024 accreditation
      • Maintenance activities
      • Cert Education Program
  18. Hear what Anthony Lim, from IBM, has to say about CSSLP
  19. My CSSLP Certification
  20. Why is Web Application Security Important?
      • Easiest way to compromise hosts, networks and users.
      • Widely deployed.
      • No Logs! (POST Request payload)
      • Incredibly hard to defend against or detect.
      • Most don’t think of locking down web applications.
      • Intrusion detection is a joke.
      • Firewall? What firewall? I don’t see no firewall…
      • SSL Encrypted transport layer does nothing.
      Source: White Hat Security
  21. Web Application Hacking (diagram: Outer DMZ Zone, Inner Server Farm Zone). Source: White Hat Security
  22. Your “Code” is Part of Your Security Perimeter. Your security “perimeter” has huge holes at the “Application layer”. You can’t use network layer protection (Firewall, SSL, IDS, hardening) to stop or detect application layer attacks. (Diagram: an APPLICATION ATTACK passes through the Network Layer of Outer Firewall, Inner Firewall, Hardened OS, Web Server and App Server and reaches the Application Layer: Custom Developed Application Code, Legacy Systems, Web Services, Human Resources, Directories, Databases, Billing.) Source: White Hat Security
  23. The Web Application Security Risk
      • Web Applications are vulnerable:
        – Each exposes its own vulnerabilities.
        – They change frequently, requiring constant tuning of application security.
        – They are complex and feature rich with the advent of AJAX, Web Services and Web 2.0 (and Social Networks).
      • Web Applications are threatened:
        – New business models drive “for profit” hacking.
        – Performed by black hat professionals enabling complex attacks.
      • Potential impact may be severe:
        – Web applications are used for sensitive information and important transactions.
      Source: White Hat Security
  24. Threat is Difficult to Assess
      • Web Attacks are stealthy:
        – Victims hide breaches.
        – Incidents are not detected.
      • Statistics are Skewed:
        – The number of incidents reported is statistically insignificant.
      Source: Breach Security
  25. Source: Web Hacking Incidents Database
  26. Source: Web Hacking Incidents Database
  27. Available Sources on Attacks
      • Zone-H (The Hacker Community) – http://www.zone-h.org
        – The most comprehensive attack repository, very important for public awareness.
        – Reported by hackers and focused on defacements.
      • WASC Statistics Project – http://www.webappsec.org
      • OWASP Top 10 – http://www.owasp.org
  28. Hacking Incidents (Defacement)
  29. Hacking Incidents (Defacement)
  30. Hacking Incidents (Defacement)
  31. Key Principle (figure). 3 Pillars of ICT (PPT): People, Process, Technology (Tool). 3 Pillars of Security (CIA): Confidentiality, Integrity, Availability, threatened respectively by Disclosure, Alteration, Disruption.
  32. Root Causes of Application Insecurity: PPT
      • People and Organization examples
        – Lack of Application Security training
        – Roles & Responsibilities not clear
        – No budget allocated
      • Process examples
        – Underestimated risks
        – Missed requirements
        – Inadequate testing and reviews
        – Lack of metrics
        – Lack of implementing Best Practices or Standards
        – No detection of attacks
      • Technology examples
        – Lack of appropriate tools
        – Lack of common infrastructure
        – Configuration errors
      (Diagram: Custom Code (Knowledge Mgmt, Communication, Administration, Bus. Functions, Transactions, E-Commerce, Accounts, Finance) surrounded by Missing or Inadequate Tools, Libraries, or Infrastructure; Missing or Inadequate Processes; Untrained People and Organizational Structure Issues.)
      Source: OWASP
  33. People / Processes / Technology (figure): Training, Awareness, Guidelines, Automated Testing, Secure Development, Application Firewalls, Secure Code Review, Secure Configuration, Security Testing
  34. SDLC & OWASP Guidelines. Source: OWASP
  35. Source: OWASP
  36. Source: OWASP
  37. Source: OWASP
  38. Source: Microsoft
  39. What is OWASP? The Open Web Application Security Project (OWASP) is a not-for-profit worldwide charitable organization focused on improving the security of application software. “Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.” Source: http://www.owasp.org
  40. OWASP Foundation has over 130 Local Chapters
  41. (no text on slide)
  42. What is WebGoat? WebGoat is a deliberately insecure J2EE web application maintained by OWASP, designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. (Slide graphic: OWASP Top 10.)
  43. What is WebGoat?
  44. WebGoat Installation on Windows (download, extract, double-click the release):
      1. To start Tomcat, browse to the WebGoat directory unzipped above and double click "webgoat.bat"
      2. Start your browser and browse to http://localhost/WebGoat/attack (notice the capital 'W' and 'G')
      3. Log in as user = guest, password = guest
      4. To stop WebGoat, simply close the window you launched it from.
  45. WebGoat Lesson 1
  46. WebGoat Lesson 2
  47. WebGoat Lesson 3
  48. Solution: WebGoat Lesson 3
  49. Solution: WebGoat Lesson 3: True OR ? = True
  50. WebGoat Lesson 4
  51. Solution: WebGoat Lesson 4
  52. WebGoat Lesson 5
  53. Solution: WebGoat Lesson 5. Use Tamper Data (Firefox plug-in) to edit the variable value: AccessControlMatrix.help" | net user"
  54. Question & Answer. Thank You. Surachai Chatchalermpun, surachai.c@pttict.com
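
Slides 49 and 53 each hint at an injection: a tautology that makes a SQL WHERE clause always true ("True OR ? = True"), and a hidden form field, edited with Tamper Data, that reaches a Windows shell. The following is an added example, not code from the slides or from WebGoat itself. It rebuilds both lessons offline in Python with the standard sqlite3 module and a constructed user table (WebGoat is J2EE/JDBC), each beside the fix a developer would ship: a parameterized query, and a strict pattern plus server-side allowlist for the help-file field. The function names, the table contents, the lesson file names in the allowlist and the assumed `type "help\<file>"` command shape are this example's own assumptions.

```python
"""Two WebGoat injection lessons rebuilt offline.

Added example, not the slides' or WebGoat's code.  sqlite3 stands in for
the lesson's JDBC back end; the user table and the help-file names are
constructed for this demonstration.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the lesson's user table (not WebGoat's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Lesson 3 as the insecure app does it: request values spliced into SQL text.

    A password of  ' OR 'a'='a  closes the quoted literal and appends a clause
    that is always true.  Because AND binds tighter than OR, the WHERE becomes
    (name = '...' AND password = '') OR 'a'='a', i.e. slide 49's "True OR ? = True".
    """
    sql = (f"SELECT COUNT(*) FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_fixed(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Same check with placeholders: the driver sends the values separately
    from the SQL text, so quotes in the input cannot change the query's shape."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


# Slide 53's edited hidden-field value.
TAMPERED_VALUE = 'AccessControlMatrix.help" | net user"'


def help_command_vulnerable(help_file: str) -> str:
    """Lesson 5 as the insecure app does it: the hidden field lands in a command line.

    The shape  type "help\\<file>"  is an assumption about the lesson, not
    taken from WebGoat's source.  The string is returned for inspection and
    never executed: the quote in the tampered value ends the argument and the
    pipe appends a second command.
    """
    return f'type "help\\{help_file}"'


# Server-side allowlist of help files; the names are constructed for this example.
HELP_FILES = frozenset({"AccessControlMatrix.help", "HttpBasics.help"})
SAFE_NAME = re.compile(r"\A[A-Za-z0-9_]+\.help\Z")


def resolve_help_file(help_file: str) -> str:
    """Treat the field as untrusted: it must match a strict pattern AND an
    allowlist the server controls.  The result is then opened as a file by the
    application, never handed to a shell."""
    if not SAFE_NAME.match(help_file) or help_file not in HELP_FILES:
        raise ValueError(f"rejected help file parameter: {help_file!r}")
    return help_file


def is_valid_help_file(help_file: str) -> bool:
    """Boolean wrapper around resolve_help_file for callers and tests."""
    try:
        resolve_help_file(help_file)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR 'a'='a"
    print("string-built SQL, unknown user + tautology:", login_vulnerable(db, "nobody", tautology))
    print("parameterized SQL, unknown user + tautology:", login_fixed(db, "nobody", tautology))
    print("command line the shell would receive:", help_command_vulnerable(TAMPERED_VALUE))
    print("allowlist accepts tampered value:", is_valid_help_file(TAMPERED_VALUE))
```

Run as a script it shows the two sides of each lesson: the concatenated query logs in a user that does not exist, the parameterized one does not; the tampered field produces a command line with a second command appended, and the allowlist rejects it before anything reaches a shell.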