What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec

Despite appearing on vulnerability “Top 10” lists for many years, application vulnerabilities such as SQL injection and cross-site scripting continue to be significant attack vectors in organizational data breaches. In fact, the IBM X-Force 2013 Mid-Year Trend and Risk Report confirmed that SQL injection (SQLi) remained the most common way for attackers to breach organizational security controls, while cross-site scripting (XSS) continued to be the most common type of application vulnerability.
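
Since both findings above come down to the same mistake (untrusted input spliced into an interpreter's grammar), here is an added example, not from the slides or the X-Force report, that shows a login lookup written with string concatenation and with bound parameters against an in-memory SQLite table, plus the HTML-escaping counterpart for reflected XSS. The users table, its rows and the payloads are constructed for the demo.

```python
"""Added example (not from the IBM slides or the X-Force report): the same
login lookup written with string concatenation and with bound parameters,
run against an in-memory SQLite table of constructed sample users, plus the
HTML-escaping counterpart for reflected XSS. Table and rows are assumptions."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data for the demo (not a real schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str):
    # Input is pasted into the SQL text, so a quote in `name` ends the
    # literal and everything after it is parsed as SQL.
    sql = ("SELECT name, role FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_parameterized(conn: sqlite3.Connection, name: str, password: str):
    # Bound parameters: the driver passes values separately from the
    # statement text, so quotes and comment markers stay data.
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()


def greeting_vulnerable(name: str) -> str:
    # Reflecting input into HTML unescaped is the XSS form of the same mistake.
    return "<p>Welcome, " + name + "</p>"


def greeting_escaped(name: str) -> str:
    # Output encoding for the HTML body context; attribute, JavaScript and
    # URL contexts each need their own encoder.
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "alice'--"   # closes the literal, comments out the password check
    print(login_vulnerable(db, payload, "wrong"))      # ('alice', 'admin')
    print(login_parameterized(db, payload, "wrong"))   # None
    probe = "<script>alert(1)</script>"
    print(greeting_vulnerable(probe))   # script tag reaches the browser intact
    print(greeting_escaped(probe))      # &lt;script&gt;...
```

The parameterized version is not "the same query with quoting fixed": the statement text never changes, so no input can alter its shape. The same principle (keep data out of the grammar) is what output encoding does for HTML.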

In this session, we review the latest trends in application and mobile security vulnerabilities, and how to combat them with improved security awareness, organizational controls and application security testing technologies. We also address how to improve the security of the applications on your organization’s mobile devices.


  1. IBM Security Systems: OWASP Top Ten 2013 Update. Diana Kelley, Application Security Strategist. Presented: February 2014. © 2013 IBM Corporation
  2. Agenda
     • X-Force Latest Findings
     • OWASP and Top Ten Defined
     • OWASP Top Ten Web: 2013 Update Changes; Impacts
     • OWASP Top Ten Mobile
     • Making the Most of the OWASP Top Tens
     • How IBM Security AppScan can Help: Web; Mobile
     © 2014 IBM Corporation
  3. X-Force Latest Findings
  4. X-Force 2013 Findings
  5. XSS and SQLi Still Lead in Web Attacks
  6. OWASP and Top Ten Defined
  7. OWASP Defined
     • OWASP: Open Web Application Security Project
     • “Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.”
     • Facts:
       - Came online December 1, 2001
       - Established as a not-for-profit April 21, 2004
       - International organization, over 36,000 global participants
       - Free to participate
       - All materials are available under a free and open software license
       - Vendor neutral: does not endorse or recommend commercial products or services
  8. OWASP Projects
     • OWASP runs three types of projects:
       - Incubator: experimental projects whose ideas are still being proven (code, tools, documentation)
       - Labs: projects that have produced a deliverable of value (tools, documentation)
       - Flagship: superior maturity, established quality, and strategic value (code, tools, documentation)
     • The Top 10 is a Flagship documentation project at OWASP
  9. Who Uses the OWASP Top Ten?
     • Standards and practices
       - The U.S. Federal Trade Commission recommends that companies use the OWASP Top Ten to help prioritize efforts when addressing software risks: http://www.business.ftc.gov/documents/bus58-security-check-reducing-risks-your-computer-systems
       - PCI DSS 3.0 Requirement 6.5 cites it for industry best practices and common coding vulnerabilities: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
     • End-user companies, including A.G. Edwards, CitiBank, IBM Global Services, PricewaterhouseCoopers, Samsung, The Hartford: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=How_Are_Companies-ProjectsVendors_Using_the_OWASP_Top_10
     • Application security testing vendors, e.g. for compliance reporting in testing tools (spoiler alert: IBM!)
  10. OWASP Top Ten Web
  11. How the Ranking is Done
     • “The OWASP Top 10 focuses on identifying the most serious risks for a broad array of organizations. OWASP provides generic information about likelihood and technical impact using this ratings scheme, which is based on the OWASP Risk Rating Methodology.”* (the ratings scheme is shown as an image on the slide)
     • Based on 8 datasets from 7 firms that specialize in application security, including 4 consulting companies and 3 tool/SaaS vendors
     * Image source and text: https://www.owasp.org/index.php/Top_10_2013-Risk
  12. Comparison of 2010 and 2013 OWASP Top 10 Lists

     Rank  2010                                     2013                                     What Changed
     A1    Injection                                Injection                                N/A
     A2    Cross-Site Scripting (XSS)               Broken Authentication and Session Mgmt   Was 2010-A3
     A3    Broken Authentication and Session Mgmt   Cross-Site Scripting (XSS)               Was 2010-A2
     A4    Insecure Direct Object References        Insecure Direct Object References        N/A
     A5    Cross-Site Request Forgery (CSRF)        Security Misconfiguration                Was 2010-A6
     A6    Security Misconfiguration                Sensitive Data Exposure                  Merges 2010-A7 and 2010-A9
     A7    Insecure Cryptographic Storage           Missing Function Level Access Control    Expanded from 2010-A8
     A8    Failure to Restrict URL Access           Cross-Site Request Forgery (CSRF)        Was 2010-A5
     A9    Insufficient Transport Layer Protection  Using Known Vulnerable Components        Expansion from 2010-A6
     A10   Unvalidated Redirects and Forwards       Unvalidated Redirects and Forwards       N/A
  13. Other Changes of Note
     • Sensitive Data Exposure
       - Covers data in use (in the browser), in transit and at rest
       - Combined into a single vulnerability to encompass the data protection lifecycle in an application environment
       - Assess the entire cycle for data exposure: classify data to understand what is sensitive (e.g. passwords, EHR, PII), then scope data protection to that data
     • Don’t Forget!
       - For transport protection, SSL/TLS should be defined in requirements (state which protocol versions and cipher suites are acceptable, not just “use SSL”)
       - Techniques like preventing auto-complete and disabling caching can help protect data in use in the browser
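
The two browser-side techniques the slide names (no caching, no auto-complete) and the transport requirement are easy to state and easy to get subtly wrong, so here is an added audit check, not from the slides or from AppScan, that evaluates a response for them. It parses the Cache-Control directive list properly and walks the HTML for password fields; the weak and hardened responses are constructed samples.

```python
"""Added example (not from the slides): an audit of the browser-side
controls the slide names for data in use, no caching and no auto-complete,
alongside the transport check. Header names are matched case-insensitively
as HTTP requires. The two responses below are constructed samples."""
from html.parser import HTMLParser


def cache_directives(headers: dict) -> set:
    # Cache-Control is a comma-separated, case-insensitive directive list;
    # drop any "=value" so "max-age=0" is recorded as "max-age".
    lower = {k.lower(): v for k, v in headers.items()}
    raw = lower.get("cache-control", "")
    return {d.strip().split("=", 1)[0].lower() for d in raw.split(",") if d.strip()}


class _PasswordFieldScan(HTMLParser):
    """Collects password inputs that do not opt out of auto-complete."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "text").lower() == "password" and a.get("autocomplete", "").lower() != "off":
            self.findings.append(f"password field '{a.get('name', '?')}' allows auto-complete")


def audit_response(headers: dict, body: str, over_tls: bool) -> list:
    """Return findings for a response that carries sensitive data."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    if not over_tls:
        findings.append("sensitive data served without TLS")
    if "no-store" not in cache_directives(headers):
        findings.append("Cache-Control lacks no-store; browser or proxy may keep a copy")
    if "strict-transport-security" not in lower:
        findings.append("no Strict-Transport-Security header")
    scan = _PasswordFieldScan()
    scan.feed(body)
    findings.extend(scan.findings)
    return findings


# Constructed samples: a weak response and its hardened form.
WEAK_HEADERS = {"Content-Type": "text/html"}
WEAK_BODY = '<form action="/login"><input name="pw" type="password"></form>'
HARD_HEADERS = {
    "Content-Type": "text/html",
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",   # for HTTP/1.0 intermediaries
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
HARD_BODY = ('<form action="/login" autocomplete="off">'
             '<input name="pw" type="password" autocomplete="off"></form>')

if __name__ == "__main__":
    for finding in audit_response(WEAK_HEADERS, WEAK_BODY, over_tls=False):
        print("weak:", finding)
    print("hardened:", audit_response(HARD_HEADERS, HARD_BODY, over_tls=True))   # []
```

One caveat on the auto-complete technique: current browsers ignore autocomplete="off" on password fields for their own password managers, so treat it as defense in depth rather than a control you can rely on; no-store and TLS do the real work.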
  14. How Apps are Developed is Changing, and So Are the Attacks
     • Missing Function Level Access Control
       - Functions can be reached in ways not limited to the URL: the UI may show links or buttons that require login privileges, or the UI may hide them, but the function is still reachable on the server if the attacker can craft the correct request
       - Expanding this category highlights the importance of thorough testing on all methods of access
       - Don’t Forget! Test all methods of access; augment tools with manual pen testing for better coverage
     • Using Known Vulnerable Components
       - Previously part of “Security Misconfiguration”
       - Component-based development is on the rise, which requires closer attention to the security and testing of those components and open source modules
       - Don’t Forget! Forbidding use of external components may slow down development; consider an approved component library; re-test components, frameworks and plug-ins when new revisions are released before approving them for use; create guidance with recommended usage and configurations to prevent unintentional misuse
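
The Missing Function Level Access Control point above is best seen in code: a hidden menu link is not a control. The following is an added example, not from the slides, of a minimal request dispatcher where the same function is reachable by two paths; the first version only hides the link, the second binds the role check to the function itself. Paths, roles and users are constructed for the demo.

```python
"""Added example (not from the slides): a minimal request dispatcher that
shows 2013-A7 Missing Function Level Access Control, first with the only
'control' being a hidden menu link, then with the check attached to the
function itself. Paths, roles and users are constructed for the demo."""
from dataclasses import dataclass
from functools import wraps


@dataclass
class Request:
    path: str
    user: str   # authenticated identity from the server-side session ("" if anonymous)
    role: str   # role from the server-side session, never taken from the client


class Forbidden(Exception):
    pass


def requires_role(*allowed):
    """Enforce on the function, so every route, verb or client that reaches
    it goes through the same check."""
    def deco(fn):
        @wraps(fn)
        def guarded(req: Request):
            if req.role not in allowed:
                raise Forbidden(f"{req.user or 'anonymous'} -> {req.path}")
            return fn(req)
        return guarded
    return deco


# Vulnerable: the menu hides the admin link from non-admins...
def render_menu(req: Request) -> list:
    links = ["/home"]
    if req.role == "admin":
        links.append("/admin/delete_user")
    return links


# ...but the function behind it never checks who is calling.
def delete_user_vulnerable(req: Request) -> str:
    return f"deleted user via {req.path}"


# Hardened: the same function with the check bound to it.
@requires_role("admin")
def delete_user_hardened(req: Request) -> str:
    return f"deleted user via {req.path}"


# Two routes reach the same function (the menu link and a REST-style alias);
# this is why the slide says to test every method of access, not only the
# URLs visible in the UI.
ROUTES_VULNERABLE = {"/admin/delete_user": delete_user_vulnerable,
                     "/api/v1/users/delete": delete_user_vulnerable}
ROUTES_HARDENED = {"/admin/delete_user": delete_user_hardened,
                   "/api/v1/users/delete": delete_user_hardened}


def dispatch(routes: dict, req: Request) -> str:
    handler = routes.get(req.path)
    if handler is None:
        return "404"
    try:
        return handler(req)
    except Forbidden:
        return "403"


if __name__ == "__main__":
    bob = Request("/api/v1/users/delete", user="bob", role="user")
    print(render_menu(bob))                    # ['/home']: link hidden, nothing more
    print(dispatch(ROUTES_VULNERABLE, bob))    # deleted user via /api/v1/users/delete
    print(dispatch(ROUTES_HARDENED, bob))      # 403
    print(dispatch(ROUTES_HARDENED, Request("/admin/delete_user", "alice", "admin")))
```

When testing, replay the privileged request under a low-privilege session and under no session at all, for every path (and HTTP method) that maps to the function; a scanner that only follows links it can see will miss the alias.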
  15. OWASP Top Ten Mobile
  16. OWASP Top 10 Mobile, Release Candidate v1.0. Image source: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks
  17. Example: M4 Client Side Injection
     • “Checking the code is a fast and accurate way to see if the application is handling data correctly. Code analysis tools can help a security analyst find the use of interpreters and trace the data flow through the application. Manual penetration testers can confirm these issues by crafting exploits that confirm the vulnerability.”*
     * Image source and text: https://www.owasp.org/index.php/Mobile_Top_10_2012-M4
  18. Making the Most of the OWASP Top Tens
  19. OWASP is a Great Starting Point
     • But it’s not the final destination!
     • Software security testing is part of a broader application security program. The slide lays this out as a maturity ladder:
       - Basic: dynamic analysis, static analysis and glass box scanning of applications
       - Proficient: secure application engineering processes, fraud detection
       - Optimized: security intelligence (information and event management, advanced correlation and deep analytics, external threat research)
  20. What Works for You
     • “Leverage your organization’s existing strengths to do and measure what works for you”* (*https://www.owasp.org/index.php/Top_10_2013)
     • In-practice examples:
       - Companies that outsource development: use the OWASP Top Ten to evaluate code before acceptance/deployment
       - Companies that develop and test in-house: use OWASP for training developers, or as one of the baselines during security testing
       - Education for executives: to help them understand the risks and problems associated with insecure/untested software
  21. Create Your Own Top Ten, Ranking the OWASP Way
     • Start with the standard risk model: RISK = Likelihood × Impact
     • Customize for application security and your organizational needs:
       Step 1: Identifying a Risk
       Step 2: Factors for Estimating Likelihood
       Step 3: Factors for Estimating Impact
       Step 4: Determining Severity of the Risk
       Step 5: Deciding What to Fix
       Step 6: Customizing Your Risk Rating Model
     • Learn more: https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology#The_OWASP_Risk_Rating_Methodology
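
The six steps above are a procedure, so here is the arithmetic behind them carried through once. This is an added example, not from the slides: the factor names, the 0-9 bands and the severity matrix are those of the OWASP Risk Rating Methodology the slide links to; the scores for the sample finding (an internet-facing SQL injection in a login form) are constructed for the demo, and the optional per-factor weights are one way to do the customization of step 6.

```python
"""Added example (not from the slides): the arithmetic of the OWASP Risk
Rating Methodology that the slide's six steps refer to. Factor names, 0-9
bands and the severity matrix are OWASP's; the sample scores for one finding
are constructed, and the optional weights are a step-6 customization hook."""
from typing import Optional

LIKELIHOOD_FACTORS = (
    # threat agent factors
    "skill_level", "motive", "opportunity", "size",
    # vulnerability factors
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
TECHNICAL_IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
)
BUSINESS_IMPACT_FACTORS = (
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)

# OWASP overall-severity matrix, keyed by (likelihood level, impact level).
SEVERITY = {
    ("LOW", "LOW"): "Note",    ("MEDIUM", "LOW"): "Low",       ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low",  ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium", ("MEDIUM", "HIGH"): "High",     ("HIGH", "HIGH"): "Critical",
}


def level(score: float) -> str:
    """OWASP bands: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} outside 0..9")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def factor_average(scores: dict, factors: tuple, weights: Optional[dict] = None) -> float:
    """Weighted mean of the named factors; OWASP's default is unweighted."""
    missing = [f for f in factors if f not in scores]
    if missing:
        raise ValueError(f"missing factor scores: {missing}")
    for f in factors:
        if not 0 <= scores[f] <= 9:
            raise ValueError(f"{f}={scores[f]} outside 0..9")
    w = {f: (weights or {}).get(f, 1.0) for f in factors}
    return sum(scores[f] * w[f] for f in factors) / sum(w.values())


def rate(scores: dict, impact_factors: tuple = TECHNICAL_IMPACT_FACTORS,
         weights: Optional[dict] = None) -> dict:
    """Steps 2-4: estimate likelihood and impact, then read the severity matrix."""
    likelihood = factor_average(scores, LIKELIHOOD_FACTORS, weights)
    impact = factor_average(scores, impact_factors, weights)
    ll, il = level(likelihood), level(impact)
    return {"likelihood": likelihood, "impact": impact,
            "likelihood_level": ll, "impact_level": il,
            "severity": SEVERITY[(ll, il)]}


# Constructed scores for an internet-facing SQL injection in a login form.
SQLI_LOGIN = {
    "skill_level": 3, "motive": 9, "opportunity": 9, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 9, "intrusion_detection": 8,
    "loss_of_confidentiality": 7, "loss_of_integrity": 7,
    "loss_of_availability": 5, "loss_of_accountability": 7,
}

if __name__ == "__main__":
    print(rate(SQLI_LOGIN))   # likelihood 7.375 HIGH, impact 6.5 HIGH -> Critical
```

Passing BUSINESS_IMPACT_FACTORS as impact_factors (with the corresponding scores) rates the same finding on business rather than technical impact, which is how a team builds its own ranking rather than inheriting the generic one.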
  22. How IBM Security AppScan can Help
  23. Application Security: The Source of Security Protection
     1. Web application vulnerabilities dominate the enterprise threat landscape
     2. Mobile application attacks are increasing rapidly
     3. Vulnerabilities spread through a wide variety of applications (internal development / external, in use without code)
     4. Common questions: where are your vulnerabilities, and how do you validate the risk?
     5. Many clients still do not understand the need for application security in their environment
  24. Gartner has recognized IBM as a leader in the Magic Quadrant for Application Security Testing (AST)
     • Magic Quadrant for Application Security Testing, Neil MacDonald, Joseph Feiman, July 2, 2013: “The market for application security testing is changing rapidly. Technology trends, such as mobile applications, advanced Web applications and dynamic languages, are forcing the need to combine dynamic and static testing capabilities, which is reshaping the overall market.”
     • This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The link to the Gartner report is available upon request from IBM. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
  25. Adopt a Secure by Design approach to enable you to design, deliver and manage smarter software and services
     • Build security into your application development process
     • Efficiently and effectively address security defects before deployment
     • Collaborate effectively between Security and Development
     • Provide management visibility
     • Proactively address vulnerabilities early in the development process
     • Outcomes: deliver new services faster, innovate securely, reduce costs
  26. Finding more vulnerabilities using advanced techniques (the slide's chart ranks these against “Total Potential Security Issues”)
     • Static Analysis: analyze source code; use during development; uses taint analysis / pattern matching
     • Dynamic Analysis: analyze the live web application; use during testing; uses HTTP tampering
     • Hybrid Analysis: correlate dynamic and static results; assists remediation by identifying the line of code
     • Run-Time Analysis: combines dynamic analysis with a run-time agent; more results, better accuracy
     • Client-Side Analysis: analyze downloaded JavaScript code that runs in the client; unique in the industry
  27. The IBM Security AppScan Solution
     • AppScan Enterprise Server: governance, collaboration, security intelligence, correlation; data access API
     • AppScan Source for Analysis: configure software, scan, triage results, manage security policies
     • AppScan Source for Automation: build integration, automate scans; ANT, Make, Maven integration
     • AppScan Source for Development: investigate flaws, remediate with guidance, IDE scan, confirm fix
     • AppScan Source for Remediation: non-scanning IDE plugin
     • AppScan Standard: desktop solution for security consultants and in-house security testers (penetration testing); combines advanced security testing with ease of use; DAST with advanced hybrid technology included (JavaScript Analyzer and new Glass box)
  28. Remediation Assistance
     • Vulnerability found: details
     • Explanation of the vulnerability
     • Fix recommendation
  29. Enterprise Dashboards: Measure Progress
     • Compare the number of issues across teams and applications
     • Identify top security issues and risks
     • View trending of the number of issues by severity over time
     • Monitor the progress of issue resolution
  30. Bridging the Security/Development Gap
     • Break down organizational silos: security experts establish security testing policies; development teams test early in the cycle
     • Provide management visibility: dashboard of application risk; enable compliance with regulation-specific reporting; treat vulnerabilities as development defects
     • Enables collaboration among developer, architect, quality professional and security auditor
     • “… we wanted to go to a multiuser web-based solution that enabled us to do concurrent scans and provide our customers with a web-based portal for accessing and sharing information on identified issues.” Alex Jalso, Asst Dir, Office of InfoSecurity, WVU
  31. AppScan Enterprise: OWASP Top Ten 2013 Reporting
  32. AppScan Source: 100% coverage of the OWASP Mobile Top Ten (slide marked “Under NDA until date of announce”)

     OWASP Mobile Top 10                          IBM Security AppScan coverage
     1. Insecure Data Storage                     Trace routes of sensitive data
     2. Weak Server Side Controls                 Security scanning of server-side code
     3. Insufficient Transport Layer Protection   Check for use of SSL/TLS
     4. Client Side Injection                     Checks for common injection flaws including SQLi, HTMLi and XSS
     5. Poor Authentication and Authorization     Track where IDs and passwords enter/exit the system
     6. Improper Session Handling                 Verify UUID is not used for session management
     7. Security Decisions via Untrusted Inputs   Track where data originates and how it is used
     8. Side Channel Data Leakage                 Test for data leakage to log files, pasteboard, property lists, etc.
     9. Broken Cryptography                       Identify proper cryptographic usage
     10. Sensitive Information Disclosure         Test for data leakage to peripherals, network, sockets, etc.
  33. Wrap-Up!
     • X-Force is IBM’s leading research on attacks and insights into today’s security threat landscape: stay ahead of the threat, know what attackers are doing
     • OWASP and the OWASP Top Ten: industry-accepted rankings of the most critical web and mobile software vulnerabilities; use these to help inform and mature your software security programs
     • IBM Security AppScan can be a critical part of that program: test for the high severity vulnerabilities, prioritize fixes, help developers remediate existing problems and learn how to code to prevent new ones, run reports for auditors and assessors
  34. ibm.com/security