We offer customers choice and flexibility in how they purchase and use our products and services. These range from modular software suites like Symantec Protection Suites for enterprises to all-in-one software products such as Norton 360 for consumers. We have professional services – 4,000 security experts providing everything from advisory to supports services – to Norton Live consumer services. There are a variety of solutions that we offer as a service (SaaS) – from online backup for consumers to messaging security for enterprises. And then there are managed services – from residency to MSS to Norton Live for consumers.
Fewer site-specific vulns in 2008 but they still aren’t being patched. Only 394 (3%) patched in 2008 compared to 1,240 (7%) in 2007. The number of site-specific vulns is adding up over time. In 2008, 63% of identified vulnerabilities affected Web applications, an increase over 2007, when 59% did. In 2008 there were a number of high-profile incidents involving SQL injection vulnerabilities. The purpose of these attacks was to inject malicious content into compromised sites that would then attempt to exploit subsequent site visitors. Attackers used a technique that allowed them to dynamically inject malicious content into strings throughout the database without detection. This provided a means of generically exploiting vulnerable applications rather than having to develop application-specific payloads. Messaging: Web servers can be difficult to secure. Patching requires downtime and frequently corporate sites are hosted on third-party server networks. As a result they can frequently be easy targets for attackers. Because of this, Web servers and connected databases need to be continuously monitored for suspicious activity.
STEVE ORRIN: All of this should lead you to demand better application security. But, if you still need more facts, lets review some more data points: Web application attacks are now more frequent. In Q1 2002, Sanctum found serious security defects in applications in 100% of the commercial sites we audited; The attacks are more expensive to recover from. Costs to patch are high, and the cost of a lost reputation is impossible to quantify. The attacks are more pervasive. A F50 Sanctum customer found serious security defects in over 700 of its deployed applications Finally, the attacks are growing more dangerous, and they usually go undetected. When we look closer at what was actually able to be manipulated on the sites we audited, it is quite scary. In 31% of the sites, full control and access was achieved. In 25% of the sites, privacy was breached, and in 3% of the sites, the entire site was able to be deleted. These are serious problems. Next slide
Security Lifecycle Management Process
INFOSECFORCE Application Security INFOSECFORCE Application Security BILL ROSS 15 Sept 2008 “ Balancing security controls to business requirements “ BILL ROSS 1
INFOSECFORCE Security and Project LifecyclesSecurity and Lifecycle Management Process (SLCMP) Said “slickum”A “practitioner’s” view ….. Bill Ross
INFOSECFORCE Slickum brief objectives Purpose: - Discuss application security issues - Describe web application information security - To describe a process by which software is securely developed Expected outcome: - An increased awareness of how to prevent web application attacks - How to implement the SLCMP process into the SDLC - More securely built applications and infrastructure
INFOSECFORCE What You Need to Know Symantec Internet Security Threat Report, Volume XIV 4
INFOSECFORCE Operational report Less rigor in Web programming, an increasing variety of software, and restrictions on Web security testing have combined to make flaws in Web software the most reported security issues, according to the Common Vulnerabilities and Exposures (CVE) project. Web and business applications are increasingly compromised around the world causing businesses to loose millions of dollars through data compromise Hacking is no longer for fun …… it is for profit …. Internal or external hackers exploit weaknesses in application code to achieve their objectives. Symantec 2008 Cyber report indicates there are 1,656, 227 number of new threats in the wild
INFOSECFORCE Common attack tools1. Phishing. The use of e-mails that appear to originate from a trusted source to trick a user into enteringvalid credentials at a fake website. Typically the e-mail and the web site looks like they are part of a bank theuser is doing business with.2. Malicious Code Software (e.g., Trojan horse) that appears to perform a useful or desirable function, butactually gains unauthorized access to system resources or tricks a user into executing other malicious logic.Malware A generic term for a number of different types of malicious code.3. Spam Electronic junk mail or junk newsgroup postings.4. Worms. A computer program that can run independently, can propagate a complete working version ofitself onto other hosts on a network, and may consume computer resources destructively.5. Trojan. A computer program that appears to have a useful function, but also has a hidden and potentiallymalicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of asystem entity that invokes the program.6. Virus. A hidden, self-replicating section of computer software, usually malicious logic, that propagates byinfecting - i.e., inserting a copy of itself into and becoming part of - another program. A virus cannot run by itself;it requires that its host program be run to make the virus active.8. Key stroke logger. Practice of tracking(or logging) the keys struck on a keyboard typically in a covertmanner so that the person using the keyboard is unaware that their actions are being monitored9. Denial of service. The prevention of authorized access to a system resource or the delaying of systemoperations and functions10. Web application attacks
INFOSECFORCE “ the Cyber Battle Field” Google China cyber attack part of vast espionage campaign, experts sayComputer attacks on Google that the search giant said originated in Chinawere part of a concerted political and corporate espionage effort that exploitedsecurity flaws in e-mail attachments to sneak into the networks of majorfinancial, defense and technology companies and research institutions in theUnited States, security experts said. (New York Times) Washington (DC) - Yesterday, the FBI announced it considers cyber attacks to be the third greatest threat to the security of the United States. The only two preceding it are nuclear war and weapons of mass destruction (WMD). JAN 2009
INFOSECFORCE Malicious code is installed • In 2008, Symantec blocked an average of more than 245 million attempted malicious code attacks worldwide each month. • Over 60% of Symantec’s malicious code signatures were created in 2008. • Over 90% of threats discovered in 2008 are threats to confidential information.Symantec Internet Security Threat Report
INFOSECFORCE Key trends“The attacks are more aggressive than ever and they’re more criminal than ever,” says Dave Cole, director of Symantec Security Response.The bad guys are also more organized. The report says they are working together to create “global, cooperative networks” to support their criminal activity.It’s not quite the Mafia, but there is an entire underground economy in place to deal with all the stolen information up for sale.” Web-based Cyber criminals want Increased sophistication Rapid adaptation to malicious activity YOUR information of the Underground security measures has accelerated Economy • Focus on exploits • Primary vector for targeting end-users • Well-established • Relocating operations to malicious activity for financial gain infrastructure for new geographic areas • Target reputable, monetizing stolen • Evade traditional security high-traffic websites information protection Symantec Internet Security Threat Report
INFOSECFORCE Key Trends – Global Activity • Data breaches can • Documented • Trojans made up 68 • 76% phishing lures target lead to identity theft vulnerabilities up percent of the Financial services (up • Theft and loss top 19% (5491) volume of the top 50 24%) cause of data • Top attacked malicious code • Detected 55,389 phishing leakage for overall vulnerability: • 66% of potential website hosts (up 66%) data breaches and Exploits by malicious code • Detected 192% increase in identities exposed Downadup infections propagated spam across the Internet • Threat activity • 95% vulnerabilities as shared executable with 349.6 billion increases with attacked were client- files messages growth in side • 90% spam email Internet/Broadband distributed by Bot networks usage Internet Security Threat Report
INFOSECFORCE Website compromise• Attackers locate and compromise a high-traffic site through a vulnerability specific to the site or in a Web application it hosts• Once the site is compromised, attackers modify pages so malicious content is served to visitors Site-specific vulnerabilities Web application vulnerabilities Internet Security Threat Report, 11 11
INFOSECFORCE Impact of Security Defects Bad Business • On average, there are 5 to 15 defects in every 1,000 lines of code US Dept. of Defense and the Software Engineering Institute Slow Business • It takes 75 minutes on average to track down one defect. Fixing one of these defects takes 2 to 9 hours each 5 Year Pentagon Study • Researching each of the 4,200 vulnerabilities published by CERT last year for 10 minutes would have required 1 staffer to research for 17.5 full workweeks or 700 hours Intel White paper, CERT, ICSA Labs Loss of Business • A company with 1,000 servers can spend $300,000 to test & deploy a patch; most companies deploy several patches a week Gartner Group
INFOSECFORCE The SDL Reduces the Total Cost of Development The National Institute of Standards and Technology (NIST) estimates that code fixes performed after release can result in 30 times the cost of fixes performed during the design phase.
INFOSECFORCE Top 10 Web Security Threats Broken authentication Cross-site scripting (XSS)Broken access control Unvalidated input Insecure storage Buffer overflowsImproper error handling Injection flaws Insecure configuration management Application denial-of-service SUN
INFOSECFORCE Web Application Security Threats1. Unvalidated input (Mother of all Web Tiered Attacks)Attacker can tamper any part of the HTTP request. SQL injection, Cross Site Scripting, buffer overflows(URL,Cookies, Form Fields, Hidden Fields, Headers )2. Broken Access ControlInsecured IDs, Poor file permissions, Service account exploit, Path Traversal3. Broken Authentication and Session ManagementFocus is in USER authentication and user active sessions. Example is if “cookies” not proper protected,attacker can assume the identity of user4. Cross site scriptingMalicious script sent to server which is then sent to user accessing same server (Chat server). User believesscript came from trusted source. (Can come in any form of active scripting (Java, Active X, Shockwave, Flashand etc)
INFOSECFORCE Web Application Security Threats 2 5. Buffer Overflow Errors Attackers use buffer overflows to corrupt the execution stack of a web application By sending carefully crafted input to a web application, an attacker can cause the web application to execute arbitrary code. Present in both the web server or application server products or the web application itself 6. Injection Flaws Injection flaws allow attackers to relay malicious code through a web application to another system. When a web application passes information from an HTTP request through as part of an external request, the attacker can inject special (meta) characters, malicious commands, or command modifiers into the information 7 . Improper Error Handling The most common problem is when detailed internal error messages such as stack traces, database dumps, and error codes are displayed to a potential hacker . These messages reveal implementation details that should never be revealed. 8. Application DOS Types of resources Bandwidth, database connections, disk storage, CPU, memory, threads, or application specific resources. Application level resources impacting
INFOSECFORCE Attack vector analysesHacker targets• From observed hacker malicious activity statistics, we know that hackers are now seldom interested in defeating the network or the infrastructure low-level defenses. The adversaries today are well aware of the fact that applications are typically less defended than the rest of the IT infrastructure. A Garner report states “ that over 75% of attacks against websites and web- based applications come at the application layer and not lower infrastructure and network layers.” Source: IBM
INFOSECFORCE Application security paradoxApplications, data and business processes arevulnerable even when a robust network andinfrastructure security program is in place. Internet DMZ Trusted IIS ASP .NET Inside SunOne SQL WebSphere Oracle Apache Java DB2HTTP(S) Corporate IMAP, FTP Firewall only Firewall only Firewall only allow Inside allows PORT 80 allows application server SSH , TELNET (or 443 SSL) applications to talk to POP3, XML traffic from the on the web database server. Internet to the server to talk to web server. application Any – Web server. Server: 80 SOURCE: SPIDYNAMICS
INFOSECFORCE How did this happen ?Business engines fueled by multiple and powerful applications
INFOSECFORCE Expanding “e-com” perimeter Microsoft’s vision for secure and Easy “ anywhere access ” Bill Gates, 2007 RSA
INFOSECFORCE Expanding “e-com” perimeter Microsoft’s vision for secureSocial networks, and I-Pod, I-PAD as a network, peripheral-geddon Easy & “ anywhere access ” “THE CLOUD” Bill Gates, 2007 RSA
INFOSECFORCE This ….. IBM believes Application Security Strategies Engineering security into application systems is a critical discipline and should be a key component in multi-disciplinary, concurrent or distributed development teams. This applies to the development, integration, operation, administration, maintenance and evolution of e-Business application systems as well as to the development, delivery, and evolution of software-based products. Source: IBM
INFOSECFORCE Security Business CaseSecurity Defects Matter Frequent • 3 out of 4 business websites are vulnerable to attack (Gartner) Pervasive • Majority of hacks occur at the Application level (Gartner) = Undetected • QA testing tools not designed to detect security defects in applications Expensive • Bugs and software defects costs the national economy $60 billion annually … delivering quality applications to the1000 application sample ‘Healthchecks’ with market has become a mandatory requirementAppScan – 98% vulnerable: all had firewalls … the cost of fixing defects after deploymentand encryption solutions in place… is almost 100 times greater than detecting and eliminating them during development. SOURCE: Seagate Technology
INFOSECFORCE Best practice solutions Application security requirements define the high level specifications for securelydeveloping and deploying applications Application Planning Application Development Prod and Maintenance Minimal set of coding practices Data Classification – Classify Input Validation – Validate input Applications shall be hosted on data according to the sensitivity of from all sources. servers compliant with the corporate the data. Security requirements for IT system Default deny – Access control Risk Assessment – Conduct should be based on specific hardening preliminary risk assessment before permission rather than exclusion. development begins and after Applications classified as planning is complete. Security By default all access should be sensitive shall at a minimum have Requirements – Identify and denied. document the security requirements annual vulnerability assessments, of the application early in the Principle of Least Privilege – when a significant change to the development lifecycle. Perform all processes with the least application has occurred, or set of required privileges depending on the data sensitivity Security Design – Use the Data and risk. Classification process to determine Quality Assurance – Quality specific security services needed by assurance identifies and eliminates the application software vulnerabilities. SDLC – Address security within Perform internal testing – Use all stages of the SDLC. source code auditing, pen testing, manual code review, or automated source code review
INFOSECFORCE Principles of Secure Programming TARGET THESE AREAS Minimize attack surface area Secure defaults Principle of least privilege Principle of defense in depth Fail securely External systems are insecure Separation of duties Do not trust security through obscurity Simplicity Fix security issues correctly SUN
INFOSECFORCE Application security risk analyses Vulnerability Not having a dedicated security program that trains developers to build secure applications, not embedding security into the SDLC, not conducting security testing on applications during and after development, and not having application firewalls Threat Numerous threats such as: - SQL injection, cross site scripting, buffer overflow Risk Multiple avenues of attack on organizational vital information assets Likelihood rating High Risk Impact High rating Overall risk High rating Risk summary High Relevant Hardened infrastructure (will not block port 80 attacks) controls Risk mitigation Follow application security planning, development and production best practices. Build security into all SDLC phases.
INFOSECFORCE SLCMP Embed information security in the SDLC and PLCMP by applying the practices and procedures defined in SLCMP
INFOSECFORCE An art form “ Building highly secure software is nothing less than an eloquently choreographed dance that calls upon the talent and skills of the developer, project manager and information security teaming to ensure that an application securely glides with grace across the technical stage ”
INFOSECFORCE SLCMP and the SDLC …“The Dance” Initiate Design/Develop Implement Production Statement of need Functional Design and Code 1 st phase 2 nd phase QA Pre prod Prod Post Prod for new business requirements technical development prod testing prod testing process, document architecture application or designed developed technology INFOSEC architecture document created based on data security Application andINFOSEC participation categorization, policy, infrastructurein feasibility analyses, application functionality penetration testingno documentation and risk and vulnerabilityrequired Server cert assessments Build the System Security Plan Integrate controls and First phase Second phase app security Third phase app Create final Ongoing pen based on NIST 800-53 control create detailed application security testing using formalized security test which risk tests, application security process to decompile code follows phase one guidelines. Preliminary risk and testing. Once code acceptance vulnerability test plan defining as much as possible to testing process. vulnerability assessment done. begins solidifying, Used as final document assessments, Measures requirements against testing tools, use soft tools such as determine if code has verification that risk policy and provides functional timelines, remedial AppScan or Spi organic exposures violating code is stable management adjustments. Security action processes and Dynamics for high policy, security design, and from INFOSEC requirements stated based on testers. Gain level testing. the security architecture. perspective preliminary risk and vulnerability approval from project Feedback findings to Correct findings and provide manager. to developers to fix or define assessments. If necessary, developers for code mitigating controls. Aspect ** Security certification and requirements document adjusted correction security has expertise in this accreditation should be area finalized
INFOSECFORCE SLCMP Deliverables Initiate Develop Implement Production - Security control integration - Second phase app security- Data security categorization testing- Preliminary risk assessment - Third phase app security testing - Security certification- Security plan - Security accreditation- Risk assessment - Security architecture - Threat management- Functional requirements - Functional and vulnerability - Configurationanalyses test plan management and control- Assurance requirements - First phase testing - Continuous monitoring- Control selection - Additional planning - Incident response plan assignments
INFOSECFORCE SLCMP and the PLCMP Initiate Design/Develop Implement Production Demand manger reviews the request Control selection begins. and categorizes project type as a Defines high level technical Validate designs, validate cost Operations provide operational small, medium, or larger project. and security architecture. estimates, and implement final support for all final solutions and Detailed technical and solutions and designs designs implemented as part of the security design infrastructure. • Architecture • Design security controls • Security architecture • Implementation • Patch management Standards and • Begin organizing security • Design and technical • Change Management • Monitoring Convergence plan development architecture developed Capacity Monitoring • Incident response • Project Review • Architecture Review • Day to Day Operations • Security administration • Scoping • Detailed Design planning • KPI reporting on security • Solution Design • Level 4 Support design metrics • Cost Estimation • Define Security requirements • Security architecture • Threat management • Data and Infrastructure Categorization • Security control integration • Preliminary risk assessment • Security test plan design • Ongoing pen and vulnerability • Risk assessment • Security penetration and • Control selection and standard testing • Functional requirements analyses vulnerability testing integration • Determines validity of security • Assurance requirements analyses • Security certification architecture • Control selection and standard • Security accreditation • Determines security process integration • Final risk assessment shortfalls • Determines product successful functionality and shortfalls • Security administration • Security monitoringINPUTSECURITY PLANFEEDBACK
INFOSECFORCE SLCMP adopted guidelines Starting Point FIPS 199 / SP 800-60 FIPS 200 / SP 800-53 SP 800-37 Security Security Control Categorization Security Control Selection Monitoring Defines category of information Selects minimum security controls (i.e., system according to potential Continuously tracks changes to the safeguards and countermeasures) planned or impact of loss information system that may affect security in place to protect the information system controls and assesses control effectiveness SP 800-53 / FIPS 200 / SP 800-30 SP 800-37 Security Control SLCMP System Refinement Authorization Uses risk assessment to adjust minimum control INPUTS Determines risk to agency operations, agency set based on local conditions, required threat assets, or individuals and, if acceptable, coverage, and specific agency requirements authorizes information system processing SP 800-18 SP 800-53A / SP 800-26 / SP 800-37 SP 800-70 Security Control Security Control Documentation Security Control Assessment Implementation In system security plan, provides a an Determines extent to which the security overview of the security requirements for Implements security controls in controls are implemented correctly, operating the information system and documents the new or legacy information as intended, and producing desired outcome security controls planned or in place systems; implements security with respect to meeting security configuration checklists requirements Source: NIST
INFOSECFORCE SLCMP Benefits SLCMP ROI Fortified applications or infrastructure projects Hardened against internal and external attack Meets regulatory compliance mandates Enhances IS staff knowledge and capability Reduces long term costs
INFOSECFORCE Conclusions • 80 % of all attacks on Information Security are directed to the web application layer • 2/3 of all web applications are vulnerable • Infrastructure security doesn’t directly protect code • The cost of fixing defects after deployment is almost one hundred times greater than detecting and eliminating them during design • One of the most significant risk mitigations an organization can implement is to create a consistent end-to-end process such as the SLCMP to embed security and security testing and certification in infrastructure and software development projects
INFOSECFORCE Initiate deliverables Data security Categorization Rate application importance as a low, medium, or high impact application. This is a business impact analyses which defines impact on an organization if security controls are breeched. Leads to proper selection of security controls required. Preliminary risk assessment Measures application/project requirements against policy and provides functional adjustments. Security requirements stated based on preliminary risk and vulnerability assessments. If necessary, requirements document adjusted. Focuses on early assessment of the applications requirements for confidentiality, integrity and availability (CIA)
INFOSECFORCE Develop and designRisk assessment Conducted before the approval of the design specifications. Builds on the initial risk assessment but more specific. Identifies possible threats/vulnerabilities. Determines impact on organization if threat occurred. Identifies imposed risks on other assets. Additional controls needed to prevent identified risks need to be fed back to the development teamSecurity plan Foundation for entire SLCMP process. Ensures all controls, architectures, risk assessments, test requirements, accreditation/assurance and personnel responsibilities are documented.Functional requirements Ensure that enterprise security policy and standards are followed. Determine which lawsanalyses must be followed by the application.Assurance requirements Determine what level of certification application requires. For example, governmentanalyses applications might require a FISMA C&A.
INFOSECFORCE Develop …..continuedControl selection Can refer to security control standards or use a NIST-like Information Security Requirements List to define security environment that an application, service, or project should meet.Security architecture Multi faceted security product linking all controls, standards, policies, governance, platform hooks, data base management, boundary rules and information security science into a cohesive operational CIA security sphere. Likely section of the Security plan.Functional and vulnerability Multi phase technical plan designed to ensure security controls work and that businesstest plan logic and software are impervious to corruption and manipulation. Will also include penetration test plans. Feeds assurance models.First phase testing Provides developers early high level look at code stabilityAdditional planning RFPs, SOW, Funding, Test lab, software requirements, staff increases, and etccomponents
INFOSECFORCE Implement deliverablesSecurity control integration Security control settings and switches enabled IAW Security plan and architectureSecond phase app security Formalized process to decompile code as much as possible to determine if code has organic exposures violating policy, security design, and the security architecture. Correcttesting findings and provide to developers to fix or define mitigating controls. Aspect security has expertise in this areaThird phase app security Verifies second phase corrections. Use App security test tool following phase one testing process. Used as final verification that code is stable from INFOSEC perspectivetestingSecurity certification Pen testing, third party evaluation, test plan results approved, servers hardened and certified , control effectiveness, governance attestationRMP/Security accreditation End-to-end risk evaluation incorporating all findings in security certification, final information security risk decisions, accreditation document signed
INFOSECFORCE Production deliverablesThreat management TM preventive guidance found in security plan. Ongoing oversight of environment entailing constant environmental and risk management vigilance surrounding operational environment.Configuration management Operational process and plan to ensure environment receives current security patches andand control other software preventive updates ensuring application or environment integrity is maintainedContinuous monitoring Implement vulnerability management program to regularly assess integrity and availability of the operating environment. Use COSO testing and other vulnerability assessment and control processes to ensure that security processes and procedures work.Incident response plan Local Incident Response Plan will provide process and procedures to rapidly respond to all security events and incidents.
INFOSECFORCE SDLC/PLCMP DeliverablesInitiate - Data security categorization - Security Plan - Preliminary risk assessmentDesign and - Risk assessment - Security architecturedevelop - Functional and vulnerability - Functional requirements analyses test plan - Assurance requirements - First phase testing - Control selection - Additional planning assignmentsImplement - Security control integration - Security certification - Security accreditation - Second phase app security testing - Final risk acceptance - Third phase app security testing documentProduction - Threat management - Configuration management and control - Continuous monitoring - Incident response plan REF: NIST 800-53