Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

7 Ways to Scale Web Security (SANS AppSec Summit 2012)

Website compromises are an everyday, headline-making reality. Sometimes a cyber-attacker's motivation is national security inclined, other times its profit-driven, or it's to express a political message, and sometimes it's just for the LulzSec. It also doesn't matter anymore if their targets are governments, military contractors, retailers, banks or even blogs - everyone online can now be on the receiving-end of a Web attack and, usually, by techniques we're already very familiar with yet often overlook: SQL Injection, PHP File Include, Cross-Site Scripting, Clickjacking, Cross-Site Request Forgery, the list goes on.

There truly is nothing new here that we haven't seen before. We know how to find these vulnerabilities, we know how to fix them, and we know how to prevent them. Yet, website compromises continue to increase anyways.

The answer to why they're increasing is simple: many companies haven't solved the challenge on how to address Web application security at scale.

Whether you are responsible for protecting 10, 100, 1000 websites or even more, the technical challenges for Web application security at scale are two-fold:

1)   How do you deal with an enormous backlog of Web code - already completed, riddled with vulnerabilities and developed in an era where security awareness was nonexistent?

2)   How do you successfully integrate Web application security into the push-or-die pace of agile software development so your next generation of Web code is able to defend itself from modern attacks?

Answering these two questions requires a two-prong strategy that addresses operational security and ongoing software security, which comprises the central focus of this presentation.

  • Login to see the comments

  • Be the first to like this

7 Ways to Scale Web Security (SANS AppSec Summit 2012)

  1. 1. 7 Ways to Scale Web SecurityJeremiah GrossmanFounder & Chief Technology OfficerSANS AppSec Summit04.30.2012 © 2012 WhiteHat Security, Inc. 1
  2. 2. Jeremiah GrossmanØFounder & CTO of WhiteHat SecurityØ6-Continent Public SpeakerØTED AlumniØAn InfoWorld Top 25 CTOØCo-founder of the Web Application Security ConsortiumØCo-author: Cross-Site Scripting AttacksØFormer Yahoo! information security officerØBrazilian Jiu-Jitsu Black Belt © 2012 WhiteHat Security, Inc. 2
  3. 3. WhiteHat Security : Company OverviewØHeadquartered in Santa Clara, CAØWhiteHat Sentinel – SaaS end-to-end website risk management platformØEmployees: 170+ØCustomers: 500+ Cool Vendor The FutureNow List © 2012 WhiteHat Security, Inc.
  4. 4. We shop, bank, pay bills, file taxes, share photos, keep in touch with friends & family, watch movies, play games, and more. Cyber-war Cyber-crime HacktivismPwC Survey:“Cybercrime is now the second biggest cause of economiccrime experienced by the Financial Services sector.” © 2012 WhiteHat Security, Inc. 4
  5. 5. Website Hacked © 2012 WhiteHat Security, Inc. 5
  6. 6. Verizon Data Breach Investigations Report: 2010 DBIR: “The majority of breaches and almost all of the data stolen in 2009 (95%) were perpetrated by remote organized criminal groups hacking "servers and applications." 2011 DBIR: “The number of Web application breaches increased last year and made up nearly 40% of the overall attacks.“ 2012 DBIR: “Web applications abound in many larger companies, and remain a popular (54% of breaches) and successful (39% of records) attack vector.” © 2012 WhiteHat Security, Inc. 6
  7. 7. 855 incidents, 174 million compromised records © 2012 WhiteHat Security, Inc. 7
  8. 8. © 2012 WhiteHat Security, Inc. 8
  9. 9. (Name of the Game)SCALABILITY “An algorithm, design, networking protocol, program, or other system is said to scale, if it is suitably efficient and practical when applied to large situations (e.g. a large input data set, a large number of outputs or users, or a large number of participating nodes in the case of a distributed system). If the design or system fails when a quantity increases, it does not scale.” © 2012 WhiteHat Security, Inc. 9
  10. 10. © 2012 WhiteHat Security, Inc. 10
  11. 11. People Process SCALE Technology• People: Cognitive ability, operate and interpret technology results• Process: Organize and make efficient use of resources• Technology: To scale the people and the process © 2012 WhiteHat Security, Inc. 11
  12. 12. 3 Hard Facts About Technology1) Technology is incapable of eliminating the need for people in any aspect of application security. This includes source code reviews, penetration testing, threat modeling, architectural review, development, etc.2) Without technology there is far too much work than could ever be completed manually by the number of people available, even if monetary costs were not an issue.3) The best technology can offer is increasing efficiency and reducing the quantity and skill level of the people necessary to complete a given process. © 2012 WhiteHat Security, Inc. 12
  13. 13. WhiteHat Sentinel – Assessment Platform• Software-as-a-Service• Annual Per Website Subscription• Unlimited Assessments / Users 500+ enterprises from start-ups to fortune 500 1,000,000 vulnerabilities processed per day 6 Terabytes data stored per day 7,000+ websites receiving ~weekly assessments 940,000,000 HTTP(s) requests per month © 2012 WhiteHat Security, Inc.
  14. 14. © 2012 WhiteHat Security, Inc. 14
  15. 15. 7,000+ Customer Websites © 2012 WhiteHat Security, Inc. 15
  16. 16. 1 Game-ification © 2012 WhiteHat Security, Inc. 16
  17. 17. Elevation of Privilege (EoP)Card GameElevation of Privilege (EoP) is the easy way to get startedthreat modeling, which is a core component of the designphase in the Microsoft Security Development Lifecycle (SDL).The EoP card game helps clarify the details of threatmodeling and examines possible threats to software andcomputer systems.The EoP game focuses on the following threats:• Spoofing• Tampering• Repudiation• Information Disclosure• Denial of Service• Elevation of PrivilegeEoP uses a simple point system that allows you to challengeother developers and become your opponents biggest threat. © 2012 WhiteHat Security, Inc. 17
  18. 18. Capture  the  Flag © 2012 WhiteHat Security, Inc. 18
  19. 19. 2 (Security Scorecards) Peer Pressure © 2012 WhiteHat Security, Inc. 19
  20. 20. Publish Scorecards Internally &Regularly -- For All To See Avg.   High  Severity   Remedia5on   Window  of  Exposure   Group Time-­‐to-­‐Fix   Vulnerabili5es Rate (Days) (Days)2012  Corporate  Goal 20 30 75% 100Industry  Average 55 32 63% 223Business  Unit  1 17 45 74% 195Business  Unit  2 53 30 46% 161Business  Unit  3 67 66 63% 237Business  Unit  4 48 35 69% 232 © 2012 WhiteHat Security, Inc. 20
  21. 21. Computer-Based3 Training (CBT) © 2012 WhiteHat Security, Inc. 21
  22. 22. The biggest problem inapplication security today:The huge shortage of qualifiedapplication security people. © 2012 WhiteHat Security, Inc. 22
  23. 23. Gary McGraw (CTO, Cigital) says roughly 2% of all programmers should be software security pros, or “Builders” in our case. Gary, through a project called BSIMM, arrived at 2% by surveying dozens of software security programs among large companies and measuring what they do.Programmer Population (Worldwide): 17 million We’ll need 340,000 “Builders” © 2012 WhiteHat Security, Inc. 23
  24. 24. We’ll use a ratio of 1 “breaker” per to 100 websites. This ratio comes from internal metrics at WhiteHat Security generated from assessment conducted over the last 8 years and encompassing more than 7,000 websites.“Important” (SSL) website population: 1.2 million We’ll need 12,000 “Breakers” © 2012 WhiteHat Security, Inc. 24
  25. 25. No idea how to begin to estimate theDefender need, but it’ll be in the tens ofthousands at least. Considering the vastnumber of website assets that must beprotected, the 1 billion online users whosomeone needs to ensure are playingnice, and monitoring the serious volumeof Web traffic they generate. ? © 2012 WhiteHat Security, Inc. 25
  26. 26. OWASP Appsec Tutorial SeriesThe OWASP AppSec Tutorial Series project provides a video based means ofconveying complex application security concepts in an easily accessible andunderstandable way. Each video is approximately 5-10 minutes long and highlights oneor more specific application security concepts, tools, or methodologies. The goal of theproject is quite simple and yet quite audacious - provide top notch application securityvideo based training... for free! © 2012 WhiteHat Security, Inc. 26
  27. 27. Centralized4 Security Controls © 2012 WhiteHat Security, Inc. 27
  28. 28. Development Frameworks ESAPI is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development. © 2012 WhiteHat Security, Inc. 28
  29. 29. 5 Work Flow © 2012 WhiteHat Security, Inc. 29
  30. 30. Model an Application © 2012 WhiteHat Security, Inc. 30
  31. 31. Check againstlibrary ofsecurity taskswith rules © 2012 WhiteHat Security, Inc. 31
  32. 32. Produce tailored security tasks• Distills application security personnel expertise to developers.• Fits cleanly into development processes.• Tasks are continuously updated to keep up with new technologies & threats.• In retroactive analysis of years of penetration-testing data, following SDE would have prevented approximately 85% of secure coding weaknesses. © 2012 WhiteHat Security, Inc. 32
  33. 33. 6 Virtual-Patching © 2012 WhiteHat Security, Inc. 33
  34. 34. 8 out of 10 websites have serious* vulnerabilities (10 out of 10 if you are willing to wait long enough.)*  Serious  Vulnerability:  A  security  weakness  that  if  exploited  may  lead  to  breach  or  data  loss  of  a  system,  its  data,  or  users.  (PCI-­‐DSS  severity  HIGH,  CRITICAL,  or  URGENT) © 2012 WhiteHat Security, Inc. 34
  35. 35. Average annual amount of newserious* vulnerabilities introduced per website per year 1111 795 480 230 79 2007 2008 2009 2010 2011VulnerabiliQes  are  counted  by  unique  Web  applicaQon  and  vulnerability  class.  If  three  of  the  five  parameters  of  a  single  Web  applicaQon  (/foo/webapp.cgi)  are  vulnerable  to  SQL  InjecQon,  this  is  counted  as  3  individual  vulnerabiliQes  (e.g.  aZack  vectors). © 2012 WhiteHat Security, Inc. 35
  36. 36. Websites 676,919,707 +32.6 million since March(Producing more code / websites than the industry is able to review.) © 2012 WhiteHat Security, Inc. 36
  37. 37. SSL Websites1,200,000 © 2012 WhiteHat Security, Inc. 37
  38. 38. 1.2 million x 79 vulns per year =94,800,000 Undiscovered serious* vulnerabilities on just the SSL websites. © 2012 WhiteHat Security, Inc. 38
  39. 39. Overall Vulnerability Population (2011) Percentage breakdown of all the serious* vulnerabilities discoveredWeb Application Firewalls are bestat mitigating vulnerabilities such asCross-Site Scripting, ContentSpoofing, SQL Injection, ResponseSplitting, etc. By summing all thesepercentages up we might safely say:A WAF could feasible help mitigatethe risk of at least 71% of all customWeb application vulnerabilities. © 2012 WhiteHat Security, Inc. 39
  40. 40. 7 (Crowd-Sourcing Vulnerability Assessment) Bug Bounties © 2012 WhiteHat Security, Inc. 40
  41. 41. Websites Accepting“Security Research” $1) Paypal 12) GitHub2) Facebook 13) Constant Contact3) 37 Signals 14) Zeggio4) Salesforce 15) Simplify, LLC5) Microsoft 16) Team Unify6) Google 17) Skoodat7) Twitter 18) Relaso8) Mozilla 19) Modus CSR9) eBay 20) CloudNetz10) Adobe 21) EMPTrust11) Reddit 22) AprivaMillions of dollars to hundreds of researchers.Closed hundreds, if not thousands, of vulnerabilities.Protected hundreds of millions of users. © 2012 WhiteHat Security, Inc. 41
  42. 42. How to developsecure-(enough) software? © 2012 WhiteHat Security, Inc. 42
  43. 43. Little-to-NoSupporting Data. © 2012 WhiteHat Security, Inc. 43
  44. 44. Connect the Dots... (SDL) Production Attack Security Breaches Vulnerabilities Traffic Controls BSIMM WhiteHat Security Akamai Verizon DBIR IBM TrustwaveThen we’ll start getting some real answersabout how to product secure-enough. © 2012 WhiteHat Security, Inc. 44
  45. 45. Thank You!Blog: © 2012 WhiteHat Security, Inc. 45
  46. 46. Why do vulnerabilities go unfixed?• No one at the organization understands or is responsible for maintaining the code.• Development group does not understand or respect the vulnerability.• Lack of budget to fix the issues.• Affected code is owned by an unresponsive third-party vendor.• Website will be decommissioned or replaced “soon.”• Risk of exploitation is accepted.• Solution conflicts with business use case.• Compliance does not require fixing the issue.• Feature enhancements are prioritized ahead of security fixes. © 2012 WhiteHat Security, Inc. 46
  47. 47. Testing Speed & Frequency Matters © 2012 WhiteHat Security, Inc. 47
  48. 48. Remediation Rates by Industry (Trend) A steady improvement in the percentage of reported vulnerabilitiesthat have been resolved during each of the last four years, which now resides at 63%. Progress! © 2012 WhiteHat Security, Inc. 48