7 Ways to Scale Web Security (SANS AppSec Summit 2012)

7 Ways to Scale Web Security
Jeremiah Grossman
Founder & Chief Technology Officer

SANS AppSec Summit
04.30.2012

© 2012 WhiteHat Security, Inc. 1

Jeremiah Grossman
ØFounder & CTO of WhiteHat Security
Ø6-Continent Public Speaker
ØTED Alumni
ØAn InfoWorld Top 25 CTO
ØCo-founder of the Web Application Security Consortium
ØCo-author: Cross-Site Scripting Attacks
ØFormer Yahoo! information security officer
ØBrazilian Jiu-Jitsu Black Belt


WhiteHat Security : Company Overview
ØHeadquartered in Santa Clara, CA
ØWhiteHat Sentinel – SaaS end-to-end website risk
management platform
ØEmployees: 170+
ØCustomers: 500+

Cool Vendor

The FutureNow List

© 2012 WhiteHat Security, Inc.

We shop, bank, pay bills, file taxes,
share photos, keep in touch with
friends & family, watch movies, play
games, and more.

Cyber-war Cyber-crime Hacktivism

PwC Survey:
“Cybercrime is now the second biggest cause of economic
crime experienced by the Financial Services sector.”

Website Hacked


Verizon Data Breach Investigations Report:

2010 DBIR:
“The majority of breaches and almost all of the data stolen
in 2009 (95%) were perpetrated by remote organized
criminal groups hacking "servers and applications."

2011 DBIR:
“The number of Web application breaches increased last year
and made up nearly 40% of the overall attacks.“

2012 DBIR:
“Web applications abound in many larger companies, and
remain a popular (54% of breaches) and successful (39% of
records) attack vector.”


855 incidents, 174 million compromised records


(Name of the Game)

SCALABILITY
“An algorithm, design, networking protocol,
program, or other system is said to scale, if it is
suitably efficient and practical when applied to
large situations (e.g. a large input data set, a
large number of outputs or users, or a large
number of participating nodes in the case of a
distributed system). If the design or system fails
when a quantity increases, it does not scale.”


People Process
SCALE

Technology

• People: Cognitive ability, operate and interpret technology results
• Process: Organize and make efficient use of resources
• Technology: To scale the people and the process

3 Hard Facts About Technology
1) Technology is incapable of eliminating the need for
people in any aspect of application security. This includes
source code reviews, penetration testing, threat
modeling, architectural review, development, etc.

2) Without technology there is far too much work than could
ever be completed manually by the number of people
available, even if monetary costs were not an issue.

3) The best technology can offer is increasing efficiency and
reducing the quantity and skill level of the people
necessary to complete a given process.


WhiteHat Sentinel – Assessment Platform
• Software-as-a-Service
• Annual Per Website Subscription
• Unlimited Assessments / Users
500+
enterprises from start-ups to fortune 500
1,000,000
vulnerabilities processed per day
6 Terabytes
data stored per day
7,000+
websites receiving ~weekly assessments
940,000,000
HTTP(s) requests per month

© 2012 WhiteHat Security, Inc.

7,000+ Customer Websites

https://blog.whitehatsec.com/our-process-how-we-do-what-we-do-and-why/


1 Game-ification


Elevation of Privilege (EoP)
Card Game
Elevation of Privilege (EoP) is the easy way to get started
threat modeling, which is a core component of the design
phase in the Microsoft Security Development Lifecycle (SDL).

The EoP card game helps clarify the details of threat
modeling and examines possible threats to software and
computer systems.

The EoP game focuses on the following threats:
• Spoofing
• Tampering
• Repudiation
• Information Disclosure
• Denial of Service
• Elevation of Privilege

EoP uses a simple point system that allows you to challenge
other developers and become your opponent's biggest threat. http://www.microsoft.com/security/sdl/adopt/eop.aspx


Capture
the
Flag


2
(Security Scorecards)

Peer Pressure


Publish Scorecards Internally &
Regularly -- For All To See
Avg.

High
Severity
Remedia5on
Window
of
Exposure

Group Time-‐to-‐Fix

Vulnerabili5es Rate (Days)
(Days)

2012
Corporate
Goal 20 30 75% 100

Industry
Average 55 32 63% 223

Business
Unit
1 17 45 74% 195

Business
Unit
2 53 30 46% 161

Business
Unit
3 67 66 63% 237

Business
Unit
4 48 35 69% 232


Computer-Based
3 Training (CBT)


The biggest problem in
application security today:
The huge shortage of qualified
application security people.


Gary McGraw (CTO, Cigital) says roughly
2% of all programmers should be software
security pros, or “Builders” in our case.
Gary, through a project called BSIMM,
arrived at 2% by surveying dozens of
software security programs among large
companies and measuring what they do.

Programmer Population (Worldwide): 17 million

We’ll need 340,000 “Builders”


We’ll use a ratio of 1 “breaker” per to 100
websites. This ratio comes from internal
metrics at WhiteHat Security generated
from assessment conducted over the last 8
years and encompassing more than 7,000
websites.

“Important” (SSL) website population: 1.2 million

We’ll need 12,000 “Breakers”


No idea how to begin to estimate the
Defender need, but it’ll be in the tens of
thousands at least. Considering the vast
number of website assets that must be
protected, the 1 billion online users who
someone needs to ensure are playing
nice, and monitoring the serious volume
of Web traffic they generate.

? © 2012 WhiteHat Security, Inc. 25

OWASP Appsec Tutorial Series

The OWASP AppSec Tutorial Series project provides a video based means of
conveying complex application security concepts in an easily accessible and
understandable way. Each video is approximately 5-10 minutes long and highlights one
or more specific application security concepts, tools, or methodologies. The goal of the
project is quite simple and yet quite audacious - provide top notch application security
video based training... for free!
https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series


Centralized
4 Security Controls


Development Frameworks

ESAPI is a free, open source, web application security control library that
makes it easier for programmers to write lower-risk applications. The
ESAPI libraries are designed to make it easier for programmers to retrofit
security into existing applications. The ESAPI libraries also serve as a
solid foundation for new development.
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API


5 Work Flow


Model an Application

http://sdelements.com/


Check against
library of
security tasks
with rules


Produce tailored security tasks

• Distills application security personnel expertise to developers.
• Fits cleanly into development processes.
• Tasks are continuously updated to keep up with new technologies & threats.
• In retroactive analysis of years of penetration-testing data, following SDE would
have prevented approximately 85% of secure coding weaknesses.


6 Virtual-Patching


8 out of 10 websites have
serious* vulnerabilities
(10 out of 10 if you are willing to wait long enough.)

*
Serious
Vulnerability:
A
security
weakness
that
if
exploited
may
lead
to
breach
or
data
loss
of
a

system,
its
data,
or
users.
(PCI-‐DSS
severity
HIGH,
CRITICAL,
or
URGENT)
http://news.netcraft.com/archives/2012/04/04/april-2012-web-server-survey.html


Average annual amount of new
serious* vulnerabilities introduced per
website per year

1111 795 480 230 79

2007 2008 2009 2010 2011

VulnerabiliQes
are
counted
by
unique
Web
applicaQon
and
vulnerability
class.
If
three
of
the
ﬁve

parameters
of
a
single
Web
applicaQon
(/foo/webapp.cgi)
are
vulnerable
to
SQL
InjecQon,
this
is

counted
as
3
individual
vulnerabiliQes
(e.g.
aZack
vectors).

Websites

676,919,707
+32.6 million since March
(Producing more code / websites than the industry is able to review.)

http://news.netcraft.com/archives/2012/04/04/april-2012-web-server-survey.html


SSL Websites

1,200,000

1.2 million x 79 vulns per year =

94,800,000
Undiscovered serious* vulnerabilities
on just the SSL websites.


Overall Vulnerability Population (2011)
Percentage breakdown of all the serious* vulnerabilities discovered

Web Application Firewalls are best
at mitigating vulnerabilities such as
Cross-Site Scripting, Content
Spoofing, SQL Injection, Response
Splitting, etc. By summing all these
percentages up we might safely say:

A WAF could feasible help mitigate
the risk of at least 71% of all custom
Web application vulnerabilities.


7
(Crowd-Sourcing Vulnerability Assessment)

Bug Bounties


Websites Accepting
“Security Research” $
1) Paypal 12) GitHub
2) Facebook 13) Constant Contact
3) 37 Signals 14) Zeggio
4) Salesforce 15) Simplify, LLC
5) Microsoft 16) Team Unify
6) Google 17) Skoodat
7) Twitter 18) Relaso
8) Mozilla 19) Modus CSR
9) eBay 20) CloudNetz
10) Adobe 21) EMPTrust
11) Reddit 22) Apriva

Millions of dollars to hundreds of researchers.
Closed hundreds, if not thousands, of vulnerabilities.
Protected hundreds of millions of users.
http://dankaminsky.com/2012/02/26/review/


How to develop
secure-(enough) software?


Little-to-No
Supporting Data.


Connect the Dots...

(SDL)
Production Attack
Security Breaches
Vulnerabilities Traffic
Controls

BSIMM WhiteHat Security Akamai Verizon DBIR
IBM Trustwave

Then we’ll start getting some real answers
about how to product secure-enough.


Thank You!
Blog: http://blog.whitehatsec.com/
Twitter: http://twitter.com/jeremiahg
Email: jeremiah@whitehatsec.com


Why do vulnerabilities go unfixed?
• No one at the organization understands or is responsible for
maintaining the code.
• Development group does not understand or respect the vulnerability.
• Lack of budget to fix the issues.
• Affected code is owned by an unresponsive third-party vendor.
• Website will be decommissioned or replaced “soon.”
• Risk of exploitation is accepted.
• Solution conflicts with business use case.
• Compliance does not require fixing the issue.
• Feature enhancements are prioritized ahead of security fixes.


Testing Speed & Frequency Matters


Remediation Rates by Industry (Trend)

A steady improvement in the percentage of reported vulnerabilities
that have been resolved during each of the last four years, which now
resides at 63%. Progress!

7 Ways to Scale Web Security (SANS AppSec Summit 2012)

7 Ways to Scale Web Security (SANS AppSec Summit 2012)

Recommended

More Related Content

More from Jeremiah Grossman

More from Jeremiah Grossman(20)

Recently uploaded

Recently uploaded(20)

7 Ways to Scale Web Security (SANS AppSec Summit 2012)