IBM Software Group

Dangerous Internet: Don't Forget the Applications

Jan Valdman, BP IBM

© 2007 IBM Corporation
IBM Software Group | Rational software



Agenda
- Web Application Security Issues
- Web Application Security Model
- Application Security and Software Development
- Application Security Maturity Model


Application Security Today
- “Web application vulnerabilities accounted for 69% of vulnerabilities disclosed between July 2005 and June 2006” (Gartner)
- “64% of developers are not confident in their ability to write secure applications” (Microsoft Developer Research)
- “70% of companies today are NOT applying secure application development techniques in their software development practices” (Aberdeen Group, May 2007)
- “90% of applications, when tested, are vulnerable” (Watchfire)


The Reality: Security and Spending Are Unbalanced
[Chart: Security (% of attacks) versus Spending (% of information security dollars)]
- Web applications: 75% of attacks, 10% of spending
- Network / server: 25% of attacks, 90% of spending
75% of all attacks on information security are directed to the Web application layer.
2/3 of all Web applications are vulnerable.
Sources: Gartner, Watchfire



Why Application Security is a High Priority
- Web applications are the #1 focus of hackers:
  - 75% of attacks are at the application layer (Gartner)
  - XSS and SQL Injection are the #1 and #2 reported vulnerabilities (Mitre)
- Most sites are vulnerable:
  - 90% of sites are vulnerable to application attacks (Watchfire)
  - 78% of easily exploitable vulnerabilities affected Web applications (Symantec)
  - 80% of organizations will experience an application security incident by 2010 (Gartner)
- Web applications are high-value targets for hackers:
  - Customer data, credit cards, ID theft, fraud, site defacement, etc.
- Compliance requirements:
  - Payment Card Industry (PCI) Standards, GLBA, HIPAA, FISMA


The Myth: “Our Site Is Safe”
- We have firewalls in place
- We audit it once a quarter with pen testers
- We use network vulnerability scanners



Network Defenses for Web Application Security
[Diagram: the network defence layers placed in front of a web application]
- Perimeter Firewall
- IDS (Intrusion Detection System)
- IPS (Intrusion Prevention System)
- App Firewall (Application Firewall)
- System Incident Event Management (SIEM)



12 Most Frequent Hacker Attacks
- Cookie Poisoning
- Hidden Field Manipulation
- Parameter Tampering
- Buffer Overflow
- Cross-site Scripting
- Backup and Debug Options
- Forceful Browsing
- HTTP Response Splitting
- Stealth Commanding
- 3rd Party Misconfiguration
- Known Vulnerabilities
- XML & Web Service Vulnerabilities
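Three of the attack classes in the list above (cookie poisoning, hidden field manipulation and parameter tampering) share one root cause: the server trusts state that the client was allowed to edit. The following is an added example, not code from the IBM deck or from AppScan, showing a minimal order handler and session cookie in their vulnerable form beside the hardened form that recomputes prices server-side, validates every parameter and authenticates the cookie with an HMAC. The catalogue, the HMAC key and the request dictionaries are constructed for the example.

```python
# Added example (not from the IBM deck): vulnerable and hardened handling of
# client-controlled state. Catalogue, key and request dicts are constructed.
import hashlib
import hmac
import re

# Constructed server-side catalogue: the only trustworthy source of prices (cents).
CATALOGUE = {"sku-100": 4999, "sku-200": 1299}

# Constructed secret; a real deployment loads this from configuration.
COOKIE_KEY = b"example-only-key-rotate-me"


def vulnerable_order_total(form):
    """Trusts the 'price' hidden field and the raw 'qty' string the client sent.
    A client that edits the hidden field pays whatever it likes."""
    return int(form["price"]) * int(form["qty"])


def hardened_order_total(form):
    """Recomputes the total from server-side data and validates every
    client-supplied parameter before it is used."""
    sku = form.get("sku")
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    qty_raw = str(form.get("qty", ""))
    # Positive ASCII integer of at most three digits; rejects '-1', '', '1e9', '²'.
    if not re.fullmatch(r"[1-9][0-9]{0,2}", qty_raw):
        raise ValueError("qty must be a positive integer")
    qty = int(qty_raw)
    if qty > 100:
        raise ValueError("qty out of range")
    # Any 'price' field in the form is ignored; the catalogue decides.
    return CATALOGUE[sku] * qty


def make_session_cookie(user, role):
    """Cookie value 'user:role:mac', mac = HMAC-SHA256 over 'user:role'."""
    payload = f"{user}:{role}"
    mac = hmac.new(COOKIE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def vulnerable_role_from_cookie(cookie):
    """Believes whatever role the cookie claims (cookie poisoning)."""
    return cookie.split(":")[1]


def hardened_role_from_cookie(cookie):
    """Returns the role only if the MAC verifies; None for any tampered
    or malformed cookie."""
    try:
        user, role, mac = cookie.split(":")
    except ValueError:
        return None
    expected = hmac.new(COOKIE_KEY, f"{user}:{role}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    return role


if __name__ == "__main__":
    tampered_form = {"sku": "sku-100", "price": "1", "qty": "2"}
    print("vulnerable total:", vulnerable_order_total(tampered_form))
    print("hardened total:", hardened_order_total(tampered_form))
    cookie = make_session_cookie("alice", "user")
    poisoned = cookie.replace(":user:", ":admin:")
    print("vulnerable role:", vulnerable_role_from_cookie(poisoned))
    print("hardened role:", hardened_role_from_cookie(poisoned))
```

The hardened handler never reads the price from the request at all, which is the general rule for hidden fields: anything the server already knows should be looked up, not round-tripped through the client. The cookie check uses `hmac.compare_digest` so that a forged MAC cannot be distinguished from a valid one by timing.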


Going Beyond Pointing out Security Problems



Web Application Environment Security
[Diagram: the layers of a web application environment and the scanner class that covers each]
- Web Application and Web Services: Web Application Scanners
- Web Server
- Database: Database Scanners
- Operating System: Host Scanners
- Network: Network Scanners

Network vs. Application Security: Complementary
[Diagram: Info Security Landscape]
- Desktop: Antivirus protection
- Transport: Encryption (SSL)
- Network: Firewalls / advanced routers
- Web Applications: Web servers, application servers, backend servers, databases (behind the firewall)
Network and application security solutions address different problems: ISS covers the desktop, transport and network columns; Rational AppScan covers the web application column.



High Level Web App. Architecture Review
[Diagram: request path from browser to database]
- Client Tier (Browser) -> Internet -> SSL (protects transport) -> Firewall (protects network)
- Middle Tier: App Server (Presentation, Business Logic); the customer app is deployed here
- Data Tier: Database; sensitive data is stored here



Why Application Security Problems Exist
- Root Cause
  - Developers are not trained to write or test for secure code
  - Firewalls and IPSs don't block application attacks: port 80 is wide open for attack
  - Network scanners (Nessus, ISS, Qualys, Nmap, etc.) won't find application vulnerabilities
  - Network security (firewall, IDS, etc.) does nothing once an organization web-enables an application
- Current State
  - Organizations test tactically, at a late and costly stage in the development process
  - A communication gap exists between security and development, so vulnerabilities are not fixed
  - Testing coverage is incomplete



Application Security Threats

Building Security & Compliance into the SDLC
[Diagram: SDLC stages Coding -> Build -> QA -> Security -> Production]
- Coding, Build, QA (Developers): provides developers and testers with expertise on detection and remediation ability
- Security: enable Security to effectively drive remediation into development
- Production: ensure vulnerabilities are addressed before applications are put into production



Application Security Maturity Model
[Chart: maturity versus time; duration 2-3 years]
- Blissful Ignorance: 30%
- Awareness Phase: 30%
- Corrective Phase: 30%
- Operations Excellence Phase: 10%

Reduced Costs, Increased Coverage
[Chart: cost per application tested versus application coverage (0% to 100%)]
- External Security: highest cost per application, lowest coverage
- Internal Tactical: intermediate cost and coverage
- Strategic Operationalized: lowest cost per application, highest coverage



IBM Rational Application Security Testing Products
AppScan Enterprise: Web Application Security Testing Across the SDLC
- Application Development: test applications as developed
- Quality Assurance: test applications as part of the QA process
- Security Audit: test applications before deployment
- Production Monitoring: monitor or re-audit deployed applications

Backup Slides



IBM Rational in the IBM Security Portfolio
[Diagram: Assess -> Defend -> Access -> Monitor cycle]
1 – Where are you? (Assess): understand customer security needs and security exposures
2 – Keep the bad guys OUT! (Defend): preemptively protect the enterprise against threats to the infrastructure, confidential data and services; Watchfire Solutions
3 – Let the good guys IN! (Access): manage and control user identities and access privileges
4 – Monitor and fix! (Monitor): centrally manage security events, report on security posture, remediate; Watchfire Solutions



Bad Press Decreases Shareholder Value
[Chart: one-day market cap drop of $200M]



Build Better and More Secure Applications/Websites
- Improve business integrity before you go live
  - Address security issues during the development cycle, before applications go live, where business risk is magnified and remediation costs are high.
- Reduce application costs by automating manual processes
  - Automate accurate detection of vulnerability and compliance issues, and their remediation, throughout the entire web application lifecycle, from development into operations.
- Comply with government regulations and industry security requirements
  - Incorporates the most comprehensive compliance reporting solution, which generates 41 out-of-the-box regulatory compliance templates and reports
- Provide a ‘core to perimeter’ view into enterprise security
  - Add web-application security and compliance testing to network-level offerings

IBM Rational AppScan® automates web application security audits to help ensure the security and compliance of web applications.



IBM Rational AppScan Vulnerability Detection
AppScan runs the following simulated hacker attacks:
- cross-site scripting
- HTTP response splitting
- parameter tampering
- hidden field manipulation
- backdoor/debug options
- stealth commanding
- forceful browsing
- application buffer overflow
- cookie poisoning
- third-party misconfiguration
- known vulnerabilities
- HTTP attacks
- SQL injections
- suspicious content
- XML/SOAP tests
- content spoofing
- Lightweight Directory Access Protocol (LDAP) injection
- XPath injection
- session fixation
