1. Building Secure Web Applications In a Cloud Services Environment Misha Logvinov Alex Bello IronKey, Inc. July 1, 2010
2.
3.
4.
5.
6.
7.
8. Recent breaches December 2009 SQL injection vulnerability, no encryption of critical data, insufficient security monitoring, poor handling of disclosure Consequences PR nightmare Class-action lawsuit
9. Recent breaches April 2010 Insufficient security testing and monitoring Consequences PR nightmare
10. Recent breaches June 2010 Personally Identifiable Information was displayed without proper authentication, insufficient output monitoring, “great” exploit timing Consequences PR nightmare Security researcher gets arrested on drug charges
There are fewer attacks on the network layer. Based on our experience from talking with various IDS/IPS vendors, there is a growing need for hybrid web app security solutions that cover both network and app layers According to a recent VeriSign research, average price for renting a botnet is only $9 per hour
Who knows how many successful attacks will never be known
Security framework: Most of the existing framework methodologies are still getting worked on and improved, good examples to follow would be BSIMM and OWASP SAMM Incident response: Create a cross-functional body for reporting and managing security events (e.g. SIRT)
Threat model: entry & exit points of the app, threat scenarios, dataflow
Manual testing compliments automated testing. Detect logic flaws through manual testing since they are not easily detected by automated testing. Choose automated tools that work best with your application technology
Validating input/output: Do not trust your own requests (CSRF and click jacking)
From Alex’s SANS preso: Invest in security training and certification Integrate security into SDLC in phases Never trust input, validate all input/output Strong encryption of sensitive data and key management Strong access controls and hardening Stay on top of vulnerabilities and keep your networks, servers, applications up to date