Your Application Security Initiative – Beyond Finding Vulnerabilities
Jeff Williams
CEO, Aspect Security
Chair, OWASP Foundation
[email_address]
410-707-1487
Remember the Corvair?
The Automobile Market
25 Years Ago
- Most cars were built without safety features
  - No seatbelts, airbags, crumple zones, side impact protection, etc.
- Many different forces affected the market
  - Pinto, Nader, Oil Crisis, Regulation, lots more
- Automakers include more safety features
  - Becomes a critical buying factor
  - Competitors must improve to compete
Today
- Can’t sell a car without safety
Economics
“The Market for Lemons” by George Akerlof, 1970 (Nobel Prize in Economics, 2001)
- Buyers can’t tell cherries from lemons (asymmetric information)
- Market price decreases to compensate for the risk
- Cherry owners are less inclined to sell
- Therefore, even a competitive market is filled with lemons
The Software Market
Worse than the automobile market
- Asymmetric information is carefully protected
  - Extremely difficult to analyze software (even with source)
  - Restrictive license agreements
  - Legal and regulatory restrictions on security analysts
Virtually guarantees insecure software
- If you can’t tell the difference, why pay more?
- No way to establish the benefit of secure software
- Until recently, making secure software didn’t make sense
The Market is Changing!
- Microsoft: Trustworthy Computing Initiative
- Oracle: “Unbreakable. Can’t break it, can’t break in.”
- VISA: CISP and PCI standards include the OWASP Top Ten
- General Electric: application security built into contract language; mandatory code reviews
- Constellation Energy: “Convergence” – physical, infrastructure, and application layers
Disclosure Laws Work
Recent Events
- Over 50 million SSNs (1 in 6 Americans), credit card numbers, account numbers, and driver’s license numbers stolen in the last 6 months
- ChoicePoint legal and notification costs: $11.4m for 145,000 individuals
- 2005 FBI survey shows a 588% increase in costs associated with unauthorized access and an 80% increase in Web site incidents
Government Action
- Federal government and over half the states have “breach, notify, and freeze” legislation pending
- FTC leading lawsuits against companies that fail to protect consumer data in their applications
- NIST and DISA standards now include stringent application security requirements
The Future
A proposed “Software Facts” label for an application:

Ingredients: Sun Java 1.5 runtime, Sun J2EE 1.2.2, Jakarta log4j 1.5, Jakarta Commons 2.1, Jakarta Struts 2.0, Harold XOM 1.1rc4, Hunter JDOMv1

Software Facts
Modules: 155
Modules from Libraries: 120

                                Count   % Vulnerability*
Cross Site Scripting              22        65%
  Reflected                       12
  Stored                          10
SQL Injection                      2
Buffer Overflow                    5
Total Security Mechanisms          3
  Encryption                       3
  Authentication                  15        95%
Modularity                       .035
Cyclomatic Complexity            323
Access Control                     3
Input Validation                 233
Logging                           33
Expected Number of Users          15
Typical Roles per Instance         4

* % Vulnerability values are based on typical use scenarios for this product. Your Vulnerability Values may be higher or lower depending on your software security needs:

Usage                     Intranet       Internet
Cross Site Scripting      Less Than 10   5
  Reflected               Less Than 10   5
  Stored                  Less Than 10   5
SQL Injection             Less Than 20   2
Buffer Overflow           Less Than 20   2
Security Mechanisms       10             14
Encryption                3              15
Software Security Is A Different World
Network Security
- Part of IT
- Networking experts
- Product focused
- 1000’s of copies
- Signature based
- Patch management
Software Security
- Part of business units
- Software experts
- Custom code focused
- 1 copy of software
- No signatures
- Prevent vulnerabilities
Don’t let anyone rely on network security techniques to gain software security.
Root Causes of Application Insecurity
People and Organization Examples
- Lack of training
- Responsibilities not clear
- No budget allocated
Process Examples
- Underestimated risks
- Missed requirements
- Inadequate testing and reviews
- Lack of metrics
- No detection of attacks
Technology Examples
- Lack of appropriate tools
- Lack of common infrastructure
- Configuration errors
Diagram: Custom Code (Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions) with three root causes: Untrained People and Organizational Structure Issues; Missing or Inadequate Processes; Missing or Inadequate Tools, Libraries, or Infrastructure
Targeting the Root Causes
Process Goals
- Risk Understood: security activities driven by application security risk
- Security Considered: integrated into all the activities in the SDLC
- Security Open: information about security is available and verifiable
- Flaws Identified: as quickly as possible after they are introduced
Technology Goals
- Security Tracked: within projects and across the entire organization
- Best Tools: for developing and testing the security of applications
- Standard Technology: common approach to the typical security areas
- Attacks Monitored: attacks on applications are identified and handled appropriately
People Goals
- Shared Understanding: everyone in the organization shares an understanding of app security risk levels
- Responsibility Assigned: security assigned for each project and the organization as a whole
- Support Available: for developers who need help with application security
- Developers Trained: in application security and the organization’s approach
Getting Started
- Check out some applications
  - Find out whether you’re vulnerable or not
  - Build a case for management
- Evaluate your capability
  - Assess your organization and processes
  - How will security best fit into your culture?
Key Enhancements
- Establish requirements and testing processes
  - Tailor standard requirements for each project
  - Use the OWASP Testing Guide
- Start up an application security team
  - A centralized team is key to building a capability
- Developer security training
  - Check out OWASP WebGoat
Advanced Enhancements
- Establish a global application risk register
  - Track issues, create insight
- Negotiate security in contracts
  - Use the OWASP Secure Software Contract Annex
- Build an Application Security “Brand”
  - Easy to understand labels for risk and security levels
Application Security Capacity Scorecard
Levels:
- Level 0: Ad Hoc
- Level 1: Demonstrate Need
- Level 2: Fundamentals
- Level 3: Institutionalize
- Level 4: Metrics
- Level 5: Continuous Improvement
Columns: Process, Technology, People
Activities placed in the grid: AppSec Rqmts Process, Coding Best Practices, Global Risk Register, Std. AppSec Mechanisms, AppSec Testing Process, Developer Training, Assign Responsibility, Secure Deployment, AppSec Dev. Env., Security Architecture, Risk Dashboard, Contracting Process, Form AppSec Group, Analyze Critical Apps, Evaluate Capabilities, Certification Program, Rely on Developers/Users, Establish AppSec Brands, AppSec Vuln. Analysis
OWASP Can Help
Open Web Application Security Project
- Nonprofit Foundation
- All materials available under approved open source licenses
- Dozens of projects, over 50 chapters worldwide, thousands of participants, and millions of hits a month
- OWASP is dedicated to finding and fighting the causes of insecure software
OWASP Supports Your Initiative
- OWASP Top Ten: set priorities, get management buy-in
- OWASP Guide: 300 page book for application security
- OWASP Secure Software Contract Annex: achieve meeting of the minds on application security
- OWASP Testing Guide: test/analysis methods for application security
- OWASP WebScarab: web application & web service penetration tool
Some of What You’ll Find at OWASP
Community
- Local Chapters, Translations, Conferences, Mailing Lists, Papers, and more
Documentation
- Guide, Top Ten, Testing, Legal, AppSec FAQ, and more
Tools
- WebGoat, WebScarab, Stinger, DotNet, and more
All free and open source. We encourage your company to support us by becoming a member.
Questions & Answers
