The webinar on web application security strategies will begin at 9am PT / Noon ET. It will feature Andy Hoernecke from Neohapsis who will present on web application scanning strengths, weaknesses, and how scanning fits into the secure development lifecycle. The webinar will include an introduction, presentation, and question and answer session.

1. The webinar
will begin at 9am PT /
Noon ET
Webinar: Strategies for Web Application Security
Featuring:
Andy Hoernecke Turn up the speakers on your computer
Sr. Application Security Consultant for streamed audio or dial in to:
Neohapsis – U.S.: (888) 669-5051
– International: (303) 330-0440 (Room:
David McKenzie *8886695051#)
Sr. Director Business Consulting
OpSource
© 2010 OpSource, Inc. All rights reserved.

2. Agenda
• Housekeeping
• Intro to OpSource
• Featured Presentation by Neohapsis
• Q&A Session
© 2010 OpSource, Inc. All rights reserved.

3. Welcome!
• Moderating: Dave McKenzie, Sr. Director Business Consulting, OpSource
• All phones are set on mute
• If you have a question, please use the Chat Q&A box located below the
presentation panel
• We will collect questions throughout the webinar and answer as many as
we can at the end
• If we don’t answer your question, we’ll follow-up with an answer via email
• Full-screen button will let you toggle between a larger image view and the
view with Q&A box to type in questions – you can use it throughout the
webinar
© 2010 OpSource, Inc. All rights reserved.

4. OpSource: Enterprise Cloud and Managed Hosting
• OpSource provides Enterprise Cloud
and Managed Hosting Services
• Solutions for SaaS, Enterprise, Telecoms
and Cloud Platforms
• Investors: Crosslink Ventures, Velocity Founded in 2002
Interactive Group, Intel and NTT
• Offices: Santa Clara, CA (HQ); Herndon, VA; Dublin, London, Bangalore
• Unmatched Industry Experience
– SaaS Hosting and Scaling Software-Oriented Architectures (SOA)
– High Performance, Secure Cloud Computing
© 2010 OpSource, Inc. All rights reserved.

5. OpSource Serves 600+ Clients with Millions of End-Users
SaaS & Managed Hosting Hybrid Hosting Cloud Hosting
© 2010 OpSource, Inc. All rights reserved.

6. OpSource Partner Ecosystem
Telecom Distribution Consulting Cloud Platform Infrastructure
© 2010 OpSource, Inc. All rights reserved.

7. Andy Hoernecke, Sr. Application Security Consultant,
Neohapsis
• Sr. Application Security Consultant
• Graduate of Iowa State University with a Master's degree in
Information Assurance and Computer Engineering.
• Performs a variety of assessments including penetration tests,
blackbox / whitebox assessment, SDLC review, and security tool
implementation
• Industries Served include Federal/Local Government, Financial
Services, Entertainment, Manufacturing, Retail, and Internet
Service Providers
© 2010 OpSource, Inc. All rights reserved.

8. Strategies for Web Application Security
Andy Hoernecke
Sr. Application Security Consultant
April 13th, 2011

9. Agenda
Background
Tool Introduction
Web Application Scanning Strengths/Weaknesses
Where Scanning Makes Sense
SDL Integration
Supplemental Security Measures
9 Neohapsis Confidential

10. Background
~96% of records breached involved “hacking” or
malware
~92% of records stolen through “hacking” involved a web
application
Most commonly exploited web application vulnerabilities
include:
SQL Injection
Brute Force Attacks
OS Commanding
Default/Guessable Credentials
Cross-Site Scripting
Source: 2010 Data Breach Investigations Report, Verizon Business Risk Team
10 Neohapsis Confidential

11. Tool Introduction-Dynamic Analysis
Tests running web applications by making requests as a
normal user would
Examples:
IBM AppScan
HP WebInspect
WhiteHat
Scanning phases generally include
Spidering
Fault Injection
Analysis
11 Neohapsis Confidential

12. Tool Introduction-Static Analysis
Tests through the analysis of source or object code
Examples:
Fortify
Veracode
Capabilities vary greatly
May require compilable code
May only handle certain languages
Not currently as widely adopted
12 Neohapsis Confidential

13. Dynamic Analysis Strengths
Performing tedious tests (Fuzzing)
XSS
File Path manipulation
SSL issues
Signature Based Tests
Known vulnerabilities in common applications
Sensitive Information Checks
Default files/scripts
Certain types of information disclosure (internal IP addresses)
Configuration Issues
Parameter based fault injection
13 Neohapsis Confidential

14. Dynamic Analysis Weaknesses
Logic Bugs
Example: Negative Pricing/Quantity
Authentication Issues
SSO Related
Authorization Problems
User Role Enforcement
Forced Browsing
Vulnerabilities part of complex/multi-step processes
Identifying discrete pages in “rewritten URLs”
Results can vary greatly based on configuration and
scanner in use
14 Neohapsis Confidential

15. Percent Vulnerabilities Identified
Source: Suto, Larry. "Analyzing the Accuracy and Time Costs of Web Application Security Scanners." (2001)
15 Neohapsis Confidential

16. Experience Needed
Web application scanners are not like antivirus tools
Most will require tuning and customization to get good results
Login and session management can often cause problems
There WILL be false positives
Tuning and interpretation of results requires application
security knowledge
Unlikely that canned reports can be handed off to average
developers without some additional explanation
16 Neohapsis Confidential

17. Where Scanning Makes Sense
Application Scanning is a piece of the overall SDL
Most standard web applications using HTTP/HTTPS
Modern scanners provide decent JavaScript parsing
Mostly platform/language independent
As the first stage of a manual assessment
17 Neohapsis Confidential

18. Where Scanning Makes Doesn’t Sense
Applications heavily reliant on client side code
Non-HTTP applications
CORBA
RMI
Proprietary protocols
Results could be limited for:
Web Services/SOAP APIs
Very AJAX intensive applications
Other client-side technologies
Flash
Silverlight
Completely static sites
18 Neohapsis Confidential

19. Application Scanning and SDL
Web application scanners are valuable as part of the Secure
Development Lifecycle
Variables include:
How frequently to scan
Dependent on several factors:
Application/Data sensitivity
Development Cycle
Business Criticality
Available Resources
Which environments to scan?
Production
Generally the most important code base to be secure
Requires the most care as outages are generally not well received
QA, Staging, Development
Good to catch vulnerabilities before rolled into production
Many development groups have hands full fixing issues in production
19 Neohapsis Confidential

20. Application Scanning and SDL
Dynamic scanning has
limitations
Won’t be able to find
everything a code review
could find
Can provide finding
relatively quickly and help
focus on potentially
insecure areas of an
application
20 Neohapsis Confidential

21. Supplementing Application Scanning
Periodic manual testing for sensitive applications
Blackbox, Greybox, Whitebox
May be targeted to certain functionality
Standard IT best practices
Separation of duties
Defense in depth
Working in security during earlier development phases
Security requirements
Architecture review
Developer security training/awareness
21 Neohapsis Confidential

22. Questions & Answers / Contact Info
Q&A
Type your questions into the chat box below the presentation panel
Contact OpSource:
Dave McKenzie – david@opsource.net
Sales Inquiries – sales@opsource.net or 800-664-9973
Recorded webinar and slides will be posted within 48 hours on the
OpSource website.
© 2010 OpSource, Inc. All rights reserved.