1 / 41

Web Application Security Strategy – Getting it Right!

K. K. Mookhey Rohit Salecha Director Security Analyst Network Intelligence India Pvt. Ltd. kkmookhey@niiconsulting.com Rohit.salecha@niiconsulting.com. Web Application Security Strategy – Getting it Right!. 30 Aug 2013. Research Background & Objectives Appsec Initiatives – Options

Download Presentation

Web Application Security Strategy – Getting it Right!

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. K. K. Mookhey Rohit Salecha Director Security Analyst Network Intelligence India Pvt. Ltd. kkmookhey@niiconsulting.com Rohit.salecha@niiconsulting.com Web Application Security Strategy – Getting it Right! 30 Aug 2013

  2. Research Background & Objectives Appsec Initiatives – Options Case Studies Lessons Learnt Way Forward Agenda

  3. WAS Global StatisticsAKAStandard FUD slides

  4. Vulnerability Population Trends for 2011-2012 as stated by Cenzic – 26% rise since 2011 WAS Global Statistics Source: http://info.cenzic.com/rs/cenzic/images/Cenzic-Application-Vulnerability-Trends-Report-2013.pdf

  5. Ponemon Application Security Report

  6. Existing Studies/Reports • WhiteHat Security – Annual Website Security Statistics Report • https://www.whitehatsec.com/assets/WPstatsReport_052013.pdf • Coverity – Software Security Risk Report • http://www.coverity.com/library/pdf/the-software-security-risk-report.pdf • Cenzic Application Vulnerability Trends Report • https://info.cenzic.com/2013-Application-Security-Trends-Report.html • Ponemon Application Security Report • https://www.barracuda.com/docs/white_papers/barracuda_web_app_firewall_wp_cenzic_exec_summary.pdf • OWASP Guide for CISOs • https://www.owasp.org/index.php/Application_Security_Guide_For_CISOs

  7. Outcomes “The results were both stunning and deeply puzzling. The connections between various software security controls and SDLC behaviors and the vulnerability outcomes and breaches is far more complicated than we ever imagined.” “The question we were left with is: Why do we see such widely disparate answers in the exact same industries? How do some organizations effectively manage their change control policies and regulatory obligations so as not to be slowed down while others are severely challenged?” Again, perhaps what works is a combination of factors. Perhaps that factor is the amount of pre-production security testing

  8. One size does not fit all! • Surveys/Reports cover organizations across industries • Do not take into account nature of the organization’s current web app situation – vendor, in-house, legacy, COTSE, etc. • Do not take into account current level of maturity • Try to draw general conclusions from average/sum of all data

  9. Appsec Options

  10. Annual PT On-going Assessments Source Code Reviews Secure Coding Training Secure Coding Guidelines Web Application Firewall Security Scanning Tool Application Security Framework Security Design Review Appsec Program – Options

  11. What should we invest in? What works and what doesn’t? In what sequence? What is likely to give the most ROI in terms of significant improvements? Challenges with these initiatives – how to get them right? Burning questions

  12.  Case studies A popular dotcom

  13. Working with them since 2004 Annual Grey-box Testing No secure coding guidelines No on-going Appsecreviews Just recently procured a WAF Background

  14. Statistics – Number of Vulnerabilities The # of vulnerabilities have gone up between 2012 and 2013

  15. Statistics – Type of Vulnerabilities The # of Business Logic Issues have gone up between 2012 and 2013

  16. Lots of new code going live every day. Multiple releases per day vs. one release per week previously Pen-testing skills have improved More scope for testing – lot more functionality on the sites Increase in business-logic issues – as we have thoroughly understood their workings now Analysis

  17.  Case studies A BFSI Client

  18. BFSI Company Used to get periodic penetration tests done Contracted us in 2011 to do on-going appsec testing We did 1 round of secure coding training as well We work closely with their development teams to help address the issue Development teams are largely outsourced – though many working onsite Background

  19. Statistics The # of vulnerabilities goes up and down – no significant trends emerge! Why?

  20. High turnover in the developer teams Lessons imparted via training or daily interactions become useless due to the above Reduction seen where metrics being used to penalize vendors Source Code Review is effective but has inherent challenges Analysis

  21.  Case studies A Financial Products IT Company

  22. Financial Products Company Used to get annual penetration tests done Implemented SCR solution in 2011 We did 1 round of training on secure coding Secure coding guidelines also developed Development done largely by internal teams Background

  23. Statistics The # of vulnerabilities going down Why?

  24. Low turnover in developer team Team leads have been with them since past 6-7 years SCR tool faced lot of resistance, but gradually acceptability has grown Developers have written custom sanitization functions and configured these in SCR No code is uploaded without running it through SCR Lessons learnt from pen-tests have also been incorporated into secure coding guidelines Analysis

  25. SCR Tool • Challenges • Does not identify business logic issues • Large number of false positives • “60,000 vulnerable lines, 2nd - 25,000, 3rd - 18,000, 4th - 13,000.” • May not support your coding platform • Not able to handle large codebases • Positives • Can scan incrementally • Allows custom sanitization functions to be configured • Allows false positives to be marked • Exports data into Excel for easy tracking • Has extensive knowledge base • Pin-points exact location

  26.  Case studies A Telco

  27. Large Telco On-going Appsecassessments On-going SCR Periodic penetration tests Development done by vendors WAF Implemented since a year, but… Background

  28. Statistics The # of vulnerabilities are stable – no significant trends emerge! Why? Note, this is a vulnerability tracker, so issues are open issues, not rediscovered issues

  29. Vendor delays in fixing the issues Multiple reassessments leads to the issues remaining open and overlapped in subsequent assessments High level of exposure on the Internet Multiple approaches adopted and strong focus on appsec in recent times WAF implementation remains a challenge Analysis

  30. WAF Challenges

  31. WAF Right Approach • Understanding of the Applications that will be integrated with WAF • Enabling the right security policies for the application • Testing the alerts and violations for identifying the false positives • Involvement of the development team to verify on the URL’s learnt, alerts, violations, update on the mitigation, update on application changes and broken links & references

  32. WAF Implementation Mistakes • Not changing the default error page of WAF • Not informing about the changes that happen in the application code • Not checking the broken link and broken references • Not fine-tuning the web directory and Web URL’s • Keeping the WAF in the Monitoring Mode, without defined plan for migration to Block Mode.

  33. Summary of the Options Exercised

  34. So… Where do we go now?

  35. Strategic Options / 1 • If you have all your development done in-house • If your team is relatively stable • Then: • Embed security into the SDLC by beginning with on-going assessments • Source code reviews • Have someone manage the SCR Tool output • Training • Development of secure coding guidelines • Development/Embedding of a security framework

  36. Strategic Options / 2 • If you have many complex, heterogeneous systems, some from vendors, some in-house • Then • Same strategy as #1, plus… • Strong vendor management processes for meeting security objectives • WAF

  37. Strategic Options / 3 • If all your applications are from vendors • And if you have limited budgets • On-going assessments • But eventually…

  38. Strategic Options / 4 • If you are a vendor • Then: • Do everything! Seriously, is that even a question? • Pre-hiring checks • Training – after hiring and periodically thereafter • Secure coding guidelines • Security frameworks • Threat modeling • Grey-box assessments • Source code reviews – embed SCR into IDE • Include # of security bugs in developer appraisals • Incentivize security innovation • Internal & external marketing, nay, evangelism!

  39. Common Elements of any Strategy • Management Commitment • Prioritized Approach • Measurement & Metrics • # of issues per application – trend over time • # of issues by vendor • Time taken to fix issues • # of issues by source (grey-box, external PT, source code review, etc.) • See what works and what doesn’t for your organization • Vendor Management • SLAs for fixing security bugs • Service credits for bugs found • Enforcing security assessments by the vendor • Enforcing adoption of SDL by the vendor

  40. Outsource vs. In-house Security Assessment Legacy Apps – Orphaned Level of enforcement at the vendor’s end Procure tool vs. Security as a Service Business Logic Issues Bug Bounty Program Open Questions…

  41. Thank You!Take the Survey!http://niiconsulting.com/surveys/wass/index.php Any Questions?

More Related