
Can Behavioral-based Technology Benefit the Secure Software Development Life Cycle?


Presentation Transcript


  1. Can Behavioral-based Technology Benefit the Secure Software Development Life Cycle? Speaker: Bob DeWolfe Title: Core Security Evangelist Company: DB Networks

  2. Agenda
  • Problem: SQL Injection
  • Who’s watching “The Core”?
  • Can “behavioral-based” technology show you what is happening in The Core?
  • Can this technology help AppSec identify vulnerabilities/malicious activities in The Core?

  3. SQL Injection Hall of Shame (# of Records or $ Loss), 2007-2013 (chart of breaches per year giving record counts or dollar losses, annotated “Getting worse”): http://codecurmudgeon.com/wp/sql-injection-hall-of-shame/

  4. Current News … Teen Hackers … $100M

  5. Current News … Target … 40M CC … 70M PII

  6. Current News… JP Morgan Chase

  7. 2009 - 2012 … $300M + 160M CC; NASDAQ, JCP, Discover, Heartland, Hannaford

  8. How often do breaches get reported in the press? 10% of the time? 1% of the time? 0.1% of the time? 0.01 % of the time? Of those, how often is the exploit reported? 10% of the time? 1% of the time? 0.1% of the time? 0.01 % of the time? You do the math

  9. All while growing in importance and flashing red on our dashboards

  10. Independent research confirms threat level, pervasiveness, and growth Sample Size = 50 organizations; 63,000 incidents; 1367 confirmed breaches

  11. Independent research confirms threat level, pervasiveness, and growth (April 2014) Sample Size = 595 respondents; Copies available

  12. Independent research confirms threat level, pervasiveness, and growth (April 2014)

  13. How can this be happening 15 years later?
  • Inadequate investment in perimeter security (IDS/IPS, WAF)?
    • Nope. That has consumed the vast majority of IT security spending for over 25 years.
  • Poor Secure Coding?
    • Nope. I’m personally familiar with the AppSec & developer focused preventive technologies and education programs at JPMC, Target, and NASDAQ BEFORE the breaches.
  • Lacking Real Time Pre-Production Detective Solutions?
    • Nope. These organizations have invested heavily in DAST and Penetration Testing and have worked hard to feed these solutions with SAST findings.

  14. How can this be happening 15 years later? There is no Silver Bullet for completely preventing Core Network Security breaches … including SQL and LDAP Injection.

  15. How can this be happening 15 years later?
  • But aren’t these infallible against SQL Injection?
    • Stored Procedures
      • Nope: Dynamic SQL with Execute Immediate
    • Parameterized Queries
      • Nope: Inadequately coded (not fully bound)
      • Nope: Need for SQL keywords, table names, column names
      • Nope: Ad-hoc / Dynamic SQL requirement / too many combinations
    • Escaping Input
      • Nope: Integer-based SQL Injection
    • What about LDAP? JNDI?

  16. How can this be happening 15 years later?
  • But my organization uses (false negatives listed):
    • SAST
      • Broken Dataflow Analysis; Missing Code; Improper Criticality; Missing Custom Rules; etc.
    • DAST / Penetration Testing
      • Blind SQL Injection; Unknown Attack Surface; Missing Workflow Macros; Insufficient Authentication Credentials; Web Services; etc.
    • WAFs
      • YouTube: “WAF Bypass”; Character Encodings; Infinite # of Signatures Needed due to SQL Language Options; SSL/TLS
    • Secure Coding initiatives
      • Competing priorities; Differing education levels; Gaps on prior slide
  • Lots of slides / data to support this … come talk to me

  17. How can this be happening 15 years later?
  • Still not convinced? How about:
    • COTS / 3rd Party Components, Libraries, Applications
    • Apps without Funding for Enhancement / Remediation
    • Apps without Source Code for Remediation
    • App Dev groups that don’t see the priority
    • Any App you can’t securely code

  18. What to do? Continue using education, people, process, and technology to prevent and identify vulnerabilities + Monitor your Production Core Network

  19. Core Network Monitoring
  • If there is no Silver Bullet and all of the techniques we’ve used for the past 15 years have gotten us to this point, we need to be monitoring our Production Core Network (DB, LDAP, etc.) and acting in Real Time to thwart attackers before they get a foothold.
  • Blacklist? Nope … easily circumvented (just like WAFs are)
  • Whitelist? Nope … impossible to maintain / blocks legit App requests
  • Signatures? Nope … infinite combinations for SQL/LDAP languages
  • Behavioral

  20. Who’s watching “The Core”? (network diagram; labels: Perimeter Network, F/W, Network DoS, Core Network, IDS, Critical Asset Protection, WAF, NAC, Web / Application Servers, Database Servers, VPN, Reverse Firewall, Load Balancer)

  21. Can Behavioral-based Technology Help? • Traditional blacklist / whitelist technologies cannot detect targeted attacks • An affirmative defense is necessary

  22. “Know what you have. Know when it changes.” (discovery diagram; labels: Newly discovered app servers, Attribution Requested, Busy App servers, DBA Access, Application Servers, Discovered App servers, Busy connections, It’s all in the protocols…, Newly discovered DB, Discovered DBs, Inactive DB, Incorporate TIME, Undocumented DB)

  23. Achieving the Behavioral-based Vision

  24. An Example: SQL Protocol
  • SQL Protocol contains a Wealth of Information
  • Know what you have! (static information…)
    • Applications & Application Servers
    • Database Servers & the Databases that are available
    • Other end point access…
  • Things we’ve seen in the wild…
    • Database sessions operating over wireless networks
    • Application Development mapped into Production DBs
    • Gbytes of unexpected traffic at unexpected times
  • Know when it changes! (dynamic information…)
    • New database online, or database inactive
    • New end point active, new Application server introduced
  • And the potential for enforcing Policy

  25. The Benefits of Behavioral Machine Learning
  • No Rules to write or maintain, ever!
  • Improved accuracy in attack detection
  • Cannot be defeated through obfuscation
  • 40% - 60% of the SQL generated is sufficient
    • Key advantage versus blacklist/whitelist
  • Learning can be done quickly / automatically
    • Manual exercise for many applications
    • Automated load generation
    • DAST “spidering” w/ OWASP ZAP Proxy

  26. Sophisticated, Real-Time SQL Inspection
  Target sql(175): select USERID from login where userName='alex' and password='alexpass'
  Suspect sql(185): select USERID from login where userName='' or 1=1 --' and password='junkpass'
  Decision flow for the suspect statement:
  • Is this SQL statement known safe? No
  • Does it contain Suspicious SQL? Maybe
  • Insertion on Known, Safe Statement? Yes
  • Does Insertion Fall on a Literal Boundary? Yes
  • Is request syntactically consistent? Yes
  • Verdict: Certain
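The decision flow on this slide, together with the learning phase from slide 25, as an added Python example that is not DB Networks' code: it learns literal-free statement skeletons from normal application traffic (the login statements in SAFE_SAMPLE are constructed here) and then classifies a later statement by whether its divergence from a learned statement begins at a literal boundary. The function names, the tokenizer and the verdict strings are this example's own assumptions, not the product's.

```python
import re

# Tokenizer: string literals (with '' escaping), numbers, comments, words, punctuation.
TOKEN_RE = re.compile(
    r"(?P<str>'(?:[^']|'')*')|(?P<num>\b\d+(?:\.\d+)?\b)"
    r"|(?P<comment>--[^\n]*|/\*.*?\*/)|(?P<word>[A-Za-z_]\w*)|(?P<punct>\S)", re.S)

def skeleton(sql):
    """Literal-free shape of a statement: literals become '?', comments
    '<comment>', the rest is lower-cased. Every execution of one application
    query, whatever values it binds, yields the same skeleton."""
    out = []
    for m in TOKEN_RE.finditer(sql):
        if m.lastgroup in ("str", "num"):
            out.append("?")
        else:
            out.append("<comment>" if m.lastgroup == "comment" else m.group().lower())
    return tuple(out)

def learn(sample_statements):
    """Learning phase: the set of skeletons observed during normal use."""
    return {skeleton(s) for s in sample_statements}

def classify(sql, known):
    """Walk the slide's decision list and return a verdict string."""
    sk = skeleton(sql)
    if sk in known:
        return "known-safe"
    # Longest common token prefix with a learned statement: if there is one,
    # the request is an insertion on a known, safe statement.
    best = 0
    for k in known:
        n = 0
        while n < min(len(k), len(sk)) and k[n] == sk[n]:
            n += 1
        best = max(best, n)
    if best == 0:
        return "unknown-statement"
    # Literal boundary: the shared prefix ends in a literal, so data supplied
    # in a value position changed the statement's structure. That is SQL
    # injection; a change elsewhere is a new or modified application query.
    if sk[best - 1] == "?":
        return "injection-certain"
    return "changed-statement"

# Constructed sample of the application's normal login traffic (learning set).
SAFE_SAMPLE = [
    "select USERID from login where userName='alex' and password='alexpass'",
    "select USERID from login where userName='maria' and password='s3cret'",
]
KNOWN = learn(SAFE_SAMPLE)
```

A re-cased or re-spaced copy of a learned statement still maps to the same skeleton, which is the obfuscation point made on the previous slide.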

  27. Traditional SDLC: QA/Test Environment
  • 3rd Party & In-House developed applications
    • Including SCADA
  • DAST cannot identify vulnerabilities without a return signal
    • Payload Response
    • Error Message, etc.
  • Vulnerabilities make their way into Production
    • Blind SQL Injections
  (Pipeline diagram: Development → QA/Test → Production)

  28. Extended SDLC: Continuous Monitoring
  • Vulnerability detection continues in Production
    • The most cost effective way to identify & remediate vulnerabilities
    • Including Blind SQL Injection
  • Natural application usage exposes vulnerabilities
  • A continuation of SDLC benefits
    • Rogue SQL
    • Confirm no Dynamic SQL
    • Monitor in tandem w/ SOC
  (Pipeline diagram: Development → QA/Test → QA/Test → Production, with Core IDS Installed)

  29. Case Study
  • Medical Website
    • Lost PCI Certification because of a breach
    • 10,000 usernames/passwords compromised
  • Implemented Core IDS in Production
  • 6 months later during PCI Re-certification
    • Core IDS discovers a Blind SQL Injection
    • Commercial DAST reported “no vulnerabilities found”
    • PCI Certification granted that afternoon
  • Today Core IDS is supporting their SDLC
    • 2 attacks & 12+ vulnerabilities identified
    • Normal application usage
    • Orderly remediation

  30. Conclusions
  • Behavioral-based technology can benefit AppSec
    • Confirm that your applications are behaving the way you intend them to behave
    • Test & monitor 3rd Party / COTS applications
    • Identify Blind SQL Injections
    • Visibility beyond just QA/Test
    • Identify user-generated SQL vulnerabilities
    • Know that you have been attacked before the attacker knows
  • The technology is available today!
    • Easy to implement & Easy-to-Use
    • Demonstration available

  31. Questions?

  32. Pass The Word
  • Companion Presentation: Identifying and Tracking Critical Software Infrastructure Using Behavioral-based Continuous Monitoring
  • Applicable to: ISSA, ISACA, OWASP, BeWize, IAPP, ISC2 Chapters
  • Animations: Continuous Monitoring & Analysis (2:15 min.); Adaptive Behavioral Analysis (2:01 min.)
  • New Whitepaper! Title: “SQL Injection Defense: There are No Silver Bullets”

  33. Companion Presentation
  • Identifying and Tracking Critical Software Infrastructure Using Behavioral-based Continuous Monitoring
  • Applicable to: ISSA, ISACA, OWASP, BeWize, IAPP, ISC2 Chapters
  • Animations: Continuous Monitoring & Analysis (2:15 min.); Adaptive Behavioral Analysis (2:01 min.)
  • New Whitepaper! SQL Injection Defense: There are No Silver Bullets

  34. Thank You Speaker: Bob DeWolfe Title: Core Security Evangelist Company: DB Networks Email: bob.dewolfe@dbnetworks.com
