
Evolving Threats

End to end Application Security: a pre-emptive approach Michael Weider, Director of Security Products IBM Rational. Evolving Threats. Agenda. Introduction to Application Security Application Security Best Practices IBM Vision for Application Security. Desktop. Transport. Network.


Presentation Transcript


  1. End to end Application Security: a pre-emptive approach. Michael Weider, Director of Security Products, IBM Rational

  2. Evolving Threats

  3. Agenda
     • Introduction to Application Security
     • Application Security Best Practices
     • IBM Vision for Application Security

  4. Application Security - Understanding the Problem: Info Security Landscape (diagram). Layers and their protections: Desktop (Antivirus Protection), Transport (Encryption (SSL)), Network (Firewalls / IDS / IPS), Web Applications (Web Servers, Application Servers, Firewall, Backend Server, Databases)

  5. Hackers Exploit Unintended Functionality to Attack Apps (diagram: Actual Functionality = Intended Functionality + Unintended Functionality)

  6. Application Security Hacking Example

  7. 01/01/2006 union select userid,null,username+','+password,null from users-- Application responds with user names and passwords of other account holders!
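Added example, not part of the presentation: the slide-7 injection run against a query built by string concatenation and against the same query with a bound parameter, using SQLite. The table and column names, the closing quote on the date literal, and SQLite's `||` in place of T-SQL's `+` are assumptions.

```python
import sqlite3

# Constructed sample data (assumption): a transactions table queried by date
# and a users table the UNION reaches. Passwords are in clear text only so
# the leak is visible in the result set.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE transactions(id INTEGER, txdate TEXT, memo TEXT, amount REAL);
        INSERT INTO transactions VALUES (1, '01/01/2006', 'coffee', 42.5);
        CREATE TABLE users(userid INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'alice', 'hunter2'), (2, 'bob', 'swordfish');
    """)
    return conn

def transactions_unsafe(conn, txdate):
    # Vulnerable form: the request parameter is spliced into the SQL text,
    # so a quote in the input closes the literal and the rest runs as SQL.
    sql = ("SELECT id, txdate, memo, amount FROM transactions "
           "WHERE txdate = '" + txdate + "'")
    return conn.execute(sql).fetchall()

def transactions_safe(conn, txdate):
    # Hardened form: a bound parameter is always data, never SQL, so the
    # same input simply matches no rows.
    sql = "SELECT id, txdate, memo, amount FROM transactions WHERE txdate = ?"
    return conn.execute(sql, (txdate,)).fetchall()

# The slide's payload, with a closing quote for the quoted date literal above
# and || for T-SQL's + string concatenation (both assumptions).
PAYLOAD = ("01/01/2006' union select userid,null,username||','||password,null "
           "from users--")

def leaked_credentials(rows):
    # Rows contributed by the UNION branch carry NULL in the txdate column
    # and 'username,password' in the memo column.
    return sorted(r[2] for r in rows if r[1] is None)

if __name__ == "__main__":
    print("unsafe:", leaked_credentials(transactions_unsafe(make_db(), PAYLOAD)))
    print("safe:  ", transactions_safe(make_db(), PAYLOAD))
```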

  8. The OWASP Top 10

  9. Where Do These Problems Exist?
     Type:
     • Customer facing services
     • Partner portals
     • Employee intranets
     Source:
     • Applications you buy – e.g. COTS
     • Applications you build internally
     • Applications you outsource

  10. How Common Are These Problems? 80% of Websites and applications are vulnerable to these attacks – Watchfire Research

  11. Motives Behind Application Hacking Incidents Source: Breach/WASC 2007 Web Hacking Incident Annual Report

  12. Growth In Browser Vulnerabilities Source: IBM Xforce 2007 Annual Report

  13. Web Hacking Incidents by Industry Source: WASC 2007 Web Hacking Incident Annual Report

  14. PCI Application Security Requirements

  15. What is the Root Cause?
     • Developers not trained in security
       • Most computer science curricula have no security courses
     • Under investment from security teams
       • Lack of tools, policies, process, etc.
     • Growth in complex, mission critical online applications
       • Online banking, commerce, Web 2.0, etc.
     • Number one focus by hackers
       • 75% of attacks focused on applications - Gartner
     Result: Application security incidents and lost data on the rise

  16. Agenda
     • Introduction to Application Security
     • Application Security Best Practices
     • IBM Vision for Application Security

  17. Application Security Maturity Model (chart: Maturity vs. Time over a duration of 2-3 years; phases Unaware, Awareness Phase, Corrective Phase, Operations Excellence Phase, with shares labelled 10%, 30%, 30%, 30%)

  18. Building Security Into the Development Process (lifecycle diagram; graphics from OWASP.com)
     Define/Design
     • Security requirements, architecture, threat modeling, etc.
     Development
     • Test apps for security issues in Development, identifying issues at their earliest point
     • Realize optimum security testing efficiencies (cost reduction)
     Test
     • Test apps for security issues in QA organization along with performance and functional testing
     • Reduce costs of security testing
     Deploy
     • Test apps before going to production
     • Deploy secure web applications
     Production
     • Test existing deployed apps
     • Eliminate security exposure in live applications

  19. Security Testing Within the Software Lifecycle (chart: SDLC stages Coding, Build, QA, Security, Production plotted against Application Security Testing Maturity; Developers labelled at the early stages)

  20. Application Security Adoption Within the SDLC (chart: x axis % Applications Tested, Low to High; y axis Difficulty & Cost of Test / Criticality & Risk of App., Low to High; Phase 1, Phase 2 and Phase 3 show the Security Team, QA Team and Development Team progressively taking on testing)

  21. Risk Oriented Approach to Application Security (chart: Risk Exposure, Low to High, against Security Investment, Low to High)

  22. Educating Developers and Getting “Buy in”
     • Establish security accountability and stds for shipping
     • Create a “security architect” role
     • Create a security community of practice
     • Create a secure development portal or wiki
     • Conduct hacking demos to demonstrate risks
     • Online & offline courses for secure coding
     • Put developers through secure coding exams
     • Security reviews of real applications
     • Pay premiums for security architects

  23. Agenda
     • Introduction to Application Security
     • Application Security Best Practices
     • IBM Vision for Application Security

  24. The IBM Security Framework, External Representation (diagram)
     Delivery: Security Hardware and Software; Managed Security Services; Professional Services
     Common Policy, Event Handling and Reporting
     Domains and solutions:
     • Security Governance, Risk Management and Compliance: Security Governance, Risk & Compliance Solutions
     • People and Identity: Identity and Access Management Solutions
     • Data and Information: Information Security Solutions
     • Application and Process: Application Security Lifecycle Mgmt Solutions
     • Network, Server, and End-point: Threat and Vulnerability Mgmt & Monitoring Solutions
     • Physical Infrastructure: Physical Security Solutions

  25. Software Security Development Ecosystem (diagram: stages Coding (Developers), Build (Build System), QA (Quality Assurance Testing), Security (Security Auditor scanning); Control, Monitor and Report; Web Based Security Training)

  26. Products and Services
     • Products: AppScan: Application Security Vulnerability Assessment Tools
     • Services: AppScan OnDemand
     • Training: Application security web-based training and onsite courses
     For more information see: www.watchfire.com
