
Business Risk & Compliance Considerations for Application Security

Malathi Carthigaser, Principal Consultant, b-sec Consulting, mcarthigaser@b-sec.com, +61 3 9682 0233. 28th February 2008.


Presentation Transcript


  1. Business Risk & Compliance Considerations for Application Security. Malathi Carthigaser, Principal Consultant, b-sec Consulting, mcarthigaser@b-sec.com, +61 3 9682 0233. 28th February 2008

  2. What will this talk cover?
  • Drivers to App Sec Requirements and Controls
  • Business Risk
  • Compliance Considerations
  • Common Problems due to risk management process failures (b-sec Consulting observations)

  3. How will this talk help you?
  • Awareness of common problems
  • Assessment of all risks
  • Addressing risks appropriately

  4. Business Risks and Application Security “In 2005 and 2006 alone, over 100 million private records were reported stolen from American businesses; a significant portion (65 percent) of which was compromised as a direct result of a software breach.” “The Case for Application Security”, Fortify Software

  5. Security Breach – Financial Costs. Chart: average cost of a data breach involving 20,000 to 30,000 data records (source: “Calculating the Cost of a Security Breach”, Forrester Research, April 10, 2007; the chart values are not captured in the transcript)

  6. What is Risk? Diagram: a Threat exploits a Vulnerability in an asset/process; the Likelihood of that happening, together with its Impact, gives the Risk

  7. What is Security Risk?
  • Probability of a compromise to Confidentiality, Integrity or Availability
  • Occurs due to inadequate Security Controls

  8. Business Risk vs Technical Risk
  • Business Risk: negative impacts at the Organisational level, e.g. damage to reputation
  • Technical Risk: negative impacts at the System (application / data) level, e.g. privilege escalation

  9. Business vs Technical Risk : An Example

  10. Business Risk - Causes. Diagram: sources of Business Risk
  • Application and Data
  • Infrastructure
  • Policy / Process
  • Physical
  • People
  • Portable Devices
  • Media

  11. Trends - Application Security impacts on Business Risk
  • “Web application vulnerabilities in open-source as well as custom-built applications account for almost half the total number of vulnerabilities being discovered in the past year” [SANS Top 20 2007]
  • Targeted attacks (data theft) and the “professionalisation of cybercrime” motivated by financial gain [CSI Survey 2007]
  • Credit card fraud (financial data)
  • Identity theft (personal data)
  Not all security breaches are reported. Not all security breaches are detected. The majority of applications tested by b-sec Consulting have at least one high severity security vulnerability.

  12. Attacker Skills and Attack Types. Results collated by Fortify Software during Black Hat 2007: attacks against the “MyRewards” on-line shopping web site protected by Fortify Defender
  • Number of Unique Visitors: 79
  • Number of Attacks: 17,122 total
    • 7,564 XSS
    • 4,477 Unhandled Exceptions
    • 2,381 Decoy Tampering
    • 1,694 SQL Injection
  • Number of Successful Attacks: 0 attacks exploited the application; 27 attacks deemed sophisticated
  Chart: attack types (Command Injection, SQL Injection, Decoy Tampering, Unhandled Exception, XSS) grouped as “Identified Code Word” versus “No Code Words Identified”

  13. Security = Risk Management “Risk management is the term applied to a logical and systematic method of establishing the context of, identifying, analysing, evaluating, treating, monitoring and communicating risks associated with any activity, function or process in a way that will enable organizations to minimise losses.” [Handbook 231]

  14. Addressing Risk. Diagram: Risks versus Controls, with the GAP between them. Select and implement appropriate security controls to reduce the risk to an acceptable level. Business Risk → Application Security Requirements and Controls

  15. When to Consider Risks

  16. Compliance Considerations for Application Security

  17. Compliance Considerations Security Requirements

  18. Which compliance areas apply to a given application? Examples:
  • Privacy data → Privacy Principles
  • Credit card data → PCI DSS

  19. Legal Obligations: Privacy Principles

  20. Regulatory Obligations: PCI DSS

  21. Common problems - b-sec Consulting observations
  • Weak Authorisation Controls
  • Poor Management of Outsourced Software Development / Application Hosting

  22. Weak Authorisation Controls. “Authorisation ensures that the authenticated user has the appropriate privileges to access resources. The resources a user has access to depends on his/her role.” [OWASP Guide]
  Observed weaknesses (based on over 200 web applications tested in the last 4 years): direct URL access, parameter manipulation, sequential IDs, SQL injection, Cross-Site Scripting etc.

  23. Example : Financial Institution
  • Financial transactions implemented well
  • Access to bank account statements implemented poorly
  • Unauthorised access to data
  • Exposure of sensitive data; potentially across entire system
  • Activity not logged; not detected
  Unauthorised data access via URL manipulation and sequential IDs: https://www.highly-sensitive-data.com/sensitive-record.aspx?ID=100
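The weakness behind that URL is an insecure direct object reference: the statement ID is a guessable integer and the handler never checks that the record belongs to the logged-in user, so walking ?ID=100, 101, 102 … reads every customer's statement, and nothing is logged. The following is an added example, not code from the slides or from b-sec Consulting, that puts the vulnerable handler beside a hardened one and adds the audit logging and detection the slide says were missing. All user names, statement contents, tokens and the audit-log format are constructed for the demonstration; only the sequential-ID URL pattern comes from the slide.

```python
"""Added example (not from the original slides): the insecure direct object
reference the slide describes, beside a hardened version and a simple
detection rule for the 'not logged; not detected' failure.

All user names, statement data, tokens and the audit log format are
constructed for this demonstration; the only thing taken from the slide is
the sequential-ID URL pattern (sensitive-record.aspx?ID=100).
"""
import secrets
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass
class Statement:
    owner: str
    body: str


# Constructed data: three customers keyed by sequential integer IDs, the
# layout behind a URL like sensitive-record.aspx?ID=100.
STATEMENTS_BY_SEQ_ID: Dict[int, Statement] = {
    100: Statement("alice", "alice: balance 1,200.00"),
    101: Statement("bob", "bob: balance 87,500.00"),
    102: Statement("carol", "carol: balance 310.00"),
}


class Forbidden(Exception):
    """Raised when a record is not visible to the calling user."""


def get_statement_vulnerable(session_user: str, record_id: int) -> str:
    """Vulnerable handler: the session is authenticated (session_user is
    trusted) but the record's owner is never compared to it, so any
    logged-in user can read any statement by editing ?ID= in the URL."""
    return STATEMENTS_BY_SEQ_ID[record_id].body


def enumerate_statements(session_user: str,
                         lookup: Callable[[str, object], str],
                         ids: Iterable[object]) -> List[Tuple[object, str]]:
    """What an attacker does with guessable IDs: walk the ID space through
    `lookup` and keep whatever comes back. Against the vulnerable handler
    this returns every customer's statement."""
    found = []
    for i in ids:
        try:
            found.append((i, lookup(session_user, i)))
        except (KeyError, Forbidden):
            pass  # missing or denied: move on to the next guess
    return found


class StatementStore:
    """Hardened version: unguessable record IDs, an ownership check on every
    read, and an audit entry for every allowed and denied access."""

    def __init__(self) -> None:
        self._records: Dict[str, Statement] = {}
        self.audit_log: List[Tuple[str, str, str]] = []  # (outcome, user, id)

    def add(self, owner: str, body: str) -> str:
        token = secrets.token_urlsafe(16)  # 128 random bits, not sequential
        self._records[token] = Statement(owner, body)
        return token

    def get(self, session_user: str, token: str) -> str:
        rec = self._records.get(token)
        # Deny unknown and foreign records identically, so the response does
        # not tell an attacker whether a guessed ID exists.
        if rec is None or rec.owner != session_user:
            self.audit_log.append(("DENY", session_user, str(token)))
            raise Forbidden("record not found")
        self.audit_log.append(("ALLOW", session_user, token))
        return rec.body


def flag_enumeration(audit_log: Iterable[Tuple[str, str, str]],
                     threshold: int = 3) -> List[str]:
    """Detection rule: users with `threshold` or more denied record reads.
    A legitimate user following links from their own pages produces
    essentially none; an ID-walking attacker produces one per guess."""
    denies: Dict[str, int] = defaultdict(int)
    for outcome, user, _ in audit_log:
        if outcome == "DENY":
            denies[user] += 1
    return sorted(user for user, n in denies.items() if n >= threshold)


if __name__ == "__main__":
    # Vulnerable: bob, logged in as himself, reads everybody's statements.
    print(enumerate_statements("bob", get_statement_vulnerable, range(100, 103)))

    # Hardened: bob only gets his own record back, and the walk is visible.
    store = StatementStore()
    tokens = [store.add(s.owner, s.body) for s in STATEMENTS_BY_SEQ_ID.values()]
    print(enumerate_statements("bob", store.get, tokens + ["guessed-token"]))
    print(flag_enumeration(store.audit_log))
```

The ownership check is the actual fix; the random token only raises the cost of guessing and must not be relied on alone, which is why the hardened store checks `rec.owner` even though the ID is unguessable. The audit log is what turns the slide's "not logged; not detected" into something a monitoring rule can act on.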

  24. Weak Authorisation Controls
  Technical Risks
  • Breach of data confidentiality
  • Privilege escalation
  Business Risks
  • Sensitive data exposure (potentially across entire system)
  • Negative reputational impacts
  • Non-compliance with Privacy Principles
  • Non-compliance with PCI DSS

  25. Poor Management of Outsourced Software Development / Application Hosting
  • Remain accountable for Security and Risk Management
  • Need to clearly specify Security Requirements in contracts with your service provider
  • Ensure compliance with Security Requirements

  26. Contract Security Requirements
  • Compliance with organisation’s security policy (for handling, storing and processing data etc.) including security throughout development
  • Security requirements based on legal, regulatory and other compliance considerations
  • Segregation from other hosted applications / organisations

  27. Contract Security Requirements – Cont…
  • Mechanism to ensure compliance with contract, for example, to perform audits and testing with access to premises, resources and all records
  • Mechanism to address any shortfalls in security by the outsourced service provider
  • Mechanism for notification by the outsourced service provider of any security incidents
  • Mechanism for transferring data etc. at the end of a contract

  28. Root Cause: inadequate risk management processes. Resolution: security requirements should incorporate risk and compliance obligations

  29. Summary of Key Points. Application Security Requirements and Controls are driven by:
  • Business Risk
  • Compliance Considerations
  Common Problems - b-sec Consulting observations

  30. Questions?
