300 likes | 468 Views
Business Risk & Compliance Considerations for Application Security. Malathi Carthigaser Principal Consultant b-sec Consulting mcarthigaser@b-sec.com + 61 3 9682 0233. 28 th February 2008. What will this talk cover?. Drivers to App Sec Requirements and Controls Business Risk
E N D
Business Risk & Compliance Considerations for Application Security Malathi Carthigaser Principal Consultant b-sec Consulting mcarthigaser@b-sec.com + 61 3 9682 0233 28th February 2008
What will this talk cover? • Drivers to App Sec Requirements and Controls • Business Risk • Compliance Considerations • Common Problems due to risk management process failures (b-sec Consulting observations)
How will this talk help you? • Awareness of common problems • Assessment of all risks • Addressing risks appropriately
Business Risks and Application Security “In 2005 and 2006 alone, over 100 million private records were reported stolen from American businesses; a significant portion (65 percent) of which was compromised as a direct result of a software breach.” “The Case for Application Security”, Fortify Software
Security Breach – Financial Costs “Calculating the Cost of a Security Breach” April 10, 2007, Forrester Research Average cost of a data breach, involving 20,000 to 30,000 data records
What is Risk? Threat Exploit Vulnerability in asset/process Likelihood Impact Risk
What is Security Risk? • Probability of a compromise to Confidentiality, Integrity or Availability • Occurs due to inadequate Security Controls
Business Risk vs Technical Risk • Business Risk Negative impacts at the Organisational levele.g. Damage to reputation • Technical Risk Negative impacts at the System (application / data) levele.g. Privilege escalation
Business Risk - Causes Application and Data Infrastructure Policy / Process Business Risk Physical People Portable Devices Media
Trends - Application Security impacts on Business Risk • “Web application vulnerabilities in open-source as well as custom-built applications account for almost half the total number of vulnerabilities being discovered in the past year” [SANS Top 20 2007] • Targeted attacks (data theft) and the “professionalisation of cybercrime” motivated by financial gain [CSI Survey 2007] • Credit card fraud (financial data) • Identity theft (personal data) Not all security breaches are reported Not all security breaches are detected Majority of applications tested by b-sec Consulting has at least one high severity security vulnerability
Attacker Skills and Attack Types 79 17,122 • Number of Unique Visitors • 79 unique visitors • Number of Attacks • 17,122 total • 7,564 XSS • 4,477 Unhandled Exceptions • 2,381 Decoy Tampering • 1,694 SQL Injection • Number of Successful Attacks • 0 Attacks exploited the application • 27 Attacks deemed sophisticated Command Injection SQL Injection Identified Code Word Decoy Tampering Identified Code Word UnhandledException No Code Words Identified No Code Words Identified XSS XSS Results collated by Fortify Software during Black Hat 2007 Attacks against the “MyRewards” on-line shopping web site protected by Fortify Defender
Security = Risk Management “Risk management is the term applied to a logical and systematic method of establishing the context of, identifying, analysing, evaluating, treating, monitoring and communicating risks associated with any activity, function or process in a way that will enable organizations to minimise losses.” [Handbook 231]
Addressing Risk Risks Controls GAP Select and implement appropriate security controls to reduce the risk to an acceptable level Business Risk Application Security Requirements and Controls
Compliance Considerations Security Requirements
Which compliance areas apply to a given application? Examples: • Privacy data Privacy Principles • Credit card data PCI DSS
Common problems - b-sec Consultingobservations • Weak Authorisation Controls • Poor Management of Outsourced Software Development / Application Hosting
Weak Authorisation Controls “Authorisation ensures that the authenticated user has the appropriate privileges to access resources. The resources a user has access to depends on his/her role.” [OWASP Guide] (Based on over 200+ web applications in the last 4 years) Direct URL access, parameter manipulation, sequential IDs, SQL injection, Cross-Site Scripting etc…
Example : Financial Institution • Financial transactions implemented well • Access to bank account statements implemented poorly • Unauthorised access to data • Exposure of sensitive data; potentially across entire system • Activity not logged; not detected Unauthorised data access via URL manipulation and sequential IDs https://www.highly-sensitive-data.com/sensitive-record.aspx?ID=100
Weak Authorisation Controls Technical Risks Breach of data confidentiality Privilege escalation Business Risks Sensitive data exposure (potentially across entire system) Negative Reputational impacts Non-compliance with Privacy Principles Non-compliance with PCI DSS
Poor Management of Outsourced Software Development / Application Hosting • Remain accountable for Security and Risk Management • Need to clearly specify Security Requirements in contracts with your service provider • Ensure compliance with Security Requirements
Contract Security Requirements • Compliance with organisation’s security policy (for handling, storing and processing data etc) including security throughout development • Security requirements based on legal, regulatory and other compliance considerations • Segregation from other hosted applications / organisations
Contract Security Requirements – Cont… • Mechanism to ensure compliance with contract, for example, to perform audits and testing with access to premises, resources and all records • Mechanism to address any shortfalls in security by the outsourced service provider • Mechanism for notification by the outsourced service provider of any security incidents • Mechanism for transferring data etc. at the end of a contract
Root Cause • Inadequate risk management processes Resolution • Security requirements should incorporate risk and compliance obligations
Summary of Key Points Application Security Requirements and Controlsare driven by: • Business Risk • Compliance Considerations Common Problems - b-sec Consulting observations