
Application Security Lessons from the Pro’s How leading US online banks secured their applications






Presentation Transcript


  1. Application Security Lessons from the Pro’s: How leading US online banks secured their applications. Software isn’t complete unless it’s secure. Rob Rachwald, August 2007

  2. Wii Olympics & Free Beer (Boxing and Tennis). Fortify & Watchfire, tonight, 5 PM, Maryland Room B & C. Prizes include Wii and iPod Shuffles

  3. Evidence
  • Strong Growth: The number of online banking customers at the top 10 online banks surpasses Internet growth, with 44M users. (Comscore Networks, April 2007)
  • Less Hacking: Only 8% of top US banks reported external hacks against their systems, yet 2006 was the worst year for web application hacking in history. (Gartner 2007)
  • New Forms of Attacks Required: 60% of banks report suffering from phishing attacks; the security burden is on authentication and fraud detection. (Gartner 2007)
  • Weaker Banks Targeted: Hackers are targeting smaller banks with few resources with hacking and phishing schemes. (Gartner 2007)
  • Better Perception: 68 percent of respondents believe that their financial institutions’ websites are more secure. (Comscore Networks, April 2007)

  4. Banking Online is Safer than Banking Offline? Around 75% of fraud is offline; less than 15% of fraud is online.

  5. Can You Trust Your Mom?

  6. Can You Trust Your Mom? I want your password

  7. The Hackers “Oceans 1100” Followers (thousands and growing)

  8. Hacker Economics “The potential gain from even one successful computer intrusion makes [hacking] an attractive, relatively low-risk option… and the risk to sensitive information on US computer systems will increase.” —US Defense Security Service, 2007

  9. Defensive Economics “If the bear continues biting you long after you assume a defensive posture, it likely is a predatory attack. Fight back vigorously.”

  10. Online Banking Defensive Economics Don’t Run Fast, Just Faster

  11. Complex Code
  • Applications addressing: personal banking, retirement accounts, stocks, loans, credit cards, and lots more
  • BIG: online banking apps are often 10 million lines of code
  • Lots of Java and .NET
  • Large attack surface: hundreds of applications, thousands of entry points

  12. Other Top Hacks
  • Cross-Site Scripting: biggest avenue for phishing. Large attack surface and obtaining bits of customer data are critical in executing attacks.
  • SQL Injection: horizontal or vertical escalations are especially pernicious. Authentication and fraud detection technologies are critical.
  • Privilege Escalation
  • OWASP Top 10: they never go out of style.
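Slide 12 names SQL injection, privilege escalation and cross-site scripting without showing what they look like in code. The following Python example is added here and is not part of the original deck, nor Fortify or bank code: a constructed in-memory SQLite accounts table, an account lookup written once by splicing strings into SQL and once with bound parameters (the former lets a single crafted value turn into a horizontal escalation across other customers’ rows, which is exactly the defect class static analysis is meant to flag), and an output-encoding helper for the XSS case. All names, account numbers and balances are constructed.

```python
import html
import sqlite3

# Constructed sample data for the demo: a tiny in-memory "accounts" table with
# three made-up customers. Nothing here comes from a real bank.
SAMPLE_ACCOUNTS = [
    ("alice", "1001", 100),
    ("bob", "1002", 250),
    ("carol", "1003", 75),
]


def build_db():
    """Create the in-memory database and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (owner TEXT NOT NULL, acct_no TEXT NOT NULL, "
        "balance INTEGER NOT NULL)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn, owner, acct_no):
    """Anti-pattern: untrusted values spliced into the SQL text.

    The database parses whatever the caller supplied as part of the statement,
    so a value that closes the quoted literal and appends an always-true clause
    widens the WHERE filter to every customer's row: a horizontal escalation
    reached through SQL injection.
    """
    sql = (
        "SELECT owner, acct_no, balance FROM accounts "
        f"WHERE owner = '{owner}' AND acct_no = '{acct_no}'"
    )
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, owner, acct_no):
    """Parameterized query: the statement shape is fixed and the values are
    bound separately, so the input is only ever compared as a literal."""
    sql = (
        "SELECT owner, acct_no, balance FROM accounts "
        "WHERE owner = ? AND acct_no = ?"
    )
    return conn.execute(sql, (owner, acct_no)).fetchall()


def render_greeting(display_name):
    """Output encoding for the XSS case: customer-supplied text placed into an
    HTML page is escaped, so any markup in the value renders as plain text."""
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}</p>"


def demo():
    """Run both lookups with the same crafted value; return (rows, rows)."""
    conn = build_db()
    # Constructed malicious account number: closes the quoted literal and
    # appends a condition that is always true. With string splicing the
    # legitimate owner filter no longer constrains the result.
    crafted = "x' OR '1'='1"
    vulnerable_rows = lookup_vulnerable(conn, "alice", crafted)
    hardened_rows = lookup_hardened(conn, "alice", crafted)
    return len(vulnerable_rows), len(hardened_rows)


if __name__ == "__main__":
    v, h = demo()
    print(f"string-built query returned {v} rows; parameterized query returned {h}")
    print(render_greeting("<b>alice</b>"))
```

Running the script shows the string-built lookup returning all three customers’ rows for one crafted input while the parameterized lookup returns none; the same shape of fix (fixed statement, bound values, encoded output) is what a code review or static analysis pass in the later SDL stages on slides 16 and 17 would ask for.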

  13. The Software Security Problem "Since most security for Web applications can be implemented by a system administrator, application developers need not pay attention to the details of securing the application…" – BEA WebLogic Server Security Documentation

  14. Stage 1: Reactionary Code Developed Functional Tests Unit Tests Production

  15. Stage 2: Apply band aids Pen Test Code Developed Functional Tests Unit Tests Production

  16. Stage 3: Beyond the badness-ometer Code Reviews Code Developed Functional Tests Pen Test Unit Tests Production

  17. Stage 4: Teach a Man to Fish Static Analysis Functional Tests Code Developed Unit Tests Pen Test Code Reviews Production

  18. Stage 5: Homo securus Devs Trained Pen & Functional Static Analysis Unit Tests Code Reviews Code Developed Production

  19. Challenges Remain
  • New Web 2.0, SOA = same problems all over again
  • Hacker sophistication continues to rise, especially phishing attacks
  • Keeping developer mindshare
  • Ensuring 3rd party code is secure (remember BEA?)

  20. Lessons
  • Security requires executive initiative
  • Security is a programming problem
  • Security is a process: define a Secure Development Lifecycle (SDL) and implement it

  21. Don’t forget the whitepaper. Rob Rachwald, rr@fortify.com, (650) 213-5683

  22. Fortify Within the Secure Software Lifecycle
  • Fortify Manager: central reporting and management of software security across the enterprise
  • Fortify SCA (Dev): proactive security with targeted, accurate analysis tuned for low false positives
  • Fortify SCA: analyzes code comprehensively and accurately
  • Fortify Defender: monitors and measures web applications in production
  • Fortify Tracer: makes every black box security test measurable and actionable
  • Fortify Tracer & Watchfire AppScan: thorough black box application security testing
  Roles shown in the diagram: Developers, Build Server, Security Testers, Security Leads / Auditors, Security Ops Team, Management (FPR result files flow between them)

  23. Wii Olympics & Free Beer (Boxing and Tennis). Fortify & Watchfire, tonight, 5 PM, Maryland Room B & C. Prizes include Wii and iPod Shuffles

  24. Thanks. Software isn’t complete unless it’s secure
