Best Quality Application Security


Agenda
– Introductions
– Cyber is a big word!
– App. Sec Failings
– What App. Sec is
– A Real Solution
– Agile
– Run Time Binary Analysis
– Summary

About us
– Software provider delivering quality and excellence into the application security and performance domains
– Producers of Seeker
– Founders each with over 15 years of experience in information and application security
– 200 enterprise customers
– Offices in London, New York, Paris

Your Speaker: Adam Brown
– UK Manager for
– 15 years in application assurance, performance and security
– GIAC Certified GWAPT Web Application Penetration Tester
– ISEB Practitioner
– Performance Engineer
– Speaker at industry events on security, testing and performance


Some Exploit Types

Applications Remain Vulnerable
More in the press:

More Famous Web Application Breaches (slide graphic; organisations named): Bethesda Software, Citigroup, Sega, Sony, Sony BMG, Epsilon, Gmail accounts, RSA (SecurID), HB Gary, PBS, Lockheed Martin, Booz Allen Hamilton, Vanguard Defence, SOCA, Spanish National Police, US National Security, Malaysian Government site, Peru Special Police, Greece, Turkish Government, Monsanto, Brazil, Italian PM site, X-Factor 2011, IMF, Fox News, LinkedIn, Northrop Grumman, US Senate, NATO, SK Communications (Korea).
Attack techniques named on the slide: injection, XSS, SQLi, parameter tampering, URL tampering, DDoS, spear phishing, 3rd party software, technique undisclosed, unknown, other methods.
Figures shown on the slide: 6.5m records; 0.5m-1m in initial forensics, 23m in remediation; 2.7m records and 360k credit cards; 66m records; 11m passwords and 8.2m emails (largest leak of 2012); 50 million customers' passwords (April 2013); 225m-4bn; 170-1.5bn; "Business Impact of Attack".


Application Security in Numbers
– NIST: 92% of vulnerabilities are in applications, not in networks
– 75% of attacks aimed at application level (Source: Gartner)
– 85% of application vulnerabilities found at source code level (Source: Gartner)
– 90% of investment at network level (Source: OWASP)
– 97% of applications are vulnerable (Source: OWASP)
Applications remain vulnerable! Why?

App. Sec still a very real problem in 2013
Ponemon 2013 Post Breach Boom Report

Application Security in Context
Applications make data useful and are directly connected to the heart of the organisation.
Network > Servers > Application
Networks present applications to hackers – they have to!
Application attacks are a means to an end: data confidentiality, integrity, availability.

Things we have Tried
False Positives - They Stink!

Application Security Testing Techniques
Scanning and static code review not delivering:
– SAST: Static Application Security Testing
– DAST: Dynamic Application Security Testing
– Noise & false positives, false negatives, verification issues
– 3rd party issues, complexity & time, skills
– Code at rest, not application
Focus on technology instead of risk:
– Vulnerability centric, not data centric
– Injections & technical problems rather than business risk
– Ignoring application data
App pen testing – can be very thorough:
– How can it fit with Agile?
– Frequency, scalability, cost

Secure Software Approaches
SSDL, SDL-Agile and Microsoft's SDL have all been created to attempt to address information security risks coming from software.

Current Techniques – Complex & Heavy
Scanning & static code analysis failings:
– Examined from vulnerability perspective
– Focus on injections and technical problems
– Analysis of code, rather than application
– Ignoring application
– Focus on technology instead of risk
Pen testing:
– Expensive in time, resource and money
SDL:
– Hard to fit into development lifecycle


Definitions
Application Security is NOT:
– Network protocols: firewalls, routers, operating systems, VPNs and network vulnerability scanners
– Operating systems, web servers, application servers: patches, hardening & configuration, OS authentication, disk encryption, infrastructure vulnerability scanners / patch validation etc.
Application Security IS:
– COTS web applications: application configuration, application-level authentication & authorisation, testing thereof / secure software
– Customised COTS applications & custom applications: application configuration, application-level authentication & authorisation, testing thereof / secure software

New OWASP Top 10 in 2013

OWASP Top 10 Calculation

OWASP Top 10 Calculation

What works really well?

Three Fundamentals to a Security Solution

Move Application Security Left (Capers Jones graph): % defects introduced, % defects discovered, % bugs and cost per defect across the phases Coding, Unit Test, Function Test, System Test and After Release. Figures shown: 85% (defects introduced); relative costs 100, 250, 1,000 and 16,000, rising from Coding to After Release.

Costs and Benefits of Application Security (chart): costs of software security failures versus costs of software security measures, plotted against the level of software security assurance, with points A, B, C, D marked.

Secure ALM: Secure Application Lifecycle Management
Yogi always preferred Salmon to Red Herring!

IAST at its Best: Context and Data (diagram)
Front End > Back End > Database
Layers shown: Client Side, Presentation Layer, Protocol & Encryption, Encoding & Presentation, Business Functions, User Libraries, Runtime Libraries, Application Server, Data Layer, Stored Procedures, Data

Agile & Security
Agile firms: 37% faster, 30% more profit. What does this mean for security?
– Done the right way mitigates risk
– Visible progress in right direction
– Developers more responsive
– For secure applications we need security by design
Secure Software, Secure Applications:
– Discovery on eve of delivery is no longer an option
– Find issues early and test to maturity

Secure Application Lifecycle Management (process diagram)
On each iteration we work on the items that give us most value, until the list is empty or resources run out (time or money).
Elements shown: prioritised 'to do' list; general view of project; fixed duration iterations (typically 2 weeks each); 'to do' things must be done, done; prioritised 'to do' list for this iteration; information outside the team / information inside the team; iteration PLANNING; Develop; Test; Analysis; Integrate; Client; project REVIEW; work procedures review; working software application (and other deliverables); public presentation.
All stakeholders should be informed about

Continuous Integration – Check Every Build (diagram)
Developer > Build / Integration Environment (Build Server: Verification Build, Integration Tests, Application Security Tests) > Tester > Bug Tracker

RTBA (IAST) Process in SDLC (SALMan)
Build server (control and scheduling, auto scripts) drives the integration environment:
– Start RTBA capture
– Run auto test(s)
– Stop RTBA capture
– Execute RTBA tests
– Log RTBA result/output
– Push RTBA report
RTBA tests run in the integration environment, and RTBA agents connect into the Run Time Binary Analyser.

Summary
"can't build a secure application without performing security testing on it" (OWASP Testing Guide)
– Vulnerabilities are software bugs - dangerous ones
– Application security is a quality issue
– Security bugs are complex and must be fixed at code level
– Leverage existing processes and resources
– Modern software development is … and application security must be implicit

Feedback & Questions?

Stand no. 15
