© 2008 IBM Corporation THE VEHICLE THE SKILL THE SOLUTION IBM Web Application Security by John Smith, Senior Security Architect, 23rd April 2008

Posted: 20-Dec-2015. Category: Documents.

Transcript of "IBM Web Application Security" by John Smith, Senior Security Architect, 23rd April 2008 (© 2008 IBM Corporation, THE VEHICLE THE SKILL THE SOLUTION)

Page 1:

© 2008 IBM Corporation

THE VEHICLE THE SKILL THE SOLUTION

IBM Web Application Security

by John Smith, Senior Security Architect, 23rd April 2008

Page 2:

Agenda

• Business & IT Challenges
• State of Security Today
• Setting the security scene
• Why Web Application Security?

Page 3:

IBM’s Security Philosophy

A secure environment is essential for organizations to deliver products and services to customers, and to take advantage of growth opportunities. Security management is integral to business strategy. It’s the result of a thoughtful balance between opportunity and exposure.

Page 4:

Business Challenges

Table: the enterprise, past versus present

                 Past                                    Present
Network          Inside and outside groups               Hundreds of groups
Policy           Default deny                            Default allow
Applications     Tens of applications (Web, mail,        Hundreds of applications (custom protocols,
                 domain name server (DNS))               payroll, trading, self service)
Targets/traffic  Tens of targets, megabits of traffic    Thousands of targets, gigabits of traffic

The evolving enterprise (networks, applications and systems) poses a unique challenge not addressed satisfactorily by traditional REACTIVE solutions and approaches.

Page 5:

The Evolving Threats of e-crimes

FBI: e-crime now bigger than narcotics*

• Big business driven by profit
• Innovation to capture new markets (victims)
• Victim segmentation and focus
• Stealth is the new “black”
• Rate of attacks is accelerating
• Form of attack is more malicious
• Attacks are “Designer” in nature

*Børsen, 19-2-2008

Page 6:

State of the Application Security Market

BJ's Settles Case with FTC over Customer Data
FTC alleges weak security at wholesale club led to fraudulent sales valued in the millions
JUNE 17, 2005 -- After credit card data for thousands of customers was used to make fraudulent purchases in other stores, BJ's Wholesale Club Inc. has agreed

Visa, Amex Cut Ties with CardSystems
July 19, 2005 -- Visa USA Inc. and American Express Co. are cutting ties with the payment-processing company that left 40 million credit and debit card accounts vulnerable to hackers in one of the biggest breaches of consumer data

Massive Security Breach Reveals Credit Card Data
Jan 18, 2007 -- The TJX Companies, a large retailer that operates more than 2,000 retail stores under brands such as Bob’s Stores, HomeGoods, Marshalls, T.J. Maxx and A.J. Wright, said on Wednesday that it suffered a massive computer breach on a portion of its network that handles credit card, debit card, check and merchandise transactions in the United States and abroad.

CNBC's Easy Money
BusinessWeek uncovers that the cable channel's own design flaw may be behind the investigation into its million-dollar stock-picking contest

USDA admits data breach, thousands of social security numbers revealed
Thursday, 17 April 2007 (AXcess News) Washington - The US Department of Agriculture (USDA) admitted that a security breach allowed social security and other personal information of over 63,000 recipients of federal farm loans to be made available on a public website in violation of Federal privacy laws.

Page 7:

The IT Challenges

• Dynamic threats
• Limited IT resources
• Pressure to demonstrate risk reduction and compliance
• Process complexity
• Reduce operating costs
• Security program must show value
• Proactive versus reactive

Page 8:

Simple Application Security Landscape

Diagram: The Internet -> The Enterprise (Web Server -> Application Server -> Databases -> Backend Server/System)

Protection layers shown along the path, from network to application: Access Control and Firewall, IDS/IPS, Application Firewall

Threat and protection labels shown along the path, from network to application: Port Scanning, DoS, Anti-spoofing, Web Server known vulnerabilities, Pattern-Based Attacks, SQL Injection, Cross Site Scripting, Parameter Tampering, Cookie Poisoning

Capabilities listed:
• User Identification
• Access Control
• Encrypted transport of data
• Firewall
• Universal threat management
• Anomaly detection
• Intrusion prevention
• Vulnerability management
• Remediation/Patching
• Compliance and risk management
• Host protection (server and desktop)
• Layer 4 – 7 protection (content, URL, Web)
• Content Control
• Data Leakage management

Page 9:

Reality: Security and Spending Are Unbalanced

Chart (Sources: Gartner 2006) comparing the Network Server layer with the Web Application layer:
  % of Attacks: Web Application 75%, Network Server 25%
  % of Security Investment: Network Server 90%, Web Application 10%

75% of all attacks on information security are directed to the Web Application layer.
2/3 of all Web Applications are vulnerable.

Page 10:

Why Application Security is a High Priority!

Web applications are the #1 focus of hackers:
• XSS and SQL Injection are the #1 and #2 reported vulnerabilities (Mitre)

Most sites are vulnerable:
• 90% of sites have security issues (IBM)
• 78 percent of easily exploitable vulnerabilities affected Web applications (Symantec)

Web applications are high value targets for hackers:
• Customer data, credit cards, ID theft, fraud, site defacement, etc.

Compliance requirements:
• Payment Card Industry (PCI) Standards, SOX/EuroSOX, Basel II etc.

Page 11:

Is application security all about quality code?

*Graphics from OWASP.com

Lifecycle phases, numbered as on the slide:

1. Production
   • Test existing deployed apps
   • Eliminate security exposure in live applications

2. Deploy
   • Test apps before going to production
   • Deploy secure web applications

3. Test
   • Test apps for security issues in the QA organization along with performance and functional testing
   • Reduce costs of security testing

4. Development
   • Test apps for security issues in Development, identifying issues at their earliest point
   • Realize optimum security testing efficiencies (cost reduction)

5. Define/Design
   • Continuous security education of architects, developers etc. on Web Application Security

Page 12:

What does a web application scanner do?

A web application scanner is software which automates the security testing of web applications for vulnerabilities. It:

• Explores the web site to detect its structure and complexity
• Identifies vulnerabilities, ranked by severity, and shows how each was identified
• Provides advanced remediation, fix recommendations and security enablement

Page 13:

Software Security Development Ecosystem

Diagram spanning the Build, Coding, Security and QA stages.

Components shown:
• Developers
• Build System
• Defect Tracking System
• Security Auditor
• Quality Assurance Testing
• AppScan Enterprise (Control, Monitor and Report)
• Web Based Security Training

Flows shown:
• Scanning
• Results upload to AppScan Enterprise
• Defect Logger pushes results
• 2-way Defect Tracking
• Review & address results
• Reports from QA scans uploaded
• Upload/download of results

Page 14:

Web Application Security Evolution

Which Phase Are You In?

• Unaware
• Outsourced: External Consultants, Pen Testing
• Tactical: Manual Efforts, Desktop Audit Tools, 2-3 Internal Security Experts
• Strategic: Enterprise-Wide Scalable Solution

IBM offerings shown on the chart: AppScan, AppScan On Demand

Page 15:

Use Protection
Use IBM Security Solutions

Page 16:

© 2008 IBM Corporation

THE VEHICLE THE SKILL THE SOLUTION

Thank You!