© 2008 IBM Corporation
THE VEHICLE  THE SKILL  THE SOLUTION
IBM Web Application Security
by John Smith, Senior Security Architect, 23rd April 2008
Agenda
• Business & IT Challenges
• State of Security Today
• Setting the security scene
• Why Web Application Security?
IBM’s Security Philosophy
A secure environment is essential for organizations to deliver products and services to customers, and to take advantage of growth opportunities. Security management is integral to business strategy. It’s the result of a thoughtful balance between opportunity and exposure.
Business Challenges

Past:
• Network: inside and outside groups
• Policy: default deny
• Applications: tens of applications (Web, mail, domain name server (DNS))
• Tens of targets, megabits of traffic

Present:
• Network: hundreds of groups
• Policy: default allow
• Applications: hundreds of applications (custom protocols, payroll, trading, self service)
• Thousands of targets, gigabits of traffic

The evolving enterprise (networks, applications and systems) poses a unique challenge not addressed satisfactorily by traditional REACTIVE solutions and approaches.
The Evolving Threats of e-crimes
• FBI: e-crime now bigger than narcotics*
• Big business driven by profit
• Innovation to capture new markets (victims)
• Victim segmentation and focus
• Stealth is the new “black”
• Rate of attacks is accelerating
• Form of attack is more malicious
• Attacks are “Designer” in nature
*Børsen, 19-2-2008
State of the Application Security Market

BJ's Settles Case with FTC over Customer Data
FTC alleges weak security at wholesale club led to fraudulent sales valued in the millions
JUNE 17, 2005 -- After credit card data for thousands of customers was used to make fraudulent purchases in other stores, BJ's Wholesale Club Inc. has agreed

Visa, Amex Cut Ties with CardSystems
July 19, 2005 -- Visa USA Inc. and American Express Co. are cutting ties with the payment-processing company that left 40 million credit and debit card accounts vulnerable to hackers in one of the biggest breaches of consumer data

Massive Security Breach Reveals Credit Card Data
Jan 18, 2007 -- The TJX Companies, a large retailer that operates more than 2,000 retail stores under brands such as Bob’s Stores, HomeGoods, Marshalls, T.J. Maxx and A.J. Wright, said on Wednesday that it suffered a massive computer breach on a portion of its network that handles credit card, debit card, check and merchandise transactions in the United States and abroad.

CNBC's Easy Money
BusinessWeek uncovers that the cable channel's own design flaw may be behind the investigation into its million-dollar stock-picking contest

USDA admits data breach, thousands of social security numbers revealed
Thursday, 17 April 2007 (AXcess News) Washington - The US Department of Agriculture (USDA) admitted that a security breach allowed social security and other personal information of over 63,000 recipients of federal farm loans to be made available on a public website in violation of Federal privacy laws.
The IT Challenges
• Dynamic threats
• Limited IT resources
• Pressure to demonstrate risk reduction and compliance
• Process complexity
• Reduce operating costs
• Security program must show value
• Proactive versus reactive
Simple Application Security Landscape

Traffic path: The Internet → Access Control and Firewall → IDS/IPS → Application Firewall → The Enterprise (Web Server, Application Server, Databases, Backend Server/System)

Access Control and Firewall
• User identification
• Access control
• Encrypted transport of data
• Firewall
• Universal threat management
Addresses: port scanning, DoS, anti-spoofing

IDS/IPS
• Anomaly detection
• Intrusion prevention
• Vulnerability management
• Remediation/patching
• Compliance and risk management
Addresses: Web server known vulnerabilities, pattern-based attacks

Application Firewall
• Host protection (server and desktop)
• Layer 4 – 7 protection (content, URL, Web)
• Content control
• Data leakage management
Addresses: SQL injection, cross site scripting, parameter tampering, cookie poisoning
Reality: Security and Spending Are Unbalanced

                    % of Attacks    % of Security Investment
Network/Server          25%                 90%
Web Application         75%                 10%

Sources: Gartner 2006

75% of all attacks on information security are directed to the Web application layer.
2/3 of all Web applications are vulnerable.
Why Application Security is a High Priority!

Web applications are the #1 focus of hackers:
● XSS and SQL Injection are the #1 and #2 reported vulnerabilities (Mitre)

Most sites are vulnerable:
● 90% of sites have security issues (IBM)
● 78% of easily exploitable vulnerabilities affected Web applications (Symantec)

Web applications are high value targets for hackers:
● Customer data, credit cards, ID theft, fraud, site defacement, etc.

Compliance requirements:
● Payment Card Industry (PCI) Standards, SOX/EuroSOX, Basel II etc.
Is application security all about quality code?

1. Production
• Test existing deployed apps
• Eliminate security exposure in live applications

2. Deploy
• Test apps before going to production
• Deploy secure web applications

3. Test
• Test apps for security issues in the QA organization along with performance and functional testing
• Reduce costs of security testing

4. Development
• Test apps for security issues in Development, identifying issues at their earliest point
• Realize optimum security testing efficiencies (cost reduction)

5. Define/Design
• Continuous security education of architects, developers etc. on Web Application Security

*Graphics from OWASP.com
What does a web application scanner do?

Software which automates the security testing of web applications for vulnerabilities:
• Explore the web site to detect structure and complexity
• Identify vulnerabilities ranked by severity and show how each was identified
• Advanced remediation, fix recommendations and security enablement
Software Security Development Ecosystem

Stages: Coding → Build → Security → QA

• Developers / Build System: review & address results; upload/download of results
• Defect Tracking System: Defect Logger pushes results; 2-way defect tracking
• Security Auditor: scanning; results upload to AppScan Enterprise
• Quality Assurance Testing: reports from QA scans uploaded; upload/download of results
• AppScan Enterprise: control, monitor and report
• Web Based Security Training
Web Application Security Evolution: Which Phase Are You In?

• Unaware
• Outsourced: external consultants, pen testing
• Tactical: manual efforts, desktop audit tools, 2-3 internal security experts
• Strategic: enterprise-wide scalable solution

IBM offerings: AppScan, AppScan On Demand
Use Protection: Use IBM Security Solutions
© 2008 IBM Corporation
THE VEHICLE THE SKILL THE SOLUTION
Thank You!