Allianz Global CISO october-2015-draft
“Application Security Life Cycle Management”
Eoin Keary @eoinkeary
linkedin.com/eoinkeary
• CTO BCC Risk Advisory / edgescan.com
• OWASP GLOBAL BOARD MEMBER (2009-2014)
OWASP
“The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.”
Publications:
• OWASP Top 10
• OWASP Testing Guide
• OWASP Code Review Guide
• OWASP Application Security Verification Standard (ASVS)
Risks to Web Applications
A1 – Injection
Description: Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query.
Impact: The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
A3 – Cross Site Scripting (XSS)
Description: XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping.
Impact: XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
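The two flaws on this slide share one root cause: untrusted data reaching an interpreter (the SQL engine, the browser's HTML parser) mixed in with the command text. The Python below is an added example, not code from the talk or from edgescan, and uses a constructed in-memory SQLite table. It places the A1 pattern (string-built SQL) beside its fix (a bound parameter) and the A3 pattern (raw HTML interpolation) beside its fix (output encoding for the HTML body context), so the difference in behaviour can be observed directly.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for a real data store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, display_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "Alice"), ("bob", "<b>Bob</b>"), ("carol", "Carol")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # A1: untrusted data is spliced into the SQL text, so the interpreter
    # cannot distinguish the data from the command it was sent with.
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # Bound parameter: the value travels separately from the SQL text and is
    # treated purely as data, whatever characters it contains.
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    )
    return [row[0] for row in rows]


def render_vulnerable(display_name: str) -> str:
    # A3: untrusted data written into the page without escaping, so any
    # markup inside it is handed to the browser as markup.
    return f"<p>Hello, {display_name}</p>"


def render_escaped(display_name: str) -> str:
    # Output encoding for the HTML body context: <, >, &, and quotes become
    # entities, so the browser renders the string as text, not markup.
    return f"<p>Hello, {html.escape(display_name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input that closes the quoted literal
    print(lookup_vulnerable(db, probe))      # every user row comes back
    print(lookup_parameterized(db, probe))   # no such username: []
    print(render_vulnerable("<b>Bob</b>"))   # markup reaches the browser
    print(render_escaped("<b>Bob</b>"))      # markup rendered as text
```

The same input that turns the string-built query into "return every row" is an ordinary, non-matching username once it is bound as a parameter; likewise the stored display name containing tags is harmless once it is encoded on output. Input validation is still worthwhile, but the fix that holds for every input is keeping data and command separate.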
Demo
Why Application Security?
Threat Actors: Attacker Profiles
Organised Crime – Dedicated. Motivated by profit
Hacktivism – political, social motivations
“Script kiddies” – curious
Automated scanners/worms – systems used to identify “soft targets”
Cyber Terrorism – Political motivations
Nation States: Cyber Espionage/APT
Insiders
HACKED
“(Cyber crime is the) second cause of economic crime experienced by the financial services sector”
2014 Cyber Crime
• $445 Billion Global
“556 million adults across the world have first-hand experience of cybercrime -- more than the entire population of the European Union.”
Globally, every second, 18 adults become victims of cybercrime – Symantec
“The loss of industrial information and intellectual property through cyber espionage constitutes the greatest transfer of wealth in history”
Almost 1 trillion USD was spent in 2014 protecting against cybercrime
Jimmy, I didn’t click it – My mum
“One hundred BILLION dollars” - Dr Evil
• Banking Malware
– increased by 58 per cent last year compared to the year before
– Smartphone botnet:
• One “botnet” generated between $1,600 and $9,000 per day, the report said.
– booming market for exploit kits, malware packaged for sale and made to be very easy to use
DriDex, Carbanak, Zeus, SpyEye, Citadel, RedKit Exploit Kit, Neutrino Exploit Kit, Sweet Orange Exploit Kit, CrimePack Exploit Kit: €135 - €500 each!
Increasing Threat
- PWC GISS 2015
edgescan™ Statistics - 2015
39% of web applications have a crypto flaw
18% of web applications have an XSS flaw
3% of web applications have a SQLi flaw
5% of web applications have a Cmd Injection flaw
Most vulnerable Server: Apache™
7% of Apache servers have a critical vulnerability
[Chart: Vulnerability Density – Crypto 39%, XSS 18%, SQL Injection 3%, Cmd Injection 5%]
• Trend towards Services based Security & Vulnerability Management
• All vulnerabilities are not equal: fixing “the right” vulns, not all vulns
• SDLC integration: Prevent Vs React
Do More with Less
The OWASP Foundation
http://www.owasp.org
Two weeks of ethical hacking
Ten man-years of development
Business Logic Flaws
Code Flaws
Security Errors
An inconvenient truth
Metrics: We can measure what problems we have
Measure: We can’t improve what we can’t measure
Priority: If we can measure we can prioritise
Delta: If we can measure we can detect change
Apply: We can apply our (limited) budget on the right things
Improve: We can improve where it matters…
Value: Demonstrate value to our business
Answer the question: “Are we secure?” < a little better?
Vulnerability Management
We know they are bad for us, but who cares, right?
If we eat too many we may get a heart attack? …sound familiar
We also write [in]secure code and deploy insecure systems until we get hacked
The Cheeseburger approach: “Cheeseburger risk is the kind of risk you deliberately take even knowing the consequences, until those consequences actually come to pass.”
Cheeseburger Security
Cheeseburger Security - Awareness
Application Code
COTS (Commercial off the shelf)
Outsourced development Sub-Contractors
Bespoke outsourced development
Bespoke Internal development
Third Party APIs
Third Party Components & Systems
Degrees of trust (More – Less)
You may not let some of the people who have developed your code into your offices!!
Software Food-chain
System Topology: Host/Server/Framework
Building bricks – Frameworks / Components
Spring, Jquery, Jade, Angular, Hibernate
13 billion Open source downloads 2014
90% of application code is Open source
63%* don’t monitor component security
43%* don’t have open source policy
* http://www.sonatype.com/about/2014-open-source-software-development-survey
Components
Spring (3.0-3.05) – CVE-2011-2894 – Code exe – 7,000,000 downloads since vuln discovered – CVSS: 6.8
Apache Xerces2 – CVE-2009-2625 – DoS – 4,000,000 downloads since vuln discovered – CVSS: 5
Apache Commons HttpClient 3.x – CVE-2012-5783 – MiTM – 4,000,000 downloads since vuln discovered – CVSS: 4.9
Struts2 (2.0-2.3.5) – CVE-2013-2251 – Remote Cmd Injection – 179,050 downloads since vuln discovered – CVSS: 10
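The point of the download counts above is that a vulnerable component keeps being pulled into new builds long after its CVE is public, which is why the talk later insists that component vulnerability management is part of appsec. The Python below is an added example, not code from the talk or from edgescan: it takes a constructed bill of materials and matches each entry against the two advisories on this slide that carry version ranges (the "3.05" upper bound for Spring is read as 3.0.5, an assumption; Xerces2 and HttpClient are listed without ranges and are left out). Version strings are compared numerically, with a trailing qualifier such as `.RELEASE` ignored, so that 2.3.16 is correctly seen as newer than 2.3.5.

```python
# Advisories copied from the slide above (component, first affected,
# last affected, CVE, CVSS). Spring's "3.05" is read here as 3.0.5.
ADVISORIES = [
    ("spring", "3.0", "3.0.5", "CVE-2011-2894", 6.8),
    ("struts2", "2.0", "2.3.5", "CVE-2013-2251", 10.0),
]


def parse_version(text: str) -> tuple:
    """'2.3.16' -> (2, 3, 16); a non-numeric tail such as '.RELEASE' is dropped."""
    parts = []
    for piece in text.split("."):
        if not piece[:1].isdigit():
            break  # qualifier reached; the numeric prefix is what we compare
        num = ""
        for ch in piece:
            if not ch.isdigit():
                break
            num += ch
        parts.append(int(num))
    return tuple(parts)


def in_range(version: str, low: str, high: str) -> bool:
    """Inclusive numeric range check; shorter tuples are padded with zeros."""
    v, lo, hi = (parse_version(s) for s in (version, low, high))
    width = max(len(v), len(lo), len(hi))

    def pad(t: tuple) -> tuple:
        return t + (0,) * (width - len(t))

    return pad(lo) <= pad(v) <= pad(hi)


def check_bom(bom: list) -> list:
    """Return (component, version, cve, cvss) for every vulnerable entry, highest CVSS first."""
    hits = []
    for name, version in bom:
        for comp, low, high, cve, cvss in ADVISORIES:
            if name.lower() == comp and in_range(version, low, high):
                hits.append((name, version, cve, cvss))
    return sorted(hits, key=lambda h: -h[3])


# Constructed bill of materials for a hypothetical application.
SAMPLE_BOM = [
    ("spring", "3.0.2"),
    ("struts2", "2.3.16"),
    ("struts2", "2.3.1"),
    ("jquery", "1.11.0"),
]

if __name__ == "__main__":
    for name, version, cve, cvss in check_bom(SAMPLE_BOM):
        print(f"{name} {version}: {cve} (CVSS {cvss})")
```

In practice the advisory table is fed from a vulnerability database rather than typed in, and the same check runs in CI on every build, so a newly published CVE surfaces against the components already in the tree rather than waiting for the next penetration test.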
“65% of vulnerabilities discovered in 2015 by edgescan were outside of software development control – Operating System CVE, Component CVE, Misconfiguration etc ..” - edgescan Vulnerability Statistics Report 2015
“We Can” scale security in the SDLC..
Automation of assessment:
Depth / Coverage / Breadth / Rigour
Automation!!
• Jenkins, Hudson, Bamboo
– Event driven
– Scheduled
– Incremental
– Sounds great…. but
Accuracy / Information / Context
The “AntiScale”
Risk Context / Business Context / Accuracy / Information Vs Data / Human Decisions and Intel / Technical constraints
-> Chokepoints
The “AntiScale”
New languages and programming methods
Growth of interpreted languages with no strong typing hurts SAST (Javascript, Ruby,…)
Few automated tools to test APIs / RESTful APIs
Testing Window is squeezed, manual testing is doomed!?
AppSec/Component Sec
• “If you're not doing component vulnerability management you’re not doing appsec…”
– 90% of application code is Open source
• “If you’re not doing full-stack you are not doing security…”
Fighting The “AntiScale”: Accuracy
“Rule Tuning” – DAST & SAST
Build Fails!
White Noise
Real Security Vs “Best Practice”
Updates to Rules
Scale
“Delta Analysis”
Previous Vs Current
Changes
FP’s
CI Integration
Fighting The “AntiScale” – Delta Analysis
Measure of change in a target environment.
Focusing on change in risk posture compared to last assessment.
-> Closed, New, False Positives
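Delta analysis as the slide describes it is a set comparison: each finding from the previous assessment is matched against the current one by a stable identity, and the result is sorted into closed, new, persisting, and analyst-confirmed false positives. The Python below is an added example, not code from the talk or from edgescan, and the two assessments it compares are constructed sample data. It also shows the "Build Fails!" side of the previous slide: a CI gate that only fails on new findings at or above a severity threshold, so a suppressed false positive or a long-known medium does not break every build.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str      # hostname or application name
    location: str   # URL path, parameter, or host:port
    rule: str       # scanner rule / vulnerability class
    severity: str   # Critical / High / Medium / Low


def fingerprint(f: Finding) -> tuple:
    # Severity is deliberately left out: a re-rated finding is still the same finding.
    return (f.asset, f.location, f.rule)


def delta(previous, current, false_positives) -> dict:
    """Compare two assessments of one target; return closed/new/persisting/suppressed."""
    prev = {fingerprint(f): f for f in previous}
    curr = {fingerprint(f): f for f in current}
    fp = set(false_positives)

    def ordered(findings):
        return sorted(findings, key=fingerprint)  # deterministic report order

    return {
        "closed": ordered(f for k, f in prev.items() if k not in curr and k not in fp),
        "new": ordered(f for k, f in curr.items() if k not in prev and k not in fp),
        "persisting": ordered(f for k, f in curr.items() if k in prev and k not in fp),
        "suppressed": ordered(f for k, f in curr.items() if k in fp),
    }


def ci_gate(report: dict, fail_on=("Critical", "High")) -> bool:
    """True if the build may proceed: only *new* findings at or above the threshold fail it."""
    return not any(f.severity in fail_on for f in report["new"])


# Constructed sample assessments of one hypothetical application.
PREVIOUS = [
    Finding("shop.example", "/search?q", "xss-reflected", "High"),
    Finding("shop.example", "443/tcp", "weak-tls-cipher", "Medium"),
    Finding("shop.example", "/login", "sql-injection", "Critical"),
]
CURRENT = [
    Finding("shop.example", "443/tcp", "weak-tls-cipher", "Medium"),
    Finding("shop.example", "/login", "sql-injection", "Critical"),
    Finding("shop.example", "/export", "os-command-injection", "Critical"),
    Finding("shop.example", "/", "server-banner-disclosure", "Low"),
]
# Analyst-verified false positive, carried forward between runs as a fingerprint.
FALSE_POSITIVES = [("shop.example", "/", "server-banner-disclosure")]


def run_sample():
    report = delta(PREVIOUS, CURRENT, FALSE_POSITIVES)
    return report, ci_gate(report)


if __name__ == "__main__":
    report, passed = run_sample()
    for bucket, findings in report.items():
        print(bucket, [f.rule for f in findings])
    print("build passes:", passed)
```

The fingerprint is the design decision that matters: if it includes anything that changes between scans (a timestamp, a severity re-rated after review, a tool-generated id), every finding looks new each run and the delta degenerates into the full report again. Keeping the false-positive list keyed by the same fingerprint means the suppression survives across tool updates as long as the rule name is stable.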
Fighting The “AntiScale”: Testing like a Developer
Break testing into little pieces
– Continuous, on demand
– Testing duration drives testing frequency
Smoke / Incremental Vs full regression testing – “Early and Often”
edgescan™
Onboarding of Assets
We assess the assets to undergo continuous management. This in effect includes tuning our assessment tools, rules and approach in order to achieve high asset assessment coverage and rigour. We also assess the asset to help make sure the assessment techniques used are production safe.
Technical & Logical Security Assessment
We assess the assets for both technical vulnerabilities and logical weaknesses. Our edgescan Advanced license includes behavioural testing and tests which cannot be delivered using automation. Our testing covers over 90,000+ CVEs and also goes beyond the OWASP Top 10 etc.
Expert Manual Verification & Risk Rating
Our expert analysts verify all discovered vulnerabilities for accuracy. False Positive Free: manual verification by our expert security analysts ensures that all application and network vulnerabilities found are verified as real and ranked by security risk. This procedure allows for false positive free vulnerability intelligence for all assets.
Trending / Metrics / Reporting
The edgescan online portal provides 24/7 visibility of security metrics, trending data, key performance indicators (KPIs) and enables users to generate custom reports to manage and remediate cybersecurity risk. Our fully extensible API and JIRA integration provides users with the ability to integrate edgescan vulnerability intelligence into any GRC or bug tracking system.
Continuous Vulnerability Visibility and Intelligence
edgescan provides continuous/on-demand vulnerability management as a managed service, helping you identify and fix security weaknesses.
- edgescan intelligence
Business & Behavioural Testing
At scale: can be difficult to scale…
Technical Security is covered… Automation
More Time to “Deep Dive”
FIN
• We can scale but not everything is [easily] scalable
• Discover Tech Vulns using Tech
• No “Fire and forget” Security
• Let’s test to mirror development methodologies
Thanks for Listening