Page 1: Allianz Global CISO october-2015-draft

“Application Security Life Cycle Management”

Page 2:

Eoin Keary (@eoinkeary)

linkedin.com/eoinkeary

• CTO BCC Risk Advisory / edgescan.com
• OWASP Global Board Member (2009-2014)

Page 3:

OWASP

“The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.”

Publications:
• OWASP Top 10
• OWASP Testing Guide
• OWASP Code Review Guide
• OWASP Application Security Verification Standard (ASVS)

Page 4:

Risks to Web Applications

Page 5:

A1 - Injection

Description: Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query.

Impact: The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

Page 6:

A3 – Cross Site Scripting (XSS)

Description: XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping.

Impact: XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

Page 7:

Demo

Page 8:

Why Application Security?

Page 9:

Threat Actors: Attacker Profiles

• Organised Crime – dedicated, motivated by profit
• Hacktivism – political, social motivations
• “Script kiddies” – curious
• Automated scanners/worms – systems used to identify “soft targets”
• Cyber Terrorism – political motivations
• Nation States: Cyber Espionage/APT
• Insiders

Page 10:

HACKED

Page 11:

“(Cyber crime is the) second cause of economic crime experienced by the financial services sector”

2014 Cyber Crime: $445 Billion Global

“556 million adults across the world have first-hand experience of cybercrime -- more than the entire population of the European Union.”

Globally, every second, 18 adults become victims of cybercrime – Symantec

“The loss of industrial information and intellectual property through cyber espionage constitutes the greatest transfer of wealth in history”

Almost 1 trillion USD was spent in 2014 protecting against cybercrime

“Jimmy, I didn’t click it” – My mum

“One hundred BILLION dollars” – Dr Evil

Page 12:

Increasing Threat

• Banking malware – increased by 58 per cent last year compared to the year before
 – Smartphone botnet: one “botnet” generated between $1,600 to $9,000 per day, the report said.
 – Booming market for exploit kits: malware packaged for sale and made to be very easy to use
• DriDex, Carbanak, Zeus, SpyEye, Citadel, RedKit Exploit Kit, Neutrino Exploit Kit, Sweet Orange Exploit Kit, CrimePack Exploit Kit: €135 - €500 each!

Page 13:

[Figure: PWC GISS 2015]

Page 14:

edgescan™ Statistics - 2015

• 39% of web applications have a crypto flaw
• 18% of web applications have an XSS flaw
• 3% of web applications have a SQLI flaw
• 5% of web applications have a Cmd Injection flaw

Most vulnerable server: Apache™
• 7% of Apache servers have a critical vulnerability

[Chart: Vulnerability Density. Crypto 39%, XSS 18%, SQL Injection 3%, Cmd Injection 5%]

Page 15:

Do More with Less

• Trend towards services-based Security & Vulnerability Management
• All vulnerabilities are not equal: fixing “the right” vulns, not all vulns
• SDLC integration: Prevent vs React

Page 16:

An inconvenient truth

The OWASP Foundation – http://www.owasp.org

Two weeks of ethical hacking
Ten man-years of development

• Business Logic Flaws
• Code Flaws
• Security Errors

Page 17:

Vulnerability Management

• Metrics: We can measure what problems we have
• Measure: We can’t improve what we can’t measure
• Priority: If we can measure, we can prioritise
• Delta: If we can measure, we can detect change
• Apply: We can apply our (limited) budget on the right things
• Improve: We can improve where it matters...
• Value: Demonstrate value to our business
• Answer the question: “Are we secure?” < “a little better?”

Page 18:

Cheeseburger Security - Awareness

We know they are bad for us, but who cares, right?

If we eat too many we may get a heart attack? ...sound familiar?

We also write [in]secure code and deploy insecure systems until we get hacked.

The Cheeseburger approach: “‘Cheeseburger risk’ is the kind of risk you deliberately take even knowing the consequences, until those consequences actually come to pass.”

Page 19:

Software Food-chain

Application Code:
• COTS (Commercial off the shelf)
• Outsourced development sub-contractors
• Bespoke outsourced development
• Bespoke internal development
• Third-party APIs
• Third-party components & systems

Degrees of trust (More ... Less): You may not let some of the people who have developed your code into your offices!!

Page 20:

System Topology: Host/Server/Framework

Building bricks – Frameworks / Components: Spring, jQuery, Jade, Angular, Hibernate

• 13 billion open source downloads in 2014
• 90% of application code is open source
• 63%* don’t monitor component security
• 43%* don’t have an open source policy

* http://www.sonatype.com/about/2014-open-source-software-development-survey

Page 21:

Components

• Spring (3.0-3.05) – CVE-2011-2894 – code execution; 7,000,000 downloads since vuln discovered; CVSS: 6.8
• Apache Xerces2 – CVE-2009-2625 – DoS; 4,000,000 downloads since vuln discovered; CVSS: 5
• Apache Commons HttpClient 3.x – CVE-2012-5783 – MiTM; 4,000,000 downloads since vuln discovered; CVSS: 4.9
• Struts2 (2.0-2.3.5) – CVE-2013-2251 – remote command injection; 179,050 downloads since vuln discovered; CVSS: 10
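The slide's point is that a known-vulnerable component keeps being downloaded long after its CVE is published; the check below is an added example (not from the deck or from edgescan) that matches a constructed component inventory against the version ranges the slide lists. The CVE ids and ranges are the slide's; reading "3.05" as 3.0.5 and HttpClient "3.x" as 3.0-3.1 are assumptions, as is the sample inventory.

```python
# Added example, not from the deck: match a constructed component inventory against
# the slide's vulnerable ranges. "3.05" -> 3.0.5 and "3.x" -> 3.0-3.1 are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    component: str
    cve: str
    low: str       # first affected version, inclusive
    high: str      # last affected version, inclusive
    cvss: float

ADVISORIES = [
    Advisory("spring", "CVE-2011-2894", "3.0", "3.0.5", 6.8),
    Advisory("commons-httpclient", "CVE-2012-5783", "3.0", "3.1", 4.9),
    Advisory("struts2", "CVE-2013-2251", "2.0", "2.3.5", 10.0),
]

def parse_version(v):
    """'2.3.4' -> (2, 3, 4); non-numeric suffixes such as '-RC1' are ignored."""
    out = []
    for part in v.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        out.append(int(digits) if digits else 0)
    return tuple(out)

def in_range(version, low, high):
    """Inclusive range test; pad to equal length so 3.1 and 3.1.0 compare equal."""
    vs = [parse_version(x) for x in (version, low, high)]
    n = max(len(t) for t in vs)
    v, lo, hi = (t + (0,) * (n - len(t)) for t in vs)
    return lo <= v <= hi

def affected(component, version, advisories=ADVISORIES):
    hits = [a for a in advisories
            if a.component == component.lower() and in_range(version, a.low, a.high)]
    return sorted(hits, key=lambda a: -a.cvss)   # worst CVSS first

def check_inventory(inventory, advisories=ADVISORIES):
    """inventory: [(component, version), ...] -> {(component, version): [cve, ...]}."""
    report = {}
    for comp, ver in inventory:
        hits = affected(comp, ver, advisories)
        if hits:
            report[(comp, ver)] = [a.cve for a in hits]
    return report

# Constructed sample inventory: three components inside the listed ranges, two outside.
SAMPLE_INVENTORY = [("spring", "3.0.2"), ("spring", "3.1.0"), ("struts2", "2.3.4"),
                    ("struts2", "2.3.16"), ("commons-httpclient", "3.1")]
```

Feeding a build's real dependency manifest through `check_inventory` (against a maintained advisory feed rather than this three-entry list) is what the "component vulnerability management" on the later slide amounts to in practice.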

Page 22:

“65% of vulnerabilities discovered in 2015 by edgescan were outside of software development control – Operating System CVE, Component CVE, Misconfiguration etc.” - edgescan Vulnerability Statistics Report 2015

Page 23:

“We Can” scale security in the SDLC. Automation of assessment:
• Depth
• Coverage / Breadth
• Rigour

Page 24:

Automation!!
• Jenkins, Hudson, Bamboo
 – Event driven
 – Scheduled
 – Incremental
 – Sounds great... but

Page 25:

Accuracy/Information/Context: The “AntiScale”
• Risk context
• Business context
• Accuracy
• Information vs Data
• Human decisions and intel
• Technical constraints

-> Chokepoints

Page 26:

The “AntiScale”: New languages and programming methods
• Growth of interpreted languages with no strong typing hurts SAST (JavaScript, Ruby, ...)
• Few automated tools to test APIs / RESTful APIs
• Testing window is squeezed; manual testing is doomed!?

Page 27:

AppSec/Component Sec
• “If you're not doing component vulnerability management you’re not doing appsec...”
 – 90% of application code is open source
• “If you’re not doing full-stack you are not doing security...”

Page 28:

Fighting The “AntiScale”

Accuracy: “Rule Tuning” – DAST & SAST
• Build fails!
• White noise
• Real security vs “best practice”
• Updates to rules

Scale: “Delta Analysis”
• Previous vs current
• Changes
• FPs

Page 29:

CI Integration

Page 30:

Fighting The “AntiScale” - Delta Analysis

Measure of change in a target environment, focusing on change in risk posture compared to the last assessment.

-> Closed, New, False Positives
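The delta analysis above, worked through as an added example (not edgescan's code): two assessments of the same asset are keyed by (asset, vulnerability, location), so each finding is classified as New, Closed or Persisting, analyst-confirmed false positives are suppressed from both sides, and the change in a simple severity-weighted risk score summarises the posture shift. All findings and the host name are constructed sample data.

```python
# Added example, not edgescan's code: delta between two assessments of one asset.
# Findings are constructed; a finding is identified by (asset, vuln, location).
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    asset: str
    vuln: str       # e.g. "XSS", "SQLi" or a CVE id
    location: str   # URL and parameter, package, or port
    severity: str   # "critical" | "high" | "medium" | "low"

    def key(self):
        return (self.asset, self.vuln, self.location)

SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}

def delta(previous, current, false_positives=frozenset()):
    """Classify current findings as new, persisting or analyst-marked false positive,
    previous findings that vanished as closed, and report the change in weighted risk."""
    prev = {f.key(): f for f in previous}
    cur = {f.key(): f for f in current}
    result = {"new": [], "closed": [], "persisting": [], "false_positive": []}
    for k, f in cur.items():
        if k in false_positives:
            result["false_positive"].append(f)
        elif k in prev:
            result["persisting"].append(f)
        else:
            result["new"].append(f)
    for k, f in prev.items():
        if k not in cur and k not in false_positives:
            result["closed"].append(f)
    def weight(fs):
        return sum(SEVERITY_WEIGHT[f.severity] for f in fs)
    real_prev = [f for k, f in prev.items() if k not in false_positives]
    result["risk_delta"] = weight(result["new"] + result["persisting"]) - weight(real_prev)
    return result

# Constructed sample data: last assessment vs this one, plus one verified false positive.
HOST = "www.example.test"
PREVIOUS = [Finding(HOST, "XSS", "/search?q", "medium"),
            Finding(HOST, "SQLi", "/login user=", "critical"),
            Finding(HOST, "CVE-2013-2251", "struts2-core-2.3.4", "critical"),
            Finding(HOST, "Clickjacking", "/", "low")]
CURRENT = [Finding(HOST, "XSS", "/search?q", "medium"),
           Finding(HOST, "Clickjacking", "/", "low"),
           Finding(HOST, "Weak TLS cipher", "443/tcp", "medium")]
FALSE_POSITIVES = frozenset({(HOST, "Clickjacking", "/")})
```

With the sample data the two critical items are reported as closed, the XSS persists, the TLS finding is new, and the false positive never reappears in the delta, so the weighted risk drops by 16 between the two assessments.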

Page 31:

Fighting The “AntiScale”: Testing like a Developer
• Break testing into little pieces – continuous, on demand
 – Testing duration drives testing frequency
• Smoke / incremental vs full regression testing – “Early and Often”

Page 32:

edgescan™

Page 33:

Page 34:

edgescan intelligence

Onboarding of Assets: We assess the assets to undergo continuous management. This in effect includes tuning our assessment tools, rules and approach in order to achieve high asset assessment coverage and rigour. We also assess the asset to help make sure the assessment techniques used are production safe.

Technical & Logical Security Assessment: We assess the assets for both technical vulnerabilities and logical weaknesses. Our edgescan Advanced license includes behavioural testing and tests which cannot be delivered using automation. Our testing covers over 90,000+ CVEs and also goes beyond the OWASP Top 10 etc.

Expert Manual Verification & Risk Rating: Our expert analysts verify all discovered vulnerabilities for accuracy. False Positive Free: manual verification by our expert security analysts ensures that all application and network vulnerabilities found are verified as real and ranked by security risk. This procedure provides false-positive-free vulnerability intelligence for all assets.

Trending / Metrics / Reporting: The edgescan online portal provides 24/7 visibility of security metrics, trending data and key performance indicators (KPIs), and enables users to generate custom reports to manage and remediate cybersecurity risk. Our fully extensible API and JIRA integration provide users with the ability to integrate edgescan vulnerability intelligence into any GRC or bug tracking system.

Continuous Vulnerability Visibility and Intelligence: edgescan provides continuous/on-demand vulnerability management as a managed service, helping you identify and fix security weaknesses.

Page 35:

Business & Behavioural Testing

At scale:
• Can be difficult to scale...
• Technical security is covered... Automation
• More time to “deep dive”

Page 36:

FIN
• We can scale, but not everything is [easily] scalable
• Discover tech vulns using tech
• No “fire and forget” security
• Let’s test to mirror development methodologies

@[email protected]

Page 37:

Thanks for Listening