AWS Webcast - Top 3 Ways to Improve Web App Security
Transcript of AWS Webcast - Top 3 Ways to Improve Web App Security
Top 3 Ways to Improve Web App Security in AWS
Ryan Holland
Sr Manager, Partner Solution Architects
Amazon Web Services
Security & Compliance is a Shared Responsibility

AWS is responsible for the security OF the Cloud:
AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Customers are responsible for their security IN the Cloud:
Client-side Data Encryption
Server-side Data Encryption
Network Traffic Protection
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Customer applications & content
Security & Compliance is a Shared Responsibility
(same diagram as the previous slide, annotated with:)
Culture of security and continual improvement
Ongoing audit and assurance program
Your content
Your controls
AWS Marketplace
Every customer has access to the same security capabilities
AWS maintains a formal control environment
• SOC 1 (SSAE 16 & ISAE 3402) Type II (was SAS70)
• SOC 2 Security
• ISO 27001 Certification
• Certified PCI DSS Level 1 Service Provider
• FedRAMP (FISMA), ITAR, FIPS 140-2
• HIPAA and MPAA capable
Let AWS take care of the heavy lifting for you

AWS:
Facilities
Physical security
Compute infrastructure
Storage infrastructure
Network infrastructure
Virtualization layer (EC2)
Hardened service endpoints
Rich IAM capabilities

+ Customer:
Network configuration
Security groups
OS firewalls
Operating systems
Applications
Proper service configuration
AuthN & acct management
Authorization policies

= Customers get to choose the right level of security for their business. As an AWS customer you can focus on your business and not be distracted by the muck.
AWS partners can help you build secure solutions

AWS:
Facilities
Physical security
Compute infrastructure
Storage infrastructure
Network infrastructure
Virtualization layer (EC2)
Hardened service endpoints
Fine-grained IAM capability

+ AWS partner solutions:
These products and more are available on the AWS Marketplace - WAF, VPN, IPS, AV, API gateways, data encryption, user management

= Your secure AWS solutions
Top 3 Ways to Improve Web App Security in AWS
Dawn Smeaton, Product Marketing, Web App Security
Cloud Security is a Shared Responsibility
Copyright 2014 Trend Micro Inc.

Cloud Service Provider:
Facilities
Physical security
Physical infrastructure
Network infrastructure
Virtualization infrastructure

Cloud User:
Operating System
Applications
Data
Identity & Access
Security Groups

Controls on the cloud user's side: Anti-malware, Intrusion Prevention, Host Firewall, Integrity Monitoring, Log Inspection, Application Scanning, Data Encryption

ADAPTIVE: Intelligent, dynamic provisioning & policy enforcement
CONTEXT: Workload & application-aware
SCALABLE: Auto-detects new instances and rapidly applies security
PLATFORM: Comprehensive capabilities across data center & cloud
Web Apps are a Favorite Target
Easy to develop exploits
High value of data

Ripped from the headlines
1.2 billion internet credentials stolen by Russian hackers
4.5 million healthcare records stolen by exploiting the Heartbleed vulnerability
SQL Injection example
1. Application presents a form (Username: / Password:)
2. Attacker enters SQL in the form data, so the query the application builds becomes:
   "SELECT * FROM accounts WHERE acct='' OR 1=1--'"
3. Application forwards the query to the database
4. Database runs the attack query and sends encrypted results back to the app
5. Application decrypts the data as normal and sends the results to the attacker

Account Summary (what the attacker receives):
Acct:5424-6066-2134-4334
Acct:4128-7574-3921-0192
Acct:5424-9383-2039-4029
Acct:4128-0004-1234-0293
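The five steps above, run end to end, as an added example that is not code from the webcast or from either presenter. It uses only the Python standard library. The in-memory `accounts` table, the form field name `username`, and the XOR stand-in for the application's at-rest encryption are all assumptions made for the illustration; the four card numbers are the constructed values shown on the slide. The vulnerable lookup pastes the form value into the SQL text; the safe lookup binds it as a parameter.

```python
"""SQL injection, step by step (added example, standard library only)."""
import sqlite3

# Constructed sample data: the four account numbers shown on the slide.
ACCOUNTS = [
    ("alice", "5424-6066-2134-4334"),
    ("bob",   "4128-7574-3921-0192"),
    ("carol", "5424-9383-2039-4029"),
    ("dave",  "4128-0004-1234-0293"),
]

# Stand-in for the application's encryption of data at rest (steps 4 and 5).
# A single-byte XOR is NOT a cipher to use anywhere; it is here only so the
# script runs offline. The lesson is the same with real encryption: the
# application decrypts every row the database hands back, so encrypting the
# column does nothing against a query the attacker controls.
_XOR_KEY = 0x5A


def encrypt(text: str) -> bytes:
    return bytes(b ^ _XOR_KEY for b in text.encode("ascii"))


def decrypt(blob: bytes) -> str:
    return bytes(b ^ _XOR_KEY for b in blob).decode("ascii")


def build_db() -> sqlite3.Connection:
    """In-memory database holding the (encrypted) account numbers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, acct BLOB)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [(user, encrypt(acct)) for user, acct in ACCOUNTS],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, username: str) -> list:
    """Step 3 done wrong: the form value is pasted into the SQL text.

    With username = "' OR 1=1--" the statement the database receives is
        SELECT acct FROM accounts WHERE username='' OR 1=1--'
    The tautology matches every row and "--" comments out the dangling quote.
    """
    sql = f"SELECT acct FROM accounts WHERE username='{username}'"
    rows = conn.execute(sql).fetchall()             # step 4: database runs it
    return [decrypt(row[0]) for row in rows]         # step 5: app decrypts as normal


def safe_lookup(conn: sqlite3.Connection, username: str) -> list:
    """Same query with a bound parameter: the form value is data, never SQL."""
    rows = conn.execute(
        "SELECT acct FROM accounts WHERE username=?", (username,)
    ).fetchall()
    return [decrypt(row[0]) for row in rows]


INJECTION = "' OR 1=1--"   # what the attacker types into the form (step 2)


def demo() -> dict:
    """Run both lookups with the attack string; returns the rows each leaks."""
    conn = build_db()
    return {
        "vulnerable": vulnerable_lookup(conn, INJECTION),
        "safe": safe_lookup(conn, INJECTION),
        "safe_normal_user": safe_lookup(conn, "alice"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable path returns all four decrypted account numbers; the parameterized path returns nothing for the attack string and exactly one row for a real user. Parameter binding is the fix, not input filtering: the driver sends the value separately from the statement, so no quoting trick can turn it into SQL.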
The impact of vulnerabilities can be huge

Web App Vulnerabilities:
Injection
Broken authentication
XSS
Sensitive data exposure
Cross site request forgery
Insecure direct object references
Security misconfiguration
Missing function level access control
Unvalidated redirects

Technical Impacts:
Site defacement
Access to databases & internal networks
Loss of sensitive data
Google search blacklisting
Malware
User accounts hijacked
Web server availability

Business Impacts:
Damage to brand reputation
Loss of customer trust
Revenue loss
Fail PCI compliance
Top Three ways to improve Web App Security
1. Expand Detection
2. Strengthen Defenses
3. Centralize Visibility
1. Expand Detection

Operating System (known vulnerabilities)
Web Server (known vulnerabilities)
Web Apps (technical flaws, logical flaws)

Different vulnerabilities need different approaches

Technical Flaws:
• Automated tools crawl websites, imitating user interaction to find errors in code, malware or links to inappropriate sites
• Find common coding errors like SQL injection, cross site scripting, ineffective security controls

Logical Flaws:
• Looking at the site in context to find potential weaknesses
• Manual testing uncovers flaws that are difficult or impossible to find with automated tools
Demo
2. Strengthen Defenses

Traditional web app protection: Web Application Firewall (WAF) and Intrusion Prevention
• Detects & blocks malicious activity at the platform (web server and OS)
• Virtual patching from some offerings can shield discovered platform vulnerabilities without requiring code updates, patches, or configuration fixes
• Analyzes traffic, including SSL-encrypted communication
• Rules govern application behavior and block attacks without requiring app modification
• Can help with PCI-DSS compliance
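What "rules govern application behavior and block attacks" looks like at its simplest, as an added example that is not Trend Micro's, AWS's or any product's rule engine. The three signatures, the request representation (a dict with `method`, `url` and optional form `body`) and the sample requests are all constructed for this illustration. The one detail worth taking away is the normalisation step: a rule that matches raw wire bytes is bypassed by percent-encoding, and one that decodes only once is bypassed by double encoding, so the filter decodes the way the application will before it matches.

```python
"""Rule-based request screening in the style of a WAF (added example)."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed signatures. Each is deliberately narrow so that ordinary input
# such as an apostrophe in a surname does not trip it.
RULES = [
    ("sqli-tautology", re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.IGNORECASE)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.IGNORECASE)),
    ("path-traversal", re.compile(r"\.\.[/\\]")),
]


def normalise(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly until the value stops changing.

    Matching raw bytes misses %3Cscript%3E; decoding once misses
    %253Cscript%253E (double encoding). Bounded rounds avoid looping on
    pathological input.
    """
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parameters(request: dict) -> list:
    """All (name, value) pairs the client controls: query string and form body."""
    pairs = []
    query = urlsplit(request["url"]).query
    for source in (query, request.get("body", "")):
        for name, values in parse_qs(source, keep_blank_values=True).items():
            for value in values:
                pairs.append((name, value))
    return pairs


def inspect_request(request: dict) -> list:
    """Return [(rule_name, parameter_name)] for every signature that fires."""
    findings = []
    for name, raw in parameters(request):
        value = normalise(raw)
        for rule_name, pattern in RULES:
            if pattern.search(value):
                findings.append((rule_name, name))
    return findings


def is_blocked(request: dict) -> bool:
    return bool(inspect_request(request))


# Constructed sample traffic against hypothetical login/search/file endpoints.
SAMPLE_REQUESTS = {
    "benign-login":   {"method": "POST", "url": "/login", "body": "user=alice&pass=s3cret"},
    "benign-quote":   {"method": "GET",  "url": "/search?q=O%27Reilly"},
    "sqli-login":     {"method": "POST", "url": "/login", "body": "user=%27+OR+1%3D1--&pass=x"},
    "xss-double-enc": {"method": "GET",  "url": "/search?q=%253Cscript%253Ealert(1)%253C%252Fscript%253E"},
    "traversal":      {"method": "GET",  "url": "/files?name=..%2F..%2Fetc%2Fpasswd"},
}


def screen_all() -> dict:
    """Map each sample request name to the findings the rules produce."""
    return {name: inspect_request(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, findings in screen_all().items():
        verdict = "BLOCK" if findings else "allow"
        print(f"{name:15s} {verdict:5s} {findings}")
```

Two of the five sample requests are benign and pass, including the one carrying an apostrophe; the other three are caught, the XSS one only because normalisation decodes it twice. A filter like this shields an application it cannot change, which is the appeal on the slide, but it only ever sees the attacks its rules describe, so it complements the parameterized queries and output encoding in the code rather than replacing them.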
3. Continuous Visibility

Web App security that fits the cloud
Hosting on AWS provides agility & scalability
BUT... AWS requires pre-approval before scanning
UNLESS you use an AWS pre-authorized scanner like Trend Micro

[Diagram: Elastic Load Balancing in front of an Auto Scaling group for www.example.com; each EC2 instance (web app server) sits in a security group with a root volume and a data volume]
Demo
Continuous Visibility
• Need actionable insights
• Reduce number of solutions: app scanning, manual testing, platform scanning, SSL
• Understand countermeasures available in overall security architecture

"Single dashboard takes lots of info and boils it down to make it easy to consume and share"
Trend Micro Delivers Unparalleled Web App Security
1. Comprehensive Detection: Automated scanning of applications and platforms, plus app logic testing by security experts
2. AWS Pre-authorized Scanner: No manual scan approvals required; Trend Micro is pre-authorized to scan web apps hosted on AWS
3. Integrated Management: Cloud-based, centralized single console for scanning, SSL certificates and protection
Get Started!
• Schedule a personal product demo
• Get a free trial: scanning of up to 3 web apps in AWS, including full vulnerability report and SSL certificates
Request your trial at webappsecurity.trendmicro.com
Q&A