IBM Omri Weisman
Static and Dynamic Technologies for Securing Web Applications
Omri Weisman, Manager, Static Analysis Group, IBM Rational Software, [email protected]
Dec 14, 2010
IBM IL
Web Applications are the greatest risk to organizations
Web application vulnerabilities represented the largest category in vulnerability disclosures
In 2009, 49% of all vulnerabilities were Web application vulnerabilities
SQL injection and Cross-Site Scripting are neck and neck in a race for the top spot
IBM Internet Security Systems 2009 X-Force® Year End Trend & Risk Report
What is the Root Cause?
1. Developers not trained in security: most computer science curricula have no security courses; the focus is on developing features; security vulnerability = BUG
2. Under-investment from security teams: lack of tools, policies, process; lack of resources
3. Growth in complex, mission-critical online applications: online banking, commerce, Web 2.0, etc.
Result: Application security incidents are on the rise
Security Testing Within the Software Lifecycle
Chart: % of Issues Found by Stage of SDLC (Coding, Build, QA, Security, Production)
Most issues are found by security auditors prior to going live.
Security Testing Within the Software Lifecycle
Chart: % of Issues Found by Stage of SDLC (Coding, Build, QA, Security, Production) – Desired Profile
IBM Rational AppScan Suite – Comprehensive Application Vulnerability Management
Lifecycle stages: Requirements, Code, Build, QA, Security, Pre-Prod, Production
Products: AppScan Source, AppScan Tester, AppScan Standard, AppScan Build, AppScan Enterprise, AppScan Reporting Console, AppScan onDemand
- Security requirements definition: security requirements defined before design & implementation
- Build security testing into the IDE
- Automate security / compliance testing in the build process
- Security / compliance testing incorporated into testing & remediation workflows
- Security & compliance: testing, oversight, control, policy, audits
- Outsourced testing for security audits & production site monitoring
Application Security Best Practices – Secure Engineering Framework
- Black Box: "Hacker in a box"; requires a running site; crawl, test, validate (AppScan Standard Ed.)
- White Box: "Automated code review"; requires source code / bytecode; source-to-sink analysis (AppScan Source Ed.)
White-Box: Source-to-Sink Analysis
Sources:
Sinks:
Sanitizers:
Undecidable problem
Many injection problems:
- SQL Injection
- XSS
- Log Forging
- Path Traversal
- Code Execution
- …
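To make the source-to-sink idea concrete, here is an added toy taint analysis (not AppScan code; the source, sink and sanitizer names and the straight-line program are constructed for illustration). It shows why a sanitizer only discharges the vulnerability classes it was written for: HTML-escaping a value does nothing for the SQL query built from it. A real analyzer must approximate all paths through real code, which is the undecidable problem the slide refers to; this one handles only a single straight-line sequence.

```python
# Constructed source/sink/sanitizer tables (hypothetical names, not AppScan's).
SOURCES = {"request.getParameter", "request.getHeader"}
SINKS = {"stmt.executeQuery": "SQL Injection",
         "out.println": "XSS",
         "log.info": "Log Forging"}
# Each sanitizer neutralizes specific vulnerability classes only.
SANITIZERS = {"escapeHtml": {"XSS"},
              "quoteSql": {"SQL Injection"},
              "stripNewlines": {"Log Forging"}}


def analyze(stmts):
    """stmts: list of (target, callee, args) in program order; args are
    variable names. Taint is the set of vulnerability classes a value can
    still trigger; a sanitizer removes only its own classes from that set.
    Returns (vulnerability, tainted variable, sink) findings."""
    taint = {}      # variable -> live vulnerability classes
    findings = []
    for target, callee, args in stmts:
        incoming = set().union(*(taint.get(a, set()) for a in args))
        if callee in SOURCES:
            taint[target] = set(SINKS.values())   # untrusted: every class live
        elif callee in SANITIZERS:
            taint[target] = incoming - SANITIZERS[callee]
        elif callee in SINKS:
            vuln = SINKS[callee]
            for a in args:
                if vuln in taint.get(a, set()):
                    findings.append((vuln, a, callee))
        else:
            taint[target] = incoming              # concat, assignment, etc.
    return findings


# Constructed program: one request parameter flows to three sinks.
PROGRAM = [
    ("name",  "request.getParameter", []),
    ("safe",  "escapeHtml", ["name"]),
    (None,    "out.println", ["safe"]),         # XSS sanitized: no finding
    ("query", "concat", ["safe"]),              # HTML escaping != SQL quoting
    (None,    "stmt.executeQuery", ["query"]),  # finding: SQL Injection
    (None,    "log.info", ["name"]),            # finding: Log Forging
]

if __name__ == "__main__":
    for vuln, var, sink in analyze(PROGRAM):
        print(f"{vuln}: tainted '{var}' reaches sink {sink}")
```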
Black-Box vs. White-Box – Paradigm
- Black Box: cleverly "guesses" behaviors that may demonstrate vulnerabilities
- White Box: examines an infinite number of behaviors in a finite approach (approximation)
Black-Box vs. White-Box – Perspective
- Black Box: works as an attacker; HTTP awareness only; works on "the big picture"
- White Box: resembles code auditing; inspects the small details; hard to "connect the dots"
(Diagram: SQL Injection Found)
Black-Box vs. White-Box – Prerequisite
- Black Box: any deployed application; mainly used during the testing stage
- White Box: application code; mainly used in the development stage
(Diagram: Bank.war)
Black-Box vs. White-Box – Compatibility
- Black Box: oblivious to languages and platforms; different communication protocols require attention
- White Box: different languages require support (some frameworks too); oblivious to communication protocols
Black-Box vs. White-Box – Scope
- Black Box: exercises the entire system: servers (application, HTTP, DB, etc.), external interfaces, network, firewalls
- White Box: identifies issues regardless of configuration
Black-Box vs. White-Box – Time/Accuracy Tradeoffs
- Black Box: crawling takes time; testing mutations takes (infinite) time
- White Box: a refined model consumes space, and time…; analyzing only "important" code and approximating the rest
Black-Box vs. White-Box – Accuracy Challenges
- Black Box challenge: cover all attack vectors
- White Box challenge: eliminate non-exploitable issues
Black Box or White Box?
Security Testing Technologies... Combination Drives Greater Solution Accuracy
- Static Analysis (White Box): automated code review
- Dynamic Analysis (Black Box): hacker in a box
(Diagram: Total Potential Security Issues, with Dynamic Analysis and Static Analysis each covering a part; combining them gives the best coverage)
Smarter security for a smarter planet