Static and Dynamic Technologies for Securing Web Applications
Omri Weisman, Manager, Static Analysis Group, IBM Rational Software, Israel ([email protected])
Dec 14, 2010

Transcript of the slides

Page 1: IBM עמרי וייסמן

Static and Dynamic Technologies for Securing Web Applications

Omri Weisman, Manager, Static Analysis Group, IBM Rational Software, Israel
[email protected]

Dec 14, 2010

Page 2

IBM IL

Page 3

Web Applications are the greatest risk to organizations

Web application vulnerabilities represented the largest category in vulnerability disclosures.

In 2009, 49% of all vulnerabilities disclosed were Web application vulnerabilities.

SQL injection and Cross-Site Scripting are neck and neck in a race for the top spot.

Source: IBM Internet Security Systems 2009 X-Force® Year End Trend & Risk Report

Page 4

What is the Root Cause?

1. Developers not trained in security
   • Most computer science curricula have no security courses
   • Focus is on developing features
   • Security vulnerability = BUG

2. Under-investment from security teams
   • Lack of tools, policies, process
   • Lack of resources

3. Growth in complex, mission-critical online applications
   • Online banking, commerce, Web 2.0, etc.

Result: Application security incidents are on the rise

Page 5

Security Testing Within the Software Lifecycle

[Chart: "% of Issues Found by Stage of SDLC"; x-axis stages: Coding, Build, QA, Security, Production]

Most issues are found by security auditors prior to going live.

Page 6

Security Testing Within the Software Lifecycle

[Chart: "% of Issues Found by Stage of SDLC"; x-axis stages: Coding, Build, QA, Security, Production; curve labelled "Desired Profile"]

The desired profile shifts discovery of issues toward the earliest stages (coding and build), where an issue is cheapest to fix, instead of the security audit just before going live.

Page 7

IBM Rational AppScan Suite – Comprehensive Application Vulnerability Management

Lifecycle stages: REQUIREMENTS, CODE, BUILD, QA, SECURITY, PRE-PROD, PRODUCTION

• Requirements: Security Requirements Definition. Security requirements defined before design & implementation.
• Code: AppScan Source. Build security testing into the IDE.
• Build: AppScan Build. Automate security / compliance testing in the build process.
• QA: AppScan Tester. Security / compliance testing incorporated into testing & remediation workflows.
• Security and Pre-Prod: AppScan Standard.
• Production: AppScan onDemand. Outsourced testing for security audits & production site monitoring.
• Across all stages: AppScan Enterprise and AppScan Reporting Console. Security & compliance testing, oversight, control, policy, audits.
• Underpinning all stages: Application Security Best Practices – Secure Engineering Framework.

Page 8

Black Box vs. White Box

Black Box: “Hacker in a box”
• Requires a running site
• Crawl, Test, Validate
• AppScan Standard Ed.

White Box: “Automated code review”
• Requires source code / bytecode
• Source-to-Sink Analysis
• AppScan Source Ed.

Page 9

White-Box: Source-to-Sink Analysis

Sources: where untrusted data enters the program (e.g. HTTP request parameters)

Sinks: security-sensitive operations that consume that data (e.g. executing a SQL statement)

Sanitizers: operations on the path between them that neutralize the data (e.g. validation, encoding, parameter binding)

Deciding precisely whether tainted data can reach a sink is an undecidable problem in general, so the analysis must approximate.

Many injection problems fit this model:
• SQL Injection
• XSS
• Log Forging
• Path Traversal
• Code Execution
• …
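The following is an added example, not code from the slides or from AppScan Source: a toy source-to-sink taint analysis over Python source using the standard `ast` module. It models the three ingredients named above (sources, sinks, sanitizers) and propagates taint through straight-line assignments. The `SOURCES`, `SINKS` and `SANITIZERS` tables, the call names in them, and the `SAMPLE` program are constructed for illustration. It also shows the Page 16 point about white-box accuracy: modelling the sanitizer (`int`, `shlex.quote`) and the parameterized `execute` call is what keeps the non-exploitable flows out of the report.

```python
"""Toy source-to-sink taint analysis over Python source, using the ast module.

Added example (not from the original slides): the SOURCES/SINKS/SANITIZERS
tables and the sample program are assumptions chosen for illustration, not a
real AppScan rule set. The analysis reads code; it never executes it.
"""
import ast

# Calls that introduce attacker-controlled data (assumed names).
SOURCES = {"request.args.get", "request.form.get", "input"}
# Calls whose arguments must never be tainted, tagged with the issue class.
SINKS = {"cursor.execute": "SQL Injection", "os.system": "Code Execution",
         "open": "Path Traversal", "log.info": "Log Forging"}
# Calls that neutralize taint for every sink (assumed names).
SANITIZERS = {"int", "quote_identifier", "shlex.quote"}

# Constructed sample program under analysis (line numbers start after the newline).
SAMPLE = """
uid = request.args.get("id")
safe_uid = int(uid)
cursor.execute("SELECT * FROM users WHERE id = " + uid)
cursor.execute("SELECT * FROM users WHERE id = %s", (safe_uid,))
path = "/tmp/" + request.args.get("file")
open(path)
os.system("ls " + shlex.quote(request.args.get("dir")))
"""

def call_name(node):
    """Dotted name of a Call's callee, e.g. 'cursor.execute', or None."""
    parts = []
    f = node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
        return ".".join(reversed(parts))
    return None

def is_tainted(node, tainted):
    """An expression is tainted if it is a source call, a tainted variable, or is
    built from tainted sub-expressions, unless wrapped in a sanitizer call."""
    if isinstance(node, ast.Call):
        name = call_name(node)
        if name in SOURCES:
            return True
        if name in SANITIZERS:
            return False
        return any(is_tainted(a, tainted) for a in node.args)
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.BinOp):
        return is_tainted(node.left, tainted) or is_tainted(node.right, tainted)
    if isinstance(node, ast.JoinedStr):  # f-strings
        return any(is_tainted(v.value, tainted) for v in node.values
                   if isinstance(v, ast.FormattedValue))
    if isinstance(node, (ast.Tuple, ast.List)):
        return any(is_tainted(e, tainted) for e in node.elts)
    return False

def analyze(source):
    """Walk straight-line code statement by statement, propagating taint through
    assignments and reporting every sink call that receives tainted data.
    Returns a list of (line number, issue class) pairs."""
    tainted = set()
    findings = []
    for stmt in ast.parse(source).body:
        if isinstance(stmt, ast.Assign):
            for target in stmt.targets:
                if isinstance(target, ast.Name):
                    if is_tainted(stmt.value, tainted):
                        tainted.add(target.id)
                    else:
                        tainted.discard(target.id)  # reassignment to clean data
        for call in ast.walk(stmt):
            if isinstance(call, ast.Call) and call_name(call) in SINKS:
                if any(is_tainted(a, tainted) for a in call.args):
                    findings.append((call.lineno, SINKS[call_name(call)]))
    return findings

if __name__ == "__main__":
    for line, issue in analyze(SAMPLE):
        print(f"line {line}: {issue}")
```

On `SAMPLE` the analysis reports the concatenated query on line 4 and the `open()` on line 7, and stays silent on the bound parameter on line 5 and the quoted shell argument on line 8. Real tools add inter-procedural flow, field sensitivity and sink-specific sanitizers (an HTML encoder does nothing for SQL), which is where the "approximation" on Page 9 and the false-positive pressure on Page 16 come from.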

Page 10

Black-Box vs. White-Box – Paradigm

Black Box: cleverly “guesses” behaviors that may demonstrate vulnerabilities.

White Box: examines an infinite number of behaviors in a finite approach (approximation).

Page 11

Black-Box vs. White-Box – Perspective

Black Box:
• Works as an attacker
• HTTP awareness only
• Works on “the big picture”

White Box:
• Resembles code auditing
• Inspects the small details
• Hard to “connect the dots”

[Figure: "SQL Injection Found", the same finding seen from both perspectives]

Page 12

Black-Box vs. White-Box – Prerequisite

Black Box:
• Any deployed application
• Mainly used during testing stage

White Box:
• Application code
• Mainly used in development stage

[Figure: Bank.war]

Page 13

Black-Box vs. White-Box – Compatibility

Black Box:
• Oblivious to languages, platforms
• Different communication protocols require attention

White Box:
• Different languages require support
• Some frameworks too
• Oblivious to communication protocols

Page 14

Black-Box vs. White-Box – Scope

Black Box: exercises the entire system
• Servers (Application, HTTP, DB, etc.)
• External interfaces
• Network, firewalls

White Box: identifies issues regardless of configuration

Page 15

Black-Box vs. White-Box – Time/Accuracy Tradeoffs

Black Box:
• Crawling takes time
• Testing mutations takes (potentially unbounded) time, since the space of inputs is infinite

White Box:
• A refined model consumes space, and time…
• Analyzing only “important” code, approximating the rest

Page 16

Black-Box vs. White-Box – Accuracy Challenges

Black Box challenge: cover all attack vectors (false negatives: a mutation that is never sent is a vulnerability that is never found).

White Box challenge: eliminate non-exploitable issues (false positives: a reported flow that is unreachable or already sanitized).

Page 17

Black Box or White Box?

Page 18

Security Testing Technologies... Combination Drives Greater Solution Accuracy

Static Analysis (White box): automated code review

Dynamic Analysis (Black box): hacker in a box

[Venn diagram: "Total Potential Security Issues", with overlapping "Dynamic Analysis" and "Static Analysis" regions; using both gives the best coverage]

Page 19

Smarter security for a smarter planet