IBM, Omri Weisman

Static and Dynamic Technologies for Securing Web Applications. Omri Weisman, Manager, Static Analysis Group, IBM Rational Software, Israel. [email protected]. Dec 14, 2010.

Transcript

Page 1: IBM, Omri Weisman

Static and Dynamic Technologies for Securing Web Applications

Omri Weisman, Manager, Static Analysis Group, IBM Rational Software, [email protected]

Dec 14, 2010

Page 2

IBM IL

Page 3

Web Applications are the greatest risk to organizations

Web application vulnerabilities represented the largest category in vulnerability disclosures

In 2009, 49% of all vulnerabilities were Web application vulnerabilities

SQL injection and Cross-Site Scripting are neck and neck in a race for the top spot

IBM Internet Security Systems 2009 X-Force® Year End Trend & Risk Report

Page 4

What is the Root Cause?

1. Developers not trained in security
- Most computer science curricula have no security courses
- Focus is on developing features
- Security vulnerability = BUG

2. Under investment from security teams
- Lack of tools, policies, process
- Lack of resources

3. Growth in complex, mission critical online applications
- Online banking, commerce, Web 2.0, etc.

Result: Application security incidents are on the rise

Page 5

Security Testing Within the Software Lifecycle

[Chart: % of Issues Found by Stage of SDLC; stages: Coding, Build, QA, Security, Production]

Most issues are found by security auditors prior to going live.

Page 6

Security Testing Within the Software Lifecycle

[Chart: % of Issues Found by Stage of SDLC; stages: Coding, Build, QA, Security, Production]

Desired Profile

Page 7

IBM Rational AppScan Suite – Comprehensive Application Vulnerability Management

Lifecycle stages: REQUIREMENTS, CODE, BUILD, QA, SECURITY, PRE-PROD, PRODUCTION

Products: Security Requirements Definition, AppScan Source, AppScan Build, AppScan Tester, AppScan Standard, AppScan Enterprise, AppScan Reporting Console, AppScan onDemand

- Security requirements defined before design & implementation
- Build security testing into the IDE
- Automate Security / Compliance testing in the Build Process
- Security / compliance testing incorporated into testing & remediation workflows
- Security & Compliance: Testing, oversight, control, policy, audits
- Outsourced testing for security audits & production site monitoring

Application Security Best Practices – Secure Engineering Framework

Page 8

Black Box
- “Hacker in a box”
- Requires running site
- Crawl, Test, Validate
- AppScan Standard Ed.

White Box
- “Automated code review”
- Requires source-code/bytecode
- Source-to-Sink Analysis
- AppScan Source Ed.

Page 9

White-Box: Source-to-Sink Analysis

Sources:
Sinks:
Sanitizers:

Undecidable problem

Many injection problems:
• SQL Injection
• XSS
• Log Forging
• Path Traversal
• Code Execution
• …
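As an added illustration of the source-to-sink idea on this slide (example code written here, not IBM's or AppScan's): a toy taint analysis over a tiny control-flow graph. Sources mark a value as untrusted, sanitizers strip the taint for the vulnerability kind they neutralize, and a sink reports a finding when a value still carrying the matching kind reaches it. The policy tables, the three-address instruction form and the sample request handler are constructed assumptions. It goes slightly beyond the slide by showing the approximation a path-insensitive analysis makes at a control-flow merge: a parameter escaped on only one branch is still reported at the SQL sink, which is the type of possibly non-exploitable finding the later slides refer to.

```python
"""Toy source-to-sink (taint) analysis over a small control-flow graph.

Added illustration, not AppScan code. The policy tables (which calls are
sources, sinks and sanitizers), the three-address instruction form and the
sample handler below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Taint = Set[str]                      # vulnerability kinds a value is still tainted for
ALL_KINDS: Taint = {"sql", "xss", "log"}

# Assumed policy: untrusted inputs, neutralizing functions, dangerous calls.
SOURCES = {"request.getParameter", "request.getHeader"}
SANITIZERS: Dict[str, Taint] = {"escapeSql": {"sql"}, "htmlEncode": {"xss"}}
SINKS: Dict[str, str] = {"stmt.executeQuery": "sql", "response.write": "xss", "logger.info": "log"}


@dataclass(frozen=True)
class Instr:
    """dst = fn(*args); an empty fn is a plain copy/concatenation of args."""
    dst: str
    fn: str
    args: Tuple[str, ...]


@dataclass(frozen=True)
class Block:
    name: str
    instrs: Tuple[Instr, ...]
    succs: Tuple[str, ...]


State = Dict[str, Taint]              # variable -> kinds it is tainted for


def transfer(state: State, instr: Instr, findings: List[str], where: str = "") -> State:
    """Apply one instruction to the abstract state; record sink hits in findings."""
    out = {v: set(t) for v, t in state.items()}
    # String literals never appear in the state, so they contribute no taint.
    arg_taint: Taint = set().union(*(out.get(a, set()) for a in instr.args))
    if instr.fn in SOURCES:
        out[instr.dst] = set(ALL_KINDS)             # untrusted for every kind
    elif instr.fn in SANITIZERS:
        out[instr.dst] = arg_taint - SANITIZERS[instr.fn]
    elif instr.fn in SINKS:
        if SINKS[instr.fn] in arg_taint:
            findings.append(f"{where}: {SINKS[instr.fn]} reaches {instr.fn}({', '.join(instr.args)})")
    elif instr.dst:
        out[instr.dst] = arg_taint                  # copy/concat/unknown call: propagate
    return out


def join(states: List[State]) -> State:
    """Path-insensitive merge: tainted if tainted on any predecessor (the approximation)."""
    merged: State = {}
    for s in states:
        for v, t in s.items():
            merged.setdefault(v, set()).update(t)
    return merged


def analyze(blocks: List[Block]) -> List[str]:
    """Forward taint propagation to a fixed point, then one reporting pass."""
    preds: Dict[str, List[str]] = {b.name: [] for b in blocks}
    for b in blocks:
        for s in b.succs:
            preds[s].append(b.name)
    out_states: Dict[str, State] = {b.name: {} for b in blocks}
    changed = True
    while changed:                                  # terminates: transfer is monotone
        changed = False
        for b in blocks:
            state = join([out_states[p] for p in preds[b.name]])
            for ins in b.instrs:
                state = transfer(state, ins, [])
            if state != out_states[b.name]:
                out_states[b.name], changed = state, True
    findings: List[str] = []
    for b in blocks:
        state = join([out_states[p] for p in preds[b.name]])
        for i, ins in enumerate(b.instrs):
            state = transfer(state, ins, findings, where=f"{b.name}[{i}]")
    return sorted(findings)


def handler_cfg(sanitize_both_branches: bool) -> List[Block]:
    """Constructed sample: a request parameter flows to SQL, HTML and log sinks.
    One branch escapes it for SQL; the other branch only when the flag is set."""
    other = Instr("q", "escapeSql" if sanitize_both_branches else "", ("name",))
    return [
        Block("entry", (Instr("name", "request.getParameter", ('"name"',)),), ("safe", "other")),
        Block("safe", (Instr("q", "escapeSql", ("name",)),), ("merge",)),
        Block("other", (other,), ("merge",)),
        Block("merge", (
            Instr("sql", "", ('"SELECT * FROM users WHERE name=\'"', "q", '"\'"')),
            Instr("", "stmt.executeQuery", ("sql",)),
            Instr("html", "htmlEncode", ("name",)),
            Instr("", "response.write", ("html",)),
            Instr("", "logger.info", ("name",)),
        ), ()),
    ]


if __name__ == "__main__":
    for flag in (False, True):
        print(f"sanitize_both_branches={flag}:")
        for f in analyze(handler_cfg(flag)):
            print("  " + f)
```

With the flag off, the SQL sink and the log sink are both reported: `q` is clean on the `safe` path but tainted on the `other` path, and the merge keeps the union. With the flag on, only the log forging finding remains, because no sanitizer for the log kind is ever applied to `name`. The HTML sink is never reported, since `htmlEncode` removes the `xss` kind before `response.write`.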

Page 10

Black-Box vs. White-Box – Paradigm

Black Box
- Cleverly “guesses” behaviors that may demonstrate vulnerabilities

White Box
- Examines infinite number of behaviors in a finite approach (approximation)

Page 11

Black-Box vs. White-Box – Perspective

Black Box
- Works as an attacker
- HTTP awareness only
- Works on “the big picture”

White Box
- Resembles code auditing
- Inspects the small details
- Hard to “connect the dots”

SQL Injection Found

Page 12

Black-Box vs. White-Box – Prerequisite

Black Box
- Any deployed application
- Mainly used during testing stage

White Box
- Application code
- Mainly used in development stage

Page 13

Black-Box vs. White-Box – Compatibility

Black Box
- Oblivious to languages, platforms
- Different communication protocols require attention

White Box
- Different languages require support
- Some frameworks too
- Oblivious to communication protocols

Page 14

Black-Box vs. White-Box – Scope

Black Box
- Exercises the entire system
- Servers (Application, HTTP, DB, etc.)
- External interfaces
- Network, firewalls

White Box
- Identifies issues regardless of configuration

Page 15

Black-Box vs. White-Box – Time/Accuracy Tradeoffs

Black Box
- Crawling takes time
- Testing mutations takes (infinite) time

White Box
- Refined model consumes space
- And time…
- Analyzing only “important” code
- Approximating the rest

>> Summary

Page 16

Black-Box vs. White-Box – Accuracy Challenges

Black Box
- Challenge: Cover all attack vectors

White Box
- Challenge: Eliminate non-exploitable issues

Page 17

Black Box OR White Box?

Page 18

Security Testing Technologies... Combination Drives Greater Solution Accuracy

Static Analysis (Whitebox): Automated Code Review

Dynamic Analysis (Blackbox): Hacker in a box

[Diagram: Total Potential Security Issues; Dynamic Analysis and Static Analysis as overlapping sets; Best Coverage]

Page 19

Smarter security for a smarter planet