IBM Technical Summit 2013

Erik Oliveira, Senior Security Consultant, IBM Security System
erikso@br.ibm.com

© 2013 IBM Corporation


Please note the following

IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.

Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.

The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.


Interconnected world

EVERYTHING IS EVERYWHERE: organizations keep moving to new platforms, including cloud computing, virtualization, mobile devices, social business and much more.

CONSUMERIZATION OF IT: with the advent of Enterprise 2.0 and social business, the line between personal and professional time, devices and data has disappeared.

DATA EXPLOSION: the era of "Big Data", the explosion of digital information, has arrived, enabled by the spread of applications accessed from everywhere.

ATTACK SOPHISTICATION: the speed and agility of attacks have increased, together with new actors and new motivations, from cybercrime and terrorism to state-sponsored intrusions.


Your device is


Mobile Malware 2013

Source: Juniper Networks Third Annual Mobile Threats Report: March 2012 through March 2013


Vulnerability distribution by language


Global context

Chart: a sampling of security incidents plotted by attack type and month, February through August; the size of each circle estimates the relative impact of the breach.

Attack types (legend): SQL injection; URL manipulation; spear phishing; third-party software; DDoS; Secure ID; unknown.

Months: Feb, Mar, Apr, May, Jun, Jul, Aug.

Organizations shown: Sony; Epsilon; L3 Communications; Sony BMG; Greece; US Senate; NATO; Arizona Police; Turkish Government; SK Communications; Korea; Monsanto; RSA; HBGary; Nintendo; Brazilian Government; Lockheed Martin; Vanguard Defense; Booz Allen Hamilton; PBS (shown twice); SOCA; Malaysian government site; Peruvian police; Gmail accounts; Spanish national police; Citigroup; Sega; Fox News X-Factor; Italian prime minister's site; IMF; Northrop Grumman; Bethesda Software.


Cost of a breach

Chart: relative cost of fixing a security defect by stage, Development 1x, Test 10x, Production 1,000,000x, with the production figure labelled as damage to the company. The functional flow and the security flow are drawn across the same three stages.

Costs: customer notification, fines, litigation, reputation exposure, brand exposure, cost of repair.


Detecting SQL Injection

    // ...
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    // ...
    String query = "SELECT * from tUsers where " +
                   "userid='" + username + "' " + "AND password='" + password + "'";
    // ...
    ResultSet rs = stmt.executeQuery(query);

The user can change the SQL commands that get executed.

Sink: a potentially dangerous method.

Source: a method returning an untrusted string.


Detecting SQL Injection (continued)

The same snippet, annotated with the flow the analysis follows from source to sink:

    Source:              String username = request.getParameter("username");
    Taint propagates:    String query = "SELECT * from tUsers where " +
                                        "userid='" + username + "' " + "AND password='" + password + "'";
    Sink:                ResultSet rs = stmt.executeQuery(query);


Detecting SQL Injection

    String username = request.getParameter("username");
    String query = "SELECT …" + username

Example values an attacker can supply for username:

    anything' OR 'x'='x
    x' AND userid IS NULL; --
    x' AND 1=(SELECT COUNT(*) FROM tabname); --
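To make the three payloads concrete, here is an added example (Python with the standard sqlite3 module, not code from the deck) that assembles the slide's login query by concatenation exactly as the Java snippet does, runs each payload against a constructed in-memory tUsers table, and shows the parameterized query that removes the injection. The table contents, the dummy password and the probe helper are assumptions made for this example.

```python
"""Added example (not from the deck): the slide's login query built by string
concatenation, exercised with the slide's payloads against an in-memory SQLite
database, next to the parameterized version that closes the hole.
The table name, columns and sample rows are constructed for this example."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tUsers (userid TEXT, password TEXT)")
    conn.executemany("INSERT INTO tUsers VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def build_query(username, password):
    # Same construction as the Java snippet: the SQL text is assembled from
    # attacker-controlled strings, so a quote in them changes the statement.
    return ("SELECT * from tUsers where "
            "userid='" + username + "' " + "AND password='" + password + "'")


def login_vulnerable(conn, username, password):
    return conn.execute(build_query(username, password)).fetchall()


def login_safe(conn, username, password):
    # Parameterized query: values travel separately from the SQL text, so the
    # payloads are compared as literal strings and never parsed as SQL.
    return conn.execute(
        "SELECT * FROM tUsers WHERE userid=? AND password=?",
        (username, password)).fetchall()


def probe(conn, username_payload):
    """Send a username-field payload with a dummy password and report whether
    the back end accepted the altered statement (True) or raised an error
    (False). This is what the "x' AND ..." payloads are for: the first one
    confirms the injection point, and the COUNT(*) variant tests whether a
    guessed table name exists by provoking (or not) a database error."""
    try:
        conn.execute(build_query(username_payload, "dummy")).fetchall()
        return True
    except sqlite3.Error:
        return False


if __name__ == "__main__":
    db = make_db()
    # The tautology only bypasses the check when it lands in the last
    # condition, because AND binds tighter than OR.
    print(login_vulnerable(db, "anything' OR 'x'='x", "wrong"))     # []
    print(login_vulnerable(db, "alice", "anything' OR 'x'='x"))     # both rows
    print(probe(db, "x' AND userid IS NULL; --"))                   # True
    print(probe(db, "x' AND 1=(SELECT COUNT(*) FROM tUsers); --"))  # True
    print(probe(db, "x' AND 1=(SELECT COUNT(*) FROM tabname); --")) # False
    print(login_safe(db, "alice", "anything' OR 'x'='x"))           # []
```

The tautology payload is worth running in both fields: placed in username it is swallowed by the AND that follows it, because AND binds tighter than OR; placed in password, as the last condition, it returns every row. The `; --` payloads are probes rather than bypasses: a statement that executes without error confirms that the quote closed the literal, and the COUNT(*) variant turns a database error into an oracle for whether a guessed table name exists.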


Data flow

Diagram: the analysis follows the input through four steps across the two methods below.

1. Input: request->get_form_field() in METHOD read, stored in the variable s_html.
2. Passed on to another method and variable: s_data in METHOD process.
3. Modified and copied to another variable: s_out.
4. Passed on to a dangerous function: out->print_string() (Output).

    METHOD read.
      DATA: request TYPE REF TO if_http_request.
      DATA: s_html TYPE string.
      DATA: event TYPE string.
      s_html = request->get_form_field( 'mydata' ).
      CALL METHOD me->process EXPORTING s_data = s_html.
      RETURN.
    ENDMETHOD.

    METHOD process.
      DATA: s_out TYPE string.
      DATA: out TYPE REF TO if_bsp_writer.
      CONCATENATE `<b>` s_data `</b>` INTO s_out.
      out = me->get_previous_out( ).
      out->print_string( s_out ).
    ENDMETHOD.
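The four steps above are what a data-flow analysis has to reproduce: recognize the source, follow the value through assignments and across the method call, and raise a finding when it reaches the sink. The following added example (not code from the deck or from AppScan) does that for a Python rendition of the two ABAP methods using the standard ast module. The source, sink and sanitizer names, the `escape` call in the fixed variant, and the sample program itself are assumptions constructed for this example.

```python
"""Added example (not from the deck): a toy interprocedural taint tracker that
follows the chain the slide draws, input -> variable -> method parameter ->
modified copy -> dangerous function, over a Python rendition of the ABAP
read/process methods. Source, sink and sanitizer names are assumptions chosen
to match the slide, and the sample program is constructed for this example."""
import ast

SOURCES = {"get_form_field"}   # calls that return untrusted input
SINKS = {"print_string"}       # calls that must not receive tainted data
SANITIZERS = {"escape"}        # validation/encoding routines that clear taint

# Constructed sample: the slide's two methods, plus a fixed variant of process
# that encodes the input before building HTML from it.
SAMPLE = '''
def process(self, s_data):
    s_out = "<b>" + s_data + "</b>"
    out = self.get_previous_out()
    out.print_string(s_out)

def process_fixed(self, s_data):
    s_out = "<b>" + escape(s_data) + "</b>"
    out = self.get_previous_out()
    out.print_string(s_out)

def read(self, request):
    s_html = request.get_form_field("mydata")
    event = "submit"
    self.process(s_data=s_html)
    self.process_fixed(s_html)
'''


def _callee_name(call):
    """Name of the called function or method, e.g. 'print_string' for out.print_string(...)."""
    if isinstance(call.func, ast.Attribute):
        return call.func.attr
    if isinstance(call.func, ast.Name):
        return call.func.id
    return None


def _is_tainted(node, tainted):
    """Expression taint: a tainted variable or a source call anywhere in the
    expression taints the whole expression, unless it passes through a sanitizer."""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Call):
        name = _callee_name(node)
        if name in SOURCES:
            return True
        if name in SANITIZERS:
            return False
    return any(_is_tainted(child, tainted) for child in ast.iter_child_nodes(node))


def analyze(source_code, max_depth=8):
    """Return one trace (a list of human-readable steps) per source-to-sink path."""
    tree = ast.parse(source_code)
    funcs = {f.name: f for f in tree.body if isinstance(f, ast.FunctionDef)}
    findings = []

    def run(func, tainted, trace, depth):
        if depth > max_depth:            # bound recursion through call cycles
            return
        for stmt in func.body:
            # "Stored in variable" / "modified and copied to another variable":
            # an assignment whose right-hand side is tainted taints its target.
            if isinstance(stmt, ast.Assign) and _is_tainted(stmt.value, tainted):
                for target in stmt.targets:
                    if isinstance(target, ast.Name):
                        tainted.add(target.id)
                trace = trace + [f"{func.name}: {ast.unparse(stmt)}"]
            for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
                name = _callee_name(call)
                args = list(call.args) + [kw.value for kw in call.keywords]
                # "Passed on to dangerous function": tainted data reaches a sink.
                if name in SINKS and any(_is_tainted(a, tainted) for a in args):
                    findings.append(trace + [f"{func.name}: SINK {ast.unparse(call)}"])
                # "Passed on to another method and variable": map tainted
                # arguments onto the callee's parameters and continue there.
                elif name in funcs:
                    callee = funcs[name]
                    params = [p.arg for p in callee.args.args if p.arg != "self"]
                    passed = set()
                    for i, a in enumerate(call.args):
                        if i < len(params) and _is_tainted(a, tainted):
                            passed.add(params[i])
                    for kw in call.keywords:
                        if kw.arg in params and _is_tainted(kw.value, tainted):
                            passed.add(kw.arg)
                    if passed:
                        step = f"{func.name} -> {name}({', '.join(sorted(passed))})"
                        run(callee, set(passed), trace + [step], depth + 1)

    for func in funcs.values():          # every function is a potential entry point
        run(func, set(), [], 0)
    return findings


if __name__ == "__main__":
    for path in analyze(SAMPLE):
        print(" -> ".join(path))
```

Running it reports one path, from `read` through `process` to `out.print_string`, and none for `process_fixed`, because `escape` is modelled as a sanitizer that clears taint. Modelling validation routines this way is where the precision of a real tool is decided: an unrecognized sanitizer produces a false positive, and a trusted but ineffective one produces a miss.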


How AppScan works

Automated application security testing: scan the applications; analysis (identify risks); report (detailed and assertive); fix.


Lifecycle

Diagram: the stages CODING, BUILD, QA and SECURITY AND PRODUCTION, with IBM AppScan Enterprise Server providing threat management across all of them. Components placed along the stages: IDE integration (Eclipse, Visual Studio, RAD) and AppScan Source users; Build Management with AppScan Source for Automation and AppScan Standard (via CLI); AppScan Standard (desktop) and AppScan Enterprise user (web client); AppScan Enterprise user and AppScan Standard (scanning agent).


AppScan

IDE Plug-Ins

• Investigation flow

• Remediation guidance

• Scan

• Fix confirmation

Corporate reporting

• Progress tracking

• Compare applications

• Custom dashboards

• Risk management

Automation

• Build integration

• Automated scans

• ANT, Make, Maven

• Data access APIs

Security

• Software configuration

• Scan

• Results triage

• Manage security policies

AppScan Enterprise Server

• Knowledge base

• Assessment database

• Custom rules


AppScan

Templates

Wizards

Import Eclipse workspaces and .NET solutions

Vulnerability matrix

Isolation of confirmed vulnerabilities

Optimized issue triage

Helps where security expertise is lacking

Powerful filters

Ease of use

Focus on a small number of priority risks

Predefined filters

Confirmed vulnerabilities


AppScan

Fast analysis

– Memory and cache management

– Re-scan optimization

– 100+ patents

Data flow / call flow

– Support for long traces

– Makes it easy to tell whether code is malicious or not

Things the analysis does not understand are set aside, but nothing is ignored:

– "Lost Sinks" report

String Analysis

– Automatically identifies validation routines

– IBM Research technology

– Checks the effectiveness of the validation logic


AppScan

Supported languages

Out of the box: Java, JSP, C, C++, .NET (C#, VB.NET, ASP.NET), Classic ASP (VB6), PHP, HTML, Perl, ColdFusion, client-side JavaScript, server-side JavaScript, VBScript, COBOL, PL/SQL, T-SQL, SAP ABAP, Android and iOS.

Extensible: regular-expression analysis; define custom rules; use the power of regular expressions; associate rules with most of the languages.


Acknowledgements and disclaimers

© Copyright IBM Corporation 2013. All rights reserved.

– U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM, the IBM logo, ibm.com, Rational, the Rational logo, Telelogic, the Telelogic logo, Green Hat, the Green Hat logo, and other IBM products and services are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml

Other company, product, or service names may be trademarks or service marks of others.

Availability: References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates.

The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.

All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.


© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, Rational, the Rational logo, Telelogic, the Telelogic logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.