The State of Application Security: What Hackers Break
Amichai Shulman, CTO, Imperva
Agenda
The current state of Web vulnerabilities
Studying hackers
+ Why? Prioritizing defenses
+ How? Methodology
Analyzing real-life attack traffic
+ Key findings
+ Take-aways
Technical recommendations
Imperva Overview
Imperva’s mission is simple: Protect the data that drives business
The leader in a new category: Data Security
HQ in Redwood Shores CA; Global Presence
+ Installed in 50+ Countries
1,200+ direct customers; 25,000+ cloud users
+ 3 of the top 5 US banks
+ 3 of the top 10 financial services firms
+ 3 of the top 5 Telecoms
+ 2 of the top 5 food & drug stores
+ 3 of the top 5 specialty retailers
+ Hundreds of small and medium businesses
Today’s Presenter
Amichai Shulman – CTO Imperva
Speaker at industry events
+ RSA, Sybase Techwave, Info Security UK, Black Hat
Lecturer on Info Security
+ Technion - Israel Institute of Technology
Former security consultant to banks and financial services firms
Leads the Application Defense Center (ADC)
+ Discovered over 20 commercial application vulnerabilities
– Credited by Oracle, MS-SQL, IBM and others
Amichai Shulman is one of InfoWorld’s “Top 25 CTOs”
WhiteHat Security Top Ten—2010
Percentage likelihood of a website having at least one vulnerability sorted by class
The Situation Today
Chart: number of websites (estimated, July 2011): 357,292,065; number of vulnerabilities: 230x; 1%; 821,771,600 vulnerabilities in active circulation.
But which will be exploited?
Studying Hackers
Focus on actual threats
+ Focus on what hackers want, helping good guys prioritize
+ Technical insight into hacker activity
+ Business trends of hacker activity
+ Future directions of hacker activity
Eliminate uncertainties
+ Active attack sources
+ Explicit attack vectors
+ Spam content
Devise new defenses based on real data
+ Reduce guess work
Understanding the Threat Landscape: Methodology
Analyze hacker tools and activity
Tap into hacker forums
Record and monitor hacker activity
+ Categorized attacks across 30 applications
+ Monitored TOR traffic
+ Recorded over 10M suspicious requests
+ 6 months: December 2010-May 2011
Lesson #1: Automation is Prevailing
Attacks are automated
+ Botnets
+ Mass SQL Injection attacks
+ Google dorks
Tools and kits exist for everything
On average: 27 attacks per hour ≈ 1 attack per 2 minutes
Apps under automated attack: 25,000 attacks per hour ≈ 7 per second
Take-away: Get ready to fight automation
Lesson #2: The “Unfab” Four
Lesson #2A: The “Unfab” Four: SQL Injection
Lesson #2B: The “Unfab” Four: Remote File Inclusion
Analyzing the parameters and source of an RFI attack enhances common signature-based attack detection.
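One way to act on that point, as an added example that is not Imperva's code: instead of matching only on a signature such as `http://` in a request, inspect which parameter carries a URL, where that URL points, and how often the same source sends such requests. The host names, IP addresses and log lines are constructed for the demo.

```python
# Added example, not from the deck: go beyond a signature match on "http://" by
# checking WHICH parameters carry a URL, WHERE it points and WHO keeps sending
# them. Host names, addresses and log lines below are constructed for the demo.
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

OWN_HOSTS = {"shop.example"}            # hosts the app legitimately links to (assumed)
REMOTE_SCHEMES = {"http", "https", "ftp"}

# Constructed access-log excerpt: "<client-ip> <method> <path?query>"
SAMPLE_LOG = """\
203.0.113.7 GET /index.php?page=http://198.51.100.9/remote.txt?
203.0.113.7 GET /index.php?page=https://198.51.100.9/remote.txt
198.51.100.20 GET /index.php?page=about
192.0.2.44 GET /view.php?template=ftp://198.51.100.9/x.php
192.0.2.44 GET /view.php?template=http%3A%2F%2F198.51.100.9%2Fx.php
203.0.113.7 GET /index.php?page=http://shop.example/terms
"""

def remote_params(path_and_query):
    """Return (name, value) for every query parameter whose value is an absolute
    URL to a host we do not own; parse_qsl undoes percent-encoding for us."""
    hits = []
    for name, value in parse_qsl(urlsplit(path_and_query).query, keep_blank_values=True):
        parts = urlsplit(value.strip())
        host = (parts.hostname or "").lower()
        if parts.scheme.lower() in REMOTE_SCHEMES and host and host not in OWN_HOSTS:
            hits.append((name, value))
    return hits

def analyze(log_text):
    """Walk the log: list each suspected inclusion and count them per source IP,
    so a source that keeps probing stands out even when individual values vary."""
    findings, per_source = [], Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, _method, target = line.split(" ", 2)
        for name, url in remote_params(target):
            findings.append((ip, name, url))
            per_source[ip] += 1
    return findings, per_source

if __name__ == "__main__":
    found, sources = analyze(SAMPLE_LOG)
    for ip, name, url in found:
        print(f"{ip} param={name} -> {url}")
    print("repeat sources:", sources.most_common())
```

The per-source counter is the hook for the reputation-based sorting the deck recommends later: a source whose count keeps climbing is worth blocking even before its next payload matches a signature.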
Lesson #2C: The “Unfab” Four: Directory Traversal
Lesson #2D: The “Unfab” Four: Cross Site Scripting
Lesson #2D: The “Unfab” Four: Cross Site Scripting – Zooming into Search Engine Poisoning
http://HighRankingWebSite+PopularKeywords+XSS
New Search Engine Indexing Cycle
Lesson #2: The “Unfab” Four
Take-away: Protect against these common attacks
These may seem like obvious, common attacks, but RFI and directory traversal (DT) do not even appear in OWASP’s Top 10 list.
Directory Traversal Missing from OWASP Top 10?
OWASP Rationale:
Directory traversal is covered in the OWASP Top Ten 2010 through the more general case, A4, Insecure Direct Object Reference.
“Insecure Direct Object Reference” is different than “Directory Traversal” because in the latter access is made to a resource that, to begin with, should not have been available through the application.
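The distinction the slide draws maps onto two different defensive checks. As an added example (not from the deck), the first function applies path containment, which stops a request from reaching a file outside the directory the application serves; the second applies an ownership check, which is what an insecure direct object reference actually needs, because the object it names is one the application does serve, just not to this user. The root directory, users and document table are constructed.

```python
# Added example, not from the deck: the two cases the slide distinguishes need two
# different checks. A traversal request climbs out of the directory the app serves
# from, so the defence is path containment; an insecure direct object reference names
# an object the app does serve, just not to this user, so the defence is an ownership
# check. Root directory, users and documents below are constructed.
import posixpath
from urllib.parse import unquote

PUBLIC_ROOT = "/srv/app/public"            # assumed static-file root

def resolve_public_path(requested):
    """Map a user-supplied relative path to a file under PUBLIC_ROOT.
    Returns ("ok", abs_path) or ("traversal", None). Pure string logic, so it
    runs without the files existing; decode once, then normalise, then check."""
    decoded = unquote(requested)
    joined = posixpath.join(PUBLIC_ROOT, decoded.lstrip("/"))
    candidate = posixpath.normpath(joined)  # collapses '.', '..' and '//'
    if candidate != PUBLIC_ROOT and not candidate.startswith(PUBLIC_ROOT + "/"):
        return ("traversal", None)          # '../' escaped the root
    return ("ok", candidate)

# Constructed object store: document id -> owner. Every id here is a resource
# the application legitimately serves, which is what makes IDOR a different bug.
DOCUMENTS = {1001: "alice", 1002: "bob"}

def fetch_document(doc_id, current_user):
    """Returns ("ok", text), ("forbidden", None) or ("missing", None).
    Path logic cannot help here: 1002 is a valid object, just not alice's."""
    owner = DOCUMENTS.get(doc_id)
    if owner is None:
        return ("missing", None)
    if owner != current_user:
        return ("forbidden", None)          # the IDOR case
    return ("ok", f"document {doc_id} belongs to {owner}")

if __name__ == "__main__":
    for req in ("css/main.css", "../../etc/passwd", "..%2F..%2Fetc%2Fpasswd"):
        print(req, "->", resolve_public_path(req))
    for doc_id in (1001, 1002, 9999):
        print("alice requests", doc_id, "->", fetch_document(doc_id, "alice"))
```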
Remote File Inclusion Missing from OWASP Top 10?
A3, OWASP Top 10 2007 - Malicious File Execution. Removed in the OWASP Top 10 2010.
OWASP Rationale:
REMOVED: A3 – Malicious File Execution. This is still a significant problem in many different environments. However, its prevalence in 2007 was inflated by large numbers of PHP applications having this problem. PHP now ships with a more secure configuration by default, lowering the prevalence of this problem.
Lesson #3: The U.S. is the Source of Most Attacks
We witnessed 29% of attack events originating from 10 sources.
Take-away: Sort traffic based on reputation
Organizations like these Funded a $27B Security Market in 2010…
…All had major breaches in 2011. What’s wrong?
Threat vs. Spending Market Dislocation
Threats: “In 2010, 76% of all data breached was from servers and applications” 1
Spending: “Yet well over 90% of the $27 billion spent on security products was on traditional security” 2
The data theft industry is estimated at $1 trillion annually
Organized crime is responsible for 85% of data breaches 1
1 2011 Data Breach Investigations Report (Verizon RISK Team in conjunction with the US Secret Service & Dutch High Tech Crime Unit)
2 Worldwide Security Products 2011-2014 Forecast (IDC - February 2011)
Summary
Deploy security solutions that deter automated attacks
Detect known vulnerability attacks
Acquire intelligence on malicious sources and apply it in real time
Participate in a security community and share data on attacks
Summary
“Foreknowledge cannot be gotten from ghosts and spirits, cannot be had by analogy, cannot be found out by calculation. It must be obtained from people, people who know the conditions of the enemy” 1
1 Sun Tzu – The Art of War
Imperva: Our Story in 60 Seconds
Usage Audit, Access Control, Rights Management, Attack Protection, Reputation Controls, Virtual Patching
Webinar Materials
Get LinkedIn to Imperva Data Security Direct for…
Post-Webinar Discussions
Answers to Attendee Questions
Webinar Recording Link
Much more…
Questions
- CONFIDENTIAL -
Thank You