Jump Start Your Application Security Knowledge
1 like•458 views
The document discusses the importance of application security, highlighting the disconnect between security officers and development teams regarding application vulnerabilities. It emphasizes the lack of knowledge among security professionals in understanding application-level risks and the need for better communication and collaboration with developers. Additionally, it introduces WhiteHat Security's Sentinel product and its integration with Snort for real-time application-level protection.
Jump Start Your Application Security Knowledge
- 1. Jump-Start Your Application Security p pp y Knowledge: For the Network Security Guy Who Knows Nothing about Applications A li ti Jeremiah Grossman John B. Dickson, CISSP
- 2. Speaker’s Backgrounds • Jeremiah Grossman – Founder & CTO of WhiteHat Security – World-renowned expert in Web security and founder of the Web Application Security Consortium (WASC) – Former information security officer at Yahoo! • John Dickson – Denim Group Principal and career security professional – Assists CISO’s build application security programs CISO s – Prior to Denim Group, was a information security consultant at SecureLogix, KPMG, Trident Data Systems, and US Air Force 1
- 3. Company Backgrounds • WhiteHat Security Background – WhiteHat Security is the leading provider of website risk management solutions – WhiteHat serves hundreds of customers in e-commerce, financial services, information technology and healthcare including many of the Fortune 1000 WhiteHat Sentinel the company’s flagship product family launched in 2003 Sentinel, company s family, • Denim Group Background – Denim Group is a professional services company that • develops secure software • helps organizations assess and mitigate risk with existing software • provides training on best practices in software security – WhiteHat Security’s Premier Integration Partner • Built Snort-Sentinel Integration for real-time application level blocking 2
- 4. “Houston we have a Problem” • Throughout industry security officers are responsible for the security of applications – If a breach occurs involving applications, who gets called first? – CIO’s largely can’t distinguish between web applications and the infrastructure in which applications reside – Rarely, if ever, do security manager have control of development efforts to remediate • It begs the question – Why are development colleagues not on the “hot seat” as well? • Security professionals are rushing into the application security world – New entrants into the field have less background knowledge in applications g g pp – Demand to increase for application-smart security professionals 3
- 5. The Key Problem Security officers worry about application vulnerabilities, but have little power to f them… fix Development managers have power to fix application vulnerabilities, but don’t worry about them 4
- 6. Business Impact of this Problem • Many Security professionals are ill-equipped to secure applications – Difficulty analyzing application-level scan reports – Sometimes powerless to overcome development team objections – Network vulnerabilities get fixed relatively quickly – not the case for applications • WhiteHat Website Security Statistics Report – 82% of websites have had a HIGH, CRITICAL, or URGENT issue – V l Vulnerability time-to-fix metrics are not changing substantively, t i ll requiring bilit ti t fi ti t h i b t ti l typically ii weeks to months to achieve resolution – Security managers need to do a better job of managing or influencing the solution 5
- 7. Results of Denim Group Survey • 75% of security respondents did not know the likely outcome of the exploitation of a Cross-Site Scripting (XSS) vulnerability • Nearly 70% did not know that modern development languages like Java and .NET could provide protection against buffer overflow vulnerabilities • Nearly 50% thought developers could perform source code reviews in the requirements • Nearly 70% of respondents could not identify that logical vulnerabilities involving authorization and authentication are typically more difficult to remediate than coding flaws such as Cross-Site Scripting (XSS) or buffer overflow vulnerabilities 6
- 8. A Journey of 1,000 Miles Starts with one Step… • Raise the bar on your knowledge of key aspects of software development, including: – Key coding terms – software architecture terms – Different software development methodologies • Build up a dictionary of terms tailored to your environment • Find a trusted development colleague to ask questions you wouldn’t ask in a public meeting • Understand what SDLC’s their organization uses – Different software development methodologies will drive how you want to introduce security practices to internal development teams 7
- 9. Ask a Better Set of Questions! • Consider Participating in Threat Modeling Process – A structured approach to understanding where vulnerabilities might exist in complex systems such as software applications – Enables security professionals to characterize risk and ask a more sophisticated set of questions to developers without diving to the level of application source code – Will help a non-coder think in more concrete terms by decomposing a complex application into its component pieces 8
- 10. How Security Guys Think 9
- 11. How Developers Think 10
- 12. How Security Guys Should Think 11
- 13. WhiteHat Sentinel – Snort Integration • Denim Group developed technology based on the WhiteHat’s open XML application programming interface (API), allowing for a seamless integration with Snort® to block website attacks – Highly accurate vulnerability information combined with an open XML API allows WhiteHat Sentinel data to be shared and employed within an organization s organization’s existing communications and reporting infrastructure – Integration supports both open source and commercial versions of IPS/IDS – Any IDS/IPS that imports these rules will work • Sentinel S ti l customers can now use vulnerability d t t quickly create t l bilit data to i kl t ultra-targeted Snort rules – Expands capability of IPS to detect and block application layer attacks in real- time – Fine-tunes Snort alerts and correlate findings to reduce noise – Leverages existing, deployed infrastructure » 80% Fortune 100 use Snort » No need to retrain employees or reconfigure networks
- 14. How the integration works: • Implemented as a script, which when executed will securely script executed, connect to the Sentinel open API to extract website’s vulnerability details – Script translates downloaded data into Snort alert rules – Users apply rules to Snort IPS to alert on or block attacks • Simple deployment – All Sentinel customers have access to Open XML API free of charge • WhiteHat Open XML API also enables data exchange with: – W b Application Fi Web A li ti Firewalls ll – Bug tracking systems – Security Information and Event Management systems
- 15. Contact Information • Jeremiah Grossman – [email protected] – Twitter @jeremiahg www.whitehatsec.com • John B. Dickson, CISSP – [email protected] – Twitter @johnbdickson www.denimgroup.com 14