Application Security



Protect your image & brand

© 2012 Sebyde BV
Who we are

SEBYDE (se-bie-de)
    Secure by Design
Derk Yntema
    20+ years of experience in ICT and IT security
    IT management architect
    Portfolio manager security
Rob Koch
    20+ years of experience in account management at software companies and in the telecom industry
IBM business partner
IBM authorised reseller

Gartner: 75% of all attacks on web sites and web applications target the application level and not the infrastructure.
The Dutch developer

The Dutch developer works more iteratively (agile) than linearly (waterfall).

(source: automatiseringsgids, 10th May 2012)
Internet has changed the world




Is ICT security important?

The world has changed
    We work differently: the new way of working (Het nieuwe werken), BYOD
    More data in more applications

Internet
    Remote access to business networks
    Wireless networks / mobile applications
    Popular apps, e-mail, WhatsApp, LinkedIn, Facebook, etc.

Hackers change their tactics
    Infrastructure -> applications
    The risk of digital theft keeps growing
Internet / Web-based applications

The Internet has become a very important business platform
    B2C
    B2B
Businesses use the Internet for marketing, communication, customer services, customer care, etc.
2011:
    2.3 billion Internet users;
    85% buy online;
    $200 billion turnover worldwide;
Applications are Web-based or Web-facing
Webshops

[Chart: number of webshops in NL ("Aantal webwinkels in NL"), y-axis 0 to 40,000]

[Chart: turnover of online shopping ("Online winkelen", in billion euro), y-axis 0 to 12]
The Dutch developer

The Dutch developer uses little to no supporting resources in the preliminary phase, when gathering requirements or making a design. A formal use case method (UML) is very seldom used. Tools like Requisite Pro, ClearCase, Rational Rose and Visual Paradigm are hardly ever used.

(source: automatiseringsgids, 10th May 2012)
Cybercrime

  Cybercrime has surpassed illegal drug trafficking as a criminal
  moneymaker
  Every 3 seconds an identity is stolen
  Without security, your unprotected PC can become infected within
  four minutes of connecting to the internet
  It is often facilitated by crime-ware programs such as keystroke
  loggers, viruses, rootkits or Trojan horses.
  Software flaws or vulnerabilities often provide the foothold for the
  attacker. For example, criminals controlling a website may take
  advantage of a vulnerability in a Web browser to place a Trojan
  horse on the victim's computer.




The reality

Cybercrime is no temporary phenomenon
Two leagues: junior and major
If you think safety is expensive, try an accident
Criminals look differently at the value of assets
Effective security needs a short- and long-term approach
100% security is an illusion; prevention is key!
The tone at the top is important

Source: summary of the KPMG Advisory NV report "Een genuanceerde visie op cybercrime. Nieuwe perspectieven vragen om actie" (A nuanced view of cybercrime: new perspectives call for action)
TNO: damage from cybercrime: 10 billion per year

Cybercrime damage NL              10-30 billion / year
9% aimed at web applications      0.9 - 2.7 billion
60% SQL injection / XSS           0.5 - 1.6 billion
Vulnerabilities in websites

[Pie chart: probability that a website contains each class of vulnerability. Classes in the legend: Information leakage, Cross Site Scripting, Content Spoofing, Cross Site Request Forgery, Brute Force, Insufficient authorisation, Predictable Resource Location, SQL Injection, Session fixation, Abuse of functionality. Percentages shown, unlabelled: 64%, 64%, 43%, 24%, 17%, 15%, 14%, 14%, 14%, 10%]
The Dutch developer

  Release management is generally
 accepted. Coding standards are commonly
 used.

                      (source: automatiseringsgids 10th May 2012)




Target organisations

Financials
    Internet banking
    Financial transactions
Industries
    SCADA networks
Companies
    IP
    Mergers & takeovers
    Customer data
Governments
    Espionage
    Identity fraud

Hosting providers
    Image
    Outages
Application developers
    Liability
    High development costs
Healthcare
    Privacy (WBP; EU privacy act)

IBM X-Force Report 2011: 41% of all security incidents are caused by Web applications.
Damage

Reputation / brand
    Defacement
    Costs: ????
    Indirect (ISP)
Liability claims
Information damage
Theft
    Financial
    Business information
    Privacy information
    Identity
System outage
    Availability

81% of Web applications do not comply with the PCI-DSS standard (Payment Card Industry Digital Security Standard).
But still...

"Security is not my responsibility."
"Security? That is done by the ICT department."
"I do not work with computers, so I can't be hurt!"
"I don't work with sensitive information."
"Our company is not a target."
"I am not a target!"
"What can they steal here?"
"We have several firewalls."
"We are safe, we have security guidelines."
"It is not our responsibility, we have outsourced our IT."
"We use the cloud, so our cloud provider has arranged security."

On average, every 1,000 lines of code has at least 5 to 15 defects (United States Department of Defense).
I am no target?

Febelfin
    Belgian federation of the financial sector.

http://www.youtube.com/watch?v=F7pYHN9iC9I
What can they get here?




We will not be hacked!




We have firewalls




We have procedures!




Security in real life

We have to
    Government
    Listed on an exchange (NYSE)
    Laws and directives
    Privacy
    Industry standards
Incidents
    Reactive
Fear
    Panic

Testing is done for
    Functionality
    Performance

Google: over 2 million searches every month on how to hack.
The Dutch developer

Too little time is spent on testing. Testing, traditionally done at the end of development, is still the part that gets compromised.

(source: automatiseringsgids, 10th May 2012)
Focus shift hackers

From: infrastructure  ->  To: applications

75% of all hacks are performed on Web applications / websites
From Chinese walls to integrated security




More facts

60-80% of Web applications / websites have at least one security weak point.

75% of all hacks are performed on Web applications / websites.

IDC Research: 25% of all companies are exploited via a weak spot in Web application security.

Unsuspecting users are infected by websites that carry malware.

Google: >2 million searches every month on how to hack, or to download hacking tools, etc.
Why are applications unsafe?

Time to market
    Business pressure
    Project budget
Software is complex
    Windows 7 contains 50 million lines of code
Networking
    Internet technology
Globalizing
    Software comes from everywhere
Extensibility
    JAVA VM, .NET, etc.

No education
Chinese walls
False sense of security
Security awareness
    Continuous process
    Attitude / behavior
Software ages
Application security is not sexy
OWASP top ten

1)  SQL-Injection
        60% of all attacks!!!
2)  Cross Site Scripting (XSS)
3)  Broken Authentication and Session Management
4)  Insecure Direct Object References
5)  Cross Site Request Forgery (CSRF)
6)  Security Misconfiguration
7)  Failure to Restrict URL Access
8)  Unvalidated Redirects and Forwards
9)  Insecure Cryptographic Storage
10) Insufficient Transport Layer Protection
1. Injection

Ability to inject command strings
    Database (SQL)
    Operating system
    LDAP
    Directories
Vulnerability

The best way to determine whether an application is vulnerable to injection is to check whether input data is kept separate from the command or query.
Poor error handling makes injection vulnerabilities easy to detect.
Example

The application uses non-validated data when composing the SQL call:

String query = "SELECT * FROM accounts WHERE custID = '" + request.getParameter("id") + "'";

The attacker changes the 'id' parameter in their browser and sends: ' or '1'='1. This change makes the query return all records from the accounts database, instead of just one customer's.

http://example.com/app/accountView?id=' or '1'='1

In the worst case, the attacker can misuse a stored procedure so that the entire database is copied, or even take control of the operating system.
Mitigation

For SQL calls, this means using static queries or stored procedures. Avoid dynamic SQL!

Pass data to commands as parameters. Note that improper use of parameters still leaves the application vulnerable.

Validate input against a white list: allow only what you know.

Apply strict access control to what an application may do on the systems it uses: least privilege.

Tip: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
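The following is an added example and not code from the Sebyde slides. It puts the string-concatenated query from the Example slide next to a parameterised query and a whitelist-validated one, and runs the slide's own ' or '1'='1 input through all three against an in-memory SQLite table, so the Vulnerability slide's test (is input kept separate from the command?) and the mitigations can be checked directly. The table contents, the function names and the one-to-nine-digit id pattern are constructed assumptions, not from the presentation.

```python
"""Added example, not from the Sebyde slides: SQL injection in a string-built
query versus a parameterised query, run against an in-memory SQLite database.
Table contents, helper names and the id pattern are constructed assumptions."""
import re
import sqlite3

# Constructed sample data (assumption): three customer accounts.
SAMPLE_ACCOUNTS = [(1, "alice", 100), (2, "bob", 250), (3, "carol", 75)]


def make_db():
    """Build the in-memory accounts table used by the functions below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID INTEGER, name TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def account_view_vulnerable(conn, cust_id):
    """Dynamic SQL as on the Example slide: the input becomes part of the command text."""
    query = "SELECT * FROM accounts WHERE custID = '" + cust_id + "'"
    return conn.execute(query).fetchall()


def account_view_parameterised(conn, cust_id):
    """Static query text with a bound parameter: the input stays data, never command."""
    query = "SELECT * FROM accounts WHERE custID = ?"
    return conn.execute(query, (cust_id,)).fetchall()


# Whitelist (constructed assumption): an account id is one to nine digits, nothing else.
ID_PATTERN = re.compile(r"[0-9]{1,9}")


def validate_id(cust_id):
    """Whitelist validation: allow only what we know, reject everything else."""
    if not ID_PATTERN.fullmatch(cust_id):
        raise ValueError("invalid account id")
    return int(cust_id)


def account_view_hardened(conn, cust_id):
    """Whitelist validation first, then the parameterised query."""
    return account_view_parameterised(conn, validate_id(cust_id))


def demo(payload="' or '1'='1"):
    """Run the slide's payload through all three variants.

    Returns (rows from the vulnerable query, rows from the parameterised query,
    whether the hardened variant rejected the input)."""
    conn = make_db()
    vulnerable_rows = account_view_vulnerable(conn, payload)        # every account leaks
    parameterised_rows = account_view_parameterised(conn, payload)  # no literal match
    try:
        account_view_hardened(conn, payload)
        rejected = False
    except ValueError:
        rejected = True
    return len(vulnerable_rows), len(parameterised_rows), rejected


if __name__ == "__main__":
    print(demo())  # (3, 0, True)
```

The vulnerable variant returns all three rows because the WHERE clause has become `custID = '' or '1'='1'`; the parameterised variant returns none because the whole payload is compared as one literal value; the hardened variant never reaches the database and raises a generic ValueError, which also avoids the detailed database errors that, as the Vulnerability slide notes, make injection easy to spot. Least privilege is not visible with SQLite, but the same principle applies: the database account used here should be able to read accounts and nothing more.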
The pressure mounts

  Government
   EU
   NCSC
  Law & regulations
   Privacy law (CBP)
   Industry regulations (PCI-DSS, Basel III, NEN7510)




What can we do

  Prevent
   Awareness
   Design & build secure
  Reduce
   Monitor
   Manage
  Transfer
   Insurance
  Accept




The Dutch developer

Documentation is done reluctantly; it is considered the most annoying aspect of the work.

(source: automatiseringsgids, 10th May 2012)
Complete security

[Diagram: a triangle with People, Process and Technology at the corners and "Security: Secure by Design" at the centre]
People

Zero-incident culture
Security awareness
    Training
    Education
    Awareness
    Motivation
    Attitude

From unconsciously unsafe to unconsciously safe
Security awareness must rest in the cortex

IDC research: 25% of all companies are exploited via a weak spot in their Web application security.
Awareness: information has value

Customer data
Annual figures, the profit forecast
(Re)modelling plans
Employee data
Tenders and contracts
Bookkeeping
Phone & e-mail lists
Staff photo directory (smoelenboek)

Adding security during coding costs 6.5 times more than architecting it during the software design process.
What to achieve?

Not only doing the right things, but doing things right
Attitude
Behavior

[Diagram: competence ladder from "unconscious unsafe" via "conscious unsafe" and "conscious safe" to "unconscious safe", climbed through training, education, instruction and repetition]
The Dutch developer

The appeal of creativity and of solving logical problems is considered the best aspect of the work, more fun than delivering a useful product.

(source: automatiseringsgids, 10th May 2012)
Processes

Policy
    Laws and regulations
    Guidelines, standards, rules
Organisation
    Helpdesk
    CERT team
Processes
    Identity/access management
    Incident management
    Patch management
    SDLC

[Diagram: cycle with the steps Check, Analyse, Resolve and Evaluate]

IDC research: 25% of all companies are exploited through a weak spot in their Web application security.
Prevent: test

Manual
Automated
Black box
White box

Network
    Pentesting
Systems
Applications
    Dynamic
    Source code
Test early!

Early testing saves a lot of money. 80% of development costs are spent on finding and solving problems.
Solving a vulnerability in the production phase costs 100 times more than addressing it in the design phase.

Consequences of testing late: loss of customer trust, lawsuits, brand damage.

Relative cost of fixing a vulnerability per phase:
    1x      Design             Secure by Design
    6.5x    Development        Static testing
    15x     Test phase         Acceptance testing
    100x    Deployment phase   Dynamic testing
Test often

New releases
    Application
    Infrastructure
Periodic
    Every half year or year
Framework upgrades
Integral part of the Software Development Life Cycle (UTAP)
Technology

Network
    Zoning (e.g. DMZ)
    Firewalls, IPS, WAF
Systems
    Hardening
    Access control
    Updates / patching
    Malware scanners
Applications
    Testing
    Audits
    Secure by Design
Why secure coding

  Governance
   Manageability
  Risk
   Reputation
  Compliance
   PCI-DSS
   Privacy law
   EU directive
  Efficiency
   Early on security saves money




About the Dutch developer

Repetitive tasks, like testing, are the most annoying aspect of the work.

(source: automatiseringsgids, 10th May 2012)
Best practices

  Prevention is key; test early & often
  Validate all input and output
  Deny by default, Fail Secure (closed)
  Fail Safe
  Make it simple (KISS)
  Defense in depth
  Only as secure as your weakest link
  Wrong: Security by obscurity


  https://www.owasp.org/index.php/How_to_write_insecure_code



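As an added example, not from the slides, the "deny by default" and "fail secure (closed)" practices above in working form: an authorisation check whose allow list is the only way to get a yes, and which turns every lookup failure into a no, shown next to the fail-open variant it replaces. The role names, the allow list, the user directory and the lookup function are constructed assumptions.

```python
"""Added example, not from the Sebyde slides: a deny-by-default authorisation
check that fails closed, next to the fail-open variant it replaces. Role names,
the allow list, the directory and the lookup are constructed assumptions."""
import logging

log = logging.getLogger("authz")

# Explicit allow list (constructed): an action not listed for a role is denied.
ALLOWED = {
    "viewer": {"account:read"},
    "clerk": {"account:read", "account:update"},
    "admin": {"account:read", "account:update", "account:delete"},
}

# Constructed user directory (assumption), standing in for an IAM/LDAP backend.
DIRECTORY = {"alice": ["clerk"], "bob": ["viewer"], "carol": ["admin"]}


def lookup_roles(user, directory):
    """Stand-in for the directory query: raises RuntimeError when the backend is
    unavailable (directory is None) and KeyError when the user is unknown."""
    if directory is None:
        raise RuntimeError("role backend unavailable")
    return directory[user]


def is_allowed(roles, action):
    """Pure decision: allow only when some role's allow list names the action.
    Unknown roles and unknown actions fall through to False (deny by default)."""
    return any(action in ALLOWED.get(role, set()) for role in roles)


def authorize(user, action, directory=DIRECTORY):
    """Fail secure (closed): any failure in lookup or decision denies access."""
    try:
        roles = lookup_roles(user, directory)
        return is_allowed(roles, action)
    except Exception as exc:
        # Backend down, unknown user or bad data: deny and log, never let it through.
        log.warning("authorisation failed closed for %s/%s: %s", user, action, exc)
        return False


def authorize_fail_open(user, action, directory=DIRECTORY):
    """The anti-pattern: a lookup failure is treated as 'no restriction applies'."""
    try:
        roles = lookup_roles(user, directory)
    except Exception:
        return True  # wrong: an outage of the role backend grants access
    return is_allowed(roles, action)


if __name__ == "__main__":
    print(authorize("alice", "account:update"))                # True
    print(authorize("bob", "account:update"))                  # False: not in bob's allow list
    print(authorize("mallory", "account:read"))                # False: unknown user
    print(authorize("alice", "account:read", None))            # False: backend down, closed
    print(authorize_fail_open("alice", "account:read", None))  # True: backend down, open
```

The only path to True runs through the allow list, so a new action or role that nobody has configured is denied until someone deliberately adds it; the logged warning is what an operations team would alert on, because a burst of fail-closed denials means a dependency is down rather than an attack succeeding.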
Important sources

  OWASP www.owasp.org
  Sans www.sans.org
  NCSC www.ncsc.nl
  CVE http://cve.mitre.org/
  www.waarschuwingsdienst.nl




Contact us

E-mail     info@sebyde.nl
Web        www.sebyde.nl
Twitter    http://www.twitter.com/SebydeBV
LinkedIn   http://www.linkedin.com/company/sebyde-bv
Facebook   http://facebook.com/SebydeBV
Prezi      http://t.co/eKr7VzE8
Thank you

Rob Koch (rob.koch@sebyde.nl)
Derk Yntema (derk.yntema@sebyde.nl)

SlideShare title: Presentatie php benelux groep (presentation for the PHP Benelux group)