Application Security Landscape

Transcript

1. Rocky Mountains The Application Security Landscape

2. Introduction 1997 2006 2014 Consultant Engineer Software Architect Director of

   Engineering Rabble Rouser: Perl Java Applet C++ J2EE J2EE
 Spring Analytics Certificate Authority Vulnerability Scanner Penetration Test Manager Pricing Retail Banking Manufacturing Pharma Healthcare Research Ruby Rails Chicago BSides 2011, 2012 Defcon Skytalk OWASP Chicago, MSP 2013 AppSec USA 2012, 2013 ChicagoRuby 2013 Secure 360 Lone Star Ruby 2013 WindyCityRails 2013 Chicago JUG 2014 RailsConf 2014 Converge 2014 ChicagoCoderConference 2015 MS in CS Founder Consultant Agile Clojure Graph Database Big Data Trying to hack a business model that succeeds while helping developers. Domains: Projects: DevOps / Automation Training Coaching Code Review Plugged in to SDLC Consulting Assessments @mkonda [email protected] Secure DevOps Growing OWASP Board Agile Security

3. Census?

4. Case Study 1 e-Commerce Fraud

5. “This year, organized crime became the most frequently seen threat

   actor for Web App Attacks.” Verizon 2015 DBIR
6. None

7. See • Botnets • Widespread use of harvested credentials •

   Account takeover • Credit card fraud • Dumps of passwords and sensitive data with SQLi • User pwnage with XSS

8. Case Study 2 Healthcare Fraud

9. “Two thirds of the incidents in this pattern had no

   attacker-attribution information whatsoever.” Verizon 2015 DBIR Cyber-Espionage

10. See • Long term investment • Systematic targeting • Phishing

    / Social Engineering • Pivoting

11. 90% of security investments focus on network security.
    75% of

    attacks focus on vulnerable applications. From industry advertisement. Original source not cited.
12. None

13. Product Landscape

14. Static Analysis

15. Static Analysis Live App Scanning

16. Static Analysis Live App Scanning Dynamic Analysis

17. Static Analysis Live App Scanning Dynamic Analysis Dependency Checks

18. Static Analysis Live App Scanning Dynamic Analysis Dependency Checks Web

    Application Firewall

19. Static Analysis Live App Scanning Dynamic Analysis Dependency Checks Web

    Application Firewall Runtime Security Monitoring

20. Static Analysis Live App Scanning Dynamic Analysis Dependency Checks Web

    Application Firewall Runtime Security Monitoring IP Reputation

21. Static Analysis Live App Scanning Dynamic Analysis Dependency Checks Web

    Application Firewall Runtime Security Monitoring IP Reputation Anti-Automation

22. Static Analysis Live App Scanning Dynamic Analysis Dependency Checks Web

    Application Firewall Runtime Security Monitoring IP Reputation Anti-Automation Penetration Testing

23. Static Analysis Live App Scanning Dynamic Analysis Dependency Checks Web

    Application Firewall Runtime Security Monitoring IP Reputation Anti-Automation Penetration Testing
24. None

25. B+

26. B+ C

27. B+ C B+

28. B+ C B+ F

29. B+ C B+ F D

30. B+ C B+ F D D

31. B+ C B+ F D D F

32. B+ C B+ F D D F B

33. B+ C B+ F D D F B A-

34. B+ C B+ F D D F B A- C

35. None
36. None

37. Understanding Our Attack Surface

38. We need to understand applications: data flow, fraud scenarios and

    data sensitivity to build an appropriately focused security program.

39. Application Security is moving from a niche to a pillar

    of security programs.

40. Limited Resources

41. Developers

42. Application security teams need time and flexibility to implement automation

    and processes that work.

43. Data

44. None
45. None

46. What are we measuring?

47. OWASP OWASP

48. Organizational Health • 2184 members, 45 corporate. • Financially sound.

    • Excellent conference results including for AppSecUSA, AppSecEU and LATAM tour. • ED is full time employee (started summer 2014, full time Spring 2015) • Recently hired community manager - Noreen Whysel (November 2014) • Recently hired project co-ordinator - Claudia Casanovas (May) • Kate Hartmann and Kelly Santalucia continue to handle operational and membership awesomeness.

49. Active Work • Funded OWASP summer of code. • Increased

    activity in project summits. • Conference planning • All the background work of sponsors, elections, membership, project support…

50. DevOps and Security

51. Credit: Matt Tesauro at AppSecEU 2015 http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu

52. App Inventory Pipeline CSV, JSON, Text Git webhooks Jenkins

53. None

54. Data Platform

55. Training

56. Flagship Projects Tools • ZAP • OWASP Dependency Check •

    Web Testing Environment Project • OWTF Code • ModSecurity • CSRFGuard • AppSensor Documentation • ASVS • SAMM • Top 10 • Testing Guide • Benchmark

57. ASVS

58. Tiers • 0  –  Cursory  –  You  have  done  

    something.    You  define.   • 1  –  Opportunistic  –  Adequately  defends   against  easily  discoverable  items.   • 2  –  Standard  –  Adequately  defends   against  items  of  moderate  to  serious   risk.   • 3  –  Advanced  –  Defends  against  even   advanced  attacks  and  demonstrates   good  security  design.
59. None

60. Thank you