Presentation given in Argentina and Paraguay during March 2014.
In Argentina by Faustino Sanchez; in Paraguay by Santiago Cavanna.
It covers the problem of vulnerabilities present in applications, their impact on organizations, and the means available to discover them early and make their remediation easier.
Links available at
http://www.santiagocavanna.com/segurinfo-2014-el-costo-oculto-de-las-aplicaciones-vulnerables/
1. Santiago Cavanna
IBM Security Systems
Argentina-Uruguay-Paraguay
March 2014
cavanna@ar.ibm.com
The hidden cost of … vulnerable applications
2. The Traditional Approach is Changing…
Security is no longer controlled and enforced through the network perimeter
Diagram: Trusted Intranet (Online Banking Application, Employee Application) | DMZ | Untrusted Internet
3. … With Mobile and Cloud There Is No Perimeter
Security must be centered on applications and transactions
Diagram: Trusted Intranet (Online Banking Application, Investment API Services, Employee Application) | DMZ | Untrusted Internet; new flows: Deliver Mobile App, Consume Apps and Services, Leverage Public Clouds
5. Threats increase along with old and new targets
Web Apps Targeted: 31% of new attacks in 1H 2013 targeted Web app vulnerabilities; 50%+ of Web app vulnerabilities are cross-site scripting (Source: IBM X-Force 2013 Mid-Year Trend and Risk Report)
Mobile Devices Targeted: Mobile devices are twice as appealing, since hackers can obtain personal and business data (Source: Juniper Networks Third Annual Mobile Threats Report: 3/12 – 3/13)
Escalating Threats: Mobile Malware Increasing
6. A New Security Reality Is Here
83% of enterprises have difficulty finding the security skills they need
85 tools from 45 vendors (IBM client example)
70% of security execs are concerned about cloud and mobile security
Mobile malware grew 614% from March 2012 to March 2013 (in one year)
61% of organizations say data theft and cybercrime are the greatest threats to their reputation
Average U.S. breach cost: $7 million+
Sources: 2013 Cost of Cyber Crime Study, Ponemon Institute; 2013 Juniper Mobile Threat Report; 2012 IBM Global Reputational Risk & IT Study; 2013 IBM CISO Survey; 2012 ESG Research
7. A new security reality is here
Sophisticated attackers break through conventional safeguards every day.
Organized criminals, hacktivists, governments and adversaries are compelled by financial gain, politics and notoriety to attack your most valuable assets. Their operations are well-funded and business-like ‒ attackers patiently evaluate targets based on potential effort and reward. Their methods are extremely targeted ‒ they use social media and other entry points to track down people with access, take advantage of trust, and exploit them as vulnerabilities. Meanwhile, negligent employees inadvertently put the business at risk via human error. Even worse, security investments of the past fail to protect against these new classes of attacks. The result is more severe security breaches more often. In fact, 61% of organizations say data theft and cybercrime are the greatest threats to their reputation.1 And the costs are staggering. By one estimate, the average cost of a breach is over $7 million.2
Sources: (1) 2012 Global Reputational Risk & IT Study, IBM; (2) 2013 Cost of Cyber Crime Study, Ponemon Institute
Cloud, mobile, social and big data drive unprecedented change.
Businesses are adopting mobile, social, big data and cloud to analyze and share information at unprecedented rates. This influx of new innovation, technologies, and end-points pushes more and more business transactions outside company walls and completely transforms enterprise security as we know it. As the traditional network perimeter permanently dissolves, it is more difficult to defend company data from the increasing gaps in security, and to verify that users accessing data are protected. In one study, 70% of security executives expressed concern about cloud and mobile security.3 Theft or loss of mobile devices, privacy concerns associated with cloud, and accidental sharing of sensitive data are some of the key fears. Without dynamic protection, an organization may spend more time recovering from attacks than it does preventing them. And those who do not prepare for change are leaving their companies dangerously exposed.
Sources: (3) 2013 CISO Survey, IBM; 2013 Juniper Mobile Threat Report
Yesterday's security practices are not sustainable
Up to now, organizations have responded to security concerns by deploying a new tool to address each new risk. Now they have to install, configure, manage, patch, upgrade, and pay for dozens of non-integrated solutions with limited views of the landscape. Costly and complex, these fragmented security capabilities do not provide the visibility and coordination needed to stop today's sophisticated attacks. Moreover, the skills and expertise needed to keep up with a constant stream of new threats are not always available. 83% of enterprises report having difficulty finding the security skills they need.4 And as new risks emerge, the environment will grow more complex and the skills gap wider. 49% of IT executives say that they are challenged by an inability to measure the effectiveness of their current security efforts5 and 31% of IT professionals have no risk strategy at all.6 Many security teams are simply operating in the dark.
Sources: (4) 2012 ESG Research; (5) Security Intelligence Can Deliver Value Beyond Expectations And Needs To Be Prioritized, Forrester; (6) 2013 Global Reputational Risk & IT Study, IBM
8. Agenda
• IBM as Security Solution Provider
• IBM Security Framework
• X-Force, Security Reports and SecurityIntelligence.com
• Standards and regulations (NIST)
• Challenges for the security team in application security.
• Application Security Framework.
• Vulnerabilities at different SDLC stages.
– Dynamic and static analysis.
• Self-assessment and recommendations.
9. IBM Security Investment
• 6,000+ IBM Security experts worldwide
• 3,000+ IBM security patents
• 4,000+ IBM managed security services clients worldwide
• 25 IBM Security labs worldwide
IBM Security: Market-changing milestones
Capability areas: Mainframe and Server Security; SOA Management and Security; Network Intrusion Prevention; Database Monitoring; Access Management; Application Security; Compliance Management; Identity Management; Advanced Fraud Protection; Security Analytics; Security Intelligence
1976: Resource Access Control Facility (RACF) is created, eliminating the need for each application to embed security
1999: Dascom is acquired for access management capabilities
2002: Access360 is acquired for identity management capabilities; MetaMerge is acquired for directory integration capabilities
2005: DataPower is acquired for SOA management and security capabilities
2006: Internet Security Systems, Inc. is acquired for security research and network protection capabilities
2007: Watchfire is acquired for security and compliance capabilities; Consul is acquired for risk management capabilities; Princeton Softech is acquired for data management capabilities
2008: Encentuate is acquired for enterprise single-sign-on capabilities
2009: Ounce Labs is acquired for application security capabilities; Guardium is acquired for enterprise database monitoring and protection capabilities
2010: BigFix is acquired for endpoint security management capabilities; NISC is acquired for information and analytics management capabilities
2011: Q1 Labs is acquired for security intelligence capabilities
2012: IBM Security Systems division is created
2013: Intent to acquire Trusteer for mobile and application security, counter-fraud and malware detection
11. X-Force Threat Intelligence: The IBM Differentiator
URL/Web Filtering
• Provides access to one of the world's largest URL filter databases, containing more than 20 billion evaluated Web pages and images
Anti-Spam
• Detect spam using known signatures, discover new spam types automatically, 99.9% accurate, near 0% overblocking
IP Reputation
• Categorize malicious websites via their IP address into different threat segments, including malware hosts, spam sources, and anonymous proxies
Web Application Control
• Identifying and providing actions for application traffic, both web-based, such as Gmail, and client-based, such as Skype
Advanced Security and Threat Research
The mission of X-Force is to:
§ Monitor and evaluate the rapidly changing threat landscape
§ Research new attack techniques and develop protection for tomorrow's security challenges
§ Educate our customers and the general public
14. Security functionality examples
• Safeguard patient data
• Secure the credit card environment
• Protect self-service DMV portal
• Protect critical infrastructure for the smart grid
• Reduce online banking fraud
• Secure data exchange among insurance providers
• Control access to auto designs and intellectual property
15. Standards and Regulations
http://securityintelligence.com/nist-cybersecurity-framework-application-security-risk-management/
v1.0 of the NIST Framework for Improving Critical Infrastructure Cybersecurity (Executive Order 13636 from President Obama) was issued on February 12th, 2014.
Software Risk and the Framework
Software security is a critical component of cybersecurity. If the apps you're running can be exploited, the services they're running are at risk. And though there isn't a special section devoted to applications or building software in the NIST Framework, software is mentioned a number of times and should be addressed as part of the broader cybersecurity program.
16. Security team challenges
1000s of apps, a small team
What is our application security status?
Which are our most important applications?
How many of them have we assessed?
Which ones present the highest risk?
Which vulnerabilities should we fix first?
What are the most common mistakes developers make?
17. Applications
Reducing the costs of developing secure applications and assuring the privacy and integrity of trusted information
Portfolio Overview
AppScan Enterprise Edition
• Enterprise-class solution for implementing and managing an application
security program, includes high-level dashboards, test policies, scan
templates and issue management capabilities
• Multi-user solution providing simultaneous security scanning and
centralized reporting
AppScan Standard Edition
• Desktop solution to automate web application security testing for IT
Security, auditors, and penetration testers
AppScan Source Edition
• Static application security testing to identify vulnerabilities at the line
of code. Enables early detection within the development life cycle.
18. Application Security Framework
Security Intelligence, Policy and Governance: activity monitoring, context, risk assessment, compliance reporting
Test – Scan & Remediate
- Development: eLearning, Correlation, Vuln Disclosure, Integrations
- Deployment: Integrations, White/Black Lists, Big Data Analytics
- Procurement
Protect – Block & Prevent: Web Application Firewall, Intrusion Prevention, Database Activity Monitoring, Containerization / Sandbox, Dynamic Scanning (light)
Assure – Rank & Validate: Application Reputation, Vendor Rankings, Compliance Scanning, Research Updates…
Static, Dynamic, Binary or Manifest testing based on access: Static Source; Dynamic Pre-Launch; Static Binary; Dynamic Production
Application Testing Services from the Cloud: full managed service – easy to start and easy to test third party apps
Mobile Application Testing; Mobile Application Reputation Services
Integrated Solutions – From Development to Deployment
Risk Management and Visibility
Key Trends
19. The Old Story – Still Valid But There's More…
Find during Development: $80/defect
Find during Build: $240/defect
Find during QA/Test: $960/defect
Find in Production: $7,600/defect
80% of development costs are spent identifying and correcting defects!*
Average Cost of a Data Breach: $7.2M** from lawsuits, loss of customer trust, damage to brand
* Source: National Institute of Standards and Technology
** Source: Ponemon Institute 2009-10
21. Finding more vulnerabilities using advanced techniques
Static Analysis
- Analyze Source Code
- Use during development
- Uses Taint Analysis / Pattern Matching
Dynamic Analysis
- Analyze Live Web Application
- Use during testing
- Uses HTTP tampering
Hybrid Analysis
- Correlate Dynamic and Static results
- Assists remediation by identification of line of code
Client-Side Analysis
- Analyze downloaded JavaScript code which runs in client
- Unique in the industry
Run-Time Analysis
- Combines Dynamic Analysis with run-time agent
- More results, better accuracy
Chart axes: Total Potential Security Issues vs. Applications
22. No single automated analysis technique can find all possible vulnerabilities. Each technique has its own strengths and blind spots, which is why a single point tool can leave you exposed.
To find the most vulnerabilities, you should employ all the analysis techniques available today. IBM has combined a leading Static Analysis solution (developed by Ounce Labs) with a leading Dynamic Analysis solution (developed by Watchfire). IBM has combined these two established technologies, and has since added Hybrid analysis to combine and correlate their results. In 2011, IBM added new techniques for client-side analysis (aka Javascript Analyzer) and most recently run-time analysis (aka Glassbox).
Static Analysis examines the source code for potential vulnerabilities. Static analysis can be used earlier in the development cycle, because you don't need a running application. Static analysis can also produce a large volume of results, which can overwhelm development teams. Also, developers may question whether an identified vulnerability can be exploited (i.e. the "issue" could be mitigated somewhere else in the code, so it may not manifest itself as a true vulnerability).
Dynamic Analysis tests a running application, by probing it in similar ways to what a hacker would use. With Dynamic Analysis results, it is easier to connect the vulnerability and a potential exploit. Dynamic Analysis is reliant on an ability to automatically traverse an application and test possible inputs. With Dynamic Analysis, the auditor is always asking "did I get proper test coverage". Because Dynamic Analysis requires a running application, it typically cannot be used until an application is ready for functional testing (i.e. later in the development cycle).
Hybrid Analysis brings together Dynamic and Static to correlate and verify the results. Issues identified using dynamic analysis can be traced to the offending line of code. Issues identified in static analysis can be validated with an external test.
Client-side Analysis (aka JSA) analyzes code which is downloaded to the client. As more functionality is performed client-side, the prospect of client-side vulnerabilities and exploits increases. This capability, new in 2011, is unique in the market.
Run-time Analysis (aka Glassbox) places a run-time agent on the application machine, and analyzes the application as it is being tested. This combines the aspects of Dynamic and Static analysis at run-time, finding more vulnerabilities with greater accuracy. Glassbox analysis was introduced in the most recent release of AppScan, at the end of 2011.
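The taint analysis that the static-analysis notes above rely on, shown in miniature as an added example that is not from the deck or from AppScan: a small intra-procedural taint tracker over Python's `ast` module, which also illustrates why static results can be questioned (a sanitizer elsewhere in the code clears the finding). The source, sink and sanitizer tables and the sample program are constructed for illustration; a real engine models far more APIs, branches and cross-function calls.

```python
import ast
# Constructed sample program (not from the deck): one sanitized flow, one real one.
SAMPLE = '''import os, shlex
name = input("name? ")
safe = shlex.quote(name)
os.system("ls " + safe)        # sanitized before reaching the sink
greeting = "Hello " + name
os.system("echo " + greeting)  # untrusted input() reaches os.system (line 6)
'''
# Hypothetical source/sink/sanitizer tables; a real SAST engine ships thousands.
SOURCES = {"input", "request.args.get"}
SINKS = {"os.system", "eval", "cursor.execute", "subprocess.call"}
SANITIZERS = {"shlex.quote", "html.escape"}

def dotted(node):  # 'a.b.c' for a Name/Attribute chain, else None
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute) and (base := dotted(node.value)):
        return f"{base}.{node.attr}"

class TaintAnalyzer(ast.NodeVisitor):  # intra-procedural, straight-line code only
    def __init__(self):
        self.tainted = set()   # variables currently holding untrusted data
        self.findings = []     # (sink name, line number)

    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            name = dotted(node.func)
            if name in SANITIZERS:          # sanitizer output is trusted
                return False
            if name in SOURCES:             # source output is untrusted
                return True
            return any(self.is_tainted(a) for a in node.args)
        if isinstance(node, ast.BinOp):     # "a" + b propagates taint
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        return False

    def visit_Assign(self, node):           # (re)assignment sets or clears taint
        for target in node.targets:
            if isinstance(target, ast.Name):
                (self.tainted.add if self.is_tainted(node.value)
                 else self.tainted.discard)(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):             # report untrusted data entering a sink
        name = dotted(node.func)
        if name in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append((name, node.lineno))
        self.generic_visit(node)

def find_taint_flows(source):  # returns [(sink, line), ...] for a source string
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings
```

Running `find_taint_flows(SAMPLE)` reports only the second `os.system` call; the first is cleared because `shlex.quote` sits between source and sink, which is exactly the kind of mitigation a pattern-only scanner would miss and a developer would dispute.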
23. Important Questions to Consider
Do the applications contain sensitive data?
§ Is the data protected?
§ How do you know if it's protected?
Do you outsource your mobile application development? How do you keep pace with the constant mobile updates?
§ How do you determine risk?
§ Do you have mobile specific security expertise?
§ Do you have acceptance criteria?
§ Do you check application security every release?
§ Do you have a way to automate testing?
34. Guide to implementing a secure cloud
The following security measures represent general best practice implementations for cloud
security.
• Implement and maintain a security program.
• Build and maintain a secure cloud infrastructure.
• Ensure confidential data protection.
• Implement strong access and identity management.
• Establish application and environment provisioning.
• Implement a governance and audit management program.
• Implement a vulnerability and intrusion management program.
• Maintain environment testing and validation.
Build and maintain a secure cloud infrastructure
4. Protect administrative access.
4.3. Maintain an audit trail of administrative actions.
4.4. The cloud host should develop and publish configuration management guidelines.
4.5. Implement an Asset Discovery Mechanism to identify resources in use in the target environment.
4.6. Regularly review Asset Maps to understand assets in the cloud environment.
4.7. Maintain a Configuration Data Store to enable auditability and general security understanding.
5. Ensure patch management.
5.1. The cloud host should develop and publish a patch and change management program.
5.2. Develop a pre-production patch management system to enable business resiliency.
5.3. Ensure logging is enabled for all patch processes, and develop the appropriate documentation.
5.4. Ensure that all systems and applications are running the latest vendor-supplied patches and updates within the period specified in the patch and change management program. Ensure that an appropriate time frame is established.
5.5. Establish a process or utilize a third-party vendor to maintain awareness of the latest security vulnerabilities.