Chris Harget shares consolidated research data from Cenzic's security team, industry experts and security luminaries. The research-grounded predictions include:
>>> WHAT emerging initiatives (e.g., Enterprise App Stores, API proliferation) are most likely to increase appsec risk and what to do about it.
>>> WHY Cross Site Request Forgery (CSRF) may be the next exploitation to "go large."
>>> HOW the "Internet of Things" may have a huge impact on application security.
... plus several more predictions.
2013 is coming to a close but online application threats won't be taking a holiday. Prepare for a secure 2014 by checking out "Top 10 Application Security Predictions for 2014."
7. OWASP Updated Its Top 10
Broadening of URL access control flaws to now include actual application functions
Expansion and merger of data-in-transit and data-at-rest flaws on both the server side and client side
Addition of a new category of flaws, ‘Using Components with Known Vulnerabilities’, to include add-on and third-party software components (a common issue that’s often overlooked in development and security)
Re-prioritization of authentication/user session management and cross-site request forgery (CSRF)-related flaws
https://www.mavitunasecurity.com/blog/owasp-top-10-2013-review/
Cenzic, Inc. - Confidential, All Rights Reserved.
8. Compliance: Hello PCI 3.0
Penetration testing activities (internal and external) now must follow an "industry-accepted penetration testing methodology," such as the specifically referenced NIST SP 800-115, Technical Guide to Information Security Testing and Assessment.
9. 2013 Was Kind Of A Stormy Year
11. 1. The Internet Of Things = App Risk
“The Internet of Things (or IoT for short) refers to uniquely identifiable objects and their virtual representations in an Internet-like structure.”
– http://en.wikipedia.org/wiki/Internet_of_things
“A family of four will move from having 10 connected devices in 2012 to 25 in 2017 to 50 in 2022.”
– http://go.gigaom.com/rs/gigaom/images/GigaOMResearch_The_internet_of_things_report.pdf
Many of these devices will be managed via apps
12. 1. The Internet Of Things = App Risk
New Attack Surfaces Include:
– Smart Televisions
– Home Alarms
– Smart Meters
– Smartphone cameras and microphones
– Security Cameras
– Baby monitors
– Medical Equipment
– Supply Chain Goods
– Smart Thermostats
– Cars
13. 1. The Internet Of Things = App Risk
Top Ten Connected Applications in 2020 (value to the Connected Life):
Connected Car: $600 billion
Clinical Remote Monitoring: $350 billion
Assisted Living: $270 billion
Home and Building Security: $250 billion
Pay-As-You-Drive Car Insurance: $245 billion
New Business Models for Car Usage: $225 billion
Smart Meters: $105 billion
Traffic Management: $100 billion
Electric Vehicle Charging: $75 billion
Building Automation: $40 billion
http://www.gsma.com/newsroom/gsma-announces-the-business-impact-of-connected-devices-could-be-worth-us4-5-trillion-in-2020
14. 2. Enterprise App Stores Explode…
15. 2. Enterprise App Stores Explode…
…Not Necessarily In a Good Way
Risks:
– Apps have privileged access to corporate data
– Malware sent via links in SMS or downloaded
– Rogue apps can act as a key logger
– Vulnerabilities doubly problematic
16. 3: Bug Bounties Go Large
Glory, prizes and cash offered to crowd source finding security flaws in social networks, cloud apps, etc.
May give COTS an edge over open source
220 bugs found at OWASP’s November Hackathon
http://www.bugsheet.com/bug-bounties
17. 4: Developers Incentivized on Security Evolve
Status Quo: Developers primarily compensated for code completed on schedule
Enterprises experimenting with 10-20% of MBO based on vulnerability scores (HARM™ or CVE)
Intriguing…yet to be proven
18. 5: Increased Hacking Via Partner API
Programmable Web now lists >10,000 APIs
>100% compound annual growth.
http://blog.programmableweb.com/2013/10/26/hack-of-buffer-should-raise-security-concerns-for-all-api-providers/
19. 6: A Major Supply Chain Hack
An F1000 Enterprise will lose data or be vandalized via a partner’s application
Partners provide services, goods, distribution, marketing, & outsourcing.
An enterprise’s total app ecosystem may include hundreds of partner apps
The bigger brand will take the hit
20. 7: CSRF Crosses The Chasm
Vulnerability Prevalence ≠ Exploit Prevalence
– SQL Injection vulnerabilities were found in only 18% of apps¹, but from 2005-2011 were responsible for 83% of the records stolen²
– A famous 2005 incident (CardSystems Solutions) put SQL Injection on the map³.
Cross Site Request Forgery
– Caused by a lack of randomness in requests, which allows an attacker to predict the request format and exploit it
– Breaches can be innocuous or devastating
If one CSRF attack gets big headlines, it could be the new attack du jour.
1: https://info.cenzic.com/2013-Application-Security-Trends-Report.html
2: http://www.darkreading.com/views/lets-ask-why/240003593
3: http://www.csoonline.com/article/700263/the-15-worst-data-security-breaches-of-the-21st-century
21. 8: Mobile Hacking Goes Up
Projected MobileOS Data Volume Growth
22. 8: Mobile Hacking Goes Up
Mobile App Security Lags
– Mobile malware increasingly sophisticated
– BYOD/MDM challenges persist
Security measures so far:
– Sandbox enterprise apps on phone
– Virtualize apps
– Biometric authentication
– Mobile Application Firewall
– Geofencing
It’s unclear if they will limit breaches from application vulnerabilities.
23. 9. Hacking Prosecutions Will Go Up
First Ever Cybercrime RICO Trial Began
– Nov. 20, 2013
http://www.wired.com/threatlevel/2013/11/openmarket-trial-begins/
A hacker dealing in stolen credit cards is being charged with racketeering
If successful, others in his organization could be prosecuted for criminal conspiracy
This could dramatically expand the reach of cybercrime prosecution.
24. 10: Public Layer 7 Government Hack
A nation-state will be implicated in a large Layer 7 app breach…
Probably trying to steal credentials to target
– User sensitive info (dissident info)
– Financial info (for business advantage)
– Energy sector (critical infrastructure).
The most sophisticated actors are the nation states.
26. Internet of Things Resolutions
Bake application security into your IoT plans early!
27. Enterprise App Store Resolutions
Hold apps with privileged access to corporate data to the highest vulnerability testing standards.
Be 100% responsible for the security of your store apps…no one else will.
28. Mobile Resolutions
Encourage users to check the General Settings for new mobile apps to turn off unnecessary permissions.
Test mobile apps for vulnerabilities proportionately to their usage and data value
Evaluate Mobile Antivirus
Educate yourself
29. App Design Resolutions
Leverage anti-CSRF frameworks
Validate inputs
Implement tighter session management
Confirm your off-the-shelf application components have no known vulnerabilities before use
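The CSRF slide blames the flaw on a "lack of randomness in requests", and this slide's first resolution is to use an anti-CSRF framework; the synchronizer-token pattern those frameworks implement is shown below as an added example that is not part of the Cenzic deck. The in-memory session store, the `/transfer` form, and the `bank.example` origin are constructed stand-ins for a real application.

```python
import hmac
import re
import secrets

# Constructed in-memory session store (stand-in for a real session backend):
# session_id -> {"user": ..., "csrf_token": ...}
SESSIONS = {}
SITE_ORIGIN = "https://bank.example"  # hypothetical origin of the protected site


def create_session(user):
    """Log a user in and mint an unpredictable per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid):
    """The server embeds the session's token in every state-changing form it serves."""
    token = SESSIONS[sid]["csrf_token"]
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="to"><input name="amount"></form>')


def token_from_form(html):
    """What a legitimate browser does: submit the hidden field it was served."""
    m = re.search(r'name="csrf_token" value="([^"]+)"', html)
    return m.group(1) if m else ""


def handle_transfer(sid, form, origin=None):
    """POST /transfer handler. Returns (status, message).

    The browser attaches the session cookie to a cross-site request on its
    own, so the cookie proves nothing about who built the request. Only a
    request that also carries the secret, non-guessable token is accepted.
    """
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "no session"
    # Defence in depth: a form auto-submitted from another site arrives
    # with that site's Origin header, not ours.
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    submitted = form.get("csrf_token", "")
    # Constant-time compare on bytes (str compare_digest rejects non-ASCII input).
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403, "missing or invalid CSRF token"
    return 200, f"{session['user']} transferred {form['amount']} to {form['to']}"
```

A request whose format is fully known (same URL, same field names) still fails without the per-session token, which is exactly the randomness the slide says vulnerable apps lack.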
30. Partner Apps & API
Ensure Partners’ Web Services are tested and hardened for security with the same standards as your company-owned applications.
Note: Cenzic’s New Service Can Help
31. 3 Pillars of Enterprise App Security
Enterprise Application Security
– Pre-production & App Development
– Production
– Partner / Supply Chain
32. Detects Web & Mobile App Vulnerabilities
Easy-to-use Software, SaaS, or Managed Service
Accurate behavior-based Scanning protects
– 500,000+ online applications
– $Trillion+ of commerce
Delivers best continuous real-world Risk Management
33. Application Vulnerability Monitoring In Production
Identify Risk + Mitigate Risk
– One-click virtual patching via tight integration with leading Web Application Firewalls
34. Managed Services Offerings – At-a-glance
Tiers:
– Bronze: Industry Best Practices for brochureware sites
– Silver: Industry Best Practices for forms and login protected sites
– Gold: Compliance for sites with user data
– Platinum: Comprehensive scans for mission critical applications
Coverage areas compared across tiers:
– Phishing
– Light input validation
– Data Security
– Session management
– OWASP compliance
– PCI compliance
– Business logic testing
– Application logic testing
– Manual penetration testing
35. Cenzic Can Help
Train your people
Give them better gear
Have someone else carry the baton
36. Good Luck In The New Year!