Cenzic Live! Webinar: Top 10 Application Security
Predictions for 2014

Chris Harget

1
Agenda

• 2013 In Review
• 2014 Predictions
• New Year's Resolutions

2

Cenzic, Inc. - Confidential, All Rights Reserved.
2013 AppSec In Review

3
2013 Developments/News

4

160 Million Cards Stolen Via SQLi

5

Vulnerabilities Trended Down…
…Slightly

Source: Cenzic Application Vulnerability Trends Report 2013
6

OWASP Updated Its Top 10
• Broadening of URL access control flaws to now include actual application functions
• Expansion and merger of data-in-transit and data-at-rest flaws on both the server side and client side
• Addition of a new category of flaws, 'Using Components with Known Vulnerabilities', to include add-on and third-party software components (a common issue that's often overlooked in development and security)
• Re-prioritization of authentication/user session management and cross-site request forgery (CSRF)-related flaws
https://www.mavitunasecurity.com/blog/owasp-top-10-2013-review/
7
Compliance: Hello PCI 3.0

• Penetration testing activities (internal and external) must now follow an "industry-accepted penetration testing methodology," such as the specifically referenced NIST SP 800-115, Technical Guide to Information Security Testing and Assessment.
8
2013 Was Kind Of A Stormy Year

9

2014 AppSec Predictions

10
1. The Internet Of Things = App Risk²
• "The Internet of Things (or IoT for short) refers to uniquely identifiable objects and their virtual representations in an Internet-like structure."
  – http://en.wikipedia.org/wiki/Internet_of_things
• "A family of four will move from having 10 connected devices in 2012 to 25 in 2017 to 50 in 2022."
  – http://go.gigaom.com/rs/gigaom/images/GigaOMResearch_The_internet_of_things_report.pdf
• Many of these devices will be managed via apps
11
1. The Internet Of Things = App Risk²
• New Attack Surfaces Include:
  – Smart Televisions
  – Home Alarms
  – Smart Meters
  – Smartphone cameras and microphones
  – Security Cameras
  – Baby monitors
  – Medical Equipment
  – Supply Chain Goods
  – Smart Thermostats
  – Cars
12
1. The Internet Of Things = App Risk²
Top Ten Connected Applications in 2020 (Value to the Connected Life)

Connected Car                        $600 billion
Clinical Remote Monitoring           $350 billion
Assisted Living                      $270 billion
Home and Building Security           $250 billion
Pay-As-You-Drive Car Insurance       $245 billion
New Business Models for Car Usage    $225 billion
Smart Meters                         $105 billion
Traffic Management                   $100 billion
Electric Vehicle Charging            $75 billion
Building Automation                  $40 billion

http://www.gsma.com/newsroom/gsma-announces-the-business-impact-of-connected-devices-could-be-worth-us4-5-trillion-in-2020
13
2. Enterprise App Stores Explode…


14
2. Enterprise App Stores Explode…
• …Not Necessarily In a Good Way
• Risks:
  – Apps have privileged access to corporate data
  – Malware sent via links in SMS or downloaded
  – Rogue apps can act as a key logger
  – Vulnerabilities doubly problematic
15
3: Bug Bounties Go Large
• Glory, prizes and cash offered to crowd source finding security flaws in social networks, cloud apps, etc.
• May give COTS an edge over open source
• 220 Bugs found at OWASP's November Hackathon
http://www.bugsheet.com/bug-bounties
16
4: Developers Incentivized on Security Evolve
• Status Quo: Developers primarily compensated for code completed on schedule
• Enterprises experimenting with 10-20% of MBO based on vulnerability scores (HARM™ or CVE)
• Intriguing…yet to be proven
17
5: Increased Hacking Via Partner API
• Programmable Web now lists >10,000 APIs
• >100% compound annual growth.
http://blog.programmableweb.com/2013/10/26/hack-ofbuffer-should-raise-security-concerns-for-all-apiproviders/
18
6: A Major Supply Chain Hack
• An F1000 Enterprise will lose data or be vandalized via a partner's application
• Partners provide services, goods, distribution, marketing, & outsourcing.
• An enterprise's total app ecosystem may include hundreds of partner apps
• The bigger brand will take the hit
19
7: CSRF Crosses The Chasm

• Vulnerability Prevalence ≠ Exploit Prevalence
  – SQL Injection vulnerabilities were found in only 18% of apps¹, but from 2005-2011 were responsible for 83% of the records stolen²
  – A famous 2005 incident (Card Systems Solutions) put SQL Injection on the map³.
• Cross Site Request Forgery
  – Caused by a lack of randomness in requests that allows a hacker to predict the request format and exploit it
  – Breaches can be innocuous or devastating
• If one CSRF attack gets big headlines, it could be the new attack du jour.

1: https://info.cenzic.com/2013-Application-Security-Trends-Report.html
2: http://www.darkreading.com/views/lets-ask-why/240003593
3: http://www.csoonline.com/article/700263/the-15-worst-data-security-breaches-of-the-21st-century
20
8: Mobile Hacking Goes Up
Projected MobileOS Data Volume Growth

21

8: Mobile Hacking Goes Up
• Mobile App Security Lags
  – Mobile malware increasingly sophisticated
  – BYOD/MDM challenges persist
• Security measures so far:
  – Sandbox enterprise apps on phone
  – Virtualize apps
  – Biometric authentication
  – Mobile Application Firewall
  – Geofencing
• It's unclear if they will limit breaches from application vulnerabilities.
22
9. Hacking Prosecutions Will Go Up
• First Ever Cybercrime RICO Trial Began
  – Nov. 20, 2013
  http://www.wired.com/threatlevel/2013/11/openmarket-trial-begins/
• A hacker dealing in stolen credit cards is being charged with racketeering
• If successful, others in his organization could be prosecuted for criminal conspiracy
• This could dramatically expand the reach of cybercrime prosecution.
23
10: Public Layer 7 Government Hack
• A nation-state will be implicated in a large Layer 7 app breach…
• Probably trying to steal credentials to target
  – User sensitive info (dissident info)
  – Financial info (for business advantage)
  – Energy sector (critical infrastructure).
• The most sophisticated actors are the nation states.
24
Suggested AppSec New Year’s Resolutions

25
Internet of Things Resolutions

• Bake application security into your IoT plans early!
26
Enterprise App Store Resolutions

• Hold apps with privileged access to corporate data to the highest vulnerability testing standards.
• Be 100% responsible for the security of your store apps…no one else will.
27
Mobile Resolutions
• Encourage users to check the General Settings for new mobile apps to turn off unnecessary permissions.
• Test mobile apps for vulnerabilities proportionately to their usage and data value
• Evaluate Mobile Antivirus
• Educate yourself
28
App Design Resolutions

• Leverage anti-CSRF frameworks
• Validate inputs
• Implement tighter session management
• Confirm your off-the-shelf application components have no known vulnerabilities before use
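The CSRF slide earlier in the deck says the flaw comes from a lack of randomness that lets an attacker predict the request format, and this slide's resolutions ask for anti-CSRF frameworks and tighter session management. The following is an added example, not code from Cenzic or from the webinar, showing what an anti-CSRF framework does underneath: a synchronizer token that is unpredictable (256 bits from a CSPRNG), bound to a server-side session, rotated after login, and checked in constant time, alongside a strict same-origin check on the Origin/Referer header. The session store, the names (SESSIONS, create_session, validate_request) and the site origin https://app.example are this example's own assumptions.

```python
"""Synchronizer-token CSRF defense bound to a server-side session.

Added example; SESSIONS, create_session, validate_request and the
ALLOWED_ORIGIN value are assumptions made for this illustration.
"""
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed in-memory session store; a real application would keep
# this in its server-side session backend.
SESSIONS = {}

ALLOWED_ORIGIN = "https://app.example"  # assumed origin of our own site


def create_session():
    """Start a session with a random id and a random, per-session CSRF token."""
    sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: unguessable
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def rotate_csrf_token(sid):
    """Issue a fresh token (e.g. right after login) so a token obtained before
    authentication is useless afterwards; part of tighter session management."""
    SESSIONS[sid]["csrf_token"] = secrets.token_urlsafe(32)
    return SESSIONS[sid]["csrf_token"]


def csrf_token_for(sid):
    return SESSIONS[sid]["csrf_token"]


def render_form(sid):
    """Embed the token as a hidden field. The user's browser sends it back
    with the POST, but a page on another site cannot read it and therefore
    cannot build a request that passes validate_request()."""
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{csrf_token_for(sid)}">'
        '<input name="amount"><button>Send</button></form>'
    )


def _same_origin(url, allowed):
    """Compare scheme and host:port exactly; a string-prefix test would accept
    https://app.example.attacker as if it were https://app.example."""
    a, b = urlsplit(url), urlsplit(allowed)
    return bool(a.scheme) and (a.scheme, a.netloc) == (b.scheme, b.netloc)


def validate_request(sid, form_fields, headers, allowed_origin=ALLOWED_ORIGIN):
    """Decide whether a state-changing POST may proceed.

    Returns (accepted, reason). Both checks must pass: the request must
    originate from our own site, and it must carry the token bound to
    this session. Missing headers fail closed.
    """
    session = SESSIONS.get(sid)
    if session is None:
        return False, "no session"

    # Origin and Referer are written by the browser, not by page script,
    # so a cross-site page cannot set them to our origin.
    source = headers.get("Origin") or headers.get("Referer")
    if not source or not _same_origin(source, allowed_origin):
        return False, "origin mismatch"

    submitted = form_fields.get("csrf_token", "")
    # Constant-time comparison on bytes: a plain == would stop at the first
    # differing character and leak the token through timing differences.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return False, "csrf token mismatch"
    return True, "ok"


if __name__ == "__main__":
    sid = create_session()
    good = {"Origin": ALLOWED_ORIGIN}
    print(validate_request(sid, {"csrf_token": csrf_token_for(sid)}, good))
    print(validate_request(sid, {"csrf_token": csrf_token_for(sid)},
                           {"Origin": "https://attacker.example"}))
    print(validate_request(sid, {}, good))
```

The two checks are deliberately independent: the origin check is cheap and catches the common case, while the token check does not depend on headers that privacy tools sometimes strip. Rejecting a request that carries neither Origin nor Referer is the fail-closed choice; an application that must serve such clients should rely on the token check alone rather than skip both.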

29

Partner Apps & API

• Ensure Partners' Web Services are tested and hardened for security with the same standards as your company-owned applications.

Note: Cenzic's New Service Can Help
30
3 Pillars of Enterprise App Security

Enterprise Application Security:
• Pre-production & App Development
• Production
• Partner / Supply Chain
31

Detects Web & Mobile App Vulnerabilities
• Easy-to-use Software, SaaS, or Managed Service
• Accurate behavior-based Scanning protects
  – 500,000+ online applications
  – $Trillion+ of commerce
• Delivers best continuous real-world Risk Management
32
Application Vulnerability Monitoring In Production

Identify Risk + Mitigate Risk
• One-click virtual patching via tight integration with leading Web Application Firewalls
33
Managed Services Offerings – At-a-glance

Service tiers:
• Bronze: Industry Best Practices for Brochureware sites
• Silver: Industry Best Practices for forms and login protected sites
• Gold: Compliance for sites with user data
• Platinum: Comprehensive scans for Mission critical applications

Test categories covered across the tiers:
• Phishing
• Light input validation
• Data Security
• Session management
• OWASP compliance
• PCI compliance
• Business logic testing
• Application logic testing
• Manual penetration testing
34
Cenzic Can Help
• Train your people
• Give them better gear
• Have someone else carry the baton
35
Good Luck In The New Year!

36

Questions?
request@cenzic.com or 1.866-4-Cenzic
Blog: https://blog.cenzic.com
www.cenzic.com | 1-866-4-CENZIC (1-866-423-6942)

Más contenido relacionado

Destacado

Evolution in memory games
Evolution in memory gamesEvolution in memory games
Evolution in memory gamesDEVART
 
8 Reason You Need Mobile CRM
8 Reason You Need Mobile CRM8 Reason You Need Mobile CRM
8 Reason You Need Mobile CRMEnbu Consulting
 
SoulCRM Brochure
SoulCRM BrochureSoulCRM Brochure
SoulCRM BrochureSoulCRM
 
Ecommerce In Sri Lanka: Building An Experience That Customers Will Love
Ecommerce In Sri Lanka: Building An Experience That Customers Will LoveEcommerce In Sri Lanka: Building An Experience That Customers Will Love
Ecommerce In Sri Lanka: Building An Experience That Customers Will LoveAdnan Issadeen
 
CRCC Corporate Overview
CRCC Corporate OverviewCRCC Corporate Overview
CRCC Corporate OverviewBrett Payne
 
Introducing ProspectStream
Introducing ProspectStreamIntroducing ProspectStream
Introducing ProspectStreamProspectStream
 
NexJ CDM Overview: Better Understand Customers with NexJ Customer Data Manage...
NexJ CDM Overview: Better Understand Customers with NexJ Customer Data Manage...NexJ CDM Overview: Better Understand Customers with NexJ Customer Data Manage...
NexJ CDM Overview: Better Understand Customers with NexJ Customer Data Manage...NexJ Systems Inc.
 
Where the most popular Youtube stars are today
Where the most popular Youtube stars are todayWhere the most popular Youtube stars are today
Where the most popular Youtube stars are todaySimply Zesty Ltd
 
Maximize Computer Security With Limited Ressources
Maximize Computer Security With Limited RessourcesMaximize Computer Security With Limited Ressources
Maximize Computer Security With Limited RessourcesSecunia
 

Destacado (12)

Evolution in memory games
Evolution in memory gamesEvolution in memory games
Evolution in memory games
 
8 Reason You Need Mobile CRM
8 Reason You Need Mobile CRM8 Reason You Need Mobile CRM
8 Reason You Need Mobile CRM
 
SoulCRM Brochure
SoulCRM BrochureSoulCRM Brochure
SoulCRM Brochure
 
How to Hire a PR Firm
How to Hire a PR FirmHow to Hire a PR Firm
How to Hire a PR Firm
 
Ecommerce In Sri Lanka: Building An Experience That Customers Will Love
Ecommerce In Sri Lanka: Building An Experience That Customers Will LoveEcommerce In Sri Lanka: Building An Experience That Customers Will Love
Ecommerce In Sri Lanka: Building An Experience That Customers Will Love
 
Infocom webinar race car metaphore
Infocom webinar   race car metaphoreInfocom webinar   race car metaphore
Infocom webinar race car metaphore
 
CRCC Corporate Overview
CRCC Corporate OverviewCRCC Corporate Overview
CRCC Corporate Overview
 
Introducing ProspectStream
Introducing ProspectStreamIntroducing ProspectStream
Introducing ProspectStream
 
NexJ CDM Overview: Better Understand Customers with NexJ Customer Data Manage...
NexJ CDM Overview: Better Understand Customers with NexJ Customer Data Manage...NexJ CDM Overview: Better Understand Customers with NexJ Customer Data Manage...
NexJ CDM Overview: Better Understand Customers with NexJ Customer Data Manage...
 
Where the most popular Youtube stars are today
Where the most popular Youtube stars are todayWhere the most popular Youtube stars are today
Where the most popular Youtube stars are today
 
Nonprofit Special Events
Nonprofit Special EventsNonprofit Special Events
Nonprofit Special Events
 
Maximize Computer Security With Limited Ressources
Maximize Computer Security With Limited RessourcesMaximize Computer Security With Limited Ressources
Maximize Computer Security With Limited Ressources
 

Más de Cenzic

Continuous Monitoring for Web Application Security
Continuous Monitoring for Web Application SecurityContinuous Monitoring for Web Application Security
Continuous Monitoring for Web Application SecurityCenzic
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Cenzic
 
Ians cenzic webinar
Ians cenzic webinarIans cenzic webinar
Ians cenzic webinarCenzic
 
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22Cenzic
 
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads:  How To Avoid Getting a Cap Popped in Your App Drive By Downloads:  How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App Cenzic
 
Security in the cloud protecting your cloud apps
Security in the cloud   protecting your cloud appsSecurity in the cloud   protecting your cloud apps
Security in the cloud protecting your cloud appsCenzic
 
AJAX: How to Divert Threats
AJAX:  How to Divert ThreatsAJAX:  How to Divert Threats
AJAX: How to Divert ThreatsCenzic
 

Más de Cenzic (7)

Continuous Monitoring for Web Application Security
Continuous Monitoring for Web Application SecurityContinuous Monitoring for Web Application Security
Continuous Monitoring for Web Application Security
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...
 
Ians cenzic webinar
Ians cenzic webinarIans cenzic webinar
Ians cenzic webinar
 
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
 
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads:  How To Avoid Getting a Cap Popped in Your App Drive By Downloads:  How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
 
Security in the cloud protecting your cloud apps
Security in the cloud   protecting your cloud appsSecurity in the cloud   protecting your cloud apps
Security in the cloud protecting your cloud apps
 
AJAX: How to Divert Threats
AJAX:  How to Divert ThreatsAJAX:  How to Divert Threats
AJAX: How to Divert Threats
 

Último

UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 

Último (20)

20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 

Top 10 Application Security Predictions for 2014

  • 1. Cenzic Live! Webinar: Top 10 Application Security Predictions for 2014 Chris Harget 1
  • 2. Agenda  2013 In Review  2014 Predictions  New Year’s Resolutions 2 Cenzic, Inc. - Confidential, All Rights Reserved.
  • 3. 2013 AppSec In Review 3
  • 4. 2013 Developments/News 4 Cenzic, Inc. - Confidential, All Rights Reserved.
  • 5. 160 Million Cards Stolen Via SQLi 5 Cenzic, Inc. - Confidential, All Rights Reserved.
  • 6. Vulnerabilities Trended Down… …Slightly Source: Cenzic Application Vulnerability Trends Report 2013 6 Cenzic, Inc. - Confidential, All Rights Reserved.
  • 7. OWASP Updated Its Top 10  Broadening of URL access control flaws to now include actual application functions  Expansion and merger of data-in-transit and data-atrest flaws on both the server side and client side  Addition of a new category of flaws ‘Using Components with Known Vulnerabilities’ to include add-on and third-party software components (a common issue that’s often overlooked in development and security)  Re-prioritization of authentication/user session management and cross-site request forgery (CSRF)related flaws https://www.mavitunasecurity.com/blog/owasp-top-10-2013-review/ 7 Cenzic, Inc. - Confidential, All Rights Reserved.
  • 8. Compliance: Hello PCI 3.0  Penetration testing activities (internal and external) now must follow an "industry-accepted penetration testing methodology," such as that specifically referenced NIST SP 800-115, Technical Guide to Information Security Testing and Assessment. 8 Cenzic, Inc. - Confidential, All Rights Reserved.
  • 9. 2013 Was Kind Of A Stormy Year = 9 Cenzic, Inc. - Confidential, All Rights Reserved.
  • 11. 1.The Internet Of Things = App Risk2  “The Internet of Things (or IoT for short) refers to uniquely identifiable objects and their virtual representations in an Internet-like structure.” – http://en.wikipedia.org/wiki/Internet_of_things  “A family of four will move from having 10 connected devices in 2012 to 25 in 2017 to 50 in 2022.” – http://go.gigaom.com/rs/gigaom/images/GigaOMResearch_The_internet_of_things_report.pdf  Many of these devices will be managed via apps 11 Cenzic, Inc. - Confidential, All Rights Reserved.
  • 12. 1.The Internet Of Things = App Risk2  New Attack Surfaces Include: – Smart Televisions – Home Alarms – Smart Meters – Smartphone cameras and microphones – Security Cameras – Baby monitors – Medical Equipment – Supply Chain Goods – Smart Thermostats – Cars 12 Cenzic, Inc. - Confidential, All Rights Reserved.
  • 13. 1.The Internet Of Things = App Risk2 Top Ten Connected Applications in 2020 Value to the Connected Life Connected Car $600 billion Clinical Remote Monitoring $350 billion Assisted Living $270 billion Home and Building Security $250 billion Pay-As-You-Drive Car Insurance $245 billion New Business Models for Car Usage $225 billion Smart Meters Traffic Management Electric Vehicle Charging Building Automation $105 billion $100 billion $75 billion $40 billion http://www.gsma.com/newsroom/gsma-announces-the-business-impact-of-connected-devices-could-be-worth-us4-5-trillion-in-2020 13 Cenzic, Inc. - Confidential, All Rights Reserved.
  • 14. 2. Enterprise App Stores Explode… Cenzic, Inc. - Confidential, All Rights Reserved. 14
  • 15. 2. Enterprise App Stores Explode…  …Not Necessarily In a Good Way  Risks: – Apps have privileged access to corporate data – Malware sent via links in SMS or downloaded – Rogue apps can act as a key logger – Vulnerabilities doubly problematic 15 Cenzic, Inc. - Confidential, All Rights Reserved.
  • 16. 3: Bug Bounties Go Large  Glory, prizes and cash offered to crowd source finding security flaws in social networks, cloud apps, etc.  May give COTS an edge over open source  220 Bugs found at OWASP’s November Hackathon 16 Cenzic, Inc. - Confidential, All Rights Reserved. http://www.bugsheet.com/bug-bounties
  • 17. 4: Developers Incentivized on Security Evolve  Status Quo: Developers primarily compensated for code completed on schedule  Enterprises experimenting with 10-20% of MBO based on vulnerability scores (HARM™ or CVE)  Intriguing…yet to be proven 17 Cenzic, Inc. - Confidential, All Rights Reserved.
  • 18. 5: Increased Hacking Via Partner API  Programmable Web now lists >10,000 APIs  >100% compound annual growth. http://blog.programmableweb.com/2013/10/26/hack-ofbuffer-should-raise-security-concerns-for-all-apiproviders/ 18 Cenzic, Inc. - Confidential, All Rights Reserved.
  • 19. 6: A Major Supply Chain Hack  An F1000 Enterprise will lose data or be vandalized via a partner’s application  Partners provide services, goods, distribution, marketing, & outsourcing.  An enterprise’s total app ecosystem may include hundreds of partner apps  The bigger brand will take the hit 19 Cenzic, Inc. - Confidential, All Rights Reserved.
  • 20. 7: CSRF Crosses The Chasm = Exploit Prevalence of apps , but – SQL Injection vulnerabilities were found in only 18%  Vulnerability Prevalence 1 from 2005-2011 were responsible for 83% of the records stolen2 – A famous 2005 incident (Card Systems Solutions) put SQL Injection on the map3.  Cross Site Request Forgery – Caused by a lack of randomness in requests that allows hacker to predict the request format and exploit it – Breaches can be innocuous or devastating  If one CSRF attack gets big headlines, could be the new attack du jour.   2: http://www.darkreading.com/views/lets-ask-why/240003593  20 1: https://info.cenzic.com/2013-Application-Security-Trends-Report.html 3: http://www.csoonline.com/article/700263/the-15-worst-data-security-breaches-of-the-21st-century Cenzic, Inc. - Confidential, All Rights Reserved.
  • 21. 8: Mobile Hacking Goes Up Projected MobileOS Data Volume Growth 21 Cenzic, Inc. - Confidential, All Rights Reserved.
• 22. 8: Mobile Hacking Goes Up  Mobile app security lags – Mobile malware is increasingly sophisticated – BYOD/MDM challenges persist  Security measures so far: – Sandbox enterprise apps on the phone – Virtualize apps – Biometric authentication – Mobile application firewall – Geofencing  It is unclear whether any of these will limit breaches caused by vulnerabilities in the application itself.
• 23. 9: Hacking Prosecutions Will Go Up  First-ever cybercrime RICO trial began Nov. 20, 2013 http://www.wired.com/threatlevel/2013/11/openmarket-trial-begins/  A hacker dealing in stolen credit cards is being charged with racketeering under RICO  If successful, others in his organization could be prosecuted for criminal conspiracy  This could dramatically expand the reach of cybercrime prosecution.
• 24. 10: Public Layer 7 Government Hack  A nation-state will be implicated in a large Layer 7 (application-layer) breach…  Probably trying to steal credentials in order to target – Sensitive user info (dissident info) – Financial info (for business advantage) – The energy sector (critical infrastructure)  The most sophisticated actors are the nation-states.
• 25. Suggested AppSec New Year's Resolutions
• 26. Internet of Things Resolutions  Bake application security into your IoT plans early!
• 27. Enterprise App Store Resolutions  Hold apps with privileged access to corporate data to the highest vulnerability testing standards.  Be 100% responsible for the security of your store's apps…no one else will be.
• 28. Mobile Resolutions  Encourage users to check the settings of new mobile apps and turn off unnecessary permissions.  Test mobile apps for vulnerabilities in proportion to their usage and the value of the data they handle  Evaluate mobile antivirus  Educate yourself
• 29. App Design Resolutions  Leverage anti-CSRF frameworks  Validate inputs  Implement tighter session management  Confirm your off-the-shelf application components have no known vulnerabilities before use
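The CSRF mechanism described on the "CSRF Crosses The Chasm" slide and the anti-CSRF and session-management resolutions above, worked through as an added example (editor's code, not code from the Cenzic deck or from any anti-CSRF framework). A money-transfer handler that trusts the session cookie alone sits beside a hardened version that also requires a per-session synchronizer token and an exact-match Origin check. The origins bank.example and evil.example, the session store, the Request type and the handler names are constructed assumptions; no web framework is used so the logic runs stand-alone.

```python
"""Synchronizer-token CSRF defence: a vulnerable handler beside a hardened one.

Added example for this page, not code from the Cenzic deck. SITE_ORIGIN, the
attacker origin, SESSIONS, Request and the handler names are constructed
assumptions for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"   # assumed origin of the protected app
SESSIONS = {}                          # session id -> {"user", "csrf"} (in-memory stand-in)


@dataclass
class Request:
    """The parts of an HTTP request the handlers look at."""
    method: str
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def login(user):
    """Create a session and mint a per-session CSRF token; returns the cookie value."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid):
    """Server-rendered form: the token lives in a page only same-origin scripts can read."""
    token = SESSIONS[sid]["csrf"]
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="to"><input name="amount"><button>Send</button></form>')


def session_for(req):
    return SESSIONS.get(req.cookies.get("sid"))


def origin_of(url):
    """Reduce an Origin or Referer value to scheme://host[:port] for exact comparison."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def handle_transfer_vulnerable(req):
    """Authenticates by cookie alone; the browser attaches that cookie to cross-site POSTs too."""
    sess = session_for(req)
    if req.method != "POST" or sess is None:
        return 403, "not logged in"
    return 200, f"{sess['user']} sent {req.form['amount']} to {req.form['to']}"


def handle_transfer_hardened(req):
    """Same action, but the request must prove it came from our own page."""
    sess = session_for(req)
    if req.method != "POST" or sess is None:
        return 403, "not logged in"
    # Check 1: if the browser sent Origin (or Referer), it must equal our origin exactly.
    # Exact match, not a prefix match, so https://bank.example.evil.example is rejected.
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if source is not None and origin_of(source) != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    # Check 2: the token bound to this session, compared in constant time.
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), sess["csrf"].encode()):
        return 403, "missing or invalid CSRF token"
    return 200, f"{sess['user']} sent {req.form['amount']} to {req.form['to']}"


def forged_request(victim_sid):
    """What arrives when a page on https://evil.example auto-submits a form to /transfer.

    The browser adds the victim's cookie by itself; the attacker cannot read the token
    out of bank.example's page (same-origin policy), so the forged form carries none.
    """
    return Request("POST", {"sid": victim_sid},
                   {"to": "attacker", "amount": "1000"},
                   {"Origin": "https://evil.example"})


def legit_request(sid):
    """The same POST submitted from the form the bank served to this session."""
    token = SESSIONS[sid]["csrf"]
    return Request("POST", {"sid": sid},
                   {"to": "bob", "amount": "10", "csrf_token": token},
                   {"Origin": SITE_ORIGIN})


def demo():
    """Run both handlers against a forged and a legitimate request; returns status codes."""
    sid = login("alice")
    return {
        "vulnerable_forged": handle_transfer_vulnerable(forged_request(sid))[0],
        "hardened_forged": handle_transfer_hardened(forged_request(sid))[0],
        "hardened_legit": handle_transfer_hardened(legit_request(sid))[0],
    }


if __name__ == "__main__":
    print(demo())   # {'vulnerable_forged': 200, 'hardened_forged': 403, 'hardened_legit': 200}
```

The token is stored in the session rather than derived from anything the attacker can guess, which is exactly the "randomness in requests" the slide says CSRF-prone apps lack; binding it to the session also means a token lifted from one session is useless against another. The Origin check is a second, independent gate: it is cheap, but browsers do not always send the header, so the token remains the check that must never be skipped.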
• 30. Partner Apps & APIs  Ensure partners' web services are tested and hardened for security to the same standards as your company-owned applications. Note: Cenzic's new service can help
• 31. 3 Pillars of Enterprise App Security – Pre-production & app development – Production – Partner / supply chain
• 32. Detects Web & Mobile App Vulnerabilities  Easy-to-use software, SaaS, or managed service  Accurate behavior-based scanning protects – 500,000+ online applications – $Trillion+ of commerce  Delivers best continuous real-world risk management
• 33. Application Vulnerability Monitoring In Production  Identify risk + mitigate risk  One-click virtual patching via tight integration with leading Web Application Firewalls
• 34. Managed Services Offerings – At-a-glance  Bronze: industry best practices for brochureware sites  Silver: industry best practices for forms and login-protected sites  Gold: compliance for sites with user data  Platinum: comprehensive scans for mission-critical applications  Test coverage compared across the four tiers: phishing, light input validation, data security, session management, OWASP compliance, PCI compliance, business logic testing, application logic testing, manual penetration testing
• 35. Cenzic Can Help  Train your people  Give them better gear  Have someone else carry the baton
• 36. Good Luck In The New Year!
• 37. Questions? request@cenzic.com or 1-866-4-CENZIC  Blog: https://blog.cenzic.com  www.cenzic.com | 1-866-4-CENZIC (1-866-423-6942)