The global security landscape is changing, now more than ever. With cloud computing gaining momentum and advanced persistent threats becoming a common occurrence, the industry is taking a more focused and serious approach, especially after some of last years' heavily publicized cyber breaches. Join this session for a high-level overview on the industry trends in the area of web application security, and find out why security is bound to become a hot topic in any organization developing or using web applications.

1. Tudor Damian
Executive Manager @ Avaelgo
The state of web applications (in)security

2. Tudor Damian
• Executive Manager @ Avaelgo
• IT Advisory Services
• Microsoft Gold Cloud Platform Partner
• Consulting, Software Development, Tech Support, Security, Training
• Co-founder @ ITCamp & ITCamp Community
• Cloud and Datacenter Management MVP (Microsoft)
• Certified Ethical Hacker (EC-Council)
• Certified Security Professional (CQURE)
• Contact: tudor.damian@avaelgo.ro / @tudydamian / tudy.tel

3. VIDEO
Source: Microsoft Ignite 2016 Keynote (Atlanta, Sep 2016)
https://vimeo.com/191623226

5. Video summary
• 75% of CEOs see rising risks from technology
• On average, it takes 200 days to detect a security breach, and
another 80 days to recover from it
• The average cost per security incident is around $12 million
• Estimated loss in productivity and growth: $3 trillion
• User endpoints are the target of most cyber attacks

6. Discovery time for cyber attacks worldwide (2013)
Hours, 9%
Days, 8%
Weeks, 16%
Months, 62%
Years, 5%
Source: Verizon

7. Cyber attacks against US companies (2014)
VIRUSES, WORMS, TROJANS
MALWARE
BOTNETS
WEB-BASED ATTACKS
MALICIOUS CODE
PHISHING AND SOCIAL ENGINEERING
MALICIOUS INSIDERS
STOLEN SERVICES
DENIAL OF SERVICE
100%
97%
76%
61%
46%
44%
41%
37%
34%
Source: Ponemon Institute; Hewlett-Packard (HP Enterprise Security)

8. Lack of security professionals
• CISCO, 2014
• There are more than 1 million unfilled security jobs worldwide
• (ISC)² study, 2015
• A shortfall of 1.5 million security professionals is estimated by 2020
Sources:
http://www.cisco.com/web/offer/gist_ty2_asset/Cisco_2014_ASR.pdf
http://blog.isc2.org/isc2_blog/2015/04/isc-study-workforce-shortfall-due-to-hiring-difficulties-despite-rising-salaries-increased-budgets-a.html

9. “Mega-breaches” made public in 2016
• Myspace (2007-2012), 427 mil passwords
• Fling (2011), 40 mil passwords
• LinkedIn (2012), 164 mil passwords
• VK.com (2012), 100 mil passwords in cleartext
• Dropbox (2012), 68 mil passwords
• Tumblr (2013), 65 mil passwords
• Yahoo (2014), 500 mil users’ data
• FriendFinder (2016), 400 million accounts
More on https://haveibeenpwned.com/PwnedWebsites

10. The Browser Wars – Malware Detection
• Security study on 8 browsers from 2014
• 657 samples of socially engineered malware (SEM)
• Block rates ranged from 99.9% to 4.1%
Source: https://www.nsslabs.com/reports/browser-security-comparative-analysis-report-socially-engineered-malware

11. The Browser Wars – Pwn2Own
• Sandbox escapes or 3rd party code execution found in:
• Internet Explorer
• Microsoft Edge
• Mozilla Firefox
• Google Chrome
• Adobe Flash
• Adobe Reader XI
• Apple Safari on Mac OS X
• Windows
• OS X
• 2014 - $850.000 total prize money, paid to 8 entrants
• 2015 - $557.500 total prize money, paid to 6 entrants
• 2016 - $460.000 total prize money Sources:
http://www.eweek.com/security/pwn2own-2014-claims-ie-chrome-safari-and-more-firefox-zero-days.html
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2015-Day-One-results/ba-p/6722204
http://www.securityweek.com/pwn2own-2016-hackers-earn-460000-21-new-flaws

12. Current state of web applications
• 55% of apps have at least one high-severity vulnerability
• Up 9% in 12 months
• Ex: XSS, SQL Injection
• 84% of apps have at least one medium-severity vulnerability
• Ex: CSRF
• Vulnerable JS libraries have more than doubled since 2015
• 95% of web app breaches were financially motivated
• 68% of funds lost as a result of a cyber attack were declared unrecoverable
• 35% of websites still rely on SHA-1
• Certificates with SHA-1 no longer issued after Jan 1st, 2016
• Certificates will trigger an error in browsers starting on Jan 1st, 2017 Sources:
http://www.darkreading.com/operations/as-deadline-looms-35-percent-of-web-sites-still-rely-on-sha-1/d/d-id/1327522
http://www.acunetix.com/acunetix-web-application-vulnerability-report-2016/
http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/

13. Current state of web applications
• In 2013, it was estimated that nearly 30.000 websites were infected
with malware every day
• 45% of breaches exceed $500.000 in losses
• In 56% of cases of website data or system breach, no one was held
accountable
• Organizations with accountability – 33% remediation rate
• Organizations without accountability – 24% remediation rate
• There’s very little evidence of “best-practices” being used in web
application security
• Social engineering and insider attacks are on the rise
Sources:
http://www.forbes.com/sites/jameslyne/2013/09/06/30000-web-sites-hacked-a-day-how-do-you-host-yours/
https://info.whitehatsec.com/rs/whitehatsecurity/images/2015-Stats-Report.pdf

14. Vulnerable web applications (%)
1
2
3
3
3
4
6
7
9
10
13
15
23
23
27
27
33
43
59
0 10 20 30 40 50 60 70
SERVER-SIDE REQUEST FORGERY
FILE INCLUSION
DIRECTORY TRAVERSAL
DNS RELATED VULNERABILITIES
MAIL RELATED VULNERABILITIES
WEAK PASSWORDS
CODE EXECUTION
OVERFLOW VULNERABILITIES
HOST HEADER INJECTION
SOURCE SCRIPT DISCLOSURE
SSH RELATED VULNERABILITIES
DIRECTORY LISTING
SQL INJECTION
TLS/SSL RELATED VULNERABILITIES
VULNERABLE JS LIBRARIES
SLOW HTTP DOS
CROSS-SITE SCRIPTING
DOS RELATED VULNERABILITIES
CROSS-SITE REQUEST FORGERY
Source: http://www.acunetix.com/acunetix-web-application-vulnerability-report-2016/

15. Top 10 threats in web app breaches
Hacking - use of stolen creds
Hacking - use of backdoor or C2
Social - Phising
Malware - Spyware/Keylogger
Malware - C2
Malware - Export Data
Hacking - SQLi
Malware - Backdoor
Hacking - RFI
Brute Force
Source: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/

16. How much time does security get?
An attacker has 24x7x365 to attack you
Attacker Schedule
Time
The defender has 20 (?) man days per year to detect and defend
Who has the edge? 
Scheduled
Pen-Test
Scheduled
Pen-Test

17. Two weeks of
ethical hacking
Ten man-years of
development
Business
Logic Flaws
Code
Flaws
Security
Errors
An inconvenient truth

18. Software in a Perfect World
Intended
Functionality
Actual
Functionality

19. Software in the Real World
Intended
Functionality
Actual
Functionality
Unintended
And Undocumented
Functionality
Built
Features
Bugs

20. Implementing Security within SDL
Design
Governance
•Policy & Compliance
•Education and Guidance
•Strategy and Metrics
Intelligence
•Attack Models
•Threat Assessment
•Security Requirements
•Security Architecture
Implementation
Security Features and
Design
Architecture Analysis
Coding Standards
Verification
Attack Surface Review
Code Review
Security Testing
Deployment
Software Environment
Configuration Management
Vulnerability Management
Operation
Environment Hardening
Operational Compliance
Enablement

21. “Prevent Breach” approach – obsolete?
• In today’s world, when dealing with a cybersecurity breach,
there’s 4 essential questions you need to be able to answer:
• What did the attack do?
• How did it get here?
• Where did it spread?
• What’s the risk to me, my company and my customers?
• Trying to do this retroactively is unproductive, it takes time,
and significantly affects your company

22. Prevent & Assume Breach
Prevent Breach – A methodical Secure Development
Lifecycle and Operational Security minimizes probability of
exposure
Assume Breach – Identifies & addresses potential gaps in
security:
• Ongoing live site testing of security response plans
improves mean time to detection and recovery
• Bug bounty program encourages security researchers in
the industry to discover and report vulnerabilities
• Reduce exposure to internal attack (once inside,
attackers do not have broad access)
• Latest threat intelligence to prevent breaches and to
test security response plans
• State of the art security monitoring and response
Security monitoring and response
Prevent breach
• Secure Development Lifecycle
• Operational Security
Assume breach
• Bug Bounty Program
• War game exercises
• Live site penetration testing
Threat intelligence

23. Assume Breach - a change in mindset
• We have to stop focusing on preventing a data breach and
start assuming the breach has already happened
• Currently: a one-sided, purely preventative strategy
• Future: emphasis on breach detection, incident response, and
effective recovery
• Start thinking about the time when a breach will (almost inevitably)
occur in your infrastructure
• Be prepared for that!

24. • MTTC – Mean Time to Compromise
• MTTP – Mean Time to Privilege Escalation or “Pwnage”
• MTTD - Mean Time to Detection
• MTTR - Mean Time to Recovery
Red Team vs. Blue Team
Gather Detect Alert Triage Context Plan Execute
Recon Delivery Foothold Persist Move Elevate Exfiltrate

25. What did we learn?
• Security breaches take months to be detected
• All companies are being attacked, whether they know it or not
• There’s a severe lack of security professionals worldwide
• Current security issues are not known or simply ignored
• 50-80% of web apps have serious security issues
• Investments in security are quite rare and low in value
• Trying to prevent a data breach is no longer enough

26. What to do next?
• Implement a Secure Development Lifecycle
• Security in Design, Coding, Testing/QA, Deployment, Operation
• Invest more in Operational Security
• Create a bug bounty program
• Run wargame exercises (Red vs Blue)
• Do live site penetration testing
• Invest in security monitoring, detection and response
• Tap into existing industry threat intelligence
• e.g. http://map.norsecorp.com/

27. Tudor Damian
• Executive Manager @ Avaelgo
• IT Advisory Services
• Microsoft Gold Cloud Platform Partner
• Consulting, Software Development, Tech Support, Security, Training
• Co-founder @ ITCamp & ITCamp Community
• Cloud and Datacenter Management MVP (Microsoft)
• Certified Ethical Hacker (EC-Council)
• Certified Security Professional (CQURE)
• Contact: tudor.damian@avaelgo.ro / @tudydamian / tudy.tel