sumnevaSERT Presentation
2. AGENDA
• Overview
• Demonstration
• Summary
2 Copyright © 2010 Sumneva - All Rights Reserved - http://sumneva.com - info@sumneva.com
3. Overview
4. INSECURITIES
• We live in a time when the security of data is the most emphasized yet least practiced discipline
• WikiLeaks
• HBGary
• Epsilon
• Unfortunately, adding security to our applications is almost always event-driven or reactive
5. CUSTOMER DEMAND
• Despite this, we’re all tasked with quickly developing applications for our customers/clients
• Often we take shortcuts and leave things out, like security
• Not because we want to, but because we have to
6. EXCUSES, EXCUSES...
• We make many, many excuses to ourselves as to why we didn’t adequately secure our applications:
• Not enough time
• No one cares about the data/application
• It’s “internal only”
• Our users are not smart enough to do anything malicious
• False sense of security
7. RECIPE FOR DISASTER
• Given:
• The stress of getting our applications released quickly
• The lack of time we have to do so
• Our applications - APEX & otherwise - are likely to have security vulnerabilities that we could easily fix
• If we only knew what they were and had the time...
8. SUMNEVASERT
• sumnevaSERT: Security Evaluation & Review Tool
• An APEX application designed to evaluate other APEX applications and identify potential security issues
• Supports APEX 4.0+
• Runs on any edition of the database
• Can be easily customized to meet your specific security and/or QA requirements
9. HOW IT WORKS
• sumnevaSERT uses a simple scoring and red light/green light approach to evaluate your application against a number of pre-defined criteria (attributes)
• Each attribute evaluated either passes or fails
• A pass yields a point; a failure yields none
• Each application gets a score from the results of evaluating its attributes
• Shown as a percentage as well as X of Y points
10. HOW IT WORKS
(Screenshot callouts:) An authorization scheme was expected but not found, so this attribute failed.
The developer can click on Fix and see step-by-step instructions.
11. WHAT IT LOOKS FOR
• sumnevaSERT ships with a set of attributes that inspect APEX applications for the following:
• Application Settings
• Session Timeout
• Security Attributes
• Schema Properties
• SQL Injection
• Cross Site Scripting
• Session State Protection
• Unrestricted Items
• Encrypted Items
• Page Access
• Form Autocomplete
• Authorization Schemes
12. ONE SIZE DOESN’T FIT ALL
• If you need additional attributes inspected, you can customize sumnevaSERT as much as you like
• sumnevaSERT supports a number of rule types:
• NULL/NOT NULL
• List of Valid Values
• Less Than/Greater Than
• PL/SQL
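The pass/fail scoring from the "How it works" slides and the four rule types listed just above can be reproduced by hand against the APEX dictionary views. The following is an added example written for this page, not sumnevaSERT's own code: one check per rule type (NULL/NOT NULL, list of valid values, less than/greater than, and a free-form expression standing in for the PL/SQL type), each yielding 1 (pass) or 0 (fail), then rolled up per application into the X-of-Y points and percentage the deck describes. Assumptions: the APEX 4.x dictionary views APEX_APPLICATIONS, APEX_APPLICATION_PAGES, APEX_APPLICATION_PAGE_ITEMS and APEX_APPLICATION_PAGE_REGIONS with the column and display values named in the comments (the spelling of the protection-level values in particular), a 30-minute idle timeout as the threshold, application 100 as a placeholder, and that it runs from the workspace schema that owns the applications being scored. The view name sert_checks is my own.

```sql
-- Added example for this page, not sumnevaSERT's own code.
-- Assumed: APEX 4.x dictionary views and the column/display values named
-- below; run as the workspace schema that owns the applications.
-- One row per (application, attribute, subject): passed = 1 or 0.
CREATE OR REPLACE VIEW sert_checks AS
-- NULL/NOT NULL rule: a page that requires authentication must also name an
-- authorization scheme (the failure shown on slide 10).
SELECT p.application_id,
       'Authorization scheme present'             AS attribute,
       'Page ' || p.page_id || ' ' || p.page_name AS subject,
       CASE WHEN p.authorization_scheme IS NOT NULL THEN 1 ELSE 0 END AS passed
  FROM apex_application_pages p
 WHERE p.page_requires_authentication = 'Yes'      -- assumed display value
UNION ALL
-- List of Valid Values rule: page access protection must be one of the
-- checksum-enforcing settings; 'Unrestricted' fails.
SELECT p.application_id,
       'Page access protection',
       'Page ' || p.page_id,
       CASE WHEN p.page_access_protection IN ('Arguments Must Have Checksum',
                                               'No Arguments Allowed',
                                               'No URL Access') THEN 1 ELSE 0 END
  FROM apex_application_pages p
UNION ALL
-- Same rule type for items: an 'Unrestricted' item can be set from the URL.
-- A NULL protection level also fails (the <> comparison yields NULL, not 1).
SELECT i.application_id,
       'Item session state protection',
       'Page ' || i.page_id || ' ' || i.item_name,
       CASE WHEN i.item_protection_level <> 'Unrestricted' THEN 1 ELSE 0 END
  FROM apex_application_page_items i
UNION ALL
-- Less Than/Greater Than rule: idle timeout must be set and no longer than
-- 30 minutes (1800 s is this example's threshold, not a sumnevaSERT default).
SELECT a.application_id,
       'Session idle timeout',
       'Application',
       CASE WHEN a.maximum_session_idle_time_sec BETWEEN 1 AND 1800 THEN 1 ELSE 0 END
  FROM apex_applications a
UNION ALL
-- PL/SQL rule: any expression you can write. Here, a region whose SQL source
-- splices in a substitution string (&P1_ITEM.) builds SQL by concatenation,
-- which is the injection pattern the "SQL Injection" attribute is after.
SELECT r.application_id,
       'No substitution strings in region SQL',
       'Page ' || r.page_id || ' ' || r.region_name,
       CASE WHEN REGEXP_LIKE(r.region_source, '&[A-Z0-9_]+\.') THEN 0 ELSE 1 END
  FROM apex_application_page_regions r
 WHERE r.region_source IS NOT NULL;

-- Detail view: every failed attribute for one application (100 is a placeholder).
SELECT attribute, subject
  FROM sert_checks
 WHERE application_id = 100
   AND passed = 0
 ORDER BY attribute, subject;

-- Score per application: X of Y points and a percentage, as on slide 9.
SELECT application_id,
       SUM(passed) || ' of ' || COUNT(*) || ' points' AS points,
       ROUND(100 * SUM(passed) / COUNT(*))           AS pct
  FROM sert_checks
 GROUP BY application_id
 ORDER BY pct;
```

If you run this in SQL*Plus or SQLcl, issue SET DEFINE OFF first; otherwise the & in the regular expression is taken as a substitution variable and the client prompts for a value. Adding a rule is a matter of appending another UNION ALL branch that returns the same four columns, which is the shape a custom attribute set takes.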
13. MULTI-PURPOSE
• Thus, you can create your own attribute set(s) for specific purposes, for example:
• General Security Attributes
• A general set of attributes that must be met, and a minimum score that must be achieved
• Application with Sensitive Data
• Look for specific columns in reports and flag them for follow-up
• Minimal Configuration Signature
• Applications must use a specific authentication scheme, etc.
14. sumnevaSERT Demonstration
15. Summary
16. THE REALITY
• sumnevaSERT will identify most of the security weaknesses that hackers and malicious users alike look for in APEX applications, and provide step-by-step instructions to fix them
• But it will not secure everything
• There’s no such thing as a silver bullet of any sort...
• You still need a strong overall security policy:
• Strong Passwords
• Physical Access Control
• Code Audits
• Best Practices
17. AVAILABILITY
• Initial release in Beta now
• Still accepting beta customers - contact us for details
• Targeted release of June 2011
• Will support APEX 4.0+
18. LICENSING
• Per instance of APEX
• Can run on as many applications as you like, in as many workspaces as you like, in a single instance of APEX
• Contact us for details & pricing
• sales@sumneva.com
• +1 (703) 879-4615
• http://www.sumneva.com/sert
19. http://sumneva.com