8. Cost Increases Later in the Lifecycle Security is Addressed Cost to Fix dramatically increases the longer you wait to test
9. Web Application Vulnerabilities Without any protection, holes and backdoors exist at every layer waiting to be exploited Web Server User Interface Code Frontend Application Backend Application Database Data Invalid Data can exploit weakness in the application acting as escape holes resulting in access to unauthorized accounts, O/S network, sensitive data and may result in an application denial of service Valid Input HTML/HTTP Browser Invalid Input HTML/HTTP
10. Types of Application Hacks Through a browser, a hacker can use the smallest bug or backdoor to change, or pervert, the intent of the application Application Attack Types Negative Outcome Examples Form field: collect data Buffer overflow Crash servers/close business Online shopping Hidden fields eShoplifting Text Field: collect data Cross Site scripting eHijacking - Get account info Front end Apps 3 rd Party Misconfiquration Admin access Backend Apps Stealth Commanding Site defacement Sloppy code Backdoors/Debug options Download proprietary database Customer account Cookie poisoning Identity theft/illegal transactions Database Parameter Tampering/SQL injection Fraud Web Server Published Vulnerabilities Crash site Web Server Forceful Browsing Access sensitive data
11. 10 Types of Attacks: Development Lifecycle APP. BUFFER OVERFLOW COOKIE POISONING CROSS SITE SCRIPTING HIDDEN MANIPULATION STEALTH COMMANDING 3 RD PARTY MISCONFIG. KNOWN VULNERABILITIES PARAMETER TAMPERING BACKDOORS & DEBUG OPT. FORCEFUL BROWSING Development Operations 3 rd party SW
22. Press this link to get to your bank Underlying link: http://www.mybank.com?a=<evil javascript> The JavaScript program collects and sends user names and passwords Enter your login information Cross Site Scripting - Example 1 2 Username Password 3
STEVE ORRIN: We all know that there are pressures on the application lifecycle. Let’s review the facts: Time to market demands are ever increasing – bringing new apps up quickly while not compromising their usability and ‘cool factor’ is imperative. Budgets are tight in today’s economic environment and expenses are closely monitored. Unfortunately, this doesn’t translate into a lessening of the market’s expectation for new applications. At the end of the day, the question facing most development teams is ‘How do we meet the functional specification on time with the resources available?” Application complexity is growing – as applications grow in size complexity is added at every step. Businesses and the market expect new applications to perform, meet the functional spec, deploy quickly – and to be secure. And while the deployment pace speeds up, so does the scale and complexity of the sites the new applications are being deployed on. This increases the number and type of potential points of failure within an application --- any one of which could be the source of an enormous problem for the enterprise. Increasing Business Risks Driven by Security Defects. As more business gets done on the web, the risks posed by security defects in deployed applications are accelerating. Hackers are increasingly active and sophisticated about how they choose and target their victims. Dealing with this threat effectively is not trivial. Growing government scrutiny and regulations, including GLBA and HIPAA. With the increase in the value of information and assets accessible through the Web, governments around the world are creating laws and regulations to protect consumers from online fraud and theft. Compliance to U.S. laws like HIPAA and GLBA are for the first time putting the issue of application security into the CEO’s office and board rooms of the largest enterprises in the world. Failure to comply can come at an enormous cost. And finally, recent court activity relating to liability protection for bad software has added new areas of risk for all businesses. Simply put, it doesn’t look like Caveat Emptor (buyer beware) will be sufficient to protect companies from liability claims and class action lawsuits. Enterprises must take systematic and significant measures to ensure that the applications under their domain do not directly or indirectly lead to harm of the customer or the shareholders. Add to this the fact that cost escalates dramatically the longer you wait to find and fix defects, and it is clear things need to change (NEXT SLIDE)
STEVE ORRIN: All of this should lead you to demand better application security. But, if you still need more facts, lets review some more data points: Web application attacks are now more frequent. In Q1 2002, Sanctum found serious security defects in applications in 100% of the commercial sites we audited; The attacks are more expensive to recover from. Costs to patch are high, and the cost of a lost reputation is impossible to quantify. The attacks are more pervasive. A F50 Sanctum customer found serious security defects in over 700 of its deployed applications Finally, the attacks are growing more dangerous, and they usually go undetected. When we look closer at what was actually able to be manipulated on the sites we audited, it is quite scary. In 31% of the sites, full control and access was achieved. In 25% of the sites, privacy was breached, and in 3% of the sites, the entire site was able to be deleted. These are serious problems. Next slide
As you can see from this slide the relative costs associated with waiting to detect and fix defects increases at a staggering rate from one stage to the next. By the time an application has been deployed, a defect found in it can cost as much as 100X as much to fix than if it had been caught during the development and testing process. This is measured in terms of lost time, resources and lost business as the result of the application being down.
Each layer of the application has its own unique vulnerabilities. A vulnerability fixed at one layer may still be exploited at another layer. An exploit at any layer of the application effects the integrity and behavior for the entire application The bottom line, Code and Content Change every day – and contain bugs and backdoors at every layer (NEXT SLIDE)
In the Web application layer, we see 10 major types of application level hacks that can occur with varying degreed of impact on the business ranging from site defacement to eHijacking to downloading the company’s proprietary database. For example, in a text field used to collect data from a customer, a hacker may be able to insert a script that eHijacks customer information from the site through a vulnerability called cross site scripting. (HIGHLIGHT A FEW EXAMPLES)
Also could be an example of 3rd party missconfiguration