Page 1: Protecting your Applications and Data in an Evolving Risk Environment

Motaz Alturayef, Head of Engineering, KSA and North Africa
F5 Networks

Page 2: Agenda

- What is an Application?
- Web Application Attacks
- What Happens When Apps Are Attacked?
- Protecting Applications

Page 3: haveibeenpwned.com

Page 4: Chart (F5 Ponemon Survey)

Attack types reported, as labelled on the chart: Other, Cross-site Request Forgery, Clickjack, SQL Injection, Cross-site Scripting, Web Fraud, DDoS, Cred Theft.
Values shown: 2%, 17%, 20%, 24%, 25%, 50%, 63%, 68%.

Page 5: Applications are the business

Page 6: Applications are the gateway to your data

Page 7: How Are Applications Targeted?

Components of an application that attackers target:
- Sub domains hosting other versions of the main application site
- Dynamic web page generators
- HTTP headers and cookies
- Admin interfaces
- Apps/files linked to the app
- Web service methods
- Helper apps on the client (Java, Flash)
- Server-side features such as search
- Web pages and directories
- Shells, Perl/PHP
- Data entry forms
- Administrative and monitoring stubs and tools
- Events of the application: triggered server-side code
- Backend connections through the server (injection)
- APIs
- Cookies/state tracking mechanisms
- Data/active content pools: the data that populates and drives pages

Page 8: How Can We Organize This Better?

The same list of application components, grouped into layers: Services, Access, TLS/SSL, DNS, Network.

Page 9: Where applications run

Public cloud, Private cloud, SaaS, Co-location, On-premises, Containers.

Page 10: Apps Importance

34% of web apps considered mission critical
760 web apps in use in an organization
9.93 web app environments/frameworks in use

How does this match up with your organization?

Page 11: Chart (F5 Ponemon Survey)

Application categories, as labelled on the chart: Other; None of the Above; Project Management; Developer Tools; Financial Apps (Banking/eCommerce); Social Apps; Backup and Storage; Office Suites; Document Management and Collaboration; Remote Access; Communication Apps (Email/Texting).
Values shown: 1%, 6%, 9%, 13%, 16%, 32%, 51%, 57%, 62%, 74%, 81%.

Page 12: Chart (F5 Ponemon Survey)

Cost by attack outcome, as labelled on the chart: Leakage of Confidential or Sensitive Information; Tampering and Unauthorized Modifications to Apps; The Hack Resulted in the Failure to Access Data and/or Apps; Leakage of Personally-Identifiable Information About Customers, Consumers or Employees.
Values shown: $6.56, $7.18, $8.53, $9.07.

Page 13: Chart (F5 & Whatcom CC)

Breach causes, as labelled on the chart: Insider Attack, Point-of-Sale Attacks, Physical Breach, Malware, Credential Theft, Accidental Breach, Phishing, Web Attacks.
Values shown: 2%, 7%, 10%, 12%, 13%, 13%, 14%, 30%.

Page 14: Web Attacks (F5 & Whatcom CC)

Breakdown of web attacks: Website Hacking 70%, Database Hacking 26%, Card-Stealing Web Injection 4%.

Page 15: Card Stealing Web Injects

Diagram: Targeted Site -> Malicious PHP Code -> Payment Card Info Breached; stolen data is exfiltrated via HTTPS to a drop server.
Injects are usually due to weak input filters, common in PHP, JS and CMS systems, and can add fake fields to the page.

Page 16: Injections Continuing to Make Headlines

Page 17: OWASP Top 10, 2013 vs. 2017

https://devcentral.f5.com/articles/anatomy-of-code-injection

2013 OWASP Top 10
1. Injection
2. Broken authentication and session management
3. Cross-site scripting (XSS)
4. Insecure direct object references
5. Security misconfiguration
6. Sensitive data exposure
7. Missing function level access control
8. Cross-site request forgery (CSRF)
9. Using components with known vulnerabilities
10. Unvalidated redirects and forwards

2017 OWASP Top 10
1. Injection
2. Broken authentication
3. Sensitive data exposure
4. XML external entities (XXE)
5. Broken access control
6. Security misconfiguration
7. Cross-site scripting (XSS)
8. Insecure deserialization
9. Using components with known vulnerabilities
10. Insufficient logging and monitoring

Page 18: Exposed identities

In the last 8 years more than 7.1 billion identities have been exposed in data breaches.

Breach sizes shown: 70 million accounts, 427 million accounts, 150 million accounts, 3 billion accounts, 117 million accounts.

Nearly 3 out of 4 consumers use duplicate passwords, many of which have not been changed in five years or more.

1. Symantec Internet Security Threat Report, April 2017
2. https://www.entrepreneur.com/article/246902#

Page 19: Credential Stuffing

Diagram: stolen username/password pairs are replayed against other sites; the data reached is labelled Credit Card Data, Intellectual Property, Healthcare Data, Passport Data and Financial Data.
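Added example, not from the deck or from F5: detection logic for the credential stuffing the slide describes, run over constructed login-log lines. A stuffing run replays many different stolen username/password pairs from one client, so the signal is one source address trying many distinct usernames in a short window with mostly failures, which a single user mistyping one password never produces. The log format, addresses, function names and thresholds are assumptions made for this demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <client ip> login <username> <ok|fail>".
# 203.0.113.9 replays six different accounts in four seconds (one succeeds);
# 198.51.100.7 is a real user retrying their own password.
SAMPLE_LOG = """\
2018-03-01T10:00:01 203.0.113.9 login alice fail
2018-03-01T10:00:02 203.0.113.9 login bob fail
2018-03-01T10:00:02 203.0.113.9 login carol fail
2018-03-01T10:00:03 203.0.113.9 login dave ok
2018-03-01T10:00:03 203.0.113.9 login erin fail
2018-03-01T10:00:04 203.0.113.9 login frank fail
2018-03-01T10:05:00 198.51.100.7 login alice fail
2018-03-01T10:05:10 198.51.100.7 login alice fail
2018-03-01T10:05:30 198.51.100.7 login alice ok
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, username, success)."""
    ts, ip, _, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "ok"


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.6):
    """Return {ip: (distinct_users, attempts, failures)} for every source that,
    within any sliding window, tried at least min_users distinct usernames with a
    failure ratio of at least min_fail_ratio. Per-account lockouts miss this
    pattern because each account sees only one or two attempts."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it covers at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {user for _, user, _ in win}
            failures = sum(1 for _, _, ok in win if not ok)
            if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
                flagged[ip] = (len(users), len(win), failures)
    return flagged


if __name__ == "__main__":
    for ip, (users, attempts, failures) in detect_credential_stuffing(SAMPLE_LOG).items():
        print("%s: %d usernames, %d attempts, %d failures" % (ip, users, attempts, failures))
```

The successful login for "dave" in the middle of the run is deliberate: stuffing does succeed on some accounts, which is why a pure failure counter is not enough and the distinct-username count carries the decision. A per-address heuristic like this misses stuffing spread across many proxy addresses, so in practice it is combined with per-account signals and with checks of submitted passwords against known-breached sets such as the haveibeenpwned.com data the deck mentions earlier.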

Page 20: Insecure Deserialization

https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization

A PHP forum uses PHP object serialization to save a "super" cookie, containing the user's user ID, role, password hash, and other state:

a:4:{i:0;i:132;i:1;s:3:"Bob";i:2;s:4:"user";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}

An attacker changes the serialized object to give themselves admin privileges, replacing the role "user" with "admin":

a:4:{i:0;i:132;i:1;s:3:"Bob";i:2;s:5:"admin";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
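Added example, not from the slides or from F5: a Python demonstration of why the role stored in a client-held serialized cookie is attacker-controlled, beside the hardened form in which the server signs the cookie with an HMAC so the edit above is detected. The parser covers only the PHP serialize() subset that the cookie on the slide uses; the key, the parser and the function names are assumptions made for this demo.

```python
import hashlib
import hmac
import re

# Constructed sample cookie in the PHP serialize() array format from the slide
# (the 32-character hash is the value shown there).
TRUSTED_COOKIE = ('a:4:{i:0;i:132;i:1;s:3:"Bob";i:2;s:4:"user";'
                  'i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}')

# Assumption for the demo: this key lives only on the server.
SERVER_KEY = b"constructed-demo-key-never-sent-to-clients"


def php_unserialize_array(blob):
    """Parse a PHP serialized list such as a:N:{i:0;i:132;i:1;s:3:"Bob";...}.

    Only integer keys with int or ASCII string values are handled, which is all
    the slide's cookie needs. The declared s:<len> prefix is enforced, as PHP does.
    """
    head = re.fullmatch(r"a:(\d+):\{(.*)\}", blob, re.S)
    if not head:
        raise ValueError("not a serialized PHP array")
    count, body = int(head.group(1)), head.group(2)
    values, pos = [], 0
    while pos < len(body):
        key = re.match(r"i:\d+;", body[pos:])           # array index, e.g. i:2;
        if not key:
            raise ValueError("bad key at offset %d" % pos)
        pos += key.end()
        if body.startswith("i:", pos):                   # integer member
            m = re.match(r"i:(-?\d+);", body[pos:])
            if not m:
                raise ValueError("bad integer at offset %d" % pos)
            values.append(int(m.group(1)))
            pos += m.end()
        elif body.startswith("s:", pos):                 # length-prefixed string
            m = re.match(r's:(\d+):"', body[pos:])
            if not m:
                raise ValueError("bad string at offset %d" % pos)
            length, start = int(m.group(1)), pos + m.end()
            if body[start + length:start + length + 2] != '";':
                raise ValueError("string length mismatch")
            values.append(body[start:start + length])
            pos = start + length + 2
        else:
            raise ValueError("unsupported member type at offset %d" % pos)
    if len(values) != count:
        raise ValueError("element count mismatch")
    return values


def role_from_untrusted_cookie(cookie):
    """Vulnerable pattern: whatever the client sent is believed (index 2 is the role)."""
    return php_unserialize_array(cookie)[2]


def rewrite_role(cookie, new_role):
    """The edit the slide describes: swap the role member, length prefix included."""
    return re.sub(r'i:2;s:\d+:"[^"]*";',
                  'i:2;s:%d:"%s";' % (len(new_role), new_role), cookie)


def sign_cookie(payload, key=SERVER_KEY):
    """Hardened pattern: append an HMAC-SHA256 tag computed with the server key."""
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def role_from_signed_cookie(signed, key=SERVER_KEY):
    """Verify the tag before parsing; return None for a missing or wrong tag."""
    payload, dot, tag = signed.rpartition(".")
    if not dot:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None                                      # tampered or forged
    return php_unserialize_array(payload)[2]


if __name__ == "__main__":
    edited = rewrite_role(TRUSTED_COOKIE, "admin")
    print("unsigned cookie after edit:", role_from_untrusted_cookie(edited))
    print("signed cookie, untouched:  ", role_from_signed_cookie(sign_cookie(TRUSTED_COOKIE)))
    print("signed cookie after edit:  ", role_from_signed_cookie(rewrite_role(sign_cookie(TRUSTED_COOKIE), "admin")))
```

The HMAC stops the privilege edit the slide shows, but it gives integrity only: the client can still read everything in the cookie, including the password hash, and a real PHP application that calls unserialize() on attacker-reachable input remains exposed to object injection even with a valid tag. The safer design keeps state server-side behind an opaque session identifier, or, where client-side state is unavoidable, uses a data-only format such as JSON together with the signature.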

Page 21: Chart

Published Deserialization Exploits by year (axis: 2007, 2008, 2009, 2010, 2013, 2014, 2015, 2016, 2017); the largest bar shown is 32.

Page 22: Chart (F5 Ponemon Survey)

Confidence levels, as labelled on the chart: Very Confident, Confident, Somewhat Confident, No Confidence.
Values shown: 16%, 22%, 24%, 38%.

Page 23: Chart (F5 Ponemon Survey)

Security controls, as labelled on the chart: Other Network Security Controls; Next-Generation Firewall; Web Fraud Detection; Traditional Network Firewall; Intrusion Prevention System (IPS); Anti-DDoS; Anti-Malware Software; Application Scanning; Penetration Testing; Web App Firewall (WAF).
Values shown: 2%, 3%, 4%, 5%, 6%, 7%, 8%, 19%, 20%, 28%.

Page 24: Five steps for protecting applications

- Prioritize Defenses Based on Attacks
- Reduce Your Attack Surface
- Understand Your Environment
- Select Flexible and Integrated Defense Tools
- Integrate Security into Development

Page 25: Research basis

- Analysis of US Attorney Breach Data Records
- Analysis of Exploit DB
- 12 months of web app security vulnerability data (DAST & SAST)
- 12 months of global web app attack data
- App Security survey of 3,135 IT security professionals in the US, Canada, United Kingdom, Brazil, China, Germany and India, across 14 industries

Page 26: Additional Research

Page 27: Articles: Threat Blog, CISO to CISO, Thought Leadership Blog. Topics: General Threat Trends, Phishing, Encryption, IoT (Attacker Hunt Series).
