© 2009 IBM Corporation
IBM Software Group
An IBM Proof of Technology
Web Applications – The Hacker’s New Target
Hacking 102: Integrating Web Application Security Testing into Development
Ross Tang, IBM Rational Software
Are you phished?
http://www.myfoxny.com/dpp/your_money/consumer/090304_Facebook_Security_Breaches
Facebook Worm
http://www.marketwatch.com/investing/stock/STAN?countrycode=UK
http://www.marketwatch.com/tools/quotes/lookup.asp?lookup=_Funny_Behaviour_&country=us
http://www.marketwatch.com/investing/stock/UK:STAN?countrycode=UK
The Myth: “Our Site Is Safe”
We Use Network Vulnerability Scanners – Neglects the security of the software on the network/web server
We Have Firewalls in Place – Ports 80 & 443 are open for the right reasons
We Audit It Once a Quarter with Pen Testers – Applications are constantly changing
We Use SSL Encryption – Only protects data between site and user, not the web application itself
The WEAKEST Link: Web Application – last layer of defense
Defense layers shown: Desktop, Firewall, IDS/IPS, Web Applications (protected only by manual patching and code review)
Attacks shown across the layers: SQL Injection, Cross Site Scripting, Pattern-based Attack, Web Server Known Vulnerabilities, Parameter Tampering, Cookie Poisoning, Port Scanning, DoS, Anti-spoofing
The Reality: Security and Spending Are Unbalanced
                    % of Attacks    % of Dollars (Security Spending)
Web Applications        75%             10%
Network Server          25%             90%
Sources: Gartner, Watchfire
75% of all attacks on information security are directed to the web application layer
2/3 of all web applications are vulnerable
• Buffer Overflow
• Cookie Poisoning
• Hidden Fields
• Cross Site Scripting
• Stealth Commanding
• Parameter Tampering
• Forceful Browsing
• SQL Injection
• Etc…
Black-box (Discovering SQL Injection)
Value submitted in the userid field: '
Value submitted in the (masked) password field: ******
Query the application builds from that input:
    SELECT * from tUsers where userid=''' AND password='foobar'
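An added example (not from the deck) showing why the single-quote probe above is a black-box signal and what the fix looks like, using Python's sqlite3 with a constructed tUsers table standing in for the one in the slide: the concatenated query breaks on the stray quote, while the parameterized query treats it as plain data.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the slide's tUsers table (column names assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tUsers (userid TEXT, password TEXT)")
    conn.execute("INSERT INTO tUsers VALUES ('alice', 'foobar')")
    conn.commit()
    return conn


def login_concat(conn, userid, password):
    """Vulnerable: the query is built by string concatenation, exactly as the slide shows.
    A userid of ' yields  userid=''' AND password='foobar'  and the parser fails."""
    sql = ("SELECT * from tUsers where userid='" + userid
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchall()


def login_param(conn, userid, password):
    """Fixed: bound parameters keep user input out of the SQL grammar entirely."""
    sql = "SELECT * from tUsers where userid=? AND password=?"
    return conn.execute(sql, (userid, password)).fetchall()


def probe(login):
    """The black-box check from the slide: submit a lone quote and watch for a database error.
    An error means input is reaching the SQL parser; no error means it is handled as data."""
    conn = make_db()
    try:
        login(conn, "'", "foobar")
        return "no error"
    except sqlite3.OperationalError as exc:
        return "sql error: " + str(exc)


if __name__ == "__main__":
    print("concatenated query:", probe(login_concat))
    print("parameterized query:", probe(login_param))
```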
Example: Cross Site Scripting – The Exploit Process
Parties: Evil.org, User, bank.com
1) Link to bank.com sent to user via E-mail or HTTP
2) User sends script embedded as data
3) Script/data returned, executed by browser
4) Script sends user’s cookie and session information without the user’s consent or knowledge
5) Evil.org uses stolen session information to impersonate user
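An added example (not from the deck) covering steps 2 to 4 above in Python: the page that reflects a parameter with and without HTML encoding, and the Set-Cookie flags that keep the session cookie out of reach of any script that does run. The handler and parameter names are assumptions; the input is a constructed test marker, not a real payload.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample input: a script tag submitted as the "name" parameter (step 2).
SAMPLE_INPUT = "<script>probe()</script>"


def render_unsafe(name):
    """Vulnerable: the parameter is copied into the HTML unchanged, so the browser
    treats it as markup and runs it (step 3)."""
    return "<p>Welcome, " + name + "</p>"


def render_safe(name):
    """Fixed: HTML-encode the parameter before reflecting it, so < > & " ' become
    entities and the browser renders them as text rather than executing them."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


def reflects_unencoded(response_body, submitted):
    """Detection helper: does the response echo the submitted markup verbatim?"""
    return submitted in response_body


def session_cookie_header(session_id):
    """Defence in depth for step 4: HttpOnly hides the cookie from document.cookie,
    Secure keeps it off plain HTTP, SameSite=Lax limits cross-site sending."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    print(render_unsafe(SAMPLE_INPUT))
    print(render_safe(SAMPLE_INPUT))
    print(session_cookie_header("constructed-session-id"))
```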
IBM Rational AppScan End-to-End Application Security
Lifecycle stages: Requirements, Code, Build, QA, Security, Production
Security Requirements Definition – security requirements defined before design & implementation
AppScan Source – build security testing into the IDE; automate security / compliance testing in the build process
AppScan Tester – security / compliance testing incorporated into testing & remediation workflows
AppScan Standard – Security & Compliance: testing, oversight, control, policy, audits
AppScan onDemand (SaaS) – outsourced testing for security audits & production site monitoring
AppScan Enterprise / Reporting Console – enterprise-wide scanning and reporting
Application Security Best Practices
How Internet Banking is secure
Nearly 1000 Companies Depend On Watchfire
8 of the Top 10 Technology Brands
7 of the Top 10 Pharma / Clinical Companies
Multiple Large Government Agencies: Veteran’s Affairs, Navy, Army, Air Force, Marines
9 of the Top 10 Largest U.S. Retail Banks
Large, Complex Web Sites – Extensive Customer Data – Highly Regulated – High User Volume
Security Industry Leaders use and/or work with Watchfire solutions in their work
Consultants and Researchers; Technology Companies; EDS; more …
Trojan Software cost $99
● Constructor/Turkojan
● V.4 new features: Remote Desktop, Webcam Streaming, Audio Streaming, Remote passwords, MSN Sniffer, Remote Shell, Advanced File Manager, Online & Offline keylogger, Information about remote computer, Etc..