Transcript
Page 1: Web Application Security Strategy

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

Web Application Security Strategy – Getting it Right!

K. K. Mookhey, Director
Rohit Salecha, Security Analyst

Network Intelligence India Pvt.

[email protected]

[email protected]

30 Aug 2013

Page 2: Web Application Security Strategy

Agenda

• Research Background & Objectives
• Appsec Initiatives – Options
• Case Studies
• Lessons Learnt
• Way Forward

Page 3: Web Application Security Strategy


WAS Global Statistics

AKA

Standard FUD slides

Page 4: Web Application Security Strategy


WAS Global Statistics

Vulnerability Population Trends for 2011-2012 as stated by Cenzic – 26% rise since 2011

Source: http://info.cenzic.com/rs/cenzic/images/Cenzic-Application-Vulnerability-Trends-Report-2013.pdf

Page 5: Web Application Security Strategy

Ponemon Application Security Report

Average cost of data breach in India: $1.3 Million

Average number of breached records: 26,586

Average amount due to lost business: $283,341

Attacks in which web app issues were exploited: 86%

Security budget allocated to appsec! 18%

Page 6: Web Application Security Strategy


Existing Studies/Reports

WhiteHat Security – Annual Website Security Statistics Report

https://www.whitehatsec.com/assets/WPstatsReport_052013.pdf

Coverity – Software Security Risk Report

http://www.coverity.com/library/pdf/the-software-security-risk-report.pdf

Cenzic Application Vulnerability Trends Report

https://info.cenzic.com/2013-Application-Security-Trends-Report.html

Ponemon Application Security Report

https://www.barracuda.com/docs/white_papers/barracuda_web_app_firewall_wp_cenzic_exec_summary.pdf

OWASP Guide for CISOs

https://www.owasp.org/index.php/Application_Security_Guide_For_CISOs

Page 7: Web Application Security Strategy

Outcomes

“The results were both stunning and deeply puzzling. The connections between various software security controls and SDLC behaviors and the vulnerability outcomes and breaches is far more complicated than we ever imagined.”

“The question we were left with is: Why do we see such widely disparate answers in the exact same industries? How do some organizations effectively manage their change control policies and regulatory obligations so as not to be slowed down while others are severely challenged?”

Again, perhaps what works is a combination of factors. Perhaps that factor is the amount of pre-production security testing.

Page 8: Web Application Security Strategy

One size does not fit all!

• Surveys/Reports cover organizations across industries

• Do not take into account the nature of the organization’s current web app situation – vendor, in-house, legacy, COTS, etc.

• Do not take into account current level of maturity

• Try to draw general conclusions from the average/sum of all data

Page 9: Web Application Security Strategy


Appsec Options

Page 10: Web Application Security Strategy

Appsec Program – Options

• Annual PT
• On-going Assessments
• Source Code Reviews
• Secure Coding Training
• Secure Coding Guidelines
• Web Application Firewall
• Security Scanning Tool
• Application Security Framework
• Security Design Review

Page 11: Web Application Security Strategy


Burning questions

• What should we invest in? What works and what doesn’t?

• In what sequence?

• What is likely to give the most ROI in terms of significant improvements?

• Challenges with these initiatives – how to get them right?

Page 12: Web Application Security Strategy

Case studies – A popular dotcom

Page 13: Web Application Security Strategy

Background

• Working with them since 2004
• Annual Grey-box Testing
• No secure coding guidelines
• No on-going Appsec reviews
• Just recently procured a WAF

Page 14: Web Application Security Strategy

Statistics – Number of Vulnerabilities

The # of vulnerabilities has gone up between 2012 and 2013

[Chart: vulnerability counts at Jul-12 and Mar-13; y-axis 0–10; series: Sum of High, Sum of Medium]

Page 15: Web Application Security Strategy

Statistics – Type of Vulnerabilities

The # of Business Logic Issues has gone up between 2012 and 2013

[Chart: vulnerability counts by type at Jul-12 and Mar-13; y-axis 0–8; series: Business Logic, Input Validations, Others]

Page 16: Web Application Security Strategy

Analysis

• Lots of new code going live every day. Multiple releases per day vs. one release per week previously

• Pen-testing skills have improved

• More scope for testing – lot more functionality on the sites

• Increase in business-logic issues – as we have thoroughly understood their workings now

Page 17: Web Application Security Strategy

Case studies – A BFSI Client

Page 18: Web Application Security Strategy

Background

• BFSI Company
• Used to get periodic penetration tests done
• Contracted us in 2011 to do on-going appsec testing
• We did 1 round of secure coding training as well
• We work closely with their development teams to help address the issue
• Development teams are largely outsourced – though many working onsite

Page 19: Web Application Security Strategy

Statistics

The # of vulnerabilities goes up and down – no significant trends emerge!

Why?

[Chart: monthly vulnerability counts from Dec-11 to Aug-13 (Dec-11, Jan-12, Feb-12, Mar-12, Apr-12, May-12, Jun-12, Jul-12, Sep-12, Oct-12, Nov-12, Dec-12, Jan-13, Feb-13, Apr-13, Jun-13, Jul-13, Aug-13); y-axis 0–300; series: Sum of High, Sum of Medium]

Page 20: Web Application Security Strategy

Analysis

• High turnover in the developer teams

• Lessons imparted via training or daily interactions become useless due to the above

• Reduction seen where metrics being used to penalize vendors

• Source Code Review is effective but has inherent challenges

Page 21: Web Application Security Strategy

Case studies – A Financial Products IT Company

Page 22: Web Application Security Strategy

Background

• Financial Products Company
• Used to get annual penetration tests done
• Implemented SCR solution in 2011
• We did 1 round of training on secure coding
• Secure coding guidelines also developed
• Development done largely by internal teams

Page 23: Web Application Security Strategy

Statistics

The # of vulnerabilities is going down. Why?

[Chart: vulnerability counts at May-11 and Oct-12; y-axis 0–12; series: Sum of High, Sum of Medium]

Page 24: Web Application Security Strategy

Analysis

• Low turnover in developer team
• Team leads have been with them since past 6-7 years
• SCR tool faced lot of resistance, but gradually acceptability has grown
• Developers have written custom sanitization functions and configured these in SCR
• No code is uploaded without running it through SCR
• Lessons learnt from pen-tests have also been incorporated into secure coding guidelines

Page 25: Web Application Security Strategy

SCR Tool

• Challenges
  – Does not identify business logic issues
  – Large number of false positives:
    “60,000 vulnerable lines, 2nd - 25,000, 3rd - 18,000, 4th - 13,000.”
  – May not support your coding platform
  – Not able to handle large codebases

• Positives
  – Can scan incrementally
  – Allows custom sanitization functions to be configured
  – Allows false positives to be marked
  – Exports data into Excel for easy tracking
  – Has extensive knowledge base
  – Pin-points exact location

Page 26: Web Application Security Strategy

Case studies – A Telco

Page 27: Web Application Security Strategy

Background

• Large Telco
• On-going Appsec assessments
• On-going SCR
• Periodic penetration tests
• Development done by vendors
• WAF Implemented since a year, but…

Page 28: Web Application Security Strategy

Statistics

[Chart: vulnerability counts at Sep-12, Jan-13, May-13, Jun-13 and Aug-13; y-axis 0–400; series: Sum of High, Sum of Medium]

The # of vulnerabilities is stable – no significant trends emerge! Why?

Note, this is a vulnerability tracker, so issues are open issues, not rediscovered issues

Page 29: Web Application Security Strategy

Analysis

• Vendor delays in fixing the issues

• Multiple reassessments lead to the issues remaining open and overlapped in subsequent assessments

• High level of exposure on the Internet

• Multiple approaches adopted and strong focus on appsec in recent times

• WAF implementation remains a challenge

Page 30: Web Application Security Strategy


WAF Challenges

Page 31: Web Application Security Strategy

WAF Right Approach

• Understanding of the Applications that will be integrated with WAF

• Enabling the right security policies for the application

• Testing the alerts and violations for identifying the false positives

• Involvement of the development team to verify the URLs learnt, alerts, violations, updates on the mitigation, updates on application changes, and broken links & references

Page 32: Web Application Security Strategy

WAF Implementation Mistakes

• Not changing the default error page of WAF

• Not informing about the changes that happen in the application code

• Not checking the broken links and broken references

• Not fine-tuning the web directory and Web URLs

• Keeping the WAF in Monitoring Mode, without a defined plan for migration to Block Mode.
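The last two mistakes are visible directly in a WAF's configuration. The fragment below is an added illustration, not from the slides and not tied to the Telco's product; it assumes the WAF is ModSecurity running under Apache, and shows the monitoring-only setting beside the blocking setting with a custom error page. Only one of the two SecRuleEngine sections would be active in a real deployment; the first is what "stuck in Monitoring Mode" looks like.

```apache
# --- Phase 1: monitoring mode (assumed ModSecurity under Apache, example only) ---
# Rules are evaluated and logged, but nothing is blocked. Acceptable only as a
# time-boxed learning phase with a dated cut-over to blocking agreed with the
# development team, which is the "defined plan" the slide asks for.
SecRuleEngine DetectionOnly
SecAuditEngine RelevantOnly

# --- Phase 2: block mode with a non-default error page ---
# Matching rules now deny the request. The stock engine error page is replaced
# so the response does not advertise which WAF is in front of the application.
SecRuleEngine On
SecDefaultAction "phase:2,log,deny,status:403"
ErrorDocument 403 /errors/forbidden.html
```

Reviewing the alerts produced during the DetectionOnly phase against the URL list supplied by the development team is how the false positives from the "WAF Right Approach" slide get found before the switch to On; changing the mode without that review simply turns logged noise into blocked users.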

Page 33: Web Application Security Strategy

Summary of the Options Exercised

Option                        Dotcom   BFSI   IT   Telco
Annual VAPT
Round-the-clock Assessments
SCR – Tool
SC Guidelines
Threat Modeling
WAF
SC Training
Appsec Tools
Security Frameworks in use
Vulnerability Management

[The per-client markings in the table body were not preserved in the transcript.]

Page 34: Web Application Security Strategy


So…

Where do we go now?

Page 35: Web Application Security Strategy

Strategic Options / 1

If you have all your development done in-house, and if your team is relatively stable, then:

• Embed security into the SDLC by beginning with on-going assessments
• Source code reviews
• Have someone manage the SCR Tool output
• Training
• Development of secure coding guidelines
• Development/embedding of a security framework

Page 36: Web Application Security Strategy

Strategic Options / 2

If you have many complex, heterogeneous systems, some from vendors, some in-house, then:

• Same strategy as #1, plus…
• Strong vendor management processes for meeting security objectives
• WAF

Page 37: Web Application Security Strategy

Strategic Options / 3

If all your applications are from vendors, and if you have limited budgets:

• On-going assessments
• But eventually…

Page 38: Web Application Security Strategy

Strategic Options / 4

If you are a vendor, then:

Do everything! Seriously, is that even a question?

• Pre-hiring checks
• Training – after hiring and periodically thereafter
• Secure coding guidelines
• Security frameworks
• Threat modeling
• Grey-box assessments
• Source code reviews – embed SCR into IDE
• Include # of security bugs in developer appraisals
• Incentivize security innovation
• Internal & external marketing, nay, evangelism!

Page 39: Web Application Security Strategy

Common Elements of any Strategy

• Management Commitment

• Prioritized Approach

• Measurement & Metrics
  – # of issues per application – trend over time
  – # of issues by vendor
  – Time taken to fix issues
  – # of issues by source (grey-box, external PT, source code review, etc.)
  – See what works and what doesn’t for your organization

• Vendor Management
  – SLAs for fixing security bugs
  – Service credits for bugs found
  – Enforcing security assessments by the vendor
  – Enforcing adoption of SDL by the vendor
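The metrics and vendor-management items above are straightforward to compute from the same vulnerability tracker the Telco slide mentions, as long as the tracker records who owns each finding, where it came from and when it was closed. The script below is an added example written for this page, not the speakers' tooling: it builds a small constructed tracker export (the application names, vendor names, dates and SLA values are made up) and derives each metric the slide lists, plus the SLA breaches per vendor that service credits would be based on. Open-issue counts are taken as snapshots on a given date, matching the note that a tracker counts open issues rather than rediscovered ones.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Finding:
    """One row of a vulnerability tracker export (field set is an assumption)."""
    finding_id: str
    app: str
    vendor: str          # "in-house" when the code is developed internally
    source: str          # where it was found: grey-box, external-pt, scr, ...
    severity: str        # "High" or "Medium", as the deck's charts use
    opened: date
    closed: Optional[date] = None   # None means still open


# Constructed sample tracker export; not data from any of the four case studies.
FINDINGS = [
    Finding("F-001", "portal",   "vendorA",  "grey-box",    "High",   date(2013, 1, 7),  date(2013, 1, 30)),
    Finding("F-002", "portal",   "vendorA",  "scr",         "Medium", date(2013, 1, 12), date(2013, 3, 20)),
    Finding("F-003", "payments", "in-house", "external-pt", "High",   date(2013, 2, 3),  date(2013, 2, 10)),
    Finding("F-004", "payments", "in-house", "grey-box",    "Medium", date(2013, 2, 18), None),
    Finding("F-005", "portal",   "vendorA",  "grey-box",    "High",   date(2013, 3, 5),  None),
    Finding("F-006", "crm",      "vendorB",  "scr",         "High",   date(2013, 3, 9),  date(2013, 5, 2)),
    Finding("F-007", "crm",      "vendorB",  "grey-box",    "Medium", date(2013, 4, 1),  None),
]

# Assumed reporting parameters: snapshot dates for the trend, and a per-severity
# fix SLA in days of the kind a vendor contract would state.
SNAPSHOTS = [date(2013, 1, 31), date(2013, 3, 31), date(2013, 5, 31)]
SLA_DAYS = {"High": 30, "Medium": 60}
AS_OF = date(2013, 5, 31)


def open_on(f: Finding, as_of: date) -> bool:
    """True if the finding was open on the snapshot date."""
    return f.opened <= as_of and (f.closed is None or f.closed > as_of)


def open_issues_trend(findings, snapshots):
    """# of open issues per application at each snapshot: the 'trend over time' metric."""
    return {
        as_of.isoformat(): dict(Counter(f.app for f in findings if open_on(f, as_of)))
        for as_of in snapshots
    }


def issues_by(findings, attr: str):
    """# of issues grouped by a tracker field, e.g. 'vendor' or 'source'."""
    return dict(Counter(getattr(f, attr) for f in findings))


def mean_time_to_fix_days(findings):
    """Average days from opened to closed over the findings that have been closed."""
    days = [(f.closed - f.opened).days for f in findings if f.closed is not None]
    return mean(days) if days else None


def sla_breaches(findings, sla_days, as_of):
    """Findings that exceeded their severity's SLA: closed late, or still open past it.
    Returns (finding_id, vendor, days_over_sla) tuples in tracker order."""
    breaches = []
    for f in findings:
        age = ((f.closed or as_of) - f.opened).days
        over = age - sla_days[f.severity]
        if over > 0:
            breaches.append((f.finding_id, f.vendor, over))
    return breaches


def report(findings=FINDINGS):
    """All the slide's metrics in one dict, so the numbers can be tracked release to release."""
    breaches = sla_breaches(findings, SLA_DAYS, AS_OF)
    return {
        "open_trend": open_issues_trend(findings, SNAPSHOTS),
        "by_vendor": issues_by(findings, "vendor"),
        "by_source": issues_by(findings, "source"),
        "mean_days_to_fix": mean_time_to_fix_days(findings),
        "sla_breaches": breaches,
        "breaches_by_vendor": dict(Counter(vendor for _, vendor, _ in breaches)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(report(), indent=2, default=str))
```

On the constructed data the portal application stays at one open issue across every snapshot while a different finding is open each time, which is exactly the "goes up and down, no trend" picture from the BFSI slide and why the deck pairs the count with time-to-fix and per-vendor breakdowns: vendorA accounts for two of the four SLA breaches, which is the figure a service-credit clause would act on.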

Page 40: Web Application Security Strategy

Open Questions…

• Outsource vs. In-house Security Assessment
• Legacy Apps – Orphaned
• Level of enforcement at the vendor’s end
• Procure tool vs. Security as a Service
• Business Logic Issues
• Bug Bounty Program

Page 41: Web Application Security Strategy


Any Questions?

Thank You!

Take the Survey! http://niiconsulting.com/surveys/wass/index.php

