A presentation given by K. K. Mookhey and Rohit Salecha at OWASP India 2013.
Slide 1. Web Application Security Strategy: Getting it Right!
K. K. Mookhey, Director, and Rohit Salecha, Security Analyst, Network Intelligence India Pvt. Ltd.
email@example.com, Rohit.firstname.lastname@example.org
30 Aug 2013
Copyright The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. http://www.owasp.org

Slide 2. Agenda
- Research background and objectives
- Appsec initiatives: options
- Case studies
- Lessons learnt
- Way forward

Slide 3. WAS Global Statistics (a.k.a. the standard FUD slides)

Slide 4. WAS Global Statistics
Vulnerability population trends for 2011-2012 as stated by Cenzic: a 26% rise since 2011.
Source: http://info.cenzic.com/rs/cenzic/images/Cenzic-Application-Vulnerability-Trends-Report-2013.pdf

Slide 5. Ponemon Application Security Report
- Average cost of a data breach in India: $1.3 million
- Average number of breached records: 26,586
- Average amount due to lost business: $283,341
- Attacks in which web app issues were exploited: 86%
- Security budget allocated to appsec: 18%

Slide 6. Existing Studies/Reports
- WhiteHat Security Annual Website Security Statistics Report: https://www.whitehatsec.com/assets/WPstatsReport_052013.pdf
- Coverity Software Security Risk Report: http://www.coverity.com/library/pdf/the-software-security-risk-report.pdf
- Cenzic Application Vulnerability Trends Report: https://info.cenzic.com/2013-Application-Security-Trends-Report.html
- Ponemon Application Security Report: https://www.barracuda.com/docs/white_papers/barracuda_web_app_firewall_wp_cenzic_exec_summary.pdf
- OWASP Guide for CISOs: https://www.owasp.org/index.php/Application_Security_Guide_For_CISOs

Slide 7. Outcomes
The results were both stunning and deeply puzzling. The connections between various software security controls and SDLC behaviors and the vulnerability outcomes and breaches are far more complicated than we ever imagined. The question we were left with is: why do we see such widely disparate answers in the exact same industries? How do some organizations effectively manage their change control policies and regulatory obligations so as not to be slowed down while others are severely challenged? Again, perhaps what works is a combination of factors. Perhaps that factor is the amount of pre-production security testing.

Slide 8. One size does not fit all!
- Surveys and reports cover organizations across industries
- They do not take into account the nature of the organization's current web app situation: vendor-developed, in-house, legacy, COTS, etc.
- They do not take into account the current level of maturity
- They try to draw general conclusions from the average or sum of all the data

Slide 9. Appsec Options

Slide 10. Appsec Program Options
- Annual PT
- On-going assessments
- Source code reviews
- Secure coding training
- Secure coding guidelines
- Web application firewall
- Security scanning tool
- Application security framework
- Security design review

Slide 11. Burning questions
- What should we invest in?
- What works and what doesn't?
- In what sequence?
- What is likely to give the most ROI in terms of significant improvements?
- Challenges with these initiatives: how to get them right?

Slide 12. Case studies: A popular dotcom

Slide 13. Background
- Working with them since 2004
- Annual grey-box testing
- No secure coding guidelines
- No on-going appsec reviews
- Just recently procured a WAF

Slide 14. Statistics: Number of Vulnerabilities
[Chart: sum of High and sum of Medium findings, Jul-12 vs Mar-13, scale 0-10]
The number of vulnerabilities went up between 2012 and 2013.

Slide 15. Statistics: Type of Vulnerabilities
[Chart: Business Logic, Input Validation and Other findings, Jul-12 vs Mar-13, scale 0-8]
The number of business logic issues went up between 2012 and 2013.

Slide 16. Analysis
- Lots of new code going live every day: multiple releases per day vs. one release per week previously
- Pen-testing skills have improved
- More scope for testing: a lot more functionality on the sites
- Increase in business-logic issues because we have now thoroughly understood their workings

Slide 17. Case studies: A BFSI Client

Slide 18. Background
- BFSI company
- Used to get periodic penetration tests done
- Contracted us in 2011 to do on-going appsec testing
- We did one round of secure coding training as well
- We work closely with their development teams to help address the issues
- Development teams are largely outsourced, though many work onsite

Slide 19. Statistics
[Chart: sum of High and sum of Medium findings per assessment, scale 0-300]
The number of vulnerabilities goes up and down; no significant trend emerges! Why?

Slide 20. Analysis
- High turnover in the developer teams
- Lessons imparted via training or daily interactions become useless because of the above
- Reduction seen where metrics are being used to penalize vendors
- Source code review is effective but has inherent challenges

Slide 21. Case studies: A Financial Products IT Company

Slide 22. Background
- Financial products company
- Used to get annual penetration tests done
- Implemented an SCR (source code review) solution in 2011
- We did one round of training on secure coding
- Secure coding guidelines also developed
- Development done largely by internal teams

Slide 23. Statistics
[Chart: sum of High and sum of Medium findings, May-11 vs Oct-12, scale 0-12]
The number of vulnerabilities is going down. Why?

Slide 24. Analysis
- Low turnover in the developer team; team leads have been with them for the past 6-7 years
- The SCR tool faced a lot of resistance, but acceptance has gradually grown
- Developers have written custom sanitization functions and configured these in the SCR tool
- No code is uploaded without running it through SCR
- Lessons learnt from pen-tests have also been incorporated into the secure coding guidelines

Slide 25. SCR Tool
Challenges:
- Does not identify business logic issues
- Large number of false positives: the first scan reported 60,000 vulnerable lines, the second 25,000, the third 18,000, the fourth 13,000
- May not support your coding platform
- Not able to handle large codebases
Positives:
- Can scan incrementally
- Allows custom sanitization functions to be configured
- Allows false positives to be marked
- Exports data into Excel for easy tracking
- Has an extensive knowledge base
- Pin-points the exact location

Slide 26. Case studies: A Telco

Slide 27. Background
- Large telco
- On-going appsec assessments
- On-going SCR
- Periodic penetration tests
- Development done by vendors
- WAF implemented for a year now, but
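The SCR-tool behaviour described for the financial products company (slide 24: developers register their own sanitization functions; slide 25: false positives can be marked, exact locations are pin-pointed) is easiest to see in a small source-to-sink taint scanner. The block below is an added example written for this page, not any vendor's SCR product and not code from the presenters. The source, sink and sanitizer names (request.args.get, cursor.execute, os.system, sanitize_sql and so on) and the snippet it scans are constructed for the illustration; a real tool ships a knowledge base of such names per framework.

```python
"""Toy source-to-sink taint scanner over Python ASTs: an added illustration of the
SCR-tool features on slides 24 and 25 (configurable custom sanitizers,
false-positive marking, exact locations). Not a real SCR product."""
import ast
from dataclasses import dataclass

# Assumed source/sink/sanitizer names for the example only.
SOURCES = {"request.args.get", "request.form.get", "input"}
SINKS = {"cursor.execute": "SQL injection", "os.system": "command injection"}
BUILTIN_SANITIZERS = {"int", "shlex.quote"}


@dataclass(frozen=True)
class Finding:
    lineno: int       # exact location, as an SCR tool pin-points it
    col: int
    sink: str
    issue: str


def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintScanner(ast.NodeVisitor):
    def __init__(self, custom_sanitizers=(), suppressed=()):
        # Developer-written sanitizers registered with the tool (slide 24).
        self.sanitizers = BUILTIN_SANITIZERS | set(custom_sanitizers)
        # (lineno, sink) pairs a reviewer has marked as false positives (slide 25).
        self.suppressed = set(suppressed)
        self.tainted = set()   # variable names currently holding untrusted data
        self.findings = []

    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            name = dotted(node.func)
            if name in SOURCES:
                return True
            if name in self.sanitizers:
                return False          # a sanitizer call clears taint
            return any(self.is_tainted(a) for a in node.args)
        if isinstance(node, ast.BinOp):      # "..." + x  or  "..." % x
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):  # f"... {x} ..."
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        return False

    def visit_Assign(self, node):
        # Straight-line taint propagation: x = <tainted> marks x; a clean
        # reassignment clears it.
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted(node.func)
        if name in SINKS and any(self.is_tainted(a) for a in node.args):
            if (node.lineno, name) not in self.suppressed:
                self.findings.append(Finding(node.lineno, node.col_offset, name, SINKS[name]))
        self.generic_visit(node)


def scan(source, custom_sanitizers=(), suppressed=()):
    """Scan one file's source text; returns findings in source order."""
    scanner = TaintScanner(custom_sanitizers, suppressed)
    scanner.visit(ast.parse(source))
    return scanner.findings


# Constructed snippet to scan (it is parsed, never executed).
SAMPLE = """\
import os
uid = request.args.get("id")
cursor.execute("SELECT * FROM users WHERE id = " + uid)
safe = sanitize_sql(uid)
cursor.execute("SELECT * FROM users WHERE id = " + safe)
n = int(request.args.get("n"))
cursor.execute(f"SELECT name FROM users LIMIT {n}")
os.system("ping -c 1 " + request.form.get("host"))
"""

if __name__ == "__main__":
    print("raw scan:      ", [f.lineno for f in scan(SAMPLE)])
    # Registering the in-house sanitizer removes the line-5 false positive.
    print("with sanitizer:", [f.lineno for f in scan(SAMPLE, custom_sanitizers=["sanitize_sql"])])
    # A reviewer-marked suppression silences one specific (line, sink) pair.
    print("suppressed 3:  ", [f.lineno for f in scan(SAMPLE, custom_sanitizers=["sanitize_sql"],
                                                      suppressed={(3, "cursor.execute")})])
```

The raw scan reports lines 3, 5 and 8; line 7 is clean because the built-in int() sanitizer strips taint. Line 5 is exactly the kind of false positive slide 25 complains about: the in-house sanitize_sql() is unknown to the tool until it is registered, at which point the finding disappears without touching the code. The suppression list models marking a remaining finding as a false positive; note that it is keyed on line number, so it goes stale when the file is edited, which is one reason a person has to own the SCR output (slide 35).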
Slide 28. Statistics
[Chart: sum of High and sum of Medium open issues at Sep-12, Jan-13, May-13, Jun-13 and Aug-13, scale 0-400]
The number of vulnerabilities is stable; no significant trend emerges! Why?
Note: this is a vulnerability tracker, so the counts are open issues, not rediscovered issues.

Slide 29. Analysis
- Vendor delays in fixing the issues
- Multiple reassessments lead to issues remaining open and overlapping in subsequent assessments
- High level of exposure on the Internet
- Multiple approaches adopted and a strong focus on appsec in recent times
- WAF implementation remains a challenge

Slide 30. WAF Challenges

Slide 31. WAF: Right Approach
- Understanding of the applications that will be integrated with the WAF
- Enabling the right security policies for the application
- Testing the alerts and violations to identify false positives
- Involvement of the development team to verify the URLs learnt, alerts and violations, and to update on mitigation, application changes, and broken links and references

Slide 32. WAF Implementation Mistakes
- Not changing the default error page of the WAF
- Not informing the WAF team about changes that happen in the application code
- Not checking for broken links and broken references
- Not fine-tuning the web directories and web URLs
- Keeping the WAF in monitoring mode without a defined plan for migrating to blocking mode

Slide 33. Summary of the Options Exercised
[Table: options exercised by each case-study organization (columns: Dotcom, BFSI, IT, Telco); only the row and column labels are present in the text]
- Annual VAPT
- Round-the-clock assessments
- SCR tool
- SC guidelines
- Threat modeling
- WAF
- SC training
- Appsec tools
- Security frameworks in use
- Vulnerability management

Slide 34. So where do we go now?

Slide 35. Strategic Options / 1
If you have all your development done in-house, and if your team is relatively stable, then embed security into the SDLC, beginning with:
- On-going assessments
- Source code reviews, with someone assigned to manage the SCR tool output
- Training
- Development of secure coding guidelines
- Development/embedding of a security framework

Slide 36. Strategic Options / 2
If you have many complex, heterogeneous systems, some from vendors and some in-house, then use the same strategy as #1, plus:
- Strong vendor management processes for meeting security objectives
- WAF

Slide 37. Strategic Options / 3
If all your applications are from vendors, and if you have limited budgets:
- On-going assessments
- But eventually

Slide 38. Strategic Options / 4
If you are a vendor, then do everything! Seriously, is that even a question?
- Pre-hiring checks
- Training after hiring and periodically thereafter
- Secure coding guidelines
- Security frameworks
- Threat modeling
- Grey-box assessments
- Source code reviews: embed SCR into the IDE
- Include the number of security bugs in developer appraisals
- Incentivize security innovation
- Internal and external marketing, nay, evangelism!

Slide 39. Common Elements of any Strategy
- Management commitment
- Prioritized approach
- Measurement and metrics:
  - # of issues per application, trend over time
  - # of issues by vendor
  - Time taken to fix issues
  - # of issues by source (grey-box, external PT, source code review, etc.)
  - See what works and what doesn't for your organization
- Vendor management:
  - SLAs for fixing security bugs
  - Service credits for bugs found
  - Enforcing security assessments by the vendor
  - Enforcing adoption of an SDL by the vendor

Slide 40. Open Questions
- Outsource vs. in-house security assessment
- Legacy apps: orphaned
- Level of enforcement at the vendor's end
- Procure a tool vs. security as a service
- Business logic issues
- Bug bounty program

Slide 41. Any Questions? Thank You!
Take the survey: http://niiconsulting.com/surveys/wass/index.php
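The four metrics on slide 39 (issues per application over time, issues by vendor, time to fix, issues by source) and the SLA/service-credit levers under vendor management can all be computed from the same vulnerability tracker, provided the tracker is kept as slide 28 describes: one row per issue that stays open until fixed, so a reassessment that finds the issue again does not add a row. The block below is an added example for this page, not the presenters' tracker or code; the rows, application names, vendor names, snapshot dates and SLA values are constructed for the illustration.

```python
"""Vulnerability-tracker metrics for the measures on slide 39, computed over
'open issue' rows in the sense of slide 28. Added example; all data constructed."""
from collections import Counter, defaultdict
from datetime import date
from statistics import mean

# Constructed tracker rows: one row per issue, fixed=None means still open.
ISSUES = [
    dict(id=1, app="portal",   vendor="VendorA",  source="grey-box",    severity="High",   found=date(2012, 9, 3),  fixed=date(2012, 11, 20)),
    dict(id=2, app="portal",   vendor="VendorA",  source="grey-box",    severity="Medium", found=date(2012, 9, 3),  fixed=None),
    dict(id=3, app="portal",   vendor="VendorA",  source="SCR",         severity="High",   found=date(2013, 1, 15), fixed=date(2013, 2, 1)),
    dict(id=4, app="selfcare", vendor="VendorB",  source="external PT", severity="High",   found=date(2012, 9, 10), fixed=date(2013, 5, 2)),
    dict(id=5, app="selfcare", vendor="VendorB",  source="SCR",         severity="Medium", found=date(2013, 1, 20), fixed=None),
    dict(id=6, app="selfcare", vendor="VendorB",  source="grey-box",    severity="High",   found=date(2013, 5, 5),  fixed=None),
    dict(id=7, app="billing",  vendor="in-house", source="grey-box",    severity="Medium", found=date(2013, 1, 8),  fixed=date(2013, 2, 6)),
]
SNAPSHOTS = [date(2012, 9, 30), date(2013, 1, 31), date(2013, 5, 31), date(2013, 8, 31)]
AS_OF = SNAPSHOTS[-1]


def is_open(issue, as_of):
    """Open on a date = found on or before it and not yet fixed. A later
    assessment that re-reports the issue does not create a second row, so the
    count is of open issues, not rediscoveries (slide 28)."""
    return issue["found"] <= as_of and (issue["fixed"] is None or issue["fixed"] > as_of)


def open_trend(issues, snapshots):
    """# of open issues per application at each snapshot date (trend over time)."""
    trend = defaultdict(list)
    for app in sorted({i["app"] for i in issues}):
        for d in snapshots:
            trend[app].append(sum(1 for i in issues if i["app"] == app and is_open(i, d)))
    return dict(trend)


def open_by_vendor(issues, as_of):
    """# of open issues by vendor on a given date."""
    return dict(Counter(i["vendor"] for i in issues if is_open(i, as_of)))


def mean_time_to_fix_days(issues, vendor=None):
    """Mean days from discovery to fix over closed issues, optionally for one vendor."""
    closed = [i for i in issues
              if i["fixed"] is not None and (vendor is None or i["vendor"] == vendor)]
    return mean((i["fixed"] - i["found"]).days for i in closed) if closed else None


def by_source(issues):
    """# of issues by the activity that found them (grey-box, external PT, SCR)."""
    return dict(Counter(i["source"] for i in issues))


def sla_breaches(issues, as_of, sla_days):
    """Open issues older than the fix SLA, by vendor: the input for the
    service-credit clause in a vendor contract (slide 39)."""
    late = Counter(i["vendor"] for i in issues
                   if is_open(i, as_of) and (as_of - i["found"]).days > sla_days)
    return dict(late)


if __name__ == "__main__":
    print("open per app over time:", open_trend(ISSUES, SNAPSHOTS))
    print("open by vendor:        ", open_by_vendor(ISSUES, AS_OF))
    print("mean time to fix:      ", mean_time_to_fix_days(ISSUES))
    print("  VendorA / VendorB:   ", mean_time_to_fix_days(ISSUES, "VendorA"),
          mean_time_to_fix_days(ISSUES, "VendorB"))
    print("by source:             ", by_source(ISSUES))
    print("90-day SLA breaches:   ", sla_breaches(ISSUES, AS_OF, sla_days=90))
```

On this constructed data the per-application trend is flat for "portal" and "selfcare" even though issues are being fixed, which is the Telco pattern on slide 28: new findings arrive at about the rate old ones close. The vendor split is what makes the flat line actionable, since VendorB's mean time to fix is several times VendorA's and it holds both 90-day SLA breaches, which is the kind of number the BFSI case (slide 20) found actually moved vendors.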