Using the 80/20 Rule in Application Security Management


             Bikash Barai, Co-Founder & CEO



Jan 2013                © iViZ Security Inc   0
About iViZ
 • iViZ – Cloud based Application Penetration Testing
       – Zero False Positive Guarantee
       – Business Logic Testing with 100% WASC (Web Application Security Consortium) class coverage
 •    Funded by IDG Ventures
 •    30+ Zero Day Vulnerabilities discovered
 •    10+ Recognitions from Analysts and Industry
 •    300+ Customers
 •    Gartner Hype Cycle: DAST and Application Security as a Service

Background: Application Security Statistics 2012




Application Security Statistics 2012
 • Based on real application security tests by iViZ
       – 300+ Customers
       – 5,000+ Application Security Tests
 • 99% of the apps tested had at least 1 vulnerability
 • 82% of the web applications had at least 1 High/Critical vulnerability
 • Very low correlation between security and compliance (correlation coefficient: 0.2)
 • Average number of vulnerabilities per website: 35


Average number of Vulnerabilities




Top 5 Application Flaws




           Percentage of websites containing the “Type of Vulnerability”
5 Common Business Logic Flaws
 •    Weak password recovery
 •    Abusing discount logic/coupons
 •    Denial of service using business logic
 •    Price manipulation during transaction
 •    Insufficient server-side validation (One Time Password (OTP) bypass)
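Two of the flaws above, price manipulation and OTP bypass, come from the server trusting values the client controls. The following is an added example, not code from the deck or from iViZ: a vulnerable checkout beside a hardened one that resolves prices, quantity bounds and coupons from server-side data, and a server-side OTP verifier that counts attempts and consumes the code. The catalog, the coupon table, the request shapes and the attempt limit are assumptions.

```python
"""Added example (not from the iViZ deck): price manipulation and OTP bypass,
shown as a vulnerable checkout beside a hardened one. The catalog, coupon
table, request shapes and attempt limit are constructed for illustration."""
import hmac
import secrets
from decimal import Decimal

# Constructed server-side data: the only source of truth for prices and coupons.
CATALOG = {"SKU-1001": Decimal("49.90"), "SKU-2002": Decimal("5.00")}
COUPONS = {"SAVE10": Decimal("0.10")}        # fraction off the order total
MAX_QTY = 100
MAX_OTP_ATTEMPTS = 5


def checkout_vulnerable(order):
    """Vulnerable: trusts the price, quantity and discount the client sends."""
    total = Decimal("0")
    for item in order["items"]:
        total += Decimal(str(item["price"])) * item["qty"]
    # A client can send price=0.01, qty=-1 or discount=0.99; nothing stops it.
    return total * (1 - Decimal(str(order.get("discount", 0))))


def checkout_hardened(order):
    """Hardened: price, quantity bounds and coupons are resolved server-side."""
    total = Decimal("0")
    for item in order["items"]:
        sku, qty = item["sku"], item["qty"]
        if sku not in CATALOG:
            raise ValueError(f"unknown sku {sku}")
        if type(qty) is not int or not 1 <= qty <= MAX_QTY:
            raise ValueError("quantity out of range")
        total += CATALOG[sku] * qty          # any client-supplied price is ignored
    codes = order.get("coupons", [])
    if len(codes) != len(set(codes)):
        raise ValueError("coupon reused in one order")
    for code in codes:
        if code not in COUPONS:
            raise ValueError("invalid coupon")
        total -= total * COUPONS[code]
    return max(total, Decimal("0")).quantize(Decimal("0.01"))


def confirm_vulnerable(request):
    """Vulnerable OTP step: believes a client-controlled 'otp_verified' flag."""
    return bool(request.get("otp_verified"))


class OtpVerifier:
    """Hardened OTP step: the server issues, counts attempts and consumes the OTP."""

    def __init__(self):
        self._pending = {}   # txn_id -> (otp, attempts_left)

    def issue(self, txn_id):
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[txn_id] = (otp, MAX_OTP_ATTEMPTS)
        return otp           # delivered out of band (SMS/app), never in the HTTP response

    def verify(self, txn_id, submitted):
        if txn_id not in self._pending:
            return False     # fail closed: unknown, expired or already-used transaction
        expected, attempts_left = self._pending[txn_id]
        if attempts_left <= 0:
            del self._pending[txn_id]
            return False     # brute-force limit reached; transaction must be restarted
        if hmac.compare_digest(expected, str(submitted)):
            del self._pending[txn_id]   # one-time: cannot be replayed
            return True
        self._pending[txn_id] = (expected, attempts_left - 1)
        return False
```

The hardened checkout rejects an order rather than "fixing" it, so a tampered request is visible in logs instead of silently repriced; the OTP verifier is what a tester probes when checking for the "Insufficient Server Side Validation" item: a client-side `otp_verified` flag, replay of a used code, or unlimited guesses.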



Using 80/20 rule ..




80/20 Rule
 • 80% of the effects come from 20% of the causes
 • Also known as the Pareto Principle, the Law of the Vital Few, the 80/20 Rule
 • Examples
       – 80% of your profits come from 20% of your customers
       – 80% of your complaints come from 20% of your customers
       – 20% of the rules detect 80% of the spam
 • The opposite may also be true in some situations
       – The long tail



Top 7 Mistakes
 • Cheap security (cheap lock = no lock)
 • Lack of prioritization and all-round investment: building an iron door with thatched walls
 • Security initiative not introduced early on (design phase)
 • Lack of a proper AppSec organization (roles, KRA, KPI)
 • Trying too many things at the same time OR trying to do everything in-house
 • Not choosing the right vendor/products
 • Thinking a "secure" seal = real security
80/20 Rule: Top 5 Steps
 • #1: Identify and classify all apps based on business criticality
 • #2: Regular testing
 • #3: Implement an efficient patching process
 • #4: Implement Secure SDLC/Secure DevOps
 • #5: Implement a WAF for business critical apps




#1: Identify and Classify




Identify and Classify your Apps
 • 90% of organizations do not know
       – How many apps they have
       – Who owns each app
       – Which apps are business critical
 • Step #1: Identify your apps
       – Use automated application discovery tools
       – Ask all your departments
 • Step #2: Classify the apps
       – Business critical: can cause revenue loss, reputation loss or legal implications
       – Non-business critical: everything else

#2: Regular Security Testing




Application Security Vulnerability Management Model
 • Type of test
       – Comprehensive penetration testing (automated + manual)
       – Automated application security testing
 • Strategy for business critical apps
       – Comprehensive penetration test for every major release (or at least once a quarter)
       – Automated testing once a month
 • Strategy for non-business critical apps
       – 1 to 4 automated tests per year (based on budget)
       – 1 comprehensive test per year (if budget permits)
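Steps #1 and #2 fit together: the classification decides which of the two strategies above applies, and the strategy then fixes the cadence. The following is an added example, not code from the deck or from iViZ, that turns the "Identify and Classify" criteria and the testing model above into a per-app yearly schedule. The inventory fields (`owner`, `handles_revenue`, `handles_customer_data`, `regulated`, `major_releases`) and the default budgets are assumptions; the schedule places the quarterly comprehensive test at the end of any quarter that has no major release.

```python
"""Added example (not from the iViZ deck): classify an application inventory
by business criticality and turn the deck's testing model into a per-app
yearly schedule. Inventory field names and default budgets are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class App:
    name: str
    owner: Optional[str]                 # an unknown owner is itself a finding
    handles_revenue: bool = False        # revenue loss
    handles_customer_data: bool = False  # reputation loss
    regulated: bool = False              # legal implications
    major_releases: List[int] = field(default_factory=list)  # months 1..12


def is_business_critical(app: App) -> bool:
    """Business critical = can cause revenue loss, reputation loss or legal exposure."""
    return app.handles_revenue or app.handles_customer_data or app.regulated


def schedule(app: App, automated_per_year: int = 2,
             comprehensive_budget: bool = False) -> Dict[int, Set[str]]:
    """Return {month: set of test types} for one calendar year.

    Business critical: automated monthly; comprehensive on every major release
    and, for any quarter without a release, once at the end of that quarter.
    Non-critical: 1-4 automated tests a year, one comprehensive if budgeted.
    """
    if any(not 1 <= m <= 12 for m in app.major_releases):
        raise ValueError("release months must be 1..12")
    plan: Dict[int, Set[str]] = {m: set() for m in range(1, 13)}
    if is_business_critical(app):
        for m in plan:
            plan[m].add("automated")
        comprehensive = set(app.major_releases)
        for q_start in (1, 4, 7, 10):
            if not any(q_start <= m < q_start + 3 for m in comprehensive):
                comprehensive.add(q_start + 2)       # last month of the quarter
        for m in comprehensive:
            plan[m].add("comprehensive")
    else:
        n = max(1, min(4, automated_per_year))
        for i in range(n):
            plan[1 + i * (12 // n)].add("automated")  # spread evenly over the year
        if comprehensive_budget:
            plan[12].add("comprehensive")
    return plan


def unowned(apps: List[App]) -> List[str]:
    """Apps with no owner cannot be scheduled or remediated: fix the inventory first."""
    return [a.name for a in apps if a.owner is None]


def yearly_counts(plan: Dict[int, Set[str]]) -> Dict[str, int]:
    """Total tests of each type in a plan, for budgeting."""
    counts: Dict[str, int] = {}
    for tests in plan.values():
        for t in tests:
            counts[t] = counts.get(t, 0) + 1
    return counts
```

`unowned()` is listed first on purpose: an app nobody owns has nobody to receive the findings, so the inventory step has to finish before the testing step is meaningful.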

DAST vs SAST
 • Dynamic Application Security Testing (DAST): does not need code
 • Static Application Security Testing (SAST): needs code/binary
 • Should I choose DAST or SAST?
       – Step #1: Conduct DAST.
           • This is the low-hanging fruit. Easy to adopt. Less expensive. More mature.
       – Step #2: Conduct SAST + DAST.
           • Fewer false negatives, better coverage, more costly, higher overhead.

Tools vs Consultant vs Cloud
 • Tools (license/on demand)
       – Need an in-house team to remove false positives and conduct business logic tests
 • Consultants
       – Good quality, costly, cannot scale
 • Cloud (with human intervention)
       – Good quality, scalable, vulnerability data on the cloud




Which option should I choose?
 • Cloud (with human augmentation)
       – Most optimal for 80% of cases. No license cost. No people cost. Cost effective. Scalable.
 • Automated tools/on demand tools
       – If you can hire and retain an application security testing team (fewer than 1% of organizations can)
 • Consultants
       – Non-standard and complex applications, or you do not have an in-house team. More costly. High quality.




9 Questions to ask your consultant
 1.    Who (which individual) will conduct the test?
 2.    How many application security tests have they conducted before?
 3.    What are the testers' contributions to security research (vulnerability discovery, research papers, tools, conference presentations etc.)?
 4.    What is the security testing methodology?
 5.    How will they ensure coverage? Do they have a checklist? Can they share or show it?
 6.    How will they conduct business logic testing?
 7.    Where will they store the data? How will the data be kept secure?
 8.    Can they test during non-business hours?
 9.    Can they meet your scalability requirements?
 •    Ask yourself: can you conduct an adequate number of tests within your current budget using the consultant?
Top 5 metrics to benchmark a tool
 1.  What is the false positive rate?
 2.  How many classes of vulnerabilities does it cover?
 3.  Which classes does it not cover?
 4.  How good is the crawler's coverage? Is there a benchmark?
 5.  How many scans can run in parallel?
 • If possible: benchmark the tools yourself for false positives and false negatives
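Benchmarking for false positives and false negatives needs a ground truth (a manual pentest result or a deliberately vulnerable test application) and a comparison of each tool's report against it. The following is an added example, not code from the deck or from iViZ, that scores two scanner reports against such a ground truth and reports metrics 1 to 3 from the list: the false positive rate, the false negative rate, per-class counts and the classes a tool never reported. The ground truth and both scanner reports are constructed; a finding is identified by (vulnerability class, URL, parameter).

```python
"""Added example (not from the iViZ deck): score scanner reports against a
ground truth for false-positive and false-negative rates, per class and
overall, plus the classes a tool does not cover. All data is constructed."""
from typing import Dict, List, Set, Tuple

# A finding is (vulnerability class, URL, parameter); "-" marks no parameter.
Finding = Tuple[str, str, str]

GROUND_TRUTH: Set[Finding] = {          # constructed: what a manual pentest found
    ("sqli", "/login", "user"),
    ("xss", "/search", "q"),
    ("xss", "/profile", "bio"),
    ("idor", "/orders", "id"),
    ("csrf", "/transfer", "-"),
}
SCANNER_A: Set[Finding] = {             # constructed report of tool A
    ("sqli", "/login", "user"),
    ("xss", "/search", "q"),
    ("xss", "/help", "page"),           # not real
    ("sqli", "/search", "q"),           # not real
}
SCANNER_B: Set[Finding] = {             # constructed report of tool B
    ("sqli", "/login", "user"),
    ("xss", "/search", "q"),
    ("xss", "/profile", "bio"),
    ("csrf", "/transfer", "-"),
    ("xss", "/help", "page"),           # not real
}


def score(findings: Set[Finding], truth: Set[Finding]) -> Dict:
    """Compare one scanner report with the ground truth.

    'false_positive_rate' is the share of reported findings that are wrong
    (1 - precision): a scanner has no countable true negatives, so the
    textbook FP/(FP+TN) is not meaningful here. 'false_negative_rate' is the
    share of real flaws the tool missed (1 - recall).
    """
    tp, fp, fn = findings & truth, findings - truth, truth - findings

    def rate(n: int, d: int) -> float:
        return round(n / d, 3) if d else 0.0

    per_class: Dict[str, Dict[str, int]] = {}
    for bucket, items in (("tp", tp), ("fp", fp), ("fn", fn)):
        for cls, _, _ in items:
            per_class.setdefault(cls, {"tp": 0, "fp": 0, "fn": 0})[bucket] += 1

    reported_classes = {cls for cls, _, _ in findings}
    return {
        "false_positive_rate": rate(len(fp), len(findings)),
        "false_negative_rate": rate(len(fn), len(truth)),
        "uncovered_classes": sorted({cls for cls, _, _ in truth} - reported_classes),
        "per_class": per_class,
    }


def rank(reports: Dict[str, Set[Finding]], truth: Set[Finding]) -> List[str]:
    """Order tools by fewest misses first, then fewest false positives."""
    scored = {name: score(f, truth) for name, f in reports.items()}
    return sorted(scored, key=lambda n: (scored[n]["false_negative_rate"],
                                         scored[n]["false_positive_rate"]))
```

Ranking misses ahead of false positives reflects the deck's own priority: a false positive costs triage time, a false negative is a live flaw the program believes it does not have. Run the same comparison on your own application rather than only on a vendor's demo target, since crawler coverage (metric 4) is what usually differs.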


#3: Efficient Remediation Process




Top Steps for Effective Remediation
 • Create awareness among the engineering team members
 • Create an effective communication channel (spokesperson, internal wiki etc.) between the security testing and engineering teams
 • Create an effective process to raise tickets and to manage and monitor them
 • Conduct re-validation testing
 • Average vulnerability closing time should be part of the KPIs (internal team) or the SLA (for outsourced development)
#4: Secure SDLC




Top Application Security Principles
 • Validate input data
 • Encode output data
 • Implement the principle of least privilege; fail securely by default
 • Protect sensitive transactions using anti-automation, challenge/response, re-authentication
 • Implement secure session management
       – Issue/reissue a new session cookie on each login, automatic session expiration, etc.
 • Implement strong, well-known cryptographic storage. Store only the data that you require.

 • Details: OWASP Secure Coding Practices Quick Reference Guide: https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
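The session management bullet is the one most often implemented wrongly, so the following is an added example, not code from the deck, from iViZ or from OWASP, of a minimal session store that applies the principles above: a fresh, random session ID on every login (which defeats session fixation), idle and absolute expiry, fail-closed validation, allow-list input validation of the username and HTML output encoding of user-controlled data. The timeouts, the username rule and the `clock` parameter (injected so expiry can be exercised without waiting) are assumptions.

```python
"""Added example (not from the iViZ deck or OWASP): a minimal session store
applying the slide's principles. Timeouts, the username rule and the injected
clock are assumptions made for illustration."""
import html
import re
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60        # assumed: 15 minutes without a request
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed: 8 hours after login, regardless of activity
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")   # allow-list input validation


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, username: str, old_session_id: Optional[str] = None) -> str:
        """Authenticate and issue a brand-new session ID.

        The pre-login session (if any) is discarded, so an ID an attacker
        planted in the victim's browser never becomes an authenticated one.
        """
        if not USERNAME_RE.match(username):
            raise ValueError("invalid username")
        if old_session_id:
            self._sessions.pop(old_session_id, None)
        sid = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[sid] = Session(username, now, now)
        return sid

    def user_for(self, sid: str) -> Optional[str]:
        """Resolve a session ID to a user. Fail closed: any doubt means None."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]              # expired sessions are purged, not kept
            return None
        s.last_seen = now
        return s.user

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def render_greeting(display_name: str) -> str:
    """Encode for the HTML context at output time; input validation alone is not enough."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"
```

In a real deployment the ID goes into a cookie flagged `Secure`, `HttpOnly` and `SameSite`, and the store lives in a shared backend rather than process memory; neither changes the logic shown here.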
Top Steps towards Secure SDLC
 • Phase 1: Create a minimal coding and design guideline
       – Implement, monitor and measure
 • Phase 2: Create a more advanced coding and design guideline
 • People are resistant to change and there is adoption overhead. Do not try everything in one go.
 • Select the top 20% of guidelines that will help you the most for phase 1
 • Consider phase 2 your goal. Phase 1 is your step towards achieving the goal.



#5: Web Application Firewall (WAF)




WAF: pros and cons
 • Pros:
       – Protects applications with known, simple and common flaws
       – Gives protection even before the flaws are patched in the application
 • Cons:
       – Does not protect against new and advanced attacks or business logic flaws
       – May reduce application performance
       – May block legitimate requests if configured too strictly (false positives)
       – Does not actually fix the flaws in the code; it only protects against some attacks. A WAF cannot be a substitute for secure development practices.




Recap: 80/20 Rule: Top 5 Steps
 • #1: Identify and classify all apps based on business criticality
 • #2: Regular testing
 • #3: Implement an efficient patching process
 • #4: Implement Secure SDLC/Secure DevOps
 • #5: Implement a WAF for business critical apps




Top Free Online Resources
 • OWASP Secure Coding Practices Quick Reference Guide:
       https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf

 • OWASP Top 10:
       http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf

 • OWASP Secure Code Review Guide:
       https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf

 • OWASP Projects Page:
       https://www.owasp.org/index.php/Category:OWASP_Project

Thank You
Email: bikash@ivizsecurity.com
Blog: http://bikashbarai.blogspot.in
LinkedIn: http://www.linkedin.com/pub/bikash-barai/0/7a4/669
Twitter: https://twitter.com/bikashbarai1




Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 

Dernier (20)

Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 

Using 80 20 rule in application security management

80/20 Rule
 • 80% of the effects come from 20% of the causes
 • Pareto Principle, Law of the Vital Few, 80/20 Rule
 • Examples
       – 80% of your profits come from 20% of your customers
       – 80% of your complaints come from 20% of your customers
       – 20% of the rules detect 80% of spam
 • The opposite may also be true in some situations: the Long Tail

Top 7 Mistakes
 • Cheap Security (Cheap Lock = No Lock)
 • Lack of prioritization and all-round investment: building an iron door with thatched walls
 • Security initiative not introduced early on (design phase)
 • Lack of a proper AppSec organization (roles, KRA, KPI)
 • Trying too many things at the same time, or trying to do everything in-house
 • Not choosing the right vendor/products
 • Thinking Secure Seal = Real Security

80/20 Rule: Top 5 Steps
 • #1: Identify and Classify all Apps based on Business Criticality
 • #2: Regular Testing
 • #3: Implement an efficient Patching Process
 • #4: Implement Secure SDLC/Secure Dev-Ops
 • #5: Implement a WAF for Business Critical Apps

#1: Identify and Classify

Identify and Classify your Apps
 • 90% of organizations do not know
       – How many Apps they have
       – Who owns each App
       – Which Apps are business critical
 • #1 Step: Identify your Apps
       – Use automated Application Discovery tools
       – Ask all your departments
 • #2 Step: Classify the Apps
       – Business Critical: can cause revenue loss, reputation loss, legal implications
       – Non-Business Critical: everything else

#2: Regular Security Testing

Application Security Vulnerability Management Model
 • Type of Test
       – Comprehensive Penetration Testing (Automated + Manual)
       – Automated Application Security Testing
 • Strategy for Business Critical Apps
       – Comprehensive Penetration Testing during every major release (or at least once a quarter)
       – Automated Testing once a month
 • Strategy for Non-Business Critical Apps
       – 1 to 4 Automated Tests per year (based on budget)
       – 1 Comprehensive Test per year (if budget permits)
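The classification rule on the "Identify and Classify" slide and the test cadence on the "Vulnerability Management Model" slide combine naturally into a yearly test plan. The following is an added example, not code from iViZ or from the deck: it encodes the deck's two rules (critical if a compromise can cause revenue, reputation or legal damage; critical apps get a comprehensive test per major release and at least quarterly plus monthly automated tests, non-critical apps get 1 to 4 automated tests and an optional annual comprehensive test) and derives a plan from a constructed inventory. The `App` fields, the `SAMPLE_INVENTORY` entries and the budget parameters are assumptions made for the example; the refusal to schedule an app without a recorded owner is the example's own addition, reflecting the slide's point that ownership is usually unknown.

```python
"""Added example (not from the iViZ deck): derive an annual test plan from an
application inventory using the deck's classification and cadence rules."""
from dataclasses import dataclass


@dataclass
class App:
    name: str
    owner: str                        # every app must have a named owner
    revenue_impact: bool = False      # a breach could cause revenue loss
    reputation_impact: bool = False   # a breach could cause reputation loss
    legal_impact: bool = False        # a breach could have legal implications
    major_releases_per_year: int = 0


def is_business_critical(app: App) -> bool:
    """Deck rule: critical if a compromise can cause revenue, reputation or legal damage."""
    return app.revenue_impact or app.reputation_impact or app.legal_impact


def plan_tests(app: App, non_critical_automated: int = 1,
               budget_allows_comprehensive: bool = False) -> dict:
    """Number of tests of each type this app needs per year, per the deck's cadence."""
    if is_business_critical(app):
        # comprehensive test at every major release, but never fewer than quarterly
        comprehensive = max(4, app.major_releases_per_year)
        automated = 12                       # once a month
    else:
        comprehensive = 1 if budget_allows_comprehensive else 0
        automated = min(max(non_critical_automated, 1), 4)   # 1 to 4 per year
    return {"comprehensive": comprehensive, "automated": automated}


def annual_plan(inventory, **budget) -> dict:
    """Map app name -> test counts. Refuses apps with no owner: an unowned app
    has nobody to receive findings, so fix the inventory first (example's own rule)."""
    plan = {}
    for app in inventory:
        if not app.owner:
            raise ValueError(f"{app.name}: no owner recorded; fix inventory before scheduling")
        plan[app.name] = plan_tests(app, **budget)
    return plan


def totals(plan: dict) -> dict:
    """Total tests of each type across the plan, for budgeting."""
    return {k: sum(p[k] for p in plan.values()) for k in ("comprehensive", "automated")}


SAMPLE_INVENTORY = [  # constructed sample data, not a real inventory
    App("checkout", "payments-team", revenue_impact=True, major_releases_per_year=6),
    App("careers-site", "hr", reputation_impact=True, major_releases_per_year=1),
    App("internal-wiki", "it", major_releases_per_year=2),
]

if __name__ == "__main__":
    plan = annual_plan(SAMPLE_INVENTORY)
    for name, counts in plan.items():
        print(f"{name:15s} {counts}")
    print("totals:", totals(plan))
```

Running the block with the sample inventory gives the checkout app six comprehensive and twelve automated tests (six releases beat the quarterly floor), the careers site the quarterly floor, and the wiki a single automated test unless the budget parameters raise it.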
DAST vs SAST
 • Dynamic Application Security Testing (DAST): does not need code
 • Static Application Security Testing (SAST): needs code/binary
 • Should I choose DAST or SAST?
       – #1 Step: Conduct DAST
         • This is the low-hanging fruit: easy to adopt, less expensive, more mature
       – #2 Step: Conduct SAST + DAST
         • Lower false negatives, better coverage; more costly, higher overhead

Tools vs Consultant vs Cloud
 • Tools (License/On Demand)
       – Need an in-house team to remove false positives and conduct business logic tests
 • Consultants
       – Good quality, costly, cannot scale
 • Cloud (with human intervention)
       – Good quality, scalable, vulnerability data on the cloud

Which option should I choose?
 • Cloud (with human augmentation)
       – Most optimal for 80% of cases. No license cost. No people cost. Cost effective. Scalable.
 • Automated Tools/On Demand Tools
       – If you can hire and retain an application security testing team (less than 1% of organizations can do it)
 • Consultants
       – Non-standard and complex applications, or when you do not have an in-house team. More costly. High quality.

9 Questions to ask your consultant
 1. Who (which individual) will conduct the test?
 2. How many Application Security Tests has he conducted before?
 3. What are the testers' contributions to security research (vulnerability discovery, research papers, tools, conference presentations etc.)?
 4. What is the methodology of security testing?
 5. How will he ensure coverage? Does he have a checklist? Can he share or show it?
 6. How will he conduct business logic testing?
 7. Where will he store the data? How will the data be kept secure?
 8. Can he test during non-business hours?
 9. Can he meet your scalability requirements?
 • Ask yourself: can you conduct an adequate number of tests within your current budget using the consultant?

Top 5 metrics to benchmark a tool
 1. What is the rate of false positives?
 2. How many classes of vulnerabilities does it cover?
 3. Which classes does it not cover?
 4. How good is the coverage of the crawler? Is there any benchmark?
 5. How many scans can run in parallel?
 • If possible: benchmark the tools for false positives and false negatives
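The benchmark the slide recommends needs a labelled ground truth (what a manual test confirmed) to compare a tool's report against. The block below is an added example, not code from iViZ or from the deck: it scores a scanner report against such a ground truth to produce the false-positive and false-negative rates, shows which vulnerability classes account for the misses, and lists the required classes a tool does not claim to cover (metrics 1 to 3 on the slide). Every finding, the tool's claimed classes and the required class list are constructed sample data; the class names are labels chosen for the example.

```python
"""Added example (not from the iViZ deck): score a scanner run against a
labelled ground truth to get the false-positive / false-negative figures the
deck asks you to benchmark. All findings below are constructed sample data."""
from collections import Counter

# A finding is (location, vulnerability class).
GROUND_TRUTH = {  # constructed: what a manual test confirmed
    ("/login", "sqli"), ("/search", "xss"), ("/profile", "xss"),
    ("/checkout", "price_manipulation"), ("/reset", "weak_password_recovery"),
}
SCANNER_REPORT = {  # constructed: what the tool reported for the same app
    ("/login", "sqli"), ("/search", "xss"), ("/about", "xss"), ("/api", "sqli"),
}
TOOL_CLAIMED_CLASSES = {"sqli", "xss", "csrf"}           # constructed vendor claim
REQUIRED_CLASSES = {"sqli", "xss", "csrf",               # constructed: what you need covered
                    "price_manipulation", "weak_password_recovery"}


def score(truth: set, report: set) -> dict:
    """Confusion counts plus the two rates the deck says to benchmark."""
    tp = truth & report            # real flaws the tool found
    fp = report - truth            # reported, but not real (noise the team must triage)
    fn = truth - report            # real, but missed (residual risk)
    fp_rate = len(fp) / len(report) if report else 0.0   # share of the report that is noise
    fn_rate = len(fn) / len(truth) if truth else 0.0     # share of real flaws missed
    return {"tp": len(tp), "fp": len(fp), "fn": len(fn),
            "fp_rate": round(fp_rate, 3), "fn_rate": round(fn_rate, 3)}


def missed_by_class(truth: set, report: set) -> Counter:
    """Which vulnerability classes the misses fall into. Business-logic classes
    usually dominate here, which is why the deck pairs tools with manual testing."""
    return Counter(cls for (_, cls) in truth - report)


def uncovered_classes(required: set, claimed: set) -> list:
    """Required classes the tool does not even claim to detect (metric 3)."""
    return sorted(required - claimed)


if __name__ == "__main__":
    print("score:", score(GROUND_TRUTH, SCANNER_REPORT))
    print("missed by class:", dict(missed_by_class(GROUND_TRUTH, SCANNER_REPORT)))
    print("not covered at all:", uncovered_classes(REQUIRED_CLASSES, TOOL_CLAIMED_CLASSES))
```

With the sample data, half of the report is noise and 60% of the real flaws are missed; three of the four required-but-missed findings belong to classes the tool never claimed, which is the gap the slide's third question is meant to expose before purchase.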
#3: Efficient Remediation Process

Top Steps for Effective Remediation
 • Create awareness among the engineering team members
 • Create an effective communication channel (spokesperson, internal wiki etc.) between the security testing and engineering teams
 • Create an effective process to raise tickets, then manage and monitor them
 • Conduct re-validation testing
 • Average Vulnerability Closing Time should be part of the KPI (internal team) or SLA (for outsourced development)
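The last bullet asks for Average Vulnerability Closing Time as a KPI or SLA figure, which only means something if it is computed consistently from the ticket data. The block below is an added example, not code from iViZ or from the deck: it computes the average closing time per severity from closed tickets and, separately, lists SLA breaches, counting still-open tickets against the clock so an unfixed critical does not silently drop out of the average. The ticket records, the severity names and the per-severity SLA targets are constructed for the example.

```python
"""Added example (not from the iViZ deck): Average Vulnerability Closing Time
and SLA breach reporting over constructed ticket data."""
from datetime import datetime
from statistics import mean

SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}   # constructed SLA targets

# Constructed sample tickets: (id, severity, opened, closed or None if still open)
TICKETS = [
    ("APPSEC-1", "critical", "2013-01-02", "2013-01-06"),
    ("APPSEC-2", "high",     "2013-01-03", "2013-02-10"),
    ("APPSEC-3", "high",     "2013-01-05", None),
    ("APPSEC-4", "medium",   "2013-01-10", "2013-01-20"),
]


def _day(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d")


def closing_times(tickets) -> dict:
    """Days from open to close for closed tickets only, grouped by severity.
    Open tickets have no closing time yet, so they are reported by sla_breaches."""
    out = {}
    for _, sev, opened, closed in tickets:
        if closed is not None:
            out.setdefault(sev, []).append((_day(closed) - _day(opened)).days)
    return out


def average_closing_time(tickets) -> dict:
    """The KPI from the slide: mean days to close, per severity."""
    return {sev: mean(days) for sev, days in closing_times(tickets).items()}


def sla_breaches(tickets, now: str, sla=SLA_DAYS) -> list:
    """Closed tickets that exceeded the SLA, plus open tickets already past it
    as of `now`. Each entry is (id, severity, age_in_days, 'open'|'closed')."""
    breaches = []
    for tid, sev, opened, closed in tickets:
        end = _day(closed) if closed else _day(now)
        age = (end - _day(opened)).days
        if age > sla[sev]:
            breaches.append((tid, sev, age, "closed" if closed else "open"))
    return breaches


if __name__ == "__main__":
    print("average closing time (days):", average_closing_time(TICKETS))
    for row in sla_breaches(TICKETS, "2013-03-01"):
        print("SLA breach:", row)
```

Reporting both figures matters: the average alone looks healthy for the sample data's criticals, while the breach list shows a high-severity ticket that has been open for 55 days.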
#4: Secure SDLC

Top Application Security Principles
 • Validate input data
 • Encode output data
 • Implement the principle of least privilege; fail securely by default
 • Protect sensitive transactions using anti-automation, challenge/response, re-authentication
 • Implement secure session management
       – Issue/reissue a new session cookie for each login, automatic session expiration etc.
 • Implement strong, known cryptographic storage. Only store data that you require.
 • Details: OWASP Secure Coding Practices Quick Reference Guide: https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
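Three of these principles (validate input, encode output, reissue the session on login and expire it automatically) are small enough to show in working code. The block below is an added example, not code from iViZ or from the deck, and is not a substitute for a framework's session layer: it is a minimal in-memory session store that issues a fresh identifier on every login so a pre-authentication identifier never becomes an authenticated one, expires sessions on both idle and absolute timeouts, and pairs that with an allow-list input validator and HTML output encoding. The timeout values, the username format and the injectable `clock` parameter are choices made for the example.

```python
"""Added example (not from the iViZ deck): session re-issue on login, automatic
expiration, allow-list input validation and output encoding, standard library only."""
import html
import re
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds without activity before a session dies (example value)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap regardless of activity (example value)


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so expiry can be tested without sleeping
        self._sessions = {}        # session id -> {"user", "created", "last_seen"}

    def _new_id(self) -> str:
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG

    def start_anonymous(self) -> str:
        sid = self._new_id()
        now = self._clock()
        self._sessions[sid] = {"user": None, "created": now, "last_seen": now}
        return sid

    def login(self, old_sid: str, user: str) -> str:
        """Re-issue the session id on authentication: the pre-login id is discarded,
        so an id that existed before login can never carry the authenticated session."""
        self._sessions.pop(old_sid, None)
        sid = self._new_id()
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def user_for(self, sid: str):
        """Logged-in user for this id, or None if unknown or expired (fail closed)."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["last_seen"] > IDLE_TIMEOUT or now - rec["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]       # automatic expiration
            return None
        rec["last_seen"] = now
        return rec["user"]

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")   # example format for an account name


def validate_username(raw: str) -> bool:
    """Allow-list validation: accept only the exact shape the application expects."""
    return USERNAME_RE.fullmatch(raw) is not None


def render_greeting(name: str) -> str:
    """Encode for the HTML text context so user-supplied data cannot inject markup."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    store = SessionStore()
    anon = store.start_anonymous()
    sid = store.login(anon, "alice")
    print("pre-login id still valid?", store.user_for(anon) is not None)
    print("post-login user:", store.user_for(sid))
    print(render_greeting("<b>alice</b>"))
```

The encoding choice is context-specific: `html.escape` is right for text inside an HTML element; data placed into a URL, a JavaScript string or a SQL query needs the encoder or parameterisation for that context instead.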
Top Steps towards Secure SDLC
 • Phase 1: Create a minimal coding and design guideline; implement, monitor and measure
 • Phase 2: Create a more advanced coding and design guideline
 • People are resistant to change and there is adoption overhead. Do not try everything in one go.
 • Select the top 20% of guidelines which will help you the most in Phase 1
 • Consider Phase 2 as your goal. Phase 1 is your step towards achieving the goal.

#5: Web Application Firewall (WAF)

WAF: pros and cons
 • Pros:
       – Protects applications with known, simplistic and common flaws
       – Provides protection even before the flaws are patched in the application
 • Cons:
       – Does not protect against new and advanced attacks or business logic flaws
       – May reduce application performance
       – May block legitimate requests if configured too strictly (false positives)
       – Does not actually fix the flaws in the code, only protects against some attacks. A WAF cannot be a substitute for secure development practices.
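Two of the cons (a WAF is blind to business logic flaws; a strict WAF blocks legitimate requests) are easiest to see side by side with the server-side check the WAF cannot perform. The block below is an added example, not code from iViZ or from the deck: a toy signature filter stands in for the WAF, and a checkout handler shows the validation that actually addresses the "Price Manipulation" and "Insufficient Server Side Validation" flaws listed earlier in the deck, namely looking the price up rather than trusting it from the client. The two rules, the catalog, the request parameters and the quantity limits are constructed for the example and are not a real WAF rule set.

```python
"""Added example (not from the iViZ deck): why a WAF cannot replace server-side
validation. A toy signature filter stands in for the WAF; the checkout handler
performs the business-logic check the WAF cannot. All requests are constructed."""
import re

# Toy WAF: block any request whose parameter values match a generic syntax
# signature. Real rule sets are far larger, but they are still matches on
# request syntax, not knowledge of the application's business rules.
WAF_RULES = [
    ("html_tag", re.compile(r"<\s*[a-z!/]", re.I)),
    ("sql_comment", re.compile(r"(--|/\*)")),
]


def waf_inspect(params: dict):
    """Name of the first rule hit, or None if the request passes the filter."""
    for value in params.values():
        for name, rx in WAF_RULES:
            if rx.search(value):
                return name
    return None


CATALOG = {"sku-100": 4999}   # constructed price list, in cents


def checkout(params: dict) -> tuple:
    """Server-side validation: the price comes from the catalog, never from the client,
    and the quantity is range-checked. Returns (verdict, detail)."""
    sku = params.get("sku")
    if sku not in CATALOG:
        return ("rejected", "unknown sku")
    try:
        qty = int(params.get("qty", "1"))
    except ValueError:
        return ("rejected", "bad quantity")
    if not 1 <= qty <= 10:
        return ("rejected", "quantity out of range")
    # A client-supplied price is only ever compared, never used.
    if "price" in params and params["price"] != str(CATALOG[sku]):
        return ("rejected", "client price does not match catalog")
    return ("accepted", CATALOG[sku] * qty)


def handle(params: dict) -> tuple:
    """WAF first, then the application. Returns ('waf', rule) or ('app', verdict, detail)."""
    hit = waf_inspect(params)
    if hit:
        return ("waf", hit)
    return ("app",) + checkout(params)


if __name__ == "__main__":
    # Constructed requests: a normal order, a tampered price, and a harmless
    # gift note that happens to contain a SQL comment token.
    for req in ({"sku": "sku-100", "qty": "2"},
                {"sku": "sku-100", "qty": "1", "price": "1"},
                {"sku": "sku-100", "qty": "1", "note": "gift -- wrap please"}):
        print(req, "->", handle(req))
```

The tampered price contains nothing a signature can match, so it reaches the application untouched and is stopped only by the catalog comparison; the innocent gift note is blocked by the comment-token rule, which is exactly the false-positive cost the slide warns about.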
Recap: 80/20 Rule: Top 5 Steps
 • #1: Identify and Classify all Apps based on Business Criticality
 • #2: Regular Testing
 • #3: Implement an efficient Patching Process
 • #4: Implement Secure SDLC/Secure Dev-Ops
 • #5: Implement a WAF for Business Critical Apps

Top Free Online Resources
 • OWASP Secure Coding Practices Quick Reference Guide: https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
 • OWASP Top 10: http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf
 • OWASP Secure Code Review Guide: https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf
 • OWASP Projects Page: https://www.owasp.org/index.php/Category:OWASP_Project

Thank You
 bikash@ivizsecurity.com
 Blog: http://bikashbarai.blogspot.in
 LinkedIn: http://www.linkedin.com/pub/bikash-barai/0/7a4/669
 Twitter: https://twitter.com/bikashbarai1