Download
1 / 32
320 likes | 599 Views
Session Overview. Web Application SecurityThe Myth and The FactsExamples of Web Application Vulnerabilities Web Application Auditing
E N D
1. Web Application Security
Presented by:
Colin English
Zerflow
3. The Myth “Our site is safe”:
We have firewalls in place
We encrypt our data
We have a privacy policy
4. Worldwide problemWorldwide problem
5. Pressures on the Application Lifecycle Time-to-Market
Bringing new applications to market quickly
Complexity is Growing
Increasing application lifecycle complexity
Increasing Business Risks Driven by Security Defects
Hacker activity increasing
Government scrutiny and regulation increasing
Liability precedents for security defects
Costs Escalate Dramatically the longer you wait to Find and Fix
Bad software costs the economy $59.5 billion a year- cost of breakdowns and repairs (Nat. Institute of Standards & Technology, May 2002) STEVE ORRIN:
We all know that there are pressures on the application lifecycle. Let’s review the facts:
Time to market demands are ever increasing – bringing new apps up quickly while not compromising their usability and ‘cool factor’ is imperative. Budgets are tight in today’s economic environment and expenses are closely monitored. Unfortunately, this doesn’t translate into a lessening of the market’s expectation for new applications. At the end of the day, the question facing most development teams is ‘How do we meet the functional specification on time with the resources available?”
Application complexity is growing – as applications grow in size complexity is added at every step. Businesses and the market expect new applications to perform, meet the functional spec, deploy quickly – and to be secure. And while the deployment pace speeds up, so does the scale and complexity of the sites the new applications are being deployed on. This increases the number and type of potential points of failure within an application --- any one of which could be the source of an enormous problem for the enterprise.
Increasing Business Risks Driven by Security Defects. As more business gets done on the web, the risks posed by security defects in deployed applications are accelerating. Hackers are increasingly active and sophisticated about how they choose and target their victims. Dealing with this threat effectively is not trivial.
Growing government scrutiny and regulations, including GLBA and HIPAA. With the increase in the value of information and assets accessible through the Web, governments around the world are creating laws and regulations to protect consumers from online fraud and theft. Compliance to U.S. laws like HIPAA and GLBA are for the first time putting the issue of application security into the CEO’s office and board rooms of the largest enterprises in the world. Failure to comply can come at an enormous cost.
And finally, recent court activity relating to liability protection for bad software has added new areas of risk for all businesses. Simply put, it doesn’t look like Caveat Emptor (buyer beware) will be sufficient to protect companies from liability claims and class action lawsuits. Enterprises must take systematic and significant measures to ensure that the applications under their domain do not directly or indirectly lead to harm of the customer or the shareholders.
Add to this the fact that cost escalates dramatically the longer you wait to find and fix defects, and it is clear things need to change
(NEXT SLIDE)
STEVE ORRIN:
We all know that there are pressures on the application lifecycle. Let’s review the facts:
Time to market demands are ever increasing – bringing new apps up quickly while not compromising their usability and ‘cool factor’ is imperative. Budgets are tight in today’s economic environment and expenses are closely monitored. Unfortunately, this doesn’t translate into a lessening of the market’s expectation for new applications. At the end of the day, the question facing most development teams is ‘How do we meet the functional specification on time with the resources available?”
Application complexity is growing – as applications grow in size complexity is added at every step. Businesses and the market expect new applications to perform, meet the functional spec, deploy quickly – and to be secure. And while the deployment pace speeds up, so does the scale and complexity of the sites the new applications are being deployed on. This increases the number and type of potential points of failure within an application --- any one of which could be the source of an enormous problem for the enterprise.
Increasing Business Risks Driven by Security Defects. As more business gets done on the web, the risks posed by security defects in deployed applications are accelerating. Hackers are increasingly active and sophisticated about how they choose and target their victims. Dealing with this threat effectively is not trivial.
Growing government scrutiny and regulations, including GLBA and HIPAA. With the increase in the value of information and assets accessible through the Web, governments around the world are creating laws and regulations to protect consumers from online fraud and theft. Compliance to U.S. laws like HIPAA and GLBA are for the first time putting the issue of application security into the CEO’s office and board rooms of the largest enterprises in the world. Failure to comply can come at an enormous cost.
And finally, recent court activity relating to liability protection for bad software has added new areas of risk for all businesses. Simply put, it doesn’t look like Caveat Emptor (buyer beware) will be sufficient to protect companies from liability claims and class action lawsuits. Enterprises must take systematic and significant measures to ensure that the applications under their domain do not directly or indirectly lead to harm of the customer or the shareholders.
Add to this the fact that cost escalates dramatically the longer you wait to find and fix defects, and it is clear things need to change
(NEXT SLIDE)
7. Application Security Defects Frequent
3 out of 4 business websites are vulnerable to attack (Gartner)
Pervasive
75% of hacks occur at the Application level (Gartner)
Undetected
QA testing tools not designed to detect security defects in applications
Manual patching - reactive, time consuming and expensive
Dangerous
When exploited, security defects destroy company value and customer trust
STEVE ORRIN:
All of this should lead you to demand better application security. But, if you still need more facts, lets review some more data points:
Web application attacks are now more frequent. In Q1 2002, Sanctum found serious security defects in applications in 100% of the commercial sites we audited;
The attacks are more expensive to recover from. Costs to patch are high, and the cost of a lost reputation is impossible to quantify.
The attacks are more pervasive. A F50 Sanctum customer found serious security defects in over 700 of its deployed applications
Finally, the attacks are growing more dangerous, and they usually go undetected.
When we look closer at what was actually able to be manipulated on the sites we audited, it is quite scary. In 31% of the sites, full control and access was achieved. In 25% of the sites, privacy was breached, and in 3% of the sites, the entire site was able to be deleted. These are serious problems.
Next slide
STEVE ORRIN:
All of this should lead you to demand better application security. But, if you still need more facts, lets review some more data points:
Web application attacks are now more frequent. In Q1 2002, Sanctum found serious security defects in applications in 100% of the commercial sites we audited;
The attacks are more expensive to recover from. Costs to patch are high, and the cost of a lost reputation is impossible to quantify.
The attacks are more pervasive. A F50 Sanctum customer found serious security defects in over 700 of its deployed applications
Finally, the attacks are growing more dangerous, and they usually go undetected.
When we look closer at what was actually able to be manipulated on the sites we audited, it is quite scary. In 31% of the sites, full control and access was achieved. In 25% of the sites, privacy was breached, and in 3% of the sites, the entire site was able to be deleted. These are serious problems.
Next slide
