How to Overcome the 5 Barriers to Production App Security Testing

How To Overcome the 5 Barriers To Production App

Security Testing

Chris Harget - Product Marketing

Sameer Dixit - Managed Services

Or…

5 Reasons You’re Not

Monitoring Production Apps For Vulnerabilities…

…and 7 Reasons You Really Should

3

Agenda

Cenzic, Inc. - Confidential, All Rights Reserved.

Why You’re Not Scanning

Why You Should

Overcoming Barriers

How Cenzic Managed Services Can

4

1. You Use SAST Tools In Development


• Good first step

• Efficient for some remediations

• Teaches Developers best practices

• Commonly accepted method

• Insufficient = False sense of security

5

2. Production Team Afraid of Down Time


• Production Team measured by up time

• If it’s not broke, don’t fix it

• Security Analyst needs Production Buy-In to actively monitor production environments

6

3. Production Team May Not Have Skill Set


• Depends on team • Mostly made up of guys who plan

and manage patches, maintain hardware, and rollout new systems.

• If they’re not comfortable…they will

resist

7

4. Confusion Over Whose Budget Pays


• Is this Developers’ budget? • They built it, unless it’s outsourced

• Is it Security Analysts’ budget?

• It’s security…and development and production…

• Is it Production budget? • They run it.

8

5. You Haven’t Gotten Around To it Yet


• Even if everyone agrees it should be done…it has to become a priority

• Like brushing teeth…you can skip it, but eventually there’ll be a hole.

• Gets deferred.

9

5 Barriers To Monitoring Production Apps


1. You use SAST tools in Development

2. Production team afraid of down time

3. Production team may not have skill

set

4. Confusion over whose budget pays

5. You haven’t gotten around to it yet

…And 7 Reasons You Really

Should

11

1. Some Vulnerabilities Can't Be Found by SAST


• Search Strings might miss them

• May only appear in run-time environment

• May be on web server or framework • QA & Production environment may not

be identical (especially DBs)

12

2. New Vulnerabilities Discovered Daily


• >5,200 Web app vulnerabilities discovered…so far

• ~1,090 discovered last year

• Odds are, hundreds more will be discovered while your apps are in production.

13 Cenzic, Inc. - Confidential, All Rights Reserved.

3. Production Apps Are The Biggest Risk

600+ Million Web Sites <10% of the

applications in

development

or in QA stage

>90%

applications are

in production

and deployed

At Greatest Risk!

Vulnerability Testing Must Monitor Run-Time Environments

14

4. Some Vulnerabilities Cause Downtime


• Buffer Overflow

• Downs app & can give shell access

• XSS

• Can insert javascript to the web server

100's of times for each user and

spread like a virus

• SQL injection

• Drop tables, remove users, dump

database

• About 110 other types of attacks that can

lead directly to production downtime

15

5. Effective Automated Attacks


• Blackbox testing + Cenzic experts • Designed to emulate what attackers do on your

site, but safer

• Cenzic has 10+ years helping enterprises

and SMB’s protect Production Apps

• Tools and services can find vulnerabilities with minimized risk to application uptime and data

16

6. Tightly Integrate WAF to Monitoring


• Cenzic integrates with leading Web App Firewalls

• As few as two-clicks to approve/enact a policy & virtually patch app vulnerability

• Faster remediation => More Secure

+

Identify Risk

Mitigate

Risk

=

=

17

7. Managed Services For Key Apps


• Production Team = Security Team

• Priority Apps deserve specialists

• Frees Production Team To: • Receive results • Manage patches (virtual or code

refresh) • Maximize uptime

18

Overcoming Barrier 1


1. You use SAST tools in Development

• But that’s not a complete solution

• Some vulnerabilities require real-

time scanning

• New vulnerabilities discovered all

the time

19



2. Production team afraid of down time

• …and vulnerable apps can increase

downtime.

• You patch other bugs in Production

• Monitoring can be done fairly safely

20



3. Production team may not have skill set

• Cenzic Managed Service can cover it

until your team gets the skills

• Cenzic takes care of F100 customers

for Production Monitoring

21



4. Confusion Over Who Pays

• Whoever has the most budget

• Production…probably

22



5. You haven’t Got Around To It Yet

• It’s important

• It’s relatively safe

• It’s easy

• Production can probably afford it

23

A Few…


24

What's Best Form Factor For You?


Low-Risk Apps High Priority Apps

Under-resourced,

broad-duties Security

Analysts

Cloud (self-service)

Production Scanning

Managed Service

Production Scanning

Sizeable, Focused

Security Analyst

Group

Cloud or Software

Production Scanning

Software or Managed

Service Production

Scanning

25

What's Important To Success


• Consistent Detection Accuracy • Erratic technicians or ad hoc tools

can mask changes in security posture

• Quality of Service • Production Teams benefit from

vulnerability monitoring managed services that meet high standards

26

Monitoring Available 24x7


• Frequent Assessments = shorter vulnerability windows

• Reports should include trend data and ranking of vulnerabilities for easy response

• Vulnerabilities should be time-stamped so you know report was actually run that week.

27

What's Important To Success?


• Options To Evolve • Managed Service might be great

way to start. Self-service Saas, software, or service/software hybrid might make sense in the long run.

• Scalability • Start with key apps, scale to all

apps

28

Choosing Vendor By References


• Services harder to rate than software. • (People)*(Software)= Results

• Talent doesn’t scale well • Look for best-in-class software

• Look for excellent customer survey results

29

Cenzic Can Help


• Cenzic is a leading provider of Web Application Production Scanning as a Managed Service. • 10+ Years • Leverages patented Hailstorm™

engine for more consistently accurate and efficient results

• Large and happy customers

30

How Cenzic Can Help


• We Do It All • Cenzic is the only vendor who

offers you excellent software, or excellent managed services leveraging our excellent solutions

• Evolve wherever you want with Cenzic

31

Customers Rate Cenzic Higher


• 2013 Gartner surveyed App Security Testing Customers

• ONLY Cenzic scored high marks from customers in Accuracy, Service, Support and Overall Satisfaction

• Cenzic provides the best services!

Managed Services Offerings – At-a-Glance


Bronze Silver Gold Platinum Industry Best-Practices for

Brochureware sites

Industry Best-Practices for forms and login protected

sites

Compliance for sites with user

data

Comprehensive scans for Mission

critical applications

Phishing X X X x

Light input validation X X X

x

Data Security X X X x

Session management X X

x

OWASP compliance X

x

PCI compliance X x

Business logic testing

x

Application logic testing

x

Manual penetration testing

x


Pre-production &

App Development Production

Partner /

Supply Chain

Enterprise Application Security

Complete Enterprise Security by Cenzic

34

Application Security for Web, Web Services & Mobile

How to Overcome the 5 Barriers to Production App Security Testing

Technology

production apps cenzic

production budget

development cenzic

sast cenzic

production monitoring

production downtime

production environments

skills cenzic