WEB APPLICATION Q.A. - Ensuring Secure & Compliant Web Services - YOUR LAST LINE OF DEFENSE
Anthony Lim MBA CISSP FCITIL
Director Asia Pacific, Watchfire
IBM Rational, Singapore www.watchfire.com
© 2007 IBM Corporation
© 2007 IBM Corporation IBM Confidential
Prolog: Watchfire – Situation of the world today
■ HIGH DEPENDENCE ON INTERNET AND WEB SERVICES TODAY
– For work, leisure and communications
– Intranets, Extranets, SOA
• B2B, SCM, CRM, ERP, membership portals, e-Government services
– B2C, C2C (Yahoo, Amazon, eBay) – shopping and transactions
• Internet banking, E*Trade, theater tickets, travel reservations, web mail, gaming…
– Community Portals / Social Networking – Google, MySpace, YouTube, blogs!
■ NO TANGIBLE PROTECTION FOR WEB APPLICATIONS TODAY
– Firewalls, IPS, SSL and other network security devices do not stop web traffic
– Hackers specifically target web services / applications / sessions today to try to steal or compromise information and databases
■ SECURITY PEOPLE DO NOT USUALLY HAVE SDLC EXPERIENCE
– Software developers do not usually want to have anything to do with security
State of the Application Security Market
BJ's Settles Case with FTC over Customer Data
FTC alleges weak security at wholesale club led to fraudulent sales valued in the millions
June 17, 2005 -- After credit card data for thousands of customers was used to make fraudulent purchases in other stores, BJ's Wholesale Club Inc. has agreed
Visa, Amex Cut Ties with CardSystems
July 19, 2005 -- Visa USA Inc. and American Express Co. are cutting ties with the payment-processing company that left 40 million credit and debit card accounts vulnerable to hackers in one of the biggest breaches of consumer data
Massive Security Breach Reveals Credit Card Data
Jan 18, 2007 -- The TJX Companies, a large retailer that operates more than 2,000 retail stores under brands such as Bob’s Stores, HomeGoods, Marshalls, T.J. Maxx and A.J. Wright, said on Wednesday that it suffered a massive computer breach on a portion of its network that handles credit card, debit card, check and merchandise transactions in the United States and abroad.
CNBC's Easy Money
BusinessWeek uncovers that the cable channel's own design flaw may be behind the investigation into its million-dollar stock-picking contest
USDA admits data breach, thousands of social security numbers revealed
Thursday, 17 April 2007 (AXcess News) Washington - The US Department of Agriculture (USDA) admitted that a security breach allowed social security and other personal information of over 63,000 recipients of federal farm loans to be made available on a public website in violation of Federal privacy laws.
The Security Journey Continues
• New and More …
• Applications
• Services
• Systems
-> Vulnerabilities
-> Hacking methods
-> Viruses, Worms, RATs (Trojans, Spyware)
-> GOVERNANCE & COMPLIANCE!
NEW AREAS OF IT SECURITY WEAKNESS ARISE ALL THE TIME
Sheer Volume of Applications Keeps You From Getting Ahead of the Problems
1. Security Team Has Become a Bottleneck
2. Lack of Control and Visibility
3. Catching Problems Late in the Cycle
4. Not Monitoring Deployed Applications
5. Difficulty Managing 3rd Party Vendors
Have to do more with less, still; risk is high, accountability is prevalent
The Myth: “Our Site Is Safe”
We Have Firewalls in Place
– Ports 80 & 443 are open for the right reasons
We Use Network Vulnerability Scanners
– Neglect the security of the software on the network/web server
We Audit It Once a Quarter with Pen Testers
– Applications are constantly changing
We Use SSL Encryption
– Only protects data between site and user, not the web application itself
SO WHY ARE THESE HAPPENING? Don’t they already have firewalls etc?
Real Example: Parameter Tampering – Reading another user’s transaction (insufficient authorization)
Another customer’s transaction slip is revealed, including the email address
Parameter Tampering - Reading another user’s invoice
The same customer invoice that reveals the address and contact number
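The insufficient-authorization flaw behind the two screenshots above, as an added example (not code from the original deck or from Watchfire): a vulnerable lookup that trusts the client-supplied transaction id beside a hardened one that scopes the lookup to the session user. The data store, function names and status-code mapping are assumptions constructed for the demo.

```python
# Added example (not from the original slide deck): the "parameter tampering"
# case above, where a transaction id taken from the request is used to look
# up a record without checking that it belongs to the logged-in user.
# The data store and function names are assumptions constructed for this demo.

# Constructed sample data: transaction id -> record. In a real application
# this is a database table; the ids are guessable integers, as in the example.
TRANSACTIONS = {
    1001: {"owner": "alice", "amount": 120.00, "email": "alice@example.com"},
    1002: {"owner": "bob", "amount": 75.50, "email": "bob@example.com"},
}

class Forbidden(Exception):
    """Raised when a user asks for a record they are not authorised to see."""

def get_transaction_vulnerable(session_user, txn_id):
    """Insufficient authorization: the only input selecting the record is the
    client-supplied id. Any logged-in user who changes ?id=1001 to ?id=1002
    receives another customer's transaction slip, e-mail address included."""
    return TRANSACTIONS.get(txn_id)

def get_transaction_hardened(session_user, txn_id):
    """Authorization check: the record is selected by (id, owner), where the
    owner comes from the server-side session, never from the request. A
    mismatch is handled exactly like a missing record, so the response does
    not reveal whether another customer's id exists."""
    record = TRANSACTIONS.get(txn_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden(f"user {session_user!r} may not read transaction {txn_id}")
    return record

def handle_request(handler, session_user, query):
    """Minimal request front-end: parse ?id=... as the tampered parameter
    arrives, call the lookup, and map the outcome to an HTTP-style status."""
    try:
        txn_id = int(query.get("id", ""))
    except ValueError:
        return 400, None
    try:
        record = handler(session_user, txn_id)
    except Forbidden:
        return 403, None  # worth logging: bursts of 403s on sequential ids
    return (200, record) if record is not None else (404, None)

if __name__ == "__main__":
    # bob is logged in and changes the id in the URL to alice's transaction
    print(handle_request(get_transaction_vulnerable, "bob", {"id": "1001"}))
    print(handle_request(get_transaction_hardened, "bob", {"id": "1001"}))
```

Run as-is, the vulnerable handler hands bob alice's slip with a 200, while the hardened handler answers 403 for both a foreign id and a non-existent one.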
The Fact: Attacks are targeted at a new area
Sources: Gartner, IDC, Watchfire
[Chart] Web Applications: 75% of attacks, 10% of dollars; Network / Server: 25% of attacks, 90% of dollars (security spending on infrastructure and services)
In an organization, IT Security people and developers are poles apart
Web Application Hacks are a Business Issue
Application Threat | Negative Impact | Potential Business Impact
Forceful Browsing / SQL Injection | Unauthorized Site/Data Access | Read/write access to customer databases; misdirect customers to bogus site
Parameter Tampering | Fraud, Data Theft | Alter distributions and transfer accounts
Stealth Commanding | Access O/S and Application | Access to non-public personal information, fraud, etc.
Cross Site Scripting | Identity Theft | Larceny, theft, customer mistrust
Debug Options | Admin Access | Unauthorized access, privacy liability, site compromised
Hidden Fields | Site Alteration | Illegal transactions
Cookie Poisoning | Session Hijacking | Larceny, theft
Buffer Overflow | Denial of Service (DoS) | Site Unavailable; Customers Gone
Regulation & Compliance: SARBANES-OXLEY, HIPAA, BASEL II …
■ It is part of doing business
■ Business Continuity
■ An environment of TRUST
– For doing business
– Ensure orderliness in the Internet world
– Promote economic growth
■ More than just Confidentiality, Integrity and Availability
■ Privacy
– 3rd Party Customer Data
Governance addresses Web Application Security
Example: PCI – BEST PRACTICE BECOMES STANDARD BECOMES LAW (BY 06-2008)
■ Visa’s PABP, Payment Application Best Practices – a list of auditable statements regarding the secure development, deployment, and documentation of cardholder data processing software – is being converted to a new PCI security standard: PASS, Payment Application Security Standard.
■ Requirement 11.2: Run internal and external vulnerability scans
– At least quarterly
– After any significant change in network
■ Requirement 11.3: Perform penetration testing at least once a year
– 11.3.1 Network-layer penetration tests
– 11.3.2 Application-layer penetration tests
■ Requirement 6: Develop and maintain secure systems and applications
– Requirement 6.6: Ensure that all web-facing applications are protected against known attacks by having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
Why would anyone want to attack a web site?
Info Security Landscape
[Diagram] Desktop – Antivirus Protection; Transport – Encryption (SSL); Network – Firewalls / Advanced Routers; Web Applications – Application Security
[Diagram] Web application tier: Firewall -> Web Servers -> Application Servers -> Databases / Backend Server
Security Testing Within the Software Lifecycle
[Diagram] SDLC: Coding -> Build -> QA -> Security -> Production (Developers)
Watchfire Acquisition Rationale
Security and compliance integrity risks have serious adverse impacts on a company’s identity, customer relations and business results.
We are strengthening the IBM security management portfolio by acquiring an industry-leading provider of application security and compliance testing solutions to offer a complete end-to-end security solution across Rational, Tivoli and Global Services.
■ 75% of the cyber attacks today are at the application level with only 10% of security spend [1]
■ 80% of organizations will experience an application security incident by 2010 [2]
■ Internal security attacks cost US business $400 Billion per [3]
■ 64% of CIOs feel that the most significant challenge facing IT organizations is Security, Compliance and Data Protection [4]
[1, 2] Watchfire analysis with analyst support
[3] CSI/FBI Survey 2005
[4] IBM Service Management Market Needs Study, March 2006
IBM Rational & Watchfire Product Synergy
[Diagram] SDLC: Requirements -> Design -> Code -> Build -> QA -> Security -> Compliance
Watchfire: AppScan & AppScan Enterprise; AppScan QA & ASE Integration; ASE QuickScan; WebXM (Privacy, Quality, Accessibility)
IBM Rational: RequisitePro; ROSE, RAM, Software Architect; RAD, ClearCase, Build Forge; CQ, CQTM, RFT, RPT
Rational Software Quality Solutions
[Diagram] SOFTWARE QUALITY SOLUTIONS spanning BUSINESS, DEVELOPMENT and OPERATIONS
Test and Change Management (Requirements, Test, Change, Defects): Rational RequisitePro, Rational ClearQuest
Test Automation:
– Developer Test: Rational PurifyPlus, Rational Test RealTime
– Functional Test (Automated): Rational Functional Tester Plus, Rational Functional Tester, Rational Robot
– Functional Test (Manual): Rational Manual Tester
– Performance Test: Rational Performance Tester
– Security and Compliance Test: AppScan, WebXM
Quality Metrics: Project Dashboards, Detailed Test Results, Quality Reports
Watchfire Company Overview
■ Who are we:
– IDC & Gartner: market leader in application security for 2005 and 2006
– Provider of application security and compliance software and services
– Nearly 1000 companies rely on Watchfire
■ Background:
– 200 employees, headquarters Boston, MA
– Created the first commercially-packaged application security testing product
– Products include:
• Application security solutions – AppScan
• Privacy, quality and compliance solutions – WebXM
#1 in Market Share for Application Security – Gartner & IDC (twice)
Best Security Company
Nearly 1000 Companies Depend On Watchfire
– 8 of the Top 10 Technology Brands
– 7 of the Top 10 Pharma / Clinical Companies
– Multiple Large Government Agencies (Veteran’s Affairs, Navy, Army, Air Force, Marines)
– 9 of the Top 10 Largest U.S. Retail Banks
Large, Complex Web Sites; Extensive Customer Data; Highly Regulated; High User Volume
Security Industry Leaders use and/or work with Watchfire solutions in their work
[Logos] Consultants and Researchers; Technology Companies (EDS, more …)
Conclusion: Application QA for Security
■ The Application Must Defend Itself
– You cannot depend on firewall or infrastructure security to do so
■ Bridging the GAP between Software Development and Information Security
■ Never before was QA Testing for Security integrated and strategic, until now
■ We need to move security QA testing back to earlier in the SDLC
– At the production or pre-production stage it is late and expensive to fix