“The results were both stunning and deeply puzzling. The connections between various software security controls and SDLC behaviors and the vulnerability outcomes and breaches is far more complicated than we ever imagined.”
“The question we were left with is: Why do we see such widely disparate answers in the exact same industries? How do some organizations effectively manage their change control policies and regulatory obligations so as not to be slowed down while others are severely challenged?”
Again, perhaps what works is a combination of factors. Perhaps that factor is the amount of pre-production security testing.
OWASP
One size does not fit all!
• Surveys/Reports cover organizations across industries
• Do not take into account the nature of the organization’s current web app situation – vendor, in-house, legacy, COTS, etc.
• Do not take into account current level of maturity
• Try to draw general conclusions from average/sum of all data
• May not support your coding platform
• Not able to handle large codebases
Positives
• Can scan incrementally
• Allows custom sanitization functions to be configured
• Allows false positives to be marked
• Exports data into Excel for easy tracking
• Has extensive knowledge base
• Pin-points exact location
A Telco
Case studies
Background
• Large Telco
• On-going Appsec assessments
• On-going SCR
• Periodic penetration tests
• Development done by vendors
• WAF implemented since a year, but…
Statistics
[Chart: open vulnerabilities per assessment (Sep-12, Jan-13, May-13, Jun-13, Aug-13); series: Sum of High, Sum of Medium; y-axis 0–400]
The number of vulnerabilities is stable – no significant trends emerge! Why?
Note: this is a vulnerability tracker, so the issues counted are open issues, not rediscovered issues.
Analysis
• Vendor delays in fixing the issues
• Multiple reassessments lead to issues remaining open and overlapping in subsequent assessments
• High level of exposure on the Internet
• Multiple approaches adopted and strong focus on appsec in recent times
• WAF implementation remains a challenge
WAF Challenges
WAF Right Approach
• Understanding of the Applications that will be integrated with WAF
• Enabling the right security policies for the application
• Testing the alerts and violations for identifying the false positives
• Involvement of the development team to verify the URLs learnt, alerts and violations, and to report on mitigation, application changes, and broken links & references
WAF Implementation Mistakes
• Not changing the default error page of WAF
• Not informing about the changes that happen in the application code
• Not checking the broken link and broken references
• Not fine-tuning the web directory and web URLs
• Keeping the WAF in monitoring mode without a defined plan for migration to block mode
Summary of the Options Exercised
Options compared across the four case studies (Dotcom, BFSI, IT, Telco):
• Annual VAPT
• Round-the-clock assessments
• SCR – tool
• SC guidelines
• Threat modeling
• WAF
• SC training
• Appsec tools
• Security frameworks in use
• Vulnerability management
So…
Where do we go now?
Strategic Options / 1
If you have all your development done in-house, and if your team is relatively stable, then:
• Embed security into the SDLC by beginning with on-going assessments
• Source code reviews
• Have someone manage the SCR tool output
• Training
• Development of secure coding guidelines
• Development/embedding of a security framework
Strategic Options / 2
If you have many complex, heterogeneous systems, some from vendors, some in-house, then:
• Same strategy as #1, plus…
• Strong vendor management processes for meeting security objectives
• WAF
Strategic Options / 3
If all your applications are from vendors, and if you have limited budgets, then:
• On-going assessments
• But eventually…
Strategic Options / 4
If you are a vendor, then:
• Do everything! Seriously, is that even a question?
• Pre-hiring checks
• Training – after hiring and periodically thereafter
• Secure coding guidelines
• Security frameworks
• Threat modeling
• Grey-box assessments
• Source code reviews – embed SCR into the IDE
• Include # of security bugs in developer appraisals
• Incentivize security innovation
• Internal & external marketing, nay, evangelism!
• # of issues per application – trend over time
• # of issues by vendor
• Time taken to fix issues
• # of issues by source (grey-box, external PT, source code review, etc.)
• See what works and what doesn’t for your organization
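As an added example (not from the deck), a small Python script that derives these metrics from a constructed vulnerability-tracker export: open High/Medium counts per assessment date (the kind of trend the Telco chart plots), counts by vendor and by source, mean time to fix, and open issues that have outlived a fix SLA. The tracker rows, vendor names and SLA value are hypothetical.

```python
from collections import Counter
from datetime import date

# Constructed sample tracker rows (hypothetical data, not the deck's own):
# (id, severity, vendor, source, opened, closed); closed=None means still open.
ISSUES = [
    ("V1", "High",   "VendorA", "grey-box",           "2012-09-01", "2013-02-15"),
    ("V2", "High",   "VendorB", "external PT",        "2012-09-01", None),
    ("V3", "Medium", "VendorA", "source code review", "2013-01-10", "2013-01-30"),
    ("V4", "Medium", "VendorB", "grey-box",           "2013-01-10", None),
    ("V5", "High",   "VendorB", "grey-box",           "2013-05-05", None),
]

def _d(s):
    return date.fromisoformat(s) if s else None

def open_at(issues, when):
    """Issues still open on `when`: opened on or before it and not yet closed.
    This counts open issues, not rediscoveries, as a tracker does."""
    w = _d(when)
    return [i for i in issues if _d(i[4]) <= w and (i[5] is None or _d(i[5]) > w)]

def open_by_severity(issues, when):
    return dict(Counter(i[1] for i in open_at(issues, when)))

def open_trend(issues, assessment_dates):
    """Open count per severity at each assessment date; a flat line means
    fixes are not keeping pace with reassessments."""
    return {d: open_by_severity(issues, d) for d in assessment_dates}

def issues_by(issues, field):
    """Count all findings by vendor or by source (grey-box, external PT, SCR...)."""
    idx = {"vendor": 2, "source": 3}[field]
    return dict(Counter(i[idx] for i in issues))

def mean_days_to_fix(issues, vendor=None):
    """Average open-to-close time over closed issues, optionally for one vendor."""
    days = [(_d(i[5]) - _d(i[4])).days for i in issues
            if i[5] and (vendor is None or i[2] == vendor)]
    return sum(days) / len(days) if days else None

def sla_breaches(issues, when, sla_days):
    """Ids of open issues older than the agreed fix SLA as of `when`."""
    w = _d(when)
    return [i[0] for i in open_at(issues, when) if (w - _d(i[4])).days > sla_days]
```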
Vendor Management
• SLAs for fixing security bugs
• Service credits for bugs found
• Enforcing security assessments by the vendor
• Enforcing adoption of SDL by the vendor
Open Questions…
• Outsource vs. in-house security assessment
• Legacy apps – orphaned
• Level of enforcement at the vendor’s end
• Procure tool vs. Security as a Service
• Business logic issues
• Bug bounty program
Any Questions?
Thank You!
Take the Survey! http://niiconsulting.com/surveys/wass/index.php