Roadmap
Joe White
joe@cyberlocksmith.com
Cyberlocksmith
April 2008
Version 0.9
Background
• Web application security is still very much in its infancy.
• You have been assigned ownership of web application security and you
are wrestling with prioritizing and scoping the challenges ahead of
you.
• Let you know that you are not alone and that many other security
professionals are wrestling with similar web application security
concerns and issues.
• Offer a roadmap for your next steps that will build the confidence of
your peers and management in your abilities to manage web
application security risk.
• Ensure that you understand the current industry ‘best practices’ for
securing web applications.
Build a foundation
• Address Web Application vulnerabilities
• Monitor/detect Web Application compromise attempts
• Decide upon threat classification framework and scoring model
• Develop Web Application Incident Response plan
______________________________________________________
• Scope/prioritize internal Web Application specific projects
Internal projects
• Proactively increase security awareness
• Threat Modeling (TM) and Data Flow Diagrams (DFDs)
• Manual Code Review (outside expert)
• Other possible Roadmap items to consider
Find Web Application vulnerabilities
• Automated component
• Choose the automated web application security assessment tool that works
best with your web application technology.
• Make sure you are addressing all internet-facing web application exposure.
• Deploy a static source code analysis tool to scan for security vulnerabilities
within the source code.
• Manual component
• Manual web application security assessment is required to complement the
automated assessment above.
• Work to better educate manual assessment teams on how your web
application functions so they can better detect logic flaws and other pieces
likely to be missed by automated scans.
• Integrate both peer code review and manual review of the static source
code analysis results into your development life cycle.
Build a foundation
Find Web Application vulnerabilities - 2
Build a foundation
Find Web Application vulnerabilities - 3
Build a foundation
Address Web Application vulnerabilities
Build a foundation
Address Web Application vulnerabilities - 2
Honorable mention
• Fortify Real-Time Analysis (RTA) (Formerly called Fortify Defender)
(www.fortifysoftware.com)
Build a foundation
Address Web Application vulnerabilities - 3
Build a foundation
Detect Web Application compromise attempts
• Deploy Web Application Firewall (WAF)
Build a foundation
What is a Web Application Firewall?
Build a foundation
Where Web Application Firewall fits into traditional deployment architecture.
Build a foundation
Traditional network layer security is blind to application layer threats
Build a foundation
Web Application Firewall Use Cases
(Ivan Ristic’s Blog, ModSecurity author)
http://www.modsecurity.org/blog/archives/2008/03/web_application_4.html
Build a foundation
Detect Web Application compromise attempts
• Deploy Web Application Firewall (WAF)
• You cannot protect what you cannot see.
Build a foundation
Detect Web Application compromise attempts
• Deploy Web Application Firewall (WAF)
• You cannot protect what you cannot see.
http://imgs.xkcd.com/comics/exploits_of_a_mom.png
Build a foundation
Detect Web Application compromise attempts
• Deploy Web Application Firewall (WAF)
• You cannot protect what you cannot see.
• You will need greater visibility into application layer traffic.
• This is usually the piece that traditional operations security folks do not
understand.
• WAF should monitor and detect application anomalies and compromise
attempts from users.
• WAF offers greater visibility into application security events.
• As WAF market matures, you can expect the WAF to be fed real-time
vulnerabilities by your web application security assessment tool in order to
proactively block newly discovered attacks.
• The tricky part here is that you will likely need the help of the traditional
operations security guys in order to successfully deploy your WAF into
production environment.
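As an added illustration of the application-layer visibility a WAF gives you (example code written for this page, not from the deck or from ModSecurity), the script below parses constructed access log lines, URL-decodes each request the way the application would see it, and scores it against a few signature rules in the anomaly-scoring style ModSecurity uses; the rule names, scores and threshold are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed access log lines (not real traffic); the second and third carry
# the kind of injection attempt a WAF should surface, the fourth is a benign
# apostrophe that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2008:10:01:02 +0000] "GET /students?name=Robert HTTP/1.1" 200 512
10.0.0.7 - - [12/Apr/2008:10:01:09 +0000] "GET /students?name=Robert%27%29%3B+DROP+TABLE+Students%3B-- HTTP/1.1" 500 217
10.0.0.9 - - [12/Apr/2008:10:02:14 +0000] "GET /search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 1033
10.0.0.5 - - [12/Apr/2008:10:03:00 +0000] "GET /students?name=O%27Brien HTTP/1.1" 200 480
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})\b')

# Assumed rules: (name, pattern applied to the decoded request, anomaly score).
# Scores accumulate per request, as in ModSecurity's anomaly-scoring mode.
RULES = [
    ("sqli_stacked_statement", re.compile(r"(--|;)\s*(drop|delete|insert|update|union)\b", re.I), 5),
    ("sqli_quote_terminator", re.compile(r"'\s*\)?\s*;"), 3),
    ("xss_script_tag", re.compile(r"<\s*script\b", re.I), 5),
]
THRESHOLD = 5  # assumed: flag a request once its accumulated score reaches this

def analyse_line(line):
    """Parse one log line; return a dict with the decoded path and its anomaly score."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote_plus(m.group("path"))  # inspect what the application would see
    hits = [(name, score) for name, rx, score in RULES if rx.search(decoded)]
    total = sum(score for _, score in hits)
    return {"ip": m.group("ip"), "path": decoded, "status": int(m.group("status")),
            "rules": [name for name, _ in hits], "score": total,
            "flagged": total >= THRESHOLD}

def detect(log_text):
    """Return only the requests whose anomaly score crosses the threshold."""
    parsed = (analyse_line(line) for line in log_text.splitlines())
    return [r for r in parsed if r and r["flagged"]]

if __name__ == "__main__":
    for event in detect(SAMPLE_LOG):
        print(event["ip"], event["score"], event["rules"], event["path"])
```

Traditional network-layer monitoring sees only the four GETs; the decoded path and the per-request score are exactly the visibility the slides are asking for.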
Build a foundation
Decide upon threat classification framework
Build a foundation
Develop Web Application Incident Response plan
Build a foundation
Scope/prioritize internal Web Application specific projects
Ideally, you should try to build the general foundation for web application
security as referenced in the prior slides before addressing the sample internal
projects listed below.
If necessary you can do them concurrently, but understand that you will need to
build a strong web application security foundation as soon as possible in order to
be successful.
Internal projects
Increase security awareness
• Developer Training
• Java black belt (http://www.javablackbelt.com/)
• Online development courses
• Recurring Presentations/events
Internal projects
Threat Modeling and Data Flow Diagrams
Threat Modeling
• Understand all entry and exit points into the web application
• Understand threat scenarios
• Understand ‘trust boundaries’ in the application
• Understand most likely data to be targeted by attackers
• Know your ‘crown jewels’
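The threat-modeling bullets above, worked as an added example that is not part of the deck: a small data-flow model in which the trust zones, flows, data classes and scoring weights are all constructed, used to list trust-boundary crossings, separate entry points from exit points, and rank the crossings by the crown jewels they carry.

```python
# Constructed data-flow model for illustration; zones, flows, data classes
# and weights are assumptions, not from the deck.

# Trust zones, least trusted first; a flow between two different zones
# crosses a trust boundary.
ZONES = {"internet": 0, "dmz": 1, "app": 2, "db": 3}

# Crown jewels: data classes weighted by how badly their compromise would hurt.
DATA_WEIGHT = {"card_number": 5, "session_token": 3, "catalog": 1}

# Flows: (source zone, destination zone, channel, data classes carried)
FLOWS = [
    ("internet", "dmz", "HTTPS /login", ["session_token"]),
    ("internet", "dmz", "HTTPS /catalog", ["catalog"]),
    ("dmz", "app", "HTTP /api/checkout", ["card_number", "session_token"]),
    ("app", "db", "JDBC orders", ["card_number"]),
    ("app", "app", "in-process cache", ["catalog"]),  # no boundary crossed
]

def boundary_crossings(flows, zones=ZONES):
    """Flows whose endpoints sit in different trust zones."""
    return [f for f in flows if zones[f[0]] != zones[f[1]]]

def entry_points(flows, zones=ZONES):
    """Crossings that carry data into a more trusted zone (attacker entry points)."""
    return [f for f in boundary_crossings(flows, zones) if zones[f[1]] > zones[f[0]]]

def exit_points(flows, zones=ZONES):
    """Crossings that carry data out toward a less trusted zone (leak paths)."""
    return [f for f in boundary_crossings(flows, zones) if zones[f[1]] < zones[f[0]]]

def prioritise(flows, zones=ZONES, weights=DATA_WEIGHT):
    """Rank crossings: crown-jewel weight carried, multiplied by how close the
    source sits to the untrusted edge (a constructed scoring, not a standard)."""
    ranked = []
    for src, dst, channel, data in boundary_crossings(flows, zones):
        sensitivity = sum(weights.get(d, 0) for d in data)
        exposure = len(zones) - zones[src]  # internet-facing sources score highest
        ranked.append((sensitivity * exposure, channel))
    return sorted(ranked, reverse=True)

if __name__ == "__main__":
    for score, channel in prioritise(FLOWS):
        print(score, channel)
```

The ranked list is the review order for the manual assessment and code review items elsewhere on the roadmap: the checkout flow carrying card numbers lands on top even though it is not directly internet-facing.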
Internal projects
Manual code review (outside expert)
• Manual line-by-line code review for all application code by a Subject Matter
Expert (SME) in your application technology.
Internal projects
Other possible Roadmap items to consider
• Anti-Phishing
• Companies/services offer focused defense against targeted phishing and
other attacks on your organization’s brand name.
• These brand protection services are great to have in advance but can
usually be ramped up quickly after targeted attacks are discovered.
• Security Center
• Reporting features of WAF should be available for users to increase
security awareness and proactively address security weaknesses.
Internal projects
Just remember this, …