SEEKER - Quotium


Transcript SEEKER - Quotium

Ofer Maor, CTO
Application Performance Monitoring
Infosec 2012 | 25/4/12
Introduction
• Application Security vs. Data Security
• Current Application Security Approach
– Vulnerability vs. Risk
– Technique vs. Goal
• Challenges of Existing Application Security Solutions
• New Approach for Application Data Security
About Myself
• 16 years in information/application security (over 10 years hands-on penetration testing)
• Research, Development, Enhancement
– Attack & Defense Techniques
– WAF / AppSec Testing Products
• Regular Speaker in Security Conferences
• OWASP Global Membership Committee & Chairman of OWASP Israel
The Problem
• Application Security – Goal or Means?
• Importance of Protecting Persistent Data
• DB Security Solutions – Is It Enough?
• Influence of App Vulns on Data Security
• AppSec As a Means for Data Protection
• AppSec As an Integral Part of R&D?
Current Approach
• Approach Too Technical
• Focus on Technical Aspects
– Examine it from the vulnerability perspective
– Focus on injections & technical problems
– Analysis of code, rather than application
– Ignoring application data
• Focus on technology instead of risk
• Hard to fit into the development lifecycle
Too Many Vulnerabilities…
• Flow Bypassing
• URL Encoding
• Cross Site Request Forgery
• SQL Injection
• Buffer Overflow
• Session Hijacking
• LDAP Injection
• No SSL
• Session Riding
• Directory Listing
• Session Fixation
• File Inclusion
• OS Commanding
• Directory Traversal
• Forceful Browsing
• Cookie Poisoning
• CRLF Injection
• Information Leakage
• Unauthenticated Access
• XPath Injection
• No User Lockout
• Cross Site Scripting
• Insecure Password Storage
• Misconfiguration
• Parameter Tampering
• Detailed Error Messages
• Insecure Redirect
• Hidden Field Manipulation
• HTTP Response Splitting
Going Back to the Roots
• Risk Based Approach
• CIA
– Confidentiality
– Integrity (+ Non Repudiation)
– Availability
• Assess Application Vulnerabilities Based on Data Risk
Data Oriented Approach
• Taking a Data-Oriented Approach to Application Security Testing
• Logical vs Technical
• Business Impact
• Level of Exploitability
• Risk, Risk, Risk
Example:
Unauthorized Data Modification
• The Attack is Data Modification
• Can be performed in various ways:
– Parameter Tampering
– Flow Bypassing
– SQL Injection
– Cross Site Scripting
– Cross Site Request Forgery
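The data-level view from the slide above, as an added example that is not part of the original talk or of the Seeker product: one unauthorized data modification reached through two of the listed techniques (parameter tampering and SQL injection), beside a handler that states the authorization on the data itself. The orders table, users and amounts are constructed sample data, and all function names are hypothetical.

```python
import sqlite3


def make_db():
    # Constructed sample data (not from the slides): two users, one order each.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner INTEGER, total REAL)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)", [(1, 1, 120.0), (2, 2, 45.0)])
    return db


def update_total_vulnerable(db, session_user, order_id, new_total):
    # Technique-level view: two distinct findings.
    #  - order_id comes from the client and is never tied to session_user
    #    (parameter tampering),
    #  - the statement is built by string formatting (SQL injection).
    # Data-level view: one risk, a caller modifying a row it does not own.
    db.execute(f"UPDATE orders SET total = {new_total} WHERE id = {order_id}")
    db.commit()


def update_total_hardened(db, session_user, order_id, new_total):
    # Authorization is stated on the data: the row must belong to the caller.
    # Bound parameters remove the injection; the owner predicate removes the
    # tampering, so the data risk is closed regardless of technique.
    cur = db.execute(
        "UPDATE orders SET total = ? WHERE id = ? AND owner = ?",
        (float(new_total), int(order_id), int(session_user)),
    )
    db.commit()
    if cur.rowcount == 0:
        raise PermissionError("order not found or not owned by caller")


def attempt_hardened(db, session_user, order_id, new_total):
    # True if the hardened handler applied the update, False if it refused.
    try:
        update_total_hardened(db, session_user, order_id, new_total)
        return True
    except PermissionError:
        return False


def get_total(db, order_id):
    return db.execute("SELECT total FROM orders WHERE id = ?", (order_id,)).fetchone()[0]
```

Classifying both handlers by the data they touch (a customer's order total) ranks them identically, which is the point the slide makes about technique versus goal.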
The Problem – Take II
• Existing Solutions – Too Technical
• No One Uses a Data-Oriented Approach
– DAST (Scanners)
• Analyze Requests/Responses – No Data Access
• Focused on Technical Vulnerabilities
– SAST (Static Analyzers)
• Only Static Code – No Data Access
• Focused on Technical Vulnerabilities
– Pentesters – Better, But Still Mostly Technical
The Problem – Take II
• Result – Low Security ROI
– €€€ spent on solutions not focused on data risk
– €€€ spent on professional services trying to sort through the thousands of results
– €€€ spent on R&D hours applying unnecessary fixes
• High Costs, Unfocused Efforts, Inefficient.
The Solution:
Data Centric Application Security
• Analysis of Actual Data Handling in System
• Automatic Data Classification
– Sensitivity
– Ownership
– Accessibility
– etc.
• Identifying Vulns Which Pose Real Risk
• Verification of Actual Risk Level
Advantages
• Focus on Real Vulnerabilities
• Holistic Approach (Application, not Code)
• Support for Business Transactions
– Multi Tier, Multi Step Components, etc.
• Identify Vulnerabilities Otherwise Unidentified
• Identify Potential Data Breaches
• Easy to Integrate into R&D
The Data Centric Approach
More REAL Vulnerabilities
No IRRELEVANT Vulnerabilities
Efficient, Practical, Focused
Fits R&D Security Program
Provides High Security ROI
About Quotium
• New Generation Application Security
• Data Oriented Approach
• Utilizes a New Runtime Analysis Engine
– Analysis of application data and code
– Exploit verification to classify risk.
• Intuitive & Easy to Use
• Adaptive to the Development Process
Ofer Maor
[email protected]
Application Performance Monitoring
Come Visit Us!
Booth #F51