Application Security Lessons from the Pro’s How leading US online banks secured their applications Software isn’t complete unless its secure Rob Rachwald August 2007
Download ReportTranscript Application Security Lessons from the Pro’s How leading US online banks secured their applications Software isn’t complete unless its secure Rob Rachwald August 2007
Application Security Lessons from the Pro’s How leading US online banks secured their applications Software isn’t complete unless its secure Rob Rachwald August 2007 Wii Olympics & Free Beer (Boxing and Tennis) Fortify & Watchfire Tonight: 5 PM Maryland Room B & C Prizes include Wii iPod Shuffles Evidence Strong Growth Total online banking customers at the top 10 online banks surpasses Internet growth with 44M users. Less Hacking Only 8% top of US banks reported external hacks against their systems yet 2006 was the worst year for web application hacking in history. (Gartner 2007) New Forms of Attacks Required 60% of banks report suffering from phishing attacks— security burden is on authentication and fraud detection. (Gartner 2007) Weaker Banks Targeted Hackers are targeting smaller banks with few resources with hacking and phishing schemes. (Gartner 2007) Better Perception 68 percent of respondents believe that their financial institutions’ websites are more secure. (Comscore Networks, April 2007) (Comscore Networks, April 2007) Banking Online is Safer than Banking Offline? Around 75% of Fraud is Offline Less than 15% of Fraud is Online Can You Trust Your Mom? Can You Trust Your Mom? I want your password The Hackers “Oceans 1100” Followers (thousands and growing) Hacker Economics “The potential gain from even one successful computer intrusion makes [hacking] an attractive, relatively lowrisk option… and the risk to sensitive information on US computer systems will increase.” —US Defense Security Service, 2007 Defensive Economics “If the bear continues biting you long after you assume a defensive posture, it likely is a predatory attack. Fight back vigorously.” Online Banking Defensive Economics Don’t Run Fast, Just Faster Complex Code Applications addressing Personal banking Retirement accounts Stocks Loans Credit cards Lots more BIG: Online banking apps often 10 million lines of code Lots of Java and .NET Large attack surface Hundreds of applications Thousands of entry points Other Top Hacks Cross-Site Scripting Biggest avenue for phishing. SQL Injection Large attack surface and obtaining bits of customer data are critical in executing attacks. Privilege Escalation Horizontal or vertical escalations are especially pernicious. Authentication and fraud detection technologies are critical. OWASP Top 10 They never go out of style. The Software Security Problem "Since most security for Web applications can be implemented by a system administrator, application developers need not pay attention to the details of securing the application…" – BEA WebLogic Server Security Documentation Stage 1: Reactionary Code Developed Description Unit Tests Functional Tests Production Mature SDLC for delivering functional requirements. Security=cryptography, authentication systems, etc. Obstacles Security knew production would get hacked successfully—had a difficult time getting executive mindshare. Approach Security and Incident Response teams conduct emergency meetings with developers, sys admins, and executives to create a tactical solution to solve the immediate threat. Cost Most expensive security solution Loss of revenue from system downtime Damage to brand Unscheduled development time Stage 2: Apply band aids Code Developed Unit Tests Functional Tests Pen Test Production Description Put in mitigating solutions before the hackers succeed. Obstacles Pen testing did add value, but was it enough (the badness-ometer)? Is there a clear indication of risk exposure? Is the application fundamentally more secure? Solving the illness or just treating the symptoms? Where is the application broken? How many areas are truly at risk? Approach Security and Incident Response teams conduct pen tests, executives paying attention, but not fully involved. Cost Still reactive and very expensive Constantly putting out fires Pagers going off constantly at 2 AM Low team morale Stage 3: Beyond the badness-ometer Code Developed Description Obstacles Approach Cost Unit Tests Code Reviews Functional Tests Pen Test Production Manual code reviews to look for problems. Finds useful issues, but doesn’t scale. Incomplete coverage Miss complex issues Developers finally given exact areas within the code base to fix and provided an opportunity to remediate the root cause of the vulnerabilities. Implement a gate model, secure strong executive support Expensive, still had to put out fires, but much more manageable Reduced the amount of vulnerabilities discovered by pen testing Stage 4: Teach a Man to Fish Functional Tests Code Developed Static Analysis Description Continued to produce vulnerabilities, only catching them earlier. Not sustainable. Obstacles Education needed: fewer bugs are produced by smarter developers. Introduced training focused on developing software securely This differs from training on developing security software Developers embraced the knowledge and rarely produced the same errors. Approach Moved the software scanning earlier in the development cycle. Cost Still expensive because still producing vulnerabilities. Unit Tests Code Reviews Pen Test Production Stage 5: Homo securus Devs Trained Code Developed Static Analysis Unit Tests Code Reviews Pen & Functional Production Description The target SDLC was a self-sustaining system with C-level executive support. Approach Security team moves on to: Oversee the secure SDLC process Conduct periodic reviews Perform in-depth, detailed analysis of projects No longer distracted by “low-hanging fruit” issues Cost Zero S1 vulnerabilities in the system. Overhead from application security significantly reduced Challenges Remain New Web 2.0, SOA=Same problems all over again Hacker sophistication continues to rise, especially phishing attacks Keeping developer mindshare Ensuring 3rd party code is secure (remember BEA?) Lessons Security requires executive initiative Security is a programming problem Security is a process: Define a Secure Development Lifecycle (SDL) and implement it Don’t forget the whitepaper Rob Rachwald [email protected] (650) 213-5683 Fortify Within the Secure Software Lifecycle Fortify Manager Central reporting and management of software security across the enterprise Fortify SCA Fortify SCA Dev Security Ops Team Fortify Defender Management Developers Proactive security with targeted, accurate analysis tuned for low false positives Monitors and measures web applications in production FPR Security Testers Fortify Tracer Makes every black box security test measurable and actionable Fortify Tracer & Watchfire AppScan Thorough black box application security testing Fortify SCA Build Server Analyzes code comprehensively and accurately Security Leads / Auditors Wii Olympics & Free Beer (Boxing and Tennis) Fortify & Watchfire Tonight: 5 PM Maryland Room B & C Prizes include Wii iPod Shuffles Thanks Software isn’t complete unless its secure