Dynamic Website Security (slide transcript; uploaded 2015-03-10)

Page 1
© 2008 IBM Corporation, Governance and Risk Management
Your Web and Applications: The Hacker’s New Target
Anthony Lim, MBA CISSP CSSLP FCITIL
Director, Security, Asia Pacific, Rational Software
Social Engineering in the Business World, July 9, 2009
Organized by:

Page 2
Prolog: The Security Journey Continues
• New, more, bigger, better … systems, applications, services
• -> New risks, new vulnerabilities, new hacking methods
• Viruses, worms, RATs, bots … (Remote Access Trojans = spyware)
• -> NEW: Governance & compliance! Data privacy, data leakage
(CEP Points!)

Page 3
Regulation & Compliance: Sarbanes-Oxley, HIPAA, Basel II …
• It is part of doing business: business continuity; an environment of TRUST
– for doing business
– ensure orderliness in the Internet world
– promote economic growth
• More than just Confidentiality, Integrity and Availability: privacy, 3rd-party customer data

Page 4
Governance and Compliance: it is illegal to steal and/or misuse data, including electronic data.

Page 5
It Gets Worse
• WAP, GPRS, EDGE, 3G
• 802.1x
• Broadband
A hacker no longer needs a big machine.

Page 6
The Security Equation Has Changed
• How businesses look at security has changed
– Security is now business driven, not technology driven
– Security is now defined through risk management and compliance disciplines instead of threat and technology disciplines
• The threat landscape has changed
– Traditional operating system and native client application security risks have become somewhat passé
– Client threats are now all about the browser environment
– Server threats are now all about web applications

Page 7
The Security Landscape of the Past
Traditional infrastructure was easier to protect . . .
• Concrete entities that were easy to understand
• Attack surface and vectors were very well-defined
• Application footprint very static
• Perimeter defense was king

Page 8
Changing Security Landscape of Today
“Webification” has changed everything ...
• Infrastructure is more abstract and less defined
• Everything needs a web interface
• Agents and heavy clients are no longer acceptable
• Traditional defenses no longer apply
Web Applications

Page 9
The Myth: “Our Site Is Safe”
• We have firewalls and IPS in place
– Ports 80 & 443 are open for the right reasons
• We audit it once a quarter with pen testers
– Applications are constantly changing
• We use network vulnerability scanners
– These neglect the security of the software on the network/web server
• We use SSL encryption
– It only protects data between site and user, not the web application itself

Page 10
SO WHY ARE THESE HAPPENING?

Pages 11 and 12: screenshots only (no text).

Page 13
May 7, 2009, CNet Tech News report: Hackers broke into FAA air traffic control systems

Page 14: screenshot only (no text).

Page 15
Reality: Security and Spending Are Unbalanced
• 75% of all attacks on information security are directed to the web application layer
• 2/3 of all web applications are vulnerable
(Source: Gartner)

Page 16
WHY DO HACKERS TODAY TARGET APPLICATIONS?
• Because they know you have firewalls
– So it’s not very convenient to attack the network anymore
– But they still want to attack, ’cos they still want to steal data …
• Because firewalls do not protect against app attacks!
– So the hackers are having a field day!
– Very few people are actively aware of application security issues
• Because web sites have a large footprint
– No need to worry anymore about cumbersome IP addresses
• Because they can!
– It is difficult or impossible to write a comprehensively robust application
• Developers are yet to have secure coding as second nature
• Developers think differently from hackers
• Cheap, fast, good: choose two, you can’t have it all
• It is also a nightmare to manually QA the application
• “White-box” static code analyzers don’t test for inter-app relationships
• Many companies today still do not have a software security QA policy or resource

Page 17
Top Hack Attacks Today Target Web Applications

Page 18
Web Application Hacks are a Business Issue

| Application Threat | Negative Impact | Potential Business Impact |
|---|---|---|
| Buffer overflow | Denial of Service (DoS) | Site unavailable; customers gone |
| Cookie poisoning | Session hijacking | Larceny, theft |
| Hidden fields | Site alteration | Illegal transactions |
| Debug options | Admin access | Unauthorized access, privacy liability, site compromised |
| Cross site scripting | Identity theft | Larceny, theft, customer mistrust |
| Stealth commanding | Access O/S and application | Access to non-public personal information, fraud, etc. |
| Parameter tampering | Fraud, data theft | Alter distributions and transfer accounts |
| Forceful browsing / SQL injection | Unauthorized site/data access | Read/write access to customer databases |

(Callout on the slide: misdirect customers to bogus site.)

Pages 19 to 22: screenshots only (no text).

Page 23
NOW WITH ANTI CROSS-SITE-SCRIPTING FILTER!
25-27 FEB 2009, GOLD COAST, AUSTRALIA

Page 24: screenshot only (no text).

Page 25
Now there’s Web “Man-in-the-Middle” Attacks
First presented at OWASP AP Conference, Mar 09, Brisbane

Page 26
Malware on Web Applications
• Malware can be delivered in many ways:
– E-mail, IM, network vulnerabilities…
• Today, malware is primarily delivered via web applications:
– Aims to infect those browsing the site
– Installed via client-side (e.g. browser) vulnerabilities & social engineering
• Malicious content can be downloaded:
– From the web application itself
– Through frames & images leading to other websites
– Through links leading to malicious destinations
• Legitimate sites hijacked to distribute malware!
– McAfee, Asus, US Govt Staff Travel Site, Wordpress.org, SuperBowl, …
Diagram labels: http://evil.org; http://host.com; <script src=file.js>; Image (host.com); IFrame (ads.com)
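The diagram makes the defender's point: a hijacked page on your own host can pull in frames, images and scripts from origins you never chose. One routine check is to parse each served page and list every include whose origin is neither the page's own nor a known third party (such as the ad network). The following is an added example, not code from the slides or from IBM; the sample page, the host names and the allow-list are constructed to match the diagram's labels.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute that names the fetched resource for each tag type we audit.
RESOURCE_ATTRS = {"script": "src", "iframe": "src", "frame": "src",
                  "img": "src", "embed": "src", "object": "data"}


class IncludeCollector(HTMLParser):
    """Collects (tag, absolute URL) for every resource the page pulls in."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.includes = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if value:
            # Relative references (e.g. src=file.js) resolve against the page itself.
            self.includes.append((tag, urljoin(self.page_url, value.strip())))


def origin_of(url):
    """scheme://host[:port], lower-cased; this is what the allow-list is keyed on."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def audit_includes(html, page_url, allowed_origins=()):
    """Return every include whose origin is neither the page's own origin
    nor on the allow-list of known third parties."""
    collector = IncludeCollector(page_url)
    collector.feed(html)
    allowed = {origin_of(page_url)} | {o.lower() for o in allowed_origins}
    return [(tag, url) for tag, url in collector.includes
            if origin_of(url) not in allowed]


# Constructed sample page modelled on the slide's diagram: a page on host.com
# with a same-origin script and image, an ad iframe, and an unexpected iframe
# pointing at evil.org (a zero-size frame is a common sign of injected content).
SAMPLE_PAGE = """
<html><body>
<script src=file.js></script>
<img src="http://host.com/logo.png">
<iframe src="http://ads.com/banner"></iframe>
<iframe src="http://evil.org/x" width="0" height="0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in audit_includes(SAMPLE_PAGE, "http://host.com/index.html",
                                   allowed_origins=["http://ads.com"]):
        print(f"unexpected {tag} include: {url}")
```

Run against a copy of a page fetched from production (or against each deploy artefact) and diff the output over time; a new origin appearing in the list is the signal the slide describes, whether it came from a compromised server or from an upstream widget that changed.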

Page 27
Real Example: Online Travel Reservation Portal
Change the reserID to 2001200

Page 28
Real Example: Parameter Tampering
Reading another user’s transaction: insufficient authorization
Another customer’s transaction slip is revealed, including the email address

Page 29
Parameter Tampering: Reading another user’s invoice
The same customer invoice, which reveals the address and contact number
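The portal example on these three slides is a missing object-level authorization check: the handler trusts the reserID in the request and returns whichever record it names. Below is an added illustration (not code from the slides or from the portal) of that flaw beside its fix, with a constructed in-memory reservation table; the function and field names are assumed for the example.

```python
import logging
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("authz")


@dataclass(frozen=True)
class Reservation:
    reser_id: int
    owner: str        # account that made the booking
    email: str
    address: str


# Constructed data: sequential reservation ids, like the reserID on the portal described.
RESERVATIONS = {
    2001199: Reservation(2001199, "alice", "alice@example.com", "1 First St"),
    2001200: Reservation(2001200, "bob", "bob@example.com", "2 Second Ave"),
}

# Denied cross-account reads, kept so they can be counted and alerted on: several
# in a row from one session is exactly the tampering pattern on the slides.
DENIALS = []


def get_reservation_vulnerable(session_user: str, reser_id: int) -> Optional[Reservation]:
    """The flaw on the slides: the record is looked up by the id taken from the
    request and whatever comes back is shown to the caller, so any logged-in
    user who edits reserID sees another customer's slip."""
    return RESERVATIONS.get(reser_id)


def get_reservation_fixed(session_user: str, reser_id: int) -> Optional[Reservation]:
    """Object-level authorization: the id alone is never trusted; the record must
    also belong to the session's user. Someone else's record is reported the same
    way as a non-existent one, so the caller learns nothing about the id space."""
    record = RESERVATIONS.get(reser_id)
    if record is None:
        return None
    if record.owner != session_user:
        DENIALS.append((session_user, reser_id))
        log.warning("denied read: user=%s reser_id=%d owner=%s",
                    session_user, reser_id, record.owner)
        return None
    return record


def render_slip(record: Optional[Reservation]) -> str:
    """What the transaction-slip page would show for a returned record."""
    if record is None:
        return "Reservation not found"
    return f"Reservation {record.reser_id}: {record.email}, {record.address}"


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # alice is logged in and changes reserID from her own 2001199 to 2001200
    print("vulnerable:", render_slip(get_reservation_vulnerable("alice", 2001200)))
    print("fixed:     ", render_slip(get_reservation_fixed("alice", 2001200)))
```

The fix scopes the lookup to the caller rather than adding a check after the fact, which is the shape that survives refactoring; in a real database the equivalent is a `WHERE owner = :user` predicate on every per-customer query. The denial log line is the detection side: a sequence of denied reads over adjacent ids from one session is worth an alert.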

Page 30
Chart: Attack Sophistication vs. Intruder Knowledge (x-axis: 1980, 1985, 1990, 1995, 2000, 2005, Today; y-axis: Low to High; series: Attack Sophistication, Intruder Knowledge, Tools)

Page 31
DON’T TRY THIS AT HOME!

Page 32
NEW GOOGLE CHROME WEB BROWSER

Pages 33 and 34: screenshots only (no text).

Page 35
GOOGLE CHROME – “VIEW PAGE SOURCE”

Page 36
WHY DO APPLICATION SECURITY PROBLEMS EXIST?
• IT security solutions and professionals are normally from the network / infrastructure / sysadmin side
– They usually have little or no experience in application development
– And developers typically don’t know or don’t care about security or networking
• Most companies today still do not have an application security QA policy or resource
– IT security staff are focused on other things and are swamped
• App sec is their job but they don’t understand it and don’t want to deal with it
• Developers think it’s not their job or problem to have security in coding
• People who outsource expect the 3rd party to security-QA for them
• It is currently cultural not to associate security with coding
– “Buffer overflow” has been around for 25 years!
– “Input validation” is still often overlooked.

Page 37
SECURITY TESTING IS PART OF SDLC QUALITY TESTING
Diagram: Collaborative Application Lifecycle Management on a team server (Manage Test Lab, Create Plan, Build Tests, Report Results); SDLC Quality Assurance with a Quality Dashboard covering Functional Testing, Performance Testing, Web Service Quality, Code Quality, Security and Compliance; Test Management and Execution; Open Lifecycle Service Integrations (Defect Management, Requirements Management, Best Practice Processes, homegrown); Open Platform (Java, System z, i, SAP, .NET).

Page 38
Building security & compliance into the SDLC – further back
Diagram labels: Build; Developers; SDLC; Coding, QA, Security, Production
• Enable Security to effectively drive remediation into development
• Provide Developers and Testers with expertise on detection and remediation ability
• Ensure vulnerabilities are addressed before applications are put into production

Page 39
You need a professional solution to identify vulnerabilities

Page 40
With rich report options: 44 regulatory compliance standards, for executives, security, developers.

Page 41
And most important: actionable fix recommendations

Page 42
THE NEED FOR SECURITY IN SOFTWARE DEVELOPMENT HAS COME OF AGE …
1. Secure Software Concepts
2. Secure Software Requirements
3. Secure Software Design
4. Secure Software Coding and Implementation
5. Secure Software Testing
6. Software Acceptance
7. Software Deployment, Operations, Maintenance and Disposal

Page 43
Conclusion: Application QA for Security
• The application must defend itself
– You cannot depend on firewall or infrastructure security to do so
• Bridging the GAP between software development and information security
• QA testing for security must now be integrated and strategic
• We need to move security QA testing back to earlier in the SDLC
– At the production or pre-production stage it is late and expensive to fix
– Developers need to learn to write code defensively and securely
• Lower compliance & security costs by:
– Ensuring security quality in the application up front
– Not having to do a lot of rework after production

Page 44
SDLC QA - YOUR LAST LINE OF DEFENSE

Page 45
Thank You
WEB APPLICATION SECURITY: YOUR LAST LINE OF DEFENSE
Anthony LIM, MBA CISSP CSSLP FCITIL