Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

Web Application Security Strategies --OWASP Taiwan 2008

Yen-Ming ChenDirector of Consulting, NorthwestFoundstone, A Division of McAfee

Yen-Ming.Chen@Foundstone.Com

OWASP

Agenda

Security Problems and StatisticsAnalysisStrategic PlanningConclusion

2

OWASP

Yen-Ming Chen

Director of Consulting, Northwest.Joined Foundstone in 2000 4 Contributing authorships: HE 3rd edition, HE of Web App, Win XP professional Security and HackNote Web securityDozens of articles in SecurityFocus, DevX, SysAdmin, PCWeek, CNET Taiwan, ITHome and other mediasInvited speaker for world wide security conferencesMSIN from C.M.U. Information Networking Institute (1999)

OWASP

SECURITY PROBLEMS

Thus do many calculations lead to victory, and few calculations to defeat

4

OWASP

Current Status

Security MaturityAttack Target ShiftSecurity EcosystemSQL InjectionWhy You Still Can’t Rely on Automated Tools

5

OWASP

Information Security Maturity: 1996

OWASP

Information Security Maturity: 2000

OWASP

Information Security Maturity: 2004

OWASP

Information Security Maturity: 2008

OWASP

Attack Target Shift

From server to application; from corporate network to every user.

10

OWASP

Google Search Trend

11

OWASP

Hacking Evolved

OWASP

Security EcoSystem

Government

Corporate/Organization The Bad Guys

General Public

Attack

Attack

AttackReg

ulate

Monitor/Catch

Reg

ulat

e Monitor

Monitor/Sell

Monitor

Monito

r/Sell

OWASP

SQL Injection

RFP (Rain Forest Puppy) identified the problem in Phrack 54 (December 1998)

http://www.phrack.org/issues.html?issue=54&id=8#articleIn 2005, Cardsystem lost 40 million credit card infoIn 2008, an automated mass attack of 500,000 (estimated) web servers

Yes, using SQL Injection! Exploits of a mom (http://xkcd.com/327/):

14

OWASP

Why You Still Can’t Rely on Automated Tools?

North Carolina News 13Web-based “closings” ticker for schools/businesses

Submit info Human approval Stack messages

http://tinyurl.com/pwpec

OWASP

This is What You See…

OWASP

UAL vs. Google

An old article about UAL's 2002 bankruptcy-court filing resurfaced Sep 8, 2008 as an apparently fresh report on Google's news service. Stock in the parent company of United Airlines quickly dropped to $3 a share from nearly $12.50 before the Nasdaq Stock Market halted trading and UAL issued a statement denying any fresh Chapter 11 filing.UAL's stock price ended Tuesday's session at $10.60, ...

OWASP

UAL vs. Google

18

$1.1 Billion market value disappeared in a few hours!!!

OWASP

Some Survey Data

OWASP

McGraw Touchpoint Secure SDLC

OWASP

Microsoft SDL

21

OWASP

Where are things going?

Penetration testing is still how a lot of companies are going to assess their security

Frameworks/libraries/etc are going to make shooting yourself in the foot harder (xss, SQLi, etc)

“Silver Bullet” devices/technologies are always going to be around

SDL is starting to show proven results

OWASP 23

OWASP

What’s Next?

Security research is chasing after new technologiesNew vulns on different products will happen dailyBetter accuracies from security productsSlower to see new paradigm shift

Integrate security into your daily lifeCorporate M&ANeed better management on executionNew technologies to make it harder to make unsecure web applications

Learn from other fieldsKnowledge Discovery, Data Mining & Information RetrievalBiology, Physics, Social Science and others

24

OWASP

WEB APPLICATION SECURITY

Whoever is first in the field and awaits the coming of the enemy, will be fresh for the fight

25

OWASP

2007-2008 Analysis

Collected 77 Applications in 5 industriesPicked 27 out of them and did further studyArranged findings based on

Foundstone Security Framework, Overall risk level and Root cause in SDLC phases

26

OWASP

Foundstone Security Framework

27

OWASP

Financial Services – 15 Apps

28

OWASP

Healthcare – 12 Apps

29

OWASP

Insurance – 27 Apps

30

OWASP

Retail – 17 Apps

31

OWASP

Utility – 6 Apps

32

OWASP

27 Applications

13 on Unix; 13 on Windows; 1 on NovellTotal 421 findings

33

OWASP

Findings by Framework and Risk Level

34

OWASP

High and Medium Risk Findings

35

OWASP

Findings by Percentage

36

OWASP

Findings by SDLC Phases

37

OWASP

White Box vs. Black Box

OWASP

10 Things To Secure Your Web App

AuthenticationPassword policy

Reset password function, history, complexity and account lockout

AuthorizationRole/privilege mapping and enforcementWorkflow/business logic authorization enforcement

Data ValidationDo your validation on the server-side both on output and input!

Session ManagementUse random session ID and maintain the state on server-side. Do not depend on any state information on the client

Data ProtectionProtect your important data in storage and transitChoose your data protection solution wisely

Configuration ManagementSecure server configuration and patch it well!

Exception ManagementHandle all exception and return generic error messages

Logging and AuditingWhat to log and how/when to audit?

39

OWASP

STRATEGIC PLANNING

If you know the enemy and know yourself, you need not fear the result of a hundred battles

40

OWASP

Six Sigma Tactical Steps

Define MeasureAnalyzeImproveControl

OWASP

What is Process Sigma?

Defects per Unit and Opportunities

3.4 defects per 1 million opportunities is Six Sigma

Number of Defects

Number of units × Number of opps.

× 1,000,000

OWASP

Balanced Scorecard

43

OWASP

Methodology

44

Root Cause

Analysis

Root Cause

Analysis

Solution Mappin

g

Solution Mappin

g

Strategic

Planning

Strategic

Planning

OWASP

Solution

45

OWASP

Capability

46

OWASP

Action Items

47

OWASP

CONCLUSIONIn order to carry out an attack, we must have means available

48

OWASP

Summary

We reviewed:Current security statusWeb application security statisticsStrategic planning to keep your web application secure

Security is an on-going process that also requires people and technology to play important roles.

49

OWASP

No Silver Bullets or Easy Button!

OWASP

If Toyota Builds Your Web Applications…

Modularization, Automation and Just-In-TimeReduce cost, maintain highest customer satisfactionImplementation phase will be automated and modularizedDevelopers won’t be able to use any insecure implementation techniquesWeb applications will be stick to the known best practice with high quality in security. When there is a serious flaw there will be a recall.

51

Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

Thank You

Yen-Ming ChenDirector of Consulting,Foundstone, A Division of McAfeeYen-ming.chen@foundstone.com

52