Скачать презентацию PROTECTING YOUR DATA FROM APPLICATION ATTACKS Ofer MAOR Скачать презентацию PROTECTING YOUR DATA FROM APPLICATION ATTACKS Ofer MAOR

0bd288cd9a0ec5e41cfe2f46d7bc0f11.ppt

  • Количество слайдов: 16

PROTECTING YOUR DATA FROM APPLICATION ATTACKS Ofer MAOR Application Performance Monitoring Infosec 2012 CTO PROTECTING YOUR DATA FROM APPLICATION ATTACKS Ofer MAOR Application Performance Monitoring Infosec 2012 CTO Infosec 2012 | 25/4/12

Introduction • Application Security vs. Data Security • Current Application Security Approach – Vulnerability Introduction • Application Security vs. Data Security • Current Application Security Approach – Vulnerability vs. Risk – Technique vs. Goal • Challenges of Existing Application Security Solutions • New Approach for Application Data Security Infosec 2012 | 25/4/12

About Myself • 16 years in information/application security (Over 10 years hands on penetration About Myself • 16 years in information/application security (Over 10 years hands on penetration testing) • Research, Development, Enhancement – Attack & Defense Techniques – WAF / App. Sec Testing Products • Regular Speaker in Security Conferences • OWASP Global Membership Committee & Chairman of OWASP Israel Infosec 2012 | 25/4/12

The Problem • • • Application Security – Goal or Mean? Importance of Protecting The Problem • • • Application Security – Goal or Mean? Importance of Protecting Persistent Data DB Security Solutions – Is It Enough? Influence of App Vulns on Data Security App. Sec As a Mean for Data Protection App. Sec As Integrate Part of R&D? Infosec 2012 | 25/4/12

Current Approach • Approach Too Technical • Focus on Technical Aspects – Examine it Current Approach • Approach Too Technical • Focus on Technical Aspects – Examine it from the vulnerability perspective – Focus on injections & technical problems – Analysis of code, rather than application – Ignoring application data • Focus on technology instead of risk • Hard to fit into the development lifecycle Infosec 2012 | 25/4/12

Too Many Vulnerabilities… Flow Bypassing URL Encoding Cross Site Request Forgery SQL Injection Buffer Too Many Vulnerabilities… Flow Bypassing URL Encoding Cross Site Request Forgery SQL Injection Buffer Overflow Session Hijacking LDAP Injection No Session Riding Session Fixation SSL Director Listing File Inclusion OS Commanding Directory Traversal Forceful Browsing Cookie Poisoning CRLF Injection Information Leakage Unauthenticated Access XPath Injection No User Lockout Cross Site Scripting Insecure Password Storage Misconfiguration Parameter Tampering Detailed Error Messages Insecure Redirect Hidden Field Manipulation HTTP Response Splitting Infosec 2012 | 25/4/12

Going Back to the Roots • Risk Based Approach • CIA – Confidentiality – Going Back to the Roots • Risk Based Approach • CIA – Confidentiality – Integrity (+ Non Repudiation) – Availability • Assess Application Vulnerabilities Based on Data Risk Infosec 2012 | 25/4/12

Data Oriented Approach • Taking a Data-Oriented Approach to Application Security Testing • Logical Data Oriented Approach • Taking a Data-Oriented Approach to Application Security Testing • Logical vs Technical • Business Impact • Level of Exploitability • Risk, Risk Infosec 2012 | 25/4/12

Example: Unauthorized Data Modification • The Attack is Data Modification • Can be performed Example: Unauthorized Data Modification • The Attack is Data Modification • Can be performed in various ways: – Parameter Tampering – Flow Bypassing – SQL Injection – Cross Site Scripting – Cross Site Request Forgery Infosec 2012 | 25/4/12

The Problem – Take II • Existing Solutions – Too Technical • No One The Problem – Take II • Existing Solutions – Too Technical • No One Used Data Oriented Approach – DAST (Scanners) • Analyze Request/Responses – No Data Access • Focused on Technical Vulnerabilities – SAST (Static Analyzers) • Only Static Code – No Data Access • Focused on Technical Vulnerabilities – Pentesters – Better, But Still Mostly Technical Infosec 2012 | 25/4/12

The Problem – Take II • Result – Low Security ROI – €€€ spent The Problem – Take II • Result – Low Security ROI – €€€ spent on solutions not focused on data risk – €€€ spent on professional services trying to sort through the thousands of results – €€€ spent on R&D hours of fixing unnecessary fixes • High Costs, Unfocused Efforts, Inefficient. Infosec 2012 | 25/4/12

The Solution: Data Centric Application Security • Analysis of Actual Data Handling in System The Solution: Data Centric Application Security • Analysis of Actual Data Handling in System • Automatic Data Classification – Sensitivity – Ownership – Accessibility – etc. • Identifying Vulns Which Pose Real Risk • Verification of Actual Risk Level Infosec 2012 | 25/4/12

Advantages • Focus on Real Vulnerabilities • Holistic Approach (Application, not Code) • Support Advantages • Focus on Real Vulnerabilities • Holistic Approach (Application, not Code) • Support for Business Transactions – Multi Tier, Multi Step Components, etc. • Identify Vulnerabilities Otherwise Unidentified • Identify Potential Data Breaches • Easy to Integrate into R&D Infosec 2012 | 25/4/12

The Data Centric Approach More REAL Vulnerabilities No IRRELEVANT Vulnerabilities Efficient, Practical, Focused Fits The Data Centric Approach More REAL Vulnerabilities No IRRELEVANT Vulnerabilities Efficient, Practical, Focused Fits R&D Security Program Provides High Security ROI Infosec 2012 | 25/4/12

About Quotium • New Generation Application Security • Data Oriented Approach • Utilizes new About Quotium • New Generation Application Security • Data Oriented Approach • Utilizes new Runtime Analysis Engine – Analysis of application data and code – Exploit verification to classify risk. • Intuitive & Easy to Use • Adaptive to the Development Process Infosec 2012 | 25/4/12

THANK YOU! QUESTIONS? Ofer Maor ofer@quotium. com Application Performance Monitoring Come Visit Us! Booth THANK YOU! QUESTIONS? Ofer Maor ofer@quotium. com Application Performance Monitoring Come Visit Us! Booth #F 51 Infosec 2012 | 25/4/12