
Virtualizing Application Security: Testing Production Applications

Lars Ewe, CTO / VP of Engineering


www.cenzic.com | 1-866-4-CENZIC (1-866-423-6942)
Corporate Security

[Diagram: Client -> Internet -> Firewall -> IDS/IPS (Intrusion Detection and Prevention) -> Web Server -> App Server -> Database Server. Ports 443 & 80 are still open through the firewall.]

[Timeline: Desktop and Content Security (1980s); Network Security (1990s); Application Security (2000s)]

Web app layer (ports 80, 443): 75% of hacker attacks occur here
Application Security Drivers

• 75% of cyber attacks & Internet security violations are generated through Internet applications.
  Source: Gartner Group
• 87% of Websites are vulnerable to attack.
  Source: SearchSecurity – January 2009
• Malware on legitimate Websites has doubled in 6 months.
  Source: IT PRO – 2008
• $6.6 Million is the average cost of a data breach.
  Source: Ponemon Institute – January 2009

400+ New Vulnerabilities a Month and Growing


The First Hacked Site
No One Wants To Be in the Press

“Who is responsible when a hack occurs?”
“False sense of Security”
“Concerns with finding all vulnerabilities”
“Worried”

Corporate Application Environment

• 1000+ applications
• Mixture of internal & external applications
• Multiple BU’s in multiple countries
• In-Sourced & Out-Sourced resources
• Worldwide team with varying degrees of expertise and experience in Web app security
Getting Control Over Security

[Diagram: C-Level (“Will I get Hacked?”) above Information Security, above several Business Units, each with its own Dev and QA teams and its own App 1, App 2 and App 3. The applications are split into Pre-Production (Dev, QA, Staging) and Production; Web Application Security Optimization spans both.]

Application Security is NOT a One Time Event but a Discipline Over Time!
Application Development Life Cycle

Design:
• Identify security issues up front
• Security training
• Identify security resources – people and tools

Build:
• Perform a risk analysis
• Automated test for vulnerabilities in Q.A.
• Benchmark against requirements
• Security training

Deploy:
• Automated test for vulnerabilities
• Ongoing updates
• Test new code

Operate:
• Continued testing for new vulnerabilities and for production applications
• Ongoing updates

Dispose:
• Ensure that the disposed application doesn't have any links or backdoors into active applications
The Application Challenge

• Lots of Web applications
• Most of them in production (80% or more)
• Fewer than 5% are being tested against hacker attacks, and then only once
• People aren’t testing. Why?
  • Fear of corrupting production apps
  • Resource constrained
  • Lack of security expertise
  • Too many groups involved

[Diagram: over 1,000 Web Applications; less than 20% are in development or in the QA stage (Dev, QA); about 80% are in production and deployed – “Ripe for Hackers!”]
Risks to Testing Production Applications

Risk | Damage | Likelihood | Notes
Corruption of key data | High | High | Example: Spider/crawling of admin/privileged accounts (needed for Privilege Escalation SA). Solution: Avoid certain accounts and SmartAttacks.
Junk shared data | Low-High | High | Example: 100 fake sales inquiries. Can be caused by nearly any assessment. Very difficult to avoid. Partial Solution: Gentle ramp of injection attacks & tools to enable blacklisting.
Junk non-shared data | Low | High | Example: Junk data in my test account that affects only me.
Collateral damage | High | Medium | Example: Passing along attacks/junk data to business partners. Damage/alerts to connected backend systems – potentially even at other companies.
Major loss of data | High | Low | Example: Delete entire table in database. SQL Disclosure and Blind SQL SmartAttacks. Solution: Avoid these select attacks and strings.
System non-re-startable | High | Very Low | Example: Attack corrupts backend system configuration. Buffer Overflow, Format String and Application Exception & Spider of admin accounts. Partial Solution: Avoid these attacks.
System crash | Medium | Very Low | Example: All users unable to access for 5 minutes. Buffer Overflow, Format String and Application Exception – or, almost any activity. Partial Solution: Avoid these attacks.
Undesired Real Transactions | Low-High | High | Example: Actually buying a stock. Solution: Avoid by fake data or by blacklisting.
Disclosure of confidential data | High | Varies | Example: Failure to use test data or to control access to assessment results.
IPS Alarms / Blockage | Low-Medium | Medium | Example: Some group of users locked out for hours (based on IP address).
Account Lockouts | Low | High | Example: Test account locked out.
Disruptive load on system | Low | Low | Example: System slow for all users until cause determined and attacks slowed. Solution: Can be avoided by throttling.
How Can You Best Test Production Apps?

• 80% or more of all the Web applications are actively deployed and in use
• Until recently, testing production applications for Web security could affect or corrupt the database and/or the application
• How can you continuously test your production environment to stay ahead of “the hacker curve”?

Solution #1: Safe Attacks
Solution #2: Moderate Attacks
Solution #3: Unsafe Attacks
Solution #4: Virtualization via VMware
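As an added example (not Cenzic's or Hailstorm's code), the policy gate below encodes the risk table and the four solutions: only safe attack classes run against live production, privileged accounts and transaction endpoints are blacklisted, requests are throttled and ramped gently, and the full attack set is reserved for a virtualized snapshot. The attack class names, their tier membership, the environment names and the send() callback are assumptions for illustration.

```python
# Added example, not Cenzic's code: a scan-policy gate built from the risk
# table. Attack names, tier membership and environment names are assumptions.
import time
from dataclasses import dataclass, field
SAFE = {"header_check", "info_disclosure", "xss_reflected"}            # Solution #1
MODERATE = {"sqli_error_based", "xss_stored", "csrf"}                   # Solution #2
UNSAFE = {"blind_sqli", "buffer_overflow", "format_string", "app_exception",
          "admin_spider"}                                  # Solution #3: crash/data-loss risk
TIER_BY_ENV = {
    "production": SAFE,                            # only safe attacks on live apps
    "staging": SAFE | MODERATE,
    "virtual_snapshot": SAFE | MODERATE | UNSAFE,  # Solution #4: full depth on a copy
}
@dataclass
class ScanPolicy:
    environment: str
    blocked_paths: set = field(default_factory=set)     # real transactions, shared junk data
    blocked_accounts: set = field(default_factory=set)  # admin/privileged accounts
    min_interval: float = 0.0                           # throttle against disruptive load

    def allows_attack(self, attack: str) -> bool:
        return attack in TIER_BY_ENV.get(self.environment, set())

    def allows_target(self, path: str, account: str) -> bool:
        if account in self.blocked_accounts:
            return False
        return not any(path.startswith(p) for p in self.blocked_paths)
def plan_scan(policy, attacks, targets):
    """Split (attack, path, account) work items into allowed and skipped lists."""
    allowed, skipped = [], []
    for attack in attacks:
        for path, account in targets:
            item = (attack, path, account)
            ok = policy.allows_attack(attack) and policy.allows_target(path, account)
            (allowed if ok else skipped).append(item)
    return allowed, skipped
def run_ramped(policy, items, send, start=1, factor=2):
    """Send items in batches that grow by `factor` (the table's "gentle ramp"),
    throttled by policy.min_interval; stop as soon as send() reports an error."""
    sent, size, pos = [], start, 0
    while pos < len(items):
        for item in items[pos:pos + size]:
            if not send(item):          # send() returns False on a 5xx / exception
                return sent
            sent.append(item)
            time.sleep(policy.min_interval)
        pos += size
        size *= factor
    return sent
```

Anything that ends up in the skipped list for production is exactly the work that belongs on the virtualized snapshot instead.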
Testing Production Apps Directly

[Chart for production apps: Depth (% checked for vulnerabilities, 0 to 100) vs. Breadth (# of apps, 0 to 1,000+). Soln #1 Safe Attacks gives the least depth, Soln #2 Moderate Attacks more, Soln #3 Unsafe Attacks the most.]
Alternative #4: Test Production Apps Using Virtualization

[Diagram: Applications A, B and C exist in Development, Quality Assurance and Production. Each production application is copied into a set of Virtualized Production Applications (a snapshot of production applications A, B, C), which Cenzic Hailstorm Enterprise ARC assesses through automated continuous assessment.]

You can test your apps for Web security easily by taking a virtual snapshot of the apps.

Detailed continuous assessment results are provided as both a dashboard and an exportable report format.
Attaining Breadth & Depth in Web Application Security

[Chart: Depth (% checked for vulnerabilities, 0 to 100) vs. Breadth (# of apps, 0 to 1,000+). Safe Attacks on All Apps give breadth at low depth; Dev / QA Testing adds depth on fewer apps; Virtualized Application Testing sits highest on the depth axis.]
Cenzic Hailstorm ARC integrated With VMware LabManager

[Diagram: ARC on one side and the VMware-managed servers (library, ESX hosts, AEE) on the other, with the numbered steps flowing between them.]

1. Enumerate Servers (library)
2. Prepare to test (ARC)
3. Request deploy
4. Deploy
5. Assess (AEE)
6. Request undeploy
VMware Lab Manager / Virtual Center

• Two choices for virtualization
  • VMware Lab Manager
  • VMware Virtual Center
• Settings screen for VMware Lab Manager
  • Applies to ARC deployment
Cenzic Provides Solution Choices

• Solution 1 – Virtualize all apps including production for testing (most value)
• Solution 2 – Virtualize QA and Dev for testing
• Solution 3 – Conduct safe attacks on production (least value)

[Diagram: Production and Pre-Production (Dev, QA, Staging), labelled with the solution numbers 1, 2 and 3.]
Application Security Best Practices

[Chart: Risk (High to Low) vs. Application Security Posture (Reactive to Proactive). From highest risk / most reactive to lowest risk / most proactive: 1 time test Dev / QA; 1 time test Dev / QA / Prod (Safe Tests); Continuous testing Dev / QA; Continuous Testing Entire SDLC.]


Questions?
Lars Ewe, CTO / VP of Engineering
www.cenzic.com | 1-866-4-CENZIC (1-866-423-6942)
