Security Fundamentals
Definitions
from The American Heritage® Dictionary of the English Language, 4th Edition
• Assets
• Threats
• Vulnerabilities
• Attack
• Risk
Assets
• Physical
– Computers
– Devices
– Equipment
• Information
– Intellectual Property
– Employee records
– Customer records
• Employees
• Customers
• Availability
• Integrity
• Confidentiality
• Perimeters
• Backups
• Hashes / Checksums
• Encryption
• Access Control
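The list above names hashes/checksums and encryption as mechanisms without saying what each actually protects. The following is an added example (not from the original slides or from OWASP) that makes the integrity point concrete: a plain checksum over a backup detects accidental corruption, but an attacker who can modify the backup can also recompute an unkeyed checksum, so only a keyed hash (HMAC) with a secret the attacker does not hold detects deliberate tampering. The backup contents and the key are constructed for the example; in practice the key would live outside the backup store.

```python
import hashlib
import hmac

# Constructed sample "backup" contents (not from the original page).
BACKUP = b"account=1234;balance=100.00\naccount=5678;balance=250.00\n"

# Assumption for the example: a secret known only to the verifier,
# stored away from the backup itself (e.g. in a KMS/HSM).
HMAC_KEY = b"example-key-do-not-use-in-production"


def checksum(data: bytes) -> str:
    """Plain SHA-256 checksum: detects accidental corruption only."""
    return hashlib.sha256(data).hexdigest()


def tag(data: bytes, key: bytes = HMAC_KEY) -> str:
    """Keyed HMAC-SHA256: detects corruption and deliberate tampering,
    because without the key an attacker cannot produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_checksum(data: bytes, expected: str) -> bool:
    # compare_digest avoids leaking the position of the first mismatch.
    return hmac.compare_digest(checksum(data), expected)


def verify_tag(data: bytes, expected: str, key: bytes = HMAC_KEY) -> bool:
    return hmac.compare_digest(tag(data, key), expected)


def tamper(data: bytes) -> bytes:
    """Simulate an attacker editing one record in the backup."""
    return data.replace(b"balance=100.00", b"balance=999999.00")


def attacker_recomputes_checksum(data: bytes) -> tuple[bytes, str]:
    """An attacker who can write the backup can also overwrite an unkeyed
    checksum file, so the modified backup still 'verifies'."""
    modified = tamper(data)
    return modified, checksum(modified)


def demo() -> dict:
    stored_sum = checksum(BACKUP)
    stored_tag = tag(BACKUP)

    # Case 1: a single bit flip in transit; both mechanisms catch it.
    corrupted = BACKUP[:10] + bytes([BACKUP[10] ^ 0x01]) + BACKUP[11:]
    corruption_caught_by_checksum = not verify_checksum(corrupted, stored_sum)
    corruption_caught_by_tag = not verify_tag(corrupted, stored_tag)

    # Case 2: deliberate edit plus re-computed checksum; only the HMAC catches it.
    modified, forged_sum = attacker_recomputes_checksum(BACKUP)
    tamper_caught_by_checksum = not verify_checksum(modified, forged_sum)
    tamper_caught_by_tag = not verify_tag(modified, stored_tag)

    return {
        "corruption_caught_by_checksum": corruption_caught_by_checksum,
        "corruption_caught_by_tag": corruption_caught_by_tag,
        "tamper_caught_by_checksum": tamper_caught_by_checksum,
        "tamper_caught_by_tag": tamper_caught_by_tag,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design point: a checksum is an integrity control against accidents, and becomes a security control only when the attacker cannot recompute it, which is what the key (or, equivalently, a digital signature) provides. Encryption alone does not give this property either; an encrypted backup can still be flipped or truncated without detection unless it is also authenticated.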
• Competitors
• Criminals
• Bot nets
• Organizations
• Insiders
• Customers
• Partners
• Skill set
• Sponsorship
• Access
• Time
• Bragging rights
• Revenge / vengeance
• Business Intelligence
• Extortion
• Exploitation
• Business processes
• Networks
• Data stores
• Software?
• Why?
• There is a LOT more code to review
• More people are writing the code, so overall systems knowledge is spread thinner
• Internet time means timelines are much tighter, so we have less time to think about problems
• With stiff competition there are no points for being second to market
OWASP
• The Open Web Application Security Project (OWASP) is a worldwide
free and open community focused on improving the security of
application software
• Referenced from www.owasp.org
Reference: www.owasp.org/index.php/Top_10_2007
Attack: The exploitation of a vulnerability by a threat to reach an asset.
[Diagram: threats, vulnerabilities and assets; an attacker reaches Financial Data through the firewall, proxy, web server and application server, with an IDS watching the path]
Risk analysis: The expected loss when a specific asset is compromised by a specific threat.
• Besides application security, there are two other types of security that need to be considered
• Infrastructure
• Focuses on the development and maintenance of a secure environment for code
• Strategic
• Focuses on the development and maintenance of the workflows, processes, and artifacts surrounding the production of code
• Information Characteristics
– Confidentiality
– Integrity
– Availability
• Information States
– Transmission
– Storage
– Processing
• Security Measures
– Technology
– Policies & Practices
– Human Factors
[Diagram: application exposure points: legacy app integration, web-facing applications, employee self-service, connectivity with partners and suppliers]
• Methods include
• Network and Host Firewalls
• Patch Management
Riches Bank
Once inside, the hackers compromised the bank’s authentication and access
control to send fraudulent market advisories. Analysts estimate the combined
monetary and reputational damage caused by this attack will approach 1 billion
dollars.
[Timeline slide, four animation builds collapsed into one: the victim receives a phishing email, activates the exploit, and logs in to the bank app; seeing nothing suspicious, logs out from the bank; later receives a "sell" message and sells all shares of HSR right away. Elapsed-time labels on the slide: + 6 hours, + 1 minute, + 2 hours.]
• OWASP
• Regulation
• Education
• Penetration testing
• Manual review
• Laws are passed that force companies to comply with certain measures of security
• International Organization for Standardization (ISO)
• Payment Card Industry (PCI)
• HIPAA
• Often the fines for not complying with such measures are small and not enforced
• Attempts at regulation often leave security specifications that are vague and fraught with uncertainty
• Although compliance passes, the organization is often left with a false sense of security, as the standards are often set too low
• Automated hacking tools try to perform automatic penetration testing, but they are
• Inaccurate, and
• Produce too many false positives and negatives
• Developers manually inspect the source code of the given solution for security vulnerabilities
• Extremely thorough, but still has a high false-negative rate
• Expensive and time consuming
• Automated scanning tools inspect source code for known security vulnerabilities
• Although not all analyzers are equally effective, they are relatively easy to deploy and execute
• Greatly reduce the probability of human error, which occurs in manual code reviews
• Provide thorough coverage of code
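To show what "inspect source code for known security vulnerabilities" means in practice, and where the false positives and false negatives mentioned for automated tools come from, here is an added example (not from the original slides or from OWASP): a minimal static analyzer built on Python's `ast` module that flags `eval()` and shell-command sinks fed runtime data. The sample source it scans is constructed for the example and contains three real flaws, one benign constant command that a naive rule flags, and one flaw hidden behind an alias that this simple analyzer cannot see. The helper names (`scan`, `score`, `Finding`) are this example's own, not a real tool's API.

```python
import ast
from dataclasses import dataclass

# Constructed sample source (not from the page): three real injection/eval flaws,
# one benign constant command, and one flaw hidden behind an alias.
SAMPLE_SOURCE = '''
import os, subprocess

def list_dir(path):
    os.system("ls " + path)            # line 5: true positive, user data in shell command

def show_version():
    os.system("uname -a")              # line 8: constant command, naive rule false positive

def run_query(expr):
    return eval(expr)                  # line 11: true positive, arbitrary code execution

def ping(host):
    subprocess.call("ping -c1 " + host, shell=True)   # line 14: true positive

def aliased(path):
    run = os.system                    # line 17: alias hides the sink
    run("ls " + path)                  # line 18: false negative for this analyzer
'''

# Ground truth for the constructed sample, used to measure the analyzer.
KNOWN_FLAWS = {5, 11, 14, 18}

# Calls that hand a string to a shell (os.* always; subprocess.* only with shell=True).
SHELL_SINKS = {"os.system", "os.popen", "subprocess.call", "subprocess.run", "subprocess.Popen"}


@dataclass
class Finding:
    line: int
    rule: str
    message: str


def _qualname(node: ast.AST) -> str:
    """Render a call target such as 'os.system' or 'eval' from the AST."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return f"{_qualname(node.value)}.{node.attr}"
    return ""


def _uses_shell(name: str, call: ast.Call) -> bool:
    if name in ("os.system", "os.popen"):
        return True
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
               for kw in call.keywords)


def scan(source: str, flag_constant_commands: bool = False) -> list[Finding]:
    """Pattern-match dangerous sinks. flag_constant_commands=True is the naive rule
    (every shell sink is reported); False is the tuned rule that skips literal commands,
    since a constant string carries no attacker-controlled data."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _qualname(node.func)
        if name == "eval":
            findings.append(Finding(node.lineno, "eval", "eval() on runtime data"))
        elif name in SHELL_SINKS and _uses_shell(name, node):
            arg_is_constant = bool(node.args) and isinstance(node.args[0], ast.Constant)
            if arg_is_constant and not flag_constant_commands:
                continue
            findings.append(Finding(node.lineno, "shell-injection",
                                    f"{name} with shell command built at runtime"))
    return sorted(findings, key=lambda f: f.line)


def score(findings: list[Finding], truth: set[int] = KNOWN_FLAWS) -> dict:
    """Compare reported lines with known flaw lines to count FP/FN."""
    reported = {f.line for f in findings}
    return {
        "true_positives": len(reported & truth),
        "false_positives": len(reported - truth),
        "false_negatives": len(truth - reported),
    }


if __name__ == "__main__":
    for label, kwargs in (("naive", {"flag_constant_commands": True}), ("tuned", {})):
        results = scan(SAMPLE_SOURCE, **kwargs)
        print(label, [(f.line, f.rule) for f in results], score(results))
```

The naive rule reports lines 5, 8, 11 and 14 (one false positive); the tuned rule drops line 8. Neither reports line 18, because the sink was assigned to a local name and this analyzer only matches call targets syntactically. That is exactly the gap a dataflow-aware commercial analyzer tries to close, and the reason the slides pair automated scanning with manual review rather than replacing it.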
• PCI 6.6
• For public-facing web applications, address new threats and vulnerabilities on an
ongoing basis and ensure these applications are protected against known attacks by
either of the following methods
• Reviewing public-facing web applications via manual or automated application
vulnerability security assessment tools or methods, at least annually and after any
changes
• Installing a web-application firewall in front of public-facing web applications
PCI 11.3
• Perform penetration testing at least once a year and after any significant
infrastructure or application upgrade or modification (such as an operating system
upgrade, a sub-network added to the environment, or a Web server added to the
environment). These penetration tests must include the following:
• Network-layer penetration tests
• Industry Consortium
• Publishes Top Ten Vulnerabilities and latest trends
• Referenced by PCI and other emerging standards