Rapid7 - PowerPoint PPT Presentation
Slides: 22
Provided by: piafl

Transcript and Presenter's Notes

1
Rapid7
  • David Precopio
  • VP Product Management

"Web applications continue to be the most
exploited area because most applications cannot
adequately protect sensitive data." (InfoSecurity
Priorities 2008)
2
What You Will Learn Today
  • Security Maturity Model
  • How and why Security Managers should scan Web
    Applications and all their moving parts
  • Targeted attacks are increasing and they cost
    companies millions
  • Why vulnerability management is imperative
  • Web 2.0
  • Do not rely on developers
  • Rapid7 NeXpose

3
Business Drivers
  • Maintain availability of revenue generating and
    customer facing Web Applications
  • Ensure corporate and customer data such as credit
    card, social security numbers and account
    information is secure from exploits
  • Adhere to compliance issues like Sarbanes-Oxley,
    HIPAA, and PCI

4
The Center of Attention
  • IT security administrators are responsible for
    protecting their networks and everything that
    runs on them, including Web and Web 2.0
    applications
  • When there is a breach or an exploit, the
    security team (or person) becomes the center of
    attention
  • In 2007 alone, security breaches cost United
    States companies over 4 billion

5
Security Maturity Model
6
Network and Application Levels Merging
  • Vulnerability management has focused on the
    network or operating system level
  • Such analysis has included the use of traditional
    manual penetration testing as well as automated
    security testing tools (from both proprietary and
    open sources).
  • Trends are leaning towards merging the ability to
    scan for network vulnerabilities and
    application-level vulnerabilities
  • The current trend is to merge the capabilities of
    network scanners with the toolkits for the web
    application security space

Four of the top five vulnerabilities are found
in Web Applications
7
Web Application Vulnerabilities
8
Do Not Rely On Developers For Security
  • Intense time-to-market pressure
  • Developers have to rush to deliver an application
    which means that security considerations are
    often ignored.
  • Even if developers have a web scanner tool, if
    they don't have time to run it properly and
    regularly every time the application code is
    modified, it will provide little to no value.
  • In-house applications are subjected to less
    scrutiny and QA than "shrink-wrap" software
    because the software isn't sold as a product
  • Web applications tend to be tested on developers'
    workstations and/or staging servers
  • Production testing by developers almost never
    happens because production application servers
    tend to be managed by the IT team and not the
    development team

9
Web Scanners
  • The Good
    • Created for developers to scan single
      applications
  • The Bad
    • Limited scanning: Web scanners only scan the Web
      Application. Web Applications have many moving
      parts including network devices, databases,
      operating systems and third-party applications
      and data stores
  • The Ugly
    • Unable to recognize and parse Web 2.0
      functionality: when tested in multiple lab
      scenarios, Web scanners failed to recognize AJAX,
      Flash, Flex and other Web 2.0 technologies
    • High level of false positives: false positives
      can be difficult for all security professionals to
      identify. They can cause difficulties by
      weakening the credibility of the security team
      with application developers

10
Web 2.0
Hackers Start Young
11
Web 2.0 - three categories
  • Technology consisting of the infrastructure of
    the Web and the concept of Web platforms.
    Examples of specific technologies include AJAX,
    ASP, Flash, Flex and .NET
  • Social networks - communities and individuals
    share content through wikis and other
    collaborative content models.
  • Business process - Web services-enabled business
    models that include a Web site or Web application
    that combines content from more than one source

12
How AJAX Works
13
How is AJAX Vulnerable?
  • DOM-based XSS
    • The DOM is the interface which allows you to
      program and manipulate the contents of a web
      page or document
  • Multiple scattered end points and hidden calls
    • Scattered end points make it tough for
      developers to handle and tend to induce sloppy
      coding
    • Potential Ajax calls are scattered all over the
      browser page and can be invoked by their
      respective events.
  • Validation confusion
    • Web 2.0 applications use bridges, mashups, feeds,
      etc. In many cases it is assumed that the other
      party has implemented validation and this
      confusion leads to neither party implementing
      proper validation control.

14
More Vulnerabilities
  • Data serialization
    • Browsers can invoke an Ajax call and perform data
      serialization.
    • If any of these serialization blocks can be
      intercepted and manipulated, the browser can be
      forced to execute malicious scripts
  • Dynamic script construction and execution
    • Ajax opens up a backend channel and fetches
      information from the server and passes it to the
      DOM.
    • The consequence of not validating content or of
      making an insecure call can range from a session
      compromise to the execution of malicious content.
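As an added example (not from the Rapid7 deck), the two AJAX failure modes named on slides 13 and 14, each beside a hardened form: a response deserialized with eval() versus JSON.parse() plus shape validation on the receiving side, and server data inserted into the page unescaped versus escaped. The response strings, field names and allowed roles are constructed for the illustration; it runs under Node with no DOM.

```javascript
// Constructed sample responses, as an XMLHttpRequest callback might receive them.
const GOOD_RESPONSE = '{"user":"alice","role":"viewer"}';
// Constructed: a response altered in transit (or by a careless mashup/bridge
// partner) that is valid JavaScript but not valid JSON.
const TAMPERED_RESPONSE =
  '(globalThis.tampered = true, {"user":"alice","role":"admin"})';

// "Dynamic script construction": turning response text into an object with
// eval(). Whatever the server (or anyone between it and the browser) sent is
// executed as code, not merely parsed as data.
function deserializeUnsafe(text) {
  return eval('(' + text + ')');
}

// Hardened: JSON.parse accepts only the JSON grammar and never runs code, and
// the result is checked against the shape this page expects. This is the
// "validation confusion" point: validate on your own side regardless of what
// the other party is assumed to do. (Allowed roles are a constructed example.)
const ALLOWED_ROLES = new Set(['viewer', 'editor']);
function deserializeSafe(text) {
  const obj = JSON.parse(text); // throws on anything that is not JSON
  if (typeof obj !== 'object' || obj === null) throw new Error('not an object');
  if (typeof obj.user !== 'string' || !/^[a-z0-9_]{1,32}$/.test(obj.user)) {
    throw new Error('bad user');
  }
  if (!ALLOWED_ROLES.has(obj.role)) throw new Error('bad role');
  return { user: obj.user, role: obj.role }; // copy only the known fields
}

// DOM-based XSS: markup built from response data and pushed in via innerHTML
// is parsed as HTML, so a value such as "<script>" becomes active content.
function renderUserRowUnsafe(profile) {
  return '<tr><td>' + profile.user + '</td><td>' + profile.role + '</td></tr>';
}

// Hardened: escape every interpolated value (in a real browser, prefer
// textContent / createTextNode over string-built HTML altogether).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}
function renderUserRow(profile) {
  return '<tr><td>' + escapeHtml(profile.user) + '</td><td>' +
    escapeHtml(profile.role) + '</td></tr>';
}
```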

15
(No Transcript)
16
Unified Vulnerability Management
17
Multi-Layer Scanning
NeXpose
18
Securing Web Applications
(Diagram: the layers of a Web application to secure: Client/Browser, Server, Web page, OS, Database, 3rd party)
19
Rapid7 and Web Applications
  • Browser-based scanning - Web and Web 2.0
    Applications are made for users, so scanners need
    to scan web applications from the user perspective
  • Web 2.0 Applications Scanning - AJAX, JavaScript,
    Flash, Flex, ActionScript, ASP.NET 2.0 (Atlas)
    and .NET
  • End-to-end Web application security scans from
    the browser to the database, including
    third-party applications and data stores
  • Vulnerability pass-through scanning - detects
    more vulnerabilities than traditional web
    scanners; NeXpose detects and remediates
    vulnerabilities that lie under the surface.

20
Things to Remember
  • Where are you in the Security Maturity Model
  • Security Managers should scan Web Applications
    and all their moving parts
  • Targeted attacks are increasing and they cost
    companies millions
  • Vulnerability management is imperative
  • Web 2.0
  • Do not rely on developers
  • Let Rapid7 NeXpose help you!!
  • www.rapid7.com

21
(No Transcript)