Dealing with Web Application Security,
Regulation Style
Andrew Weidenhamer
11/10/2010
Agenda
•
•
•
•
•
Why do we need Web Application Security
How does PCI address Web Application
Security
 shortcomings
How does HIPAA, GLBA, and SOX address
Web Application Security
 shortcomings
How does FISMA address Web Application
Security
 shortcomings
What about other industries?
Why do we need Web
Application Security?
After being edged out in 2008 as the most-used path of
intrusion, web applications now reign supreme in both the
number of breaches and the amount of data compromised
through this vector. Both Verizon and USSS cases show the
same trend. Web applications have the rather unfortunate
calling to be public-facing, dynamic, user-friendly, and secure
all at the same time. Needless to say, it’s a tough job.
- Verizon 2010 Data Breach Statistics Report
The Problem
•
•
•
•
Custom coded web applications are very
common
 Visual Studio, WebSphere, Eclipse, etc.
are *almost* point and click solutions
 ASP.NET, Java, PHP allow for powerful
web applications with minimal coding
Custom Coded = Human Error
75% of all external attacks occur at the
application layer
90% of web applications are vulnerable
•
•
•
•
•
•
No Windows Update for web
based applications – multiple
technologies involved
Lack of awareness of
application developers,
application owners, architects,
system administrators, etc.
Security not embedded into the
software development lifecycle
Estimated 60+% of testing is
production systems
Lack of awareness of
vendors/third party software
companies
Lack of awareness for
outsourced developers
Why Web Security? I have a
Firewall and IDS
•
Am I Safe with a Firewall? Many companies are filtering
their Internet connection (Block
ALL except 80 & 443)

• What is vulnerable at the Web and
Application layer?
 Financial Data
 PHI (Medical)
 Privacy
Port 80/443 – Permits
access to the Web Server
and Web Applications
• Intrusion Detection
Systems? – DETECT
Signatures and DON’T work on
custom coded applications.
• What about anti-virus
software?– Code RED
exploited by virus/worm –
Attacked Microsoft IIS Web
Server
How does PCI address Web
Application Security?
Requirement 6
•
•
•
•
•
6.3 Develop software applications (internal and external, and
including web-based administrative access to applications) in
accordance with PCI DSS (for example, secure authentication and
logging), and based on industry best practices. Incorporate
information security throughout the software development life cycle.
6.3.1 Removal of custom application accounts, user IDs, and
passwords before applications become active or are released to
customers
6.3.2 Review of custom code prior to release to production or
customers in order to identify any potential coding vulnerability.
6.4.1 Separate development/test and production environments
6.4.2 Separation of duties between development/test and production
environments
Requirement 6 – Cont’d
•
6.5 Develop applications based on secure coding guidelines. Prevent
common coding vulnerabilities in software development processes, to
include the following:
 6.5.1 Injection flaws, particularly SQL injection. Also consider OS
Command Injection, LDAP and XPath injection flaws as well as
other injection flaws
 6.5.2 Buffer overflow
 6.5.3 Insecure cryptographic storage
 6.5.4 Insecure communications
 6.5.5 Improper error handling
 6.5.6 All “High” vulnerabilities identified in the vulnerability
identification process
 Cross-site scripting
 Improper Access Control
 Cross-site request forgery
Requirement 6 – Cont’d
•
6.6 For public-facing web applications, address new threats and
vulnerabilities on an ongoing basis and ensure these applications
are protected against known attacks by either of the following
methods:
 Reviewing public-facing web applications via manual or
automated application vulnerability security assessment tools
or methods, at least annually and after any changes
 Installing a web-application firewall in front of public-facing web
applications
•
•
•
•
•
•
•
Shortcomings
Why give the client a choice between code review
and web application firewall?
You can’t scan for the OWASP Top 10
OWASP Top 10 is dynamic
Only requires scanning and code reviews for
publically facing applications.
Most ASV scanners do very little at the web
application layer
External Penetration Assessments can be
performed by internal resources
Level 3 and 4 merchants
PROOF!!!
How does HIPAA, GLBA, and
SOX address Web Application
Security?
HIPAA – Access Controls
•
•
Analyze
workloads and
operations to
identify the access
needs of all users
• Develop
access control
policy
• Establish an
emergency
access
procedure
Analyze
workloads and
operations to
identify the
access needs of
all users
• Implement
access control
procedures
using selected
hardware and
software
• Ensure that all
system users
have been
assigned a
unique identifier
• Review and
update user
access
• Terminate
access if it
is no longer
needed
HIPAA – Audit Controls
• Determine the
systems or
activities that
will be tracked
or audited
• Develop
appropriate
standard
operating
procedures
• Select the tools that
will be deployed for
auditing and system
activity reviews
• Develop and
deploy the
Information
System Activity
Review/Audit
Policy
• Implement the
audit/system
activity review
process
HIPAA – Integrity
• Identify all users
who have been
authorized to
access ePHI
• Implement
procedures to
address these
requirements
• Identify any possible
unauthorized
sources that may be
able to intercept the
information and
modify it
• Develop the
integrity policy
and requirements
• Establish a
monitoring
process to
assess how the
implemented
process is
working
HIPAA – Person or Entity
Authentication
• Determine
authentication
applicability to current
systems/applications
• Evaluate
authentication
options available
• Select and
implement
authentication
option
HIPAA – Transmission Security
• Identify any
possible
unauthorized
sources that may
be able to
intercept and/or
modify the
information
• Develop a
transmission
security
policy
• Implement procedures for
transmitting ePHI using
Hardware/Software if
needed
What did we notice about
HIPAA?
Web application security is not specifically called
out in the HIPAA Security Rule, however:
• A risk analysis and risk assessment is
required
• Depending on the risk rating, entities may
need to ensure proper security controls are in
place for web applications associated with
electronic protected health information (ePHI)
Shortcomings
PROOF!!!
PROOF #2!!!
GLBA – Safeguards Rule
• Denoting at least one employee to manage
the safeguards
• Constructing a thorough risk management
on each department handling the nonpublic
information
• Develop, monitor, and test a program to
secure the information and,
• Change the safeguards as needed with
changes in how information is collected,
stored and used.
GLBA - Guidance
• Section 501(b) of GLBA requires Federal Financial
Institutions Examination Council (FFIEC) member
regulators to establish standards and guidelines
for complying with the GLBA Safeguards Rule
• Accordingly, the regulators created the
Interagency Guidelines Establishing Information
Security Standards and the IT Examination
Information Security Handbook
• Both the Guidelines and Handbook require web
application security if appropriate to the size and
complexity of the financial institution
GLBA – Guidance (cont’d)
G. APPLICATION SECURITY (IT EXAMINATION
INFORMATION SECURITY HANDBOOK)
1. Determine whether software storage, including
program source, object libraries, and load
modules, are appropriately secured against
unauthorized access.
2. Determine whether user input is validated
appropriately (e.g. character set, length, etc).
3. Determine whether appropriate message
authentication takes place.
4. Determine whether access to sensitive
information and processes require appropriate
authentication and verification of authorized use
before access is granted.
5. Determine whether re-establishment of any
session after interruption requires normal user
identification, authentication, and authorization.
6. Determine whether appropriate warning banners
are displayed when applications are accessed.
7. Determine whether appropriate logs are
maintained and available to support incident
detection and response efforts.
GLBA – Guidance (cont’d)
H. SOFTWARE DEVELOPMENT (IT EXAMINATION
INFORMATION SECURITY HANDBOOK)
1. Inquire about how security control requirements are
determined for software, whether internally developed
or acquired from a vendor.
2. Determine whether management explicitly follows a
recognized security standard development process,
or adheres to widely recognized industry standards.
3. Determine whether the group or individual
establishing security control requirements has
appropriate credentials, background, and/or training.
4. Inquire about the method used to test the newly developed or acquired
software for vulnerabilities. For manual source code reviews, inquire
about standards used, the capabilities of the reviewers, and the
results of the reviews. If source code reviews are not performed,
inquire about alternate actions taken to test the software for covert
channels, backdoors, and other security issues.
5. Evaluate the process used to ascertain software trustworthiness.
Include in the evaluation management’s consideration of the:
Development process
Establishment of security requirements
Establishment of acceptance criterion
Use of secure coding standards
Compliance with security requirements
Code development and testing processes
Restrictions on developer access to production source code
Physical security over developer work areas
Source code review
Quality and functionality of security patches
•
•
•
•
•
•
•
•
•
•
Shortcomings
VAGUE!!!!
PROOF!!!
SOX
• Most corporate financial records are accessed
and maintained in electronic formats that often
have Web-based components, there is a
significant correlation between this information
and Web applications.
• Section 404 requires companies have in place
appropriate, enterprise-wide controls to
protect the integrity of financial data as well as
the systems that access the data
SOX - Guidance
The development controls with a SOX perspective
include:
1) Documented policy and procedures
2) Developers/ IT managers are trained on the
procedures
3) Standard controls such as business owners
approve the design,
4) Development is carried over as per standards,
functional specifications
5) Separate test environment for development/ test/
production / test plans
6) Segregation of duties ( The developer who
created and cannot pass his own test, cannot
promote the code to production etc)
7) Business owner’s testing and approval
before changes/ app goes into production
8) Good Version Control Program to ensure
that older versions are kept available
9) Source Code is properly secured
10) Built in user access controls for
authentication and prevention of fraud.
Shortcomings
Virtually no controls around Security
How does Federal
Information Security
Management Act (FISMA)
address Web Application
Security?
•
•
•
•
FISMA
Requires each federal agency to develop, document,
and implement an agency-wide program to provide
information security for the information and
information systems that support the operations and
assets of the agency, including those provided or
managed by another agency, contractor, or other
source.
NIST 800-30 used to perform a risk analysis
NIST 800-53 controls will be required based on an
agencies data risk classifications.
NIST 800-53 control areas such as System and
Communications Protection are applicable to web
applications.
FISMA – System and
Information Integrity
• Security Assessments
• Vulnerability Scanning
• Policies and Procedures
• Information Input Validation
• Error Handling
• Information Output Handling and Retention
Shortcomings
Good..But not as prescriptive as PCI
What about other industries?
Privacy??
• Legal
• Manufacturing
• Retail
• Business Services
Thank you for your time!
QUESTIONS
ANSWERS
E: aweidenhamer@securestate.com