WIXLIB

Application SecurityJune 2018Risk Advisory

Cyber Risk Managed Services Application Security2

Application SecurityContentsCyber Risk Managed Services – Application Security4A Comprehensive Security Solution for Applications5Application Security – Lifecycle Approach6Securing Applications – At Every Stage7Application Security – A New Horizon8RASP Betters Traditional WAF Protection9What does a Managed Security Programbring to the table?10Managed Security Service Capabilities13Related Services12Contacts143

Application SecurityCyber Risk ManagedServices – ApplicationSecurityEvery organization reaches out to itsconsumers by all possible mediums. Thisincludes Web and Mobile applications.However, most have inadequately securedtheir applications, leading to cyber attackswe experience every day.A fresh approachGiven the complexity of today’senvironment, the traditional approachof securing applications in silos is not aneffective way of handling security. There isa need for a much more radical approachwhich should be robust, scalable, and ableto connect with dynamics of application.Selecting the right tool sets that caneffectively identify the vulnerabilities is animportant component of this approach,along with skilled resources who havethe expertise to interpret and providesolutions.Managing risk – Where to begin?Many organizations fail to prioritizeapplication security, leaving theirentire environment at risk. With largeorganizations managing thousands ofapplications, it is prudent to adopt a riskbased application security management.To begin with, we need to adopt aframework that covers the following – Build an application inventory Identify business criticality and its impact Identify and prioritize vulnerabilities Action plan on remediation4Today’s ChallengesApplications are easy targets“Internet facing applications are theeasiest to attack; the latest trenddepicts the same.”Complexity and volume ofapplications“Today’s business deals with largevolumes in terms of size andcomplexity of applications.”Inherent vulnerabilities and gaps“Inherent gaps in the codingstandards adopted coupled withvolume of applications create a hugechallenge.”Risk Identi cation and Prioritization“These are dependent on the toolsused, skill set of resources, andmaturity of managing applicationvulnerabilities.”Regulatory and Compliancerequirements“Every business is bound byregulatory compliance requirementssuch as SOX, PCI DSS, and HIPAA.”

Application SecurityA Comprehensive SecuritySolution for ApplicationsSecuring applications is a multi-faceted activity that needs a thorough understandingof the application behavior and its various functionalities. More than half of all breachesinvolve web applications—yet less than 10% of organizations ensure all critical applicationsare reviewed for security before and during production.Stage 1: Protection during design anddevelopmentStage 3: Protection at productionenvironmentStatic Code Analysis (SAST)Dynamic Application Security Testing(DAST) Apart from protecting the applicationsfrom external attacks, it is essential tolook at the application’s software build todetect errors and defects. Static code analysis should be done earlyin the development lifecycle and alsocontinuously used throughout the life ofthe application. Dynamic application security testing(DAST) helps identify securityvulnerability in an application in itsrunning state. It mimics real-world hacking techniquesand attacks and provides comprehensivedynamic analysis of complex webapplications and services.Stage 2: Protection during preproductionStage 4: Protection on-the-goInteractive Application SecurityTesting (IAST)Runtime Application Self-Protection(RASP) Interactive Application Security Testingcombines the strengths of SAST andDAST and performs a behavioralassessment. RASP enables applications to protectthemselves against attack in run-time It leverages information from inside therunning application, including runtimerequests, data / control flow to findvulnerabilities accurately. It overcomes the shortcomings oflegacy protection systems such as WebApplication Firewalls (WAF), IntrusionProtection, and Detection Systems (IPS/IDS).5

Application SecurityApplication Security –Lifecycle Approachcreating multiple layers of defence forapplication protectionWith applications and softwaredevelopment getting complex by the day,we can no longer look at securing it byutilizing a single solution. We need to lookat different phases of lifecycle that anapplication undergoes to build a solutionthat covers the entire gamut of applicationsecurity. Helps in performing in-depth analysisof threats and vulnerabilities which arebeing exploited at an application level Enables early identification ofvulnerabilities and thereby reduces theattack vector of an applicationAdvantage of lifecyle approach Reduces overall cost of securingapplications by effectively leveragingprotection mechanisms during the entireapplication development process Covers end-to-end phases of anapplication build that includes design,development, production, and run-time Provides an integrated solution therebyuoContinu s A s s e s sm eRSe untimlfPreot Apecptio licWn at ieb( R onASRe ApP)a l p li cT i atm ioe nStaAp4plic a1nCo(S deAS ReT)viewCodingritynyritcuti veTe Aps t p liin cag( I A t io nST Se)icATe ppstlin icatg(D ionA S SeT)cuacPr plico d atioterm23ApInnaWebWebPr Appe- licPr ato d ionProtection atevery stage ofSDLCDylator y CommplianceRegu6t iot icRemediationB e n c h m a r k in gnt

Application SecuritySecuring Applications –At Every StageSecurity should be embedded in everyphase of application development toprovide protection in its true sense. Toaccomplish this, we need to understandthe complete lifecycle of applicationdevelopment and incorporate security bestpractices that connects with its individualstages.Multi-faceted ApproachAny application development starts bygathering the requirement and performanalysis followed by design, code,testing, and deployment into productionenvironment and finally provides ongoingmaintenance support. To look at thislifecycle holistically, we need to incorporatesecurity at strategic phases that will helpidentify gaps and vulnerabilities early onand also provide layered protection. Application Testing phase needsadequate protection to the application.Interactive Application SecurityTesting (IAST) provides the necessaryinformation that helps the developer tomake the security-related modificationswhile the application is being built. Application in production environmentis what the world sees. Adding security atthis phase is a must as it provides insightto the visibility that the attacker is likelyto have. Run-time protection is the ongoingmechanism to safeguard the applicationfrom external attacks. It is imperativeas any leakage of sensitive data leadsto financial loss and negatively impactsbrand value. Application design and developmentis where it all begins to materializeand provide shape to an application.It is important to adopt secure codingpractice to build a secure application.Static code review will help achieve theobjective of identifying and mitigating thevulnerabilities at code level.7

Application SecurityApplication Security –A New HorizonProtection on-the-goThe protection capabilities of thetraditional perimeter devices such asWeb Application Firewall (WAF), IntrusionPrevention/Detection Systems (IPS/IDS) canbe insufficient, because they lack insightinto application logic and configuration.Run-time Application Self Protection(RASP) operates within the application,developing application context and usingthat to provide accurate attack visibilityand blocking without accidentally stoppinglegitimate request that looks similar to anattack.Prevention of attacksHow does RASP work?Key Benefits RASP embeds security into the runningapplication where it resides on the server.It then intercepts all calls to the system toensure they are secure. Out-of-the-box protection viapreconfigured vulnerability detectionrules RASP can be applied to Web and nonweb applications and doesn't affect theapplication design. Safeguards applications by effectivelyleveraging protection mechanisms duringthe entire application developmentprocess Blocks Zero Day attacks such asShellshock Major OWASP top 10 vulnerabilitiessuch as SQL Injection, Cross Site Scripting(XSS), Path Traversal Block automated attacks with botblocker technology that automaticallyblocks malicious bots Virtual patching prevents vulnerabilitiesfrom being exploited until they can bepermanently remediated Continuous security monitoring ofactual attacks and protection againstvulnerabilities Real-time analysis of application logicand data flows to see threats invisible tonetwork security Accurately distinguish between an actualattack and a legitimate request Integrated monitoring capabilitieswith Deloitte’s Managed Threat andVulnerability Management Services8

Application SecurityRASP Betters TraditionalWAF ProtectionLimitations of Web Application Firewall(WAF)Web Application Firewall were once toutedto be the most intelligent defence layersitting at the perimeter. It has becomeirrelevant in the current scenario as WAFhas a major drawback – the inablility tounderstand application behavior. Thisleads to easy bypass of WAF protectionand the attackers are able to exploit theapplication residing behind the WAF layerwith ease. Organizations have understoodthis serious limitation of WAF and are nowbeginning to migrate to RASP which offersapplication intelligence and thereby does abetter job.To help you understand more, here is thecomparative study between RASP and WAFServices -CriteriaDeloitte’s RuntimeApplication Self Protection(RASP) ServiceWeb Application Firewall(WAF) DeploymentsAccuracyDetection of malicious inputonly when passed to librarycalls where exploitation wouldoccur. Monitors inbound andoutbound data and logic flowsDetection is based on naïvepattern matching, withoutconsidering whether the inputdata would be passed tovulnerable codeTime to ValueNo need to know locationsof existing vulnerabilities inapplication code; can actas a virtual patch against avulnerabilityRequires extensive testing andconfigration to adequately coverthe application. It also involvesfine tuningReliabilityWill not fail open underhigh load–code is alwaysinstrumented, regardless ofservers loadSingle point of failure; likelyto fail open under high load,leaving the web applicationvulnerablePlatformsAny instrumented applicationAll types of Web applicattionVisibilityProvides detailed feedbackto developers to show how toremediate code vulnerabilitiesOffers no detailed insight intothe applicationNetworkProtocolsProtocol agnostic; handles HTTP,HTTPS, AJAX, SQL and SOAPwith equal easeMust be able to understad theapplication’s netwotk languagetypeMaintenanceAutomatically understandschanges to the applicationCan gain application contextthrough training only9