Virtualizing Application Security:
Testing Production Applications
Lars Ewe, CTO / VP of Engineering
www.cenzic.com | 1-866-4-CENZIC (1-866-423-6942)
[Diagram: Corporate Security. Client -> Internet -> Firewall -> IDS/IPS (Intrusion Detection and Prevention) -> Web Server, App Server, Database Server. Ports 443 & 80 still open. Timeline: Desktop and Content Security (1980s), Network Security (1990s), Application Security (2000s). Web app layer: 75% of hacker attacks occur here.]
Application Security Drivers
• 75% of cyber attacks & Internet security violations are generated through Internet applications. (Source: Gartner Group)
• 87% of Websites are vulnerable to attack. (Source: SearchSecurity – January 2009)
• Malware on legitimate Websites has doubled in 6 months. (Source: IT PRO – 2008)
• $6.6 Million is the average cost of a data breach. (Source: Ponemon Institute – January 2009)
• 400+ new vulnerabilities a month and growing.
The First Hacked Site
No One Wants To Be in the Press
• “Who is responsible when a hack occurs?”
• “False sense of security”
• “Concerns with finding all vulnerabilities”
• “Worried”
Corporate Application Environment
• 1000+ applications
• Mixture of internal & external applications
• Multiple BUs in multiple countries
• In-sourced & out-sourced resources
• Worldwide team with varying degrees of expertise and experience in Web app security
Getting Control Over Security
[Diagram: C-Level (“Will I get hacked?”) -> Information Security -> multiple Business Units, each with Dev and QA teams owning App 1, App 2, App 3. Environments: Pre-Production (Dev, QA, Staging) and Production.]
Web Application Security Optimization
Application Security is NOT a one-time event but a discipline over time!
Application Development Life Cycle
Design:
• Identify security issues up front
• Security training
• Identify security resources – people and tools
Build:
• Perform a risk analysis
• Automated test for vulnerabilities in Q.A.
• Benchmark against requirements
• Security training
Deploy:
• Automated test for vulnerabilities
• Ongoing updates
Operate:
• Continued testing for new vulnerabilities and for any production applications
• Test new code
• Ongoing updates
Dispose:
• Ensure that the disposed application doesn't have links or backdoors into active applications
The Application Challenge
• Lots of Web applications
• Most of them in production (80% or more)
• Fewer than 5% are being tested against hacker attacks, and then only once
People aren’t testing. Why?
• Fear of corrupting production apps
• Resource constrained
• Lack of security expertise
• Too many groups involved
[Diagram: over 1,000 Web Applications. Less than 20% in development or in QA stage (Dev, QA). About 80% are in production and deployed – ripe for hackers!]
Risks to Testing Production Applications
Risk | Damage | Likelihood
Corruption of key data | High | High
  Example: Spider/crawling of admin/privileged accounts (needed for Privilege Escalation SA). Solution: Avoid certain accounts and SmartAttacks.
Junk shared data | Low-High | High
  Example: 100 fake sales inquiries. Can be caused by nearly any assessment. Very difficult to avoid. Partial Solution: Gentle ramp of injection attacks & tools to enable blacklisting.
Junk non-shared data | Low | High
  Example: Junk data in my test account that affects only me.
Collateral damage | High | Medium
  Example: Passing along attacks/junk data to business partners. Damage/alerts to connected backend systems – potentially even at other companies.
Major loss of data | High | Low
  Example: Delete entire table in database. SQL Disclosure and Blind SQL SmartAttacks. Solution: Avoid these select attacks and strings.
System non-restartable | High | Very Low
  Example: Attack corrupts backend system configuration. Buffer Overflow, Format String and Application Exception & Spider of admin accounts. Partial Solution: Avoid these attacks.
System crash | Medium | Very Low
  Example: All users unable to access for 5 minutes. Buffer Overflow, Format String and Application Exception – or, almost any activity. Partial Solution: Avoid these attacks.
Undesired real transactions | Low-High | High
  Example: Actually buying a stock. Solution: Avoid by fake data or by blacklisting.
Disclosure of confidential data | High | Varies
  Example: Failure to use test data or to control access to assessment results.
IPS alarms / blockage | Low-Medium | Medium
  Example: Some group of users locked out for hours (based on IP address).
Account lockouts | Low | High
  Example: Test account locked out.
Disruptive load on system | Low | Low
  Example: System slow for all users until cause determined and attacks slowed. Solution: Can be avoided by throttling.
How Can You Best Test Production Apps?
• 80% or more of all the Web applications are actively deployed and in use
• Until recently, testing production applications for Web security could affect or corrupt the database and/or the application
• How can you continuously test your production environment to stay ahead of “the hacker curve”?
Options:
• Solution #1: Safe Attacks
• Solution #2: Moderate Attacks
• Solution #3: Unsafe Attacks
• Solution #4: Virtualization via VMware
Testing Production Apps Directly
[Chart: Depth (% checked for vulnerabilities, 0–100) vs. Breadth (# of production apps, 0 to 1,000+). Soln #1 Safe Attacks reaches the least depth, Soln #2 Moderate Attacks more, Soln #3 Unsafe Attacks the most.]
Alternative #4: Test Production Apps Using Virtualization
[Diagram: Development, Quality Assurance and Production environments each running Applications A, B, C. Each environment's applications are copied to Virtualized Applications; a snapshot of the Production Applications is assessed by Hailstorm Enterprise ARC (Automated Continuous Assessment).]
You can test your apps for Web security easily by taking a virtual snapshot of the apps.
Detailed continuous assessment results are provided as both a dashboard and an exportable report format.
Attaining Breadth & Depth in Web Application Security
[Chart: Depth (% checked for vulnerabilities, 0–100) vs. Breadth (# of apps, 0 to 1,000+). Safe Attacks on All Apps give broad coverage at low depth; Dev / QA Testing gives depth on few apps; Virtualized Application Testing gives both depth and breadth.]
Cenzic Hailstorm ARC Integrated With VMware Lab Manager
[Diagram: ARC, the VMware Managed Servers library, AEE and ESX hosts managed by VMware Lab Manager / Virtual Center.]
1. Enumerate Servers (from the library)
2. Prepare to test (ARC)
3. Request deploy
4. Deploy
5. Assess
6. Request undeploy
Two choices for virtualization:
• VMware Lab Manager
• VMware Virtual Center
Settings screen for VMware Lab Manager
• Applies to ARC deployment
Cenzic Provides Solution Choices
• Solution 1 – Virtualize all apps including production for testing (most value)
• Solution 2 – Virtualize QA and Dev for testing
• Solution 3 – Conduct safe attacks on production (least value)
[Diagram: Production (Solution 3 tested directly, Solution 1 virtualized) and Pre-Production: Dev, QA, Staging (Solutions 1 and 2 virtualized).]
Application Security Best Practices
[Chart: Risk (High to Low) vs. Application Security Posture (Reactive to Proactive). From highest risk / most reactive to lowest risk / most proactive: 1-time test in Dev / QA; Continuous testing in Dev / QA; 1-time test in Dev / QA / Prod (safe tests); Continuous testing across the entire SDLC.]
Questions?
Lars Ewe, CTO / VP of Engineering
www.cenzic.com | 1-866-4-CENZIC (1-866-423-6942)