中国IDC产业年度大典---OWASP-China-keynote-2010--上

Copyright©2010ForresterResearch.Inc应用安全:IT’STheWaveOfTheFutureChenxiWang,Ph.D.VicePresident&PrincipalAnalystForresterResearchInc.OWASPChinaSummit2010Copyright©2010ForresterResearch.Inc2Forrester:Market/TechnologyAnalystFirm•VicePresident&PrincipalAnalyst•Coveringapplicationsecurity,cloudsecurity,andcontentsecurity•FormerlyAssociateProfessoratCarnegieMellonUniversityCopyright©2010ForresterResearch.Inc应用安全•2010:92%的黑客入侵事故利用网络应用层漏洞**VerizonBusinessdatabreachreport2010AttachvectorbypercentofbreacheswithinhackingCopyright©2010ForresterResearch.Inc44Web2.0和移动应用加重了严重性•Web2.0应用更复杂–AJAX–Clientsidestates–Softwaremashups•移动应用进展迅速Copyright©2010ForresterResearch.Inc趋势:从边界防御到应用和数据安全EndpointProtectionFirewallsServerandSystemSecurityemail802.11WebP2P•由防火墙和防病毒产品构成的传统安全体系不能满足新的安全需求•应用安全和数据安全thenewfrontier3GCopyright©2010ForresterResearch.Inc6应用安全overview已部署的应用(Production)开发(SDLC)•威胁(Threat)modeling•应用层扫描(blackboxanalysis)•编程工具(staticanalysis)•应用测试工具(securitytesting,fuzzing)$600M+市场应用层防火墙(webapplicationfirewall)应用层扫描(blackboxanalysis)侵入测试(Penetrationtesting)•培训•咨询服务Copyright©2010ForresterResearch.IncForresterTechRadar™:ApplicationSecurity,Q3‘09July2009“TechRadar™ForSRMProfessionals:ApplicationSecurity,Q32009”侵入测试,应用层扫描arethemostpopularCopyright©2010ForresterResearch.Inc8应用扫描实例ANOMALYsentGET%x%n%s%s%s%s%s%s%s%s%sHTTP/1.1Accept:image/gif,image/x-xbitmap,image/jpeg,*/*Accept-Encoding:gzip,deflateAccept-Language:en-usConnection:Keep-AliveHTTP/1.1500InternalServerName:DanEllis,SSN:174623459Name:DanielEsten,SSN:134864567GMTServer:Content-Length:-1Content-Type:;charset=Connection:ANOMALOUSresponse•以上例子为一次典型输入验证错误攻击，并成功提取了机密数据(姓名和社会保障号SSN)Copyright©2010ForresterResearch.Inc9应用安全和PCI•支付卡行业(PCI)对于应用安全有着严格要求–PCIDS6.6•Forrester估计数据breach花费–每一个账号:$300•花旗银行有200million账号,每年应用安全花费$2million–It’sabigsaving!Copyright©2010ForresterResearch.Inc10网络应用安全主要覆盖风险•跨站脚本(CrossSiteScripting)•SQL注入(Injection)•输入验证的错误(Inputvalidationerrors)•缓冲区溢出(BufferOverflows)•会话攻击(SessionAttacks)•伪造跨站点请求(cross-requestforgery)•等等Copyright©2010ForresterResearch.Inc11案例分析:标准渣打银行网络漏洞管理•标准渣打银行(SCB)，全球6万名员工–非常复杂的网络环境，覆盖超过50个国家，包括多种平台和应用•网络扫描提供了准确的网络拓扑和资产清单–检测出超过一千个未被防火墙和IDS发现的漏洞•SCB迅速地按照优先级顺序进行纠正，并指导其更新和补丁管理流程•扫描也被用于监督服务和产品供应商遵循银行安全标准Copyright©2010ForresterResearch.Inc1212应用安全challenges已部署的应用(Production)开发(SDLC)•编程工具(staticanalysis)•应用测试工具(securitytesting,fuzzing)应用层扫描(blackboxanalysis)侵入测试(Penetrationtesting)应用层防火墙(webapplicationfirewall)Copyright©2010ForresterResearch.Inc这意味着…•应用层扫描和编程结合不紧•软件开发者不断生产出有漏洞的sofware•逐个纠正的代价maybehigh•OneCISOofabig银行–“应用层扫描给我们的软件开发组带来空前的麻烦:我们花很多时间追查应用层扫描报告的漏洞”Copyright©2010ForresterResearch.Inc纠正漏洞有不同的代价•Alargenetworkequipmentvendor–$30,000perdefectinthefield–$3,000duringunittest–$500duringdevelopment051015202530DevelopmentIntegrationAudit/testProductionCostfordefectfixesSource:NIST30x