中国IDC产业年度大典---OWASP-China-keynote-2010--下

Copyright©2010ForresterResearch.Inc应用安全:IT’STheWaveOfTheFutureChenxiWang,Ph.D.VicePresident&PrincipalAnalystForresterResearchInc.OWASPChinaSummit2010Copyright©2010ForresterResearch.Inc2Whatweneedisthis…已部署的应用(Production)开发(SDLC)•Usemore编程工具(staticanalysis)和应用测试工具(fuzzing)•综合的(Integrated)编程工具和扫描•Morewidelydeploy应用层防火墙Copyright©2010ForresterResearch.Inc2011prediction:应用安全编程工具销售额会迅速增长Copyright©2010ForresterResearch.IncTwoproblemsremainWedon’tknowthesecurityqualityofthecode外包,开源软件“Ourprogrammakes$8000/minute.Thereisnowaywe’dtakeitdownto纠正漏洞”Legacy软件Copyright©2010ForresterResearch.Inc5SoftwareDevelopmentTodayYOURCOMPANYSoftwareApplication开源软件内部开发软件外包软件商业软件(3rdparty)CodeObligationsCopyright©2010ForresterResearch.Inc6外包和开源软件的安全性能•2009Veracode-Forresterstudy–50%的公司不测试开源软件–62%的公司不测试外包软件•Veracode2010stateofsoftwarestudy–“开源软件的安全性能总的来说不比内部开发软件更高”Copyright©2010ForresterResearch.IncWhatyouneedtodowith外包,开源,商业软件•Perform严格的测试•测试开源(e.g.,Blackduck,Palamida)•测试外包和商业软件–第三方二进制码测试(e.g.,Veracode,HP/Fortify)–应用层扫描–侵入测试Copyright©2010ForresterResearch.Inc案例分析:外包和商业软件漏洞管理•巴克莱银行:(总部伦敦,营业额180亿英镑)–要求在采购前应用供应商必须经过巴克莱银行认可的第三方应用扫描–供应商必须获得A以上评级方可签署合同•Colonialbank:价值240亿的金融服务企业，拥有320个分行–最早部署网络银行的机构之一–将大量Web应用开发外包–注重使用应用扫描技术验证外包开发应用的安全性–成功地防止了主要的安全事故•美国银行业的应用安全策略–许多银行要求供应商提供的应用必须通过银行认可的第三方的扫描和认证–同时在企业内部持续应用自动的应用安全扫描Copyright©2010ForresterResearch.Inc9Webapplicationfirewall(WAF)consideredimportant•Webapplicationfirewall–可保持服务器免受攻击–对终端用户的可用性–Performvirtualpatching–确保进出数据中心的流量不受危害严重性Copyright©2010ForresterResearch.IncToday’ssoftwaresecuritytechnologies•技术很复杂–“6monthstostabilizeastaticanalysisproductonasinglecodeproject“–CISOofalargefinancialfirm•WAFtechnologiesarenotquiteplug-n-play•综合的编程和扫描工具仍不存在•可创新的空间很大!Copyright©2010ForresterResearch.Inc11ApplicationsecurityremainsnearthebottomofITspendingForevery$1spentonapplicationsecurity,~$10arespentoninfrastructuresecurityIt’sagrowthfield!Copyright©2010ForresterResearch.Inc12Buildyour应用安全的成熟模型•Mature,end-to-endSDLCprogram•Centralizedmanagementoftheprogram•Systematictraining•Clearlydefinedsuccessmetrics•Establishedself-evaluationprocess•Predominatelyreactivemeasures:fixvulnerabilitiesifexploited•LittleSDLCcapabilities•Adhocandmanualsecuritytesting被动(纯反应)•Systematicsecuritytestingforselectiveprojects•Establishedsecurecodingguidelines•Adhocdeveloper/testertraining卓越中心•Standardizedapplicationsecurityprocessthroughout•EstablishedSDLCpractice•Integratedremediationprocesses•Internalcompliancepoliciesestablished主动熟练Copyright©2010ForresterResearch.Inc从被动防御到主动保护,应用安全是关键-Intodevelopmentprocess-Deploysecurerun-timemechanisms推广应用安全需要community&developertraining-GetinvolvedwithOWASP!SummaryCopyright©2010ForresterResearch.Inc14Applicationsecuritywillbethefocusofenterprisesecurityinthenext5years