Qualys Blog

www.qualys.com

Case Study: Cisco Group Bakes Security into Web App Dev Process

“To know what is right and not do it is the worst cowardice.”

That phrase was uttered by Confucius 2,500 years ago, but reflects the spirit behind a recent revamp of a Cisco web app development process that made it more effective and secure.

“This is important as we talk about the secure software development lifecycle, because we weren’t doing what we needed to do, even though we knew what was right,” said Robert Martin, security engineer in Cisco’s Government Trust and Technology Services group.

In a nutshell, the process had fallen into a vicious cycle that pleased no one: Little communication between developers and security pros, combined with late vulnerability scans, yielded buggy software that had to be belatedly fixed, leading to missed deployment deadlines.

“We were making the same mistakes over and over again, and we weren’t making any corrections,” Martin said.

Sound familiar? This is a scenario in which countless organizations have found themselves. After years of using a linear, siloed model for creating and releasing software, organizations discover that this approach doesn’t work well in the era of rapid, agile web development and deployment.

To the credit of Martin and his group, they did something about this, instead of simply plodding along and settling for the status quo.


Add Pen Testing to Web App Scanning for More Security

While organizations increasingly adopt web applications to work and conduct business online, they often struggle to keep those applications secure and to protect critical business and customer data. Recent studies confirm that attackers are increasingly targeting web applications to breach organizations' defenses: the Verizon 2012 Data Breach Investigations Report indicates that for large organizations, 54% of the hacking vectors in the investigated breaches were associated with web applications. As the problem has grown, so has the difficulty of hiring and retaining the highly skilled security professionals needed to ensure an organization has identified all the vulnerabilities that may be present in its mission-critical web applications.

Some of this pressure has been absorbed by the emergence of highly automated web application vulnerability scanners such as QualysGuard WAS. These scanners assess web applications automatically, reducing the need for trained security professionals while providing broad detection coverage of many of the most significant web application vulnerabilities, such as those in the Open Web Application Security Project (OWASP) Top 10, including Injection and Cross-Site Scripting (XSS). Automated scanning for these vulnerability classes is fast and accurate because the scanner is very good at injecting specific attack payloads and then checking for a specific signal in the application's response, such as an echoed script tag or a database error message. In the vast majority of cases the scanner can determine from the response alone whether the application is vulnerable. Automated scanning is far more scalable and cost effective for finding these vulnerabilities than using trained security personnel, and it can therefore also be used for continuous monitoring.

For high-risk applications, however, automated scanning may not be sufficient. A number of web application vulnerabilities and business logic flaws can only be reliably identified by a trained security professional. Access control testing is one example. It is very difficult, if not impossible, for an automated scanner to identify when an application is vulnerable to vertical or horizontal privilege escalation, because the application's response to an unauthorized request usually looks exactly like its response to an authorized one: a 200 status and well-formed content. Only someone who knows which user is supposed to reach which function or record can tell the two apart. Vertical privilege escalation (or privilege elevation) allows a user whose role has lower privileges to reach functionality that should be reserved for roles with higher privileges; an attacker who exploits such a flaw has effectively moved up the privilege hierarchy.

An example is an ordinary web commerce user who gains administrative access and lowers prices on the web store. Horizontal privilege escalation is when a user can access or act on data belonging to another user in the same role. In this case the user has not gained any additional functionality but has acted on data that should not have been accessible. An example would be a web commerce user who reaches another customer's account and orders products to be shipped to an address of his or her choice. Automated testing for these flaws is difficult and tends to produce an unreasonable number of false positives, since the scanner has no way to distinguish a record the current user is entitled to from one he or she is not. The only effective way to test for them is to use trained web application security testers.
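The two flaws described above, reduced to a toy web-store backend, as an added example that is not code from the Qualys post or from iViZ. It shows the vertical flaw (a price-setting function with no role check) and the horizontal flaw (an order-reshipping function that trusts the order id and never compares the owner) beside hardened versions, plus the replay check a tester actually performs with two accounts of the same role. The users, orders, prices, handler names and the 404/403 choices are assumptions made for this illustration, and it also shows why a scanner has no oracle here: the legitimate request gets the identical successful response from the flawed and the fixed handler.

```python
"""Added example, not code from the Qualys or iViZ post: an in-memory web store
with the two access-control flaws from the text beside their fixes, and the
checks a tester uses to find them. All users, orders, prices and handler
names are assumptions made for this illustration."""

from dataclasses import dataclass, field

ROLE_RANK = {"customer": 1, "admin": 2}


@dataclass
class User:
    name: str
    role: str


@dataclass
class Order:
    order_id: int
    owner: str
    ship_to: str


@dataclass
class Store:
    prices: dict = field(default_factory=lambda: {"laptop": 1200.0})
    orders: dict = field(default_factory=dict)

    # Vulnerable handlers: the caller is authenticated but never authorised.
    def set_price_vulnerable(self, caller: User, item: str, price: float) -> dict:
        self.prices[item] = price                      # vertical: no role check at all
        return {"status": 200, "item": item, "price": price}

    def reship_order_vulnerable(self, caller: User, order_id: int, addr: str) -> dict:
        order = self.orders[order_id]                  # horizontal: owner never compared
        order.ship_to = addr
        return {"status": 200, "order_id": order_id, "ship_to": addr}

    # Hardened handlers: same interface, authorisation enforced server side.
    def set_price(self, caller: User, item: str, price: float) -> dict:
        if ROLE_RANK.get(caller.role, 0) < ROLE_RANK["admin"]:
            return {"status": 403, "error": "admin role required"}
        self.prices[item] = price
        return {"status": 200, "item": item, "price": price}

    def reship_order(self, caller: User, order_id: int, addr: str) -> dict:
        order = self.orders.get(order_id)
        if order is None or order.owner != caller.name:
            # Same answer for "not yours" and "no such order", so ids cannot be enumerated.
            return {"status": 404, "error": "order not found"}
        order.ship_to = addr
        return {"status": 200, "order_id": order_id, "ship_to": addr}


def new_store() -> Store:
    """Constructed sample state: two customers, one order each."""
    store = Store()
    store.orders[1001] = Order(1001, "alice", "1 Alice St")
    store.orders[1002] = Order(1002, "bob", "2 Bob Rd")
    return store


def horizontal_check(store: Store, handler) -> bool:
    """Tester's replay check: a request captured as alice is resent as bob.
    True means bob was able to change alice's order (vulnerable)."""
    alice, bob = User("alice", "customer"), User("bob", "customer")
    handler(store, alice, 1001, "1 Alice St")          # legitimate baseline request
    handler(store, bob, 1001, "99 Attacker Ln")        # same request, different session
    return store.orders[1001].ship_to == "99 Attacker Ln"


def vertical_check(store: Store, handler) -> bool:
    """Call an admin-only function as a plain customer; True if it took effect."""
    mallory = User("mallory", "customer")
    handler(store, mallory, "laptop", 1.0)
    return store.prices["laptop"] == 1.0


def scanner_cannot_tell() -> bool:
    """The legitimate request gets identical 200 responses from the flawed and
    the fixed handler, so response matching alone gives a scanner no oracle."""
    alice = User("alice", "customer")
    vuln = Store.reship_order_vulnerable(new_store(), alice, 1001, "1 Alice St")
    safe = Store.reship_order(new_store(), alice, 1001, "1 Alice St")
    return vuln == safe


if __name__ == "__main__":
    for label, h in (("vulnerable", Store.reship_order_vulnerable), ("hardened", Store.reship_order)):
        print(f"horizontal, {label}: {'FLAW' if horizontal_check(new_store(), h) else 'ok'}")
    for label, h in (("vulnerable", Store.set_price_vulnerable), ("hardened", Store.set_price)):
        print(f"vertical, {label}: {'FLAW' if vertical_check(new_store(), h) else 'ok'}")
    print("scanner sees identical baseline responses:", scanner_cannot_tell())
```

The only evidence of either flaw is a change of state that the tester knows should not have happened (a price or another customer's shipping address), not anything in the HTTP response, which is why the checks above need two accounts and knowledge of who owns order 1001. The hardened `reship_order` returns the same 404 for a foreign order and a non-existent one so that the error itself does not confirm which ids exist.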

Unfortunately, hiring and retaining these security professionals is difficult and expensive.  Even if an organization has web application penetration testing staff, the uneven demand for testing makes management difficult. Spikes in the need for security assessments can easily overwhelm the staff, while at other times there may not be enough testing activity to keep these specialized professionals engaged. This makes it difficult for most organizations to retain this function over the long term.

To address these challenges, organizations need an approach that combines fast, cost-effective automated vulnerability scanning with highly trained security professionals equipped with the best tools. This gives organizations cost-effective automated scanning for all of their applications, plus the additional depth of testing required for those mission-critical applications that need a higher level of security assurance.

Fig 1: Penetration Testing Steps

To create this combined service, iViZ Security integrated QualysGuard WAS into its cloud portal via the WAS Application Programming Interface (API). The REST-based QualysGuard WAS API lets customers and partners carry out all the activities needed to set up web application configurations, schedule scans, and retrieve scan results. iViZ used the API to incorporate WAS automated scanning into a workflow in which its trained security professionals confirm each vulnerability the scanner identified before it is reported to the customer. iViZ goes a step further with its Premium service: for web applications that require a higher level of assurance, its testers also perform business logic testing, manual exploitation, and proof of exploitation.

Fig 2: Example Report Showing Penetration Testing Results (a negative amount transfer vulnerability)
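The business-logic flaw named in the report above, a negative amount transfer, as an added example that is not code from the Qualys post or from the iViZ report. A toy transfer handler checks that the caller can cover the amount but never that the amount is positive, so a negative value passes the balance check, moves money from the victim to the caller, and still returns a success response; the hardened version validates the amount before touching any balance, and a short check shows the test a pen tester would run. The account names, balances and handler signatures are assumptions made for this illustration.

```python
"""Added example, not code from the Qualys post or the iViZ report: the
"negative amount transfer" business-logic flaw reduced to a toy bank-transfer
handler, beside a hardened version and the check a tester would run. Account
names, balances and handler names are assumptions for this illustration."""

from decimal import Decimal


def transfer_vulnerable(accounts: dict, caller: str, dest: str, amount: Decimal) -> dict:
    """Checks that the caller can cover the amount, but never that the amount
    is positive. A negative amount passes the balance check and moves money
    from dest to caller, while the response still reports success."""
    if accounts[caller] < amount:
        return {"status": 400, "error": "insufficient funds"}
    accounts[caller] -= amount
    accounts[dest] += amount
    return {"status": 200, "from": caller, "to": dest, "amount": str(amount)}


def transfer(accounts: dict, caller: str, dest: str, amount: Decimal) -> dict:
    """Hardened handler: validates the amount's type, finiteness, sign and
    precision, and the destination, before any balance is changed."""
    if not isinstance(amount, Decimal) or not amount.is_finite():
        return {"status": 400, "error": "amount must be a decimal number"}
    if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
        return {"status": 400, "error": "amount must be positive with at most two decimals"}
    if dest == caller or dest not in accounts:
        return {"status": 400, "error": "invalid destination"}
    if accounts[caller] < amount:
        return {"status": 400, "error": "insufficient funds"}
    accounts[caller] -= amount
    accounts[dest] += amount
    return {"status": 200, "from": caller, "to": dest, "amount": str(amount)}


def negative_amount_check(handler) -> bool:
    """Tester's check: submit a negative transfer to a victim and see whether
    the attacker's own balance went up. True means the handler is vulnerable."""
    accounts = {"attacker": Decimal("10.00"), "victim": Decimal("1000.00")}  # constructed state
    before = accounts["attacker"]
    handler(accounts, "attacker", "victim", Decimal("-500.00"))
    return accounts["attacker"] > before


if __name__ == "__main__":
    for name, h in (("vulnerable", transfer_vulnerable), ("hardened", transfer)):
        print(f"{name}: {'VULNERABLE' if negative_amount_check(h) else 'ok'}")
```

As with the access-control flaws, the vulnerable handler's response to the negative transfer is a normal 200 with a well-formed body; the only evidence is that the attacker's balance rose and the victim's fell, which is why this is found by a tester who reasons about what the operation should mean rather than by payload-and-response matching.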

QualysGuard WAS has always been a great way for organizations to identify web application vulnerabilities through highly automated scanning. With the iViZ partnership, organizations that need the additional security assurance of a web application penetration test can now get that as well, built on the same QualysGuard WAS scan results.