Application Security Testing. Jesper Kråkhede

Academic year: 2021

(1)

Application Security

(2)

(3)

Others call it security and try to avoid it. I call it passion and dive right into it. Rules are great…for others.

Jesper Kråkhede

• Worked as a security consultant for 17 years

• Into security since I was 8 years old and started to pick locks

• Director Cybersecurity at Sogeti with a passion for security architecture

• Work globally with compliance frameworks

• CISSP and Member of Mensa

(4)

What challenges are enterprises facing?

• 120% increase in breaches reported in 2014 [1]

• 1 in 8 legitimate websites have a critical vulnerability [3]

• Over 500M identities were exposed via breaches in 2013 [2]

• Web-based attacks: 80% of attacks [4]

• 68% increase in mobile application vulnerability disclosures

(5)

Hacking is Al Capone's new gun

Failing to understand who is threatening you will make you underestimate the attack, and you'll be yet another victim.

• The annual cost of cyber crime is over €400Bn

• Fraud, extortion, sabotage, industrial espionage, information theft etc.

• Our adversaries are not 15-year-old boys but seasoned and skilled professionals or foreign military

(6)

They took control of a network of banks undetected and transferred money when they wanted

All automated detection patterns have thresholds; identifying and staying below them marks the skill of the hacker.

• An ATM started giving out money uncontrolled

• A security company started to investigate the issue

• They found a set of command and control software installed all over the network of banks

• Money was transferred between accounts just below the radar

(7)

The hackers spent two months following senior management to learn all processes for money transfer

By exploiting vulnerabilities in many systems, the hackers were able to gain control of the systems they needed.

• They followed everything senior management did for two months to learn how the banks worked

• By identifying the processes and thresholds for money transfer they could initiate a long series of money transfers that went undetected

(8)

They had 100% control of support and could block clients from seeing when money was stolen from the accounts

With this total control, the banks had lost all control of the money.

• When money started being siphoned away from accounts, the customers called the banks

• The hackers took the calls, blamed a technical glitch and moved money from other accounts into the customers' accounts

(9)

All ATMs were under their control and money was dispensed at their convenience

Even the video surveillance was under the hackers' control, making the chance of identifying the culprits slim at best.

• With total access to operate the ATMs, money was dispensed when an accomplice was in place to collect the money from the ATM

• Millions and millions of € were stolen using hacked ATMs

(10)

What's the current situation?

56% of organisations have been hacked

Attackers are targeting applications rather than networks and hardware

84% of breaches occur at the application layer (Gartner, 2013)

By identifying vulnerabilities in applications we minimise the attack surface and safeguard the information and systems.

(11)

HP 2013 Mobile Application Security Study of over 2,000 mobile applications from 600+ companies

(12)

Sogeti Security Gate

Lifecycle stages around the Security Testing Service / Security Gate: Deploy, Code, Test, Contract/Outsource, Procure

Secure ALL your applications before deployment

• Web, Facebook, Mobile

(13)

How it works

• Customer uploads software or dynamic access data directly from his portal

• Dynamic, static and/or mobile testing

• Expert review of the results, help remediate and prioritize fixes

(14)

Comprehensive and accurate testing

Static Analysis (powered by HP Fortify SCA)

• Enterprise proven technology

• 100% code coverage

• Support for 21 development languages

Dynamic Analysis (powered by HP WebInspect)

• Production safe

• Three testing levels

• QA or production environments

Manual Review

• Security expert review

• Reduce false positives

(15)

Multiple levels of testing based on application risk

• Low risk: Basic assessment

• Medium risk: Standard assessment

• High risk: Premium assessment

Example application classifications: Marketing site; Credit card/SSN information; Business critical; Personally identifiable information; Business useful

(16)
(17)
(18)
(19)

The security tester has a specific set of skills

• Operating systems

• Networking

• Security tools

• Programming

• Scripting

• Databases

• Curiosity

(20)

Want to become a security tester or specialist?

(21)

But what if I don't bother about security testing?

You will be found!

You will be hacked!

You will lose!

(22)

Got any mor-r-r-e questions?

Q & A

Contact information: Jesper Kråkhede, [email protected], +46 725 27 65 87
