
Cyber Risk Managed Services | Application Security

2 Application Security | Cyber Risk Managed Services

Contents

Cyber Risk Managed Services – Application Security 4
A Comprehensive Security Solution for Applications 5
Application Security – Lifecycle Approach 6
Securing Applications – At Every Stage 7
Application Security – A New Horizon 8
RASP Betters Traditional WAF Protection 9
What does a Managed Security Program bring to the table? 10
Capabilities 13
Related Services 12
Contacts 14


Cyber Risk Managed Services – Application Security

Today’s Challenges

Every organization reaches out to its consumers by all possible mediums. This includes Web and Mobile applications. However, most have inadequately secured their applications, leading to the cyber attacks we experience every day.

A fresh approach

Given the complexity of today’s application environment, the traditional approach of securing applications in silos is not an effective way of handling security. There is a need for a much more radical approach, one that is robust, scalable, and able to connect with the dynamics of the application. Selecting the right tool sets that can effectively identify the vulnerabilities is an important component of this approach, along with skilled resources who have the expertise to interpret the findings and provide solutions.

Managing risk – Where to begin?

Many organizations fail to prioritize application security, leaving their entire environment at risk. With large organizations managing thousands of applications, it is prudent to adopt risk-based application security management. To begin with, we need to adopt a framework that covers the following –
•• Build an application inventory
•• Identify business criticality and its impact
•• Identify and prioritize vulnerabilities
•• Action plan on remediation

Sidebar – the challenges at a glance

Applications are easy targets
“… facing applications are the easiest to attack; the latest trend depicts the same.”

Complexity and volume of applications
“Today’s business deals with large volumes in terms of size and complexity of applications.”

Inherent vulnerabilities and gaps
“Inherent gaps in the coding standards adopted, coupled with the volume of applications, create a huge challenge.”

Risk Identification and Prioritization
“These are dependent on the tools used, skill set of resources, and maturity of managing application vulnerabilities.”

Regulatory and Compliance requirements
“Every business is bound by regulatory compliance requirements such as SOX, PCI DSS, and HIPAA.”


A Comprehensive Security Solution for Applications

Securing applications is a multi-faceted activity that needs a thorough understanding of the application behavior and its various functionalities. More than half of all breaches involve web applications—yet less than 10% of organizations ensure all critical applications are reviewed for security before and during production.

Stage 1: Protection during design and development

Static Code Analysis (SAST)
•• Apart from protecting the applications from external attacks, it is essential to look at the application’s software build to detect errors and defects.
•• Static code analysis should be done early in the development lifecycle and also continuously used throughout the life of the application.

Stage 2: Protection during pre-production

Interactive Application Security Testing (IAST)
•• Interactive Application Security Testing combines the strengths of SAST and DAST and performs a behavioral assessment.
•• It leverages information from inside the running application, including runtime requests and data / control flow, to find vulnerabilities accurately.

Stage 3: Protection at production environment

Dynamic Application Security Testing (DAST)
•• Dynamic application security testing (DAST) helps identify security vulnerabilities in an application in its running state.
•• It mimics real-world hacking techniques and attacks and provides comprehensive dynamic analysis of complex web applications and services.

Stage 4: Protection on-the-go

Runtime Application Self-Protection (RASP)
•• RASP enables applications to protect themselves against attack at run-time.
•• It overcomes the shortcomings of legacy protection systems such as Web Application Firewalls (WAF) and Intrusion Protection and Detection Systems (IPS/IDS).


Application Security – Lifecycle Approach

With applications and software development getting more complex by the day, we can no longer look at securing them by utilizing a single solution. We need to look at the different phases of the lifecycle that an application undergoes to build a solution that covers the entire gamut of application security.

Advantage of lifecycle approach
•• Covers end-to-end phases of an application build that includes design, development, production, and run-time
•• Provides an integrated solution, thereby creating multiple layers of defence for application protection
•• Helps in performing in-depth analysis of threats and vulnerabilities which are being exploited at an application level
•• Enables early identification of vulnerabilities and thereby reduces the attack vector of an application
•• Reduces overall cost of securing applications by effectively leveraging protection mechanisms during the entire application development process

[Figure: “Protection at every stage of SDLC” – a continuous assessment cycle with four numbered stages: 1 Static Code Review (SAST) at Application Coding; 2 Dynamic Application Security Testing (DAST) on the Web Application; 3 Interactive Application Security Testing (IAST) on the Web Application; 4 Runtime Application Self Protection (RASP) on the Web Application in Real Time. Environment labels: Pre-Prod, Prod. Outer ring labels: Remediation, Benchmarking, Regulatory Compliance.]


Securing Applications – At Every Stage

Security should be embedded in every phase of application development to provide protection in its true sense. To accomplish this, we need to understand the complete lifecycle of application development and incorporate security best practices that connect with its individual stages.

Multi-faceted Approach

Any application development starts by gathering the requirements and performing analysis, followed by design, code, testing, and deployment into the production environment, and finally provides ongoing maintenance support. To look at this lifecycle holistically, we need to incorporate security at strategic phases that will help identify gaps and vulnerabilities early on and also provide layered protection.

•• Application design and development is where it all begins to materialize and give shape to an application. It is important to adopt practices that build a secure application. Static code review will help achieve the objective of identifying and mitigating vulnerabilities at the code level.
•• The application testing phase needs to provide adequate protection to the application. Interactive Application Security Testing (IAST) provides the necessary information that helps the developer make the security-related modifications while the application is being built.
•• The application in the production environment is what the world sees. Adding security at this phase is a must, as it provides insight into the visibility that the attacker is likely to have.
•• Run-time protection is the ongoing mechanism to safeguard the application from external attacks. It is imperative, as any leakage of sensitive data leads to financial loss and negatively impacts brand value.


Application Security – A New Horizon

Protection on-the-go

The protection capabilities of traditional perimeter devices such as Web Application Firewalls (WAF) and Intrusion Prevention/Detection Systems (IPS/IDS) can be insufficient, because they lack insight into application logic and configuration. Run-time Application Self Protection (RASP) operates within the application, developing application context and using it to provide accurate attack visibility and blocking without accidentally stopping a legitimate request that looks similar to an attack.

Prevention of attacks
•• Blocks Zero Day attacks such as Shellshock
•• Blocks major OWASP Top 10 vulnerabilities such as SQL Injection, Cross Site Scripting (XSS), and Path Traversal
•• Blocks automated attacks with bot blocker technology that automatically blocks malicious bots
•• Virtual patching prevents vulnerabilities from being exploited until they can be permanently remediated

How does RASP work?
•• RASP embeds security into the running application, where it resides on the server. It then intercepts all calls to the system to ensure they are secure.
•• RASP can be applied to Web and non-web applications and doesn’t affect the application design.
•• Safeguards applications by effectively leveraging protection mechanisms during the entire application development process

Key Benefits
•• Out-of-the-box protection via preconfigured vulnerability detection rules
•• Continuous security monitoring of actual attacks and protection against vulnerabilities
•• Real-time analysis of application logic and data flows to see threats invisible to …
•• Accurately distinguishes between an actual attack and a legitimate request
•• Integrated monitoring capabilities with Deloitte’s Managed Threat and Services


RASP Betters Traditional WAF Protection

Limitations of WAF

Web Application Firewalls (WAF) were once touted to be the most intelligent defence layer sitting at the perimeter. They have become irrelevant in the current scenario, as the WAF has a major drawback – the inability to understand application behavior. This leads to easy bypass of WAF protection, and attackers are able to exploit the web application residing behind the WAF layer with ease. Organizations have understood this serious limitation of the WAF and are now beginning to migrate to RASP, which offers application intelligence and thereby does a better job.

To help you understand more, here is the comparative study between RASP and WAF services –

Criteria | Deloitte’s Runtime Application Self Protection (RASP) Service | Web Application Firewall (WAF) Deployments

Accuracy
  RASP: Detection of malicious input only when passed to library calls where exploitation would occur. Monitors inbound and outbound data and logic flows.
  WAF: Detection is based on naïve pattern matching, without considering whether the input data would be passed to vulnerable code.

Time to Value
  RASP: No need to know locations of existing vulnerabilities in application code; can act as a virtual patch against a vulnerability.
  WAF: Requires extensive testing and configuration to adequately cover the application. It also involves fine tuning.

Reliability
  RASP: Will not fail open under high load – code is always instrumented, regardless of server load.
  WAF: Single point of failure; likely to fail open under high load, leaving the web application vulnerable.

Platforms
  RASP: Any instrumented application.
  WAF: All types of Web application.

Visibility
  RASP: Provides detailed feedback to developers to show how to remediate code vulnerabilities.
  WAF: Offers no detailed insight into the application.

Network Protocols
  RASP: Protocol agnostic; handles HTTP, HTTPS, AJAX, SQL and SOAP with equal ease.
  WAF: Must be able to understand the application’s network language type.

Maintenance
  RASP: Automatically understands changes to the application.
  WAF: Can gain application context through training only.
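The Accuracy row above, together with the “How does RASP work?” point about intercepting calls, can be made concrete with a small simulation. The code below is an added example written for this page; it is not Deloitte’s or any RASP vendor’s code. It places a naive WAF signature set that scans every request field beside a toy RASP hook that sits at the database call and blocks only when request data actually changes the token structure of the final query. The signature list, the sample requests, the in-memory `users` table, and the string-concatenating `build_login_query` are all constructed for the example; a real agent tracks taint through the runtime rather than searching the final SQL string.

```python
"""Toy comparison of WAF-style pattern matching versus a RASP-style check at the
database call (added example, not vendor code)."""
import re
import sqlite3

# --- WAF side: pattern matching on every request field, with no application context.
# Constructed, deliberately naive signature list (quote, comment marker, SQL keywords).
WAF_SIGNATURES = re.compile(r"(?i)\b(select|union|insert|update|delete|drop|or)\b|--|'")


def waf_inspect(request: dict) -> bool:
    """Return True if any field of the request matches a signature (no notion of where
    the field ends up, so a chatty comment field trips it as easily as an attack)."""
    return any(WAF_SIGNATURES.search(str(v)) for v in request.values())


# --- Application side: the weak query pattern a RASP agent would protect.
def build_login_query(username: str) -> str:
    # String concatenation is kept on purpose so the hook below has something to
    # observe; parameterised queries are the permanent remediation.
    return "SELECT id FROM users WHERE name = '" + username + "'"


# --- RASP side: hook at the library call, judging the final query's structure.
# Tokenizer: single-quoted literal (with '' escapes), comment marker, number, word, symbol.
SQL_TOKEN = re.compile(r"'(?:[^']|'')*'|--|\d+|\w+|[^\s\w]")


def tainted_value_escapes_literal(sql: str, value: str) -> bool:
    """True if any occurrence of `value` in `sql` is not fully enclosed by a single
    string-literal token, i.e. the request data altered the query structure.
    (Toy limitation: very short values that also occur in the static SQL could be
    misjudged, because this searches the string instead of tracking taint.)"""
    if not value:
        return False
    literal_spans = [m.span() for m in SQL_TOKEN.finditer(sql) if m.group().startswith("'")]
    start = sql.find(value)
    while start != -1:
        end = start + len(value)
        inside_one_literal = any(a < start and end < b for a, b in literal_spans)
        if not inside_one_literal:
            return True
        start = sql.find(value, end)
    return False


class BlockedByRasp(Exception):
    """Raised when the hook refuses to pass a structurally altered query to the driver."""


def guarded_execute(conn: sqlite3.Connection, sql: str, tainted_values):
    """Simulated RASP hook around the DB driver: block queries whose structure was
    changed by request data, otherwise run them and return the rows."""
    for v in tainted_values:
        if tainted_value_escapes_literal(sql, str(v)):
            raise BlockedByRasp(f"request data altered SQL structure: {sql!r}")
    return conn.execute(sql).fetchall()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with two users, one of them containing a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("O'Brien",)])
    return conn


# Constructed sample requests (not real traffic). Only "username" reaches the DB;
# "comment" is stored verbatim and never concatenated into SQL.
SAMPLE_REQUESTS = [
    {"username": "alice", "comment": "great service"},
    {"username": "alice", "comment": "please select the premium plan or drop me a mail"},
    {"username": "O''Brien", "comment": "hi"},        # correctly escaped quote
    {"username": "' OR 1=1 --", "comment": "hi"},      # classic structure-changing input
]


def evaluate(requests=SAMPLE_REQUESTS):
    """Per request: did the WAF flag it, and did the RASP hook block the DB call?"""
    conn = make_db()
    results = []
    for req in requests:
        sql = build_login_query(req["username"])
        try:
            guarded_execute(conn, sql, req.values())
            blocked = False
        except BlockedByRasp:
            blocked = True
        results.append({"waf": waf_inspect(req), "rasp": blocked})
    return results


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, evaluate()):
        print(req, "->", verdict)
```

Running `evaluate()` shows the contrast the table describes: the WAF flags the second and third requests because a harmless comment contains “select” and a correctly escaped name contains a quote, while the RASP hook lets both through and blocks only the last request, whose input actually breaks out of the string literal at the point where the query is executed.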


What does a Managed Security Program bring to the table?

Deloitte leverages its Cyber Intelligence Centre to deliver the above mentioned services to its clients across the globe. The Deloitte Cyber Intelligence Centre (CIC) combines deep cyber intelligence with broad business intelligence to deliver relevant, tailored, and actionable insights to inform business decision-making. The CIC fuses a number of services together to provide our clients with a truly tailored service that enables them to fully understand their cyber risks and adopt proportionate responses in an increasingly digital and interconnected business environment. We do this by providing them with improved visibility of threats and assets, based on highly relevant intelligence that reflects their specific business, market, and industry context.

Service Offering                                   Basic   Advance   Premium
Static Code Review (SAST)                            ✓       ✓         ✓
Interactive Application Security Testing (IAST)      ✓       ✓         ✓
Dynamic Application Security Testing (DAST)          ✓       ✓         ✓
Run-Time Application Self Protection (RASP)          ✓       ✓         ✓
Integration with Incident Management (SIEM)                  ✓         ✓
Integration with Vulnerability Management                    ✓         ✓
Integration with Threat Intelligence                                   ✓


Managed Security Service Capabilities

•• Robust Capability: The Cyber Intelligence Center (CIC) is the backbone of the Managed Application Security Service. It offers a state-of-the-art facility that has advanced security tools to run the service effectively.
•• Deep Expertise: Deloitte has a team of highly skilled application security experts with the merit of holding international certifications. They are equipped with security incident handling capabilities along with a niche skillset in managing adverse attacks and breaches.
•• Swift response: Threats and vulnerabilities don’t wait for us to respond. They are likely to have a catastrophic impact if not dealt with properly. The CIC has a rich blend of resources and technology that facilitates quick response coupled with corrective measures to mitigate the incident at the earliest.
•• Dashboard view: Deloitte provides unique access to its customers to view their application security status via its highly intuitive and customizable dashboard.
•• Service Integration and Advance Analytics: Threats and vulnerabilities are no longer isolated incidents. They must be considered interlinked entities with reference to Threat Intelligence and SIEM. Deloitte can help you by providing Managed Threat Service and Incident Response with advance analytics capability.


Related Services

Deloitte provides additional services related to Application Security that deliver immense value in managing threats and vulnerabilities effectively.

•• Managed Threat Intelligence Service: Deloitte provides industry-specific threat information using its commercial feeds, which is a vital component of application security risk mitigation. This proactive information can help the organization address its application vulnerabilities before they get exploited.
•• Managed Vulnerability Service: Deloitte’s Managed Vulnerability Service provides a comprehensive solution to its customers in identifying and managing vulnerabilities in their environment. This service, when coupled with Application Security Management, provides complete coverage of all vital infrastructure components of an organization.
•• Managed Threat Services: Deloitte offers extensive Incident Management capabilities with security analytics capability or a managed SIEM solution. When this is integrated with the Application Security Service, it provides a structured mechanism to handle security incidents and helps the organization in mitigating them effectively.


Key Contacts:

National

Amry Junaideen
President
National Leader – Risk Advisory
[email protected]
Mumbai

Shree Parthasarathy
Partner – Risk Advisory
National Leader – Cyber Risk Services
[email protected]
Gurgaon

Regional

A.K. Viswanathan
Partner – Risk Advisory
Cyber Risk Services
Mumbai

Priti Ray
Partner – Risk Advisory
Cyber Risk Services
Mumbai & Kolkata

Abhijit Katkar
Partner – Risk Advisory
Cyber Risk Services
Mumbai

Maninder Bharadwaj
Partner – Risk Advisory
Cyber Risk Services
Bangalore

Ramu Narsapuram
Partner – Risk Advisory
Cyber Risk Services
Hyderabad

Ashish Sharma
Partner – Risk Advisory
Cyber Risk Services
Pune

Ravi Veeraraghavan
Partner – Risk Advisory
Chennai

National Cyber CoE

Anand Prakash
Director – Risk Advisory
Solution Architect
Cyber - Managed Risk Services
[email protected]

Achal Gangwani
Senior Manager – Risk Advisory
Solution Lead
Cyber - Managed Risk Services
[email protected]

To discuss your unique challenges and how Deloitte can help you, contact us at [email protected].


Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.

This material and the information contained herein prepared by Deloitte Touche Tohmatsu LLP (DTTILLP) is intended to provide general information on a particular subject or subjects and is not an exhaustive treatment of such subject(s). None of DTTILLP, Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this material, rendering professional advice or services. The information is not intended to be relied upon as the sole basis for any decision which may affect you or your business. Before making any decision or taking any action that might affect your personal finances or business, you should consult a qualified professional adviser.

No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this material.

©2016 Deloitte Touche Tohmatsu India LLP.