Application Security: Safeguarding Data, Protecting Reputations

Application Security: Safeguarding Data, Protecting Reputations

• Cognizant 20-20 Insights Application Security: Safeguarding Data, Protecting Reputations Assessing IT systems and network vulnerabilities in today’s interconnected digital world is a daunting endeavor. By embracing penetration testing’s best practices and procedures, organizations can proactively and affordably address security loopholes before hackers undermine customer confidence, brand reputation and financial well-being. Executive Summary there is a grave concern about security, reinforced by recent events: In today’s connected digital ecosystem, applica- tions are center stage, influencing all the ways • In January 2016, a large Belgian bank was in which we interact and communicate. These attacked by cybercriminals that cost the bank applications contain sensitive data and deliver 70 million euros, although no customers were business-critical information services, and as affected by the breach. This type of attack is a result even the smallest security loophole is called a whaling attack or spear-phishing.2 exploited by cybercriminals looking to wreak havoc. While numerous cybercrime incidents have • In August 2015, the U.S. Internal Revenue occurred over the years that damaged customer Service reported that about 300,000 taxpayers’ confidence and brand reputation, solving inherent personal information was compromised when information security challenges remains a work in hackers cracked the agency’s multi-step progress for many organizations. authentication process and were able to make fraudulent claims for tax refunds using stolen The hacking challenge is so steep, that born- identities.3 digital companies Yahoo and Google recently 1 • In November 2015, a Switzerland-based partnered to create an encrypted e-mail system encrypted e-mail provider’s Internet connection that allegedly cannot be decrypted even by the was held for ransom by hackers in what could companies themselves. Clearly, our lives are be described as a distributed denial of service increasingly reliant on digital devices, many of (DDOS) attack.4 which are prone to security hacks. As a result, cognizant 20-20 insights | june 2016 • In October 2015, a UK phone and broadband While most organizations implement firewalls, provider’s website was hacked by cyber- SSL encryption and secure policies, every now criminals who may have pilfered confidential and then they still become victims of cyber- banking details and personal information. attacks. The aforementioned incidents are This type of attack could be described as a proof that cyberattacks are not specific to any sequential attack or SQL injection.5 industry and can cause business distruption or, • In February 2015, a large U.S. health insurer’s worse, undermine brand confidence or unleash database was breached, and sensitive informa- financial damage that could challenge the very tion that affected about 80 million customer existence of any company. Attacks involving the records was stolen. This was described as loss of customer data and/or theft of important a sophisticated advanced persistent threat company information begin with the realization (APT), where a malicious user gains access to that the enterprise has been penetrated, followed internal networks primarily to steal data.6 by concern over what the breach has actually damaged. By then, it is often too late for the This white paper talks about the importance of company to protect itself and its customers. penetration in the digital arena and the process involved in preventing it. It also talks about the Incorporating security testing early in the types of penetration testing, testing strategy and software development lifecycle can help orga- the costs involved in cybersecurity. nizations identify application and infrastruc- ture vulnerabilities before cybercriminals strike. Debunking Security Myths, Working Periodical penetration testing helps unravel the Proactively to Plug Vulnerabilities organization’s current security posture. Information plays a crucial role in every aspect of today’s modern digital world. Companies have Incorporating security testing launched more efficient ways to swiftly and safely early in the software development deliver information and application services to lifecycle can help organizations end users inside and outside their firewalls. Safe- guarding such high volumes of data from cyber- identify application and attacks is a cumbersome task for most organiza- infrastructure vulnerabilities before tions. Let’s start by debunking some myths that cybercriminals strike. surround the concept of security testing (see Figure 1 below). Myth 2 Myth 1 Myth 3 • Myth 2: Our applica- • Myth 1: We have tions are internal and • Myth 3: Secure firewalls in place, which thus are not exposed to sockets layer (SSL) can protect our digital the Internet. technology protects assets from threats. • Fact: Many orga- a website from Fact: Firewalls can nizations prioritize intruders. protect the system at protecting the corporate Fact: Implementing the network level to a information jewels SSL is not enough certain extent, but an from external attacks, to protect websites attack could permeate but insider attacks are, from hackers as these through the application sadly, more prevalent. can be exploited by layer which cannot be Insiders have authorized forcing the browser tackled by firewalls. system access and to use low-encryption are familiar with the algorithms and network architecture decrypt the traffic, and policies. which leads to a “man- in-the-middle attack.” Figure 1 cognizant 20-20 insights 2 Defining Penetration Testing • Comply with industry standards and regula- In simple terms, penetration testing is an tions by ensuring that applications comply with in-depth security assessment that identifies the industry standards such as ISO 27001, PCI DSS, security loopholes in a system, from applications NIST, FISMA HIPAA and Sarbanes-Oxley. through infrastructure, which hackers use to • Enable an organization to avoid penalties exploit the system. It is an attempt to examine for noncompliance by demonstrating a and evaluate by safely exploiting the vulner- commitment to security due diligence and abilities that may exist in operating systems, compliance. services and applications due to improper con- The Penetration Testing Process figuration management, insecure coding, weak design elements and incorrect implementation Our security assessment methodology covers the of security policies and procedures. following security assessment guidelines: Penetration testing helps • OWASP top 10 vulnerabilities. customers protect company assets • OWASP Application Security Verification from cyberattacks. Standard (ASVS). • SANS top 25. Once vulnerabilities have been successfully • OSTMM. exploited on a particular system, the compro- • Web Application Security Consortium (WASC) mised system can be used to launch attacks on the guidelines. interconnected infrastructure to achieve higher privileges and take down the remaining portions These standards define the process of penetra- of the network and related systems. Moreover, tion testing using the following steps: preventive measures taken by organizations to Hackers who can compromise safeguard assets against such occurrences are a hallmark of effective penetration testing. the security of Web applications would gain access not only to sensitive Penetration testing helps customers protect company assets from cyberattacks. It helps define data but gain the keys to the enterprise the vulnerabilities as identified by Open Web information architecture kingdom. Application Security Project (OWASP), SysAdmin, Audit, Network, and Security (SANS) and Open Source Security Testing Methodology Manual • Manual inspections and reviews. (OSSTM) standards. In addition, it allows business • Threat modeling: leaders to understand the impact of those vulner- > Breaking the application down into its com- abilities in the real world. ponents. Where Penetration Testing Fits > Classifying the assets protected/contained Today’s technology-intensive world pivots around by that application. applications that are complex to build, and that > Exploring vulnerabilities, threats and other must scale internally and externally to fit most issues. business needs. Though Web applications are Creating mitigating strategies. now the predominant means for delivering infor- > mation services to customers and internal users, • Source code review (static application security there are many layers between the users and the testing): database that house critical data. Hackers who > Manual and automated scans for trojan hors- can compromise the security of Web applications es, time bombs, backdoors, etc. would gain access not only to sensitive data but Procedures for deployment that may expose gain the keys to the enterprise information archi- > vulnerabilities. tecture kingdom. • Penetration testing: To prevent this from occurring, penetration Web application penetration testing (dynam- testing can be applied to: > ic application security testing). Identify security breaches that could result in • > Infrastructure penetration testing. business loss. cognizant 20-20 insights 3 Formulating an Effective Strategy • Worm, spyware and other malicious programs. A comprehensive security testing approach can • Vulnerabilities in existing software. help uncover systems and network vulnerabilities. • Accidental or otherwise sharing of data by • Understand the security architecture and test staff. the architecture rather than focusing on

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    7 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us