“Today over 70% of attacks against a company’s network come at the ‘Application Layer’ not the Network or System layer.” - Gartner Is Your Web Application.

Presentation transcript:

“Today over 70% of attacks against a company’s network come at the ‘Application Layer’ not the Network or System layer.” - Gartner

Is Your Web Application Security Cleared?
Dr. Ravi Kiran Raju Yerra, Vice President – Security Testing, Arsin Corporation

Documents > Security Services > Web Application

Snap Shot of the Presentation
- About Me
- Web Applications – The Challenge
- Why Web Applications are Vulnerable
- Top 10 Vulnerabilities
- Is Application Security a Tool Business?
- Methodology
- Suggested Tools
- What's Next?

About Me
- Holds a Doctor of Science in Internet Security Management
- 15 years of experience in Information Technology & Information Security solutions
- Vice President – QA (Security Testing) at Arsin Corporation
- Actively involved in 10 different innovative information threat management projects with various universities across the globe

Web Applications – The Challenge
[Diagram: Web Server, Application Server, Database Server, Web Application]
The World Wide Web has evolved into a global environment delivering applications such as reservation systems, online shopping or auction sites, games, multimedia applications, calendars, maps, chat applications or data entry/display systems, and many more. Web applications are characterized by multiculturalism, continuous change, fast pace and competitiveness, and high demands on user adaptivity. Thus, the complexity of securing such Web applications has increased significantly.

Why is this important?

Why Web Applications are Vulnerable
- Application attacks are the latest trend when it comes to hacking.
- On average, 90% of all dynamic content sites have vulnerabilities associated with them.
- No single web server and database server combination has been found to be immune!
- Current security solutions do not offer adequate protection: attacks pass through perimeter firewall security over port 80 (or 443 for SSL), exploiting bugs and poor security programming practices in the software.

What is Web Application Security?
Web Application Security is not:
Traditional Layers and their Traditional Security Controls
- Network Protocols: Firewalls, Routers, Operating System IP Stack Configuration and Filtering, VPNs, and Vulnerability Scanners
- Operating System: Operating System Patches and OS Configuration, Authentication, Authorization, Encryption, and Vulnerability Scanners
- Commercial and Open Source Applications: Minimize Services, Application Configuration, Patches, Application-level Authentication and Authorization, and Vulnerability Scanners

What is Web Application Security?
Web Application Security is:
Traditional Layers and their Traditional Security Controls
- Network Protocols: Firewalls, Routers, Operating System IP Stack Configuration and Filtering, VPNs, and Vulnerability Scanners
- Operating System: Operating System Patches and OS Configuration, Authentication, Authorization, Encryption, and Vulnerability Scanners
- Commercial and Open Source Applications: Minimize Services, Application Configuration, Patches, Application-level Authentication and Authorization, and Vulnerability Scanners
- Custom Web Applications: Architecture, Design and Code Reviews, Application Scanners, Testing with Malicious Input

Data Flow example

How Bad Is It? – Vulnerability Reports
Vulnerability reports consistently report Web Applications as the category with the highest number of vulnerabilities. For example, the Aug 2007 weekly counts (columns 8/7, 8/13, 8/20, 8/27, Total) broke down by Microsoft Products, Mac, Linux, Unix/Solaris etc., Network Device and Web Applications.
[Table: the per-category counts did not survive the transcript]

Story: A Successful Hack

What are the Top 10 Vulnerabilities ?

OWASP 2007 Top Ten List
- A1. Cross-Site Scripting (XSS)
- A2. Injection Flaws
- A3. Malicious File Execution
- A4. Insecure Direct Object Reference
- A5. Cross Site Request Forgery (CSRF)
- A6. Information Leakage & Improper Error Handling
- A7. Broken Authentication & Session Management
- A8. Insecure Cryptographic Storage
- A9. Insecure Communications
- A10. Failure to Restrict URL Access

Is Application Security a Tool Business???
- Web applications can be tested with a combination of tools.
- Typical Web Application Testing is held to be 30% tool and 70% manual effort.
- Tools often throw false positive results.
- Evaluating the scanner results and analysing the Statement of Applicability is key.
- Tools may not have the “Risk Based Approach”.
The answer is NO.

Story: A Great Damage

Methodology

Methodology – Web Application Penetration Testing
- Test Against OWASP 2004
- Test Against OWASP 2007
- Deliver Final Reports
- Test Protocol Security Issues
- Recommend / Implement Solutions
- Re-Test the Application
- Mapping of Technical Vulnerabilities to Business Risks

Methodology – Contd
Testing Against OWASP 2004:
- Understand the applications in detail.
- Test against OWASP 2004 (intrusive / non-intrusive methods).
- Authorized user test & black box testing.
Testing Against OWASP 2007 & Protocol Security Testing:
- Test against OWASP 2007 (intrusive / non-intrusive methods) & implement fuzzing techniques for protocol analysis.
- External code posture analysis.
Recommend or Implement Solutions:
- Recommend appropriate solutions, including code snippets and design.
- If required, Arsin COE Security also helps in implementing solutions.
Re-Test the Fixed Applications:
- Re-test the entire application against OWASP 2004 & 2007 and protocol issues.
- Retesting continues until the bugs are reduced to < 5% (non-severe).
Deliver Report:
- On successful completion of testing, Arsin delivers an Executive and Technical report with appropriate applicable recommendations.

Are there any suggested tools?
There are a couple of industry-standard commercial and open source tools, such as:
- Rational AppScan from IBM
- WebScarab from OWASP
- HP WebInspect
etc.

What’s Next?

Next!
- Generally web applications are tested against the “Application” only.
- Web applications must also undergo the respective protocol security testing, i.e. HTTP, HTTPS etc.
- It means security testing must upgrade from the “Application Layer” to the “Network Layer”.
- Web Services security testing will also play an important role.
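The protocol-level testing called for here, HTTP and HTTPS rather than the application's own logic, can be illustrated with an added example that is not part of the presentation: a checker that parses a raw HTTP response and reports transport and header settings a tester would flag. The sample response, the `HSTS_MIN_AGE` policy threshold and the function names are constructed for this example; the header names are the standard ones (Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, Set-Cookie attributes).

```python
"""Added example (not from the presentation): protocol-level checks on an HTTP
response, the kind of test that sits beside application-layer testing. The
sample response below is constructed; the threshold is an assumed policy."""
from typing import Dict, List, Tuple

# Constructed response with several weak settings on purpose.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleHTTPd/1.0 (build 123)\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=constructed-session-value; Path=/\r\n"
    "Set-Cookie: pref=dark; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html>...</html>"
)

HSTS_MIN_AGE = 15552000  # 180 days; an assumed policy threshold for this example


def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.x response into its status line and an ordered header
    list; a list is used because Set-Cookie legitimately repeats."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def check_headers(raw: str) -> List[str]:
    """Return the findings for one response; an empty list means nothing flagged."""
    _status, headers = parse_response(raw)
    by_name: Dict[str, List[str]] = {}
    for name, value in headers:
        by_name.setdefault(name, []).append(value)
    findings: List[str] = []

    # Transport: without HSTS (or with a short max-age) browsers may keep using plain HTTP.
    hsts = by_name.get("strict-transport-security", [])
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    else:
        max_age = 0
        for part in hsts[0].split(";"):
            key, _, val = part.strip().partition("=")
            if key.lower() == "max-age" and val.isdigit():
                max_age = int(val)
        if max_age < HSTS_MIN_AGE:
            findings.append(f"Strict-Transport-Security max-age {max_age} below {HSTS_MIN_AGE}")

    # Information leakage (A6): a version string in Server hands out the product version.
    for value in by_name.get("server", []):
        if any(ch.isdigit() for ch in value):
            findings.append(f"Server header discloses version: {value}")

    # Browser-side controls expected on every HTML response.
    if "x-content-type-options" not in by_name:
        findings.append("missing X-Content-Type-Options: nosniff")
    if "x-frame-options" not in by_name and "content-security-policy" not in by_name:
        findings.append("missing X-Frame-Options / frame-ancestors")

    # Session management (A7, A9): cookies must carry Secure and HttpOnly.
    for cookie in by_name.get("set-cookie", []):
        name = cookie.split("=", 1)[0]
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
    return findings


if __name__ == "__main__":
    for finding in check_headers(SAMPLE_RESPONSE):
        print("-", finding)
```

Run against a live service the raw text would come from a real response captured over TLS; the checks themselves are the same, which is the point of keeping the parser separate from the rules.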

Queries
Dr. Ravi Kiran Raju Yerra
IM – Yahoo: brightvaio
Image References: Black Hat Briefings – &

Thank You
For More Details: Jonathan McClean