Evolving Threats. Application Security - Understanding the Problem DesktopTransportNetworkWeb Applications Antivirus Protection Encryption (SSL) Firewalls.

Presentation transcript:

Evolving Threats

Application Security - Understanding the Problem (Info Security Landscape diagram: layers Desktop, Transport, Network, Web Applications; protections Antivirus Protection, Encryption (SSL), Firewalls / IDS / IPS; backend components Firewall, Databases, Backend Server, Application Servers)

Hackers Exploit Unintended Functionality to Attack Apps (diagram: Actual Functionality versus Intended Functionality; the difference is Unintended Functionality)

The OWASP Top 10

| Application Threat | Negative Impact | Example Impact |
| --- | --- | --- |
| Cross Site Scripting | Identity theft, sensitive information leakage, … | Hackers can impersonate legitimate users, and control their accounts. |
| Injection Flaws | Attacker can manipulate queries to the DB / LDAP / other system | Hackers can access backend database information, alter it or steal it. |
| Malicious File Execution | Execute shell commands on server, up to full control | Site modified to transfer all interactions to the hacker. |
| Insecure Direct Object Reference | Attacker can access sensitive files and resources | Web application returns contents of sensitive file (instead of harmless one). |
| Cross-Site Request Forgery | Attacker can invoke "blind" actions on web applications, impersonating a trusted user | Blind requests to bank account transfer money to hacker. |
| Information Leakage and Improper Error Handling | Attackers can gain detailed system information | Malicious system reconnaissance may assist in developing further attacks. |
| Broken Authentication & Session Management | Session tokens not guarded or invalidated properly | Hacker can "force" session token on victim; session tokens can be stolen after logout. |
| Insecure Cryptographic Storage | Weak encryption techniques may lead to broken encryption | Confidential information (SSN, credit cards) can be decrypted by malicious users. |
| Insecure Communications | Sensitive info sent unencrypted over insecure channel | Unencrypted credentials "sniffed" and used by hacker to impersonate user. |
| Failure to Restrict URL Access | Hacker can access unauthorized resources | Hacker can forcefully browse and access a page past the login page. |
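The Injection Flaws and Insecure Direct Object Reference rows of the table above, as an added example that is not part of the slides: a document-lookup handler written two ways in Python with the standard sqlite3 module. The "before" version concatenates the caller-supplied id into the SQL text and never checks who owns the row; the "after" version binds the id as a parameter and restricts the query to the caller's own rows, so both classes of flaw are closed in one statement. The table, column names, users and documents are constructed for the example.

```python
import sqlite3
from typing import List, Optional, Tuple

Row = Tuple[int, str, str, str]


def build_db() -> sqlite3.Connection:
    """Constructed sample data: three documents owned by two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents (id INTEGER PRIMARY KEY, owner TEXT, title TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO documents (id, owner, title, body) VALUES (?, ?, ?, ?)",
        [
            (1, "alice", "Alice's notes", "harmless"),
            (2, "bob", "Bob's payroll", "SENSITIVE"),
            (3, "bob", "Bob's tax form", "SENSITIVE"),
        ],
    )
    return conn


def get_document_vulnerable(conn: sqlite3.Connection, current_user: str, doc_id: str) -> List[Row]:
    """BEFORE: injection flaw plus insecure direct object reference.

    The id the client sent becomes part of the SQL text, so anything that is
    valid SQL after "WHERE id = " changes the query. current_user is ignored,
    so any caller can fetch any row simply by choosing its id.
    """
    sql = "SELECT id, owner, title, body FROM documents WHERE id = " + doc_id
    return conn.execute(sql).fetchall()


def get_document_hardened(conn: sqlite3.Connection, current_user: str, doc_id: str) -> Optional[Row]:
    """AFTER: parameterized query and an ownership check in the same statement.

    1. Reject identifiers that are not plain integers (defense in depth; the
       binding below already keeps the value out of the SQL text).
    2. Bind the value; the driver passes it as data, never as SQL.
    3. Put the authorization rule in the WHERE clause so a row that the caller
       does not own is simply not returned, instead of being returned and then
       (maybe) filtered.
    """
    if not doc_id.isdigit():
        return None
    row = conn.execute(
        "SELECT id, owner, title, body FROM documents WHERE id = ? AND owner = ?",
        (int(doc_id), current_user),
    ).fetchone()
    return row


if __name__ == "__main__":
    db = build_db()
    # "1 OR 1=1" is the textbook illustration of a manipulated query: the
    # vulnerable handler returns every row, the hardened one returns nothing.
    print("vulnerable, alice asks for '1 OR 1=1':", get_document_vulnerable(db, "alice", "1 OR 1=1"))
    print("vulnerable, alice asks for bob's doc 2:", get_document_vulnerable(db, "alice", "2"))
    print("hardened,   alice asks for '1 OR 1=1':", get_document_hardened(db, "alice", "1 OR 1=1"))
    print("hardened,   alice asks for bob's doc 2:", get_document_hardened(db, "alice", "2"))
    print("hardened,   alice asks for her doc 1:  ", get_document_hardened(db, "alice", "1"))
```

The ownership check belongs in the query rather than in a later `if`, because a handler that first fetches any row by id and then compares the owner has already read the sensitive data and is one forgotten branch away from returning it.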

Common Web Application Vulnerabilities

Common Web Application Vulnerabilities (contd.)
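The Broken Authentication & Session Management and Cross-Site Request Forgery rows of the OWASP Top 10 table above, as an added example that is not part of the slides: a minimal server-side session store in Python. It shows the three controls those rows call for: a session token the client arrived with is discarded at login and replaced with a fresh one (so a token "forced" on the victim beforehand never becomes an authenticated session), logout invalidates the token server side (so a copy taken earlier stops working), and state-changing requests must carry a per-session CSRF token that a cross-site form cannot know. The SessionStore class and its method names are assumptions for the example, not any framework's API.

```python
import hmac
import secrets
from typing import Dict, Optional


class SessionStore:
    """Server-side session table: token -> {"user": ..., "csrf": ...} (constructed for the example)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def new_anonymous(self) -> str:
        """Issue a pre-login session, e.g. for a shopping cart."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": None, "csrf": secrets.token_urlsafe(32)}
        return token

    def login(self, presented_token: Optional[str], user: str) -> str:
        """Authenticate and ROTATE: never upgrade the token the client presented.

        If an attacker managed to plant that token in the victim's browser
        beforehand, upgrading it would hand the attacker the victim's session.
        """
        if presented_token in self._sessions:
            del self._sessions[presented_token]
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return token

    def logout(self, token: str) -> None:
        """Invalidate server side; clearing the browser cookie alone is not enough."""
        self._sessions.pop(token, None)

    def user_for(self, token: Optional[str]) -> Optional[str]:
        sess = self._sessions.get(token) if token else None
        return sess["user"] if sess else None

    def csrf_token(self, token: str) -> str:
        """Value the server embeds in its own forms for this session."""
        return self._sessions[token]["csrf"]

    def verify_state_change(self, token: Optional[str], submitted_csrf: Optional[str]) -> bool:
        """Gate for any request that changes state (transfer, password change, ...).

        The session cookie is sent automatically by the browser even for a
        request a third-party page triggered, so the cookie alone proves
        nothing about intent; the CSRF token tied to this session must also be
        present and match. compare_digest avoids a timing side channel.
        """
        sess = self._sessions.get(token) if token else None
        if sess is None or sess["user"] is None or submitted_csrf is None:
            return False
        return hmac.compare_digest(sess["csrf"], submitted_csrf)


def fixation_scenario() -> dict:
    """Walk through the 'forced token' case from the table and report what happened."""
    store = SessionStore()
    forced = store.new_anonymous()          # token an attacker could have planted in the victim's browser
    victim_token = store.login(forced, "victim")
    return {
        "forced_token_reused": victim_token == forced,      # must be False
        "forced_token_user": store.user_for(forced),        # must be None
        "victim_user": store.user_for(victim_token),        # "victim"
    }


if __name__ == "__main__":
    print(fixation_scenario())
    store = SessionStore()
    t = store.login(None, "alice")
    print("form with session's own CSRF token:", store.verify_state_change(t, store.csrf_token(t)))
    print("cross-site form (cookie only):     ", store.verify_state_change(t, None))
    store.logout(t)
    print("replayed cookie after logout:      ", store.user_for(t))
```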

Where Do These Problems Exist?
- Type: customer facing services, partner portals, employee intranets
- Source: applications you buy, applications you build internally, applications you outsource

How common are these issues? 80% of websites and applications are vulnerable to these attacks (Watchfire Research).

Motives Behind Application Hacking Incidents Source: Breach/WASC Web Hacking Incident Annual Report

Web Hacking Incidents by Industry

What is the Root Cause?
- Developers not trained in security: most computer science curricula have no security courses
- Under investment from security teams: lack of tools, policies, process, etc.
- Growth in complex, mission critical online applications: online banking, commerce, Web 2.0, etc.
- Number one focus by hackers: 75% of attacks focused on applications (Gartner)
- Result: application security incidents and lost data on the rise

Building Security Into the Development Process
- Define/Design: security requirements, architecture, threat modeling, etc.
- Development: test apps for security issues in development, identifying issues at their earliest point; realize optimum security testing efficiencies (cost reduction)
- Test: test apps for security issues in the QA organization along with performance and functional testing
- Deploy: test apps before going to production; deploy secure web applications
- Production: test existing deployed apps; eliminate security exposure in live applications

Security Testing Within the Software Lifecycle (figure: application security testing maturity across the SDLC, from build and developers through Coding, QA, Security and Production)

Other Vectors for Attack
- Network: cloud, LAN/WAN, network devices
- Database: processed information such as financial data
- People: private information, government's confidential data

Resources
- Sans.org
- Nist.gov

Tools
- Nikto
- Burp
- Zap Proxy
- W3af
- Nmap
- Shodan