Security (Keep your site secure at extension level) Sergey Gorstka Fastw3b.

Slides:

Advertisements

Similar presentations

Nick Feamster CS 6262 Spring 2009

Advertisements

Designed-in Security Some Major Challenges Security Group Department of Computer Science University of California, Santa Barbara Trustworthy.

Managing Information Systems Information Systems Security and Control Part 1 Dr. Stephania Loizidou Himona ACSC 345.

Introduction to PHP Sergey Gorstka Fastw3b. What does PHP stand for? Partnership for Peace People Helping People Power Hybrid Package Hypertext Processor.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.

Security Issues Steve Lovaas, ACNS IAC, 22 April 2008 Colorado State University1.

Computer Security and Penetration Testing

Patching MIT SUS Services IS&T Network Infrastructure Services Team.

BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Lab 3 Cookie Stealing using XSS Kara James, Chelsea Collins, Trevor Norwood, David Johnson.

By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.

Web Security Demystified Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix.

Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.

Drupal Security Securing your Configuration Justin C. Klein Keane University of Pennsylvania School of Arts and Sciences Information Security and Unix.

Prevent Cross-Site Scripting (XSS) attack

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

1-Vulnerabilities 2-Hackers 3-Categories of attacks 4-What a malicious hacker do? 5-Security mechanisms 6-HTTP Web Servers 7-Web applications attacks.

Security testing of study information system Security team: Matis Alliksoo Alo Konno Urmo Lihten Taavi Podzuks Sander Saarm.

© All rights reserved. Zend Technologies, Inc. PHP Security Kevin Schroeder Zend Technologies.

November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University

Discussion Panelists: Justin C. Klein Keane Sr. Information Security Specialist University of Pennsylvania Jonathan Hanny Application Security Specialist.

Configuring Electronic Health Records Privacy and Security in the US Lecture f This material (Comp11_Unit7f) was developed by Oregon Health & Science University,

3-Protecting Systems Dr. John P. Abraham Professor UTPA.

OSI and TCP/IP Models And Some Vulnerabilities AfNOG th May 2011 – 10 th June 2011 Tanzania By Marcus K. G. Adomey.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

1.2 Security. Computer security is a branch of technology known as information security, it is applied to computers and networks. It is used to protect.

Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim

Application Security Testing A practitioner’s rambling advice & musings.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

 Chapter 14 – Security Engineering 1 Chapter 12 Dependability and Security Specification 1.

APPLICATION PENETRATION TESTING Author: Herbert H. Thompson Presentation by: Nancy Cohen.

Security Attacks CS 795. Buffer Overflow Problem Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program.

Input Validation – common associated risks  ______________ user input controls SQL statements ultimately executed by a database server

Building Secure Web Applications With ASP.Net MVC.

Web Security SQL Injection, XSS, CSRF, Parameter Tampering, DoS Attacks, Session Hijacking SoftUni Team Technical Trainers Software University

Web Application Vulnerabilities ECE 4112 Internetwork Security, Spring 2005 Chris Kelly Chris Lewis April 28, 2005 ECE 4112 Internetwork Security, Spring.

Evil Code and how to defend against it CSCI 4300

COMP9321 Web Application Engineering Semester 2, 2015 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 1COMP9321, 15s2, Week.

CS526Topic 12: Web Security (2)1 Information Security CS 526 Topic 9 Web Security Part 2.

Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.

Mr. Justin “JET” Turner CSCI 3000 – Fall 2015 CRN Section A – TR 9:30-10:45 CRN – Section B – TR 5:30-6:45.

Security Attacks CS 795. Buffer Overflow Problem Buffer overflow Analysis of Buffer Overflow Attacks.

Chapter 1 The Software Security Problem. Goals of this course Become aware of common pitfalls. Static Analysis and tools.

What Is XSS ? ! Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to.

EECS 354: Network Security Group Members: Patrick Wong Eric Chan Shira Schneidman Web Attacks Project: Detecting XSS and SQL Injection Vulnerabilities.

Example – SQL Injection MySQL & PHP code: // The next instruction prompts the user is to supply an ID $personID = getIDstringFromUser(); $sqlQuery = "SELECT.

Defending Applications Against Command Insertion Attacks Penn State Web Conference 2003 Arthur C. Jones June 18, 2003.

By Collin Donaldson. Hacking is only legal under the following circumstances: 1.You hack (penetration test) a device/network you own. 2.You gain explicit,

Carrie Estes Collin Donaldson.  Zero day attacks  “zero day”  Web application attacks  Signing up for a class  Hardening the web server  Enhancing.

SECURE DEVELOPMENT. SEI CERT TOP 10 SECURE CODING PRACTICES Validate input Use strict compiler settings and resolve warnings Architect and design for.

Google’s Gruyere1 : An XSS Example Presented by: Terry Gregory

Group 18: Chris Hood Brett Poche

Web Application Security

An Introduction to Web Application Security

Web Application Vulnerabilities, Detection Mechanisms, and Defenses

Security: Exploits & Countermeasures

Security: Exploits & Countermeasures

Example – SQL Injection

Cross-Site Forgery

Riding Someone Else’s Wave with CSRF

Prepared By : Binay Tiwari

INFORMATION SYSTEMS SECURITY and CONTROL

Security: Exploits & Countermeasures

Security: Exploits & Countermeasures

Security: Exploits & Countermeasures

Security: Attacks & Countermeasures

Presentation transcript:

Security (Keep your site secure at extension level) Sergey Gorstka Fastw3b

What is security? Security is the degree of protection against danger, damage, loss, and crime. Security as a form of protection are structures and processes that provide or improve security as a condition. Computer security is a branch of computer technology known as Information Security as applied to computers and networks. The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to remain accessible and productive to its intended users. Application security encompasses measures taken throughout the application's life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance of the application.

Security Concepts Assurance Countermeasure Defense in depth Exploit Risk Threat Vulnerability

Methodology Knowing your threats. Securing the network, host and application. Incorporating security into your software development process.

Top 5 Extensions Vulnerabilities Cross-site scripting (XSS) attacks. SQL injection Cross-site Request Forgery (XSRF) File inclusion PHP file upload

How to keep your extension secure Process (secure) the input Cast the types Use tokens TEST! TEST! TEST!

General Security Notes Validate input boxes Check HTML editors Hide/remove release notes Use SEF links Set server settings Set file permissions

Choosing secure extension How complex is the extension? Does the extension read or write files to your server? Does the extension interact with other programs on your system? Does the extension validate all user input, such as in form fields and in the URL? When was the last version released? What kind of release is it? (Stable, Release Candidate (RC), Beta, Alpha) Does the extension have a history of good security practices? Is there a support community for this extension? Is the extension generally bug free?

Thank you for your attention! Special thanks to Fastw3b team You can always reach me at Please send your questions/comments/ideas!