A snapshot into current Web Application vulnerabilities

Presentation on theme: "A snapshot into current Web Application vulnerabilities"— Presentation transcript:

1 A snapshot into current Web Application vulnerabilities

2 Willem Mouton willemm@senseofsecurity.com.au @w_m__
Introduction Willem

3 Why we like numbers (and WebApps)
Unpacking the numbers Digging a bit deeper Dealing with the root cause Closing thoughts Q&A

4 Why we like numbers (and WebApps)
Improves our internal processes and quality Provides (somewhat of) a measurement against industry Helps answer some of your most burning questions

5 Unpacking the numbers

6 Unpacking the numbers Data collected from 175 reports reviewed*
3670 findings analysed** Average of 21 findings per report Roughly 40% of our projects

7 Unpacking the numbers Sense of Security Risk Matrix

8 Unpacking the numbers Top 10 issues identified in 2018
(irrespective of risk level)

9 Unpacking the numbers Top 10 issues identified in 2018
(irrespective of risk level) We’ll get back to these

10 Unpacking the numbers SOS Top 10 categories vs OWASP Top 10
(and why they differ on paper)

11 Unpacking the numbers Large vs Small (on average across all reports)

12 Unpacking the numbers Private sector vs Government
(on average across all reports)

13 Digging deeper

14 Digging deeper Data validation remains a massive problem SQL Injection
11% of all applications tested had at least one instance 20-year-old technique Fully industrialised attacks Widely used in breaches Noisy but low detection rate
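The slide's "data validation" point, as an added example (not code from the presentation or from Sense of Security): the same lookup written the way that produces the finding, beside the parameterised form that removes it, plus an allow-list check as the validation layer in front of the query. The in-memory table, the column names and the username policy are constructed for the example.

```python
import re
import sqlite3

# Hypothetical username policy used as an allow-list (first layer of data validation).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def make_db():
    """Constructed in-memory user table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, is_admin) VALUES (?, ?)",
        [("alice", 0), ("bob", 0), ("admin", 1)],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The 'before': the value is spliced into the SQL text, so it can change the query's grammar."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterised(conn, username):
    """The fix: the value travels as a bound parameter and is only ever treated as data."""
    return [
        row[0]
        for row in conn.execute(
            "SELECT username FROM users WHERE username = ?", (username,)
        )
    ]


def validate_username(username):
    """Allow-list validation: defence in depth in front of the query, not a substitute for binding."""
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # textbook tautology, used only to show the behavioural difference
    print("vulnerable:   ", lookup_vulnerable(db, probe))     # every row comes back
    print("parameterised:", lookup_parameterised(db, probe))  # no user has that literal name
    print("validated:    ", validate_username(probe))          # rejected before any query runs
```

The parameterised query is the control that closes the finding; the allow-list is what the slide calls data validation and catches bad input earlier, but on its own it is easy to get wrong (free-text fields cannot be allow-listed this tightly), which is why both belong in the fix.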

19 Digging deeper Data validation remains a massive problem
Cross-Site Scripting 31% of all applications tested had at least one instance More complicated, but can be more damaging
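The reason the slide calls Cross-Site Scripting "more complicated" is that the correct encoding depends on where in the page the value lands. Added example (not from the presentation): one untrusted value rendered into HTML text, an HTML attribute and a JavaScript string, each with the encoding that context needs, beside the concatenation that produces the finding. The page fragments and the field name are constructed.

```python
import html
import json


def render_vulnerable(name):
    """The 'before': untrusted input concatenated straight into the HTML response."""
    return "<p>Welcome back, " + name + "</p>"


def render_html_text(name):
    """HTML body context: escape &, <, > and quotes so the value renders as text."""
    return "<p>Welcome back, " + html.escape(name, quote=True) + "</p>"


def render_html_attribute(name):
    """Attribute context: the same escaping, and the attribute value must be quoted."""
    return (
        '<input type="text" name="display_name" value="'
        + html.escape(name, quote=True)
        + '">'
    )


def js_string_literal(value):
    """JavaScript string context: JSON-encode, then hex-escape the characters that could
    close the <script> element or break out of the literal. Still valid JSON afterwards."""
    encoded = json.dumps(value)
    return (
        encoded.replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def render_js_string(name):
    """Embed the value in an inline script block using the JS-string encoding above."""
    return "<script>var displayName = " + js_string_literal(name) + ";</script>"


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"
    for renderer in (render_vulnerable, render_html_text, render_html_attribute, render_js_string):
        print(renderer.__name__, "->", renderer(probe))
```

Using the HTML-text encoder for a value dropped inside a script block is the usual mistake: `html.escape` leaves `</` intact for the HTML parser, which ends the script element before the JavaScript parser ever sees the string. A template engine with auto-escaping handles the first two contexts; the script-block case still has to be done deliberately.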

21 Digging deeper The forgotten software stack
Components with known vulnerabilities 31% of all applications tested had outdated components Mostly ignored Hosting on 3rd-party CDN providers Poor internal management of code dependencies
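The "poor internal management of code dependencies" bullet is the easiest of the Top 10 to automate away. Added example (not from the presentation): a pinned-version manifest is parsed and compared against an advisory feed, reporting every component pinned below the version the advisory says fixes it. The manifest, the advisory entries and their `ADVISORY-PLACEHOLDER-n` identifiers are constructed; a real check would read a vulnerability database feed instead of the inline list.

```python
import re

# Constructed pin list in requirements.txt style (not from the presentation).
SAMPLE_MANIFEST = """\
# front-end and helper libraries bundled with the application
jquery==1.12.4
lodash==4.17.21
bootstrap==3.3.7
"""

# Constructed advisory feed with placeholder identifiers.
SAMPLE_ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "package": "jquery", "fixed_in": "3.5.0"},
    {"id": "ADVISORY-PLACEHOLDER-2", "package": "lodash", "fixed_in": "4.17.21"},
    {"id": "ADVISORY-PLACEHOLDER-3", "package": "bootstrap", "fixed_in": "4.3.1"},
]

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)\s*$")


def parse_version(text):
    """Dotted numeric version to a tuple so that 1.12.4 < 3.5.0 compares correctly."""
    return tuple(int(part) for part in text.split("."))


def parse_manifest(text):
    """Return {package (lower-case): pinned version} from 'name==version' lines."""
    pins = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = PIN_RE.match(line)
        if match:
            pins[match.group(1).lower()] = match.group(2)
    return pins


def find_outdated(pins, advisories):
    """List every pinned component whose version is below an advisory's fixed_in version."""
    hits = []
    for adv in advisories:
        pinned = pins.get(adv["package"].lower())
        if pinned is None:
            continue
        if parse_version(pinned) < parse_version(adv["fixed_in"]):
            hits.append(
                {
                    "package": adv["package"],
                    "pinned": pinned,
                    "fixed_in": adv["fixed_in"],
                    "advisory": adv["id"],
                }
            )
    return hits


if __name__ == "__main__":
    for hit in find_outdated(parse_manifest(SAMPLE_MANIFEST), SAMPLE_ADVISORIES):
        print(f"{hit['package']} {hit['pinned']} < {hit['fixed_in']}  ({hit['advisory']})")
```

Run this in CI against the real lockfile and fail the build on any hit; that turns the "mostly ignored" finding into a gate. Libraries pulled straight from a CDN never appear in the manifest at all, which is the other half of the slide's point: if it is not declared, nothing is checking it.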

24 Digging deeper 88% of all applications tested had SSL/TLS issues
Certificate issues Protocol issues Cipher / Configuration issues Known attacks Standardisation lacking

25 Digging deeper Some honourable mentions
XML external entity vulnerabilities Serialization issues Server-side request forgery (SSRF)

26 Root cause Configuration Design Implementation

28 A quick segue Consider the ecosystem your web application lives in
Most common attack actively being used Credential stuffing Known breaches (Don’t be (in) one of them) #ShamelessPromotions Our Whitepaper on External Network Pentesting
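Credential stuffing leaves a recognisable shape in authentication logs: one source trying many different accounts with a high failure rate. Added example (not from the presentation or the whitepaper it mentions): a small detector over constructed `key=value` login records that groups attempts per source, flags sources matching that shape, and reports which accounts logged in successfully from them, since those are the credentials to reset. The log format, the thresholds and the addresses (taken from the documentation ranges) are all constructed.

```python
from collections import defaultdict

# Constructed authentication log (not real data); 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges.
SAMPLE_LOG = """\
2018-06-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2018-06-01T10:00:01Z src=203.0.113.5 user=bob result=FAIL
2018-06-01T10:00:02Z src=203.0.113.5 user=carol result=FAIL
2018-06-01T10:00:02Z src=203.0.113.5 user=dave result=SUCCESS
2018-06-01T10:00:03Z src=203.0.113.5 user=erin result=FAIL
2018-06-01T10:00:03Z src=203.0.113.5 user=frank result=FAIL
2018-06-01T10:00:10Z src=198.51.100.7 user=alice result=FAIL
2018-06-01T10:00:15Z src=198.51.100.7 user=alice result=SUCCESS
"""


def parse_line(line):
    """Parse one 'ts key=value key=value' line into a dict."""
    fields = line.split()
    record = {"ts": fields[0]}
    for field in fields[1:]:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def summarise_by_source(log_text):
    """Per source address: attempts, distinct accounts, failures, and accounts that succeeded."""
    stats = defaultdict(
        lambda: {"attempts": 0, "users": set(), "failures": 0, "successes": set()}
    )
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        entry = stats[rec["src"]]
        entry["attempts"] += 1
        entry["users"].add(rec["user"])
        if rec["result"] == "FAIL":
            entry["failures"] += 1
        else:
            entry["successes"].add(rec["user"])
    return stats


def flag_stuffing(stats, min_attempts=5, min_distinct_users=5, min_failure_ratio=0.6):
    """Return {source: sorted accounts that succeeded} for sources that look like stuffing:
    many distinct usernames, mostly failing, from a single address. Thresholds are hypothetical."""
    flagged = {}
    for src, entry in stats.items():
        if entry["attempts"] < min_attempts or len(entry["users"]) < min_distinct_users:
            continue
        if entry["failures"] / entry["attempts"] < min_failure_ratio:
            continue
        flagged[src] = sorted(entry["successes"])
    return flagged


if __name__ == "__main__":
    for src, accounts in flag_stuffing(summarise_by_source(SAMPLE_LOG)).items():
        print(f"{src}: stuffing pattern; successful logins to reset: {accounts}")
```

The per-source grouping is the simplest signal and is what a single noisy source trips; a campaign spread over a proxy pool keeps each address under the thresholds, so the same counters are also worth tracking for the site as a whole (overall failure ratio, share of usernames that do not exist) rather than per address only.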

30 Closing thoughts

31 Closing thoughts Changing next year's report
Security from design to … to BAU Consider all vulnerabilities Create development / deployment standards for your organisation Automation is key, but don’t forget the manual work Use industry guidelines, OWASP ASVS is great Training

33 Questions?

34 A snapshot into current Web Application vulnerabilities
