Web Security Common security threats and hacking.


1 Web Security Common security threats and hacking

2 The OWASP Foundation http://www.owasp.org. Nahidul Kibria: Co-Leader, OWASP Bangladesh; Senior Software Engineer, KAZ Software Ltd. Twitter: @nahidupa. Writing code for fun and food, and a security enthusiast.

3 The OWASP Foundation http://www.owasp.org. Shahee Mirza: Certified Ethical Hacker (C|EH); Microsoft Certified Systems Administrator; Information Security Consultant, Nexus IT Zone. http://www.shaheemirza.com FB: shaheemirza, Twitter: @shaheemirza

4 Why should we care?

6 Most sites are not secure! Attackers can access unauthorized data! They use your web site to attack your users!

7 Historically the web wasn't designed to be secure: it was built for static, read-only pages, with almost no intrinsic security; a few security features were "bolted on" later.

8 What does that mean? Cookie-based sessions can be hijacked; there is no separation of logic and data; no client-supplied data can be trusted.

9 The vast majority of web applications have serious security vulnerabilities! Most developers are not aware of the issues.

12 Web application threat surface: XSS, CSRF, clickjacking, parameter tampering/sniffing, forged tokens, directory traversal, direct object reference, SQL injection, XML injection.
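The two points the slides make, "no separation of logic and data" and "no client-supplied data can be trusted", are what make SQL injection possible, and the fix is to restore that separation. The example below is added here and is not code from the presentation or from OWASP; the table, the user rows and the crafted input are constructed for illustration. It places a string-spliced query beside a parameterized one, and adds allow-list validation at the trust boundary as an independent second layer.

```python
import re
import sqlite3


def make_sample_db():
    """Constructed in-memory sample database (not from the presentation)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "user"), ("bob", "user"), ("root", "admin")],
    )
    return conn


def lookup_role_unsafe(conn, username):
    """Logic and data mixed: the client string is spliced into the SQL text,
    so it can change what the query does, not only what it matches."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_role_safe(conn, username):
    """Logic and data separated: the SQL text is fixed and the client string
    is bound as a parameter, so the database only ever treats it as a value."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allow-list for what a username is permitted to look like (hypothetical policy).
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def is_valid_username(value):
    """Validate client-supplied data at the trust boundary before using it."""
    return bool(USERNAME_RE.match(value))


def lookup_role_defended(conn, username):
    """Validation first, then a parameterized query: two independent layers,
    so a gap in one does not by itself expose the data."""
    if not is_valid_username(username):
        return []  # reject outright rather than trying to "clean" the input
    return lookup_role_safe(conn, username)


if __name__ == "__main__":
    db = make_sample_db()
    crafted = "' OR '1'='1"  # constructed untrusted input for the demonstration
    print("unsafe:   ", lookup_role_unsafe(db, crafted))   # every row leaks
    print("safe:     ", lookup_role_safe(db, crafted))     # no row matches
    print("defended: ", lookup_role_defended(db, "alice"))
```

With the crafted string, the spliced query returns all three rows because the input became part of the WHERE logic; the parameterized query returns nothing because the same string was compared as a literal username; the defended path never reaches the database at all. Parameterization is the fix for the injection itself; validation narrows what reaches any downstream component and gives you a clean place to log and alert on rejected input.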

13 Ajax, Flash, Silverlight, applets: the attack surface is growing!

14 Some incident examples

15 INSECURE-Mag-31 http://www.dnaindia.com/mumbai/report_cyber-crime-costs-india-rs34110-crore-per-year_1588917 Study: global cybercrime costs more than illegal drugs. Global drug trade: about $288 billion.

16 A common question: "I'm innocent, why would I be a target? I don't have any sensitive data. I don't even serve any important data. I have no enemies."

17 The answer: you have resources, maybe a multi-core processor, bandwidth. Attackers weaponize your PC to attack others or use your resources, turning your PC into a zombie.

18 Botnets, just in brief

19 This is a problem

20 Network security and others

21 But developers

23 Quick Resource Guide

24 About OWASP: OWASP's mission is "to make application security visible, so that people and organizations can make informed decisions about true application". Attackers do not use black art to exploit your application.

25 220 chapters

26 The OWASP Foundation http://www.owasp.org. OWASP Bangladesh Chapter: a Bangladeshi community of security professionals; globally recognized; open for all; free for all. What do we have to offer? Monthly meetings, a mailing list, presentations and groups, open forums for discussion, vendor-neutral environments.

27 OWASP Top 10 Web Application Security Risks (2010 Edition) http://www.owasp.org/index.php/Top_10

28 Application developers: new attack/defense guidelines; cheat sheets; WebGoat, an emulator designed to teach web application security lessons.

29 The OWASP Enterprise Security API (diagram): a custom enterprise web application calls the Enterprise Security API (Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration), which in turn wraps existing enterprise security services and libraries.

30 Application testers and quality assurance: tools; the Testing Guide (for pentesters); the Application Security Verification Standard project.

31 OWASP ZAP Proxy / WebScarab

32 OWASP CSRFTester

33 Application project management and staff: define the process; SDLC; code review.

34 OWASP Code Review Project. Code review tools: http://codecrawler.codeplex.com/Release/ProjectReleases.aspx and http://orizon.sourceforge.net

35 OWASP Testing Framework
4.2 Information Gathering
4.3 Configuration Management Testing
4.4 Business Logic Testing
4.5 Authentication Testing
4.6 Authorization Testing
4.7 Session Management Testing
4.8 Data Validation Testing
4.9 Testing for Denial of Service
4.10 Web Services Testing
4.11 Ajax Testing
http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents

36 Myth: "The developer will provide me with a secure solution without me asking."

37 Download: get the OWASP books

38 Coolest Jobs in Information Security
#1 Information Security Crime Investigator/Forensics Expert
#2 System, Network, and/or Web Penetration Tester
#3 Forensic Analyst
#4 Incident Responder
#5 Security Architect
#6 Malware Analyst
#7 Network Security Engineer
#8 Security Analyst
#9 Computer Crime Investigator
#10 CISO/ISO or Director of Security
#11 Application Penetration Tester
#12 Security Operations Center Analyst
#13 Prosecutor Specializing in Information Security Crime
#14 Technical Director and Deputy CISO
#15 Intrusion Analyst
#16 Vulnerability Researcher/Exploit Developer
#17 Security Auditor
#18 Security-savvy Software Developer
#19 Security Maven in an Application Developer Organization
#20 Disaster Recovery/Business Continuity Analyst/Manager

39 Subscribe to the mailing list: https://www.owasp.org/index.php/Bangladesh https://www.facebook.com/OWASP.Bangladesh Keep up to date! Twitter: @nahidupa, @owaspbangladesh

