Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Web Hacking Incident Database (WHID) Report for 2010 Ryan Barnett WASC WHID Project Leader Senior Security Researcher.

Published byRandell Mitchell Modified over 9 years ago

Similar presentations

Presentation on theme: "The Web Hacking Incident Database (WHID) Report for 2010 Ryan Barnett WASC WHID Project Leader Senior Security Researcher."— Presentation transcript:

1 The Web Hacking Incident Database (WHID) Report for 2010 Ryan Barnett WASC WHID Project Leader Senior Security Researcher

2 Ryan Barnett - Background Trustwave SpiderLabs Research Team Web application firewall research/development ModSecurity Community Manager Interface with the community on public mail-list Steer the internal development of ModSecurity Author “Preventing Web Attacks with Apache”

3 Community Projects Open Web Application Security Project (OWASP) Project Leader, ModSecurity Core Rule Set Project Contributor, OWASP Top 10 Project Contributor, AppSensor Web Application Security Consortium (WASC) Project Leader, Web Hacking Incident Database Project Leader, Distributed Web Honeypots Project Contributor, Web Application Firewall Evaluation Criteria Project Contributor, Threat Classification The SANS Institute Courseware Developer/Certified Instructor Project Contributor, CWE/SANS Top 25 Worst Programming Errors

4 Session Outline OWASP Risk Rating Methodology The Challenge of Risk Analysis for Web Applications WASC Web Hacking Incident Database (WHID) Overview 2010 Status Report Top Trends Comparing the OWASP Top 10 vs. the WHID Top 10

5 OWASP Risk Rating Methodology #Step 1: Identifying a Risk #Step 2: Factors for Estimating Likelihood #Step 3: Factors for Estimating Impact #Step 4: Determining Severity of the Risk #Step 5: Deciding What to Fix #Step 6: Customizing Your Risk Rating Model http://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology

6 OWASP Risk Rating Methodology

7 The Challenge of Risk Analysis for Web Applications: Analyzing Public Incidents

8 Risk Rating Problem Instead of being concerned about what CAN happen (theoretical scenarios), perhaps we should first be dealing with what IS happening (analysis of real-world web compromises)…

9 Publicly Quantifying Web Incidents is Challenging Incidents are not detected ~156 day lapse between compromise and detection* Vast majority of cases the merchant did not identify the intrusion – a 3rd party did based on fraud detection (card brands and banks)* Logging Issues - poor logging and/or no one reviewing them for signs of compromise https://www.trustwave.com/downloads/whitepapers/Trustwave_WP_Global_Security_Report_2010.pdf

10

11 Publicly Quantifying Web Incidents is Challenging Victims hide breaches Defacement (visible) and information leakage (regulated) are publicized more than other breaches Example - Banks are not forced to disclose when individual customer funds are stolen

12 Web Hacking Incident Database (WHID)

13 WASC Web Hacking Incident Database (WHID) http://projects.webappsec.org/Web-Hacking-Incident-Database

14 Tracking Public Web Compromises

15 WHID Goals Raise awareness of real-world, web application security incidents Provide data for the following Risk Rating steps: #Step 2: Factors for Estimating Likelihood What application weaknesses are actively being targeted? #Step 3: Factors for Estimating Impact What outcome are you worried about? #Step 5: Deciding What to Fix Prioritized listing of remediation issues #Step 6: Customizing Your Risk Rating Model Customized view based on your vertical-market

16 WHID Data Data Samples (statistically insignificant) Focus on % rather than raw numbers Inclusion Criteria Only publicly disclosed, web related incidents Incidents of interest Defacements of “High Profile” sites are included Ensure quality and correctness of incidents Severely limits the number of incidents that get in

17 WHID Data: Community Submittal Form Community incident submission leverages crowdsourcing Project team validation ensures quality http://projects.webappsec.org/Web-Hacking-Incident-Database#SubmitanIncident

18 WHID Database Content ~216 incidents for 2010 Incidents since 1999 Each incident is classified Attack type Application Weakness Outcome Country of organization attacked Industry segment of organization attacked Country of origin of the attack (if known) Vulnerable Software Additional information: A unique identifier: WHID 200x-yy Dates of occurrence and reporting Description Internet references

19 Real-Time Statistics http://projects.webappsec.org/Web-Hacking-Incident-Database Browse real-time data Drill down in to incident details Pivot on key variables (year/vertical market)

20 Real-time, Searchable DB WHID data is available year-round Useful for application developers and researchers Search by Attack method Outcome Source geography and many more… http://projects.webappsec.org/Web-Hacking-Incident-Database#SearchtheWHIDDatabase

21 Geographic Views

22 Monitoring WHID Updates http://projects.webappsec.org/Web-Hacking-Incident- Database#RSSFeed @wascwhid

23 WHID 2010 Status Report

24 What Vertical Markets are Attacked Most Often?

25 What are the Goals for Web Hacking?

26 What Attack Methods do Hackers Use?

27 Which Application Weaknesses are Exploited?

28 Top Trends

29 Denial of Service

30 Banking Trojans

31 #Step 5: Deciding What to Fix Prioritized listing of remediation issues

32 OWASP vs. WHID Top 10 OWASP Top 10WHID Top 10 1InjectionInsufficient Anti-Automation (Brute Force and DoS) 2Cross-site Scripting (XSS) Improper Output Handling (XSS and Planting of Malware) 3 Broken Authentication and Session Management Improper Input Handling (SQL Injection) 4Insecure Direct Object Reference Insufficient Authentication (Stolen Credentials/Banking Trojans) 5CSRF Application Misconfiguration (Detailed error messages) 6Security Misconfiguration Insufficient Process Validation (CSRF and DNS Hijacking) 7Insecure Cryptographic Storage Insufficient Authorization (Predictable Resource Location/Forceful Browsing) 8Failure to Restrict URL AccessAbuse of Functionality (CSRF/Click-Fraud) 9Insecure Transport Layer ProtectionInsufficient Password Recovery (Brute Force) 1010 Unvalidated Redirects and ForwardsImproper Filesystem Permissions (info Leakages)

33 Questions? WASC WHID Project Site http://projects.webappsec.org/w/page/W eb-Hacking-Incident-Database Email – Ryan.Barnett@owasp.orgRyan.Barnett@owasp.org Twitter - @ryancbarnett

Download ppt "The Web Hacking Incident Database (WHID) Report for 2010 Ryan Barnett WASC WHID Project Leader Senior Security Researcher."

Similar presentations

Webgoat.

Webgoat.
Incident Handling & Log Analysis in a Web Driven World Manindra Kishore.

Incident Handling & Log Analysis in a Web Driven World Manindra Kishore.
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Security on Web 2.0 Krasznay Csaba. Google Search Trends.

Security on Web 2.0 Krasznay Csaba. Google Search Trends.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Introduction to Web Application Security

Introduction to Web Application Security
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
SiteLock Internet Security: Big Threats for Small Business.

SiteLock Internet Security: Big Threats for Small Business.
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions 631-692-5175 Steve Katz, CISSP Security.

The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions Steve Katz, CISSP Security.
By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.

By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.
Web Security Demystified Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix.

Web Security Demystified Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix.
Evolving Threats. Application Security - Understanding the Problem DesktopTransportNetworkWeb Applications Antivirus Protection Encryption (SSL) Firewalls.

Evolving Threats. Application Security - Understanding the Problem DesktopTransportNetworkWeb Applications Antivirus Protection Encryption (SSL) Firewalls.
Securing Information Systems

Securing Information Systems

Similar presentations

Ads by Google