Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Application Security Implementation - © 2007 GIAC Web Application Security Implementation SANS MSISE GDWP Kevin Bong John Brozycki July 26, 2007.

Published byDwain Parker Modified over 9 years ago

Similar presentations

Presentation on theme: "Web Application Security Implementation - © 2007 GIAC Web Application Security Implementation SANS MSISE GDWP Kevin Bong John Brozycki July 26, 2007."— Presentation transcript:

1 Web Application Security Implementation - © 2007 GIAC Web Application Security Implementation SANS MSISE GDWP Kevin Bong John Brozycki July 26, 2007

2 Web Application Security Implementation - © 2007 GIAC Introduction Website vulnerability used to copy customer data to foreign host. Senior management to acquire services of penetration team. Not available for immediate needs. Post incident,we are tasked with creation of a web application security assessment program, to implement within a few days.

3 Web Application Security Implementation - © 2007 GIAC Web Assessment Process Inventory Automated Vulnerability Scan Manual Web Server Audit Manual Web Application Audit Conduct Interviews Report Findings

4 Web Application Security Implementation - © 2007 GIAC Web Service Inventory Need to know what is legitimate and necessary. (Programs, services, ports) Need to know where the data lives and how it is accessed. Rate assets (web servers/services) to focus resources and set priorities.

5 Web Application Security Implementation - © 2007 GIAC Performing Automated Scans Verify the inventory by confirming the existence of services. Identify additional, unneeded processes and check for common vulnerabilities and misconfigurations for both the necessary and unnecessary processes and services. Quickly identify the low hanging fruit.

6 Web Application Security Implementation - © 2007 GIAC Manual Audit of Web Server Security Review if best practices are followed –Is defense in depth employed? –Configuration of web server and web development frameworks –User and service accounts and rights –Error messages, other information leakage –Do log files store appropriate information? Review change processes for ports and services through interviews

7 Web Application Security Implementation - © 2007 GIAC Manual Audit of Web Applications Based on inventory, focus on potentially vulnerable code Specific tests to be performed against each dynamic page Interview developers to determine if processes prevent new vulnerabilities

8 Web Application Security Implementation - © 2007 GIAC Deliverables for the Senior Management Team Reports and recommendations delivered within days. Results of inventory, scans, and manual audits used to provide action items that can be given to implementation team. Additional recommendations from tiger team to management to minimize reoccurrences.

Download ppt "Web Application Security Implementation - © 2007 GIAC Web Application Security Implementation SANS MSISE GDWP Kevin Bong John Brozycki July 26, 2007."

Similar presentations

Agile Software Distribution

Agile Software Distribution
Overview and Demonstration of declarative workflows in SharePoint using Microsoft SharePoint Designer 2007 Kevin Hughes MCT, MCITP, MCSA, MCTS, MCP, Network+,

Overview and Demonstration of declarative workflows in SharePoint using Microsoft SharePoint Designer 2007 Kevin Hughes MCT, MCITP, MCSA, MCTS, MCP, Network+,
1 SANS Technology Institute - Candidate for Master of Science Degree 1 Automating Crosswalk between SP 800, 20 Critical Controls, and Australian Government.

1 SANS Technology Institute - Candidate for Master of Science Degree 1 Automating Crosswalk between SP 800, 20 Critical Controls, and Australian Government.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
NERC Security Requirements – What Vendors Should Provide James W. Sample, CISSP, CISM Manager of Information Security California ISO.

NERC Security Requirements – What Vendors Should Provide James W. Sample, CISSP, CISM Manager of Information Security California ISO.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
ITS Customer Work Request & Triage Process. Work Request & Triage Process – what is it? Some new terminology: Work Request: A request for support from.

ITS Customer Work Request & Triage Process. Work Request & Triage Process – what is it? Some new terminology: Work Request: A request for support from.
Presented by: Virginia Hendricks Information Audit.

Presented by: Virginia Hendricks Information Audit.
The Islamic University of Gaza

The Islamic University of Gaza
Hands-On Ethical Hacking and Network Defense

Hands-On Ethical Hacking and Network Defense
Copyright © 2009 Rolta International, Inc., All Rights Reserved a c c e l R12™ Upgrade Approach.

Copyright © 2009 Rolta International, Inc., All Rights Reserved a c c e l R12™ Upgrade Approach.
1 USAID/Peru Risk Assessment In-Briefing February 19, 1999 PRIME Principal Resource for Information Management Enterprise-wide USAID PRIME.

1 USAID/Peru Risk Assessment In-Briefing February 19, 1999 PRIME Principal Resource for Information Management Enterprise-wide USAID PRIME.
Installing and Configuring a Secure Web Server COEN 351 David Papay.

Installing and Configuring a Secure Web Server COEN 351 David Papay.
Chapter 17 Acquiring and Implementing Accounting Information Systems

Chapter 17 Acquiring and Implementing Accounting Information Systems
Web Application Security Assessment and Vulnerability Assessment.

Web Application Security Assessment and Vulnerability Assessment.
Incident Response Updated 03/20/2015

Incident Response Updated 03/20/2015
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
PRIME Principal Resource for Information Management Enterprise-wide USAID PRIME 1 USAID/Peru Risk Assessment In-Briefing February 19, 1999 PRIME Principal.

PRIME Principal Resource for Information Management Enterprise-wide USAID PRIME 1 USAID/Peru Risk Assessment In-Briefing February 19, 1999 PRIME Principal.
Module 9 Configuring Server Security Compliance. Module Overview Securing a Windows Infrastructure Overview of EFS Configuring an Audit Policy Overview.

Module 9 Configuring Server Security Compliance. Module Overview Securing a Windows Infrastructure Overview of EFS Configuring an Audit Policy Overview.
Www.TASK.to GOOGLE HACKING FOR PENETRATION TESTERS Chris Chromiak SentryMetrics March 27 th, 2007.

GOOGLE HACKING FOR PENETRATION TESTERS Chris Chromiak SentryMetrics March 27 th, 2007.

Similar presentations

Ads by Google