
Slide 1: In the Line of Fire: Defending Highly Visible Targets
Jeremy Poteet, CISSP, Chief Security Officer, appDefense (jpoteet@appdefense.com, 636.294.2774)
OWASP AppSec DC, October 2005, http://www.owasp.org/
Copyright © 2005 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.

Slide 2: Introduction
- What is a highly visible application?
- Begin at the beginning
- Stories from the trenches
- Hope - it can be done
- OWASP

Slide 3: You might be a highly visible site if …
- … the press shows up for the deployment of your app
- … any error message shows up in hundreds of blogs
- … you can't count the number of sites whose sole purpose is to list attack plans and provide tools for breaking into your application
- … every hacker, security wannabe and activist would love to use your site to make a statement
- … CNN displays when your site is sluggish on their ticker tape

Slide 4: What makes a highly visible site
- Crown jewels
- Money
- Data
- Notoriety
- What it represents
- Making a statement
- Users + focus

Slide 5: Signature of a highly visible site
- Complex systems
- Multiples: technologies, developers, servers, applications
- Highly volatile
- Something to lose

Slide 6: Highly visible is the same
- Still web applications
- Same issues still apply
- In an ideal world, it doesn't matter
- Applications don't always start as highly visible
- Best practices still apply

Slide 7: Highly visible is different
- Time to impact
- Coordination
- Number of cooks
- External visibility
- Cascading

Slide 8: Begin at the beginning
- Learn from the past
- Only as strong as the foundation
- Know what is expected
- Information is your best friend
- Prepare for failure

Slide 9: Dealing with application complexity
- Team-based system
- Geographic systems
- Custom PDF generation
- File upload and downloads
- Memory leak, scalability or DoS?
- Powerful apps = high promotion
- Quick resolution to issues

Slide 10: The debates
- Highest volume
- Visibility: outward - press; outward - voters; inward - staff
- Large volume of data
- Real-time responses
- Debate timeline changes

Slide 11: Walling off failure
- Isolating systems from impacting each other
- Database segregation
- Application separation
- Access toggling
- Additional monitoring
- Scalability

Slide 12: Volume of attacks
- High-volume usage goes with high-volume attacks
- Cover
- Visibility
- Assist in attacks
- Convention / debate / elections
- Maximum impact

Slide 13: Caching
- Minimize data access and processing
- Bleed over
- Client vs. server
- Shifting of responsibility
- Level of control

Slide 14: Complete architecture shift
- Rapid switch
- Rules reset
- Configure rather than recode
- Assume nothing
- Contingency plan

Slide 15: Perception
- Worst-case scenario
- Rising visibility
- Increased and focused attacks
- Gut check
- Perception is everything

Slide 16: No site is an island
- Branding
- Integrated tools
- Integrated sites
- Feeds
- Applications are wide-ranging
- Perception and reality must meet

Slide 17: Beneath the noise
- Constant attacks
- High-volume pages
- Concentrated volume
- Sub-pages - understanding how the application functions
- Coordinated attacks

Slide 18: Out of your control
- Emails from the application systematically spammed
- Data is the system
- Pandora's box
- Containment
- Damage control

Slide 19: Data mines
- Elaborate system of mines
- Access
- Mechanism used
- Timestamp
- Monitoring
- Tracking
- Allows the weak link to be located quickly
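One way to implement the data-mine idea from this slide, as an added example that is not code from the presentation: plant one unique marker (here an e-mail address) per data-access mechanism, watch inbound mail logs for any marker surfacing, and report the mechanism whose marker leaked first. The marker format, the key, the mechanism names and the log line are all constructed for the demo.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed demo key; a real deployment would load it from a secret store.
MINE_KEY = b"constructed-demo-key"


def make_marker(mechanism: str, subject: str) -> str:
    """Derive a unique e-mail marker bound to one access mechanism (hypothetical format)."""
    tag = hmac.new(MINE_KEY, f"{mechanism}|{subject}".encode(), hashlib.sha256).hexdigest()[:12]
    return f"mine-{tag}@example.test"


class MineField:
    """Plants one marker per mechanism and records where and when each marker surfaces."""

    def __init__(self):
        self.mines = {}  # marker -> {"mechanism", "subject", "planted", "hits": [(when, source)]}

    def plant(self, mechanism: str, subject: str, when: datetime) -> str:
        marker = make_marker(mechanism, subject)
        self.mines[marker] = {"mechanism": mechanism, "subject": subject, "planted": when, "hits": []}
        return marker

    def observe(self, text: str, source: str, when: datetime) -> list:
        """Scan observed text (e.g. an inbound mail log line) for planted markers."""
        hits = [m for m in self.mines if m in text]
        for m in hits:
            self.mines[m]["hits"].append((when, source))
        return hits

    def weakest_link(self):
        """Mechanism whose marker surfaced first, or None if nothing has leaked yet."""
        earliest = None
        for rec in self.mines.values():
            for when, source in rec["hits"]:
                if earliest is None or when < earliest[0]:
                    earliest = (when, rec["mechanism"], source)
        if earliest is None:
            return None
        return {"mechanism": earliest[1], "first_seen": earliest[0], "source": earliest[2]}


def demo():
    field = MineField()
    t0 = datetime(2005, 10, 1, tzinfo=timezone.utc)
    for mech in ("volunteer_export", "partner_feed", "press_list"):  # constructed mechanisms
        field.plant(mech, "rcpt", t0)
    leaked = make_marker("partner_feed", "rcpt")
    # Constructed mail-gateway log line showing the partner_feed marker receiving spam.
    line = f"2005-10-03T08:15:00Z inbound from=bulk@spam.test to={leaked} action=reject"
    field.observe(line, "mail-gateway", datetime(2005, 10, 3, 8, 15, tzinfo=timezone.utc))
    return field.weakest_link()
```

Each mechanism gets its own marker, so a spammed address identifies the leaking channel without guessing; the timestamp of the first hit narrows down when the leak happened.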

Slide 20: Hope - it can be done
- No silver bullet
- Requires creativity, commitment, diligence
- Begin with the basics
- Information is key

Slide 21: OWASP
- Guide
- Top 10
- Specific tools
- Put back in
- Take the advantage
