Don't Get Burned! Are you Leaving your Critical Applications Defenseless?
Slide 1: Don't Get Burned! Are you Leaving your Critical Applications Defenseless?
Ed Bassett; Carolyn Ryll, CISSP
Enspherics Division of CIBER
Slide 2: Presentation Overview
- Applications Exposed
  - The evolving application security threat
  - Shortcomings of perimeter security
  - Challenges faced
  - Strategy for effective protection
- Securing Applications to Protect Data
  - Design in vs. bolt on
Slide 3: Web-Based Applications Under Attack
"All the organizations covered by this year's survey experienced some Web site incidents."
Source: 2004 Computer Crime and Security Survey, Computer Security Institute, with the participation of the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad
Slide 4: Evolving Threat
- Application security mechanisms are generally the arbiter of data access
  - Less reliance on network, operating system, and database controls
  - Successful attacks more likely to result in access to valuable data/transactions
- More use of packaged applications, standardized development platforms
  - Attackers can develop attacks with widespread utility
- Path of least resistance
  - Applications are visible, accessible
  - Many applications are not very well secured
Slide 5: Perimeter Controls
- What about perimeter controls? They largely block network vulnerabilities
- Example: HTTP requests are able to sail past firewalls, filters, platform hardening, and intrusion detection systems
  - Attacks are inside legal HTTP requests
  - Attacker can tamper with the URL, query string, headers, cookies, form fields, and hidden fields to bypass security mechanisms
  - Some of these attacks are buffer overflows, code injection, SQL injection, command insertion, cookie poisoning, hidden field manipulation, format string attacks, and cross-site scripting
  - Even SSL-secured Web sites accept the requests without scrutiny
Slide 6: Perimeter Controls
- Application code is part of the security perimeter
- As the number, size, and complexity of applications increase, so does perimeter exposure
- Case study: one organization that produces hundreds of applications per year
  - Without a proper application security focus, perimeter security is extremely hampered
  - Initial incident: weak access controls
  - Zero traceability
Slides 7-8: But I Have A Firewall
- Perimeter security devices do a good job stopping other things but are largely transparent to application attacks
- Application protocols (usually HTTP, HTTPS) are used for valid access, so are passed by the firewall
- Applications generally can be accessed from any source address
- Most applications encrypt sensitive transactions using SSL, so the firewall cannot see the contents of the transaction
- The nomenclature of application requests is not known by the firewall

Diagram 1: Request to log in remotely (telnet://webserver.xyz.com) -> STOP. The firewall recognizes that telnet is the wrong protocol and blocks access.

Diagram 2: Request to application (HTTPS) -> allowed. The firewall recognizes HTTPS as an approved protocol and allows access; the details of the request are encrypted with SSL, so the firewall cannot tell if the request is valid or malicious.
Slides 9-10: But I Have An Intrusion Prevention System
- These devices typically look for attack signatures
- Many web server attacks and some application attacks can be detected and blocked by an IPS
- Attacks inside an SSL connection are not visible to the IPS because they are still encrypted

Diagram 1: Web server attack (common_attack_signature) -> STOP. The IPS recognizes the attack signature and blocks access.

Diagram 2: Encrypted web server attack (common_attack_signature over SSL) -> passed. Simply using SSL (HTTPS) causes the attack to be invisible to the IPS.
Slide 11: Successful Attacks Can Yield Significant Damage
- SQL injection attacks (one of the OWASP Top 10) can permit execution of arbitrary database queries
  - Dumping the entire database is not uncommon
- Similar attacks can often bypass the login prompt
  - Permits attacker to impersonate a valid user
- Most applications cannot detect these attacks
  - Unauthorized access can continue over a long period

Notes: The OWASP list ( ) is similar to the SANS/FBI Top Twenty List ( ). The SANS/FBI list is organized around network and infrastructure products; OWASP is focused on application security. While OWASP states a particular focus on Web application security, its recommendations are quite useful for application development vulnerabilities in general, as many of the same coding practices carry over.
Slide 12: Successful Attacks Can Yield Significant Damage
The OWASP Top Ten:
- Unvalidated Input: Information from Web requests is not validated before being used by a Web application. Attackers can use these flaws to attack backend components through a Web application.
- Broken Access Control: Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users' accounts, view sensitive files, or use unauthorized functions. (Note the previously mentioned case study that referenced insignificant access control mechanisms.)
- Broken Authentication and Session Management: Account credentials and session tokens are not properly protected. Attackers that can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users' identities.
Slide 13: Successful Attacks Can Yield Significant Damage
The OWASP Top Ten (continued):
- Cross Site Scripting (XSS) Flaws: The Web application can be used as a mechanism to transport an attack to an end user's browser. A successful attack can disclose the end user's session token, attack the local machine, or spoof content to fool the user (phishing attacks).
- Buffer Overflows: Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and Web application server components.

An excellent reference for these types of attacks, as well as attacks on Unvalidated Input and Injection Flaws (next), is The Shellcoder's Handbook by Koziol, Litchfield, Aitel, Anley, Eren, Mehta, and Hassell (Wiley Publishing, 2004).
Slide 14: Successful Attacks Can Yield Significant Damage
The OWASP Top Ten (continued):
- Injection Flaws: Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the Web application.
- Improper Error Handling: Error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur that the Web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server. In practice it is very difficult to test for all errors, and therefore difficult to perform complete error handling.
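The login bypass on slide 11 and the injection flaw on this slide, shown as an added example that is not part of the presentation: a legacy login that splices user input into its SQL beside a hardened version that validates the input, passes it as query parameters, and stores salted password hashes. The in-memory SQLite database and the user "alice" are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Allowlist for what a username may look like (an assumption for this example).
USERNAME_RE = re.compile(r"^[a-z0-9_.-]{1,32}$")


def hash_password(password, salt):
    # Salted PBKDF2-HMAC-SHA256 instead of plaintext: avoids the 'Insecure Storage' item.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_db():
    """Constructed sample data: a legacy plaintext table and a hardened hashed table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE legacy_users (username TEXT PRIMARY KEY, password TEXT)")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    db.execute("INSERT INTO legacy_users VALUES ('alice', 'correct-horse')")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("alice", salt, hash_password("correct-horse", salt)))
    db.commit()
    return db


def vulnerable_login(db, username, password):
    """The flaw the slides describe: form-field values become part of the SQL
    text, so a quote in the username rewrites the query's logic."""
    sql = ("SELECT 1 FROM legacy_users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return db.execute(sql).fetchone() is not None


def hardened_login(db, username, password):
    """Data cleansing, a parameterised query, and a constant-time hash compare."""
    # Reject null/missing, non-string, over-long or out-of-alphabet input up front.
    if not isinstance(username, str) or not isinstance(password, str):
        return False
    if not USERNAME_RE.match(username) or not 1 <= len(password) <= 128:
        return False
    # Placeholders: the driver sends the value separately from the SQL text,
    # so it can never be interpreted as SQL.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # compare_digest avoids leaking, via timing, how much of the hash matched.
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    db = make_db()
    tampered = "' OR 1=1 --"  # a form-field value that comments out the password check
    print("legacy,   real credentials:", vulnerable_login(db, "alice", "correct-horse"))
    print("legacy,   tampered field  :", vulnerable_login(db, tampered, "x"))
    print("hardened, real credentials:", hardened_login(db, "alice", "correct-horse"))
    print("hardened, tampered field  :", hardened_login(db, tampered, "x"))
```

The tampered value logs in against the legacy query but is rejected by the hardened one twice over: it fails the allowlist before any query runs, and even without the allowlist the placeholder would carry it as a literal username that matches no row.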
Slide 15: Successful Attacks Can Yield Significant Damage
The OWASP Top Ten (continued):
- Insecure Storage: Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection. (Case study: cryptographic algorithm conversion.)
- Denial of Service: Attackers can consume Web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail.

An excellent reference is How to Break Software Security, by Whittaker and Thompson (Pearson Education, 2004). Holodeck, written by faculty and students at Florida Tech. Case study: network fault injection, denial of all ports vs. denial of network access.
Slide 16: Successful Attacks Can Yield Significant Damage
The OWASP Top Ten (continued):
- Insecure Configuration Management: Having a strong server configuration standard is critical to a secure Web application. These servers have many configuration options that affect security and are not secure out of the box. (Case study: medical devices and Web servers.)
Slide 17: Comparison Factor: How to Break Software Security (Wiley, 2004)
Unanticipated Scenarios:
- Blocking access to libraries
- Manipulating application registry values
- Forcing use of corrupt files
- Manipulation and replacement of files
- Environmental fault conditions (low memory, disk-space and network-availability conditions)
Any of the above may result in anything from Denial of Service to Broken Access Control.
Slide 18: Comparison Factor: How to Break Software Security (Wiley, 2004)
User Interface Attacks:
- Overflowing input buffers (corresponds to Buffer Overflows)
- Examine all common switches and options
- Explore escape characters, character sets, and commands
Note the similarity to OWASP's Injection Flaws and Unvalidated Input.
Slide 19: Comparison Factor: How to Break Software Security (Wiley, 2004)
Design Attacks:
- Default and test account names and passwords (corresponds to Broken Access Control)
- Expose unprotected test APIs
- Connect to all ports
- Fake the source of data
- Create loop conditions in any application that interprets script, code, or other user-supplied logic (corresponds to Injection Flaws, Unvalidated Input, Cross Site Scripting)
- Use alternate routes to accomplish the same task
- Force the system to reset values (corresponds to Unvalidated Input)
Slide 20: Comparison Factor: How to Break Software Security (Wiley, 2004)
Implementation Attacks:
- Get between time of check and time of use (corresponds to Insecure Storage)
- Create files with the same name as those protected with a higher classification (corresponds to Broken Access Control)
- Force all error messages (corresponds to Improper Error Handling)
- Look for temporary files and screen their contents for sensitive information (corresponds to Broken Access Control, and Broken Authentication and Session Management)
Slide 21: Successful Attacks Can Yield Significant Damage
- These issues are not new; many have been around for decades
- Mistakes keep recurring
- No magic cure-all
- Requires a change in development culture, developer training, updated software processes, and use of technology where appropriate
Slide 22: Challenges Faced
- Lack of a true definition of application security; a gray area in understanding
  - In some definitions, it relates only to custom application code
  - In other definitions, it covers the entire application layer, which includes libraries, server configurations, and application layer protocols
- Organizational specificity
  - Difficult to state the relative importance of specific vulnerabilities to individual organizations
  - Individual organizations are the only ones qualified to assess their own risk levels in relation to specific types of vulnerabilities
  - Example: algorithmic vulnerabilities versus cross-site scripting
Slide 23: Challenges Faced
- Placement of application security into the SDLC
  - Often gets placed into the cycle after code completion, as an afterthought
  - Succeeds when built in from the start
  - Most cost effective
- Consulting projects often see a change in attitude in the client from entry to departure
  - Entry: the client is bored, does not think that vulnerabilities will be found
  - Departure: the client is overwhelmed at everything they must do to mitigate all the vulnerabilities that were found
Slide 24: Strategy For Effective Protection
- Be deliberate
- Make security a priority item in application projects
- Adopt reliable, consistent application security processes
- Obtain specialized application security expertise
- Establish security standards for apps
- Use independent validation to monitor compliance
Slide 25: Designing Security In
- Design applications to be secure
  - Analyze potential attacks/risks
  - Establish security requirements for custom applications
  - Evaluate security features in selection of off-the-shelf packages
- Build applications to be secure
  - Mandate secure coding practices
- Test the security of applications
  - Before acceptance, perform assurance testing
- Monitor applications to maintain security
  - Monitor logs
  - Validate security posture during operations
  - Evaluate security impact of changes
Slide 26: What's Included? Typical Application Security Scope
- Authentication
- Authorization
- Session Context Control
- Audit Logging
- Intrusion Detection and Deterrence
- Data Cleansing
- Data Privacy and Integrity
- Back-end Communications
- Alternative Interfaces
Slide 27: Application Security Scope
- Authentication: Mechanisms such as passwords or tokens that are used to authenticate the identity of the user, including an analysis of whether the login process can be bypassed
- Authorization: Mechanisms for controlling what application functionality and data are accessible to each user, including an analysis of anonymous access restrictions (what users can see without logging into the application)
- Session Context Control: Mechanisms to ensure the integrity and segregation of user sessions, including an analysis of whether it is possible to spoof or hijack another user's session
Slide 28: Application Security Scope
- Audit Logging: Features to track and log user actions, especially unauthorized access attempts
- Intrusion Detection and Deterrence: Mechanisms to detect and/or block unauthorized access attempts, including an analysis of the application's response to account and password guessing attacks and URL guessing/modification attacks
- Data Cleansing: Mechanisms to detect bad user input, including an analysis of the application's reaction to null/missing data, extraneous data, and buffer overflow attacks in selected fields
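The Audit Logging and Intrusion Detection items above, as an added example that is not part of the presentation: an application-level detector that reads its own audit log and flags the two attack patterns the slide names, password guessing (repeated login failures for one account from one source) and URL guessing (a burst of 403/404 responses from one source). The log format and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (not real data). Assumed line format:
#   <ISO timestamp> <source ip> <LOGIN|REQUEST> <account or path> <result>
SAMPLE_LOG = """\
2004-08-06T09:00:00 203.0.113.5 LOGIN alice FAIL
2004-08-06T09:00:01 203.0.113.5 LOGIN alice FAIL
2004-08-06T09:00:02 203.0.113.5 LOGIN alice FAIL
2004-08-06T09:00:03 203.0.113.5 LOGIN alice FAIL
2004-08-06T09:00:04 203.0.113.5 LOGIN alice FAIL
2004-08-06T09:00:05 203.0.113.5 LOGIN alice OK
2004-08-06T09:01:00 198.51.100.7 LOGIN bob FAIL
2004-08-06T09:30:00 198.51.100.7 LOGIN bob OK
2004-08-06T09:02:00 192.0.2.9 REQUEST /admin/ 403
2004-08-06T09:02:01 192.0.2.9 REQUEST /backup/ 404
2004-08-06T09:02:02 192.0.2.9 REQUEST /admin.bak 404
2004-08-06T09:02:03 192.0.2.9 REQUEST /account?id=42 403
2004-08-06T09:02:04 192.0.2.9 REQUEST /account?id=43 403
2004-08-06T09:02:05 192.0.2.9 REQUEST /account?id=44 403
2004-08-06T09:05:00 198.51.100.7 REQUEST /home 200
this line is malformed and must be ignored
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (LOGIN|REQUEST) (\S+) (\S+)$")


def parse_log(text):
    """Turn log text into (timestamp, src, kind, target, result) tuples, oldest first.
    Lines that do not match the format are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, kind, target, result = m.groups()
        events.append((datetime.fromisoformat(ts), src, kind, target, result))
    events.sort(key=lambda e: e[0])
    return events


def _bursts(events, key, predicate, threshold, window):
    """Sliding-window counter: return every key that accumulates `threshold`
    matching events inside any span of `window`."""
    recent = defaultdict(deque)   # key -> timestamps of matching events still in window
    flagged = set()
    for ev in events:
        if not predicate(ev):
            continue
        ts, k = ev[0], key(ev)
        q = recent[k]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(k)
    return flagged


def password_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """(source, account) pairs with `threshold` login failures inside `window`.
    A success right after such a burst is the case most worth an alert."""
    return _bursts(events,
                   key=lambda e: (e[1], e[3]),
                   predicate=lambda e: e[2] == "LOGIN" and e[4] == "FAIL",
                   threshold=threshold, window=window)


def url_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Sources producing `threshold` forbidden/not-found responses inside `window`,
    the footprint of URL guessing or of tampering with identifiers in the URL."""
    return _bursts(events,
                   key=lambda e: e[1],
                   predicate=lambda e: e[2] == "REQUEST" and e[4] in ("403", "404"),
                   threshold=threshold, window=window)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("password guessing:", password_guessing(evs))   # {('203.0.113.5', 'alice')}
    print("url guessing     :", url_guessing(evs))        # {'192.0.2.9'}
```

Bob's single failure followed by a success half an hour later stays below the threshold, which is the kind of tuning the "response to guessing attacks" analysis on the slide is meant to settle for each application.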
Slide 29: Application Security Scope
- Data Privacy and Integrity: Mechanisms to protect the privacy and integrity of data exchanged with the user during an application session, including encryption of passwords and sensitive data, and attempts to spoof or replay a user session
- Back-End Communications: Mechanisms by which the application exchanges data with back-end databases or applications, including an analysis of the protocols used and means of authentication
- Alternative Interfaces: Other application interfaces (Web or otherwise) that are used by administrators and maintainers to configure the application
Slide 30: Application Security Scope
- Importance is also placed on policies and procedures
  - Policies and procedures should be present that surround the use and administration of the application
- Security should be built using a Security Development Life Cycle that mirrors the Software Development Life Cycle
- Security should be built into the application from the beginning, rather than retrofitted at the end
Slide 31: Life Cycle Considerations
Time line: Requirement/Specification -> Design -> Development -> Test -> Documentation -> Post-production Support -> Incident Handling
- Timely and relevant security input at each stage of application development
- Reference: NIST Special Publication, Security Considerations in the System Development Life Cycle
Slide 32: Life Cycle Considerations (Requirement/Specification)
- Set requirements for security features/functions
Slide 33: Life Cycle Considerations (Design)
- Detailed design
- Choose security products/mechanisms
- Trade-offs between security and other criteria
Slide 34: Life Cycle Considerations (Development)
- Implement security features
- Training
- Secure coding guidelines
Slide 35: Life Cycle Considerations (Test)
- Security compliance testing: ensure the application security features meet the design requirements
- Penetration testing: ensure the application is resistant to hostile acts
Slide 36: Spectrum of Assurance Testing
From low to high assurance:
1. Automated external network scan
2. Network penetration testing
3. Network, host, and application testing
4. Compliance testing
5. Customized testing of all components
6. In-depth software and hardware trust evaluation
Typical choices along this spectrum: commercial organizations at the low end, government (non-DoD) in the middle, DoD/Intel at the high end.
Slide 37: Life Cycle Considerations (Documentation)
- Risk evaluation: assurance evidence as a decision aid for the business unit in accepting the security risks associated with the application
- Compliance evaluation: document how the application meets security and privacy regulations
Slide 38: Life Cycle Considerations (Post-production Support)
- Establish operational procedures to monitor/maintain security
- Review and test any software changes that affect security
- Periodic verification of the security posture of applications
Slide 39: Life Cycle Considerations (Incident Handling)
- Procedures and resources for:
  - Incident analysis
  - Investigation
  - Damage control
  - Reporting
Slide 40: What About Risks In Existing Applications?
- Assessment testing
- Decision support for risk acceptance decisions
- Certification testing
- Incident handling
- Recommendations for enhancements
- Implementation of enhancements
Slide 41: Risks in Existing Applications
- May perform a triage to decide which applications are critical
- Organization should perform a formal application security assessment
- Factors involved will include tradeoffs in security versus consequences to the business
  - This is not the pretty picture, but it is the reality
  - Case study: low-end medical device and small hospital
- Organizations have only so much time, and so much money
  - When assessing existing application security risks, not all risks may be mitigated
  - This, again, supports the argument that it is better to add application security to the design/build process from the beginning
Slide 42: California SB 1386 Information Practices Act
- If you store personal information on one or more California residents, you must notify them if their data have (or may have) been accessed illegally
  - Disclosure is no longer a PR decision
- Stated goal: minimize damage from identity theft
  - Expeditious notification of possible misuse is imperative
- Encryption of data is critical but not sufficient
  - Law only applies to unencrypted personal information
  - But what if data is decrypted as part of the breach?
- Affects all companies who do business with California residents
  - Outsourcing companies
  - Data processing and storage companies
- Similar legislation being introduced elsewhere
Slide 43: Q&A and thanks!
Mingyu Web Application Firewall (DAS- WAF) - - - All transparent deployment for Web application gateway All transparent deployment Full HTTPS site defense Prevention of OWASP top 10 Website Acceleration
More informationNuclear Regulatory Commission Computer Security Office Computer Security Standard
Nuclear Regulatory Commission Computer Security Office Computer Security Standard Office Instruction: Office Instruction Title: CSO-STD-1108 Web Application Standard Revision Number: 1.0 Effective Date:
More informationIntegrating Security Testing into Quality Control
Integrating Security Testing into Quality Control Executive Summary At a time when 82% of all application vulnerabilities are found in web applications 1, CIOs are looking for traditional and non-traditional
More informationWeb Application Security Considerations
Web Application Security Considerations Eric Peele, Kevin Gainey International Field Directors & Technology Conference 2006 May 21 24, 2006 RTI International is a trade name of Research Triangle Institute
More informationThe Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA
The Weakest Link: Mitigating Web Application Vulnerabilities webscurity White Paper webscurity Inc. Minneapolis, Minnesota USA January 25, 2007 Contents Executive Summary...3 Introduction...4 Target Audience...4
More informationApplication Security Best Practices. Wally LEE <wally.lee@scs.com.sg> Principal Consultant
Application Security Best Practices Wally LEE Principal Consultant 17/18 March 2009 Speaker Profile Wally LEE CISSP BS7799 Lead Auditor Certified Ultimate Hacking Instructor Certified
More informationWeb application security
Web application security Sebastian Lopienski CERN Computer Security Team openlab and summer lectures 2010 (non-web question) Is this OK? int set_non_root_uid(int uid) { // making sure that uid is not 0
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationCS5008: Internet Computing
CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is
More informationExternal Supplier Control Requirements
External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must
More informationJava Web Application Security
Java Web Application Security RJUG Nov 11, 2003 Durkee Consulting www.rd1.net 1 Ralph Durkee SANS Certified Mentor/Instructor SANS GIAC Network Security and Software Development Consulting Durkee Consulting
More informationTHE HACKERS NEXT TARGET
Governance and Risk Management THE HACKERS NEXT TARGET YOUR WEB AND SOFTWARE Anthony Lim MBA CISSP CSSLP FCITIL Director, Security, Asia Pacific Rational Software ISC2 CyberSecurity Conference 09 Kuala
More informationTop Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia
Top Ten Web Application Vulnerabilities in J2EE Vincent Partington and Eelco Klaver Xebia Introduction Open Web Application Security Project is an open project aimed at identifying and preventing causes
More informationSix Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business
6 Six Essential Elements of Web Application Security Cost Effective Strategies for Defending Your Business An Introduction to Defending Your Business Against Today s Most Common Cyber Attacks When web
More informationCreating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011 Agenda Evolving Threats Operating System Application User Generated Content JPL s Application Security Program Securing
More informationWeb Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure
Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences
More informationCriteria for web application security check. Version 2015.1
Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-
More informationOWASP Top Ten Tools and Tactics
OWASP Top Ten Tools and Tactics Russ McRee Copyright 2012 HolisticInfoSec.org SANSFIRE 2012 10 JULY Welcome Manager, Security Analytics for Microsoft Online Services Security & Compliance Writer (toolsmith),
More informationApplication Security and the SDLC. Dan Cornell Denim Group, Ltd. www.denimgroup.com
Application Security and the SDLC Dan Cornell Denim Group, Ltd. www.denimgroup.com Overview Background What is Application Security and Why is It Important? Specific Reference Examples Integrating Security
More informationWeb App Security Audit Services
locuz.com Professional Services Web App Security Audit Services The unsecured world today Today, over 80% of attacks against a company s network come at the Application Layer not the Network or System
More informationCracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference
Cracking the Perimeter via Web Application Hacking Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference About 403 Labs 403 Labs is a full-service information security and compliance
More informationHow To Protect A Web Application From Attack From A Trusted Environment
Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls
More informationTable of Contents. Page 2/13
Page 1/13 Table of Contents Introduction...3 Top Reasons Firewalls Are Not Enough...3 Extreme Vulnerabilities...3 TD Ameritrade Security Breach...3 OWASP s Top 10 Web Application Security Vulnerabilities
More informationWhite Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers
White Paper Guide to PCI Application Security Compliance for Merchants and Service Providers Contents Overview... 3 I. The PCI DSS Requirements... 3 II. Compliance and Validation Requirements... 4 III.
More informationCYBER TRENDS & INDUSTRY PENETRATION TESTING. Technology Risk Supervision Division Monetary Authority of Singapore
CYBER TRENDS & INDUSTRY PENETRATION TESTING Technology Risk Supervision Division Monetary Authority of Singapore A NEW DAWN New Services / Mobile Application, NFC, FAST Technology / Biometrics, Big Data,
More informationCloud Security:Threats & Mitgations
Cloud Security:Threats & Mitgations Vineet Mago Naresh Khalasi Vayana 1 What are we gonna talk about? What we need to know to get started Its your responsibility Threats and Remediations: Hacker v/s Developer
More informationWeb applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh
Web applications Web security: web basics Myrto Arapinis School of Informatics University of Edinburgh HTTP March 19, 2015 Client Server Database (HTML, JavaScript) (PHP) (SQL) 1 / 24 2 / 24 URLs HTTP
More informationEthical Hacking as a Professional Penetration Testing Technique
Ethical Hacking as a Professional Penetration Testing Technique Rochester ISSA Chapter Rochester OWASP Chapter - Durkee Consulting, Inc. info@rd1.net 2 Background Founder of Durkee Consulting since 1996
More informationWEB APPLICATION FIREWALLS: DO WE NEED THEM?
DISTRIBUTING EMERGING TECHNOLOGIES, REGION-WIDE WEB APPLICATION FIREWALLS: DO WE NEED THEM? SHAIKH SURMED Sr. Solutions Engineer info@fvc.com www.fvc.com HAVE YOU BEEN HACKED????? WHAT IS THE PROBLEM?
More informationPenetration Testing Service. By Comsec Information Security Consulting
Penetration Testing Service By Consulting February, 2007 Background The number of hacking and intrusion incidents is increasing year by year as technology rolls out. Equally, there is no hiding place your
More informationMIGRATIONWIZ SECURITY OVERVIEW
MIGRATIONWIZ SECURITY OVERVIEW Table of Contents Introduction... 2 Shared Security Approach... 2 Customer Best Practices... 2 Application Security... 4 Database Level Security... 4 Network Security...
More informationNetwork Security Audit. Vulnerability Assessment (VA)
Network Security Audit Vulnerability Assessment (VA) Introduction Vulnerability Assessment is the systematic examination of an information system (IS) or product to determine the adequacy of security measures.
More informationSecuring Enterprise Web Applications at the Source: An Application Security Perspective
Securing Enterprise Web Applications at the Source: An Application Security Perspective Author: Eugene Lebanidze eugene.lebanidze@gmail.com EXECUTIVE SUMMARY Purpose: This paper considers a variety of
More informationWeb Application Vulnerability Testing with Nessus
The OWASP Foundation http://www.owasp.org Web Application Vulnerability Testing with Nessus Rïk A. Jones, CISSP rikjones@computer.org Rïk A. Jones Web developer since 1995 (16+ years) Involved with information
More informationMembers of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems
Soteria Health Check A Cyber Security Health Check for SAP systems Soteria Cyber Security are staffed by SAP certified consultants. We are CISSP qualified, and members of the UK Cyber Security Forum. Security
More informationTHE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS
THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS INCONVENIENT STATISTICS 70% of ALL threats are at the Web application layer. Gartner 73% of organizations have been hacked in the past two
More informationWeb Application Hacking (Penetration Testing) 5-day Hands-On Course
Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Course Description Our web sites are under attack on a daily basis
More informationWeb Application Security Assessment and Vulnerability Mitigation Tests
White paper BMC Remedy Action Request System 7.6.04 Web Application Security Assessment and Vulnerability Mitigation Tests January 2011 www.bmc.com Contacting BMC Software You can access the BMC Software
More informationVisa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices
This document is to be used to verify that a payment application has been validated against Visa U.S.A. Payment Application Best Practices and to create the Report on Validation. Please note that payment
More informationIJMIE Volume 2, Issue 9 ISSN: 2249-0558
Survey on Web Application Vulnerabilities Prevention Tools Student, Nilesh Khochare* Student,Satish Chalurkar* Professor, Dr.B.B.Meshram* Abstract There are many commercial software security assurance
More informationSample Report. Security Test Plan. Prepared by Security Innovation
Sample Report Security Test Plan Prepared by Security Innovation Table of Contents 1.0 Executive Summary... 3 2.0 Introduction... 3 3.0 Strategy... 4 4.0 Deliverables... 4 5.0 Test Cases... 5 Automation...
More informationInformation Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified
Standard: Data Security Standard (DSS) Requirement: 6.6 Date: February 2008 Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Release date: 2008-04-15 General PCI
More informationImplementation of Web Application Firewall
Implementation of Web Application Firewall OuTian 1 Introduction Abstract Web 層 應 用 程 式 之 攻 擊 日 趨 嚴 重, 而 國 內 多 數 企 業 仍 不 知 該 如 何 以 資 安 設 備 阻 擋, 仍 在 採 購 傳 統 的 Firewall/IPS,
More informationWeb Application Attacks and Countermeasures: Case Studies from Financial Systems
Web Application Attacks and Countermeasures: Case Studies from Financial Systems Dr. Michael Liu, CISSP, Senior Application Security Consultant, HSBC Inc Overview Information Security Briefing Web Applications
More informationOut of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet
Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development
More informationInformation Technology Policy
Information Technology Policy Enterprise Web Application Firewall ITP Number ITP-SEC004 Category Recommended Policy Contact RA-ITCentral@pa.gov Effective Date January 15, 2010 Supersedes Scheduled Review
More informationWeb Application Firewall on SonicWALL SSL VPN
Web Application Firewall on SonicWALL SSL VPN Document Scope This document describes how to configure and use the Web Application Firewall feature in SonicWALL SSL VPN 5.0. This document contains the following
More informationChapter 1 Web Application (In)security 1
Introduction xxiii Chapter 1 Web Application (In)security 1 The Evolution of Web Applications 2 Common Web Application Functions 4 Benefits of Web Applications 5 Web Application Security 6 "This Site Is
More informationThe purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.
This sample report is published with prior consent of our client in view of the fact that the current release of this web application is three major releases ahead in its life cycle. Issues pointed out
More information