A Network Administrator's Guide to Web App Security


A Network Administrator's Guide to Web App Security
Speaker: Orion Cassetto, Product Marketing Manager, Incapsula
Moderator: Rich Nass, OpenSystems Media

Agenda
> Housekeeping
> Presentation
> Questions and Answers
> Wrap-up

A Network Administrator's Guide to Web App Security
Presented by: Orion Cassetto, Sr. Product Marketing Manager, Incapsula

Incapsula Webinar
Thanks for joining!
> The webinar is about 30 minutes long
> Questions will be answered during and after the session
> Please submit your questions using the chat window

Speaker Bio: Orion Cassetto
> Sr. Product Marketing Manager for Incapsula
> Previously held product marketing positions at Imperva and Armorize Technologies
> Experienced in Web app security and SaaS security solutions
> Holds degrees in Asian Studies and Chinese Language from Washington State University

Overview
> Recent web security events
> Web application threats and common attack types
> How to defend your website against today's common threats
> Automated tools to help you simplify website security

Major Hacks of 2014
2014 had several enormous data breaches by hackers, including:

Heartbleed: the Epic SSL Crisis of 2014
> Heartbleed is a security bug that was disclosed in April 2014
> It was present in the widely used OpenSSL cryptography library
> When disclosed, around 17% of the Internet's secure web servers were vulnerable
Why do I care?
> The vulnerability allowed the theft of servers' private keys and of users' session cookies and passwords
"Some might argue that [Heartbleed] is the worst vulnerability found since commercial traffic began to flow on the Internet." Joseph Steinberg, Forbes

Shellshock Vulnerability
What is it?
1. Shellshock is a vulnerability that affects Bash (a.k.a. the Bourne-again shell), the most common command-line shell on Linux / Unix / Mac OS systems
2. It allows unauthenticated attackers to remotely execute code on affected machines
What damage could this cause your website? Hackers remotely executing code on your systems can result in:
> Data theft
> Malware injection
> Server hijacking

Distributed Denial of Service (DDoS) Attacks
> DDoS attacks are attacks in which many infected computers band together to attack a single target
> These attacks exhaust network connections and server resources, causing website outages

Web App Threats and Common Attack Types

Use of Stolen Credentials Reigns Supreme
> Use of stolen authentication credentials by hackers is the number one threat of 2013
> Once stolen, credentials can be reused by hackers at other websites to increase the impact of a breach
> Automated tools combined with stolen password lists are a dangerous combination
Source: Verizon Data Breach Report 2014

Websites Have Many Vulnerabilities
> 96% of web applications have vulnerabilities
> 13% of websites can be compromised automatically
Sources: Cenzic, Inc. (Feb. 2014); Incapsula, Inc. (2013)

SQL Injection: What it is and why it matters
What is SQL Injection?
> SQL Injection attacks attempt to use application code to access or corrupt database content
> It is accomplished by embedding SQL statements in user-supplied data
> Example (the slide shows a name field filled in with: 'OR = ): "The application was expecting my name, but I entered an SQL statement"
What happens if a hacker exploits this vulnerability?
> They can access your database and its data
Basic Rule
> If it is going into your database, clean it up first!
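As an added illustration of the slide's basic rule (this code is not from the webinar), the same name lookup is written twice against an in-memory SQLite table: once with the form value spliced into the query text, once parameterized. The table rows and the tautology input are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for the application's user table.
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The form value is spliced into the SQL text, so a quote character in
    # the input ends the string literal and the remainder is parsed as SQL.
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # The statement text is fixed; the driver binds the value separately, so
    # whatever the user typed is only ever compared as a string.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal name and with a tautology input."""
    conn = make_db()
    tautology = "' OR ''='"  # constructed; makes WHERE always true when spliced
    return {
        "normal_vulnerable": len(lookup_vulnerable(conn, "alice")),
        "normal_parameterized": len(lookup_parameterized(conn, "alice")),
        "injected_vulnerable": len(lookup_vulnerable(conn, tautology)),
        "injected_parameterized": len(lookup_parameterized(conn, tautology)),
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(f"{key}: {rows} row(s)")
```

The spliced query returns every row for the tautology input, while the parameterized one returns none, because the bound value is never parsed as SQL.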

Cross Site Scripting (XSS): What it is and why it matters
What is XSS?
> A type of attack in which hackers inject scripts (like JavaScript) into otherwise trusted websites
What happens if a hacker exploits an XSS vuln on my website?
> Stolen cookies or sessions
> Redirection to a malicious page
Basic Rule
> If user-supplied data is going into your application, clean it up first!
How it works:
1. Attacker inserts malicious unfiltered code into an application
2. User visits the web page and the malicious code is returned with the web page
3. Attacker gains control over user data or system via the injected exploit
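An added example (not the webinar's code) of the stored-XSS flow above and the "clean it up first" rule: stored comments are rendered into HTML with and without output encoding, and a second helper shows why a value inside a quoted attribute also needs its quote characters encoded. The comments and the search-box input are constructed test data.

```python
import html

# Constructed sample: one legitimate comment and one carrying a script tag,
# as an attacker would submit in step 1 of the slide.
COMMENTS = ["Great post!", "<script>alert('xss')</script>"]


def render_comments_unsafe(comments: list) -> str:
    # Stored data is concatenated into the HTML body unchanged, so the browser
    # of every later visitor parses the attacker's tag (steps 2 and 3).
    return "<ul>" + "".join(f"<li>{c}</li>" for c in comments) + "</ul>"


def render_comments_safe(comments: list) -> str:
    # html.escape turns < > & " ' into entities, so the comment is displayed
    # as text and never becomes markup.
    return "<ul>" + "".join(f"<li>{html.escape(c)}</li>" for c in comments) + "</ul>"


def render_search_box(query: str, escape_quotes: bool) -> str:
    # Attribute context: the value sits inside a quoted attribute, so the quote
    # character itself must be encoded (html.escape's quote=True, the default).
    value = html.escape(query, quote=escape_quotes)
    return f'<input type="text" name="q" value="{value}">'


def contains_live_markup(page: str) -> bool:
    """True if a raw <script> tag or an injected attribute survived into the page."""
    return "<script>" in page or '" onmouseover=' in page


if __name__ == "__main__":
    print(render_comments_unsafe(COMMENTS))
    print(render_comments_safe(COMMENTS))
    print(render_search_box('" onmouseover="alert(1)', escape_quotes=False))
    print(render_search_box('" onmouseover="alert(1)', escape_quotes=True))
```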

How DDoS Attacks Bring Down Websites
> DDoS attacks make your website completely inaccessible
(Diagram: DDoS traffic and legitimate traffic both arrive through your ISP and your Internet connection at your site)
> If website availability is important to you, then DDoS protection should be too
> Any application without a DDoS mitigation strategy is at risk

Automated Clients are the Majority of Web Traffic
> Over 61% of all website traffic is non-human (61.5% non-human traffic vs. 38.5% human traffic)
> About half of that non-human traffic is malicious

The Impact of Bots on Website Security
Good Bots:
> Search engine crawling
> Website health monitoring
> Vulnerability scanning
Bad Bots:
> DDoS
> Site scraping
> Comment spam
> SEO spam
> Fraud
> Vulnerability scanning

Defending your Websites and Applications

Use Multi-factor Authentication for Admin Areas
Problem
> Lost or stolen passwords allow hackers to bypass your security measures
Solution
> Secure admin areas with multi-factor authentication, for example via:
> Email
> SMS
> Google Authenticator
> Other

Identify Vulnerabilities: White-box and Black-box Tools
> Can you see inside the application (its code)?

The White-box Approach
> The white-box approach to finding vulnerabilities is to review application code for vulnerabilities
> Can be performed manually or automatically
> Manual: Code Review
> Automatic: Source Code Analysis

The Black-box Approach
> The black-box approach to finding vulnerabilities is to emulate hacker activity by probing a website for weaknesses
> Can be performed manually or automatically
> Manual: Penetration Testing
> Automatic: Web Vulnerability Scanning

Remediating Vulnerabilities at a Code Level
Sources of findings (all feed into a list of vulnerabilities):
> White-box, manual: Manual Code Review
> White-box, automated: Source Code Analysis
> Black-box, manual: Penetration Testing
> Black-box, automated: Web Vulnerability Scanner
Known vulnerabilities should be remediated.
What are the requirements for fixing vulnerabilities at the code level?
> Access to application code
> Coding expertise and knowledge in security

Use a Web Application Firewall (WAF)
> WAFs provide protection similar to a traditional network-layer firewall, but for web applications
> Using a WAF can protect a website from application-layer hacking attempts
> WAFs should be used in conjunction with traditional firewalls

Defend against DDoS Attacks
> DDoS mitigation services are preferable to mitigation appliances
> Overprovisioning bandwidth is expensive
(Diagram: DDoS traffic and legitimate traffic arrive through your ISP and your Internet connection at a DDoS mitigation appliance placed in front of your site)

DDoS Mitigation Requires Specialized Tools or Services
> DDoS mitigation services are preferable to mitigation appliances
> Overprovisioning bandwidth is expensive
> DDoS attacks should be mitigated close to their source (away from your network)
(Diagram: DDoS traffic and legitimate traffic pass through a DDoS mitigation service before reaching your ISP, your Internet connection and your site)

Identify and Block Bad Bots
Implement a solution which can block bad bots to prevent:
> Comment spam
> Site scraping
> Vulnerability scanning
> Automated SEO poisoning
Bot mitigation can be:
> A standalone service or appliance
> Part of other tools like a WAF

When to Implement Various Security Tools
PLANNING:
> Security requirements
> Design architecture
CODING:
> Source code analysis
> Manual code review
> Password security
> 2-factor authentication
PRODUCTION:
> Web app firewall
> DDoS mitigation
> Bot mitigation
> Web vulnerability scanner

Finding the Right Tools
Commercial:
> WAF: Incapsula, Imperva, F5
> Web Vulnerability Scanner: Whitehat Security, Nessus, Acunetix
> DDoS Mitigation: Incapsula, Prolexic, Neustar
> Source Code Analysis: Fortify, IBM AppScan, Parasoft
Open Source / Free:
> WAF: ModSecurity
> Web Vulnerability Scanner: Nikto, Wapiti, Qualys
> DDoS Mitigation: Not available / Not advised
> Source Code Analysis: FindSecurityBugs

Website Security and Performance in Minutes with a Simple DNS Change
> By routing website traffic through the Incapsula network, malicious traffic is blocked and legitimate traffic is accelerated
(Diagram: legitimate traffic flows through the Incapsula network to your website)
For a free trial of Incapsula visit us at www.incapsula.com

Thank you
Please send follow-up questions to info@incapsula.com

Audience Q & A
Orion Cassetto, Product Marketing Manager, Incapsula

Thanks for joining us
Event archive available at: http://ecast.opensystemsmedia.com/
E-mail us at: clong@opensystemsmedia.com