WEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services

WEB SITE SECURITY
Jeff Aliber, Verizon Digital Media Services

SECURITY & THE CLOUD
The Cloud (Web)
o The Cloud is becoming the de-facto way for enterprises to leverage common infrastructure while innovating
o One of the biggest obstacles facing public cloud computing is security [1]
[1] SP 800-144 - Guidelines on Security and Privacy in Public Cloud Computing - 2012

WHO IS ATTACKING THE WEB?

WHAT ARE WE SEEING?
Evolving Threat Landscape
o Increasingly multi-vector attacks
o DDoS attacks rampant
Better Reconnaissance
Better Targeting
Smarter Attacks
More/Larger Attacks

HOW EASY IS IT TO ATTACK?

HOW EASY IS IT TO HIDE?
Sources
o TOR (The Onion Router)
o Amazon Web Services
o VPN proxies
o Web Proxies

HEARTBLEED
o A serious vulnerability in the popular OpenSSL cryptographic software library
o Allows stealing information protected by SSL/TLS encryption
o Permits anyone on the Internet to read the memory of systems protected by the vulnerable versions of OpenSSL
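As an added example (not from the slides), a simulation of the heartbeat length check that fixed Heartbleed: the vulnerable path trusts the sender's payload_length field and copies past the received record into adjacent bytes of a constructed buffer, while the fixed path discards any message whose claimed length does not fit the record. The record layout follows RFC 6520; the buffer contents and the "secret" that follows the record are constructed.

```python
import struct
from typing import Optional

# Constants from RFC 6520 (heartbeat extension) and RFC 5246 (TLS record layer).
CONTENT_TYPE_HEARTBEAT = 24
HEARTBEAT_REQUEST = 1
MIN_PADDING = 16  # RFC 6520: every heartbeat message ends with >= 16 bytes of padding


def build_heartbeat_record(payload: bytes, claimed_len: int) -> bytes:
    """Build a TLS 1.1 heartbeat request record. claimed_len is written into the
    payload_length field independently of len(payload), so a message that
    over-claims its payload can be constructed for the demonstration."""
    body = struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BHH", CONTENT_TYPE_HEARTBEAT, 0x0302, len(body)) + body


def heartbeat_response_payload(memory: bytes, validate: bool) -> Optional[bytes]:
    """Return the bytes a server would echo back for the heartbeat record that
    starts at memory[0]. `memory` models the receive buffer plus whatever sits
    after it in process memory (a constructed byte string in this example).
    validate=False trusts the sender's payload_length (the vulnerable
    behaviour); validate=True applies the bounds check from the fix."""
    content_type, _version, record_len = struct.unpack("!BHH", memory[:5])
    if content_type != CONTENT_TYPE_HEARTBEAT:
        raise ValueError("not a heartbeat record")
    hb_type, payload_len = struct.unpack("!BH", memory[5:8])
    if hb_type != HEARTBEAT_REQUEST:
        raise ValueError("not a heartbeat request")
    # The fix: type (1) + length (2) + claimed payload + minimum padding must fit
    # inside the record that actually arrived; otherwise the message is dropped.
    if validate and 1 + 2 + payload_len + MIN_PADDING > record_len:
        return None
    # Without that check the copy runs payload_len bytes from the start of the
    # payload, past the end of the record and into adjacent memory.
    return memory[8:8 + payload_len]
```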

SHELLSHOCK
A family of security bugs in the widely used Unix GNU Bash shell
o Can allow an attacker to gain unauthorized access to a computer system
Attackers exploited Shellshock within hours
o Created botnets on compromised computers to perform distributed DoS attacks and vulnerability scanning
Potential to be used to compromise millions of unpatched servers and other systems.

POODLE (Padding Oracle On Downgraded Legacy Encryption)
o Designed to take advantage of the protocol version negotiation feature built into SSL/TLS to force the use of SSL 3.0
o Creates an opportunity to decrypt select content within the SSL session

WEB SITE SECURITY

WEB SITE SECURITY
Best place is in the Cloud
o Function as 1st layer of defense
o Easy operation: CNAME change
o Implement an integrated solution
o Best architecture for addressing network-layer DDoS attacks
o Concerns about availability not an issue
o Enable customers to focus technical & financial resources on other needs

DOMAIN NAME SYSTEM (DNS)
Can Your Web Site Be Found?
Requirements
o Function as Managed (Primary) or Secondary DNS
- Administer DNS zones and associated records
- Run Health Checks
- Define load balancing and failover configurations
- Comply with DNS specification
- RESTful API

ANTI-DDoS
Is Your Web Site Available?
Requirements
o Protect at both the network and application layers
o Handle malicious traffic at edge
- Reverse proxy architecture
- Port lockdown
- Identification and remediation of malicious traffic
o Ensure that customer Web site is always available
DDoS Protection

WEB APPLICATION FIREWALL
Are Your Origin & Web Applications Secure?
Requirements
o Provide an additional set of protections at Application Layer
- Increase security by monitoring, detecting and preventing attacks against web applications

THE OWASP TOP 10
o A1 Injection
o A2 Broken Authentication and Session Management
o A3 Cross-Site Scripting (XSS)
o A4 Insecure Direct Object References
o A5 Security Misconfiguration
o A6 Sensitive Data Exposure
o A7 Missing Function Level Access Control
o A8 Cross-Site Request Forgery (CSRF)
o A9 Using Components with Known Vulnerabilities
o A10 Unvalidated Redirects and Forwards
https://www.owasp.org/index.php/top10#owasp_top_10_for_2013

ORIGIN CLOAKING
Are Your Origin & Web Applications Secure?
Requirements
o Protect against Direct-to-Origin Attacks
- Used to apply additional security by firewalling the origin so that only authorized vendor IP addresses are allowed to contact the customer origin
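Added example, not from the slides: detection logic for the direct-to-origin problem this slide describes, run over constructed origin access-log lines, plus the allow-vendors-then-drop shape of the origin firewall rendered as iptables rules for review. The vendor egress prefixes are hypothetical documentation ranges standing in for the CDN's published IP list.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Hypothetical CDN/vendor egress prefixes (documentation ranges, constructed for
# this example). In practice these come from the vendor's published IP list.
VENDOR_RANGES = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed origin access-log lines in common log format. The third request
# reached the origin from an address outside the vendor ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2015:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '198.51.100.44 - - [10/Oct/2015:13:55:40 +0000] "GET /api/items HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2015:13:56:01 +0000] "GET /admin/login HTTP/1.1" 200 1024',
    "malformed line that does not parse",
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def is_vendor_ip(ip: str) -> bool:
    """True if the client address falls inside one of the allowed vendor ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VENDOR_RANGES)


def find_direct_to_origin(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, request_line) for every origin hit that bypassed the
    CDN, i.e. came from an address outside VENDOR_RANGES. Unparseable lines are
    skipped; unparseable IPs are reported, since they cannot be vendor traffic."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            allowed = is_vendor_ip(m["ip"])
        except ValueError:
            allowed = False
        if not allowed:
            hits.append((m["ip"], m["req"]))
    return hits


def render_iptables_allowlist(port: int = 443) -> List[str]:
    """Render the origin firewall the slide describes: accept the vendor ranges
    on the HTTPS port, then drop every other source on that port."""
    rules = [f"iptables -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT" for net in VENDOR_RANGES]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules
```

Any hit returned by find_direct_to_origin means the origin is reachable around the CDN and the firewall allowlist is missing or incomplete.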

ENCRYPTION
Is Your Content Protected?
Requirements
o SSL certificates used to protect content
- Hosted Subject Alternative Name (SAN)
- Custom SSL
- Customer supplied certificates
o OCSP Stapling
- Addresses many of the inherent challenges with OCSP including performance (can be >35% faster)

WEB SITE SECURITY
Bringing The Pieces Together

Questions? THANK YOU!