Web Application Security. Sajjad Pourali sajjad@securation.com CERT of Ferdowsi University of Mashhad




Take away
- Why web application security is very important
- Understanding web application security
- How to test the security of web applications
- Introduction to the OWASP Application Security Verification Standard (ASVS)
- Introduction to the Common Vulnerability Scoring System (CVSS)
- Vulnerability reference methods
- Vulnerability databases

Why web application security is very important

Understanding web application security

Components (left to right in the diagram): User, Client-Side Interface, Server-Side Processor, Data Source.

Request path:
1. The user defines a query using the query interface.
2. The query interface sends the query to a server-side processing agent.
3. The server-side agent answers the query using a data source or another backend service.

Response path:
4. The data source returns the query result.
5. The server-side agent returns the query result.
6. The query results are displayed to the user.

Every arrow in this diagram is input that the receiving component must validate: attacker-controlled data enters at the client-side interface and, unless filtered, travels all the way to the data source and back to other users' browsers.

How to test the security of web applications

Structured methodologies
- Private methodologies
- Public methodologies: OWASP Application Security Verification Standard (ASVS), WASC, ISO/IEC 29119

Unstructured methodologies

OWASP Application Security Verification Standard (ASVS)
- Introduction
- Goals
- Verification levels: Cursory, Opportunistic, Standard, Advanced
- Detailed verification requirements

ASVS Introduction

What is ASVS?
- The Application Security Verification Standard
- Provides a basis for testing a web application's technical security controls
- Provides developers with a list of requirements for secure development

Goals
- Perform web application security verification against a commercially workable open standard
- Establish levels of confidence in the security of web applications
- Use as a metric, as guidance, and during procurement

Verification levels

Level 0: Cursory
- Preliminary verification, defined by the organization itself
- Not a prerequisite for the other levels

Level 1: Opportunistic
- Scans for easy-to-find vulnerabilities
- Threats: attackers using simple techniques and tools
- A roadmap for more thorough inspections in the future

Level 2: Standard
- Prevalent security vulnerabilities with moderate-to-serious risk
- Threats: attackers using custom tools and manual techniques
- The industry standard for many business applications

Level 3: Advanced
- Advanced and hard-to-exploit vulnerabilities
- Requires inspection of the application's design
- Threats: determined attackers focusing on specific targets
- For critical applications and infrastructure

These are the ASVS 2.0 level names; later releases dropped Level 0 and keep Levels 1 to 3, so check which ASVS version a vendor or customer means when a "level" is quoted.

Detailed verification requirements
- Authentication
- Session Management
- Access Control
- Malicious Input Handling
- Malicious Controls
- Business Logic
- Files and Resources
- Mobile
- Cryptography at Rest
- Error Handling and Logging
- Data Protection
- Communications
- HTTP

Common Vulnerability Scoring System (CVSS)
- An open industry standard for assessing the severity of security vulnerabilities
- Assigns a severity score to each vulnerability so that responders can prioritize responses and resources according to the threat
- Scores are calculated from a formula over several metrics that capture the ease of exploitation and the impact of exploitation
- Scores range from 0 to 10 (10 being the most severe)
- CVSS defines three metric groups: Base (severity), Temporal and Environmental

Base Score (Severity)
- Attack Vector (AV)
- Attack Complexity (AC)
- Privileges Required (PR)
- User Interaction (UI)
- Scope (S): whether a successful exploit affects resources beyond the vulnerable component
- Confidentiality (C)
- Integrity (I)
- Availability (A)

Temporal Score
- Exploit Code Maturity (E)
- Remediation Level (RL)
- Report Confidence (RC)

Environmental Score
- Confidentiality Requirement (CR)
- Integrity Requirement (IR)
- Availability Requirement (AR)
- Modified Attack Vector (MAV)
- Modified Attack Complexity (MAC)
- Modified Privileges Required (MPR)
- Modified User Interaction (MUI)
- Modified Scope (MS)
- Modified Confidentiality (MC)
- Modified Integrity (MI)
- Modified Availability (MA)

Vector String
The vector string encodes the chosen metric values compactly: the prefix CVSS:3.0 followed by metric:value pairs separated by slashes, so a score can be recomputed and audited rather than trusted as a bare number.

Vulnerability Reference Method

CVE identifier
- Funded by the National Cyber Security Division of the United States Department of Homeland Security
- Used by the Security Content Automation Protocol (SCAP)
- Identifiers for publicly known information-security vulnerabilities in publicly released software packages
- CVEs are assigned by a CVE Numbering Authority (CNA)
- Syntax: CVE prefix + year + sequence number, e.g. CVE-2014-4424; since the 2014 syntax change the sequence number has four or more digits rather than exactly four

OSVDB identifier
- Independent, open-source identifier (the OSVDB project shut down in April 2016, so treat these references as historical)

Other

Vulnerability Database
- National Institute of Standards and Technology, National Vulnerability Database (nist.gov)
- MITRE Corporation (mitre.org)
- United States Computer Emergency Readiness Team (us-cert.gov)
- CERT/CC Vulnerability Notes Database (cert.org)
- Open Source Vulnerability Database (osvdb.org)
- SecurityFocus (securityfocus.com)

Security Bulletins and Advisories
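The CVE syntax described above is what a practitioner needs when pulling identifiers out of a bulletin or advisory to cross-reference them in the databases listed earlier. As an added example (not code from the original slides), the Python below extracts and validates CVE IDs from free text: it accepts any case, requires a four-digit year no earlier than 1999 and a sequence of four or more digits, rejects zero-padded five-digit sequences (which the post-2014 syntax forbids), and de-duplicates. The advisory text embedded in the block is constructed sample input, and the IDs other than CVE-2014-4424 are illustrative rather than taken from any real bulletin.

```python
import re
from typing import List

# CVE ID syntax: "CVE-" prefix, a four-digit year, then a sequence of four
# or more digits (the 2014 syntax change removed the four-digit limit).
# Word boundaries stop "CVE-2014-44241" from being read as
# "CVE-2014-4424" plus a stray digit.
_CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def is_valid_cve_id(candidate: str) -> bool:
    """Return True if the whole string is a well-formed CVE identifier."""
    m = _CVE_RE.fullmatch(candidate.strip())
    if not m:
        return False
    year = int(m.group(1))
    seq = m.group(2)
    # CVE began in 1999. Sequence numbers longer than four digits may not
    # carry leading zeros: CVE-2014-0001 is fine, CVE-2014-00001 is not.
    if year < 1999:
        return False
    if len(seq) > 4 and seq.startswith("0"):
        return False
    return True


def extract_cve_ids(text: str) -> List[str]:
    """Find every CVE ID referenced in free text, normalised to upper case,
    validated, and de-duplicated in first-seen order."""
    seen = set()
    found: List[str] = []
    for m in _CVE_RE.finditer(text):
        cve = f"CVE-{m.group(1)}-{m.group(2)}"
        if is_valid_cve_id(cve) and cve not in seen:
            seen.add(cve)
            found.append(cve)
    return found


# Constructed sample advisory text; not a real vendor bulletin.
SAMPLE_ADVISORY = """Security update for the example portal (constructed sample).
Fixed: CVE-2014-4424 and cve-2014-4424 (same ID, different case).
Also fixed: CVE-2015-12345 and CVE-2014-44241 (five-digit sequence).
Malformed references that must be ignored: CVE-2014-04424,
CVE-1998-0001 and CVE-14-4424."""


if __name__ == "__main__":
    for cve in extract_cve_ids(SAMPLE_ADVISORY):
        print(cve)
```

Once the IDs are extracted, each can be looked up in the NVD or the CERT/CC Vulnerability Notes to fetch its CVSS vector and recompute the score rather than relying on the severity wording in the bulletin itself.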

Vulnerability Specification

Questions?

References
- http://www.hackmageddon.com/2016/01/11/2015-cyber-attacks-statistics/
- https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
- https://www.first.org/cvss
- https://cve.mitre.org/
- https://support.apple.com/en-us/HT203111
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4424