Web Engineering Web Application Security Issues



Similar documents
Web Application Security

Where every interaction matters.

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

The Top Web Application Attacks: Are you vulnerable?

OWASP AND APPLICATION SECURITY

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Barracuda Web Site Firewall Ensures PCI DSS Compliance

Web Application Penetration Testing

Passing PCI Compliance How to Address the Application Security Mandates

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

05.0 Application Development

Don t Get Burned! Are you Leaving your Critical Applications Defenseless?

Thick Client Application Security

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Overview of the Penetration Test Implementation and Service. Peter Kanters

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Rational AppScan & Ounce Products

Magento Security and Vulnerabilities. Roman Stepanov

What is Web Security? Motivation

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Table of Contents. Page 2/13

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

DISA's Application Security and Development STIG: How OWASP Can Help You. AppSec DC November 12, The OWASP Foundation

OWASP Top Ten Tools and Tactics

Protecting Your Organisation from Targeted Cyber Intrusion

Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group

Security in Network-Based Applications. ITIS 4166/5166 Network Based Application Development. Network Security. Agenda. References

Secure Web Applications. The front line defense

Sitefinity Security and Best Practices

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Security Testing and Vulnerability Management Process. e-governance

How to Build a Trusted Application. John Dickson, CISSP

Adobe Systems Incorporated

Web Application Security

elearning for Secure Application Development

Six Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business

Columbia University Web Security Standards and Practices. Objective and Scope

FortiWeb Web Application Firewall. Ensuring Compliance for PCI DSS requirement 6.6 SOLUTION GUIDE

Strategic Information Security. Attacking and Defending Web Services

Web application security

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Web Application Report

WEB APPLICATION SECURITY

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

White Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers

Web Application Firewall on SonicWALL SSL VPN

Web Application Report

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Application Security Vulnerabilities, Mitigation, and Consequences

Guidelines for Website Security and Security Counter Measures for e-e Governance Project

IBM Managed Security Services Vulnerability Scanning:

Java Web Application Security

Application Security Best Practices. Wally LEE Principal Consultant

Using Free Tools To Test Web Application Security

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Web Application Security

Reducing Application Vulnerabilities by Security Engineering

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Essential IT Security Testing

MatriXay WEB Application Vulnerability Scanner V Overview. (DAS- WEBScan ) The best WEB application assessment tool

Secure Code Development

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

8070.S000 Application Security

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

Web Application Attacks and Countermeasures: Case Studies from Financial Systems

Web Application Security and the OWASP Top 10. Web Application Security and the OWASP Top 10

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Penetration Test Report

Objectives. Security. Fixing Our JSTL Problem. Web Application Architecture. Web Security. A few lines of code can wreak more havoc than a bomb.

How to complete the Secure Internet Site Declaration (SISD) form

Members of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems

Application Code Development Standards

Cloud Security:Threats & Mitgations

Web Application Vulnerability Testing with Nessus

Web Application Security Assessment and Vulnerability Mitigation Tests

STOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect

Keyword: Cloud computing, service model, deployment model, network layer security.

Cross-Site Scripting

External Supplier Control Requirements

Visa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices

Transcription:

Security Issues Dec 14 2009 Katharina Siorpaes Copyright 2009 STI - INNSBRUCK www.sti-innsbruck.at It is NOT Network Security It is securing: Custom Code that drives a web application Libraries Backend Systems Web and Application servers 1

tion Layer er Applicat Network Laye APPLICATION ATTACK Firewall ccounts Finance Ac F Adm ministration Tran nsactions App Server Web Server Comm munication Know ledge Mgmt E-C Commerce Bus. Functions Custom Code Hardened OS Firewall Dat tabases Legac cy Systems Web Services Dir ectories Huma an Resrcs Billing Application Layer Attacker sends attacks inside valid HTTP requests Your custom code is tricked into doing something it should not Security requires software development expertise, not signatures Network Layer Firewall, hardening, patching, IDS, andssl cannotdetect or stop attacks inside HTTP requests. Security relies on signature databases Insider How likely is a successful web application attack? Consequences? Security is just as important as Network Security 2

Need for Securing Web Sites/Applications Defaced Sites Reported on the Internet Defacement reasons Application Vulnerability Site owner authored (accidental/intentional) Web Server Misconfiguration Corporate Security Interne t Server (Data) Workstations (Green Segment) Firewall!!!!!!!!!!!! Wild Wild West 3

Security at Network and Transport layer INTERNET Port 23 Port 139 Port 21 Port 80/8080 Securing traditionally was not enough Network Controls legitimate t traffic Above 70% attacks at the 12/7/2007 application level A web application is generally comprised of a collection of scripts, that reside on a web server and interact with a database and other sources of dynamic content. Runs generally at port 80/8080 Attacks Undetected Data as part of legitimate traffic on port 80/8080 go undetected. Conventional Network devices and Firewalls cannot distinguish bad data from the genuine data 4

Security Refers to the combination of People, Processes and Technology Identify, Measure and Manage the risks Presented by Open source and custom web applications Risks identified in applications A malicious user can log in without a valid account. An unauthorised user view, add, update, delete data. An authenticated user can Add/Update data as another user. A malicious user can upload malicious contents. t A malicious user can steal user credentials. 5

People Processes Technology Awareness Training Guidelines Secure Development Secure code Review Security Testing Secure Configuration Application Automated Firewalls Scanners Security Standards OWASP (Open Security Project) WASC ( Security Consortium) 6

OWASP The Open Security Project is a project dedicated to sharing knowledge and developing open source software that promotes understanding of web application security. For more info see http://www.owasp.org OWASP Top 10 WASC Is an international group of experts, practitioners and organizational representatives who produce open source and widely agreed upon best practice security standards for the world wide web. http://www.webappsec.org Web Hacking Incidents Database Web Security Threat classification 7

OWASP Top Ten Project It Provides a minimum standard for web application security. The OWASP top ten represents a broad consensus about what the most critical web applications vulnerabilities are. Adopter US Federal Trade commission, US DOD, VISA Other companies including Sprint, IBM etc.. OWASP Top Ten Most Critical A1 - Unvalidated Input Information from Web requests is not validated before being used by a Web application. Attackers can use these flaws to attack backend components through a Web application. 8

OWASP Top Ten Most Critical A2 -Broken Access Control Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users' accounts, view sensitive files, or use unauthorized functions. 17 OWASP Top Ten Most Critical A3 - Broken Authentication and Session Management Account credentials and session tokens are not properly protected. Attackers that can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users' identities. 18 9

OWASP Top Ten Most Critical A4 - Cross Site Scripting (XSS) Flaws The Web application can be used as a mechanism to transport an attack to an end user's browser. A successful attack can disclose the end user's session token, attack the local machine, or spoof content to fool the user. 19 OWASP Top Ten Most Critical A5 - Buffer Overflow Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and Web application server components. 20 10

OWASP Top Ten Most Critical A6 - Injection Flaws Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the web application. 21 OWASP Top Ten Most Critical A7 - Improper Error Handling Error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur that the Web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server. 22 11

OWASP Top Ten Most Critical A8 - Insecure Storage Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection. OWASP Top Ten Most Critical A9 - Denial of Service Attackers can consume Web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail. 24 12

OWASP Top Ten Most Critical A10 - Insecure Configuration Management Having a strong server configuration standard is critical to a secure web application. These servers have many configuration options that affect security and are not secure out of the box. 25 Developers must: Work with solution architects and systems administrators to ensure application security Contribute to security by: Adopting good application security development practices Knowing where security vulnerabilities occur and how to avoid them Using secure programming techniques 13

Security must be considered at: All stages of a project Design Development Deployment All layers Network Host Application Security is only as good as the weakest link OWASP Top Ten Project http://www.owasp.org/index.php/category:owasp_top_ten_project UA s Best Practices http://confluence.ltc.arizona.edu/confluence/display/webpractices/web+altc edu/confluence/display/webpractices/web+a pplication+best+practices Security Consortium http://www.webappsec.org/ Microsoft Corporation http://www.microsoft.com/downloads/details.aspx?familyid=84b3aa98 A1E5 4A74 A56B 7ADDBDED79CC&displaylang=en UA Info Sec Office Webpage for Application Developer http://security.arizona.edu/appdev 14

Questions? 29 15

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information