The contents of this talk are my own personal research and training. FishNet Security has no affiliation with this talk and cannot be held responsible for any of its contents. As such it should not be seen as marketing or any other form of public interaction by FishNet Security.
No, really!

Don't Panic!
Facebook, WordPress
• The Internet is BIG
• No, no, no: the Internet is REALLY REALLY BIG
• To go along with this really big Internet we have a really big codebase
• To add to this really big codebase, just like we learned in our first programming class, there are a thousand ways to do just about anything.
• Risk assessment is more about hardening your web app or site against common attacks than against uncommon attacks that target your unique situation.
• Now you must be thinking: what's a low-hanging fruit?
• The OWASP Top Ten
• OWASP is the Open Web Application Security Project.
• Every few years they put out a report of the top ten vulnerabilities found on the Internet.
• They also have some great tools for testing your web applications.
• If you want an idea of how to prepare for a security audit, OWASP is a great resource.
Injection means…

• Tricking an application into including unintended commands in the data sent to an interpreter

SQL injection is still quite common

• Many applications are still susceptible (really don't know why)
• Even though it's usually very simple to avoid

Typical Impact

• Usually severe. The entire database can usually be read or modified
• May also allow full database schema or account access, or even OS-level access

Recommendations

1. Avoid the interpreter entirely, or
2. Use an interface that supports bind variables (e.g., prepared statements or stored procedures)
   • Bind variables allow the interpreter to distinguish between code and data
3. Encode all user input before passing it to the interpreter
• Always perform 'white list' input validation on all user-supplied input
• Always minimize database privileges to reduce the impact of a flaw
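As an added example (not code from the talk), the same user lookup written three ways: with the input pasted into the SQL text, with a bind variable, and with white-list validation in front of the bind variable. The table, the rows and the username pattern are constructed for the demonstration; sqlite3 from the standard library stands in for the real database.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed in-memory user table standing in for the application's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The value is spliced into the SQL text, so the interpreter cannot tell
    # where the query ends and the user-supplied data begins: a quote in the
    # input changes the meaning of the statement.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn: sqlite3.Connection, username: str) -> list:
    # The '?' bind variable carries the value separately from the SQL text;
    # whatever the string contains, it is compared as data, never parsed as SQL.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# White-list pattern for a username (an assumption for this example):
# lower-case letters, digits and underscore, 3 to 32 characters.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def is_valid_username(username: str) -> bool:
    # White-list validation: accept only what a username is allowed to contain,
    # instead of trying to enumerate the characters an attacker might use.
    return USERNAME_RE.fullmatch(username) is not None


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    # Defence in depth: validate against the white list first, then bind.
    # (Running the connection under a read-only, least-privilege database
    # account limits the impact if either layer is ever bypassed.)
    if not is_valid_username(username):
        raise ValueError("username rejected by white-list validation")
    return lookup_bound(conn, username)


if __name__ == "__main__":
    db = build_db()
    tampered = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, tampered))  # every row comes back
    print("bound:     ", lookup_bound(db, tampered))       # nothing matches
    print("valid?     ", is_valid_username(tampered))      # False
```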
Occurs any time…

• Raw data from an attacker is sent to an innocent user's browser

Typical Impact

• Steal the user's session, steal sensitive data, rewrite the web page, redirect the user to a phishing or malware site
• Most severe: install an XSS proxy, which allows the attacker to observe and direct all of the user's behavior on the vulnerable site and force the user to other sites

Recommendations

• Eliminate the flaw
   • Don't include user-supplied input in the output page
• Defend against the flaw
   • Primary recommendation: output-encode all user-supplied input
   • Perform 'white list' input validation on all user input to be included in the page
   • For large chunks of user-supplied HTML, use HTML sanitization to sanitize all HTML and make it safe
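As an added example (not code from the talk), the recommendations side by side in Python: a renderer that copies raw input into the page, the output-encoded version, and a small allow-list sanitizer for the case where users may submit limited HTML. The allowed tags and attributes are assumptions for this example; the sanitizer illustrates the allow-list approach and a maintained sanitization library is the right choice for production.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow lists for this example: what user-supplied HTML may keep.
ALLOWED_TAGS = {"b", "i", "p", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http", "https")


def render_vulnerable(comment: str) -> str:
    # Raw user data copied into the page: anything in it is interpreted as markup.
    return '<p class="comment">' + comment + "</p>"


def render_encoded(comment: str) -> str:
    # Primary recommendation: output-encode so the browser displays the text
    # literally. quote=True also covers attribute contexts ("..." and '...').
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


class AllowListSanitizer(HTMLParser):
    """Rebuilds a fragment keeping only allowed tags and attributes.

    Tags outside the allow list are dropped (their text content is kept as
    escaped text), attributes outside the allow list are dropped, and href
    values must use an http(s) scheme, which excludes javascript: and data:.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list = []
        self.open_tags: list = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and urlsplit(value).scheme not in SAFE_SCHEMES:
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag in self.open_tags:
            # Close anything opened after this tag too, so output stays well formed.
            while self.open_tags:
                opened = self.open_tags.pop()
                self.out.append(f"</{opened}>")
                if opened == tag:
                    break

    def handle_data(self, data):
        # All text, including the body of dropped <script> tags, is re-encoded.
        self.out.append(html.escape(data, quote=True))

    def result(self) -> str:
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html(fragment: str) -> str:
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    sample = '<b>hi</b><a href="javascript:alert(1)">x</a><img src=x onerror=alert(1)>'
    print(render_encoded(sample))
    print(sanitize_html(sample))
```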
Web applications rely on a secure foundation

• Everywhere from the OS up through the app server
• Don't forget all the libraries you are using!!

Is your source code a secret?

• Think of all the places your source code goes
• Security should not require secret source code

Configuration management (CM) must extend to all parts of the application

• All credentials should change in production

Typical Impact

• Install a backdoor through a missing OS or server patch
• XSS flaw exploits due to missing application framework patches
• Unauthorized access to default accounts, application functionality or data, or unused but accessible functionality due to poor server configuration

• Verify your system's configuration management
   • Secure configuration "hardening" guideline
      • Automation is REALLY USEFUL here
   • Must cover the entire platform and application
   • Keep up with patches for ALL components
      • This includes software libraries, not just the OS and server applications
   • Analyze the security effects of changes

• Can you "dump" the application configuration?
   • Build reporting into your process
   • If you can't verify it, it isn't secure

• Verify the implementation
   • Scanning finds generic configuration and missing-patch problems
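As an added example (not code from the talk) of building reporting into the process: a configuration dump is checked against a hardening baseline and every deviation becomes a finding. The baseline values, component names, minimum versions and the dump itself are all constructed for the demonstration.

```python
import json

# Constructed hardening baseline (an assumption for this example): the checks
# every production deployment must pass.
BASELINE = {
    "debug": False,
    "min_versions": {"openssl": (1, 1, 1), "framework": (4, 2, 0)},
    "default_credentials": {"admin": "admin", "db": "changeme"},
    "plaintext_services": ["ftp", "telnet"],
}

# Constructed configuration dump, standing in for what the deployment reports
# about itself (versions, accounts, enabled services). Credentials appear in
# clear only so the default-value check is visible; a real dump would report
# whether each account still carries its shipped default.
CONFIG_DUMP = json.loads("""
{
  "debug": true,
  "components": {"openssl": "1.0.2", "framework": "4.2.1"},
  "credentials": {"admin": "admin", "db": "s3cret-rotated"},
  "services": {"ftp": "enabled", "sftp": "enabled", "telnet": "disabled"}
}
""")


def parse_version(text: str) -> tuple:
    # Dotted numeric versions only (an assumption); a letter suffix such as
    # "1.1.1k" keeps the numeric prefix of that part.
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def audit(config: dict, baseline: dict) -> list:
    """Compare a configuration dump with the baseline; return one line per deviation."""
    findings = []

    if config.get("debug") != baseline["debug"]:
        findings.append("debug mode enabled in production")

    # Patch level of ALL components, libraries included, not just OS and server.
    installed = config.get("components", {})
    for component, minimum in baseline["min_versions"].items():
        version = installed.get(component)
        if version is None:
            findings.append(f"{component}: version unknown, cannot verify patch level")
        elif parse_version(version) < minimum:
            wanted = ".".join(str(n) for n in minimum)
            findings.append(f"{component}: {version} is below minimum {wanted}")

    # Every credential must have changed from the shipped default.
    credentials = config.get("credentials", {})
    for account, default in baseline["default_credentials"].items():
        if credentials.get(account) == default:
            findings.append(f"{account}: default credential still in use")

    # Plaintext services (FTP, Telnet) must not be reachable.
    services = config.get("services", {})
    for service in baseline["plaintext_services"]:
        if services.get(service) == "enabled":
            findings.append(f"{service}: plaintext service enabled")

    return findings


if __name__ == "__main__":
    for line in audit(CONFIG_DUMP, BASELINE):
        print("FINDING:", line)
```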
[Diagram: PKI at the center, with VPN, SSH/SFTP and SSL around it]
Does

• Third-party authentication
• PKI encryption
• Keeps the conversation between the client and the host

Does Not

• Protect the client from malware snooping or interference
• Remove malicious code

Why it's not standard

• Encryption is process heavy
• The Internet is old

When you should use it

• Always…
• When dynamic code is used
• At least when logins are in use anywhere on the site

Does

• PKI encryption
• Keeps the conversation between the client and the host

Does Not

• Protect the client from malware snooping or interference
• Remove malicious code

Why it's not standard

• Encryption is process heavy
• The Internet is old

When you should use it

• Always…
• When dynamic code is used
• At least when logins are in use anywhere on the site

Does

• PKI encryption
• Connects to your server for quick, secure file management
• Allows you to issue commands to your server

Does Not

• Help the client
• Provide any code sanitization

What It Replaces

• FTP
• God forbid, Telnet

When You Should Use It

• Any time you connect to your server
• All file transfers of source code
• Editing any source on the host
Email: carlton.sue@fishnetsecurity.com
Twitter: @iamcobolt
Web: http://www.fishnetsecurity.com/Blogs
Personal: http://www.carlsue.com




• https://www.owasp.org
• Web Application Hackers Handbook
• The Tangled Web – No Starch Press
• SQL Injection Attacks and Defense

Thanks For Having Me!

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 

Kürzlich hochgeladen (20)

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

So Your Company Hired A Pentester

  • 1.
  • 2. The contents of this talk are my own personal research and training. FishNet Security has no affiliation with this talk and cannot be held responsible for any of its contents. As such it should not be seen as marketing or any other form of public interaction by FishNet Security.
  • 3. No Really! Don't Panic!
  • 4.
  • 5. Facebook WordPress
  • 6.
    • The Internet is BIG
    • No, no, no, the Internet is REALLY REALLY BIG
    • To go along with this really big internet we have a really big codebase
    • To add to this really big codebase, just like we learned in our first programming class, there are a thousand ways to do just about anything.
    • Risk assessment is more about hardening your web app or site against common attacks than against uncommon attacks that target your unique situation.
    • Now you must be thinking: what's a low-hanging fruit?
  • 7.
    • OWASP Top Ten
    • OWASP is the Open Web Application Security Project.
    • Every few years they put out a report of the top ten vulnerabilities found on the internet.
    • They also have some great tools for testing your web applications.
    • If you want an idea of how to prepare for a security audit, OWASP is a great resource.
  • 8.
  • 9. Injection means...
    • Tricking an application into including unintended commands in the data sent to an interpreter
    SQL injection is still quite common
    • Many applications are still susceptible (really don't know why)
    • Even though it's usually very simple to avoid
    Typical Impact
    • Usually severe. The entire database can usually be read or modified
    • May also allow full database schema or account access, or even OS-level access
  • 10. Recommendations
    1. Avoid the interpreter entirely, or
    2. Use an interface that supports bind variables (e.g., prepared statements or stored procedures)
      • Bind variables allow the interpreter to distinguish between code and data
    3. Encode all user input before passing it to the interpreter
    • Always perform 'white list' input validation on all user-supplied input
    • Always minimize database privileges to reduce the impact of a flaw
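A worked illustration of recommendations 2 and 3 above, added here and not part of the original slides: it uses Python's sqlite3 module with a constructed in-memory users table, and the validate_username rule is an assumed example policy, not one from the talk.

```python
import re
import sqlite3

def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the web app's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn

def lookup_concatenated(conn, name: str) -> list:
    """The flaw: input is spliced into the SQL text, so the interpreter
    cannot tell where the data ends and the code begins."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_bound(conn, name: str) -> list:
    """Recommendation 2: a bind variable ('?') keeps the input as data,
    whatever characters it contains."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

# Assumed example policy: lowercase letter, then up to 31 letters/digits/underscores.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")

def validate_username(name: str) -> bool:
    """White-list input validation: accept only what a username may contain."""
    return USERNAME_RE.fullmatch(name) is not None

def safe_lookup(conn, name: str) -> list:
    """Defence in depth: validate first, then use the bound query.
    (Also run the app's DB account with SELECT-only rights on this table.)"""
    if not validate_username(name):
        raise ValueError("username rejected by white-list validation")
    return lookup_bound(conn, name)

if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"   # constructed test input, not a real username
    print(lookup_concatenated(db, probe))  # leaks every row
    print(lookup_bound(db, probe))         # []
    print(safe_lookup(db, "bob"))          # ['bob@example.test']
```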
  • 11. Occurs any time...
    • Raw data from an attacker is sent to an innocent user's browser
    Typical Impact
    • Steal the user's session, steal sensitive data, rewrite the web page, redirect the user to a phishing or malware site
    • Most severe: install an XSS proxy which allows the attacker to observe and direct all of the user's behavior on the vulnerable site and force the user to other sites
  • 12. Recommendations
    • Eliminate the flaw
      • Don't include user-supplied input in the output page
    • Defend against the flaw
      • Primary recommendation: output-encode all user-supplied input
      • Perform 'white list' input validation on all user input to be included in the page
      • For large chunks of user-supplied HTML, use HTML sanitization to sanitize all HTML and make it safe
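The output-encoding and HTML-sanitization recommendations above as an added Python example (not code from the original talk); the allow-list of tags, attributes and URL schemes is an assumption chosen for the demonstration, built on the standard library's html.parser.

```python
import html
from html.parser import HTMLParser

# Allow-list chosen for this example (assumption): what user-supplied HTML may keep.
ALLOWED_TAGS = {"b", "i", "p", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://")

def encode_for_html(value: str) -> str:
    """Output encoding: untrusted text becomes inert in an HTML body or quoted attribute."""
    return html.escape(value, quote=True)

class AllowListSanitizer(HTMLParser):
    """Rebuilds user-supplied HTML keeping only allow-listed tags and attributes;
    other tags are dropped (text kept, encoded) and script/style bodies are removed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped script/style element

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return
        kept = ""
        for name, value in attrs:
            # Keep only allow-listed attributes whose value uses a safe URL scheme.
            if name in ALLOWED_ATTRS.get(tag, set()) and value and value.lower().startswith(SAFE_SCHEMES):
                kept += f' {name}="{encode_for_html(value)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(encode_for_html(data))

def sanitize_html(untrusted: str) -> str:
    """Sanitize a chunk of user-supplied HTML before placing it in the page."""
    parser = AllowListSanitizer()
    parser.feed(untrusted)
    parser.close()
    return "".join(parser.out)
```

For short fields (a display name, a comment title) use encode_for_html alone; sanitize_html is for the case the slide names, large chunks of user-supplied HTML that must keep some markup.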
  • 13. Web applications rely on a secure foundation
    • Everywhere from the OS up through the app server
    • Don't forget all the libraries you are using!!
    Is your source code a secret?
    • Think of all the places your source code goes
    • Security should not require secret source code
    Configuration management (CM) must extend to all parts of the application
    • All credentials should change in production
    Typical Impact
    • Install a backdoor through a missing OS or server patch
    • XSS flaw exploits due to missing application framework patches
    • Unauthorized access to default accounts, application functionality or data, or unused but accessible functionality due to poor server configuration
  • 14.
    • Verify your system's configuration management
      • Secure configuration "hardening" guideline
      • Automation is REALLY USEFUL here
      • Must cover the entire platform and application
      • Keep up with patches for ALL components
      • This includes software libraries, not just OS and server applications
      • Analyze the security effects of changes
      • Can you "dump" the application configuration?
      • Build reporting into your process
    • If you can't verify it, it isn't secure
      • Verify the implementation
      • Scanning finds generic configuration and missing-patch problems
  • 15. PKI VPN SSH/SFTP SSL
  • 16.
  • 17. Does
    • Third-party authentication
    • PKI encryption
    • Keeps the conversation between the client and the host
    Does Not
    • Protect the client from malware snooping or interference
    • Remove malicious code
    Why it's not standard
    • Encryption is process heavy
    • The internet is old
    When you should use it
    • Always...
    • When dynamic code is used
    • At least when logins are in use anywhere on the site
  • 18. Does
    • PKI encryption
    • Keeps the conversation between the client and the host
    Does Not
    • Protect the client from malware snooping or interference
    • Remove malicious code
    Why it's not standard
    • Encryption is process heavy
    • The internet is old
    When you should use it
    • Always...
    • When dynamic code is used
    • At least when logins are in use anywhere on the site
  • 19. Does
    • PKI encryption
    • Connects to your server for quick, secure file management
    • Allows you to issue commands to your server
    Does Not
    • Help the client
    • Provide any code sanitization
    What It Replaces
    • FTP
    • God forbid, Telnet
    When You Should Use It
    • Any time you connect to your server
    • All file transfer for source code
    • Editing any source on the host
  • 20. Email: carlton.sue@fishnetsecurity.com
    Twitter: @iamcobolt
    Web: http://www.fishnetsecurity.com/Blogs
    Personal: http://www.carlsue.com
    • https://www.owasp.org
    • Web Application Hacker's Handbook
    • The Tangled Web – No Starch Press
    • SQL Injection Attacks and Defense
    Thanks For Having Me!