Get the best out of your Web VAPT

Abhay Bhargav - CTO, we45 Solutions India Pvt. Ltd.

  Copyright © we45 Solutions India Pvt. Ltd.
Tuesday, July 20, 2010
Yours Truly...

• Co-author of ‘Secure Java For Web Application Development’
• Specialization in Web Vulnerability Assessment and Penetration Testing
• Trainer and Workshop Lead for Security Training Workshops
• My blog: http://citadelnotes.blogspot.com
The Web and its increasing footprint

• Web Applications extensively adopted by S, M and L entities
• E-Commerce, Social Networking
• Government is web-ifying everything
• Websites evolving into Apps
• Super Speciality Web Apps for highly specific tasks
• The rise of Web 2.0 and mashups
Current State of Web Security

• Industry average of 70% of web apps - vulnerable to serious security issues. 80% from Personal Experience
• Rise of Multi-tasking Application Driven Malware
• Web 2.0 and RIA - Greater Attack Surface
• Attack Vectors hidden and dangerous
• It is only getting easier...
Why the disconnect?

• Management - Unable to understand and grapple with Web Security
• Developers - Largely unaware of Web Security issues and fixes
• No Security in the Lifecycle
• Non-secure Coding Practices
• Poor Quality of Security Testing
Why you need a solid Web VAPT

• Web Applications - Box of Chocolates
• Proof of Concept - A Powerful Motivator
• Simulated to real-world environment
• Efficient
• Recognition
• Business Case Simplicity
Why Web VAPTs largely fail

• Web - new Paradigm, old testing techniques
• Management expectations - cloudy
• No Differentiation between a VA and a PT
• Business Logic = Un-Tested
• Over-reliance on Tools
Is it the Web??

• Most Web VAPTs are not Web VAPTs
• Web 2.0 is ignored extensively
• Flash and Java applets are considered “Safe, Compiled Code”
Methodology

• Consistent and Repeatable Methodology is all important
• What are the best practices they follow?
• Name Dropping is not a methodology
Depth

• VA != PT - The difference is huge
• Search Engines and Social Networking - A Treasure Trove for attackers
• Web 2.0 coverage - 30-40% increase in attack surface
• Business Logic Testing is Logical
Perils of the Assembly Line

• Skills, not Tools matter
• All tools and no manual, maketh a surface-level test
• Tools cannot test Business Logic
• Hybrid Approach works best
Analysis and Reporting

• Analysis for Web Apps is key - Custom Vulnerabilities
• Risk Ranking Vulnerabilities
• Threat Modeling
• Specific Recommendations
  • Involvement with Developers
  • Platform specific recommendations
  • Risk Based Approach
  • Compliance Requirements
Research

• The Web is changing every day
• Organizations doing VAPT need to have research capabilities
Other Best Practices

• Rules of Engagement - Management sets them
• Test Early and Test Often
• Haste makes for a non-secure app
• No Website too small, no Web App too large
• Fix please!
• Recognize the limitations
Thank You!!!

• Email: abhay@we45.com
• Micromessage: @abhaybhargav - Twitter
• LinkedIn: http://www.linkedin.com/in/abhaybhargav
• Website: www.we45.com
• Blog: citadelnotes.blogspot.com