SlideShare ist ein Scribd-Unternehmen logo

SPI Dynamics web application security 101

Als PPTX, PDF herunterladen
Wade Malone
Wade Malone

Web application security 101 explained by SPI Dynamics.

Technologie
1 von 19
Web Application Security
security. protection. intelligence. Q: Where Do Your Current Security Measures Fail? A: Your Proprietary, Custom written Web Applications
security. protection. intelligence. Today over 70% of attacks against a company‟s Web site or Web application come at the „Application Layer‟ not the Network or System layer. A complete security solution requires attention at each potential point of attack.
security. protection. intelligence. A: Enact policies requiring your developers to write secure code. Q: So how do we remedy this situation? •Verify all request parameters are in proper format (via through a standard library) •Any unknown or incorrect user data should be logged and terminated.
security. protection. intelligence. But if you instituted this policy, how would you effectively enforce it? What measures would you have in place to make sure that they comply? “A unenforceable policy, or one with out a process to determine the outlined specifications, is just as good, as no policy at all.”
security. protection. intelligence. Q: But I use XYZ Scanner, won’t it discover these types of vulnerabilities? A: No, and this is why.
security. protection. intelligence. Where Today’s Security Measures Fail
security. protection. intelligence. A: Because other Scanners are a security Broadsword, where ours is a Security Scalpel WebInspectTM is NOT meant to replace any tools that are currently being used, instead it complements them. Q: How can SPI Dynamics do all of this and the others can’t?
security. protection. intelligence. How SPI Solves The Problem
security. protection. intelligence. WebInspectTM scans the whole site: Web server Web pages Scripts Proprietary applications Cookies Database Server Internet IDS Firewall CC#’s Database Users Database Web Server
security. protection. intelligence. WebInspectTM Scans authentication codes Assesses security procedures Carves into confidential data … Just like a hacker would Database Server Internet IDS Firewall CC#’s Database Users Database Web Server
security. protection. intelligence. WebInspect™, automates our security expertise so that customers can simulate an advanced web-application attack on their own. WebInspect™ detects holes in both standard and proprietary applications, and crawls over the entire website in search of potential security problems. WebInspect™
security. protection. intelligence. WebInspect™ is easy to use. Simply enter the URL of the Web site or Web application you wish to scan and click go. WebInspect™
security. protection. intelligence. WebInspect™ is easy to understand. The Vulnerability Report is listed in order of severity and contains HTML links for navigation. WebInspect™
security. protection. intelligence. Features & Benefits of WebInspectTM Unique Focus: Your proprietary Web site or Web application Superior Scanning: Products codify our security expertise Extremely Fast: WebInspectTM runs in minutes/ hours vs. days/ weeks it takes to complete traditional vulnerability assessments Automated: Continuously maintain your security integrity Updated: Continuously keep up to date on the latest vulnerabilities with the online update feature Simple & Cost Effective: Licensed per IP address or per consultant Risk-Free: Offered on a trial basis at no cost
security. protection. intelligence. How does WebInspectTM do this? Hidden Manipulation Parameter Tampering Cookie Poisoning Stealth Commanding Forceful Browsing Backdoor/Debug Options Configuration Subversion Vendor–Assisted Hacking
security. protection. intelligence. The SPI Works Product Suite Use WebInspectTM to assess current Web sites or Web applications. Use WebInspectTM to QA new applications during development prior to release into production. Available now Know your vulnerabilities Use LogAlertTM to audit Web logs to know if an attacker has successfully compromised your Web site or Web application. Use LogAlertTM after you have been attacked for Web log forensic analysis. Available now Know if you have been attacked Use WebDefendTM to proactively stop Web site or Web application intrusions. Available Q2 2002 Proactively stop attacks WebInspect Application Assessment WebDefend Application Intrusion Protection LogAlert Application Log Audit TM TM TM
security. protection. intelligence. Our Company Founded in April 2000 by recognized Information Security industry experts Released WebInspectTM in April 2001 HQ in Atlanta, Georgia Resellers in New York, Chicago, Washington D.C., Knoxville, Miami, London SPI serves clients in each of the following vertical industries: HealthCare Insurance Financial Services Government Global Enterprise Consulting
security. protection. intelligence. SPI Dynamics is the leading provider of automated Web Application security products. SPI develops “hands-off” security products that contain the knowledge and expertise of an information security professional embedded in the code. The embedded “hacker logic” enables our software to think for the end-user, making their job easier.

Empfohlen

Reducing Risk of Credential Compromise at Netflix
Reducing Risk of Credential Compromise at NetflixReducing Risk of Credential Compromise at Netflix
Reducing Risk of Credential Compromise at NetflixSBWebinars
 
Efficacy Of Layered Application Security Through The Lens Of Hacker
Efficacy Of Layered Application Security Through The Lens Of HackerEfficacy Of Layered Application Security Through The Lens Of Hacker
Efficacy Of Layered Application Security Through The Lens Of HackerPriyanka Aash
 
BitSensor Webwinkel Vakdagen
BitSensor Webwinkel VakdagenBitSensor Webwinkel Vakdagen
BitSensor Webwinkel Vakdagenwebwinkelvakdag
 
Web Application Firewall - Web Application & Web Services Security integrated...
Web Application Firewall - Web Application & Web Services Security integrated...Web Application Firewall - Web Application & Web Services Security integrated...
Web Application Firewall - Web Application & Web Services Security integrated...Thomas Malmberg
 
Waratek presentation for RANT November 2016
Waratek presentation for RANT November 2016Waratek presentation for RANT November 2016
Waratek presentation for RANT November 2016Waratek Ltd
 
Web Application Firewall (WAF) DAST/SAST combination
Web Application Firewall (WAF) DAST/SAST combinationWeb Application Firewall (WAF) DAST/SAST combination
Web Application Firewall (WAF) DAST/SAST combinationTjylen Veselyj
 
2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP London2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP LondonJeff Williams
 
Waratek ISACA Webinar
Waratek ISACA WebinarWaratek ISACA Webinar
Waratek ISACA WebinarWaratek Ltd
 

Empfohlen

Reducing Risk of Credential Compromise at Netflix
Reducing Risk of Credential Compromise at NetflixReducing Risk of Credential Compromise at Netflix
Reducing Risk of Credential Compromise at NetflixSBWebinars
 
Efficacy Of Layered Application Security Through The Lens Of Hacker
Efficacy Of Layered Application Security Through The Lens Of HackerEfficacy Of Layered Application Security Through The Lens Of Hacker
Efficacy Of Layered Application Security Through The Lens Of HackerPriyanka Aash
 
BitSensor Webwinkel Vakdagen
BitSensor Webwinkel VakdagenBitSensor Webwinkel Vakdagen
BitSensor Webwinkel Vakdagenwebwinkelvakdag
 
Web Application Firewall - Web Application & Web Services Security integrated...
Web Application Firewall - Web Application & Web Services Security integrated...Web Application Firewall - Web Application & Web Services Security integrated...
Web Application Firewall - Web Application & Web Services Security integrated...Thomas Malmberg
 
Waratek presentation for RANT November 2016
Waratek presentation for RANT November 2016Waratek presentation for RANT November 2016
Waratek presentation for RANT November 2016Waratek Ltd
 
Web Application Firewall (WAF) DAST/SAST combination
Web Application Firewall (WAF) DAST/SAST combinationWeb Application Firewall (WAF) DAST/SAST combination
Web Application Firewall (WAF) DAST/SAST combinationTjylen Veselyj
 
2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP London2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP LondonJeff Williams
 
Waratek ISACA Webinar
Waratek ISACA WebinarWaratek ISACA Webinar
Waratek ISACA WebinarWaratek Ltd
 
Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Jeff Williams
 
Accessibility Clickjacking, Devastating Android Vulnerability
Accessibility Clickjacking, Devastating Android Vulnerability Accessibility Clickjacking, Devastating Android Vulnerability
Accessibility Clickjacking, Devastating Android Vulnerability Skycure
 
Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleJeff Williams
 
Waratek overview 2016
Waratek overview 2016Waratek overview 2016
Waratek overview 2016Waratek Ltd
 
API Security Survey
API Security SurveyAPI Security Survey
API Security SurveyImperva
 
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh ShregillAgile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh ShregillAgileNetwork
 
Solving for Compliance: Mobile app security for banking and financial services
Solving for Compliance: Mobile app security for banking and financial servicesSolving for Compliance: Mobile app security for banking and financial services
Solving for Compliance: Mobile app security for banking and financial servicesNowSecure
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security TestingAlan Kan
 
Pegasus Spyware - What You Need to Know
Pegasus Spyware - What You Need to KnowPegasus Spyware - What You Need to Know
Pegasus Spyware - What You Need to KnowSkycure
 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...OWASP
 
Panda Security2008
Panda Security2008Panda Security2008
Panda Security2008tswong
 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageOwasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageAnant Shrivastava
 
Automation of Security scanning easy or cheese?
Automation of Security scanning easy or cheese?Automation of Security scanning easy or cheese?
Automation of Security scanning easy or cheese?Dmitriy Gumeniuk
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
 
Automation of Security scanning easy or cheese
Automation of Security scanning easy or cheeseAutomation of Security scanning easy or cheese
Automation of Security scanning easy or cheeseKatherine Golovinova
 
Android App Security Solution
Android App Security SolutionAndroid App Security Solution
Android App Security SolutionJay Li
 
How to Add Advanced Threat Defense to Your EMM
How to Add Advanced Threat Defense to Your EMMHow to Add Advanced Threat Defense to Your EMM
How to Add Advanced Threat Defense to Your EMMSkycure
 
Enough with the Mobile SDK Mess: A New Technology Is Born
Enough with the Mobile SDK Mess: A New Technology Is BornEnough with the Mobile SDK Mess: A New Technology Is Born
Enough with the Mobile SDK Mess: A New Technology Is BornSafeDK
 
Decrypting the security mystery with SIEM (Part 2) ​
Decrypting the security mystery with SIEM (Part 2) ​Decrypting the security mystery with SIEM (Part 2) ​
Decrypting the security mystery with SIEM (Part 2) ​Zoho Corporation
 
Elizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonElizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonDevSecCon
 
IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solutionhearme limited company
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Cenzic
 

Weitere ähnliche Inhalte

Was ist angesagt?

Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Jeff Williams
 
Accessibility Clickjacking, Devastating Android Vulnerability
Accessibility Clickjacking, Devastating Android Vulnerability Accessibility Clickjacking, Devastating Android Vulnerability
Accessibility Clickjacking, Devastating Android Vulnerability Skycure
 
Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleJeff Williams
 
Waratek overview 2016
Waratek overview 2016Waratek overview 2016
Waratek overview 2016Waratek Ltd
 
API Security Survey
API Security SurveyAPI Security Survey
API Security SurveyImperva
 
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh ShregillAgile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh ShregillAgileNetwork
 
Solving for Compliance: Mobile app security for banking and financial services
Solving for Compliance: Mobile app security for banking and financial servicesSolving for Compliance: Mobile app security for banking and financial services
Solving for Compliance: Mobile app security for banking and financial servicesNowSecure
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security TestingAlan Kan
 
Pegasus Spyware - What You Need to Know
Pegasus Spyware - What You Need to KnowPegasus Spyware - What You Need to Know
Pegasus Spyware - What You Need to KnowSkycure
 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...OWASP
 
Panda Security2008
Panda Security2008Panda Security2008
Panda Security2008tswong
 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageOwasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageAnant Shrivastava
 
Automation of Security scanning easy or cheese?
Automation of Security scanning easy or cheese?Automation of Security scanning easy or cheese?
Automation of Security scanning easy or cheese?Dmitriy Gumeniuk
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
 
Automation of Security scanning easy or cheese
Automation of Security scanning easy or cheeseAutomation of Security scanning easy or cheese
Automation of Security scanning easy or cheeseKatherine Golovinova
 
Android App Security Solution
Android App Security SolutionAndroid App Security Solution
Android App Security SolutionJay Li
 
How to Add Advanced Threat Defense to Your EMM
How to Add Advanced Threat Defense to Your EMMHow to Add Advanced Threat Defense to Your EMM
How to Add Advanced Threat Defense to Your EMMSkycure
 
Enough with the Mobile SDK Mess: A New Technology Is Born
Enough with the Mobile SDK Mess: A New Technology Is BornEnough with the Mobile SDK Mess: A New Technology Is Born
Enough with the Mobile SDK Mess: A New Technology Is BornSafeDK
 
Decrypting the security mystery with SIEM (Part 2) ​
Decrypting the security mystery with SIEM (Part 2) ​Decrypting the security mystery with SIEM (Part 2) ​
Decrypting the security mystery with SIEM (Part 2) ​Zoho Corporation
 
Elizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonElizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonDevSecCon
 

Was ist angesagt? (20)

Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security
 
Accessibility Clickjacking, Devastating Android Vulnerability
Accessibility Clickjacking, Devastating Android Vulnerability Accessibility Clickjacking, Devastating Android Vulnerability
Accessibility Clickjacking, Devastating Android Vulnerability
 
Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio Scale
 
Waratek overview 2016
Waratek overview 2016Waratek overview 2016
Waratek overview 2016
 
API Security Survey
API Security SurveyAPI Security Survey
API Security Survey
 
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh ShregillAgile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
 
Solving for Compliance: Mobile app security for banking and financial services
Solving for Compliance: Mobile app security for banking and financial servicesSolving for Compliance: Mobile app security for banking and financial services
Solving for Compliance: Mobile app security for banking and financial services
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security Testing
 
Pegasus Spyware - What You Need to Know
Pegasus Spyware - What You Need to KnowPegasus Spyware - What You Need to Know
Pegasus Spyware - What You Need to Know
 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...
 
Panda Security2008
Panda Security2008Panda Security2008
Panda Security2008
 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageOwasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
 
Automation of Security scanning easy or cheese?
Automation of Security scanning easy or cheese?Automation of Security scanning easy or cheese?
Automation of Security scanning easy or cheese?
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
 
Automation of Security scanning easy or cheese
Automation of Security scanning easy or cheeseAutomation of Security scanning easy or cheese
Automation of Security scanning easy or cheese
 
Android App Security Solution
Android App Security SolutionAndroid App Security Solution
Android App Security Solution
 
How to Add Advanced Threat Defense to Your EMM
How to Add Advanced Threat Defense to Your EMMHow to Add Advanced Threat Defense to Your EMM
How to Add Advanced Threat Defense to Your EMM
 
Enough with the Mobile SDK Mess: A New Technology Is Born
Enough with the Mobile SDK Mess: A New Technology Is BornEnough with the Mobile SDK Mess: A New Technology Is Born
Enough with the Mobile SDK Mess: A New Technology Is Born
 
Decrypting the security mystery with SIEM (Part 2) ​
Decrypting the security mystery with SIEM (Part 2) ​Decrypting the security mystery with SIEM (Part 2) ​
Decrypting the security mystery with SIEM (Part 2) ​
 
Elizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonElizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unison
 

Ähnlich wie SPI Dynamics web application security 101

IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solutionhearme limited company
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Cenzic
 
Demand for Penetration Testing Services.docx
Demand for Penetration Testing Services.docxDemand for Penetration Testing Services.docx
Demand for Penetration Testing Services.docxAardwolf Security
 
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...Kevin Fealey
 
IBM AppScan Source - The SAST solution
IBM AppScan Source - The SAST solutionIBM AppScan Source - The SAST solution
IBM AppScan Source - The SAST solutionhearme limited company
 
IBM AppScan Enterprise - The total software security solution
IBM AppScan Enterprise - The total software security solutionIBM AppScan Enterprise - The total software security solution
IBM AppScan Enterprise - The total software security solutionhearme limited company
 
Web Application Security - Everything You Should Know
Web Application Security - Everything You Should KnowWeb Application Security - Everything You Should Know
Web Application Security - Everything You Should KnowNarola Infotech
 
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...Veracode
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
HP WebInspect
HP WebInspectHP WebInspect
HP WebInspectrohit_ta
 
Why 'positive security' is a software security game changer
Why 'positive security' is a software security game changerWhy 'positive security' is a software security game changer
Why 'positive security' is a software security game changerJaap Karan Singh
 
Secure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green MethodSecure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green MethodSalil Kumar Subramony
 
Why Penetration Tests Are Important Cyber51
Why Penetration Tests Are Important Cyber51Why Penetration Tests Are Important Cyber51
Why Penetration Tests Are Important Cyber51martinvoelk
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
Protecting Mission-Critical Source Code from Application Security Vulnerabili...
Protecting Mission-Critical Source Code from Application Security Vulnerabili...Protecting Mission-Critical Source Code from Application Security Vulnerabili...
Protecting Mission-Critical Source Code from Application Security Vulnerabili...IBM Security
 

Ähnlich wie SPI Dynamics web application security 101 (20)

IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solution
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...
 
Demand for Penetration Testing Services.docx
Demand for Penetration Testing Services.docxDemand for Penetration Testing Services.docx
Demand for Penetration Testing Services.docx
 
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
 
IBM AppScan Source - The SAST solution
IBM AppScan Source - The SAST solutionIBM AppScan Source - The SAST solution
IBM AppScan Source - The SAST solution
 
IBM AppScan Enterprise - The total software security solution
IBM AppScan Enterprise - The total software security solutionIBM AppScan Enterprise - The total software security solution
IBM AppScan Enterprise - The total software security solution
 
Web Application Security - Everything You Should Know
Web Application Security - Everything You Should KnowWeb Application Security - Everything You Should Know
Web Application Security - Everything You Should Know
 
B&W Netsparker overview
B&W Netsparker overviewB&W Netsparker overview
B&W Netsparker overview
 
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
 
VSEC Sourcecode Review Service Profile
VSEC Sourcecode Review Service ProfileVSEC Sourcecode Review Service Profile
VSEC Sourcecode Review Service Profile
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
IKare Vulnerability Scanner - Datasheet EN
IKare Vulnerability Scanner - Datasheet ENIKare Vulnerability Scanner - Datasheet EN
IKare Vulnerability Scanner - Datasheet EN
 
HP WebInspect
HP WebInspectHP WebInspect
HP WebInspect
 
Why 'positive security' is a software security game changer
Why 'positive security' is a software security game changerWhy 'positive security' is a software security game changer
Why 'positive security' is a software security game changer
 
Secure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green MethodSecure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green Method
 
Why Penetration Tests Are Important Cyber51
Why Penetration Tests Are Important Cyber51Why Penetration Tests Are Important Cyber51
Why Penetration Tests Are Important Cyber51
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 
Protecting Mission-Critical Source Code from Application Security Vulnerabili...
Protecting Mission-Critical Source Code from Application Security Vulnerabili...Protecting Mission-Critical Source Code from Application Security Vulnerabili...
Protecting Mission-Critical Source Code from Application Security Vulnerabili...
 

Kürzlich hochgeladen

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 

Kürzlich hochgeladen (20)

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 

SPI Dynamics web application security 101

  • 2. security. protection. intelligence. Q: Where Do Your Current Security Measures Fail? A: Your Proprietary, Custom written Web Applications
  • 3. security. protection. intelligence. Today over 70% of attacks against a company‟s Web site or Web application come at the „Application Layer‟ not the Network or System layer. A complete security solution requires attention at each potential point of attack.
  • 4. security. protection. intelligence. A: Enact policies requiring your developers to write secure code. Q: So how do we remedy this situation? •Verify all request parameters are in proper format (via through a standard library) •Any unknown or incorrect user data should be logged and terminated.
  • 5. security. protection. intelligence. But if you instituted this policy, how would you effectively enforce it? What measures would you have in place to make sure that they comply? “A unenforceable policy, or one with out a process to determine the outlined specifications, is just as good, as no policy at all.”
  • 6. security. protection. intelligence. Q: But I use XYZ Scanner, won’t it discover these types of vulnerabilities? A: No, and this is why.
  • 7. security. protection. intelligence. Where Today’s Security Measures Fail
  • 8. security. protection. intelligence. A: Because other Scanners are a security Broadsword, where ours is a Security Scalpel WebInspectTM is NOT meant to replace any tools that are currently being used, instead it complements them. Q: How can SPI Dynamics do all of this and the others can’t?
  • 10. security. protection. intelligence. WebInspectTM scans the whole site: Web server Web pages Scripts Proprietary applications Cookies Database Server Internet IDS Firewall CC#’s Database Users Database Web Server
  • 11. security. protection. intelligence. WebInspectTM Scans authentication codes Assesses security procedures Carves into confidential data … Just like a hacker would Database Server Internet IDS Firewall CC#’s Database Users Database Web Server
  • 12. security. protection. intelligence. WebInspect™, automates our security expertise so that customers can simulate an advanced web-application attack on their own. WebInspect™ detects holes in both standard and proprietary applications, and crawls over the entire website in search of potential security problems. WebInspect™
  • 13. security. protection. intelligence. WebInspect™ is easy to use. Simply enter the URL of the Web site or Web application you wish to scan and click go. WebInspect™
  • 14. security. protection. intelligence. WebInspect™ is easy to understand. The Vulnerability Report is listed in order of severity and contains HTML links for navigation. WebInspect™
  • 15. security. protection. intelligence. Features & Benefits of WebInspectTM Unique Focus: Your proprietary Web site or Web application Superior Scanning: Products codify our security expertise Extremely Fast: WebInspectTM runs in minutes/ hours vs. days/ weeks it takes to complete traditional vulnerability assessments Automated: Continuously maintain your security integrity Updated: Continuously keep up to date on the latest vulnerabilities with the online update feature Simple & Cost Effective: Licensed per IP address or per consultant Risk-Free: Offered on a trial basis at no cost
  • 16. security. protection. intelligence. How does WebInspectTM do this? Hidden Manipulation Parameter Tampering Cookie Poisoning Stealth Commanding Forceful Browsing Backdoor/Debug Options Configuration Subversion Vendor–Assisted Hacking
  • 17. security. protection. intelligence. The SPI Works Product Suite Use WebInspectTM to assess current Web sites or Web applications. Use WebInspectTM to QA new applications during development prior to release into production. Available now Know your vulnerabilities Use LogAlertTM to audit Web logs to know if an attacker has successfully compromised your Web site or Web application. Use LogAlertTM after you have been attacked for Web log forensic analysis. Available now Know if you have been attacked Use WebDefendTM to proactively stop Web site or Web application intrusions. Available Q2 2002 Proactively stop attacks WebInspect Application Assessment WebDefend Application Intrusion Protection LogAlert Application Log Audit TM TM TM
  • 18. security. protection. intelligence. Our Company Founded in April 2000 by recognized Information Security industry experts Released WebInspectTM in April 2001 HQ in Atlanta, Georgia Resellers in New York, Chicago, Washington D.C., Knoxville, Miami, London SPI serves clients in each of the following vertical industries: HealthCare Insurance Financial Services Government Global Enterprise Consulting
  • 19. security. protection. intelligence. SPI Dynamics is the leading provider of automated Web Application security products. SPI develops “hands-off” security products that contain the knowledge and expertise of an information security professional embedded in the code. The embedded “hacker logic” enables our software to think for the end-user, making their job easier.