SlideShare ist ein Scribd-Unternehmen logo

CSS 17: NYC - Protecting your Web Applications

Als PPTX, PDF herunterladen
Alert Logic
Alert Logic

Presentation from Alert Logic Chief Security Evangelist Stephen Coty at the Cloud Security Summit in NYC on April 26, 2017.

Technologie
1 von 31
WEB APPLICATION SECURITY: PROTECTING YOUR WEB APPLICATION
Threats by Customer Environment Source: Alert Logic 2015 Customer Data 48% 23% 21% 2% 6% CLOUD ATTACKS APPLICATION ATTACK BRUTE FORCE RECON SUSPICIOUS ACTIVITY TROJAN ACTIVITY 25% 47% 10% 11% 7% Brick and Mortar ATTACKS APPLICATION ATTACK BRUTE FORCE RECON SUSPICIOUS ACTIVITY TROJAN ACTIVITY
Web Application Security sqli, 59% openvas, 13% apache_struts, 9% joomlaua, 4% pagerank, 2% havij, 2% magento_sqli, 2% sqli_error, 2% sqlmap, 1% tor, 1% sqli openvas apache_struts joomlaua pagerank havij magento_sqli sqli_error sqlmap tor Source: Alert Logic 2015 Customer Data
SQL Injection Last 60 Days - 041217
Vulnerabilities + Change + Shortage Complexity of defending web applications and workloads Risks are moving up the stack 1. Wide range of attacks at every layer of the stack 2. Rapidly changing codebase can introduces unknown vulnerabilities 3. Long tail of exposures inherited from 3rd party development tools 4. Extreme shortage of cloud and application security expertise Web App Attacks OWASP Top 10 Platform / Library Attacks System / Network Attacks Perimeter & end-point security tools fail to protect cloud attack surface Web Apps Server-side Apps App Frameworks Dev Platforms Server OS Hypervisor Databases Networking Cloud Management
Web Application Security Web Apps Server-side Apps App Frameworks Dev Platforms Server OS Hypervisor Databases Networking Cloud Management
Web Application Vulnerability Example CVE-1999-0278 – in IIS, remote attackers can obtain source code for ASP files by appending “::$DATA” to the URL Patch MS98-003 Web Apps Server-side Apps App Frameworks Dev Platforms Server OS Hypervisor Databases Networking Cloud Management
HACKER RECON METHODS
Hacker Recon Methods Crawling Target Website Mass Vulnerability Crawl Open Forums Dark Web Web Apps Server-side Apps App Frameworks Dev Platforms Server OS Hypervisor Databases Networking Cloud Management
Crawling Target Website • Manual - Browse the website as a normal user - Gather email addresses, related domains and domain info - Web application code language o Revision o Plug-ins - Web server OS - User input pages - Directory structure - Backend systems • Software tools - Find hidden forms, software version, js files, links and comments
Mass Vulnerability Crawl - Example • Google Dorking – (aka Google hacking) Uses the search engine to find difficult information using complex, detailed search queries - Plug in search string to find vulnerable websites - Some have preset search strings - Search results are dynamic - Timing is everything o Target system could be patched o Other hackers got there first
Open Forums - Example • Vulnerability details - Date reported - Type of vulnerability - Platform impacted - Author (not shown) - Verification (time permitting) - Link to infected application (some)
Open Forums – Example
Dark Web • Encrypted network • Restricted access between Tor servers and clients • Collection of DBs and communication channels • Hidden from conventional search engines • Shares some features with Open Forums • Tor browser required • More advanced resources and tools
ATTACK METHODOLOGIES
Attack Methodology • Attack of opportunity - Hacker finds vulnerability within skillset - Target system and organization irrelevant • Targeted attack - Specific to people or organization - System resources • Low cost of entry - Open list of vulnerabilities - Targets easy to find - Hacker’s skill-set varies
Attacks of Opportunity • Vulnerability Database Monitoring • Block Network Vulnerability Scanning • Google Dorking • Shodan • Application Vulnerability Scan
Targeted Attacks • Scanning IP Internet Assets • Application/Network Vulnerability Scan • Careers Page • Research Technologies • Social Media Profiling • Phishing Email • Escalate Privileges • Maintain Access • Exfiltration of Data
Targeted Attacks
FROM WEB APPS TO PRIVILEGED ACCESS
From Web Apps to Privileged Access • How hacking a web app can lead to system compromise - Code analysis o Review of code to reveal unintended system information - System scanning o Other software could have vulnerabilities - Session Hijacking o Exploiting a current, valid session - Social Engineering o Deception used to manipulate behavior
From Web Apps to Privileged Access • Code analysis - Account information o Usernames and passwords o Plain text or hashed - Software tools o Web search o Scan to identify • Usernames & passwords o Brute force to crack encryption o Throttle tools to avoid detection o Offline may be an option
From Web Apps to Privileged Access • Session Hijacking - Obfuscated code o Embedded in images o Mouse-over techniques - Proxy replay - Malicious binary - Session cookies - Java script injection - Cross-site scripting - Routine system maintenance - Bind shell
REMEDIATION STRATEGIES
Secure Your Code • Test inputs that are open to the Internet • Add delays to your code to confuse bots • Use encryption when you can • Test libraries • Scan plugins • Scan your code after every update • Limit privileges • DevSecOps
Create Access Management Policies • Identify data infrastructure that requires access • Define roles and responsibilities • Simplify access controls • Key Management System (KMS) • Continually audit access • Start with a least privilege access model
Adopt a Patch Management Approach • Constantly scan all production systems • Compare reported vulnerabilities to production infrastructure • Classify the risk based on vulnerability and likelihood • Test patches before you release into production • Setup a regular patching schedule • Keep informed, follow bugtraqer • AMI and Golden Images • Reference Architecture, Formation Templates
Understand Your Service Providers Security Model
Security Management and Monitoring Strategy • Monitoring for malicious activity • Scanning Services • Forensic investigations • Compliance needs • System performance • All sources of log data is collected • Data types (OS, CMS, DB, Web) • WAF • Correlation logic • IAM behavior • IDS Network traffic • FIM Logs • Focused security research • Security content creation • Review process • Live monitoring
Follow our Research & Stay Informed on the Latest Vulnerabilities Blog https://www.alertlogtic.com/resources/blog Newsletter https://www.alertlogic.com/weekly-threat-report/ Cloud Security Report https://www.alertlogic.com/resources/cloud-security-report/ Zero Day Magazine https://www.alertlogic.com/zerodaymagazine/ Twitter @AlertLogic @StephenCoty @_PaulFletcher Websites to follow • http://www.securityfocus.com • http://www.exploit-db.com • http://seclists.org/fulldisclosure/ • http://www.securitybloggersnetwork.com/ • http://cve.mitre.org/ • http://nvd.nist.gov/
Thank you.

Empfohlen

CSS 17: NYC - Building Secure Solutions in AWS
CSS 17: NYC - Building Secure Solutions in AWSCSS 17: NYC - Building Secure Solutions in AWS
CSS 17: NYC - Building Secure Solutions in AWSAlert Logic
 
CSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the CloudCSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the CloudAlert Logic
 
Shared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure CloudShared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure CloudAlert Logic
 
CSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOCCSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOCAlert Logic
 
CSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsCSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsAlert Logic
 
CSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model OverviewCSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model OverviewAlert Logic
 
CSS 17: NYC - The AWS Shared Responsibility Model in Practice
CSS 17: NYC - The AWS Shared Responsibility Model in PracticeCSS 17: NYC - The AWS Shared Responsibility Model in Practice
CSS 17: NYC - The AWS Shared Responsibility Model in PracticeAlert Logic
 
Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsAlert Logic
 

Empfohlen

CSS 17: NYC - Building Secure Solutions in AWS
CSS 17: NYC - Building Secure Solutions in AWSCSS 17: NYC - Building Secure Solutions in AWS
CSS 17: NYC - Building Secure Solutions in AWSAlert Logic
 
CSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the CloudCSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the CloudAlert Logic
 
Shared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure CloudShared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure CloudAlert Logic
 
CSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOCCSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOCAlert Logic
 
CSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsCSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsAlert Logic
 
CSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model OverviewCSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model OverviewAlert Logic
 
CSS 17: NYC - The AWS Shared Responsibility Model in Practice
CSS 17: NYC - The AWS Shared Responsibility Model in PracticeCSS 17: NYC - The AWS Shared Responsibility Model in Practice
CSS 17: NYC - The AWS Shared Responsibility Model in PracticeAlert Logic
 
Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsAlert Logic
 
Protecting Against Web Attacks
Protecting Against Web AttacksProtecting Against Web Attacks
Protecting Against Web AttacksAlert Logic
 
Protecting Against Web App Attacks
Protecting Against Web App AttacksProtecting Against Web App Attacks
Protecting Against Web App AttacksAlert Logic
 
Govern Your Cloud: The Foundation for Success
Govern Your Cloud: The Foundation for SuccessGovern Your Cloud: The Foundation for Success
Govern Your Cloud: The Foundation for SuccessAlert Logic
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Alert Logic
 
Css sf azure_8-9-17-stories_from_the_soc_paul fletcher_al
Css sf azure_8-9-17-stories_from_the_soc_paul fletcher_alCss sf azure_8-9-17-stories_from_the_soc_paul fletcher_al
Css sf azure_8-9-17-stories_from_the_soc_paul fletcher_alAlert Logic
 
CSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the CloudCSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the CloudAlert Logic
 
Best Practices in Cloud Security
Best Practices in Cloud SecurityBest Practices in Cloud Security
Best Practices in Cloud SecurityAlert Logic
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alCss sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alAlert Logic
 
CSS17: Houston - Stories from the Security Operations Center
CSS17: Houston - Stories from the Security Operations CenterCSS17: Houston - Stories from the Security Operations Center
CSS17: Houston - Stories from the Security Operations CenterAlert Logic
 
Azure Security Fundamentals
Azure Security FundamentalsAzure Security Fundamentals
Azure Security FundamentalsLorenzo Barbieri
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOpsAlert Logic
 
Managed Threat Detection and Response
Managed Threat Detection and ResponseManaged Threat Detection and Response
Managed Threat Detection and ResponseAlert Logic
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the CloudAlert Logic
 
CSS17: Atlanta - Realities of Security in the Cloud
CSS17: Atlanta - Realities of Security in the CloudCSS17: Atlanta - Realities of Security in the Cloud
CSS17: Atlanta - Realities of Security in the CloudAlert Logic
 
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_alCss sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_alAlert Logic
 
Azure Security Center- Zero to Hero
Azure Security Center- Zero to HeroAzure Security Center- Zero to Hero
Azure Security Center- Zero to HeroKasun Rajapakse
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Alert Logic
 
Microsoft Azure Security Overview
Microsoft Azure Security OverviewMicrosoft Azure Security Overview
Microsoft Azure Security OverviewAlert Logic
 
CSS17: DC - The AWS Shared Responsibility Model in Practice
CSS17: DC - The AWS Shared Responsibility Model in PracticeCSS17: DC - The AWS Shared Responsibility Model in Practice
CSS17: DC - The AWS Shared Responsibility Model in PracticeAlert Logic
 
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msftCss sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msftAlert Logic
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017TriNimbus
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxAnurag Srivastava
 

Weitere ähnliche Inhalte

Was ist angesagt?

Protecting Against Web Attacks
Protecting Against Web AttacksProtecting Against Web Attacks
Protecting Against Web AttacksAlert Logic
 
Protecting Against Web App Attacks
Protecting Against Web App AttacksProtecting Against Web App Attacks
Protecting Against Web App AttacksAlert Logic
 
Govern Your Cloud: The Foundation for Success
Govern Your Cloud: The Foundation for SuccessGovern Your Cloud: The Foundation for Success
Govern Your Cloud: The Foundation for SuccessAlert Logic
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Alert Logic
 
Css sf azure_8-9-17-stories_from_the_soc_paul fletcher_al
Css sf azure_8-9-17-stories_from_the_soc_paul fletcher_alCss sf azure_8-9-17-stories_from_the_soc_paul fletcher_al
Css sf azure_8-9-17-stories_from_the_soc_paul fletcher_alAlert Logic
 
CSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the CloudCSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the CloudAlert Logic
 
Best Practices in Cloud Security
Best Practices in Cloud SecurityBest Practices in Cloud Security
Best Practices in Cloud SecurityAlert Logic
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alCss sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alAlert Logic
 
CSS17: Houston - Stories from the Security Operations Center
CSS17: Houston - Stories from the Security Operations CenterCSS17: Houston - Stories from the Security Operations Center
CSS17: Houston - Stories from the Security Operations CenterAlert Logic
 
Azure Security Fundamentals
Azure Security FundamentalsAzure Security Fundamentals
Azure Security FundamentalsLorenzo Barbieri
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOpsAlert Logic
 
Managed Threat Detection and Response
Managed Threat Detection and ResponseManaged Threat Detection and Response
Managed Threat Detection and ResponseAlert Logic
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the CloudAlert Logic
 
CSS17: Atlanta - Realities of Security in the Cloud
CSS17: Atlanta - Realities of Security in the CloudCSS17: Atlanta - Realities of Security in the Cloud
CSS17: Atlanta - Realities of Security in the CloudAlert Logic
 
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_alCss sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_alAlert Logic
 
Azure Security Center- Zero to Hero
Azure Security Center- Zero to HeroAzure Security Center- Zero to Hero
Azure Security Center- Zero to HeroKasun Rajapakse
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Alert Logic
 
Microsoft Azure Security Overview
Microsoft Azure Security OverviewMicrosoft Azure Security Overview
Microsoft Azure Security OverviewAlert Logic
 
CSS17: DC - The AWS Shared Responsibility Model in Practice
CSS17: DC - The AWS Shared Responsibility Model in PracticeCSS17: DC - The AWS Shared Responsibility Model in Practice
CSS17: DC - The AWS Shared Responsibility Model in PracticeAlert Logic
 
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msftCss sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msftAlert Logic
 

Was ist angesagt? (20)

Protecting Against Web Attacks
Protecting Against Web AttacksProtecting Against Web Attacks
Protecting Against Web Attacks
 
Protecting Against Web App Attacks
Protecting Against Web App AttacksProtecting Against Web App Attacks
Protecting Against Web App Attacks
 
Govern Your Cloud: The Foundation for Success
Govern Your Cloud: The Foundation for SuccessGovern Your Cloud: The Foundation for Success
Govern Your Cloud: The Foundation for Success
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials
 
Css sf azure_8-9-17-stories_from_the_soc_paul fletcher_al
Css sf azure_8-9-17-stories_from_the_soc_paul fletcher_alCss sf azure_8-9-17-stories_from_the_soc_paul fletcher_al
Css sf azure_8-9-17-stories_from_the_soc_paul fletcher_al
 
CSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the CloudCSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the Cloud
 
Best Practices in Cloud Security
Best Practices in Cloud SecurityBest Practices in Cloud Security
Best Practices in Cloud Security
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alCss sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
 
CSS17: Houston - Stories from the Security Operations Center
CSS17: Houston - Stories from the Security Operations CenterCSS17: Houston - Stories from the Security Operations Center
CSS17: Houston - Stories from the Security Operations Center
 
Azure Security Fundamentals
Azure Security FundamentalsAzure Security Fundamentals
Azure Security Fundamentals
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOps
 
Managed Threat Detection and Response
Managed Threat Detection and ResponseManaged Threat Detection and Response
Managed Threat Detection and Response
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
CSS17: Atlanta - Realities of Security in the Cloud
CSS17: Atlanta - Realities of Security in the CloudCSS17: Atlanta - Realities of Security in the Cloud
CSS17: Atlanta - Realities of Security in the Cloud
 
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_alCss sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_al
 
Azure Security Center- Zero to Hero
Azure Security Center- Zero to HeroAzure Security Center- Zero to Hero
Azure Security Center- Zero to Hero
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials
 
Microsoft Azure Security Overview
Microsoft Azure Security OverviewMicrosoft Azure Security Overview
Microsoft Azure Security Overview
 
CSS17: DC - The AWS Shared Responsibility Model in Practice
CSS17: DC - The AWS Shared Responsibility Model in PracticeCSS17: DC - The AWS Shared Responsibility Model in Practice
CSS17: DC - The AWS Shared Responsibility Model in Practice
 
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msftCss sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
 

Ähnlich wie CSS 17: NYC - Protecting your Web Applications

Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017TriNimbus
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxAnurag Srivastava
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the CloudSecurity Innovation
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself Alert Logic
 
Make your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More SafeMake your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More SafeThuan Ng
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile WorldDavid Lindner
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessmentRavikumar Paghdal
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Azure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudAzure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudPaulo Renato
 
Oracle database threats - LAOUC Webinar
Oracle database threats - LAOUC WebinarOracle database threats - LAOUC Webinar
Oracle database threats - LAOUC WebinarOsama Mustafa
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
Threat_Modelling.pdf
Threat_Modelling.pdfThreat_Modelling.pdf
Threat_Modelling.pdfMarlboroAbyad
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxkarthikvcyber
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecLalit Kale
 

Ähnlich wie CSS 17: NYC - Protecting your Web Applications (20)

Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptx
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the Cloud
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself
 
Make your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More SafeMake your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More Safe
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessment
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Azure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudAzure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure Cloud
 
Oracle database threats - LAOUC Webinar
Oracle database threats - LAOUC WebinarOracle database threats - LAOUC Webinar
Oracle database threats - LAOUC Webinar
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Security testautomation
Security testautomationSecurity testautomation
Security testautomation
 
Threat_Modelling.pdf
Threat_Modelling.pdfThreat_Modelling.pdf
Threat_Modelling.pdf
 
Security testing
Security testingSecurity testing
Security testing
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptx
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 

Mehr von Alert Logic

Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the CloudAlert Logic
 
Reducing Your Attack Surface
Reducing Your Attack SurfaceReducing Your Attack Surface
Reducing Your Attack SurfaceAlert Logic
 
Reality Check: Security in the Cloud
Reality Check: Security in the CloudReality Check: Security in the Cloud
Reality Check: Security in the CloudAlert Logic
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOpsAlert Logic
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeAlert Logic
 
Security Spotlight: Presidio
Security Spotlight: PresidioSecurity Spotlight: Presidio
Security Spotlight: PresidioAlert Logic
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeAlert Logic
 
Security Spotlight: Rent-A-Center
Security Spotlight: Rent-A-CenterSecurity Spotlight: Rent-A-Center
Security Spotlight: Rent-A-CenterAlert Logic
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionAlert Logic
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the CloudAlert Logic
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOpsAlert Logic
 
Security Spotlight: Presidio
Security Spotlight: PresidioSecurity Spotlight: Presidio
Security Spotlight: PresidioAlert Logic
 
Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the CloudAlert Logic
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionAlert Logic
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the CloudAlert Logic
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeAlert Logic
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the CloudAlert Logic
 
The Intersection of Security and DevOps
The Intersection of Security and DevOpsThe Intersection of Security and DevOps
The Intersection of Security and DevOpsAlert Logic
 
Security Spotlight: The Coca Cola Company
Security Spotlight: The Coca Cola CompanySecurity Spotlight: The Coca Cola Company
Security Spotlight: The Coca Cola CompanyAlert Logic
 

Mehr von Alert Logic (20)

Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the Cloud
 
Reducing Your Attack Surface
Reducing Your Attack SurfaceReducing Your Attack Surface
Reducing Your Attack Surface
 
Reality Check: Security in the Cloud
Reality Check: Security in the CloudReality Check: Security in the Cloud
Reality Check: Security in the Cloud
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOps
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
Security Spotlight: Presidio
Security Spotlight: PresidioSecurity Spotlight: Presidio
Security Spotlight: Presidio
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
Security Spotlight: Rent-A-Center
Security Spotlight: Rent-A-CenterSecurity Spotlight: Rent-A-Center
Security Spotlight: Rent-A-Center
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOps
 
Security Spotlight: Presidio
Security Spotlight: PresidioSecurity Spotlight: Presidio
Security Spotlight: Presidio
 
Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the Cloud
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
CSS 2018 Trivia
CSS 2018 TriviaCSS 2018 Trivia
CSS 2018 Trivia
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
The Intersection of Security and DevOps
The Intersection of Security and DevOpsThe Intersection of Security and DevOps
The Intersection of Security and DevOps
 
Security Spotlight: The Coca Cola Company
Security Spotlight: The Coca Cola CompanySecurity Spotlight: The Coca Cola Company
Security Spotlight: The Coca Cola Company
 

Kürzlich hochgeladen

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 

Kürzlich hochgeladen (20)

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 

CSS 17: NYC - Protecting your Web Applications

  • 2. Threats by Customer Environment Source: Alert Logic 2015 Customer Data 48% 23% 21% 2% 6% CLOUD ATTACKS APPLICATION ATTACK BRUTE FORCE RECON SUSPICIOUS ACTIVITY TROJAN ACTIVITY 25% 47% 10% 11% 7% Brick and Mortar ATTACKS APPLICATION ATTACK BRUTE FORCE RECON SUSPICIOUS ACTIVITY TROJAN ACTIVITY
  • 3. Web Application Security sqli, 59% openvas, 13% apache_struts, 9% joomlaua, 4% pagerank, 2% havij, 2% magento_sqli, 2% sqli_error, 2% sqlmap, 1% tor, 1% sqli openvas apache_struts joomlaua pagerank havij magento_sqli sqli_error sqlmap tor Source: Alert Logic 2015 Customer Data
  • 4. SQL Injection Last 60 Days - 041217
  • 5. Vulnerabilities + Change + Shortage Complexity of defending web applications and workloads Risks are moving up the stack 1. Wide range of attacks at every layer of the stack 2. Rapidly changing codebase can introduces unknown vulnerabilities 3. Long tail of exposures inherited from 3rd party development tools 4. Extreme shortage of cloud and application security expertise Web App Attacks OWASP Top 10 Platform / Library Attacks System / Network Attacks Perimeter & end-point security tools fail to protect cloud attack surface Web Apps Server-side Apps App Frameworks Dev Platforms Server OS Hypervisor Databases Networking Cloud Management
  • 6. Web Application Security Web Apps Server-side Apps App Frameworks Dev Platforms Server OS Hypervisor Databases Networking Cloud Management
  • 7. Web Application Vulnerability Example CVE-1999-0278 – in IIS, remote attackers can obtain source code for ASP files by appending “::$DATA” to the URL Patch MS98-003 Web Apps Server-side Apps App Frameworks Dev Platforms Server OS Hypervisor Databases Networking Cloud Management
  • 9. Hacker Recon Methods Crawling Target Website Mass Vulnerability Crawl Open Forums Dark Web Web Apps Server-side Apps App Frameworks Dev Platforms Server OS Hypervisor Databases Networking Cloud Management
  • 10. Crawling Target Website • Manual - Browse the website as a normal user - Gather email addresses, related domains and domain info - Web application code language o Revision o Plug-ins - Web server OS - User input pages - Directory structure - Backend systems • Software tools - Find hidden forms, software version, js files, links and comments
  • 11. Mass Vulnerability Crawl - Example • Google Dorking – (aka Google hacking) Uses the search engine to find difficult information using complex, detailed search queries - Plug in search string to find vulnerable websites - Some have preset search strings - Search results are dynamic - Timing is everything o Target system could be patched o Other hackers got there first
  • 12. Open Forums - Example • Vulnerability details - Date reported - Type of vulnerability - Platform impacted - Author (not shown) - Verification (time permitting) - Link to infected application (some)
  • 13. Open Forums – Example
  • 14. Dark Web • Encrypted network • Restricted access between Tor servers and clients • Collection of DBs and communication channels • Hidden from conventional search engines • Shares some features with Open Forums • Tor browser required • More advanced resources and tools
  • 16. Attack Methodology • Attack of opportunity - Hacker finds vulnerability within skillset - Target system and organization irrelevant • Targeted attack - Specific to people or organization - System resources • Low cost of entry - Open list of vulnerabilities - Targets easy to find - Hacker’s skill-set varies
  • 17. Attacks of Opportunity • Vulnerability Database Monitoring • Block Network Vulnerability Scanning • Google Dorking • Shodan • Application Vulnerability Scan
  • 18. Targeted Attacks • Scanning IP Internet Assets • Application/Network Vulnerability Scan • Careers Page • Research Technologies • Social Media Profiling • Phishing Email • Escalate Privileges • Maintain Access • Exfiltration of Data
  • 20. FROM WEB APPS TO PRIVILEGED ACCESS
  • 21. From Web Apps to Privileged Access • How hacking a web app can lead to system compromise - Code analysis o Review of code to reveal unintended system information - System scanning o Other software could have vulnerabilities - Session Hijacking o Exploiting a current, valid session - Social Engineering o Deception used to manipulate behavior
  • 22. From Web Apps to Privileged Access • Code analysis - Account information o Usernames and passwords o Plain text or hashed - Software tools o Web search o Scan to identify • Usernames & passwords o Brute force to crack encryption o Throttle tools to avoid detection o Offline may be an option
  • 23. From Web Apps to Privileged Access • Session Hijacking - Obfuscated code o Embedded in images o Mouse-over techniques - Proxy replay - Malicious binary - Session cookies - Java script injection - Cross-site scripting - Routine system maintenance - Bind shell
  • 25. Secure Your Code • Test inputs that are open to the Internet • Add delays to your code to confuse bots • Use encryption when you can • Test libraries • Scan plugins • Scan your code after every update • Limit privileges • DevSecOps
  • 26. Create Access Management Policies • Identify data infrastructure that requires access • Define roles and responsibilities • Simplify access controls • Key Management System (KMS) • Continually audit access • Start with a least privilege access model
  • 27. Adopt a Patch Management Approach • Constantly scan all production systems • Compare reported vulnerabilities to production infrastructure • Classify the risk based on vulnerability and likelihood • Test patches before you release into production • Setup a regular patching schedule • Keep informed, follow bugtraqer • AMI and Golden Images • Reference Architecture, Formation Templates
  • 28. Understand Your Service Providers Security Model
  • 29. Security Management and Monitoring Strategy • Monitoring for malicious activity • Scanning Services • Forensic investigations • Compliance needs • System performance • All sources of log data is collected • Data types (OS, CMS, DB, Web) • WAF • Correlation logic • IAM behavior • IDS Network traffic • FIM Logs • Focused security research • Security content creation • Review process • Live monitoring
  • 30. Follow our Research & Stay Informed on the Latest Vulnerabilities Blog https://www.alertlogtic.com/resources/blog Newsletter https://www.alertlogic.com/weekly-threat-report/ Cloud Security Report https://www.alertlogic.com/resources/cloud-security-report/ Zero Day Magazine https://www.alertlogic.com/zerodaymagazine/ Twitter @AlertLogic @StephenCoty @_PaulFletcher Websites to follow • http://www.securityfocus.com • http://www.exploit-db.com • http://seclists.org/fulldisclosure/ • http://www.securitybloggersnetwork.com/ • http://cve.mitre.org/ • http://nvd.nist.gov/

Hinweis der Redaktion

  1. Why are web apps the #1 source of breaches? It starts with the complexity of your app and infrastructure stack. Applications are becoming more complex due to requirements for user and system interaction, the insatiable need for innovative capabilities, and usage of open source and 3rd party libraries. They are continually developed and deployed, and they are no longer ring fenced by traditional firewalls. Cloud-based applications gain the benefit of sitting within more hardened environments – a good thing for risk reduction. But as Cloud service providers are tightening, hardening, and integrating controls at the bottom of the stack, attackers are now capitalizing on the paths of least resistance – the more dynamic, more interconnected, more complex apps…that are inherently more exposed. And they are using more sophisticated methods that leverage multiple layers of the stack, and often times use methods that look like legitimate transactions. Why are these apps hard to protect from the swath of methods used to gain access? Wide range of attacks at every layer of the stack Rapidly changing codebase introduces unknown vulnerabilities Long tail of exposures inherited from 3rd party development tools Extreme shortage of cloud and application security expertise Discovery: (If app audience) Which of these components are in your application portfolio? How often are you scanning and patching vulnerabilities in your components/libraries? (if opps audience) How often do you assess your application portfolio for exposures in both code and configurations? Are you satisfied that development teams are continually assessing their code and patching/rewriting as new vulnerabilities are published? How are you protecting your applications today? How often are you releasing new code? What’s the outlook for your adding staff to secure your application workloads and web apps?
  2. Have portal to have technologies that link to each layer that we cover.
  3. The search results are dynamic, so they are always changing. When an attacker attempts to hack the vulnerable website it’s possible that the website has already installed the patch for this exploit. This is something that can be quickly identified and the hacker can easily move down the list of search results for the next target. It’s also possible that another hacker has already compromised that system and has locked other attackers (and administrators) out of the system. So a major challenge in the hacking community is not only whether they can exploit these vulnerabilities before they are patched, but also whether you can exploit the vulnerability before other hackers.
  4. Discussion behind motivations is important Risks of deploying Web Applications or using SaaS in the Cloud
  5. Use this slide to tee up Paul and tye an example with detection that matches these stages
  6. Video – This video is an example of a Word Press XML-RPC attack. Narrative – The attacker checks to see if XML-RPC is enabled (it’s on by default since WP 3.5). The attacker then opens MetaSploit, searches and finds the exploit to run. Runs the command on the target website and brute forces the admin account password, then gains privileged access to the website. Length – 2:23 Hacking a web application allows an attacker to compromise the functionality of the application, but that doesn’t mean they’ve compromised the system. How can a hacker gain privileged system access by exploiting web applications? This slide includes a video, for the full version to go: https://alertlogic-my.sharepoint.com/personal/scoty_alertlogic_com/_layouts/15/WopiFrame2.aspx?sourcedoc=%7Be9d0eb83-288d-494c-8fc0-60ee0ebbcf04%7D&action=default
  7. Privilege account information may be in plain text or may be listed in a hashed format. Information about privileged accounts may also be found using a simple web search or using software tools. If usernames and passwords are identified, but they are hashed/encrypted, then brute force software can be used to crack the encryption.
  8. Video – This video is an example of an attacker getting privileged access via remote shell. Narrative – The attacker starts by using WP Scan (highlights configuration info) to gather system data. The attacker then opens MetaSploit, searches and finds the exploit to run. Runs the command on the target website and brute forces the admin account password. The attacker now runs the exploit using the stolen credentials on the target website. Delivers the payload, finds the open TCP port to communicate with the target website. Starts the session, runs the exploit and gains privileged access using a remote shell. Length – 3:10 Session hijacking is the exploitation of a current and valid session to gain unauthorized access. There are many types of session hijacking techniques. This slide includes a video, for the full version to go: https://alertlogic-my.sharepoint.com/personal/scoty_alertlogic_com/_layouts/15/WopiFrame2.aspx?sourcedoc=%7Be9d0eb83-288d-494c-8fc0-60ee0ebbcf04%7D&action=default
  9. User account behavior, system account behavior, network traffic flow baseline