This document discusses common web security threats and how to defend against them. It begins by introducing common threats like injection attacks, authentication issues, and sensitive data exposure. It then details the OWASP Top 10 list of most critical web application security risks, which include injection, cross-site scripting, insecure object references, and more. The document recommends defenses like input validation, access control, encryption, and keeping systems up to date. It emphasizes that attacks usually combine multiple vulnerabilities and simplicity is key to security. Useful tools for analyzing threats are also presented.
27. 28
• Commercial proxy,
scanning, pentest tool
• Very capable free
version available
• Inspect traffic,
manipulate headers and
content, …
• Made in Knutsford!
BurpSuite
http://portswigger.net/burp
39. 40
40
Protect Valuable Information
Defence in depth – assume perimeter breach
• Encrypt messaging as standard
• Consider database encryption
• Consider file or filesystem encryption
However encryption complicates using the data
• Slows everything down
• Can you query while encrypted?
• Message routing on sensitive fields (in headers)
• How do you manage and rotate the keys?
• What about restore on disaster recovery?
http://getacoder.com
http://slate.com