This document discusses various security topics including application security, injection vulnerabilities, infrastructure security, and developing a security strategy and plan. It covers the Open Web Application Security Project (OWASP) top 10 risks, examples of SQL and OS injection vulnerabilities, mitigation techniques like input validation and web application firewalls, and approaches to infrastructure security like preventing DDoS attacks and unauthorized access. The importance of continuous improvement, monitoring, and prioritizing security is emphasized.
2. Why is security important ?
● Data security : protect users who use your website
● Network security : protect your infrastructure from DOS, Spyware & unintended misuse.
Source : http://breachlevelindex.com/
3. Application Security
● What is OWASP top 10 ?
○ Open Web Application Security Project
○ Focus on making security visible
○ Help organizations take informed decisions
○ Top 10 most critical application security risks
○ Available at http://www.owasp.org
4. How OWASP helps?
● Check if your application is vulnerable
● Sample attack patterns
● Prevention guidelines
● What is the Business impact?
○ sell it to your investors
Most critical vulnerability in 2017 : Injection
5. SQL / NoSQL injection
Query in code : String sql = "SELECT * FROM USERS WHERE USERID='" + request.getParameter("id") + "'";
App url : http://mywebsite.com/app/userView?id=123' or '1'='1
Query which gets executed : SELECT * FROM USERS WHERE USERID='123' or '1'='1'
(the quote in the id parameter closes the string literal, so the rest of the input becomes SQL and the WHERE clause is always true)
What if someone is able to execute
SELECT * FROM USERS WHERE USERID='123'; DROP TABLE USERS;
6. OS Command injection
Code : delete.php
<?php
// filename is taken straight from the query string and passed to a shell
$file = $_GET['filename'];
system("rm $file");
?>
URL : http://mywebsite.com/delete.php?filename=abc;ls -l
What if the attacker runs :
URL : http://mywebsite.com/delete.php?filename=abc;cat dbconfig.php
8. Injection : Story
Vulnerabilities exploited
● file upload
● sql injections
Attacker uploaded webshell
get yours at https://github.com/JohnTroony/php-webshells.git
shell used : c99_locus7s.php
● what did the attacker get ?
● how was the attacker discovered ?
9. Mitigating injections
● Check user input
○ type check : string, int, float
○ format check : ip address, email
● Web application firewall
○ 3rd party tool
○ WAF by AWS / Akamai
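As an added example (not code from the deck), the concatenated query from slide 5 next to a parameterized one, plus the type and format checks from slide 9, written in Python against a constructed two-row sqlite table; the table contents, the helper names and the regexes are assumptions for illustration.

```python
import ipaddress
import re
import sqlite3

def make_db():
    # Constructed sample data: two fake users in an in-memory database.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE USERS (USERID TEXT, EMAIL TEXT)")
    con.executemany("INSERT INTO USERS VALUES (?, ?)",
                    [("123", "alice@example.com"), ("456", "bob@example.com")])
    return con

def lookup_vulnerable(con, user_id):
    # Same pattern as the deck's Java snippet: user text is spliced into the SQL,
    # so a quote in user_id ends the literal and the rest is parsed as SQL.
    sql = "SELECT * FROM USERS WHERE USERID='" + user_id + "'"
    return con.execute(sql).fetchall()

def lookup_parameterized(con, user_id):
    # The driver sends the value separately from the statement text, so the
    # whole input is compared as one string and "' or '1'='1" matches nothing.
    return con.execute("SELECT * FROM USERS WHERE USERID=?", (user_id,)).fetchall()

# Input checks from the "Check user input" slide: reject before the value
# reaches a query or a shell, instead of trying to escape it afterwards.
def is_int(value):
    return re.fullmatch(r"-?\d+", value) is not None

def is_email(value):
    return re.fullmatch(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}", value) is not None

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    db = make_db()
    payload = "123' or '1'='1"
    print("concatenated:", lookup_vulnerable(db, payload))    # every row leaks
    print("parameterized:", lookup_parameterized(db, payload))  # no rows
    print("is_int:", is_int(payload), "is_ip:", is_ip("abc;ls -l"))
```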
10. Network / Infrastructure security
● DDOS
○ Personal experience story
○ Letsbuy DDOS attack
■ SYN flooding
○ How was it mitigated ?
● Common solutions to DDOS
○ Reverse proxy
○ IP Blocking ?
○ Paid solutions - Akamai / AWS
13. Application security plan
● Keep a lookout for the latest security vulnerabilities
○ OWASP top 10
● Collect and analyze all data
○ ELK ?
○ Know your users
○ Anomaly alerts based on Traffic / Database query
● Get WAF (specifically startups)
○ Progressive tuning required
● Black Box / gray box scanning
○ On premise tool : Acunetix web application vulnerability scanner
○ 3rd party black box scans at regular intervals
14. Infrastructure security plan
● DDOS prevention strategy
○ AWS / Firewall / Akamai
● DNS attacks
○ DNS DOS attack
○ SYN Flooding
○ DNS hijacking
● Protect your DNS
○ Use better DNS provider
○ Ultra DNS
○ Route 53
15. Can I handle phishing ?
● Replica websites
○ Have you received phishing mails of hdfc / icici bank ?
● Strategy to detect phishing
○ Honeypot
○ Logging / monitoring
16. Continuous improvement plan
● Change organization culture
● Code review : is this code secure ?
● Security roadmap
● Track progress at regular intervals
○ JIRA Epic
○ Prioritization