Basics Of Web Application Security
Presented By: Sudip Pudasaini
Date: 14th Oct, 2015
Objectives
• Introduction to Web Application Security
• History of Security Flaws
• Vulnerabilities in Web Applications
• Introduction to OWASP
• OWASP Top Ten 2010 & 2013
• Security Testing Taxonomy
• Benefits of Security Testing
• Q & A
Web Application Security
Overview:
• What is Web Application Security?
• Network Security & Web Security
• Why web application firewalls are not a complete web application security solution
• How to secure websites and web applications

Web Application Security
• Information Security
• Security of websites, web applications and web services
• Network Security
Web Application Security
Network Security:
• Build perimeter defenses
• Block unwanted traffic and activities
• Allow legitimate traffic in
Web Security:
• Allow port 80 and port 443 traffic in
• Hope everyone plays by the rules
Web Application Security
• Why are web application firewalls not a complete web application security solution?
  A firewall does not analyze request parameters and traffic.
  A firewall does not check for vulnerabilities in the web application.
  A firewall won't fix security holes in web applications.
  A firewall is not immune to attacks.
• But what does it do?
  Analyzes incoming web traffic.
  Allows legitimate traffic only.
  Delays attacks.
  A WAF was bypassed in 2009 by OWASP.
How to secure web applications?
• Train developers to write secure code.
• Developers should be able to check their applications for security issues.
• Thorough application testing.
• Once online, web applications still need to be constantly checked for vulnerabilities.
• But constant checking can be a lengthy and expensive process.
• Manual testing tends to miss inputs and parameters.
Vulnerabilities on Web App
• Title: Short but explicit description of the feature.
• Narrative: A short narrative describing the who, what and why of the feature. User story syntax is common: "In order to add entries, as a user, I can add an entry."
• Scenario: Descriptions of specific cases for the narrative, with the following:
  • The initial condition that is true.
  • The expected outcomes.
  • Use the Given, When, and Then identifiers.
History of Security Threats
1943: French computer expert René Carmille hacked punched cards.
1979: The first computer worm is created at Xerox's Palo Alto Research Center.
2001: The Code Red worm causes $2 billion in damage by infecting Microsoft Windows NT and 2000 server software.
2007: The Storm worm (actually a Trojan) is sent to unsuspecting individuals via email.
2009: The Conficker (Downadup/Kido) worm, best known for stealing technical data and passwords from web servers.
2011: The Ramnit virus is used to steal over 45,000 passwords on Facebook.
OWASP
Open Web Application Security Project
Founded: December 2, 2001
Founders: Mark Curphey, Dennis Groves
Not-for-profit charitable organization in the US
Open community
Core Values:
• OPEN: Everything at OWASP is radically transparent, from our finances to our code.
• INNOVATION: OWASP encourages and supports innovation and experiments for solutions to software security challenges.
• GLOBAL: Anyone around the world is encouraged to participate in the OWASP community.
• INTEGRITY: OWASP is an honest and truthful, vendor-neutral, global community.
OWASP Top 10 2013

A1 - Injection
The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
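The point above is easiest to see with the two ways of building the same database query side by side. The following is an added example, not code from the presentation: the in-memory SQLite table, the user names and the hostile input are all constructed for it. The unsafe function splices the user-supplied name into the statement text; the safe one binds it as a parameter, so the interpreter only ever treats it as a value.

```python
import sqlite3

# Constructed sample table; the rows and the hostile input below are made
# up for this example and are not from the original presentation.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn

def find_user_unsafe(conn, name):
    # The A1 flaw: untrusted text is spliced into the statement, so the SQL
    # interpreter cannot tell where the data ends and the command resumes.
    statement = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(statement)]

def find_user_safe(conn, name):
    # Parameterised query: the value is bound separately from the statement
    # text and is only ever compared as a string, never parsed as SQL.
    rows = conn.execute("SELECT name FROM users WHERE name = ? ORDER BY id", (name,))
    return [row[0] for row in rows]

def compare(name):
    """Run the same lookup through both versions and return both results."""
    conn = make_db()
    return {
        "unsafe": find_user_unsafe(conn, name),
        "safe": find_user_safe(conn, name),
    }

if __name__ == "__main__":
    print(compare("bob"))            # both versions return ['bob']
    print(compare("x' OR '1'='1"))   # unsafe returns every row, safe returns []
```

For an ordinary name both functions agree. For the constructed hostile value the unsafe version returns the whole table, because the quote in the input closed the string literal and the rest became part of the WHERE clause; the parameterised version returns nothing, since no user is literally named that. The fix is the same in every language: never concatenate untrusted data into statement text.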
A2 – Broken Authentication & Session Management
• User authentication credentials aren’t protected with hashing or encryption when stored.
• Credentials can be guessed or overwritten.
• Session IDs are exposed in the URL (e.g., URL rewriting).
• Session IDs aren’t rotated after successful login.
• Passwords, session IDs, and other credentials are sent over unencrypted connections.
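Three of the bullets above have direct counterparts in code: how credentials are stored, what happens to the session ID at login, and how the ID travels. The example below is added here and is not the presentation's code; the in-memory dictionaries stand in for a database, and the PBKDF2 round count is an assumed value chosen for the demonstration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores standing in for a database (not the
# presentation's code). PBKDF2_ROUNDS is an assumed value for this demo.
USERS = {}      # username -> (salt, pbkdf2 digest)
SESSIONS = {}   # session id -> {"user": username or None}
PBKDF2_ROUNDS = 100_000

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

def register(username, password):
    # Store only a per-user salted, deliberately slow hash; the plaintext
    # is never kept, so a stolen table does not yield passwords directly.
    salt = os.urandom(16)
    USERS[username] = (salt, _derive(password, salt))

def verify_password(username, password):
    record = USERS.get(username)
    if record is None:
        return False
    salt, digest = record
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(_derive(password, salt), digest)

def new_session():
    # Pre-login session with an unguessable id not derived from anything the user chose.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None}
    return sid

def login(sid, username, password):
    """Return a fresh session id on success, or None if the credentials are wrong."""
    if not verify_password(username, password):
        return None
    # Rotate the id on privilege change: the pre-login id is invalidated, so
    # an id fixed or observed before authentication is worthless afterwards.
    SESSIONS.pop(sid, None)
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = {"user": username}
    return new_sid

def session_cookie(sid):
    # Carry the id in a cookie rather than the URL, marked HttpOnly (no script
    # access) and Secure (never sent over plain HTTP).
    return f"sessionid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"
```

Note that a failed login leaves the anonymous session untouched, while a successful one discards it and issues a new ID; the cookie attributes address the URL-exposure and unencrypted-connection bullets.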
A3 – Cross Site Scripting
• XSS is the most prevalent web application security flaw.
• Attackers send text-based attack scripts that exploit the interpreter in the browser.
Impact:
Attackers can execute scripts in a victim’s browser to hijack user sessions, deface web sites, insert hostile content, redirect users, hijack the user’s browser using malware, etc.
e.g. <script>alert(document.cookie);</script>
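The defence against the slide's example is output encoding at the point where untrusted text is written into the page. The following is an added example, not code from the presentation: it renders a constructed comment both ways and, as a second case the slide does not show, a link, where escaping alone is not enough because a `javascript:` URL contains no characters that `html.escape` would touch.

```python
import html
import re
from urllib.parse import urlsplit

def render_comment_unsafe(author, text):
    # The A3 flaw: untrusted input is written into the page verbatim, so the
    # browser parses any markup inside it as part of the page.
    return f"<li><b>{author}</b>: {text}</li>"

def render_comment(author, text):
    # Fix: encode at the point of output. html.escape turns < > & " ' into
    # character references, so the browser renders them as text.
    return f"<li><b>{html.escape(author)}</b>: {html.escape(text)}</li>"

def render_link(href, label):
    # Escaping is context-specific: inside an href a javascript: URL has no
    # special characters and survives html.escape, so the scheme is
    # allow-listed instead (assumed policy: only http and https).
    scheme = urlsplit(href.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        href = "#"
    return f'<a href="{html.escape(href)}">{html.escape(label)}</a>'

_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)

def contains_script_tag(markup):
    """Crude detector used only to show the difference between the two renderers."""
    return _SCRIPT_TAG.search(markup) is not None
```

Run with the slide's own payload as the comment text, the unsafe renderer emits a live `<script>` element while the safe one emits `&lt;script&gt;...`, which the browser displays but never executes.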
A4 – Direct Object Reference
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key.
A5 – Security Misconfiguration
Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform.
• Is any of your software out of date? This includes the OS, web/app server, DBMS, applications, and all code libraries, etc.
• Are any unnecessary features enabled or installed (e.g., ports, services, pages, accounts, privileges)?
• Are default accounts and their passwords still enabled and unchanged?
A6 – Sensitive Data Exposure
• Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials.
• Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes.
• The most common flaw is simply not encrypting sensitive data.
• Are any old / weak cryptographic algorithms used?
A7 – Missing Function Level Access Control
• Are server-side authentication or authorization checks missing?
• Anyone with network access can send your application a request.
• The attacker simply force-browses to target URLs:
  http://example.com/app/getappInfo
  http://example.com/app/admin_getappInfo
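A4 and A7 are both fixed by the same habit: the server re-checks authorization on every request, whether the client named an object (A4) or a function (A7). The example below is added here and is not the presentation's code; it serves both slides. The route paths are the two URLs from the A7 slide, while the users, roles, documents and return values are constructed for the example.

```python
# Constructed users, roles and documents (not from the presentation). The
# two route paths are the URLs shown on the A7 slide.
USERS = {
    "alice": {"role": "admin"},
    "bob": {"role": "user"},
    "carol": {"role": "user"},
}
DOCS = {
    101: {"owner": "bob", "body": "bob's notes"},
    102: {"owner": "carol", "body": "carol's notes"},
}

def get_document(current_user, doc_id):
    """A4 control: the id the client sends is only a lookup key; the server
    decides whether this user may read the object it names.
    Returns (status, body)."""
    doc = DOCS.get(doc_id)
    if doc is None:
        return (404, None)
    role = USERS[current_user]["role"]
    if doc["owner"] != current_user and role != "admin":
        # Reveal nothing about the object to a user who may not see it.
        return (403, None)
    return (200, doc["body"])

# A7 control: every route declares the role it needs, and the dispatcher
# enforces it on every request; hiding the admin link in the UI is not a check.
ROUTES = {
    "/app/getappInfo": ("user", lambda user: "application info"),
    "/app/admin_getappInfo": ("admin", lambda user: "administrative application info"),
}
RANK = {"user": 1, "admin": 2}

def dispatch(current_user, path):
    """Route a request from an authenticated user. Returns (status, body)."""
    route = ROUTES.get(path)
    if route is None:
        return (404, None)
    required, handler = route
    if RANK[USERS[current_user]["role"]] < RANK[required]:
        return (403, None)
    return (200, handler(current_user))
```

With these checks in place, a user who changes the document number in a URL, or types the admin path directly, gets 403 from the server regardless of what the front end offered them.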
A8 - CSRF
Cross Site Request Forgery
• Attackers create forged HTTP requests and trick a victim into submitting them via image tags, XSS, or numerous other techniques.
• Attackers can trick victims into performing undesired operations, e.g., updating account details, making purchases, etc.
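The standard mitigation is a per-session token that the legitimate form carries and a forged request cannot, since another origin can neither read the victim's session cookie nor compute anything derived from it. The following is an added example, not the presentation's code; the secret key, site origin, session ID and form fields are constructed for it, and the Origin-header check is an assumed second layer on top of the token.

```python
import hashlib
import hmac
import html
import secrets

# Server-side secret generated at start-up and the application's own origin
# (both constructed for this example).
SECRET_KEY = secrets.token_bytes(32)
SITE_ORIGIN = "https://example.com"

def csrf_token_for(session_id):
    # Bind the token to the session with an HMAC: a page on another origin
    # cannot read the victim's session cookie, so it cannot compute this.
    return hmac.new(SECRET_KEY, session_id.encode("utf-8"), hashlib.sha256).hexdigest()

def render_transfer_form(session_id):
    # The legitimate form carries the token as a hidden field.
    token = html.escape(csrf_token_for(session_id))
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="amount"><button>Send</button></form>')

def handle_request(method, session_id, form, origin=None):
    """Return (status, message). form is the parsed POST body; origin is the
    Origin request header if the browser sent one."""
    if method in ("GET", "HEAD", "OPTIONS"):
        # Safe methods must not change state, so they need no token.
        return (200, "read-only")
    if origin is not None and origin != SITE_ORIGIN:
        # Defence in depth: a cross-origin form post announces its origin.
        return (403, "cross-origin request rejected")
    supplied = str(form.get("csrf_token", ""))
    if not hmac.compare_digest(supplied, csrf_token_for(session_id)):
        # A forged request (image tag, hidden cross-site form) rides on the
        # victim's cookie but cannot supply the matching token.
        return (403, "csrf token missing or invalid")
    return (200, "transfer accepted")
```

A request carrying the cookie but no token, or a token minted for a different session, is rejected; only the form the application itself rendered for that session passes, and safe methods are left alone so that the check does not break ordinary navigation.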
Security Testing Taxonomy

Benefits of Security Testing
1) Vulnerability Coverage
2) Code Coverage
3) Instant Feedback
4) Quality of Service
5) Manage Risk Properly
6) Increase Business Continuity
7) Minimize Attacks

Q & A
Any

Thank You!
Have a Wonderful Day
