
Why WebAppsec Matters


Presentation Transcript


  1. Why WebAppsec Matters Module (to be combined) Education Project

  2. What goes Wrong?

  3. Public Health Warning
     • XSS and CSRF have evolved
     • Any website you visit could infect your browser
     • An infected browser can do anything you can do
     • An infected browser can scan, infect, spread
     • 70-90% of web applications are ‘carriers’

  4. Key Application Security Vulnerabilities http://www.owasp.org/index.php?title=Top_10_2007

  5. Tools – At Best 45%
     MITRE found that all application security tool vendors’ claims put together cover only 45% of the known vulnerability types (over 600 in CWE). They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true).

  6. Myth
     Myth: we are secure because we have a firewall
     75% of Internet vulnerabilities are at the web application layer *
     * GartnerGroup (2002 report)

  7. Myth Source: Jeremiah Grossman, BlackHat 2001

  8. Myth
     • Myth 2 - we are secure because we use SSL
       • only secures data in transit
       • does not solve vulnerabilities on:
         • Web server
         • Browser

  9. Myth Source: Jeremiah Grossman, BlackHat 2001

  10. Myth
     Your security “perimeter” has huge holes at the application layer
     [Diagram: an “application attack” crossing the network layer (Firewall, Hardened OS, Web Server, App Server, Firewall) into the application layer (Custom Developed Application Code, Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing)]
     You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks

  11. What is Web Application Security?

  12. Web Application Security
     • Combination of
       • People,
       • Processes,
       • and Technology
     • to identify, measure, and manage Risk
     • presented by COTS(*), open source, and custom web applications.
     (*) Commercial Off The Shelf

  13. People / Processes / Technology
     [Diagram labels: Training, Awareness, Guidelines, Automated Testing, Secure Development, Application Firewalls, Secure Code Review, Security Testing, Secure Configuration]

  14. Web Application (in)Security Trends

  15. Trends
     • Business demands more bells and whistles
     • Internal applications get ‘web-enabled’ and are exposed to Intranet or Internet
     • Increasing complexity of software
     • Rush software out without adequate testing
     • Poor security training and awareness

  16. Vulnerabilities: OWASP top 10 (v 2007)
     A1: Cross site scripting (XSS)
     A2: Injection flaws
     A3: Malicious file execution
     A4: Insecure direct object reference
     A5: Cross site request forgery (CSRF)
     A6: Information leakage and improper error handling
     A7: Broken authentication and session management
     A8: Insecure cryptographic storage
     A9: Insecure communications
     A10: Failure to restrict URL access

  17. Attacks
     • Defacements
     • Phishing
     • Denial of Service
     • Credit Card Stealing
     • Bot Infection
     • ...
     See the Web Hacking Incidents Database on http://www.webappsec.org/projects/whid/