
Snap Shot of the Presentation


Presentation Transcript


  1. Snap Shot of the Presentation
  • About Me
  • Web Applications – The Challenge
  • Why Web Applications are Vulnerable
  • Top 10 Vulnerabilities
  • Is Application Security a Tool Business?
  • Methodology
  • Suggested Tools
  • What's Next?

  2. About Me
  • Holds a Doctor of Science in Internet Security Management
  • Has 15 years of experience in Information Technology and Information Security solutions
  • Vice President – QA (Security Testing) at Arsin Corporation
  • Actively involved in 10 different innovative information threat management projects with various universities across the globe

  3. Web Applications – The Challenge
  • The World Wide Web has evolved into a global environment delivering applications such as reservation systems, online shopping or auction sites, games, multimedia applications, calendars, maps, chat applications, data entry/display systems, and many more.
  • Web applications are characterized by multiculturalism, continuous change, a fast pace and competitiveness, and high demands on user adaptivity.
  • Thus, the complexity of securing such Web applications has increased significantly.
  (Diagram: Web Server, Application Server, Database Server)

  4. Why is this important?

  5. Why Web Applications are Vulnerable
  • Application attacks are the latest trend in hacking.
  • On average, 90% of all dynamic-content sites have vulnerabilities associated with them.
  • No single web server and database server combination has been found to be immune!
  • Current security solutions do not offer adequate protection.
  • Attacks pass through perimeter firewall security over port 80 (or 443 for SSL).
  • They exploit bugs and poor security programming practices in the software.

  6. What is Web Application Security? • Web Application Security is not:

  7. What is Web Application Security? • Web Application Security is:

  8. Data Flow example

  9. How Bad Is It? – Vulnerability Reports • Vulnerability reports consistently rank Web Applications as the category with the highest number of vulnerabilities. For example: SANS @RISK, Aug 2007.

  10. Story – A Successful Hack

  11. What are the Top 10 Vulnerabilities ?

  12. OWASP 2007 Top Ten List (www.owasp.org)
  A1. Cross-Site Scripting (XSS)
  A2. Injection Flaws
  A3. Malicious File Execution
  A4. Insecure Direct Object Reference
  A5. Cross-Site Request Forgery (CSRF)
  A6. Information Leakage & Improper Error Handling
  A7. Broken Authentication & Session Management
  A8. Insecure Cryptographic Storage
  A9. Insecure Communications
  A10. Failure to Restrict URL Access
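As an added illustration that is not part of the presentation, the Python below shows three of the listed categories (A1 XSS, A2 Injection Flaws, A4 Insecure Direct Object Reference) as a vulnerable handler next to its hardened form. It uses an in-memory SQLite database; the table layout, user names, order ids and the `session_user_id` parameter are all constructed assumptions for the example:

```python
import html
import sqlite3


# Constructed sample data for the demonstration (not from the presentation).
def make_db() -> sqlite3.Connection:
    """Build an in-memory database with two users and two orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner_id INTEGER, total REAL)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "alice@example.invalid"), (2, "bob", "bob@example.invalid")])
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(100, 1, 19.99), (101, 2, 250.0)])
    conn.commit()
    return conn


# A2 Injection Flaws: building SQL by string formatting lets user input change
# the structure of the query; a parameterised query keeps the input as data.
def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_hardened(conn: sqlite3.Connection, name: str) -> list:
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


# A1 Cross-Site Scripting: reflecting input into HTML unescaped lets markup in
# the input become part of the page; html.escape turns it into inert text.
def greet_vulnerable(name: str) -> str:
    return f"<p>Hello, {name}!</p>"


def greet_hardened(name: str) -> str:
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# A4 Insecure Direct Object Reference: looking a record up by the client-supplied
# id alone exposes other users' rows; the hardened form also binds the lookup to
# the authenticated user's id, which comes from the server-side session.
def get_order_vulnerable(conn: sqlite3.Connection, order_id: int):
    return conn.execute(
        "SELECT id, owner_id, total FROM orders WHERE id = ?", (order_id,)
    ).fetchone()


def get_order_hardened(conn: sqlite3.Connection, session_user_id: int, order_id: int):
    return conn.execute(
        "SELECT id, owner_id, total FROM orders WHERE id = ? AND owner_id = ?",
        (order_id, session_user_id),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(find_user_vulnerable(db, "' OR '1'='1"))  # both rows: the quote escaped the literal
    print(find_user_hardened(db, "' OR '1'='1"))    # []: the whole string is compared as a name
    print(greet_hardened("<b>alice</b>"))           # markup rendered as text
    print(get_order_hardened(db, 1, 101))           # None: order 101 belongs to user 2
```

The same contrast applies to any data store or templating engine: the fix in each case is to keep untrusted input in a channel (bind parameter, escaped text node, server-side session value) where it cannot alter the structure of the query, page or authorization decision.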

  13. Is Application Security a Tool Business???
  • Web applications are tested with a combination of tools.
  • Typical web application testing is believed to be 30% tool and 70% manual effort.
  • Tools often produce false positive results.
  • Evaluating the scanner results and analyzing the Statement of Applicability is key.
  • Tools may not follow a "risk-based approach".
  • The answer is NO.

  14. Story – A Great Damage

  15. Methodology

  16. Methodology – Web Application Penetration Testing
  (Flow diagram: Test Against OWASP 2004 → Test Against OWASP 2007 → Test Protocol Security Issues → Recommend / Implement Solutions → Deliver Final Reports → Re-test the Application; with Mapping of Technical Vulnerabilities to Business Risks)

  17. Methodology – Contd
  • Testing Against OWASP 2004:
    • Understand the applications in detail.
    • Test against OWASP 2004 (intrusive / non-intrusive methods).
    • Authorized user testing and black box testing.
  • Testing Against OWASP 2007 & Protocol Security Testing:
    • Test against OWASP 2007 (intrusive / non-intrusive methods) and apply fuzzing techniques for protocol analysis.
    • External code posture analysis.
  • Recommend or Implement Solutions:
    • Recommend appropriate solutions, including code snippet design.
    • If required, Arsin COE Security also helps in implementing the solutions.
  • Deliver Report:
    • On successful completion of testing, Arsin delivers an Executive and a Technical report with the applicable recommendations.
  • Re-test the Fixed Applications:
    • Re-test the entire application against OWASP 2004 & 2007 and protocol issues.
    • The re-testing process continues until the remaining bugs are reduced to < 5% (non-severe).

  18. Are there any suggested tools?
  • There are a couple of industry-standard commercial and open-source tools, such as:
    • Rational AppScan from IBM
    • WebScarab from OWASP
    • HP WebInspect, etc.

  19. What's Next?

  20. Next!
  • Generally, web applications are tested against the "application" only.
  • Web applications must also undergo the respective protocol security testing, i.e.:
    • HTTP
    • HTTPS, etc.
  • This means security testing must extend from the "Application Layer" to the "Network Layer".
  • Web Services security testing will also play an important role.
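Slide 17 mentions fuzzing techniques for protocol analysis, and this slide calls for testing the HTTP/HTTPS layer itself rather than only the application behind it. As an added example that is not from the presentation or from Arsin, the Python below is a strict HTTP/1.x request-head parser paired with a seeded mutation harness: the harness feeds the parser thousands of corrupted variants of a valid request and checks that it only ever accepts the input or raises `BadRequest`, never an unexpected exception. The size limits, the set of single-occurrence headers and the sample request are assumptions for the example:

```python
import random

MAX_HEADER_LINE = 8192   # assumed limits for this example; real servers make them configurable
MAX_HEADERS = 100
SINGLETON_HEADERS = {"host", "content-length", "transfer-encoding"}  # ambiguous if repeated


class BadRequest(ValueError):
    """The only exception the parser is allowed to raise for bad input."""


def parse_request_head(raw: bytes) -> dict:
    """Parse an HTTP/1.x request line and headers strictly.

    Returns {"method", "target", "version", "headers"} or raises BadRequest for
    anything outside the grammar the server is willing to accept.
    """
    if len(raw) > MAX_HEADER_LINE * (MAX_HEADERS + 1):
        raise BadRequest("request head too large")
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise BadRequest("non-ASCII byte in request head") from None
    head, sep, _body = text.partition("\r\n\r\n")
    if not sep:
        raise BadRequest("end of headers not found")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise BadRequest("malformed request line")
    method, target, version = parts
    if not (method.isalpha() and method.isupper()):
        raise BadRequest("bad method token")
    if not target.startswith("/") or any(c.isspace() or c < " " for c in target):
        raise BadRequest("bad request target")
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        raise BadRequest("unsupported version")
    if len(lines) - 1 > MAX_HEADERS:
        raise BadRequest("too many headers")
    headers = {}
    for line in lines[1:]:
        if len(line) > MAX_HEADER_LINE:
            raise BadRequest("header line too long")
        name, colon, value = line.partition(":")
        # Field names must be tokens; a bare CR, LF or NUL inside a value is a
        # header-splitting attempt and is rejected rather than "repaired".
        if not colon or not name or not name.replace("-", "").isalnum():
            raise BadRequest("malformed header name")
        if any(c in "\r\n\0" for c in value):
            raise BadRequest("control character in header value")
        key = name.lower()
        if key in headers and key in SINGLETON_HEADERS:
            raise BadRequest(f"duplicate {key} header")
        headers[key] = value.strip()
    if version == "HTTP/1.1" and "host" not in headers:
        raise BadRequest("HTTP/1.1 requires a Host header")
    return {"method": method, "target": target, "version": version, "headers": headers}


def is_rejected(raw: bytes) -> bool:
    """True if the parser refuses the input with BadRequest."""
    try:
        parse_request_head(raw)
    except BadRequest:
        return True
    return False


def mutation_fuzz(seed: int = 1, rounds: int = 2000) -> tuple:
    """Randomly corrupt a valid request head and feed it to the parser.

    Any exception other than BadRequest propagates out of this function, which is
    the finding the harness exists to surface. Returns (accepted, rejected).
    """
    rng = random.Random(seed)  # seeded so a failing case can be reproduced
    base = b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\nContent-Length: 0\r\n\r\n"
    interesting = b"\r\n:\x00 /\x7f\xff"  # bytes that matter to HTTP framing
    accepted = rejected = 0
    for _ in range(rounds):
        sample = bytearray(base)
        for _ in range(rng.randint(1, 4)):
            pos = rng.randrange(len(sample) + 1)
            op = rng.choice(("flip", "insert", "delete"))
            if op == "flip" and pos < len(sample):
                sample[pos] = rng.randrange(256)
            elif op == "insert":
                sample.insert(pos, rng.choice(interesting))
            elif op == "delete" and pos < len(sample):
                del sample[pos]
        if is_rejected(bytes(sample)):
            rejected += 1
        else:
            accepted += 1
    return accepted, rejected


if __name__ == "__main__":
    print(parse_request_head(b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"))
    print("accepted/rejected:", mutation_fuzz())
```

The harness is deliberately simple; its value is the invariant it enforces (parse or `BadRequest`, nothing else) and the reproducible seed, which is what a protocol-level test needs before it is scaled up with a real fuzzer against the actual server.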

  21. Queries
  • Dr. Ravi Kiran Raju Yerra, ryerra@arsin.com, IM – Yahoo: brightvaio
  • Image References: Black Hat Briefings & www.owasp.org

  22. Thank You
  • For more details: Jonathan McClean, jmcclean@arsin.com
