SECURITY TESTING. Towards a safer web world

AGENDA
1. 3 Ws of Security Testing
2. Security Testing Concepts
3. Security Testing Types
4. Top 10 Security Risks

FEW SECURITY BREACHES

Date: 2013-14. In September 2016, while in negotiations to sell itself to Verizon, Yahoo announced it had been the victim of the biggest data breach. The attack compromised 500 million user accounts. Yahoo later disclosed an earlier breach that had compromised 1 billion accounts. Impact: 1.5 billion user accounts.

Date: May 2014. The online auction giant reported a cyberattack in May 2014 that it said exposed names, addresses, dates of birth and encrypted passwords of all of its 145 million users. The company said hackers got into the company network using the credentials of three corporate employees, and had complete inside access for 229 days, during which time they were able to make their way to the user database. Impact: 145 million users compromised.

3 Ws OF SECURITY TESTING

WHAT IS SECURITY TESTING
Security testing is the process of determining that an information system protects data and maintains functionality:
- To check whether there is any information leakage
- To test whether the application allows unauthorised access and whether it contains encoded security code
- To find all the potential loopholes and weaknesses of the system

WHY SECURITY TESTING
Web application security testing is a process that verifies that the information system protects the data and maintains its intended functionality. It involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities.

WHEN TO START SECURITY TESTING
1. In general, testing must start early to minimize defects and the cost of quality.
2. It should start right from the requirements gathering phase to make sure that the quality of the end product is high.
3. This ensures that any intentional or unintentional unforeseen action does not halt or delay the system.

SECURITY TESTING CONCEPTS
- Confidentiality: Is the service and information safe from unauthorised prying eyes?
- Integrity: Does the service provide only the correct information to the user?
- Authentication: Is the person/package being truthful about their identity?
- Authorization: Is the person/package allowed to do this operation?
- Availability: Will the service do me good any time of the day?
- Non-repudiation: Did communication happen between two legitimate users?

SECURITY TESTING TYPES
- Vulnerability scanning: the whole system under test is scanned to find loopholes and known vulnerable signatures.
- Penetration testing: an attack by a hacker is simulated on the system under test. In this kind of security testing the tester has to think of destroying the system while testing it.
- Ethical hacking: different from penetration testing, since here the system under test is attacked from within to expose all the security flaws and loopholes in the application or software.
- Risk assessment: the risk involved with the security of the system under test is assessed, and the risks are classified as High, Medium and Low based on certain factors.
- Security scanning: scans the whole system under test and finds network weaknesses, which are then studied in detail, analyzed and fixed.
- Security review: checks whether all standards are followed and implemented properly, through gap analysis and code or design reviews.

OWASP TOP 10 RISKS
A1 Injection: Injection flaws are a set of security vulnerabilities which occur when untrusted data is inserted into an app as part of a command or query.
A2 Broken Authentication and Session Management: When an application's authentication and session functions are not implemented correctly, the attack surface is open for criminals to easily break in, compromise passwords and session IDs, and exploit other flaws using stolen credentials.
A3 Cross-Site Scripting (XSS): XSS allows attackers to inject client-side scripts into public-facing web pages and, in many cases, can be used by attackers to work their way past access controls.
A4 Broken Access Control: Access control is meant to control what authorized users are allowed and not allowed to do within an app. To establish proper access control, the app must perform solid authorization checks and have proper authentication in place to tell which users are privileged and which are in fact random internet users.
A5 Security Misconfiguration: Proper configuration of an application's entire environment needs to be defined, implemented, and regulated, or it may lead to severe security holes.
A6 Sensitive Data Exposure: Applications should ensure that access is authenticated and data is encrypted.
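The A1 Injection entry above describes untrusted data becoming part of a query. The following added example (not from the original slides) shows the flaw and its fix side by side on a constructed in-memory SQLite table: the string-concatenated lookup lets a constructed input change the query's meaning and return every row, while the parameterized lookup treats the same input as a plain value and matches nothing.

```python
import sqlite3


def make_db():
    """Constructed sample database (assumed for this example, not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """A1 Injection flaw: user input is spliced into the SQL text, so the
    database parses it as SQL rather than treating it as data."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened form: the query structure is fixed before any user data is
    seen, and the input is bound as a value via the '?' placeholder."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a benign and a constructed hostile input."""
    conn = make_db()
    benign = "bob"
    # Constructed test input: closes the quoted string and appends a tautology.
    hostile = "' OR '1'='1"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),      # one row
        "vuln_hostile": lookup_vulnerable(conn, hostile),    # all three rows leak
        "safe_benign": lookup_parameterized(conn, benign),   # one row
        "safe_hostile": lookup_parameterized(conn, hostile), # no match
    }
```

A security test for this endpoint would assert that a lookup never returns more rows than the one matching username, which catches the vulnerable variant regardless of the exact payload used.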

OWASP TOP 10 RISKS (Continued)
A7 Insufficient Attack Protection: This category looks at how many apps and APIs today struggle to detect, prevent, and respond to both manual and automated attacks. The methods given include pentesting, vulnerability assessment, and using a WAF or RASP as a means of detection and of quick self-patching in response to an attack.
A8 Cross-Site Request Forgery (CSRF): An attacker takes control of the victim's browser to generate requests to the vulnerable app, which treats them as legitimate requests from the victim.
A9 Using Components with Known Vulnerabilities: Components, including libraries and frameworks, may be taken from the open source community and should be used with caution in case vulnerabilities are lurking in them.
A10 Underprotected APIs: APIs serve as a link between intricate client platforms and a batch of web applications or services. While APIs may technically be web apps, securing them is not as simple as securing traditional web applications.
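The A8 CSRF entry says the app cannot tell a forged browser request from a legitimate one. The added example below (not from the original slides) shows the standard synchronizer-token defence: a random token stored in the server-side session and echoed back in every state-changing form, which a cross-site request has no way to read. The session dictionary and the transfer handler are assumed stand-ins for a real framework's session and route.

```python
import hmac
import secrets


def issue_token(session):
    """Create a per-session random token and store it server-side."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_token(session, submitted):
    """Return True only if the submitted token equals the session's token."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    # Constant-time comparison on bytes so the check does not leak the token
    # through timing, and so non-ASCII input cannot raise inside the compare.
    return hmac.compare_digest(expected.encode(), str(submitted).encode())


def handle_transfer(session, form):
    """Assumed state-changing handler: reject unless the token verifies.
    Returns an (HTTP status, message) pair."""
    if not verify_token(session, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    return 200, "transfer of %s to %s accepted" % (form["amount"], form["to"])


def demo():
    """Constructed walkthrough: one legitimate and one forged submission."""
    session = {}
    token = issue_token(session)
    # The app's own form carries the token it was issued.
    legit = handle_transfer(session, {"amount": "100", "to": "bob", "csrf_token": token})
    # A forged cross-site request reuses the victim's cookies but cannot read
    # the token from the session, so it arrives without one.
    forged = handle_transfer(session, {"amount": "100", "to": "mallory"})
    return legit[0], forged[0]
```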