PRESENTED BY: scheff@f5.com

APPLICATIONS ARE:
- the reason people use the Internet
- the business, and therefore the target
- the gateway to DATA

By the numbers:
- 765: average number of apps in use per enterprise
- 1/3 of them are mission critical
- 6 min: time before a newly exposed app is scanned
- <2 hrs: if vulnerable, you could be PWND in under two hours

[Figure: attack types by layer]
- Client: cross-site request forgery, cross-site scripting, man-in-the-browser, session hijacking, malware
- DNS: man-in-the-middle, DNS cache poisoning, DNS spoofing, DNS hijacking, dictionary attacks, DDoS
- Network: DDoS, eavesdropping, protocol abuse, man-in-the-middle
- App services: API attacks, cross-site scripting, injection, cross-site request forgery, malware, man-in-the-middle, DDoS, abuse of functionality
- Access: credential theft, credential stuffing, session hijacking, brute force, DDoS, phishing
- TLS: key disclosure, protocol abuse, session hijacking, certificate spoofing

Breach-origin figures shown on the slide, each given for two data sets (2017, 4 US states; 10 years, 26 countries): 30% vs 53%, and 26% vs 33%.

[Chart: Injection, PHP & SQL. Bars labelled Login, Affiliates, Admin, Betablock, Cart, Comments, Exchweb, SQL, PHP; values read off the chart in the same order: 1%, 1%, 2%, 2%, 3%, 4%, 6%, 56%, 58%.]

2013 OWASP Top 10:
1. Injection
2. Broken authentication and session management
3. Cross-site scripting (XSS)
4. Insecure direct object references
5. Security misconfiguration
6. Sensitive data exposure
7. Missing function level access control
8. Cross-site request forgery (CSRF)
9. Using components with known vulnerabilities
10. Unvalidated redirects and forwards

2017 OWASP Top 10:
1. Injection
2. Broken authentication
3. Sensitive data exposure
4. XML external entities (XXE)
5. Broken access control
6. Security misconfiguration
7. Cross-site scripting (XSS)
8. Insecure deserialization
9. Using components with known vulnerabilities
10. Insufficient logging and monitoring
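Injection has held the #1 spot in both editions, and the earlier chart shows SQL and PHP as the injection targets seen most. The following is an added example, not code from the deck or from F5: a login lookup written two ways against an in-memory SQLite database, once by splicing input into the SQL text and once with bound parameters. The users table, its single credential and the attacker payload are constructed for the demo.

```python
"""Added example, not from the F5 deck: the Top 10's #1 item (injection)
shown as a login lookup written two ways against an in-memory SQLite
database. The users table, its one credential and the attacker payload are
constructed for the demo; they are not data from the presentation."""
import sqlite3

# Constructed attacker input: closes the password string and appends a tautology.
PAYLOAD = "' OR '1'='1"
GOOD_USER, GOOD_PASS = "alice", "correct horse battery staple"


def make_db() -> sqlite3.Connection:
    """Throw-away database with a single constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (GOOD_USER, GOOD_PASS))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Splices untrusted input into the SQL text: the defect behind A1."""
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    # With password = PAYLOAD the statement becomes
    #   ... AND password = '' OR '1'='1'
    # AND binds tighter than OR, so every row matches and the login succeeds.
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same lookup with bound parameters: the driver hands the values to the
    engine separately from the SQL text, so quotes inside them are just data."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def run_demo() -> dict:
    """Exercise both versions with the real credential and with the payload."""
    conn = make_db()
    return {
        "vulnerable/valid": login_vulnerable(conn, GOOD_USER, GOOD_PASS),
        "vulnerable/payload": login_vulnerable(conn, "nobody", PAYLOAD),
        "parameterized/valid": login_parameterized(conn, GOOD_USER, GOOD_PASS),
        "parameterized/payload": login_parameterized(conn, "nobody", PAYLOAD),
    }


if __name__ == "__main__":
    for case, ok in run_demo().items():
        print(f"{case:22s} -> {'LOGGED IN' if ok else 'rejected'}")
```

The vulnerable path logs in as a user that does not exist; the parameterized path rejects the same input. Storing the password in clear text, as this toy table does, is itself a Top 10 item (sensitive data exposure) and is kept only to make the query comparison short.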

[Chart: Access attacks by type. Segment values 34%, 26%, 23%, 9%, 5%, 3%; segment labels are not recoverable from the transcription.]

Clients are phished and malware is installed: banking trojans, fraud trojans. Fraud targets = any site with a login page.
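The access-layer attacks on the earlier map (credential stuffing, brute force) are what "any site with a login page" sees in its authentication log. The following is an added example, not code from the deck or from F5: a small detector that runs over constructed login-attempt records, separates a source trying many accounts once each from a source hammering one account, and lists the successful logins from flagged sources, which are the accounts to reset first. The log format, IP addresses and thresholds are assumptions made for the demo.

```python
"""Added example, not from the F5 deck: a detector for the two access attacks
the deck lists against login pages, credential stuffing and brute force, run
over constructed authentication log lines. Log format, thresholds and IPs are
assumptions for the demo, not a format from the presentation."""
import re
from collections import defaultdict

# Constructed log: one line per login attempt, documentation-range IPs.
SAMPLE_LOG = """\
2018-06-12T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2018-06-12T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2018-06-12T10:00:02Z src=203.0.113.7 user=carol result=FAIL
2018-06-12T10:00:03Z src=203.0.113.7 user=dave result=OK
2018-06-12T10:00:03Z src=203.0.113.7 user=erin result=FAIL
2018-06-12T10:00:04Z src=203.0.113.7 user=frank result=FAIL
2018-06-12T10:01:10Z src=198.51.100.5 user=bob result=FAIL
2018-06-12T10:01:11Z src=198.51.100.5 user=bob result=FAIL
2018-06-12T10:01:12Z src=198.51.100.5 user=bob result=FAIL
2018-06-12T10:01:13Z src=198.51.100.5 user=bob result=FAIL
2018-06-12T10:01:14Z src=198.51.100.5 user=bob result=FAIL
2018-06-12T10:01:15Z src=198.51.100.5 user=bob result=OK
2018-06-12T10:05:00Z src=192.0.2.10 user=alice result=FAIL
2018-06-12T10:05:20Z src=192.0.2.10 user=alice result=OK
2018-06-12T10:06:00Z malformed line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Hypothetical thresholds; tune them against the site's real traffic.
MIN_ATTEMPTS = 5               # ignore sources with fewer attempts than this
MIN_FAIL_RATE = 0.7            # both attack types are mostly failures
STUFFING_USERS = 5             # many distinct accounts ...
STUFFING_TRIES_PER_USER = 2.0  # ... each tried only once or twice


def parse(log_text: str):
    """Return ([(src, user, result), ...], number_of_malformed_lines)."""
    events, skipped = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["src"], m["user"], m["result"]))
        elif line.strip():
            skipped += 1
    return events, skipped


def classify(log_text: str) -> dict:
    """Per-source verdict plus the successful logins from flagged sources."""
    events, skipped = parse(log_text)
    attempts, fails = defaultdict(int), defaultdict(int)
    users, successes = defaultdict(set), defaultdict(list)
    for src, user, result in events:
        attempts[src] += 1
        users[src].add(user)
        if result == "FAIL":
            fails[src] += 1
        else:
            successes[src].append(user)

    verdicts = {}
    for src in attempts:
        n, fail_rate = attempts[src], fails[src] / attempts[src]
        distinct = len(users[src])
        if n < MIN_ATTEMPTS or fail_rate < MIN_FAIL_RATE:
            verdicts[src] = "normal"
        elif distinct >= STUFFING_USERS and n / distinct <= STUFFING_TRIES_PER_USER:
            verdicts[src] = "credential_stuffing"   # one try per stolen credential
        elif distinct <= 2:
            verdicts[src] = "brute_force"           # many tries at one account
        else:
            verdicts[src] = "suspicious"

    # A success from a flagged source is a probable account takeover.
    at_risk = sorted(
        (src, user)
        for src, verdict in verdicts.items() if verdict != "normal"
        for user in successes[src]
    )
    return {"verdicts": verdicts, "at_risk_logins": at_risk, "skipped_lines": skipped}


if __name__ == "__main__":
    report = classify(SAMPLE_LOG)
    for src, verdict in report["verdicts"].items():
        print(f"{src:15s} {verdict}")
    print("reset first:", report["at_risk_logins"])
```

Per-source counting is the simplest cut; real stuffing campaigns spread attempts across many sources, so the same per-user statistics aggregated over a time window (many distinct accounts, each failing once, in a short span) are the next thing to add.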

[Figure: thingbot timeline, 2008 to 2018. 74% of affected device types were discovered in the last 2 years.]
Affected devices: CCTV DVRs, SOHO routers, iOS, WAPs, set-top boxes, media centers, ICS, Android, IP cameras, wireless chipsets, NVR surveillance, VoIP devices, cable modems, BusyBox platforms, smart TVs.
Thingbots plotted on the timeline: Hydra, Psyb0t, Aidra, Darlloz, Marcher, Moon, Gafgyt family, Remaiten, Crash Override, Mirai, BigBrother, Rediation, Hajime, Trickbot, IRC Telnet, Annie, Brickerbot, Satori family, Amnesia, Persirai, WireX, Reaper, Masuta, PureMasuta, Hide 'N Seek, JenX, OMG, DoubleDoor, SORA, OWARI, UPnPProxy, OMNI, RoamingMantis, Wicked, VPNFilter (year-by-year placement is not recoverable from the transcription).

[Figure: thingbot attack type on the same 2008 to 2018 timeline, with the same thingbots as the previous figure. Shifting from primarily DDoS to multi-purpose.]
Attack types plotted: DNS hijack, crypto-miner, DDoS, PDoS, proxy servers, unknown, rent-a-bot, credential collector, install-a-bot, multi-purpose bot, fraud trojan, ICS protocol monitoring, Tor node, sniffer.

2017 Study on Mobile and IoT Application Security https://www.arxan.com/resources/downloads/2017-study-mobile-iot-application-security-whitepaper


CISO'S #1 MISSION, EVERYONE'S #1 CHALLENGE: prevent downtime.

1. Understand Your Environment: visibility.

2. Reduce Your Attack Surface. Where the attack surface lives:
- Subdomains hosting other versions of the main application site
- Web service methods
- Server-side features such as search
- Cookies/state-tracking mechanisms
- Dynamic web page generators
- HTTP headers and cookies
- Data entry forms
- Events of the application that trigger server-side code
- Web pages and directories
- Shells, Perl/PHP APIs
- Administrative and monitoring stubs and tools
- Data/active content pools: the data that populates and drives pages
- Backend connections through the server (injection)
- Admin interfaces
- Apps/files linked to the app
- Helper apps on the client (Java, Flash)
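"HTTP headers and cookies" is the item on that list you can audit from a single response. The following is an added example, not code from the deck or from F5: it parses the head of a raw HTTP/1.1 response and reports what a tester notes first: version-leaking banners, missing hardening headers, and cookies set without Secure, HttpOnly or SameSite. The response text, the header list and the wording of the findings are constructed for the demo.

```python
"""Added example, not from the F5 deck: an offline check of the "HTTP headers
and cookies" entry on the attack-surface list. It parses the head of a raw
HTTP/1.1 response and reports version-leaking banners, missing hardening
headers, and cookies missing Secure/HttpOnly/SameSite. The response below is
constructed for the demo."""
import re

# Constructed response from a hypothetical PHP application.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.10\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Hardening headers whose absence is worth a finding, with the reason.
REQUIRED_HEADERS = {
    "strict-transport-security": "browsers may still talk plaintext HTTP",
    "content-security-policy": "no script-source restriction against XSS",
    "x-content-type-options": "MIME sniffing allows content-type confusion",
    "x-frame-options": "page can be framed (clickjacking)",
}
BANNER_HEADERS = ("server", "x-powered-by")
VERSION_RE = re.compile(r"\d+\.\d+")   # a dotted version number in a banner
COOKIE_ATTRS = (
    ("secure", "Secure", "sent over plaintext HTTP"),
    ("httponly", "HttpOnly", "readable by injected script"),
    ("samesite", "SameSite", "attached to cross-site requests, CSRF"),
)


def parse_head(raw: str):
    """Split a raw response into (status line, [(name_lower, value), ...]).
    Repeated headers such as Set-Cookie are kept as separate entries."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_cookie(value: str) -> list:
    """Findings for one Set-Cookie value; attribute names are case-insensitive."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {p.partition("=")[0].lower() for p in parts[1:]}
    return [
        f"cookie {name}: missing {shown} ({why})"
        for key, shown, why in COOKIE_ATTRS
        if key not in attrs
    ]


def audit_response(raw: str) -> list:
    """Return human-readable findings for one response head."""
    _, headers = parse_head(raw)
    present = {name for name, _ in headers}
    findings = []
    for name, value in headers:
        if name in BANNER_HEADERS and VERSION_RE.search(value):
            findings.append(f"{name}: version disclosed ({value})")
        elif name == "set-cookie":
            findings.extend(audit_cookie(value))
    for name, why in REQUIRED_HEADERS.items():
        if name not in present:
            findings.append(f"missing {name}: {why}")
    return findings


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print("-", finding)
```

The disclosed versions feed straight into the "does this vulnerability apply to you?" question on the next slide: an attacker reads the same banners, so the answer should come from your inventory before it comes from their scanner.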

Every 9 hrs a CRITICAL vulnerability is released. Attackers are weaponizing VULNERABILITIES in <24 hrs. Questions to answer before you are ATTACKED:
- Does it apply to you?
- Has a patch been released?
- WAF configuration?
- Did you test it?
- Did you apply it?

3. Prioritize Defenses Based on Attacks: focus OpEx and CapEx spend.

[Figure: attacker reconnaissance. Public sources: Facebook, LinkedIn, Twitter, people search engines, company website. What gets mapped: identities (HR, execs, accounting, sys admins), devices (laptops, desktops, phones), misconfigurations.]

Further reading (presenter's resources): articles, threat blog, CISO-to-CISO thought leadership blog, general threat trends, phishing, encryption, IoT (Attacker Hunt series).

[Closing slide: "53% of breaches start here" and "33% of breaches start here", placed against the labels CLIENT, INTEGRITY, DEFENSE.] 2018 F5 Networks