Security Best Practices For DNN Websites


Security Best Practices For DNN Websites

Mitchel Sellers
Who am I? Microsoft MVP, ASPInsider, DNN MVP; Microsoft Certified Professional; CEO, IowaComputerGurus, Inc.
Contact Information: msellers@iowacomputergurus.com; Twitter: @MitchelSellers, @iowacompgurus

All Links and Resources
Don't worry! We've provided a complete list of clickable links to all the free resources mentioned in this presentation, including a copy of this slide deck, and we'll make it available to you at the end of the presentation.

Agenda
- Welcome
- SSL Adoption
- User Impacts?
- SSL Types
- SSL Is Not Enough
- Protecting Your Application & Server
- Don't Get Caught
- Legal Considerations
- OWASP Top Ten
- 3rd-Party Apps, Services, & Modules
- Security Resources

Welcome to the Privacy & Security Age
From GDPR to Social Media, from Bots to Hacks, and from Ransomware to Network Attacks: Data Protection and Website Security ARE the Next Big Thing

Secure Sockets Layer: an Overview
SSL ENCRYPTION https://

SSL Adoption
Recognizing that vast numbers of websites were not employing SSL/TLS security, the Internet Security Research Group (ISRG) adopted a mission to reduce the financial, technological, and educational barriers to secure communication over the internet. Their first major initiative is Let's Encrypt, a free, automated, and open SSL certificate authority (CA).
Google declared that by January 2017 websites not protected by basic SSL encryption would be penalized within Google Search by identifying them as non-secure. This move has put additional pressure on website owners to implement SSL.
Suspecting that some older Symantec-issued SSL certificates were either not current or did not meet existing standards, Google threatened to cease recognizing those certificates in its Chrome browser.

User Impact of Doing Nothing
- Messaging
- Trust

Types of SSL Certificates
- Domain Validation (DV): validates a single domain; the simplest, with automated validation that verifies a single user has control of the domain.
- Organization Validation (OV): validates the domain, but also validates the corporate entity that controls it.
- Extended Validation (EV): similar to OV but validated by human processes (enhanced visual display).
- Wildcard: special DV certificates that cover any combination of sub-domains.

Installing SSL Is Not Enough
- Hard-coded external URL links may no longer work properly, harming site traffic and SEO.
- Site visitors might see mixed content, both secure and unsecure.
- Users attempting to access sites from more secure/corporate networks may be unable to do so because of firewall security rules.
- SEO asset value within search engine indexing may be damaged or lost.
- If your home page indicates SSL security but not all pages or page elements are secured, the mismatch can create corporate liability.

SSL Delivers
- End-to-end encryption, mitigating 3rd-party threats to data in transit.
- Consumer awareness is growing: the value of privacy and security is being recognized.
- Due to actions by Google, ISRG, and others, SSL has now become both a Security AND a Marketing imperative.
Time to Protect Your End Point (Application & Server)

Protecting Your Application & Server: Known High-Risk Vectors and What You Can Do

Don't Get Caught With Your Guard Down

Legal Considerations
Compliance
- HIPAA: Medical Information
- PCI-DSS: Credit Card/Payment Information
- GDPR: EU Data Protection
- FFIEC: Financial Institutions
Business Risks
- Recovery Costs
- Civil Liability
- Best Practices Mitigate Civil Risk
- Reputation Management

OWASP Top Ten Threats
Open Web Application Security Project (OWASP): OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security.
1) SQL Injection
2) Broken Authentication
3) Sensitive Data Exposure
4) XML External Entities
5) Broken Access Control
6) Security Misconfiguration
7) Cross-site Scripting
8) Insecure Deserialization
9) Using Vulnerable Components
10) Insufficient Logging & Monitoring

OWASP Top 10 - #2 Broken Authentication
Common Issues
- Permits automated login attacks
- Allows default user passwords
- Uses weak/insecure recovery processes (Security Question is considered weak)
- Stores passwords in plain text, encrypted, or with weak encryption
- Exposes the session ID in the URL
Prevention
- Consider Multi-Factor Authentication
- Don't use defaults
- Check against common passwords
- Ensure integrity in password requirements
- Login, lockout, and failure messages should be the same
- Limit brute-force logins, and notify admins when an attack is suspected

OWASP Top 10 - #2 (DNN Specific)
Default DNN covers some, but not all, aspects.
Older Installations
- Validate password formats
- Validate & update password recovery
New Installations
- Multi-Factor not supported
- Lockout notifications (turn on, or store longer term)
- Complexity requirements
- No known-password list

OWASP Top 10 - #5 Broken Access Control
Risks
- Similar to the risk in #1
- Situations where the URL could be modified to change access protocols
- Missing authentication on child methods, assuming that because a user cannot see the parent by default, they cannot reach the rest
- CORS misconfiguration allowing other clients
Prevention
- Log misuse, notify if excessive
- Rate-limit APIs
- Invalidate tokens at logout

OWASP Top 10 - #6 Security Misconfiguration
Risks
- Forgetting to remove defaults (e.g. sample project, module, file)
- Unnecessary features/ports (FTP, utility modules, etc.)
- Patching not followed
Prevention
- Documented and repeatable hardening process (install/config)
- Minimize the platform; use custom install options
- Automated validation of configuration (trust but verify)

OWASP Top 10 - #9 Using Vulnerable Components
- Not patching DNN to deal with Security Center issues
- Not patching third-party modules with known issues
- Not patching Windows
- Using older FTP software/protocols
- Etc.

OWASP Top 10 - #10 Insufficient Logging & Monitoring
- Logging is great, but what do you do with it?
- Monitoring/alerting is often overlooked, until it is a problem
- Activity logging should be repeatable/detailed for high-risk transactions (delete, etc.)
- Establish a response protocol

DNN Specific Examples
Known vs. User-Supplied Values
- Known (from DNN context): UserId, PortalId, ModuleId
- User-supplied: Querystring parameters
Store/update data based on the combination of values:
- Delete: require both the ItemId and the ModuleId in the SQL, to prevent random deletes
- Edit: require ModuleId and ItemId when retrieving, to validate that the item belongs to that module
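The delete and edit checks above, as an added C# example that is not code from the deck or from the DNN code base. It uses plain ADO.NET; the table dbo.Items, its columns and the connection string are assumed, and in a real DNN module the moduleId is taken from the module's own context (PortalModuleBase.ModuleId), never from the request.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Assumed module table: dbo.Items(ItemId int primary key, ModuleId int, Title nvarchar(200)).
public sealed class ItemRepository
{
    private readonly string _connectionString;
    public ItemRepository(string connectionString) { _connectionString = connectionString; }

    // Every statement takes both keys: moduleId is the known value from the module's own
    // context (PortalModuleBase.ModuleId in a DNN module), itemId is the user-supplied value
    // from the query string or form. Values are bound as parameters, never concatenated.
    private static SqlCommand Command(string sql, SqlConnection conn, int moduleId, int itemId)
    {
        var cmd = new SqlCommand(sql, conn);
        cmd.Parameters.Add("@ModuleId", SqlDbType.Int).Value = moduleId;
        cmd.Parameters.Add("@ItemId", SqlDbType.Int).Value = itemId;
        return cmd;
    }

    // Delete: "WHERE ItemId = @ItemId" alone lets a guessed ItemId delete another module's
    // row; "AND ModuleId = @ModuleId" makes such a request affect zero rows instead.
    public int Delete(int moduleId, int itemId)
    {
        const string sql = "DELETE FROM dbo.Items WHERE ItemId = @ItemId AND ModuleId = @ModuleId";
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = Command(sql, conn, moduleId, itemId))
        {
            conn.Open();
            int rows = cmd.ExecuteNonQuery();
            if (rows == 0) throw new UnauthorizedAccessException("Item does not belong to this module.");
            return rows;
        }
    }

    // Edit: retrieve with both keys so another module's record is never loaded into the
    // edit form. Returns null for "not found" and "not this module's" alike.
    public string GetTitleForEdit(int moduleId, int itemId)
    {
        const string sql = "SELECT Title FROM dbo.Items WHERE ItemId = @ItemId AND ModuleId = @ModuleId";
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = Command(sql, conn, moduleId, itemId))
        {
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }
}
```

A zero-row delete is worth logging as a possible access-control probe (see #10), since a legitimate user of the module should never supply an ItemId the module does not own.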

Third-Party Apps, Services, & Modules
- Do they follow these practices?
- Just because you can't see it, doesn't mean it isn't there
- Review & patching notifications
- Are they GDPR compliant?
Your Website Is Only As Safe As The Least Secure Part

SSL and Security Resources (iowacomputergurus.com/security)
- SSL Implementation and Website Security Best Practices (white paper)
- Free SSL, Community Supported: Let's Encrypt (blog post)
- Webserver Hardening Best Practices (white paper)
- Vulnerability and Exploit Response Best Practices (white paper)
GDPR Resources
- Navigating the GDPR (blog post summary)
- Microsoft General GDPR Recommendations
- GDPR and DNN: What You Need to Do Now (blog post)
- OWASP Top 10 Threats 2017

About ICG
Who We Are
- Founded in 2006, Ankeny, Iowa
- Custom solutions provider
- Customer-service oriented
- Microsoft Silver Certified
- BBB A+ rated and Accredited
What We Do
- Internet Websites
- Intranets & Portals
- Platform Development
- Mobile & Responsive
- Deployment, Hosting & Cloud
- Performance & Scalability
- Security and Accessibility Compliance
- Applications & Architectures
- Superior Support

About ICG
Our Team
- Mitchel Sellers, CEO: 9-time Microsoft MVP, ASP Insider, DNN MVP, Published Technology Author
- Dedicated Team of Ten+ Full-time & Contract Professionals
- Consistent Communication
- Peer Review/Quality Assurance