Kishin Fatnani, Founder & Director, K-Secure. Workshop: Application Security: Latest Trends, by Cert-In, 30th Jan 2009


Securing Web Applications: Defense Mechanisms
Kishin Fatnani, Founder & Director, K-Secure

Agenda
Current scenario in Web Application Security
Defenses: Pros and Cons
Web Application Firewall: Detection Techniques, Protection Techniques
DEMO

Real life cases

Real life Cases 2.0
Source: The Web Hacking Incidents Database [http://webappsec.org/projects/whid/]

My.BarackObama.com Infects Visitors With Trojan (Source: cyberinsecure.com)

The Most Prevalent Vulnerabilities (Source: Web Application Security Consortium, WASC)

OWASP Top 10 Vulnerabilities 2007
1. Cross Site Scripting (XSS)
2. Injection Flaws
3. Malicious File Execution
4. Insecure Direct Object Reference
5. Cross Site Request Forgery (CSRF)
6. Information Leakage and Improper Error Handling
7. Broken Authentication and Session Management
8. Insecure Cryptographic Storage
9. Insecure Communications
10. Failure to Restrict URL Access

Where is the Web Application? (layers, top to bottom)
Web Applications
Web Server
Operating System
Network Protocol

Perimeter Security
Perimeter Firewall in front of Web Server, Application Server and DB

Protection to Web Applications
Web Applications: targeted by web application attacks
Web Server, Operating System, Network Protocol: attacks at these layers are covered by security devices (Firewall / IPS)

How to secure Web Applications?
Secure coding: developers must be educated on writing secure code that implements proper validation, boundary checks and data sanitization
Testing applications for vulnerabilities: black box and white box testing
Secure configuration: the web server and applications must be securely configured with proper access control and hardening
Web Application Firewall: filtering malicious data, or restricting traffic to and from web applications to what is legitimate

Secure Coding
Secure coding is the best way to avoid vulnerabilities in applications
However, it is still not possible to write 100% secure applications
Every developer has to keep up with newer methods of attacking applications
One developer missing a single check unknowingly creates a vulnerability in the application, which may lead to compromise of the entire database
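The "single missed check" on this slide, as an added example that is not part of the original deck: a login lookup built by string concatenation beside the parameterized form. The table, users and the injection payload are constructed for the demo (passwords are stored in clear only to keep the example short; a real application stores hashes).

```python
"""Added example (not from the original slides): one missed input check in a
login query exposes every row; the parameterized query does not.
Runs offline against an in-memory SQLite database with constructed data."""
import sqlite3


def make_db():
    # Constructed sample data; not real credentials.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return db


def login_vulnerable(db, username, password):
    # The missed check: user input is pasted straight into the SQL text,
    # so a quote in the input ends the string and rewrites the WHERE clause.
    sql = (
        "SELECT username FROM users WHERE username = '%s' "
        "AND password = '%s'" % (username, password)
    )
    return sorted(row[0] for row in db.execute(sql))


def login_safe(db, username, password):
    # Parameterized query: values travel separately from the SQL text, so
    # quotes in the input can never change the statement.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in db.execute(sql, (username, password)))


def demo():
    """Return what each version hands back for a classic tautology payload."""
    db = make_db()
    payload = "' OR '1'='1"
    return {
        "vulnerable": login_vulnerable(db, payload, payload),
        "safe": login_safe(db, payload, payload),
        "legit": login_safe(db, "alice", "s3cret"),
    }


if __name__ == "__main__":
    print(demo())
```

With the payload in both fields the concatenated statement becomes `... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'`, which is true for every row, so the vulnerable version returns all users while the parameterized one returns none.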

Testing Applications
Testing for security vulnerabilities in applications can be done using automated tools and manual assessment methodologies
White box testing finds vulnerabilities in the source code
Black box testing finds vulnerabilities in running applications

Testing Applications
Vulnerabilities detected during application testing can be reported to development teams for rectification
The time required to test, report and get the problem rectified is very long

Automated Tools
Assessment tools:
Rational AppScan (IBM)
NTOSpider (NT Objectives)
WebInspect (HP)
Hailstorm (Cenzic)
Source code analysis:
AppCodeScan (Blueinfy)
Fortify (Fortify)
Ounce (Ounce Labs)

Secure Configuration
The server on which the applications are deployed must be configured securely so that no unauthorized person can access restricted areas, read the source files or execute commands with root privileges
A misconfiguration may weaken the security of a well written, secure application

Web Application Firewall
A Web Application Firewall can complement a network firewall by further inspecting the application traffic and filtering out unwanted or malicious data
It can work as a virtual patch for vulnerabilities not yet fixed by the developers of an application
Attempts to exploit applications can be monitored
Can be deployed very quickly and easily

Without Application Security
Perimeter Firewall, then Web Server, Application Server, DB (nothing inspects application traffic)

Web Application Firewall: Inline
Perimeter Firewall, then Web Application Firewall on the traffic path, then Web Server, Application Server, DB

Web Application Firewall: Out of Line
Perimeter Firewall, then Web Server, Application Server, DB; the Web Application Firewall sits beside the path and sees a copy of the traffic

Web Application Firewall: Embedded
Perimeter Firewall, then Web Server with an embedded Web Application Firewall, Application Server, DB

Some Application Firewalls
WebDefend (Breach Security)
Big-IP (F5 Networks)
NetScaler Application Firewall (Citrix)
SecureSphere WAF (Imperva)
Web Application Gateway (Barracuda)
ModSecurity (open source)

Why WAF?
Protecting an application from attacks requires complete knowledge of the application's communication
Firewalls and IDS/IPSs with deep inspection capabilities can understand the protocols and state information
To protect applications, the device has to interpret HTML data and session context

WAF Detections
Positive Security Model
Negative Security Model
SSL Decryption

Security Model: Negative Security Model
Signatures / rules are defined to look for and prevent malicious transactions
Good for known attacks, but needs to be updated whenever a new attack pattern is discovered
Easy to configure, with out-of-box protection available
Allows most applications to run without any customization

Security Model: Positive Security Model
Rules are defined for valid and safe transactions
Any transaction not matching a rule is denied
Understanding of the application is needed
Good for unknown attacks
Updates may not be required for newer attacks, but changes to the application might require changes to the rules
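The two models from the last two slides, as an added example (not code from the original deck or any vendor): a handful of negative-model signatures beside a positive-model profile for two URLs, run over constructed requests. The signatures, the profile and the requests are all illustrative assumptions; the point is the difference in what each model catches and what each model breaks.

```python
"""Added example (not from the original slides): negative and positive WAF
security models implemented as plain Python and compared on the same
constructed requests."""
import re

# Negative model: deny anything matching a known-bad pattern, allow the rest.
# Illustrative signatures; a real ruleset has hundreds.
SIGNATURES = {
    "sqli": re.compile(r"(?i)\bunion\b.*\bselect\b|'\s*or\s*'1'\s*=\s*'1"),
    "xss": re.compile(r"(?i)<script\b|javascript:"),
    "traversal": re.compile(r"\.\./"),
}


def negative_model(request):
    """Return the name of the first signature a parameter matches, else None."""
    for value in request["params"].values():
        for name, pattern in SIGNATURES.items():
            if pattern.search(value):
                return name
    return None


# Positive model: per-URL description of legitimate traffic; anything else denied.
PROFILE = {
    "/login": {"methods": {"POST"},
               "params": {"user": re.compile(r"^[a-z0-9_.]{1,32}$"),
                          "pass": re.compile(r"^.{1,64}$")}},
    "/article": {"methods": {"GET"},
                 "params": {"id": re.compile(r"^[0-9]{1,9}$")}},
}


def positive_model(request):
    """Return the reason for denial, or None if the request fits its profile."""
    profile = PROFILE.get(request["path"])
    if profile is None:
        return "unknown url"
    if request["method"] not in profile["methods"]:
        return "method not allowed"
    for name, value in request["params"].items():
        rule = profile["params"].get(name)
        if rule is None:
            return "unexpected parameter %s" % name
        if not rule.match(value):
            return "parameter %s out of profile" % name
    return None


def evaluate(request):
    """Run both models; None means that model would let the request through."""
    return {"negative": negative_model(request), "positive": positive_model(request)}


# Constructed requests.
LEGIT = {"method": "GET", "path": "/article", "params": {"id": "42"}}
KNOWN_ATTACK = {"method": "GET", "path": "/article",
                "params": {"id": "1 UNION SELECT password FROM users"}}
# Same attack with comment-obfuscated keywords: no signature fires.
NOVEL_ATTACK = {"method": "GET", "path": "/article",
                "params": {"id": "1 UNI/**/ON SEL/**/ECT password FROM users"}}
# Legitimate parameter the application added after the profile was built.
NEW_FEATURE = {"method": "GET", "path": "/article",
               "params": {"id": "42", "lang": "en"}}

if __name__ == "__main__":
    for label, req in [("legit", LEGIT), ("known attack", KNOWN_ATTACK),
                       ("novel attack", NOVEL_ATTACK), ("new feature", NEW_FEATURE)]:
        print(label, evaluate(req))
```

The obfuscated injection slips past the signatures but fails the `id` profile, which is the "good for unknown attacks" point; the new `lang` parameter is harmless yet denied by the positive model until the profile is updated, which is the "changes to applications might require changes to rules" point.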

SSL Decryption
A WAF must be able to inspect data protected by SSL
An embedded WAF receives the data in cleartext
Other types of WAF have to decrypt the traffic, either by terminating the SSL session on the WAF, or by passively decrypting the traffic using the web server's private key
Passive decryption with the server's private key only works for cipher suites that use RSA key transport; with Diffie-Hellman key exchange the private key does not yield the session key, so the WAF has to terminate SSL itself

Protection Techniques
Brute-Force Protection: detect manual or automated brute force attacks and block or slow them down
Cookie Protection: sign, encrypt or hide cookies
Hidden Form Field Protection: prevent hidden fields from being changed
Session Management: virtualize session management
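The cookie-signing and hidden-form-field protections from this slide, as an added example that is not code from the original deck: the WAF appends an HMAC to every cookie and hidden field it sends out and verifies it on the way back, so any client-side change is rejected before the application sees it. The key, the cookie and the field values are constructed for the demo; the encrypt/hide variants are not shown.

```python
"""Added example (not from the original slides): signing outbound cookies
and hidden form fields with an HMAC and verifying them on the inbound
request, the way a WAF protects values the browser is expected to echo."""
import base64
import hashlib
import hmac

KEY = b"demo-key-rotate-me"  # assumed WAF-side secret, never sent to the client


def _mac(value):
    # urlsafe base64 has no '.', so '.' can separate value and MAC unambiguously
    digest = hmac.new(KEY, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def sign(value):
    """Outbound: append a MAC so the value can be verified when it returns."""
    return "%s.%s" % (value, _mac(value))


def verify(signed):
    """Inbound: return the original value, or None if unsigned or altered."""
    value, sep, mac = signed.rpartition(".")
    if not sep or not hmac.compare_digest(mac, _mac(value)):
        return None
    return value


def protect_response(set_cookie, hidden_fields):
    """Sign what the server sends: a Set-Cookie value and hidden form fields."""
    return sign(set_cookie), {k: sign(v) for k, v in hidden_fields.items()}


def check_request(cookie, form):
    """Verify what the client returns; reject the request on any mismatch."""
    session = verify(cookie)
    if session is None:
        return None
    fields = {}
    for name, value in form.items():
        original = verify(value)
        if original is None:
            return None
        fields[name] = original
    return {"cookie": session, "fields": fields}


def demo():
    """Honest round trip, a changed hidden price, and a changed cookie."""
    cookie, fields = protect_response("role=user", {"price": "100", "item": "book"})
    price_mac = fields["price"].rpartition(".")[2]
    forged_fields = dict(fields, price="1." + price_mac)       # keep MAC, change value
    forged_cookie = "role=admin." + cookie.rpartition(".")[2]  # same trick on the cookie
    return {
        "honest": check_request(cookie, fields),
        "field_tampered": check_request(cookie, forged_fields),
        "cookie_tampered": check_request(forged_cookie, fields),
    }


if __name__ == "__main__":
    print(demo())
```

Signing does not hide the value (the client can still read `role=user`); for that the slide's "encrypt or hide" variants apply, where the WAF keeps the real value server-side and sends only an opaque token.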

WAF Vendor Provided Technologies / Features
Out-of-box rulesets for OWASP Top 10, PCI-DSS compliance etc.
Application Profiling / Learning
Defect Detection
Cloaking

Out-of-box Rulesets
Some WAF vendors provide pre-packaged rulesets like:
PCI DSS: security rules for complying with the PCI DSS standard
OWASP Top 10: protects applications against the top 10 vulnerabilities as published by OWASP

Application Profiling / Learning
An application profiling system automatically builds a customized, positive security model for each application to capture its acceptable behaviour
The system maps all levels of application behaviour
It learns of any changes made to the application and adjusts the profile

Defect Detection
A WAF may be able to detect application defects like:
Improper request handling
Missing hyperlinks
Missing images

Cloaking
Web servers and applications often leak a lot of information through error messages
Cloaking prevents this kind of information leakage by:
Translating URLs
Re-writing HTTP headers
Concealing error messages
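The three cloaking actions from this slide applied to a constructed backend response, as an added example that is not code from the original deck. The internal-to-public URL mapping, the list of stack-revealing headers and the error-page fingerprints are assumptions for the demo; a product's cloaking engine would be configured per application.

```python
"""Added example (not from the original slides): URL translation, HTTP header
rewriting and error-message concealment applied to a backend response before
it reaches the client."""
import re

# Assumed mapping for the demo: internal application paths vs. the public
# paths clients are allowed to see.
URL_MAP = {"/app/servlet/Login.do": "/login", "/app/servlet/Account.do": "/account"}
REVERSE_MAP = {public: internal for internal, public in URL_MAP.items()}
# Response headers that name the server stack; dropped outright.
LEAKY_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "via"}
# Fingerprints of raw error pages that the generic page replaces.
ERROR_FINGERPRINT = re.compile(r"(?i)fatal error|stack trace|exception|on line \d+|ORA-\d{5}")
GENERIC_ERROR = "<html><body>The request could not be processed.</body></html>"


def inbound_path(public_path):
    """Translate a public URL from the client to the internal one the app expects."""
    return REVERSE_MAP.get(public_path, public_path)


def translate_body(text):
    """Rewrite internal URLs in links or header values so the layout stays hidden."""
    for internal, public in URL_MAP.items():
        text = text.replace(internal, public)
    return text


def rewrite_headers(headers):
    """Drop stack-revealing headers and translate redirect targets."""
    out = []
    for name, value in headers:
        lname = name.lower()
        if lname in LEAKY_HEADERS:
            continue
        if lname == "location":
            value = translate_body(value)
        out.append((name, value))
    return out


def conceal_error(status, body):
    """Replace server errors (5xx, or bodies that look like raw error output)."""
    if status >= 500 or ERROR_FINGERPRINT.search(body):
        return 500, GENERIC_ERROR
    return status, body


def cloak(status, headers, body):
    """Apply all three cloaking steps to one backend response."""
    status, body = conceal_error(status, body)
    return status, rewrite_headers(headers), translate_body(body)


# Constructed backend responses for the demo.
LEAKY_RESPONSE = (
    200,
    [("Server", "Apache/2.2.3 (CentOS)"), ("X-Powered-By", "PHP/5.1.6"),
     ("Content-Type", "text/html")],
    "<b>Fatal error</b>: Call to undefined function in /var/www/html/db.php on line 42",
)
REDIRECT_RESPONSE = (
    302,
    [("Server", "Apache/2.2.3 (CentOS)"), ("Location", "/app/servlet/Login.do")],
    '<a href="/app/servlet/Account.do">Account</a>',
)

if __name__ == "__main__":
    for response in (LEAKY_RESPONSE, REDIRECT_RESPONSE):
        print(cloak(*response))
```

Note that the first response was a 200 carrying a PHP fatal error in its body; cloaking on status code alone would have let the file path and line number through, which is why the body is fingerprinted as well.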

DEMO
The following concerns will be addressed:
Buffer Overflows
Cross-Site Scripting
SQL Injection
Other Injections
Information Leakage
Directory Traversal
Protocol Violations

Questions
Kishin Fatnani
Email: kishin@ksecure.net
Blog: kishinf.blogspot.com
Training enquiry: info@ksecure.net