Making the web secure by design

Similar documents
Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Copyright

OWASP Top 10 The Ten Most Critical Web Application Security Risks

5 IT security hot topics How safe are you?

Aguascalientes Local Chapter. Kickoff

CSWAE Certified Secure Web Application Engineer

SECURITY TESTING. Towards a safer web world

C1: Define Security Requirements

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Security Course. WebGoat Lab sessions

Professional Services Overview

Certified Secure Web Application Engineer

Ranking Vulnerability for Web Application based on Severity Ratings Analysis

Web Application Security. Philippe Bogaerts

eb Security Software Studio

CSE361 Web Security. Attacks against the server-side of web applications. Nick Nikiforakis

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

OWASP Review. Amherst Security Group June 14, 2017 Robert Hurlbut.

Exploiting and Defending: Common Web Application Vulnerabilities

Application. Security. on line training. Academy. by Appsec Labs

WebGoat Lab session overview

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Web Security. Web Programming.

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Development*Process*for*Secure* So2ware

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Carbon Black PCI Compliance Mapping Checklist

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

Copyright

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Mitigating Security Breaches in Retail Applications WHITE PAPER

How NOT To Get Hacked

Client Side Injection on Web Applications

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

The Top 6 WAF Essentials to Achieve Application Security Efficacy

Web Application Attacks

Test Harness for Web Application Attacks

PHP-security Software lifecycle General Security Webserver security PHP security. Security Summary. Server-Side Web Languages

Solutions Business Manager Web Application Security Assessment

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

You will discuss topics related to ethical hacking, information risks, and security techniques which hackers will seek to circumvent.

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

HP 2012 Cyber Security Risk Report Overview

WebGoat& WebScarab. What is computer security for $1000 Alex?

Evaluating the Security Risks of Static vs. Dynamic Websites

CS 356 Operating System Security. Fall 2013

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

V Conference on Application Security and Modern Technologies

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems

RiskSense Attack Surface Validation for Web Applications

AURA ACADEMY Training With Expertised Faculty Call Us On For Free Demo

Secure Agile How to make secure applications using Agile Methods Thomas Stiehm, CTO

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

OWASP TOP 10. By: Ilia

Shortcut guide to Web application firewall deployment

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

Chrome Extension Security Architecture

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

Application Security & Verification Requirements

The 3 Pillars of SharePoint Security

Advanced Ethical Hacking & Penetration Testing. Ethical Hacking

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Securing Your Company s Web Presence

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

Web Applications Penetration Testing

Web Application Threats and Remediation. Terry Labach, IST Security Team

shortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge

John Coggeshall Copyright 2006, Zend Technologies Inc.

Don t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel

RBS NetGain Enterprise Manager Multiple Vulnerabilities of 11

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

Overtaking Google Desktop Leveraging XSS to Raise Havoc. 6 th OWASP AppSec Conference. The OWASP Foundation

CS 161 Computer Security

Engineering Your Software For Attack

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Symlink attacks. Do not assume that symlinks are trustworthy: Example 1

OWASP InfoSec Romania 2013

CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance

ANATOMY OF AN ATTACK!

Web Application Vulnerabilities: OWASP Top 10 Revisited

90% of data breaches are caused by software vulnerabilities.

The Honest Advantage

Is Your Web Application Really Secure? Ken Graf, Watchfire

Using Open Tools to Convert Threat Intelligence into Practical Defenses A Practical Approach

Vulnerability Management & Vulnerability Assessment. Nessus Attack Scripting Language (NASL). CVE databases, NVD database

Web App Testing: RECON. MAPPING. ANALYSIS.

Product Security Program

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:

It was a dark and stormy night. Seriously. There was a rain storm in Wisconsin, and the line noise dialing into the Unix machines was bad enough to

E-Guide CLOUDS ARE MORE SECURE THAN TRADITIONAL IT SYSTEMS -- AND HERE S WHY

6 Critical Reasons for Office 365 Backup. The case for why organizations need to protect Office 365 data

Your Turn to Hack the OWASP Top 10!

COPYRIGHTED MATERIAL. Contents. Part I: The Basics in Depth 1. Chapter 1: Windows Attacks 3. Chapter 2: Conventional and Unconventional Defenses 51

Transcription:

Making the web secure by design

Glenn ten Cate Security Engineer @Schuberg Philis Riccardo ten Cate Security Researcher

Agenda Why SKF What you will get/learn Stages of development Intro & how to Hands on - testing ASVS Getting involved Questions? 3

Why S.K.F. Missing security at design Missing defensive coding approach Missing security guidance Missing security requirements Security is hard Security information should be available for everybody 4

What you will get/learn Guide to secure programming Do security by design, not implementing security afterwards. Security awareness It ll inform you about threats even before you wrote a single line of code. Central place for security reference Provides information applicable for your specific needs on the spot. 5

Stages of development Pre development stage Here we detect threats before hand and we provide developers with secure development patterns as well as providing feedback and solutions on how to handle their threats. Post development stage By means of checklists we guide developers through a process where we harden their application infrastructure and functions by providing feedback and solutions 6

Demo: https://securityknowledgeframework.org/demo.php 7

Hands on - testing Visit the web application Check out this new web application developed by SloppyCode INC. Visit the website on http://192.168.8.133 Source of SloppyCode INC available at: https://github. com/blabla1337/skf-workshop Learn the hackers mindset In order to defend we first must think like an attacker. 8

Some hacking exercises Cross site scripting Reflective file download Directory/path traversal Identifier injection 9

Cross site scripting Attack vector: If you can imagine it, you can do it. Under the right conditions XSS can do almost anything. For example: http://beefproject.com/ Objective Due to the variety of attacks and encodings there are a lot of different possible attack strings to execute an XSS attack. For this exercise though you will only need a simple : <script>alert(1337); </script>. Now find the XSS injection in the application. 10

Reflective file download Attack vector: Reflective file download occurs whenever an attacker can "forge" a download through misconfigurations in your "disposition" and "content type" headers. This attack can lead to compromising the victim s entire workstation. Objective Try tamerping with the filenames and see if you can forge your own download on the web application. Try to make your attack access a local file on your machine. 11

Directory/path traversal Attack vector: A Path Traversal attack aims to access files and directories that are stored outside the web root folder. By browsing the application, the attacker looks for absolute links to files stored on the web server. By manipulating variables that reference files with dot-dot-slash (.. /); sequences and its variations, it may be possible to access arbitrary files and directories stored on file system. Objective Try to read the secrets.txt from the webserver by doing a path traversal attack. 12

Identifier injection Attack vector: An application uses parameters in order to process data. These parameters can also be used to assign certain roles and retrieve content corresponding with those parameters. Whenever these parameters are tampered with an attacker might gain access to other users data. Objective Watch the applications operation and look out for identifiers like user= or id= when you are searching for identifier injection. Let s see if we can read some user data not intended for our eyes. 13

OWASP ASVS ASVS lvl1 Opportunistic It adequately defends against application security vulnerabilities that are easy to discover. ASVS lvl2 Standard It adequately defends against prevalent application security vulnerabilities whose existence poses moderate-to-serious risk. ASVS lvl3 Advanced It adequately defends against all advanced application security vulnerabilities, and also demonstrates principles of good security design. 14

Getting involved? Website secureby.design Together we can make it big, strong and helpful! 15

Questions? 16

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback