SlideShare una empresa de Scribd logo

Dallas websecuritygroup addressing-top-security-threats-v2

Descargar como PPTX, PDF
D
Dallas Web Security Group

Corrected some spelling errors from the February version found here: http://www.slideshare.net/DallasWebSecurityGroup/dallas-web-security-group-february-meeting-addressing-top-security-threats

1 de 34
Credera is a full-service management and Dallas Office Houston Office Austin Office Denver Office 15303 Dallas Parkway 800 Town & Country Blvd 9020 N Capital of Texas Hwy 5445 DTC Parkway technology consulting firm. Our clients range Suite 300 Suite 300 Suite 345 Suite 1040 from Fortune 1,000 companies to emerging Addison, TX 75001 Houston, TX 77024 Austin, TX 78759 Greenwood Village, CO 80111 industry leaders. We provide expert, objective advice to help solve complex business and 972.692.0010 Phone 713.496.0711 Phone 512.327.1112 Phone 303.623.1344 Phone technology challenges. 972.692.0019 Fax 713.401.9650 Fax 512.233.0844 Fax 303.484.4577 Fax
Addressing Top Security Threats in Web Applications Dallas, TX February 12, 2013 Dallas Web Security Group Inaugural Meeting Dustin Talk Josh Hamit Discussion document – Strictly Confidential & Proprietary
Agenda … Welcome to the Dallas Web Security User Group, where we will discuss all things related to web security • Introductions • Expectations and Objectives • Why is Security Important? • What are Common Security Issues? – The OWASP Top 10 • How Common are Security Vulnerabilities? – 2012 Research Findings • Looking at Some Examples – SQL Injection (SQLi) – Cross Site Scripting (XSS) – A Real Life Example • What Can I do? • Q&A Dallas Web Security Group 2/13/2013 3
Introductions Dallas Web Security Group 2/13/2013 4
Introductions… Dustin Talk and Josh Hamit (both not Anonymous) Dustin Talk Dustin Talk is an Architect with Credera in the eCommerce practice. He holds a B.S. and Masters degree in Computer Science from Texas A&M University. Dustin has several years experience in custom web application development with a focus on security, emerging technologies, and Spring/JPA Frameworks. During tenure with Credera, he has led and worked on various teams building applications in Java including supply chain optimization, large scale eCommerce implementations utilizing Broadleaf Commerce, and eCommerce conversion efforts. Past Presentations: • OWASP Top 10 - Live Exploits by Example • Stripe’s Capture The Flag #2 • OAuth 1.0 / 2.0 • OpenID Josh Hamit Joshua Hamit is a Consultant in the Custom Java Development Practice at Credera. He earned his B.B.A in Management Information Systems from Baylor University. Joshua has several years experience designing and implementing technology solutions utilizing a broad range of technologies while adhering to industry best practices. While at Credera, he has lead the design and implementation of multiple single sign-on authentication systems, enterprise integrations, complex UI solutions, analytic tracking pixels, and mobile web applications. Past Presentations: • Addressing Cross-Cutting Concerns with AOP • Functional Testing with Geb • Stripe’s Capture The Flag #2 • Effective Front-End Design with SASS Dallas Web Security Group 2/13/2013 5
Expectations and Objectives Dallas Web Security Group 2/13/2013 6
Expectations and Objectives … The Organizational Goal is to equip you with knowledge that you may incorporate in your job, your next project, or just to have fun (not lulz) Participant Expectations • Focus on DFW Area • Provide Education to Seed Investigation • Learn more about Software / Infrastructure / etc… Dallas Web Security Group 2/13/2013 7
Why is Security Important? Dallas Web Security Group 2/13/2013 8
Why is Security Important? … Not limited to business, the web is a means to showcase capabilities and engage with others providing hackers with a variety of attack vectors to be defended The Importance of Security • Legal Risk: Many organizations are legally bound to protect privacy and security, this is often an integral part of application development – COPPA – HIPPA – Sarbanes-Oxley – PCI Compliance • Financial Risk: Computer security attacks cost $48 billion in 2011 – 2011 cost of individual data breach estimated to be $5.5 million – Organized hacking groups may be betterl funded than your IT department • Reputation Risk: Trust is a key component to customer adoption and retention – 20% of businesses that lost data, lost customers as a direct result – 40-80 people may be impacted as the result of a single angry customer • Doxing: Living in a digital information age allows others to know more about you than ever before – Expectation of privacy, when there may be none due to data leakage – Can be used to encroach on physical security *https://devcentral.f5.com/blogs/us/quantifying-reputation-loss-from-a-breach Dallas Web Security Group http://www.informationweek.com/security/attacks/data-breach-costs-drop/232602891 2/13/2013 9 http://www.druva.com/blog/2012/08/15/security-breaches-are-on-the-rise-but-preventable/
Why is Security Important? … With constant code deployments and a steady stream of exploits released the organizational importance placed on web security does not vary The Importance of Security Website security is a moving target. New attacks techniques are frequently disclosed. New website launches are common. New Web technologies are made available every day. New application code is released constantly. Enterprises need timely information about how they can best defend their websites, gain visibility into their vulnerability lifecycle, measure the performance of their security programs, and determine how they compare to their industry peers. Establishing these metrics is crucial towards improving enterprise security. Dallas Web Security Group *Figure and statistics from June 2012 WhiteHat Security Statistics Report 2/13/2013 10
What are Common Security Issues? Dallas Web Security Group 2/13/2013 11
What are Common Security Issues? … OWASP collects data from successful web application attacks to produce a list of the top 10 web attacks seen over the past year by security experts #1 – Injection Pro Tip: Let Google find these exploitable pages for you by searching for them (ex: “intext:SQL syntax & inurl:index.php?=id & inurl:edu” Dallas Web Security Group *Data provided by the Open Web Application Security Project 2/13/2013 12
What are Common Security Issues? … OWASP collects data from successful web application attacks to produce a list of the top 10 web attacks seen over the past year by security experts #2 – Cross Site Scripting (XSS) Occurs any time… •Raw data from attacker is sent to an innocent user’s browser Raw data… •Stored in database •Reflected from web input (form field, hidden field, URL, etc…) •Sent directly into rich JavaScript client Virtually every web application has this problem •Try this in your browser – javascript:alert(document.cookie) Typical Impact •Steal user’s session, steal sensitive data, rewrite web page, redirect user to phishing or malware site •Most Severe: Install XSS proxy which allows attacker to observe and direct all user’s behavior on vulnerable site and force user to other sites Pro Tip: Use a cheat sheet when penetration testing for this (http://ha.ckers.org/xsscalc.html) Dallas Web Security Group *Data provided by the Open Web Application Security Project 2/13/2013 13
What are Common Security Issues? … OWASP collects data from successful web application attacks to produce a list of the top 10 web attacks seen over the past year by security experts #3 – Broken Authentication and Session Management HTTP is a “stateless” protocol •Means credentials have to go with every request •Should use SSL for everything requiring authentication Session management flaws •SESSION ID used to track state since HTTP doesn’t •and it is just as good as credentials to an attacker •SESSION ID is typically exposed on the network, in browser, in logs, … Beware the side-doors •Change my password, remember my password, forgot my password, secret question, logout, email address, etc… Typical Impact •User accounts compromised or user sessions hijacked Pro Tip: Using tools like Cookie Cadger can quickly help check Session Management or hijacking issues Dallas Web Security Group *Data provided by the Open Web Application Security Project 2/13/2013 14
What are Common Security Issues? … OWASP collects data from successful web application attacks to produce a list of the top 10 web attacks seen over the past year by security experts #4 – Insecure Direct Object References How do you protect access to your data? • This is part of enforcing proper “Authorization”, along with A7 – Failure to Restrict URL Access A common mistake … • Only listing the ‘authorized’ objects for the current user, or • Hiding the object references in hidden fields • … and then not enforcing these restrictions on the server side • This is called presentation layer access control, and doesn’t work • Attacker simply tampers with parameter value Typical Impact • Users are able to access unauthorized files or data Pro Tip: Using Google’s cache feature can tell hackers how a page’s form used to appear on a site Dallas Web Security Group *Data provided by the Open Web Application Security Project 2/13/2013 15
What are Common Security Issues? … OWASP collects data from successful web application attacks to produce a list of the top 10 web attacks seen over the past year by security experts #5 – Cross Site Request Forgery (CSRF) Cross Site Request Forgery • An attack where the victim’s browser is tricked into issuing a command to a vulnerable web application • Vulnerability is caused by browsers automatically including user authentication data (session ID, IP address, Windows domain credentials, …) with each request Imagine… • What if a hacker could steer your mouse and get you to click on links in your online banking application? • What could they make you do? Typical Impact • Initiate transactions (transfer funds, logout user, close account) • Access sensitive data • Change account details Pro Tip: HTML Image Tags can be easily used for CSRF as the ‘src’ element can be any HTTP location and does not have to be an image Dallas Web Security Group *Data provided by the Open Web Application Security Project 2/13/2013 16
What are Common Security Issues? … OWASP collects data from successful web application attacks to produce a list of the top 10 web attacks seen over the past year by security experts #6 – Security Misconfiguration Pro Tip: The Metasploit Framework provides a vast repository of tests for security misconfigurations Dallas Web Security Group *Data provided by the Open Web Application Security Project 2/13/2013 17
What are Common Security Issues? … OWASP collects data from successful web application attacks to produce a list of the top 10 web attacks seen over the past year by security experts #7 – Insecure Cryptographic Storage Storing sensitive data insecurely • Failure to identify all sensitive data • Failure to identify all the places that this sensitive data gets stored • Databases, files, directories, log files, backups, etc. • Failure to properly protect this data in every location Typical Impact • Attackers access or modify confidential or private information • e.g, credit cards, health care records, financial data (yours or your customers) • Attackers extract secrets to use in additional attacks • Company embarrassment, customer dissatisfaction, and loss of trust • Expense of cleaning up the incident, such as forensics, sending apology letters, reissuing thousands of credit cards, providing identity theft insurance • Business gets sued and/or fined Pro Tip: Never hash passwords, use bcyrpt. In 3 days on old hardware we are able to reverse over 300,000 complex hashed passwords Dallas Web Security Group *Data provided by the Open Web Application Security Project 2/13/2013 18
What are Common Security Issues? … OWASP collects data from successful web application attacks to produce a list of the top 10 web attacks seen over the past year by security experts #8 – Avoiding URL Access Control Flaws For each URL, a site needs to do 3 things •Restrict access to authenticated users (if not public) •Enforce any user or role based permissions (if private) •Completely disallow requests to unauthorized page types (e.g., config files, log files, source files, etc.) Verify your architecture •Use a simple, positive model at every layer •Be sure you actually have a mechanism at every layer Verify the implementation •Forget automated analysis approaches •Verify that each URL in your application is protected by either •An external filter, like Java EE web.xml or a commercial product •Or internal checks in YOUR code – Use ESAPI’s isAuthorizedForURL() method •Verify the server configuration disallows requests to unauthorized file types •Use WebScarab or your browser to forge unauthorized requests Pro Tip: Using Google you can quickly find admin login url’s (ex: search for “inurl:admin/login.php”) Dallas Web Security Group *Data provided by the Open Web Application Security Project 2/13/2013 19
What are Common Security Issues? … OWASP collects data from successful web application attacks to produce a list of the top 10 web attacks seen over the past year by security experts #9 – Insufficient Transport Layer Protection Transmitting sensitive data insecurely • Failure to identify all sensitive data • Failure to identify all the places that this sensitive data is sent • On the web, to backend databases, to business partners, internal communications • Failure to properly protect this data in every location Typical Impact • Attackers access or modify confidential or private information • e.g, credit cards, health care records, financial data (yours or your customers) • Attackers extract secrets to use in additional attacks • Company embarrassment, customer dissatisfaction, and loss of trust • Expense of cleaning up the incident • Business gets sued and/or fined Pro Tip: While most servers attempt to promote a TLS connection, they will usually still accept a less secure SSL 2.0 connection Dallas Web Security Group *Data provided by the Open Web Application Security Project 2/13/2013 20
What are Common Security Issues? … OWASP collects data from successful web application attacks to produce a list of the top 10 web attacks seen over the past year by security experts #10 – Unvalidated Redirects and Forwards Web application redirects are very common • And frequently include user supplied parameters in the destination URL • If they aren’t validated, attacker can send victim to a site of their choice Forwards (aka Transfer in .NET) are common too • They internally send the request to a new page in the same application • Sometimes parameters define the target page • If not validated, attacker may be able to use unvalidated forward to bypass authentication or authorization checks Typical Impact • Redirect victim to phishing or malware site • Attacker’s request is forwarded past security checks, allowing unauthorized function or data access Pro Tip: Most firewalls attempt to prevent this by blocking the text “http://” in URLs, however using just “//” works in most browsers Dallas Web Security Group *Data provided by the Open Web Application Security Project 2/13/2013 21
How Common are Security Vulnerabilities? Dallas Web Security Group 2/13/2013 22
How Common are Security Vulnerabilities? … The reality of Web Application Security is that while total number of vulnerabilities are decreasing we are not out of the woods yet Vulnerabilities are Decreasing • Web Application Firewall Adoption has improved to mitigate 71% of vulnerabilities • Remediation Rates are increasing, fixed 38 days or faster in 2011 • Reduced Window of Exposure, from 233 days to 231 days • Scope of scans increased to include Energy and Non-Profit Dallas, TX is Vulnerable • Texas is the nations second largest Cyberstate • 456,500 High Tech Jobs *Figure and statistics from June 2012 WhiteHat Security Statistics Report Dallas Web Security Group http://www.druva.com/blog/2012/08/15/security-breaches-are-on-the-rise-but-preventable/ 2/13/2013 23 http://www.techamericafoundation.org/cyberstates2011-texas
How Common are Security Vulnerabilities? … Despite the overall improvement of security vulnerabilities, the past year has been rough with millions of accounts exposed to hackers from the biggest sites A year in Security Breaches Dallas Web Security Group *Figure and statistics from Dashlane / Harris Interactive 2/13/2013 24
How Common are Security Vulnerabilities? … Despite a reduction in the number of vulnerabilities discovered on average, the possibility of a serious vulnerability remains high Serious Vulnerabilities • 55% of websites contain Cross Site Scripting Vulnerabilities • Over half of websites expose sensitive data, useful to intruders • More than 1/3 of websites allow for content spoofing (used in phishing or brand attacks) Dallas Web Security Group *Figure and statistics from June 2012 WhiteHat Security Statistics Report 2/13/2013 25
How Common are Security Vulnerabilities? … Breaking down the data by industry accredits widely held beliefs about some industries but exposes others Industries Compared • Banking and Healthcare rank lower • Education in the middle • Retail and Insurance are the most exposed • IT is number three? A High Standard Deviation • Companies typically get it and invest in it, or they don’t Dallas Web Security Group *Figure and statistics from June 2012 WhiteHat Security Statistics Report 2/13/2013 26
How Common are Security Vulnerabilities? … The time of exposure is directly related to the developer and executive support for information and application security Window of Exposure • Vulnerabilities can and will happen to every company • Significantly reduced risk is possible with organizational focus Dallas Web Security Group *Figure and statistics from June 2012 WhiteHat Security Statistics Report 2/13/2013 27
How Common are Security Vulnerabilities? … The time to fix vulnerabilities may be inhibited by the complexity of an organization but the true time to fix involves a sense of Risk Management Average Time to Fix Vulnerabilities • 50% of Organizations required 38 days or less to remediate their serious vulnerabilities Dallas Web Security Group *Figure and statistics from June 2012 WhiteHat Security Statistics Report 2/13/2013 28
How Common are Security Vulnerabilities? … Vulnerability remediation can take many forms and fixes performed at only one level, leave an opportunity for the issue to re-appear Vulnerability Reopen Rates The higher severity that a vulnerability has, the higher the likelihood that the vulnerability will reopen. Urgent: 23%, Critical: 22%, High: 15%. Dallas Web Security Group *Figure and statistics from June 2012 WhiteHat Security Statistics Report 2/13/2013 29
A Look at Some Examples (DEMO) Dallas Web Security Group 2/13/2013 30
A Look at Some Examples … Anyone can setup an exploit in a sandboxed environment, but these are real vulnerabilities live and in the wild A simple cross site scripting attack Dallas Web Security Group 2/13/2013 31
What Can I Do? Dallas Web Security Group 2/13/2013 32
What Can I do? … Attend More Meetings… What To Do Now • Develop Secure Code using Industry Best Practices • Review your Applications using an External Team What Not To Do • With the rate of attacks, don’t attract unwanted attention – http://www.youtube.com/watch?feature=player_detailpage&v=5gPt8HYMO7Q#t=69s Reference Materials • The Open Web Application Security Project – https://www.owasp.org/ Dallas Web Security Group 2/13/2013 33
Q&A Dallas Web Security Group 2/13/2013 34

Recomendados

Mitigating Web 2.0 Threats
Mitigating Web 2.0 ThreatsMitigating Web 2.0 Threats
Mitigating Web 2.0 Threats
Kim Jensen
 
Cloud security Deep Dive 2011
Cloud security Deep Dive 2011Cloud security Deep Dive 2011
Cloud security Deep Dive 2011
Kim Jensen
 
Case study
Case studyCase study
Case study
Shehrevar Davierwala
 
Carbon Black: 32 Security Experts on Changing Endpoint Security
Carbon Black: 32 Security Experts on Changing Endpoint SecurityCarbon Black: 32 Security Experts on Changing Endpoint Security
Carbon Black: 32 Security Experts on Changing Endpoint Security
Mighty Guides, Inc.
 
Beware the Firewall My Son: The Workshop
Beware the Firewall My Son: The WorkshopBeware the Firewall My Son: The Workshop
Beware the Firewall My Son: The Workshop
Michele Chubirka
 
DLP Executive Overview
DLP Executive OverviewDLP Executive Overview
DLP Executive Overview
Kim Jensen
 
Cyber Resilience
Cyber ResilienceCyber Resilience
Cyber Resilience
Ian-Edward Stafrace
 
Shariyaz abdeen data leakage prevention presentation
Shariyaz abdeen data leakage prevention presentationShariyaz abdeen data leakage prevention presentation
Shariyaz abdeen data leakage prevention presentation
Shariyaz Abdeen
 

Recomendados

Mitigating Web 2.0 Threats
Mitigating Web 2.0 ThreatsMitigating Web 2.0 Threats
Mitigating Web 2.0 Threats
Kim Jensen
 
Cloud security Deep Dive 2011
Cloud security Deep Dive 2011Cloud security Deep Dive 2011
Cloud security Deep Dive 2011
Kim Jensen
 
Case study
Case studyCase study
Case study
Shehrevar Davierwala
 
Carbon Black: 32 Security Experts on Changing Endpoint Security
Carbon Black: 32 Security Experts on Changing Endpoint SecurityCarbon Black: 32 Security Experts on Changing Endpoint Security
Carbon Black: 32 Security Experts on Changing Endpoint Security
Mighty Guides, Inc.
 
Beware the Firewall My Son: The Workshop
Beware the Firewall My Son: The WorkshopBeware the Firewall My Son: The Workshop
Beware the Firewall My Son: The Workshop
Michele Chubirka
 
DLP Executive Overview
DLP Executive OverviewDLP Executive Overview
DLP Executive Overview
Kim Jensen
 
Cyber Resilience
Cyber ResilienceCyber Resilience
Cyber Resilience
Ian-Edward Stafrace
 
Shariyaz abdeen data leakage prevention presentation
Shariyaz abdeen data leakage prevention presentationShariyaz abdeen data leakage prevention presentation
Shariyaz abdeen data leakage prevention presentation
Shariyaz Abdeen
 
MT74 - Is Your Tech Support Keeping Up with Your Instr Tech
MT74 - Is Your Tech Support Keeping Up with Your Instr TechMT74 - Is Your Tech Support Keeping Up with Your Instr Tech
MT74 - Is Your Tech Support Keeping Up with Your Instr Tech
Dell EMC World
 
Cyber Attacks aren't going away - including Cyber Security in your risk strategy
Cyber Attacks aren't going away - including Cyber Security in your risk strategyCyber Attacks aren't going away - including Cyber Security in your risk strategy
Cyber Attacks aren't going away - including Cyber Security in your risk strategy
James Mulhern
 
A Strategy for Addressing Cyber Security Challenges
A Strategy for Addressing Cyber Security Challenges A Strategy for Addressing Cyber Security Challenges
A Strategy for Addressing Cyber Security Challenges
Cybersecurity Education and Research Centre
 
Getting ahead of compromise
Getting ahead of compromiseGetting ahead of compromise
Getting ahead of compromise
CMR WORLD TECH
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Sounil Yu
 
Master Thesis Security in Distributed Databases- Ian Lee
Master Thesis Security in Distributed Databases- Ian LeeMaster Thesis Security in Distributed Databases- Ian Lee
Master Thesis Security in Distributed Databases- Ian Lee
Ian Lee
 
Advanced Persistent Threat - Evaluating Effective Responses
Advanced Persistent Threat - Evaluating Effective ResponsesAdvanced Persistent Threat - Evaluating Effective Responses
Advanced Persistent Threat - Evaluating Effective Responses
NetIQ
 
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICES
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICESRansomware Response Guide IBM INCIDENT RESPONSE SERVICES
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICES
Katherine Duffy
 
Top 9 Data Security Trends for 2012
Top 9 Data Security Trends for 2012Top 9 Data Security Trends for 2012
Top 9 Data Security Trends for 2012
Imperva
 
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)Cognitive Security - Anatomy of Advanced Persistent Threats ('12)
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)
Gabriel Dusil
 
Cisa ransomware guide
Cisa ransomware guideCisa ransomware guide
Cisa ransomware guide
anpapathanasiou
 
Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...
Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...
Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...
Cybersecurity Education and Research Centre
 
Toward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network AutomationToward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network Automation
E.S.G. JR. Consulting, Inc.
 
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Ulf Mattsson
 
2015 Year to Date Security Trends
2015 Year to Date Security Trends2015 Year to Date Security Trends
2015 Year to Date Security Trends
Terra Verde
 
Securing Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best PracticesSecuring Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best Practices
Ulf Mattsson
 
Identity theft in the Cloud and remedies
Identity theft in the Cloud and remediesIdentity theft in the Cloud and remedies
Identity theft in the Cloud and remedies
Giuseppe Paterno'
 
Data Loss Prevention
Data Loss PreventionData Loss Prevention
Data Loss Prevention
Reza Kopaee
 
security_secure_pipes_frost_whitepaper
security_secure_pipes_frost_whitepapersecurity_secure_pipes_frost_whitepaper
security_secure_pipes_frost_whitepaper
Alan Rudd
 
Securing Oracle Database 12c
Securing Oracle Database 12cSecuring Oracle Database 12c
Securing Oracle Database 12c
Inprise Group
 
Dallas Web Security Group - February Meeting - Addressing Top Security Threats
Dallas Web Security Group - February Meeting - Addressing Top Security ThreatsDallas Web Security Group - February Meeting - Addressing Top Security Threats
Dallas Web Security Group - February Meeting - Addressing Top Security Threats
Dallas Web Security Group
 
Fundamentals of Cryptography
Fundamentals of CryptographyFundamentals of Cryptography
Fundamentals of Cryptography
Dallas Web Security Group
 

Más contenido relacionado

La actualidad más candente

Master Thesis Security in Distributed Databases- Ian Lee
Master Thesis Security in Distributed Databases- Ian LeeMaster Thesis Security in Distributed Databases- Ian Lee
Master Thesis Security in Distributed Databases- Ian Lee
Ian Lee
 
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)Cognitive Security - Anatomy of Advanced Persistent Threats ('12)
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)
Gabriel Dusil
 
Toward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network AutomationToward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network Automation
E.S.G. JR. Consulting, Inc.
 
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Ulf Mattsson
 
Securing Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best PracticesSecuring Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best Practices
Ulf Mattsson
 
Data Loss Prevention
Data Loss PreventionData Loss Prevention
Data Loss Prevention
Reza Kopaee
 
security_secure_pipes_frost_whitepaper
security_secure_pipes_frost_whitepapersecurity_secure_pipes_frost_whitepaper
security_secure_pipes_frost_whitepaper
Alan Rudd
 

La actualidad más candente (20)

MT74 - Is Your Tech Support Keeping Up with Your Instr Tech
MT74 - Is Your Tech Support Keeping Up with Your Instr TechMT74 - Is Your Tech Support Keeping Up with Your Instr Tech
MT74 - Is Your Tech Support Keeping Up with Your Instr Tech
 
Cyber Attacks aren't going away - including Cyber Security in your risk strategy
Cyber Attacks aren't going away - including Cyber Security in your risk strategyCyber Attacks aren't going away - including Cyber Security in your risk strategy
Cyber Attacks aren't going away - including Cyber Security in your risk strategy
 
A Strategy for Addressing Cyber Security Challenges
A Strategy for Addressing Cyber Security Challenges A Strategy for Addressing Cyber Security Challenges
A Strategy for Addressing Cyber Security Challenges
 
Getting ahead of compromise
Getting ahead of compromiseGetting ahead of compromise
Getting ahead of compromise
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
 
Master Thesis Security in Distributed Databases- Ian Lee
Master Thesis Security in Distributed Databases- Ian LeeMaster Thesis Security in Distributed Databases- Ian Lee
Master Thesis Security in Distributed Databases- Ian Lee
 
Advanced Persistent Threat - Evaluating Effective Responses
Advanced Persistent Threat - Evaluating Effective ResponsesAdvanced Persistent Threat - Evaluating Effective Responses
Advanced Persistent Threat - Evaluating Effective Responses
 
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICES
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICESRansomware Response Guide IBM INCIDENT RESPONSE SERVICES
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICES
 
Top 9 Data Security Trends for 2012
Top 9 Data Security Trends for 2012Top 9 Data Security Trends for 2012
Top 9 Data Security Trends for 2012
 
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)Cognitive Security - Anatomy of Advanced Persistent Threats ('12)
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)
 
Cisa ransomware guide
Cisa ransomware guideCisa ransomware guide
Cisa ransomware guide
 
Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...
Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...
Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...
 
Toward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network AutomationToward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network Automation
 
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
 
2015 Year to Date Security Trends
2015 Year to Date Security Trends2015 Year to Date Security Trends
2015 Year to Date Security Trends
 
Securing Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best PracticesSecuring Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best Practices
 
Identity theft in the Cloud and remedies
Identity theft in the Cloud and remediesIdentity theft in the Cloud and remedies
Identity theft in the Cloud and remedies
 
Data Loss Prevention
Data Loss PreventionData Loss Prevention
Data Loss Prevention
 
security_secure_pipes_frost_whitepaper
security_secure_pipes_frost_whitepapersecurity_secure_pipes_frost_whitepaper
security_secure_pipes_frost_whitepaper
 
Securing Oracle Database 12c
Securing Oracle Database 12cSecuring Oracle Database 12c
Securing Oracle Database 12c
 

Destacado

1 id and fort riley weekly news update 2 8-13
1 id and fort riley weekly news update 2 8-131 id and fort riley weekly news update 2 8-13
1 id and fort riley weekly news update 2 8-13
LawDawg___7879
 
National pet dental health month
National pet dental health monthNational pet dental health month
National pet dental health month
Megan Hart
 
Employee engagement overview of findings
Employee engagement overview of findingsEmployee engagement overview of findings
Employee engagement overview of findings
Cindy Joice
 
Digility Corporate Introduction
Digility Corporate IntroductionDigility Corporate Introduction
Digility Corporate Introduction
Ankush Gupta
 

Destacado (7)

Dallas Web Security Group - February Meeting - Addressing Top Security Threats
Dallas Web Security Group - February Meeting - Addressing Top Security ThreatsDallas Web Security Group - February Meeting - Addressing Top Security Threats
Dallas Web Security Group - February Meeting - Addressing Top Security Threats
 
Fundamentals of Cryptography
Fundamentals of CryptographyFundamentals of Cryptography
Fundamentals of Cryptography
 
1 id and fort riley weekly news update 2 8-13
1 id and fort riley weekly news update 2 8-131 id and fort riley weekly news update 2 8-13
1 id and fort riley weekly news update 2 8-13
 
National pet dental health month
National pet dental health monthNational pet dental health month
National pet dental health month
 
Employee engagement overview of findings
Employee engagement overview of findingsEmployee engagement overview of findings
Employee engagement overview of findings
 
Digility Corporate Introduction
Digility Corporate IntroductionDigility Corporate Introduction
Digility Corporate Introduction
 
Flores
FloresFlores
Flores
 

Similar a Dallas websecuritygroup addressing-top-security-threats-v2

Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDCDefending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Cloudflare
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
Threat Stack
 
EISA Considerations for Web Application Security
EISA Considerations for Web Application SecurityEISA Considerations for Web Application Security
EISA Considerations for Web Application Security
Larry Ball
 
Zero Trust and Data Security
Zero Trust and Data SecurityZero Trust and Data Security
Zero Trust and Data Security
Career Communications Group
 
Best practices for automating cloud security processes with Evident.io and AWS
Best practices for automating cloud security processes with Evident.io and AWSBest practices for automating cloud security processes with Evident.io and AWS
Best practices for automating cloud security processes with Evident.io and AWS
Amazon Web Services
 
Comparative Study of Mod Security (Autosaved)
Comparative Study of Mod Security (Autosaved)Comparative Study of Mod Security (Autosaved)
Comparative Study of Mod Security (Autosaved)
Dashti Abdullah
 
Forrester Research: Securing the Cloud When Users are Left to Their Own Devices
Forrester Research: Securing the Cloud When Users are Left to Their Own DevicesForrester Research: Securing the Cloud When Users are Left to Their Own Devices
Forrester Research: Securing the Cloud When Users are Left to Their Own Devices
Netskope
 
Challenges2013
Challenges2013Challenges2013
Challenges2013
Lancope, Inc.
 
Information Security
Information SecurityInformation Security
Information Security
Mohit8780
 

Similar a Dallas websecuritygroup addressing-top-security-threats-v2 (20)

Correcthorsebatterystaple dwsg 07 09-13
Correcthorsebatterystaple dwsg 07 09-13Correcthorsebatterystaple dwsg 07 09-13
Correcthorsebatterystaple dwsg 07 09-13
 
Asset Discovery in India – Redhunt Labs
Asset Discovery in India – Redhunt LabsAsset Discovery in India – Redhunt Labs
Asset Discovery in India – Redhunt Labs
 
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDCDefending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
 
EISA Considerations for Web Application Security
EISA Considerations for Web Application SecurityEISA Considerations for Web Application Security
EISA Considerations for Web Application Security
 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetup
 
Top Application Security Trends of 2012
Top Application Security Trends of 2012Top Application Security Trends of 2012
Top Application Security Trends of 2012
 
Zero Trust and Data Security
Zero Trust and Data SecurityZero Trust and Data Security
Zero Trust and Data Security
 
Best practices for automating cloud security processes with Evident.io and AWS
Best practices for automating cloud security processes with Evident.io and AWSBest practices for automating cloud security processes with Evident.io and AWS
Best practices for automating cloud security processes with Evident.io and AWS
 
Adam R. Moore Security Architect Resume
Adam R. Moore Security Architect ResumeAdam R. Moore Security Architect Resume
Adam R. Moore Security Architect Resume
 
Practical Security for the Cloud
Practical Security for the CloudPractical Security for the Cloud
Practical Security for the Cloud
 
Comparative Study of Mod Security (Autosaved)
Comparative Study of Mod Security (Autosaved)Comparative Study of Mod Security (Autosaved)
Comparative Study of Mod Security (Autosaved)
 
Secure Android Apps- nVisium Security
Secure Android Apps- nVisium SecuritySecure Android Apps- nVisium Security
Secure Android Apps- nVisium Security
 
Forrester Research: Securing the Cloud When Users are Left to Their Own Devices
Forrester Research: Securing the Cloud When Users are Left to Their Own DevicesForrester Research: Securing the Cloud When Users are Left to Their Own Devices
Forrester Research: Securing the Cloud When Users are Left to Their Own Devices
 
Challenges2013
Challenges2013Challenges2013
Challenges2013
 
Ethernautics, Inc - Database Cyber Security Threats
Ethernautics, Inc - Database Cyber Security ThreatsEthernautics, Inc - Database Cyber Security Threats
Ethernautics, Inc - Database Cyber Security Threats
 
Glasswall - Safety and Integrity Through Trusted Files
Glasswall - Safety and Integrity Through Trusted FilesGlasswall - Safety and Integrity Through Trusted Files
Glasswall - Safety and Integrity Through Trusted Files
 
Information Security
Information SecurityInformation Security
Information Security
 
Who owns Software Security
Who owns Software SecurityWho owns Software Security
Who owns Software Security
 

Dallas websecuritygroup addressing-top-security-threats-v2

  • 1. Credera is a full-service management and Dallas Office Houston Office Austin Office Denver Office 15303 Dallas Parkway 800 Town & Country Blvd 9020 N Capital of Texas Hwy 5445 DTC Parkway technology consulting firm. Our clients range Suite 300 Suite 300 Suite 345 Suite 1040 from Fortune 1,000 companies to emerging Addison, TX 75001 Houston, TX 77024 Austin, TX 78759 Greenwood Village, CO 80111 industry leaders. We provide expert, objective advice to help solve complex business and 972.692.0010 Phone 713.496.0711 Phone 512.327.1112 Phone 303.623.1344 Phone technology challenges. 972.692.0019 Fax 713.401.9650 Fax 512.233.0844 Fax 303.484.4577 Fax
  • 2. Addressing Top Security Threats in Web Applications Dallas, TX February 12, 2013 Dallas Web Security Group Inaugural Meeting Dustin Talk Josh Hamit Discussion document – Strictly Confidential & Proprietary
  • 3. Agenda … Welcome to the Dallas Web Security User Group, where we will discuss all things related to web security • Introductions • Expectations and Objectives • Why is Security Important? • What are Common Security Issues? – The OWASP Top 10 • How Common are Security Vulnerabilities? – 2012 Research Findings • Looking at Some Examples – SQL Injection (SQLi) – Cross Site Scripting (XSS) – A Real Life Example • What Can I do? • Q&A Dallas Web Security Group 2/13/2013 3
  • 4. Introductions Dallas Web Security Group 2/13/2013 4
  • 5. Introductions… Dustin Talk and Josh Hamit (both not Anonymous) Dustin Talk Dustin Talk is an Architect with Credera in the eCommerce practice. He holds a B.S. and Masters degree in Computer Science from Texas A&M University. Dustin has several years experience in custom web application development with a focus on security, emerging technologies, and Spring/JPA Frameworks. During tenure with Credera, he has led and worked on various teams building applications in Java including supply chain optimization, large scale eCommerce implementations utilizing Broadleaf Commerce, and eCommerce conversion efforts. Past Presentations: • OWASP Top 10 - Live Exploits by Example • Stripe’s Capture The Flag #2 • OAuth 1.0 / 2.0 • OpenID Josh Hamit Joshua Hamit is a Consultant in the Custom Java Development Practice at Credera. He earned his B.B.A in Management Information Systems from Baylor University. Joshua has several years experience designing and implementing technology solutions utilizing a broad range of technologies while adhering to industry best practices. While at Credera, he has lead the design and implementation of multiple single sign-on authentication systems, enterprise integrations, complex UI solutions, analytic tracking pixels, and mobile web applications. Past Presentations: • Addressing Cross-Cutting Concerns with AOP • Functional Testing with Geb • Stripe’s Capture The Flag #2 • Effective Front-End Design with SASS Dallas Web Security Group 2/13/2013 5
  • 6. Expectations and Objectives Dallas Web Security Group 2/13/2013 6
  • 7. Expectations and Objectives … The Organizational Goal is to equip you with knowledge that you may incorporate in your job, your next project, or just to have fun (not lulz) Participant Expectations • Focus on DFW Area • Provide Education to Seed Investigation • Learn more about Software / Infrastructure / etc… Dallas Web Security Group 2/13/2013 7
  • 8. Why is Security Important? Dallas Web Security Group 2/13/2013 8
  • 9. Why is Security Important? … Not limited to business, the web is a means to showcase capabilities and engage with others providing hackers with a variety of attack vectors to be defended The Importance of Security • Legal Risk: Many organizations are legally bound to protect privacy and security, this is often an integral part of application development – COPPA – HIPPA – Sarbanes-Oxley – PCI Compliance • Financial Risk: Computer security attacks cost $48 billion in 2011 – 2011 cost of individual data breach estimated to be $5.5 million – Organized hacking groups may be betterl funded than your IT department • Reputation Risk: Trust is a key component to customer adoption and retention – 20% of businesses that lost data, lost customers as a direct result – 40-80 people may be impacted as the result of a single angry customer • Doxing: Living in a digital information age allows others to know more about you than ever before – Expectation of privacy, when there may be none due to data leakage – Can be used to encroach on physical security *https://devcentral.f5.com/blogs/us/quantifying-reputation-loss-from-a-breach Dallas Web Security Group http://www.informationweek.com/security/attacks/data-breach-costs-drop/232602891 2/13/2013 9 http://www.druva.com/blog/2012/08/15/security-breaches-are-on-the-rise-but-preventable/
  • 10. Why is Security Important? … With constant code deployments and a steady stream of exploits released the organizational importance placed on web security does not vary The Importance of Security Website security is a moving target. New attacks techniques are frequently disclosed. New website launches are common. New Web technologies are made available every day. New application code is released constantly. Enterprises need timely information about how they can best defend their websites, gain visibility into their vulnerability lifecycle, measure the performance of their security programs, and determine how they compare to their industry peers. Establishing these metrics is crucial towards improving enterprise security. Dallas Web Security Group *Figure and statistics from June 2012 WhiteHat Security Statistics Report 2/13/2013 10
  • 11. What are Common Security Issues? Dallas Web Security Group 2/13/2013 11
  • 12. What are Common Security Issues? … OWASP collects data from successful web application attacks to produce a list of the top 10 web attacks seen over the past year by security experts #1 – Injection Pro Tip: Let Google find these exploitable pages for you by searching for them (ex: “intext:SQL syntax & inurl:index.php?=id & inurl:edu” Dallas Web Security Group *Data provided by the Open Web Application Security Project 2/13/2013 12
  • 13. What are Common Security Issues? … OWASP collects data from successful web application attacks to produce a list of the top 10 web attacks seen over the past year by security experts #2 – Cross Site Scripting (XSS) Occurs any time… •Raw data from attacker is sent to an innocent user’s browser Raw data… •Stored in database •Reflected from web input (form field, hidden field, URL, etc…) •Sent directly into rich JavaScript client Virtually every web application has this problem •Try this in your browser – javascript:alert(document.cookie) Typical Impact •Steal user’s session, steal sensitive data, rewrite web page, redirect user to phishing or malware site •Most Severe: Install XSS proxy which allows attacker to observe and direct all user’s behavior on vulnerable site and force user to other sites Pro Tip: Use a cheat sheet when penetration testing for this (http://ha.ckers.org/xsscalc.html) Dallas Web Security Group *Data provided by the Open Web Application Security Project 2/13/2013 13
  • 14. What are Common Security Issues? … OWASP collects data from successful web application attacks to produce a list of the top 10 web attacks seen over the past year by security experts #3 – Broken Authentication and Session Management HTTP is a “stateless” protocol •Means credentials have to go with every request •Should use SSL for everything requiring authentication Session management flaws •SESSION ID used to track state since HTTP doesn’t •and it is just as good as credentials to an attacker •SESSION ID is typically exposed on the network, in browser, in logs, … Beware the side-doors •Change my password, remember my password, forgot my password, secret question, logout, email address, etc… Typical Impact •User accounts compromised or user sessions hijacked Pro Tip: Using tools like Cookie Cadger can quickly help check Session Management or hijacking issues Dallas Web Security Group *Data provided by the Open Web Application Security Project 2/13/2013 14
  • 15. What are Common Security Issues? … OWASP collects data from successful web application attacks to produce a list of the top 10 web attacks seen over the past year by security experts #4 – Insecure Direct Object References How do you protect access to your data? • This is part of enforcing proper “Authorization”, along with A7 – Failure to Restrict URL Access A common mistake … • Only listing the ‘authorized’ objects for the current user, or • Hiding the object references in hidden fields • … and then not enforcing these restrictions on the server side • This is called presentation layer access control, and doesn’t work • Attacker simply tampers with parameter value Typical Impact • Users are able to access unauthorized files or data Pro Tip: Using Google’s cache feature can tell hackers how a page’s form used to appear on a site Dallas Web Security Group *Data provided by the Open Web Application Security Project 2/13/2013 15
  • 16. What are Common Security Issues? … OWASP collects data from successful web application attacks to produce a list of the top 10 web attacks seen over the past year by security experts #5 – Cross Site Request Forgery (CSRF) Cross Site Request Forgery • An attack where the victim’s browser is tricked into issuing a command to a vulnerable web application • Vulnerability is caused by browsers automatically including user authentication data (session ID, IP address, Windows domain credentials, …) with each request Imagine… • What if a hacker could steer your mouse and get you to click on links in your online banking application? • What could they make you do? Typical Impact • Initiate transactions (transfer funds, logout user, close account) • Access sensitive data • Change account details Pro Tip: HTML Image Tags can be easily used for CSRF as the ‘src’ element can be any HTTP location and does not have to be an image Dallas Web Security Group *Data provided by the Open Web Application Security Project 2/13/2013 16
  • 17. What are Common Security Issues? … OWASP collects data from successful web application attacks to produce a list of the top 10 web attacks seen over the past year by security experts #6 – Security Misconfiguration Pro Tip: The Metasploit Framework provides a vast repository of tests for security misconfigurations Dallas Web Security Group *Data provided by the Open Web Application Security Project 2/13/2013 17
  • 18. What are Common Security Issues? … OWASP collects data from successful web application attacks to produce a list of the top 10 web attacks seen over the past year by security experts #7 – Insecure Cryptographic Storage Storing sensitive data insecurely • Failure to identify all sensitive data • Failure to identify all the places that this sensitive data gets stored • Databases, files, directories, log files, backups, etc. • Failure to properly protect this data in every location Typical Impact • Attackers access or modify confidential or private information • e.g, credit cards, health care records, financial data (yours or your customers) • Attackers extract secrets to use in additional attacks • Company embarrassment, customer dissatisfaction, and loss of trust • Expense of cleaning up the incident, such as forensics, sending apology letters, reissuing thousands of credit cards, providing identity theft insurance • Business gets sued and/or fined Pro Tip: Never hash passwords, use bcyrpt. In 3 days on old hardware we are able to reverse over 300,000 complex hashed passwords Dallas Web Security Group *Data provided by the Open Web Application Security Project 2/13/2013 18
  • 19. What are Common Security Issues? … OWASP collects data from successful web application attacks to produce a list of the top 10 web attacks seen over the past year by security experts #8 – Avoiding URL Access Control Flaws For each URL, a site needs to do 3 things •Restrict access to authenticated users (if not public) •Enforce any user or role based permissions (if private) •Completely disallow requests to unauthorized page types (e.g., config files, log files, source files, etc.) Verify your architecture •Use a simple, positive model at every layer •Be sure you actually have a mechanism at every layer Verify the implementation •Forget automated analysis approaches •Verify that each URL in your application is protected by either •An external filter, like Java EE web.xml or a commercial product •Or internal checks in YOUR code – Use ESAPI’s isAuthorizedForURL() method •Verify the server configuration disallows requests to unauthorized file types •Use WebScarab or your browser to forge unauthorized requests Pro Tip: Using Google you can quickly find admin login url’s (ex: search for “inurl:admin/login.php”) Dallas Web Security Group *Data provided by the Open Web Application Security Project 2/13/2013 19
  • 20. What are Common Security Issues? … OWASP collects data from successful web application attacks to produce a list of the top 10 web attacks seen over the past year by security experts #9 – Insufficient Transport Layer Protection Transmitting sensitive data insecurely • Failure to identify all sensitive data • Failure to identify all the places that this sensitive data is sent • On the web, to backend databases, to business partners, internal communications • Failure to properly protect this data in every location Typical Impact • Attackers access or modify confidential or private information • e.g, credit cards, health care records, financial data (yours or your customers) • Attackers extract secrets to use in additional attacks • Company embarrassment, customer dissatisfaction, and loss of trust • Expense of cleaning up the incident • Business gets sued and/or fined Pro Tip: While most servers attempt to promote a TLS connection, they will usually still accept a less secure SSL 2.0 connection Dallas Web Security Group *Data provided by the Open Web Application Security Project 2/13/2013 20
  • 21. What are Common Security Issues? … OWASP collects data from successful web application attacks to produce a list of the top 10 web attacks seen over the past year by security experts #10 – Unvalidated Redirects and Forwards Web application redirects are very common • And frequently include user supplied parameters in the destination URL • If they aren’t validated, attacker can send victim to a site of their choice Forwards (aka Transfer in .NET) are common too • They internally send the request to a new page in the same application • Sometimes parameters define the target page • If not validated, attacker may be able to use unvalidated forward to bypass authentication or authorization checks Typical Impact • Redirect victim to phishing or malware site • Attacker’s request is forwarded past security checks, allowing unauthorized function or data access Pro Tip: Most firewalls attempt to prevent this by blocking the text “http://” in URLs, however using just “//” works in most browsers Dallas Web Security Group *Data provided by the Open Web Application Security Project 2/13/2013 21
  • 22. How Common are Security Vulnerabilities? Dallas Web Security Group 2/13/2013 22
  • 23. How Common are Security Vulnerabilities? … The reality of Web Application Security is that while total number of vulnerabilities are decreasing we are not out of the woods yet Vulnerabilities are Decreasing • Web Application Firewall Adoption has improved to mitigate 71% of vulnerabilities • Remediation Rates are increasing, fixed 38 days or faster in 2011 • Reduced Window of Exposure, from 233 days to 231 days • Scope of scans increased to include Energy and Non-Profit Dallas, TX is Vulnerable • Texas is the nations second largest Cyberstate • 456,500 High Tech Jobs *Figure and statistics from June 2012 WhiteHat Security Statistics Report Dallas Web Security Group http://www.druva.com/blog/2012/08/15/security-breaches-are-on-the-rise-but-preventable/ 2/13/2013 23 http://www.techamericafoundation.org/cyberstates2011-texas
  • 24. How Common are Security Vulnerabilities? … Despite the overall improvement of security vulnerabilities, the past year has been rough with millions of accounts exposed to hackers from the biggest sites A year in Security Breaches Dallas Web Security Group *Figure and statistics from Dashlane / Harris Interactive 2/13/2013 24
  • 25. How Common are Security Vulnerabilities? … Despite a reduction in the number of vulnerabilities discovered on average, the possibility of a serious vulnerability remains high Serious Vulnerabilities • 55% of websites contain Cross Site Scripting Vulnerabilities • Over half of websites expose sensitive data, useful to intruders • More than 1/3 of websites allow for content spoofing (used in phishing or brand attacks) Dallas Web Security Group *Figure and statistics from June 2012 WhiteHat Security Statistics Report 2/13/2013 25
  • 26. How Common are Security Vulnerabilities? … Breaking down the data by industry accredits widely held beliefs about some industries but exposes others Industries Compared • Banking and Healthcare rank lower • Education in the middle • Retail and Insurance are the most exposed • IT is number three? A High Standard Deviation • Companies typically get it and invest in it, or they don’t Dallas Web Security Group *Figure and statistics from June 2012 WhiteHat Security Statistics Report 2/13/2013 26
  • 27. How Common are Security Vulnerabilities? … The time of exposure is directly related to the developer and executive support for information and application security Window of Exposure • Vulnerabilities can and will happen to every company • Significantly reduced risk is possible with organizational focus Dallas Web Security Group *Figure and statistics from June 2012 WhiteHat Security Statistics Report 2/13/2013 27
  • 28. How Common are Security Vulnerabilities? … The time to fix vulnerabilities may be inhibited by the complexity of an organization but the true time to fix involves a sense of Risk Management Average Time to Fix Vulnerabilities • 50% of Organizations required 38 days or less to remediate their serious vulnerabilities Dallas Web Security Group *Figure and statistics from June 2012 WhiteHat Security Statistics Report 2/13/2013 28
  • 29. How Common are Security Vulnerabilities? … Vulnerability remediation can take many forms and fixes performed at only one level, leave an opportunity for the issue to re-appear Vulnerability Reopen Rates The higher severity that a vulnerability has, the higher the likelihood that the vulnerability will reopen. Urgent: 23%, Critical: 22%, High: 15%. Dallas Web Security Group *Figure and statistics from June 2012 WhiteHat Security Statistics Report 2/13/2013 29
  • 30. A Look at Some Examples (DEMO) Dallas Web Security Group 2/13/2013 30
  • 31. A Look at Some Examples … Anyone can setup an exploit in a sandboxed environment, but these are real vulnerabilities live and in the wild A simple cross site scripting attack Dallas Web Security Group 2/13/2013 31
  • 32. What Can I Do? Dallas Web Security Group 2/13/2013 32
  • 33. What Can I do? … Attend More Meetings… What To Do Now • Develop Secure Code using Industry Best Practices • Review your Applications using an External Team What Not To Do • With the rate of attacks, don’t attract unwanted attention – http://www.youtube.com/watch?feature=player_detailpage&v=5gPt8HYMO7Q#t=69s Reference Materials • The Open Web Application Security Project – https://www.owasp.org/ Dallas Web Security Group 2/13/2013 33
  • 34. Q&A Dallas Web Security Group 2/13/2013 34