www.niiconsulting.com
Implementing a Comprehensive Application Security Program
Taufiq Ali
Manager – Security Assessment
Agenda
• The Biggest Hack in History
• How the Cookie Crumbles
• Answers!
• Technology Solutions
• Strategies
• Q&A
Information Security
View from the Trenches
Recent News
Paradigm Shift – Part I
APT & The Season of Hacks
What is APT
APT = Advanced Persistent Threat
APT is defined as a group of sophisticated, determined and coordinated attackers that have been systematically compromising U.S. Government and commercial networks for years. The vast majority of APT activity observed has been linked to China.
APT is a term coined by the U.S. Air Force in 2006.
APT Objectives
• Political
  • Includes suppression of their own population for stability
• Economic
  • Theft of IP, to gain competitive advantage
• Technical
  • Obtain source code for further exploit development
• Military
  • Identifying weaknesses that allow inferior military forces to defeat superior military forces
Targeting and Exploitation Cycle
How RSA was hacked
• RSA is one of the biggest security companies in the world
• Rivest, Shamir, Adleman – iconic founders
• Created a multi-billion-dollar enterprise
Initial Intrusion into the Network
• Specific email IDs were discovered from public sources and social engineering
• A spoofed email was sent
• The email subject line read “2011 Recruitment Plan.”
• The attachment was a backdoored Excel file, titled “2011 Recruitment plan.xls”
• It exploited a zero-day Adobe Flash vulnerability (CVE-2011-0609)
Establish a Backdoor into the Network
• Attempt to obtain domain administrative credentials … transfer the credentials out of the network
• The attackers then established a stronger foothold in the environment by moving laterally through the network and installing multiple backdoors with different configurations.
• The malware is installed with system-level privileges through the use of process injection, registry modification or scheduled services.
• A Poison Ivy variant set in reverse-connect mode, which makes it more difficult to detect
Obtain User Credentials
• The attackers often target domain controllers to obtain user accounts and corresponding password hashes en masse.
• The attackers also obtain local credentials from compromised systems
• The APT intruders access approximately 40 systems on a victim network using compromised credentials
• Analysts have seen as few as 10 compromised systems to in excess of 150 compromised systems
Conclusion
• The APT is everyone’s problem. No target is too small, or too obscure, or too well-known, or too vulnerable. It’s not spy-vs.-spy, but spy-vs.-everyone.
• This is a war of attrition against an enemy with extensive resources. It is a long fight, one that never ends.
• They steal information to achieve economic, political and strategic advantage.
• They establish and maintain an occupying force in their target’s environment.
• They steal between $40 billion and $50 billion in intellectual property from U.S. organizations each year.
Conclusion
• These are real and they are on a spree
• Your applications and end points are key entry points for such attacks
THE BIGGEST HACK IN HISTORY
Gonzalez, TJX and Heart-break-land
• >200 million credit card numbers stolen
• Heartland Payment Systems, TJX, and 2 US national retailers hacked
• Modus operandi
  • Visit retail stores to understand workings
  • Analyze websites for vulnerabilities
  • Hack in using SQL injection
  • Inject malware
  • Sniff for card numbers and details
  • Hide tracks
The hacker underground
• Albert Gonzalez
  • a/k/a “segvec”
  • a/k/a “soupnazi”
  • a/k/a “j4guar17”
• Malware, scripts and hacked data hosted on servers in:
  • Latvia
  • Netherlands
  • Ukraine
  • New Jersey
  • California
• IRC chats
  • March 2007: Gonzalez “planning my second phase against Hannaford”
  • December 2007: Hacker P.T. “that’s how [HACKER 2] hacked Hannaford.”
Where does all this end up?
• Commands used on IRC
  • !cardable
  • !cc, !cclimit, !chk, !cvv2, !exploit, !order.log, !proxychk
• IRC channels
  • #cc, #ccards, #ccinfo, #ccpower, #ccs, #masterccs, #thacc, #thecc, #virgincc
TJX direct costs
• $24 million to Mastercard
• $41 million to Visa
• $200 million in fines/penalties
How the Cookie Crumbles
OWASP TOP 10
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
Injection – 0wning the Enterprise
• Identifying SQL injections
• Getting to all the data inside the database
• Reading sensitive data inside the database, such as system users, application users, passwords etc.
• But how do you own the enterprise?
  • Cracking the password hashes
  • Running OS-level commands
  • Escalating privileges
  • Adding a user with the administrators role
• Enterprise Owned!
Identifying SQL Injection
[06:19:58] [INFO] TESTING FOR SQL INJECTION ON GET PARAMETER 'ID'
[06:20:10] [INFO] target url appears to have 2 columns in query
[06:20:10] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
GET PARAMETER 'ID' IS VULNERABLE. DO YOU WANT TO KEEP TESTING THE OTHERS (IF ANY)? [Y/N]
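What the scanner output above is detecting is request data pasted straight into SQL text. The following is an added example, not code from the slides or from NII, showing the injectable pattern for an 'id' GET parameter beside the hardened version that allow-lists the value and binds it as a parameter. The in-memory SQLite users table, its rows and the function names are constructed for the demonstration.

```python
"""Injectable vs. parameterised lookup for an 'id' GET parameter.

Added example (not from the slides). An in-memory SQLite table stands in
for the application's database. lookup_injectable() is the 'before': the
raw parameter becomes part of the SQL, so it can change what the query
means. lookup_hardened() is the 'after': validate against an allow-list,
then bind the value so the driver never lets it alter the statement.
"""
import sqlite3

# Constructed sample rows standing in for the application's users table.
SAMPLE_USERS = [(1, "alice", "a1b2"), (2, "bob", "c3d4"), (3, "carol", "e5f6")]


def make_db():
    """Build the constructed database used by both lookups."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_injectable(conn, raw_id):
    """The vulnerable pattern: string concatenation builds the query text."""
    query = "SELECT id, name FROM users WHERE id = " + raw_id
    return conn.execute(query).fetchall()


def validate_id(raw_id):
    """Allow-list check: the id must be a short string of decimal digits.

    Returns the integer value, or None when the input is anything else.
    """
    if not raw_id.isdigit() or len(raw_id) > 9:
        return None
    return int(raw_id)


def lookup_hardened(conn, raw_id):
    """The fixed pattern: validate first, then bind as a query parameter."""
    user_id = validate_id(raw_id)
    if user_id is None:
        return []  # reject outright rather than trying to 'clean' the input
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    probe = "1 OR 1=1"   # tautology: the concatenated query matches every row
    print("injectable:", lookup_injectable(conn, probe))
    print("hardened:  ", lookup_hardened(conn, probe))
    print("hardened, legitimate id:", lookup_hardened(conn, "2"))
```

Note that the hardened version rejects the probe before it ever reaches the database; the parameter binding is the second line of defence, so that an id which passes validation still cannot be interpreted as SQL.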
Database on the Web Server
What is Next?
• Running OS-level commands
• Escalating privileges
• Adding a user with the administrators role
• Taking remote access to the system
Net Result
Enterprise Owned!
XSS to 0wning the Enterprise
• XSS is a client-side attack
• Attacking your client base
• Browser bugs are the most popular targets for compromising end points
  • Java and Adobe Flash
• End points are entry into the network
• So what happens when you find a zero-day bug in the most popular software, like Java?
Java Zeroday
• This exploit has been tested successfully against multiple platforms:
  • Internet Explorer
  • Firefox
  • Safari
  • Chrome
• Fully patched operating systems:
  • Windows
  • Ubuntu
  • OS X
  • Solaris
It was raining shells
Chaining multiple issues
How other OWASP Top 10 issues can be lethal when put together
Death by thousand cuts (RSnake case study)
• #1 – webmail is easily located
• #2 – easily discoverable and plentiful email addresses
• #3 – forgotten passwords are sent in plain text
• #4 – system will allow users to change email address to any email address they want (with no verification)
• #5 – XSS vulnerabilities in the application
• #6 – usernames are email addresses
• #7 – recommendation engine sends custom emails
• #8 – login redirection issue
• #9 – function to detect valid users
• #10 – change email function is vulnerable to CSRF
Death by thousand cuts – Attack
• Detect a valid user on the website (#2, #6 and #9)
• Now change my email address to one of the email addresses of a corporate user (#4) that's NOT a user on the system
• Find valid users using the change-email function (#9)
• Send an email to one of the valid users on the system (#2) using the recommendation engine (#7).
Death by thousand cuts – Attack
• The link is a link to the login function (#8) that redirects the user to an XSS hole (#5).
• Now the user has logged in and their browser is under our control.
• Forward the user invisibly to the change-email function and force them to change their email address through CSRF (#10) to another email address that we've got control over.
• Then I have their browser submit the forgot-password function (#3), which delivers their password to my inbox.
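Each link in the chain has a direct fix: a session-bound CSRF token on the change-email function (#10), a confirmation sent to the new address before the change takes effect (#4), a single-use reset link instead of the password itself on forgot-password (#3), and the same response whether or not the account exists (#9). The following Python is an added example, not code from the slides or from RSnake's case study; the in-memory user store, the outbox list standing in for the mail system, the secret key and all function names are constructed.

```python
"""Hardened change-email and forgot-password flows.

Added example, not code from the slides or the case study. It closes the
links the chain above depends on: a session-bound CSRF token (#10),
confirmation to the new address before the change takes effect (#4), a
single-use reset link instead of the password (#3), and an identical
response whether or not the account exists (#9). The user store, the
outbox, the secret key and the function names are all constructed.
"""
import hashlib
import hmac
import secrets

SECRET_KEY = b"constructed-demo-key-use-a-real-secret-in-production"

# Constructed in-memory state.
users = {"alice": {"email": "alice@corp.example"}}
outbox = []              # (recipient, message) pairs instead of real mail
pending_changes = {}     # confirmation token -> (username, new_email)
reset_tokens = {}        # reset token -> username (expiry omitted here)


def csrf_token(session_id):
    """Token derived from the session id, so a form hosted on another
    site cannot know or supply it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def request_email_change(session_id, username, new_email, submitted_token):
    """Step 1 of the change: check the CSRF token, then mail a confirmation
    link to the NEW address. Nothing is changed yet."""
    if not hmac.compare_digest(csrf_token(session_id), submitted_token):
        return "rejected: csrf"                                   # #10
    token = secrets.token_urlsafe(32)
    pending_changes[token] = (username, new_email)
    outbox.append((new_email, f"confirm-email-change:{token}"))  # #4
    # Tell the current address too, so the real owner notices an attempt.
    outbox.append((users[username]["email"], "email-change-requested"))
    return "pending"


def confirm_email_change(token):
    """Step 2: only whoever controls the new mailbox can complete the
    change, and the token works exactly once."""
    entry = pending_changes.pop(token, None)
    if entry is None:
        return False
    username, new_email = entry
    users[username]["email"] = new_email
    return True


def forgot_password(username):
    """Mail a single-use reset token, never the password (#3), and give the
    same answer whether or not the username exists (#9)."""
    if username in users:
        token = secrets.token_urlsafe(32)
        reset_tokens[token] = username
        outbox.append((users[username]["email"], f"password-reset:{token}"))
    return "If the account exists, a reset link has been sent"


if __name__ == "__main__":
    sid = "constructed-session-1"
    print(request_email_change(sid, "alice", "other@example.test", "forged"))
    print(request_email_change(sid, "alice", "new@corp.example", csrf_token(sid)))
    print(outbox)
```

With these in place the chain breaks at three points independently: the forced request from the XSS payload fails the token check, a request that somehow passed it still changes nothing until the new mailbox confirms, and forgot-password no longer carries anything worth intercepting.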
Take away
• Minor issues are often overlooked, but in some cases even the smallest issues can mount into huge compromises in security
• Even minor issues that are regularly dismissed in security assessments can be leveraged by a determined attacker to compromise a corporation
Other aspects
Problem Background
Lack of Business Risk Perspective – US Department of Homeland Security:
“Most penetration testing processes and tools do little, if anything, to substantively address the business risks... This is largely due to the fact that the tools and the testers view the target systems with “technology blinders” on... Although many testing tools and services claim to rank vulnerabilities in terms of technical severity, they do not typically take business risk into account in any significant sense. At best, the test teams conduct interviews with the business owners of the applications and the application architects in an attempt to ascertain some degree of business impact, but that connection is tenuous. …the business perspectives, however limited, that these processes can determine are all post facto. That is, they make their business impact rankings after the test is completed... This is a key shortcoming of penetration testing practices today.”
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/penetration/655-BSI.html
Software Security – Building Security In, Chapter 6, “Penetration Testing Today”:
“The problem? No clue about security risk. No idea whether the most critical security risks have been identified, how much more risk remains in the system, and how many bugs are lurking in the zillions of lines of code”
The challenge
“Penetration testing is dead. The concept as we know it is on its death bed, waiting to die and come back as something else.”
– Brian Chess, Co-Founder, Fortify Software
LET’S START AT THE BEGINNING
Some theory
Approach
• Pre-sales approach
  • Client: “Please provide quote for black-box penetration test”
  • SP: “Hang on...”
  • SP: “I’d first like to know…”
• Pre-sales approach evolved
  • Client: “Please provide quote for black-box penetration test”
  • SP: “Hang on...”
  • SP: “I’d first like to know…”
Traditional vs. Risk-based Security Testing
| Traditional Testing | Risk-based Testing |
|---|---|
| Focus is on technical vulnerabilities | Focus is on business risks |
| Requires strong technical know-how | Requires both technical and business process know-how |
| Having the right set of tools is critical | Understanding the workings of the business and applications is critical |
| Is usually zero-knowledge | Requires a person who understands the business process to play a significant role – usually an insider |
| Understanding the regulatory environment is good | Understanding the regulatory environment is mandatory |
Traditional vs. Risk-based Pentesting
| Traditional Pentesting | Risk-based Pentesting |
|---|---|
| Severity levels are based on technical parameters | Severity levels are based on risk to the business |
| Risk levels in the report are assigned post facto | Risk levels in the report reflect the levels assigned prior to testing |
| Test cases are built based on testing methodologies or generic testing processes | Test cases additionally build on risk scenarios |
| Audience for the report is usually the IT and security teams | Audience for the report also includes the business process owners and heads of departments |
Case study
• Corporate banking platform – allows three logins
  • Maker, who enters the transaction into the system
  • Verifier, who checks the transaction data
  • Authorizer, who authorizes the final payment
• Each screen in the web application is different based on the privilege level of the logged-in user
• Security implemented by:
  • Restricting access to URLs that allow certain transactions
  • Parameters that trigger certain transactions
Case study
• RA phase
  • Understand business process
  • Understand business risks
  • Define test cases
    • Can the Maker do what the Verifier does?
    • Can the Verifier do what the Authorizer does?
    • Can the client’s admin do what the bank’s admin does?
    • And so forth
• Pentesting discovers
  • http://www.bankPay.co.in/BankPayApp/authorizePaymentAction.action is available only to the Authorizer
  • But what if the Maker puts it in his browser?
    • The transaction still doesn’t get authorized
  • Further investigation reveals a parameter: Filter=‘block’
  • When this value is changed to: Filter=‘submitToPay’
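The control that was missing is a server-side check that the role from the authenticated session, and the transaction's current state, decide what authorizePaymentAction may do; the Filter parameter should only select between operations the caller is already entitled to. The following Python is an added example, not the bank's code: the role names, the verifyPaymentAction name, the transaction object and the audit log format are constructed for the demonstration.

```python
"""Server-side authorisation for the maker/verifier/authorizer workflow.

Added example, not the bank's code. The caller's role comes from the
server-side session, never from the request. A transaction must move
through entered -> verified -> authorized with a different person at each
step (separation of duties), and the untrusted 'Filter' parameter is read
only after those checks pass. Role names, verifyPaymentAction and the
audit log format are constructed.
"""

# Which role may invoke which action (constructed mapping).
ALLOWED_ROLES = {
    "verifyPaymentAction": {"Verifier"},
    "authorizePaymentAction": {"Authorizer"},
}

# Constructed audit trail; in production this feeds the SIEM, since a
# denied authorizePaymentAction from a Maker is exactly the probe above.
audit_log = []


class Transaction:
    def __init__(self, tx_id, maker):
        self.tx_id = tx_id
        self.maker = maker          # user who entered it
        self.verifier = None
        self.state = "entered"      # entered -> verified -> authorized


def _deny(user, action, params, reason):
    audit_log.append(
        f"DENY user={user['name']} role={user['role']} action={action} "
        f"Filter={params.get('Filter')} reason={reason}"
    )
    return "denied"


def handle(action, session_user, params, tx):
    """Return the transaction's state after the request, or 'denied'.

    session_user is what the server stored at login; params is the
    untrusted request query string.
    """
    role, name = session_user["role"], session_user["name"]

    # 1. Role check, independent of anything in the request parameters.
    if action not in ALLOWED_ROLES:
        return _deny(session_user, action, params, "unknown-action")
    if role not in ALLOWED_ROLES[action]:
        return _deny(session_user, action, params, "role")

    # 2. Workflow-state and separation-of-duties checks.
    if action == "verifyPaymentAction":
        if tx.state != "entered":
            return _deny(session_user, action, params, "state")
        if name == tx.maker:
            return _deny(session_user, action, params, "maker-cannot-verify")
        tx.verifier = name
        tx.state = "verified"
        return tx.state

    # action == "authorizePaymentAction"
    if tx.state != "verified":
        return _deny(session_user, action, params, "state")
    if name in (tx.maker, tx.verifier):
        return _deny(session_user, action, params, "separation-of-duties")
    # 3. Only now does Filter matter, and only to choose between the two
    #    operations an Authorizer is entitled to: hold ('block') or release.
    if params.get("Filter") == "submitToPay":
        tx.state = "authorized"
    return tx.state


if __name__ == "__main__":
    tx = Transaction("TX-1", maker="m1")
    maker = {"name": "m1", "role": "Maker"}
    print(handle("authorizePaymentAction", maker, {"Filter": "submitToPay"}, tx))
    print(audit_log[-1])
```

The order of the checks is the point: a Maker sending Filter=‘submitToPay’ to authorizePaymentAction is denied at step 1 and logged, before the parameter is ever consulted.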
Vertical Privilege Escalation
Authorization controls broken
Submission to pay – not allowed
Changing the parameter…
Understanding the business
• Who are the key actors – employees, departments, customers, partners, vendors, investors, brokers, franchisees, resellers?
• What applications do they use?
• What data do they access through these applications?
• What are the risks if any of these actors turns bad?
• What possibilities exist if an actor should decide to misuse the data – building fraud scenarios?
Regulations that drive webapp testing
• PCI DSS
  • For all credit card processing merchants
  • Quarterly, semi-annual, annual network scans and penetration tests
  • Focus on web application security
  • Requires a high level of protection of credit card data
  • There are no fines for non-compliance, but breaches of security could put you out of business
• HIPAA
  • For healthcare and pharma providers
  • Requires a high level of protection for patient records and medical history
  • Fines for non-compliance are usually high
  • Breaches could put you out of practice/business
Answers!
Technology Solutions
• Web Application Firewalls
• Privileged Identity Management Suites
• Application-Aware Firewalls
• Application-Aware SIEMs
• Database Access Management Solutions
Before we get to the technology…
Application Security – Holistic Solution
• Design
• Develop/Manage
• Test
• Train
Secure Design
• Secure design models
• Client inputs
• Client education
• Threat modeling
  • Vulnerability classification – STRIDE
  • Risk classification – DREAD
Microsoft’s Threat Modeling Tool
Secure Coding Overview
Secure coding isn’t taught in school
• Homeland Security's Build Security In Maturity Model (BSIMM)
• Microsoft's Security Development Lifecycle (SDL)
• OpenSAMM (Software Assurance Maturity Model)
• OWASP Secure Coding Guides
Vendor Management
• Big names != good security
• Contractual weaknesses
• Lack of vendor oversight
• No penalties for blatantly buggy code!
Secure Hosting
• Web security
  • Secured web server
  • Secured application server – all components
  • Web application firewalls
• Database security
  • Security patches
  • Users and roles
  • Access control
  • Logging
  • Password security
  • Database table encryption
  • Data masking
• OS security
  • Security patches
  • Users and groups
  • Access control
  • Security policies
  • Secured login
  • Logging
Secure Testing
• Security testing options
  • Blackbox
  • Greybox
  • Whitebox
  • Source code review
• OWASP Top Ten (www.owasp.org)
• OWASP Testing Guide
Training
• Back to basics
• Natural thought process
• Look at the larger picture
• Make it fun
• Giving back to the community
Ground Realities!
Ground realities
• Business priorities
  • Expand, grow, market share!!
• Developer illiteracy
  • Unaware of security implications
  • Shortcut fixes
• Vendor apathy
  • Problem reinforced by weak contracts
• Unclear budgets
• Lip service by management towards information security
• CISO left fighting the battle alone without adequate resources
Strategize!
Use Triage
Applications’ Triage / 1
• Application risk assessment
  • Regulatory
    • PCI DSS
    • DOT
    • HIPAA/SOX/etc.
  • Legal
  • Contractual
  • Business impact
  • Reputation impact
Applications’ Triage / 2
• Nature of the application
  • Internal
  • External
  • Mixed
• Number of registered users
• Revenue generating / business process supporting / back-office / reporting
• Data that it deals with
  • Financial
  • PII
  • Corporate
  • Other
Applications’ Triage / 3
• Developed in-house
  • Currently being supported
  • Developers have moved on
• Outsourced
  • Within the country
  • Externally
• Commercial off the shelf
  • High level of customization
  • No customization
• Vendor leverage
  • Code/libraries in escrow
  • Existing vendor relationship
  • Dormant/dead vendor relationship
Application Classification
Sample Strategies / A
FINPRO
• Characteristics
  • Financial processing – accessible over the Internet
  • COTS – heavily customized
  • Vendor relationship – dormant
• Strategies
  • Isolate the system in the data center
  • Revive the vendor relationship
  • Implement PIM & WAF
  • Determine alternatives
Sample Strategies / B
ATLAS
• Characteristics
  • Claims processing – agents access over the Internet
  • In-house developed
  • Active development team
• Strategies
  • Implement & enforce internal SLAs
  • Regular secure coding training
  • Emphasis on secure coding libraries
  • Secure hosting
Take-Aways
• Application security has a long way to go for most large organizations
• The threat is ever-present and sustained
• Not all applications can be dealt with in the same manner
• Strategizing helps direct limited resources towards high-risk problems
• Vendors, business units, and information security have to co-ordinate efforts, and stop the blame-game
Ensure – this never happens!
Thank you!
Questions?
taufiq.ali@niiconsulting.com
Information Security Consulting Services
Institute of Information Security

Top 25 SOC Analyst interview questions that You Should Know.pptx
 
Ethical Hacking Interview Questions and Answers.pdf
Ethical Hacking Interview Questions and Answers.pdfEthical Hacking Interview Questions and Answers.pdf
Ethical Hacking Interview Questions and Answers.pdf
 
INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptx
INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptxINTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptx
INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptx
 
Online Gaming Cyber security and Threat Model
Online Gaming Cyber security and Threat ModelOnline Gaming Cyber security and Threat Model
Online Gaming Cyber security and Threat Model
 
Renaud Bido & Mohammad Shams - Hijacking web servers & clients
Renaud Bido & Mohammad Shams - Hijacking web servers & clientsRenaud Bido & Mohammad Shams - Hijacking web servers & clients
Renaud Bido & Mohammad Shams - Hijacking web servers & clients
 
Threat Hunting Playbook.pdf
Threat Hunting Playbook.pdfThreat Hunting Playbook.pdf
Threat Hunting Playbook.pdf
 
PowerPoint Presentation On Ethical Hacking in Brief (Simple)
PowerPoint Presentation On Ethical Hacking in Brief (Simple)PowerPoint Presentation On Ethical Hacking in Brief (Simple)
PowerPoint Presentation On Ethical Hacking in Brief (Simple)
 
Application security enterprise strategies
Application security enterprise strategiesApplication security enterprise strategies
Application security enterprise strategies
 
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
 
Cisco Security Presentation
Cisco Security PresentationCisco Security Presentation
Cisco Security Presentation
 

Último

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 

Último (20)

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 

Implementing a Comprehensive Application Security Program

• 1. Implementing a Comprehensive Application Security Program (www.niiconsulting.com)
  Taufiq Ali, Manager – Security Assessment

• 2. Agenda
  - The Biggest Hack in History
  - How the Cookie Crumbles
  - Answers!
  - Technology Solutions
  - Strategies
  - Q&A

• 5. Paradigm Shift – Part I
  APT & The Season of Hacks

• 6. What is APT
  - APT = Advanced Persistent Threat
  - APT is defined as a group of sophisticated, determined and coordinated attackers that have been systematically compromising U.S. Government and Commercial networks for years. The vast majority of APT activity observed has been linked to China.
  - APT is a term coined by the U.S. Air Force in 2006

• 7. APT Objectives
  - Political
    - Includes suppression of their own population for stability
  - Economic
    - Theft of IP, to gain competitive advantage
  - Technical
    - Obtain source code for further exploit development
  - Military
    - Identifying weaknesses that allow inferior military forces to defeat superior military forces

• 9. How RSA was hacked
  - RSA is one of the biggest security companies in the world
  - Rivest Shamir Adleman – iconic founders
  - Created a multi-billion $ enterprise

• 10. Initial Intrusion into the Network
  - Specific email IDs were discovered from public sources and social engineering
  - Spoofed email was sent
  - The email subject line read “2011 Recruitment Plan.”
  - The attachment was a backdoored Excel file, titled “2011 Recruitment plan.xls.”
  - It exploited a 0-day vulnerability – Adobe Flash vulnerability (CVE-2011-0609)

• 11. Establish a Backdoor into the Network
  - Attempt to obtain domain administrative credentials . . . Transfer the credentials out of the network
  - The attackers then established a stronger foothold in the environment by moving laterally through the network and installing multiple backdoors with different configurations.
  - The malware is installed with system level privileges through the use of process injection, registry modification or scheduled services.
  - Poison Ivy variant set in a reverse-connect mode that makes it more difficult to detect

• 12. Obtain User Credentials
  - The attackers often target domain controllers to obtain user accounts and corresponding password hashes en masse.
  - The attackers also obtain local credentials from compromised systems
  - The APT intruders access approximately 40 systems on a victim network using compromised credentials
  - Analysts have seen as few as 10 compromised systems to in excess of 150 compromised systems
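The slides describe intruders reusing stolen credentials across tens of systems. One detection a SOC can build from plain authentication logs is an account fan-out check: count, per account and per time window, how many distinct hosts the account successfully logged on to, and alert when that exceeds a baseline. The following is an added example written for this page, not code from the NII deck; the log format, host names, account names and the `fan_out_alerts` function are constructed for illustration and would be mapped to the fields of your own domain controller or SIEM logs.

```python
"""Detect one account authenticating to unusually many hosts in a short window.

Added example for this page (not from the NII slides).  The log format is a
constructed "<ISO timestamp> <account> <source_host> <dest_host> <result>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a normal user (alice) and a service account
# (svc-backup) whose credentials are suddenly used against many servers.
SAMPLE_LOG = """\
2011-03-01T09:00:01 alice ws-101 fileserver-1 success
2011-03-01T09:05:12 alice ws-101 mailserver-1 success
2011-03-01T09:06:40 svc-backup ws-233 dc-01 success
2011-03-01T09:07:05 svc-backup ws-233 srv-fin-01 success
2011-03-01T09:07:31 svc-backup ws-233 srv-fin-02 success
2011-03-01T09:08:02 svc-backup ws-233 srv-hr-01 success
2011-03-01T09:08:44 svc-backup ws-233 srv-dev-07 success
2011-03-01T09:09:10 svc-backup ws-233 srv-dev-08 success
2011-03-01T09:09:55 svc-backup ws-233 ws-119 success
2011-03-01T14:30:00 svc-backup bkp-01 srv-fin-01 success
"""


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, account, src, dst, result = line.split()
    return datetime.fromisoformat(ts), account, src, dst, result


def fan_out_alerts(log_text, window=timedelta(minutes=10), threshold=5):
    """Return [(account, window_start, sorted_hosts)] for every account that
    reached more than `threshold` distinct destination hosts within `window`.

    Only successful logons count: failures belong to a separate brute-force
    detection, and mixing them inflates the fan-out of ordinary users.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort()  # chronological, so the sliding window below is valid
    by_account = defaultdict(list)
    for ts, account, _src, dst, result in events:
        if result == "success":
            by_account[account].append((ts, dst))

    alerts = []
    for account, logons in by_account.items():
        start = 0
        for end in range(len(logons)):
            # advance the window start until the span fits in `window`
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {dst for _, dst in logons[start:end + 1]}
            if len(hosts) > threshold:
                alerts.append((account, logons[start][0], sorted(hosts)))
                break  # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    for account, since, hosts in fan_out_alerts(SAMPLE_LOG):
        print(f"ALERT {account}: {len(hosts)} hosts since {since}: {hosts}")
```

Tune `threshold` per account class: a backup or scanning service account legitimately touches many hosts and needs its own baseline, while an interactive user account reaching six servers in ten minutes from one workstation is exactly the pattern the slides attribute to credential reuse.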
• 13. Conclusion
  - The APT is everyone’s problem. No target is too small, or too obscure, or too well-known, or too vulnerable. It’s not spy-vs.-spy, but spy-vs.-everyone.
  - This is a war of attrition against an enemy with extensive resources. It is a long fight, one that never ends.
  - They steal information to achieve economic, political and strategic advantage.
  - They establish and maintain an occupying force in their target’s environment.
  - They steal between $40 billion and $50 billion in intellectual property from U.S. organizations each year.

• 14. Conclusion
  - These are real and they are on a spree
  - Your applications and end points are key entry points for such attacks

• 16. Gonzalez, TJX and Heart-break-land
  - >200 million credit card numbers stolen
  - Heartland Payment Systems, TJX, and 2 US national retailers hacked
  - Modus operandi
    - Visit retail stores to understand workings
    - Analyze websites for vulnerabilities
    - Hack in using SQL injection
    - Inject malware
    - Sniff for card numbers and details
    - Hide tracks

• 17. The hacker underground
  - Albert Gonzalez
    - a/k/a “segvec,”
    - a/k/a “soupnazi,”
    - a/k/a “j4guar17”
  - Malware, scripts and hacked data hosted on servers in:
    - Latvia
    - Netherlands
    - Ukraine
    - New Jersey
    - California
  - IRC chats
    - March 2007: Gonzalez “planning my second phase against Hannaford”
    - December 2007: Hacker P.T. “that’s how [HACKER 2] hacked Hannaford.”

• 18. Where does all this end up?
  - Commands used on IRC
    - !cardable
    - !cc, !cclimit, !chk, !cvv2, !exploit, !order.log, !proxychk
  - IRC Channels
    - #cc #ccards #ccinfo #ccpower #ccs #masterccs #thacc #thecc #virgincc

• 19. TJX direct costs
  - $24 million to Mastercard
  - $41 million to Visa
  - $200 million in fines/penalties

• 21. OWASP TOP 10
  - A1: Injection
  - A2: Cross-Site Scripting (XSS)
  - A3: Broken Authentication and Session Management
  - A4: Insecure Direct Object References
  - A5: Cross-Site Request Forgery (CSRF)
  - A6: Security Misconfiguration
  - A7: Insecure Cryptographic Storage
  - A8: Failure to Restrict URL Access
  - A9: Insufficient Transport Layer Protection
  - A10: Unvalidated Redirects and Forwards

• 22. Injection – 0wning the Enterprise
  - Identifying SQL injections
  - Getting to all the data inside the database
  - Reading sensitive data inside the database like system users, users, passwords etc.
  - But how do you own the enterprise?
    - Cracking the password hashes
    - Running OS level commands
    - Escalating privileges
    - Adding a user with the administrators role
    - Enterprise Owned!

• 23. Identifying SQL Injection
  [06:19:58] [INFO] TESTING FOR SQL INJECTION ON GET PARAMETER 'ID'
  [06:20:10] [INFO] target url appears to have 2 columns in query
  [06:20:10] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
  GET PARAMETER 'ID' IS VULNERABLE. DO YOU WANT TO KEEP TESTING THE OTHERS (IF ANY)? [Y/N]
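The scanner output above reports a GET parameter `id` whose value reaches the query text. What that looks like in code, and what the fix looks like, is shown in the following added example; it is not code from the deck or from the application the scanner was run against. The `products` table, its rows and the `lookup_*` functions are constructed for illustration, using SQLite in memory so it runs offline; the same parameter-binding API exists in every mainstream database driver.

```python
"""Vulnerable vs. parameterised lookup for an 'id' request parameter.

Added example for this page (not from the NII slides).  The schema and the
three rows are constructed; the point is the difference between pasting
request data into SQL text and binding it as a parameter.
"""
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", "none"), (2, "gadget", "none"),
         (3, "internal-pricing", "confidential")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, product_id):
    """The 'before' case: request data becomes part of the statement text,
    so a value containing a quote changes the structure of the query."""
    sql = "SELECT id, name FROM products WHERE id = '" + product_id + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, product_id):
    """Parameter binding: the driver passes the value separately from the
    statement, so it is compared as data and never parsed as SQL."""
    return conn.execute(
        "SELECT id, name FROM products WHERE id = ?", (product_id,)
    ).fetchall()


def lookup_safe_typed(conn, product_id):
    """Defence in depth: enforce the expected type before the query is built.
    A numeric id that is not all digits is rejected outright, which also
    gives the WAF / logging layer a clean event to record."""
    if not product_id.isdigit():
        raise ValueError("id must be a positive integer")
    return lookup_safe(conn, int(product_id))


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", lookup_vulnerable(conn, "' OR '1'='1"))  # every row
    print("safe:      ", lookup_safe(conn, "' OR '1'='1"))        # no rows
```

The later steps on the slide (cracking hashes, running OS commands, escalating privileges) all depend on what the application's database account is allowed to do, so the second control is to run that account with the least privilege the application needs: no access to system tables or other schemas, and no command-execution or file-system procedures enabled.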
• 30. What is Next?
  - Running OS level commands
  - Escalating privileges
  - Adding a user with the administrators role
  - Taking remote access to the system

• 32. XSS to 0wning the Enterprise
  - XSS is a client side attack
  - Attacking your client base
  - Browser bugs are the most popular targets for compromising end points
    - Java and Adobe Flash
  - End points are entry points into the network
  - So what happens when you find a zero-day bug in the most popular software, like Java?
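The server-side counterpart to the XSS slide is output encoding chosen for the context the data lands in, backed by a Content Security Policy so that a missed encoding does not immediately become script execution. The following is an added example written for this page, not code from the deck; the `render_profile` template, the `SAFE_SCHEMES` allow-list and the header values are constructed for illustration.

```python
"""Context-aware output encoding plus a CSP backstop against reflected XSS.

Added example for this page (not from the NII slides).  Template and header
values are constructed; `html.escape` and `urlsplit` are standard library.
"""
import html
from urllib.parse import urlsplit

# Only these schemes may appear in an href/src we emit (constructed policy).
SAFE_SCHEMES = {"http", "https"}


def encode_text(value):
    """For data placed between tags: < > & are enough, quotes may stay."""
    return html.escape(value, quote=False)


def encode_attr(value):
    """For data inside a double-quoted attribute: quotes must be escaped too,
    otherwise the value can close the attribute and start a new one."""
    return html.escape(value, quote=True)


def encode_url(value):
    """For href/src: entity encoding alone does not stop a javascript: URL,
    so the scheme is checked first and the attribute-encoded value returned."""
    scheme = urlsplit(value.strip()).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return "#"  # neutralise javascript:, data:, vbscript:, ...
    return encode_attr(value)


def render_profile(display_name, homepage):
    """Constructed template: the same user-controlled value lands in three
    different contexts, each with its own encoder."""
    return (
        "<p>Welcome, {name}</p>"
        '<a href="{url}" title="{title}">home</a>'
    ).format(
        name=encode_text(display_name),
        url=encode_url(homepage),
        title=encode_attr(display_name),
    )


def security_headers():
    """Response headers to send with every HTML page.  Blocking inline
    script means a single encoding slip is contained rather than exploited."""
    return {
        "Content-Security-Policy":
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print(render_profile("<script>alert(1)</script>", "javascript:alert(1)"))
```

`object-src 'none'` in the policy is the piece that speaks directly to the slide's point about Java and Flash: it stops the page from being used to load plug-in content at all, so a plug-in zero-day cannot be reached through this application.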
• 34. Java Zeroday
  - This exploit has been tested successfully against multiple platforms
    - Internet Explorer
    - Firefox
    - Safari
    - Chrome
  - Fully patched operating systems
    - Windows
    - Ubuntu
    - OS X
    - Solaris

• 37. Chaining multiple issues
  How other OWASP issues can be lethal when put together

• 38. Death by a thousand cuts (RSnake case study)
  - #1 – webmail is easily located
  - #2 – easily discoverable and plentiful email addresses
  - #3 – forgotten passwords are sent in plain text
  - #4 – system will allow users to change their email address to any email address they want (with no verification)
  - #5 – XSS vulnerabilities in the application
  - #6 – usernames are email addresses
  - #7 – recommendation engine sends custom emails
  - #8 – login redirection issue
  - #9 – function to detect valid users
  - #10 – change email function is vulnerable to CSRF

• 39. Death by a thousand cuts – Attack
  - Detect a valid user on the website (#2, #6 and #9)
  - Now change my email address to one of the email addresses of a corporate user (#4) that’s NOT a user on the system
  - Find valid users using the change email function (#9)
  - Send an email to one of the valid users on the system (#2) using the recommendation engine (#7).

• 40. Death by a thousand cuts – Attack
  - The link is a link to the login function (#8) that redirects the user to an XSS hole (#5).
  - Now the user has logged in and their browser is under our control.
  - Forward the user invisibly to the change email function and force them to change their email address through CSRF (#10) to another email address that we’ve got control over.
  - Then I have their browser submit the forgot password function (#3), which delivers their password to my inbox.
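Every link in the chain above is a small design decision in an ordinary account-management function. The following added example, written for this page and not taken from the deck or from the application in the case study, shows the hardened form of the four functions the chain relies on: the login redirect (#8), the change-email function (#4 and #10), user detection (#9) and forgot-password (#3). `USERS`, `MAILBOX`, `PENDING_TOKENS` and the session dictionary are constructed stand-ins for a real user store, mail transport and session layer.

```python
"""Hardened account functions for the weaknesses #3, #4, #8, #9 and #10.

Added example for this page (not from the NII slides).  The store, mailbox
and session objects are constructed; `secrets` and `hmac` are standard library.
"""
import hmac
import secrets
import time
from urllib.parse import urlsplit

USERS = {"alice@example.com": {"pw_hash": "<hash>", "pending_email": None}}
MAILBOX = []          # (to, subject, body) the application "sent"
PENDING_TOKENS = {}   # token -> (kind, email, payload, expires_at)
TOKEN_TTL = 15 * 60   # seconds a verification / reset token stays valid


def _issue_token(kind, email, payload=None, now=None):
    """Single-use, time-limited random token; the secret never leaves the server."""
    token = secrets.token_urlsafe(32)
    PENDING_TOKENS[token] = (kind, email, payload, (now or time.time()) + TOKEN_TTL)
    return token


def safe_redirect(next_param, default="/"):
    """#8: the post-login 'next' target may only be a local path.  Anything with
    a scheme, a host, a protocol-relative prefix, a backslash (browsers treat
    it as a slash) or a line break falls back to `default`."""
    raw = (next_param or "").strip()
    parts = urlsplit(raw)
    if (parts.scheme or parts.netloc or raw.startswith("//")
            or "\\" in raw or "\r" in raw or "\n" in raw or not raw.startswith("/")):
        return default
    return raw


def change_email(session, form_csrf, new_email, now=None):
    """#10: the form must carry the per-session CSRF token (constant-time compare).
    #4: the address is not changed until the new mailbox proves it received
    the token, and the old address is told that a change was requested."""
    if not hmac.compare_digest(session["csrf"], form_csrf or ""):
        return "rejected: bad csrf token"
    token = _issue_token("verify-email", session["user"], new_email, now)
    MAILBOX.append((new_email, "Confirm your new address", token))
    MAILBOX.append((session["user"], "Email change requested",
                    "If this was not you, contact support"))
    USERS[session["user"]]["pending_email"] = new_email
    return "verification sent"


def confirm_email(token, now=None):
    """Complete the change only for an unexpired verify-email token; pop() makes it single use."""
    kind, email, new_email, expires = PENDING_TOKENS.pop(token, (None, None, None, 0))
    if kind != "verify-email" or (now or time.time()) > expires:
        return False
    USERS[new_email] = USERS.pop(email)
    USERS[new_email]["pending_email"] = None
    return True


def forgot_password(email, now=None):
    """#9: identical response whether or not the account exists.
    #3: a reset link with a short-lived token is sent, never the password."""
    if email in USERS:
        token = _issue_token("reset", email, None, now)
        MAILBOX.append((email, "Password reset", "https://app.example/reset?t=" + token))
    return "If that address is registered, a reset link has been sent."
```

Two further measures belong in a production version: require the current password (re-authentication) on the change-email form so a hijacked session alone cannot start the change, and keep response timing uniform in `forgot_password`, since a noticeably slower path for existing accounts would reintroduce #9.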
• 41. Take away..
  - Minor issues are often overlooked, but in some cases the smallest issues can mount into huge security compromises
  - Even minor issues that are regularly dismissed in security assessments can be leveraged by a determined attacker to compromise a corporation

• 43. Problem Background
  Lack of Business Risk Perspective – US Department of Homeland Security:
  “Most penetration testing processes and tools do little, if anything, to substantively address the business risks... This is largely due to the fact that the tools and the testers view the target systems with “technology blinders” on... Although many testing tools and services claim to rank vulnerabilities in terms of technical severity, they do not typically take business risk into account in any significant sense. At best, the test teams conduct interviews with the business owners of the applications and the application architects in an attempt to ascertain some degree of business impact, but that connection is tenuous. …the business perspectives, however limited, that these processes can determine are all post facto. That is, they make their business impact rankings after the test is completed... This is a key shortcoming of penetration testing practices today.”
  https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/penetration/655-BSI.html
  Software Security – Building Security In, Chapter 6 on “Penetration Testing Today”:
  “The problem? No clue about security risk. No idea whether the most critical security risks have been identified, how much more risk remains in the system, and how many bugs are lurking in the zillions of lines of code”

• 44. The challenge
  “Penetration testing is dead. The concept as we know it is on its death bed, waiting to die and come back as something else.” – Brian Chess, Co-Founder, Fortify Software

• 45. LET’S START AT THE BEGINNING
  Some theory

• 46. Approach
  - Pre-sales Approach
    - Client: “Please provide quote for black-box penetration test”
    - SP: “Hang on...”
    - SP: “I’d first like to know…”
  - Pre-sales approach evolved
    - Client: “Please provide quote for black-box penetration test”
    - SP: “Hang on...”
    - SP: “I’d first like to know…”

• 47. Traditional vs. Risk-based Security Testing
  Traditional Testing | Risk-based Testing
  Focus is on technical vulnerabilities | Focus is on business risks
  Requires strong technical know-how | Requires both technical and business process know-how
  Having the right set of tools is critical | Understanding the workings of the business and applications is critical
  Is usually zero-knowledge | Requires a person who understands the business process to play a significant role – usually an insider
  Understanding the regulatory environment is good | Understanding the regulatory environment is mandatory

• 48. Traditional vs. Risk-based Pentesting
  Traditional Pentesting | Risk-based Pentesting
  Severity levels are based on technical parameters | Severity levels are based on risk to the business
  Risk levels in the report are assigned post facto | Risk levels in the report reflect the levels assigned prior to testing
  Test cases are built based on testing methodologies or generic testing processes | Test cases additionally build on risk scenarios
  Audience for the report is usually the IT and Security teams | Audience for the report also includes the business process owners and heads of departments

• 49. Case study
  - Corporate Banking Platform – allows 3 logins
    - Maker who enters the transaction into the system
    - Verifier who checks the transaction data
    - Authorizer who authorizes the final payment
  - Each screen in the web application is different based on the privilege level of the logged-in user
  - Security implemented by:
    - Restricting access to URLs that allow certain transactions
    - Parameters that trigger certain transactions

• 50. Case study
  - RA Phase
    - Understand business process
    - Understand business risks
    - Define test cases
      - Can maker do what verifier does?
      - Can verifier do what authorizer does?
      - Can client’s admin do what bank’s admin does?
      - So forth
  - Pentesting discovers
    - http://www.bankPay.co.in/BankPayApp/authorizePaymentAction.action is available only to Authorizer
    - But what if Maker puts it in his browser?
      - Transaction still doesn’t get authorized
    - Further investigation reveals a parameter:
      - Filter=‘block’
    - When this value is changed to:
      - Filter=‘submitToPay’
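The finding in the case study is that the authorization outcome depended on a client-supplied parameter rather than on who the user is and what state the transaction is in. The following added example, written for this page and not the bank's code, shows the shape of the fix: the role comes from the server-side session, the allowed transitions come from a fixed workflow table, and the request parameters carry no authority at all. The role names are the slide's; the `WORKFLOW` table, `Transaction` class and `perform` function are constructed for illustration.

```python
"""Server-side maker / verifier / authorizer enforcement.

Added example for this page (not the bank's code).  The workflow table,
the Transaction class and the session dictionaries are constructed.
"""
from dataclasses import dataclass, field

ROLES = {"maker", "verifier", "authorizer"}

# action -> (role that may perform it, state the transaction must be in, state it moves to)
WORKFLOW = {
    "submit":    ("maker",      "draft",     "submitted"),
    "verify":    ("verifier",   "submitted", "verified"),
    "authorize": ("authorizer", "verified",  "authorized"),
}


@dataclass
class Transaction:
    tx_id: str
    amount: int
    state: str = "draft"
    history: list = field(default_factory=list)  # (user, action) audit trail


class AuthorizationError(Exception):
    pass


def perform(tx, session, action, params):
    """Apply `action` to `tx` on behalf of the user in the server-side `session`.

    `params` is the raw request form and is deliberately not consulted for
    any decision: in the vulnerable system a Filter='submitToPay' value was
    enough to authorize; here only the role and the state machine decide.
    """
    if action not in WORKFLOW:
        raise AuthorizationError("unknown action")
    required_role, from_state, to_state = WORKFLOW[action]

    role = session.get("role")
    if role not in ROLES or role != required_role:
        raise AuthorizationError(f"role {role!r} may not {action}")
    if tx.state != from_state:
        raise AuthorizationError(f"{action} not allowed in state {tx.state!r}")
    # separation of duties: one person may not act twice on the same transaction
    if any(user == session["user"] for user, _ in tx.history):
        raise AuthorizationError("same user cannot act twice on a transaction")

    tx.state = to_state
    tx.history.append((session["user"], action))
    return tx.state


if __name__ == "__main__":
    tx = Transaction("TX-1", 5000)
    maker = {"user": "m1", "role": "maker"}
    print(perform(tx, maker, "submit", {}))
    try:
        perform(tx, maker, "authorize", {"Filter": "submitToPay"})
    except AuthorizationError as exc:
        print("denied:", exc)
```

The test case list on the slide (can maker do what verifier does, and so on) maps one-to-one onto the `AuthorizationError` paths here, which is what makes a risk-based test plan easy to turn into automated regression tests for the application.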
• 55. Understanding the business
  - Who are the key actors – employees, departments, customers, partners, vendors, investors, brokers, franchisees, resellers?
  - What applications do they use?
  - What data do they access through these applications?
  - What are the risks if any of these actors turns bad?
  - What possibilities exist if an actor should decide to misuse the data – building fraud scenarios?

• 56. Regulations that drive webapp testing
  - PCI DSS
    - For all credit card processing merchants
    - Quarterly, semi-annual, annual network scans and penetration tests
    - Focus on web application security
    - Requires a high level of protection of credit card data
    - There are no fines for non-compliance, but breaches of security could put you out of business
  - HIPAA
    - For healthcare and pharma providers
    - Requires a high level of protection for patient records and medical history
    - Fines for non-compliance are usually high
    - Breaches could put you out of practice/business

• 58. Technology Solutions
  - Web Application Firewalls
  - Privileged Identity Management Suites
  - Application-Aware Firewalls
  - Application-Aware SIEMs
  - Database Access Management Solutions

• 59. Before we get to the technology…

• 61. Secure Design
  - Secure Design Models
  - Client Inputs
  - Client Education
  - Threat Modeling
    - Vulnerability Classification – STRIDE
    - Risk Classification – DREAD

• 63. Secure Coding Overview
  Secure coding isn’t taught in school
  - Homeland Security's Build Security In Maturity Model (BSIMM)
  - Microsoft's Security Development Lifecycle (SDL)
  - OpenSAMM (Software Assurance Maturity Model)
  - OWASP Secure Coding Guides

• 64. Vendor Management
  - Big names != Good security
  - Contractual weaknesses
  - Lack of vendor oversight
  - No penalties for blatantly buggy code!

• 65. Secure Hosting
  - Web Security
    - Secured web server
    - Secured application server – all components
    - Web application firewalls
  - Database Security
    - Security Patches
    - Users and Roles
    - Access Control
    - Logging
    - Password Security
    - Database Table Encryption
    - Data Masking
  - OS Security
    - Security Patches
    - Users and Groups
    - Access Control
    - Security Policies
    - Secured Login
    - Logging

• 66. Secure Testing
  - Security testing options
    - Blackbox
    - Greybox
    - Whitebox
    - Source Code Review
  - OWASP Top Ten (www.owasp.org)
  - OWASP Testing Guide

• 67. Training
  - Back to basics
  - Natural thought process
  - Look at the larger picture
  - Make it fun
  - Giving back to the community

• 69. Ground realities
  - Business priorities
    - Expand, grow, market share!!
  - Developer illiteracy
    - Unaware of security implications
    - Shortcut fixes
  - Vendor apathy
    - Problem reinforced by weak contracts
  - Unclear budgets
  - Lip service by management towards information security
  - CISO left fighting the battle alone without adequate resources

• 71. Applications’ Triage / 1
  - Application Risk Assessment
    - Regulatory
      - PCI DSS
      - DOT
      - HIPAA/SOX/etc.
    - Legal
    - Contractual
    - Business Impact
    - Reputation Impact

• 72. Applications’ Triage / 2
  - Nature of the Application
    - Internal
    - External
    - Mixed
  - Number of registered users
  - Revenue generating / Business process supporting / Back-office / Reporting
  - Data that it deals with
    - Financial
    - PII
    - Corporate
    - Other

• 73. Applications’ Triage / 3
  - Developed In-house
    - Currently being supported
    - Developers have moved on
  - Outsourced
    - Within the country
    - Externally
  - Commercial Off the Shelf
    - High Level of Customization
    - No Customization
  - Vendor Leverage
    - Code/Libraries in Escrow
    - Existing Vendor Relationship
    - Dormant/Dead Vendor Relationship

• 75. Sample Strategies / A
  FINPRO
  - Financial Processing – Accessible over Internet
  - COTS – Heavily Customized
  - Vendor Relationship – Dormant
  Strategy:
  - Isolate System in the Data Center
  - Revive Vendor Relationship
  - Implement PIM & WAF
  - Determine Alternatives

• 76. Sample Strategies / B
  ATLAS
  - Claims Processing – Agents Access Over Internet
  - In-house Developed
  - Active Development Team
  Strategy:
  - Implement & Enforce Internal SLAs
  - Regular Secure Coding Training
  - Emphasis on Secure Coding Libraries
  - Secure Hosting

• 77. Take-Aways
  - Application security has a long way to go for most large organizations
  - The threat is ever-present and sustained
  - Not all applications can be dealt with in the same manner
  - Strategizing helps direct limited resources towards high-risk problems
  - Vendors, business units, and information security have to coordinate efforts, and stop the blame-game