WebAppSec
Assessment and Defense
Ajit Dhumale
adhumale@qualys.com
OWASP Pune Chapter Meetup
21st April 2016
WebApp eco-system (diagram): User and Browser on the Internet; FW, NAT and LB in front of the Data Center; the App itself built from OS/VM/Docker, Web Server, App Container, WebApp, Network Stack, DB, NoSQL, …
Assessment and Defense
• Assessment
– Test if web app has vulnerabilities
• Defense
– Protect against known and unknown vulnerabilities
Assessment: BlackBox vs WhiteBox
BlackBox vs WhiteBox
Images credit: freedigitalphotos.net (Photo by khunaspix, patrisyu)
DAST (BlackBox)
• Easy logistics
• (Fairly) low FP rate*
DAST: Dynamic Application Security Testing
(diagram: the scanner drives the WebApp over HTTP(s)://)
DAST: How does it work?
Crawl: Get links, forms and AJAX requests to test
Test (mostly fuzzing): Send malformed/evil variants of the crawled requests and see how the web app responds
DAST: Concerns
– Coverage
• Is the entire web app crawled?
• Auto form filling
• Authentication
– Redundant links
• http://www.cartrade.com/buy-used-cars/pune/tata/nano/2162257.html
• http://www.cartrade.com/buy-used-cars/pune/hyundai/i20/2162275.html
• http://www.cartrade.com/buy-used-cars/pune/chevrolet/beat/2162336.html
• http://www.cartrade.com/buy-used-cars/pune/maruti-suzuki/sx4/2162360.html
• Thousands of similar links
– Less direct help to developers
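The "redundant links" concern above is what a scanner's URL-templating step addresses. What follows is an added example (not from the deck or from any scanner) that collapses crawled links into page templates so only a few representatives per template enter the fuzzing queue; the links are constructed on example.com in the shape of the slide's listing URLs.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

NUMERIC = re.compile(r"^[0-9]+$")

# Constructed crawl output, modelled on the deck's cartrade-style listing links
# (example.com stands in for the real host): one page template, many IDs.
SAMPLE_LINKS = [
    "http://example.com/buy-used-cars/pune/tata/nano/2162257.html",
    "http://example.com/buy-used-cars/pune/hyundai/i20/2162275.html",
    "http://example.com/buy-used-cars/pune/chevrolet/beat/2162336.html",
    "http://example.com/buy-used-cars/pune/maruti-suzuki/sx4/2162360.html",
    "http://example.com/buy-used-cars/pune/honda/city/2162401.html",
    "http://example.com/buy-used-cars/pune/",
    "http://example.com/login?next=/account&utm_source=mail",
    "http://example.com/login?next=/account&utm_source=web",
    "http://example.com/about.html",
]


def parse(url):
    """Split a URL into host, path segments, file extension and sorted query keys."""
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]
    ext = ""
    if segs and "." in segs[-1]:  # "2162257.html" -> "2162257", ".html"
        base, suffix = segs[-1].rsplit(".", 1)
        segs[-1], ext = base, "." + suffix
    keys = tuple(sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True)))
    return parts.netloc, segs, ext, keys


def templatize(urls, max_variants=3):
    """Group URLs by page template. A path position becomes a wildcard when it
    is numeric, or when, among URLs of the same shape (host, depth, extension,
    query keys), it takes more than max_variants distinct values."""
    per_position = defaultdict(lambda: defaultdict(set))
    parsed = []
    for url in urls:  # pass 1: count the distinct values at each position
        host, segs, ext, keys = parse(url)
        shape = (host, len(segs), ext, keys)
        parsed.append((url, shape, segs))
        for i, seg in enumerate(segs):
            per_position[shape][i].add(seg)

    templates = {}
    for url, shape, segs in parsed:  # pass 2: build the template key
        host, _, ext, keys = shape
        out = []
        for i, seg in enumerate(segs):
            if NUMERIC.match(seg):
                out.append("{id}")
            elif len(per_position[shape][i]) > max_variants:
                out.append("{*}")
            else:
                out.append(seg)
        key = host + "/" + "/".join(out) + ext
        if keys:
            key += "?" + "&".join(keys)  # query keys matter, their values do not
        templates.setdefault(key, []).append(url)
    return templates


def scan_queue(urls, per_template=1):
    """URLs actually worth fuzzing: the first per_template members of each template."""
    queue = []
    for members in templatize(urls).values():
        queue.extend(members[:per_template])
    return queue
```

With the constructed links the five listing pages, the two login links and the two remaining pages collapse to four templates, so four requests get fuzzed instead of nine.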
SAST (WhiteBox)
Source Code
SAST: Static Application Security Testing
Images: in.mathworks.com
SAST
• High FP
• Difficult Logistics
– Access to source code
– Confidentiality/trust issues
• Provides direct help to developers
• Programming language dependent
– New languages, templating, runtime binding → problems
• (opaque) 3rd party libraries, external systems
IAST
• Correlate DAST and SAST results
OR
• Insert a monitoring agent in the application runtime.
• Observe app behavior while driving the app using DAST
• Tune the DAST tests (automatically) based on monitoring
Provides
• Better coverage, accuracy and efficiency
• Better direct help to developers
IAST: Interactive/integrated Application Security Testing
Assessment: Manual vs Automated
Automated vs Manual

                        Automated                           Manual
Accuracy                Lower accuracy, higher FP           High accuracy*, low FP*
Speed                   Fast: hours to days per web app     Slower: weeks to months per web app
Business logic flaws    Bad at detecting them               Good at detecting them*
Cost                    Lower cost                          Very (very) high cost

* Subject to expertise of the manual pen tester(s)
Automated and Manual
Automated with manual assistance
Manual verification
Best of both worlds
We found vulnerabilities, now what?
Fix the vulnerabilities
…but what until the fix is available?
Patch is on the way …
Web App Firewall (WAF)
• Protects production web apps from attacks
WAF: How it works
• Block malicious (looking) requests
– Rules
– Heuristics
– Blacklist/whitelist
• Add protection in responses
– Security headers
– Frame busting
– Sign/encrypt cookie/hidden fields
Deploying WAF (phases)
• Training
– Observe traffic
– Learn normal traffic/patterns
– Formulate rules /create baseline
• Notification
– Apply rules, notify violation
– (manually) tune the rules
• Block
– Apply rules, block violations
– Filter suspicious input
– Fine tune rules
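The three deployment phases above, and the "incorrect rule blocks legit traffic" concern from the next slide, as an added example that is not from the deck or from any WAF product: a toy engine learns a per-parameter baseline (the whitelist / positive model) from constructed normal traffic, only logs violations in notify mode so over-tight rules can be tuned, and rejects violations in block mode. Paths, parameter names and traffic are all constructed.

```python
import re
from collections import defaultdict

# Character classes, narrowest first. Training picks the narrowest class that
# accepts every value observed for a parameter: a whitelist (positive model).
CLASSES = [
    ("digits", re.compile(r"^[0-9]+$")),
    ("token", re.compile(r"^[A-Za-z0-9_.-]+$")),
    ("text", re.compile(r"^[A-Za-z0-9 _.,'-]+$")),
    ("any", re.compile(r"^.*$", re.S)),
]
CLASS_RX = dict(CLASSES)


class PhasedWaf:
    """Toy WAF that moves through the deck's phases: training, notify, block."""
    def __init__(self):
        self.mode = "training"
        self.seen = defaultdict(list)  # (path, param) -> values seen in training
        self.rules = {}                # (path, param) -> {"cls": ..., "max_len": ...}
        self.alerts = []               # (mode, path, violations): the notification log

    # Training phase: observe traffic, then formulate rules / create a baseline.
    def create_baseline(self, slack=1.5):
        for key, values in self.seen.items():
            cls = next(n for n, rx in CLASSES if all(rx.match(v) for v in values))
            longest = max(len(v) for v in values)
            self.rules[key] = {"cls": cls, "max_len": int(longest * slack) + 2}

    # Notification phase: the (manual) tuning that fixes over-tight or missing rules.
    def tune(self, path, param, **changes):
        self.rules.setdefault((path, param), {"cls": "any", "max_len": 0}).update(changes)

    def violations(self, path, params):
        found = []
        for name, value in params.items():
            rule = self.rules.get((path, name))
            if rule is None:
                found.append(f"{name}: parameter not seen in training")
                continue
            if not CLASS_RX[rule["cls"]].match(value):
                found.append(f"{name}: value outside class '{rule['cls']}'")
            if len(value) > rule["max_len"]:
                found.append(f"{name}: length {len(value)} > {rule['max_len']}")
        return found

    def handle(self, path, params):
        """Decide one request: 'allow' or 'block' (notify mode only logs)."""
        if self.mode == "training":
            for name, value in params.items():
                self.seen[(path, name)].append(value)
            return "allow"
        found = self.violations(path, params)
        if not found:
            return "allow"
        self.alerts.append((self.mode, path, found))
        return "block" if self.mode == "block" else "allow"


# Constructed "normal" traffic, modelled on the deck's used-car listing site.
NORMAL_TRAFFIC = [
    ("/search", {"q": "tata nano"}),
    ("/search", {"q": "hyundai i20"}),
    ("/search", {"q": "maruti sx4 diesel"}),
    ("/item", {"id": "2162257"}),
    ("/item", {"id": "2162275"}),
]


def run_phases():
    """Walk the three phases; returns (waf, notify_decisions, block_decisions)."""
    waf = PhasedWaf()
    for path, params in NORMAL_TRAFFIC:
        waf.handle(path, params)
    waf.create_baseline()

    waf.mode = "notify"
    long_query = {"q": "chevrolet beat lt petrol manual 2014"}  # legit, just longer
    notify = {
        "odd_id": waf.handle("/item", {"id": "latest"}),
        "long_query": waf.handle("/search", long_query),
        "new_param": waf.handle("/search", {"q": "nano", "sort": "price"}),
    }
    # The log shows two rules that would block legitimate traffic (the deck's
    # "incorrect rule -> blocks legit traffic" concern); tune them before blocking.
    waf.tune("/search", "q", max_len=64)
    waf.tune("/search", "sort", cls="token", max_len=16)

    waf.mode = "block"
    block = {
        "odd_id": waf.handle("/item", {"id": "latest"}),
        "long_query": waf.handle("/search", long_query),
        "new_param": waf.handle("/search", {"q": "nano", "sort": "price"}),
        "markup_in_query": waf.handle("/search", {"q": "<b>nano</b>"}),
    }
    return waf, notify, block
```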
WAF Concerns
• Installation needs network changes
– SSL termination
• Longer deployment cycles
– App specific training/configuration
– App changes might warrant re-training/configuration
• Potential performance impact
• Point of failure
• Incorrect rule → blocks legit traffic → business impact
WAF bypass
• Naïve pattern based filtering can be bypassed
RASP
Runtime Application Self-Protection
• Installs a runtime agent within the application binary (runtime dependency)
• Analyzes input, event flow and application behavior at runtime
• Alerts or stops malicious execution
WAF vs RASP

                 WAF                        RASP
Placement        External                   Internal
Scope            One for many apps          One (agent) per app
Technology*      Independent                Dependent

*Programming language and runtime
Images credit: freedigitalphotos.net (Photo by taoty, Sura Nualpradid)
Trends/Future
• Browser side security
– CSP
– HSTS
– Public Key-pinning (HPKP)
– X-Frame-Options
– X-XSS-Protection
– X-Content-Type-Options
– …
• DAST
– JavaScript Analysis (DOM XSS and more)
– Blind vulnerability detection
– REST APIs, mobile apps
– HTML5, HTTP2
• Secure coding/development
– Static code analysis within the IDE
– Secure libraries and frameworks
– Lifecycle: Design + Dev + Test + Ops
• SAST + DAST + WAF + RASP
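Two of the response-side protections from the "WAF: How it works" slide (security headers, sign/encrypt hidden fields) together with the browser-side headers listed above, as an added example that is neither the deck's nor any WAF's code: it adds whichever security headers a response lacks and HMAC-signs hidden form fields so that tampered or swapped values are rejected on submit. The key, the markup and the field names are constructed.

```python
import base64
import hashlib
import hmac
import re

# Response headers the deck lists under "browser side security". Values are a
# strict starting point; a real app tunes CSP to what it actually loads.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",            # frame busting for browsers without CSP
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",  # legacy filter; CSP does the real work
}


def add_security_headers(headers):
    """Copy of the response headers with each missing security header added."""
    out = dict(headers)
    for name, value in SECURITY_HEADERS.items():
        out.setdefault(name, value)  # keep a value the app set itself
    return out


def _mac(key, field, value):
    # Bind the tag to the field name as well as the value, so a signed value
    # cannot be moved from one hidden field into another.
    tag = hmac.new(key, field.encode() + b"\0" + value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode().rstrip("=")


def sign_field(key, field, value):
    return f"{value}.{_mac(key, field, value)}"


def verify_field(key, field, signed):
    """Return the original value if the tag verifies, else None."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    return value if hmac.compare_digest(_mac(key, field, value), tag) else None


INPUT_TAG = re.compile(r"<input\b[^>]*>", re.I)
ATTR = {a: re.compile(rf'\b{a}="([^"]*)"', re.I) for a in ("type", "name", "value")}


def sign_hidden_fields(key, html):
    """Rewrite every <input type="hidden"> so its value carries an HMAC tag.
    Assumes double-quoted attributes, as in the constructed markup below."""
    def rewrite(m):
        tag = m.group(0)
        t, n, v = (ATTR[a].search(tag) for a in ("type", "name", "value"))
        if not (t and n and v) or t.group(1).lower() != "hidden":
            return tag
        signed = sign_field(key, n.group(1), v.group(1))
        return tag[: v.start(1)] + signed + tag[v.end(1):]
    return INPUT_TAG.sub(rewrite, html)


def hidden_values(html):
    """name -> value for every hidden input (what the browser will send back)."""
    out = {}
    for m in INPUT_TAG.finditer(html):
        t, n, v = (ATTR[a].search(m.group(0)) for a in ("type", "name", "value"))
        if t and n and v and t.group(1).lower() == "hidden":
            out[n.group(1)] = v.group(1)
    return out


def check_form(key, form, hidden_fields):
    """Verify the hidden fields of a submitted form: (ok, form with tags stripped)."""
    cleaned = dict(form)
    for field in hidden_fields:
        value = verify_field(key, field, form.get(field, ""))
        if value is None:
            return False, {}
        cleaned[field] = value
    return True, cleaned


# Constructed demo key and page; in production the key comes from configuration
# and is rotated, and the tag would also be bound to the user's session.
KEY = b"constructed-demo-key"
PAGE = ('<form method="post"><input type="hidden" name="price" value="450000">'
        '<input type="text" name="qty" value="1"></form>')
```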
Questions?
Credits
• Images:
– Icons: https://icons8.com
– Images: http://www.freedigitalphotos.net/