SlideShare una empresa de Scribd logo

Creating Self Defending Applications to Repel Attackers

Descargar como PPTX, PDF
Michael Coates
Michael Coates

Applications are constantly under attack. Unfortunately, nearly all applications have no capability of detecting an attacker or responding before a breach occurs. Those applications sit passively and allow the attacker to constantly unleash attack after attack. Let's change the game and equip our application with the resources to detect an attack with high accuracy and respond in real time to prevent a compromise by eliminating the threat from the system. In this talk we'll cover the OWASP AppSensor project – a project that details how to instrument an application to become attack aware and immediately respond to neutralize threats.  This project is backed by multiple talented security experts that have been advancing the project for the past three years. AppSensor has been featured in the Department of Defense Cross Talk journal, presented at the US Department of Homeland Security resilient software conference and at security conferences around the world.

Tecnología
1 de 50
Creating Self Defending Applications to Repel Attackers Michael Coates @_mwc
• Chairman OWASP Board • Shape Security: Director of Product Security Background – 12 years of security adventures • Built and lead security program protecting 450 million Firefox users & Mozilla systems • Secured code processing millions of dollars daily • Bypassed electronic voting systems • Defended fortune 100 global network • Infiltrated telco for mobile networks in Asia and Middle east • “Talked” my way into bank server rooms & to obtain user passwords @_mwc
Billion Dollar Cybercrime ~US $350 Billion – Global Drug Trafficking Estimates US $170 Billion – Apple Annual Revenue 2013 US $263 Billion – Hong Kong 2012 Gross Domestic Product (GDP) US $469 Billion – Walmart Annual Revenue 2013 US $95 Billion – Morocco 2012 Gross Domestic Product (GDP) US $112 Billion – Hewlett-Packard Annual Revenue 2013 US $104 Billion – Honda Annual Revenue 2012
Billion Dollar Cybercrime ~US $350 Billion – Global Drug Trafficking Estimates US $170 Billion – Apple Annual Revenue 2013 US $263 Billion – Hong Kong 2012 Gross Domestic Product (GDP) US $469 Billion – Walmart Annual Revenue 2013 US $95 Billion – Morocco 2012 Gross Domestic Product (GDP) US $112 Billion – Hewlett-Packard Annual Revenue 2013 US $104 Billion – Honda Annual Revenue 2012 US $113 Billion – Global price tag of consumer cybercrime
Cost of Security • Cybercrime cost to companies – 26% increase 2012 to 2013 • Cybercrime cost to individual – 50% increase 2012 to 2013 • Cost per breached record to company – Average US $136
Largest Single Culprit : Hacking Verizon Data Breach Report 20132013 Incidents by Breach Type datalossdb.org 48% from Hacking 52% involved Hacking
Opportunistic Scanners • Scan web for common vulnerabilities • Highly leverage automation • Often untargeted 75% Attacks Opportunistic Verizon Data Breach Report 2013
Underground Market Prices 2013 Dell SecureWorks USD Visa, American Express, Discover $4-$8 Credit Card with track 1 and 2 data $12 Full user information $25 1,000 Infected Computers $20 DDOS Attacks (per hour) $3-$5
The Objective • Protect the most critical data • Handle known and unknown attacks • Identify attackers before compromise • Automated – no humans needed
Critical Data Applications stored & allow access to critical data – by design Name Email Address Credit Card Bank Information Medical Information Purchase History Affiliations …
Gut Check Current Defenses Are Failing • Custom code • unique vulnerabilities -> tailored patches • Unrealistic defensive postures • Signatures only protect against last generic attack • Human required interaction is too slow • Valid signals are lost / ignored • Attackers constantly probe and attack applications without deterrence
Self Defending Applications The Attacker
Attack Points: Requests, Auth, Session
Attack Points: Access Control
Attack Points: Input Validation
Attack Points: Business Logic
Self Defending Applications In The Code
Attack Exposure
Defend with: Detection Points
Detecting Attacks • 50+ attack detection points and growing • Signature & Behavioral • Many have nearly zero false positive rate – Can’t be encountered accidentally by user – POST vs Get – ‘ OR ‘1’=‘1’ http://www.owasp.org/index.php/AppSensor_DetectionPoints
Centralize Attack Detection Knowledge • Detection Points Report to Central Location • AppSensor Integrates w/User Store • Enables Response Actions against User Object
Detect & Eliminate Threat • Strong control of authenticated portion – Lockout user – Disable account • Effective attack reporting for unauthenticated portion
App Defense Eliminates Threats
App Defense Eliminates Threats Block attacker & minimize threat
Humans & Automation • Detection Points – Human driven attacks • Trend Analysis – Automated driven attacks
Human Driven
Automated
Attack Aware Resources • Cross Talk Sept, 2011 - crosstalkonline.org • Software Assurance - buildsecurityin.us-cert.gov/swa/attackaware.html
Alternatives? • Self Defending – in the app, full user object interaction, full app knowledge • Web Application Firewall (stand alone) – generic attack detection • Log Analysis – slow, reactive, ineffective, ignored
Self Defending Applications In The Lifecycle & Organization
Threat Modeling – Identify critical business functionality – Capture abuse cases – Define detection methods
Example • Grant Permission Page site.com/UpdatePermission – Inputs: • targetUser - Integer • grantPerm - Integer (1,2,3) (Read, Write Delete) – Access Control Requirement: • Page Access: Power User • Functionality Access: Power User • Target User: Non-admin
Abuse Cases • Non-integer submitted for targetUser • Invalid number submitted for grantPerm • Force browsing to page from unauthorized account (HTTP GET) • Force submission to page from unauthorized account (HTTP Post) • Target user is admin account • Unexpected rate of use (100 perm changes in 10 seconds?)
Risk Analysis • Tolerance for Fraud & Abuse • Define Acceptable Response – Alert Admins – Logout / Lock Accounts – Limit Functionality
Response Options
Timing & Flow Attack Detection PointsCommon Attack Vectors Design Requirement s Threat Modeling Unique App Attack Vectors Risk Analysis Response Policy/Pla n Response Capabilitie s
Organization Support Who Action Architects, Developers, Biz Owners, Security SMEs Threat Modeling, Determine Detection Points Biz Owners, Architects, Security SMEs Determine Response Actions Architects, Security SMEs Design Response Architecture Operations Team, Security SMEs System Communication for Detection Logging & Response Developers, Security SMEs Implement Detection Point & Response Code Monitoring Team, Security SMEs Define monitoring thresholds, alerting/action requirements
Self Defending Applications Live Implementations
Common Event Format (CEF) • Emerging standard on logging format • Easily parsed by security integration manager (sim) • Enables AppSensor Logging CEF:0|Mozilla|MozFooApp|1.0 |ACE0|Access Control Violation|8|rt=01 31 2010 18:30:01 suser=janedoe suid=55 act=Action Denied src=1.2.3.4 dst=2.3.4.5 requestMethod=POST request=http://foo.mozilla.org/foo/abc.php?a=b cs1Label=requestClientApplication cs1=Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2 msg=Additional Data here
SIM Deployment
Full Stack Knowledge • Application Layer - Custom attack / abuse notification • Network Layer - IDS activity, firewall failures • OS Layer - OS commands (AuditD), System event logs
Data Analysis Failed Captcha on Create User Account Created User Authentication Failed
Trend Analysis
Top Users Failing Auth within Application
App Use Mapping Operation IP Address Account
Auth Failed New Account Change Password
1 IP Address, Multiple Users Auth Fail, New Account acct1 - pw change acct 2 - auth failed
Summary Self Defending Applications: • Detect Malicious Activity in Critical Apps • Enable Immediate Response • Prevent/Limit Compromise • Require Organization Support
AppSensor Project • AppSensor: Version 2 of Book • Sub-project: Preventing Automated Attacks – owasp.org/index.php/OWASP_AppSensor_Project/PAA – Evaluating current approaches, costs & efficacy • CAPTCHA, IP Blocking, Reputation, Human Analysis, etc • Join Us! – owasp.org/index.php/Category:OWASP_AppSensor_Project – owasp-appsensor-project@lists.owasp.org
Questions? @_mwc michael.coates@owasp.org

Recomendados

Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityMichael Coates
 
Bridging the Social Media Implementation/Audit Gap
Bridging the Social Media Implementation/Audit GapBridging the Social Media Implementation/Audit Gap
Bridging the Social Media Implementation/Audit GapJerod Brennen
 
Secure Web Services
Secure Web ServicesSecure Web Services
Secure Web ServicesRob Daigneau
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in PracticeSecurity Innovation
 
Common Sense Security Framework
Common Sense Security FrameworkCommon Sense Security Framework
Common Sense Security FrameworkJerod Brennen
 
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...Ruby Meditation
 
Web Security Overview
Web Security OverviewWeb Security Overview
Web Security OverviewNoah Jaehnert
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security TestingMarco Morana
 

Recomendados

Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityMichael Coates
 
Bridging the Social Media Implementation/Audit Gap
Bridging the Social Media Implementation/Audit GapBridging the Social Media Implementation/Audit Gap
Bridging the Social Media Implementation/Audit GapJerod Brennen
 
Secure Web Services
Secure Web ServicesSecure Web Services
Secure Web ServicesRob Daigneau
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in PracticeSecurity Innovation
 
Common Sense Security Framework
Common Sense Security FrameworkCommon Sense Security Framework
Common Sense Security FrameworkJerod Brennen
 
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...Ruby Meditation
 
Web Security Overview
Web Security OverviewWeb Security Overview
Web Security OverviewNoah Jaehnert
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security TestingMarco Morana
 
Top Five Security Must-Haves for Office 365
Top Five Security Must-Haves for Office 365Top Five Security Must-Haves for Office 365
Top Five Security Must-Haves for Office 365Imperva
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanAkash Mahajan
 
Current & Emerging Cyber Security Threats
Current & Emerging Cyber Security ThreatsCurrent & Emerging Cyber Security Threats
Current & Emerging Cyber Security ThreatsNCC Group
 
Securing Web Applications
Securing Web ApplicationsSecuring Web Applications
Securing Web ApplicationsMark Garratt
 
The Quiet Rise of Account Takeover
The Quiet Rise of Account TakeoverThe Quiet Rise of Account Takeover
The Quiet Rise of Account TakeoverIMMUNIO
 
The Cloud Security Rules
The Cloud Security RulesThe Cloud Security Rules
The Cloud Security RulesKai Roer
 
Passwords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to goPasswords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to goMichael Furman
 
Anomali Product Brochure
Anomali Product BrochureAnomali Product Brochure
Anomali Product BrochureTodd Helfrich
 
Developing Secure Web Apps
Developing Secure Web AppsDeveloping Secure Web Apps
Developing Secure Web AppsMark Garratt
 
Red teaming in the cloud
Red teaming in the cloudRed teaming in the cloud
Red teaming in the cloudPeter Wood
 
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsNowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsIBM Security
 
Step by step guide for web application security testing
Step by step guide for web application security testingStep by step guide for web application security testing
Step by step guide for web application security testingAvyaan, Web Security Company in India
 
Cyberskills shortage: Where is the cyber workforce of tomorrow
Cyberskills shortage: Where is the cyber workforce of tomorrowCyberskills shortage: Where is the cyber workforce of tomorrow
Cyberskills shortage: Where is the cyber workforce of tomorrowStephen Cobb
 
Information Risk and Protection
Information Risk and ProtectionInformation Risk and Protection
Information Risk and Protectionxband
 
Failed Ransom: How IBM XGS Defeated Ransomware
Failed Ransom: How IBM XGS Defeated RansomwareFailed Ransom: How IBM XGS Defeated Ransomware
Failed Ransom: How IBM XGS Defeated RansomwareIBM Security
 
The Anatomy of Comment Spam
The Anatomy of Comment SpamThe Anatomy of Comment Spam
The Anatomy of Comment SpamImperva
 
Secure Coding - Are we doing it wrong
Secure Coding - Are we doing it wrongSecure Coding - Are we doing it wrong
Secure Coding - Are we doing it wrongbryns
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and AwarenessAbdul Rahman Sherzad
 
Practical SME Security on a Shoestring
Practical SME Security on a ShoestringPractical SME Security on a Shoestring
Practical SME Security on a ShoestringNCC Group
 
Scalable threat modelling with risk patterns
Scalable threat modelling with risk patternsScalable threat modelling with risk patterns
Scalable threat modelling with risk patternsStephen de Vries
 
Crush Common Cybersecurity Threats with Privilege Access Management
Crush Common Cybersecurity Threats with Privilege Access ManagementCrush Common Cybersecurity Threats with Privilege Access Management
Crush Common Cybersecurity Threats with Privilege Access ManagementBeyondTrust
 
Oath appsec sf 2015 dem rev. 2
Oath appsec sf 2015 dem rev. 2Oath appsec sf 2015 dem rev. 2
Oath appsec sf 2015 dem rev. 2Donald Malloy
 

Más contenido relacionado

La actualidad más candente

Top Five Security Must-Haves for Office 365
Top Five Security Must-Haves for Office 365Top Five Security Must-Haves for Office 365
Top Five Security Must-Haves for Office 365Imperva
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanAkash Mahajan
 
Current & Emerging Cyber Security Threats
Current & Emerging Cyber Security ThreatsCurrent & Emerging Cyber Security Threats
Current & Emerging Cyber Security ThreatsNCC Group
 
Securing Web Applications
Securing Web ApplicationsSecuring Web Applications
Securing Web ApplicationsMark Garratt
 
The Quiet Rise of Account Takeover
The Quiet Rise of Account TakeoverThe Quiet Rise of Account Takeover
The Quiet Rise of Account TakeoverIMMUNIO
 
The Cloud Security Rules
The Cloud Security RulesThe Cloud Security Rules
The Cloud Security RulesKai Roer
 
Passwords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to goPasswords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to goMichael Furman
 
Anomali Product Brochure
Anomali Product BrochureAnomali Product Brochure
Anomali Product BrochureTodd Helfrich
 
Developing Secure Web Apps
Developing Secure Web AppsDeveloping Secure Web Apps
Developing Secure Web AppsMark Garratt
 
Red teaming in the cloud
Red teaming in the cloudRed teaming in the cloud
Red teaming in the cloudPeter Wood
 
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsNowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsIBM Security
 
Cyberskills shortage: Where is the cyber workforce of tomorrow
Cyberskills shortage: Where is the cyber workforce of tomorrowCyberskills shortage: Where is the cyber workforce of tomorrow
Cyberskills shortage: Where is the cyber workforce of tomorrowStephen Cobb
 
Information Risk and Protection
Information Risk and ProtectionInformation Risk and Protection
Information Risk and Protectionxband
 
Failed Ransom: How IBM XGS Defeated Ransomware
Failed Ransom: How IBM XGS Defeated RansomwareFailed Ransom: How IBM XGS Defeated Ransomware
Failed Ransom: How IBM XGS Defeated RansomwareIBM Security
 
The Anatomy of Comment Spam
The Anatomy of Comment SpamThe Anatomy of Comment Spam
The Anatomy of Comment SpamImperva
 
Secure Coding - Are we doing it wrong
Secure Coding - Are we doing it wrongSecure Coding - Are we doing it wrong
Secure Coding - Are we doing it wrongbryns
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and AwarenessAbdul Rahman Sherzad
 
Practical SME Security on a Shoestring
Practical SME Security on a ShoestringPractical SME Security on a Shoestring
Practical SME Security on a ShoestringNCC Group
 
Scalable threat modelling with risk patterns
Scalable threat modelling with risk patternsScalable threat modelling with risk patterns
Scalable threat modelling with risk patternsStephen de Vries
 

La actualidad más candente (20)

Top Five Security Must-Haves for Office 365
Top Five Security Must-Haves for Office 365Top Five Security Must-Haves for Office 365
Top Five Security Must-Haves for Office 365
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajan
 
Current & Emerging Cyber Security Threats
Current & Emerging Cyber Security ThreatsCurrent & Emerging Cyber Security Threats
Current & Emerging Cyber Security Threats
 
Securing Web Applications
Securing Web ApplicationsSecuring Web Applications
Securing Web Applications
 
The Quiet Rise of Account Takeover
The Quiet Rise of Account TakeoverThe Quiet Rise of Account Takeover
The Quiet Rise of Account Takeover
 
The Cloud Security Rules
The Cloud Security RulesThe Cloud Security Rules
The Cloud Security Rules
 
Passwords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to goPasswords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to go
 
Anomali Product Brochure
Anomali Product BrochureAnomali Product Brochure
Anomali Product Brochure
 
Developing Secure Web Apps
Developing Secure Web AppsDeveloping Secure Web Apps
Developing Secure Web Apps
 
Red teaming in the cloud
Red teaming in the cloudRed teaming in the cloud
Red teaming in the cloud
 
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsNowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
 
Step by step guide for web application security testing
Step by step guide for web application security testingStep by step guide for web application security testing
Step by step guide for web application security testing
 
Cyberskills shortage: Where is the cyber workforce of tomorrow
Cyberskills shortage: Where is the cyber workforce of tomorrowCyberskills shortage: Where is the cyber workforce of tomorrow
Cyberskills shortage: Where is the cyber workforce of tomorrow
 
Information Risk and Protection
Information Risk and ProtectionInformation Risk and Protection
Information Risk and Protection
 
Failed Ransom: How IBM XGS Defeated Ransomware
Failed Ransom: How IBM XGS Defeated RansomwareFailed Ransom: How IBM XGS Defeated Ransomware
Failed Ransom: How IBM XGS Defeated Ransomware
 
The Anatomy of Comment Spam
The Anatomy of Comment SpamThe Anatomy of Comment Spam
The Anatomy of Comment Spam
 
Secure Coding - Are we doing it wrong
Secure Coding - Are we doing it wrongSecure Coding - Are we doing it wrong
Secure Coding - Are we doing it wrong
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and Awareness
 
Practical SME Security on a Shoestring
Practical SME Security on a ShoestringPractical SME Security on a Shoestring
Practical SME Security on a Shoestring
 
Scalable threat modelling with risk patterns
Scalable threat modelling with risk patternsScalable threat modelling with risk patterns
Scalable threat modelling with risk patterns
 

Similar a Creating Self Defending Applications to Repel Attackers

Crush Common Cybersecurity Threats with Privilege Access Management
Crush Common Cybersecurity Threats with Privilege Access ManagementCrush Common Cybersecurity Threats with Privilege Access Management
Crush Common Cybersecurity Threats with Privilege Access ManagementBeyondTrust
 
Oath appsec sf 2015 dem rev. 2
Oath appsec sf 2015 dem rev. 2Oath appsec sf 2015 dem rev. 2
Oath appsec sf 2015 dem rev. 2Donald Malloy
 
Strong Authentication - Open Source
Strong Authentication - Open SourceStrong Authentication - Open Source
Strong Authentication - Open SourceDonald Malloy
 
Security in an Interconnected and Complex World of Software
Security in an Interconnected and Complex World of SoftwareSecurity in an Interconnected and Complex World of Software
Security in an Interconnected and Complex World of SoftwareMichael Coates
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSebastien Deleersnyder
 
INFRAGARD 2014: Back to basics security
INFRAGARD 2014: Back to basics securityINFRAGARD 2014: Back to basics security
INFRAGARD 2014: Back to basics securityJoel Cardella
 
Setting up CSIRT
Setting up CSIRTSetting up CSIRT
Setting up CSIRTAPNIC
 
itsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdfitsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdfMansoorAhmed57263
 
IT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptIT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptOoXair
 
Cyber security for business
Cyber security for businessCyber security for business
Cyber security for businessDaniel Thomas
 
Cybersecurity: Malware & Protecting Your Business From Cyberthreats
Cybersecurity: Malware & Protecting Your Business From CyberthreatsCybersecurity: Malware & Protecting Your Business From Cyberthreats
Cybersecurity: Malware & Protecting Your Business From CyberthreatsSecureDocs
 
Endpoint and Server: The belt and braces anti-malware strategy
Endpoint and Server: The belt and braces anti-malware strategyEndpoint and Server: The belt and braces anti-malware strategy
Endpoint and Server: The belt and braces anti-malware strategyStephen Cobb
 
Application Security-Understanding The Horizon
Application Security-Understanding The HorizonApplication Security-Understanding The Horizon
Application Security-Understanding The HorizonLalit Kale
 
Ethical Hacking by Rasool Kareem Irfan
Ethical Hacking by Rasool Kareem IrfanEthical Hacking by Rasool Kareem Irfan
Ethical Hacking by Rasool Kareem IrfanRasool Irfan
 
The state of web applications (in)security @ ITDays 2016
The state of web applications (in)security @ ITDays 2016The state of web applications (in)security @ ITDays 2016
The state of web applications (in)security @ ITDays 2016Tudor Damian
 
Cyber Security and Data Privacy in Information Systems.pptx
Cyber Security and Data Privacy in Information Systems.pptxCyber Security and Data Privacy in Information Systems.pptx
Cyber Security and Data Privacy in Information Systems.pptxRoshni814224
 
Testing Application Security: The Hacker Psyche Exposed
Testing Application Security: The Hacker Psyche ExposedTesting Application Security: The Hacker Psyche Exposed
Testing Application Security: The Hacker Psyche ExposedTechWell
 
API World 2019 Presentation on Securing sensitive data through APIs and AI pa...
API World 2019 Presentation on Securing sensitive data through APIs and AI pa...API World 2019 Presentation on Securing sensitive data through APIs and AI pa...
API World 2019 Presentation on Securing sensitive data through APIs and AI pa...dsapps
 
Cybersecurity.pptx
Cybersecurity.pptxCybersecurity.pptx
Cybersecurity.pptxJohn Donahue
 

Similar a Creating Self Defending Applications to Repel Attackers (20)

Crush Common Cybersecurity Threats with Privilege Access Management
Crush Common Cybersecurity Threats with Privilege Access ManagementCrush Common Cybersecurity Threats with Privilege Access Management
Crush Common Cybersecurity Threats with Privilege Access Management
 
Oath appsec sf 2015 dem rev. 2
Oath appsec sf 2015 dem rev. 2Oath appsec sf 2015 dem rev. 2
Oath appsec sf 2015 dem rev. 2
 
Strong Authentication - Open Source
Strong Authentication - Open SourceStrong Authentication - Open Source
Strong Authentication - Open Source
 
Security in an Interconnected and Complex World of Software
Security in an Interconnected and Complex World of SoftwareSecurity in an Interconnected and Complex World of Software
Security in an Interconnected and Complex World of Software
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
 
INFRAGARD 2014: Back to basics security
INFRAGARD 2014: Back to basics securityINFRAGARD 2014: Back to basics security
INFRAGARD 2014: Back to basics security
 
Setting up CSIRT
Setting up CSIRTSetting up CSIRT
Setting up CSIRT
 
itsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdfitsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdf
 
IT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptIT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.ppt
 
Cyber security for business
Cyber security for businessCyber security for business
Cyber security for business
 
Cybersecurity: Malware & Protecting Your Business From Cyberthreats
Cybersecurity: Malware & Protecting Your Business From CyberthreatsCybersecurity: Malware & Protecting Your Business From Cyberthreats
Cybersecurity: Malware & Protecting Your Business From Cyberthreats
 
Endpoint and Server: The belt and braces anti-malware strategy
Endpoint and Server: The belt and braces anti-malware strategyEndpoint and Server: The belt and braces anti-malware strategy
Endpoint and Server: The belt and braces anti-malware strategy
 
Application Security-Understanding The Horizon
Application Security-Understanding The HorizonApplication Security-Understanding The Horizon
Application Security-Understanding The Horizon
 
Ethical Hacking by Rasool Kareem Irfan
Ethical Hacking by Rasool Kareem IrfanEthical Hacking by Rasool Kareem Irfan
Ethical Hacking by Rasool Kareem Irfan
 
Vulenerability Management.pptx
Vulenerability Management.pptxVulenerability Management.pptx
Vulenerability Management.pptx
 
The state of web applications (in)security @ ITDays 2016
The state of web applications (in)security @ ITDays 2016The state of web applications (in)security @ ITDays 2016
The state of web applications (in)security @ ITDays 2016
 
Cyber Security and Data Privacy in Information Systems.pptx
Cyber Security and Data Privacy in Information Systems.pptxCyber Security and Data Privacy in Information Systems.pptx
Cyber Security and Data Privacy in Information Systems.pptx
 
Testing Application Security: The Hacker Psyche Exposed
Testing Application Security: The Hacker Psyche ExposedTesting Application Security: The Hacker Psyche Exposed
Testing Application Security: The Hacker Psyche Exposed
 
API World 2019 Presentation on Securing sensitive data through APIs and AI pa...
API World 2019 Presentation on Securing sensitive data through APIs and AI pa...API World 2019 Presentation on Securing sensitive data through APIs and AI pa...
API World 2019 Presentation on Securing sensitive data through APIs and AI pa...
 
Cybersecurity.pptx
Cybersecurity.pptxCybersecurity.pptx
Cybersecurity.pptx
 

Más de Michael Coates

Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAPVirtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAPMichael Coates
 
2013 michael coates-javaone
2013 michael coates-javaone2013 michael coates-javaone
2013 michael coates-javaoneMichael Coates
 
Bug Bounty Programs For The Web
Bug Bounty Programs For The WebBug Bounty Programs For The Web
Bug Bounty Programs For The WebMichael Coates
 
SQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning CenterSQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning CenterMichael Coates
 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterMichael Coates
 
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPIReal Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPIMichael Coates
 

Más de Michael Coates (8)

Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAPVirtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
 
2013 michael coates-javaone
2013 michael coates-javaone2013 michael coates-javaone
2013 michael coates-javaone
 
Sf startup-security
Sf startup-securitySf startup-security
Sf startup-security
 
Bug Bounty Programs For The Web
Bug Bounty Programs For The WebBug Bounty Programs For The Web
Bug Bounty Programs For The Web
 
SQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning CenterSQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning Center
 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning Center
 
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPIReal Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
 
SSL Screw Ups
SSL Screw UpsSSL Screw Ups
SSL Screw Ups
 

Último

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 

Último (20)

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 

Creating Self Defending Applications to Repel Attackers

  • 1. Creating Self Defending Applications to Repel Attackers Michael Coates @_mwc
  • 2. • Chairman OWASP Board • Shape Security: Director of Product Security Background – 12 years of security adventures • Built and lead security program protecting 450 million Firefox users & Mozilla systems • Secured code processing millions of dollars daily • Bypassed electronic voting systems • Defended fortune 100 global network • Infiltrated telco for mobile networks in Asia and Middle east • “Talked” my way into bank server rooms & to obtain user passwords @_mwc
  • 3. Billion Dollar Cybercrime ~US $350 Billion – Global Drug Trafficking Estimates US $170 Billion – Apple Annual Revenue 2013 US $263 Billion – Hong Kong 2012 Gross Domestic Product (GDP) US $469 Billion – Walmart Annual Revenue 2013 US $95 Billion – Morocco 2012 Gross Domestic Product (GDP) US $112 Billion – Hewlett-Packard Annual Revenue 2013 US $104 Billion – Honda Annual Revenue 2012
  • 4. Billion Dollar Cybercrime ~US $350 Billion – Global Drug Trafficking Estimates US $170 Billion – Apple Annual Revenue 2013 US $263 Billion – Hong Kong 2012 Gross Domestic Product (GDP) US $469 Billion – Walmart Annual Revenue 2013 US $95 Billion – Morocco 2012 Gross Domestic Product (GDP) US $112 Billion – Hewlett-Packard Annual Revenue 2013 US $104 Billion – Honda Annual Revenue 2012 US $113 Billion – Global price tag of consumer cybercrime
  • 5. Cost of Security • Cybercrime cost to companies – 26% increase 2012 to 2013 • Cybercrime cost to individual – 50% increase 2012 to 2013 • Cost per breached record to company – Average US $136
  • 6. Largest Single Culprit : Hacking Verizon Data Breach Report 20132013 Incidents by Breach Type datalossdb.org 48% from Hacking 52% involved Hacking
  • 7. Opportunistic Scanners • Scan web for common vulnerabilities • Highly leverage automation • Often untargeted 75% Attacks Opportunistic Verizon Data Breach Report 2013
  • 8. Underground Market Prices 2013 Dell SecureWorks USD Visa, American Express, Discover $4-$8 Credit Card with track 1 and 2 data $12 Full user information $25 1,000 Infected Computers $20 DDOS Attacks (per hour) $3-$5
  • 9. The Objective • Protect the most critical data • Handle known and unknown attacks • Identify attackers before compromise • Automated – no humans needed
  • 10. Critical Data Applications stored & allow access to critical data – by design Name Email Address Credit Card Bank Information Medical Information Purchase History Affiliations …
  • 11. Gut Check Current Defenses Are Failing • Custom code • unique vulnerabilities -> tailored patches • Unrealistic defensive postures • Signatures only protect against last generic attack • Human required interaction is too slow • Valid signals are lost / ignored • Attackers constantly probe and attack applications without deterrence
  • 20. Detecting Attacks • 50+ attack detection points and growing • Signature & Behavioral • Many have nearly zero false positive rate – Can’t be encountered accidentally by user – POST vs Get – ‘ OR ‘1’=‘1’ http://www.owasp.org/index.php/AppSensor_DetectionPoints
  • 21. Centralize Attack Detection Knowledge • Detection Points Report to Central Location • AppSensor Integrates w/User Store • Enables Response Actions against User Object
  • 22. Detect & Eliminate Threat • Strong control of authenticated portion – Lockout user – Disable account • Effective attack reporting for unauthenticated portion
  • 24. App Defense Eliminates Threats Block attacker & minimize threat
  • 25. Humans & Automation • Detection Points – Human driven attacks • Trend Analysis – Automated driven attacks
  • 28. Attack Aware Resources • Cross Talk Sept, 2011 - crosstalkonline.org • Software Assurance - buildsecurityin.us-cert.gov/swa/attackaware.html
  • 29. Alternatives? • Self Defending – in the app, full user object interaction, full app knowledge • Web Application Firewall (stand alone) – generic attack detection • Log Analysis – slow, reactive, ineffective, ignored
  • 30. Self Defending Applications In The Lifecycle & Organization
  • 31. Threat Modeling – Identify critical business functionality – Capture abuse cases – Define detection methods
  • 32. Example • Grant Permission Page site.com/UpdatePermission – Inputs: • targetUser - Integer • grantPerm - Integer (1,2,3) (Read, Write Delete) – Access Control Requirement: • Page Access: Power User • Functionality Access: Power User • Target User: Non-admin
  • 33. Abuse Cases • Non-integer submitted for targetUser • Invalid number submitted for grantPerm • Force browsing to page from unauthorized account (HTTP GET) • Force submission to page from unauthorized account (HTTP Post) • Target user is admin account • Unexpected rate of use (100 perm changes in 10 seconds?)
  • 34. Risk Analysis • Tolerance for Fraud & Abuse • Define Acceptable Response – Alert Admins – Logout / Lock Accounts – Limit Functionality
  • 36. Timing & Flow Attack Detection PointsCommon Attack Vectors Design Requirement s Threat Modeling Unique App Attack Vectors Risk Analysis Response Policy/Pla n Response Capabilitie s
  • 37. Organization Support Who Action Architects, Developers, Biz Owners, Security SMEs Threat Modeling, Determine Detection Points Biz Owners, Architects, Security SMEs Determine Response Actions Architects, Security SMEs Design Response Architecture Operations Team, Security SMEs System Communication for Detection Logging & Response Developers, Security SMEs Implement Detection Point & Response Code Monitoring Team, Security SMEs Define monitoring thresholds, alerting/action requirements
  • 39. Common Event Format (CEF) • Emerging standard on logging format • Easily parsed by security integration manager (sim) • Enables AppSensor Logging CEF:0|Mozilla|MozFooApp|1.0 |ACE0|Access Control Violation|8|rt=01 31 2010 18:30:01 suser=janedoe suid=55 act=Action Denied src=1.2.3.4 dst=2.3.4.5 requestMethod=POST request=http://foo.mozilla.org/foo/abc.php?a=b cs1Label=requestClientApplication cs1=Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2 msg=Additional Data here
  • 41. Full Stack Knowledge • Application Layer - Custom attack / abuse notification • Network Layer - IDS activity, firewall failures • OS Layer - OS commands (AuditD), System event logs
  • 42. Data Analysis Failed Captcha on Create User Account Created User Authentication Failed
  • 44. Top Users Failing Auth within Application
  • 45. App Use Mapping Operation IP Address Account
  • 47. 1 IP Address, Multiple Users Auth Fail, New Account acct1 - pw change acct 2 - auth failed
  • 48. Summary Self Defending Applications: • Detect Malicious Activity in Critical Apps • Enable Immediate Response • Prevent/Limit Compromise • Require Organization Support
  • 49. AppSensor Project • AppSensor: Version 2 of Book • Sub-project: Preventing Automated Attacks – owasp.org/index.php/OWASP_AppSensor_Project/PAA – Evaluating current approaches, costs & efficacy • CAPTCHA, IP Blocking, Reputation, Human Analysis, etc • Join Us! – owasp.org/index.php/Category:OWASP_AppSensor_Project – owasp-appsensor-project@lists.owasp.org

Notas del editor

  1. http://www.hpenterprisesecurity.com/ponemon-2013-cost-of-cyber-crime-study-reportshttps://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdfhttp://www.symantec.com/about/news/release/article.jsp?prid=20131001_01
  2. Datalossdb.org – 48% from hacking, 8% fraud, 7% stolen laptopVerizon DBR – 52% involved hacking