Web Application Security
7/14/16
Jamie Lam, UCSF School of Medicine, Dean’s Office, Information Services Unit
Web Application Attacks – 30% in Edu
Source: 2016 Data Breach Investigations Report - Verizon
7/14/16 UCCSC 2016 2
30% of data breaches in Education involve web application attacks
Breaches per pattern
Getting started
§ OWASP Top 10
• The most common web application attack vectors, with guidance on preventing each of them
• https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
§ SANS Security Checklist for Web Application Design
• https://www.sans.org/reading-room/whitepapers/securecode/security-checklist-web-application-design-1389
Demo: SQL Injection
§ Demo: http://www.techpanda.org/index.php
• Source: http://www.guru99.com/learn-sql-injection-with-practical-example.html
§ Backend logic for checking the user ID (the POST values are pasted straight into the SQL text, with no escaping or parameter binding):
SELECT * FROM users WHERE email = $_POST['email'] AND password = md5($_POST['password']);
§ Log in with:
• Username: any email address
• Password: any password, appended with: ') OR 1 = 1 -- ]
Demo (con’t)
How it works
§ With email xxx@xxx.xxx and password xxx') OR 1 = 1 -- ], the statement that reaches the database is:
SELECT * FROM users WHERE email = 'xxx@xxx.xxx' AND password = md5('xxx') OR 1 = 1 -- ]');
• The ') closes the string literal and the md5() call
• OR 1 = 1 makes the WHERE clause true for every row (AND binds tighter than OR, so the email and password checks are bypassed as a unit)
• -- turns the rest of the original statement into a comment, so the leftover ]'); never causes a syntax error
• The query returns every user, and the application treats a non-empty result as a successful login
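The bypass described above, reproduced as an added example that is not part of the original slides or of the guru99 demo site: the vulnerable query shape from the slide runs against an in-memory SQLite database, next to a parameterized version of the same check. The table layout, the two accounts and their passwords are constructed for illustration, and because SQLite has no built-in md5() one is registered so the slide's query can run unchanged.

```python
# Added example (not from the original slides): the demo's login bypass
# against an in-memory SQLite database, beside the parameterized query
# that defeats it. Accounts, passwords and table layout are constructed.
import hashlib
import re
import sqlite3

# Payload from the demo: any email, any password followed by ') OR 1 = 1 -- ]
DEMO_EMAIL = "xxx@xxx.xxx"
DEMO_PASSWORD = "xxx') OR 1 = 1 -- ]"


def md5_hex(value):
    # md5 is kept only to match the slide's query; it is not a password hash.
    return hashlib.md5(str(value).encode()).hexdigest()


def make_db():
    """Build the constructed users table that the demo query runs against."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no md5(); register one so the vulnerable query parses as written.
    conn.create_function("md5", 1, md5_hex)
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password) VALUES (?, ?)",
        [
            ("admin@example.org", md5_hex("correct horse battery")),
            ("alice@example.org", md5_hex("hunter2")),
        ],
    )
    conn.commit()
    return conn


def injected_query(email, password):
    """The statement the database actually receives in the vulnerable path."""
    return (
        "SELECT id, email FROM users "
        "WHERE email = '%s' AND password = md5('%s')" % (email, password)
    )


def login_vulnerable(conn, email, password):
    """Mirrors the slide's backend logic: POST values pasted into the SQL text.

    With DEMO_PASSWORD the WHERE clause becomes
    ... AND password = md5('xxx') OR 1 = 1 -- ]')
    which is true for every row, so every user comes back.
    """
    return conn.execute(injected_query(email, password)).fetchall()


def login_safe(conn, email, password):
    """Server-side validation plus a parameterized query.

    The placeholder binding is what stops the injection: the driver sends
    the password as a value, so the quote, OR and -- inside it are data,
    not SQL. The email format check is defence in depth, not the fix.
    """
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        return []
    sql = "SELECT id, email FROM users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, md5_hex(password))).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(injected_query(DEMO_EMAIL, DEMO_PASSWORD))
    print("vulnerable:", login_vulnerable(db, DEMO_EMAIL, DEMO_PASSWORD))
    print("safe:      ", login_safe(db, DEMO_EMAIL, DEMO_PASSWORD))
    print("real user: ", login_safe(db, "alice@example.org", "hunter2"))
```

Running the block prints the injected statement, then two rows from the vulnerable path, an empty result from the parameterized path for the same input, and Alice's row for a genuine login. Two caveats a practitioner should carry away: the fix is parameter binding (placeholders), not input filtering, which is why the safe path still sends the payload to the database and simply gets nothing back; and md5() appears here only because the slide's query uses it, since unsalted MD5 is not an acceptable way to store passwords and a slow, salted scheme such as bcrypt or Argon2 should be used instead.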
How to secure a web application
Incorporate security into the web application lifecycle:
§ Planning
• Data classification and associated data security requirements
§ Development
• Authentication and access control
• Session management
• Input validation
• Error handling
§ Validation
• Code review
• Vulnerability scanning
§ Production
• Patching
• Logging and monitoring
Web Application Scanning
§ Most (all?) campuses provide a web application scanning service, for example:
• IBM AppScan
• Netsparker
• Qualys
• Acunetix
§ A web application vulnerability scanner automatically probes a running application for potential vulnerabilities
• Quick and automated
• Produces both false positives and false negatives, so findings need manual triage and some issues will be missed
§ A scanner should not be relied on alone to do the entire job of securing a web application
Takeaways
§ Consider web application security at every stage of the web application lifecycle
• Use the SANS Security Checklist
§ Do not trust user input: validate and sanitize it on the server side (client-side checks can be bypassed, so they are never sufficient on their own)
§ Scan your web application before go-live, after major changes, and on a regular schedule
§ Maintenance:
• Keep the server, third-party applications, and libraries up to date
• Log and monitor server and application activity, and review the alerts