“Today over 70% of attacks against a company’s network come at the ‘Application Layer’ not the Network or System layer.” - Gartner
Is Your Web Application Security Cleared?
Dr. Ravi Kiran Raju Yerra
Vice President – Security Testing
Arsin Corporation
Documents> Security Services > Web Application
Snap Shot of the Presentation
• About Me
• Web Applications – The Challenge
• Why Web Applications are Vulnerable
• Top 10 Vulnerabilities
• Is Application Security a Tool Business?
• Methodology
• Suggested Tools
• What's Next?
About Me
• Holds a Doctor of Science in Internet Security Management
• Has 15 years of experience in Information Technology and Information Security solutions
• Vice President – QA (Security Testing) at Arsin Corporation
• Actively involved in 10 different innovative information threat management projects with various universities across the globe
Web Applications – The Challenge
[Diagram: Web Application, composed of a Web Server, an Application Server and a Database Server]
The World Wide Web has evolved into a global environment delivering applications such as reservation systems, online shopping or auction sites, games, multimedia applications, calendars, maps, chat applications, data entry/display systems, and many more.
Web applications are characterized by multiculturalism, continuous change, fast pace and competitiveness, and high demands on user adaptivity.
Thus, the complexity of securing such web applications has increased significantly.
Why Web Applications are Vulnerable
• Application attacks are the latest trend when it comes to hacking.
• On average, 90% of all dynamic content sites have vulnerabilities associated with them.
• No single web server and database server combination has been found to be immune!
• Current security solutions do not offer adequate protection.
• Attacks pass through perimeter firewall security over port 80 (or 443 for SSL).
• They exploit bugs and poor security programming practices in the software.
What is Web Application Security?
Web Application Security is not the traditional layers and their traditional security controls:
• Network Protocols: Firewalls, Routers, Operating System IP Stack Configuration and Filtering, VPNs, and Vulnerability Scanners
• Operating System: Operating System Patches and OS Configuration, Authentication, Authorization, Encryption, and Vulnerability Scanners
• Commercial and Open Source Applications: Minimize Services, Application Configuration, Patches, Application-level Authentication and Authorization, and Vulnerability Scanners
What is Web Application Security?
Web Application Security is the layer above the traditional layers and their traditional security controls:
• Network Protocols: Firewalls, Routers, Operating System IP Stack Configuration and Filtering, VPNs, and Vulnerability Scanners
• Operating System: Operating System Patches and OS Configuration, Authentication, Authorization, Encryption, and Vulnerability Scanners
• Commercial and Open Source Applications: Minimize Services, Application Configuration, Patches, Application-level Authentication and Authorization, and Vulnerability Scanners
• Custom Web Applications: Architecture, Design and Code Reviews, Application Scanners, and Testing with Malicious Input
How Bad Is It? – Vulnerability Reports
• Vulnerability reports consistently report web applications as having the highest number of vulnerabilities.
• For example, SANS @RISK, August 2007 (vulnerabilities per weekly issue):

SANS @RISK Aug 2007      8/7   8/13   8/20   8/27   Total
Microsoft Products         0      5     15      0      20
Mac                        1      0      1      2       4
Linux                      4      5      1      5      15
Unix, Solaris, etc.        6      2      6      3      17
Network Device             1      2      3      5      11
Web Applications          50     35     23     22     130
OWASP 2007 Top Ten List
A1. Cross-Site Scripting (XSS)
A2. Injection Flaws
A3. Malicious File Execution
A4. Insecure Direct Object Reference
A5. Cross-Site Request Forgery (CSRF)
A6. Information Leakage and Improper Error Handling
A7. Broken Authentication and Session Management
A8. Insecure Cryptographic Storage
A9. Insecure Communications
A10. Failure to Restrict URL Access
www.owasp.org
Is Application Security a Tool Business???
• Web applications are tested with a combination of tools.
• Typical web application testing is roughly 30% tool effort and 70% manual effort.
• Tools often produce false positive results.
• Evaluating the scanner's results and analysing the Statement of Applicability is key.
• Tools may not take a "Risk Based Approach".
The answer is: NO.
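To make concrete what the Top Ten list names and what the "70% manual effort" buys, here is an added example (not from the presentation or from Arsin): two of the listed flaws, A2 Injection and A1 Cross-Site Scripting, shown as a vulnerable handler beside its hardened form, plus the kind of differential check a tester runs to confirm or reject a scanner finding rather than trusting the tool's verdict. The users table, the inputs and the function names are all constructed for the example; only the Python standard library is used.

```python
"""Added example: OWASP 2007 A2 (Injection) and A1 (XSS), vulnerable vs hardened,
with a differential probe a tester uses to verify a scanner's finding.
All data and names below are constructed for illustration."""
import html
import sqlite3


def build_db():
    """Constructed sample data: an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, display_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "Alice"), ("bob", "Bob <Admin>")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Flaw (A2): untrusted input is concatenated into the SQL text,
    # so the input can change the meaning of the query.
    sql = ("SELECT display_name FROM users WHERE username = '"
           + username + "' ORDER BY rowid")
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, username):
    # Fix: bound parameter; the driver treats the input as data, never as SQL.
    sql = "SELECT display_name FROM users WHERE username = ? ORDER BY rowid"
    return [row[0] for row in conn.execute(sql, (username,))]


def render_vulnerable(display_name):
    # Flaw (A1): an untrusted value is placed into HTML without encoding,
    # so markup in the value is interpreted by the browser.
    return "<p>Welcome, " + display_name + "</p>"


def render_hardened(display_name):
    # Fix: HTML-encode on output; markup characters are displayed, not interpreted.
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


def probe_injection(conn, lookup):
    """Differential check used to triage a scanner report of injection:
    if a lookup returns more rows for a tautology than for a user that does
    not exist, the application is treating input as SQL (a true positive).
    A hardened lookup returns nothing for both, so the finding is a false positive."""
    baseline = lookup(conn, "no-such-user")          # constructed non-existent user
    probed = lookup(conn, "' OR '1'='1")             # constructed tautology input
    return len(probed) > len(baseline)


def demo():
    """Run both flaw types through the vulnerable and hardened code paths."""
    conn = build_db()
    marker = "<script>alert(1)</script>"               # constructed XSS test value
    return {
        "vulnerable_rows": lookup_vulnerable(conn, "' OR '1'='1"),
        "hardened_rows": lookup_hardened(conn, "' OR '1'='1"),
        "vulnerable_confirmed": probe_injection(conn, lookup_vulnerable),
        "hardened_confirmed": probe_injection(conn, lookup_hardened),
        "vulnerable_html": render_vulnerable(marker),
        "hardened_html": render_hardened(marker),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

The probe is the manual half of the work the slide describes: a scanner reports a suspect parameter, and the tester confirms it by observing a behavioural difference (extra rows returned) rather than by pattern-matching the response. The same differential logic rejects the finding against the parameterized version, which is how false positives are weeded out before they reach the report.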
Methodology – Web Application Penetration Testing
[Flow diagram of the engagement steps:]
1. Test Against OWASP 2004
2. Test Against OWASP 2007
3. Test Protocol Security Issues
4. Recommend / Implement Solutions
5. Re-Test the Application
6. Deliver Final Reports
Throughout: Mapping of technical vulnerabilities to business risks
Methodology – Contd.
Testing Against OWASP 2004:
• Understand the applications in detail.
• Test against OWASP 2004 (intrusive / non-intrusive methods).
• Authorized user testing and black box testing.
Testing Against OWASP 2007 and Protocol Security Testing:
• Test against OWASP 2007 (intrusive / non-intrusive methods) and apply fuzzing techniques for protocol analysis.
• External code posture analysis.
Recommend or Implement Solutions:
• Recommend appropriate solutions, including code snippet design.
• If required, Arsin COE Security also helps in implementing the solutions.
Re-Test the Fixed Applications:
• Re-test the entire application against OWASP 2004 and 2007 and protocol issues.
• The retesting process continues until the bugs are reduced to < 5% (non-severe).
Deliver Report:
• On successful completion of testing, Arsin delivers an executive report and a technical report with the applicable recommendations.
Are there any suggested tools?
There are a couple of industry-standard commercial and open-source tools, such as:
• Rational AppScan from IBM
• WebScarab from OWASP
• HP WebInspect, etc.
What's Next?
• Generally, web applications are tested against the "application" only.
• Web applications must also undergo security testing of their respective protocols, i.e. HTTP, HTTPS, etc.
• This means security testing must extend from the "Application Layer" to the "Network Layer".
• Web services security testing will also play an important role.
Queries
Dr. Ravi Kiran Raju – [email protected]
IM – Yahoo: brightvaio
Image References: Black Hat Briefings and www.owasp.org
Thank You
For More Details: Jonathan McClean