Importance of WEB APPLICATION SECURITY in 5 minutes
Soroush Dalili, 9 Dec. 2008, Computer Security MSc., Birmingham University
Which part of the network should be more secure than the others?
• By the risk assessment?
Security is like a chain; it is only as strong as the weakest link.
(Chain links in the figure: Web Server, Database, DNS, Mail Server, RAS Server)
Some interesting facts
95% of websites are vulnerable [1]
Average of 7 vulnerabilities per website [2]
No one wants to use a web application if there is a possibility of information being compromised to unauthorized people.
On average, more than 10 security vulnerabilities in web applications are published every day.
Gartner Rule [3]
Security Spending: % of Attacks vs. % of Dollars
• Web Applications: 75% of attacks, only 10% of dollars
• Network Servers: 25% of attacks, 90% of dollars
Key Problem Factors [4]
• Immature Security Awareness
• In-House Development
• Deceptive Simplicity
• Rapidly Evolving Threat Profile
• Resource and Time Constraints
Solution
SSL, Firewall, or any specific tools? NO!
• Secure Design
• Secure Programming
• Periodic Penetration Tests
• Source Code Audit
The best free web application security reference
WWW.OWASP.ORG
The Open Web Application Security Project
Focused on improving the security of application software.
More than 100 categorized vulnerabilities in web applications!
Yesterday’s News about web application security (8-12-2008) [5]
“SquirrelMail” Insecure Cookie Disclosure Weakness
“IBM Rational ClearQuest” Web Multiple Unspecified Cross Site Scripting Vulnerabilities
“Apple iPhone Configuration Web Utility” for Windows Directory Traversal Vulnerability
“TikiWiki” Multiple Unspecified Vulnerabilities
“Secure Downloads for vBulletin” 'fileinfo.php' SQL Injection Vulnerability
“XOOPS” Local File Include and HTML Injection Vulnerabilities
Thank you very much
Questions?
References
[1] Imperva, "How Safe Is It?", studies from numerous penetration tests, http://www.imperva.com/application_defense_center/papers/how_safe_is_it.html
[2] Jeremiah Grossman, "Website Vulnerabilities Revealed: What everyone knew, but afraid to believe", WhiteHat Security, 2008
[3] Gartner, Nov 2005, http://gartner.com
[4] Dafydd Stuttard, Marcus Pinto, "The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws", Wiley Publishing Inc., 2008
[5] SecurityFocus, http://www.securityfocus.com