Essentials of Web Application Security: what it is, why it matters and how to get started
1 like1,798 views
The document outlines the essentials of web application security, explaining its importance in protecting critical data from various vulnerabilities such as SQL injection and cross-site scripting. It emphasizes the need for proactive scanning, remediation, and the adoption of security best practices to safeguard applications. Additionally, it highlights different types of security services available, including managed services and hybrid solutions, tailored for various organizational needs.
Essentials of Web Application Security: what it is, why it matters and how to get started
- 1. 1 Essentials of Web Application Security: What it is, Why it Matters, and How to Get Started Chris Harget - Product Marketing
- 2. 2 What Is Web Application Security?
- 3. Apps that (mostly) run in Browsers, and let users submit/retrieve information from databases 3
- 4. § Quickly installed/updated § Works across operating systems § Limitless reach, affordable 4 These Are Called “Vulnerabilities” But There Are Problem because… § Your Data is accessible from anywhere § To be useful, Web Apps interpret commands § There are hidden ways commands can be used to breach data
- 8. § Cross-Site Scripting (XSS) – Inserts malicious scripts via trusted URL § Broken Session Management – Lets hackers access applications § Insecure Authentication – Lets attack exploit authentication mechanism § Cross Site Request Forgery (CSRF) – Forces a user to execute unwanted transactions on a Web App they’re logged into. § Structured Query Language (SQL) Injection – Malicious inputs (commands) modifies SQL queries to steal or modify data. 8
- 9. § Web App Vulnerability Scanners conduct mock “attacks” on an application to catalogue which types of real attacks would succeed. § Results, with recommendations for how to fix, are reported to app owner 9
- 10. § Proactively scanning your applications for vulnerabilities and remediating them before the bad guys find them. § Measuring online risk to manage it § Highly automated for fast, comprehensive response and best real-world security. 10
- 11. 11 Why Does App Security Matter?
- 12. § Today’s Economy is all about Web Apps – They’re your store, your product, your branding, your infrastructure. – More apps with more valuable data make them a more attractive target § Types of Data that can be stolen – Customer Identification – Access Controls – Transaction Information – Core Business Data 12
- 13. 13 “69% of 12,000+ IT professionals surveyed believed that in 2013 Application Vulnerabilities are the number one security issue.” -The 2013 (ISC)2 Global Information Security Workforce Study https://www.isc2.org/uploadedFiles/(ISC)2_Public_Content/2013%20Global%20Information %20Security%20Workforce%20Study%20Feb%202013.pdf
- 15. 15
- 16. § 80% have Session Management problems § 61% have Cross Site Scripting issues § 45% have Authentication vulnerabilities 16
- 17. § Jan.14, 2013: CISO, Justin Somaini left shortly after a Cross Site Scripting (XSS) attack resulted in an embarrassing surge of Spam from compromised Yahoo Mail accounts. § Outside security experts said Yahoo was slow to fix the vulnerability, which may have led to the CISO’s abrupt departure. – http://allthingsd.com/20130114/yahoos-chief-information-security-officer- departs-with-more-top-execs-under-ceo-scrutiny/ – http://allthingsd.com/20130110/that-yahoo-mail-vulnerability-not-really-fixed/ – http://arstechnica.com/security/2013/01/how-yahoo-allowed-hackers-to- hijack-my-neighbors-e-mail-account/? utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A +arstechnica%2Findex+%28Ars+Technica+-+All+content%29 17
- 18. § SQL Injection of Heartland Payment Systems’ Web site In March of 2008 exposed 134 million credit cards. – The vulnerability had been known for a long time – Perpetrator was caught and is serving 20 years, but… – …the damage was already done. § http://www.csoonline.com/article/700263/the-15- worst-data-security-breaches-of-the-21st-century 18
- 20. § How many Web applications do you have? § Which apps have mission-critical data behind them? § Who Develops/updates them? § Do you want to build out a security analyst group or retain outside experts? § Do you have mobile apps you want to assess? 20
- 21. § Security Analysts: Scan, Analyze, Coordinate § App Developers: Incorporate findings, fix code § QA: Re-run scans to ensure fixes worked § Governance/Risk/Compliance: Consume reports § Production Team: Re-run scans regularly to find new issues § CIO/CISO: View Dashboard to see trends 21
- 22. § Many vulnerabilities are relatively easy to detect, block and fix. § Common tools for managing vulnerabilities: – Secure coding standards – Web security scanning – Intrusion/penetration testing – Web Application Firewalls (WAFs) § Security is a continuous effort – New developers, software and hardware are employed – Old vulnerabilities never go away – Hackers continue to generate new attacks 22
- 23. 1. Employ coding best practices during development. 2. Scan and remediate in pre-production test environment (run-time is most accurate) 3. Monitor production apps, and patch accordingly – Web Application Firewalls, working with vulnerability scanner, can use policy to “virtually patch” some vulnerabilities 23
- 24. § Pre-Production – Pros: Fixing earlier may be more efficient, more aggressive testing may be used safely – Cons: Test environment may not mirror production environment. § Production – Pros: Most accurate (real environment), Detects newly discovered vulnerabilities, Web App Firewall virtual patch may minimize repair time – Cons: Production team must buy in, care must be taken to use only safe attacks. § Answer? Yes. Both. All of the above. 24
- 25. § Managed Service – Pro: Expert, Fast, Easy, can cover Mobile apps too – Con: $$, Only as good as their tools § Cloud-based SaaS – Pro: Quick Setup, Simple, Affordable – Con: Shallower scan misses some vulnerability types § Software (desktop or Enterprise) – Pro: Powerful, best value for large # of apps – Con: More to learn, costly for small # of apps § Hybrid (Managed Service + Enterprise Software) – Pro: Most secure, augments your team, flexible – Con: Mostly for enterprises 25
- 26. 26 Managed Service Cloud Hybrid Service + Software Enterprise Software Skill Required Depth of Scan
- 27. § Mix and Match – Managed Service for Compliance/Mission Critical apps – Software or Cloud for the rest § Plan to Evolve – Managed Service to start, migrate to Hyrid or Enterprise Software (your data can be preserved) § Phase I, Phase II – Cover most important apps first – Expand to the rest when feasible 27
- 28. § Who? – Global NGO with thousands of web sites § Need? – Methodology Assessment of their security posture, and real-world training of their Developers § Solution? – Cenzic PS did a 3-day engagement with their App Developers. – Reviewed 10 most common vulnerabilities, found examples in their production apps. – Cenzic PS demonstrated on a Live Demo site how a hacker could exploit those specific types of vulnerabilities – Reviewed coding best practices to completely eliminate said vulnerabilities. 28
- 29. § Who? – High technology company with a mobile application that accessed sensitive customer data § Need? – Vulnerability Scan a mobile app that can not be traditionally traversed with a spider. § Solution? – Cenzic Mobile Scan service performed a dynamic analysis by placing a proxy in line to the mobile app, which allowed technicians to replay various attacks and coupled it with a thorough forensic analysis of the application on the device to identify vulnerabilities that exposed customer data. 29
- 30. § Who? – A Health Maintenance Organization § Need? – Deep scan of a new application on a tight development schedule to ensure compliance. § Solution? – Cenzic PS performed Manual Penetration testing along with the comprehensive vulnerability scanning to provide a very thorough scan which could suffice for any compliance or audit need. 30
- 31. 31 Bronze Silver Gold Pla0num Industry Best-‐ Prac0ces for Brochureware sites Industry Best-‐ Prac0ces for forms and login protected sites Compliance for sites with user data Comprehensive scans for Mission cri0cal applica0ons Phishing X X X x Light input valida0on X X X x Data Security X X X x Session management X X x OWASP compliance X x PCI compliance X x Business logic tes0ng x Applica0on logic tes0ng x Manual penetra0on tes0ng x
- 32. 32 Of All Attacks on Information Security Are Directed to the Web Application Layer Of All Web Applications Are Vulnerable Network Server Web Application % of Amount Security Budget 10% 90% % of Attacks Risk 75% Web Layer 25%
- 33. 33 § Justify more IT spend § Reallocate existing IT spend § Stretch existing App Sec spend Tip: For more ideas watch “Top 10 Ways to Win Budget For App Security” https://info.cenzic.com/webinar-security-budget.html
- 34. § Web App Security Trends Report 2013 – https://info.cenzic.com/2013-Application-Security-Trends- Report.html § Web Security: Are You Part Of The Problem? – http://coding.smashingmagazine.com/2010/01/14/web- security-primer-are-you-part-of-the-problem/ § Open Web Application Security Project – (www.OWASP.org) is a broad-based organization seeking to make software security visible for better decision making 34
- 35. We offer: § Industry-leading, patented scanning technology § The broadest range of managed service, cloud, enterprise software and hybrid service solutions to best meet your evolving needs § Training, consulting, and mobile app assessment 35
- 36. § Audit your environment – How many apps do you have? – Are you subject to regulatory compliance? – Which app is most crucial to your organization? § Identify team members who need to get educated § Try Cenzic for Free – https://info.cenzic.com/evaluate-software.html § Let us know how we can help you succeed! – Consulting, Managed Services, and Training always help http://www.cenzic.com/services-support/training/ 36
- 37. www.cenzic.com | 1-866-4-CENZIC (1-866-423-6942) Questions? request@cenzic.com or 1.866-4-Cenzic Blog: https://blog.cenzic.com