SlideShare a Scribd company logo

Propelling security

Download as PPTX, PDF
J
Jayant Kumar

This document discusses various security topics including application security, injection vulnerabilities, infrastructure security, and developing a security strategy and plan. It covers the Open Web Application Security Project (OWASP) top 10 risks, examples of SQL and OS injection vulnerabilities, mitigation techniques like input validation and web application firewalls, and approaches to infrastructure security like preventing DDoS attacks and unauthorized access. The importance of continuous improvement, monitoring, and prioritizing security is emphasized.

Technology
Related topics:
Application Security
1 of 17
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Propelling Security Driving security that makes sense
Why is security important ? ● Data security : protect users who use your website ● Network security : protect your infrastructure from DOS, Spyware & unintended misuse. Source : http://breachlevelindex.com/
Application Security ● What is OWASP top 10 ? ○ Open Web Application Security Project ○ Focus on making security visible ○ Help organizations can take informed decisions ○ Top 10 most critical application security risks ○ Available at http://www.owasp.org
How OWASP helps? ● Check if your application is vulnerable ● Sample attack patterns ● Prevention guidelines ● What is the Business impact? ○ sell it to your investors Most critical vulnerability in 2017 : Injection
SQL / NoSQL injection Query in code : String sql = "SELECT * FROM USERS WHERE USERID='"+request.getParameter("id")+"'"; App url : http://mywebsite.com/app/userView?id='123' or '1'='1 Query which gets executed : "SELECT * FROM USERS WHERE USERID='123 or '1'='1'"; What if someone is able to execute "SELECT * FROM USERS WHERE USERID='123'; DROP TABLE USERS;"
OS Command injection Code : delete.php <?php $file = $_GET['filename']; system("rm $file"); ?> URL : http://mywebsite.com/delete.php?filename=abc;ls -l What if the attacker runs : URL : http://mywebsite.com/delete.php?filename=abc;cat dbconfig.php
Injection : Story
Injection : Story Vulnerabilities exploited ● file upload ● sql injections Attacker uploaded webshell get yours at https://github.com/JohnTroony/php-webshells.git shell used : c99_locus7s.php ● what did the attacker get ? ● how was the attacker discovered ?
Mitigating injections ● Check user input ○ type check : string, int, float ○ format check : ip address, email ● Web application firewall ○ 3rd party tool ○ WAF by AWS / Akamai
Network / Infrasturcture security ● DDOS ○ Personal experience story ○ Letsbuy DDOS attack ■ SYN flooding ○ How was it mitigated ? ● Common solutions to DDOS ○ Reverse proxy ○ IP Blocking ? ○ Paid solutions - Akamai / AWS
Infrastructure misuse ● AWS Hacking story ● Discovery ? ● Mitigation ?
Security Strategy ● Figure out where you stand ● Prioritize security ● Creating an action plan
Application security plan ● Keep a lookout on latest security vulnerabilities ○ OWASP top 10 ● Collect and analyze all data ○ ELK ? ○ Know your users ○ Anomaly alerts based on Traffic / Database query ● Get WAF (specifically startups) ○ Progressive tuning required ● Black Box / gray box scanning ○ On premise tool : Acunetix web application vulnerability scanner ○ 3rd party black box scans at regular intervals
Infrastructure security plan ● DDOS prevention strategy ○ AWS / Firewall / Akamai ● DNS attacks ○ DNS DOS attack ○ SYN Flooding ○ DNS hijacking ● Protect your DNS ○ Use better DNS provider ○ Ultra DNS ○ Route 53
Can I handle phishing ? ● Replica websites ○ Have you received phishing mails of hdfc / icici bank ? ● Strategy to detect phishing ○ Honeypot ○ Logging / monitoring
Continuous improvement plan ● Change organization culture ● Code review : is this code secure ? ● Security roadmap ● Track progress at regular intervals ○ JIRA Epic ○ Prioritization
Remember Hackers are always 1 step ahead No lock can stop a skilled thief Q & A

More Related Content

PPTX
Emerging Trends in Cybersecurity by Amar Prusty
Cysinfo Cyber Security Community
 
PPTX
Linux confau 2019: Web Security 2019
James Bromberger
 
PPTX
Cyber Security Briefing for Beginners
István Lőrincz
 
ODP
Atmosphere 2016 - Eugenij Safanov - Web Application Security: from reactive t...
PROIDEA
 
PPTX
Defend your organisation from Cyber Attacks
begmohsin
 
PDF
Security awareness training
Sumedt Jitpukdebodin
 
PDF
Information Security Awareness Training (En)_Information Security Awareness F...
Shah Nawaj Ahmad
 
PDF
OWASP, PHP, life and universe
Sebastien Gioria
 
Emerging Trends in Cybersecurity by Amar Prusty
Cysinfo Cyber Security Community
 
Linux confau 2019: Web Security 2019
James Bromberger
 
Cyber Security Briefing for Beginners
István Lőrincz
 
Atmosphere 2016 - Eugenij Safanov - Web Application Security: from reactive t...
PROIDEA
 
Defend your organisation from Cyber Attacks
begmohsin
 
Security awareness training
Sumedt Jitpukdebodin
 
Information Security Awareness Training (En)_Information Security Awareness F...
Shah Nawaj Ahmad
 
OWASP, PHP, life and universe
Sebastien Gioria
 

What's hot (15)

PPTX
Security in the IoT generation - Guy Rombaut - Codemotion Amsterdam 2017
Codemotion
 
PDF
Living with Determined Attackers MOSI Edition
James '​-- Mckinlay
 
PDF
Vault and Security as a Service
Patrick Shields
 
PDF
ResellerClub Ctrl+F5 - WordPress Security session
Pratik Jagdishwala
 
PPTX
Now you can trust the browser - Ben Gidley, Tim Charman - Codemotion Amsterda...
Codemotion
 
PDF
パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法
inet-lab
 
PDF
Secure wordpress
Prabesh Thapa
 
PDF
CloudFlare - The Heartbleed Bug - Webinar
Cloudflare
 
PPTX
Xss attack
Ambuj Kumar
 
PPTX
Basic WordPress Security
⚙ Stephen Harvey
 
PDF
CSRF_RSA_2008_Jeremiah_Grossman
guestdb261a
 
PDF
Openbar Leuven // Top 5 focus areas in cyber security linked to you digital t...
Openbar
 
PPTX
CLUSIR INFONORD OWASP iot 2014
Sebastien Gioria
 
PDF
Forcepoint - Analýza chování uživatelů
MarketingArrowECS_CZ
 
PDF
SSH - From Zero to Hero
OWASP Khartoum
 
Security in the IoT generation - Guy Rombaut - Codemotion Amsterdam 2017
Codemotion
 
Living with Determined Attackers MOSI Edition
James '​-- Mckinlay
 
Vault and Security as a Service
Patrick Shields
 
ResellerClub Ctrl+F5 - WordPress Security session
Pratik Jagdishwala
 
Now you can trust the browser - Ben Gidley, Tim Charman - Codemotion Amsterda...
Codemotion
 
パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法
inet-lab
 
Secure wordpress
Prabesh Thapa
 
CloudFlare - The Heartbleed Bug - Webinar
Cloudflare
 
Xss attack
Ambuj Kumar
 
Basic WordPress Security
⚙ Stephen Harvey
 
CSRF_RSA_2008_Jeremiah_Grossman
guestdb261a
 
Openbar Leuven // Top 5 focus areas in cyber security linked to you digital t...
Openbar
 
CLUSIR INFONORD OWASP iot 2014
Sebastien Gioria
 
Forcepoint - Analýza chování uživatelů
MarketingArrowECS_CZ
 
SSH - From Zero to Hero
OWASP Khartoum
 
Ad

Similar to Propelling security (20)

PDF
Become a Security Ninja
Paul Gilzow
 
PPTX
Web Application Security Session for Web Developers
Krishna Srikanth Manda
 
PDF
Web Security
KHOANGUYNNGANH
 
PDF
Protecting Against Web App Attacks
Alert Logic
 
PDF
Secure coding presentation Oct 3 2020
Moataz Kamel
 
PDF
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Alert Logic
 
PDF
CSS17: Houston - Protecting Web Apps
Alert Logic
 
PDF
Secure coding guidelines
Zakaria SMAHI
 
PPTX
Altitude SF 2017: Security at the edge
Fastly
 
PDF
Shields up - improving web application security
Konstantin Mirin
 
PDF
Web Security
Gerald Villorente
 
PPT
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Alan Kan
 
PPTX
Web Security Overview
Noah Jaehnert
 
PPT
Information security
Sathyanarayana Panduranga
 
PPTX
CSS 17: NYC - Protecting your Web Applications
Alert Logic
 
PDF
Web hackingtools cf-summit2014
ColdFusionConference
 
PDF
Web hackingtools 2015
ColdFusionConference
 
PDF
Web hackingtools 2015
devObjective
 
PPTX
Security is not a feature
Elizabeth Smith
 
PPTX
Web App Security
Deepak Chandani
 
Become a Security Ninja
Paul Gilzow
 
Web Application Security Session for Web Developers
Krishna Srikanth Manda
 
Web Security
KHOANGUYNNGANH
 
Protecting Against Web App Attacks
Alert Logic
 
Secure coding presentation Oct 3 2020
Moataz Kamel
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Alert Logic
 
CSS17: Houston - Protecting Web Apps
Alert Logic
 
Secure coding guidelines
Zakaria SMAHI
 
Altitude SF 2017: Security at the edge
Fastly
 
Shields up - improving web application security
Konstantin Mirin
 
Web Security
Gerald Villorente
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Alan Kan
 
Web Security Overview
Noah Jaehnert
 
Information security
Sathyanarayana Panduranga
 
CSS 17: NYC - Protecting your Web Applications
Alert Logic
 
Web hackingtools cf-summit2014
ColdFusionConference
 
Web hackingtools 2015
ColdFusionConference
 
Web hackingtools 2015
devObjective
 
Security is not a feature
Elizabeth Smith
 
Web App Security
Deepak Chandani
 
Ad

Recently uploaded (20)

PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PPTX
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Approach and Philosophy of On baking technology
30anthuong17
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
A Presentation on Artificial Intelligence
memembruh336
 
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 

Propelling security

  • 2. Why is security important ? ● Data security : protect users who use your website ● Network security : protect your infrastructure from DOS, Spyware & unintended misuse. Source : http://breachlevelindex.com/
  • 3. Application Security ● What is OWASP top 10 ? ○ Open Web Application Security Project ○ Focus on making security visible ○ Help organizations can take informed decisions ○ Top 10 most critical application security risks ○ Available at http://www.owasp.org
  • 4. How OWASP helps? ● Check if your application is vulnerable ● Sample attack patterns ● Prevention guidelines ● What is the Business impact? ○ sell it to your investors Most critical vulnerability in 2017 : Injection
  • 5. SQL / NoSQL injection Query in code : String sql = "SELECT * FROM USERS WHERE USERID='"+request.getParameter("id")+"'"; App url : http://mywebsite.com/app/userView?id='123' or '1'='1 Query which gets executed : "SELECT * FROM USERS WHERE USERID='123 or '1'='1'"; What if someone is able to execute "SELECT * FROM USERS WHERE USERID='123'; DROP TABLE USERS;"
  • 6. OS Command injection Code : delete.php <?php $file = $_GET['filename']; system("rm $file"); ?> URL : http://mywebsite.com/delete.php?filename=abc;ls -l What if the attacker runs : URL : http://mywebsite.com/delete.php?filename=abc;cat dbconfig.php
  • 8. Injection : Story Vulnerabilities exploited ● file upload ● sql injections Attacker uploaded webshell get yours at https://github.com/JohnTroony/php-webshells.git shell used : c99_locus7s.php ● what did the attacker get ? ● how was the attacker discovered ?
  • 9. Mitigating injections ● Check user input ○ type check : string, int, float ○ format check : ip address, email ● Web application firewall ○ 3rd party tool ○ WAF by AWS / Akamai
  • 10. Network / Infrasturcture security ● DDOS ○ Personal experience story ○ Letsbuy DDOS attack ■ SYN flooding ○ How was it mitigated ? ● Common solutions to DDOS ○ Reverse proxy ○ IP Blocking ? ○ Paid solutions - Akamai / AWS
  • 11. Infrastructure misuse ● AWS Hacking story ● Discovery ? ● Mitigation ?
  • 12. Security Strategy ● Figure out where you stand ● Prioritize security ● Creating an action plan
  • 13. Application security plan ● Keep a lookout on latest security vulnerabilities ○ OWASP top 10 ● Collect and analyze all data ○ ELK ? ○ Know your users ○ Anomaly alerts based on Traffic / Database query ● Get WAF (specifically startups) ○ Progressive tuning required ● Black Box / gray box scanning ○ On premise tool : Acunetix web application vulnerability scanner ○ 3rd party black box scans at regular intervals
  • 14. Infrastructure security plan ● DDOS prevention strategy ○ AWS / Firewall / Akamai ● DNS attacks ○ DNS DOS attack ○ SYN Flooding ○ DNS hijacking ● Protect your DNS ○ Use better DNS provider ○ Ultra DNS ○ Route 53
  • 15. Can I handle phishing ? ● Replica websites ○ Have you received phishing mails of hdfc / icici bank ? ● Strategy to detect phishing ○ Honeypot ○ Logging / monitoring
  • 16. Continuous improvement plan ● Change organization culture ● Code review : is this code secure ? ● Security roadmap ● Track progress at regular intervals ○ JIRA Epic ○ Prioritization
  • 17. Remember Hackers are always 1 step ahead No lock can stop a skilled thief Q & A