Web application security - Emstell Technology Consulting
Download as PPTX, PDF0 likes510 views
The document outlines the critical need for securing web applications against vulnerabilities as they have become prime targets for security attacks, accounting for over 50% of such incidents. It emphasizes the importance of implementing stringent security measures and regulations, alongside industry standards like ISO 27001 and PCI DSS, to protect sensitive data during online transactions. Emstell Technology Consulting is presented as a firm providing solutions in software quality assurance and education, highlighting the necessity of integrating security throughout the application development lifecycle.
Web application security - Emstell Technology Consulting
- 1. Ayoob Kalathingal - PMP Director - Emstell Technology Consulting Ayoob.ok@emstell.com Kuwait, India, United Kingdom, Saudi Arabia
- 2. Understand the need for securing the application layer of web based applications. Understand the various web application vulnerabilities, impact and Counter Measures Security testing. www.emstell.com
- 3. Web applications have evolved from static pages to a more interactive set up. This interaction has started exposing the technical deficiencies of web applications in the form of vulnerabilities. Dependency on the internet to carry out critical and sensitive business transactions has increased . Hence the stake involved is very high. “Over 50% of security attacks are targeted on web based applications” - Gartner Report” Competition is so high that enterprises can‟t ignore the risk associated with their vulnerable application. Loss incurred could vary from monetary losses to loss of credibility. In certain cases it could mean end of business. www.emstell.com
- 4. Many Countries has come up with strict rules and regulations on Information Security of business. IT Act 2011 in India PIPED Act – Canada (Personal Information Protection and Electronic Documents Act) U.S. Information Security Law, HIPAA – 1996 - Health Insurance Portability and Accountability Act Business Customers are increasingly aware of the systems security and is demanding security and quality certifications in the systems ISO 27001 PCI DSS - Payment Card Industry Data Security Standard www.emstell.com
- 5. Large number of applications coming to the hands of common man carrying out transactions with personal and financial data More and more applications moving to cloud where multiple user or enterprise data is stored in single server or data centers. “Application security is no more a Luxury, its Business” www.emstell.com
- 6. Confidentiality – ensuring that information is accessible only to those authorized. Integrity – safeguarding the accuracy and completeness of information and processing methods. Availability – ensuring that authorized users have access to information and associated assets when required. Accountability – ensuring that authorized users use information in appropriate ways. www.emstell.com
- 7. Web Server DBApp Server Firewall Port 80 (Open)HTTP Traffic Client www.emstell.com
- 8. SQL Query SELECT user FROM Users WHERE Username = '"& strname &"' AND Password = '"& strPassword &"„ Query with valid input SELECT user FROM Users WHERE Username = 'avis' AND Password = 'avis' www.emstell.com
- 9. Query with tampered input SELECT user FROM Users WHERE Username = 'avis';--' AND Password = '"& strPassword &"' www.emstell.com
- 10. Authorization Credential/Session Prediction Insufficient Session Expiration Session Fixation Insufficient Authorization Authentication Brute Force Weak Password Recovery Policy Insufficient Authentication Client-Side Attacks Content Spoofing Cross Site Scripting Information Disclosure Directory Indexing Information Leakage Path Traversal Predictable Resource Location Command Execution Buffer Overflow Format String Attack LDAP Injection OS Commanding SQL Injection SSI Injection X Path Injection Logical Attacks Abuse of Functionality Denial of Service Insufficient Anti- Automation Insufficient Process Validation www.emstell.com
- 11. Non-availability (By bringing the database down) Breach of confidentiality (By viewing other user‟s records) Breach of integrity (By updating other user‟s records) Impersonation (By logging into accounts without a valid password) + Business Impacts www.emstell.com
- 12. Strong and Secure systems, firewalls and antiviruses Proper Input validation Following standard coding practices Have strong password policy in place. Use of strong session ID generation algorithms Disable scripting in the web browser and disable input echoing Grant only necessary privileges for accounts that are used to connect to DB Implement/configure proper access control mechanisms on the web server. Application Security Testing and Fixing the vulnerabilities Educating the users www.emstell.com
- 13. “Though the significant attacks over time where of Zero Day Attack nature, this forms much a lesser count of the total attacks” Test based on the Target Users Vulnerability Assessments Penetration Testing Manual - a team of security experts manually probe the application for common flaws. Automated - a tool is used for testing the application for flaws. False Positives www.emstell.com
- 14. “The cost of quality is higher in the later stages of an application” Application security should be a part of the application development and should be incorporated to the SDLC Process. Integrating security to the build. Educating the users, using the best of media and creative formats. www.emstell.com
- 16. Emstell Technology Consulting, is a technology firm offering enterprise level software quality assurance and testing services and ERP Solutions in Education sector. Our Media team deliver creative animated videos for educating users on company policies, explaining business and promotion. We deliver ERP Solutions in ◦ Web Enabled School Management ◦ Library Management Solution ◦ Business Accounting and Inventory www.emstell.com
- 17. Ayoob Kalathingal - PMP Director - Emstell Technology Consulting Ayoob.ok@emstell.com Kuwait, India, United Kingdom, Saudi Arabia www.emstell.com