SPI Dynamics web application security 101
Download as PPTX, PDF0 likes529 views
Web applications are vulnerable to attacks at the application layer, with over 70% of attacks targeting websites and web applications directly. Traditional network and system security tools do not adequately assess vulnerabilities in custom web applications. SPI Dynamics develops automated web application security products that contain expert security knowledge to comprehensively scan websites and web applications, simulating how a hacker would attack. Their flagship product, WebInspect, automatically crawls an entire website and tests for vulnerabilities, providing an easy to understand report of issues found.
SPI Dynamics web application security 101
- 2. security. protection. intelligence. Q: Where Do Your Current Security Measures Fail? A: Your Proprietary, Custom written Web Applications
- 3. security. protection. intelligence. Today over 70% of attacks against a company‟s Web site or Web application come at the „Application Layer‟ not the Network or System layer. A complete security solution requires attention at each potential point of attack.
- 4. security. protection. intelligence. A: Enact policies requiring your developers to write secure code. Q: So how do we remedy this situation? •Verify all request parameters are in proper format (via through a standard library) •Any unknown or incorrect user data should be logged and terminated.
- 5. security. protection. intelligence. But if you instituted this policy, how would you effectively enforce it? What measures would you have in place to make sure that they comply? “A unenforceable policy, or one with out a process to determine the outlined specifications, is just as good, as no policy at all.”
- 6. security. protection. intelligence. Q: But I use XYZ Scanner, won’t it discover these types of vulnerabilities? A: No, and this is why.
- 7. security. protection. intelligence. Where Today’s Security Measures Fail
- 8. security. protection. intelligence. A: Because other Scanners are a security Broadsword, where ours is a Security Scalpel WebInspectTM is NOT meant to replace any tools that are currently being used, instead it complements them. Q: How can SPI Dynamics do all of this and the others can’t?
- 9. security. protection. intelligence. How SPI Solves The Problem
- 10. security. protection. intelligence. WebInspectTM scans the whole site: Web server Web pages Scripts Proprietary applications Cookies Database Server Internet IDS Firewall CC#’s Database Users Database Web Server
- 11. security. protection. intelligence. WebInspectTM Scans authentication codes Assesses security procedures Carves into confidential data … Just like a hacker would Database Server Internet IDS Firewall CC#’s Database Users Database Web Server
- 12. security. protection. intelligence. WebInspect™, automates our security expertise so that customers can simulate an advanced web-application attack on their own. WebInspect™ detects holes in both standard and proprietary applications, and crawls over the entire website in search of potential security problems. WebInspect™
- 13. security. protection. intelligence. WebInspect™ is easy to use. Simply enter the URL of the Web site or Web application you wish to scan and click go. WebInspect™
- 14. security. protection. intelligence. WebInspect™ is easy to understand. The Vulnerability Report is listed in order of severity and contains HTML links for navigation. WebInspect™
- 15. security. protection. intelligence. Features & Benefits of WebInspectTM Unique Focus: Your proprietary Web site or Web application Superior Scanning: Products codify our security expertise Extremely Fast: WebInspectTM runs in minutes/ hours vs. days/ weeks it takes to complete traditional vulnerability assessments Automated: Continuously maintain your security integrity Updated: Continuously keep up to date on the latest vulnerabilities with the online update feature Simple & Cost Effective: Licensed per IP address or per consultant Risk-Free: Offered on a trial basis at no cost
- 16. security. protection. intelligence. How does WebInspectTM do this? Hidden Manipulation Parameter Tampering Cookie Poisoning Stealth Commanding Forceful Browsing Backdoor/Debug Options Configuration Subversion Vendor–Assisted Hacking
- 17. security. protection. intelligence. The SPI Works Product Suite Use WebInspectTM to assess current Web sites or Web applications. Use WebInspectTM to QA new applications during development prior to release into production. Available now Know your vulnerabilities Use LogAlertTM to audit Web logs to know if an attacker has successfully compromised your Web site or Web application. Use LogAlertTM after you have been attacked for Web log forensic analysis. Available now Know if you have been attacked Use WebDefendTM to proactively stop Web site or Web application intrusions. Available Q2 2002 Proactively stop attacks WebInspect Application Assessment WebDefend Application Intrusion Protection LogAlert Application Log Audit TM TM TM
- 18. security. protection. intelligence. Our Company Founded in April 2000 by recognized Information Security industry experts Released WebInspectTM in April 2001 HQ in Atlanta, Georgia Resellers in New York, Chicago, Washington D.C., Knoxville, Miami, London SPI serves clients in each of the following vertical industries: HealthCare Insurance Financial Services Government Global Enterprise Consulting
- 19. security. protection. intelligence. SPI Dynamics is the leading provider of automated Web Application security products. SPI develops “hands-off” security products that contain the knowledge and expertise of an information security professional embedded in the code. The embedded “hacker logic” enables our software to think for the end-user, making their job easier.