Apps that (mostly) run in Browsers, and let users
submit/retrieve information from databases
§ Quickly installed/updated
§ Works across operating systems
§ Limitless reach, affordable
But There Are Problems because…
§ Your Data is accessible from anywhere
§ To be useful, Web Apps interpret commands
§ There are hidden ways commands can be
used to breach data
These Are Called “Vulnerabilities”
[Diagram: Web Server, Application Server]
Vulnerability + Hack
§ Cross-Site Scripting (XSS)
– Inserts malicious scripts via trusted URL
§ Broken Session Management
– Lets hackers access applications
§ Insecure Authentication
– Lets attackers exploit the authentication mechanism
§ Cross Site Request Forgery (CSRF)
– Forces a user to execute unwanted transactions on a
Web App they’re logged into.
§ Structured Query Language (SQL) Injection
– Malicious inputs (commands) modify SQL queries to
steal or modify data.
§ Web App Vulnerability Scanners conduct mock
“attacks” on an application to catalogue which types
of real attacks would succeed.
§ Results, with recommendations for how to fix, are
reported to app owner
§ Proactively scanning your applications
for vulnerabilities and remediating them
before the bad guys find them.
§ Measuring online risk to manage it
§ Highly automated for fast, comprehensive
response and best real-world security.
§ Today’s Economy is all about Web Apps
– They’re your store, your product, your branding, your
– More apps with more valuable data make them a more
§ Types of Data that can be stolen
– Customer Identification
– Access Controls
– Transaction Information
– Core Business Data
“69% of 12,000+ IT professionals surveyed
believed that in 2013 Application
Vulnerabilities are the number one
-The 2013 (ISC)2 Global Information Security Workforce Study
§ 80% have Session Management problems
§ 61% have Cross Site Scripting issues
§ 45% have Authentication vulnerabilities
§ Jan. 14, 2013: CISO, Justin Somaini left
shortly after a Cross Site Scripting (XSS)
attack resulted in an embarrassing surge
of Spam from compromised Yahoo Mail
§ Outside security experts said Yahoo was
slow to fix the vulnerability, which may have
led to the CISO’s abrupt departure.
§ SQL Injection of Heartland Payment Systems’ Web
site in March of 2008 exposed 134 million credit
– The vulnerability had been known for a long time
– Perpetrator was caught and is serving 20 years, but…
– …the damage was already done.
§ How many Web applications do you have?
§ Which apps have mission-critical data?
§ Who Develops/updates them?
§ Do you want to build out a security analyst
group or retain outside experts?
§ Do you have mobile apps you want to
§ Security Analysts: Scan, Analyze, Coordinate
§ App Developers: Incorporate findings, fix code
§ QA: Re-run scans to ensure fixes worked
§ Governance/Risk/Compliance: Consume reports
§ Production Team: Re-run scans regularly to find
§ CIO/CISO: View Dashboard to see trends
§ Many vulnerabilities are relatively easy to detect,
block and fix.
§ Common tools for managing vulnerabilities:
– Secure coding standards
– Web security scanning
– Intrusion/penetration testing
– Web Application Firewalls (WAFs)
§ Security is a continuous effort
– New developers, software and hardware are employed
– Old vulnerabilities never go away
– Hackers continue to generate new attacks
1. Employ coding best practices during
2. Scan and remediate in pre-production test
environment (run-time is most accurate)
3. Monitor production apps, and patch
– Web Application Firewalls, working with
vulnerability scanner, can use policy to “virtually
patch” some vulnerabilities
– Pros: Fixing earlier may be more efficient, more
aggressive testing may be used safely
– Cons: Test environment may not mirror production
– Pros: Most accurate (real environment), Detects newly
discovered vulnerabilities, Web App Firewall virtual
patch may minimize repair time
– Cons: Production team must buy in, care must be taken
to use only safe attacks.
§ Answer? Yes. Both. All of the above.
§ Managed Service
– Pro: Expert, Fast, Easy, can cover Mobile apps too
– Con: $$, Only as good as their tools
§ Cloud-based SaaS
– Pro: Quick Setup, Simple, Affordable
– Con: Shallower scan misses some vulnerability
§ Software (desktop or Enterprise)
– Pro: Powerful, best value for large # of apps
– Con: More to learn, costly for small # of apps
§ Hybrid (Managed Service + Enterprise Software)
– Pro: Most secure, augments your team, flexible
– Con: Mostly for enterprises
§ Mix and Match
– Managed Service for Compliance/Mission Critical apps
– Software or Cloud for the rest
§ Plan to Evolve
– Managed Service to start, migrate to Hybrid or Enterprise
Software (your data can be preserved)
§ Phase I, Phase II
– Cover most important apps first
– Expand to the rest when feasible
– Global NGO with thousands of web sites
– Methodology Assessment of their security posture, and
real-world training of their Developers
– Cenzic PS did a 3-day engagement with their App
– Reviewed 10 most common vulnerabilities, found
examples in their production apps.
– Cenzic PS demonstrated on a Live Demo site how a
hacker could exploit those specific types of vulnerabilities
– Reviewed coding best practices to completely eliminate
– High technology company with a mobile
application that accessed sensitive customer
– Vulnerability Scan a mobile app that
cannot be traditionally traversed with a spider.
– Cenzic Mobile Scan service performed a dynamic
analysis by placing a proxy in line to the mobile app,
which allowed technicians to replay various attacks
and coupled it with a thorough forensic analysis of
the application on the device to identify
vulnerabilities that exposed customer data.
– A Health Maintenance Organization
– Deep scan of a new application on a tight development
schedule to ensure compliance.
– Cenzic PS performed Manual Penetration testing along
with the comprehensive vulnerability scanning to provide
a very thorough scan which could suffice for any
compliance or audit need.
[Chart: % of all attacks on information security are directed to the Web application layer; % of all Web applications are vulnerable. Axes: % of Amount, % of Attacks]
§ Justify more IT spend
§ Reallocate existing IT spend
§ Stretch existing App Sec spend
Tip: For more ideas watch
“Top 10 Ways to Win Budget For App Security”
§ Web App Security Trends Report 2013
§ Web Security: Are You Part Of The Problem?
§ Open Web Application Security Project
– (www.OWASP.org) is a broad-based organization seeking
to make software security visible for better decision
§ Industry-leading, patented scanning technology
§ The broadest range of managed service, cloud,
enterprise software and hybrid service solutions to
best meet your evolving needs
§ Training, consulting, and mobile app assessment
§ Audit your environment
– How many apps do you have?
– Are you subject to regulatory compliance?
– Which app is most crucial to your organization?
§ Identify team members who need to get educated
§ Try Cenzic for Free
§ Let us know how we can help you succeed!
– Consulting, Managed Services, and Training always