This document contains slides from a presentation on application security testing. It discusses what application security is, the growing threats from cyber attacks, and why application vulnerabilities are difficult to detect. It emphasizes that application security needs to be addressed throughout the entire software development lifecycle (SDLC) by security experts working together with developers. Key approaches mentioned include understanding common risks like injection flaws, creating testing procedures, applying defenses, and validating security requirements to get everyone involved in prioritizing application security.
5. www.eurostarconferences.com
What is Application Security?
It is NOT building or network security!
84% of attacks target the applications (Source: HP)
90% of sites are vulnerable to application attacks (Source: Watchfire)
Using Web Security Scanners to Detect Vulnerabilities in Web Services
Marco Vieira, Nuno Antunes, and Henrique Madeira
CISUC, Department of Informatics Engineering, University of Coimbra – Portugal
“The differences in the vulnerabilities detected and the high number of false-positives (35% and 40% in two cases) and low coverage (less than 20% for two of the scanners) observed highlight the limitations of web vulnerability scanners on detecting security vulnerabilities in web services.”
And so to Firewalls
WWW data is exploding:
2010 = 1.2 zettabytes
2015 = 7.9 zettabytes
2020 = 40 zettabytes?
1.2 million variants of malware per day
Only 20%-30% of malware is caught by anti-virus
HP alone sifts through 2.5 billion security events per day.
Perimeter / network defences are failing.
Web Application Firewalls, IDS and IPS filter HTTP conversations by applying rules to block common attacks.
BUT:
They cannot read HTTPS messages unless the TLS session is terminated or decrypted in front of them, which a network IDS/IPS usually is not.
They cannot identify zero-day (new or obfuscated) attacks: a rule matches a known pattern, so a payload the rule author did not anticipate passes straight through.
They need significant effort to customize and maintain.
Methods of attack and defence change over time.
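The following is an added example, not part of the original slides, illustrating why rule-based filtering in front of an application is a weaker defence than fixing the injection flaw in the application itself. The WAF rules, the users table and the request payloads are all constructed for this example (they are not any product's real signatures): a classic `' OR 1=1` payload is caught by the rules, a trivially rewritten equivalent is not, and only the parameterized query is safe against both.

```python
import re
import sqlite3

# Constructed, hypothetical rule set in the style of a signature-based WAF:
# each rule is a regular expression matched against the raw parameter value.
WAF_RULES = [
    re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),  # the textbook ' OR 1=1
    re.compile(r"union\s+select", re.IGNORECASE),       # UNION-based extraction
    re.compile(r"--|/\*"),                               # SQL comment sequences
]


def waf_blocks(value: str) -> bool:
    """True if any rule matches; otherwise the request is passed through."""
    return any(rule.search(value) for rule in WAF_RULES)


def make_db() -> sqlite3.Connection:
    """In-memory users table with two constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Injection flaw: the user-supplied value becomes part of the SQL text."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Fixed in the application: parameter binding keeps the value out of
    the statement structure, so no rewriting of the payload can change it."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


def run_request(name: str) -> dict:
    """Simulate one request: WAF rules first, then both application versions."""
    if waf_blocks(name):
        return {"blocked": True, "vulnerable": None, "safe": None}
    conn = make_db()
    return {
        "blocked": False,
        "vulnerable": lookup_vulnerable(conn, name),
        "safe": lookup_safe(conn, name),
    }


if __name__ == "__main__":
    payloads = [
        "alice",          # legitimate request
        "' OR 1=1 --",    # caught by the rules
        "' OR 'a'='a",    # same effect, no rule matches
    ]
    for p in payloads:
        print(repr(p), "->", run_request(p))
```

The rewritten payload returns every user from the vulnerable lookup while the WAF reports nothing; the parameterized lookup returns no rows for it, exactly as it would for any other literal name. Rules can be tightened to catch this variant too, but each new rule covers one more known pattern, which is the maintenance treadmill the slide describes.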
Who should be doing what?
• We can reverse the asymmetric economics: today an attacker needs to find one flaw, while the defender has to find and fix them all.
• Security experts are experts in security, not in your system!
• We are the experts in our applications.
• We can build security into the whole SDLC.
• We need to understand the subject.
• Identify what can be done now, and what requires experts.
• We need to make everyone aware of application security.