Lessons Learned From the Yahoo! Hack

Amichai Shulman, CTO




                       © 2013 Imperva, Inc. All rights reserved.
Agenda

  Finding the vulnerable Yahoo! app
     + A true cyber detective story
  Yahoo! hack technical analysis
     + SQL Injection
     + Error based SQL Injection
  The greater lesson
     + 3rd party code security
  Summary and Conclusions




Amichai Shulman – CTO Imperva

  Speaker at Industry Events
    + RSA, Sybase Techwave, Info Security UK, Black Hat
  Lecturer on Info Security
    + Technion - Israel Institute of Technology
  Former security consultant to banks & financial
   services firms
  Leads the Application Defense Center (ADC)
    + Discovered over 20 commercial application vulnerabilities
       – Credited by Oracle, MS-SQL, IBM and others




           Amichai Shulman one of InfoWorld’s “Top 25 CTOs”


Cyber Detective Story




Breaking News – Yahoo! Has been Hacked




Gathering Evidence


 Hacker released a redacted screenshot of the allegedly
  hacked Yahoo! app




Forensics – Turning Evidence into Insights (1)




 Host name from address bar:
      + Ends in “yle.yahoo.net”, (not “yahoo.com”)
      + It has a relatively long host name

Forensics – Turning Evidence into Insights (2)




 Error message
      + The application is powered by ASP.NET
          – Most Yahoo! Applications are PHP based
      + Application source file resides on C:webcorp[blackened by
        hacker]pYahooV2app_code
Identifying the Vulnerable Yahoo! App (1)




 Host name from address bar:
      + Ends in “yle.yahoo.net”, (not “yahoo.com”)
      + It has a relatively long host name.

Identifying the Vulnerable Yahoo! App (2)




 Error message
     + The application is powered by ASP.NET (not PHP like most
       Yahoo! Applications)
     + Application source file resides on C:webcorp[blackened by
       hacker]pYahooV2app_code
Yahoo! Hack Technical Analysis
       Error Based SQL Injection




Data Extraction Techniques by Hackers: 2005-2011

 [Pie chart] SQL Injection: 83%; Other: 17%
 Total = 315,424,147 records (856 breaches)

 Source: Privacy Rights Clearinghouse

SQL Injection Means Business, Literally




SQL Injection: Technical Impact


           Retrieve sensitive data
           from the organization
           Steal the site’s
           administrator password
           Lead to the downloading
           of malware
Still A Very Relevant Attack




    On average, we have identified 53 SQLi
  attacks per hour and 1,093 attacks per day.


SQL Injections By the Hour – Highly Automated




Main Automated Attack Tools




     + SQLmap
     + Havij
Yahoo! Hack – MSSQL Injection with Conversion
Errors

 Attack vector:
   + ' and 1 = convert(int, (select top 1 table_name from x))




 The server tries to convert the additional data (in this case the table name) to an integer
 A character string cannot be converted to an integer, so an error is triggered
 If the system is not hardened, the error message is visible to the attacker and reveals the data

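The mechanism on this slide, as an added example (not code from the deck, from Yahoo! or from the horoscope application): a Python stand-in for the sign lookup, using sqlite3 so it runs offline. sqlite has no CONVERT(), so it does not reproduce MSSQL's conversion message itself; what it shows is the two controls that defeat the technique, binding the value as a parameter (so the quote never ends the SQL literal) and returning a generic error while logging the detail server-side. The table, rows and handler names are constructed; the payload string is the slide's own.

```python
import logging
import sqlite3

logging.basicConfig(level=logging.WARNING)
log = logging.getLogger("horoscope")

# The deck's attack vector, quoted from the slide.
CONVERSION_ERROR_PAYLOAD = "' and 1 = convert (int,(select top 1 table_name from x)"
GENERIC_ERROR = "Sorry, something went wrong. The incident has been logged."


def make_db():
    """Constructed in-memory stand-in for the app's database (sqlite3 so the
    example runs offline; table and rows are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE horoscope (sign TEXT, forecast TEXT)")
    conn.executemany("INSERT INTO horoscope VALUES (?, ?)",
                     [("aries", "a bold day"), ("leo", "a loud day")])
    return conn


def forecast_vulnerable(conn, sign):
    """'Before': user input is concatenated into the statement, so a quote in
    `sign` ends the literal and everything after it is parsed as SQL."""
    sql = f"SELECT forecast FROM horoscope WHERE sign = '{sign}'"
    return [row[0] for row in conn.execute(sql)]


def forecast_safe(conn, sign):
    """'After': the value is bound as a parameter. It is never parsed as SQL,
    so the injected convert(...) is just a sign name that matches nothing."""
    sql = "SELECT forecast FROM horoscope WHERE sign = ?"
    return [row[0] for row in conn.execute(sql, (sign,))]


def handle_unhardened(conn, sign):
    """Unhardened error handling: the database's own message is sent to the
    client, which is what a default ASP.NET error page does. Against MSSQL
    the CONVERT failure text is where the table name would be read back."""
    try:
        return forecast_vulnerable(conn, sign)
    except sqlite3.Error as exc:
        return f"Server Error: {exc}"


def handle_hardened(conn, sign):
    """Hardened: parameterized query plus a generic client-facing error; the
    detail is logged server-side for responders, never returned."""
    try:
        return forecast_safe(conn, sign)
    except sqlite3.Error as exc:
        log.warning("database error for sign=%r: %s", sign, exc)
        return GENERIC_ERROR


if __name__ == "__main__":
    db = make_db()
    print(handle_unhardened(db, "aries"))                    # ['a bold day']
    print(handle_unhardened(db, CONVERSION_ERROR_PAYLOAD))   # raw DB error leaks
    print(handle_hardened(db, CONVERSION_ERROR_PAYLOAD))     # []  (no error, no leak)
```

With the payload the unhardened handler hands the parser's complaint straight back to the client; the hardened handler never reaches the error path at all, because the bound parameter turns the whole string into a value that simply matches no row.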

MSSQL Injection with Conversion Errors


 No need to be a hacker to exploit
 Even script kiddies can do it with automated exploit tools
     + Havij




From SQL Injection to Command Execution


 In the case of SQL injection against an MSSQL database, an attacker can leverage it to run arbitrary commands using the “XP_CMDSHELL” system stored procedure
 Supported by exploit tools




3rd Party Code Security




Vulnerable Application is a 3rd Party Application

 “The leading astrology portal in India… formed co-
  branded channel alliances with internationally recognized
  brands such as MSN, Yahoo! and Google”




Vulnerable Application is Hosted by 3rd Party

 Routing of users from Yahoo! to Astroyogi.com with a DNS alias
 “in.horoscopes.lifestyle.yahoo.net” → “yahoo.astroyogi.com”




You Don’t Own the Code of All Your Applications

 Yahoo! is not alone
 Many organizations embed 3rd party applications, either as code or by hosting
 28% of Veracode-assessed applications are identified as created by a 3rd party




You Don’t Even Own All the Code of YOUR
 Applications

 Even homegrown applications are mostly comprised of
  3rd party code
 According to Veracode:
     + “Up to 70% of internally developed code originates outside of
       the development team”




Third Party Code Related Breaches




Becoming Part of OWASP Top 10




Recommendations




SQL Injection
     Mitigation Checklist



Step 1: Use a WAF to Detect SQL Injection



 Positives
     + Can block many attacks
     + Relatively easy

 Negatives
     + Can become a crutch
     + Potential for false positives

Step 2: Deploy Reputation Based Solution



 Positives
     + Blocks up to 40% of attack traffic
     + Easy

 Negatives
     + Does not deal with the underlying problem

Step 3: Stop Automated Attack Tools



 Positives
     + Detects automated tool fingerprints to block attacks
     + Relatively easy

 Negatives
     + Potential for false positives

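Steps 1 and 3 together, as an added example that is not Imperva's code or rule set: a small detector run over constructed web-server log lines in combined log format (the hostnames, addresses and timestamps are made up; the injected string is the deck's own vector). It URL-decodes the request, flags the MSSQL conversion-error pattern and xp_cmdshell, flags the User-Agent fingerprints of the two tools the deck names (sqlmap's default User-Agent really does start with "sqlmap"; that Havij announces itself in the User-Agent is an assumption here), and counts hits per source so the burst from one address stands out. The rule names and the "5xx-response" marker are this example's own.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines (combined log format). Lines 2-3 carry the deck's
# conversion-error vector; line 4 carries an xp_cmdshell probe.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2013:10:01:02 +0000] "GET /horoscope.aspx?sign=aries HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/17.0"
203.0.113.9 - - [10/Jan/2013:10:01:07 +0000] "GET /horoscope.aspx?sign=aries%27%20and%201%20%3D%20convert%20%28int%2C%28select%20top%201%20table_name%20from%20x%29%29-- HTTP/1.1" 500 2210 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) Havij"
203.0.113.9 - - [10/Jan/2013:10:01:08 +0000] "GET /horoscope.aspx?sign=aries%27%20and%201%20%3D%20convert%20%28int%2C%28select%20top%201%20name%20from%20sysobjects%29%29-- HTTP/1.1" 500 2210 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) Havij"
198.51.100.7 - - [10/Jan/2013:10:02:15 +0000] "GET /horoscope.aspx?sign=leo%27%3Bxp_cmdshell-- HTTP/1.1" 500 2210 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.5 - - [10/Jan/2013:10:03:00 +0000] "GET /horoscope.aspx?sign=leo HTTP/1.1" 200 5100 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/17.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Payload rules are applied to the URL-decoded request line.
PAYLOAD_RULES = [
    ("mssql-conversion-error-sqli",
     re.compile(r"""['"]\s*(?:and|or)\s+\d+\s*=\s*convert\s*\(\s*int\b""", re.I)),
    ("mssql-xp_cmdshell", re.compile(r"\bxp_cmdshell\b", re.I)),
]

# Tool fingerprints (illustrative, see lead-in) are applied to the User-Agent.
TOOL_UA_RULES = [
    ("sqlmap", re.compile(r"\bsqlmap\b", re.I)),
    ("havij", re.compile(r"\bhavij\b", re.I)),
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(record):
    """Return the rule names that fire for one parsed record (empty if benign)."""
    decoded = unquote(record["path"])
    reasons = [name for name, rx in PAYLOAD_RULES if rx.search(decoded)]
    reasons += [f"tool-ua:{name}" for name, rx in TOOL_UA_RULES if rx.search(record["ua"])]
    # A flagged request that also drew a 5xx is the error-based pattern in
    # action: the injected expression made the database raise.
    if reasons and record["status"].startswith("5"):
        reasons.append("5xx-response")
    return reasons


def analyze(log_text):
    """Run every line through the rules; return one finding per flagged request."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "status": rec["status"], "reasons": reasons})
    return findings


def sources(findings):
    """Hits per source address: repeated hits from one IP seconds apart is the
    automated-tool behaviour the deck describes."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["ip"], h["status"], ", ".join(h["reasons"]))
    print(sources(hits))
```

Signature rules like these are the easy part of Step 1 and carry the false-positive risk the slides note; pairing a payload hit with a tool fingerprint and a 5xx from the same source, as the output groups them, is what lets a responder act on them with confidence.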



Step 4: WAF + Vulnerability Scanner




               “Security No-Brainer #9:
          Application Vulnerability Scanners
             Should Communicate with
                Application Firewalls”
                                            —Neil MacDonald, Gartner


     Source: http://blogs.gartner.com/neil_macdonald/2009/08/19/security-no-brainer-9-application-vulnerability-scanners-should-communicate-with-application-firewalls/




3rd Party Code
     Mitigation Checklist



Technical Level Recommendations

 Assume third-party code – coming from partners, vendors, or mergers and acquisitions – contains serious vulnerabilities
 Pen test before deployment to identify these issues
 Deploy the application behind a WAF to
     + Virtually patch pen test findings
     + Mitigate new risks (unknown at the time of the pen test)
     + Mitigate issues the pen tester missed
     + Use a cloud WAF for remotely hosted applications
 Virtually patch newly discovered CVEs
     + Requires a robust security update service



Webinar Materials

 Join the Imperva LinkedIn Group, Imperva Data Security Direct, for:
     + Post-Webinar Discussions
     + Answers to Attendee Questions
     + Webinar Recording Link

www.imperva.com




 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 

Recently uploaded (20)

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 

Lessons Learned From the Yahoo! Hack

  • 1. Lessons Learned From the Yahoo! Hack
    Amichai Shulman, CTO
    © 2013 Imperva, Inc. All rights reserved.
  • 2. Agenda
     Finding the vulnerable Yahoo! app
      + A true cyber detective story
     Yahoo! hack technical analysis
      + SQL Injection
      + Error based SQL Injection
     The greater lesson
      + 3rd party code security
     Summary and Conclusions
  • 3. Amichai Shulman – CTO Imperva
     Speaker at Industry Events
      + RSA, Sybase Techwave, Info Security UK, Black Hat
     Lecturer on Info Security
      + Technion - Israel Institute of Technology
     Former security consultant to banks & financial services firms
     Leads the Application Defense Center (ADC)
      + Discovered over 20 commercial application vulnerabilities
        – Credited by Oracle, MS-SQL, IBM and others
    Amichai Shulman one of InfoWorld’s “Top 25 CTOs”
  • 4. Cyber Detective Story
  • 5. Breaking News – Yahoo! Has been Hacked
  • 6. Gathering Evidence
     Hacker released a redacted screenshot of the allegedly hacked Yahoo! app
  • 7. Forensics – Turning Evidence into Insights (1)
     Host name from address bar:
      + Ends in “yle.yahoo.net” (not “yahoo.com”)
      + It has a relatively long host name
  • 8. Forensics – Turning Evidence into Insights (2)
     Error message
      + The application is powered by ASP.NET
        – Most Yahoo! Applications are PHP based
      + Application source file resides on C:webcorp[blackened by hacker]pYahooV2app_code
  • 9. Identifying the Vulnerable Yahoo! App (1)
     Host name from address bar:
      + Ends in “yle.yahoo.net” (not “yahoo.com”)
      + It has a relatively long host name.
  • 11. Identifying the Vulnerable Yahoo! App (2)
     Error message
      + The application is powered by ASP.NET (not PHP like most Yahoo! Applications)
      + Application source file resides on C:webcorp[blackened by hacker]pYahooV2app_code
  • 13. Yahoo! Hack Technical Analysis: Error Based SQL Injection
  • 14. Data Extraction Techniques by Hackers: 2005-2011
    SQL Injection 83%, Other 17%
    Total = 315,424,147 records (856 breaches)
    Source: Privacy Rights Clearinghouse
  • 15. SQL Injection Means Business, Literally
  • 16. SQL Injection: Technical Impact
    Retrieve sensitive data from the organization
    Steal the site’s administrator password
    Lead to the downloading of malware
  • 17. Still A Very Relevant Attack
    On average, we have identified 53 SQLi attacks per hour and 1,093 attacks per day.
  • 18. SQL Injections By the Hour – Highly Automated
  • 19. Main Automated Attack Tools
    SQLmap
    Havij
  • 20. Yahoo! Hack – MSSQL Injection with Conversion Errors
     Attack vector:
      + ' and 1 = convert (int,(select top 1 table_name from x).
     The server tries to convert the additional data (in this case the table name) to an integer
     A character string cannot be converted to an integer, so a conversion error is triggered
     If the system is not hardened, the error message (and with it the data) is visible to the attacker
  • 21. MSSQL Injection with Conversion Errors
     No need to be a hacker to exploit
     Even script kiddies can do it with automated exploit tools
      + Havij
  • 22. From SQL Injection to Command Execution
     In the case of SQL injection into an MSSQL database, the attacker can leverage it to run arbitrary commands using the “XP_CMDSHELL” system stored procedure
     Supported by exploit tools
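Slides 17 to 22 describe error-based MSSQL injection probes, the automated tools that send them in volume, and the XP_CMDSHELL escalation. The following Python detector is an added example and is not part of the Imperva deck or any Imperva product. It scans constructed Common Log Format access-log lines (the 203.0.113.x and 198.51.100.x addresses and the `horoscope.aspx` page name are placeholders, not the real Yahoo!/Astroyogi application) for the conversion-error pattern from slide 20, references to xp_cmdshell, and system-catalog enumeration, and it flags requests the server answered with a 5xx status, which is the condition under which slide 20 says the error message leaks data. Requests are URL-decoded twice before matching so that double-encoded payloads do not slip past the signatures.

```python
"""Detect error-based MSSQL injection probes in web access logs.

Added example (not from the Imperva deck). Log lines, IP addresses and the
`horoscope.aspx` page name below are constructed placeholders.
"""
from __future__ import annotations

import re
from urllib.parse import unquote_plus

# Signatures for the MSSQL techniques named on slides 20 and 22, plus the
# catalog enumeration that usually accompanies them.
SQLI_PATTERNS = {
    "mssql-conversion-error": re.compile(
        r"convert\s*\(\s*int\s*,\s*\(?\s*select\b"
        r"|cast\s*\(\s*\(?\s*select\b.*?\bas\s+int\s*\)", re.I),
    "mssql-xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.I),
    "sql-metadata-enum": re.compile(
        r"\bfrom\s+(information_schema\.\w+|sys\.\w+|sysobjects)\b", re.I),
}

# Common Log Format: ip ident user [ts] "method url proto" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+')

# Constructed sample: one benign request, a bare-quote probe that produced a
# server error, the slide-20 conversion vector, an xp_cmdshell attempt, and
# a benign request from a second client.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Jan/2013:10:00:01 +0000] "GET /horoscope.aspx?sign=aries HTTP/1.1" 200 5120
203.0.113.7 - - [23/Jan/2013:10:00:02 +0000] "GET /horoscope.aspx?sign=aries' HTTP/1.1" 500 2311
203.0.113.7 - - [23/Jan/2013:10:00:03 +0000] "GET /horoscope.aspx?sign=aries'+and+1%3Dconvert(int,(select+top+1+table_name+from+information_schema.tables))-- HTTP/1.1" 500 2390
203.0.113.7 - - [23/Jan/2013:10:00:04 +0000] "GET /horoscope.aspx?sign=aries'%3Bexec+xp_cmdshell+'dir'-- HTTP/1.1" 500 2390
198.51.100.4 - - [23/Jan/2013:10:00:05 +0000] "GET /horoscope.aspx?sign=leo HTTP/1.1" 200 5098
"""


def normalize(url: str) -> str:
    """Undo (double) URL encoding and collapse whitespace so that
    'convert (int,' and 'convert(int,' look the same to the signatures."""
    decoded = url
    for _ in range(2):  # a second pass catches %25xx double encoding
        decoded = unquote_plus(decoded)
    return re.sub(r"\s+", " ", decoded).lower()


def scan_request(url: str) -> list[str]:
    """Return the names of the signatures that match one request URL."""
    text = normalize(url)
    return [name for name, rx in SQLI_PATTERNS.items() if rx.search(text)]


def scan_log(lines) -> list[dict]:
    """Parse CLF lines and return one finding per suspicious request.

    `error_leak` is True when the server answered 5xx, i.e. the request
    reached an unhandled database error (the slide-20 leak condition).
    """
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        status = int(m["status"])
        tags = scan_request(m["url"])
        # A lone quote that triggers a server error is the classic first
        # probe; it has no SQL keywords, so it is tagged from the status.
        if status >= 500 and "'" in normalize(m["url"]) and not tags:
            tags = ["error-on-quote-probe"]
        if tags:
            findings.append({
                "ip": m["ip"],
                "url": m["url"],
                "status": status,
                "tags": tags,
                "error_leak": status >= 500,
            })
    return findings


def probes_per_ip(findings) -> dict[str, int]:
    """Count findings per source address; bursts from one client are the
    automation signal slides 18 and 19 talk about."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f["ip"], f["status"], f["tags"], "leak" if f["error_leak"] else "")
    print(probes_per_ip(hits))
```

Two design choices carry over to a production rule: match on the normalized (decoded) request, never on the raw bytes, and treat a 5xx answer to a tagged request as a higher-severity event than the probe itself, because it means the application surfaced a database error to the client. Signatures like these are a detection layer, not a fix; the application still needs parameterized queries, and a custom error page that hides the ASP.NET stack trace keeps the conversion error from revealing the data even when a probe gets through.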
  • 23. 3rd Party Code Security
  • 24. Vulnerable Application is a 3rd Party Application
     “The leading astrology portal in India… formed co-branded channel alliances with internationally recognized brands such as MSN, Yahoo! and Google”
  • 25. Vulnerable Application is Hosted by 3rd Party
     Routing of users from Yahoo! to Astroyogi.com with a DNS alias
     “in.horoscopes.lifestyle.yahoo.net” is an alias for “yahoo.astroyogi.com”
  • 26. You Don’t Own the Code of All Your Applications
     Yahoo! is not alone
     3rd party applications are embedded, as code or by hosting, by many organizations
     28% of Veracode assessed applications are identified as created by a 3rd party
  • 27. You Don’t Even Own All the Code of YOUR Applications
     Even homegrown applications are mostly comprised of 3rd party code
     According to Veracode:
      + “Up to 70% of internally developed code originates outside of the development team”
  • 28. Third Party Code Related Breaches
  • 29. Becoming Part of OWASP Top 10
  • 30. Recommendations
  • 31. SQL Injection Mitigation Checklist
  • 32. Step 1: Use a WAF to Detect SQL Injection
     Positives
      + Can block many attacks
      + Relatively easy
     Negatives
      + Can become a crutch
      + Potential for false positives
  • 33. Step 2: Deploy Reputation Based Solution
     Positives
      + Blocks up to 40% of attack traffic
      + Easy
     Negatives
      + Does not deal with the underlying problem
  • 34. Step 3: Stop Automated Attack Tools
     Positives
      + Detects automated tool fingerprints to block attacks
      + Relatively easy
     Negatives
      + Potential for false positives
  • 35. Step 4: WAF + Vulnerability Scanner
    “Security No-Brainer #9: Application Vulnerability Scanners Should Communicate with Application Firewalls” —Neil MacDonald, Gartner
    Source: http://blogs.gartner.com/neil_macdonald/2009/08/19/security-no-brainer-9-application-vulnerability-scanners-should-communicate-with-application-firewalls/
  • 36. 3rd Party Code Mitigation Checklist
  • 37. Technical Level Recommendations
     Assume third-party code – coming from partners, vendors, or mergers and acquisitions – contains serious vulnerabilities
     Pen test before deployment to identify these issues
     Deploy the application behind a WAF to
      + Virtually patch pen test findings
      + Mitigate new risks (unknown at pen test time)
      + Mitigate issues the pen tester missed
      + Use cloud WAF for remotely hosted applications
     Virtually patch newly discovered CVEs
      + Requires a robust security update service
  • 38. Webinar Materials
    Join Imperva LinkedIn Group, Imperva Data Security Direct, for…
      + Answers to Post-Webinar Questions
      + Attendee Discussions
      + Webinar Recording Link