A DevOps Guide to Web App Security 
Tim Matthews, VP Marketing, Incapsula 
@timmatthewssv
Topics 
• What we learned from recent web security events 
• Web application threats and common attack types 
• How to defend your website against today’s common threats 
• Automated tools that help simplify website security 
Incapsula, Inc. / Proprietary and Confidential. 2 All Rights Reserved.
Major Hacks of 2014 
2014 saw several enormous data breaches by hackers, including:
Heartbleed – the Epic SSL Crisis of 2014 
• Heartbleed is a security bug that was disclosed in April of 2014 
• It was present in the widely used OpenSSL cryptography library 
• When disclosed, around 17% of the Internet's secure web servers were vulnerable 
• Why do I care? 
> The vulnerability allowed for the theft of the servers' private keys and users' session cookies and passwords 
“Some might argue that [Heartbleed] is the worst vulnerability found since commercial traffic began to flow on the Internet.” 
Joseph Steinberg – Forbes 
Shellshock Vulnerability 
What is it? 
1. Shellshock is a vulnerability that affects Bash (a.k.a. the Bourne-again Shell), the most common command-line shell on Linux / Unix / Mac OS systems 
2. It allows unauthenticated attackers to remotely execute code on affected machines 
What damage could this cause your website? 
• Hackers remotely executing code on your systems can result in 
> Data theft 
> Malware injection 
> Server hijacking 
Distributed Denial Of Service (DDoS) Attacks 
• DDoS attacks are attacks in which many infected computers band together to attack a single target 
• These attacks exhaust network connections and server resources, causing website outages 
Web App Threats and Common Attack Types 
Use of Stolen Credentials Reigns Supreme 
• Use of stolen authentication credentials by hackers was the number one threat of 2013 
• Once stolen, credentials can be reused by hackers at other websites to increase the impact of a breach 
• Automated tools combined with stolen password lists are a dangerous combination 
Sources: Verizon Data Breach Report 2014 
Websites Have Many Vulnerabilities 
96% of web applications have vulnerabilities 
13% of websites can be compromised automatically 
Sources: Cenzic, Inc. – Feb. 2014, Incapsula, Inc. – 2013 
SQL Injection – What it is and why it matters 
• What is SQL Injection? 
> SQL Injection attacks attempt to use application code to access or corrupt database content 
> It is accomplished by embedding SQL statements in user-supplied data 
> Example: 'OR “=” – the application was expecting my name, but I entered an SQL statement 
• What happens if a hacker exploits this vulnerability? 
> They can access your database and its data. 
• Basic Rule 
> If it is going into your database, clean it up first! 
Cross Site Scripting (XSS) – What it is and why it matters 
• What is XSS? 
> A type of attack in which hackers inject scripts (like JavaScript) into otherwise trusted websites 
• What happens if a hacker exploits an XSS vuln on my website? 
> Stolen cookies or sessions 
> Redirection to a malicious page 
• Basic Rule 
> If user-supplied data is going into your application, clean it up first! 
How an XSS attack unfolds (diagram): 
1. Attacker inserts malicious, unfiltered code into an application 
2. User visits the web page and the malicious code is returned with the web page 
3. Attacker gains control over user data or system via the injected exploit 
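What "clean it up first" means for XSS is output encoding that matches the context the data lands in. The following added example is not from the original deck or Incapsula's code: it renders a user comment into a text node and a user-supplied URL into an href attribute, once without protection and once with. The comment text, the URLs and the allowlist of link schemes are constructed assumptions for this demo.

```python
import html
from urllib.parse import urlsplit

# Schemes a profile link may use. Anything else (javascript:, data:, ...) is dropped,
# because escaping alone cannot neutralise a script-bearing URL scheme.
# This allowlist is an assumption of the demo, not a rule from the slides.
SAFE_LINK_SCHEMES = {"http", "https"}


def render_comment_unsafe(comment: str) -> str:
    """The bug the slide describes: user text is copied straight into the page,
    so any markup in it is parsed by the browser as part of the site."""
    return '<p class="comment">' + comment + "</p>"


def render_comment(comment: str) -> str:
    """Text-node context: escape &, <, >, double and single quotes so the comment
    is displayed verbatim instead of being parsed as tags."""
    return '<p class="comment">' + html.escape(comment) + "</p>"


def render_profile_link(url: str) -> str:
    """Attribute context needs two steps: a scheme check, then quote escaping so the
    value cannot close the href attribute and start a new one."""
    if urlsplit(url).scheme.lower() not in SAFE_LINK_SCHEMES:
        return "<span>(link removed)</span>"
    return '<a href="' + html.escape(url, quote=True) + '">profile</a>'


def demo() -> dict:
    """Constructed inputs: a benign comment, a comment carrying a script tag, a normal
    URL, a URL that tries to break out of the attribute, and a javascript: URL."""
    script_comment = "<script>alert(1)</script>"
    breakout_url = 'https://example.com/?q="><img src=x>'
    return {
        "benign_comment": render_comment("Great article, thanks!"),
        "unsafe_script_comment": render_comment_unsafe(script_comment),
        "safe_script_comment": render_comment(script_comment),
        "safe_link": render_profile_link("https://example.com/u/alice"),
        "breakout_link": render_profile_link(breakout_url),
        "javascript_link": render_profile_link("javascript:alert(1)"),
    }


if __name__ == "__main__":
    for case, fragment in demo().items():
        print(f"{case:22s} {fragment}")
```

The two render functions differ on purpose: a text node only needs entity encoding, while a URL attribute also needs validation of what the URL is, which is why a single "sanitize everything the same way" helper is not enough.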
How DDoS Attacks Bring Down Websites 
• DDoS attacks make your website completely inaccessible 
Diagram labels: DDoS Traffic, Legitimate Traffic, Your ISP, Your Internet Connection, Your Site 
• If website availability is important to you, then DDoS protection should be too 
• Any application without a DDoS mitigation strategy is at risk
Automated Clients are the Majority of Web Traffic 
Over 61% of all website traffic is non-human. Half of that is malicious. 
Chart: 61.5% Non-Human Traffic, 38.5% Human Traffic
The Impact of Bots on Website Security 
Good Bots 
• Search Engine Crawling 
• Website Health Monitoring 
• Vulnerability Scanning 
Bad Bots 
• DDoS 
• Site Scraping 
• Comment Spam 
• SEO Spam 
• Fraud 
• Vulnerability scanning 
Defending Your Websites and Applications 
Use Multi-factor Authentication for Admin Areas 
Problem 
• Lost or stolen passwords allow hackers to bypass your security measures 
Solution 
• Secure admin areas with multi-factor authentication 
> Email 
> SMS 
> Google Authenticator 
> Other 
Identify Vulnerabilities 
White-box and Black-box tools 
Can you see inside the application (its code)? 
The White-box Approach 
The white-box approach to finding vulnerabilities is to review application code for vulnerabilities. 
Can be performed: 
• Manually – Manual Code Review 
• Automatically – Source Code Analysis
The Black-box Approach 
The black-box approach to finding vulnerabilities is to emulate hacker activity by probing a website for weaknesses. 
Can be performed: 
• Manually – Penetration Testing 
• Automatically – Web Vulnerability Scanning
Remediating Vulnerabilities at a Code Level 
Diagram: 
• White-box, Manual – Manual Code Review 
• White-box, Automated – Source Code Analysis 
• Black-box, Manual – Penetration Testing 
• Black-box, Automated – Web Vulnerability Scanner 
All four feed into a List of Vulnerabilities 
• Known vulnerabilities should be remediated 
• What are the requirements for fixing vulnerabilities at the code level? 
> Access to application code 
> Coding expertise and knowledge in security 
Use a Web Application Firewall (WAF) 
• WAFs provide protection similar to a traditional network-layer firewall, but for a web application 
• Using a WAF can protect a website from application-layer hacking attempts 
• WAFs should be used in conjunction with traditional firewalls 
Defend against DDoS attacks 
• DDoS mitigation services are preferable to Mitigation Appliances 
• Overprovisioning bandwidth is expensive 
Diagram labels: Legitimate Traffic, DDoS Traffic, Your ISP, Your Internet Connection, DDoS Mitigation Appliance, Your Site
DDoS Mitigation Requires Specialized Tools or Services 
• DDoS mitigation services are preferable to Mitigation Appliances 
• Overprovisioning bandwidth is expensive 
• DDoS attacks should be mitigated close to their source (away from your network) 
Diagram labels: Legitimate Traffic, DDoS Traffic, DDoS Mitigation Service, Your ISP, Your Internet Connection, Your Site
Identify and Block Bad Bots 
• Implement a solution which can block bad bots to prevent 
> Comment Spam 
> Site Scraping 
> Vulnerability Scanning 
> Automated SEO Poisoning 
• Bot Mitigation can be 
> Standalone service or appliance 
> Part of other tools like a WAF 
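The two bot slides above separate good bots (crawlers, health monitors) from bad ones (scrapers, scanners) without saying how a site tells them apart. The following added example is not from the original deck or Incapsula's products: it parses web-server access log lines in combined log format and classifies each client by the simplest signals a bot-mitigation tool starts from. The log lines, the IP addresses, the thresholds and the list of self-declared good bots are all constructed assumptions for this demo, and all sample lines fall within a single minute so request counts stand in for request rates.

```python
import re
from collections import defaultdict

# Combined log format: client, identity, user, [timestamp], "request", status, bytes, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Thresholds are assumptions tuned to the one-minute constructed sample below.
RATE_THRESHOLD = 8       # requests per client in the window
NOT_FOUND_RATIO = 0.5    # share of 404s that suggests blind probing of guessed paths
MIN_PROBES = 5           # do not judge a client on one or two typos
# Self-declared crawlers. The UA string is attacker-controlled, so a real deployment
# confirms the claim (e.g. reverse-DNS / published IP ranges) before trusting it.
DECLARED_GOOD_BOTS = ("Googlebot", "bingbot")


def _line(ip: str, path: str, status: int, ua: str) -> str:
    """Build one constructed combined-log line."""
    return f'{ip} - - [10/Oct/2014:13:55:36 +0000] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


# Constructed sample log: a browsing human, a search crawler, a client probing for
# files that do not exist, and a script paging through the whole catalogue.
SAMPLE_LOG = (
    [_line("203.0.113.5", p, 200, "Mozilla/5.0 (Windows NT 6.1) Firefox/32.0")
     for p in ("/", "/about", "/contact")]
    + [_line("198.51.100.7", p, 200, "Mozilla/5.0 (compatible; Googlebot/2.1)")
       for p in ("/", "/robots.txt", "/sitemap.xml", "/about")]
    + [_line("192.0.2.9", p, 404, "Mozilla/4.0")
       for p in ("/admin/", "/old/", "/backup.zip", "/.env", "/wp-login.php", "/phpmyadmin/")]
    + [_line("192.0.2.44", f"/products?page={n}", 200, "python-requests/2.4") for n in range(1, 10)]
)


def classify(stats: dict) -> str:
    """Map one client's aggregated stats to a label, most specific rule first."""
    if any(bot in ua for ua in stats["ua"] for bot in DECLARED_GOOD_BOTS):
        return "declared good bot"
    if stats["total"] >= MIN_PROBES and stats["not_found"] / stats["total"] >= NOT_FOUND_RATIO:
        return "suspected vulnerability scanner"
    if stats["total"] >= RATE_THRESHOLD:
        return "suspected scraper"
    return "likely human"


def analyze(lines: list) -> dict:
    """Aggregate requests per client IP and return {ip: label}."""
    stats = defaultdict(lambda: {"total": 0, "not_found": 0, "ua": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a production pipeline should count and alert on these
        s = stats[m["ip"]]
        s["total"] += 1
        if m["status"] == "404":
            s["not_found"] += 1
        s["ua"].add(m["ua"])
    return {ip: classify(s) for ip, s in stats.items()}


if __name__ == "__main__":
    for ip, label in analyze(SAMPLE_LOG).items():
        print(f"{ip:14s} {label}")
```

Real bot mitigation layers more signals on top of this (JavaScript and cookie challenges, TLS and header fingerprints, behaviour across sessions), but rate, error ratio and declared identity are the three that can be read from logs you already have, which is where a team without a dedicated product can start.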
When To Implement Various Security Tools 
Diagram: tools placed along a PLANNING → CODING → PRODUCTION timeline 
• Web App Firewall 
• DDoS Mitigation 
• Bot Mitigation 
• Web Vulnerability Scanner 
• Source Code Analysis 
• Manual Code Review 
• Password Security 
• 2 Factor Authentication 
PLANNING phase activities: 
• Security Requirements 
• Design 
• Architecture
Finding the Right Tools 
WAF 
• Commercial: Incapsula, Imperva, F5 
• Open Source / Free: ModSecurity 
Web Vulnerability Scanner 
• Commercial: Whitehat Security, Nessus, Acunetix, Qualys 
• Open Source / Free: Nikto, Wapiti 
DDoS Mitigation 
• Commercial: Incapsula, Prolexic, Neustar 
• Open Source / Free: Not available / Not advised 
Source Code Analysis 
• Commercial: Fortify, IBM AppScan, Parasoft 
• Open Source / Free: FindSecurityBugs
Website Security and Performance in Minutes with a Simple DNS Change 
By routing website traffic through the Incapsula network, malicious traffic is blocked and legitimate traffic is accelerated. 
Diagram: Legitimate Traffic → Incapsula Network → Your Website 
For a Free Trial of Incapsula visit us at www.Incapsula.com
Thank you 
Please send follow up questions to tim@incapsula.com 
or @timmatthewssv

D3SF17- Migrating to the Cloud 5- Years' Worth of Lessons LearnedImperva Incapsula
 
D3SF17 -Keynote - Staying Ahead of the Curve
D3SF17 -Keynote - Staying Ahead of the CurveD3SF17 -Keynote - Staying Ahead of the Curve
D3SF17 -Keynote - Staying Ahead of the CurveImperva Incapsula
 
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...Imperva Incapsula
 
Load Balancing from the Cloud - Layer 7 Aware Solution
Load Balancing from the Cloud - Layer 7 Aware SolutionLoad Balancing from the Cloud - Layer 7 Aware Solution
Load Balancing from the Cloud - Layer 7 Aware SolutionImperva Incapsula
 
Humans Are Now A Minority On The Internet
Humans Are Now A Minority On The InternetHumans Are Now A Minority On The Internet
Humans Are Now A Minority On The InternetImperva Incapsula
 
Under DDoS: Instant Access to Live Information
Under DDoS: Instant Access to Live InformationUnder DDoS: Instant Access to Live Information
Under DDoS: Instant Access to Live InformationImperva Incapsula
 

More from Imperva Incapsula (18)

D3TLV17- You have Incapsula...now what?
D3TLV17- You have Incapsula...now what?D3TLV17- You have Incapsula...now what?
D3TLV17- You have Incapsula...now what?
 
D3TLV17- Keeping it Safe
D3TLV17-  Keeping it SafeD3TLV17-  Keeping it Safe
D3TLV17- Keeping it Safe
 
D3TLV17- The Incapsula WAF: Your Best Line of Denfense Against Application La...
D3TLV17- The Incapsula WAF: Your Best Line of Denfense Against Application La...D3TLV17- The Incapsula WAF: Your Best Line of Denfense Against Application La...
D3TLV17- The Incapsula WAF: Your Best Line of Denfense Against Application La...
 
D3TLV17- Advanced DDoS Mitigation Techniques
D3TLV17- Advanced DDoS Mitigation TechniquesD3TLV17- Advanced DDoS Mitigation Techniques
D3TLV17- Advanced DDoS Mitigation Techniques
 
D3LDN17 - Recruiting the Browser
D3LDN17 - Recruiting the BrowserD3LDN17 - Recruiting the Browser
D3LDN17 - Recruiting the Browser
 
D3LDN17 - A Pragmatists Guide to DDoS Mitigation
D3LDN17 - A Pragmatists Guide to DDoS MitigationD3LDN17 - A Pragmatists Guide to DDoS Mitigation
D3LDN17 - A Pragmatists Guide to DDoS Mitigation
 
D3LDN17 - Keynote
D3LDN17 - KeynoteD3LDN17 - Keynote
D3LDN17 - Keynote
 
D3NY17- Customizing Incapsula to Accommodate Single Sign-On
D3NY17- Customizing Incapsula to Accommodate Single Sign-OnD3NY17- Customizing Incapsula to Accommodate Single Sign-On
D3NY17- Customizing Incapsula to Accommodate Single Sign-On
 
D3NY17 - Migrating to the Cloud
D3NY17 - Migrating to the CloudD3NY17 - Migrating to the Cloud
D3NY17 - Migrating to the Cloud
 
D3SF17- Boost Your Website Performance with Application Delivery Rules
D3SF17- Boost Your Website Performance with Application Delivery RulesD3SF17- Boost Your Website Performance with Application Delivery Rules
D3SF17- Boost Your Website Performance with Application Delivery Rules
 
D3SF17- A Single Source of Truth for Security Issues- Pushing Siem Logs to Cl...
D3SF17- A Single Source of Truth for Security Issues- Pushing Siem Logs to Cl...D3SF17- A Single Source of Truth for Security Issues- Pushing Siem Logs to Cl...
D3SF17- A Single Source of Truth for Security Issues- Pushing Siem Logs to Cl...
 
D3SF17- Improving Our China Clients Performance
D3SF17- Improving Our China Clients PerformanceD3SF17- Improving Our China Clients Performance
D3SF17- Improving Our China Clients Performance
 
D3SF17- Migrating to the Cloud 5- Years' Worth of Lessons Learned
D3SF17- Migrating to the Cloud 5- Years' Worth of Lessons LearnedD3SF17- Migrating to the Cloud 5- Years' Worth of Lessons Learned
D3SF17- Migrating to the Cloud 5- Years' Worth of Lessons Learned
 
D3SF17 -Keynote - Staying Ahead of the Curve
D3SF17 -Keynote - Staying Ahead of the CurveD3SF17 -Keynote - Staying Ahead of the Curve
D3SF17 -Keynote - Staying Ahead of the Curve
 
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...
 
Load Balancing from the Cloud - Layer 7 Aware Solution
Load Balancing from the Cloud - Layer 7 Aware SolutionLoad Balancing from the Cloud - Layer 7 Aware Solution
Load Balancing from the Cloud - Layer 7 Aware Solution
 
Humans Are Now A Minority On The Internet
Humans Are Now A Minority On The InternetHumans Are Now A Minority On The Internet
Humans Are Now A Minority On The Internet
 
Under DDoS: Instant Access to Live Information
Under DDoS: Instant Access to Live InformationUnder DDoS: Instant Access to Live Information
Under DDoS: Instant Access to Live Information
 

Recently uploaded

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 

Recently uploaded (20)

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 

A DevOps Guide to Web Application Security

8. Use of Stolen Credentials Reigns Supreme
• Use of stolen authentication credentials by hackers was the number one threat of 2013
• Once credentials are stolen, hackers reuse them at other websites, which widens the impact of the original breach
• Automated tools combined with stolen password lists are a dangerous combination
Source: Verizon Data Breach Investigations Report 2014

9. Websites Have Many Vulnerabilities
• 96% of web applications have vulnerabilities (Cenzic, Inc., Feb. 2014)
• 13% of websites can be compromised automatically (Incapsula, Inc., 2013)

10. SQL Injection – What it is and why it matters
• What is SQL Injection?
> SQL Injection attacks abuse application code to access or corrupt database content
> It is accomplished by embedding SQL statements in user-supplied data
> Example: the application expects a name, but the attacker enters the SQL fragment ' OR ''=' instead, and it becomes part of the query
• What happens if a hacker exploits this vulnerability?
> They can access your database and its data
• Basic Rule
> If it is going into your database, clean it up first!
> Cleaning input is only a second line of defence: the reliable fix is parameterized queries (prepared statements), which pass user data to the database separately from the SQL text
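The example from the slide, worked through in Python against an in-memory SQLite table. This is an added example and not code from the deck: the table, the two accounts and the two login functions are constructed here for illustration. It shows the same payload failing against a parameterized query, and a second payload that comments out the rest of the statement.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a user table with two accounts (not from the deck).
    Real systems store password hashes; plaintext is used here only so the query
    construction is easy to follow."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Builds the SQL by string concatenation: user input is parsed as SQL syntax.
    With password = "' OR ''='" the WHERE clause becomes
        name = 'alice' AND password = '' OR ''=''
    and the OR makes it true for every row."""
    query = (
        "SELECT COUNT(*) FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Parameterized query: the driver binds the values as data, so the quote
    characters in the payload never reach the SQL parser."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()[0] > 0


def demo() -> dict:
    """Run both logins with a legitimate password and with two injection payloads."""
    conn = build_db()
    quote_payload = "' OR ''='"        # the fragment shown on the slide
    comment_payload = "' OR 1=1 --"    # closes the string and comments out the rest
    return {
        "legit_safe": login_safe(conn, "alice", "correct horse"),
        "quote_vulnerable": login_vulnerable(conn, "alice", quote_payload),
        "quote_safe": login_safe(conn, "alice", quote_payload),
        "comment_vulnerable": login_vulnerable(conn, comment_payload, "wrong"),
        "comment_safe": login_safe(conn, comment_payload, "wrong"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:20s} login {'succeeded' if ok else 'failed'}")
```

Note that the slide's payload only works in the password position here: placed in the name field it yields `name = '' OR ''='' AND password = 'x'`, where AND binds tighter than OR and the login still fails. Attackers get around operator precedence with a trailing comment, as the second payload does, which is why no amount of guessing "safe" positions replaces binding parameters.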
11. Cross Site Scripting (XSS) – What it is and why it matters
• What is XSS?
> An attack in which hackers inject scripts (such as JavaScript) into otherwise trusted websites
• What happens if a hacker exploits an XSS vulnerability on my website?
> Stolen cookies or sessions
> Redirection to a malicious page
• Basic Rule
> If user-supplied data is going into your application, clean it up first!
> Encode user data for the context it is rendered in (HTML text, attribute value, JavaScript) at output time, not only on the way in
• How it works
1. Attacker inserts malicious, unfiltered code into an application
2. A user visits the web page and the malicious code is returned with the page
3. Attacker gains control over the user's data or system via the injected exploit
12. How DDoS Attacks Bring Down Websites
• DDoS attacks make your website completely inaccessible
[Diagram: DDoS traffic and legitimate traffic both arrive through your ISP and your Internet connection at your site]
• If website availability is important to you, then DDoS protection should be too
• Any application without a DDoS mitigation strategy is at risk

13. Automated Clients are the Majority of Web Traffic
• Over 61% of all website traffic is non-human; about half of that is malicious
[Chart: 61.5% non-human traffic, 38.5% human traffic]

14. The Impact of Bots on Website Security
Bad Bots
• DDoS
• Site scraping
• Comment spam
• SEO spam
• Fraud
• Vulnerability scanning (unauthorized, by attackers)
Good Bots
• Search engine crawling
• Website health monitoring
• Vulnerability scanning (authorized, by you or your vendor)

15. Defending Your Websites and Applications

16. Use Multi-factor Authentication for Admin Areas
Problem
• Lost or stolen passwords allow hackers to bypass your security measures
Solution
• Secure admin areas with multi-factor authentication
> Email
> SMS
> Google Authenticator
> Other
> Prefer an authenticator app: codes delivered by SMS or email can be intercepted or redirected to an attacker-controlled number or mailbox
17. Identify Vulnerabilities: White-box and Black-box Tools
• The deciding question is whether you can see inside the application (its code): white-box tools work from the source, black-box tools work from the outside, the way an attacker does

18. The White-box Approach
• The white-box approach to finding vulnerabilities is to review application code for vulnerabilities
• Can be performed:
> Manually: manual code review
> Automatically: source code analysis
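Automated source code analysis in miniature, as an added example that is not code from the deck or from any of the products it names. The scanner walks a Python module's syntax tree and reports every `execute()` call whose SQL text is assembled at run time (concatenation, f-string, `%` formatting, `.format()`), which is the pattern behind the SQL injection slide. The module it scans, `SAMPLE_SOURCE`, is constructed here for the demonstration.

```python
import ast
from typing import List, Optional, Tuple

# Constructed module under review (not from the deck): one query per common
# dynamic-string idiom, plus one correctly parameterized query at the end.
SAMPLE_SOURCE = '''
def by_name(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")

def by_email(cur, email):
    cur.execute(f"SELECT * FROM users WHERE email = '{email}'")

def by_id(cur, uid):
    cur.execute("SELECT * FROM users WHERE id = %s" % uid)

def by_role(cur, role):
    cur.execute("SELECT * FROM users WHERE role = '{}'".format(role))

def by_id_safe(cur, uid):
    cur.execute("SELECT * FROM users WHERE id = ?", (uid,))
'''

# DB-API cursor methods that take SQL text as their first argument.
DB_CALLS = {"execute", "executemany", "executescript"}


def has_non_literal(node: ast.AST) -> bool:
    """True if a concatenation tree contains anything other than string constants
    ("a" + "b" is harmless; "a" + name is not)."""
    if isinstance(node, ast.BinOp):
        return has_non_literal(node.left) or has_non_literal(node.right)
    return not isinstance(node, ast.Constant)


def dynamic_string_kind(node: ast.AST) -> Optional[str]:
    """Name the idiom that builds the SQL text at run time, or None for a literal."""
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add) and has_non_literal(node):
        return "string concatenation"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "%-formatting"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return ".format()"
    return None


def find_dynamic_sql(source: str) -> List[Tuple[int, str]]:
    """Return (line, idiom) for every cursor.execute*() whose SQL is built at run time."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in DB_CALLS or not node.args:
            continue
        kind = dynamic_string_kind(node.args[0])
        if kind is not None:
            findings.append((node.lineno, kind))
    return sorted(findings)


if __name__ == "__main__":
    for line, kind in find_dynamic_sql(SAMPLE_SOURCE):
        print(f"line {line}: SQL built with {kind}; pass values as parameters instead")
```

This is a syntactic check only: it misses a query string assembled in a variable two lines earlier and passed by name, which is exactly the gap commercial source-code analysers close with data-flow tracking from input sources to database sinks. It also reports nothing for the parameterized query on the last line, which is the point.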
19. The Black-box Approach
• The black-box approach to finding vulnerabilities is to emulate hacker activity by probing a website for weaknesses
• Can be performed:
> Manually: penetration testing
> Automatically: web vulnerability scanning

20. Remediating Vulnerabilities at a Code Level
[Diagram: white-box methods (manual code review, automated source code analysis) and black-box methods (penetration testing, web vulnerability scanner) all feed one list of vulnerabilities]
• Known vulnerabilities should be remediated
• What are the requirements for fixing vulnerabilities at the code level?
> Access to application code
> Coding expertise and knowledge of security

21. Use a Web Application Firewall (WAF)
• WAFs provide protection similar to a traditional network-layer firewall, but for a web application
• A WAF can protect a website from application-layer hacking attempts
• WAFs should be used in conjunction with traditional firewalls

22. Defend against DDoS attacks
[Diagram: a DDoS mitigation appliance sits on your network, behind your ISP and your Internet connection, separating DDoS traffic from legitimate traffic]
• An on-premises appliance only sees traffic after it has crossed your Internet connection, so a volumetric attack can saturate that link before the appliance filters anything
• DDoS mitigation services are preferable to mitigation appliances
• Overprovisioning bandwidth is expensive

23. DDoS Mitigation Requires Specialized Tools or Services
[Diagram: a cloud DDoS mitigation service drops DDoS traffic upstream, so only legitimate traffic reaches your ISP, your Internet connection and your site]
• DDoS mitigation services are preferable to mitigation appliances
• Overprovisioning bandwidth is expensive
• DDoS attacks should be mitigated close to their source (away from your network)

24. Identify and Block Bad Bots
• Implement a solution which can block bad bots to prevent
> Comment spam
> Site scraping
> Vulnerability scanning
> Automated SEO poisoning
• Bot mitigation can be
> A standalone service or appliance
> Part of other tools, such as a WAF
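The detection side of slides 12 and 24, run over a web server access log. This is an added example, not code from the deck or from Incapsula: it parses Combined Log Format lines and flags, per client IP, a request flood (the application-layer DDoS pattern), a client that mostly hits non-existent paths (a vulnerability scanner probing for admin pages and backups), and a user-agent string from a known scanner. The log lines, the three clients and the thresholds are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log (not from the deck): one ordinary visitor (203.0.113.7),
# one Nikto scan probing common paths (192.0.2.44), and one client firing
# 40 requests within a single second (198.51.100.9).
SAMPLE_LOG = "\n".join(
    [
        '203.0.113.7 - - [10/Oct/2014:13:55:36 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/32.0"',
        '203.0.113.7 - - [10/Oct/2014:13:55:41 +0000] "GET /products HTTP/1.1" 200 8811 "http://www.example.com/" "Mozilla/5.0 (Windows NT 6.1) Firefox/32.0"',
        '203.0.113.7 - - [10/Oct/2014:13:56:02 +0000] "GET /cart HTTP/1.1" 200 2210 "http://www.example.com/products" "Mozilla/5.0 (Windows NT 6.1) Firefox/32.0"',
        '192.0.2.44 - - [10/Oct/2014:13:55:50 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000001)"',
        '192.0.2.44 - - [10/Oct/2014:13:55:50 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000002)"',
        '192.0.2.44 - - [10/Oct/2014:13:55:51 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000003)"',
        '192.0.2.44 - - [10/Oct/2014:13:55:51 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000004)"',
        '192.0.2.44 - - [10/Oct/2014:13:55:52 +0000] "GET /.git/config HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000005)"',
        '192.0.2.44 - - [10/Oct/2014:13:55:52 +0000] "GET /backup.zip HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000006)"',
    ]
    + [
        f'198.51.100.9 - - [10/Oct/2014:13:55:40 +0000] "GET /search?q={i} HTTP/1.1" 200 812 "-" "python-requests/2.4.3"'
        for i in range(40)
    ]
)

# Thresholds chosen for the sample; tune them against your own traffic baseline.
RATE_LIMIT = 20        # requests from one IP inside a 10-second bucket
NOT_FOUND_RATIO = 0.5  # share of 404 responses that marks a probing client
MIN_REQUESTS = 5       # ignore the 404 ratio for clients with fewer requests
SCANNER_UA = re.compile(r"nikto|sqlmap|nmap|masscan|dirbuster|wpscan", re.I)


def parse_log(text: str) -> List[dict]:
    """Parse each line into a dict; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["ts"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
        records.append(rec)
    return records


def classify(records: List[dict]) -> Dict[str, List[str]]:
    """Per IP, list the reasons it looks like a bad bot (empty list = nothing found)."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    verdicts: Dict[str, List[str]] = {}
    for ip, recs in by_ip.items():
        reasons = []
        buckets: Dict[int, int] = defaultdict(int)
        for r in recs:
            buckets[int(r["ts"].timestamp()) // 10] += 1
        if max(buckets.values()) > RATE_LIMIT:
            reasons.append("request flood")
        if len(recs) >= MIN_REQUESTS:
            not_found = sum(r["status"] == 404 for r in recs) / len(recs)
            if not_found >= NOT_FOUND_RATIO:
                reasons.append("probing unknown paths")
        if any(SCANNER_UA.search(r["ua"]) for r in recs):
            reasons.append("scanner user-agent")
        verdicts[ip] = reasons
    return verdicts


if __name__ == "__main__":
    for ip, reasons in classify(parse_log(SAMPLE_LOG)).items():
        print(ip, "->", ", ".join(reasons) or "looks like a normal visitor")
```

A user-agent match is the weakest of the three signals, since a scanner can claim to be any browser, and the reverse also holds: a client claiming to be Googlebot should be confirmed by a reverse DNS lookup of its IP and a forward lookup of the resulting name before it is put on the good-bot list, a network check this offline example leaves out. Detection of this kind belongs on the request path, so that the verdict can rate-limit or block the client, rather than in a report read the next morning.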
25. When To Implement Various Security Tools
• PLANNING: security requirements, design, architecture
• CODING: source code analysis, manual code review, password security, 2-factor authentication
• PRODUCTION: web application firewall, DDoS mitigation, bot mitigation, web vulnerability scanner

26. Finding the Right Tools
WAF
• Commercial: Incapsula, Imperva, F5
• Open source / free: ModSecurity
Web Vulnerability Scanner
• Commercial: WhiteHat Security, Nessus, Acunetix, Qualys
• Open source / free: Nikto, Wapiti
DDoS Mitigation
• Commercial: Incapsula, Prolexic, Neustar
• Open source / free: not available / not advised
Source Code Analysis
• Commercial: Fortify, IBM AppScan, Parasoft
• Open source / free: FindSecurityBugs

27. Website Security and Performance in Minutes with a Simple DNS Change
• By routing website traffic through the Incapsula network, malicious traffic is blocked and legitimate traffic is accelerated
[Diagram: traffic passes through the Incapsula network before reaching your website, so only legitimate traffic arrives]
• For a free trial of Incapsula visit www.Incapsula.com

28. Thank you
Please send follow-up questions to tim@incapsula.com or @timmatthewssv