You’ve seen the headlines—"[Well-Known Company] Falls Victim To Hackers".
These data breaches result in the theft of millions of names, passwords, credit card numbers, and other personal data. Imagine if such a breach led to the theft of your application's data...
If multi-national companies with dedicated security teams and expansive budgets aren’t immune to the impact of hackers, how can you adequately prepare yourself to defeat this threat?
This presentation will explore the web application threat landscape. It will zero in on some of the most common attacks wreaking havoc on the internet, teaching you how to defend your online assets from them.
This presentation will discuss:
• The major security breaches of 2014
• Web application threats and common attack types
• How to defend against today’s common attacks
• Automated tools to help simplify website security
A DevOps Guide to Web Application Security
1. A DevOps Guide to Web App Security
Tim Matthews, VP Marketing, Incapsula
@timmatthewssv
2. Topics
• What we learned from recent web security events
• Web application threats and common attack types
• How to defend your website against today's common threats
• Automated tools to help simplify website security
Incapsula, Inc. / Proprietary and Confidential. 2 All Rights Reserved.
3. Major Hacks of 2014
2014 saw several enormous data breaches caused by hackers, including:
4. Heartbleed – the Epic SSL Crisis of 2014
• Heartbleed is a security bug that was disclosed in April of 2014
• It was present in the widely used OpenSSL cryptography library
• When disclosed, around 17% of the Internet's secure web servers were vulnerable
• Why do I care?
> The vulnerability allowed for the theft of the servers' private keys and users' session cookies and passwords
"Some might argue that [Heartbleed] is the worst vulnerability found since commercial traffic began to flow on the Internet."
Joseph Steinberg – Forbes
5. Shellshock Vulnerability
What is it?
1. Shellshock is a vulnerability that affects Bash (a.k.a. the Bourne-again Shell), the most common command-line shell on Linux / Unix / Mac OS systems
2. It allows unauthenticated attackers to remotely execute code on affected machines
What damage could this cause your website?
• Hackers remotely executing code on your systems can result in
> Data theft
> Malware injection
> Server hijacking
6. Distributed Denial Of Service (DDoS) Attacks
• DDoS attacks are attacks in which many infected computers band together to attack a single target
• These attacks exhaust network connections and server resources, causing website outages
7. Web App Threats and Common Attack Types
8. Use of Stolen Credentials Reigns Supreme
• Use of stolen authentication credentials by hackers is the number one threat of 2013
• Once stolen, credentials can be reused by hackers at other websites to increase the impact of a breach
• Automated tools combined with stolen password lists are a dangerous combination
Source: Verizon Data Breach Report 2014
9. Websites Have Many Vulnerabilities
• 96% of web applications have vulnerabilities
• 13% of websites can be compromised automatically
Sources: Cenzic, Inc. – Feb. 2014; Incapsula, Inc. – 2013
10. SQL Injection – What it is and why it matters
• What is SQL Injection?
> SQL Injection attacks attempt to use application code to access or corrupt database content
> It is accomplished by embedding SQL statements in user-supplied data
> Example: ' OR ''=' entered into a form field. The application was expecting my name, but I entered an SQL statement
• What happens if a hacker exploits this vulnerability?
> They can access your database and its data.
• Basic Rule
> If it is going into your database, clean it up first!
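The slide's example, worked through in code. This is an added illustration, not code from the presentation or from Incapsula: it builds a constructed two-row SQLite table, runs the same lookup once with the query assembled by string concatenation and once as a parameterized query, and shows that the slide's input `' OR ''='` returns every row from the first but nothing from the second. The "clean it up first" rule is best satisfied by never letting user data become part of the SQL text at all, which is what the placeholder `?` does.

```python
import sqlite3


def make_db():
    """Constructed in-memory table used only for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """The defect: user data is concatenated into the SQL text.

    With name = ' OR ''='  the statement becomes
        SELECT name, email FROM users WHERE name = '' OR ''=''
    whose WHERE clause is always true, so every row comes back.
    """
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """The fix: a parameterized query.

    The SQL text is fixed; the driver sends the value separately, so whatever
    the user typed is compared literally against the name column.
    """
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run both lookups with the slide's payload and with a legitimate name."""
    conn = make_db()
    payload = "' OR ''='"  # the string from the slide, typed into the name field
    return {
        "vulnerable": lookup_vulnerable(conn, payload),  # all rows leak
        "safe": lookup_safe(conn, payload),              # no row has that literal name
        "safe_legit": lookup_safe(conn, "alice"),        # normal use still works
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The same rule applies to every place user data meets a query: table and column names cannot be parameterized, so those must come from an allow-list in code rather than from the request.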
11. Cross Site Scripting (XSS) – What it is and why it matters
• What is XSS?
> A type of attack in which hackers inject scripts (like JavaScript) into otherwise trusted websites
• What happens if a hacker exploits an XSS vulnerability on my website?
> Stolen cookies or sessions
> Redirection to a malicious page
• Basic Rule
> If user-supplied data is going into your application, clean it up first!
How an XSS attack unfolds:
1. Attacker inserts malicious, unfiltered code into an application
2. User visits the web page and the malicious code is returned with the web page
3. Attacker gains control over user data or system via the injected exploit
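The three steps above, reduced to the one decision that matters at step 2: how the stored comment is written back into the page. This is an added example, not code from the presentation; the comment text and the `render_*` helpers are constructed for illustration. It renders a constructed comment both raw and output-encoded with `html.escape`, then parses each result with the standard library's HTML parser to show which one hands the browser a `<script>` element.

```python
import html
from html.parser import HTMLParser

# Constructed comment an attacker submitted; the application stores it and
# later displays it to every visitor of the page (step 1 of the slide).
MALICIOUS_COMMENT = "<script>alert('xss')</script> nice post"


def render_vulnerable(comment):
    """The defect: stored user data is interpolated into the HTML unchanged,
    so the browser sees a real <script> element (step 2 of the slide)."""
    return '<p class="comment">' + comment + "</p>"


def render_safe(comment):
    """The fix for HTML body context: output-encode the data.  &, <, >, " and '
    become character references, so the browser displays the text literally."""
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


class TagCollector(HTMLParser):
    """Records every start tag the browser-side parser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(fragment):
    """Parse a rendered fragment and return the element names it contains."""
    collector = TagCollector()
    collector.feed(fragment)
    return collector.tags


if __name__ == "__main__":
    print("vulnerable:", tags_in(render_vulnerable(MALICIOUS_COMMENT)))  # ['p', 'script']
    print("safe:      ", tags_in(render_safe(MALICIOUS_COMMENT)))        # ['p']
```

Encoding is context dependent: `html.escape` is correct for text nodes and quoted attribute values, but data placed inside a `<script>` block, a URL or a CSS rule needs the encoder for that context, which is why template engines that auto-escape per context are preferable to hand-written concatenation.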
12. How DDoS Attacks Bring Down Websites
• DDoS attacks make your website completely inaccessible
(Diagram: DDoS traffic and legitimate traffic both flow through your ISP and your Internet connection to your site.)
• If website availability is important to you, then DDoS protection should be too
• Any application without a DDoS mitigation strategy is at risk
13. Automated Clients are the Majority of Web Traffic
Over 61% of all website traffic is non-human. Half of that is malicious.
(Chart: 61.5% non-human traffic, 38.5% human traffic.)
14. The Impact of Bots on Website Security
Good Bots
• Search Engine Crawling
• Website Health Monitoring
• Vulnerability Scanning
Bad Bots
• DDoS
• Site Scraping
• Comment Spam
• SEO Spam
• Fraud
• Vulnerability Scanning
15. Defending Your Websites and Applications
16. Use Multi-factor Authentication for Admin Areas
Problem
• Lost or stolen passwords allow hackers to bypass your security measures
Solution
• Secure admin areas with multi-factor authentication, delivered via
> Email
> SMS
> Google Authenticator
> Other
17. Identify Vulnerabilities
White-box and Black-box tools
Can you see inside the application (its code)?
18. The White-box Approach
The white-box approach to finding vulnerabilities is to review application code for vulnerabilities.
Can be performed:
• Manually: Manual Code Review
• Automatically: Source Code Analysis
19. The Black-box Approach
The black-box approach to finding vulnerabilities is to emulate hacker activity by probing a website for weaknesses.
Can be performed:
• Manually: Penetration Testing
• Automatically: Web Vulnerability Scanning
20. Remediating Vulnerabilities at a Code Level
Each approach produces a list of vulnerabilities:
• White-box, manual: Manual Code Review
• White-box, automated: Source Code Analysis
• Black-box, manual: Penetration Testing
• Black-box, automated: Web Vulnerability Scanner
• Known vulnerabilities should be remediated
• What are the requirements for fixing vulnerabilities at the code level?
> Access to application code
> Coding expertise and knowledge in security
21. Use a Web Application Firewall (WAF)
• WAFs provide protection similar to a traditional network layer firewall, but for a web application
• Using a WAF can protect a website from application layer hacking attempts
• WAFs should be used in conjunction with traditional firewalls
22. Defend against DDoS attacks
• DDoS mitigation services are preferable to mitigation appliances
• Overprovisioning bandwidth is expensive
(Diagram: DDoS traffic and legitimate traffic pass through your ISP and your Internet connection before reaching a DDoS mitigation appliance in front of your site.)
23. DDoS Mitigation Requires Specialized Tools or Services
• DDoS mitigation services are preferable to mitigation appliances
• Overprovisioning bandwidth is expensive
• DDoS attacks should be mitigated close to their source (away from your network)
(Diagram: DDoS traffic and legitimate traffic reach a DDoS mitigation service before your ISP and your Internet connection; only legitimate traffic continues to your site.)
24. Identify and Block Bad Bots
• Implement a solution which can block bad bots to prevent
> Comment Spam
> Site Scraping
> Vulnerability Scanning
> Automated SEO Poisoning
• Bot mitigation can be
> A standalone service or appliance
> Part of other tools like a WAF
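Slides 13, 14 and 24 say that most traffic is automated and that the bad part of it should be identified and blocked, but not what "identify" looks like. As an added example that is not part of the presentation or of any Incapsula product, the following parses a handful of constructed Apache combined-format log lines and applies three simple per-client rules: a tool or missing user-agent, a burst of 404s (a client guessing file names), and a request rate far above human speed. The IP addresses, paths and thresholds are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# User-agent substrings of well-known scanning tools (constructed, not exhaustive).
SCANNER_UA_TOKENS = ("nikto", "sqlmap", "masscan", "nmap")

# Constructed sample log: one human, one well-behaved crawler, one scanner.
UA_BROWSER = "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/32.0"
UA_CRAWLER = "ExampleBot/1.0 (+http://example.com/bot.html)"
UA_SCANNER = "Mozilla/5.00 (Nikto/2.1.5)"
SAMPLE_LOG = [
    f'198.51.100.7 - - [10/Oct/2014:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "{UA_BROWSER}"',
    f'198.51.100.7 - - [10/Oct/2014:13:56:10 +0000] "GET /products.html HTTP/1.1" 200 5120 "-" "{UA_BROWSER}"',
    f'198.51.100.7 - - [10/Oct/2014:13:57:30 +0000] "POST /cart HTTP/1.1" 302 0 "-" "{UA_BROWSER}"',
    f'192.0.2.9 - - [10/Oct/2014:14:00:00 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "{UA_CRAWLER}"',
    f'192.0.2.9 - - [10/Oct/2014:14:00:15 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "{UA_CRAWLER}"',
    f'192.0.2.9 - - [10/Oct/2014:14:00:30 +0000] "GET /products.html HTTP/1.1" 200 5120 "-" "{UA_CRAWLER}"',
    f'192.0.2.9 - - [10/Oct/2014:14:00:45 +0000] "GET /about.html HTTP/1.1" 200 1800 "-" "{UA_CRAWLER}"',
    f'192.0.2.9 - - [10/Oct/2014:14:01:00 +0000] "GET /contact.html HTTP/1.1" 200 1500 "-" "{UA_CRAWLER}"',
    f'203.0.113.5 - - [10/Oct/2014:14:05:00 +0000] "GET / HTTP/1.1" 200 2326 "-" "{UA_SCANNER}"',
    f'203.0.113.5 - - [10/Oct/2014:14:05:01 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "{UA_SCANNER}"',
    f'203.0.113.5 - - [10/Oct/2014:14:05:01 +0000] "GET /backup.zip HTTP/1.1" 404 209 "-" "{UA_SCANNER}"',
    f'203.0.113.5 - - [10/Oct/2014:14:05:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "{UA_SCANNER}"',
    f'203.0.113.5 - - [10/Oct/2014:14:05:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "{UA_SCANNER}"',
    f'203.0.113.5 - - [10/Oct/2014:14:05:04 +0000] "GET /config.php.bak HTTP/1.1" 404 209 "-" "{UA_SCANNER}"',
]


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def classify(lines, min_requests=5, not_found_ratio=0.5, rate_per_minute=30):
    """Group requests by client IP and return {ip: [reasons]} for suspicious clients.
    Rate and 404 rules only fire once a client has made `min_requests` requests."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        reasons = []
        n = len(recs)
        ua = recs[0]["ua"].lower()
        if not ua or ua == "-" or any(tok in ua for tok in SCANNER_UA_TOKENS):
            reasons.append("missing or scanner user-agent")
        not_found = sum(1 for r in recs if r["status"] == 404)
        if n >= min_requests and not_found / n >= not_found_ratio:
            reasons.append(f"{not_found}/{n} requests returned 404 (probing for files)")
        span = (max(r["ts"] for r in recs) - min(r["ts"] for r in recs)).total_seconds()
        if n >= min_requests and n / max(span, 1.0) * 60 >= rate_per_minute:
            reasons.append("request rate above threshold")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in classify(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Two caveats for anyone turning this into a blocking rule: a user-agent string is chosen by the client, so a crawler claiming to be a search engine should be confirmed by the reverse-DNS procedure that engine publishes before it is allow-listed, and a single shared NAT address can look like a high-rate client, which is why per-IP thresholds belong behind a challenge or rate limit rather than an outright block.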
25. When To Implement Various Security Tools
Tools by lifecycle phase (PLANNING, CODING, PRODUCTION):
PLANNING
• Security Requirements
• Design
• Architecture
CODING / PRODUCTION
• Web Vulnerability Scanner
• Source Code Analysis
• Manual Code Review
• Password Security
• 2 Factor Authentication
• Web App Firewall
• DDoS Mitigation
• Bot Mitigation
26. Finding the Right Tools
WAF
• Commercial: Incapsula, Imperva, F5
• Open Source / Free: Mod Security
Web Vulnerability Scanner
• Commercial: Whitehat Security, Nessus, Acunetix, Qualys
• Open Source / Free: Nikto, Wapiti
DDoS Mitigation
• Commercial: Incapsula, Prolexic, Neustar
• Open Source / Free: Not available / Not advised
Source Code Analysis
• Commercial: Fortify, IBM Appscan, Parasoft
• Open Source / Free: FindSecurityBugs
27. Website Security and Performance in Minutes with a Simple DNS Change
By routing website traffic through the Incapsula network, malicious traffic is blocked, and legitimate traffic is accelerated.
(Diagram: traffic enters the Incapsula network; only legitimate traffic continues to your website.)
For a Free Trial of Incapsula visit us at www.Incapsula.com
28. Thank you
Please send follow up questions to tim@incapsula.com
or @timmatthewssv