Cyber proofing your data from application attacks

Transcript

  • 1. Cyber-Proofing your Data from Application Attacks
      Irene Abezgauz, Product Manager
      © 2005-2011. All Rights Reserved to Seeker Security Ltd. 2005-2012.
  • 2. Introduction
      • Cyber-Proofing – Application Security vs. Data Security
      • Current Application Security Approach
      • Vulnerability vs. Risk
      • Technique vs. Goal
      • Adaptive Approach for Application Security
  • 3. About Myself
      • Over 8 Years in Information Security
      • Application Threats Expert
      • Hands-on Penetration Testing, Research and Vulnerability Disclosure
      • Speaker at Security Conferences
  • 4. The Problem
      • Cyber Threats – Focused, Persistent Attacks
      • Evolution of Information Security – YOU are being Targeted
      • Find as Many Vulnerabilities as Possible – is that really the Goal?
  • 5. The Problem
      • Influence of Application Vulnerabilities on Information Security
      • Dealing with Security Information Overload
      • Remediation Prioritization – “Critical”, “Very High”, “The Rest”
      • The Need for Manageable Results
  • 6. Current Approach
      • Approach is Too Technical
      • Focus on Technical Aspects
      • Examine it from the Vulnerability Perspective
      • Focus on Injections & Technical Problems
      • Analysis of Code rather than Application
      • Ignoring Application Data
      • Focus on Technology instead of Risk
  • 7. Too Many Vulnerabilities…
      Flow Bypassing, URL Encoding, Cross Site Request Forgery, Buffer Overflow, Session Hijacking, SQL Injection, LDAP Injection, Session Fixation, Directory Listing, Session Riding, No SSL, File Inclusion, OS Commanding, Directory Traversal, Forceful Browsing, Cookie Poisoning, CRLF Injection, Unauthenticated Access, Information Leakage, No User Lockout, Cross Site Scripting, XPath Injection, Insecure Password Storage, Misconfiguration, Parameter Tampering, Detailed Error Messages, Insecure Redirect, HTTP Response Splitting, Hidden Field Manipulation
  • 8. Example – Unauthorized Data Modification
      • The Attack is Data Modification
      • Can be Performed in Various Ways
          • Parameter Tampering
          • Flow Bypassing
          • SQL Injection
          • Cross Site Scripting
          • Cross Site Request Forgery
  • 9. The Problem – Take II
      • Low Security ROI
      • Spending on solutions not focused on risk
      • Spending on professional services trying to simplify haystacks that resemble needles
      • Spending on R&D hours fixing unnecessary issues
  • 10. Going back to the Roots
      • Risk Based Approach
      • CIA
          • Confidentiality
          • Integrity
          • Availability
      • Assess Application Vulnerabilities Based on Data Risk
  • 11. Data Oriented Approach
      • Taking a Data Oriented Approach to Application Security Testing
      • Logical vs. Technical
      • Business Impact
      • Level of Exploitability
      • Risk, Risk, Risk
  • 12. The Solution – Data Centric Application Security
      • Analysis of Actual Data Handling
      • Automatic Data Classification
          • Sensitivity
          • Ownership
          • Accessibility
      • Identifying Vulnerabilities that Pose a Real Threat
      • Verification of Actual Risk Level
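The following is an added example illustrating slides 8 and 10–12; it is not code from the presentation or from Seeker Security, and it does not describe how the Seeker product works. It ranks findings by the risk to the data each one reaches (the CIA impact of the technique, how much that data needs each property, the verified exploitability, and whether the data is reachable without an account) rather than by technique alone, and it collapses findings that achieve the same goal on the same data (slide 8: several techniques, one data-modification attack). Every weight, endpoint, data class and finding in the block is a constructed assumption.

```python
"""Data-centric prioritization of application findings.

Added example for this page; not code from the presentation or from
Seeker Security. All weights, data classes, endpoints and findings are
constructed assumptions chosen to illustrate the approach.
"""
from collections import defaultdict
from dataclasses import dataclass

# CIA impact of each technique on the data it reaches, 0..10.
# Constructed assumption: tune these for your own environment.
TECHNIQUE_IMPACT = {
    "sql_injection":       {"C": 10, "I": 10, "A": 7},
    "parameter_tampering": {"C": 0,  "I": 10, "A": 0},
    "flow_bypassing":      {"C": 3,  "I": 10, "A": 0},
    "xss":                 {"C": 6,  "I": 6,  "A": 0},
    "csrf":                {"C": 0,  "I": 10, "A": 0},
    "directory_listing":   {"C": 5,  "I": 0,  "A": 0},
}


@dataclass(frozen=True)
class DataClass:
    """Classification of a data asset (slide 12): how much it needs each
    CIA property, 0..10, and whether it is reachable without a login."""
    name: str
    confidentiality: int
    integrity: int
    availability: int
    reachable_unauthenticated: bool

    def need(self, dim):
        return {"C": self.confidentiality, "I": self.integrity,
                "A": self.availability}[dim]


@dataclass(frozen=True)
class Finding:
    id: str
    technique: str
    endpoint: str
    data: DataClass
    exploitability: int  # 0..10, set only after the exploit was verified


def dominant_dimension(f):
    """(dimension, impact * need) for the CIA property hit hardest.
    Ties resolve in C, I, A order because max() keeps the first maximum."""
    imp = TECHNIQUE_IMPACT[f.technique]
    return max(((d, imp[d] * f.data.need(d)) for d in "CIA"),
               key=lambda t: t[1])


def risk_score(f):
    """0..10: worst CIA dimension x exploitability x reachability.
    Data that needs an account before it can be attacked scores lower."""
    _, worst = dominant_dimension(f)
    reach = 10 if f.data.reachable_unauthenticated else 7
    return worst * f.exploitability * reach / 1000


def severity(score):
    """Buckets in the spirit of slide 5: Critical, High, and the rest."""
    if score >= 5.0:
        return "Critical"
    if score >= 3.0:
        return "High"
    if score >= 1.0:
        return "Medium"
    return "Low"


def prioritize(findings):
    """Findings ordered by data risk, highest first."""
    return sorted(findings, key=risk_score, reverse=True)


def group_by_goal(findings):
    """Collapse findings into attack goals keyed by (data asset, CIA
    property). Several techniques reaching the same goal on the same data
    are one risk to the data, whatever their technical labels."""
    goals = defaultdict(list)
    for f in findings:
        dim, _ = dominant_dimension(f)
        goals[(f.data.name, dim)].append(f.id)
    return dict(goals)


# Constructed data classes and findings (not from the presentation).
CATALOG = DataClass("product catalog", 1, 3, 5, True)
BALANCE = DataClass("account balance", 9, 10, 6, False)
PROFILE = DataClass("user profile", 7, 7, 2, False)

SAMPLE_FINDINGS = [
    Finding("F-1", "sql_injection",       "/catalog/search",   CATALOG, 9),
    Finding("F-2", "parameter_tampering", "/account/transfer", BALANCE, 8),
    Finding("F-3", "csrf",                "/account/transfer", BALANCE, 6),
    Finding("F-4", "directory_listing",   "/static/",          CATALOG, 10),
    Finding("F-5", "xss",                 "/profile",          PROFILE, 7),
    Finding("F-6", "sql_injection",       "/profile/export",   PROFILE, 4),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        s = risk_score(f)
        print(f"{f.id} {severity(s):8} {s:5.2f} {f.technique:20} {f.data.name}")
    for (asset, dim), ids in group_by_goal(SAMPLE_FINDINGS).items():
        print(f"goal: {dim} of {asset}: {ids}")
```

With these constructed inputs a technique-first ranking would put the two SQL injections on top; the data-centric ranking puts the parameter tampering and CSRF against the account balance first and groups them as one goal (integrity of the account balance), while the SQL injection on the public catalog drops to High because the catalog has little to protect.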
  • 13. Automatic Classification of Risk
  • 14. Visualization of Risk
  • 15. Summary
      • Cyber-Proofing!
      • Identify More Vulnerabilities
      • Focus on Real Threats
      • Holistic Approach
      • Integrate into SDLC
      • Efficient, Practical, Focused, Better ROI
  • 16. Thank You!