   The contents of this talk are my own    personal research and training. FishNet    Security has no affiliation with th...
No Really!        Don‟t Panic!
Facebook   WordPress
• The Internet is BIG• No, no no The Internet is REALLY REALLY BIG• To go along with this really big internet we have a  r...
• OWASP top Ten• OWASP is the open Web Application Security  Project.• Every few years they put out a report of the top te...
Injection means…• Tricking an application into including unintended  commands in the data sent to an interpreterSQL inject...
 Recommendations 1. Avoid the interpreter entirely, or 2. Use an interface that supports bind variables (e.g.,    prepare...
Occurs any time…• Raw data from attacker is sent to an innocent  user‟s browserTypical Impact• Steal user‟s session, steal...
 Recommendations  Eliminate Flaw      Don‟t include user supplied input in the output page  Defend Against the Flaw   ...
Web applications rely on a secure foundation•Everywhere from the OS up through the App Server•Don‟t forget all the librari...
 Verify your system‟s configuration management    Secure configuration “hardening” guideline        Automation is REALL...
PKI       VPNSSH/SFTP     SSL
Does•Third Party Authentication•PKI encryption•Keeps the conversation between the client and the hostDoes Not•Protect the ...
Does•PKI encryption•Keeps the conversation between the client and the hostDoes Not•Protect the client from malware snoopin...
Does•PKI encryption•Connects to your server for quick secure file management•Allows you to issue commands to your serverDo...
Email: carlton.sue@fishnetsecurity.comTwitter: @iamcoboltWeb: http://www.fishnetsecurity.com/BlogsPersonal: http://www.car...
So Your Company Hired A Pentester
So Your Company Hired A Pentester
So Your Company Hired A Pentester
So Your Company Hired A Pentester
Upcoming SlideShare
Loading in...5
×

So Your Company Hired A Pentester

207

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
207
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
6
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

So Your Company Hired A Pentester

  1. 1.  The contents of this talk are my own personal research and training. FishNet Security has no affiliation with this talk and can not be held responsible for any of its contents. As such it should not be seen as marketing or any other from of public interaction by FishNet Security.
  2. 2. No Really! Don‟t Panic!
  3. 3. Facebook WordPress
  4. 4. • The Internet is BIG• No, no no The Internet is REALLY REALLY BIG• To go along with this really big internet we have a really big Codebase• To add to this really big codebase, just like we learned in our first programming class there are a thousand ways to do just about anything .• Risk Assessment is more about hardening your web app or site to common attacks than uncommon attacks that target your unique situation.• Now you must be thinking whats a low hanging fruit?
  5. 5. • OWASP top Ten• OWASP is the open Web Application Security Project.• Every few years they put out a report of the top ten vulnerabilities found on the internet.• They Also have some great tools for testing your Web Applications.• If you want an Idea of how to prepare for a Security Audit OWASP is a great resource.
  6. 6. Injection means…• Tricking an application into including unintended commands in the data sent to an interpreterSQL injection is still quite common• Many applications still susceptible (really don‟t know why)• Even though it‟s usually very simple to avoidTypical Impact• Usually severe. Entire database can usually be read or modified• May also allow full database schema, or account access, or even OS level access
  7. 7.  Recommendations 1. Avoid the interpreter entirely, or 2. Use an interface that supports bind variables (e.g., prepared statements, or stored procedures),  Bind variables allow the interpreter to distinguish between code and data 3. Encode all user input before passing it to the interpreter  Always perform „white list‟ input validation on all user supplied input  Always minimize database privileges to reduce the impact of a flaw
  8. 8. Occurs any time…• Raw data from attacker is sent to an innocent user‟s browserTypical Impact• Steal user‟s session, steal sensitive data, rewrite web page, redirect user to phishing or malware site• Most Severe: Install XSS proxy which allows attacker to observe and direct all user‟s behavior on vulnerable site and force user to other sites
  9. 9.  Recommendations  Eliminate Flaw  Don‟t include user supplied input in the output page  Defend Against the Flaw  Primary Recommendation: Output encode all user supplied input  Perform „white list‟ input validation on all user input to be included in page  For large chunks of user supplied HTML, use HTML sanitization to sanitize all HTML and make it safe
  10. 10. Web applications rely on a secure foundation•Everywhere from the OS up through the App Server•Don‟t forget all the libraries you are using!!Is your source code a secret?•Think of all the places your source code goes•Security should not require secret source codeCM must extend to all parts of the application•All credentials should change in productionTypical Impact•Install backdoor through missing OS or server patch•XSS flaw exploits due to missing application framework patches•Unauthorized access to default accounts, application functionality or data, or unused but accessible functionality due to poor server configuration
  11. 11.  Verify your system‟s configuration management  Secure configuration “hardening” guideline  Automation is REALLY USEFUL here  Must cover entire platform and application  Keep up with patches for ALL components  This includes software libraries, not just OS and Server applications  Analyze security effects of changes Can you “dump” the application configuration  Build reporting into your process  If you can‟t verify it, it isn‟t secure Verify the implementation  Scanning finds generic configuration and missing patch problems
  12. 12. PKI VPNSSH/SFTP SSL
  13. 13. Does•Third Party Authentication•PKI encryption•Keeps the conversation between the client and the hostDoes Not•Protect the client from malware snooping or interference•Remove malicious code.Why Its not standard•Encryption is process heavy•The internet is oldWhen you should use it.•Always…•When dynamic code is used•At least when logins are in use anywhere on the site.
  14. 14. Does•PKI encryption•Keeps the conversation between the client and the hostDoes Not•Protect the client from malware snooping or interference•Remove malicious code.Why Its not standard•Encryption is process heavy•The internet is oldWhen you should use it.•Always…•When dynamic code is used•At least when logins are in use anywhere on the site.
  15. 15. Does•PKI encryption•Connects to your server for quick secure file management•Allows you to issue commands to your serverDoes Not•Help the Client•Provide any code sanitizationWhat It Replaces•FTP•God forbid TelnetWhen You Should Use It.•Anytime you connect to your server•All File transfer for source code•Editing any source on host
  16. 16. Email: carlton.sue@fishnetsecurity.comTwitter: @iamcoboltWeb: http://www.fishnetsecurity.com/BlogsPersonal: http://www.carlsue.com • https://www.owasp.org • Web Application Hackers Handbook • The Tangled Web – No Starch Press • SQL Injection Attacks and DefenseThanks For Having Me!
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×