Strategies for Web Application Security

Slide 1: Webinar: Strategies for Web Application Security
The webinar will begin at 9am PT / Noon ET
Featuring: Andy Hoernecke, Sr. Application Security Consultant, Neohapsis; David McKenzie, Sr. Director Business Consulting, OpSource
Turn up the speakers on your computer for streamed audio, or dial in to:
  – U.S.: (888) 669-5051
  – International: (303) 330-0440 (Room: *8886695051#)
© 2010 OpSource, Inc. All rights reserved.

Slide 2: Agenda
• Housekeeping
• Intro to OpSource
• Featured Presentation by Neohapsis
• Q&A Session

Slide 3: Welcome!
• Moderating: Dave McKenzie, Sr. Director Business Consulting, OpSource
• All phones are set on mute
• If you have a question, please use the Chat Q&A box located below the presentation panel
• We will collect questions throughout the webinar and answer as many as we can at the end
• If we don't answer your question, we'll follow up with an answer via email
• The full-screen button lets you toggle between a larger image view and the view with the Q&A box for typing in questions; you can use it throughout the webinar

Slide 4: OpSource: Enterprise Cloud and Managed Hosting
• OpSource provides Enterprise Cloud and Managed Hosting Services
• Solutions for SaaS, Enterprise, Telecoms and Cloud Platforms
• Founded in 2002
• Investors: Crosslink Ventures, Velocity Interactive Group, Intel and NTT
• Offices: Santa Clara, CA (HQ); Herndon, VA; Dublin, London, Bangalore
• Unmatched Industry Experience
  – SaaS Hosting and Scaling Software-Oriented Architectures (SOA)
  – High Performance, Secure Cloud Computing

Slide 5: OpSource Serves 600+ Clients with Millions of End-Users
(Diagram: SaaS & Managed Hosting, Hybrid Hosting, Cloud Hosting)

Slide 6: OpSource Partner Ecosystem
(Diagram: Telecom, Distribution, Consulting, Cloud Platform, Infrastructure)

Slide 7: Andy Hoernecke, Sr. Application Security Consultant, Neohapsis
• Sr. Application Security Consultant
• Graduate of Iowa State University with a Master's degree in Information Assurance and Computer Engineering
• Performs a variety of assessments including penetration tests, blackbox/whitebox assessments, SDLC reviews, and security tool implementation
• Industries served include Federal/Local Government, Financial Services, Entertainment, Manufacturing, Retail, and Internet Service Providers

Slide 8: Strategies for Web Application Security
Andy Hoernecke, Sr. Application Security Consultant
April 13th, 2011

Slide 9: Agenda
• Background
• Tool Introduction
• Web Application Scanning Strengths/Weaknesses
• Where Scanning Makes Sense
• SDL Integration
• Supplemental Security Measures
Neohapsis Confidential

Slide 10: Background
• ~96% of records breached involved "hacking" or malware
• ~92% of records stolen through "hacking" involved a web application
• Most commonly exploited web application vulnerabilities include:
  – SQL Injection
  – Brute Force Attacks
  – OS Commanding
  – Default/Guessable Credentials
  – Cross-Site Scripting
Source: 2010 Data Breach Investigations Report, Verizon Business Risk Team
Slide 11: Tool Introduction: Dynamic Analysis
• Tests running web applications by making requests as a normal user would
• Examples: IBM AppScan, HP WebInspect, WhiteHat
• Scanning phases generally include:
  – Spidering
  – Fault Injection
  – Analysis

Slide 12: Tool Introduction: Static Analysis
• Tests through the analysis of source or object code
• Examples: Fortify, Veracode
• Capabilities vary greatly
  – May require compilable code
  – May only handle certain languages
• Not currently as widely adopted
Slide 13: Dynamic Analysis Strengths
• Performing tedious tests (fuzzing)
  – XSS
  – File path manipulation
  – SSL issues
• Signature-based tests
  – Known vulnerabilities in common applications
• Sensitive information checks
  – Default files/scripts
  – Certain types of information disclosure (internal IP addresses)
• Configuration issues
• Parameter-based fault injection

Slide 14: Dynamic Analysis Weaknesses
• Logic bugs
  – Example: negative pricing/quantity
• Authentication issues
  – SSO related
• Authorization problems
  – User role enforcement
  – Forced browsing
• Vulnerabilities that are part of complex/multi-step processes
• Identifying discrete pages in "rewritten URLs"
• Results can vary greatly based on configuration and scanner in use
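To make the three scanning phases of slide 11 and the strengths and weaknesses of slides 13 and 14 concrete, here is an added example written for this page; it is not code from the presentation or from any of the commercial scanners named above. It runs entirely in-process: target_app is a constructed stand-in for a web application with a reflected XSS in /search, a leaked database error in /item, and a business-logic flaw in /cart that accepts a negative quantity. The scanner spiders the start page for links and form inputs, injects one probe per vulnerability class into every parameter, and then analyzes each response for an unencoded reflection or a database error signature. The payloads, signatures and paths are all assumptions for the example.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# --- Constructed target application (stand-in for a real site; not from the slides) ---
PRODUCTS = {"1": 10.00, "2": 25.00}


def target_app(method, path, params):
    """Tiny in-process 'web app': returns (status, body) for a request."""
    if path == "/":
        return 200, ('<a href="/search?q=test">search</a> '
                     '<a href="/item?id=1">item</a> '
                     '<form action="/cart" method="post">'
                     '<input name="item" value="1"><input name="qty" value="1">'
                     '</form>')
    if path == "/search":
        return 200, f"<h1>Results for {params.get('q', '')}</h1>"   # unescaped reflection
    if path == "/item":
        item_id = params.get("id", "")
        if not item_id.isdigit():   # pretend the database choked on the unquoted value
            return 500, "You have an error in your SQL syntax near '%s'" % html.escape(item_id)
        return 200, f"<p>Price: {PRODUCTS.get(item_id, 0.0):.2f}</p>"
    if path == "/cart":
        qty_raw = params.get("qty", "0")
        qty = int(qty_raw) if re.fullmatch(r"-?\d+", qty_raw) else 0
        total = PRODUCTS.get(params.get("item", ""), 0.0) * qty   # no sign check: logic bug
        return 200, f"<p>Total: {total:.2f}</p>"
    return 404, "not found"


# --- Minimal dynamic scanner -----------------------------------------------------------
class Spider(HTMLParser):
    """Phase 1, spidering: harvest links and forms, with their parameters, from a page."""

    def __init__(self):
        super().__init__()
        self.requests = []          # (method, path, {param: sample value})
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and "href" in a:
            parts = urlsplit(a["href"])
            self.requests.append(("GET", parts.path,
                                  {k: v[0] for k, v in parse_qs(parts.query).items()}))
        elif tag == "form":
            self._form = (a.get("method", "get").upper(), a.get("action", "/"), {})
        elif tag == "input" and self._form is not None and "name" in a:
            self._form[2][a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.requests.append(self._form)
            self._form = None


# Phase 2, fault injection: one probe per vulnerability class, sent into every parameter.
PAYLOADS = {"xss": "<zz'probe>", "sqli": "'"}
# Phase 3, analysis: signatures that turn a response into a finding (assumed list).
SQL_ERRORS = re.compile(r"error in your SQL syntax|ORA-\d{5}|unterminated quoted string", re.I)


def scan(app, start="/"):
    """Run the three phases against `app`; returns findings as (kind, method, path, param)."""
    _, body = app("GET", start, {})
    spider = Spider()
    spider.feed(body)
    findings = set()
    for method, path, params in spider.requests:
        for name in params:
            for kind, payload in PAYLOADS.items():
                _, resp = app(method, path, {**params, name: payload})
                if kind == "xss" and payload in resp:            # reflected without encoding
                    findings.add(("xss", method, path, name))
                if kind == "sqli" and SQL_ERRORS.search(resp):    # database error leaked
                    findings.add(("sqli", method, path, name))
    return findings


def negative_quantity_total(app):
    """The logic bug the scanner cannot see: a well-formed request the business should
    reject. The 200 response contains nothing that looks like an error."""
    _, resp = app("POST", "/cart", {"item": "2", "qty": "-3"})
    return float(re.search(r"Total: (-?\d+\.\d+)", resp).group(1))


if __name__ == "__main__":
    for finding in sorted(scan(target_app)):
        print("finding:", finding)
    print("cart total for qty=-3:", negative_quantity_total(target_app))
```

The scan reports the XSS in /search and the SQL error in /item, because both show up as a signature in a response. The /cart endpoint gets the same probes and produces clean 200 responses every time, so it generates no finding even though a quantity of -3 yields a negative total; recognizing that the number should never be negative requires knowing what the application is for, which is the point of the logic-bug bullet above.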
Slide 15: Percent Vulnerabilities Identified
(Chart: percentage of vulnerabilities identified by each scanner tested)
Source: Suto, Larry. "Analyzing the Accuracy and Time Costs of Web Application Security Scanners." 2010.

Slide 16: Experience Needed
• Web application scanners are not like antivirus tools
• Most will require tuning and customization to get good results
• Login and session management can often cause problems
• There WILL be false positives
• Tuning and interpretation of results requires application security knowledge
• It is unlikely that canned reports can be handed off to average developers without some additional explanation

Slide 17: Where Scanning Makes Sense
• Application scanning is a piece of the overall SDL
• Most standard web applications using HTTP/HTTPS
  – Modern scanners provide decent JavaScript parsing
  – Mostly platform/language independent
• As the first stage of a manual assessment

Slide 18: Where Scanning Doesn't Make Sense
• Applications heavily reliant on client-side code
• Non-HTTP applications
  – CORBA
  – RMI
  – Proprietary protocols
• Results could be limited for:
  – Web Services/SOAP APIs
  – Very AJAX-intensive applications
  – Other client-side technologies (Flash, Silverlight)
  – Completely static sites

Slide 19: Application Scanning and SDL
• Web application scanners are valuable as part of the Secure Development Lifecycle
• Variables include:
  – How frequently to scan, which depends on several factors:
    application/data sensitivity; development cycle; business criticality; available resources
  – Which environments to scan?
    Production: generally the most important code base to be secure; requires the most care, as outages are generally not well received
    QA, Staging, Development: good for catching vulnerabilities before they are rolled into production; many development groups have their hands full fixing issues in production

Slide 20: Application Scanning and SDL
• Dynamic scanning has limitations
  – Won't be able to find everything a code review could find
• Can provide findings relatively quickly and help focus on potentially insecure areas of an application

Slide 21: Supplementing Application Scanning
• Periodic manual testing for sensitive applications
  – Blackbox, greybox, whitebox
  – May be targeted to certain functionality
• Standard IT best practices
  – Separation of duties
  – Defense in depth
• Working security into earlier development phases
  – Security requirements
  – Architecture review
  – Developer security training/awareness

Slide 22: Questions & Answers / Contact Info
• Q&A: type your questions into the chat box below the presentation panel
• Contact OpSource: Dave McKenzie, david@opsource.net
• Sales inquiries: sales@opsource.net or 800-664-9973
• The recorded webinar and slides will be posted within 48 hours on the OpSource website