The webinar will begin at 9am PT / Noon ET




Webinar: Strategies for Web Application Security

Featuring:

Andy Hoernecke
Sr. Application Security Consultant
Neohapsis

David McKenzie
Sr. Director Business Consulting
OpSource

Turn up the speakers on your computer for streamed audio or dial in to:
  – U.S.: (888) 669-5051
  – International: (303) 330-0440 (Room: *8886695051#)

                            © 2010 OpSource, Inc. All rights reserved.
Agenda

• Housekeeping


• Intro to OpSource


• Featured Presentation by Neohapsis


• Q&A Session




Welcome!

• Moderating: Dave McKenzie, Sr. Director Business Consulting, OpSource

• All phones are set on mute

• If you have a question, please use the Chat Q&A box located below the
  presentation panel

• We will collect questions throughout the webinar and answer as many as
  we can at the end

• If we don’t answer your question, we’ll follow up with an answer via email

• Full-screen button will let you toggle between a larger image view and the
  view with Q&A box to type in questions – you can use it throughout the
  webinar


OpSource: Enterprise Cloud and Managed Hosting

• OpSource provides Enterprise Cloud
  and Managed Hosting Services

• Solutions for SaaS, Enterprise, Telecoms
  and Cloud Platforms

• Investors: Crosslink Ventures, Velocity Interactive Group, Intel and NTT

• Founded in 2002

• Offices: Santa Clara, CA (HQ); Herndon, VA; Dublin, London, Bangalore

• Unmatched Industry Experience
   – SaaS Hosting and Scaling Software-Oriented Architectures (SOA)
   – High Performance, Secure Cloud Computing




OpSource Serves 600+ Clients with Millions of End-Users

SaaS & Managed Hosting          Hybrid Hosting                        Cloud Hosting




OpSource Partner Ecosystem

Telecom   Distribution        Consulting                    Cloud Platform   Infrastructure




Andy Hoernecke, Sr. Application Security Consultant, Neohapsis

 • Sr. Application Security Consultant


 • Graduate of Iowa State University with a Master's degree in
   Information Assurance and Computer Engineering.


 • Performs a variety of assessments including penetration tests,
   blackbox / whitebox assessment, SDLC review, and security tool
   implementation


 • Industries Served include Federal/Local Government, Financial
   Services, Entertainment, Manufacturing, Retail, and Internet
   Service Providers



Strategies for Web Application Security



                     Andy Hoernecke
                     Sr. Application Security Consultant
                     April 13th, 2011
Agenda

          Background
          Tool Introduction
          Web Application Scanning Strengths/Weaknesses
          Where Scanning Makes Sense
          SDL Integration
          Supplemental Security Measures




9   Neohapsis Confidential
Background

           ~96% of records breached involved “hacking” or
           malware
           ~92% of records stolen through “hacking” involved a web
           application
           Most commonly exploited web application vulnerabilities
           include:
                 SQL Injection
                 Brute Force Attacks
                 OS Commanding
                 Default/Guessable Credentials
                 Cross-Site Scripting
      Source: 2010 Data Breach Investigations Report, Verizon Business Risk Team

Tool Introduction – Dynamic Analysis

           Tests running web applications by making requests as a
           normal user would

           Examples:
                 IBM AppScan
                 HP WebInspect
                 WhiteHat

           Scanning phases generally include
                 Spidering
                 Fault Injection
                 Analysis

Tool Introduction – Static Analysis

           Tests through the analysis of source or object code

           Examples:
                 Fortify
                 Veracode


           Capabilities vary greatly
                 May require compilable code
                 May only handle certain languages


           Not currently as widely adopted

Dynamic Analysis Strengths

           Performing tedious tests (Fuzzing)
                 XSS
                 File Path manipulation
                 SSL issues
           Signature Based Tests
                 Known vulnerabilities in common applications
           Sensitive Information Checks
                 Default files/scripts
                 Certain types of information disclosure (internal IP addresses)
           Configuration Issues
           Parameter based fault injection

Dynamic Analysis Weaknesses

           Logic Bugs
                 Example: Negative Pricing/Quantity
           Authentication Issues
                 SSO Related
           Authorization Problems
                 User Role Enforcement
                 Forced Browsing
           Vulnerabilities part of complex/multi-step processes
           Identifying discrete pages in “rewritten URLs”
           Results can vary greatly based on configuration and
           scanner in use
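To make the three scanning phases from the dynamic-analysis introduction concrete, and to show why the negative-quantity logic bug listed above produces nothing for a scanner to flag, here is an added Python example (not from the slides or from any of the scanners they name): a toy spider / fault-injection / analysis loop run against an in-memory simulated app, followed by the hardened checkout handler. The app, its catalog, the marker string and the URLs are all constructed for this example.

```python
"""Added example (not from the slides or the scanners they name): a toy
dynamic-analysis loop (spider -> fault injection -> analysis) run against an
in-memory simulated app. Everything below is constructed for illustration."""
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

CATALOG = {"widget": 25.00}     # constructed server-side price list
INDEX_URL = "/"
MARKER = "zqz<'zqz"             # odd token: an unencoded echo is unambiguous


def vulnerable_app(url):
    """Simulated target; returns (status, body) as an HTTP response would."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if parts.path == INDEX_URL:
        return 200, ('<a href="/search?q=shoes">search</a> '
                     '<a href="/checkout?sku=widget&price=25&qty=1">buy</a>')
    if parts.path == "/search":
        # Bug 1: user input is echoed without HTML encoding (reflected XSS).
        return 200, f"<h1>Results for {q.get('q', '')}</h1>"
    if parts.path == "/checkout":
        # Bug 2: the client supplies the price and the sign of the quantity,
        # so a negative quantity produces a "credit". Nothing in the response
        # looks like an error, which is why a scanner has no signature for it.
        try:
            total = float(q.get("price", "0")) * int(q.get("qty", "1"))
        except ValueError:
            return 400, "<p>bad request</p>"
        return 200, f"<p>Order total: {total:.2f}</p>"
    return 404, "<p>not found</p>"


def spider(app, start):
    """Phase 1, spidering: collect every href on the start page (one level)."""
    _, body = app(start)
    return [start] + re.findall(r'href="([^"]+)"', body)


def inject(url, param, value):
    """Rebuild url with one query parameter replaced by the test value."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    q[param] = value
    return urlunsplit(parts._replace(query=urlencode(q)))


def fault_inject(app, url):
    """Phase 2, fault injection: send MARKER in each parameter in turn."""
    params = parse_qs(urlsplit(url).query)
    return [(p, app(inject(url, p, MARKER))) for p in params]


def analyse(url, responses):
    """Phase 3, analysis: flag bodies that echo MARKER verbatim. An encoded
    echo (&lt; &#x27;) would not match, so a correctly escaping page passes."""
    return [{"url": urlsplit(url).path, "param": param,
             "issue": "unencoded reflection (XSS)"}
            for param, (_, body) in responses if MARKER in body]


def scan(app, start=INDEX_URL):
    """Run all three phases and return the list of findings."""
    findings = []
    for url in spider(app, start):
        findings += analyse(url, fault_inject(app, url))
    return findings


def negative_quantity_probe(app):
    """What a manual tester tries and the scanner above never will: a
    negative quantity. The app answers 200 with a negative total."""
    return app("/checkout?sku=widget&price=25&qty=-3")


def hardened_checkout(q):
    """Fixed handler: price comes from the server-side catalog and quantity
    must be a positive integer. Only the logic differs from the buggy one."""
    sku = q.get("sku")
    if sku not in CATALOG:
        return 400, "<p>unknown item</p>"
    try:
        qty = int(q.get("qty", "1"))
    except ValueError:
        return 400, "<p>bad request</p>"
    if qty < 1:
        return 400, "<p>quantity must be positive</p>"
    return 200, f"<p>Order total: {CATALOG[sku] * qty:.2f}</p>"


if __name__ == "__main__":
    for finding in scan(vulnerable_app):
        print("scanner finding:", finding)
    print("manual probe:", negative_quantity_probe(vulnerable_app))
    print("hardened:", hardened_checkout({"sku": "widget", "qty": "-3"}))
```

The scan reports the reflection on /search and nothing on /checkout, while the manual probe gets a 200 with a negative total; that gap is the logic-bug weakness the slide describes.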

Percent Vulnerabilities Identified




       Source: Suto, Larry. "Analyzing the Accuracy and Time Costs of Web Application Security Scanners." (2001)

Experience Needed

           Web application scanners are not like antivirus tools

           Most will require tuning and customization to get good results
                 Login and session management can often cause problems


           There WILL be false positives

           Tuning and interpretation of results requires application
           security knowledge

           Unlikely that canned reports can be handed off to average
           developers without some additional explanation

Where Scanning Makes Sense

           Application Scanning is a piece of the overall SDL

           Most standard web applications using HTTP/HTTPS

           Modern scanners provide decent JavaScript parsing

           Mostly platform/language independent

           As the first stage of a manual assessment



Where Scanning Doesn’t Make Sense

           Applications heavily reliant on client side code

           Non-HTTP applications
                 CORBA
                 RMI
                 Proprietary protocols


           Results could be limited for:
                 Web Services/SOAP APIs
                 Very AJAX intensive applications
                 Other client-side technologies
                       Flash
                       Silverlight
                 Completely static sites

Application Scanning and SDL

           Web application scanners are valuable as part of the Secure
           Development Lifecycle
           Variables include:
                 How frequently to scan
                       Dependent on several factors:
                              Application/Data sensitivity
                              Development Cycle
                              Business Criticality
                              Available Resources
                 Which environments to scan?
                       Production
                              Generally the most important code base to be secure
                              Requires the most care as outages are generally not well received
                       QA, Staging, Development
                              Good to catch vulnerabilities before rolled into production
                              Many development groups have hands full fixing issues in production


Application Scanning and SDL

           Dynamic scanning has limitations
                 Won’t be able to find everything a code review could find

           Can provide findings relatively quickly and help focus on
           potentially insecure areas of an application


Supplementing Application Scanning

           Periodic manual testing for sensitive applications
                 Blackbox, Greybox, Whitebox
                 May be targeted to certain functionality


           Standard IT best practices
                 Separation of duties
                 Defense in depth


           Working in security during earlier development phases
                 Security requirements
                 Architecture review

           Developer security training/awareness

Questions & Answers / Contact Info



                         Q&A
 Type your questions into the chat box below the presentation panel


 Contact OpSource:
 Dave McKenzie – david@opsource.net
 Sales Inquiries – sales@opsource.net or 800-664-9973


 Recorded webinar and slides will be posted within 48 hours on the
 OpSource website.





Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 

Recently uploaded (20)

UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 

Webinar: Strategies for Web Application Security

4. OpSource: Enterprise Cloud and Managed Hosting

• OpSource provides Enterprise Cloud and Managed Hosting Services
• Solutions for SaaS, Enterprise, Telecoms and Cloud Platforms
• Investors: Crosslink Ventures, Velocity Interactive Group, Intel and NTT
• Founded in 2002
• Offices: Santa Clara, CA (HQ); Herndon, VA; Dublin, London, Bangalore
• Unmatched Industry Experience
  – SaaS Hosting and Scaling Software-Oriented Architectures (SOA)
  – High Performance, Secure Cloud Computing

5. OpSource Serves 600+ Clients with Millions of End-Users

• SaaS & Managed Hosting
• Hybrid Hosting
• Cloud Hosting

6. OpSource Partner Ecosystem

• Telecom
• Distribution
• Consulting
• Cloud Platform
• Infrastructure

7. Andy Hoernecke, Sr. Application Security Consultant, Neohapsis

• Sr. Application Security Consultant
• Graduate of Iowa State University with a Master's degree in Information Assurance and Computer Engineering
• Performs a variety of assessments including penetration tests, blackbox / whitebox assessment, SDLC review, and security tool implementation
• Industries served include Federal/Local Government, Financial Services, Entertainment, Manufacturing, Retail, and Internet Service Providers

8. Strategies for Web Application Security

Andy Hoernecke
Sr. Application Security Consultant
April 13th, 2011

9. Agenda

• Background
• Tool Introduction
• Web Application Scanning Strengths/Weaknesses
• Where Scanning Makes Sense
• SDL Integration
• Supplemental Security Measures

Neohapsis Confidential

10. Background

• ~96% of records breached involved “hacking” or malware
• ~92% of records stolen through “hacking” involved a web application
• Most commonly exploited web application vulnerabilities include:
  – SQL Injection
  – Brute Force Attacks
  – OS Commanding
  – Default/Guessable Credentials
  – Cross-Site Scripting
• Source: 2010 Data Breach Investigations Report, Verizon Business Risk Team

11. Tool Introduction - Dynamic Analysis

• Tests running web applications by making requests as a normal user would
• Examples:
  – IBM AppScan
  – HP WebInspect
  – WhiteHat
• Scanning phases generally include:
  – Spidering
  – Fault Injection
  – Analysis

12. Tool Introduction - Static Analysis

• Tests through the analysis of source or object code
• Examples:
  – Fortify
  – Veracode
• Capabilities vary greatly
  – May require compilable code
  – May only handle certain languages
• Not currently as widely adopted

13. Dynamic Analysis Strengths

• Performing tedious tests (Fuzzing)
  – XSS
  – File path manipulation
  – SSL issues
• Signature-based tests
  – Known vulnerabilities in common applications
• Sensitive information checks
  – Default files/scripts
  – Certain types of information disclosure (internal IP addresses)
• Configuration issues
• Parameter-based fault injection

14. Dynamic Analysis Weaknesses

• Logic bugs
  – Example: Negative pricing/quantity
• Authentication issues
  – SSO related
• Authorization problems
  – User role enforcement
  – Forced browsing
• Vulnerabilities that are part of complex/multi-step processes
• Identifying discrete pages in “rewritten URLs”
• Results can vary greatly based on configuration and scanner in use
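The negative-quantity logic bug from the slide above, as an added example that is not from the deck or from Neohapsis: a checkout handler that trusts the client-supplied quantity beside a hardened one, with the status-code and error-signature view a fault-injection scanner has of both, and the business invariant a manual or greybox tester checks instead. The catalog, cart and handler names are constructed for illustration.

```python
"""Why a dynamic scanner misses a negative-quantity logic bug.

Added example for the 'Dynamic Analysis Weaknesses' slide; not code from
the original deck. CATALOG, the carts and the handler names are constructed.
"""
from dataclasses import dataclass

# Constructed price list in cents; the cart is untrusted client input.
CATALOG = {"widget": 1999, "gadget": 4999}


@dataclass
class Response:
    status: int
    body: str


def checkout_vulnerable(cart: dict) -> Response:
    """'Before' version: uses the client quantity as-is.

    A quantity of -2 on a 49.99 item silently lowers the total. There is
    no exception, no error string and the status is 200, so parameter
    fault injection has nothing to key on.
    """
    total = 0
    for sku, qty in cart.items():
        if sku not in CATALOG:
            return Response(400, "unknown item")
        total += CATALOG[sku] * int(qty)
    return Response(200, f"total={total}")


def checkout_fixed(cart: dict) -> Response:
    """Hardened version: enforce the business rule server-side."""
    total = 0
    for sku, qty in cart.items():
        if sku not in CATALOG:
            return Response(400, "unknown item")
        # Quantity must be a positive integer (bool is an int in Python).
        if not isinstance(qty, int) or isinstance(qty, bool) or qty < 1:
            return Response(400, "invalid quantity")
        total += CATALOG[sku] * qty
    return Response(200, f"total={total}")


# What a signature/fault-injection scanner can observe: server errors and
# stack-trace or database error strings. A logic bug produces neither.
ERROR_SIGNATURES = ("Traceback", "SQL syntax", "ORA-", "Exception")


def scanner_flags(resp: Response) -> bool:
    """True if the response looks like an injection hit to a scanner."""
    return resp.status >= 500 or any(s in resp.body for s in ERROR_SIGNATURES)


def invariant_flags(cart: dict, resp: Response) -> bool:
    """Logic check a tester adds: a successful checkout must never charge
    less than the sum of the positive line items."""
    if resp.status != 200:
        return False
    expected = sum(CATALOG[s] * q for s, q in cart.items() if q > 0)
    charged = int(resp.body.split("=")[1])
    return charged < expected


NEGATIVE_CART = {"widget": 1, "gadget": -2}  # constructed abusive cart

if __name__ == "__main__":
    for name, handler in (("vulnerable", checkout_vulnerable), ("fixed", checkout_fixed)):
        r = handler(NEGATIVE_CART)
        print(name, r, "scanner:", scanner_flags(r), "logic:", invariant_flags(NEGATIVE_CART, r))
```

Both handlers look identical to the scanner (no 5xx, no error signature); only the invariant check separates the vulnerable total of -7999 cents from the hardened 400 response.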
15. Percent Vulnerabilities Identified

[Chart: percent of vulnerabilities identified per scanner]
Source: Suto, Larry. "Analyzing the Accuracy and Time Costs of Web Application Security Scanners." (2001)

16. Experience Needed

• Web application scanners are not like antivirus tools
• Most will require tuning and customization to get good results
• Login and session management can often cause problems
• There WILL be false positives
• Tuning and interpretation of results requires application security knowledge
• Unlikely that canned reports can be handed off to average developers without some additional explanation

17. Where Scanning Makes Sense

• Application scanning is a piece of the overall SDL
• Most standard web applications using HTTP/HTTPS
  – Modern scanners provide decent JavaScript parsing
  – Mostly platform/language independent
• As the first stage of a manual assessment

18. Where Scanning Doesn’t Make Sense

• Applications heavily reliant on client-side code
• Non-HTTP applications
  – CORBA
  – RMI
  – Proprietary protocols
• Results could be limited for:
  – Web Services/SOAP APIs
  – Very AJAX-intensive applications
  – Other client-side technologies
    • Flash
    • Silverlight
  – Completely static sites

19. Application Scanning and SDL

• Web application scanners are valuable as part of the Secure Development Lifecycle
• Variables include:
  – How frequently to scan; dependent on several factors:
    • Application/Data sensitivity
    • Development cycle
    • Business criticality
    • Available resources
  – Which environments to scan?
    • Production
      – Generally the most important code base to be secure
      – Requires the most care, as outages are generally not well received
    • QA, Staging, Development
      – Good to catch vulnerabilities before they are rolled into production
      – Many development groups have their hands full fixing issues in production

20. Application Scanning and SDL

• Dynamic scanning has limitations
  – Won’t be able to find everything a code review could find
  – Can provide findings relatively quickly and help focus on potentially insecure areas of an application

21. Supplementing Application Scanning

• Periodic manual testing for sensitive applications
  – Blackbox, Greybox, Whitebox
  – May be targeted to certain functionality
• Standard IT best practices
  – Separation of duties
  – Defense in depth
• Working in security during earlier development phases
  – Security requirements
  – Architecture review
• Developer security training/awareness

22. Questions & Answers / Contact Info

• Q&A: Type your questions into the chat box below the presentation panel
• Contact OpSource:
  – Dave McKenzie – david@opsource.net
  – Sales Inquiries – sales@opsource.net or 800-664-9973
• Recorded webinar and slides will be posted within 48 hours on the OpSource website.