Benefits of In-depth Security Testing for the Enterprise

we45's CTO, Abhay Bhargav, delivering a talk on the benefits of In-depth Security Testing for the Enterprise at the Bangalore Cyber Security Summit 2011

    1. Breaking the Wall.. Benefits of In-Depth Security Testing for the Enterprise
       Copyright © we45 Solutions India Pvt. Ltd.
    2. we45 - An Introduction
       • we45 = “we” + Fortify (45)
       • Focused Information Security Consulting Company
       • Research oriented Security Company
       • Showcased as one of Karnataka’s Top 20 Startups in 2010
    3. Yours Truly...
       • Co-author of ‘Secure Java For Web Application Development’
       • CISSP, ISO27001:LA, CISA, GWAPT, CPA
       • Specialization in Web Application Security
       • Trainer and Workshop Lead for Security Training Workshops
       • URL: abhaybhargav.com
       • we45’s Website: we45.com
    4. Why test for Security?
       • Validation of Controls
       • Removing the Illusion of Control
       • Understanding how newer and constantly evolving threats affect your environment
       • Malicious - People and Code
    5. The Gap
       • Security Tests largely fail because of:
         • Lack of focus by the testers
         • Organization - Lack of Awareness and Will
         • Tools vs Skills
    6. Critical Data on IT
       • Financial Information
       • Credit Card Information
       • User Personal Information
       • Customer Information
       • Healthcare Information
       • Other organization sensitive information - Stored, Processed and Transmitted via IT
    7. Disturbing Statistics
       • 53% of Indian Companies have been victims of cyber attacks
       • 70% of Enterprise Web Applications are found to be vulnerable
       • 60%+ of Enterprise Endpoints vulnerable to client-side attacks
       • Marked Rise in Social Engineering attacks
       • 75% of Web Applications developed with non-secure coding practices
    8. The Solution: In-Depth Security Testing
    9. Web Applications
       • Web Application Security is key with organizations taking extensively to Web 2.0
       • E-Commerce, ERP, Salesforce Automation, etc
       • Application attacks due to non-secure coding practices are massive
       • Configuration and Deployment oriented attacks are multifold
       • Framework based attacks - Joomla, Drupal
       • Web Application Security Testing is CRITICAL
       • Tester should follow best practice methodologies
       • Business Logic cannot be tested with tools
       • Application attacks:
         • Coding Flaws
         • Business Logic Flaws
         • Configuration Flaws
    10. Application Attacks: Case Study
    11. Application Attacks: Case Study
       • Testing a large infrastructure company’s critical web app
    12. Application Attacks: Case Study
       • Testing a large infrastructure company’s critical web app
       • Finding SQL Injection while testing the authentication of a particular application
    13. Application Attacks: Case Study
       • Testing a large infrastructure company’s critical web app
       • Finding SQL Injection while testing the authentication of a particular application
       • Database was running with ‘root’ privileges
    14. Application Attacks: Case Study
       • Testing a large infrastructure company’s critical web app
       • Finding SQL Injection while testing the authentication of a particular application
       • Database was running with ‘root’ privileges
       • Later, we found a configuration file in the application server with root username and password to the DB
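The case study above chains three weaknesses: a login query that can be injected, a database account running as root, and root credentials sitting in a plaintext configuration file. The following is an added example, not code from the talk or from we45, showing what each finding looks like in code from a defender's side: a login function built by string concatenation beside its parameterized form, tested with the classic tautology input a tester would try, and a small configuration audit that flags a superuser database account and a password embedded in the config file. The table, the `alice` account, the `FORBIDDEN_DB_ACCOUNTS` list and the `DB_PASSWORD` environment variable name are all constructed for the demonstration.

```python
import os
import sqlite3

# Constructed sample database for the demonstration only. Real systems store
# password hashes, never the password itself; the plaintext column here keeps
# the injection comparison short.
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn


def login_vulnerable(conn, username, password):
    """The pattern behind the finding: user input is pasted into SQL text,
    so quotes and comment markers in the input become part of the query."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """The fix: bound parameters are sent as values, never parsed as SQL,
    so a quote or comment marker in the input is just data to compare."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Hypothetical list of account names that should never be used by an application.
FORBIDDEN_DB_ACCOUNTS = {"root", "sa", "postgres", "admin"}


def check_db_config(cfg, environ):
    """Audit an application's database settings (a dict parsed from its config
    file) and return a list of findings. Empty list means nothing flagged."""
    findings = []
    user = cfg.get("user", "")
    if user.lower() in FORBIDDEN_DB_ACCOUNTS:
        findings.append(
            "database account '%s' is a superuser; an injection in the app "
            "inherits every privilege it has - use a least-privilege account" % user)
    if "password" in cfg:
        findings.append(
            "database password is stored in the config file on the app server; "
            "load it from a secret store or the DB_PASSWORD environment variable")
    elif "DB_PASSWORD" not in environ:
        findings.append("no password source configured for the database account")
    return findings


if __name__ == "__main__":
    conn = build_demo_db()
    # The tautology input a tester uses to confirm an injectable login.
    probe = "' OR '1'='1' --"
    print("concatenated query, probe input ->", login_vulnerable(conn, probe, "x"))      # True
    print("parameterized query, probe input ->", login_parameterized(conn, probe, "x"))  # False
    # Constructed config resembling the one found on the application server.
    bad_cfg = {"host": "db.internal", "user": "root", "password": "hunter2"}
    for finding in check_db_config(bad_cfg, os.environ):
        print("FINDING:", finding)
    good_cfg = {"host": "db.internal", "user": "app_user"}
    print("hardened config findings:", check_db_config(good_cfg, {"DB_PASSWORD": "set"}))
```

Fixing the query alone would have stopped the authentication bypass, but with the database still running as root and its password on disk, the other two findings remain reachable through any future injection or any file-read flaw, which is why the audit function reports all three independently.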
    15. Servers and Endpoints
       • Server attacks - The Genesis:
         • Lack of patching server and kernel level security updates
         • Client-Side Software - The new Achilles Heel
         • Endpoint Security - Insecure Client-side Software, Patches and Browser-based security flaws
       • Security Testing for Servers and Endpoints is mostly tool-based.
       • Low Priority given to Client-Side exploits by testers
       • Non-Secure Configuration of Endpoints results in over 40% of Security Flaws
       • Internal Security Testing also essential
    16. Severe Server and Endpoint Security Vulnerabilities
       • MS08-067: Critical Flaw in Windows Server allowing an attacker to exploit the system and run his/her code - 43% of Enterprise Endpoints and Servers affected
       • Adobe Reader code execution flaw which an attacker can exploit to run commands on the victim’s system - 59% of Enterprise Endpoints found to be affected
       • Multiple Java Exploits affecting servers and endpoints
       • and many more.....
    17. Network Infrastructure
       • Network Devices
         • Have to be tested comprehensively for authentication vulnerabilities - 38% of Network Devices have authentication flaws
         • Firmware Updates and Security Updates not applied - Compromise the Perimeter
         • Focus on Depth of Finding, rather than review
    18. People: The Weakest Link
       • People are the easiest targets in a security compromise
       • Targeted Phishing - Spear Phishing Attacks on the rise with over 56,000 reports
       • Social Networks and Email: Rife to spread Malware and compromise user endpoints
       • Browser Security considerations
       • Companies must consider comprehensive Social Engineering Assessments to identify lapses in User Security Awareness
       • Organizations’ Assessments must cover security over Web Browsers
    19. In Conclusion...
       • Threats are multifold and evolve constantly
       • Organizations have to test often to avoid being a vulnerability statistic
       • Tests have to encompass these elements during the year based on applicability
       • Testers should be chosen carefully based on skills and not tools
       • Reporting should be clear and prescriptive, not vague and generic
    20. Thank You
       • URL: www.we45.com
       • Email: abhay@we45.com
       • Twitter: @abhaybhargav
       • abhaybhargav.com
