Benefits of In-depth Security Testing for the Enterprise

we45 - An Introduction • we45 = “we” + Fortify (45) • Focused Information Security Consulting Company • Research oriented Security Company • Showcased as one of Karnataka’s Top 20 Startups in 2010Copyright © we45 Solutions India Pvt. Ltd.

Y#rs Truly... • Co-author of ‘Secure Java For Web Application Development’ • CISSP, ISO27001:LA, CISA, GWAPT, CPA • Specialization in Web Application Security • Trainer and Workshop Lead for Security Training Workshops • URL: abhaybhargav.com • we45’s Website: we45.comCopyright © we45 Solutions India Pvt. Ltd.

Why test for Secu%ty? • Validation of Controls • Removing the Illusion of Control • Understanding how newer and constantly evolving threats affect your environment • Malicious - People and CodeCopyright © we45 Solutions India Pvt. Ltd.

C%tical Data on IT • Financial Information • Credit Card Information • User Personal Information • Customer Information • Healthcare Information • Other organization sensitive information - Stored, Processesd and Transmitted via ITCopyright © we45 Solutions India Pvt. Ltd.

Dturbing (attics53% of Indian Companies have been victims of cyber attacks 70% of Enterprise Web Applications are found to be vulnerable 60%+ of Enterprise Endpoints vulnerable to client-side attacks Marked Rise in Social Engineering attacks 75% of Web Applications developed with non-secure coding practicesCopyright © we45 Solutions India Pvt. Ltd.

Web A*lications • Web Application Security is key with • Web Application Security Testing is organizations taking extensively to CRITICAL Web 2.0 • Tester should follow best practice • E-Commerce, ERP, Salesforce methodologies Automation, etc • Business Logic cannot be tested with tools • Application attacks: • Application attacks due to non-secure coding practices are massive • Coding Flaws • Conﬁguration and Deployment oriented • Business Logic Flaws attacks are multifold • Conﬁguration Flaws • Framework based attacks - Joomla, DrupalCopyright © we45 Solutions India Pvt. Ltd.

A*lication A+acks: Case Study • Testing a large infrastructure company’s critical web app • Finding SQL Injection while testing the authentication of a particular applicationCopyright © we45 Solutions India Pvt. Ltd.

A*lication A+acks: Case Study • Testing a large infrastructure company’s critical web app • Finding SQL Injection while testing the authentication of a particular application • Database was running with ‘root’ privilegesCopyright © we45 Solutions India Pvt. Ltd.

A*lication A+acks: Case Study • Testing a large infrastructure company’s critical web app • Finding SQL Injection while testing the authentication of a particular application • Database was running with ‘root’ privileges • Later, we found a conﬁguration ﬁle in the application server with root username and password to the DBCopyright © we45 Solutions India Pvt. Ltd.

Servers and Endpoints • Server attacks - The Genesis: • Security Testing for Servers and Endpoints is mostly tool-based. • Lack of patching server and kernel level security updates • Low Priority given to Client-Side exploits by testers • Client-Side Software - The new Achilles Heel • Non-Secure Conﬁguration of Endpoints results in over 40% of • Endpoint Security - Insecure Security Flaws Client-side Software, Patches and Browser-based • Internal Security Testing also security ﬂaws essentialCopyright © we45 Solutions India Pvt. Ltd.

Severe Server and Endpoint Secu%ty Vulnerabilities • MS08-067: Critical Flaw in Windows Server allowing attacker to exploit the system and run his/her code - 43% of Enterprise Endpoints and Servers affected • Adobe Reader code execution ﬂaw where attacker can exploit can run commands on victim’s system - 59% of Enterprise Endpoints found to be affected • Multiple Java Exploits affecting servers and endpoints • and many more.....Copyright © we45 Solutions India Pvt. Ltd.

Network Infra(ructure • Network Devices • Have to be tested comprehensively for authentication vulnerabilities - 38% of Network Devices have authentication ﬂaws • Firmware Updates and Security Updates not applied - Compromise the Perimeter • Focus on Depth of Finding, rather than reviewCopyright © we45 Solutions India Pvt. Ltd.

People: &e Weakest Link • People are the easiest targets in a security compromise • Companies must consider comprehensive Social • Targeted Phishing - Spear Engineering Assessments to Phishing Attacks on the rise with identify lapses in User Security over 56,000 reports Awareness • Social Networks and Email: Rife • Organizations Assessments must to spread Malware and compromise user endpoints cover security over Web Browsers • Browser Security considerationsCopyright © we45 Solutions India Pvt. Ltd.

In Conclusion... • Threats are multifold and evolve constantly • Organizations have to test often to avoid being a vulnerability statistic • Tests have to encompass these elements during the year based on applicability • Testers should be chosen carefully based on skills and not tools • Reporting should be clear and prescriptive, not vague and genericCopyright © we45 Solutions India Pvt. Ltd.

http://www.we45.com	228
http://www.abhaybhargav.com	41
http://we45.com	8
http://www.slideshare.net	3
http://www.we45.in	1
http://we45.in	1

Benefits of In-depth Security Testing for the Enterprise

by abhaybhargav on Mar 25, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

6 Embeds 282

Statistics

Benefits of In-depth Security Testing for the Enterprise — Presentation Transcript