Get more from your Web VAPT

Web Application Security is a priority for organizations all over the world, and for organizations hosting mission-critical web applications it is a key priority. One of the most important aspects of a strong Web Application Security program is the security testing of the web application itself.

Organizations primarily use Vulnerability Assessments and Penetration Tests (VAPT) as tests of security against the web application. VAPTs are widely recognized as effective security tests against an enterprise IT infrastructure. However, Web Application VAPT is radically different from Network or OS Level VAPT. Several organizations are unaware of the various intricacies of Web Application VAPTs, resulting in a situation where they accept poor quality tests from external vendors and internal security teams, lulling them into a false (and dangerous) sense of security.

This talk will provide a practical view of Web Application VAPTs and will explore some of the key factors that organizational decision-makers should consider when evaluating Web Application VAPTs. I will discuss some of the metrics that organizations can use to analyze and interpret the results of VAPTs and devise suitable remediation measures. I will also explore some of the benefits and limitations of a Web Application VAPT and how these factors differ from a Network or OS level VAPT. This will help set expectations and give the audience the ability to analyze a VAPT and its results from a better perspective.

I will also be briefly touching upon certain VAPT essentials for Internal Security teams and how they can add a great deal of value in an internal Web Application VAPT.

This talk is ideally meant for CIO/CTOs/CISOs, Information Security and Risk Professionals, Internal Penetration testers and any other professionals who would like to understand the subtleties of strong Web Application Security Testing for their organization.

  1. Get the best out of your Web VAPT
     Abhay Bhargav - CTO, we45 Solutions India Pvt. Ltd.
     Copyright © we45 Solutions India Pvt. Ltd. Tuesday, July 20, 2010
  2. Yours Truly...
     • Co-author of ‘Secure Java For Web Application Development’
     • Specialization in Web Vulnerability Assessment and Penetration Testing
     • Trainer and Workshop Lead for Security Training Workshops
     • My blog: http://citadelnotes.blogspot.com
  3. The Web and its increasing footprint
     • Web Applications extensively adopted by S, M and L entities
     • E-Commerce, Social Networking
     • Government is web-ifying everything
     • Websites evolving into Apps
     • Super Speciality Web Apps for highly specific tasks
     • The rise of Web 2.0 and mashups
  4. Current State of Web Security
     • Industry average of 70% of web apps vulnerable to serious security issues; 80% from personal experience
     • Rise of Multi-tasking Application Driven Malware
     • Web 2.0 and RIA - Greater Attack Surface
     • Attack Vectors hidden and dangerous
     • It is only getting easier...
  5. Why the disconnect?
     • Management - Unable to understand and grapple with Web Security
     • Developers - Largely unaware of Web Security issues and fixes
     • No Security in the Lifecycle
     • Non-secure Coding Practices
     • Poor Quality of Security Testing
  6. Why you need a solid Web VAPT
     • Web Applications - Box of Chocolates
     • Proof of Concept - A Powerful Motivator
     • Simulated to real-world environment
     • Efficient
     • Recognition
     • Business Case Simplicity
  7. Why Web VAPTs largely fail
     • Web - new Paradigm, old testing techniques
     • Management expectations - cloudy
     • No Differentiation between a VA and a PT
     • Business Logic = Un-Tested
     • Over-reliance on Tools
  8. Is it the Web??
     • Most Web VAPTs are not Web VAPTs
     • Web 2.0 is ignored extensively
     • Flash and Java applets are considered “Safe, Compiled Code”
  9. Methodology
     • Consistent and Repeatable Methodology is all important
     • What are the best practices they follow?
     • Name Dropping is not a methodology
  10. Depth
     • VA != PT - The difference is huge
     • Search Engines and Social Networking - A Treasure Trove for attackers
     • Web 2.0 coverage - 30-40% increase in attack surface
     • Business Logic Testing is Logical
  11. Perils of the Assembly Line
     • Skills, not Tools matter
     • All tools and no manual testing maketh a surface-level test
     • Tools cannot test Business Logic
     • Hybrid Approach works best
  12. Analysis and Reporting
     • Analysis for Web Apps is key - Custom Vulnerabilities
     • Risk Ranking Vulnerabilities
     • Threat Modeling
     • Specific Recommendations
     • Involvement with Developers
     • Platform specific recommendations
     • Risk Based Approach
     • Compliance Requirements
  13. Research
     • The Web is changing every day
     • Organizations doing VAPT need to have research capabilities
  14. Other Best Practices
     • Rules of Engagement - Management sets them
     • Test Early and Test Often
     • Haste makes for a non-secure app
     • No Website too small, no Web App too large
     • Fix please!
     • Recognize the limitations
  15. Thank You!!!
     • Email: abhay@we45.com
     • Micromessage: @abhaybhargav - Twitter
     • LinkedIn: http://www.linkedin.com/in/abhaybhargav
     • Website: www.we45.com
     • Blog: citadelnotes.blogspot.com