Web Application Security: Firewalls will not be able to protect you
Akash Mahajan, Chapter Lead for null Bangalore
What should keep you up at night
- 95% of attacks are against "Web Servers and Web Applications", aka websites.
- The top 3 verticals compromised were Financial Services, Hospitality and Retail.
- More than 60% of attacks were caused by external agents.
- The primary attack vector was SQL Injection, and it was used to install customized malware.
- Injection attacks are the #1 critical flaw in applications.
Sources: Verizon DBIR 2010, WhiteHat Security statistics, OWASP Top 10 2010
Web App Attacks: SQL Injection Attacks
(Picture: a number plate crafted to foil an automatic license plate scanner!)
- An attack which allows SQL to be executed as part of the input.
Web App Attacks: XSS
- XSS was used to get root on an apache.org server in April 2010.
- A popular shopping website that used to sell only books and now sells other things as well. (Picture: the inner window is an iframe injected through a simple search request.)
Picture courtesy null Keeda Vulnerability Database
Other Critical Flaws/Attacks
- Cross Site Request Forgery: attacks the user of the application
- Clickjacking: Facebook "Like" attack
- Security Misconfigurations: default passwords in DSL routers
- Insecure Cryptographic Storage: Apache attack
- Tiny URLs: employees trust and click on anything!
Solutions/Mitigations
- Training in secure coding for developers
- Code reviews by competent security folks
- Regular mining of web server logs
- An application security practice
- Awareness about new attacks
- Set up a red team in the company
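As an added example (not from the slides or the speaker), one way to do the "regular mining of web server logs" recommended above: a small Python script that parses Apache combined-format access log lines, URL-decodes the query string, and flags the SQL injection and injected-iframe XSS patterns shown on the attack slides. The log lines, IP addresses and indicator patterns are constructed for illustration and are not from any real server.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache "combined" format log lines (not from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jun/2010:10:01:02 +0530] "GET /search?q=books HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jun/2010:10:01:07 +0530] "GET /item?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9001 "-" "curl/7.19"
198.51.100.7 - - [12/Jun/2010:10:02:11 +0530] "GET /search?q=%3Ciframe%20src%3D%22http%3A%2F%2Fexample.net%2Fx%22%3E HTTP/1.1" 200 6000 "-" "Mozilla/5.0"
198.51.100.8 - - [12/Jun/2010:10:03:00 +0530] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Indicators for the two attack classes the slides call out, checked against
# the URL-decoded query string. Each tuple is (label, compiled pattern).
INDICATORS = [
    ("sqli", re.compile(r"'\s*(or|and)\s*'?\w*'?\s*=", re.I)),
    ("sqli", re.compile(r"\b(union\s+select|sleep\s*\(|benchmark\s*\()", re.I)),
    ("sqli", re.compile(r"(--|#|/\*)\s*$")),
    ("xss", re.compile(r"<\s*(script|iframe|img|svg)\b", re.I)),
    ("xss", re.compile(r"\bon\w+\s*=", re.I)),
]

def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["path"].partition("?")
    rec["path"] = path
    # Decode twice: double-encoded requests are a common way past naive filters.
    rec["query"] = unquote_plus(unquote_plus(query))
    return rec

def classify(query):
    """Return the set of indicator labels matched by a decoded query string."""
    return {label for label, pat in INDICATORS if pat.search(query)}

def mine_log(text):
    """Return (ip, path, labels) for every request that trips an indicator."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["query"]:
            continue
        labels = classify(rec["query"])
        if labels:
            hits.append((rec["ip"], rec["path"], sorted(labels)))
    return hits
```

Run `mine_log` over a real access log and review the hits by hand; string indicators like these give a starting point for log review, not a replacement for fixing the injection flaw in the code.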
About null
- null: Indian Open Security Community, null.co.in
- Registered non-profit society
- 5 active chapters in India
- We conduct monthly meetings, regular awareness camps and trainings.
- More than 1000 security professionals and enthusiasts in the group.
- null Keeda Vulnerability Database: http://keeda.nullcon.net
Web Security Consultant
- I hack, test and secure web apps and servers
- Help companies become secure on the AWS cloud
Website: akashm.com
Email: email@example.com / firstname.lastname@example.org
Twitter: @makash
LinkedIn: www.linkedin.com/in/akashm