E-Banking Web Application Security That's Where the Money Is

Corporate Security Management How much can port 80 / 443 affect

OWASP top 10 – NEW ! 19 May 2007 Cross Site Scripting (XSS)‏ Injection Flaws Malicious File Execution Insecure Direct Object Reference Cross Site Request Forgery (CSRF)‏ Information Leakage and Improper Error Handling

Cross Site Scripting (XSS)‏

Injection Flaws

Malicious File Execution

Insecure Direct Object Reference

Cross Site Request Forgery (CSRF)‏

Information Leakage and Improper Error Handling

OWASP top 10 – NEW ! 19 May 2007 Broken Authentication and Session Management Insecure Cryptographic Storage Insecure Communications Failure to Restrict URL Access

Broken Authentication and Session Management

Insecure Cryptographic Storage

Insecure Communications

Failure to Restrict URL Access

PCI DSS 1.1 6.6 Ensure that all web-facing applications are protected against known attacks by applying either of the following methods: Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security Installing an application layer firewall in front of web-facing applications. Note: This method is considered a best practice until June 30, 2008, after which it becomes a requirement.

6.6 Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:

Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security

Installing an application layer firewall in front of web-facing applications.

Note: This method is considered a best practice until June 30, 2008, after which it becomes a requirement.

Web Application Firewalls Easy Deployment HTTP/S Support Detection Techniques ProtectionTechniques Virtual Patching No Fixing Still Vulnerable www.webappsec.org

Easy Deployment

HTTP/S Support

Detection Techniques

ProtectionTechniques

Virtual Patching

No Fixing

Still Vulnerable

Zero false positives You are in control – Ethical Hacking Push beyond low hanging fruits It takes one to know one Layer 8 Analysis – It’s Human

Zero false positives

You are in control – Ethical Hacking

Push beyond low hanging fruits

It takes one to know one

But you don’t do the assessment You see the report ! It is a pain !

But you don’t do the assessment

You see the report !

Certification Experience Go For Quality Dragos Lungu [email_address] Images from www.flickr.com Methodology References

Certification

Experience

Methodology

References