Hybrid website security from Indusface
1. Automatic scans do not make a web security program jump like a duck
2. Hype around auto scans and why they fail to deliver most of the time
3. How to detect logical flaws - the bedrock of almost all impactful web application vulnerabilities

  1. HYBRID WEBSITE SECURITY
     01 www.indusface.com | Indusface, Proprietary
  2. AGENDA
     • Websites – Business & Security Landscape
     • Website Security Approach
     • Challenges for Automated Scanning
     • Hybrid Website Security
     • Examples of Logical Checks
     • Benefits
  3. [Section divider] Websites – Business and Security Landscape
  4. Websites and Web Applications for Everything!
     Websites and web applications contain valuable data which can be misused if accessed by the wrong people. Hence, ensuring comprehensive security of a website or web application, checking for both technical and logical vulnerabilities, is of utmost importance.
  5. Websites and Web Applications Are Vulnerable
     • 75% of all attacks are targeted towards the application layer. (Gartner)
     • More than 90% of web applications contain some type of security vulnerability. (Imperva)
     • Through 2015, 80% of successful attacks will exploit well-known vulnerabilities and will be detectable via security monitoring. (Gartner)
     • More than 13% of all reviewed sites can be compromised completely automatically. The most widespread vulnerabilities were Cross-site Scripting, different types of Information Leakage, SQL Injection, and HTTP Response Splitting. (WASC)
     • 73% of organizations have been hacked at least once in the past two years through insecure websites and web applications. (Ponemon Institute)
     • Automation is not always effective without manual configuration or testing activity; manual testing can uncover flaws that are difficult or impossible to find with automated tools. (Gartner)
  6. Mind Block
     Mind blocks:
     • The website is secure because it has been scanned by state-of-the-art scanning software.
     • Firewalls and SSL are adequate security for a web application.
     • An IDS protects the web server and databases.
     Reality:
     • Frequent software updates and new website functionality increase the potential for new web application vulnerabilities.
     • Security holes in the web application layer can make a perfectly patched and firewalled server completely vulnerable.
     • A security assessment of an application is never complete without the involvement of an application security expert.
  7. [Section divider] Website Security Approach
  8. The Importance of Website Scanning
     1. Increasing threats, regulations, and the changing IT landscape have made dynamic software security testing important.
     2. Web applications are now an integral part of any business.
     3. Web applications have become increasingly complex, holding tremendous amounts of sensitive data which can be used in unexpected ways, abused, stolen, and attacked.
     4. Vulnerabilities in applications lead to security breaches, which are a threat to brand reputation.
     5. The best web application security coverage is the combination of automated scanning and manual penetration testing.
     Comprehensive Website Security Scanning is Mandatory! (Source: Gartner)
  9. Automated and Manual Website Scanning
     Automated Scanning:
     • Easily identifies technical vulnerabilities.
     • Very thorough in the testing process.
     • Opportunity to increase the frequency of scans (daily).
     • Proactive approach of detecting a vulnerability in less time.
     • Confidence booster to business/app owners.
     Manual Scanning:
     • Intervention of a subject matter expert.
     • Identifies logical flaws and complex weaknesses.
     • Ability to correlate multiple vulnerabilities to create a bigger impact.
     • Ability to pass steps where human intervention is needed.
     • Ability to concentrate on test cases based on critical threats to the business.
     Human intelligence assessments and automated scanners are both required for complete vulnerability coverage when it comes to web applications.
  10. Technical Flaws versus Logical Flaws
     TECHNICAL FLAWS
     • Confidential Information Disclosure: Known Directory; Known CGI File; Configuration File Disclosure; Backup File Disclosure
     • Application Input Manipulation: SQL Injection; Cross-Site/In-Line Scripting; Buffer Overflow; OS Command Injection; Meta Character Injection; Directory Traversal; Null Injection; Extension Manipulation; Frame Spoofing
     LOGICAL FLAWS
     • Session Management: Brute/Reverse Force; Session Hi-Jacking; Session Replay; Session Forging; Password Recovery Logical Vulnerabilities
     • Disclosure: Verbose Error Messages; HTML Comments
     • Application Input Manipulation: User-Agent Manipulation; Referrer Manipulation; Debug Commands
     • Logical Flaws: Account Privilege Escalation; Page Sequencing; User Impersonation; Improper Session Handling; Confidential Information
     To detect logical flaws, human intelligence intervention is required.
  11. [Section divider] Challenges for Automated Scanning
  12. Challenges for Automated Scanning
     1. Infinite Website Structure
     2. Multi-Step Process
     3. Authentication and Authorization
  13. Infinite Website Structure
     Complex and dynamic websites are impossible to scan comprehensively in an automatic manner. Human intelligence can define finite test cases for finite threats.
     DYNAMIC WEB SITES:
     • Rate of addition
     • Rate of decay
     • Very large database of 500,000+ items and links
     • Dynamic URL creation
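One way a tester turns an "infinite" dynamic site into a finite set of test cases is to collapse crawled URLs into endpoint templates. The block below is an added example written for this page, not code from the Indusface deck or the IndusGuard product; the sample URLs and the `shop.example` host are constructed, and the rule set (numeric, UUID-like and long hex segments become placeholders, query strings keep only parameter names) is one reasonable choice, not the vendor's method.

```python
"""Collapse crawled URLs into endpoint templates so that a site with
hundreds of thousands of item pages yields a small, finite inventory of
endpoints to write logical test cases against.

Constructed example for the 'Infinite Website Structure' slide; the
host, paths and the placeholder rules are assumptions, not a real product.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

_NUMERIC = re.compile(r"^\d+$")
_HEXLIKE = re.compile(r"^[0-9a-fA-F]{16,}$")
_UUID = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)


def canonical_endpoint(url: str) -> str:
    """Return a template such as '/item/{int}?ref' for a concrete URL.

    Path segments that look like record identifiers are replaced with a
    typed placeholder; query parameter values are dropped and the names
    are sorted, because two URLs with the same parameter names exercise
    the same server-side code path.
    """
    parts = urlsplit(url)
    segments = []
    for seg in parts.path.split("/"):
        if seg == "":
            continue
        if _NUMERIC.match(seg):
            segments.append("{int}")
        elif _UUID.match(seg):
            segments.append("{uuid}")
        elif _HEXLIKE.match(seg):
            segments.append("{hex}")
        else:
            segments.append(seg)
    path = "/" + "/".join(segments)
    names = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    return path + ("?" + "&".join(names) if names else "")


def endpoint_inventory(urls):
    """Count how many crawled URLs fall into each endpoint template."""
    return Counter(canonical_endpoint(u) for u in urls)


# Constructed crawl output: many item pages, a few distinct endpoints.
SAMPLE_URLS = [
    "https://shop.example/item/10001",
    "https://shop.example/item/10002",
    "https://shop.example/item/499999",
    "https://shop.example/item/10003?ref=home",
    "https://shop.example/search?q=shoes&sort=price",
    "https://shop.example/search?sort=name&q=hats",
    "https://shop.example/order/3f2504e0-4f89-11d3-9a0c-0305e82c3301/receipt",
    "https://shop.example/cart",
    "https://shop.example/",
]

if __name__ == "__main__":
    for endpoint, count in endpoint_inventory(SAMPLE_URLS).most_common():
        print(f"{count:6d}  {endpoint}")
```

Run over a real crawl log, the inventory is what a manual tester scopes: each template gets its own authorization and page-sequencing checks, regardless of how many concrete items sit behind it.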
  14. Multi-Step Process
     • A multi-step process requires human intervention to complete the process.
     • An automated approach can never find all flaws or complete the process to find logical weaknesses.
  15. Authentication and Authorization
     Authentication and authorization are complex in nature.
  16. [Section divider] Hybrid Website Security
  17. Hybrid Website Security = Automated + Manual
     A hybrid model ensuring the best of automated scanning combined with manual testing, covering an internal and external assessment of vulnerabilities.
     AUTOMATED: Daily scans provide a proactive approach to identifying technical vulnerabilities on a daily basis.
     MANUAL: Checks for logical flaws and performs session-based checks using security experts.
     IndusGuard by Indusface is a zero-touch, non-intrusive, cloud-based solution which safeguards websites by daily, automatic and comprehensive scanning of websites for system and application vulnerabilities, and malware.
  18. Comprehensive Automated and Manual Website Security
     • Complete, Actionable Reporting
     • Detailed Remediation Guidelines
     • Unlimited Expert Support
     • Web Service API
     • Flexible Notification
     • Manual Revalidation
     • Flexible Management of Websites
     • Zero False Positives
     Manual assessment workflow (diagram): Customer Web Application → Application Review → Module Enumeration → Test Case Development (Business Logic Testing, Role Based Access Control, Test Database) → Test Execution → Draft Test Report → Case Validation → Manual Feedback
  19. [Section divider] Examples of Logical Checks
  20. Online Travel Portal
     A travel portal is designed to follow a business logic of allowing its consumers to book a flight ticket online at the listed price ($1000/-).
     A malicious user trying to book an online ticket:
     1. Selects the itinerary with the listed price ($1000/-).
     2. The same user exploits the application vulnerability to modify the listed price to a much lower price ($1000/- changed to $100/-).
     3. The payment gateway verifies the transaction as valid and $100/- is charged.
     4. The travel portal accepts the transaction as successful and issues a ticket to the consumer.
     A flaw in their business logic was identified. An online travel company can lose millions if the application is not able to handle and identify such online frauds.
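The travel-portal flaw is a server that charges whatever price the client echoes back from the previous page. The block below is an added example written for this page, not code from the deck or from any Indusface product: a toy checkout that trusts the submitted price, beside a hardened version that re-derives the amount from a server-side fare table, refuses any mismatch before the payment gateway is called, and writes an audit record a monitoring team can alert on. The fare table, itinerary ids, card token and the `gateway_charge` stand-in are all constructed.

```python
"""Price-tampering logic flaw and its fix, as a constructed example.

Nothing here is Indusface code; FARES, the itinerary ids and the
gateway stand-in are made up to keep the example runnable offline.
"""
from dataclasses import dataclass
from typing import List

# Constructed server-side fare table: itinerary id -> price in USD.
FARES = {
    "BOM-LHR-2024-06-01-Y": 1000,
    "BOM-DXB-2024-06-01-Y": 450,
}


@dataclass
class Charge:
    itinerary: str
    amount: int          # amount actually sent to the payment gateway
    ticket_issued: bool


class PriceMismatch(Exception):
    """Raised when the client-submitted price disagrees with the fare table."""


def gateway_charge(card_token: str, amount: int) -> bool:
    """Stand-in for the payment gateway. A real gateway only checks that the
    card can be charged for *amount*; it cannot know what the fare should
    have been, which is why it "verifies the transaction as valid"."""
    return bool(card_token) and amount > 0


def checkout_vulnerable(request: dict) -> Charge:
    """Flawed flow: the price shown on the previous page comes back in the
    request body and is used as the amount to charge ($1000 -> $100)."""
    itinerary = request["itinerary"]
    amount = int(request["price"])                  # client-controlled
    ok = gateway_charge(request["card"], amount)
    return Charge(itinerary, amount, ticket_issued=ok)


def checkout_hardened(request: dict, audit: List[str]) -> Charge:
    """Fixed flow: the amount is looked up server-side. A client-supplied
    price is accepted only as a consistency hint; a mismatch is logged for
    detection and the booking is refused before the gateway is called."""
    itinerary = request["itinerary"]
    expected = FARES[itinerary]                      # authoritative price
    if "price" in request and int(request["price"]) != expected:
        audit.append(
            f"price_tamper itinerary={itinerary} "
            f"submitted={request['price']} expected={expected}"
        )
        raise PriceMismatch(itinerary)
    ok = gateway_charge(request["card"], expected)
    return Charge(itinerary, expected, ticket_issued=ok)


if __name__ == "__main__":
    # Constructed request replaying the slide's $1000 -> $100 scenario.
    tampered = {"itinerary": "BOM-LHR-2024-06-01-Y", "price": "100", "card": "tok_demo"}
    print("vulnerable charged:", checkout_vulnerable(tampered).amount)
    log: List[str] = []
    try:
        checkout_hardened(tampered, log)
    except PriceMismatch:
        print("hardened refused; audit:", log[0])
```

The design point is that the payment step cannot catch this class of fraud, so the check has to sit in the application where the authoritative price lives, and the refused attempt should leave a log line rather than fail silently.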
  21. Online Voting System
     An online voting portal has a feature which allows the user to cast a vote only after entering the One Time Password (OTP) sent to the user's registered mobile number.
     1. A malicious user logs into the application and selects the candidate for whom he wants to cast the vote.
     2. The application now asks the user to enter the OTP which was sent to his registered mobile number.
     3. After some manipulation, the attacker is successful in casting the vote without entering the OTP.
     Now, if an attacker gets access to a valid user's username and password, he can cast the vote a number of times without entering the OTP.
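The voting flaw is a page-sequencing problem: the vote endpoint does not check that the OTP step actually completed for this session. The block below is an added example for this page, not code from the deck or from Indusface: a server-side session state machine (`logged_in` → `otp_sent` → `otp_verified` → `voted`) with a flawed `cast_vote_vulnerable` that only requires a session, next to `cast_vote_hardened`, which accepts a vote only from the verified state, burns the OTP after one use, caps attempts, and moves to `voted` so a replayed request is refused. Users, the `deliver` SMS stand-in and the attempt limit are constructed assumptions.

```python
"""OTP step-skipping flaw and its fix, as a constructed example.

Not Indusface code. The session object, the SMS stand-in and the attempt
limit are assumptions made to keep the example self-contained.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, List, Optional

MAX_OTP_ATTEMPTS = 3   # assumed policy value


@dataclass
class Session:
    user: str
    state: str = "logged_in"      # logged_in | otp_sent | otp_verified | voted
    otp: Optional[str] = None     # held server-side only, never echoed
    otp_attempts: int = 0
    votes: List[str] = field(default_factory=list)


def send_otp(session: Session, deliver: Callable[[str, str], None]) -> None:
    """Generate a fresh 6-digit code, hand it to the SMS channel and record
    the step transition. *deliver* stands in for the SMS gateway."""
    code = f"{secrets.randbelow(10**6):06d}"
    deliver(session.user, code)
    session.otp = code
    session.otp_attempts = 0
    session.state = "otp_sent"


def verify_otp(session: Session, submitted: str) -> bool:
    """Advance to otp_verified only from otp_sent, with a bounded number of
    guesses; the code is single-use and compared in constant time."""
    if session.state != "otp_sent":
        return False
    session.otp_attempts += 1
    if session.otp_attempts > MAX_OTP_ATTEMPTS:
        session.state = "logged_in"        # force a new OTP to be issued
        session.otp = None
        return False
    if hmac.compare_digest(session.otp or "", submitted):
        session.state = "otp_verified"
        session.otp = None                 # burn the code
        return True
    return False


def cast_vote_vulnerable(session: Session, candidate: str) -> bool:
    """Flawed endpoint: it only requires an authenticated session. A direct
    request after login records a vote with no OTP, every time it is sent,
    which is the behaviour the slide describes."""
    session.votes.append(candidate)
    return True


def cast_vote_hardened(session: Session, candidate: str) -> bool:
    """Fixed endpoint: the vote is accepted only from the otp_verified state,
    and the state advances to voted so a repeated request is refused."""
    if session.state != "otp_verified":
        return False
    session.votes.append(candidate)
    session.state = "voted"
    return True


if __name__ == "__main__":
    sms: dict = {}
    s = Session("demo_voter")
    print("direct cast before OTP:", cast_vote_hardened(s, "Candidate A"))
    send_otp(s, lambda user, code: sms.__setitem__(user, code))
    print("cast after OTP:", verify_otp(s, sms["demo_voter"]) and cast_vote_hardened(s, "Candidate A"))
    print("replay:", cast_vote_hardened(s, "Candidate A"), "votes:", s.votes)
```

Keeping the progress marker in server-side session state, rather than in a hidden form field or a client-visible flag, is what makes the sequencing enforceable; the same pattern applies to any multi-step flow the deck says automated scanners struggle to complete.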
  22. [Section divider] Benefits
  23. Benefits of Hybrid Website Security (Automated + Manual)
     • Complete coverage on website and web application security assessment
     • Zero false positives
     • Involvement of a subject matter expert
     • Proactive approach in finding vulnerabilities on a daily basis using automated scans
     • Evidence of exploit for business owners to demonstrate business impact
     • Ability to identify complex logical weaknesses
     • Ability to assess complex, huge and dynamic websites
     This powerful combination of technology and human intelligence is required to ensure comprehensive security coverage is provided to a web application.
  24. Thank You
     Sales: sales@indusface.com
     Marketing: marketing@indusface.com
     Technical: support@indusface.com
     VADODARA, INDIA: A/2-3, 3rd Floor, Status Plaza, Opp Relish Resort, Atladara Old Padra Road, Vadodara – 390020, Gujarat, India. T: +91 265 3933000, F: +91 265 2355820
     BANGALORE, INDIA: 408, 2nd Floor, Regency Enclave, 4, Magrath Road, Bangalore – 560025, Karnataka, India. T: +91 80 65608570, +91 80 65608571, F: +91 80 41129296
     MUMBAI, INDIA: 1357 / 1359, Regus Serviced Offices, Level 13, Platinum Techno Park 17 & 18, Sector 30, Vashi, Navi Mumbai – 400705, Maharashtra, India. T: +91 22 61214961
     DELHI, INDIA: Regus Serviced Office, 2F Elegance, Jasola District Center, Old Mathura Road, New Delhi – 110025, India. T: +91 9974090400