Transcript of "SPI Dynamics web application security 101 "
Web Application Security
security. protection. intelligence.

Q: Where Do Your Current Security Measures Fail?
A: Your Proprietary, Custom-Written Web Applications
Today over 70% of attacks against a company's Web site or Web application come at the 'Application Layer', not the Network or System layer.
A complete security solution requires attention at each potential point of attack.
Q: So how do we remedy this situation?
A: Enact policies requiring your developers to write secure code.
• Verify all request parameters are in proper format (via a standard library).
• Any unknown or incorrect user data should be logged and terminated.
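The policy on this slide written out as one central validator, in Python: every request parameter is checked against a known format, and anything unknown, malformed or missing is logged and the request is terminated. This is an added example, not SPI Dynamics code; the endpoint path, parameter names and format patterns are constructed assumptions.

```python
"""Central request-parameter validation for the slide's policy: check every
parameter against a known format; log and terminate (reject) anything unknown
or malformed. Added example, not SPI Dynamics code; the endpoint, parameter
names and patterns below are constructed for illustration."""
import logging
import re
from dataclasses import dataclass
from typing import Dict, Mapping, Optional, Pattern

log = logging.getLogger("param_policy")

@dataclass(frozen=True)
class Rule:
    pattern: Pattern[str]  # the whole value must match this
    required: bool = True

# Allow-list per endpoint: any parameter not listed here is rejected outright.
PARAM_POLICY: Dict[str, Dict[str, Rule]] = {
    "/account/view": {
        "account_id": Rule(re.compile(r"\d{1,10}")),
        "page": Rule(re.compile(r"[1-9]\d{0,3}"), required=False),
    },
}

@dataclass(frozen=True)
class Verdict:
    ok: bool
    reason: Optional[str] = None
    params: Optional[Dict[str, str]] = None

def _reject(path: str, client_ip: str, reason: str) -> Verdict:
    # Log for review without echoing the offending value, so a hostile value
    # cannot pollute the log line; processing of the request stops here.
    log.warning("rejected request path=%s client=%s reason=%s", path, client_ip, reason)
    return Verdict(ok=False, reason=reason)

def validate_request(path: str, query: Mapping[str, str], client_ip: str) -> Verdict:
    """Accept only if every parameter is known and well-formed and every
    required one is present; otherwise log and reject the whole request."""
    rules = PARAM_POLICY.get(path)
    if rules is None:
        return _reject(path, client_ip, "unknown endpoint")
    for name, value in query.items():
        rule = rules.get(name)
        if rule is None:
            return _reject(path, client_ip, f"unknown parameter {name!r}")
        if not isinstance(value, str) or rule.pattern.fullmatch(value) is None:
            return _reject(path, client_ip, f"malformed parameter {name!r}")
    missing = sorted(n for n, r in rules.items() if r.required and n not in query)
    if missing:
        return _reject(path, client_ip, f"missing required parameter(s) {missing}")
    return Verdict(ok=True, params=dict(query))
```

Because the check runs before any handler code and is the only path into the application, compliance with the policy becomes something the log and a code review can verify rather than a request to each developer.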
But if you instituted this policy, how would you effectively enforce it?
What measures would you have in place to make sure that they comply?
"An unenforceable policy, or one without a process to determine the outlined specifications, is just as good as no policy at all."
Q: But I use XYZ Scanner, won't it discover these types of vulnerabilities?
A: No, and this is why.
Q: How can SPI Dynamics do all of this and the others can't?
A: Because other Scanners are a security Broadsword, where ours is a Security Scalpel.
WebInspect™ is NOT meant to replace any tools that are currently being used; instead it complements them.
How SPI Solves The Problem
WebInspect™ scans the whole site:
Web server
Web pages
Scripts
Proprietary applications
Cookies
(Diagram: Internet, Firewall, IDS, Web Server, Database Server, CC#'s Database, Users Database)
WebInspect™
Scans authentication codes
Assesses security procedures
Carves into confidential data ... just like a hacker would
(Diagram: same network layout as the previous slide.)
WebInspect™
WebInspect™ automates our security expertise so that customers can simulate an advanced web-application attack on their own. WebInspect™ detects holes in both standard and proprietary applications, and crawls over the entire website in search of potential security problems.
WebInspect™
WebInspect™ is easy to use. Simply enter the URL of the Web site or Web application you wish to scan and click go.
WebInspect™
WebInspect™ is easy to understand. The Vulnerability Report is listed in order of severity and contains HTML links for navigation.
Features & Benefits of WebInspect™
Unique Focus: Your proprietary Web site or Web application
Superior Scanning: Products codify our security expertise
Extremely Fast: WebInspect™ runs in minutes/hours vs. the days/weeks it takes to complete traditional vulnerability assessments
Automated: Continuously maintain your security integrity
Updated: Continuously keep up to date on the latest vulnerabilities with the online update feature
Simple & Cost Effective: Licensed per IP address or per consultant
Risk-Free: Offered on a trial basis at no cost
The SPI Works Product Suite

WebInspect™ (Application Assessment): Know your vulnerabilities. Available now.
Use WebInspect™ to assess current Web sites or Web applications.
Use WebInspect™ to QA new applications during development prior to release into production.

LogAlert™ (Application Log Audit): Know if you have been attacked. Available now.
Use LogAlert™ to audit Web logs to know if an attacker has successfully compromised your Web site or Web application.
Use LogAlert™ after you have been attacked for Web log forensic analysis.

WebDefend™ (Application Intrusion Protection): Proactively stop attacks. Available Q2 2002.
Use WebDefend™ to proactively stop Web site or Web application intrusions.
Our Company
Founded in April 2000 by recognized Information Security industry experts
Released WebInspect™ in April 2001
HQ in Atlanta, Georgia
Resellers in New York, Chicago, Washington D.C., Knoxville, Miami, London
SPI serves clients in each of the following vertical industries:
HealthCare
Insurance
Financial Services
Government
Global Enterprise
Consulting
SPI Dynamics is the leading provider of automated Web Application security products.
SPI develops "hands-off" security products that contain the knowledge and expertise of an information security professional embedded in the code.
The embedded "hacker logic" enables our software to think for the end-user, making their job easier.