SPI Dynamics web application security 101

Web application security 101 explained by SPI Dynamics.

Published in: Technology

  1. Web Application Security
  2. security. protection. intelligence.
     Q: Where Do Your Current Security Measures Fail?
     A: Your Proprietary, Custom-written Web Applications
  3. Today over 70% of attacks against a company's Web site or Web application come at the "Application Layer", not the Network or System layer.
     A complete security solution requires attention at each potential point of attack.
  4. Q: So how do we remedy this situation?
     A: Enact policies requiring your developers to write secure code.
     • Verify all request parameters are in proper format (via a standard library).
     • Any unknown or incorrect user data should be logged and terminated.
  5. But if you instituted this policy, how would you effectively enforce it? What measures would you have in place to make sure that they comply?
     "An unenforceable policy, or one without a process to determine the outlined specifications, is just as good as no policy at all."
  6. Q: But I use XYZ Scanner, won't it discover these types of vulnerabilities?
     A: No, and this is why.
  7. Where Today's Security Measures Fail
  8. Q: How can SPI Dynamics do all of this and the others can't?
     A: Because other Scanners are a security Broadsword, where ours is a Security Scalpel.
     WebInspect™ is NOT meant to replace any tools that are currently being used; instead it complements them.
  9. How SPI Solves The Problem
  10. WebInspect™ scans the whole site: Web server, Web pages, Scripts, Proprietary applications, Cookies.
      (Diagram labels: Internet, IDS, Firewall, Web Server, Database Server, CC#'s Database, Users Database)
  11. WebInspect™ scans authentication codes, assesses security procedures, carves into confidential data... just like a hacker would.
      (Diagram labels: Internet, IDS, Firewall, Web Server, Database Server, CC#'s Database, Users Database)
  12. WebInspect™
      WebInspect™ automates our security expertise so that customers can simulate an advanced web-application attack on their own. WebInspect™ detects holes in both standard and proprietary applications, and crawls over the entire website in search of potential security problems.
  13. WebInspect™
      WebInspect™ is easy to use. Simply enter the URL of the Web site or Web application you wish to scan and click go.
  14. WebInspect™
      WebInspect™ is easy to understand. The Vulnerability Report is listed in order of severity and contains HTML links for navigation.
  15. Features & Benefits of WebInspect™
      • Unique Focus: Your proprietary Web site or Web application
      • Superior Scanning: Products codify our security expertise
      • Extremely Fast: WebInspect™ runs in minutes/hours vs. the days/weeks it takes to complete traditional vulnerability assessments
      • Automated: Continuously maintain your security integrity
      • Updated: Continuously keep up to date on the latest vulnerabilities with the online update feature
      • Simple & Cost Effective: Licensed per IP address or per consultant
      • Risk-Free: Offered on a trial basis at no cost
  16. How does WebInspect™ do this?
      • Hidden Manipulation
      • Parameter Tampering
      • Cookie Poisoning
      • Stealth Commanding
      • Forceful Browsing
      • Backdoor/Debug Options
      • Configuration Subversion
      • Vendor-Assisted Hacking
  17. The SPI Works Product Suite
      • Know your vulnerabilities: WebInspect™ (Application Assessment), available now. Use WebInspect™ to assess current Web sites or Web applications. Use WebInspect™ to QA new applications during development prior to release into production.
      • Know if you have been attacked: LogAlert™ (Application Log Audit), available now. Use LogAlert™ to audit Web logs to know if an attacker has successfully compromised your Web site or Web application. Use LogAlert™ after you have been attacked for Web log forensic analysis.
      • Proactively stop attacks: WebDefend™ (Application Intrusion Protection), available Q2 2002. Use WebDefend™ to proactively stop Web site or Web application intrusions.
  18. Our Company
      • Founded in April 2000 by recognized Information Security industry experts
      • Released WebInspect™ in April 2001
      • HQ in Atlanta, Georgia
      • Resellers in New York, Chicago, Washington D.C., Knoxville, Miami, London
      • SPI serves clients in each of the following vertical industries: HealthCare, Insurance, Financial Services, Government, Global Enterprise, Consulting
  19. SPI Dynamics is the leading provider of automated Web Application security products. SPI develops "hands-off" security products that contain the knowledge and expertise of an information security professional embedded in the code. The embedded "hacker logic" enables our software to think for the end-user, making their job easier.
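The secure-coding policy from slide 4 (verify every request parameter against a declared format, log and terminate anything unknown or incorrect) written out as a small allowlist validator. This is an added example, not code from the SPI Dynamics deck or from WebInspect; the `Rule`, `ORDER_VIEW_SCHEMA` and `handle_request` names and the order-view parameters are assumptions constructed for illustration.

```python
import logging
import re
from dataclasses import dataclass
from typing import Mapping

log = logging.getLogger("param-policy")


@dataclass(frozen=True)
class Rule:
    """Declared format of one parameter: the whole value must match the regex."""
    pattern: str
    max_len: int = 64
    required: bool = True


# Hypothetical schema for an "order view" request, constructed for this example.
ORDER_VIEW_SCHEMA: Mapping[str, Rule] = {
    "order_id": Rule(r"[0-9]{1,12}"),
    "format": Rule(r"html|pdf", max_len=4, required=False),
}


def validate_params(params: Mapping[str, str], schema: Mapping[str, Rule]) -> list[str]:
    """Return the policy violations; an empty list means the request may proceed.

    Unknown names, missing required names and badly formatted values are all
    violations, so nothing outside the declared contract reaches the application.
    """
    violations = [f"unknown parameter {n!r}" for n in params if n not in schema]
    for name, rule in schema.items():
        value = params.get(name)
        if value is None:
            if rule.required:
                violations.append(f"missing parameter {name!r}")
        elif len(value) > rule.max_len or not re.fullmatch(rule.pattern, value):
            violations.append(f"malformed parameter {name!r}")
    return violations


def handle_request(params: Mapping[str, str]) -> int:
    """Terminate the request (HTTP 400) and log when the policy is violated, else 200."""
    violations = validate_params(params, ORDER_VIEW_SCHEMA)
    if violations:
        # Log parameter names only, never raw values, so hostile input cannot
        # forge or pollute the log entries that a later log audit relies on.
        log.warning("rejected request: %s", "; ".join(violations))
        return 400
    return 200
```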