SPI Dynamics web application security 101
Web application security 101 explained by SPI Dynamics.

Presentation Transcript

  • Web Application Security
  • security. protection. intelligence.
    Q: Where Do Your Current Security Measures Fail?
    A: Your Proprietary, Custom-written Web Applications
  • Today over 70% of attacks against a company's Web site or Web application come at the "Application Layer", not the Network or System layer. A complete security solution requires attention at each potential point of attack.
  • Q: So how do we remedy this situation?
    A: Enact policies requiring your developers to write secure code.
      • Verify all request parameters are in proper format (via a standard library).
      • Any unknown or incorrect user data should be logged and the request terminated.
  • But if you instituted this policy, how would you effectively enforce it? What measures would you have in place to make sure that they comply? "An unenforceable policy, or one without a process to determine the outlined specifications, is just as good as no policy at all."
  • Q: But I use XYZ Scanner, won't it discover these types of vulnerabilities?
    A: No, and this is why.
  • Where Today's Security Measures Fail
  • Q: How can SPI Dynamics do all of this and the others can't?
    A: Because other scanners are a security broadsword, where ours is a security scalpel. WebInspect™ is NOT meant to replace any tools that are currently being used; instead it complements them.
  • How SPI Solves The Problem
  • WebInspect™ scans the whole site: Web server, Web pages, Scripts, Proprietary applications, Cookies.
    [Diagram labels: Internet, Firewall, IDS, Web Server, Database Server, Users Database, CC#'s Database]
  • WebInspect™ scans authentication codes, assesses security procedures, carves into confidential data... just like a hacker would.
    [Same diagram as the previous slide]
  • WebInspect™ automates our security expertise so that customers can simulate an advanced web-application attack on their own. WebInspect™ detects holes in both standard and proprietary applications, and crawls over the entire website in search of potential security problems.
  • WebInspect™ is easy to use. Simply enter the URL of the Web site or Web application you wish to scan and click go.
  • WebInspect™ is easy to understand. The Vulnerability Report is listed in order of severity and contains HTML links for navigation.
  • Features & Benefits of WebInspect™
      • Unique Focus: Your proprietary Web site or Web application
      • Superior Scanning: Products codify our security expertise
      • Extremely Fast: WebInspect™ runs in minutes/hours vs. the days/weeks it takes to complete traditional vulnerability assessments
      • Automated: Continuously maintain your security integrity
      • Updated: Continuously keep up to date on the latest vulnerabilities with the online update feature
      • Simple & Cost Effective: Licensed per IP address or per consultant
      • Risk-Free: Offered on a trial basis at no cost
  • How does WebInspect™ do this?
      • Hidden Manipulation
      • Parameter Tampering
      • Cookie Poisoning
      • Stealth Commanding
      • Forceful Browsing
      • Backdoor/Debug Options
      • Configuration Subversion
      • Vendor-Assisted Hacking
  • The SPI Works Product Suite
      • WebInspect™ (Application Assessment): Know your vulnerabilities. Use WebInspect™ to assess current Web sites or Web applications, and to QA new applications during development prior to release into production. Available now.
      • LogAlert™ (Application Log Audit): Know if you have been attacked. Use LogAlert™ to audit Web logs to know if an attacker has successfully compromised your Web site or Web application, and after you have been attacked for Web log forensic analysis. Available now.
      • WebDefend™ (Application Intrusion Protection): Proactively stop attacks. Use WebDefend™ to proactively stop Web site or Web application intrusions. Available Q2 2002.
  • Our Company
      • Founded in April 2000 by recognized Information Security industry experts
      • Released WebInspect™ in April 2001
      • HQ in Atlanta, Georgia
      • Resellers in New York, Chicago, Washington D.C., Knoxville, Miami, London
      • SPI serves clients in each of the following vertical industries: HealthCare, Insurance, Financial Services, Government, Global Enterprise, Consulting
  • SPI Dynamics is the leading provider of automated Web Application security products. SPI develops "hands-off" security products that contain the knowledge and expertise of an information security professional embedded in the code. The embedded "hacker logic" enables our software to think for the end-user, making their job easier.
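As an added example (not code from the SPI Dynamics deck), the developer policy from the "So how do we remedy this situation?" slide written out: a whitelist validator for one checkout form's request parameters that checks every value against a standard-library regular expression, logs anything unknown or malformed (the hidden-field and parameter-tampering cases the deck lists), and terminates the request. The form's parameter names and their formats are assumed for illustration.

```python
import logging
import re
from typing import Dict, Mapping

# Constructed whitelist for one checkout form (assumption for this example):
# every accepted parameter and the exact format it must have.
PARAM_RULES = {
    "item_id": re.compile(r"[0-9]{1,8}"),
    "qty": re.compile(r"[1-9][0-9]{0,2}"),
    "coupon": re.compile(r"[A-Z0-9]{4,12}"),
}
REQUIRED = {"item_id", "qty"}

log = logging.getLogger("request_validation")


class InvalidRequest(Exception):
    """Raised when the request must be terminated instead of served."""


def validate_params(params: Mapping[str, str], client_ip: str = "0.0.0.0") -> Dict[str, str]:
    """Return the parameters only if all are known, required ones are present,
    and every value fully matches its format; otherwise log and terminate."""
    problems = []
    for name, value in params.items():
        rule = PARAM_RULES.get(name)
        if rule is None:
            # e.g. an extra "price" field the client was never meant to send
            problems.append(f"unknown parameter {name!r}")
        elif not rule.fullmatch(value):
            # fullmatch rejects partial matches and trailing newlines
            problems.append(f"malformed {name}={value!r}")
    for name in sorted(REQUIRED - set(params)):
        problems.append(f"missing required parameter {name!r}")
    if problems:
        # Log the evidence first, then terminate the request, as the policy says.
        log.warning("rejected request from %s: %s", client_ip, "; ".join(problems))
        raise InvalidRequest("; ".join(problems))
    return dict(params)


def check(params: Mapping[str, str], client_ip: str = "0.0.0.0") -> bool:
    """Convenience wrapper: True if the request passes validation, else False."""
    try:
        validate_params(params, client_ip)
        return True
    except InvalidRequest:
        return False
```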