Essentials of Web Application Security: what it is, why it matters and how to get started


Published on

Join Cenzic’s Chris Harget for an overview of the essentials of Web Application Security, including the risks, practices and tools that improve security at every stage of the application lifecycle.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Essentials of Web Application Security: what it is, why it matters and how to get started

  1. 1. 1 Essentials of Web Application Security: What it is, Why it Matters, and How to Get Started Chris Harget - Product Marketing
  2. 2. 2 What Is Web Application Security?
  3. 3. Apps that (mostly) run in Browsers, and let users submit/retrieve information from databases 3
  4. 4. § Quickly installed/updated § Works across operating systems § Limitless reach, affordable 4 These Are Called “Vulnerabilities” But There Are Problem because… § Your Data is accessible from anywhere § To be useful, Web Apps interpret commands § There are hidden ways commands can be used to breach data
  5. 5. 5 Database Application ServerWeb Server Browser
  6. 6. 6 Database Application ServerWeb Server Browser Vulnerability + Hack
  7. 7. § Firewalls § Antivirus § Encryption § Network Vulnerability Scanners 7
  8. 8. § Cross-Site Scripting (XSS) –  Inserts malicious scripts via trusted URL § Broken Session Management –  Lets hackers access applications § Insecure Authentication –  Lets attack exploit authentication mechanism § Cross Site Request Forgery (CSRF) –  Forces a user to execute unwanted transactions on a Web App they’re logged into. § Structured Query Language (SQL) Injection –  Malicious inputs (commands) modifies SQL queries to steal or modify data. 8
  9. 9. § Web App Vulnerability Scanners conduct mock “attacks” on an application to catalogue which types of real attacks would succeed. § Results, with recommendations for how to fix, are reported to app owner 9
  10. 10. § Proactively scanning your applications for vulnerabilities and remediating them before the bad guys find them. § Measuring online risk to manage it § Highly automated for fast, comprehensive response and best real-world security. 10
  11. 11. 11 Why Does App Security Matter?
  12. 12. § Today’s Economy is all about Web Apps –  They’re your store, your product, your branding, your infrastructure. –  More apps with more valuable data make them a more attractive target § Types of Data that can be stolen –  Customer Identification –  Access Controls –  Transaction Information –  Core Business Data 12
  13. 13. 13 “69% of 12,000+ IT professionals surveyed believed that in 2013 Application Vulnerabilities are the number one security issue.” -The 2013 (ISC)2 Global Information Security Workforce Study %20Security%20Workforce%20Study%20Feb%202013.pdf
  14. 14. 14 Source:
  15. 15. 15
  16. 16. §  80% have Session Management problems §  61% have Cross Site Scripting issues §  45% have Authentication vulnerabilities 16
  17. 17. § Jan.14, 2013: CISO, Justin Somaini left shortly after a Cross Site Scripting (XSS) attack resulted in an embarrassing surge of Spam from compromised Yahoo Mail accounts. § Outside security experts said Yahoo was slow to fix the vulnerability, which may have led to the CISO’s abrupt departure. – departs-with-more-top-execs-under-ceo-scrutiny/ – – hijack-my-neighbors-e-mail-account/? utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A +arstechnica%2Findex+%28Ars+Technica+-+All+content%29 17
  18. 18. § SQL Injection of Heartland Payment Systems’ Web site In March of 2008 exposed 134 million credit cards. –  The vulnerability had been known for a long time –  Perpetrator was caught and is serving 20 years, but… –  …the damage was already done. § worst-data-security-breaches-of-the-21st-century 18
  19. 19. 19 Getting Started
  20. 20. § How many Web applications do you have? § Which apps have mission-critical data behind them? § Who Develops/updates them? § Do you want to build out a security analyst group or retain outside experts? § Do you have mobile apps you want to assess? 20
  21. 21. § Security Analysts: Scan, Analyze, Coordinate § App Developers: Incorporate findings, fix code § QA: Re-run scans to ensure fixes worked § Governance/Risk/Compliance: Consume reports § Production Team: Re-run scans regularly to find new issues § CIO/CISO: View Dashboard to see trends 21
  22. 22. § Many vulnerabilities are relatively easy to detect, block and fix. § Common tools for managing vulnerabilities: –  Secure coding standards –  Web security scanning –  Intrusion/penetration testing –  Web Application Firewalls (WAFs) § Security is a continuous effort –  New developers, software and hardware are employed –  Old vulnerabilities never go away –  Hackers continue to generate new attacks 22
  23. 23. 1.  Employ coding best practices during development. 2.  Scan and remediate in pre-production test environment (run-time is most accurate) 3.  Monitor production apps, and patch accordingly –  Web Application Firewalls, working with vulnerability scanner, can use policy to “virtually patch” some vulnerabilities 23
  24. 24. § Pre-Production –  Pros: Fixing earlier may be more efficient, more aggressive testing may be used safely –  Cons: Test environment may not mirror production environment. § Production –  Pros: Most accurate (real environment), Detects newly discovered vulnerabilities, Web App Firewall virtual patch may minimize repair time –  Cons: Production team must buy in, care must be taken to use only safe attacks. § Answer? Yes. Both. All of the above. 24
  25. 25. § Managed Service –  Pro: Expert, Fast, Easy, can cover Mobile apps too –  Con: $$, Only as good as their tools § Cloud-based SaaS –  Pro: Quick Setup, Simple, Affordable –  Con: Shallower scan misses some vulnerability types § Software (desktop or Enterprise) –  Pro: Powerful, best value for large # of apps –  Con: More to learn, costly for small # of apps § Hybrid (Managed Service + Enterprise Software) –  Pro: Most secure, augments your team, flexible –  Con: Mostly for enterprises 25
  26. 26. 26 Managed Service Cloud Hybrid Service + Software Enterprise Software Skill Required Depth of Scan
  27. 27. § Mix and Match –  Managed Service for Compliance/Mission Critical apps –  Software or Cloud for the rest § Plan to Evolve –  Managed Service to start, migrate to Hyrid or Enterprise Software (your data can be preserved) § Phase I, Phase II –  Cover most important apps first –  Expand to the rest when feasible 27
  28. 28. § Who? –  Global NGO with thousands of web sites § Need? –  Methodology Assessment of their security posture, and real-world training of their Developers § Solution? –  Cenzic PS did a 3-day engagement with their App Developers. –  Reviewed 10 most common vulnerabilities, found examples in their production apps. –  Cenzic PS demonstrated on a Live Demo site how a hacker could exploit those specific types of vulnerabilities –  Reviewed coding best practices to completely eliminate said vulnerabilities. 28
  29. 29. § Who? –  High technology company with a mobile application that accessed sensitive customer data § Need? –  Vulnerability Scan a mobile app that can not be traditionally traversed with a spider. § Solution? –  Cenzic Mobile Scan service performed a dynamic analysis by placing a proxy in line to the mobile app, which allowed technicians to replay various attacks and coupled it with a thorough forensic analysis of the application on the device to identify vulnerabilities that exposed customer data. 29
  30. 30. § Who? –  A Health Maintenance Organization § Need? –  Deep scan of a new application on a tight development schedule to ensure compliance. § Solution? –  Cenzic PS performed Manual Penetration testing along with the comprehensive vulnerability scanning to provide a very thorough scan which could suffice for any compliance or audit need. 30
  31. 31. 31 Bronze   Silver   Gold   Pla0num    Industry  Best-­‐ Prac0ces  for   Brochureware   sites   Industry  Best-­‐ Prac0ces  for  forms   and  login  protected   sites   Compliance  for   sites  with  user   data    Comprehensive   scans  for  Mission   cri0cal   applica0ons   Phishing   X    X   X    x   Light  input   valida0on   X   X   X    x   Data  Security   X   X   X   x     Session   management   X   X   x     OWASP   compliance   X   x     PCI  compliance   X   x     Business  logic   tes0ng   x   Applica0on  logic   tes0ng   x   Manual   penetra0on   tes0ng   x  
  32. 32. 32 Of All Attacks on Information Security Are Directed to the Web Application Layer Of All Web Applications Are Vulnerable Network Server Web Application % of Amount Security Budget 10% 90% % of Attacks Risk 75% Web Layer 25%
  33. 33. 33 § Justify more IT spend § Reallocate existing IT spend § Stretch existing App Sec spend Tip: For more ideas watch “Top 10 Ways to Win Budget For App Security”
  34. 34. § Web App Security Trends Report 2013 – Report.html § Web Security: Are You Part Of The Problem? – security-primer-are-you-part-of-the-problem/ § Open Web Application Security Project –  ( is a broad-based organization seeking to make software security visible for better decision making 34
  35. 35. We offer: § Industry-leading, patented scanning technology § The broadest range of managed service, cloud, enterprise software and hybrid service solutions to best meet your evolving needs § Training, consulting, and mobile app assessment 35
  36. 36. §  Audit your environment –  How many apps do you have? –  Are you subject to regulatory compliance? –  Which app is most crucial to your organization? §  Identify team members who need to get educated §  Try Cenzic for Free – §  Let us know how we can help you succeed! –  Consulting, Managed Services, and Training always help 36
  37. 37. | 1-866-4-CENZIC (1-866-423-6942) Questions? or 1.866-4-Cenzic Blog: