Web application security


  1. Web Application Security
     Firewalls will not be able to protect you
     Akash Mahajan, Chapter Lead for null Bangalore
  2. What should keep you up at night
     95% of attacks are against "web servers and web applications", i.e. websites.
     The top three verticals compromised were financial services, hospitality and retail.
     More than 60% of attacks were caused by external agents.
     The primary attack vector was SQL injection, used to install customised malware.
     Injection is the #1 critical flaw in applications.
     Sources: Verizon DBIR 2010, WhiteHat Security statistics, OWASP Top 10 2010
  3. Web App Attacks: SQL Injection
     Picture: a number plate crafted to foil an automatic license plate scanner.
     SQL injection is an attack in which attacker-controlled input is interpreted as part of a SQL statement: query text and data are mixed in one string, so the data can change the query.
  4. Web App Attacks: Bobby Tables (the xkcd "Exploits of a Mom" strip)
  5. Web App Attacks: XSS
     XSS was the first link in the chain that got attackers root on an apache.org server in April 2010.
     A popular shopping website that used to sell only books, and now sells other stuff as well.
     The inner window is an iframe injected through a simple search request.
     Picture courtesy null Keeda Vulnerability Database
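Slide 5 shows an iframe injected through a search request. This added example, which is not from the deck or its author, models the reflected-XSS mechanism behind that screenshot: a search page that echoes the query unescaped, the same page with the query escaped for the HTML text context, and a parser that lists which elements a browser would build from each output. The payload and the host attacker.example are made up for the example.

```python
import html
from html.parser import HTMLParser

# Constructed payload; attacker.example is a hypothetical host, not a real site.
PAYLOAD = '<iframe src="https://attacker.example/" width="400" height="300"></iframe>'


def search_page_vulnerable(query):
    """Reflects the search term straight into the markup, as the vulnerable site did."""
    return "<html><body><h1>Results for: " + query + "</h1></body></html>"


def search_page_safe(query):
    """Escapes for the HTML text context before reflecting. html.escape is only right for
    HTML text and quoted attribute values; script blocks, URLs and event-handler
    attributes each need their own context-specific encoding."""
    return "<html><body><h1>Results for: " + html.escape(query, quote=True) + "</h1></body></html>"


class TagCollector(HTMLParser):
    """Records the element start tags a browser would create from the markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def rendered_tags(page):
    """Parses the page and returns the start tags in document order."""
    parser = TagCollector()
    parser.feed(page)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    print(rendered_tags(search_page_vulnerable(PAYLOAD)))  # ['html', 'body', 'h1', 'iframe']
    print(rendered_tags(search_page_safe(PAYLOAD)))        # ['html', 'body', 'h1']
    print(search_page_safe(PAYLOAD))                       # payload shown as &lt;iframe ...&gt; text
```

The escaped page still displays the attacker's string, but only as text; no iframe element exists for the browser to load. A Content-Security-Policy with a restrictive `frame-src` would limit where such an iframe could point even if escaping were missed, but output encoding is the fix.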
  6. Other Critical Flaws/Attacks
     Cross-Site Request Forgery: attacks the user of the application
     Clickjacking: the Facebook "Like" attack
     Security Misconfiguration: default passwords in DSL routers
     Insecure Cryptographic Storage: the Apache attack
     Tiny URLs: employees trust and click on anything!
  7. Solutions/Mitigations
     Training in secure coding for developers
     Code reviews by competent security folks
     Regular mining of web server logs
     An application security practice
     Awareness about new attacks
     Set up a red team in the company
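Slide 7 lists "regular mining of web server logs" as a mitigation but does not show what to look for. The following is an added example, not from the deck or its author: a small scanner over Apache/nginx combined-format access log lines that URL-decodes each request path and flags the injection, XSS and path-traversal indicators discussed on the earlier slides. The log lines are constructed for the example (documentation IP ranges, made-up events), and the signature list is a triage heuristic, not a parser for SQL or HTML.

```python
import re
from urllib.parse import unquote_plus

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Crude indicators matched against the decoded request path. Expect some false
# positives; tune the patterns against your own traffic before alerting on them.
SIGNATURES = [
    ("sqli", re.compile(r"(?i)(union\s+select|'\s*(or|and)\s|;\s*drop\s+table|'\s*--)")),
    ("xss", re.compile(r"(?i)(<\s*(script|iframe|img|svg)\b|javascript:|\bon\w+\s*=)")),
    ("traversal", re.compile(r"(\.\./){2,}|/etc/passwd")),
]

# Constructed sample lines: the addresses are documentation ranges and the events are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2010:13:55:36 +0530] "GET /search?q=python+books HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2010:13:56:01 +0530] "GET /login?user=alice%27%20--&pass=x HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2010:13:56:20 +0530] "GET /products?id=1%20UNION%20SELECT%20name,password%20FROM%20users HTTP/1.1" 500 233 "-" "sqlmap/1.0"
192.0.2.44 - - [10/Apr/2010:14:02:11 +0530] "GET /search?q=%3Ciframe+src%3D%22http%3A%2F%2Fattacker.example%2F%22%3E HTTP/1.1" 200 5301 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Apr/2010:14:03:40 +0530] "GET /static/../../../../etc/passwd HTTP/1.1" 404 196 "-" "curl/7.19.7"
"""


def classify_path(path):
    """Returns the first matching indicator name for a decoded path, or None."""
    for name, pattern in SIGNATURES:
        if pattern.search(path):
            return name
    return None


def scan_log(text):
    """Parses each line, URL-decodes the request path (attackers encode their payloads)
    and returns one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; count these separately in a real pipeline
        decoded = unquote_plus(m.group("path"))
        category = classify_path(decoded)
        if category:
            findings.append({"ip": m.group("ip"), "category": category,
                             "status": int(m.group("status")), "path": decoded,
                             "agent": m.group("agent")})
    return findings


def hits_per_ip(findings):
    """Aggregates findings per source address, the unit you would alert or block on."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["category"], f["status"], f["path"])
    print(hits_per_ip(scan_log(SAMPLE_LOG)))  # {'198.51.100.7': 2, '192.0.2.44': 2}
```

Two things the example makes visible: decoding before matching is essential, since `%27%20--` looks harmless until it becomes `' --`, and a 200 on an injection attempt is more interesting than a 500, because it suggests the payload did not break the query. Access logs only carry the query string, so POST bodies, where most form-based injection lives, need application-level logging to be mined at all.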
  8. About null
     null: Indian Open Security Community, null.co.in
     Registered non-profit society
     5 active chapters in India
     We conduct monthly meetings, regular awareness camps and trainings.
     More than 1000 security professionals and enthusiasts in the group.
     null Keeda Vulnerability Database: http://keeda.nullcon.net
  9. Akash Mahajan
     Chapter Lead of null Bangalore
     Web Security Consultant
     I hack, test and secure web apps and servers
     Help companies become secure on the AWS cloud
     Website: akashm.com
     Email: akashmahajan@gmail.com / aka@null.co.in
     Twitter: @makash
     LinkedIn: www.linkedin.com/in/akashm
