Introduction to the basics of Web Application Security and Security testing. Presentation delivered by Emstell Director Ayoob at the Info Sec Conference Kuwait

1. Ayoob Kalathingal - PMP
Director - Emstell Technology Consulting
Ayoob.ok@emstell.com
Kuwait, India, United Kingdom, Saudi Arabia

2.  Understand the need for securing the application layer of web based
applications.
 Understand the various web application vulnerabilities, impact and Counter
Measures
 Security testing.
www.emstell.com

3.  Web applications have evolved from static pages to a more interactive set up.
This interaction has started exposing the technical deficiencies of web
applications in the form of vulnerabilities.
 Dependency on the internet to carry out critical and sensitive business
transactions has increased . Hence the stake involved is very high.
 “Over 50% of security attacks are targeted on web based applications” -
Gartner Report”
 Competition is so high that enterprises can‟t ignore the risk associated with
their vulnerable application. Loss incurred could vary from monetary losses
to loss of credibility. In certain cases it could mean end of business.
www.emstell.com

4. Many Countries has come up with strict rules and regulations on Information
Security of business.
 IT Act 2011 in India
 PIPED Act – Canada (Personal Information Protection and Electronic Documents Act)
 U.S. Information Security Law,
 HIPAA – 1996 - Health Insurance Portability and Accountability Act
Business Customers are increasingly aware of the systems security and is
demanding security and quality certifications in the systems
 ISO 27001
 PCI DSS - Payment Card Industry Data Security Standard
www.emstell.com

5. Large number of applications coming to the hands of common man carrying out
transactions with personal and financial data
More and more applications moving to cloud where multiple user or enterprise
data is stored in single server or data centers.
“Application security is no more a Luxury, its Business”
www.emstell.com

6.  Confidentiality – ensuring that information is accessible only to those authorized.
 Integrity – safeguarding the accuracy and completeness of information and processing
methods.
 Availability – ensuring that authorized users have access to information and associated
assets when required.
 Accountability – ensuring that authorized users use information in appropriate ways.
www.emstell.com

7. Web
Server
DBApp
Server
Firewall
Port 80 (Open)HTTP Traffic
Client
www.emstell.com

8. SQL Query
SELECT user FROM Users
WHERE
Username = '"& strname &"' AND Password = '"& strPassword &"„
Query with valid input
SELECT user FROM Users
WHERE
Username = 'avis' AND Password = 'avis'
www.emstell.com

9. Query with tampered input
SELECT user FROM Users
WHERE
Username = 'avis';--' AND Password = '"& strPassword &"'
www.emstell.com

10. Authorization
 Credential/Session
Prediction
 Insufficient Session
Expiration
 Session Fixation
 Insufficient
Authorization
Authentication
 Brute Force
 Weak Password Recovery
Policy
 Insufficient
Authentication
Client-Side Attacks
 Content Spoofing
 Cross Site Scripting
Information Disclosure
 Directory Indexing
 Information Leakage
 Path Traversal
 Predictable Resource
Location
Command Execution
 Buffer Overflow
 Format String Attack
 LDAP Injection
 OS Commanding
 SQL Injection
 SSI Injection
 X Path Injection
Logical Attacks
 Abuse of Functionality
 Denial of Service
 Insufficient Anti-
Automation
 Insufficient Process
Validation
www.emstell.com

11.  Non-availability (By bringing the database down)
 Breach of confidentiality (By viewing other user‟s records)
 Breach of integrity (By updating other user‟s records)
 Impersonation (By logging into accounts without a valid password)
 + Business Impacts
www.emstell.com

12.  Strong and Secure systems, firewalls and antiviruses
 Proper Input validation
 Following standard coding practices
 Have strong password policy in place.
 Use of strong session ID generation algorithms
 Disable scripting in the web browser and disable input echoing
 Grant only necessary privileges for accounts that are used to connect to DB
 Implement/configure proper access control mechanisms on the web server.
 Application Security Testing and Fixing the vulnerabilities
 Educating the users
www.emstell.com

13. “Though the significant attacks over time where of Zero Day Attack nature, this
forms much a lesser count of the total attacks”
Test based on the Target Users
 Vulnerability Assessments
 Penetration Testing
Manual - a team of security
experts manually probe the
application for common flaws.
Automated - a tool is used for
testing the application for flaws.
False Positives
www.emstell.com

14. “The cost of quality is higher in the later stages of an application”
Application security should be a part of the application development and
should be incorporated to the SDLC Process.
Integrating security to the build.
Educating the users, using the best of media and creative formats.
www.emstell.com

15. Ref: www.owasp.org
www.emstell.com

16. Emstell Technology Consulting, is a technology firm offering enterprise level
software quality assurance and testing services and ERP Solutions in Education
sector.
Our Media team deliver creative animated videos for educating users on
company policies, explaining business and promotion.
We deliver ERP Solutions in
◦ Web Enabled School Management
◦ Library Management Solution
◦ Business Accounting and Inventory
www.emstell.com

17. Ayoob Kalathingal - PMP
Director - Emstell Technology Consulting
Ayoob.ok@emstell.com
Kuwait, India, United Kingdom, Saudi Arabia
www.emstell.com