A Comedy of Errors
in web application security
with apologies to William Shakespeare
This is a code-lite talk!
Rob Dudley
CTO/CISO for a cryptocurrency hedge fund

Web application developer

Podcaster

Quiz host 😁
Web application security
Examples of how NOT to do it
How can we handle it better?
GAME OF PWNS
Web Application Development IS Security
Very real consequences for getting it wrong
Comedy?
Let’s get started shall we?
July 2017 - Equifax
• Attackers breached Equifax's public-facing web application (the consumer dispute portal) and pivoted from it to their core databases
• Impacted as many as 143 million US consumers (Equifax later revised the figure to about 147 million)
• Social Security numbers, birth dates, addresses, driver's license numbers, and ~209,000 credit card numbers
• Under the 2019 settlement, Equifax offered affected users up to $125 (or free credit monitoring)
• Equifax stock dropped over 30% in the week after disclosure
How did it happen?
• They didn't update their software (OWASP A9:2017 Using Components with Known Vulnerabilities)
• Apache Struts vulnerability CVE-2017-5638: publicly known and patched for TWO MONTHS before the intrusion began in mid-May 2017
• The actual bug was not an XML deserialisation error: it was OGNL expression injection through a crafted Content-Type header in Struts' Jakarta Multipart parser, giving unauthenticated remote code execution (OWASP A1:2017 Injection). The separate XStream deserialisation bug in the Struts REST plugin (CVE-2017-9805, OWASP A8:2017) was disclosed the same week the breach was announced, which is why the two are often confused
How could it be prevented?
• Patch your sh*t! A framework RCE with a public exploit is a same-week fix, not a next-quarter one
• Subscribe to security announce lists for frameworks / modules (the Struts project publishes its own security bulletins)
• Run an application vulnerability scanner and a dependency scanner against every build (and act on the results)
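The "dependency scanner" bullet is the one that would have caught Equifax's problem before deployment. The block below is an added example, not code from the talk or from the Struts project: it reads a Maven pom.xml, expands `${property}` versions the way Maven does, and flags any struts2-core dependency that falls inside the affected ranges the Struts project published for S2-045 (CVE-2017-5638): 2.3.5 to 2.3.31 and 2.5 to 2.5.10. The sample pom.xml is constructed for the example; the `KNOWN_VULNERABLE` table is the only thing you would extend in practice (or replace with a feed such as OWASP Dependency-Check).

```python
import re
import xml.etree.ElementTree as ET

# Affected version ranges for Apache Struts S2-045 (CVE-2017-5638), as published
# by the Struts project: 2.3.5 - 2.3.31 and 2.5 - 2.5.10. Fixed in 2.3.32 / 2.5.10.1.
KNOWN_VULNERABLE = {
    ("org.apache.struts", "struts2-core"): [
        ("CVE-2017-5638", (2, 3, 5), (2, 3, 31)),
        ("CVE-2017-5638", (2, 5, 0), (2, 5, 10)),
    ],
}

# Constructed sample pom.xml (not from any real project). The Struts version is
# pinned through a Maven property, as real builds usually do.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>webapp</artifactId>
  <version>1.0</version>
  <properties>
    <struts.version>2.3.30</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.5</version>
    </dependency>
  </dependencies>
</project>
"""


def _local(tag):
    """Strip the XML namespace Maven puts on every element."""
    return tag.rsplit("}", 1)[-1]


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); pads to three parts so '2.5' sorts as 2.5.0.
    Returns None for unresolved placeholders such as '${struts.version}'."""
    m = re.match(r"(\d+(?:\.\d+)*)", text or "")
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def parse_pom(pom_xml):
    """Return [(groupId, artifactId, version)] with ${property} versions expanded."""
    root = ET.fromstring(pom_xml)
    props = {}
    for node in root.iter():
        if _local(node.tag) == "properties":
            props.update({_local(p.tag): (p.text or "").strip() for p in node})
    deps = []
    for node in root.iter():
        if _local(node.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in node}
        version = f.get("version", "")
        for _ in range(5):  # bounded so a self-referencing property cannot loop forever
            if version.startswith("${") and version.endswith("}") and version[2:-1] in props:
                version = props[version[2:-1]]
            else:
                break
        deps.append((f.get("groupId"), f.get("artifactId"), version))
    return deps


def find_vulnerable(pom_xml):
    """Return [(artifactId, version, CVE)] for every dependency inside a known-bad range."""
    findings = []
    for group, artifact, version in parse_pom(pom_xml):
        v = parse_version(version)
        if v is None:
            continue
        for cve, lo, hi in KNOWN_VULNERABLE.get((group, artifact), []):
            if lo <= v <= hi:
                findings.append((artifact, version, cve))
    return findings


if __name__ == "__main__":
    for artifact, version, cve in find_vulnerable(SAMPLE_POM):
        print(f"{artifact} {version} is affected by {cve}: upgrade before deploying")
```

Run this in CI and fail the build on any finding; the point is that the check happens on every build, not once a quarter, because the window between a bulletin and a working exploit is days.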
Moving on to something … larger
Yup … the entire country!
September 2019 - Ecuador
• Records of more than 20 million people found by a security firm during a routine scan
• Ecuador's population is roughly 17 million, so the dump covered essentially the whole country
• Contained full names, gender, dates and places of birth, phone numbers and addresses, marital status, national identification numbers (the cédula, similar to a social security number), employment information and education history, as well as bank account status, current balances and credit type, along with detailed information about individuals' family members
September 2019 - Ecuador
• This included data on the president, Lenín Moreno
• The general manager of the IT consulting firm that held the data, Novaestrat, was arrested
How did it happen?
• A marketing / data-analytics consultancy had loaded the data into an Elasticsearch server
• Which was exposed to the public internet (OWASP A3:2017 Sensitive Data Exposure)
• And had no authentication at all (OWASP A6:2017 Security Misconfiguration); Elasticsearch releases before 8.0 shipped with security disabled unless you turned it on
How could it be prevented?
• Firewall your servers: a data store should listen on an internal interface only and be reachable through a VPN or an authenticated proxy
• Change default credentials, or apply credentials where the product ships with none, and rotate passwords
• Scope data retention requirements: don't hold data you have no business need for
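The two settings that decide whether an Elasticsearch node is an Ecuador-style leak are the bind address and whether the security module is on. The block below is an added example, not from the talk or from Elastic: a small audit that reads the flat `dotted.key: value` form of elasticsearch.yml and reports the weak configuration beside the hardened one. `network.host` and `xpack.security.enabled` are real Elasticsearch settings; treating a missing `xpack.security.enabled` as "false" is an assumption that matches the pre-8.0 default. Both config files are constructed samples, and the parser deliberately handles only the flat style, not nested YAML.

```python
# Bind values that put the HTTP API on every interface (or on the site/global address).
PUBLIC_BIND_VALUES = {"0.0.0.0", "::", "_global_", "_site_"}

WEAK_CONFIG = """\
# elasticsearch.yml as found on far too many boxes (constructed sample)
cluster.name: customer-analytics
network.host: 0.0.0.0
http.port: 9200
"""

HARDENED_CONFIG = """\
cluster.name: customer-analytics
network.host: 127.0.0.1          # bind to loopback; put a reverse proxy or VPN in front
http.port: 9200
xpack.security.enabled: true     # require credentials even on the internal network
"""


def parse_flat_yaml(text):
    """Minimal parser for the flat 'dotted.key: value' style used by elasticsearch.yml.
    Not a general YAML parser: nested blocks are out of scope for this check."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"[]")
    return settings


def audit_elasticsearch(text):
    """Return a list of findings; an empty list means the two checks passed."""
    s = parse_flat_yaml(text)
    findings = []
    # Elasticsearch itself defaults network.host to loopback, so a missing key is safe.
    host = s.get("network.host", "127.0.0.1")
    exposed = bool({h.strip() for h in host.split(",")} & PUBLIC_BIND_VALUES)
    if exposed:
        findings.append(f"network.host={host}: node listens on every interface")
    # Assumption: absent xpack.security.enabled means disabled (pre-8.0 default).
    security = s.get("xpack.security.enabled", "false").lower() == "true"
    if not security:
        findings.append("xpack.security.enabled is not true: API has no authentication")
    if exposed and not security:
        findings.append("CRITICAL: unauthenticated Elasticsearch reachable from the network")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_elasticsearch(cfg) or ["ok"])
```

A host firewall or security group that only admits the application tier to port 9200 is still needed on top of this: the config check tells you the node itself is not advertising to the world, the firewall makes sure a future config change cannot quietly undo that.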
Meanwhile, in the USA…
The Pentagon
September 2017 - The Pentagon
• Security researchers (UpGuard) found a series of unsecured S3 buckets belonging to U.S. Department of Defense programmes
• Containing (across several DoD-contractor bucket leaks in 2017):
• An archive of over 1.8 billion social media posts scraped for "analytics" purposes
• Private keys and password hashes for an intelligence-sharing platform
• Thousands of résumés from applicants for intelligence positions
How did it happen?
• The systems were built and operated by a now defunct private-sector government contractor
• They left the S3 buckets publicly accessible (OWASP A3:2017 / A6:2017): the bucket ACL granted read access to any authenticated AWS user, which in practice means anyone with a free AWS account
• DOH!
How could it be prevented?
• Manage third-party vendor risk: a contractor's cloud account holding your data is your breach
• Secure your cloud resources: turn on S3 Block Public Access, never grant the AllUsers or AuthenticatedUsers groups, and review bucket policies for wildcard principals
• Least privilege: each system gets access to the buckets it needs and nothing more
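"Secure your cloud resources" comes down to two documents per bucket: the ACL (where the AllUsers / AuthenticatedUsers grants live) and the bucket policy (where `"Principal": "*"` lives). The block below is an added example, not from the talk or from AWS: it evaluates both in the JSON shape `aws s3api get-bucket-policy` and `get-bucket-acl` return and reports the grants that make a bucket public. The policies, bucket name, account id and role name are constructed for the example.

```python
import json

# Grantee URIs that mean "the whole world"; AuthenticatedUsers is any AWS account, not just yours.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}

# Constructed examples (no real bucket, account or role).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowDownloads",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-analytics-archive/*",
    }],
})

PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnalyticsRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/analytics-reader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-analytics-archive",
                     "arn:aws:s3:::example-analytics-archive/*"],
    }],
})

PUBLIC_ACL = {
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]
}


def _as_list(x):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return x if isinstance(x, list) else [x]


def _principal_is_everyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy_json):
    """Return the Sids of Allow statements that grant read access to everyone."""
    policy = json.loads(policy_json)
    hits = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _principal_is_everyone(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if not actions & READ_ACTIONS:
            continue
        # A Condition (e.g. aws:SourceVpc) may narrow "*"; flag it for review rather than trust it.
        sid = st.get("Sid", "<no Sid>")
        hits.append(sid + (" (conditional)" if "Condition" in st else ""))
    return hits


def public_acl_grants(acl):
    """Return (permission, URI) for every grant to the AllUsers / AuthenticatedUsers groups."""
    return [
        (g["Permission"], g["Grantee"]["URI"])
        for g in acl.get("Grants", [])
        if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS
    ]


if __name__ == "__main__":
    print("public policy statements:", public_policy_statements(PUBLIC_POLICY))
    print("private policy statements:", public_policy_statements(PRIVATE_POLICY))
    print("public ACL grants:", public_acl_grants(PUBLIC_ACL))
```

This is the check you run over buckets you already have. The durable fix is to enable S3 Block Public Access at the account level, which makes both of these grants ineffective regardless of what a contractor later sets on an individual bucket.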
Back in merry ole England…
August 2018 - British Airways
• Between 21st August and 5th September 2018, ba.com was running malicious code
• Financial and personal details from about 380,000 payment transactions stolen (that means full credit card data, CVV included)
How did it happen?
• Attackers modified a JavaScript file served from ba.com so that a small skimmer ran on the payment page, read the card form fields and posted them to an attacker-controlled domain
• The payment card fields were not isolated in an <iframe> from a separate origin, so any script on the page could read them
• Cross Site Scripting (XSS) in OWASP terms (OWASP A7:2017), though here the script was planted in the site's own code rather than reflected from user input
How could it be prevented?
• Validate input, then encode / escape output for the context it lands in (HTML text, attribute, JavaScript, URL)
• Use a security encoding library rather than hand-rolled escaping!
• Enforce security headers: a Content-Security-Policy that limits script-src, connect-src and form-action, plus Subresource Integrity on script tags so a tampered file is refused by the browser
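The three bullets above are one server-side job: escape per context, and send headers that stop a script from exfiltrating even if it does get onto the page. The block below is an added example, not from the talk or from BA: context-specific encoders built on the standard library, a Subresource Integrity value for a script tag, and the response headers for a checkout page. The script contents, hostnames and paths are constructed for the example.

```python
import base64
import hashlib
import html
import json


def for_html_text(value):
    """Escape untrusted data placed in HTML element content."""
    return html.escape(str(value), quote=False)


def for_html_attr(value):
    """Escape untrusted data placed inside a quoted attribute value."""
    return html.escape(str(value), quote=True)


def for_js_string(value):
    """Serialise untrusted data as a JS string literal inside an inline <script>.
    json.dumps escapes quotes and non-ASCII; '</' is broken up so the value
    cannot close the script element early."""
    return json.dumps(str(value)).replace("</", "<\\/")


def sri_hash(script_bytes):
    """Subresource Integrity value for a script: sha384 digest, base64 encoded."""
    digest = hashlib.sha384(script_bytes).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def script_tag(src, script_bytes):
    """<script> tag the browser refuses to run if the file on the server or CDN changes."""
    return (f'<script src="{for_html_attr(src)}" integrity="{sri_hash(script_bytes)}" '
            'crossorigin="anonymous"></script>')


def build_csp(directives):
    """{'script-src': ["'self'", host]} -> "script-src 'self' host; ..." """
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives.items())


def payment_page_headers(script_hosts):
    """Response headers for a checkout page: scripts only from listed hosts,
    form posts and XHR/fetch only back to us, no framing by third parties."""
    csp = build_csp({
        "default-src": ["'self'"],
        "script-src": ["'self'", *script_hosts],
        "connect-src": ["'self'"],      # blocks a skimmer's fetch/XHR to another host
        "form-action": ["'self'"],      # blocks a rewritten form target
        "frame-ancestors": ["'none'"],
        "object-src": ["'none'"],
    })
    return {
        "Content-Security-Policy": csp,
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin",
    }


if __name__ == "__main__":
    # Constructed sample: the name comes from the user, the script from the page's own bundle.
    print(for_html_text('Bob <script>alert(document.cookie)</script>'))
    print(for_js_string('</script><script>alert(1)</script>'))
    print(script_tag("/static/checkout.js", b"console.log('checkout');"))
    print(payment_page_headers(["https://cdn.example.com"]))
```

Two caveats worth knowing. A skimmer planted in the site's own bundle passes `script-src 'self'`; what stops it is the `integrity` attribute (the modified file no longer matches) and `connect-src` / `form-action` / `default-src` (it has nowhere to send the card data, including via an `<img>` beacon). And none of this helps if the attacker can also edit the HTML that carries the hashes and the headers, which is why card fields served from a separately-origined <iframe> remain the stronger design.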
From air fares to cell phones…
October 2015 - TalkTalk
• Names, addresses, dates of birth, and credit card / bank details of 157,000 TalkTalk customers stolen
• Data was then sold on the dark web and used to take money from credit cards, phish users and blackmail company execs
• Cost the company an estimated £77m
How did it happen?
• The attackers found an SQL injection vulnerability in legacy web pages on the TalkTalk website and used it to dump customer tables (OWASP A1:2017 Injection)
How could it be prevented?
• Don't trust user input (ever): validate it against what the field is supposed to contain
• Parameterise your queries: the value travels separately from the SQL, so it can never change the statement
• Use an abstraction layer (DBAL / ORM), but remember its raw-query escape hatches need the same discipline
• Use a SQL proxy (ProxySQL is listed under Resources) to restrict which statement shapes the application account may run
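The difference between the TalkTalk query and the safe one is a single line, so it is worth seeing both run against the same payload. The block below is an added example, not from the talk or from TalkTalk: an in-memory SQLite table with constructed rows, the string-concatenated lookup that hands the whole table to `' OR '1'='1`, the parameterised lookup that returns nothing for it, and the input validator that would have rejected the payload before it ever reached the database.

```python
import re
import sqlite3

# Conservative shape check for the one field this endpoint accepts. Validation is the
# first line; it is not a substitute for parameterisation, which is the real fix.
EMAIL_RE = re.compile(r"[^@\s]{1,64}@[^@\s]{1,255}\.[^@\s]{2,63}")


def validate_email(value):
    return len(value) <= 254 and EMAIL_RE.fullmatch(value) is not None


def demo_db():
    """In-memory customer table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, name, card_last4) VALUES (?, ?, ?)",
        [("ann@example.com", "Ann", "4242"),
         ("bob@example.com", "Bob", "1881"),
         ("cat@example.com", "Cat", "0005")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """The TalkTalk-style mistake: user input is glued into the SQL string, so the
    quote characters in the input become part of the query grammar."""
    sql = f"SELECT name, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Parameterised query: the driver sends the value separately from the statement,
    so the input is only ever data, never SQL. Validation runs first as defence in depth."""
    if not validate_email(email):
        return []
    sql = "SELECT name, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    conn = demo_db()
    payload = "nobody@example.com' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, payload))   # every customer's card digits
    print("safe:      ", lookup_safe(conn, payload))         # nothing
    print("safe, real:", lookup_safe(conn, "bob@example.com"))
```

The same rule applies inside an ORM: `session.execute(text(f"... {email}"))` is the vulnerable function again with extra steps, and a SQL proxy in front of the database can additionally refuse statement shapes (tautologies, `UNION SELECT` against tables the app never reads) that the application account has no business issuing.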
And finally…
🤭 Er … awkward …
A well known hotel chain!
November 2018 - Marriott
• Up to 500 million guests of its Starwood hotels had their data stolen (Marriott later revised the figure to about 383 million)
• One of the largest breaches disclosed at the time, by record count; the Ecuador leak above covered a whole country but far fewer records
How did it happen?
• Various!
• SQL injection on the website
• Internal machines compromised with malware, likely delivered by phishing
• But more critically, the attackers had been inside the Starwood network since 2014, two years before Marriott acquired it
How could it be prevented?
• Systemic failures like this are hard to address without significant culture change
• Monitoring should have picked up the breach … they had four years to spot it! (It was finally noticed in September 2018 when a security tool flagged an unusual query against the Starwood guest reservation database)
• Check your logs, monitor traffic and connections (especially outbound from database hosts), review processes on servers
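"Monitor traffic and connections" is vague until you write down what abnormal looks like. The block below is an added example, not from the talk or from Marriott: detection logic run over constructed connection-log lines, flagging a database host that talks to the internet at all, a single flow large enough to be a table export, and either of those happening in the small hours. The log format, host naming convention, internal address ranges, threshold and quiet hours are all assumptions for the example; the shape of the rules is what carries over to real flow logs.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed connection-log lines in a simple flow-log style (not a real format or real data).
SAMPLE_LOG = """\
2018-09-07T01:12:03Z host=db-01 src=10.0.2.15 dst=10.0.2.20 dport=5432 bytes=18320
2018-09-07T01:12:41Z host=web-03 src=10.0.1.7 dst=10.0.2.15 dport=5432 bytes=2210
2018-09-07T02:14:33Z host=db-01 src=10.0.2.15 dst=203.0.113.7 dport=443 bytes=734003200
2018-09-07T02:15:10Z host=db-01 src=10.0.2.15 dst=10.0.2.50 dport=25 bytes=1200
2018-09-07T09:30:00Z host=web-03 src=10.0.1.7 dst=198.51.100.9 dport=443 bytes=4096
"""

# Assumed environment: the organisation's own ranges, which tiers may talk outbound,
# how much one flow from a database host may carry, and when nobody should be exporting data.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
INTERNET_ALLOWED_ROLES = {"web"}
DB_EGRESS_BYTES_THRESHOLD = 50 * 1024 * 1024
QUIET_HOURS = range(0, 6)          # 00:00-05:59 UTC


def is_internal(ip):
    """Membership in our own ranges, not ipaddress.is_private (which also counts documentation nets)."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["bytes"] = int(rec["bytes"])
    rec["role"] = rec["host"].split("-")[0]   # 'db-01' -> 'db' (assumed naming convention)
    return rec


def tags_for(rec):
    """Detection rules for one flow; an empty list means nothing to look at."""
    tags = []
    if not is_internal(rec["dst"]) and rec["role"] not in INTERNET_ALLOWED_ROLES:
        tags.append("egress-from-internal-tier")
    if rec["role"] == "db" and rec["bytes"] > DB_EGRESS_BYTES_THRESHOLD:
        tags.append("bulk-transfer")
    if tags and rec["ts"].hour in QUIET_HOURS:
        tags.append("off-hours")
    return tags


def detect(log_text):
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        tags = tags_for(rec)
        if tags:
            alerts.append({"ts": rec["ts"].isoformat(), "host": rec["host"],
                           "dst": rec["dst"], "bytes": rec["bytes"], "tags": tags})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The 700 MB flow from a database host to an internet address at 02:14 is the kind of event that, in the Marriott timeline, went unnoticed for four years. None of the rules is clever; the value is that they run on every flow and page someone, so the dwell time is measured in minutes rather than years.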
Resources
• www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project (OWASP ZAP, a free web application scanner)
• www2.owasp.org/www-project-juice-shop/ (OWASP Juice Shop, a deliberately vulnerable app to practise on)
• www.proxysql.com (ProxySQL, an open-source SQL proxy)
Closing thoughts
"Amateurs hack systems, professionals hack people."
– Bruce Schneier
Questions?
General
• https://medium.com/@cxosmo/owasp-top-10-real-world-examples-part-1-a540c4ea2df5
• https://medium.com/@cxosmo/owasp-top-10-real-world-examples-part-2-3cdb3bebc976
• https://snyk.io/blog/owasp-top-10-breaches/
• https://businessinsights.bitdefender.com/worst-amazon-breaches
Equifax
• https://techcrunch.com/tag/equifax-hack/
• https://www.wired.com/story/equifax-breach-no-excuse/
• https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax
Ecuador
• https://thehackernews.com/2019/09/ecuador-data-breach.html
Pentagon
• https://www.upguard.com/breaches/cloud-leak-centcom
BA
• https://www.itwire.com/security/84379-ba-site-breach-through-xss-flaw,-says-tech-firm-chief.html
TalkTalk
• https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/the-talktalk-breach-timeline-of-a-hack/
Marriott
• https://www.washingtonpost.com/business/2018/11/30/marriott-discloses-massive-data-breach-impacting-million-guests/
@robdudley
@robdudley@mastodon.social
www.rcwd.dev
