This document summarizes a presentation on web security given at the Confoo Conference in 2012. The presentation was given by Antonio Fontes from L7 and David Mirza from Subgraph. They discussed the history of web attacks moving from host/network intrusion to modern vulnerabilities like XSS and SQL injection. They explained that all business logic and data is now on the web, making it the main target for attacks. The motivations for these attacks include money, ideology, fame, and supporting other criminal activities. They outlined the impacts such as financial costs, reputation damage, and legal/compliance issues. Finally, they provided recommendations on technical controls like web application testing and process controls like secure development practices and training to help address these ongoing

1. Web security
Confoo Conference 2012 – Montréal
Antonio Fontes (L7)
David Mirza (Subgraph)

2. Syllabus
• Who are we?
• Why are we here? What has changed?
• Motivations
• Impacts
• Opportunities: how can you/we help?

3. About us
• Antonio
• David

4. History
• Fun pranks
• Earlyattacks: host/network intrusion
• Now: web application vulnerabilities

5. Now
• OWASP Top 10
– XSS
– SQLi
– CSRF
– OS Command injection
– Etc..

6. Why?
• Mature network/host layer security
• All business logicis/has moved to the web
– alongwith the data…
• Web apps are THE remaining open door
• More people understandthereis « value »
– General awareness

7. Motivations
• Money
• Political/Ideological grounds
• Fame, fun, curiosity
• Industrial espionage
• Supporting other forms of organized crime
• State / Corporate surveillance
• Randomness

9. Source: arstechnica.com / nov.2011

10. Do you feel motivated now?
792 Euro = 1’051 CAD
4 yearsoperation = 14m$  3.5m/year
3.5m / 7 people  500’000 CAD/year  31’320
Euro/month  40 times the avg. income

16. Impacts
• Financial
• Reputation
• Health/integrity safety
• Legal/Fines
• Regulation / Compliance
• Operations / Productivity

17. Impacts
Average breach cost 7M
Wost incident cost
over $35 million

18. Impacts
• Averagecost of a data breach (in Usm)
$40.0
$30.0
Average
$20.0
Maximum
$10.0
$0.0
2010

19. Perception of Insecurity
“I have a Mac”

20. What can we do about it?
• Technical controls
– Web application assessment
• DAST
• SAST
• Hybrid
– WAFs, IPSs, next generation firewalls, DLP
• Process Controls
– Risk assessment processes
• SDLC
• Penetration testing
• Awareness!
– Community: OWASP
– Training

21. Conclusion
Analyze Design Implement Verify Deploy Respond
Security Secure Security Incident
requirements Secure coding testing Secure response
design deployment
Risk Design Vulnerability
Code review management
analysis Threat review Risk
modeling assessment Penetration
testing
Training & awareness
Policy / Compliance
Governance (Strategy , Metrics)
21

22. Threat Horizon
Cryptography in Web Applications
Code Sharing
Backdoored Code on Repositories
Mobile Application backends
Data leaks / Password leaks
Clickjacking / Redressing

23. Duo Panel
• Questions?
• Contact
– David: @attractr / www.subgraph.com
– Antonio: @starbuck3000 / www.L7securite.ch