SlideShare a Scribd company logo

Css sf azure_8-9-17-protecting_web_apps_stephen coty_al

Alert Logic
Alert Logic

The document discusses strategies for protecting web applications from security threats. It begins by examining the types of attacks organizations face, including application attacks, brute force attacks, and suspicious activity. It then covers hacker reconnaissance methods such as crawling websites, using vulnerability scanners, and searching open forums and the dark web. The document outlines how attacks can escalate from exploiting web applications to gaining privileged access. It concludes by providing recommendations for developing a secure code, access management policies, patch management, monitoring strategies, and staying informed of the latest vulnerabilities.

Technology
1 of 30
Download to read offline
WEB APPLICATION SECURITY: PROTECTING YOUR WEB APPLICATION Stephen Coty Chief Security Evangelist, Alert Logic
Threats by Customer Environment Source: Alert Logic 2015 Customer Data 48% 23% 21% 2% 6% CLOUD ATTACKS APPLICATION ATTACK BRUTE FORCE RECON SUSPICIOUS ACTIVITY TROJAN ACTIVITY 25% 47% 10% 11% 7% Brick and Mortar ATTACKS APPLICATION ATTACK BRUTE FORCE RECON SUSPICIOUS ACTIVITY TROJAN ACTIVITY
Web Application Security sqli, 59% openvas, 13% apache_struts, 9% joomlaua, 4% pagerank, 2% havij, 2% magento_sqli, 2% sqli_error, 2% sqlmap, 1% tor, 1% sqli openvas apache_struts joomlaua pagerank havij magento_sqli sqli_error sqlmap tor Source: Alert Logic CSR 2016
SQL Injection Last 60 Days - 060817
Vulnerabilities + Change + Shortage Complexity of defending web applications and workloads Risks are moving up the stack 1. Wide range of attacks at every layer of the stack 2. Rapidly changing codebase can introduce unknown vulnerabilities 3. Long tail of exposures inherited from 3rd party development tools 4. Extreme shortage of cloud and application security expertise Web App Attacks OWASP Top 10 Platform / Library Attacks System / Network Attacks Perimeter & end-point security tools fail to protect cloud attack surface Web Apps Server-side Apps App Frameworks Dev Platforms Server OS Hypervisor Databases Networking Cloud Management
Web Application Security Web Apps Server-side Apps App Frameworks Dev Platforms Server OS Hypervisor Databases Networking Cloud Management
Web Application Vulnerability Example CVE-1999-0278 – in IIS, remote attackers can obtain source code for ASP files by appending “::$DATA” to the URL Patch MS98-003 Web Apps Server-side Apps App Frameworks Dev Platforms Server OS Hypervisor Databases Networking Cloud Management
HACKER RECON METHODS
Hacker Recon Methods Crawling Target Website Mass Vulnerability Crawl Open Forums Dark Web Web Apps Server-side Apps App Frameworks Dev Platforms Server OS Hypervisor Databases Networking Cloud Management
Crawling Target Website • Manual - Browse the website as a normal user - Gather email addresses, related domains and domain info - Web application code language o Revision o Plug-ins - Web server OS - User input pages - Directory structure - Backend systems • Software tools - Find hidden forms, software version, js files, links and comments
Mass Vulnerability Crawl - Example • Google Dorking – (aka Google hacking) Uses the search engine to find difficult information using complex, detailed search queries - Plug in search string to find vulnerable websites - Some have preset search strings - Search results are dynamic - Timing is everything o Target system could be patched o Other hackers got there first
Open Forums - Example • Vulnerability details - Date reported - Type of vulnerability - Platform impacted - Author (not shown) - Verification (time permitting) - Link to infected application (some)
Open Forums – Example
Targeted - Dark Web • Encrypted network • Restricted access between Tor servers and clients • Collection of DBs and communication channels • Hidden from conventional search engines • Shares some features with Open Forums • Tor browser required • More advanced resources and tools
ATTACK METHODOLOGIES
Attack Methodology • Attack of opportunity - Hacker finds vulnerability within skillset - Target system and organization irrelevant • Targeted attack - Specific to people or organization - System resources • Low cost of entry - Open list of vulnerabilities - Targets easy to find - Hacker’s skill-set varies
Attacks of Opportunity • Vulnerability Database Monitoring • Block Network Vulnerability Scanning • Google Dorking • Shodan • Application Vulnerability Scan
Targeted Attacks • Scanning IP Internet Assets • Application/Network Vulnerability Scan • Careers Page • Research Technologies • Social Media Profiling • Phishing Email • Escalate Privileges • Maintain Access • Exfiltration of Data
FROM WEB APPS TO PRIVILEGED ACCESS
From Web Apps to Privileged Access • How hacking a web app can lead to system compromise - Code analysis o Review of code to reveal unintended system information - System scanning o Other software could have vulnerabilities - Session Hijacking o Exploiting a current, valid session - Social Engineering o Deception used to manipulate behavior
From Web Apps to Privileged Access • Code analysis - Account information o Usernames and passwords o Plain text or hashed - Software tools o Web search o Scan to identify • Usernames & passwords o Brute force to crack encryption o Throttle tools to avoid detection o Offline may be an option
From Web Apps to Privileged Access • Session Hijacking - Obfuscated code o Embedded in images o Mouse-over techniques - Proxy replay - Malicious binary - Session cookies - Java script injection - Cross-site scripting - Routine system maintenance - Bind shell
REMEDIATION STRATEGIES
Secure Your Code • Test inputs that are open to the Internet • Add delays to your code to confuse bots • Use encryption when you can • Test libraries • Scan plugins • Scan your code after every update • Limit privileges • DevSecOps
Create Access Management Policies • Identify data infrastructure that requires access • Define roles and responsibilities • Simplify access controls • Key Management System (KMS) • Continually audit access • Start with a least privilege access model
Adopt a Patch Management Approach • Constantly scan all production systems • Compare reported vulnerabilities to production infrastructure • Classify the risk based on vulnerability and likelihood • Test patches before you release into production • Setup a regular patching schedule • Keep informed, follow bugtraqer • Golden Images • Reference Architecture, Formation Templates
Understand Your Service Providers Security Model Azure Platform Services Security & Management Azure Infrastructure Services Web Apps Mobile Apps API Management API Apps Logic Apps Notification Hubs Content Delivery Network (CDN) Media Services HDInsight Machine Learning Stream Analytics Data Factory Event Hubs Mobile Engagement Active Directory Multi-Factor Authentication Portal Key Vault Biztalk Services Hybrid Connections Service Bus Storage Queues Store / Marketplace Hybrid Operations Backup StorSimple Site Recovery Import/Export SQL Database DocumentDB Redis Cache Search Tables SQL Data Warehouse Azure AD Connect Health AD Privileged Identity Management Operational Insights Cloud Services Batch Remote App Service Fabric Visual Studio Application Insights Azure SDK Team Project VM Image Gallery & VM Depot Azure Security Center Automation
Security Management and Monitoring Strategy • Monitoring for malicious activity • Scanning Services • Forensic investigations • Compliance needs • System performance • All sources of log data is collected • Data types (OS, CMS, DB, Web) • WAF • Correlation logic • IAM behavior • IDS Network traffic • FIM Logs • Focused security research • Security content creation • Review process • Live monitoring
Follow our Research & Stay Informed on the Latest Vulnerabilities Blog https://www.alertlogtic.com/resources/blog Newsletter https://www.alertlogic.com/weekly-threat-report/ Cloud Security Report https://www.alertlogic.com/resources/cloud-security-report/ Zero Day Magazine https://www.alertlogic.com/zerodaymagazine/ Twitter @AlertLogic @StephenCoty @_PaulFletcher Websites to follow • http://www.securityfocus.com • http://www.exploit-db.com • http://seclists.org/fulldisclosure/ • http://www.securitybloggersnetwork.com/ • http://cve.mitre.org/ • http://nvd.nist.gov/
How Alert Logic Detects Threats

Recommended

Css sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_alCss sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Alert Logic
 
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
Alert Logic
 
Css sf azure_8-9-17-stories_from_the_soc_paul fletcher_al
Css sf azure_8-9-17-stories_from_the_soc_paul fletcher_alCss sf azure_8-9-17-stories_from_the_soc_paul fletcher_al
Css sf azure_8-9-17-stories_from_the_soc_paul fletcher_al
Alert Logic
 
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msftCss sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
Alert Logic
 
CSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model OverviewCSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model Overview
Alert Logic
 
CSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the CloudCSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the Cloud
Alert Logic
 
CSS17: Houston - Stories from the Security Operations Center
CSS17: Houston - Stories from the Security Operations CenterCSS17: Houston - Stories from the Security Operations Center
CSS17: Houston - Stories from the Security Operations Center
Alert Logic
 
CSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOCCSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOC
Alert Logic
 

Recommended

Css sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_alCss sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Alert Logic
 
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
Alert Logic
 
Css sf azure_8-9-17-stories_from_the_soc_paul fletcher_al
Css sf azure_8-9-17-stories_from_the_soc_paul fletcher_alCss sf azure_8-9-17-stories_from_the_soc_paul fletcher_al
Css sf azure_8-9-17-stories_from_the_soc_paul fletcher_al
Alert Logic
 
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msftCss sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
Alert Logic
 
CSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model OverviewCSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model Overview
Alert Logic
 
CSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the CloudCSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the Cloud
Alert Logic
 
CSS17: Houston - Stories from the Security Operations Center
CSS17: Houston - Stories from the Security Operations CenterCSS17: Houston - Stories from the Security Operations Center
CSS17: Houston - Stories from the Security Operations Center
Alert Logic
 
CSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOCCSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOC
Alert Logic
 
CSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsCSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web Applications
Alert Logic
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials
Alert Logic
 
CSS 17: NYC - Building Secure Solutions in AWS
CSS 17: NYC - Building Secure Solutions in AWSCSS 17: NYC - Building Secure Solutions in AWS
CSS 17: NYC - Building Secure Solutions in AWS
Alert Logic
 
CSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsCSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web Apps
Alert Logic
 
CSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the CloudCSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the Cloud
Alert Logic
 
Protecting Against Web Attacks
Protecting Against Web AttacksProtecting Against Web Attacks
Protecting Against Web Attacks
Alert Logic
 
Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS Applications
Alert Logic
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials
Alert Logic
 
Managed Threat Detection and Response
Managed Threat Detection and ResponseManaged Threat Detection and Response
Managed Threat Detection and Response
Alert Logic
 
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
Alert Logic
 
#ALSummit: Realities of Security in the Cloud
#ALSummit: Realities of Security in the Cloud#ALSummit: Realities of Security in the Cloud
#ALSummit: Realities of Security in the Cloud
Alert Logic
 
Govern Your Cloud: The Foundation for Success
Govern Your Cloud: The Foundation for SuccessGovern Your Cloud: The Foundation for Success
Govern Your Cloud: The Foundation for Success
Alert Logic
 
Shared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure CloudShared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure Cloud
Alert Logic
 
#ALSummit: Architecting Security into your AWS Environment
#ALSummit: Architecting Security into your AWS Environment#ALSummit: Architecting Security into your AWS Environment
#ALSummit: Architecting Security into your AWS Environment
Alert Logic
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOps
Alert Logic
 
CSS17: Atlanta - Realities of Security in the Cloud
CSS17: Atlanta - Realities of Security in the CloudCSS17: Atlanta - Realities of Security in the Cloud
CSS17: Atlanta - Realities of Security in the Cloud
Alert Logic
 
Using m365 defender to protect against solorigate
Using m365 defender to protect against solorigateUsing m365 defender to protect against solorigate
Using m365 defender to protect against solorigate
Matt Soseman
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
Alert Logic
 
#ALSummit: Alert Logic & AWS - AWS Security Services
#ALSummit: Alert Logic & AWS - AWS Security Services#ALSummit: Alert Logic & AWS - AWS Security Services
#ALSummit: Alert Logic & AWS - AWS Security Services
Alert Logic
 
Azure Security Center- Zero to Hero
Azure Security Center- Zero to HeroAzure Security Center- Zero to Hero
Azure Security Center- Zero to Hero
Kasun Rajapakse
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
TriNimbus
 
Protecting Against Web App Attacks
Protecting Against Web App AttacksProtecting Against Web App Attacks
Protecting Against Web App Attacks
Alert Logic
 

More Related Content

What's hot

What's hot (20)

CSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsCSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web Applications
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials
 
CSS 17: NYC - Building Secure Solutions in AWS
CSS 17: NYC - Building Secure Solutions in AWSCSS 17: NYC - Building Secure Solutions in AWS
CSS 17: NYC - Building Secure Solutions in AWS
 
CSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsCSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web Apps
 
CSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the CloudCSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the Cloud
 
Protecting Against Web Attacks
Protecting Against Web AttacksProtecting Against Web Attacks
Protecting Against Web Attacks
 
Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS Applications
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials
 
Managed Threat Detection and Response
Managed Threat Detection and ResponseManaged Threat Detection and Response
Managed Threat Detection and Response
 
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
 
#ALSummit: Realities of Security in the Cloud
#ALSummit: Realities of Security in the Cloud#ALSummit: Realities of Security in the Cloud
#ALSummit: Realities of Security in the Cloud
 
Govern Your Cloud: The Foundation for Success
Govern Your Cloud: The Foundation for SuccessGovern Your Cloud: The Foundation for Success
Govern Your Cloud: The Foundation for Success
 
Shared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure CloudShared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure Cloud
 
#ALSummit: Architecting Security into your AWS Environment
#ALSummit: Architecting Security into your AWS Environment#ALSummit: Architecting Security into your AWS Environment
#ALSummit: Architecting Security into your AWS Environment
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOps
 
CSS17: Atlanta - Realities of Security in the Cloud
CSS17: Atlanta - Realities of Security in the CloudCSS17: Atlanta - Realities of Security in the Cloud
CSS17: Atlanta - Realities of Security in the Cloud
 
Using m365 defender to protect against solorigate
Using m365 defender to protect against solorigateUsing m365 defender to protect against solorigate
Using m365 defender to protect against solorigate
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
#ALSummit: Alert Logic & AWS - AWS Security Services
#ALSummit: Alert Logic & AWS - AWS Security Services#ALSummit: Alert Logic & AWS - AWS Security Services
#ALSummit: Alert Logic & AWS - AWS Security Services
 
Azure Security Center- Zero to Hero
Azure Security Center- Zero to HeroAzure Security Center- Zero to Hero
Azure Security Center- Zero to Hero
 

Similar to Css sf azure_8-9-17-protecting_web_apps_stephen coty_al

AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
David Lindner
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
Security Innovation
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself
Alert Logic
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the Cloud
Security Innovation
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
IBM Security
 

Similar to Css sf azure_8-9-17-protecting_web_apps_stephen coty_al (20)

Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
 
Protecting Against Web App Attacks
Protecting Against Web App AttacksProtecting Against Web App Attacks
Protecting Against Web App Attacks
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Azure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudAzure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure Cloud
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptx
 
Make your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More SafeMake your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More Safe
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessment
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Threat_Modelling.pdf
Threat_Modelling.pdfThreat_Modelling.pdf
Threat_Modelling.pdf
 
Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...
Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...
Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the Cloud
 
Security testing
Security testingSecurity testing
Security testing
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
 

More from Alert Logic

More from Alert Logic (20)

Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the Cloud
 
Reducing Your Attack Surface
Reducing Your Attack SurfaceReducing Your Attack Surface
Reducing Your Attack Surface
 
Reality Check: Security in the Cloud
Reality Check: Security in the CloudReality Check: Security in the Cloud
Reality Check: Security in the Cloud
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOps
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
Security Spotlight: Presidio
Security Spotlight: PresidioSecurity Spotlight: Presidio
Security Spotlight: Presidio
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
Security Spotlight: Rent-A-Center
Security Spotlight: Rent-A-CenterSecurity Spotlight: Rent-A-Center
Security Spotlight: Rent-A-Center
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOps
 
Security Spotlight: Presidio
Security Spotlight: PresidioSecurity Spotlight: Presidio
Security Spotlight: Presidio
 
Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the Cloud
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
CSS 2018 Trivia
CSS 2018 TriviaCSS 2018 Trivia
CSS 2018 Trivia
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
The Intersection of Security and DevOps
The Intersection of Security and DevOpsThe Intersection of Security and DevOps
The Intersection of Security and DevOps
 
Security Spotlight: The Coca Cola Company
Security Spotlight: The Coca Cola CompanySecurity Spotlight: The Coca Cola Company
Security Spotlight: The Coca Cola Company
 

Recently uploaded

JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
CzechDreamin
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT Professionals
Expeed Software
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 

Recently uploaded (20)

SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
 
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Agentic RAG What it is its types applications and implementation.pdf
Agentic RAG What it is its types applications and implementation.pdfAgentic RAG What it is its types applications and implementation.pdf
Agentic RAG What it is its types applications and implementation.pdf
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT Professionals
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG Evaluation
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 

Css sf azure_8-9-17-protecting_web_apps_stephen coty_al

  • 1. WEB APPLICATION SECURITY: PROTECTING YOUR WEB APPLICATION Stephen Coty Chief Security Evangelist, Alert Logic
  • 2. Threats by Customer Environment Source: Alert Logic 2015 Customer Data 48% 23% 21% 2% 6% CLOUD ATTACKS APPLICATION ATTACK BRUTE FORCE RECON SUSPICIOUS ACTIVITY TROJAN ACTIVITY 25% 47% 10% 11% 7% Brick and Mortar ATTACKS APPLICATION ATTACK BRUTE FORCE RECON SUSPICIOUS ACTIVITY TROJAN ACTIVITY
  • 3. Web Application Security sqli, 59% openvas, 13% apache_struts, 9% joomlaua, 4% pagerank, 2% havij, 2% magento_sqli, 2% sqli_error, 2% sqlmap, 1% tor, 1% sqli openvas apache_struts joomlaua pagerank havij magento_sqli sqli_error sqlmap tor Source: Alert Logic CSR 2016
  • 4. SQL Injection Last 60 Days - 060817
  • 5. Vulnerabilities + Change + Shortage Complexity of defending web applications and workloads Risks are moving up the stack 1. Wide range of attacks at every layer of the stack 2. Rapidly changing codebase can introduce unknown vulnerabilities 3. Long tail of exposures inherited from 3rd party development tools 4. Extreme shortage of cloud and application security expertise Web App Attacks OWASP Top 10 Platform / Library Attacks System / Network Attacks Perimeter & end-point security tools fail to protect cloud attack surface Web Apps Server-side Apps App Frameworks Dev Platforms Server OS Hypervisor Databases Networking Cloud Management
  • 6. Web Application Security Web Apps Server-side Apps App Frameworks Dev Platforms Server OS Hypervisor Databases Networking Cloud Management
  • 7. Web Application Vulnerability Example CVE-1999-0278 – in IIS, remote attackers can obtain source code for ASP files by appending “::$DATA” to the URL Patch MS98-003 Web Apps Server-side Apps App Frameworks Dev Platforms Server OS Hypervisor Databases Networking Cloud Management
  • 9. Hacker Recon Methods Crawling Target Website Mass Vulnerability Crawl Open Forums Dark Web Web Apps Server-side Apps App Frameworks Dev Platforms Server OS Hypervisor Databases Networking Cloud Management
  • 10. Crawling Target Website • Manual - Browse the website as a normal user - Gather email addresses, related domains and domain info - Web application code language o Revision o Plug-ins - Web server OS - User input pages - Directory structure - Backend systems • Software tools - Find hidden forms, software version, js files, links and comments
  • 11. Mass Vulnerability Crawl - Example • Google Dorking – (aka Google hacking) Uses the search engine to find difficult information using complex, detailed search queries - Plug in search string to find vulnerable websites - Some have preset search strings - Search results are dynamic - Timing is everything o Target system could be patched o Other hackers got there first
  • 12. Open Forums - Example • Vulnerability details - Date reported - Type of vulnerability - Platform impacted - Author (not shown) - Verification (time permitting) - Link to infected application (some)
  • 13. Open Forums – Example
  • 14. Targeted - Dark Web • Encrypted network • Restricted access between Tor servers and clients • Collection of DBs and communication channels • Hidden from conventional search engines • Shares some features with Open Forums • Tor browser required • More advanced resources and tools
  • 16. Attack Methodology • Attack of opportunity - Hacker finds vulnerability within skillset - Target system and organization irrelevant • Targeted attack - Specific to people or organization - System resources • Low cost of entry - Open list of vulnerabilities - Targets easy to find - Hacker’s skill-set varies
  • 17. Attacks of Opportunity • Vulnerability Database Monitoring • Block Network Vulnerability Scanning • Google Dorking • Shodan • Application Vulnerability Scan
  • 18. Targeted Attacks • Scanning IP Internet Assets • Application/Network Vulnerability Scan • Careers Page • Research Technologies • Social Media Profiling • Phishing Email • Escalate Privileges • Maintain Access • Exfiltration of Data
  • 19. FROM WEB APPS TO PRIVILEGED ACCESS
  • 20. From Web Apps to Privileged Access • How hacking a web app can lead to system compromise - Code analysis o Review of code to reveal unintended system information - System scanning o Other software could have vulnerabilities - Session Hijacking o Exploiting a current, valid session - Social Engineering o Deception used to manipulate behavior
  • 21. From Web Apps to Privileged Access • Code analysis - Account information o Usernames and passwords o Plain text or hashed - Software tools o Web search o Scan to identify • Usernames & passwords o Brute force to crack encryption o Throttle tools to avoid detection o Offline may be an option
  • 22. From Web Apps to Privileged Access • Session Hijacking - Obfuscated code o Embedded in images o Mouse-over techniques - Proxy replay - Malicious binary - Session cookies - Java script injection - Cross-site scripting - Routine system maintenance - Bind shell
  • 24. Secure Your Code • Test inputs that are open to the Internet • Add delays to your code to confuse bots • Use encryption when you can • Test libraries • Scan plugins • Scan your code after every update • Limit privileges • DevSecOps
  • 25. Create Access Management Policies • Identify data infrastructure that requires access • Define roles and responsibilities • Simplify access controls • Key Management System (KMS) • Continually audit access • Start with a least privilege access model
  • 26. Adopt a Patch Management Approach • Constantly scan all production systems • Compare reported vulnerabilities to production infrastructure • Classify the risk based on vulnerability and likelihood • Test patches before you release into production • Setup a regular patching schedule • Keep informed, follow bugtraqer • Golden Images • Reference Architecture, Formation Templates
  • 27. Understand Your Service Providers Security Model Azure Platform Services Security & Management Azure Infrastructure Services Web Apps Mobile Apps API Management API Apps Logic Apps Notification Hubs Content Delivery Network (CDN) Media Services HDInsight Machine Learning Stream Analytics Data Factory Event Hubs Mobile Engagement Active Directory Multi-Factor Authentication Portal Key Vault Biztalk Services Hybrid Connections Service Bus Storage Queues Store / Marketplace Hybrid Operations Backup StorSimple Site Recovery Import/Export SQL Database DocumentDB Redis Cache Search Tables SQL Data Warehouse Azure AD Connect Health AD Privileged Identity Management Operational Insights Cloud Services Batch Remote App Service Fabric Visual Studio Application Insights Azure SDK Team Project VM Image Gallery & VM Depot Azure Security Center Automation
  • 28. Security Management and Monitoring Strategy • Monitoring for malicious activity • Scanning Services • Forensic investigations • Compliance needs • System performance • All sources of log data is collected • Data types (OS, CMS, DB, Web) • WAF • Correlation logic • IAM behavior • IDS Network traffic • FIM Logs • Focused security research • Security content creation • Review process • Live monitoring
  • 29. Follow our Research & Stay Informed on the Latest Vulnerabilities Blog https://www.alertlogtic.com/resources/blog Newsletter https://www.alertlogic.com/weekly-threat-report/ Cloud Security Report https://www.alertlogic.com/resources/cloud-security-report/ Zero Day Magazine https://www.alertlogic.com/zerodaymagazine/ Twitter @AlertLogic @StephenCoty @_PaulFletcher Websites to follow • http://www.securityfocus.com • http://www.exploit-db.com • http://seclists.org/fulldisclosure/ • http://www.securitybloggersnetwork.com/ • http://cve.mitre.org/ • http://nvd.nist.gov/
  • 30. How Alert Logic Detects Threats