Lessons Learned From the Yahoo! Hack

Amichai Shulman, CTO




                       © 2013 Imperva, Inc. All rights reserved.
Agenda

  Finding the vulnerable Yahoo! app
     + A true cyber detective story
  Yahoo! hack technical analysis
     + SQL Injection
     + Error based SQL Injection
  The greater lesson
     + 3rd party code security
  Summary and Conclusions




Amichai Shulman – CTO Imperva

  Speaker at Industry Events
    + RSA, Sybase Techwave, Info Security UK, Black Hat
  Lecturer on Info Security
    + Technion - Israel Institute of Technology
  Former security consultant to banks & financial
   services firms
  Leads the Application Defense Center (ADC)
    + Discovered over 20 commercial application vulnerabilities
       – Credited by Oracle, MS-SQL, IBM and others




           Amichai Shulman one of InfoWorld’s “Top 25 CTOs”


Cyber Detective Story




Breaking News – Yahoo! Has been Hacked




Gathering Evidence


 Hacker released a redacted screenshot of the allegedly
  hacked Yahoo! app




Forensics – Turning Evidence into Insights (1)




 Host name from address bar:
      + Ends in “yle.yahoo.net” (not “yahoo.com”)
      + It has a relatively long host name
Forensics – Turning Evidence into Insights (2)




 Error message
      + The application is powered by ASP.NET
          – Most Yahoo! applications are PHP based
      + Application source file resides on C:webcorp[blackened by
        hacker]pYahooV2app_code
Identifying the Vulnerable Yahoo! App (1)

 Host name from address bar:
      + Ends in “yle.yahoo.net” (not “yahoo.com”)
      + It has a relatively long host name

Identifying the Vulnerable Yahoo! App (2)

 Error message
      + The application is powered by ASP.NET (not PHP like most
        Yahoo! applications)
      + Application source file resides on C:webcorp[blackened by
        hacker]pYahooV2app_code
Yahoo! Hack Technical Analysis
       Error Based SQL Injection




Data Extraction Techniques by Hackers: 2005-2011

 [Pie chart] SQL Injection: 83%; Other: 17%
 Total = 315,424,147 records (856 breaches)

 Source: Privacy Rights Clearinghouse
SQL Injection Means Business, Literally




SQL Injection: Technical Impact


 Retrieve sensitive data from the organization
 Steal the site’s administrator password
 Lead to the downloading of malware
Still A Very Relevant Attack




 On average, we have identified 53 SQLi attacks per hour and
  1,093 attacks per day.
SQL Injections By the Hour – Highly Automated




Main Automated Attack Tools




 SQLmap
 Havij
Yahoo! Hack – MSSQL Injection with Conversion Errors

 Attack vector:
   + ' and 1 = convert(int, (select top 1 table_name from x))

 The server tries to convert the additional data (in this
  case the table name) to an integer
 A non-numeric character string cannot be converted to an
  integer, so the conversion raises an error
 If the system is not hardened, the error message (which
  quotes the value that failed to convert) is returned to the
  attacker, revealing the data
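The two defects that make the conversion-error technique work, and their fix, as an added example in Python (not code from the deck or from the application that was breached). It runs against an in-memory SQLite table constructed for the demo; the table, rows and function names are assumptions. SQLite does not raise on a failed integer conversion the way MSSQL does, so what the vulnerable handler leaks here is the database's own parse error rather than a table name, but the two lessons are the same: bind user input as a parameter, and never return the raw database error to the client.

```python
import sqlite3

# Constructed sample schema and data (added example, not the breached app's
# schema; the real application was ASP.NET on MSSQL).
SCHEMA = """
CREATE TABLE horoscope (sign TEXT PRIMARY KEY, forecast TEXT);
INSERT INTO horoscope VALUES ('aries', 'A good day for new projects.');
INSERT INTO horoscope VALUES ('leo', 'Avoid hasty decisions.');
"""

# The attack vector quoted in the deck, with a SQL comment to swallow the
# closing quote the application appends.
ERROR_BASED_PAYLOAD = "' and 1 = convert(int,(select top 1 table_name from x))--"


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(sign):
    """Defect 1: user input is concatenated into the SQL text, so it is parsed
    as SQL. Defect 2: the raw database error is echoed back to the caller."""
    conn = _connect()
    try:
        sql = "SELECT forecast FROM horoscope WHERE sign = '" + sign + "'"
        return {"ok": True, "rows": conn.execute(sql).fetchall()}
    except sqlite3.Error as exc:
        # Verbose DB error leaves the server: this is the channel that
        # error-based injection reads data through on MSSQL.
        return {"ok": False, "error": str(exc)}
    finally:
        conn.close()


def lookup_hardened(sign):
    """Parameterised query: the input is bound as data and never parsed as
    SQL. Database errors are logged server-side; the caller gets a generic
    message with no database detail in it."""
    conn = _connect()
    try:
        rows = conn.execute(
            "SELECT forecast FROM horoscope WHERE sign = ?", (sign,)
        ).fetchall()
        return {"ok": True, "rows": rows}
    except sqlite3.Error as exc:
        print("db error (server log only):", exc)
        return {"ok": False, "error": "request failed"}
    finally:
        conn.close()


if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable(ERROR_BASED_PAYLOAD))
    print("hardened:  ", lookup_hardened(ERROR_BASED_PAYLOAD))
```

With the payload, the vulnerable handler returns the database's error text to the client, while the hardened handler simply finds no row whose sign equals the whole payload string. On MSSQL the equivalent hardening is the same pair: parameterised commands plus custom error pages so conversion errors are never rendered.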
MSSQL Injection with Conversion Errors


 No need to be a hacker to exploit it
 Even script kiddies can do it with automated exploit tools
      + Havij
From SQL Injection to Command Execution


 In the case of SQL injection into an MSSQL database, an attacker can
  leverage it to run arbitrary operating-system commands using the
  “XP_CMDSHELL” system stored procedure
 Supported by exploit tools
3rd Party Code Security




Vulnerable Application is a 3rd Party Application

 “The leading astrology portal in India… formed co-
  branded channel alliances with internationally recognized
  brands such as MSN, Yahoo! and Google”




Vulnerable Application is Hosted by 3rd Party

 Routing of users from Yahoo! to Astroyogi.com with a DNS
  alias
 “in.horoscopes.lifestyle.yahoo.net” → “yahoo.astroyogi.com”
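The alias above is the kind of record a defender can look for in their own DNS zones: an owned hostname that is a CNAME to a host outside every domain the organization controls marks an application users reach under your brand but that runs on someone else's infrastructure. The following is an added example (not the deck's or Imperva's code) that scans a constructed zone-file-style record list for such aliases; the only real names in it are the alias pair quoted in the deck, and the other records, the owned-domain list and the function names are assumptions.

```python
# Constructed sample of DNS records in zone-file style (added example). The
# first record is the alias pair quoted in the deck; the rest are invented
# and use reserved example names.
ZONE_RECORDS = """
in.horoscopes.lifestyle.yahoo.net.  IN CNAME  yahoo.astroyogi.com.
mail.example-corp.net.              IN A      192.0.2.10
shop.example-corp.net.              IN CNAME  shop-cdn.example-corp.net.
careers.example-corp.net.           IN CNAME  example-corp.hr-vendor.example.
"""

# Domains the organization controls (assumed list for the demo).
OWNED_DOMAINS = ("yahoo.net", "yahoo.com", "example-corp.net")


def _in_owned(hostname, owned):
    """True if hostname equals or is a subdomain of any owned domain."""
    name = hostname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in owned)


def parse_zone(text):
    """Parse 'owner IN TYPE rdata' lines into (owner, type, rdata) tuples,
    dropping trailing dots; blank and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "IN":
            continue
        records.append((parts[0].rstrip("."), parts[2], parts[3].rstrip(".")))
    return records


def third_party_hosted(text, owned=OWNED_DOMAINS):
    """Return (alias, target) pairs where an owned name is a CNAME to a host
    outside every owned domain. Each pair is a third-party-hosted application
    that belongs on the pen-test and WAF coverage list."""
    return [
        (name, target)
        for name, rtype, target in parse_zone(text)
        if rtype == "CNAME" and _in_owned(name, owned) and not _in_owned(target, owned)
    ]


if __name__ == "__main__":
    for alias, target in third_party_hosted(ZONE_RECORDS):
        print(f"{alias} -> {target}  (third-party hosted)")
```

Internal aliases such as the shop CDN record are ignored because the target stays inside an owned domain; the output list is the inventory of applications the "3rd party code" recommendations later in the deck apply to.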
You Don’t Own the Code of All Your Applications

 Yahoo! is not alone
 3rd party applications are embedded as code or by
  hosting by many organizations
 28% of Veracode assessed applications are identified as
  created by a 3rd party




You Don’t Even Own All the Code of YOUR Applications

 Even homegrown applications are mostly comprised of
  3rd party code
 According to Veracode:
      + “Up to 70% of internally developed code originates outside of
        the development team”
Third Party Code Related Breaches




Becoming Part of OWASP Top 10




Recommendations




SQL Injection Mitigation Checklist
Step 1: Use a WAF to Detect SQL Injection



 Positives
      + Can block many attacks
      + Relatively easy

 Negatives
      + Can become a crutch
      + Potential for false positives
Step 2: Deploy Reputation Based Solution



 Positives
      + Blocks up to 40% of attack traffic
      + Easy

 Negatives
      + Does not deal with the underlying problem
Step 3: Stop Automated Attack Tools



 Positives
      + Detects automated tool fingerprints to block attacks
      + Relatively easy

 Negatives
      + Potential for false positives
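Steps 1 and 3 both come down to matching requests against known signatures: the conversion-error pattern from the attack slide, and the User-Agent fingerprints of the automated tools the deck names. The following is an added example (not the deck's or Imperva's code, and not a substitute for a WAF) that runs both checks over a few constructed access-log lines in combined log format and counts hits per source address, which is where the "highly automated, by the hour" picture comes from. The log lines, field names and function names are assumptions; the injected query string is the deck's own attack vector, URL-encoded.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed access-log sample in combined log format (added example, not
# log data from the incident). Line 2 carries the deck's attack vector,
# URL-encoded; lines 3 and 4 carry tool User-Agent strings.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2013:10:00:01 +0000] "GET /horoscope.aspx?sign=leo HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2013:10:00:02 +0000] "GET /horoscope.aspx?sign=%27+and+1+%3D+convert+%28int%2C%28select+top+1+table_name+from+x%29%29 HTTP/1.1" 500 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2013:10:00:03 +0000] "GET /horoscope.aspx?sign=leo HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev"
203.0.113.9 - - [10/Jan/2013:10:00:03 +0000] "GET /horoscope.aspx?sign=aries HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Havij)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Step 1 style signature: an integer conversion wrapped around a subquery,
# the shape of the MSSQL conversion-error technique shown in the deck.
CONVERT_SIG = re.compile(r"convert\s*\(\s*int\s*,.*select", re.IGNORECASE)

# Step 3 style fingerprints: the two tools the deck names (lower-cased).
TOOL_UA = ("sqlmap", "havij")


def classify(line):
    """Parse one log line; return its source, status and the list of reasons
    it was flagged (empty when clean), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    # Decode %xx and '+' so signatures are matched against what the DB sees.
    if CONVERT_SIG.search(unquote_plus(m.group("path"))):
        reasons.append("error-based-sqli")
    ua = m.group("ua").lower()
    if any(tool in ua for tool in TOOL_UA):
        reasons.append("tool-fingerprint")
    return {"ip": m.group("ip"), "status": m.group("status"), "reasons": reasons}


def scan(log_text):
    """Return the flagged records from a block of log text."""
    return [c for c in map(classify, log_text.splitlines()) if c and c["reasons"]]


def hits_by_source(hits):
    """Count flagged requests per source address; bursts from one address
    are the automation signal the deck's hourly chart shows."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["status"], ",".join(h["reasons"]))
    print(hits_by_source(found))
```

The HTTP 500 on the flagged injection line is a useful secondary signal: a conversion error that reaches the client is exactly the hardening gap the attack slide describes, so 5xx responses correlated with these signatures are worth alerting on in their own right.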
Step 4: WAF + Vulnerability Scanner




 “Security No-Brainer #9: Application Vulnerability Scanners
  Should Communicate with Application Firewalls”
                                             —Neil MacDonald, Gartner

 Source: http://blogs.gartner.com/neil_macdonald/2009/08/19/security-no-brainer-9-application-vulnerability-scanners-should-communicate-with-application-firewalls/
3rd Party Code Mitigation Checklist
Technical Level Recommendations

 Assume third-party code – coming from partners,
  vendors, or mergers and acquisitions – contains
  serious vulnerabilities
 Pen test before deployment to identify these issues
 Deploy the application behind a WAF to
      + Virtually patch pen test findings
      + Mitigate new risks (unknown at the time of the pen test)
      + Mitigate issues the pen tester missed
      + Use a cloud WAF for remotely hosted applications
 Virtually patch newly discovered CVEs
      + Requires a robust security update service
Webinar Materials

 Join Imperva LinkedIn Group, Imperva Data Security Direct, for…
      + Post-Webinar Discussions
      + Answers to Attendee Questions
      + Webinar Recording Link
      + Join Group
www.imperva.com





Key Features Of Token Development (1).pptx
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 

Lessons Learned From the Yahoo! Hack

  • 1. Lessons Learned From the Yahoo! Hack
    Amichai Shulman, CTO
    © 2013 Imperva, Inc. All rights reserved.
  • 2. Agenda
    - Finding the vulnerable Yahoo! app
      + A true cyber detective story
    - Yahoo! hack technical analysis
      + SQL Injection
      + Error based SQL Injection
    - The greater lesson
      + 3rd party code security
    - Summary and Conclusions
  • 3. Amichai Shulman – CTO Imperva
    - Speaker at Industry Events
      + RSA, Sybase Techwave, Info Security UK, Black Hat
    - Lecturer on Info Security
      + Technion - Israel Institute of Technology
    - Former security consultant to banks & financial services firms
    - Leads the Application Defense Center (ADC)
      + Discovered over 20 commercial application vulnerabilities
        – Credited by Oracle, MS-SQL, IBM and others
    Amichai Shulman is one of InfoWorld’s “Top 25 CTOs”
  • 4. Cyber Detective Story
  • 5. Breaking News – Yahoo! Has been Hacked
  • 6. Gathering Evidence
    - Hacker released a redacted screenshot of the allegedly hacked Yahoo! app
  • 7. Forensics – Turning Evidence into Insights (1)
    - Host name from address bar:
      + Ends in “yle.yahoo.net” (not “yahoo.com”)
      + It has a relatively long host name
  • 8. Forensics – Turning Evidence into Insights (2)
    - Error message
      + The application is powered by ASP.NET
        – Most Yahoo! applications are PHP based
      + Application source file resides on C:webcorp[blackened by hacker]pYahooV2app_code
  • 9. Identifying the Vulnerable Yahoo! App (1)
    - Host name from address bar:
      + Ends in “yle.yahoo.net” (not “yahoo.com”)
      + It has a relatively long host name
  • 11. Identifying the Vulnerable Yahoo! App (2)
    - Error message
      + The application is powered by ASP.NET (not PHP like most Yahoo! applications)
      + Application source file resides on C:webcorp[blackened by hacker]pYahooV2app_code
  • 13. Yahoo! Hack Technical Analysis: Error Based SQL Injection
  • 14. Data Extraction Techniques by Hackers: 2005-2011 (chart)
    - SQL Injection: 83%; Other: 17%
    - Total = 315,424,147 records (856 breaches)
    - Source: Privacy Rights Clearinghouse
  • 15. SQL Injection Means Business, Literally
  • 16. SQL Injection: Technical Impact
    - Retrieve sensitive data from the organization
    - Steal the site’s administrator password
    - Lead to the downloading of malware
  • 17. Still A Very Relevant Attack
    - On average, we have identified 53 SQLi attacks per hour and 1,093 attacks per day.
  • 18. SQL Injections By the Hour – Highly Automated
  • 19. Main Automated Attack Tools
    - SQLmap
    - Havij
  • 20. Yahoo! Hack – MSSQL Injection with Conversion Errors
    - Attack vector:
      + ' and 1 = convert (int,(select top 1 table_name from x).
    - The server tries to convert the additional data (in this case the table name) to an integer
    - Character strings cannot be converted into an integer, so an error is triggered
    - If the system is not hardened, the error message is visible to the attacker, revealing the data
  • 21. MSSQL Injection with Conversion Errors
    - No need to be a hacker to exploit
    - Even script kiddies can do it with automated exploit tools
      + Havij
  • 22. From SQL Injection to Command Execution
    - In the case of SQL injection in an MSSQL DB, the attacker can leverage it to run arbitrary commands using the “XP_CMDSHELL” system stored procedure
    - Supported by exploit tools
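As an added example (not code from the Imperva deck), here is a small Python log triage routine that flags the two MSSQL techniques the slides name (conversion-error probes and xp_cmdshell) and the automated-tool User-Agents from slide 19, run over constructed sample log lines. The log layout, the horoscope.aspx path and the "havij" User-Agent token are assumptions; sqlmap's default User-Agent does carry its name.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (simplified combined-log style); made up
# for this example, not log data from the incident on the slides.
SAMPLE_LOGS = [
    '10.0.0.5 "GET /horoscope.aspx?sign=aries HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 "GET /horoscope.aspx?sign=aries%27+and+1+%3D+convert%28int%2C%28select+top+1+table_name+from+x%29%29 HTTP/1.1" 500 "Mozilla/5.0"',
    '10.0.0.9 "GET /horoscope.aspx?sign=1%27%3Bexec/**/xp_cmdshell-- HTTP/1.1" 500 "Mozilla/5.0"',
    '10.0.0.11 "GET /horoscope.aspx?sign=aries HTTP/1.1" 200 "sqlmap/1.0 (http://sqlmap.org)"',
]

LOG_RE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$')

# Signatures for the two MSSQL techniques named on the slides, matched against
# the decoded, lower-cased, comment-stripped query string.
QUERY_SIGNATURES = {
    "mssql-conversion-error-probe": re.compile(r"\bconvert\s*\(\s*int\s*,\s*\(?\s*select\b"),
    "mssql-xp_cmdshell": re.compile(r"\bxp_cmdshell\b"),
}
# Tokens carried by scanner default User-Agents (sqlmap's is known; "havij" is an assumption).
TOOL_UA_TOKENS = ("sqlmap", "havij")


def normalize_query(url: str) -> str:
    """Decode and canonicalise the query string so simple evasions (URL or double
    encoding, inline /**/ comments, odd whitespace) don't hide a probe."""
    decoded = unquote_plus(unquote_plus(urlsplit(url).query))
    no_comments = re.sub(r"/\*.*?\*/", " ", decoded)
    return re.sub(r"\s+", " ", no_comments).lower()


def classify_request(url: str, user_agent: str) -> list:
    """Return the names of every signature that fires for one request."""
    query = normalize_query(url)
    findings = [name for name, rx in QUERY_SIGNATURES.items() if rx.search(query)]
    if any(tok in user_agent.lower() for tok in TOOL_UA_TOKENS):
        findings.append("automated-tool-user-agent")
    return findings


def analyze_log(lines) -> list:
    """Parse each log line and keep only those with at least one finding."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that don't fit the expected layout
        ip, _method, url, status, ua = m.groups()
        findings = classify_request(url, ua)
        if findings:
            hits.append({"ip": ip, "status": int(status), "findings": findings})
    return hits
```

An HTTP 500 paired with a conversion-error probe is the case worth checking first, since it is the combination in which a verbose error page may have echoed data back.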
  • 23. 3rd Party Code Security
  • 24. Vulnerable Application is a 3rd Party Application
    - “The leading astrology portal in India… formed co-branded channel alliances with internationally recognized brands such as MSN, Yahoo! and Google”
  • 25. Vulnerable Application is Hosted by 3rd Party
    - Routing of users from Yahoo! to Astroyogi.com with a DNS alias
    - “in.horoscopes.lifestyle.yahoo.net” → “yahoo.astroyogi.com”
  • 26. You Don’t Own the Code of All Your Applications
    - Yahoo! is not alone
    - Many organizations embed 3rd party applications, either as code or by hosting
    - 28% of Veracode assessed applications are identified as created by a 3rd party
  • 27. You Don’t Even Own All the Code of YOUR Applications
    - Even homegrown applications are mostly comprised of 3rd party code
    - According to Veracode:
      + “Up to 70% of internally developed code originates outside of the development team”
  • 28. Third Party Code Related Breaches
  • 29. Becoming Part of OWASP Top 10
  • 30. Recommendations
  • 31. SQL Injection Mitigation Checklist
  • 32. Step 1: Use a WAF to Detect SQL Injection
    - Positives
      + Can block many attacks
      + Relatively easy
    - Negatives
      + Can become a crutch
      + Potential for false positives
  • 33. Step 2: Deploy Reputation Based Solution
    - Positives
      + Blocks up to 40% of attack traffic
      + Easy
    - Negatives
      + Does not deal with the underlying problem
  • 34. Step 3: Stop Automated Attack Tools
    - Positives
      + Detects automated tool fingerprints to block attacks
      + Relatively easy
    - Negatives
      + Potential for false positives
  • 35. Step 4: WAF + Vulnerability Scanner
    “Security No-Brainer #9: Application Vulnerability Scanners Should Communicate with Application Firewalls” —Neil MacDonald, Gartner
    Source: http://blogs.gartner.com/neil_macdonald/2009/08/19/security-no-brainer-9-application-vulnerability-scanners-should-communicate-with-application-firewalls/
  • 36. 3rd Party Code Mitigation Checklist
  • 37. Technical Level Recommendations
    - Assume third-party code – coming from partners, vendors, or mergers and acquisitions – contains serious vulnerabilities
    - Pen test before deployment to identify these issues
    - Deploy the application behind a WAF to
      + Virtually patch pen test findings
      + Mitigate new risks (unknown at pen test time)
      + Mitigate issues the pen tester missed
      + Use a cloud WAF for remotely hosted applications
    - Virtually patch newly discovered CVEs
      + Requires a robust security update service
  • 38. Webinar Materials
    Join the Imperva LinkedIn Group, Imperva Data Security Direct, for…
    - Answers to Attendee Questions
    - Post-Webinar Discussions
    - Webinar Recording Link
    [Join Group]