Uploaded bykarthz
58 views

Security guidelines

The document outlines essential security guidelines for safeguarding customer environments, emphasizing the security gaps that arise from a lack of collaboration between security professionals and application developers. It discusses various application vulnerabilities and outlines best practices for incorporating security into the software development lifecycle, including threat modeling and the use of security assessments. Additionally, it highlights the importance of educating developers, managing user access, and maintaining updated security protocols to protect against known vulnerabilities.

Embed presentation

SECURITY GUIDELINES ARE WE RIGHTLY SAFEGUARDING OUR CUSTOMER ENVIRONMENTS ? Karthik Sagar P Technology Evangelist Karthiksagar.p@outlook.com
“Every program has at least two purposes: the one for which it was written, and another for which it wasn't.” -Alan J. Perlis
SAMPLE Let see an example
EVAL () • eval() like functions takes string argument and • evaluate those as source code • var x = req.body.x; • var y = req.body.y; • var sum = eval(a + "+" + b);what if attacker fills 'x' with: some.super.class.wipe.the.database('now’); LOL :)
WHY APPLICATION VULNERABILITIES OCCUR
SECURITY GAP Security Professionals Don’t Know The Applications Application Developers and QA Professionals Don’t Know Security The Web Application Security Gap “As a Network Security Professional, I don’t know how my companies web applications are supposed to work so I deploy a protective solution…but don’t know if it’s protecting what it’s supposed to.” “As an Application Developer, I can build great features and functions while meeting deadlines, but I don’t know how to develop my web application with security as a feature.”
VULNERABILITIES Platform Administration Application Known Vulnerabilities Extension Checking Common File Checks Data Extension Checking Backup Checking Directory Enumeration Path Truncation Hidden Web Paths Forceful Browsing Application Mapping Cookie Manipulation Custom Application Scripting Parameter Manipulation Reverse Directory Transversal Brute Force Application Mapping Cookie Poisoning/Theft Buffer Overflow scripting Application vulnerabilities occur in multiple areas.
HOW TO SECURE APPLICATIONS
WHAT I SAY ! The best way to secure anything is to learn how someone can break it
HOW? • Incorporating security into lifecycle • Integrate security into application requirements • Including information security professionals in software architecture/design review • Security APIs & libraries (e.g. ESAPI, Validator, etc.) when possible • Threat modeling • Web application vulnerability assessment tools (VAPT)
SECURE YOUR DB
DB SECURITY • User Access Management –Authentication • User Rights Management – Authorization • Auditing • Environmental and Process Control • Encryption • Network Encryption • Network Filter • Binding IP Addresses • Running in VPNs • Dedicated OS User Account. • File System Permissions • Query Injection • Physical Access Controls Environment & Processes SSL Encryption for DB communication
ENVIRONMENT & PROCESSES •Network Filter Binding IP Addresses Running in VPNs Dedicated OS User Account. File System Permissions Query Injection Physical Access Controls
MY ARCHITECTURE SSL Web Application Mobile Application Firewall Port No’s: 83 & 2011 Public IP App Server Port :83 Port :88 Public IP – Static IP Web Server Port :2011 Public IP – Static IP Port :2016 Static IP 1 Static IP 3 DB Server DB Node Web Server Port:271 8 SSL Bind IP :Static IP 1 Traffic Log Customer Environment
EDUCATE Developers • Software security best practices Security Professionals • Software development • Software coding best practices Testers • Methods for identifying vulnerabilitie s Executives, System Owners, etc Understanding the risk and why they should be concerned Who is your Security Owner ?
CREATING THE RISK ASSESSMENT
RESIDUAL RISK TABLES
PRACTISE • Update your DB and application versions • Always ensure to move your traffic through firewall • Identify security owner for your applications • Test for what it has not been developed for • Create rules in the firewall • Educate your network administrator • Prepare Risk Assessment blog
QUESTION AND ANSWERS ?
THANK YOU
REFERENCES • https://www.slideshare.net/LiranTal1/nodejs-security-done-right-tips-and-tricks-they-wont-teach- you-in- school?utm_source=slideshow&utm_medium=ssemail&utm_campaign=download_notification • https://docs.mongodb.com/manual/security/
BACKUP SLIDES
Platform Known Vulnerabilities PLATFORM • Known vulnerabilities can be exploited immediately with a minimum amount of skill or experience – “script kiddies” • Most easily defendable of all web vulnerabilities • MUST have streamlined patching procedures
Administration Extension Checking Common File Checks Data Extension Checking Backup Checking Directory Enumeration Path Truncation Hidden Web Paths Forceful Browsing • Less easily corrected than known issues • Require increased awareness • More than just configuration, must be aware of security flaws in actual content • Remnant files can reveal applications and versions in use • Backup files can reveal source code and database connection strings ADMINISTRATION
• Common coding techniques do not necessarily include security • Input is assumed to be valid, but not tested • Unexamined input from a browser can inject scripts into page for replay against later visitors • Unhandled error messages reveal application and database structures • Unchecked database calls can be ‘piggybacked’ with a hacker’s own database call, giving direct access to business data through a web browser Application Application Mapping Cookie Manipulation Custom Application Scripting Parameter Manipulation Reverse Directory Transversal Brute Force Application Mapping Cookie Poisoning/Theft Buffer Overflow SQL Injection Cross-site scripting APPLICATION

More Related Content

PPTX
CSS 17: NYC - Stories from the SOC
byAlert Logic
 
PPTX
CSS 17: NYC - Realities of Security in the Cloud
byAlert Logic
 
PPTX
CSS 17: NYC - Protecting your Web Applications
byAlert Logic
 
PDF
Automated Security Testing
byseleniumconf
 
PPTX
Security testautomation
byLinkesh Kanna Velu
 
PPTX
CSS 17: NYC - Building Secure Solutions in AWS
byAlert Logic
 
PDF
Security in practice with Java EE 6 and GlassFish
byMarkus Eisele
 
PPTX
Alfredo Reino - Monitoring aws and azure
byDevSecCon
 
CSS 17: NYC - Stories from the SOC
byAlert Logic
 
CSS 17: NYC - Realities of Security in the Cloud
byAlert Logic
 
CSS 17: NYC - Protecting your Web Applications
byAlert Logic
 
Automated Security Testing
byseleniumconf
 
Security testautomation
byLinkesh Kanna Velu
 
CSS 17: NYC - Building Secure Solutions in AWS
byAlert Logic
 
Security in practice with Java EE 6 and GlassFish
byMarkus Eisele
 
Alfredo Reino - Monitoring aws and azure
byDevSecCon
 

What's hot

PPTX
Hacker Proof web app using Functional tests
byAnkita Gupta
 
PDF
The Joy of Proactive Security
byAndy Hoernecke
 
PPTX
OpenSourceSecurityTools - UPDATED
bySparsh Raj
 
PDF
Proactive Security AppSec Case Study
byAndy Hoernecke
 
PDF
Stories from the Security Operations Center (S.O.C.)
byAlert Logic
 
PPTX
Essential security measures in ASP.NET MVC
byRafał Hryniewski
 
PDF
Realities of Security in the Cloud - CSS ATX 2017
byAlert Logic
 
PDF
IglooConf 2019 Secure your Azure applications like a pro
byKarl Ots
 
PDF
CSS17: Houston - Protecting Web Apps
byAlert Logic
 
PDF
Managed Threat Detection & Response for AWS Applications
byAlert Logic
 
PDF
How to Harden the Security of Your .NET Website
byDNN
 
PPTX
Web Application Security 101
byJannis Kirschner
 
PDF
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
byChristian Schneider
 
PDF
Protecting Against Web App Attacks
byAlert Logic
 
PDF
5 step plan to securing your APIs
by💻 Javier Garza
 
PPTX
AllDayDevOps 2019 AppSensor
byjtmelton
 
PDF
DevSecOps: Minimizing Risk, Improving Security
byFranklin Mosley
 
PPTX
SecDevOps 2.0 - Managing Your Robot Army
byconjur_inc
 
PDF
Managed Threat Detection and Response
byAlert Logic
 
PDF
Stories from the Security Operations Center
byAlert Logic
 
Hacker Proof web app using Functional tests
byAnkita Gupta
 
The Joy of Proactive Security
byAndy Hoernecke
 
OpenSourceSecurityTools - UPDATED
bySparsh Raj
 
Proactive Security AppSec Case Study
byAndy Hoernecke
 
Stories from the Security Operations Center (S.O.C.)
byAlert Logic
 
Essential security measures in ASP.NET MVC
byRafał Hryniewski
 
Realities of Security in the Cloud - CSS ATX 2017
byAlert Logic
 
IglooConf 2019 Secure your Azure applications like a pro
byKarl Ots
 
CSS17: Houston - Protecting Web Apps
byAlert Logic
 
Managed Threat Detection & Response for AWS Applications
byAlert Logic
 
How to Harden the Security of Your .NET Website
byDNN
 
Web Application Security 101
byJannis Kirschner
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
byChristian Schneider
 
Protecting Against Web App Attacks
byAlert Logic
 
5 step plan to securing your APIs
by💻 Javier Garza
 
AllDayDevOps 2019 AppSensor
byjtmelton
 
DevSecOps: Minimizing Risk, Improving Security
byFranklin Mosley
 
SecDevOps 2.0 - Managing Your Robot Army
byconjur_inc
 
Managed Threat Detection and Response
byAlert Logic
 
Stories from the Security Operations Center
byAlert Logic
 

Similar to Security guidelines

PPTX
00. introduction to app sec v3
byEoin Keary
 
PPTX
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
byRyan Elkins
 
PDF
C01461422
byIOSR Journals
 
PPTX
Application security
byHagar Alaa el-din
 
PDF
OWASP Top 10 List Overview for Web Developers
byBenjamin Floyd
 
PDF
Designing Secure APIs
bySteven Chen
 
PDF
Application Security - Your Success Depends on it
byWSO2
 
PDF
Owasp Top 10-2013
byn|u - The Open Security Community
 
PDF
Web App Security: Top Threats and How to Protect Your App.pdf
byNathan Smith
 
PDF
Top 10 Vulnerabilities Exploited by Hackers.pdf
bymanisha06650
 
PPT
Web Application Testing for Today’s Biggest and Emerging Threats
byAlan Kan
 
PPT
Bank One App Sec Training
byMike Spaulding
 
PPTX
Presentation on Top 10 Vulnerabilities in Web Application
byMd Mahfuzur Rahman
 
PDF
Best Practices for Secure Web Application Development by Site Invention.pdf
bysiteseo
 
PPTX
Application Security: What do we need to know?
byJose L. Quiñones-Borrero
 
PDF
GitHub: Secure Software Development for Financial Services
byDebbie A. Everson
 
PPTX
Lecture......................... wmas.pptx
bymegonaoffi
 
PPT
Web Application Security
byColin English
 
PDF
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
byVeracode
 
PDF
Secure Coding principles by example: Build Security In from the start - Carlo...
byCodemotion
 
00. introduction to app sec v3
byEoin Keary
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
byRyan Elkins
 
C01461422
byIOSR Journals
 
Application security
byHagar Alaa el-din
 
OWASP Top 10 List Overview for Web Developers
byBenjamin Floyd
 
Designing Secure APIs
bySteven Chen
 
Application Security - Your Success Depends on it
byWSO2
 
Owasp Top 10-2013
byn|u - The Open Security Community
 
Web App Security: Top Threats and How to Protect Your App.pdf
byNathan Smith
 
Top 10 Vulnerabilities Exploited by Hackers.pdf
bymanisha06650
 
Web Application Testing for Today’s Biggest and Emerging Threats
byAlan Kan
 
Bank One App Sec Training
byMike Spaulding
 
Presentation on Top 10 Vulnerabilities in Web Application
byMd Mahfuzur Rahman
 
Best Practices for Secure Web Application Development by Site Invention.pdf
bysiteseo
 
Application Security: What do we need to know?
byJose L. Quiñones-Borrero
 
GitHub: Secure Software Development for Financial Services
byDebbie A. Everson
 
Lecture......................... wmas.pptx
bymegonaoffi
 
Web Application Security
byColin English
 
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
byVeracode
 
Secure Coding principles by example: Build Security In from the start - Carlo...
byCodemotion
 

Recently uploaded

PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PDF
apidays New York 2025 | AI in Application Security
byapidays
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PPTX
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PPTX
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
PDF
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
apidays New York 2025 | AI in Application Security
byapidays
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 

Security guidelines

  • 1.
    SECURITY GUIDELINES ARE WERIGHTLY SAFEGUARDING OUR CUSTOMER ENVIRONMENTS ? Karthik Sagar P Technology Evangelist Karthiksagar.p@outlook.com
  • 2.
    “Every program hasat least two purposes: the one for which it was written, and another for which it wasn't.” -Alan J. Perlis
  • 3.
  • 4.
    EVAL () • eval()like functions takes string argument and • evaluate those as source code • var x = req.body.x; • var y = req.body.y; • var sum = eval(a + "+" + b);what if attacker fills 'x' with: some.super.class.wipe.the.database('now’); LOL :)
  • 5.
  • 6.
    SECURITY GAP Security ProfessionalsDon’t Know The Applications Application Developers and QA Professionals Don’t Know Security The Web Application Security Gap “As a Network Security Professional, I don’t know how my companies web applications are supposed to work so I deploy a protective solution…but don’t know if it’s protecting what it’s supposed to.” “As an Application Developer, I can build great features and functions while meeting deadlines, but I don’t know how to develop my web application with security as a feature.”
  • 7.
    VULNERABILITIES Platform Administration Application Known Vulnerabilities Extension Checking CommonFile Checks Data Extension Checking Backup Checking Directory Enumeration Path Truncation Hidden Web Paths Forceful Browsing Application Mapping Cookie Manipulation Custom Application Scripting Parameter Manipulation Reverse Directory Transversal Brute Force Application Mapping Cookie Poisoning/Theft Buffer Overflow scripting Application vulnerabilities occur in multiple areas.
  • 8.
    HOW TO SECUREAPPLICATIONS
  • 9.
    WHAT I SAY! The best way to secure anything is to learn how someone can break it
  • 10.
    HOW? • Incorporating securityinto lifecycle • Integrate security into application requirements • Including information security professionals in software architecture/design review • Security APIs & libraries (e.g. ESAPI, Validator, etc.) when possible • Threat modeling • Web application vulnerability assessment tools (VAPT)
  • 11.
  • 12.
    DB SECURITY • UserAccess Management –Authentication • User Rights Management – Authorization • Auditing • Environmental and Process Control • Encryption • Network Encryption • Network Filter • Binding IP Addresses • Running in VPNs • Dedicated OS User Account. • File System Permissions • Query Injection • Physical Access Controls Environment & Processes SSL Encryption for DB communication
  • 13.
    ENVIRONMENT & PROCESSES •Network FilterBinding IP Addresses Running in VPNs Dedicated OS User Account. File System Permissions Query Injection Physical Access Controls
  • 14.
    MY ARCHITECTURE SSL Web Application Mobile Application Firewall Port No’s: 83& 2011 Public IP App Server Port :83 Port :88 Public IP – Static IP Web Server Port :2011 Public IP – Static IP Port :2016 Static IP 1 Static IP 3 DB Server DB Node Web Server Port:271 8 SSL Bind IP :Static IP 1 Traffic Log Customer Environment
  • 15.
    EDUCATE Developers • Software security best practices Security Professionals •Software development • Software coding best practices Testers • Methods for identifying vulnerabilitie s Executives, System Owners, etc Understanding the risk and why they should be concerned Who is your Security Owner ?
  • 16.
  • 17.
  • 18.
    PRACTISE • Update yourDB and application versions • Always ensure to move your traffic through firewall • Identify security owner for your applications • Test for what it has not been developed for • Create rules in the firewall • Educate your network administrator • Prepare Risk Assessment blog
  • 19.
  • 20.
  • 21.
  • 22.
  • 23.
    Platform Known Vulnerabilities PLATFORM • Known vulnerabilitiescan be exploited immediately with a minimum amount of skill or experience – “script kiddies” • Most easily defendable of all web vulnerabilities • MUST have streamlined patching procedures
  • 24.
    Administration Extension Checking Common FileChecks Data Extension Checking Backup Checking Directory Enumeration Path Truncation Hidden Web Paths Forceful Browsing • Less easily corrected than known issues • Require increased awareness • More than just configuration, must be aware of security flaws in actual content • Remnant files can reveal applications and versions in use • Backup files can reveal source code and database connection strings ADMINISTRATION
  • 25.
    • Common codingtechniques do not necessarily include security • Input is assumed to be valid, but not tested • Unexamined input from a browser can inject scripts into page for replay against later visitors • Unhandled error messages reveal application and database structures • Unchecked database calls can be ‘piggybacked’ with a hacker’s own database call, giving direct access to business data through a web browser Application Application Mapping Cookie Manipulation Custom Application Scripting Parameter Manipulation Reverse Directory Transversal Brute Force Application Mapping Cookie Poisoning/Theft Buffer Overflow SQL Injection Cross-site scripting APPLICATION