[SECURITY]
Wednesday, 12-Dec-2017
Topics
- Why Security?
- Different types of security risks
- Different types of hackers
- Why are some web apps frequently insecure?
- Modern app risks could be even worse
  - Cloud
  - Mobility
  - IoT (Internet of Things)
- How does IBM categorize security threats?
- IBM security products and services
Why Security? What if the application is not secured?
- Confidential customer data can be stolen
- An unauthorized person can log in to the system, pretend to be a valid user and make transactions
- The website can be crashed completely
- Users can be redirected to spam websites
- Web page content can be replaced with the hacker's content
- Contact lists can be stolen and spam emails sent from your email account
- Application business logic can be modified to perform malicious activities
- Spam posts and blogs can be uploaded from your account
Different types of security risks
Most of the critical web application security flaws can be covered under the Top 10 list of security risks published by OWASP. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.
“The Open Web Application Security Project (OWASP) is an online community which creates freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.”
https://www.owasp.org/
Top 10 security risks by OWASP
A1 - Injection
Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
Example: http://example.com/app/accountView?id=' or '1'='1
“In July 2012 a hacker group stole 450,000 login credentials from Yahoo! The logins were stored in plain text and were allegedly taken from a Yahoo subdomain, Yahoo! Voices. The group breached Yahoo's security by using a ‘union-based SQL injection technique’.”
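As an added example, not taken from the slides or from OWASP, the accountView lookup above is reproduced against an in-memory SQLite table, with the parameterized query beside the string-concatenated one; the table, its columns and the function names are constructed for the demonstration:

```python
import sqlite3

# Constructed in-memory data standing in for the accountView back end.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("1001", "alice", 250), ("1002", "bob", 900), ("1003", "carol", 40)],
    )
    conn.commit()
    return conn

def account_view_vulnerable(conn, account_id):
    # The request parameter is concatenated into the query text, so the
    # interpreter treats whatever it contains as SQL rather than as a value.
    sql = "SELECT id, owner, balance FROM accounts WHERE id = '" + account_id + "'"
    return conn.execute(sql).fetchall()

def account_view_safe(conn, account_id):
    # Parameterized query: the driver binds the value as data, so no input
    # can change the structure of the statement.
    sql = "SELECT id, owner, balance FROM accounts WHERE id = ?"
    return conn.execute(sql, (account_id,)).fetchall()

# The id value from the slide's example URL: accountView?id=' or '1'='1
PAYLOAD = "' or '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("normal lookup     :", account_view_vulnerable(db, "1001"))
    print("vulnerable+payload:", account_view_vulnerable(db, PAYLOAD))  # every row comes back
    print("safe+payload      :", account_view_safe(db, PAYLOAD))        # no row has that literal id
```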
A2 - Broken Authentication and Session Management
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.
Example (session id exposed in the URL): http://example.com/sale/saleitems;jsessionid=2P0OC2JSNDLPSKHCJUN2JV?car_model=BMW_335i
“Intruders accessed Target's network on Nov. 15, 2013 using network credentials stolen from a provider of refrigeration and HVAC systems.”
A3 – Cross-Site Scripting (XSS)
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
Example: <script> name='alert(document.domain)'; location.href='http://tw.adspecs.yahoo.com/tc/index.php'; </script>
“(January 2013) Hackers exploit a cross-site scripting (XSS) vulnerability in a Yahoo website to hijack the email accounts of Yahoo users and use them for spam. In the background, a piece of JavaScript code exploits a cross-site scripting (XSS) vulnerability in the Yahoo Developer Network (YDN) Blog site in order to steal the visitor's Yahoo session cookie.”
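An added example (not from the slides or from Yahoo's code) of the "proper escaping" the slide calls for: the page's script payload is treated as a user-supplied display name and rendered unescaped, then escaped for each output context it lands in. The profile page, its helper names and the CSP header are constructed for the demonstration:

```python
import html
from urllib.parse import quote

# Constructed sample: the slide's example payload arriving as a user-supplied display name.
UNTRUSTED_NAME = ("<script> name='alert(document.domain)'; "
                  "location.href='http://tw.adspecs.yahoo.com/tc/index.php'; </script>")

def render_profile_vulnerable(name):
    # Untrusted data pasted straight into the page: the browser parses the <script> tag.
    return "<h1>Welcome " + name + "</h1><a title='" + name + "'>profile</a>"

def render_profile_safe(name):
    # Escape for the context the data lands in. html.escape(quote=True) covers both an
    # HTML text node and a quoted attribute value: < > & " ' all become entities, so the
    # browser shows the payload as literal text instead of executing it.
    safe = html.escape(name, quote=True)
    return "<h1>Welcome " + safe + "</h1><a title='" + safe + "'>profile</a>"

def profile_link_safe(name):
    # A third context, a URL query parameter, needs URL encoding, not HTML escaping.
    return "/profile?user=" + quote(name, safe="")

def security_headers():
    # Defence in depth: a Content-Security-Policy that refuses inline script limits the
    # damage if an escaping bug slips through; it does not replace escaping.
    return {"Content-Security-Policy": "default-src 'self'; script-src 'self'"}

def contains_script_element(fragment):
    # Check used below: did a <script ...> start tag survive into the rendered markup?
    return "<script" in fragment.lower()

if __name__ == "__main__":
    print(contains_script_element(render_profile_vulnerable(UNTRUSTED_NAME)))  # True
    print(contains_script_element(render_profile_safe(UNTRUSTED_NAME)))        # False
    print(profile_link_safe(UNTRUSTED_NAME))
```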
A4 – Insecure Direct Object References
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
Example: http://www.victim.com/global.asa+.htr
“WordPress Site Hacks Continue: 70% of WordPress sites are running outdated software; recent examples hit MIT, NEA and Penn State servers.” (Information Week, 10/1/2013) The .htaccess file of WordPress is often not properly protected, which makes the site vulnerable.
A5 – Security Misconfiguration
Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
Example: Web server admin password set to "password"
“Hardened eCommerce server started sending spam email for one day, then suddenly stopped. Firewall administrator had accidentally made a rule change.”
A6 – Sensitive Data Exposure
Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
Example: Passwords stored unencrypted in the database
“The Sony PlayStation Network was compromised in April 2011; the personal details from approximately 77 million accounts were stolen, and users of PlayStation 3 and PlayStation Portable consoles were prevented from playing online through the service.”
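An added example, not from the slides, of the "passwords stored unencrypted" case beside the fix: the user table stores only a salted, slow PBKDF2 hash, and login compares in constant time. The table, the iteration count and the function names are constructed for the demonstration:

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000   # assumed tuning value; raise it as hardware improves
SALT_BYTES = 16

def hash_password(password):
    # Never store the password itself: store a slow, per-user-salted one-way hash of it.
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )

def verify_password(password, stored):
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # Constant-time comparison so response timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, expected)

# Constructed user table (dict of username -> stored credential).
def store_user_vulnerable(table, username, password):
    table[username] = password            # plain text: a database dump exposes every credential

def store_user_safe(table, username, password):
    table[username] = hash_password(password)

def login_safe(table, username, password):
    stored = table.get(username)
    if stored is None:
        # Run the hash anyway so an unknown user takes as long as a wrong password.
        hash_password(password)
        return False
    return verify_password(password, stored)

if __name__ == "__main__":
    users = {}
    store_user_safe(users, "alice", "correct horse battery")
    print(users["alice"])                                   # no trace of the password
    print(login_safe(users, "alice", "correct horse battery"))  # True
    print(login_safe(users, "alice", "wrong"))              # False
```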
A7 – Missing Function Level Access Control
Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.
Example: https://vmware1/folder?dcPath=ha-datacenter
The server must prohibit the ability to execute a function, not just hide the page from the navigation.
“Server hack prompts call for cPanel customers to take ‘immediate action’: Change root and account passwords and rotate SSH keys, company advises.” (Ars Technica, February 2013)
A8 - Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf, like changing the victim's e-mail address, home address, or password, or purchasing something. CSRF attacks generally target functions that cause a state change on the server but can also be used to access sensitive data.
Example: A malware-infected web browser at a hotel steals cookies and allows login to an airline site
“Security researcher Ronen Zilberman publicly disclosed a new Cross-Site Request Forgery (CSRF) attack vector that uses an HTML image tag to steal a Facebook user's information. According to Zilberman's disclosure, the user needs only to load an infected page to launch the attack.” (Internet News, 8/20/2009)
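An added example, not from the slides, of the standard defence for the state-changing functions named above: a synchronizer token bound to the session, accepted only on POST, compared in constant time, plus a SameSite session cookie. The secret, the change-email handler and the profile store are constructed for the demonstration:

```python
import hashlib
import hmac
import secrets

# Assumed server-side secret; a real deployment loads it from configuration.
SECRET_KEY = secrets.token_bytes(32)

def issue_csrf_token(session_id):
    # Synchronizer token bound to the session: a page on another origin cannot read it
    # (same-origin policy) and cannot compute it (it needs SECRET_KEY).
    return hmac.new(SECRET_KEY, session_id.encode("utf-8"), hashlib.sha256).hexdigest()

def authorize_state_change(method, session_id, submitted_token):
    # State-changing functions (e-mail, address, password, purchase) accept POST only, so
    # a request triggered by an image tag, as in the quoted disclosure, arrives as GET and
    # is refused before any token is even looked at.
    if method.upper() != "POST":
        return False
    if not session_id or not submitted_token:
        return False
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected, submitted_token)

def change_email(method, session_id, submitted_token, new_email, profiles):
    # Constructed handler: profiles maps session_id -> profile dict.
    if not authorize_state_change(method, session_id, submitted_token):
        return 403
    profiles[session_id]["email"] = new_email
    return 200

def session_cookie_header(session_id):
    # Defence in depth: SameSite stops the browser attaching the session cookie to
    # cross-site requests at all, and HttpOnly keeps page scripts from reading it.
    return "Set-Cookie: JSESSIONID=%s; Secure; HttpOnly; SameSite=Lax" % session_id

if __name__ == "__main__":
    profiles = {"sess-1": {"email": "old@example.com"}}
    token = issue_csrf_token("sess-1")
    print(change_email("GET", "sess-1", None, "x@example.net", profiles))    # 403
    print(change_email("POST", "sess-1", None, "x@example.net", profiles))   # 403
    print(change_email("POST", "sess-1", token, "new@example.com", profiles))  # 200
    print(session_cookie_header("sess-1"))
```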
A9 - Using Components with Known Vulnerabilities
Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.
Example: Using an outdated version of the Apache web server
“Heartbleed. Technically the vulnerability was not 'known'; however, this illustrates how a single component vulnerability can have widespread impact.”
A10 – Unvalidated Redirects and Forwards
Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
Example: A link within a site to a different server that accepts payments.
“Super Bowl-Related Web Sites Hacked” (PC World, 2/2/2007): “The Dolphins' sites were serving up malicious JavaScript code that exploited two known Windows vulnerabilities, then attempted to connect with a second Web server that installs a Trojan horse downloader and a password stealing program on the victim's computer.”
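An added example, not from the slides, of the "proper validation" of a redirect destination taken from a request parameter: site-relative paths and an allowlist of hosts (including a separate payment server, as in the slide's example) pass; everything else falls back to a default. The host names and the parameter handling are constructed for the demonstration:

```python
from urllib.parse import urlparse

# Constructed allowlist: the site itself and the separate payment server the slide
# mentions as a legitimate forward target.
ALLOWED_HOSTS = {"www.example.com", "pay.example.com"}
DEFAULT_TARGET = "/"

def safe_redirect_target(next_param):
    """Return next_param if it is an acceptable destination, otherwise DEFAULT_TARGET."""
    if not next_param:
        return DEFAULT_TARGET
    target = next_param.strip()
    # Browsers treat '//host' and '/\host' as absolute URLs even when urlparse does not.
    if target.startswith("//") or target.startswith("/\\"):
        return DEFAULT_TARGET
    parts = urlparse(target)
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path: allowed only if it is anchored at the site root.
        return target if target.startswith("/") else DEFAULT_TARGET
    if parts.scheme != "https":
        return DEFAULT_TARGET          # javascript:, data:, http: and anything else
    # parts.hostname drops user-info and port, so 'https://www.example.com@other' is judged
    # by 'other', which is what the browser would actually connect to.
    if parts.hostname and parts.hostname.lower() in ALLOWED_HOSTS:
        return target
    return DEFAULT_TARGET

if __name__ == "__main__":
    for candidate in ["/account/orders",
                      "https://pay.example.com/checkout?order=42",
                      "//phish.example/login",
                      "https://www.example.com@phish.example/",
                      "javascript:alert(1)"]:
        print(repr(candidate), "->", safe_redirect_target(candidate))
```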
WebGoat with all risks
WebGoat is a deliberately insecure web application maintained by OWASP, designed to teach web application security lessons. You can install and practice with WebGoat. There are other 'goats', such as WebGoat for .NET.
In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers.
The application aims to provide a realistic teaching environment, providing users with hints and code to further explain the lesson.
https://github.com/WebGoat/WebGoat/releases
Different types of hackers
Outsiders: Individuals or groups that seek to gain protected information by infiltrating the organization from outside and taking over the profile of a trusted user.
Malicious Insiders: An insider is an individual with privileged access to an IT system in an organization. An insider threat can be defined as ‘a current or former employee, contractor or other business partner with access to the organization’s network, system or data who intentionally misuses them or whose access results in misuse’. Insider threats aren’t just employees; they can also be vendors, or even volunteers that come in and work in the organization.
Inadvertent Actor: A trusted insider who causes a breach without intending to; these incidents are instigated by people you’d be likely to trust. IBM Security has released two reports to educate the public on these threats: the “IBM 2015 Cyber Security Intelligence Index” and the “IBM X-Force Threat Intelligence Quarterly – 2Q 2015.”
Why are some web apps frequently insecure?
- Underestimation of Risks and Threats Related to Insecure Web Applications
- Lack of Continuous Monitoring
- Missing or Poorly-Implemented Secure Software Development Life Cycle (S-SDLC)
- Dominance of Business Needs Over Security Processes
- Ignorance of Third-Party Risks
Modern app risks could be even worse
Cloud Computing
As companies accelerate their adoption of cloud technologies, the need for solutions that provide secure access and reliable operations in the cloud increases in importance. Using cloud technologies means distributing your data and applications to multiple data centers, effectively creating a new security perimeter: a new set of doors to guard.
Attackers can purchase cloud capacity just like you. Be sure you can customize the configuration of the security tools available from a cloud provider to fit your specific needs.
Modern app risks could be even worse
Mobility
The majority of mobile security breaches through 2016 will be the result of installing malicious apps. These apps are capable of auto-synchronizing data with personal cloud services and can easily leak personal data to hackers.
A growing number of mobile applications request permission to gather data that they do not need. Many free apps contain adware that captures information like contacts, device ID and so forth. This adware can trigger accidental web requests and even leak personal or business data to a third party.
Businesses that follow BYOD policies must take steps to minimize this problem in order to stay safe in today’s mobile-first environment.
Modern app risks could be even worse
IoT (Internet of Things)
Connected devices make it easier for malicious individuals to plant inconspicuous items that can record or steal company information.
What happens if the employees themselves are the ones who bring these devices and leave them lying about unsecured, unpatched, and filled with sensitive information? This is how lost, stolen or hacked devices or wearables can compromise a network. Nifty sensors or smart cameras can be very attractive targets for attackers looking to learn about an upcoming product launch or a clever marketing strategy.
References
- http://www.redbooks.ibm.com/redbooks/pdfs/sg248100.pdf
- https://www.owasp.org/index.php/Top_10_2013-Top_10
- Insider vs. Outsider Threats: Identify and Prevent - InfoSec Resources
- The Threat Is Coming From Inside the Network: Insider Threats Outrank External Attacks
- Why are web apps so frequently insecure? Here are five reasons | ITProPortal.com
- Five Burning Security Issues in Cloud Computing
- Mobile Security Issues Facing Businesses in 2016 - Information Security Buzz
- What to Consider Before Bringing IoT Devices and Wearables to the Workplace - Security News - Trend Micro USA
Thank you

Security risks awareness
