WEB APPLICATION SECURITY:
PROTECTING YOUR WEB
APPLICATION
Ryan Holland
Sr. Director, Cloud Architecture
Threats by Customer Environment (chart; source: Alert Logic 2015 customer data)
Cloud attacks, by category: Application attack, Brute force, Recon, Suspicious activity, Trojan activity (shares as extracted from the chart, in that order: 48%, 23%, 21%, 2%, 6%)
Brick-and-mortar attacks, same categories (shares as extracted, in that order: 25%, 47%, 10%, 11%, 7%)
Web Apps – Prime Target for Attackers
Sources: Cloud Security Spotlight Report 2016; Verizon DBIR 2016
Up 300% since 2014
Alert Logic data – breaking down web app attacks (source: Alert Logic ActiveWatch analysis, Aug 2015 through Dec 2016)
Chart: SQL injection, last 60 days
Vulnerabilities + change + shortage (of expertise)
Complexity of defending web applications and workloads
Risks are moving up the stack
1. Wide range of attacks at every layer of the stack
2. A rapidly changing codebase can introduce unknown vulnerabilities
3. Long tail of exposures inherited from 3rd-party development tools
4. Extreme shortage of cloud and application security expertise
Risk pyramid (top to bottom): Web app attacks (OWASP Top 10); platform and library attacks; system and network attacks
Perimeter and endpoint security tools fail to protect the cloud attack surface
Cloud attack surface, full stack: Web apps, server-side apps, app frameworks, dev platforms, server OS, hypervisor, databases, networking, cloud management
Web Application Security
Web Application Vulnerability Example
CVE-1999-0278 – in IIS, remote attackers can obtain
source code for ASP files by appending “::$DATA” to the
URL
Patch MS98-003
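The CVE above is an instance of a more general bug: the server chose a handler from the raw request string, so a suffix that NTFS understands (`::$DATA`, the file's default data stream) made the path stop matching `.asp` while still opening the same file. The following added example (not IIS code and not from the original slides) models that decision in Python: `naive_classify` reproduces the pre-fix logic and `hardened_classify` decodes, normalizes and rejects stream syntax before choosing a handler. The extension list is an assumption for the example.

```python
"""Modelling the CVE-1999-0278 bug class: the handler decision must be made on
a canonical path, not the raw request string. Added example; not IIS code."""
from urllib.parse import unquote
import posixpath

# Assumed handler mapping for this example: these extensions are executed
# server-side, everything else is served as a static file.
SCRIPT_EXTENSIONS = {".asp", ".aspx"}


def naive_classify(url_path: str) -> str:
    """Mirrors the pre-MS98-003 logic: look only at the raw path's suffix.
    '/default.asp::$DATA' does not end in '.asp', so it goes to the
    static-file handler, which opens the file's default NTFS data stream and
    returns the ASP source verbatim."""
    if url_path.lower().endswith(tuple(SCRIPT_EXTENSIONS)):
        return "script"
    return "static"


def hardened_classify(url_path: str) -> str:
    """Decode, normalize, then reject anything that names an NTFS stream before
    choosing a handler. Returns 'script', 'static' or 'reject'."""
    decoded = unquote(url_path)                       # %3A%3A%24DATA -> ::$DATA
    name = posixpath.basename(posixpath.normpath(decoded))
    if ":" in name:                                   # file::$DATA, file:stream
        return "reject"
    ext = posixpath.splitext(name)[1].lower()
    return "script" if ext in SCRIPT_EXTENSIONS else "static"


if __name__ == "__main__":
    for path in ("/default.asp", "/default.asp::$DATA",
                 "/default.asp%3A%3A%24DATA", "/images/logo.png"):
        print(f"{path:32} naive={naive_classify(path):7} "
              f"hardened={hardened_classify(path)}")
```

The lesson generalizes: percent-decoding, path normalization and platform-specific name syntax all have to be applied before any security decision, and a real server should make the decision on the canonical name the filesystem actually opens, since decoding rules are many and a denylist of one suffix is never complete.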
HOW WEB APPLICATIONS
BECOME VULNERABLE
Poor Coding Practices
• Unsanitized data
- User-controlled input
- Web forms
- URL query parameters
• Whitelisting (allowlisting)
- Constrain input to what is expected
- Accept only known, expected data
• Meta-character handling
- A quote ends the string literal and breaks up the query
- Names containing quotes should be the exception; pass them as bound parameters rather than stripping characters
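The three bullets above are one story: the same quote that lets an attacker rewrite a concatenated query also breaks the query for a legitimate O'Brien. This added example (SQLite in memory, not code from the slides) shows the vulnerable lookup, the parameterized one, and an allowlist in front of it. The table contents and the name pattern are constructed for the example.

```python
"""Unsanitized input vs. parameterized queries and an input allowlist.
Added example using SQLite in memory; not code from the original slides."""
import re
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample table; the second row is a legitimate name with a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.com"),
        ("O'Brien", "obrien@example.com"),
        ("bob", "bob@example.com"),
    ])
    return conn


def lookup_vulnerable(conn, name: str):
    """String concatenation: a quote in `name` closes the literal and whatever
    follows is parsed as SQL. This is the bug; do not copy it."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def quote_breaks_query(conn, name: str) -> bool:
    """True if the vulnerable lookup fails to parse for this input, which is
    how 'quotes break up a query' shows up for honest users."""
    try:
        lookup_vulnerable(conn, name)
        return False
    except sqlite3.Error:
        return True


def lookup_parameterized(conn, name: str):
    """The driver sends `name` as a bound value, so it can never change the
    query's structure; O'Brien is just data."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Assumed allowlist for this example: letters, spaces, hyphens and apostrophes,
# 1-64 characters. Apostrophes stay allowed because real names contain them;
# parameterization, not stripping, is what makes them safe.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,63}")


def lookup_allowlisted(conn, name: str):
    """Defense in depth: reject input outside the expected shape before it
    reaches the database, then still use a bound parameter."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"input rejected by allowlist: {name!r}")
    return lookup_parameterized(conn, name)


if __name__ == "__main__":
    db = setup_db()
    attack = "' OR '1'='1"
    print("vulnerable, attacker input ->", lookup_vulnerable(db, attack))
    print("vulnerable, O'Brien breaks ->", quote_breaks_query(db, "O'Brien"))
    print("parameterized, attacker    ->", lookup_parameterized(db, attack))
    print("parameterized, O'Brien     ->", lookup_parameterized(db, "O'Brien"))
```

Note the order of defenses: the allowlist rejects inputs that make no sense for the field, but the bound parameter is what actually prevents injection, so an allowlist that has to admit apostrophes (or is bypassed by an encoding the regex did not anticipate) does not weaken the query.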
Old Reliable Code and Processes
• Lack of code cleanup
- Old code that failed but was left in place
- Decommissioned backend systems
- Account credentials
- Backup systems
- Discovery of application topology (API and static links)
- Unnecessary comments and notes
Unpatched and Unsupported Code
• CMS versions are updated
- Vulnerable plug-ins and themes remain
o They still function
o No error codes
o The CMS application doesn't check them
• TimThumb WordPress plug-in
- Library used to resize larger images
- 39 million copies in operation
- Author announced end of support
- Plug-in exploited
Lack of Security Oversight
• Security is no longer just advisory
• Inject security into the SDLC
• Inject security requirements
• Make sure the technologies are secure
• Review all code, automatically and manually, at multiple points throughout the development process
• Test, test, test
• Continuous monitoring and scanning
HACKER RECON METHODS
Hacker Recon Methods
Crawling Target Website
Mass Vulnerability Crawl
Open Forums
Dark Web
Crawling Target Website
• Manual
- Browse the website as a normal user
- Gather email addresses, related domains and domain info
- Web application code language
o Revision
o Plug-ins
- Web server OS
- User input pages
- Directory structure
- Backend systems
• Software tools
- Find hidden forms, software versions, JavaScript files, links and comments
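What the "software tools" bullet automates is shown in this added example (standard library only; not a tool from the slides): a parser that pulls forms and hidden fields, script libraries and their version strings, HTML comments, the CMS generator tag and related hosts out of one page. The page it parses is constructed for the example, and the attacker-side reading of each finding is in the comments.

```python
"""Passive recon of a single page: forms and hidden fields, script libraries and
their versions, HTML comments, the CMS generator tag, and related hosts.
Added example (stdlib only); the page below is constructed, not a real site."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_PAGE = """\
<!-- TODO: remove debug endpoint /admin/debug before launch -->
<html><head>
<meta name="generator" content="WordPress 4.7.2">
<script src="/wp-includes/js/jquery/jquery-1.12.4.min.js"></script>
</head><body>
<a href="/wp-login.php">Login</a>
<form action="/search.php" method="get"><input name="q"></form>
<form action="/api/v1/orders" method="post">
  <input type="hidden" name="debug" value="1">
  <input name="order_id"><input type="submit">
</form>
<a href="http://static.example-corp.test/js/app.js">app</a>
</body></html>
"""

VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)?")


class ReconParser(HTMLParser):
    """Collects what a manual browse-through gathers, but on every page."""

    def __init__(self):
        super().__init__()
        self.forms, self.scripts, self.links, self.comments = [], [], [], []
        self.meta = {}
        self._form = None          # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name"):
            self.meta[a["name"].lower()] = a.get("content", "")
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": (a.get("method") or "get").lower(),
                          "inputs": []}
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append(
                (a.get("name"), (a.get("type") or "text").lower(), a.get("value")))

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None

    def handle_comment(self, data):
        self.comments.append(data.strip())   # developer notes, leftover endpoints


def recon(html: str) -> dict:
    """Parse one page and summarize the attacker-relevant findings."""
    p = ReconParser()
    p.feed(html)
    p.close()
    # Hidden fields are user-controlled input the developer may not validate.
    hidden = [(f["action"], name) for f in p.forms
              for name, typ, _ in f["inputs"] if typ == "hidden"]
    versions = {}
    if "generator" in p.meta:                       # CMS name and revision
        versions["generator"] = p.meta["generator"]
    for src in p.scripts:                           # library versions from filenames
        fname = src.rsplit("/", 1)[-1]
        m = VERSION_RE.search(fname)
        if m:
            versions[fname] = m.group(0)
    hosts = sorted({urlparse(u).netloc for u in p.links + p.scripts
                    if urlparse(u).netloc})         # related domains to pivot to
    return {"forms": p.forms, "hidden_inputs": hidden, "versions": versions,
            "comments": p.comments, "related_hosts": hosts}


if __name__ == "__main__":
    for key, value in recon(SAMPLE_PAGE).items():
        print(f"{key}: {value}")
```

Run it against your own pages before an attacker does: a generator tag, versioned library filenames and comments that name internal endpoints are all things a build step can strip, and every hidden field it lists is an input that deserves the same validation as a visible one.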
Mass Vulnerability Crawl - Example
• Google Dorking (aka Google hacking): using the search engine's advanced operators to find information that was never meant to be found
- Plug in a search string to find vulnerable websites
- Some tools ship with preset search strings
- Search results are dynamic
- Timing is everything
o Target system could be patched
o Other hackers got there first
Google Dork – Example
Open Forums
• Vulnerabilities reported to vendors
- Vendors should
o Acknowledge vulnerability
o Provide timeline to fix
o Announce vulnerability to the public
o Provide fix/patch or work-around
o Within a reasonable timeframe
- Some Vendors
o Delay response to reports
o Don’t provide a patch
o Announce vulnerability only to customers
o Bury patches with other “upgrades”
Open Forums
• Information sharing
- Researchers post vulnerabilities
o Lack of response from the vendor
o Bypass vendor completely
- Public service to Internet community
o On-going debate
• Bypass the vendors and post vulnerabilities
• Involve the vendor first
o What is a reasonable amount of time
• Some say it should be 24 hours or less
• Some agree to wait 4-6 weeks
• Others somewhere in between
Open forums facilitate vendor due diligence
Open Forums - Examples
• Exploit Database - www.exploit-db.com
- A non-profit project that provides a public service to share information
about vulnerabilities and is run by Offensive Security
• Full Disclosure - http://seclists.org/fulldisclosure/
- A public, vendor-neutral forum of vulnerabilities, exploitation techniques
and other events of interest to the community
• Cryptome - https://cryptome.org/
- Collects information about freedom of expression, privacy, cryptology,
dual-use technologies, national security, intelligence, and government
secrecy
Open Forums - Example
• Vulnerability details
- Date reported
- Type of vulnerability
- Platform impacted
- Author (not shown)
- Verification (time permitting)
- Link to affected application (some)
Dark Web
• Reached over Tor, which encrypts and relays traffic between clients and hidden services
• Restricted access: sites are reachable only through Tor, not from the normal Internet
• Collection of databases and communication channels
• Hidden from conventional search engines
• Shares some features with open forums
• Tor Browser required
• More advanced resources and tools
Dark Web - Example
ATTACK METHODOLOGIES
Attack Methodology
• Attack of opportunity
- Hacker finds vulnerability within skillset
- Target system and organization irrelevant
• Targeted attack
- Specific to people or organization
- System resources
• Low cost of entry
- Open list of vulnerabilities
- Targets easy to find
- Hacker’s skill-set varies
Attacks of Opportunity
• Vulnerability Database Monitoring
• Network vulnerability scanning across whole IP blocks
• Google Dorking
• Shodan
• Application Vulnerability Scan
Targeted Attacks
• Scanning IP Internet Assets
• Application/Network Vulnerability Scan
• Careers Page
• Research Technologies
• Social Media Profiling
• Phishing Email
• Escalate Privileges
• Maintain Access
• Exfiltration of Data
FROM WEB APPS TO
PRIVILEGED ACCESS
From Web Apps to Privileged Access
• How hacking a web app can lead to system compromise
- Code analysis
o Review of code to reveal unintended system information
- System scanning
o Other software could have vulnerabilities
- Session Hijacking
o Exploiting a current, valid session
- Social Engineering
o Deception used to manipulate behavior
From Web Apps to Privileged Access
• Code analysis
- Account information
o Usernames and passwords
o Plain text or hashed
- Software tools
o Web search
o Scan to identify
• Usernames and passwords
o Brute-force or dictionary attack to crack password hashes
o Throttle tools to avoid detection
o Offline cracking may be an option once the hashes are obtained
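Both halves of the slide above are shown in this added example (not from the slides): a small scanner that finds credential-looking tokens in source, and the offline dictionary attack that follows when one of them is an unsalted hash, next to the salted and stretched storage that should have been used. The source lines and the word list are constructed; the MD5 value is the digest of the word "password", and the AWS key id is the one from AWS's own documentation examples.

```python
"""Code analysis for credentials, then the offline attack on what is found.
Added example; the source lines and word list are constructed. The MD5 value
is the digest of the word 'password' and is used only to show the attack."""
import hashlib
import hmac
import os
import re

SAMPLE_SOURCE = """\
# legacy/db.py  (constructed sample)
DB_USER = "app_admin"
DB_PASSWORD = "Sup3rS3cret!"            # plaintext credential in the repo
# legacy/seed.sql
INSERT INTO users VALUES ('ops', '5f4dcc3b5aa765d61d8327deb882cf99');  -- unsalted MD5
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"   # AWS documentation example key id
"""

# Constructed word list; a real attack uses millions of leaked passwords.
WORDLIST = ["123456", "letmein", "password", "qwerty"]

PATTERNS = {
    "plaintext_password": re.compile(
        r"""(?i)(?:pass(?:word|wd)?|secret|token)\s*[:=]\s*['"]([^'"]+)['"]"""),
    "md5_hash": re.compile(r"(?i)\b[0-9a-f]{32}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


def find_secrets(text: str):
    """Return (line_no, kind, value) for every credential-looking token."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                hits.append((n, kind, m.group(m.lastindex or 0)))
    return hits


def crack_md5(hex_digest: str, wordlist):
    """Unsalted, unstretched hash: one cheap hash per guess, fully offline, so
    throttling and detection on the target never come into play."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == hex_digest.lower():
            return word
    return None


ITERATIONS = 100_000     # assumed work factor for this example


def store_password(password: str, salt: bytes = b"") -> dict:
    """What the seed file should have held: per-user salt plus key stretching."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": dk, "iterations": ITERATIONS}


def verify_password(password: str, rec: dict) -> bool:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], rec["iterations"])
    return hmac.compare_digest(dk, rec["hash"])


def crack_pbkdf2(rec: dict, wordlist):
    """Same dictionary attack against the stretched hash. It still succeeds for
    a weak password, but returns the hash work spent so the cost is visible."""
    work = 0
    for word in wordlist:
        work += rec["iterations"]
        if verify_password(word, rec):
            return word, work
    return None, work


if __name__ == "__main__":
    for hit in find_secrets(SAMPLE_SOURCE):
        print("found:", hit)
    print("md5 cracked to:", crack_md5("5f4dcc3b5aa765d61d8327deb882cf99", WORDLIST))
    rec = store_password("password")
    print("pbkdf2 cracked to:", crack_pbkdf2(rec, WORDLIST))
```

Two caveats worth stating plainly: salting and stretching raise the price per guess by the iteration count and stop a precomputed table from being reused across users, but they do not rescue a password that is in the attacker's word list; and a plaintext credential or cloud key id found this way needs rotation, not just deletion from the repository, because the history still holds it.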
From Web Apps to Privileged Access
• Session Hijacking
- Obfuscated code
o Embedded in images
o Mouse-over techniques
- Proxy replay
- Malicious binary
- Session cookies
- JavaScript injection
- Cross-site scripting
- Routine system maintenance
- Bind shell
REMEDIATION STRATEGIES
Create Access Management Policies
• Identify data infrastructure that requires access
• Define roles and responsibilities
• Simplify access controls
• Key Management System (KMS)
• Continually audit access
• Start with a least privilege access model
Understand Your Service Providers Security Model
Security Management and Monitoring Strategy
• Monitoring for malicious activity
• Scanning Services
• Forensic investigations
• Compliance needs
• System performance
• All sources of log data are collected
• CloudTrail – Use it, Love it.
• WAF
• Correlation logic
• IAM behavior
• IDS Network traffic
• FIM Logs
• Focused security research
• Security content creation
• Review process
• Live monitoring
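"CloudTrail – use it" and "correlation logic" are only useful together, so here is an added example (not from the slides) of what that logic looks like over CloudTrail records: a console brute-force burst from one IP, a success from that IP afterwards, an administrator policy attached to a user, and an attempt to stop the trail. The records are constructed in CloudTrail's field shape, and the threshold and window are assumed tuning values.

```python
"""Correlation logic over CloudTrail records: console brute force, a success
after the burst, an admin policy attached to a user, and trail tampering.
Added example; the records below are constructed in CloudTrail's field shape."""
from collections import defaultdict
from datetime import datetime, timedelta

BRUTE_FORCE_THRESHOLD = 5            # assumed tuning values for this example
WINDOW = timedelta(minutes=10)
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
ATTACH_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}
TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _login(t, ip, outcome, user="deploy"):
    return {"eventTime": t, "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin", "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": user},
            "responseElements": {"ConsoleLogin": outcome}}


SAMPLE_EVENTS = [
    _login("2017-06-09T10:00:01Z", "198.51.100.7", "Failure"),
    _login("2017-06-09T10:00:20Z", "198.51.100.7", "Failure"),
    _login("2017-06-09T10:00:41Z", "198.51.100.7", "Failure"),
    _login("2017-06-09T10:01:03Z", "198.51.100.7", "Failure"),
    _login("2017-06-09T10:01:30Z", "198.51.100.7", "Failure"),
    _login("2017-06-09T10:03:10Z", "198.51.100.7", "Success"),
    {"eventTime": "2017-06-09T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy"},
     "requestParameters": {"userName": "deploy", "policyArn": ADMIN_POLICY}},
    {"eventTime": "2017-06-09T10:06:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy"},
     "requestParameters": {"name": "main-trail"}},
    {"eventTime": "2017-06-09T09:55:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "monitor"}},   # benign
]


def _ts(e):
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _actor(e):
    ui = e.get("userIdentity", {})
    return ui.get("userName") or ui.get("arn") or ui.get("type", "unknown")


def detect(events):
    """Run the rules over events in time order and return a list of alerts."""
    alerts = []
    failures = defaultdict(list)       # source IP -> recent failed-login times
    flagged_ips = set()
    for e in sorted(events, key=_ts):
        name, ip, now = e["eventName"], e.get("sourceIPAddress"), _ts(e)
        if name == "ConsoleLogin":
            outcome = e.get("responseElements", {}).get("ConsoleLogin")
            if outcome == "Failure":
                recent = [t for t in failures[ip] if now - t <= WINDOW] + [now]
                failures[ip] = recent
                if len(recent) >= BRUTE_FORCE_THRESHOLD and ip not in flagged_ips:
                    flagged_ips.add(ip)
                    alerts.append({"rule": "console_brute_force", "actor": ip,
                                   "detail": f"{len(recent)} failed console logins in {WINDOW}"})
            elif outcome == "Success" and ip in flagged_ips:
                alerts.append({"rule": "brute_force_then_success", "actor": _actor(e),
                               "detail": f"login from {ip} after brute-force burst"})
        elif name in ATTACH_EVENTS and \
                e.get("requestParameters", {}).get("policyArn") == ADMIN_POLICY:
            alerts.append({"rule": "admin_policy_attached", "actor": _actor(e),
                           "detail": str(e["requestParameters"])})
        elif e.get("eventSource") == "cloudtrail.amazonaws.com" and name in TAMPER_EVENTS:
            alerts.append({"rule": "cloudtrail_tampering", "actor": _actor(e),
                           "detail": name})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

The rules are deliberately stateful: the success alert only fires because the same IP was already flagged, which is what turns a noisy "failed logins" signal into an incident. In production the events would arrive from the trail's S3 bucket or CloudWatch Logs rather than a list, CloudTrail delivery lag (typically minutes) has to be tolerated by the window, and the tampering rule is the one to wire to a page, since it marks the point after which the rest of the data cannot be trusted.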
Adopt a Patch Management Approach
• Constantly scan all production systems
• Compare reported vulnerabilities to production
infrastructure
• Classify the risk based on vulnerability and
likelihood
• Test patches before you release into production
• Setup a regular patching schedule
• Keep informed; follow Bugtraq
• AMIs and golden images
• Reference architecture, CloudFormation templates
Secure Your Code
• Test inputs that are open to the Internet
• Rate-limit and add delays to slow automated attacks (bots)
• Use encryption when you can
• Test libraries
• Scan plugins
• Scan your code after every update
• Limit privileges
• DevSecOps
DevSecOps Release Pipeline Design
• Cloud Insight is a purpose-built SaaS platform providing vulnerability assessment for AWS customers.
• Jenkins and AWS services are used for the deployment pipeline.
• Micro-services architecture with several development teams.
• Multiple deployments a week.
• Fully automated deployment pipeline.
• Deployment pipeline consists of 4 environments
• Development
• Integration
• Staging
• Production
• Requirement that vulnerabilities are identified and remediated before
changes push to production.
• Cloud Insight scans all instances running in Integration every 24 hours.
How Scanning Was Implemented in the Pipeline
• Scanning a large number of instances takes time; we want to avoid slowing down releases.
• The workflow for the Staging environment queries vulnerability data from scans already run in Integration.
• Vulnerabilities are tracked by AMI, not by instance ID.
• Scan reports are attached to RFCs and stored in S3.
• Any vulnerability with CVSS > 4.0 triggers a rollback.
- A scan report with remediation steps is attached to the RFC
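The gate described above, and the "compare reported vulnerabilities to production infrastructure, classify the risk" step from the patch-management slide, come down to one join: instances to the AMI they were launched from, AMI to its Integration scan findings, findings to a threshold. This added example (not Cloud Insight's or the pipeline's code) performs that join and produces the decision and the RFC attachment. The findings, AMI ids and CVE ids are placeholders; treating an AMI with no scan data as blocking is a design choice of the example, not something the slides state.

```python
"""Release gate for the Staging step: look up Integration scan findings by the
AMI each instance was launched from, rank by CVSS, and decide whether to roll
back. Added example; findings, AMIs and CVE ids below are placeholders."""
import json

ROLLBACK_THRESHOLD = 4.0    # from the slide: any finding with CVSS > 4.0 rolls back

# Constructed scan results keyed by AMI, as the slide describes (not by instance).
# The CVE ids are placeholders, not real vulnerabilities.
SCAN_FINDINGS = {
    "ami-0a1b2c3d": [
        {"id": "CVE-0000-0001", "package": "openssl", "installed": "1.0.1e",
         "fixed": "1.0.1t", "cvss": 7.5, "remediation": "yum update openssl; rebake AMI"},
        {"id": "CVE-0000-0002", "package": "bash", "installed": "4.2.45",
         "fixed": "4.2.46", "cvss": 3.3, "remediation": "yum update bash; rebake AMI"},
    ],
    "ami-0fedcba9": [
        {"id": "CVE-0000-0003", "package": "curl", "installed": "7.29.0",
         "fixed": "7.29.1", "cvss": 2.1, "remediation": "yum update curl; rebake AMI"},
    ],
}


def classify_risk(cvss: float) -> str:
    """Coarse bucket used for the report; the gate itself uses the threshold."""
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def gate_release(instances, findings, threshold=ROLLBACK_THRESHOLD) -> dict:
    """instances: [{"InstanceId": ..., "ImageId": ...}] as returned by
    DescribeInstances. Returns the decision plus an RFC-ready report."""
    by_ami = {}
    for inst in instances:
        by_ami.setdefault(inst["ImageId"], []).append(inst["InstanceId"])

    blocking, report = [], []
    for ami, ids in sorted(by_ami.items()):
        if ami not in findings:
            # Design choice (assumption): an AMI with no Integration scan data
            # is unverified, so it blocks the release rather than passing silently.
            blocking.append({"ami": ami, "instances": ids, "reason": "no scan data"})
            continue
        for f in sorted(findings[ami], key=lambda f: -f["cvss"]):
            row = {"ami": ami, "instances": ids, "risk": classify_risk(f["cvss"]), **f}
            report.append(row)
            if f["cvss"] > threshold:
                blocking.append(row)

    return {"action": "rollback" if blocking else "proceed",
            "blocking": blocking, "report": report}


def rfc_attachment(decision: dict) -> str:
    """Serialized report with remediation steps, as would be stored in S3."""
    return json.dumps(decision, indent=2, sort_keys=True)


if __name__ == "__main__":
    staging = [{"InstanceId": "i-0123", "ImageId": "ami-0a1b2c3d"},
               {"InstanceId": "i-0456", "ImageId": "ami-0a1b2c3d"},
               {"InstanceId": "i-0789", "ImageId": "ami-0fedcba9"}]
    print(rfc_attachment(gate_release(staging, SCAN_FINDINGS)))
```

Tracking by AMI is what keeps this fast: one finding blocks every instance baked from that image without rescanning each one, and the fix is a rebaked image rather than a patch applied per instance. A bare CVSS cutoff is a blunt instrument, though; the patch-management slide's "vulnerability and likelihood" is the better input, so in practice the threshold is combined with whether the affected package is actually exposed on that tier.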
Follow our Research & Stay Informed on the Latest Vulnerabilities
Blog
https://www.alertlogic.com/resources/blog
Newsletter
https://www.alertlogic.com/weekly-threat-report/
Cloud Security Report
https://www.alertlogic.com/resources/cloud-security-report/
Zero Day Magazine
https://www.alertlogic.com/zerodaymagazine/
Twitter
@AlertLogic
Websites to follow
• http://www.securityfocus.com
• http://www.exploit-db.com
• http://seclists.org/fulldisclosure/
• http://www.securitybloggersnetwork.com/
• http://cve.mitre.org/
• http://nvd.nist.gov/
Thank you.

Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 

Recently uploaded (20)

Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 

WEB APP SECURITY: PROTECTING YOUR APPLICATION

• 10. Poor Coding Practices
  • Unsanitized data
    - User-controlled input
    - Web forms
    - URL query exposure
  • Whitelisting
    - Control expected user input
    - Accept only known, expected data
  • Meta-character sanitization
    - Quotes break up a query
    - Names containing quotes should be handled as the exception, not left to break the query
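The three points on this slide (unsanitized data, whitelisting, meta-characters such as quotes) are easiest to see side by side in code. The following is an added example, not code from the deck or from Alert Logic: it builds a constructed in-memory SQLite table (the schema and rows are assumptions), shows the concatenated query that a single quote breaks and that `' OR '1'='1` turns into a full table dump, then the parameterized form, and finally an allowlist that still admits a legitimate O'Brien while rejecting the injection string before it reaches the database.

```python
import re
import sqlite3

# Constructed sample data for this example; the table and rows are assumptions.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user"), (3, "O'Brien", "user")])
    return conn

def lookup_vulnerable(conn, name):
    # String concatenation: a quote in the input ends the literal and whatever
    # follows is parsed as SQL. This is the unsanitized-data case on the slide.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, name):
    # Bound parameter: the value travels separately from the SQL text, so a quote
    # inside it is just data. O'Brien works, and "' OR '1'='1" matches nothing.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

# Allowlist (whitelist): the characters a username is expected to contain.
# The apostrophe is permitted on purpose (the O'Brien exception); spaces, '=',
# ';' and '--' are not, so the injection string is rejected before any query runs.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.'-]{1,32}")

def lookup_allowlisted(conn, name):
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("rejected input: %r" % name)
    return lookup_parameterized(conn, name)

def injection_breaks_query(conn, name):
    # True when the concatenated query no longer parses, e.g. for "O'Brien".
    try:
        lookup_vulnerable(conn, name)
        return False
    except sqlite3.Error:
        return True

def rejected_by_allowlist(conn, name):
    try:
        lookup_allowlisted(conn, name)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "' OR '1'='1"))      # every row comes back
    print(lookup_parameterized(db, "' OR '1'='1"))   # []
    print(lookup_parameterized(db, "O'Brien"))       # [('O'Brien', 'user')]
```

The allowlist is a second line of defence, not a replacement for parameterization: the parameterized query alone already stops the injection, while the allowlist additionally rejects input the application never expects and stops the legitimate-quote case from ever reaching a concatenated query elsewhere.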
• 11. Old Reliable Code and Processes
  • Lack of code cleanup leaves behind:
    - Failed old code
    - Decommissioned backend systems
    - Account credentials
    - Backup systems
    - Discovery of application topology (API and static links)
    - Unnecessary comments and notes
• 12. Unpatched and Unsupported Code
  • CMS versions are updated, but vulnerable plug-ins and themes remain
    o They still function
    o No error codes
    o The CMS application doesn't check them
  • TimThumb WordPress plug-in
    - Library used to resize larger images
    - 39 million operational
    - Author announced end of support
    - Plug-in was exploited
• 13. Lack of Security Oversight
  • Security is no longer just advisory
  • Inject security into the SDLC
  • Inject security requirements
  • Make sure the technologies are secure
  • Review all code, automatically and manually, at multiple points throughout the development process
  • Test, test, test
  • Continuous monitoring and scanning
• 15. Hacker Recon Methods
  • Crawling the target website
  • Mass vulnerability crawl
  • Open forums
  • Dark web
• 16. Crawling Target Website
  • Manual
    - Browse the website as a normal user
    - Gather email addresses, related domains and domain info
    - Web application code language
      o Revision
      o Plug-ins
    - Web server OS
    - User input pages
    - Directory structure
    - Backend systems
  • Software tools
    - Find hidden forms, software versions, JS files, links and comments
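What the "software tools" bullet automates is straightforward to build from the standard library, and doing so shows exactly which page features leak information. This is an added example, not a tool from the deck: it parses a constructed HTML page (every name, host and version string in `SAMPLE_PAGE` is made up) and pulls out the generator banner, script files with their `?ver=` version strings, HTML comments, links to other hosts, forms with their hidden fields, and email addresses.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page; every value in it is made up for this example.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 4.7.2">
<script src="/wp-content/plugins/gallery/gallery.js?ver=1.2.3"></script>
<!-- TODO: remove /admin-old before launch -->
</head><body>
<a href="/login">Login</a>
<a href="https://intranet.example.com/docs">Docs</a>
<form action="/search" method="get">
  <input type="text" name="q">
  <input type="hidden" name="debug" value="0">
</form>
<p>Contact webmaster@example.com or ops@example.com</p>
</body></html>"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
VERSION_RE = re.compile(r"[?&]ver=([\w.]+)")

class ReconParser(HTMLParser):
    """Collects what a manual crawl looks for: generator banner, script files
    (with version strings), HTML comments, links, and form inputs."""
    def __init__(self):
        super().__init__()
        self.generator = None
        self.scripts, self.comments, self.links, self.forms = [], [], [], []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": (a.get("method") or "get").lower(),
                          "inputs": [], "hidden": []}
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["inputs"].append(a["name"])
            if (a.get("type") or "text").lower() == "hidden":
                self._form["hidden"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None

    def handle_comment(self, data):
        # Developer comments often name paths or systems that were meant to be private.
        self.comments.append(data.strip())

def recon(html):
    p = ReconParser()
    p.feed(html)
    p.close()
    versions = {}
    for src in p.scripts:
        m = VERSION_RE.search(src)
        if m:
            versions[src.split("?")[0]] = m.group(1)
    hosts = sorted({urlsplit(u).hostname for u in p.links if urlsplit(u).hostname})
    return {
        "generator": p.generator,
        "scripts": p.scripts,
        "script_versions": versions,
        "comments": p.comments,
        "links": p.links,
        "forms": p.forms,
        "hosts": hosts,                      # related domains found in links
        "emails": sorted(set(EMAIL_RE.findall(html))),
    }

if __name__ == "__main__":
    for key, value in recon(SAMPLE_PAGE).items():
        print(key, value)
```

Run against your own site, the output is the checklist for the cleanup slide that follows: every generator banner, version string, stray comment and hidden field it reports is something an attacker's crawler reports too.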
• 17. Mass Vulnerability Crawl - Example
  • Google Dorking (aka Google hacking): uses the search engine to find hard-to-find information with complex, detailed search queries
    - Plug in a search string to find vulnerable websites
    - Some tools come with preset search strings
    - Search results are dynamic
    - Timing is everything
      o The target system could already be patched
      o Other hackers got there first
• 19. Open Forums
  • Vulnerabilities reported to vendors
    - Vendors should, within a reasonable timeframe:
      o Acknowledge the vulnerability
      o Provide a timeline to fix
      o Announce the vulnerability to the public
      o Provide a fix/patch or work-around
    - Some vendors
      o Delay response to reports
      o Don't provide a patch
      o Announce the vulnerability only to customers
      o Bury patches with other "upgrades"
• 20. Open Forums
  • Information sharing
    - Researchers post vulnerabilities
      o Because of a lack of response from the vendor
      o Or bypassing the vendor completely
    - Public service to the Internet community
      o On-going debate:
        • Bypass the vendors and post vulnerabilities, or
        • Involve the vendor first
      o What is a reasonable amount of time?
        • Some say 24 hours or less
        • Some agree to wait 4-6 weeks
        • Others somewhere in between
  • Open forums facilitate vendor due diligence
• 21. Open Forums - Examples
  • Exploit Database - www.exploit-db.com
    - A non-profit project run by Offensive Security that provides a public service to share information about vulnerabilities
  • Full Disclosure - http://seclists.org/fulldisclosure/
    - A public, vendor-neutral forum for vulnerabilities, exploitation techniques and other events of interest to the community
  • Cryptome - https://cryptome.org/
    - Collects information about freedom of expression, privacy, cryptology, dual-use technologies, national security, intelligence, and government secrecy
• 22. Open Forums - Example
  • Vulnerability details shown in an entry
    - Date reported
    - Type of vulnerability
    - Platform impacted
    - Author (not shown)
    - Verification (time permitting)
    - Link to the affected application (some entries)
• 23. Dark Web
  • Encrypted overlay network (Tor)
  • Restricted access between Tor servers and clients
  • Collection of databases and communication channels
  • Hidden from conventional search engines
  • Shares some features with open forums
  • Tor browser required
  • More advanced resources and tools
• 24. Dark Web - Example
• 26. Attack Methodology
  • Attack of opportunity
    - Hacker finds a vulnerability within their skill set
    - Target system and organization are irrelevant
  • Targeted attack
    - Specific to people or an organization
    - Aimed at system resources
  • Low cost of entry
    - Open lists of vulnerabilities
    - Targets are easy to find
    - Hackers' skill sets vary
• 27. Attacks of Opportunity
  • Vulnerability database monitoring
  • Vulnerability scanning across whole network blocks
  • Google Dorking
  • Shodan
  • Application vulnerability scan
• 28. Targeted Attacks
  • Scanning Internet-facing IP assets
  • Application/network vulnerability scan
  • Careers page
  • Research technologies
  • Social media profiling
  • Phishing email
  • Escalate privileges
  • Maintain access
  • Exfiltration of data
• 29. FROM WEB APPS TO PRIVILEGED ACCESS
• 30. From Web Apps to Privileged Access
  • How hacking a web app can lead to system compromise
    - Code analysis
      o Review of code to reveal unintended system information
    - System scanning
      o Other software could have vulnerabilities
    - Session hijacking
      o Exploiting a current, valid session
    - Social engineering
      o Deception used to manipulate behavior
• 31. From Web Apps to Privileged Access
  • Code analysis
    - Account information
      o Usernames and passwords
      o Plain text or hashed
    - Software tools
      o Web search
      o Scan to identify
  • Usernames & passwords
    o Brute force to crack password hashes
    o Throttle tools to avoid detection
    o Offline cracking may be an option
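The "scan to identify" and "offline may be an option" points on this slide can be shown with one small tool. This is an added example, not code from the deck: it scans a constructed set of files (a settings module, a backup `.env`, a legacy user export; all contents made up, except that the AWS key pair is the placeholder pair AWS's own documentation uses) for password literals, AWS access keys and bare MD5 digests, then runs an offline dictionary attack against the MD5 it finds. The same cleanup slide above explains why such files end up reachable: backups and decommissioned code are rarely removed.

```python
import hashlib
import re

# Constructed files standing in for a leaked repository or backup. Every value
# is made up except the AWS key pair, which is AWS's documented placeholder pair.
SAMPLE_FILES = {
    "config/settings.py": 'DB_USER = "app"\nDB_PASSWORD = "hunter2"\nDEBUG = False\n',
    "deploy/.env.bak": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                       "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "legacy/users.json": '{"user": "admin", "md5": "5f4dcc3b5aa765d61d8327deb882cf99"}\n',
    "src/app.py": 'password = request.form["password"]\n',   # a use, not a literal: no hit
}

PATTERNS = [
    # name/value assignments of a quoted literal to something called password/secret
    ("password_literal", re.compile(r'(?i)(password|passwd|pwd|secret)\s*[=:]\s*["\']([^"\']{4,})["\']')),
    # AWS access key IDs are 20 characters and start with AKIA
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # the matching 40-character secret
    ("aws_secret_access_key", re.compile(r'(?i)aws_secret_access_key\s*[=:]\s*["\']?([A-Za-z0-9/+=]{40})')),
    # bare 32-hex-digit strings: unsalted MD5 password hashes are a common find
    ("md5_hash", re.compile(r"\b[0-9a-f]{32}\b")),
]

def scan(files):
    """Return (path, line number, kind, value) for every pattern hit."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, rx in PATTERNS:
                for m in rx.finditer(line):
                    value = m.group(m.lastindex) if m.lastindex else m.group(0)
                    findings.append((path, lineno, kind, value))
    return findings

WORDLIST = ["123456", "qwerty", "password", "letmein"]   # constructed, deliberately tiny

def crack_md5(hexdigest, wordlist):
    # Offline dictionary attack: no network traffic, nothing to throttle, nothing
    # for the target to detect. An unsalted fast hash falls to this loop; a salted,
    # slow hash (bcrypt/scrypt/Argon2) makes every guess far more expensive.
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == hexdigest:
            return word
    return None

def crack_findings(findings, wordlist=WORDLIST):
    """Map each discovered MD5 to its recovered plaintext (or None)."""
    return {value: crack_md5(value, wordlist)
            for _, _, kind, value in findings if kind == "md5_hash"}

if __name__ == "__main__":
    hits = scan(SAMPLE_FILES)
    for hit in hits:
        print(hit)
    print(crack_findings(hits))
```

Run the scanner over your own repositories and backups before an attacker does; any plaintext secret it finds should be rotated, not merely deleted from the file, since it may already have been cloned.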
• 32. From Web Apps to Privileged Access
  • Session hijacking
    - Obfuscated code
      o Embedded in images
      o Mouse-over techniques
    - Proxy replay
    - Malicious binary
    - Session cookies
    - JavaScript injection
    - Cross-site scripting
    - Routine system maintenance
    - Bind shell
• 34. Create Access Management Policies
  • Identify the data and infrastructure that require access controls
  • Define roles and responsibilities
  • Simplify access controls
  • Key Management System (KMS)
  • Continually audit access
  • Start with a least-privilege access model
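"Continually audit access" and "start with least privilege" become concrete once the audit is code. This is an added example, not from the deck or from Alert Logic: it checks IAM policy documents (standard policy JSON; the two sample policies, the bucket name, account ID and key ID are made up) for the patterns that defeat least privilege: `Action: "*"`, service-wide `svc:*`, `Resource: "*"`, `NotAction`/`NotResource`, and IAM write actions without a `Condition`.

```python
import json

# Two constructed policy documents. The ARNs, bucket name, account ID and key ID
# are made up; the document format is standard IAM policy JSON.
OVERLY_BROAD = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

LEAST_PRIVILEGE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-assets-example",
                      "arn:aws:s3:::app-assets-example/*"]},
        {"Effect": "Allow",
         "Action": ["kms:Decrypt"],
         "Resource": "arn:aws:kms:us-east-1:111122223333:key/example-key-id",
         "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}}},
    ],
})

# IAM actions that change who can do what; granting them without a Condition is
# the classic privilege-escalation foothold.
IAM_WRITE_PREFIXES = ("iam:Put", "iam:Attach", "iam:Create", "iam:Update", "iam:Delete", "iam:Add")

def _as_list(v):
    if v is None:
        return []
    return v if isinstance(v, list) else [v]

def audit_policy(doc):
    """Return (statement index, message) findings; an empty list means nothing
    obviously over-broad was found."""
    policy = json.loads(doc) if isinstance(doc, str) else doc
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "NotResource" in st:
            findings.append((i, "NotAction/NotResource allows everything not listed"))
        for action in _as_list(st.get("Action")):
            if action == "*":
                findings.append((i, "Action * allows every API call"))
            elif action.endswith(":*"):
                findings.append((i, "service-wide action %s" % action))
            elif action.startswith(IAM_WRITE_PREFIXES) and "Condition" not in st:
                findings.append((i, "IAM write action %s without a Condition" % action))
        for res in _as_list(st.get("Resource")):
            if res == "*":
                findings.append((i, "Resource * applies to every resource"))
    return findings

if __name__ == "__main__":
    print(audit_policy(OVERLY_BROAD))
    print(audit_policy(LEAST_PRIVILEGE))   # []
```

Feed it the policy documents pulled from the account (for example from an IAM credential or policy export) on a schedule, and treat any finding on a role used by a web tier as a release blocker: a web app that is compromised inherits exactly the permissions its instance role carries.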
• 35. Understand Your Service Provider's Security Model
• 36. Security Management and Monitoring Strategy
  • Monitoring for malicious activity
  • Scanning services
  • Forensic investigations
  • Compliance needs
  • System performance
  • All sources of log data are collected
  • CloudTrail: use it, love it
  • WAF
  • Correlation logic
  • IAM behavior
  • IDS network traffic
  • FIM logs
  • Focused security research
  • Security content creation
  • Review process
  • Live monitoring
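"CloudTrail: use it" and "correlation logic" go together: the trail is only useful once something reads it. This is an added example, not the deck's or Alert Logic's detection content: it runs two simple rules over constructed records shaped like CloudTrail events (the `eventTime`, `eventName`, `sourceIPAddress`, `userIdentity.arn` and `responseElements.ConsoleLogin` fields are the real field names; the account ID, user names, IPs and timestamps are made up). Rule one correlates failed console logins per source IP within a time window and also flags a success that follows them; rule two flags API calls that disable logging or change IAM permissions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events in CloudTrail's field layout; account, users, IPs and times
# are made up for this example.
def _ev(t, name, ip, user, outcome=None):
    e = {"eventTime": "2017-03-01T%sZ" % t, "eventName": name, "sourceIPAddress": ip,
         "userIdentity": {"arn": "arn:aws:iam::111122223333:user/%s" % user}}
    if outcome:
        e["responseElements"] = {"ConsoleLogin": outcome}
    return e

SAMPLE_EVENTS = [
    _ev("10:00:05", "ConsoleLogin", "198.51.100.7", "dev1", "Failure"),
    _ev("10:00:40", "ConsoleLogin", "198.51.100.7", "dev1", "Failure"),
    _ev("10:01:10", "ConsoleLogin", "198.51.100.7", "dev1", "Failure"),
    _ev("10:01:30", "ConsoleLogin", "198.51.100.7", "dev1", "Failure"),
    _ev("10:02:00", "ConsoleLogin", "198.51.100.7", "dev1", "Success"),
    _ev("10:05:00", "StopLogging", "198.51.100.7", "dev1"),
    _ev("10:06:00", "AttachUserPolicy", "198.51.100.7", "dev1"),
    _ev("10:07:00", "DescribeInstances", "203.0.113.9", "ops"),
]

# Calls that blind the trail or change who can do what. Rare in normal operation,
# so every occurrence deserves a human look.
SENSITIVE_CALLS = {"StopLogging", "DeleteTrail", "UpdateTrail", "AttachUserPolicy",
                   "PutUserPolicy", "CreateAccessKey", "CreateLoginProfile",
                   "UpdateAssumeRolePolicy"}

def detect(events, fail_threshold=3, window=timedelta(minutes=5)):
    """Return alerts in time order: login brute force per source IP, a success
    after a burst of failures, and sensitive API calls."""
    alerts = []
    failures = defaultdict(list)   # source IP -> timestamps of recent failed logins
    for e in sorted(events, key=lambda x: x["eventTime"]):
        name, ip = e["eventName"], e.get("sourceIPAddress", "?")
        actor = e.get("userIdentity", {}).get("arn", "unknown")
        t = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        if name == "ConsoleLogin":
            outcome = e.get("responseElements", {}).get("ConsoleLogin")
            recent = [f for f in failures[ip] if t - f <= window]   # slide the window
            if outcome == "Failure":
                recent.append(t)
                if len(recent) == fail_threshold:      # alert once per burst
                    alerts.append({"rule": "console_login_bruteforce", "ip": ip,
                                   "actor": actor, "time": e["eventTime"]})
            elif outcome == "Success" and len(recent) >= fail_threshold:
                alerts.append({"rule": "login_success_after_failures", "ip": ip,
                               "actor": actor, "time": e["eventTime"]})
            failures[ip] = recent
        elif name in SENSITIVE_CALLS:
            alerts.append({"rule": "sensitive_api_call", "ip": ip, "actor": actor,
                           "time": e["eventTime"], "event": name})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The second rule is the one the first one depends on: an attacker who can call `StopLogging` removes the evidence the brute-force rule needs, which is why that call is flagged rather than just logged.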
• 37. Adopt a Patch Management Approach
  • Constantly scan all production systems
  • Compare reported vulnerabilities to the production infrastructure
  • Classify the risk based on the vulnerability and its likelihood
  • Test patches before you release them into production
  • Set up a regular patching schedule
  • Keep informed; follow Bugtraq
  • AMIs and golden images
  • Reference architecture, CloudFormation templates
• 38. Secure Your Code
  • Test inputs that are open to the Internet
  • Add delays to your code to confuse bots
  • Use encryption when you can
  • Test libraries
  • Scan plug-ins
  • Scan your code after every update
  • Limit privileges
  • DevSecOps
• 39. DevSecOps Release Pipeline Design
  • Cloud Insight is a purpose-built SaaS platform providing vulnerability assessment for AWS customers
  • Jenkins and AWS services are used for the deployment pipeline
  • Micro-services architecture with several development teams
  • Multiple deployments a week
  • Fully automated deployment pipeline
  • The deployment pipeline consists of 4 environments
    - Development
    - Integration
    - Staging
    - Production
  • Requirement that vulnerabilities are identified and remediated before changes are pushed to production
  • Cloud Insight scans all instances running in Integration every 24 hours
• 40. How Scanning Is Implemented in the Pipeline
  • Scanning a large number of instances takes time; the goal is to avoid slowing down releases
  • The workflow for the Staging environment queries vulnerability data from the scans run in Integration
  • Vulnerabilities are tracked by AMI, not by instance ID
  • Scan reports are attached to RFCs and stored in S3
  • Any vulnerability with CVSS > 4.0 triggers a rollback
    - The scan report with remediation steps is attached
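The gate described on slides 37 and 40 (classify by CVSS, track by AMI rather than instance, roll back above 4.0, attach remediation steps) is a small function once the scanner output is in hand. This is an added example, not Cloud Insight's or the deck's code, and it makes no assumption about any scanner's output format: it works over constructed rows (instance IDs, AMI names, finding IDs, package names and scores are all made up) in which several instances of one AMI report the same finding, and shows why keying by AMI collapses them into one decision and one remediation list.

```python
from collections import defaultdict

# Constructed scanner output: one row per finding per instance. Instance IDs,
# AMI names, finding IDs, packages, scores and fixes are all made up.
SAMPLE_SCAN = [
    {"instance": "i-0a1", "ami": "ami-web-42", "finding": "F-100", "package": "libexample",
     "cvss": 7.5, "fix": "upgrade libexample to 2.1.4"},
    {"instance": "i-0a2", "ami": "ami-web-42", "finding": "F-100", "package": "libexample",
     "cvss": 7.5, "fix": "upgrade libexample to 2.1.4"},
    {"instance": "i-0a2", "ami": "ami-web-42", "finding": "F-101", "package": "toolkit",
     "cvss": 3.1, "fix": "upgrade toolkit to 0.9.8"},
    {"instance": "i-0b1", "ami": "ami-worker-7", "finding": "F-102", "package": "cli-helper",
     "cvss": 2.0, "fix": "upgrade cli-helper to 1.0.3"},
    {"instance": "i-0c1", "ami": "ami-api-3", "finding": "F-103", "package": "parser",
     "cvss": 4.0, "fix": "upgrade parser to 5.2"},
]

ROLLBACK_CVSS = 4.0   # the deck's threshold: strictly greater than 4.0 rolls back

def gate_by_ami(scan_rows, threshold=ROLLBACK_CVSS):
    """Collapse per-instance rows into one decision per AMI.

    Returns {ami: {"decision", "max_cvss", "findings", "remediation"}}; the
    remediation list is what gets attached to the RFC on a rollback."""
    by_ami = defaultdict(dict)
    for row in scan_rows:
        # Key by finding, not by instance: N instances of one AMI are one problem
        # with one fix (rebuild the image), not N tickets.
        by_ami[row["ami"]].setdefault(row["finding"], row)
    report = {}
    for ami, findings in by_ami.items():
        blocking = sorted((f for f in findings.values() if f["cvss"] > threshold),
                          key=lambda f: -f["cvss"])
        report[ami] = {
            "decision": "rollback" if blocking else "promote",
            "max_cvss": max(f["cvss"] for f in findings.values()),
            "findings": sorted(findings),
            "remediation": [f["fix"] for f in blocking],
        }
    return report

def promotable_amis(report):
    """AMIs the Staging workflow may promote on the basis of the Integration scan."""
    return sorted(ami for ami, r in report.items() if r["decision"] == "promote")

if __name__ == "__main__":
    result = gate_by_ami(SAMPLE_SCAN)
    for ami, r in result.items():
        print(ami, r["decision"], r["max_cvss"], r["remediation"])
    print("promotable:", promotable_amis(result))
```

Note the boundary: a 4.0 finding does not roll back under a "> 4.0" rule. If the intent is "medium and above", the comparison should be `>=` and the slide's wording adjusted to match, because a gate that disagrees with its documentation will be argued over at exactly the wrong moment.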
• 41. Follow our Research & Stay Informed on the Latest Vulnerabilities
  • Blog: https://www.alertlogic.com/resources/blog
  • Newsletter: https://www.alertlogic.com/weekly-threat-report/
  • Cloud Security Report: https://www.alertlogic.com/resources/cloud-security-report/
  • Zero Day Magazine: https://www.alertlogic.com/zerodaymagazine/
  • Twitter: @AlertLogic
  • Websites to follow
    - http://www.securityfocus.com
    - http://www.exploit-db.com
    - http://seclists.org/fulldisclosure/
    - http://www.securitybloggersnetwork.com/
    - http://cve.mitre.org/
    - http://nvd.nist.gov/