Noah Jaehnert, profile picture
Uploaded byNoah Jaehnert
PPTX, PDF166 views

Web Security Overview

The document presents an overview of web security by Noah G. Jaehnert, emphasizing the importance of security in protecting valuable assets, particularly in a healthcare setting. Key topics include the definition of security and information security, the challenges of implementing security measures, and steps developers can take to enhance security through resources like OWASP. The document concludes with actionable advice on integrating security throughout the development process and offers various resource links for further information.

Embed presentation

Download to read offline
Web Security Overview Noah G. Jaehnert Director of Information Security OurHealth, LLC
Agenda • Who are you/Who am I? • What is OurHealth? • What is security/What is Information Security? • Why is security difficult? • What happens if we don't do security right? • What can developers do to enhance security? • Questions? • If I only leave you with three things...
Who am I? • Noah G. Jaehnert - Director of Information Security at OurHealth • Email: njaehnert@ourhealth.org,Twitter: @njaehner • LinkedIn: https://www.linkedin.com/in/noahjaehnert • Previous experience: • Security Architecture Program Manager/Enterprise Security Strategist – • Senior Information Security Consultant – • Enterprise Architect – • Technical Engineer –
Who am I? • Awards/Honors: • 2015 and 2016 Cisco Champion for Security! • 2015 America’s Information Security Leadership Award (AISLA) winner - Up and Coming Information Security Professional • Certifications Include: • Other Interests: • Photography • Skiing • Volunteer as a Firefighter/EMT (a different side of Risk Management) *In Progress
What is OurHealth? CUSTOMNEAR-SITEON-SITE Healthcare Clinics Services We Provide: Adult Primary & Urgent Care Pediatric Urgent Care Wellness Services On-site Labs & Medications Referral Services Online Tools
What is OurHealth’s Mission?People Passion Excellence
What is security? • Security is the degree of resistance to, or protection from, harm. • It applies to any vulnerable and valuable asset, such as a person, dwelling, community, item, nation, or organization. • As noted by the Institute for Security and Open Methodologies (ISECOM) in their Open Source SecurityTesting Methodology Manual (SSTMM), security provides: • A form of protection where a separation is created between the assets and the threat • These separations are generically called "controls," and sometimes include changes to the asset or the threat
Components of Security • The Certified Information Systems Security Professional (CISSP) certification requires knowledge of the following domains/areas: • Access Control • Application Development Security • Business Continuity and Disaster Recovery Planning • Cryptography • Information Security Governance and Risk Management • Legal regulations, investigations, and compliance • Operations Security • Physical and Environmental Security • SecurityArchitecture and Design • Telecommunications and Network Security
What Is Information Security? • The protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information • Tools, such as policy, awareness, training, education, and technology are necessary to support the overall protection of information and systems • The C.I.A. triangle was created as a standard to provide guidance on protecting information and systems
Basics of Information Security: CIA
Basics of Information Security: CIA
Basics of Information Security: CIA • Confidentiality – Information, systems, and/or data are not made available or disclosed to unauthorized individuals, entities, or processes • Integrity – Information, systems, and/or data are accurate and complete over their entire lifecycle. This means they cannot be modified in an unauthorized or undetected manner. • Availability – Information, systems, and/or data must be available when it needed. This means that the systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly
Why is Security Difficult? • OurHealth
Why is Security Difficult? • OurHealth
Why is Security Difficult? • OurHealth
What happens if we don’t do security right? Source: 2016 Verizon Data Breach Investigation Report • Gray bars indicate the corresponding figure from the DBIR report for 2015. • Web application attacks accounted for the greatest percentage of attacks that resulted in breaches • Increased almost fivefold from 2015!
What can developers do to enhance security? • Build it into what you do! • A plethora of resources for developers on building secure applications are available from the OpenWeb Application Security Project (OWASP).OWASP is: • The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for- profit charitable organization focused on improving the security of software. • OWASP’s mission is to make software security visible, so that individuals and organizations are able to make informed decisions. • OWASP is in a unique position to provide impartial, practical information about AppSec to individuals, corporations, universities, government agencies and other organizations worldwide. Operating as a community of like-minded professionals, OWASP issues software tools and knowledge-based documentation on application security.
What can developers do to enhance security? • There is an IndianapolisOWASP Chapter that meets quarterly. • I HIGHLY encourage you attend, because: • There are great presentations on relevant security topics • It is an awesome networking opportunity • Dinner (and sometimes drinks) provided free by a sponsor • Next meeting: TBD Q4 2016. • Visit the Indy OWASP Meetup page for details: http://www.meetup.com/indyowasp/
About the OWASP Top 10 • Not a standard… OWASP Top 10 is an Awareness Document • Was probably 3rd or 4th OWASP project, after • Developers Guide • WebGoat • Maybe WebScarab ?? First developed in 2003 • 2003, 2004, 2007, 2010, 2013 Released
OWASP Top Ten (2013 Edition)
What Didn’t Change • Title is: “The Top 10 Most Critical Web Application Security Risks” It’s About Risks, Not Just Vulnerabilities • Based on the OWASP Risk Rating Methodology, used to prioritize Top 10 OWASP Top 10 Risk Rating Methodology
2013-A1 – Injection • Tricking an application into including unintended commands in the data sent to an interpreter Injection means… • Take strings and interpret them as commands • SQL, OS Shell, LDAP, XPath, Hibernate, etc… Interpreters… • Many applications still susceptible (really don’t know why) • Even though it’s usually very simple to avoid SQL injection is still quite common • Usually severe. Entire database can usually be read or modified • May also allow full database schema, or account access, or even OS level access Typical Impact
SQL Injection – Illustrated Firewall Hardened OS Web Server App Server Firewall Databases LegacySystems WebServices Directories HumanResrcs Billing Custom Code APPLICATION ATTACK NetworkLayerApplicationLayer Accounts Finance Administration Transactions Communication KnowledgeMgmt E-Commerce Bus.Functions HTTP request  SQL query  DB Table   HTTP respons e   "SELECT * FROM accounts WHERE acct=‘’ OR 1=1--’" 1. Application presents a form to the attacker 2. Attacker sends an attack in the form data 3. Application forwards attack to the database in a SQL query Account Summary Acct:5424-6066-2134-4334 Acct:4128-7574-3921-0192 Acct:5424-9383-2039-4029 Acct:4128-0004-1234-0293 4. Database runs query containing attack and sends encrypted results back to application 5. Application decrypts data as normal and sends results to the user Account: SKU: Account: SKU:
A1 – Avoiding Injection Flaws • Avoid the interpreter entirely, or • Use an interface that supports bind variables (e.g., prepared statements, or stored procedures), • Bind variables allow the interpreter to distinguish between code and data • Encode all user input before passing it to the interpreter • Always perform ‘white list’ input validation on all user supplied input • Always minimize database privileges to reduce the impact of a flaw Recommendations • For more details, read the https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet References
2013-A2 – Broken Authentication and Session Management • Means credentials have to go with every request • Should use SSL for everything requiring authentication HTTP is a “stateless” protocol • SESSION ID used to track state since HTTP doesn’t • and it is just as good as credentials to an attacker • SESSION ID is typically exposed on the network, in browser, in logs, … Session management flaws • Change my password, remember my password, forgot my password, secret question, logout, email address, etc… Beware the side-doors • User accounts compromised or user sessions hijacked Typical Impact
Broken Authentication Illustrated Custom Code Accounts Finance Administration Transactions Communication Knowledge Mgmt E-Commerce Bus.Functions 1 User sends credentials 2Site uses URL rewriting (i.e., put session in URL) 3 User clicks on a link to http://www.hacker.com in a forum www.boi.com?JSESSIONID=9FA1DB9EA... 4 Hacker checks referrer logs on www.hacker.com and finds user’s JSESSIONID 5 Hacker uses JSESSIONID and takes over victim’s account
A2 – Avoiding Broken Authentication and Session Management • Authentication should be simple, centralized, and standardized • Use the standard session id provided by your container • Be sure SSL protects both credentials and session id at all times Verify your architecture • Forget automated analysis approaches • Check your SSL certificate • Examine all the authentication-related functions • Verify that logoff actually destroys the session • Use OWASP’s WebScarab to test the implementation Verify the implementation • https://www.owasp.org/index.php/Authentication_Cheat_Sheet Follow the guidance from
Summary: How do you address these problems? • Develop Secure Code – Follow the best practices in OWASP’s Guide to Building Secure Web Applications • https://www.owasp.org/index.php/Guide • And the cheat sheets: https://www.owasp.org/index.php/Cheat_Sheets – Use OWASP’s Application Security Verification Standard (ASVS) as a guide to what an application needs to be secure: https://www.owasp.org/index.php/ASVS – Use standard security components that are a fit for your organization • Use OWASP’s ESAPI as a basis for your standard components: https://www.owasp.org/index.php/ESAPI • Review Your Applications – Have an expert team review your applications – Review your applications yourselves following OWASP Guidelines • OWASP Code Review Guide: https://www.owasp.org/index.php/Code_Review_Guide • OWASP Testing Guide: https://www.owasp.org/index.php/Testing_Guide
A few stories from my past…
A few stories from my past…
Questions?
If I only leave you with three things: 1. WE CAN FIXTHIS! 2. Learn all you can about security. Build it into what you do, and do it early and often throughout your projects. Don’t wait until the end. Doing so makes it infinitely much harder to fix (and it probably won’t ever be fixed). 3. Use the resources available to you, such asOWASP. Never be afraid to ask (or Google, or Google then ask)!
Sources/Resources • 2016Verizon Data Breach Investigation Report: http://www.verizonenterprise.com/verizon- insights-lab/dbir/2016/ • Open Web Application Security Project (OWASP): https://www.owasp.org • OWASP Cheat Sheets: https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series • OWASP TopTen Project: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project • OWASP TopTen 2013 (latest edition): https://storage.googleapis.com/google-code-archive- downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202013.pdf • OWASP TopTen Slides (used in this presentation): https://storage.googleapis.com/google- code-archive-downloads/v2/code.google.com/owasptop10/OWASP_Top-10_2013%20- %20Presentation.pptx
My contact information: • If I can ever be a resource to you, please do not hesitate to reach out! • Email: njaehnert@ourhealth.org • Twitter: @njaehner • LinkedIn: https://www.linkedin.com/in/noahjaehnert

More Related Content

PPTX
How to Solve Your Top IT Security Reporting Challenges with AlienVault
byAlienVault
 
PDF
Chapter 15 incident handling
bynewbie2019
 
PPSX
Enterprise mobileapplicationsecurity
byVenkat Alagarsamy
 
PDF
Offensive cyber security engineer updated
byInfosecTrain
 
PDF
Chapter 13 web security
bynewbie2019
 
PPTX
Webdays blida mobile top 10 risks
byIslam Azeddine Mennouchi
 
PPTX
Security Imeprative for iOS and Android Apps
bySymosis Security (Previously C-Level Security)
 
PPTX
Identity and Security in the Cloud
byRichard Diver
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
byAlienVault
 
Chapter 15 incident handling
bynewbie2019
 
Enterprise mobileapplicationsecurity
byVenkat Alagarsamy
 
Offensive cyber security engineer updated
byInfosecTrain
 
Chapter 13 web security
bynewbie2019
 
Webdays blida mobile top 10 risks
byIslam Azeddine Mennouchi
 
Security Imeprative for iOS and Android Apps
bySymosis Security (Previously C-Level Security)
 
Identity and Security in the Cloud
byRichard Diver
 

What's hot

PPTX
How to develop an AppSec culture in your project
by99X Technology
 
PPTX
Operational Security Intelligence
bySplunk
 
PDF
Managing privileged account security
byRaleigh ISSA
 
PPTX
Access Controls
byprimeteacher32
 
PPTX
Chapter 5 - Identity Management
byKarthikeyan Dhayalan
 
PDF
Database Security, Better Audits, Lower Costs
byImperva
 
PPTX
Self Defending Applications
byMichael Coates
 
PPTX
Mandatory access control for information security
byAjit Dadresa
 
PPTX
Hide and seek - Attack Surface Management and continuous assessment.
byEoin Keary
 
PPTX
Ethical Hacking Services
byVirtue Security
 
PPTX
Core defense mechanisms against security attacks on web applications
byKaran Nagrecha
 
PDF
Top 10 Database Threats
byImperva
 
PPTX
Hackers, Cyber Crime and Espionage
byImperva
 
PDF
Top Five Security Must-Haves for Office 365
byImperva
 
PDF
Application security testing an integrated approach
byIdexcel Technologies
 
PPTX
Security in an Interconnected and Complex World of Software
byMichael Coates
 
PPTX
Unit4 next
byIntegral university, India
 
PPTX
Con8813 securing privileged accounts with an integrated idm solution - final
byOracleIDM
 
PPTX
OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration
byOWASP Khartoum
 
How to develop an AppSec culture in your project
by99X Technology
 
Operational Security Intelligence
bySplunk
 
Managing privileged account security
byRaleigh ISSA
 
Access Controls
byprimeteacher32
 
Chapter 5 - Identity Management
byKarthikeyan Dhayalan
 
Database Security, Better Audits, Lower Costs
byImperva
 
Self Defending Applications
byMichael Coates
 
Mandatory access control for information security
byAjit Dadresa
 
Hide and seek - Attack Surface Management and continuous assessment.
byEoin Keary
 
Ethical Hacking Services
byVirtue Security
 
Core defense mechanisms against security attacks on web applications
byKaran Nagrecha
 
Top 10 Database Threats
byImperva
 
Hackers, Cyber Crime and Espionage
byImperva
 
Top Five Security Must-Haves for Office 365
byImperva
 
Application security testing an integrated approach
byIdexcel Technologies
 
Security in an Interconnected and Complex World of Software
byMichael Coates
 
Unit4 next
byIntegral university, India
 
Con8813 securing privileged accounts with an integrated idm solution - final
byOracleIDM
 
OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration
byOWASP Khartoum
 

Similar to Web Security Overview

PDF
Secure coding guidelines
byZakaria SMAHI
 
PDF
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
PPTX
Web_Appication_Security_Training_For_Developers.pptx
byxobewe1102
 
PDF
Solvay secure application layer v2015 seba
bySebastien Deleersnyder
 
PPTX
Web Application Security Session for Web Developers
byKrishna Srikanth Manda
 
PPTX
OWASP_Training.pptx
byPradip Bhattarai
 
PDF
OWASP Top 10 List Overview for Web Developers
byBenjamin Floyd
 
PPTX
OWASP top 10-2013
bytmd800
 
PPTX
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
byAndre Van Klaveren
 
PDF
Owasp Top 10
byShivam Porwal
 
PPTX
Owasp top 10_-_2010 presentation
byIslam Azeddine Mennouchi
 
PPTX
Owasp top 10 2017
byibrahimumer2
 
PPTX
Appsec2013 assurance tagging-robert martin
bydrewz lin
 
PDF
2013 OWASP Top 10
bybilcorry
 
PDF
Owasp top 10 2013
byEdouard de Lansalut
 
PDF
How to Harden the Security of Your .NET Website
byDNN
 
PDF
Security Awareness
byLucas Hendrich
 
PPTX
What is Information Security and why you should care ...
byJames Mulhern
 
PPTX
Information Security: We are all InfoSec (updated for 2018)
byMichael Swinarski
 
PPTX
Web security – application security roads to software security nirvana iisf...
byEoin Keary
 
Secure coding guidelines
byZakaria SMAHI
 
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
Web_Appication_Security_Training_For_Developers.pptx
byxobewe1102
 
Solvay secure application layer v2015 seba
bySebastien Deleersnyder
 
Web Application Security Session for Web Developers
byKrishna Srikanth Manda
 
OWASP_Training.pptx
byPradip Bhattarai
 
OWASP Top 10 List Overview for Web Developers
byBenjamin Floyd
 
OWASP top 10-2013
bytmd800
 
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
byAndre Van Klaveren
 
Owasp Top 10
byShivam Porwal
 
Owasp top 10_-_2010 presentation
byIslam Azeddine Mennouchi
 
Owasp top 10 2017
byibrahimumer2
 
Appsec2013 assurance tagging-robert martin
bydrewz lin
 
2013 OWASP Top 10
bybilcorry
 
Owasp top 10 2013
byEdouard de Lansalut
 
How to Harden the Security of Your .NET Website
byDNN
 
Security Awareness
byLucas Hendrich
 
What is Information Security and why you should care ...
byJames Mulhern
 
Information Security: We are all InfoSec (updated for 2018)
byMichael Swinarski
 
Web security – application security roads to software security nirvana iisf...
byEoin Keary
 

Recently uploaded

PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
PDF
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
PDF
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
PDF
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
PDF
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
PDF
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
PPTX
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PDF
AI Technology important knowledge ......
byutkarshj2007
 
PDF
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
PDF
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
AI Technology important knowledge ......
byutkarshj2007
 
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 

Web Security Overview

  • 1.
    Web Security Overview NoahG. Jaehnert Director of Information Security OurHealth, LLC
  • 2.
    Agenda • Who areyou/Who am I? • What is OurHealth? • What is security/What is Information Security? • Why is security difficult? • What happens if we don't do security right? • What can developers do to enhance security? • Questions? • If I only leave you with three things...
  • 3.
    Who am I? •Noah G. Jaehnert - Director of Information Security at OurHealth • Email: njaehnert@ourhealth.org,Twitter: @njaehner • LinkedIn: https://www.linkedin.com/in/noahjaehnert • Previous experience: • Security Architecture Program Manager/Enterprise Security Strategist – • Senior Information Security Consultant – • Enterprise Architect – • Technical Engineer –
  • 4.
    Who am I? •Awards/Honors: • 2015 and 2016 Cisco Champion for Security! • 2015 America’s Information Security Leadership Award (AISLA) winner - Up and Coming Information Security Professional • Certifications Include: • Other Interests: • Photography • Skiing • Volunteer as a Firefighter/EMT (a different side of Risk Management) *In Progress
  • 5.
    What is OurHealth? CUSTOMNEAR-SITEON-SITE HealthcareClinics Services We Provide: Adult Primary & Urgent Care Pediatric Urgent Care Wellness Services On-site Labs & Medications Referral Services Online Tools
  • 6.
    What is OurHealth’sMission?People Passion Excellence
  • 7.
    What is security? •Security is the degree of resistance to, or protection from, harm. • It applies to any vulnerable and valuable asset, such as a person, dwelling, community, item, nation, or organization. • As noted by the Institute for Security and Open Methodologies (ISECOM) in their Open Source SecurityTesting Methodology Manual (SSTMM), security provides: • A form of protection where a separation is created between the assets and the threat • These separations are generically called "controls," and sometimes include changes to the asset or the threat
  • 8.
    Components of Security •The Certified Information Systems Security Professional (CISSP) certification requires knowledge of the following domains/areas: • Access Control • Application Development Security • Business Continuity and Disaster Recovery Planning • Cryptography • Information Security Governance and Risk Management • Legal regulations, investigations, and compliance • Operations Security • Physical and Environmental Security • SecurityArchitecture and Design • Telecommunications and Network Security
  • 9.
    What Is InformationSecurity? • The protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information • Tools, such as policy, awareness, training, education, and technology are necessary to support the overall protection of information and systems • The C.I.A. triangle was created as a standard to provide guidance on protecting information and systems
  • 10.
    Basics of InformationSecurity: CIA
  • 11.
    Basics of InformationSecurity: CIA
  • 12.
    Basics of InformationSecurity: CIA • Confidentiality – Information, systems, and/or data are not made available or disclosed to unauthorized individuals, entities, or processes • Integrity – Information, systems, and/or data are accurate and complete over their entire lifecycle. This means they cannot be modified in an unauthorized or undetected manner. • Availability – Information, systems, and/or data must be available when it needed. This means that the systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly
  • 13.
    Why is SecurityDifficult? • OurHealth
  • 14.
    Why is SecurityDifficult? • OurHealth
  • 15.
    Why is SecurityDifficult? • OurHealth
  • 16.
    What happens ifwe don’t do security right? Source: 2016 Verizon Data Breach Investigation Report • Gray bars indicate the corresponding figure from the DBIR report for 2015. • Web application attacks accounted for the greatest percentage of attacks that resulted in breaches • Increased almost fivefold from 2015!
  • 17.
    What can developersdo to enhance security? • Build it into what you do! • A plethora of resources for developers on building secure applications are available from the OpenWeb Application Security Project (OWASP).OWASP is: • The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for- profit charitable organization focused on improving the security of software. • OWASP’s mission is to make software security visible, so that individuals and organizations are able to make informed decisions. • OWASP is in a unique position to provide impartial, practical information about AppSec to individuals, corporations, universities, government agencies and other organizations worldwide. Operating as a community of like-minded professionals, OWASP issues software tools and knowledge-based documentation on application security.
  • 18.
    What can developersdo to enhance security? • There is an IndianapolisOWASP Chapter that meets quarterly. • I HIGHLY encourage you attend, because: • There are great presentations on relevant security topics • It is an awesome networking opportunity • Dinner (and sometimes drinks) provided free by a sponsor • Next meeting: TBD Q4 2016. • Visit the Indy OWASP Meetup page for details: http://www.meetup.com/indyowasp/
  • 19.
    About the OWASPTop 10 • Not a standard… OWASP Top 10 is an Awareness Document • Was probably 3rd or 4th OWASP project, after • Developers Guide • WebGoat • Maybe WebScarab ?? First developed in 2003 • 2003, 2004, 2007, 2010, 2013 Released
  • 20.
    OWASP Top Ten(2013 Edition)
  • 21.
    What Didn’t Change •Title is: “The Top 10 Most Critical Web Application Security Risks” It’s About Risks, Not Just Vulnerabilities • Based on the OWASP Risk Rating Methodology, used to prioritize Top 10 OWASP Top 10 Risk Rating Methodology
  • 22.
    2013-A1 – Injection •Tricking an application into including unintended commands in the data sent to an interpreter Injection means… • Take strings and interpret them as commands • SQL, OS Shell, LDAP, XPath, Hibernate, etc… Interpreters… • Many applications still susceptible (really don’t know why) • Even though it’s usually very simple to avoid SQL injection is still quite common • Usually severe. Entire database can usually be read or modified • May also allow full database schema, or account access, or even OS level access Typical Impact
  • 23.
    SQL Injection –Illustrated Firewall Hardened OS Web Server App Server Firewall Databases LegacySystems WebServices Directories HumanResrcs Billing Custom Code APPLICATION ATTACK NetworkLayerApplicationLayer Accounts Finance Administration Transactions Communication KnowledgeMgmt E-Commerce Bus.Functions HTTP request  SQL query  DB Table   HTTP respons e   "SELECT * FROM accounts WHERE acct=‘’ OR 1=1--’" 1. Application presents a form to the attacker 2. Attacker sends an attack in the form data 3. Application forwards attack to the database in a SQL query Account Summary Acct:5424-6066-2134-4334 Acct:4128-7574-3921-0192 Acct:5424-9383-2039-4029 Acct:4128-0004-1234-0293 4. Database runs query containing attack and sends encrypted results back to application 5. Application decrypts data as normal and sends results to the user Account: SKU: Account: SKU:
  • 24.
    A1 – AvoidingInjection Flaws • Avoid the interpreter entirely, or • Use an interface that supports bind variables (e.g., prepared statements, or stored procedures), • Bind variables allow the interpreter to distinguish between code and data • Encode all user input before passing it to the interpreter • Always perform ‘white list’ input validation on all user supplied input • Always minimize database privileges to reduce the impact of a flaw Recommendations • For more details, read the https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet References
  • 25.
    2013-A2 – Broken Authenticationand Session Management • Means credentials have to go with every request • Should use SSL for everything requiring authentication HTTP is a “stateless” protocol • SESSION ID used to track state since HTTP doesn’t • and it is just as good as credentials to an attacker • SESSION ID is typically exposed on the network, in browser, in logs, … Session management flaws • Change my password, remember my password, forgot my password, secret question, logout, email address, etc… Beware the side-doors • User accounts compromised or user sessions hijacked Typical Impact
  • 26.
    Broken Authentication Illustrated CustomCode Accounts Finance Administration Transactions Communication Knowledge Mgmt E-Commerce Bus.Functions 1 User sends credentials 2Site uses URL rewriting (i.e., put session in URL) 3 User clicks on a link to http://www.hacker.com in a forum www.boi.com?JSESSIONID=9FA1DB9EA... 4 Hacker checks referrer logs on www.hacker.com and finds user’s JSESSIONID 5 Hacker uses JSESSIONID and takes over victim’s account
  • 27.
    A2 – AvoidingBroken Authentication and Session Management • Authentication should be simple, centralized, and standardized • Use the standard session id provided by your container • Be sure SSL protects both credentials and session id at all times Verify your architecture • Forget automated analysis approaches • Check your SSL certificate • Examine all the authentication-related functions • Verify that logoff actually destroys the session • Use OWASP’s WebScarab to test the implementation Verify the implementation • https://www.owasp.org/index.php/Authentication_Cheat_Sheet Follow the guidance from
  • 28.
    Summary: How doyou address these problems? • Develop Secure Code – Follow the best practices in OWASP’s Guide to Building Secure Web Applications • https://www.owasp.org/index.php/Guide • And the cheat sheets: https://www.owasp.org/index.php/Cheat_Sheets – Use OWASP’s Application Security Verification Standard (ASVS) as a guide to what an application needs to be secure: https://www.owasp.org/index.php/ASVS – Use standard security components that are a fit for your organization • Use OWASP’s ESAPI as a basis for your standard components: https://www.owasp.org/index.php/ESAPI • Review Your Applications – Have an expert team review your applications – Review your applications yourselves following OWASP Guidelines • OWASP Code Review Guide: https://www.owasp.org/index.php/Code_Review_Guide • OWASP Testing Guide: https://www.owasp.org/index.php/Testing_Guide
  • 29.
    A few storiesfrom my past…
  • 30.
    A few storiesfrom my past…
  • 31.
  • 32.
    If I onlyleave you with three things: 1. WE CAN FIXTHIS! 2. Learn all you can about security. Build it into what you do, and do it early and often throughout your projects. Don’t wait until the end. Doing so makes it infinitely much harder to fix (and it probably won’t ever be fixed). 3. Use the resources available to you, such asOWASP. Never be afraid to ask (or Google, or Google then ask)!
  • 33.
    Sources/Resources • 2016Verizon DataBreach Investigation Report: http://www.verizonenterprise.com/verizon- insights-lab/dbir/2016/ • Open Web Application Security Project (OWASP): https://www.owasp.org • OWASP Cheat Sheets: https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series • OWASP TopTen Project: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project • OWASP TopTen 2013 (latest edition): https://storage.googleapis.com/google-code-archive- downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202013.pdf • OWASP TopTen Slides (used in this presentation): https://storage.googleapis.com/google- code-archive-downloads/v2/code.google.com/owasptop10/OWASP_Top-10_2013%20- %20Presentation.pptx
  • 34.
    My contact information: •If I can ever be a resource to you, please do not hesitate to reach out! • Email: njaehnert@ourhealth.org • Twitter: @njaehner • LinkedIn: https://www.linkedin.com/in/noahjaehnert