Presentation is loading. Please wait.

Presentation is loading. Please wait.

APPLICATION SECURITY… WHAT’S THAT? AN INTRODUCTION TO APPLICATION SECURITY LEVEL 101.

Published byAlannah Fox Modified over 9 years ago

Similar presentations

Presentation on theme: "APPLICATION SECURITY… WHAT’S THAT? AN INTRODUCTION TO APPLICATION SECURITY LEVEL 101."— Presentation transcript:

1 APPLICATION SECURITY… WHAT’S THAT? AN INTRODUCTION TO APPLICATION SECURITY LEVEL 101

2 WHAT IS APPSEC (APPLICATION SECURITY)? Application security encompasses measures taken throughout the application's life-cycle to prevent exceptions in the security policy of an application or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application. *wikipedia

3 WHAT IS APPSEC? Wait, what does “application” mean? AppSec and My InfoSec program Application security is only one part of a complete information security program Successful InfoSec programs have “buy-in” from all levels of the organization Application security has a higher importance within an InfoSec program due to exposure This requires a focus on “real world” testing Pen Testing

4 WHAT IS APPSEC? What is a penetration test? A penetration test, occasionally pentest, is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders (who do not have an authorized means of accessing the organization's systems) and malicious insiders (who have some level of authorized access). The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, both known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities. wikipedia

5 WHAT IS APPSEC? Penetration tests are valuable for several reasons: Determining the feasibility of a particular set of attack vectors Identifying higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence Identifying vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software

6 WHAT IS APPSEC? Penetration tests are valuable for several reasons: Assessing the magnitude of potential business and operational impacts of successful attacks Testing the ability of network defenders to successfully detect and respond to the attacks Providing evidence to support increased investments in security personnel and technology

7 WHAT IS APPSEC? Testing Types White Box Testing In penetration testing, white-box testing refers to a methodology where an ethical hacker has full knowledge of the system being attacked. The goal of a white-box penetration test is to simulate a malicious insider who has some knowledge and possibly basic credentials to the target system. Black Box Testing In penetration testing, black-box testing refers to a methodology where an ethical hacker has no knowledge of the system being attacked. The goal of a black-box penetration test is to simulate an external hacking or cyber warfare attack.

8 Network security defects Secured By Firewalls and IDS’s Server security defects Secured By Access Controls, Firewalls, IDS’s, Patch Management. Application and Web Services security defects Ref: OWASP Top 10 SQL INJECTION Cross Site Scripting CSRF Session Hijacking Source Disclosure Malware Code injection Unauthorized access The applications are the most easily exploitable conduit to the data WHAT IS APPSEC?

9 Who are my enemies? Hackers Insider Attacks Script Kiddies Hacktivists

10 WHAT IS APPSEC? Hackers White Hat A "white hat hacker" (also known as an ethical hacker) breaks security for non-malicious reasons, perhaps to test their own security system or while working for a security company which makes security software. Black Hat A "black hat hacker" (also known as a cracker) is a hacker who violates computer security with malicious intent or for personal gain" (Moore, 2005).

11 WHAT IS APPSEC? Insider Threats Disgruntled Employees Corporate Espionage Internal threats include any harmful actions with data that violate at least one of the fundamental principles of information security (integrity, availability, and confidentiality) and originate from within a company’s information system.

12 WHAT IS APPSEC? Script Kiddies A "script kiddie" (aka skiddie) is a person who breaks into computer systems using automated tools with no understanding or care of how they work. Hactivist A hacktivist is a hacker regardless of classification who utilizes technology to announce a social, ideological, religious, or political message.

13 WHAT IS APPSEC? Key Terms Vulnerability Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

14 WHAT IS APPSEC? Key Terms Threat Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

15 WHAT IS APPSEC? Key Terms Risk The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.

16 WHAT IS APPSEC? Key Terms APT An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization. APT attacks target organizations in sectors with high-value information, such as national defense, manufacturing and the financial industry.

17 WHAT IS APPSEC? What are the most likely threats facing my AppSec Program? Cross-Site Scripting (XSS) SQL Injection (SQLi) Weak Authentication Secure Session Vulnerabilities Secure Transmission Vulnerabilities Privilege Escalation Information Leakage and Improper Error Handling

18 WHAT IS APPSEC? Cross-Site Scripting (XSS) Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Persistent VS. Reflected

19 WHAT IS APPSEC? SQL Injection A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system.

20 WHAT IS APPSEC? Weak Authentication Vulnerabilities Weak Passwords User Enumeration Lack of Account Lockout Password Reset Vulnerabilities

21 WHAT IS APPSEC? Secure Session Vulnerabilities Session Poisoning A method to exploit insufficient input validation within a server application Session Fixation An attack that permits an attacker to hijack a valid user session Persistent Cookies Remain on your hard drive until you erase them or they expire Stored with your browser when you click the "remember me" button on the login form

22 WHAT IS APPSEC? Insecure Communication Login Forms without SSL Encryption Old or Out Dated Algorithm use Backend host communication Failure to encrypt sensitive communications means that an attacker who can sniff traffic from the network will be able to access the conversation, including any credentials or sensitive information transmitted

23 WHAT IS APPSEC? Privilege Escalation Occurs when a user gets access to more resources or functionality than they are normally allowed, and such elevation/changes should have been prevented by the application

24 WHAT IS APPSEC? Information Leakage and Improper Error Handling Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems Applications can also leak internal state via how long they take to process certain operations or via different responses to differing inputs, such as displaying the same error text with different error numbers Web applications will often leak information about their internal state through detailed or debug error messages

25 THE STORY OF JOHNNY… Counselor Wendy “Hello, I would like to review my grades please…” Johnny “Sure Johnny, Let me just log in and take a look at your “record”… Johnny plants an attack (within his record) to hijack Wendy’s sessionid The attack executes in Wendy’s browser without notice. Johnny has captured her sessionid. Username / password sessionid Johnny substitutes his sessionid with that of Wendy and assumes the identity of Wendy within the application. He then contact’s Wendy by phone…

26 WHAT HAPPENED TO THE FIREWALL??? Hackers Malicious Insiders Worms & Viruses

27 FUNDAMENTALLY FLAWED PERCEPTION Web-facing Applications Legacy Application Integration Connectivity with Partners, Suppliers Outsourcing Employee Self-Service Today, even the code itself is sometimes “outside the firewall!” Fails to protect the most critical component - the Applications http/https

28 WHAT THE USER SEES…

29 Social Engineering Information Gathering Account Enumeration Password Guessing Eavesdropping SQL Injection Cross-Site Scripting WHAT A HACKER SEES…

30 Intended Functionality Actual Functionality In a perfect world… HOW DOES THIS HAPPEN?

31 Intended Functionality Actual Functionality Working Features Security Defects In The Real World… Functional Defects ? ?

32 Firewall Web Server AppsHost Firewall Application Server AppsHost Database Server Database Host Network Security Router Firewall Switch Threats and Countermeasures Secure The Application Exception ManagementCryptography Input ValidationAuthorization Configuration ManagementProtect Sensitive Data Session ManagementAuthentication Parameter ManipulationAuditing and Logging Secure The Host PatchesAccountsPorts UpdatesFilesRegistry ServicesDirectoriesAuditing ProtocolsSharesLogging

Download ppt "APPLICATION SECURITY… WHAT’S THAT? AN INTRODUCTION TO APPLICATION SECURITY LEVEL 101."

Similar presentations

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Information System protection and Security. Need for Information System Security §With the invent of computers and telecommunication systems, organizations.

Information System protection and Security. Need for Information System Security §With the invent of computers and telecommunication systems, organizations.
Chapter 4 McGraw-Hill/Irwin Copyright © 2011 by The McGraw-Hill Companies, Inc. All rights reserved. Ethics and Information Security.

Chapter 4 McGraw-Hill/Irwin Copyright © 2011 by The McGraw-Hill Companies, Inc. All rights reserved. Ethics and Information Security.
McGraw-Hill/Irwin Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved. Extended Learning Module H Computer Crime and Digital Forensics.

McGraw-Hill/Irwin Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved. Extended Learning Module H Computer Crime and Digital Forensics.
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
Security Issues and Challenges in Cloud Computing

Security Issues and Challenges in Cloud Computing
Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.

Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
January 14, 2010 Introduction to Ethical Hacking and Network Defense MIS 4600 - © Abdou Illia.

January 14, 2010 Introduction to Ethical Hacking and Network Defense MIS © Abdou Illia.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Software Security Course Course Outline 2-27-09. Course Overview Introduction to Software Security Common Attacks and Vulnerabilities Overview of Security.

Software Security Course Course Outline Course Overview Introduction to Software Security Common Attacks and Vulnerabilities Overview of Security.
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Web Application Security

Web Application Security
Mapping The Penetration Tester’s Mind 0 to Root in 60 Min #MappingThePenTestersMind 1.

Mapping The Penetration Tester’s Mind 0 to Root in 60 Min #MappingThePenTestersMind 1.
OWASP Mobile Top 10 Why They Matter and What We Can Do

OWASP Mobile Top 10 Why They Matter and What We Can Do

Similar presentations

Ads by Google