Presentation is loading. Please wait.

Presentation is loading. Please wait.

SIGITE 2008: 16-18 Oct Integrating Web Application Security into the IT Curriculum James Walden Northern Kentucky University.

Published byMyron Ross Modified over 8 years ago

Similar presentations

Presentation on theme: "SIGITE 2008: 16-18 Oct Integrating Web Application Security into the IT Curriculum James Walden Northern Kentucky University."— Presentation transcript:

1 SIGITE 2008: 16-18 Oct Integrating Web Application Security into the IT Curriculum James Walden Northern Kentucky University

2 SIGITE 2008: 16-18 Oct Topics 1. Why should we teach web application security? 2. What material do we need to cover? 3. How should we cover that material? 4. Where do we go from here?

3 SIGITE 2008: 16-18 Oct Is Web Hacking Really That Easy? “Exploits of a Mom”, XKCD

4 SIGITE 2008: 16-18 Oct Vulnerability Growth

5 SIGITE 2008: 16-18 Oct Web Vulnerabilities Dominate

6 SIGITE 2008: 16-18 Oct Reasons for Attacking Web Apps

7 SIGITE 2008: 16-18 Oct Firewalls Don’t Protect Web Apps Firewall Port 80 HTTP Traffic Web Client Web Server Application Database Server telnet ftp

8 SIGITE 2008: 16-18 Oct Browser Malware Bypasses Firewall

9 SIGITE 2008: 16-18 Oct Goals 1. Identify and explain common vulnerabilities. 2. Explain security implications of client-side technologies like Javascript and ActiveX. 3. Detect security vulnerabilities in web applications using appropriate tools. 4. Design and implement web applications that do not contain common vulnerabilities. 5. Deploy and configure a web application in a secure manner.

10 SIGITE 2008: 16-18 Oct Topic Outline 1. Web Application Input 2. Client-side Technologies 3. Input-based Attacks 4. Injection Attacks 5. Cross-site Attacks 6. Authentication 7. Secure Programming 8. Operational Security

11 SIGITE 2008: 16-18 Oct Web App Security in IT2005 Web Application Security IPT5 Software Security IAS6 Security Domains WS5 Web Security IAS11 Vulnerabilities

12 SIGITE 2008: 16-18 Oct Labs 1. WebGoat exercises on specific vulnerabilities. 2. Using a testing proxy to solve more advanced WebGoat exercises. 3. Assessing an application using a web vulnerability scanner. 4. Assessing a web application using a testing proxy. 5. Reviewing the code of an application using a static analysis tool. 6. Deploying a web application firewall. 7. Participating in the international CTF competition.

13 SIGITE 2008: 16-18 Oct WebGoat

14 Tools Web Proxies Web Application Firewalls Static Analysis Vulnerability Scanners

15 SIGITE 2008: 16-18 Oct Web Proxies

16 SIGITE 2008: 16-18 Oct Altering Form Parameters

17 SIGITE 2008: 16-18 Oct Fuzz Testing Fuzz testing consists of  Sending unexpected input.  Monitoring for exceptions.

18 SIGITE 2008: 16-18 Oct Web Application Firewalls What is a WAF? Web monitoring. Web monitoring. Access control. Access control. Behind SSL endpoint. Behind SSL endpoint.A/K/A Deep packet inspection. Deep packet inspection. Web IDS/IPS. Web IDS/IPS. Web App Proxy/Shield. Web App Proxy/Shield.mod_security Open source. Open source. Embeds in Apache. Embeds in Apache. Reverse proxy. Reverse proxy.

19 SIGITE 2008: 16-18 Oct Vulnerability Scanners 1. Spiders site. 2. Identifies inputs. 3. Sends list of malicious inputs to each input. 4. Monitors responses.

20 SIGITE 2008: 16-18 Oct Static Analysis Automated assistance for code auditing Speed: review code faster than humans can Accuracy: hundreds of secure coding rules Results Tools Coverity Coverity FindBugs FindBugs Fortify Fortify Klocwork Klocwork Ounce Labs Ounce Labs

21 SIGITE 2008: 16-18 Oct Labs 1. WebGoat exercises on specific vulnerabilities. 2. Using a testing proxy to solve more advanced WebGoat exercises. 3. Assessing an application using a web vulnerability scanner. 4. Assessing a web application using a testing proxy. 5. Reviewing the code of an application using a static analysis tool. 6. Deploying a web application firewall. 7. Participating in the international CTF competition.

22 SIGITE 2008: 16-18 Oct Approaches 1. Students evaluate and fix their own code. 1. Students learn about their own coding mistakes. 2. Scale of project limited to what students can write. 2. Students evaluate and fix your code. 1. Write a web application designed for teaching students. 3. Students evaluate and fix someone else’s code. 1. Use a web application designed for teaching. 2. Analyze an open source web application with known vulnerabilities reported in NVD or other bug db.

23 SIGITE 2008: 16-18 Oct Teaching Applications Hacme Bank, Books, Casino, Travel

24 SIGITE 2008: 16-18 Oct Future Directions: AJAX Security Asynchronous Javascript and XML  Expanded server side API.  Server API calls can be issued in any order by attacker; cannot assume calls issued in order by your client.  Larger amount of client state.  Client/server communication using data (XML/JSON) rather than presentation (HTML.)

25 SIGITE 2008: 16-18 Oct Future Directions: Web Sec Class 1. Web Application Input 2. Client-side Technologies 3. Service Oriented Architectures 4. AJAX 5. Input-based Attacks 6. Injection Attacks 7. Race Conditions 8. Cross-site Attacks 9. Authentication 10. Secure Programming 11. Operational Security

26 SIGITE 2008: 16-18 Oct Conclusions 1. Defense is shifting from network to application layer. Firewalls, anti-virus, SSL input validation, WAF 2. Students need to learn to identify vulnerabilities. 1. Static analysis of source code. 2. Web proxies and scanners for testing. 3. Students need to learn to remediate vulnerabiliites. 1. Web application firewalls for immediate short-term fixes. 2. Repairing source code for long term fixes.

Download ppt "SIGITE 2008: 16-18 Oct Integrating Web Application Security into the IT Curriculum James Walden Northern Kentucky University."

Similar presentations

Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
 The Citrix Application Firewall prevents security breaches, data loss, and possible unauthorized modifications to Web sites that access sensitive business.

 The Citrix Application Firewall prevents security breaches, data loss, and possible unauthorized modifications to Web sites that access sensitive business.
Current Security Threats WMO CBS ET-CTS Toulouse, France 26-30 May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.

Current Security Threats WMO CBS ET-CTS Toulouse, France May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.
Prime’ Senior Project. Presentation Outline What is Our Project? Problem Definition What does our system do? How does the system work? Implementation.

Prime’ Senior Project. Presentation Outline What is Our Project? Problem Definition What does our system do? How does the system work? Implementation.
Vulnerability Assessment Course Applications Assessment.

Vulnerability Assessment Course Applications Assessment.
Barracuda Web Application Firewall

Barracuda Web Application Firewall
August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.

August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.
Web 2.0 security Kushal Karanjkar Under guidance of Prof. Richard Sinn.

Web 2.0 security Kushal Karanjkar Under guidance of Prof. Richard Sinn.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
James Walden, Maureen Doyle Northern Kentucky University Students: Andrew Plunkett, Rob Lenhof, John Murray.

James Walden, Maureen Doyle Northern Kentucky University Students: Andrew Plunkett, Rob Lenhof, John Murray.
INTRODUCTION The Group WEB BROWSER FOR RELATION Goals.

INTRODUCTION The Group WEB BROWSER FOR RELATION Goals.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Firewalls Presented By Hareesh Pattipati. Outline Introduction Firewall Environments Type of Firewalls Future of Firewalls Conclusion.

Firewalls Presented By Hareesh Pattipati. Outline Introduction Firewall Environments Type of Firewalls Future of Firewalls Conclusion.
IST346:  Web Services. Today’s Agenda  Learn the basics of how the Web works  Understand various web service architectures  Address scaling, security,

IST346:  Web Services. Today’s Agenda  Learn the basics of how the Web works  Understand various web service architectures  Address scaling, security,
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
Course 201 – Administration, Content Inspection and SSL VPN

Course 201 – Administration, Content Inspection and SSL VPN
W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.
Securing Legacy Software SoBeNet User group meeting 25/06/2004.

Securing Legacy Software SoBeNet User group meeting 25/06/2004.

Similar presentations

Ads by Google