Web Vulnerability Assessments


Web Vulnerability Assessments
NEWDUG, January 2015

Agenda
- About
- Web Vulnerability Assessments: goals, types, SOW, steps
- Tools
- Demos

Goals
- Demonstrate a web VA and show the techniques pen-testers and hackers use to find vulnerabilities in your sites
- Provide some techniques and tools to help secure your code

John Reynders, Consultant with OpenSky Corp.
- Seven years' experience in web security: program development, dynamic testing, static analysis, coding standards, web application firewalls
- Eight years of general information security experience

OpenSky - An Award Winning Company
Everything starts with our people. Our success comes from their expertise and dedication to always "doing the right thing" for our clients.
- Our people: expert resources (CRN Tech Elite 250, 2013); quality work environment (Top Workplace 2011, 2012, 2013)
- Our people create top-tier solutions: GRC Solution Award with client Shire Pharmaceuticals (OCEG, 2013)
- Our people and our solutions create lasting relationships and new partners: multiple growth awards (Inc 500 2012; CRN 2011, 2012; Marcum Tech Top 40 2011, 2012)

Complete Solutions for Major Enterprises (Secure / Manage / Plan, Design & Migrate)
- IT Risk Management & Security Services: assessment and advisory; application secure coding; vulnerability assessment and penetration testing; security program and framework; technology implementation and engineering; mobile device and virtualization security
- Datacenter & Cloud Infrastructure Services: data center and cloud integration; network infrastructure; virtualization; storage and computing infrastructure; applications; end-user computing
- GRC Services: GRC strategy; GRC maturity assessment; GRC configuration and custom development
- Technical Business Consulting: IT transformation and strategy; technical project management; IT supplier and sourcing management; IT expense management

Web Vulnerability Assessments
Conducted under a contract with specific terms, most often called the Statement of Work (SOW). Specify in the SOW:
- System to be tested (URL)
- Production or non-prod?
- Type and level of testing: level of automated and manual testing; "safe" tests only?
- Hours for testing: nights only?
- Whitelist the tester's IP addresses in the WAF and IPS?
- Special concerns?
The more information, the better the assessment.
Additional considerations: number of user roles, whether retesting is included, and, if non-prod, whether travel will be involved.

Web Vulnerability Assessments
Types of application security testing:
- Dynamic Application Security Testing (DAST), "black box": tests the running web site for vulnerabilities and simulates what a real attacker would do.
- Static Application Security Testing (SAST), "white box": tests the source code for vulnerabilities. A real attacker would usually not have the code, so this is a different approach to identifying potential security flaws rather than a simulation of an attack.
- Hybrid, "glass box": a dynamic test against an instrumented web server, so findings can be tied back to the code that produced them.
Manual testing can occur in each type. This talk covers dynamic testing; note that some dynamic tools also perform static analysis of the JavaScript they download.

"Typical" Web Assessment Steps
1. Recon: site components and architecture; open ports? Hack the server (if the SOW puts the infrastructure in scope).
2. Manually crawl the site with an intercepting proxy.
3. Automated scan of the site.
4. Results verification: remove false positives.
5. Manual testing of the things tools don't do well: business logic, privilege escalation, etc.
6. Reporting.
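Step 5 is where most of the real findings come from, because a scanner has no idea which user is supposed to see which record. The following is an added example, not code from the presentation: a horizontal privilege-escalation (insecure direct object reference) check that replays every object id under every test account. The in-memory "application" with its invoice table and two sessions is constructed for the demonstration; in a real assessment the `fetch` callback would wrap an HTTP client replaying requests captured in the proxy.

```python
"""IDOR / horizontal privilege-escalation check (added example, constructed target)."""

# --- constructed stand-in for the application under test ----------------------
INVOICES = {
    101: {"owner": "alice", "amount": 120.00},
    102: {"owner": "bob", "amount": 75.50},
    103: {"owner": "alice", "amount": 9.99},
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}  # session cookie -> user


def vulnerable_get_invoice(session, invoice_id):
    """Authenticates the session but never checks ownership: the IDOR bug."""
    if session not in SESSIONS:
        return 401, None
    inv = INVOICES.get(invoice_id)
    return (200, inv) if inv else (404, None)


def fixed_get_invoice(session, invoice_id):
    """Same endpoint with the missing authorization check added."""
    user = SESSIONS.get(session)
    if user is None:
        return 401, None
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != user:
        # 404 rather than 403, so the response does not confirm that the id exists
        return 404, None
    return 200, inv


# --- the manual-testing step, automated just enough to be repeatable ----------
def find_idor(fetch, sessions, ids):
    """Replay every id under every session.

    fetch(session, id) -> (status, body) is all the check needs, so the same
    function can drive a real HTTP client. Any id that returns 200 for more
    than one session is reported as a candidate finding; whether that is a
    bug or a legitimately shared object is the results-verification step.
    """
    findings = []
    for obj_id in ids:
        readers = [s for s in sessions if fetch(s, obj_id)[0] == 200]
        if len(readers) > 1:
            findings.append((obj_id, sorted(readers)))
    return findings


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_get_invoice),
                          ("fixed", fixed_get_invoice)):
        print(name, find_idor(handler, SESSIONS, INVOICES))
```

The ids fed to the check come from crawling as one user (step 2) and should include ids that user never saw, such as neighbours of the ones that were visible; a sequential id space is itself worth noting in the report even when the authorization check is correct.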

Recon
- Visit the site
- Site information: Netcraft, Shodan, etc.
- Google dorks: exposed files, passwords, WSDL, admin logons, etc.
- Port scan: Nmap, Nessus, Qualys. May also perform an infrastructure vulnerability scan for missing patches, configuration issues, etc.
- Check the security configuration

Configuration Checkers
- Microsoft Web Application Configuration Analyzer: needs admin rights on the server; also checks SQL Server. http://www.microsoft.com/en-ca/download/details.aspx?id=573
- Check Your Headers: http://cyh.herokuapp.com/cyh
- SSL Labs: https://www.ssllabs.com/ssltest/index.html
- ASAFAWEB: https://asafaweb.com/
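The header checkers above all do the same few things: confirm the defensive response headers are present and sane, flag headers that disclose versions, and check cookie flags. The following is an added example that does that offline against a list of (name, value) header pairs, the shape `http.client`'s `getheaders()` returns; it is not the presenter's code or any of the listed tools. The two sample responses are constructed for the demonstration, and `fetch_headers` is the only part that touches the network.

```python
"""Security-header audit (added example; sample responses are constructed)."""
import http.client
from urllib.parse import urlsplit

# header -> value check (None means "must merely be present")
EXPECTED = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": None,
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.lower() == "nosniff",
}
# headers that commonly carry a product version, which is recon gold for an attacker
LEAKY = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
COOKIE_FLAGS = (("secure", "Secure"), ("httponly", "HttpOnly"))


def audit_headers(pairs):
    """Return a list of finding strings for one response.

    pairs: iterable of (name, value); names are matched case-insensitively and
    repeated names (several Set-Cookie lines) are kept separate.
    """
    by_name = {}
    for name, value in pairs:
        by_name.setdefault(name.lower(), []).append(value)

    findings = []
    for name, check in EXPECTED.items():
        if name not in by_name:
            findings.append(f"missing {name}")
        elif check is not None and not check(by_name[name][0]):
            findings.append(f"weak {name}: {by_name[name][0]!r}")

    for name in LEAKY:
        for value in by_name.get(name, []):
            if any(ch.isdigit() for ch in value):  # a bare product name is less useful than a version
                findings.append(f"version disclosure in {name}: {value!r}")

    for cookie in by_name.get("set-cookie", []):
        cname = cookie.split("=", 1)[0].strip()
        flags = {part.strip().lower() for part in cookie.split(";")[1:]}
        for flag, label in COOKIE_FLAGS:
            if flag not in flags:
                findings.append(f"cookie {cname} lacks {label}")
    return findings


def fetch_headers(url, timeout=10):
    """Live fetch using only the standard library (not exercised offline)."""
    u = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("GET", u.path or "/")
        return conn.getresponse().getheaders()
    finally:
        conn.close()


# Constructed sample responses: a default-looking ASP.NET site and a hardened one.
SAMPLE_WEAK = [
    ("Server", "Microsoft-IIS/7.5"),
    ("X-Powered-By", "ASP.NET"),
    ("X-AspNet-Version", "4.0.30319"),
    ("Set-Cookie", "ASP.NET_SessionId=abc123; path=/"),
    ("Content-Type", "text/html"),
]
SAMPLE_GOOD = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("good", SAMPLE_GOOD)):
        print(label, audit_headers(sample))
```

Two caveats when reading the output: HSTS only means anything on an HTTPS response, so run the check against the https:// URL, and a missing header on one page is not proof it is missing everywhere, since frameworks and load balancers often add them per route. Treat the output as a list of things to confirm in the proxy, not as the report.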

Crawl Site with Intercepting Proxies
- Burp (free and professional versions): http://portswigger.net/
- Fiddler: http://www.telerik.com/fiddler
- Zed Attack Proxy (ZAP): https://code.google.com/p/zaproxy/wiki/Downloads

Intercepting Proxy
- Sits as a man-in-the-middle on all traffic between the browser and the site
- Hackers and testers can see, and rewrite, every byte transmitted, including hidden form fields, cookies and JavaScript-generated values
- Hidden fields are therefore NOT a security feature: anything the client sends must be validated or re-derived on the server
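To make the hidden-field point concrete, here is an added example (not the presenter's code) of a checkout handler that trusts a hidden `price` field, beside the same handler with the price looked up server-side, and a small HMAC helper for the case where some state genuinely has to round-trip through the client. The catalog, the form dictionaries and the handler names are constructed for the demonstration.

```python
"""Hidden form fields are not a security boundary (added example, constructed app)."""
import hashlib
import hmac
import secrets

CATALOG = {"sku-42": 49.99, "sku-7": 5.00}          # constructed price list
SERVER_KEY = secrets.token_bytes(32)                  # per-deployment secret, never sent to clients


def vulnerable_checkout(form):
    """Charges whatever the hidden <input name="price"> says.

    The page emitted the right price, but the request goes through the user's
    proxy before it reaches us, so the value is under the attacker's control.
    """
    return round(float(form["price"]) * int(form["qty"]), 2)


def fixed_checkout(form):
    """Hardened: the client may only name the sku; price comes from the server."""
    sku = form["sku"]
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    qty = int(form["qty"])
    if qty <= 0:
        raise ValueError("bad quantity")
    return round(CATALOG[sku] * qty, 2)


# If state really must live in the client (multi-step wizards, etc.), make it
# tamper-evident with an HMAC keyed on a server-side secret.
def sign_field(value):
    tag = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}|{tag}"


def verify_field(signed):
    value, _, tag = signed.rpartition("|")
    expected = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        raise ValueError("hidden field tampered with")
    return value


if __name__ == "__main__":
    honest = {"sku": "sku-42", "price": "49.99", "qty": "2"}
    tampered = dict(honest, price="0.01")             # what the proxy lets a user send
    print("vulnerable:", vulnerable_checkout(honest), vulnerable_checkout(tampered))
    print("fixed:     ", fixed_checkout(honest), fixed_checkout(tampered))
```

The signed variant stops modification, not replay: a client can still resubmit a value the server signed earlier (an old price, another session's token) unless the signed payload also carries something that ties it to this session and a validity window. Server-side lookup, as in `fixed_checkout`, is the simpler fix whenever it is possible.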

Burp

Burp – Analyze Request & Response

Scan Site - Dynamic Scanners
- Acunetix: http://www.acunetix.com/
- AppScan: http://www-03.ibm.com/software/products/en/appscan
- WebInspect: http://www8.hp.com/us/en/software-solutions/webinspect-dynamic-analysis-dast/
- Burp and ZAP also have scanning modules

AppScan

DEMO

Resources
- OWASP: http://www.owasp.org/
  - Cheat Sheets: https://www.owasp.org/index.php/Cheat_Sheets
  - Testing Guide: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
- WASC: http://www.webappsec.org/ (not updated recently, but some good content)
- The Web Application Hacker's Handbook: http://www.amazon.com/The-Web-Application-Hackers-Handbook/dp/1118026470

Contact Information
Email: jreynders@openskycorp.com
Web Site: http://www.openskycorp.com/