By Ben Pratt and Clint Forseth

• Ben Pratt
  ◦ Primary Role: Course Mgmt. Sys. Admin
  ◦ Secondary Roles: Printer Server Admin, Web Application Firewall Admin, “Other Duties as Assigned”
• Clint Forseth
  ◦ Primary Role: Active Directory Accounts Admin
  ◦ Secondary Roles: Web Server Admin, Database Admin, Applications Developer, DNS/DHCP Admin, “Jack of All Trades, …”

• “Largest” University in MnSCU
• Located in Central Minnesota
  ◦ About 70 miles NW of Minneapolis
• Enrollment: ~1600 students
• Web Environment
  ◦ Primarily Microsoft (Windows 2003/2008 and IIS)
  ◦ Classic ASP Web Apps with some PHP, Java, etc.
  ◦ Most new development in .NET

• SQL Injection
  ◦ Allows an attacker to run unwanted SQL queries against your database
  ◦ Can result in data loss or data manipulation
  ◦ SQL Inject Me (Firefox Add-on), sqlmap, etc.

• Cross Site Scripting (XSS)
  ◦ Allows an attacker to modify your web site
  ◦ Can result in unwanted HTML or scripts being run as your web site
  ◦ XSS Me (Firefox Add-on), XSS-Proxy, etc.
• Many Others
  ◦ Information gathering
  ◦ Forceful browsing
  ◦ Buffer overflow
  ◦ Cookie tampering

• Samurai Web Testing Framework (WTF)
• W3af
• OWASP WebScarab
• Others
  ◦ pubs/create-attacks-tr054-abstract.html

• A System or Application that Limits Data Sent Between a Web Browser and a Web Server
  ◦ Inspects traffic at layer 7 of the OSI Model
• Runs Traffic Through Rules to Detect Attacks Against Web Applications
  ◦ Rules can check for SQL Injection attempts, Cross Site Scripting (XSS) attempts, invalid cookies, manipulated form data, and other invalid user-submitted data
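As an added illustration (not code from the presentation or from either product it names), a minimal layer-7 inspector that runs every user-controlled field of a request (query string, form fields, cookies, headers) through signature rules of the kind described above; the Request shape, the rule patterns and the sample traffic are all constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Signature rules of the kind a layer-7 application firewall applies to every
# user-controlled value. The patterns are illustrative only, not a vendor's.
RULES = {
    "sqli": re.compile(r"""(?ix)
        '\s*(?:or|and)\s+[\w'"]+\s*=\s*[\w'"]+         # tautology after a quote
      | ;\s*(?:drop|insert|update|delete|exec)\b     # stacked statement
      | \bunion\b\s+(?:all\s+)?select\b              # UNION SELECT
      | --\s*$                                       # trailing SQL comment
    """),
    "xss": re.compile(r"""(?ix)
        <\s*/?\s*(?:script|iframe|object|embed)\b    # injected active tag
      | \bjavascript\s*:                             # javascript: URL
      | \bon(?:load|error|click|mouseover)\s*=       # inline event handler
    """),
}

@dataclass
class Request:
    """Decoded HTTP request fields as the firewall sees them (constructed)."""
    path: str
    query: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

def inspect(req):
    """Return one (rule, location, value) tuple per field that trips a rule;
    an empty list means the request passed every signature."""
    hits = []
    for where, fields in (("query", req.query), ("form", req.form),
                          ("cookie", req.cookies), ("header", req.headers)):
        for name, value in fields.items():
            for rule, rx in RULES.items():
                if rx.search(value):
                    hits.append((rule, f"{where}:{name}", value))
    return hits

# Constructed sample traffic: one clean request, one SQLi attempt in the query
# string, one XSS attempt in a form field, one script tag carried in a cookie.
BENIGN = Request("/courses.asp", query={"id": "1042", "term": "fall"},
                 cookies={"session": "a8f3c2"})
SQLI = Request("/courses.asp", query={"id": "1042' OR 'a'='a"})
XSS = Request("/guestbook.asp", form={"msg": "hi <script>alert(1)</script>"})
COOKIE = Request("/", cookies={"pref": "<iframe src=//example.invalid>"})
```

Because this is a negative (signature) model, it only catches what its rules already describe, which is the "single point of update for new attacks" trade-off the presenters note for a WAF.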

• SQL Injection Worm on the Loose
  ◦ “…a SQL Injection worm that is on the loose. From a quick google [sic] search it shows that there are about 4,000 websites infected and that this worm started at least mid-April if not earlier. …but what they are doing is putting in some scripts and iframes to take over visitors to the websites.”
• Winzipices.cn SQL injection attack
  ◦ “According to Microsoft, there's no patch to fix the issue -- the vulnerability lies in custom ASP code that fails to follow well-established security practices for handling database input.”

• Write More Secure Web Applications
  ◦ Getting easier with more secure development tools
  ◦ Requires rewrite/updating of old/insecure apps
  ◦ Depends on trusting 3rd party applications
  ◦ Depends on attacker methods not evolving
• Use Web Application Firewall
  ◦ Allows for separation of web application security responsibilities from development team
  ◦ Can be implemented with almost any web application
  ◦ Single/reduced points of updates for new attacks

• dotDefender from AppliCure
  ◦ ISAPI filter for IIS (available for Apache too)
• Installs Directly on Web Server
• Quick to Install and Secure Web Sites
• Requires Less Network Knowledge to Configure
• Lower Cost for Individual Servers
• Ability to Protect All SSL Traffic
• Higher Impact on Server Performance
• All Attacks Reach Web Server

• Citrix NetScaler Application Firewall
  ◦ Integrated into NetScaler Load Balancers
  ◦ Positive Security Model (Default Deny)
  ◦ Use of RegEx to minimize rules
• Takes Application Firewall Processing Load Off of Web Servers
• May Require Re-architecture of Datacenter Network and ACLs
  ◦ May require code modification for applications
• Higher Cost for Individual Servers

• Required Immediate Response to Active Web Application Attacks with Ability to Grow
• dotDefender Installed for Quick Response to Common Web Application Attacks
• Determined Long Term Response Would Utilize Citrix Network Load Balancers Already in Environment

• Initial Focus on Public, Unauthenticated Sites
• April 2008
  ◦ dotDefender installed with (mostly) default settings
• June 2008
  ◦ Citrix Application Firewall training
• July & August 2008
  ◦ Updated sites not routing traffic through the Citrix network load balancer (NLB) to do so
  ◦ A majority of our public-facing web sites were put into Learning Mode

• September 2008
  ◦ The sites that had been in Learning Mode were switched into Blocking Mode
• October 2008
  ◦ Most popular/open sites were felt to be secure
• Ongoing
  ◦ As new issues arise or applications come online, the app firewall rules are adjusted
  ◦ A plan is being developed for securing further, “tricky” applications
    ▪ Dynamic URLs, applications reading IP headers, etc.
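An added example (not the presenters' code and not NetScaler's own learning logic) of the positive-security, default-deny model described on the NetScaler slide and of the Learning Mode to Blocking Mode transition in the timeline above: learning mode records the parameter values real traffic carries per URL, switching to blocking compiles each parameter to the narrowest regex class that fits, and blocking mode then denies unknown URLs, unexpected parameters and out-of-class values. The URLs, parameter names and value classes are constructed.

```python
import re
from collections import defaultdict

# Value classes, narrowest first, that learning mode generalises observed
# parameter values to. Constructed for this example, not a product's own set.
VALUE_CLASSES = [
    ("digits", re.compile(r"[0-9]{1,10}")),
    ("word",   re.compile(r"[A-Za-z_-]{1,32}")),
    ("alnum",  re.compile(r"[A-Za-z0-9_-]{1,64}")),
    ("text",   re.compile(r"[A-Za-z0-9 .,_-]{1,256}")),
]

class PositiveModelWAF:
    """Learning mode records what real traffic looks like; blocking mode then
    denies anything outside that profile (default deny)."""

    def __init__(self):
        self.mode = "learning"
        self.seen = defaultdict(lambda: defaultdict(set))  # url -> param -> values
        self.profile = {}                                  # url -> param -> (label, regex)

    def switch_to_blocking(self):
        """Compile the learned traffic into one regex rule per URL parameter."""
        for url, params in self.seen.items():
            self.profile[url] = {}
            for name, values in params.items():
                for label, rx in VALUE_CLASSES:
                    if all(rx.fullmatch(v) for v in values):
                        self.profile[url][name] = (label, rx)
                        break  # narrowest class that fits every value wins
        self.mode = "blocking"

    def check(self, url, params):
        """Return (allowed, reason). Learning mode allows and records
        everything; blocking mode denies unknown URLs, unexpected parameters
        and values outside the learned class."""
        if self.mode == "learning":
            for name, value in params.items():
                self.seen[url][name].add(value)
            return True, "learning"
        rules = self.profile.get(url)
        if rules is None:
            return False, f"unknown url {url}"
        for name, value in params.items():
            rule = rules.get(name)
            if rule is None:
                return False, f"no learned rule for parameter {name}"
            if not rule[1].fullmatch(value):
                return False, f"{name} outside learned class '{rule[0]}'"
        return True, "allowed"
```

A URL never seen in learning mode is denied outright, which is why dynamic URLs appear on the presenters' list of "tricky" applications that need a separate plan.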

• Focusing on .NET Development for New Apps
  ◦ Increased data input validation
• Project Plans and Change Management
  ◦ Project plans include security and privacy section
  ◦ More Formalized Change Management Procedures
• Increasing Developer Awareness of Common Web Application Attacks
  ◦ Increased training and tools
  ◦ Peer reviews of code

• Payment Card Industry Data Security Standard (PCI-DSS) version 1.2
  ◦ Required as of June 30, 2008
• Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
• Installing a web-application firewall in front of public-facing web applications
• Forces someone other than your developers to understand the functionality of your site

• Contact Info
  ◦ Ben Pratt
• Evaluations
• Questions?