SIGITE 2008: 16-18 Oct Integrating Web Application Security into the IT Curriculum James Walden Northern Kentucky University.

Slides:



Advertisements
Similar presentations
Guide to Network Defense and Countermeasures Second Edition
Advertisements

 The Citrix Application Firewall prevents security breaches, data loss, and possible unauthorized modifications to Web sites that access sensitive business.
Current Security Threats WMO CBS ET-CTS Toulouse, France May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.
Prime’ Senior Project. Presentation Outline What is Our Project? Problem Definition What does our system do? How does the system work? Implementation.
Vulnerability Assessment Course Applications Assessment.
Barracuda Web Application Firewall
August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.
Web 2.0 security Kushal Karanjkar Under guidance of Prof. Richard Sinn.
Firewalls and Intrusion Detection Systems
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
James Walden, Maureen Doyle Northern Kentucky University Students: Andrew Plunkett, Rob Lenhof, John Murray.
INTRODUCTION The Group WEB BROWSER FOR RELATION Goals.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Firewalls Presented By Hareesh Pattipati. Outline Introduction Firewall Environments Type of Firewalls Future of Firewalls Conclusion.
IST346:  Web Services. Today’s Agenda  Learn the basics of how the Web works  Understand various web service architectures  Address scaling, security,
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
Course 201 – Administration, Content Inspection and SSL VPN
W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.
Securing Legacy Software SoBeNet User group meeting 25/06/2004.
LINUX Security, Firewalls & Proxies. Course Title Introduction to LINUX Security Models Objectives To understand the concept of system security To understand.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
FORESEC Academy FORESEC Academy Security Essentials (II)
CSCI 6962: Server-side Design and Programming Course Introduction and Overview.
Lixin Tao, Li-Chiou Chen & Chienting Lin Pace University
Databases and the Internet. Lecture Objectives Databases and the Internet Characteristics and Benefits of Internet Server-Side vs. Client-Side Special.
April 14, 2008 Secure Coding Faculty Workshop Web Application Security: Exercise Development Approaches James Walden
Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.
March 4, 2008 ISACA Web Application Security James Walden Northern Kentucky University
What is FORENSICS? Why do we need Network Forensics?
Penetration Testing James Walden Northern Kentucky University.
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
May 2, 2007St. Cloud State University Software Security.
Web 2.0 Security James Walden Northern Kentucky University.
Web Application Firewall (WAF) RSA ® Conference 2013.
1 CHAPTER 2 LAWS OF SECURITY. 2 What Are the Laws of Security Client side security doesn’t work Client side security doesn’t work You can’t exchange encryption.
Lecture 16 Page 1 Advanced Network Security Perimeter Defense in Networks: Virtual Private Networks Advanced Network Security Peter Reiher August, 2014.
The benefits of externalizing Web DMZ-as-a-Service in the Cloud James Smith, Sr. Security Sentrix
1 Topic 2: Lesson 3 Intro to Firewalls Summary. 2 Basic questions What is a firewall? What is a firewall? What can a firewall do? What can a firewall.
Fundamentals of Proxying. Proxy Server Fundamentals  Proxy simply means acting on someone other’s behalf  A Proxy acts on behalf of the client or user.
October 3, 2008IMI Security Symposium Application Security through a Hacker’s Eyes James Walden Northern Kentucky University
Web Applications Testing By Jamie Rougvie Supported by.
Module 7: Advanced Application and Web Filtering.
Module 11: Designing Security for Network Perimeters.
New Techniques in Application Intrusion Detection Al Huizenga, Mykonos Product Manager May 2010.
Security fundamentals Topic 10 Securing the network perimeter.
ITGS Network Architecture. ITGS Network architecture –The way computers are logically organized on a network, and the role each takes. Client/server network.
Chapter 8 Network Security Thanks and enjoy! JFK/KWR All material copyright J.F Kurose and K.W. Ross, All Rights Reserved Computer Networking:
NKU James Walden Director of the CIS
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Web Security. Introduction Webserver hacking refers to attackers taking advantage of vulnerabilities inherent to the web server software itself These.
Role Of Network IDS in Network Perimeter Defense.
Mark Shtern.  Our life depends on computer systems  Traffic control  Banking  Medical equipment  Internet  Social networks  Growing number of.
By Ramesh Mannava.  Overview  Introduction  10 secure software engineering topics  Agile development with security development activities  Conclusion.
Regan Little. Definition Methods of Screening Types of Firewall Network-Level Firewalls Circuit-Level Firewalls Application-Level Firewalls Stateful Multi-Level.
Kali Linux BY BLAZE STERLING. Roadmap  What is Kali Linux  Installing Kali Linux  Included Tools  In depth included tools  Conclusion.
Penetration Testing By Blaze Sterling. Roadmap What is Penetration Testing How is it done? Penetration Testing Tools Kali Linux In depth included tools.
Unit 2 Personal Cyber Security and Social Engineering Part 2.
Information Systems Design and Development Security Precautions Computing Science.
Presented By Hareesh Pattipati.  Introduction  Firewall Environments  Type of Firewalls  Future of Firewalls  Conclusion.
Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.
Srinivas Balivada USC CSCE548 07/22/2016.  Cookies are generally set server-side using the ‘Set-Cookie’ HTTP header and sent to the client  In PHP to.
Web Application Protection Against Hackers and Vulnerabilities
Critical Security Controls
World Wide Web policy.
What is REST API ? A REST (Representational State Transfer) Server simply provides access to resources and the REST client accesses and presents the.
HTML Level II (CyberAdvantage)
Myths About Web Application Security That You Need To Ignore.
AKAMAI INTELLIGENT PLATFORM™
Presentation transcript:

SIGITE 2008: Oct Integrating Web Application Security into the IT Curriculum James Walden Northern Kentucky University

SIGITE 2008: Oct Topics 1. Why should we teach web application security? 2. What material do we need to cover? 3. How should we cover that material? 4. Where do we go from here?

SIGITE 2008: Oct Is Web Hacking Really That Easy? “Exploits of a Mom”, XKCD

SIGITE 2008: Oct Vulnerability Growth

SIGITE 2008: Oct Web Vulnerabilities Dominate

SIGITE 2008: Oct Reasons for Attacking Web Apps

SIGITE 2008: Oct Firewalls Don’t Protect Web Apps Firewall Port 80 HTTP Traffic Web Client Web Server Application Database Server telnet ftp

SIGITE 2008: Oct Browser Malware Bypasses Firewall

SIGITE 2008: Oct Goals 1. Identify and explain common vulnerabilities. 2. Explain security implications of client-side technologies like Javascript and ActiveX. 3. Detect security vulnerabilities in web applications using appropriate tools. 4. Design and implement web applications that do not contain common vulnerabilities. 5. Deploy and configure a web application in a secure manner.

SIGITE 2008: Oct Topic Outline 1. Web Application Input 2. Client-side Technologies 3. Input-based Attacks 4. Injection Attacks 5. Cross-site Attacks 6. Authentication 7. Secure Programming 8. Operational Security

SIGITE 2008: Oct Web App Security in IT2005 Web Application Security IPT5 Software Security IAS6 Security Domains WS5 Web Security IAS11 Vulnerabilities

SIGITE 2008: Oct Labs 1. WebGoat exercises on specific vulnerabilities. 2. Using a testing proxy to solve more advanced WebGoat exercises. 3. Assessing an application using a web vulnerability scanner. 4. Assessing a web application using a testing proxy. 5. Reviewing the code of an application using a static analysis tool. 6. Deploying a web application firewall. 7. Participating in the international CTF competition.

SIGITE 2008: Oct WebGoat

Tools Web Proxies Web Application Firewalls Static Analysis Vulnerability Scanners

SIGITE 2008: Oct Web Proxies

SIGITE 2008: Oct Altering Form Parameters

SIGITE 2008: Oct Fuzz Testing Fuzz testing consists of  Sending unexpected input.  Monitoring for exceptions.

SIGITE 2008: Oct Web Application Firewalls What is a WAF? Web monitoring. Web monitoring. Access control. Access control. Behind SSL endpoint. Behind SSL endpoint.A/K/A Deep packet inspection. Deep packet inspection. Web IDS/IPS. Web IDS/IPS. Web App Proxy/Shield. Web App Proxy/Shield.mod_security Open source. Open source. Embeds in Apache. Embeds in Apache. Reverse proxy. Reverse proxy.

SIGITE 2008: Oct Vulnerability Scanners 1. Spiders site. 2. Identifies inputs. 3. Sends list of malicious inputs to each input. 4. Monitors responses.

SIGITE 2008: Oct Static Analysis Automated assistance for code auditing Speed: review code faster than humans can Accuracy: hundreds of secure coding rules Results Tools Coverity Coverity FindBugs FindBugs Fortify Fortify Klocwork Klocwork Ounce Labs Ounce Labs

SIGITE 2008: Oct Labs 1. WebGoat exercises on specific vulnerabilities. 2. Using a testing proxy to solve more advanced WebGoat exercises. 3. Assessing an application using a web vulnerability scanner. 4. Assessing a web application using a testing proxy. 5. Reviewing the code of an application using a static analysis tool. 6. Deploying a web application firewall. 7. Participating in the international CTF competition.

SIGITE 2008: Oct Approaches 1. Students evaluate and fix their own code. 1. Students learn about their own coding mistakes. 2. Scale of project limited to what students can write. 2. Students evaluate and fix your code. 1. Write a web application designed for teaching students. 3. Students evaluate and fix someone else’s code. 1. Use a web application designed for teaching. 2. Analyze an open source web application with known vulnerabilities reported in NVD or other bug db.

SIGITE 2008: Oct Teaching Applications Hacme Bank, Books, Casino, Travel

SIGITE 2008: Oct Future Directions: AJAX Security Asynchronous Javascript and XML  Expanded server side API.  Server API calls can be issued in any order by attacker; cannot assume calls issued in order by your client.  Larger amount of client state.  Client/server communication using data (XML/JSON) rather than presentation (HTML.)

SIGITE 2008: Oct Future Directions: Web Sec Class 1. Web Application Input 2. Client-side Technologies 3. Service Oriented Architectures 4. AJAX 5. Input-based Attacks 6. Injection Attacks 7. Race Conditions 8. Cross-site Attacks 9. Authentication 10. Secure Programming 11. Operational Security

SIGITE 2008: Oct Conclusions 1. Defense is shifting from network to application layer. Firewalls, anti-virus, SSL input validation, WAF 2. Students need to learn to identify vulnerabilities. 1. Static analysis of source code. 2. Web proxies and scanners for testing. 3. Students need to learn to remediate vulnerabiliites. 1. Web application firewalls for immediate short-term fixes. 2. Repairing source code for long term fixes.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.