Presentation is loading. Please wait.

Presentation is loading. Please wait.

Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.

Published byLondon Perrier Modified over 9 years ago

Similar presentations

Presentation on theme: "Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012."— Presentation transcript:

1 Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012

2 Infosec 2012 | 25/4/12 Introduction Application Security vs. Data Security Current Application Security Approach –Vulnerability vs. Risk –Technique vs. Goal Challenges of Existing Application Security Solutions New Approach for Application Data Security

3 Infosec 2012 | 25/4/12 About Myself 16 years in information/application security (Over 10 years hands on penetration testing) Research, Development, Enhancement –Attack & Defense Techniques –WAF / AppSec Testing Products Regular Speaker in Security Conferences OWASP Global Membership Committee & Chairman of OWASP Israel

4 Infosec 2012 | 25/4/12 The Problem Application Security – Goal or Mean? Importance of Protecting Persistent Data DB Security Solutions – Is It Enough? Influence of App Vulns on Data Security AppSec As a Mean for Data Protection AppSec As Integrate Part of R&D?

5 Infosec 2012 | 25/4/12 Current Approach Approach Too Technical Focus on Technical Aspects –Examine it from the vulnerability perspective –Focus on injections & technical problems –Analysis of code, rather than application –Ignoring application data Focus on technology instead of risk Hard to fit into the development lifecycle

6 Infosec 2012 | 25/4/12 Too Many Vulnerabilities… SQL Injection Cross Site Scripting Cross Site Request Forgery Parameter Tampering Forceful Browsing Session Riding Hidden Field Manipulation LDAP Injection Cookie Poisoning CRLF Injection HTTP Response Splitting XPath Injection Directory Traversal OS Commanding Session Hijacking Insecure Redirect Flow Bypassing Director Listing Insecure Password Storage File Inclusion No User Lockout Unauthenticated Access Buffer Overflow No SSL Session Fixation Detailed Error Messages Misconfiguration Information Leakage URL Encoding

7 Infosec 2012 | 25/4/12 Going Back to the Roots Risk Based Approach CIA –Confidentiality –Integrity (+ Non Repudiation) –Availability Assess Application Vulnerabilities Based on Data Risk

8 Infosec 2012 | 25/4/12 Data Oriented Approach Taking a Data-Oriented Approach to Application Security Testing Logical vs Technical Business Impact Level of Exploitability Risk, Risk, Risk

9 Infosec 2012 | 25/4/12 Example: Unauthorized Data Modification The Attack is Data Modification Can be performed in various ways: –Parameter Tampering –Flow Bypassing –SQL Injection –Cross Site Scripting –Cross Site Request Forgery

10 Infosec 2012 | 25/4/12 The Problem – Take II Existing Solutions – Too Technical No One Used Data Oriented Approach –DAST (Scanners) Analyze Request/Responses – No Data Access Focused on Technical Vulnerabilities –SAST (Static Analyzers) Only Static Code – No Data Access Focused on Technical Vulnerabilities –Pentesters – Better, But Still Mostly Technical

11 Infosec 2012 | 25/4/12 The Problem – Take II Result – Low Security ROI – €€€ spent on solutions not focused on data risk – €€€ spent on professional services trying to sort through the thousands of results – €€€ spent on R&D hours of fixing unnecessary fixes High Costs, Unfocused Efforts, Inefficient.

12 Infosec 2012 | 25/4/12 The Solution: Data Centric Application Security Analysis of Actual Data Handling in System Automatic Data Classification –Sensitivity –Ownership –Accessibility –etc. Identifying Vulns Which Pose Real Risk Verification of Actual Risk Level

13 Infosec 2012 | 25/4/12 Advantages Focus on Real Vulnerabilities Holistic Approach (Application, not Code) Support for Business Transactions –Multi Tier, Multi Step Components, etc. Identify Vulnerabilities Otherwise Unidentified Identify Potential Data Breaches Easy to Integrate into R&D

14 Infosec 2012 | 25/4/12 The Data Centric Approach More REAL Vulnerabilities No IRRELEVANT Vulnerabilities Efficient, Practical, Focused Fits R&D Security Program Provides High Security ROI

15 Infosec 2012 | 25/4/12 About Quotium New Generation Application Security Data Oriented Approach Utilizes new Runtime Analysis Engine –Analysis of application data and code –Exploit verification to classify risk. Intuitive & Easy to Use Adaptive to the Development Process

16 Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer Maor ofer@quotium.com Come Visit Us! Booth #F51

Download ppt "Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012."

Similar presentations

Webgoat.

Webgoat.
OWASP’s Ten Most Critical Web Application Security Vulnerabilities

OWASP’s Ten Most Critical Web Application Security Vulnerabilities
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
Xiao Zhang and Wenliang Du Dept. of Electrical Engineering & Computer Science Syracuse University.

Xiao Zhang and Wenliang Du Dept. of Electrical Engineering & Computer Science Syracuse University.
OWASP Web Vulnerabilities and Auditing

OWASP Web Vulnerabilities and Auditing
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
HVC2012 | 8-Nov-12 Application Performance Monitoring Ofer Maor CTO HVC2012 8 Nov 2012 Haifa, Israel.

HVC2012 | 8-Nov-12 Application Performance Monitoring Ofer Maor CTO HVC Nov 2012 Haifa, Israel.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.

© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.
Vulnerability Assessment Course Applications Assessment.

Vulnerability Assessment Course Applications Assessment.
Barracuda Web Application Firewall

Barracuda Web Application Firewall
Application Security: What Does it Take to Build and Test a “Trusted” App? John Dickson, CISSP Denim Group.

Application Security: What Does it Take to Build and Test a “Trusted” App? John Dickson, CISSP Denim Group.
ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.

ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.
Security in Application & SDLC

Security in Application & SDLC
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Www.cyberoam.com © Copyright 2012 Elitecore Technologies Ltd. All Rights Reserved. Securing You Web Application Firewall Protection CYBEROAM UTM’s Unified.

© Copyright 2012 Elitecore Technologies Ltd. All Rights Reserved. Securing You Web Application Firewall Protection CYBEROAM UTM’s Unified.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Similar presentations

Ads by Google