Securing the New Breed of Web Applications · 2017-03-03


Page 1:

Securing the New Breed of Web Applications

Dave Ferguson

Solution Architect, Application Security SME

Page 2:

Web Application Security

Often overlooked or neglected

Regulatory compliance

Reduce risk / due diligence

Contract language may include application security

But how to assure your applications are secure?


Page 3:

Application Testing Approaches


Dynamic Analysis

Static Code Analysis

Manual penetration testing

Page 4:

In the Beginning


Timeline, 1995 to 2002:

Static site / HTML 4

Server-side Includes

CGI

Classic ASP

ColdFusion

PHP

Java servlets / JSPs

ASP.NET

Page 5:

Web 2.0


Timeline, 2002 to 2009:

Dynamic HTML

AJAX

JSON

Flash/Flex

Silverlight

JavaFX

Mashups

Page 6:

The New Breed of Web Apps


Timeline, 2009 to 2016:

HTML5

AngularJS

WebSocket

Single Page Apps

GWT

REST APIs

URL Rewriting

Backbone JS

Ext JS

Page 7:

Challenges for Dynamic Scanners

Web Applications

Crawling must be more intelligent

Can't simply parse HTML to find links or forms

Identify JavaScript events to "fire" them

Determine injection points in rewritten URLs, where parameters travel in the path instead of the query string

REST APIs

Commonly used as backend for mobile apps

Crawling concept does not apply (there are no pages with links to follow)

Tool must know how to invoke the service endpoints
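An added example, not part of Dave Ferguson's slides, showing the gap between HTML-only crawling and the JavaScript-aware approach the slide calls for. The single-page-app fragment, its routes and its API endpoints are constructed for illustration, and the regular-expression heuristics stand in for the JavaScript execution a real scanner performs in a headless browser:

```python
"""Added example (not from the original slides): why a dynamic scanner cannot
rely on parsing HTML alone, and how it can recover injection points from
URL-rewritten paths and JavaScript-driven routes.

Everything runs offline on a small constructed SPA fragment; the markup,
routes and endpoints below are made up for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed SPA fragment: the only static link is the bootstrap script;
# every real route and API endpoint lives inside JavaScript.
SAMPLE_HTML = """
<html><body>
<div id="app"></div>
<button onclick="loadOrders()">Orders</button>
<script src="/static/app.js"></script>
<script>
  const ROUTES = ['/users/42/profile', '/orders/2017-03/detail'];
  function loadOrders() { fetch('/api/v1/orders?status=open'); }
  document.getElementById('app').addEventListener('click', () => fetch('/api/v1/me'));
</script>
</body></html>
"""


class StaticLinkParser(HTMLParser):
    """The old approach: collect href/src/action attributes from the markup."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(value)


def static_links(html):
    """What an HTML-only crawler sees: just the script tag, no routes at all."""
    parser = StaticLinkParser()
    parser.feed(html)
    return parser.links


# Simplistic heuristics a JS-aware crawler adds on top of static parsing.
EVENT_ATTR = re.compile(r'on(\w+)="([^"]+)"')
LISTENER = re.compile(r"addEventListener\(\s*['\"](\w+)['\"]")
URL_LITERAL = re.compile(r"['\"](/[A-Za-z0-9_./?=&-]+)['\"]")


def js_events(html):
    """Inline handlers and addEventListener registrations the crawler should fire."""
    events = [f"{ev}:{handler}" for ev, handler in EVENT_ATTR.findall(html)]
    events += [f"{ev}:listener" for ev in LISTENER.findall(html)]
    return events


def js_urls(html):
    """Absolute-path string literals inside the page (routes and API calls)."""
    return sorted(set(URL_LITERAL.findall(html)))


def injection_points(url):
    """Treat every path segment of a rewritten URL as a parameter.

    /users/42/profile carries no query string, yet '42' clearly reaches the
    backend. Returns ('path', index, value) and ('query', name, value) tuples.
    """
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    points = [("path", i, s) for i, s in enumerate(segments)]
    for kv in (parts.query.split("&") if parts.query else []):
        name, _, value = kv.partition("=")
        points.append(("query", name, value))
    return points


def inject(url, point, payload):
    """Build the test URL with the payload substituted at one injection point."""
    parts = urlsplit(url)
    kind, where, _ = point
    path, query = parts.path, parts.query
    if kind == "path":
        segments = [s for s in path.split("/") if s]
        segments[where] = payload
        path = "/" + "/".join(segments)
    else:
        pairs = [kv.partition("=") for kv in query.split("&")]
        query = "&".join(f"{k}={payload if k == where else v}" for k, _, v in pairs)
    return urlunsplit((parts.scheme, parts.netloc, path, query, ""))


if __name__ == "__main__":
    print("static links:", static_links(SAMPLE_HTML))
    print("events to fire:", js_events(SAMPLE_HTML))
    print("urls found in JS:", js_urls(SAMPLE_HTML))
    for point in injection_points("/users/42/profile"):
        print(inject("/users/42/profile", point, "42'"))
```

The static parser returns a single script URL for the whole application, while the JavaScript-aware pass finds two client-side routes, two API endpoints and two events that must be fired to reach them. The path-segment treatment is what lets a scanner test `/users/42/profile` at all; without it the URL looks parameterless and the `42` is never fuzzed.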


Page 8:

Responding to the Challenge


Page 9:

Dynamic Test Tools Are Evolving

Automation is critical (resources are scarce!)

Many scanners are adapting to the new web technologies

They are also adding tests for newer types of web vulnerabilities

Test coverage remains vital

Tool should be able to authenticate to the system

Tool should be able to crawl web apps, even those built on the newer JavaScript frameworks

Tool should support URL rewriting

Tool should support REST APIs


Page 10:

SDLC


Page 11:

Application Security Program

AppSec Center of Excellence

Maintain secure coding guidelines/standards

Organize security training for developers

Manage testing activities

Confirm third-party libraries have no known vulnerabilities

Track metrics to demonstrate improvement

OpenSAMM (www.opensamm.org)

BSIMM (www.bsimm.com)


Page 12:

Software Assurance Maturity Model


Page 13:

Security in the SDLC

Define security requirements

Maintain an inventory of applications

Scan apps early and often in the dev lifecycle

Leverage scan tool APIs to automate testing

Perform application threat modeling

Require secure code training for developers

Leverage the security features of development frameworks
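An added example, not part of the original slides, of the "scan early and often" and "leverage scan tool APIs" points above: a build gate that drives a scanner through its API and fails the pipeline on serious findings. The scanner API is hypothetical and is modelled as three callables (start, poll, fetch findings) so the logic runs offline; the findings and risk-acceptance exceptions are constructed sample data:

```python
"""Added example (not from the original slides): a CI gate built on a
scanner's API. The API itself is hypothetical and injected as callables;
most real scanners expose the same three steps (start a scan, poll its
status, pull the findings) under vendor-specific names.
"""
import time
from dataclasses import dataclass, field

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample data standing in for a scanner's findings export.
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "high", "title": "SQL injection in /users/{id}/profile"},
    {"id": "F-2", "severity": "high", "title": "Reflected XSS in /search"},
    {"id": "F-3", "severity": "medium", "title": "Missing X-Frame-Options header"},
    {"id": "F-4", "severity": "critical", "title": "Authentication bypass on /api/v1/admin"},
]
# Risk-accepted findings with an expiry date (ISO dates compare correctly as strings).
SAMPLE_EXCEPTIONS = {"F-2": "2017-06-30", "F-4": "2017-01-01"}


@dataclass
class GateResult:
    passed: bool
    blocking: list = field(default_factory=list)
    suppressed: list = field(default_factory=list)


def wait_for_scan(poll, scan_id, timeout_s=1800, interval_s=30, sleep=time.sleep):
    """Poll the (hypothetical) status call until the scan finishes.

    `poll(scan_id)` is assumed to return 'queued', 'running', 'finished' or
    'failed'. A scan that never finishes fails the build instead of silently
    passing it, which is the usual mistake in home-grown gates.
    """
    deadline = time.monotonic() + timeout_s
    while True:
        state = poll(scan_id)
        if state == "finished":
            return True
        if state == "failed":
            raise RuntimeError(f"scan {scan_id} failed on the scanner side")
        if time.monotonic() >= deadline:
            raise TimeoutError(f"scan {scan_id} did not finish within {timeout_s}s")
        sleep(interval_s)


def evaluate(findings, fail_on="high", exceptions=None, today="2017-03-03"):
    """Apply the gate policy: block on findings at or above `fail_on`,
    unless a non-expired exception covers the finding id."""
    exceptions = exceptions or {}
    threshold = SEVERITY_RANK[fail_on]
    result = GateResult(passed=True)
    for finding in findings:
        if SEVERITY_RANK.get(finding["severity"], 0) < threshold:
            continue
        expiry = exceptions.get(finding["id"])
        if expiry and expiry >= today:
            result.suppressed.append(finding["id"])
            continue
        result.blocking.append(finding["id"])
    result.passed = not result.blocking
    return result


def run_gate(start_scan, poll_status, get_findings, target, sleep=time.sleep, **policy):
    """Start, wait, fetch, evaluate; each callable wraps one scanner API call."""
    scan_id = start_scan(target)
    wait_for_scan(poll_status, scan_id, sleep=sleep)
    return evaluate(get_findings(scan_id), **policy)


if __name__ == "__main__":
    # Fake scanner: finishes on the third poll and returns the sample findings.
    states = iter(["queued", "running", "finished"])
    result = run_gate(
        start_scan=lambda target: "scan-1",
        poll_status=lambda scan_id: next(states),
        get_findings=lambda scan_id: SAMPLE_FINDINGS,
        target="https://app.example",
        sleep=lambda s: None,
        exceptions=SAMPLE_EXCEPTIONS,
    )
    print("passed:", result.passed)
    print("blocking:", result.blocking, "suppressed:", result.suppressed)
```

With the sample data the gate blocks on F-1 (high, no exception) and F-4 (critical, exception expired on 2017-01-01), suppresses F-2 under its still-valid exception, and ignores F-3 as below the threshold. Keeping the exception list in the repository next to the pipeline definition is what makes the "track metrics" point workable: the accepted risks are visible, dated and reviewed like any other change.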


Page 14:

Thank You