Transcript Slide 1
Is Your Web
Application Security
Cleared?
Dr. Ravi Kiran Raju Yerra
Vice President – Security Testing
Arsin Corporation
“Today over 70% of attacks against a company’s network come at the ‘Application
Layer’ not the Network or System layer.”
- Gartner
Snapshot of the Presentation
• About Me
• Web Applications – The Challenge
• Why Web Applications are Vulnerable
• Top 10 Vulnerabilities
• Is Application Security a Tool Business?
• Methodology
• Suggested Tools
• What's Next?
Documents> Security Services > Web Application
About Me
• Holds a Doctor of Science in Internet Security Management
• Has 15 years of experience in Information Technology & Information Security solutions
• Vice President – QA (Security Testing) at Arsin Corporation
• Actively involved in 10 different innovative information threat management projects with various universities across the globe
Web Applications – The Challenge
The World Wide Web has evolved into a global environment delivering applications such as reservation systems, online shopping or auction sites, games, multimedia applications, calendars, maps, chat applications or data entry/display systems, and many more.
Figure: Web Application
Web applications are characterized by multiculturalism, continuous change, fast pace and competitiveness, and high demands on user adaptivity. Thus, the complexity of securing such Web applications has increased significantly.
Figure: Web Server -> Application Server -> Database Server
Why is this important?
Why Web Applications are Vulnerable
• Application attacks are the latest trend when it comes to hacking.
• On average, 90% of all dynamic content sites have vulnerabilities associated with them.
• No single web server and database server combination has been found to be immune!
• Current security solutions do not offer adequate protection.
• Attacks pass through perimeter firewall security over port 80 (or 443 for SSL).
• Attacks exploit bugs and poor security programming practices in the software.
What is Web Application Security?
Web Application Security is not:
Traditional Layers – Traditional Security Controls
• Network Protocols: Firewalls, Routers, Operating System IP Stack Configuration and Filtering, VPNs, and Vulnerability Scanners
• Operating System: Operating System Patches and OS Configuration, Authentication, Authorization, Encryption, and Vulnerability Scanners
• Commercial and Open Source Applications: Minimize Services, Application Configuration, Patches, Application-level Authentication, Authorization, and Vulnerability Scanners
What is Web Application Security?
Web Application Security is:
Traditional Layers – Traditional Security Controls
• Network Protocols: Firewalls, Routers, Operating System IP Stack Configuration and Filtering, VPNs, and Vulnerability Scanners
• Operating System: Operating System Patches and OS Configuration, Authentication, Authorization, Encryption, and Vulnerability Scanners
• Commercial and Open Source Applications: Minimize Services, Application Configuration, Patches, Application-level Authentication, Authorization, and Vulnerability Scanners
• Custom Web Applications: Architecture, Design and Code Reviews, Application Scanners, Testing with Malicious Input
Data Flow example
How Bad Is It? – Vulnerability Reports
• Vulnerability reports consistently report Web Applications with the highest number of vulnerabilities.
• For example, SANS @RISK, Aug 2007:
SANS @RISK Aug 2007 (vulnerabilities reported per week)
Category               8/7   8/13   8/20   8/27   Total
Microsoft Products       0      5     15      0      20
Mac                      1      0      1      2       4
Linux                    4      5      1      5      15
Unix, Solaris, etc.      6      2      6      3      17
Network Device           1      2      3      5      11
Web Applications        50     35     23     22     130
Story
A Successful Hack
What are the Top 10 Vulnerabilities?
OWASP 2007 Top Ten List
A1. Cross-Site Scripting (XSS)
A2. Injection Flaws
A3. Malicious File Execution
A4. Insecure Direct Object Reference
A5. Cross Site Request Forgery (CSRF)
A6. Information Leakage & Improper Error Handling
A7. Broken Authentication & Session Management
A8. Insecure Cryptographic Storage
A9. Insecure Communications
A10. Failure to Restrict URL Access
www.owasp.org
Is Application Security a Tool Business?
• Web applications can be tested with a combination of tools.
• Typical Web Application Testing is held to be 30% tool and 70% manual effort.
• Tools often throw false positive results.
• Evaluating the scanner results and analysing the Statement of Applicability is key.
• Tools may not have the "Risk Based Approach".
The answer is NO.
Story
A Great Damage
Methodology
Methodology – Web Application Penetration Testing
Figure (testing cycle):
1. Test Against OWASP 2004
2. Test Against OWASP 2007
3. Test Protocol Security Issues
4. Mapping of Technical Vulnerabilities to Business Risks
5. Deliver Final Reports
6. Recommend / Implement Solutions
7. Re-Test the Application
Methodology – Contd.
Testing Against OWASP 2004:
• Understand the applications in detail.
• Test against OWASP 2004 (intrusive / non-intrusive methods).
• Authorized user test & black box testing.
Testing Against OWASP 2007 & Protocol Security Testing:
• Test against OWASP 2007 (intrusive / non-intrusive methods) & implement fuzzing techniques for protocol analysis.
• External code posture analysis.
Deliver Report:
• On successful completion of testing, Arsin delivers an Executive and Technical report with the applicable recommendations.
Recommend or Implement Solutions:
• Recommend appropriate solutions, including code snippet design.
• If required, Arsin COE Security also helps in implementing the solutions.
Re-Test the Fixed Applications:
• Re-test the entire application against OWASP 2004 & 2007 and protocol issues.
• The retesting process continues until the remaining bugs are reduced to < 5% (non-severe).
Are there any suggested tools?
There are a couple of industry-standard commercial and open source tools, such as:
• Rational AppScan from IBM
• WebScarab from OWASP
• HP WebInspect, etc.
What's Next?
Next!
• Generally, web applications are tested against the "Application" only.
• Web applications must also undergo the respective protocol security testing, i.e. HTTP, HTTPS, etc.
• This means security testing must extend from the "Application Layer" to the "Network Layer".
• Web Services security testing will also play an important role.
Queries
Dr. Ravi Kiran Raju Yerra
[email protected]
IM – Yahoo : brightvaio
Image References: Black Hat Briefings & www.owasp.org
Thank You
For More Details
Jonathan McClean
[email protected]