INTRODUCTIONS
PART 1: The Evolution of Web Applications and Why They Need to Be Secured
PART 2: Web Application Vulnerabilities in Depth and Hacking Demonstration
PART 3: Business Drivers Behind Web Application Security and Current Regulations
PART 4: Managing and Detecting Web Application Vulnerabilities Throughout the Application Lifecycle
PART 5: About WebInspect, About Our Partner, Closing and Q&A
SPI Dynamics
Common Web Applications
[Diagram: Browser (HTML, wireless browsers, media) talks to the Web Server (CGI), which talks to the Application Server, which talks to the Database Server. Layers shown: Presentation Layer (browser), Business Logic (customer identification, content access controls, transaction information), Core Business Data (data store).]
Web Applications Invite Public Access
[Diagram: INTERNET on the outside, INSIDE behind the firewall. HTTP(S) traffic from the Internet is allowed through the firewall to the web server; the firewall only allows the application server to talk to the database server.]
Recent Web Application Hack Example
Victoria’s Secret, November 27, 2002
A vulnerability at the Victoria’s Secret web site allowed customers who purchased items there to view other customers’ orders. By simply changing the data in the URL address line the web application was manipulated.
Ziff Davis Hacked August 2002
Ziff Davis Media has agreed to revamp its website's security and pay affected customers $500 each after lax security exposed the personal data of thousands of subscribers last year.
The agreement between Ziff Davis -- publisher of PC Magazine and other tech titles, including a slew of gaming magazines -- and attorneys general from New York, Vermont and California came after web surfers discovered an unprotected data file on Ziff Davis' site in November.
The file contained names, addresses, e-mail addresses -- and, in some instances, credit card numbers -- of 12,000 people who signed up for a special promotion to receive Electronic Gaming Monthly magazine.
Other Hacked Websites
Web Application Vulnerabilities
Platform: Known Vulnerabilities
• Known vulnerabilities can be exploited immediately with a minimum of skill or experience – “script kiddies”
• Most easily defendable of all web vulnerabilities
• MUST have streamlined patching procedures
• MUST have inventory process
Web Application Vulnerabilities
Administration:
• Information Disclosures
• Hacking is 99% information disclosure
• Less easily corrected than known issues
• Require increased awareness
• More than just configuration, must be aware of security flaws in actual content
• Remnant files can reveal applications and versions in use
• Backup files can reveal source code and database connection strings.
Administration checks: Extension Checking, Common File Checks, Data Extension Checking, Backup Checking, Directory Enumeration, Path Truncation, Hidden Web Paths, Forceful Browsing
Application Programming:
• Common coding techniques do not necessarily include security
• Input is assumed to be valid, but not tested
• Inappropriate file calls can reveal source code and system files
• Unexamined input from a browser can inject scripts into page for replay against later visitors
• Unhandled error messages reveal application and database structures
• Unchecked database calls can be ‘piggybacked’ with a hacker’s own database call, giving direct access to our business data through a web browser
Application checks: Parameter Manipulation, Cross-Site Scripting, SQL Injection, Buffer Overflow, Reverse Directory Traversal, JAVA Decompilation, Path Truncation, Hidden Web Paths, Cookie Manipulation, Application Mapping, Backup Checking, Directory Enumeration
[Diagram: the three vulnerability layers, Platform, Administration and Application.]
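The two flaws the deck has just described, the order number changed in the URL address line (the Victoria’s Secret example) and the unchecked database call that a second condition can be ‘piggybacked’ onto, side by side with the corrected lookup. This is an added Python/sqlite3 example, not code from the original presentation; the orders table, its rows and the function names are assumptions.

```python
import sqlite3

# Constructed sample data for the demonstration; the orders table, the rows
# and the function names are assumptions, not anything from the original deck.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (order_id INTEGER, customer_id INTEGER, item TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(1001, 7, "gift card"), (1002, 8, "robe"), (1003, 7, "slippers")])
    return db

def get_order_vulnerable(db, order_id_param):
    # The value from the URL is pasted straight into the statement and the
    # query never asks which customer is logged in: editing the number in the
    # address bar returns another customer's order, and a crafted value is
    # appended ("piggybacked") to the query as SQL rather than treated as data.
    sql = "SELECT order_id, customer_id, item FROM orders WHERE order_id = " + order_id_param
    return db.execute(sql).fetchall()

def get_order_hardened(db, session_customer_id, order_id_param):
    # 1. Validate the untrusted input against the type the application expects.
    if not order_id_param.isdigit():
        return None
    # 2. Bind the value as a parameter so the driver treats it as data only.
    # 3. Scope the lookup to the authenticated customer (taken from the
    #    session, never from the URL) so an order id alone cannot be used to
    #    walk through other customers' orders.
    row = db.execute(
        "SELECT order_id, customer_id, item FROM orders "
        "WHERE order_id = ? AND customer_id = ?",
        (int(order_id_param), session_customer_id),
    ).fetchone()
    return row  # None when the order does not exist or is not this customer's

if __name__ == "__main__":
    db = make_db()
    # Customer 7 is logged in and tampers with the order id in the URL.
    print(get_order_vulnerable(db, "1002"))         # another customer's order leaks
    print(get_order_vulnerable(db, "1001 OR 1=1"))  # every order leaks
    print(get_order_hardened(db, 7, "1002"))        # None
    print(get_order_hardened(db, 7, "1001"))        # (1001, 7, 'gift card')
```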
Live Web Application Hacking Demo
What is HIPAA?
Health Insurance Portability and Accountability Act of 1996
US Public Law 104-191
Regulatory requirements for use of healthcare information
What is GLBA?
Gramm-Leach-Bliley Act of 1999
U.S. Public Law 106-102 (113 Stat. 1338)
Regulatory requirements for Financial Institutions
What is Sarbanes-Oxley?
Sarbanes-Oxley Act of 2002 (also known as SOX)
U.S. Public Law 107-204
Regulatory requirements for Public Company Accounting Practices
IT organizations must pay particular attention to Section 404: Management Assessment Of Internal Controls
What is SB 1386?
In effect since July 1st, 2003, SB 1386 is a far-reaching law that states any breach of computer security which results in the loss of personal data of any California resident, or which MIGHT have resulted in the loss of personal data of any California resident, must be publicly disclosed.
Application Lifecycle Phases
[Diagram: phases Design, Development, Testing, Production; constituencies Developers, QA, Security Operations and Auditors.]
Web Application ROI
John Pescatore, VP Gartner Group, Research Note “Require Vulnerability Testing During Software Development”, 10 September 2003
Web Application ROI
Chris King, META Group, Return On Intelligence: Assessing Application Vulnerability, Global Networking Strategies / Security & Risk Strategies, Client Advisor 2034, 12 August 2003
Web Application ROI
Eric Hemmendinger, Research director for security and privacy, Aberdeen Group
Web Application ROI
Ray Geroski, "WebInspect Learns as it Automates Web App Security Assessment", TechRepublic, Jan 7, 2003
Managing Web Application Vulnerabilities
[Diagram: four quadrants around "Web Application Security": A (Auditors), D (Developers), S (Security Operations), Q (QA).]
A – Auditors: Must find all the vulnerabilities in the enterprise and evaluate risks.
D – Developers: Must unit test for code related security issues during the development cycle.
Enterprise-Wide Web Application Security
Application Developers
• Must have clear cut security requirement to follow during Development and QA phases
• Need to run automated tests on code during Development phase
• Must utilize secure code for re-use
• Require automated testing products that integrate into current Web environment
Enterprise-Wide Web Application Security
Security Operations
• Must continually test application in a real world environment to assess impact of ongoing code changes
• Must look for all levels of web vulnerabilities
  • Platform
  • Informational
  • Application
Enterprise-Wide Web Application Security
Web Application Security testing must be applied in all phases of the Application Lifecycle and by all constituencies throughout the enterprise – Auditors, Application Developers, QA and Security Operations.
PART 5
Automated
Works with all web applications and web services (WebSphere, ColdFusion, Oracle Application Server, .NET, Weblogic and others)
Used across application lifecycle (development, QA, security operations/production, auditing)
Extensible, Flexible, Accurate, Comprehensive
Used by major organizations in all industries
WebInspect Product Line
WebInspect Features
Adaptive-Agents™ Technology
RCA (Recursive Crawl and Attack) Technology
Custom Scripting
Securebase™
SPI Tools
Smart Update™
Enterprise Framework
Survey-based policy generation
AVDL support (emerging interoperability standard being proposed by leading application security vendors as part of the OASIS standards process)
WebInspect Product Line
www.spidynamics.com
About Our Partner
Questions?
PART 5 – WebInspect Live Demo
For a free WebInspect 15-day trial download visit:
www.spidynamics.com