Part 6: Q&A
Introduction
[Figure: tiered web application architecture. Tiers, left to right: Wireless, Web Servers, Application Server, Database Server. Presentation Layer (Browser); Business Logic (Media Store, Content services); Customer Identification, Access Controls, Transaction Information, Core Business Data. HTTP passes through the firewall to the web tier; the firewall only allows the application server to talk to the database server. Source: Gartner Group]
Again, a demonstration!
Allow me to demonstrate!
Application Worm
The worm uses the Google search engine to find potential new infection targets. Google has now implemented blocking of Perl.Santy search requests, which is expected to greatly reduce the worm's ability to propagate and lower the risk of further infections.
Application hacking is becoming more complex as applications are becoming more complex. The possibilities are endless when it comes down to what you can exploit in web applications.
Privacy
• HIPAA (Health Insurance Portability and Accountability Act)
• SOX (The Sarbanes-Oxley Act)
• GLBA (Gramm-Leach-Bliley Act)
Disclosure
• CA1386
• Federal Trade Commission
Privacy Policy
• Practice
• PCI
SPI Dynamics Confidential
MANY others are coming VERY SOON
www.owasp.org
www.webappsec.org
www.securityfocus.com
www.spidynamics.com
From: http://www.ftc.gov/privacy/
"Under the FTC Act, the Commission guards against unfairness and deception by enforcing companies' privacy promises about how they collect, use and secure consumers' personal information."
Web security challenge:
Companies are being investigated for FTC violations because they are not living up to their stated privacy policy. Cases are summarized at http://www.webappsec.org/documents/real_world_web_hack
• PETCO
• Guess
• Many others
http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html
Go to VISA.COM and search for PCI
[Figure: application lifecycle. Phases: Requirements, Design, Development, Test (QA), Release, Support & Services. Cross-cutting activities: Pen Testing, Regulatory Compliance]
Application Developers
• Must have clear-cut security requirements to follow during the Development and QA phases
• Need to run automated tests on code during the Development phase
• Must utilize secure code for re-use
• Require automated testing products that integrate into the current environment
QA
• Must test applications not only for functionality but also for security
• Must test environments for potential flaws and insecurities
• Must provide detailed security flaw reports to development
• Require automated testing products that integrate into the current environment
Security Operations
• Must continually test the application in a real-world environment to assess the impact of ongoing code changes
• Must look for all levels of web vulnerabilities:
  • Platform
  • Informational
  • Application
- www.spidynamics.com
CGISecurity.net – http://www.cgisecurity.net/
For a free WebInspect™ 15-day trial download visit: www.spidynamics.com