Intro
-
Gartner group
In a decade, companies will deal with 30 times more information
-
McKinsey Group
Investors are willing to pay 28% more for stocks if company data is secure
-
Aberdeen Group
40% of companies now employ a CSO (Chief Security Officer)
https://www.nomoreransom.org/ is a site that offers tools to deal with ransomware
Web applications are the number one target of hackers
AppScan is a desktop solution that automates application security testing for IT security, auditors, and penetration testers
Certified Information Security Manager - get certified @
https://www.isaca.org/Certification/CISM-Certified-Information-Security-Manager/Pages/default.aspx
OWASP
https://www.owasp.org/index.php/Main_Page is a website that freely produces guidance on application security risks
OWASP maintains a list of top 10 critical application security risks
Using the list is considered industry best practice
WASC
The Web Application Security Consortium develops, adopts, and advocates standards for web application security
Intrusion Detection vs Intrusion Prevention
Types of Security Testing
-
Network / Infrastructure Testing
- Network Penetration test
-
Application Security Testing
- Vulnerability assessment using AppScan
- Application penetration test
- Partial / Component security test
- Tests used as part of the purchasing process
-
Black Box testing - Dynamic Application Security Testing (DAST)
- No information is provided about the target
-
White Box testing - Static Application Security Testing (SAST)
- Information about the target is provided to assist the test
- Includes logon details and, in some cases, code
- Traditionally used in function and unit test cycles
| | Dynamic Analysis | Static Analysis |
|---|---|---|
| Scan input | Live web application | Source code |
| Assessment techniques | Tampering with HTTP messages | Taint analysis & pattern matching |
| Results & output | Results are presented as HTTP messages (exploit requests) | Results are presented by line of code |
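To make the static-analysis row concrete, here is an added example (not part of these notes and not AppScan's own engine) of a minimal taint analysis over Python source using the standard `ast` module. It assumes, for illustration only, that reads from `request` are untrusted sources, that `execute()`/`system()` are sinks, and that `int()`/`escape()` sanitize; findings are reported by line number, as the table describes.

```python
import ast
# Illustrative rules for this example (not AppScan's rule set): reads from `request.*`
# are untrusted sources, execute()/system() are sinks, int()/escape() sanitize.
SOURCE_ROOTS = {"request"}
SINK_METHODS = {"execute", "system"}
SANITIZERS = {"int", "escape"}

class TaintTracker(ast.NodeVisitor):
    """Walks a module in source order, tracking which variables hold tainted data."""
    def __init__(self):
        self.tainted = set()
        self.findings = []  # (line number, sink name): results reported by line of code

    def _is_tainted(self, node):
        if isinstance(node, ast.Call) and getattr(node.func, "id", None) in SANITIZERS:
            return False  # e.g. int(request.args["id"]) is treated as cleaned
        if isinstance(node, ast.Name):
            return node.id in SOURCE_ROOTS or node.id in self.tainted
        return any(self._is_tainted(c) for c in ast.iter_child_nodes(node))

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name) and self._is_tainted(node.value):
                self.tainted.add(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in SINK_METHODS and node.args:
            # Only the query/command string (first argument) is checked; bound parameters are safe.
            if self._is_tainted(node.args[0]):
                self.findings.append((node.lineno, func.attr))
        self.generic_visit(node)

def find_taint_flows(source_code):
    """Return [(line, sink)] for each sink whose first argument derives from user input."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(source_code))
    return tracker.findings

# Constructed sample handler to scan (Flask-style names; it is parsed, never executed).
SAMPLE = '''def lookup(request, cursor):
    uid = request.args.get("id")
    cursor.execute("SELECT * FROM users WHERE id = " + uid)
    cursor.execute("SELECT * FROM users WHERE id = %s", (uid,))
    safe_id = int(request.args.get("id"))
    cursor.execute("SELECT * FROM users WHERE id = %d" % safe_id)
    os.system("ping " + request.args.get("host"))
'''
```

Running `find_taint_flows(SAMPLE)` flags lines 3 and 7 (string concatenation into a sink) while the parameterized query on line 4 and the `int()`-sanitized value on line 6 pass.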
Attack & Penetration Tests
An attacker can use a variety of techniques to exploit the web application. The following list shows some of the most common attacks:
- Parameter tampering: Modifying parameters that form part of the URL or hidden HTML form tags
- Forced Parameter: Tampering with debug and test flags within the passed code to change the nature of the application
- Cookie Poisoning: Modifying cookies in order to gain unauthorized access
- Cross-site scripting: Injecting a script into unsanitized input fields, which can lead to phishing attacks
- SQL injection: Passing SQL code into unsanitized input fields
- Brute-force attack: Cycling through a predefined list of logins
- Buffer Overflow: Sending too much data into a buffer, causing an overflow - might execute the "extra" data
- Direct access browsing: Browsing directly to directories on the server, bypassing any authentication
- Directory traversal: Traversing up the web server directory structure in order to gain access to the web root
- Form manipulation: Exploiting credentials that are passed in plain text within the HTTP POST request
Altoro Mutual is a mock website that IBM set up to test attacks
The source is available on GitHub @
https://github.com/tapansirol/AltoroMutual