SPI Dynamics Web Application Security 101
Posted on 21-Oct-2014
Web application security 101 explained by SPI Dynamics.
![Page 1: SPI Dynamics web application security 101](https://reader033.vdocuments.net/reader033/viewer/2022052521/5445928fb1af9fdb068b45bd/html5/thumbnails/1.jpg)
Web Application Security
![Page 2: SPI Dynamics web application security 101](https://reader033.vdocuments.net/reader033/viewer/2022052521/5445928fb1af9fdb068b45bd/html5/thumbnails/2.jpg)
security. protection. intelligence.
Q: Where Do Your Current Security Measures Fail?
A: Your Proprietary, Custom written Web Applications
![Page 3: SPI Dynamics web application security 101](https://reader033.vdocuments.net/reader033/viewer/2022052521/5445928fb1af9fdb068b45bd/html5/thumbnails/3.jpg)
Today over 70% of attacks against a company’s Web site or Web application come at the ‘Application Layer’, not the Network or System layer.
A complete security solution requires attention at each potential point of attack.
![Page 4: SPI Dynamics web application security 101](https://reader033.vdocuments.net/reader033/viewer/2022052521/5445928fb1af9fdb068b45bd/html5/thumbnails/4.jpg)
Q: So how do we remedy this situation?
A: Enact policies requiring your developers to write secure code.
• Verify that all request parameters are in the proper format (via a standard library).
• Any unknown or incorrect user data should be logged and the request terminated.
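The two rules on this slide (check every request parameter against a known format using a standard library, and log and terminate anything unknown or malformed) amount to allow-list validation. The Python below is an added example, not code from the presentation or from SPI Dynamics; the parameter names, their formats and the sample query strings are constructed for illustration.

```python
"""Allow-list validation of request parameters.

Every expected parameter has a declared format (a compiled regular
expression from the standard library).  A request is accepted only if
every parameter it carries is known and fully matches its format; any
unknown, duplicate or malformed parameter is logged and the whole
request is rejected.  Parameter names and formats are constructed for
this example; a real application declares its own set.
"""
import logging
import re
from urllib.parse import parse_qsl

log = logging.getLogger("request-validation")

# Allow-list: parameter name -> pattern the value must fully match (constructed).
PARAMETER_FORMATS = {
    "account_id": re.compile(r"[0-9]{1,10}"),
    "page": re.compile(r"[1-9][0-9]{0,3}"),
    "sort": re.compile(r"(?:date|amount|name)"),
    "q": re.compile(r"[A-Za-z0-9 ]{0,64}"),
}


class InvalidRequest(Exception):
    """Raised to terminate processing of a request that failed validation."""


def validate_parameters(query_string: str) -> dict:
    """Return the validated parameters, or raise InvalidRequest.

    Unknown names, duplicate names and values that do not fully match the
    declared format are all errors.  Every rejection is logged before the
    request is terminated so the audit trail records what was attempted.
    """
    errors = []
    params = {}
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        pattern = PARAMETER_FORMATS.get(name)
        if pattern is None:
            errors.append(f"unknown parameter {name!r}")
            continue
        if name in params:
            errors.append(f"duplicate parameter {name!r}")
            continue
        # fullmatch, not match/search: the whole value must fit the format.
        if pattern.fullmatch(value) is None:
            errors.append(f"parameter {name!r} has invalid format")
            continue
        params[name] = value
    if errors:
        # Log the reason rather than the raw value: rejected input is
        # untrusted and should not be copied verbatim into log files.
        log.warning("rejected request: %s", "; ".join(errors))
        raise InvalidRequest("; ".join(errors))
    return params


def handle(query_string: str) -> tuple:
    """Minimal request handler: (200, clean parameters) or (400, {})."""
    try:
        return 200, validate_parameters(query_string)
    except InvalidRequest:
        return 400, {}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample requests: one well-formed, three that must be rejected.
    for qs in (
        "account_id=1234&page=2&sort=date",
        "account_id=12ab",
        "account_id=1234&debug=true",
        "account_id=1234&account_id=5678",
    ):
        print(qs, "->", handle(qs))
```

The check is deliberately strict in both directions: a parameter the application never declared is rejected even if its value looks harmless, and a declared parameter is rejected unless its entire value matches the pattern. That is what makes the policy enforceable rather than advisory: there is one table of accepted inputs, and the log shows every request that fell outside it.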
![Page 5: SPI Dynamics web application security 101](https://reader033.vdocuments.net/reader033/viewer/2022052521/5445928fb1af9fdb068b45bd/html5/thumbnails/5.jpg)
But if you instituted this policy, how would you effectively enforce it? What measures would you have in place to make sure that they comply?
“An unenforceable policy, or one without a process to determine the outlined specifications, is just as good as no policy at all.”
![Page 6: SPI Dynamics web application security 101](https://reader033.vdocuments.net/reader033/viewer/2022052521/5445928fb1af9fdb068b45bd/html5/thumbnails/6.jpg)
Q: But I use XYZ Scanner, won’t it discover these types of vulnerabilities?
A: No, and this is why.
![Page 7: SPI Dynamics web application security 101](https://reader033.vdocuments.net/reader033/viewer/2022052521/5445928fb1af9fdb068b45bd/html5/thumbnails/7.jpg)
Where Today’s Security Measures Fail
![Page 8: SPI Dynamics web application security 101](https://reader033.vdocuments.net/reader033/viewer/2022052521/5445928fb1af9fdb068b45bd/html5/thumbnails/8.jpg)
Q: How can SPI Dynamics do all of this and the others can’t?
A: Because other scanners are a security Broadsword, where ours is a Security Scalpel.
WebInspect™ is NOT meant to replace any tools that are currently being used; instead it complements them.
![Page 9: SPI Dynamics web application security 101](https://reader033.vdocuments.net/reader033/viewer/2022052521/5445928fb1af9fdb068b45bd/html5/thumbnails/9.jpg)
How SPI Solves The Problem
![Page 10: SPI Dynamics web application security 101](https://reader033.vdocuments.net/reader033/viewer/2022052521/5445928fb1af9fdb068b45bd/html5/thumbnails/10.jpg)
WebInspect™ scans the whole site:
Web server
Web pages
Scripts
Proprietary applications
Cookies
[Diagram labels: Database Server, Internet IDS, Firewall, CC#’s Database, Users Database, Web Server]
![Page 11: SPI Dynamics web application security 101](https://reader033.vdocuments.net/reader033/viewer/2022052521/5445928fb1af9fdb068b45bd/html5/thumbnails/11.jpg)
WebInspect™
Scans authentication codes
Assesses security procedures
Carves into confidential data
… Just like a hacker would
[Diagram labels: Database Server, Internet IDS, Firewall, CC#’s Database, Users Database, Web Server]
![Page 12: SPI Dynamics web application security 101](https://reader033.vdocuments.net/reader033/viewer/2022052521/5445928fb1af9fdb068b45bd/html5/thumbnails/12.jpg)
WebInspect™
WebInspect™ automates our security expertise so that customers can simulate an advanced web-application attack on their own. WebInspect™ detects holes in both standard and proprietary applications and crawls the entire website in search of potential security problems.
![Page 13: SPI Dynamics web application security 101](https://reader033.vdocuments.net/reader033/viewer/2022052521/5445928fb1af9fdb068b45bd/html5/thumbnails/13.jpg)
WebInspect™
WebInspect™ is easy to use. Simply enter the URL of the Web site or Web application you wish to scan and click go.
![Page 14: SPI Dynamics web application security 101](https://reader033.vdocuments.net/reader033/viewer/2022052521/5445928fb1af9fdb068b45bd/html5/thumbnails/14.jpg)
WebInspect™
WebInspect™ is easy to understand. The Vulnerability Report is listed in order of severity and contains HTML links for navigation.
![Page 15: SPI Dynamics web application security 101](https://reader033.vdocuments.net/reader033/viewer/2022052521/5445928fb1af9fdb068b45bd/html5/thumbnails/15.jpg)
Features & Benefits of WebInspect™
Unique Focus: Your proprietary Web site or Web application
Superior Scanning: Products codify our security expertise
Extremely Fast: WebInspect™ runs in minutes/hours vs. the days/weeks it takes to complete traditional vulnerability assessments
Automated: Continuously maintain your security integrity
Updated: Continuously keep up to date on the latest vulnerabilities with the online update feature
Simple & Cost Effective: Licensed per IP address or per consultant
Risk-Free: Offered on a trial basis at no cost
![Page 16: SPI Dynamics web application security 101](https://reader033.vdocuments.net/reader033/viewer/2022052521/5445928fb1af9fdb068b45bd/html5/thumbnails/16.jpg)
How does WebInspect™ do this?
Hidden Manipulation
Parameter Tampering
Cookie Poisoning
Stealth Commanding
Forceful Browsing
Backdoor/Debug Options
Configuration Subversion
Vendor–Assisted Hacking
![Page 17: SPI Dynamics web application security 101](https://reader033.vdocuments.net/reader033/viewer/2022052521/5445928fb1af9fdb068b45bd/html5/thumbnails/17.jpg)
The SPI Works Product Suite
Use WebInspect™ to assess current Web sites or Web applications.
Use WebInspect™ to QA new applications during development prior to release into production.
Available now. Know your vulnerabilities.
Use LogAlert™ to audit Web logs to know if an attacker has successfully compromised your Web site or Web application.
Use LogAlert™ after you have been attacked for Web log forensic analysis.
Available now. Know if you have been attacked.
Use WebDefend™ to proactively stop Web site or Web application intrusions.
Available Q2 2002. Proactively stop attacks.
WebInspect™: Application Assessment
WebDefend™: Application Intrusion Protection
LogAlert™: Application Log Audit
![Page 18: SPI Dynamics web application security 101](https://reader033.vdocuments.net/reader033/viewer/2022052521/5445928fb1af9fdb068b45bd/html5/thumbnails/18.jpg)
Our Company
Founded in April 2000 by recognized Information Security industry experts
Released WebInspect™ in April 2001
HQ in Atlanta, Georgia
Resellers in New York, Chicago, Washington D.C., Knoxville, Miami, London
SPI serves clients in each of the following vertical industries:
HealthCare
Insurance
Financial Services
Government
Global Enterprise
Consulting
![Page 19: SPI Dynamics web application security 101](https://reader033.vdocuments.net/reader033/viewer/2022052521/5445928fb1af9fdb068b45bd/html5/thumbnails/19.jpg)
SPI Dynamics is the leading provider of automated Web Application security products.
SPI develops “hands-off” security products that contain the knowledge and expertise of an information security professional embedded in the code.
The embedded “hacker logic” enables our software to think for the end-user, making their job easier.