Web application hacking (OWASP Top 10) - Security Day



DESCRIPTION

Web application hacking based on the Top 10 vulnerabilities published by OWASP in 2013.

TRANSCRIPT

Page 1: Web application hacking (OWASP Top 10) - Security Day

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1

Ing. Karina Astudillo B.

IT Manager - Elixircorp S.A.

Copyright 2013 - Karina Astudillo - This document is distributed under the Creative Commons Attribution Share Alike 3.0 license

Page 2

• Co-founder of Elixircorp S.A.

• Information Security Consultant

Ethical Hacking

Computer Forensics

Networking

Unix/Linux

• Lecturer at FIEC-ESPOL

• Instructor at Cisco-Espol

• Some certifications: CEH, Computer Forensics US, CCNA Security, CCNA R&SW, SCSA, Network Security, Internet Security, VmWare VSP, CCAI.

[email protected] Twitter: KAstudilloB

Facebook: Kastudi

Blog: SeguridadInformaticaFacil.com

Page 3

• What are application risks?

• Risk assessment

• OWASP Top 10

• Preventive measures

• Types of audits

• Software tools

• Demo

Page 4

Source: OWASP Top 10 - 2013

Page 5

Source: OWASP Top 10 - 2013

Page 6

• Open

• Web

• Application

• Security

• Project

• http://www.owasp.org

“The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted.”

Source: OWASP Top 10 - 2013

Pages 7 to 27: image slides (OWASP Top 10 - 2013 risk slides). Source: OWASP Top 10 - 2013

Page 28

• Training for developers on Secure Application Coding.

• Include security from the Design phase onward.

• Use secure APIs.

• Validate the security of updates in a test environment before moving them to production.

• Run periodic internal and external audits.

Page 29

• Ethical Hacking:

Web Application Hacking

Performed by an expert ethical hacker

External and internal penetration tests

Execution modes: manual and automated hacking

Deliverable: report of findings and recommendations for improvement

• Code review:

Secure coding audit

Performed by a developer with expertise in code review

Exhaustive manual process

The entire application code base is reviewed (sometimes reverse engineering of libraries is necessary)

Deliverable: report of findings and recommendations for improvement

Page 30

• Professional hacking frameworks. E.g.: Core Impact Pro, Metasploit Professional.

• Specialized environments. E.g.: Samurai Linux, Kali Linux (formerly BackTrack).

• Standalone applications: W3AF, WebSecurify Suite, Nikto, RAFT, etc.

Pages 31 to 32: image slides (demo)

Page 33

• Website: http://www.elixircorp.biz

• Blog: http://www.SeguridadInformaticaFacil.com

• Facebook: www.facebook.com/elixircorp

• Twitter: www.twitter.com/elixircorp

• Google+: http://google.com/+SeguridadInformaticaFacil

Page 34

http://www.elixircorp.biz

http://www.facebook.com/elixircorp

Page 35

Thank you.