Web Security: Common security threats and hacking
DESCRIPTION
Web Security: Common security threats and hacking. Nahidul Kibria, Co-Leader, OWASP Bangladesh; Senior Software Engineer, KAZ Software Ltd. Twitter: @nahidupa. Writing code for fun and food. And security enthusiast. Shahee Mirza, Certified Ethical Hacker (C|EH). PowerPoint presentation.
TRANSCRIPT
Web Security: Common security threats and hacking
Nahidul Kibria, Co-Leader, OWASP Bangladesh; Senior Software Engineer, KAZ Software Ltd. Twitter: @nahidupa
Writing code for fun and food. And security enthusiast.
The OWASP Foundation, http://www.owasp.org
Shahee Mirza
# Certified Ethical Hacker (C|EH)
# Microsoft Certified Systems Administrator
# Information Security Consultant, Nexus IT Zone
http://www.shaheemirza.com  FB: shaheemirza  Twitter: @shaheemirza
Why should we care? You already learned about web programming.
NOT SECURE: phone/SMS banking, online banking, e-commerce
Most sites are not secure! Attackers can access unauthorized data! They use your web site to attack your users!
Historically the web wasn't designed to be secure
Built for static, read-only pages
Almost no intrinsic security
A few security features were bolted on later
Initially it did not have sessions
What does that mean?
Cookie-based sessions can be hijacked
No separation of logic and data
No client-supplied data can be trusted
The vast majority of web applications have serious security vulnerabilities!
Most developers are not aware of the issues.
Let's start over
Web application threat surface
XSS, CSRF, clickjacking, parameter tampering / sniffing, forged tokens, directory traversal, direct object references, SQL injection, XML injection
The way web browsers handle sessions: CSRF
JavaScript: XSS
Transparency: clickjacking
Data transported: parameter tampering / sniffing
Authentication/authorization
Files are uploaded/downloaded: path traversal
Interact with a database
Interact with a web service
All are hotspots and exploitable
Ajax / Flash / Flex / AIR / applets
Large attack surface, and it's growing
Ajax, Flash, Silverlight, applets
The attack surface is growing!
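The two root causes named earlier, no separation of logic and data and client-supplied data that cannot be trusted, are what make the SQL injection entry in this threat surface a hotspot. The following is an added example, not code from the slides: a lookup that concatenates a client-supplied username into the query text, beside the parameterized form, both run against a constructed in-memory SQLite table. The table, its rows, and the two lookup functions are assumptions made for the illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration (not from the slides).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "h1", 0), ("bob", "h2", 0), ("root", "h3", 1)],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Logic and data are glued into one string: the database engine has no way
    # to know where the query ends and the client's value begins.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    # The statement is fixed at the call site; the client's value is bound as a
    # parameter and is only ever compared, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    conn = make_db()
    honest = "alice"
    # Constructed untrusted input: a quote that closes the literal followed by a
    # tautology, the textbook case taught in WebGoat-style lessons.
    crafted = "x' OR '1'='1"
    return {
        "vulnerable_honest": lookup_vulnerable(conn, honest),
        "vulnerable_crafted": lookup_vulnerable(conn, crafted),
        "safe_honest": lookup_parameterized(conn, honest),
        "safe_crafted": lookup_parameterized(conn, crafted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the crafted value the concatenated query matches every row, including the admin account, while the parameterized query matches none, because the same bytes are treated as data rather than as part of the statement.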
Some incident examples
INSECURE-Mag-31
Study: global cybercrime costs more than illegal drugs. Global drug trade: about $288 billion. Global cybercrime: $114 billion. India: Rs 34,110 crore.
http://www.dnaindia.com/mumbai/report_cyber-crime-costs-india-rs34110-crore-per-year_1588917
http://news.consumerreports.org/electronics/2011/09/study-global-cybercrime-costs-more-than-fighting-llegal-drugs.html
A common question: I'm innocent, why should I be a target?
I don't have any sensitive data. I don't even serve any important data. I have no enemies.
The answer: you have resources... maybe a multi-core processor... bandwidth. Attackers weaponize your PC to attack others, or use your resources...
Turn your PC into a zombie
They may even run a hash cracker; anonymity; attack others; click flood; DDoS
You may have got what I said about botnets
Botnet, just in brief
This is a problem
Network security and others
But developers...
Application security: threat modeling
Security Quick Resource Guide
About OWASP
OWASP's mission is to make application security visible, so that people and organizations can make informed decisions about true application
Attackers do not use black art to exploit your application
220 Chapters
OWASP Bangladesh Chapter: Bangladeshi community of security professionals; globally recognized; open for all; free for all
What do we have to offer? Monthly meetings, mailing list, presentations & groups, open forums for discussion, vendor-neutral environments
OWASP Top 10 Web Application Security Risks (2010 Edition): http://www.owasp.org/index.php/Top_10
Application Developers
New attacks / defense guidelines
Cheat Sheets
WebGoat: an emulator designed to teach web application security lessons
The OWASP Enterprise Security API
Existing Enterprise Security Services/Libraries
Application Testers and Quality Assurance
Tools
Testing Guide / pentester
Application Security Verification Standard Project
OWASP ZAP Proxy / WebScarab
OWASP CSRFTester
Application Project Management and Staff
Define the process; SDLC; code review; decision maker
OWASP Code Review Project
Code review tools: http://codecrawler.codeplex.com/Release/ProjectReleases.aspx and http://orizon.sourceforge.net
Code review is not only for readability or better architecture; your goal can also be code review purely for finding insecure code.
OWASP Testing Framework
4.2 Information Gathering
4.3 Configuration Management Testing
4.4 Business Logic Testing
4.5 Authentication Testing
4.6 Authorization Testing
4.7 Session Management Testing
4.8 Data Validation Testing
4.9 Testing for Denial of Service
4.10 Web Services Testing
4.11 Ajax Testing
http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents
OWASP Testing Guide v3
v4 is not finalized
Myth: the developer will provide me with a secure solution without me asking
Download / Get OWASP Books
Coolest Jobs in Information Security
#1 Information Security Crime Investigator/Forensics Expert
#2 System, Network, and/or Web Penetration Tester
#3 Forensic Analyst
#4 Incident Responder
#5 Security Architect
#6 Malware Analyst
#7 Network Security Engineer
#8 Security Analyst
#9 Computer Crime Investigator
#10 CISO/ISO or Director of Security
#11 Application Penetration Tester
#12 Security Operations Center Analyst
#13 Prosecutor Specializing in Information Security Crime
#14 Technical Director and Deputy CISO
#15 Intrusion Analyst
#16 Vulnerability Researcher/Exploit Developer
#17 Security Auditor
#18 Security-savvy Software Developer
#19 Security Maven in an Application Developer Organization
#20 Disaster Recovery/Business Continuity Analyst/Manager
Subscribe to the mailing list: https://www.owasp.org/index.php/Bangladesh, https://www.facebook.com/OWASP.Bangladesh
Keep up to date! Twitter: @nahidupa, Twitter: @owaspbangladesh