Benefits of In-Depth Security Testing for the Enterprise
1. Breaking the Wall..
Copyright © we45 Solutions India Pvt. Ltd.
2. we45 - An Introduction
• we45 = “we” + Fortify (45)
• Focused Information Security Consulting Company
• Research oriented Security Company
• Showcased as one of Karnataka’s Top 20 Startups in 2010
3. Yours Truly...
• Co-author of ‘Secure Java For Web Application Development’
• Specialization in Web Application Security
• Trainer and Workshop Lead for Security Training Workshops
• URL: abhaybhargav.com
• we45’s Website: we45.com
4. Why test for Security?
• Validation of Controls
• Removing the Illusion of Control
• Understanding how newer and constantly evolving threats affect your environment
• Malicious - People and Code
5. The Gap
• Security Tests largely fail because of:
  • Lack of focus by the testers
  • Organization - Lack of Awareness and Will
  • Tools vs Skills
6. Critical Data on IT
• Financial Information
• Credit Card Information
• User Personal Information
• Customer Information
• Healthcare Information
• Other organization-sensitive information - Stored, Processed and Transmitted via IT
7. Disturbing Statistics
53% of Indian Companies have been victims of cyber attacks
70% of Enterprise Web Applications are found to be vulnerable
60%+ of Enterprise Endpoints vulnerable to client-side attacks
Marked Rise in Social Engineering attacks
75% of Web Applications developed with non-secure coding practices
9. Web Applications
• Web Application Security is key with organizations taking extensively to Web 2.0
• E-Commerce, ERP, Salesforce Automation, etc
• Application attacks:
  • Coding Flaws
  • Business Logic Flaws
  • Configuration Flaws
• Web Application Security Testing is CRITICAL
• Tester should follow best practice methodologies
• Business Logic cannot be tested with tools
• Application attacks due to non-secure coding practices are massive
• Configuration and Deployment oriented attacks are multifold
• Framework based attacks - Joomla, Drupal
10. Application Attacks: Case Study
• Testing a large infrastructure company’s critical web app
• Finding SQL Injection while testing the authentication of a particular application
• Database was running with ‘root’ privileges
• Later, we found a configuration file in the application server with root username and password to the DB
11. Servers and Endpoints
• Server attacks - The Genesis:
  • Lack of patching server and kernel level security updates
  • Client-Side Software - The new Achilles Heel
  • Endpoint Security - Insecure Client-side Software, Patches and Browser-based security flaws
• Security Testing for Servers and Endpoints is mostly tool-based.
• Low Priority given to Client-Side exploits by testers
• Non-Secure Configuration of Endpoints results in over 40% of Security Flaws
• Internal Security Testing also essential
12. Severe Server and Endpoint Security Vulnerabilities
• MS08-067: Critical Flaw in Windows Server allowing an attacker to exploit the system and run his/her code - 43% of Enterprise Endpoints and Servers affected
• Adobe Reader code execution flaw where an attacker can run commands on the victim’s system - 59% of Enterprise Endpoints found to be affected
• Multiple Java Exploits affecting servers and endpoints
• and many more.....
13. Network Infrastructure
• Network Devices
  • Have to be tested comprehensively for authentication vulnerabilities - 38% of Network Devices have authentication flaws
  • Firmware Updates and Security Updates not applied - Compromise the Perimeter
  • Focus on Depth of Finding, rather than review
14. People: The Weakest Link
• People are the easiest targets in a security compromise
• Targeted Phishing - Spear Phishing Attacks on the rise with over 56,000 reports
• Social Networks and Email: Rife to spread Malware and compromise user endpoints
• Browser Security considerations
• Companies must consider comprehensive Social Engineering Assessments to identify lapses in User Security Awareness
• Organizations’ Assessments must cover security over Web Browsers
15. In Conclusion...
• Threats are multifold and evolve constantly
• Organizations have to test often to avoid being a vulnerability statistic
• Tests have to encompass these elements during the year based on applicability
• Testers should be chosen carefully based on skills and not tools
• Reporting should be clear and prescriptive, not vague and generic
16. Thank You
• URL: www.we45.com
• Email: abhay@we45.com
• Twitter: @abhaybhargav
• abhaybhargav.com