Cecilia Zuvic
Jason Kent
Will Bechtel
Webcast Series – May 2013
Don’t let Your Website Spread Malware – a New Approach to Web App Security
Transforming IT Security & Compliance
Agenda
• Website Malware Risk
• Detecting Website Malware
• How Malware is Different
• Better Website Security
• Summary
Identifying Malware with Web Application Scanning
Website Malware Risk
• 2012 Verizon Data Breach Investigations Report (DBIR)
– Involvement of malware in data breaches is increasing
– 2011: 69% of breaches incorporated malware (+20%)
– 2011: malware was associated with breaches that involved 95% of records compromised
• 2013 Symantec Internet Security Threat Report (ISTR)
– Web-based malware attacks on the rise: “We have seen the number of Web-based attacks increase by almost a third.”
– Lurking danger: “silently infect enterprise and consumer users when they visit a compromised website”
– Hard to detect: “rendering enterprises that rely on signature-based antivirus protection unable to protect themselves against these silent attacks”
Malware Involvement in Data Breaches
[Charts: Malware Involvement in Data Breaches, three slides; chart contents not captured in the extraction]
*Verizon 2012 Data Breach Investigations Report
What happens if your site and users are infected?
• Users are infected, and blame your organization
• Your organization’s website is blacklisted; you spend time trying to get off the blacklist
• Reputation damage and lost revenue
How does an attacker get malware on a website?
Victim Website
• Web application or indirect vulnerability
– Known vulnerability in an app or platform component
– Discovered vulnerability in a developed application (XSS, etc.)
• Phishing, spyware or social engineering
– Steal a password or execute another attack to gain access
• Paying to host an advertisement that contains the infection
– Malvertising: legitimate websites can infect users without being directly compromised
Detecting Website Malware – Traditional Approach
Signature Based Detection on systems/web gateways
1. Malware is identified and analyzed (typically after many infections)
2. Signature is created
3. Signature is distributed to end points/gateways
Zero Day Protection Gap: the window before a signature exists and has been distributed
Detecting Website Malware – Traditional Approach
Advantage Disadvantage
Detecting Website Malware – a Better Approach
• Reputation Check
– Identify references to sites that are known to host malware
• Behavioral Analysis
– Instrument a system and watch for exploitation
– Detects zero day
• Antivirus Heuristic
– For common scripting techniques, etc.
– For downloadable documents like PDFs
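As an added illustration of the Reputation Check and Antivirus Heuristic layers on the slide above (my own example, not code from the webcast or from Qualys), this passive scanner parses already-fetched HTML, flags resource references to hosts on a constructed reputation list, and applies one heuristic for hidden third-party iframes; nothing from the page is executed, which is what makes a check like this safe to run daily. The host names, the sample HTML and the reputation list are all constructed placeholders.

```python
"""Passive website malware check: reputation lookup plus a simple heuristic.

Added example (not the webcast's or Qualys's code). It assumes the page's
HTML has already been fetched and that a local reputation list is available.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed reputation list of hosts known to serve malware (placeholder names).
KNOWN_BAD_HOSTS = {"bad-cdn.example", "exploit-kit.example"}

# Constructed sample page: one reference to a listed host, one hidden third-party iframe.
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="/s.css">
<script src="https://cdn.good.example/app.js"></script></head>
<body><iframe src="http://bad-cdn.example/x.php" width="0" height="0"></iframe>
<iframe src="//partner.example/widget" style="display: none"></iframe>
</body></html>"""


class ResourceCollector(HTMLParser):
    """Collect external resource references and hidden iframes from HTML."""

    SRC_TAGS = {"script": "src", "iframe": "src", "embed": "src",
                "object": "data", "link": "href"}

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []       # (tag, absolute url)
        self.hidden_iframes = []  # absolute urls of zero-size / hidden iframes

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = self.SRC_TAGS.get(tag)
        if attr is None or not attrs.get(attr):
            return
        url = urljoin(self.base_url, attrs[attr])
        self.resources.append((tag, url))
        if tag == "iframe" and _looks_hidden(attrs):
            self.hidden_iframes.append(url)


def _looks_hidden(attrs):
    """Heuristic: zero-size or display:none iframes are a common drive-by technique."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return attrs.get("width") == "0" or attrs.get("height") == "0"


def passive_scan(page_url, html, bad_hosts=KNOWN_BAD_HOSTS):
    """Return (kind, tag, url) findings for a page without executing its content."""
    parser = ResourceCollector(page_url)
    parser.feed(html)
    page_host = urlsplit(page_url).hostname
    findings = []
    # Layer 1: reputation check on every referenced host.
    for tag, url in parser.resources:
        if urlsplit(url).hostname in bad_hosts:
            findings.append(("reputation", tag, url))
    # Layer 2: heuristic for hidden iframes that pull content from another site.
    for url in parser.hidden_iframes:
        if urlsplit(url).hostname != page_host:
            findings.append(("hidden-iframe", "iframe", url))
    return findings


if __name__ == "__main__":
    for finding in passive_scan("https://www.victim.example/index.html", SAMPLE_HTML):
        print(finding)
```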
Detecting Website Malware – a Better Approach
1. Set up a vulnerable browsing platform on a VM
2. Instrument the browser using API hooking
3. Log input parameters, return values, and data at various points within the browser and OS
4. Watch for exploitation
5. When done scanning, or when compromised, destroy the VM and start another
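The behavioral-analysis loop above, steps 3 to 5, as an added example that is not part of the webcast or Qualys's product: it replays API-hook records from the instrumented browser, classifies each one with a few defender-side rules, and stops at the first finding that means the VM is compromised, which is the point at which the VM would be destroyed. The record format, the process names and the rules are assumptions; the Windows API names are real, but what a hooking layer logs is its own choice.

```python
"""Behavioral analysis over API-hook records from an instrumented browser VM.

Added example, not the webcast's or Qualys's own code. The record format,
process names and rules are assumptions for illustration.
"""
import json
import os

BROWSER_IMAGES = {"browser.exe"}        # hooked browser process (assumed name)
TRUSTED_CHILDREN = {"plugin-host.exe"}  # helpers the browser may legitimately spawn
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".bat"}
# Findings that mean the VM is compromised: stop, destroy the VM, start a fresh one.
FATAL = {"unexpected-child-process", "dropped-executable"}

# Constructed hook records, one JSON object per line (forward slashes keep the
# sample portable; a real hooking layer would log native paths).
SAMPLE_LOG = "\n".join([
    '{"pid": 41, "image": "browser.exe", "api": "VirtualAlloc",'
    ' "args": {"size": 65536, "protect": "PAGE_READWRITE"}, "ret": "0x1a0000"}',
    '{"pid": 41, "image": "browser.exe", "api": "CreateProcessW",'
    ' "args": {"path": "C:/Program Files/plugin-host.exe"}, "ret": 1}',
    '{"pid": 41, "image": "browser.exe", "api": "VirtualAlloc",'
    ' "args": {"size": 4096, "protect": "PAGE_EXECUTE_READWRITE"}, "ret": "0x2b0000"}',
    '{"pid": 41, "image": "browser.exe", "api": "CreateFileW",'
    ' "args": {"path": "C:/Users/lab/AppData/Local/Temp/upd.exe", "access": "write"},'
    ' "ret": "0x1c4"}',
    '{"pid": 41, "image": "browser.exe", "api": "CreateProcessW",'
    ' "args": {"path": "C:/Users/lab/AppData/Local/Temp/upd.exe"}, "ret": 1}',
])


def check_event(ev):
    """Classify one hook record; return a finding name or None."""
    api, args = ev["api"], ev.get("args", {})
    if api == "CreateProcessW":
        # The browser spawning anything but a known helper is a strong signal.
        child = os.path.basename(args.get("path", "")).lower()
        if child not in TRUSTED_CHILDREN:
            return "unexpected-child-process"
    elif api == "CreateFileW" and args.get("access") == "write":
        # A browser writing an executable into a temp directory: a dropper.
        path = args.get("path", "").lower()
        if os.path.splitext(path)[1] in EXECUTABLE_EXT and "/temp/" in path:
            return "dropped-executable"
    elif api == "VirtualAlloc" and args.get("protect") == "PAGE_EXECUTE_READWRITE":
        return "rwx-memory"  # suspicious on its own, decisive only with other signs
    return None


def analyze(log_text):
    """Replay the records in order and stop at the first fatal finding.

    Returns (verdict, findings, stop_index): findings is a list of
    (record index, finding name); stop_index is the record at which the VM
    was judged compromised, or None if the scan ran to completion.
    """
    findings = []
    for idx, line in enumerate(log_text.splitlines()):
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("image") not in BROWSER_IMAGES:
            continue  # only browser-originated calls are relevant here
        finding = check_event(ev)
        if finding is None:
            continue
        findings.append((idx, finding))
        if finding in FATAL:
            return "compromised", findings, idx
    return "clean", findings, None


if __name__ == "__main__":
    verdict, findings, stop = analyze(SAMPLE_LOG)
    print(verdict, findings, "stop at record", stop)
```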
How Malware is Different
• Malware Distribution
– Unlike vulnerabilities, which are accidental software flaws, attackers try to place malware in high-traffic areas
– OWASP-type vulnerabilities should be distributed randomly (XSS, SQLi)
– Malware will typically be positioned to infect all users (not just authenticated ones)
• Malware detection does not have the impact of active vulnerability scanning
– Detection uses ‘passive’ and not ‘active’ techniques
– Safe for daily scans
Better Website Security
• Detect both OWASP vulnerabilities and website malware
– Run daily passive scans on websites to identify malware, and notify immediately
– Perform active scans on a regular basis to identify OWASP vulnerabilities
• How you benefit
– Identify and fix vulnerabilities hackers could exploit or malware distributors could use to infect your site and other users
– Protect your revenue, brand reputation and users from malware impact
– Ensure you are covered from both threats, making it hard for attackers to exploit
Thank You
jkent@qualys.com
czuvic@qualys.com
Transforming IT Security & Compliance
  • 14. Identifying Malware with Web Application Scanning Better Website Security • Detect both OWASP vulnerabilities and website malware – Run daily passive scans on websites to identify malware, notify immediately – Perform active scans on a regular basis to identify OWASP vulnerabilities • How you benefit – Identify and fix vulnerabilities hackers could exploit or malware distributors could use to infect your site and other users – Protect your revenue, brand reputation and users from malware impact – Ensure you are covered from both threats, making it hard for attackers to exploit 14