Application security
We will cover:
• Some basic definitions
• Application Security meaning
• CIA
• Vulnerabilities
• Demo attack
• Countermeasures
• Best practice to build a secure app.
• Facebook on Spot
Basic definitions
Asset: resources of value that need to be protected.
Threat: an undesired event that may compromise an asset or object, or produce an undesired outcome.
Vulnerability: a weakness in your system, or in a security control, that an exploit can use to cause harm.
Attack: an action that utilizes one or more vulnerabilities to realize a threat.
Security Control: a process or policy put together to minimize security threats to an acceptable level.
Application Security
Application Security is the use of software, hardware, and procedural methods to protect applications from external threats.
Attacks Shift Towards Application Layer
[Chart: "% of Dollars" against "attacks"; the figure shown is 75%]
Application Security aims to secure:
Confidentiality
Malware can be written to do directed searches and send confidential data to specific parties.
Integrity
Viruses attach themselves and stay resident in the system, which allows an attacker to completely control it. This may erase data files, or interfere with application data over time in such a way that data integrity is compromised and the data becomes completely useless.
Availability
Malware can compromise programs and data to the point where they are no longer available. Sometimes this is a direct denial of service (DoS) attack, and sometimes it is a side effect of the malware's activity.
Application Vulnerability
A software “vulnerability” is a flaw that leads the application to process critical data in an insecure way. By exploiting these “holes” in applications, cybercriminals can gain entry into an organization’s systems and steal confidential data.
Common software vulnerabilities:
• SQL injection
• Cross-Site Scripting (XSS)
Almost every application has vulnerabilities: about 70% of all applications had at least one vulnerability classified as one of the top 10 web vulnerability types. Commercial software, financial services software, software written by government agencies … all are vulnerable.
Application Vulnerability - Demo Attack
Phases of hacker attacks
1-Information
• Fingerprinting
• Vulnerability DB
• Bulletin Boards
• …….
2-Infrastructure
• Phishing
• Pharming
• XSS
• …..
3-Exploit
• …..
4-Keep Access
• Backdoor
• Trojan
• Rootkits
• …..
5-Delete Fingerprints
• Destroy evidence
• Steganography
• Tunneling
Application Vulnerability - Demo Attack
Phase 1 (Information)
SQL Injection
1. Hacker searches for information about the victim’s target system:
   Operating System
   Web Server
   Database
2. Compares the information with a vulnerability database
3. Hacker finds a vulnerability:
   Search for a (specific) user
   Find additional information about the user
4. Needs this information for the next phase of the attack
Application Vulnerability - Demo Attack
Phase 2 (Infrastructure)
Cross Site Scripting (XSS)
1. Hacker finds personal information about the user:
   e-mail
   Phone number
   …
2. Sends an e-mail with an unsuspicious topic
3. Includes XSS in the e-mail that sends the user’s session to the hacker’s server
4. User receives the e-mail
5. The e-mail looks unsuspicious to the user:
   Topic
   Originator
6. The included XSS sends all cookies to the hacker’s web site
Application Vulnerability - Demo Attack
Phase 3 - Exploit
Session hijacking
1. Hacker receives all cookies from the user
2. Cookies are used to identify users
3. Hacker uses the cookie to resume the user’s session
4. Hacker is logged in as user “victim” with the user’s access rights
o XSS-Proxy is a tool for leveraging Cross-Site Scripting (XSS) flaws to hijack victim browsers; it allows a bi-directional interactive control channel between the attacker, the victim’s browser and an XSS-vulnerable site.
Now the hacker has logged in to your banking site with your access rights.
That was just the beginning.
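The cookie-theft path in phases 2 and 3 depends on injected script being able to read the session cookie and on the stolen cookie being accepted from anywhere. The added Python example below (not part of the slides; the helper names are hypothetical) issues a session cookie with the HttpOnly, Secure and SameSite attributes, audits an arbitrary Set-Cookie header for those attributes, and returns a Content-Security-Policy header that refuses inline script as a second layer. The weak header checked at the end is a constructed sample.

```python
import secrets
from http.cookies import SimpleCookie
from typing import Optional

# Attributes a session cookie should carry (Set-Cookie attribute names, lower-cased).
REQUIRED_ATTRS = ("httponly", "secure", "samesite")


def build_session_cookie(session_id: Optional[str] = None) -> str:
    """Return the value of a Set-Cookie header for a hardened session cookie.

    Hypothetical helper. A fresh random identifier is generated when none is given.
    """
    sid = session_id or secrets.token_urlsafe(32)
    jar = SimpleCookie()
    jar["session"] = sid
    morsel = jar["session"]
    morsel["httponly"] = True   # document.cookie cannot read it, so injected script cannot send it away
    morsel["secure"] = True     # sent only over HTTPS, never in clear text
    morsel["samesite"] = "Lax"  # not attached to most cross-site requests
    morsel["path"] = "/"
    return jar.output(header="").strip()


def audit_set_cookie(header_value: str) -> dict:
    """Parse a Set-Cookie header value and list the protective attributes it lacks."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    missing = [a for a in REQUIRED_ATTRS if a not in attrs]
    return {"cookie": name, "missing": missing, "ok": not missing}


def xss_mitigation_headers() -> dict:
    """Response headers that limit what an injected script could do (defense in depth)."""
    return {
        # Only scripts served from our own origin run; inline script blocks are refused.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    hardened = build_session_cookie()
    print(hardened)
    print(audit_set_cookie(hardened))
    print(audit_set_cookie("session=abc123; Path=/"))  # constructed weak header
    print(xss_mitigation_headers())
```

HttpOnly removes the cookie from the reach of script entirely, which is the direct answer to step 6 of phase 2; Secure and SameSite narrow where a cookie travels. Neither replaces fixing the XSS itself, and a session should still be invalidated server-side on logout and re-issued on login so a copied cookie has a short useful life.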
Application Vulnerability - Demo Attack
Phase 4 – Keep Access
• The attacker can install a sniffer to capture all network traffic.
• Use a backdoor or trojan to gain repeated access.
• May install rootkits in the kernel to get superuser access at the operating system level.
• They can then use their access to steal data, consume CPU cycles and exchange confidential information, or even resort to extortion.
• They can maintain control of the system for a long time by "hardening the system" against other attackers.
Phase 5 – Delete Fingerprints
• Trojaned binaries such as ps or netcat are useful for destroying the evidence in the registry files, or the system binaries are replaced with them.
• Steganography is the process of hiding data, for example in images and sound files.
• Tunneling takes advantage of the transmission protocol by carrying one protocol over another. Even the extra space (unused bits) in the TCP and IP headers can be used to hide information.
Application Security Countermeasures
• Countermeasures are the actions taken to ensure application security.
• An application firewall is the most basic software countermeasure; it limits the execution of files or the handling of data by specific installed programs.
• A router is the most common hardware countermeasure; it can prevent the IP address of an individual computer from being directly visible on the Internet.
• Other countermeasures include conventional firewalls, encryption/decryption programs, anti-virus programs, spyware detection/removal programs and biometric authentication systems.
Best Practices to Build Secure Applications
1. Follow the OWASP Top Ten
It lists the most critical web application security vulnerabilities. These vulnerabilities target the confidentiality, integrity, and availability of an application, its developers, and its users. They cover attack vectors such as injection attacks, authentication and session management, security misconfiguration, and sensitive data exposure.
2. Get an Application Security Audit
Use people with specific, professional application security experience, who know what to look for: the obvious and the subtle, as well as the hidden things. They will also be abreast of current security issues and knowledgeable about issues which are not common knowledge yet.
3. Implement Proper Logging
At some stage something will go wrong: a bug that no one saw (or considered severe enough to warrant particular attention) will eventually be exploited. To be able to respond as quickly as possible, you need to have proper logging implemented before the situation gets out of hand. Doing so provides you with information about what occurred, what led to the situation in the first place, and what else was going on at the time.
4. Use Real-time Security Monitoring and Protection or Web Application Firewalls
Protect your application from a range of perspectives, both internal and external, using firewalls in addition to Runtime Application Self-Protection (RASP) and services.
5. Encrypt Everything
It’s important to make sure that data at rest is encrypted as well as data in transit. HTTPS makes it next to impossible for Man In The Middle (MITM) attacks to occur.
6. Harden Everything
You need to ensure that everything is sufficiently hardened, from operating systems to software development frameworks.
7. Keep Your Servers Up to Date
Make sure that your servers are set to update to the latest security releases as they become available.
8. Keep Your Software Up to Date
Application frameworks and third-party software libraries, just like operating systems, have vulnerabilities. If they are properly supported, then they will also be rapidly patched and improved. So it’s important to ensure that you’re using the latest stable version.
9. Stay Abreast of the Latest Vulnerabilities
There are a range of ways to keep up to date with the attack vectors in play today, vectors such as cross-site scripting, code injection, SQL injection, insecure direct object references, and cross-site request forgery.
10. Never Stop Learning
That way, you’ll always have security as a key consideration, and be far less likely to fall victim to security or data breaches.
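Practices 3 and 4 (logging, then watching the logs in real time) are easier to judge with something running. The added Python example below is not from the slides: it writes security events as one JSON line each with credential fields redacted, and runs a sliding-window detector over those lines that flags source addresses producing repeated login failures. The event list is constructed for the demonstration; the field names and thresholds are assumptions.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Iterable, List

# Fields that must never reach the log verbatim: credentials and session material.
REDACTED_FIELDS = {"password", "token", "cookie", "authorization"}
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def format_event(event: dict) -> str:
    """Serialize one security event as a single JSON line, redacting secret fields."""
    safe = {k: ("[REDACTED]" if k.lower() in REDACTED_FIELDS else v) for k, v in event.items()}
    safe.setdefault("ts", datetime.now(timezone.utc).strftime(TS_FORMAT))
    return json.dumps(safe, sort_keys=True)


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, TS_FORMAT).replace(tzinfo=timezone.utc)


def detect_login_bursts(lines: Iterable[str], threshold: int = 5, window_seconds: int = 60) -> List[str]:
    """Return source IPs that produced at least `threshold` login failures inside `window_seconds`.

    Lines must be in chronological order; one sliding window (a deque of timestamps)
    is kept per source IP so memory stays bounded by the window, not the log size.
    """
    recent = defaultdict(deque)
    flagged = set()
    for line in lines:
        ev = json.loads(line)
        if ev.get("event") != "login_failure":
            continue
        ip = ev.get("src_ip", "unknown")
        now = _parse_ts(ev["ts"])
        window = recent[ip]
        window.append(now)
        while window and (now - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged.add(ip)
    return sorted(flagged)


# Constructed sample events: six failures from one address within 30 seconds (a
# password-guessing pattern) plus one failure and one success from another. The stray
# "password" field is the kind of mistake redaction exists to catch.
SAMPLE_EVENTS = [
    {"ts": f"2024-05-01T10:00:{s:02d}Z", "event": "login_failure", "src_ip": "203.0.113.7",
     "user": "alice", "password": "hunter2"}
    for s in (0, 5, 10, 15, 20, 30)
] + [
    {"ts": "2024-05-01T10:00:07Z", "event": "login_failure", "src_ip": "198.51.100.2", "user": "bob"},
    {"ts": "2024-05-01T10:00:50Z", "event": "login_success", "src_ip": "198.51.100.2", "user": "bob"},
]
SAMPLE_LINES = [format_event(e) for e in sorted(SAMPLE_EVENTS, key=lambda e: e["ts"])]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line)
    print("burst sources:", detect_login_bursts(SAMPLE_LINES))
```

One JSON object per line keeps the log machine-readable for whatever monitoring sits downstream, and the timestamp, event type and source address are the minimum needed to answer "what occurred, what led to it, and what else was going on" after the fact. Redacting at the point of writing matters because logs are copied to places with weaker access control than the application's database.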
Data privacy is a part of Information Security & Cyber Security, and any kind of hole such as IDOR (missing access control level) or data leakage existing in the GraphQL wrapper implementation & Facebook APIs is able to destroy an empire like Facebook.
Is this related to Information Security!!
In the USA elections, a quiz app was developed by Kogan for USA residents, aiming to collect users’ data and their friends’ data, and it did collect data for 50 million users.
What will the Facebook Information Security Team do?!
• Review our platform. We will investigate all apps that had access to large amounts of
information before we changed our platform in 2014 to reduce data access, and we will
conduct a full audit of any app with suspicious activity. If we find developers that misused
personally identifiable information, we will ban them from our platform.
• Tell people about data misuse. We will tell people affected by apps that have misused their
data. This includes building a way for people to know if their data might have been accessed
via “thisisyourdigitallife.” Moving forward, if we remove an app for misusing data, we will tell
everyone who used it.
• Turn off access for unused apps. If someone hasn’t used an app within the last three months,
we will turn off the app’s access to their information.
• Restrict Facebook Login data. We are changing Login, so that in the next version, we will
reduce the data that an app can request without app review to include only name, profile
photo and email address. Requesting any other data will require our approval.
• Encourage people to manage the apps they use. We already show people what apps their
accounts are connected to and control what data they’ve permitted those apps to use. Going
forward, we’re going to make these choices more prominent and easier to manage.
• Reward people who find vulnerabilities. In the coming weeks we will expand Facebook’s bug
bounty program so that people can also report to us if they find misuses of data by app
developers.