SlideShare une entreprise Scribd logo

So Your Company Hired A Pentester

Télécharger en tant que PPTX, PDF
N
NorthBayWeb
Technologie
1  sur  20
 The contents of this talk are my own personal research and training. FishNet Security has no affiliation with this talk and can not be held responsible for any of its contents. As such it should not be seen as marketing or any other from of public interaction by FishNet Security.
No Really! Don‟t Panic!
Facebook WordPress
• The Internet is BIG • No, no no The Internet is REALLY REALLY BIG • To go along with this really big internet we have a really big Codebase • To add to this really big codebase, just like we learned in our first programming class there are a thousand ways to do just about anything . • Risk Assessment is more about hardening your web app or site to common attacks than uncommon attacks that target your unique situation. • Now you must be thinking what's a low hanging fruit?
• OWASP top Ten • OWASP is the open Web Application Security Project. • Every few years they put out a report of the top ten vulnerabilities found on the internet. • They Also have some great tools for testing your Web Applications. • If you want an Idea of how to prepare for a Security Audit OWASP is a great resource.
Injection means… • Tricking an application into including unintended commands in the data sent to an interpreter SQL injection is still quite common • Many applications still susceptible (really don‟t know why) • Even though it‟s usually very simple to avoid Typical Impact • Usually severe. Entire database can usually be read or modified • May also allow full database schema, or account access, or even OS level access
 Recommendations 1. Avoid the interpreter entirely, or 2. Use an interface that supports bind variables (e.g., prepared statements, or stored procedures),  Bind variables allow the interpreter to distinguish between code and data 3. Encode all user input before passing it to the interpreter  Always perform „white list‟ input validation on all user supplied input  Always minimize database privileges to reduce the impact of a flaw
Occurs any time… • Raw data from attacker is sent to an innocent user‟s browser Typical Impact • Steal user‟s session, steal sensitive data, rewrite web page, redirect user to phishing or malware site • Most Severe: Install XSS proxy which allows attacker to observe and direct all user‟s behavior on vulnerable site and force user to other sites
 Recommendations  Eliminate Flaw  Don‟t include user supplied input in the output page  Defend Against the Flaw  Primary Recommendation: Output encode all user supplied input  Perform „white list‟ input validation on all user input to be included in page  For large chunks of user supplied HTML, use HTML sanitization to sanitize all HTML and make it safe
Web applications rely on a secure foundation •Everywhere from the OS up through the App Server •Don‟t forget all the libraries you are using!! Is your source code a secret? •Think of all the places your source code goes •Security should not require secret source code CM must extend to all parts of the application •All credentials should change in production Typical Impact •Install backdoor through missing OS or server patch •XSS flaw exploits due to missing application framework patches •Unauthorized access to default accounts, application functionality or data, or unused but accessible functionality due to poor server configuration
 Verify your system‟s configuration management  Secure configuration “hardening” guideline  Automation is REALLY USEFUL here  Must cover entire platform and application  Keep up with patches for ALL components  This includes software libraries, not just OS and Server applications  Analyze security effects of changes  Can you “dump” the application configuration  Build reporting into your process  If you can‟t verify it, it isn‟t secure  Verify the implementation  Scanning finds generic configuration and missing patch problems
PKI VPN SSH/SFTP SSL
Does •Third Party Authentication •PKI encryption •Keeps the conversation between the client and the host Does Not •Protect the client from malware snooping or interference •Remove malicious code. Why Its not standard •Encryption is process heavy •The internet is old When you should use it. •Always… •When dynamic code is used •At least when logins are in use anywhere on the site.
Does •PKI encryption •Keeps the conversation between the client and the host Does Not •Protect the client from malware snooping or interference •Remove malicious code. Why Its not standard •Encryption is process heavy •The internet is old When you should use it. •Always… •When dynamic code is used •At least when logins are in use anywhere on the site.
Does •PKI encryption •Connects to your server for quick secure file management •Allows you to issue commands to your server Does Not •Help the Client •Provide any code sanitization What It Replaces •FTP •God forbid Telnet When You Should Use It. •Anytime you connect to your server •All File transfer for source code •Editing any source on host
Email: carlton.sue@fishnetsecurity.com Twitter: @iamcobolt Web: http://www.fishnetsecurity.com/Blogs Personal: http://www.carlsue.com • https://www.owasp.org • Web Application Hackers Handbook • The Tangled Web – No Starch Press • SQL Injection Attacks and Defense Thanks For Having Me!

Recommandé

Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesUnderstanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesAnant Shrivastava
 
The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.Teri Radichel
 
Passwords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to goPasswords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to goMichael Furman
 
NGINX User Summit. Wallarm llightning talk
NGINX User Summit. Wallarm llightning talkNGINX User Summit. Wallarm llightning talk
NGINX User Summit. Wallarm llightning talkWallarm
 
CSF18 - How to Block Ransomware - Sami Laiho
CSF18 - How to Block Ransomware - Sami LaihoCSF18 - How to Block Ransomware - Sami Laiho
CSF18 - How to Block Ransomware - Sami LaihoNCCOMMS
 
IT security for all. Bootcamp slides
IT security for all. Bootcamp slidesIT security for all. Bootcamp slides
IT security for all. Bootcamp slidesWallarm
 
Network Security in 2016
Network Security in 2016Network Security in 2016
Network Security in 2016Qrator Labs
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins
 

Recommandé

Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesUnderstanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesAnant Shrivastava
 
The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.Teri Radichel
 
Passwords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to goPasswords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to goMichael Furman
 
NGINX User Summit. Wallarm llightning talk
NGINX User Summit. Wallarm llightning talkNGINX User Summit. Wallarm llightning talk
NGINX User Summit. Wallarm llightning talkWallarm
 
CSF18 - How to Block Ransomware - Sami Laiho
CSF18 - How to Block Ransomware - Sami LaihoCSF18 - How to Block Ransomware - Sami Laiho
CSF18 - How to Block Ransomware - Sami LaihoNCCOMMS
 
IT security for all. Bootcamp slides
IT security for all. Bootcamp slidesIT security for all. Bootcamp slides
IT security for all. Bootcamp slidesWallarm
 
Network Security in 2016
Network Security in 2016Network Security in 2016
Network Security in 2016Qrator Labs
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014Anant Shrivastava
 
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?Sonatype
 
What the fuzz
What the fuzzWhat the fuzz
What the fuzzChristopher Frenz
 
[OWASP Poland Day] Security knowledge framework
[OWASP Poland Day] Security knowledge framework[OWASP Poland Day] Security knowledge framework
[OWASP Poland Day] Security knowledge frameworkOWASP
 
Cm9 secure code_training_1day_input sanitization
Cm9 secure code_training_1day_input sanitizationCm9 secure code_training_1day_input sanitization
Cm9 secure code_training_1day_input sanitizationdcervigni
 
CSF18 - Moving from Reactive to Proactive Security - Sami Laiho
CSF18 - Moving from Reactive to Proactive Security - Sami LaihoCSF18 - Moving from Reactive to Proactive Security - Sami Laiho
CSF18 - Moving from Reactive to Proactive Security - Sami LaihoNCCOMMS
 
How can you deliver a secure product
How can you deliver a secure productHow can you deliver a secure product
How can you deliver a secure productMichael Furman
 
Eirtight writing secure code
Eirtight writing secure codeEirtight writing secure code
Eirtight writing secure codeKieran Dundon
 
[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron security[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron securityOWASP
 
Ground Zero Training- Metasploit For Web
Ground Zero Training- Metasploit For WebGround Zero Training- Metasploit For Web
Ground Zero Training- Metasploit For WebNipun Jaswal
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private tokenOWASP
 
Linux Security for Developers
Linux Security for DevelopersLinux Security for Developers
Linux Security for DevelopersMichael Boelen
 
Security-Web Vulnerabilities-Browser Attacks
Security-Web Vulnerabilities-Browser AttacksSecurity-Web Vulnerabilities-Browser Attacks
Security-Web Vulnerabilities-Browser AttacksRaghu Addanki
 
Uniface Web Application Security
Uniface Web Application SecurityUniface Web Application Security
Uniface Web Application SecurityUniface
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanAkash Mahajan
 
Basics of Meterpreter Evasion
Basics of Meterpreter EvasionBasics of Meterpreter Evasion
Basics of Meterpreter EvasionNipun Jaswal
 
Software compliance
Software complianceSoftware compliance
Software complianceS Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
Tale of Forgotten Disclosure and Lesson learned
Tale of Forgotten Disclosure and Lesson learnedTale of Forgotten Disclosure and Lesson learned
Tale of Forgotten Disclosure and Lesson learnedAnant Shrivastava
 
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. LtdBeyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. LtdNipun Jaswal
 
Mobile Payments
Mobile PaymentsMobile Payments
Mobile PaymentsNorthBayWeb
 
Building a Hadoop Powered Commerce Data Pipeline
Building a Hadoop Powered Commerce Data PipelineBuilding a Hadoop Powered Commerce Data Pipeline
Building a Hadoop Powered Commerce Data PipelineDataWorks Summit
 
Paypal-IPN
Paypal-IPNPaypal-IPN
Paypal-IPNMindfire Solutions
 

Contenu connexe

Tendances

When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014Anant Shrivastava
 
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?Sonatype
 
[OWASP Poland Day] Security knowledge framework
[OWASP Poland Day] Security knowledge framework[OWASP Poland Day] Security knowledge framework
[OWASP Poland Day] Security knowledge frameworkOWASP
 
Cm9 secure code_training_1day_input sanitization
Cm9 secure code_training_1day_input sanitizationCm9 secure code_training_1day_input sanitization
Cm9 secure code_training_1day_input sanitizationdcervigni
 
CSF18 - Moving from Reactive to Proactive Security - Sami Laiho
CSF18 - Moving from Reactive to Proactive Security - Sami LaihoCSF18 - Moving from Reactive to Proactive Security - Sami Laiho
CSF18 - Moving from Reactive to Proactive Security - Sami LaihoNCCOMMS
 
How can you deliver a secure product
How can you deliver a secure productHow can you deliver a secure product
How can you deliver a secure productMichael Furman
 
Eirtight writing secure code
Eirtight writing secure codeEirtight writing secure code
Eirtight writing secure codeKieran Dundon
 
[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron security[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron securityOWASP
 
Ground Zero Training- Metasploit For Web
Ground Zero Training- Metasploit For WebGround Zero Training- Metasploit For Web
Ground Zero Training- Metasploit For WebNipun Jaswal
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private tokenOWASP
 
Linux Security for Developers
Linux Security for DevelopersLinux Security for Developers
Linux Security for DevelopersMichael Boelen
 
Security-Web Vulnerabilities-Browser Attacks
Security-Web Vulnerabilities-Browser AttacksSecurity-Web Vulnerabilities-Browser Attacks
Security-Web Vulnerabilities-Browser AttacksRaghu Addanki
 
Uniface Web Application Security
Uniface Web Application SecurityUniface Web Application Security
Uniface Web Application SecurityUniface
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanAkash Mahajan
 
Basics of Meterpreter Evasion
Basics of Meterpreter EvasionBasics of Meterpreter Evasion
Basics of Meterpreter EvasionNipun Jaswal
 
Tale of Forgotten Disclosure and Lesson learned
Tale of Forgotten Disclosure and Lesson learnedTale of Forgotten Disclosure and Lesson learned
Tale of Forgotten Disclosure and Lesson learnedAnant Shrivastava
 
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. LtdBeyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. LtdNipun Jaswal
 

Tendances (19)

When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014
 
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?
 
What the fuzz
What the fuzzWhat the fuzz
What the fuzz
 
[OWASP Poland Day] Security knowledge framework
[OWASP Poland Day] Security knowledge framework[OWASP Poland Day] Security knowledge framework
[OWASP Poland Day] Security knowledge framework
 
Cm9 secure code_training_1day_input sanitization
Cm9 secure code_training_1day_input sanitizationCm9 secure code_training_1day_input sanitization
Cm9 secure code_training_1day_input sanitization
 
CSF18 - Moving from Reactive to Proactive Security - Sami Laiho
CSF18 - Moving from Reactive to Proactive Security - Sami LaihoCSF18 - Moving from Reactive to Proactive Security - Sami Laiho
CSF18 - Moving from Reactive to Proactive Security - Sami Laiho
 
How can you deliver a secure product
How can you deliver a secure productHow can you deliver a secure product
How can you deliver a secure product
 
Eirtight writing secure code
Eirtight writing secure codeEirtight writing secure code
Eirtight writing secure code
 
[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron security[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron security
 
Ground Zero Training- Metasploit For Web
Ground Zero Training- Metasploit For WebGround Zero Training- Metasploit For Web
Ground Zero Training- Metasploit For Web
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token
 
Linux Security for Developers
Linux Security for DevelopersLinux Security for Developers
Linux Security for Developers
 
Security-Web Vulnerabilities-Browser Attacks
Security-Web Vulnerabilities-Browser AttacksSecurity-Web Vulnerabilities-Browser Attacks
Security-Web Vulnerabilities-Browser Attacks
 
Uniface Web Application Security
Uniface Web Application SecurityUniface Web Application Security
Uniface Web Application Security
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajan
 
Basics of Meterpreter Evasion
Basics of Meterpreter EvasionBasics of Meterpreter Evasion
Basics of Meterpreter Evasion
 
Software compliance
Software complianceSoftware compliance
Software compliance
 
Tale of Forgotten Disclosure and Lesson learned
Tale of Forgotten Disclosure and Lesson learnedTale of Forgotten Disclosure and Lesson learned
Tale of Forgotten Disclosure and Lesson learned
 
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. LtdBeyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
 

En vedette

Building a Hadoop Powered Commerce Data Pipeline
Building a Hadoop Powered Commerce Data PipelineBuilding a Hadoop Powered Commerce Data Pipeline
Building a Hadoop Powered Commerce Data PipelineDataWorks Summit
 
Evolution of PayPal API Platform at API Meetup
Evolution of PayPal API Platform at API MeetupEvolution of PayPal API Platform at API Meetup
Evolution of PayPal API Platform at API MeetupDeepak Nadig
 
PayPal Decision Management Architecture
PayPal Decision Management ArchitecturePayPal Decision Management Architecture
PayPal Decision Management ArchitecturePradeep Ballal
 
H2O World - Solving Customer Churn with Machine Learning - Julian Bharadwaj
H2O World - Solving Customer Churn with Machine Learning - Julian BharadwajH2O World - Solving Customer Churn with Machine Learning - Julian Bharadwaj
H2O World - Solving Customer Churn with Machine Learning - Julian BharadwajSri Ambati
 
Legal Documentation for Islamic Banking and Finance
Legal Documentation for Islamic Banking and FinanceLegal Documentation for Islamic Banking and Finance
Legal Documentation for Islamic Banking and FinanceMahyuddin Khalid
 
H2O World - Machine Learning at Comcast - Andrew Leamon & Chushi Ren
H2O World - Machine Learning at Comcast - Andrew Leamon & Chushi RenH2O World - Machine Learning at Comcast - Andrew Leamon & Chushi Ren
H2O World - Machine Learning at Comcast - Andrew Leamon & Chushi RenSri Ambati
 
Tabung Haji as Islamic Financial Institutions
Tabung Haji as Islamic Financial InstitutionsTabung Haji as Islamic Financial Institutions
Tabung Haji as Islamic Financial InstitutionsFitri Ishak
 
PayPal Real Time Analytics
PayPal Real Time AnalyticsPayPal Real Time Analytics
PayPal Real Time AnalyticsAnil Madan
 
EAP - Accelerating behavorial analytics at PayPal using Hadoop
EAP - Accelerating behavorial analytics at PayPal using HadoopEAP - Accelerating behavorial analytics at PayPal using Hadoop
EAP - Accelerating behavorial analytics at PayPal using HadoopDataWorks Summit
 
Ctu 351 bab 2 framework of islamic banking
Ctu 351 bab 2 framework of islamic bankingCtu 351 bab 2 framework of islamic banking
Ctu 351 bab 2 framework of islamic bankingNor Ila Che Man
 
MongoDB at eBay
MongoDB at eBayMongoDB at eBay
MongoDB at eBayMongoDB
 
PayPal Digital Marketing Strategy
PayPal Digital Marketing StrategyPayPal Digital Marketing Strategy
PayPal Digital Marketing StrategyShalee Blackmer
 
The Analysis of Alipay
The Analysis of AlipayThe Analysis of Alipay
The Analysis of Alipayabby0531
 
Framework of islamic financial system
Framework of islamic financial systemFramework of islamic financial system
Framework of islamic financial systemAdy Ismail
 
Alipay brings mobile wallet to china's stores
Alipay brings mobile wallet to china's storesAlipay brings mobile wallet to china's stores
Alipay brings mobile wallet to china's storesL'Atelier BNP Paribas
 
Paytm auto taxi training ppt
Paytm auto taxi training pptPaytm auto taxi training ppt
Paytm auto taxi training pptOyster Learning
 
Online Security and Payment System - PayPal
Online Security and Payment System - PayPalOnline Security and Payment System - PayPal
Online Security and Payment System - PayPalgaschan
 

En vedette (20)

Mobile Payments
Mobile PaymentsMobile Payments
Mobile Payments
 
Building a Hadoop Powered Commerce Data Pipeline
Building a Hadoop Powered Commerce Data PipelineBuilding a Hadoop Powered Commerce Data Pipeline
Building a Hadoop Powered Commerce Data Pipeline
 
Paypal-IPN
Paypal-IPNPaypal-IPN
Paypal-IPN
 
Evolution of PayPal API Platform at API Meetup
Evolution of PayPal API Platform at API MeetupEvolution of PayPal API Platform at API Meetup
Evolution of PayPal API Platform at API Meetup
 
PayPal Decision Management Architecture
PayPal Decision Management ArchitecturePayPal Decision Management Architecture
PayPal Decision Management Architecture
 
H2O World - Solving Customer Churn with Machine Learning - Julian Bharadwaj
H2O World - Solving Customer Churn with Machine Learning - Julian BharadwajH2O World - Solving Customer Churn with Machine Learning - Julian Bharadwaj
H2O World - Solving Customer Churn with Machine Learning - Julian Bharadwaj
 
Legal Documentation for Islamic Banking and Finance
Legal Documentation for Islamic Banking and FinanceLegal Documentation for Islamic Banking and Finance
Legal Documentation for Islamic Banking and Finance
 
H2O World - Machine Learning at Comcast - Andrew Leamon & Chushi Ren
H2O World - Machine Learning at Comcast - Andrew Leamon & Chushi RenH2O World - Machine Learning at Comcast - Andrew Leamon & Chushi Ren
H2O World - Machine Learning at Comcast - Andrew Leamon & Chushi Ren
 
Tabung Haji as Islamic Financial Institutions
Tabung Haji as Islamic Financial InstitutionsTabung Haji as Islamic Financial Institutions
Tabung Haji as Islamic Financial Institutions
 
PayPal Real Time Analytics
PayPal Real Time AnalyticsPayPal Real Time Analytics
PayPal Real Time Analytics
 
EAP - Accelerating behavorial analytics at PayPal using Hadoop
EAP - Accelerating behavorial analytics at PayPal using HadoopEAP - Accelerating behavorial analytics at PayPal using Hadoop
EAP - Accelerating behavorial analytics at PayPal using Hadoop
 
Ctu 351 bab 2 framework of islamic banking
Ctu 351 bab 2 framework of islamic bankingCtu 351 bab 2 framework of islamic banking
Ctu 351 bab 2 framework of islamic banking
 
MongoDB at eBay
MongoDB at eBayMongoDB at eBay
MongoDB at eBay
 
PayPal Digital Marketing Strategy
PayPal Digital Marketing StrategyPayPal Digital Marketing Strategy
PayPal Digital Marketing Strategy
 
The Analysis of Alipay
The Analysis of AlipayThe Analysis of Alipay
The Analysis of Alipay
 
Framework of islamic financial system
Framework of islamic financial systemFramework of islamic financial system
Framework of islamic financial system
 
Alipay brings mobile wallet to china's stores
Alipay brings mobile wallet to china's storesAlipay brings mobile wallet to china's stores
Alipay brings mobile wallet to china's stores
 
Lecture 7 financial_engineering
Lecture 7 financial_engineeringLecture 7 financial_engineering
Lecture 7 financial_engineering
 
Paytm auto taxi training ppt
Paytm auto taxi training pptPaytm auto taxi training ppt
Paytm auto taxi training ppt
 
Online Security and Payment System - PayPal
Online Security and Payment System - PayPalOnline Security and Payment System - PayPal
Online Security and Payment System - PayPal
 

Similaire à So Your Company Hired A Pentester

Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
 
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Teemu Tiainen
 
Create code confidence for better application security
Create code confidence for better application securityCreate code confidence for better application security
Create code confidence for better application securityRogue Wave Software
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile WorldDavid Lindner
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application SecurityNicholas Davis
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a DatabaseJohn Ashmead
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Michael Pirnat
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemRogue Wave Software
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecLalit Kale
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Toolscentralohioissa
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSebastien Deleersnyder
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSECSean Whalen
 
It security the condensed version
It security the condensed version It security the condensed version
It security the condensed version Brian Pichman
 
Jonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdfJonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdfJonathan Singer
 
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)Security Innovation
 
Security Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxSecurity Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxAmardeepKumar621436
 

Similaire à So Your Company Hired A Pentester (20)

Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
 
Create code confidence for better application security
Create code confidence for better application securityCreate code confidence for better application security
Create code confidence for better application security
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application Security
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Tools
 
Software Security and IDS.pptx
Software Security and IDS.pptxSoftware Security and IDS.pptx
Software Security and IDS.pptx
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSEC
 
It security the condensed version
It security the condensed version It security the condensed version
It security the condensed version
 
Jonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdfJonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdf
 
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
 
Security Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxSecurity Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptx
 

Plus de NorthBayWeb

The laws & the internets, Chris Stoll
The laws & the internets, Chris StollThe laws & the internets, Chris Stoll
The laws & the internets, Chris StollNorthBayWeb
 
Content Strategy: A Road Map For Delivering Better Websites
Content Strategy: A Road Map For Delivering Better WebsitesContent Strategy: A Road Map For Delivering Better Websites
Content Strategy: A Road Map For Delivering Better WebsitesNorthBayWeb
 
Michael Slater Mobile Opportunity
Michael Slater Mobile OpportunityMichael Slater Mobile Opportunity
Michael Slater Mobile OpportunityNorthBayWeb
 
Modern Web Design & Development Workflow: Ben Klocek
Modern Web Design & Development Workflow: Ben KlocekModern Web Design & Development Workflow: Ben Klocek
Modern Web Design & Development Workflow: Ben KlocekNorthBayWeb
 
Michael Slater High Technology
Michael Slater High TechnologyMichael Slater High Technology
Michael Slater High TechnologyNorthBayWeb
 
Melissa Crain Design Deliverables & A Dose Of Inspiration
Melissa Crain Design Deliverables & A Dose Of InspirationMelissa Crain Design Deliverables & A Dose Of Inspiration
Melissa Crain Design Deliverables & A Dose Of InspirationNorthBayWeb
 
Cole Geissinger Development Talk
Cole Geissinger Development TalkCole Geissinger Development Talk
Cole Geissinger Development TalkNorthBayWeb
 
Cole melissa - design & development
Cole melissa - design & developmentCole melissa - design & development
Cole melissa - design & developmentNorthBayWeb
 

Plus de NorthBayWeb (8)

The laws & the internets, Chris Stoll
The laws & the internets, Chris StollThe laws & the internets, Chris Stoll
The laws & the internets, Chris Stoll
 
Content Strategy: A Road Map For Delivering Better Websites
Content Strategy: A Road Map For Delivering Better WebsitesContent Strategy: A Road Map For Delivering Better Websites
Content Strategy: A Road Map For Delivering Better Websites
 
Michael Slater Mobile Opportunity
Michael Slater Mobile OpportunityMichael Slater Mobile Opportunity
Michael Slater Mobile Opportunity
 
Modern Web Design & Development Workflow: Ben Klocek
Modern Web Design & Development Workflow: Ben KlocekModern Web Design & Development Workflow: Ben Klocek
Modern Web Design & Development Workflow: Ben Klocek
 
Michael Slater High Technology
Michael Slater High TechnologyMichael Slater High Technology
Michael Slater High Technology
 
Melissa Crain Design Deliverables & A Dose Of Inspiration
Melissa Crain Design Deliverables & A Dose Of InspirationMelissa Crain Design Deliverables & A Dose Of Inspiration
Melissa Crain Design Deliverables & A Dose Of Inspiration
 
Cole Geissinger Development Talk
Cole Geissinger Development TalkCole Geissinger Development Talk
Cole Geissinger Development Talk
 
Cole melissa - design & development
Cole melissa - design & developmentCole melissa - design & development
Cole melissa - design & development
 

Dernier

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 

Dernier (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 

So Your Company Hired A Pentester

  • 1.
  • 2. The contents of this talk are my own personal research and training. FishNet Security has no affiliation with this talk and can not be held responsible for any of its contents. As such it should not be seen as marketing or any other from of public interaction by FishNet Security.
  • 3. No Really! Don‟t Panic!
  • 4.
  • 5. Facebook WordPress
  • 6. • The Internet is BIG • No, no no The Internet is REALLY REALLY BIG • To go along with this really big internet we have a really big Codebase • To add to this really big codebase, just like we learned in our first programming class there are a thousand ways to do just about anything . • Risk Assessment is more about hardening your web app or site to common attacks than uncommon attacks that target your unique situation. • Now you must be thinking what's a low hanging fruit?
  • 7. • OWASP top Ten • OWASP is the open Web Application Security Project. • Every few years they put out a report of the top ten vulnerabilities found on the internet. • They Also have some great tools for testing your Web Applications. • If you want an Idea of how to prepare for a Security Audit OWASP is a great resource.
  • 8.
  • 9. Injection means… • Tricking an application into including unintended commands in the data sent to an interpreter SQL injection is still quite common • Many applications still susceptible (really don‟t know why) • Even though it‟s usually very simple to avoid Typical Impact • Usually severe. Entire database can usually be read or modified • May also allow full database schema, or account access, or even OS level access
  • 10.  Recommendations 1. Avoid the interpreter entirely, or 2. Use an interface that supports bind variables (e.g., prepared statements, or stored procedures),  Bind variables allow the interpreter to distinguish between code and data 3. Encode all user input before passing it to the interpreter  Always perform „white list‟ input validation on all user supplied input  Always minimize database privileges to reduce the impact of a flaw
  • 11. Occurs any time… • Raw data from attacker is sent to an innocent user‟s browser Typical Impact • Steal user‟s session, steal sensitive data, rewrite web page, redirect user to phishing or malware site • Most Severe: Install XSS proxy which allows attacker to observe and direct all user‟s behavior on vulnerable site and force user to other sites
  • 12.  Recommendations  Eliminate Flaw  Don‟t include user supplied input in the output page  Defend Against the Flaw  Primary Recommendation: Output encode all user supplied input  Perform „white list‟ input validation on all user input to be included in page  For large chunks of user supplied HTML, use HTML sanitization to sanitize all HTML and make it safe
  • 13. Web applications rely on a secure foundation •Everywhere from the OS up through the App Server •Don‟t forget all the libraries you are using!! Is your source code a secret? •Think of all the places your source code goes •Security should not require secret source code CM must extend to all parts of the application •All credentials should change in production Typical Impact •Install backdoor through missing OS or server patch •XSS flaw exploits due to missing application framework patches •Unauthorized access to default accounts, application functionality or data, or unused but accessible functionality due to poor server configuration
  • 14.  Verify your system‟s configuration management  Secure configuration “hardening” guideline  Automation is REALLY USEFUL here  Must cover entire platform and application  Keep up with patches for ALL components  This includes software libraries, not just OS and Server applications  Analyze security effects of changes  Can you “dump” the application configuration  Build reporting into your process  If you can‟t verify it, it isn‟t secure  Verify the implementation  Scanning finds generic configuration and missing patch problems
  • 15. PKI VPN SSH/SFTP SSL
  • 16.
  • 17. Does •Third Party Authentication •PKI encryption •Keeps the conversation between the client and the host Does Not •Protect the client from malware snooping or interference •Remove malicious code. Why Its not standard •Encryption is process heavy •The internet is old When you should use it. •Always… •When dynamic code is used •At least when logins are in use anywhere on the site.
  • 18. Does •PKI encryption •Keeps the conversation between the client and the host Does Not •Protect the client from malware snooping or interference •Remove malicious code. Why Its not standard •Encryption is process heavy •The internet is old When you should use it. •Always… •When dynamic code is used •At least when logins are in use anywhere on the site.
  • 19. Does •PKI encryption •Connects to your server for quick secure file management •Allows you to issue commands to your server Does Not •Help the Client •Provide any code sanitization What It Replaces •FTP •God forbid Telnet When You Should Use It. •Anytime you connect to your server •All File transfer for source code •Editing any source on host
  • 20. Email: carlton.sue@fishnetsecurity.com Twitter: @iamcobolt Web: http://www.fishnetsecurity.com/Blogs Personal: http://www.carlsue.com • https://www.owasp.org • Web Application Hackers Handbook • The Tangled Web – No Starch Press • SQL Injection Attacks and Defense Thanks For Having Me!