Securing Custom Web Apps as an Entry to Internal Networks
Uploaded by Trish McGinity, CCSK (original file: Andrew Useckas Csa presentation hacking custom webapps 4 3). Category: Technology. 15 slides.
1.
www.cloudsecurityalliance.org
Custom web applications as a way into your internal network
Andrew Useckas
Copyright © 2016 Cloud Security Alliance
2.
www.cloudsecurityalliance.org Copyright © 2011 / Copyright © 2015 Cloud Security Alliance
Introduction
• Securing custom web applications is more challenging than most people realize:
- Security is often overlooked during design and development
- As soon as the site is reachable from the internet (indexed by a search engine, or simply found by mass scanners), it is exposed to hacks, attacks, and full-blown assaults from anywhere in the world
- There is big money in hacking, and web applications are seen as an easy target with the potential to be used as a jump board into the internal network or a private customer cloud
- There is no "security patch" for custom web apps (unlike infrastructure, where the vendor ships one)
• It is simply not as difficult to compromise a web application as most people think
- You do not have to be a hacking wiz to exploit most badly written apps; there are plenty of tools out there to help you do it
3.
About Me
• CTO at Threat X, working on a new approach to web application security.
• Over 15 years of experience in penetration testing / ethical hacking.
• Author and architect of multiple security sensors.
• Consulted for multiple enterprises on technical and compliance aspects of security.
4.
Agenda
• Basic overview of the hacker's mindset.
• Overview of the currently most popular security measures.
• Web application attacks:
- Authentication
- Session management
- Access controls
- Client-side checks
- Server-side checks
5.
Who is the target?
• According to the Verizon 2016 DBIR report:
- 40% of confirmed breaches were web app attacks.
- 95% of confirmed web app breaches were financially motivated.
- Top industries attacked: Finance, Information, Retail.
- A higher percentage of these breaches ended in confirmed data disclosure, as security measures are lacking.
• Botnets do not pick targets by size, so "is my company too small to be attacked?" is the wrong question.
• "My perimeter is secure; we run quarterly scans." A scan of the perimeter says nothing about the logic of the application behind it.
6.
The wild west of web apps
• Security is often an afterthought; time to market is more important than security.
• Developer education on safe coding techniques is lacking.
• A traditional Layer 3 firewall does nothing for web app security: the attack arrives on the port the firewall has to allow.
• IDS / IPS systems do very little, as their focus is on network-level signatures rather than application logic.
• New cipher suites use ephemeral keys (forward secrecy), so a passive sensor holding the server's private key can no longer decrypt and examine the flows at the edge (no more decryption in passive sensors).
• Piping all the logs to a SIEM tool may overwhelm the administrators.
• Most of these tools are useless in a cloud deployment model.
7.
Tools
• Browser: Firefox
• Intercepting proxy: Burp Suite
• SQLMap
• Target app: BodgeIt Store (originally hosted on Google Code)
8.
Authentication
• Login forms are often the first thing a hacker will try to break.
• Common issues:
- Weak or default passwords
- Default pages left in place
- Guessable protected URIs
- Navigation tree leaks in JS
- Lack of proper server-side sanitization
9.
Session Management
• Sessions are used to track users after login; they are the first line of defense once authentication has passed.
• Common attacks:
- Session hijacking
- Missing idle session timeouts
- Session riding (CSRF)
- Cookie manipulation
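A minimal server-side session store that implements the controls the attack list above calls for: an idle-session timeout, rotation of the session ID at login (so a pre-authentication ID an attacker planted or sniffed is worthless afterwards), cookie flags that keep the ID away from injected script and cleartext transport, and a per-session synchronizer token on state-changing requests, which is the defense against session riding. This is an added example, not code from the deck or from Threat X; the store, the `FakeClock`, the 15-minute policy value and the `handle_transfer` endpoint are assumptions made for illustration.

```python
# Added example (not from the CSA deck): a tiny session store with the
# controls the attack list calls for. Policy value, clock and endpoint
# are invented for illustration.
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session dies (assumed policy)


@dataclass
class Session:
    user: Optional[str]      # None until the user has authenticated
    csrf_token: str          # synchronizer token, unique per session
    last_seen: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock                  # injectable so the timeout is testable
        self._sessions: dict[str, Session] = {}

    def create(self, user: Optional[str] = None) -> str:
        """Issue an unguessable session id (256 bits from the OS CSPRNG)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, secrets.token_urlsafe(32), self._clock())
        return sid

    def login(self, old_sid: str, user: str) -> str:
        """Rotate the id at the privilege change: whoever knew the old id
        (session fixation, or a hijacked pre-auth cookie) gets nothing."""
        self._sessions.pop(old_sid, None)
        return self.create(user)

    def lookup(self, sid: str) -> Optional[Session]:
        """Return the live session, enforcing the idle timeout on every access."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]          # expired: forget it server-side
            return None
        s.last_seen = now                    # activity extends the window
        return s

    def verify_csrf(self, sid: str, submitted: Optional[str]) -> bool:
        """Token must match the one bound to this session; constant-time compare."""
        s = self.lookup(sid)
        if s is None or s.user is None or submitted is None:
            return False
        return hmac.compare_digest(s.csrf_token, submitted)


def set_cookie_header(sid: str) -> str:
    """HttpOnly keeps the id away from injected script, Secure keeps it off
    cleartext links, SameSite=Lax stops most cross-site POSTs carrying it."""
    return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def handle_transfer(store: SessionStore, cookie_sid: str, form: dict) -> int:
    """A state-changing POST (hypothetical endpoint). A cross-site form post
    sends the cookie automatically but cannot read the token, so it fails."""
    if not store.verify_csrf(cookie_sid, form.get("csrf_token")):
        return 403
    return 200


class FakeClock:
    """Controllable clock so the idle timeout can be exercised without waiting."""
    def __init__(self, now: float) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock(1_000.0)
    store = SessionStore(clock)
    anon = store.create()                        # pre-login session
    sid = store.login(anon, "alice")             # id rotated here
    token = store.lookup(sid).csrf_token
    print(set_cookie_header(sid))
    print("old id after login:", store.lookup(anon))
    print("POST without token:", handle_transfer(store, sid, {"amount": "10"}))
    print("POST with token:", handle_transfer(store, sid, {"amount": "10", "csrf_token": token}))
    clock.advance(IDLE_TIMEOUT + 1)
    print("after idle timeout:", store.lookup(sid))
```

The expiry is enforced on the server, on every lookup; a cookie `Expires` attribute alone does nothing against a hijacker who already holds the ID. Cookie manipulation from the slide's list is what the opaque random ID addresses: there is nothing in the cookie to tamper with, only a key into server-side state.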
10.
Access Controls
• Defective access controls are typically abused after the initial penetration, to widen it.
• Hidden information in HTML
• Information leaks through JS
• Horizontal privilege escalation (one user reaching another user's data)
• Vertical privilege escalation (a user reaching administrator functions)
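The two escalation paths on this slide, each in its insecure and its enforced form, together with the "navigation tree leaks in JS" point from the Authentication slide: routes an attacker can read out of a front-end bundle are not secrets, so every one of them needs its own server-side authorization check. This is an added example, not code from the deck or from BodgeIt; the users, invoices, route names and the JavaScript snippet are constructed.

```python
# Added example (not from the CSA deck): the two escalation paths on the
# slide, the insecure and the enforced version of each, plus a look at what
# a front-end bundle gives away. Users, invoices and the JS are constructed.
from __future__ import annotations

import re
from typing import Any, Callable

USERS = {"alice": {"role": "user"}, "bob": {"role": "user"}, "root": {"role": "admin"}}
INVOICES = {101: {"owner": "alice", "total": 42.0}, 102: {"owner": "bob", "total": 13.5}}

# Constructed bundle: the admin route is "hidden" only in the sense that the
# menu entry is not rendered for non-admins. Anyone can read it out of the JS.
FRONTEND_JS = """
const routes = {home: "/app/home", invoice: "/app/invoice/", admin: "/app/admin/users"};
if (user.role === "admin") { showMenu(routes.admin); }   // client-side gate only
"""


def leaked_routes(js: str) -> list[str]:
    """Harvest application paths from a JS bundle: the navigation tree leak."""
    return sorted(set(re.findall(r'"(/app/[^"]*)"', js)))


class Forbidden(Exception):
    pass


def get_invoice_insecure(caller: str, invoice_id: int) -> dict:
    """Horizontal escalation: any logged-in user reads any invoice by id."""
    return INVOICES[invoice_id]


def get_invoice(caller: str, invoice_id: int) -> dict:
    """Ownership check on the server, keyed on the authenticated caller, not on
    anything the client sent. Missing and not-yours get the same answer, so
    the endpoint cannot be used as an oracle for valid ids."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != caller:
        raise Forbidden(f"{caller} may not read invoice {invoice_id}")
    return inv


def admin_users_insecure(caller: str) -> list[str]:
    """Vertical escalation: trusts that non-admins never see the menu entry."""
    return sorted(USERS)


def admin_users(caller: str) -> list[str]:
    """Role check on every admin route, whether or not the UI links to it."""
    if USERS.get(caller, {}).get("role") != "admin":
        raise Forbidden(f"{caller} is not an admin")
    return sorted(USERS)


def allowed(fn: Callable[..., Any], *args: Any) -> bool:
    """True if the call succeeds, False if the access check rejects it."""
    try:
        fn(*args)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print("routes in bundle:", leaked_routes(FRONTEND_JS))
    print("bob reads alice's invoice (insecure):", get_invoice_insecure("bob", 101))
    print("bob reads alice's invoice (checked):", allowed(get_invoice, "bob", 101))
    print("alice lists users (insecure):", admin_users_insecure("alice"))
    print("alice lists users (checked):", allowed(admin_users, "alice"))
    print("root lists users (checked):", allowed(admin_users, "root"))
```

The pattern to take from the checked versions is that the decision uses only the caller identity established by the session and the server-side record of who owns what; nothing from the URL, a hidden form field or a cookie value is trusted for authorization.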
11.
Client-Side Checks
• Validation of input fields before they are passed to the server
• Usually implemented in JS
• Easily bypassed with an intercepting proxy, which lets the attacker edit the request after the browser-side checks have already run
12.
Server-Side Checks
• The server side is usually talking to a database engine such as MySQL.
• User input can be passed to the backend scripts without proper validation, resulting in backend attacks such as SQL injection (SQLi).
• SQLi can be used to:
- Bypass authentication controls
- Bypass access controls
- Execute full database dumps
- Write script files to the remote file system; the scripts can then be executed from the browser, giving an attacker shell access to the remote system
13.
Further Exploits
• It is possible to upload server-side scripts via backends such as MySQL.
• Scripts can then be executed from the browser, giving shell access.
• Sample injection (the injected SELECT writes a one-line JSP web shell into the web root; on MySQL this needs the FILE privilege, a directory the database process may write to that secure_file_priv does not block, and a web server that serves and executes that path):
UNION SELECT '<%Runtime.getRuntime().exec(request.getParameter("cmd"));%>',null INTO OUTFILE '/some/webdir/dir/cmd.jsp'
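The login query from the last three slides built two ways: concatenated from the request, as a badly written app does, and parameterized behind a server-side copy of the validation rule that the client-side JS already "enforced". sqlite3 stands in for the MySQL engine named on the slide; the injected SQL is the same, but MySQL's INTO OUTFILE file write from the sample above has no sqlite equivalent and is not reproduced. This is an added example, not code from the deck or from BodgeIt; the schema, rows, credentials and payloads are constructed.

```python
# Added example (not from the CSA deck or BodgeIt): the same login handler
# built insecurely and securely. sqlite3 stands in for MySQL; schema, rows
# and payloads are constructed. Passwords are stored in clear only to keep
# the injection visible; a real app stores a slow hash.
import re
import sqlite3
from typing import Optional, Tuple

Row = Optional[Tuple[str, str]]


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT);
        INSERT INTO users(username, password, role)
            VALUES ('admin', 'Tr0ub4dor&3', 'admin'), ('alice', 'hunter2', 'user');
        CREATE TABLE cards(id INTEGER PRIMARY KEY, owner TEXT, number TEXT);
        INSERT INTO cards(owner, number) VALUES ('alice', '4111111111111111');
    """)
    return con


def login_insecure(con: sqlite3.Connection, username: str, password: str) -> Row:
    """Query assembled from the request. The browser-side JS that limits the
    field to letters and digits never ran on this input: the request was
    edited in the intercepting proxy after the page's checks."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username='{username}' AND password='{password}'")
    return con.execute(sql).fetchone()


# Server-side copy of the client-side rule: the only copy the attacker cannot skip.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def login_secure(con: sqlite3.Connection, username: str, password: str) -> Row:
    """Validate on the server, then bind values as parameters so they can
    never become SQL, whatever they contain."""
    if not USERNAME_RE.fullmatch(username):
        return None
    return con.execute(
        "SELECT username, role FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()


# Payloads of the kind the slide lists. With fetchone() the handler logs in
# whoever the first returned row names.
BYPASS_AUTH = "admin'--"                                    # comments out the password check
DUMP_CARDS = "' UNION SELECT owner, number FROM cards--"    # pulls another table through the login


if __name__ == "__main__":
    con = build_db()
    print("bypass auth   :", login_insecure(con, BYPASS_AUTH, "anything"))
    print("dump via UNION:", login_insecure(con, DUMP_CARDS, "anything"))
    print("same, secure  :", login_secure(con, BYPASS_AUTH, "anything"),
          login_secure(con, DUMP_CARDS, "anything"))
    print("real login    :", login_secure(con, "alice", "hunter2"))
```

The UNION payload is the authentication bypass and the data dump from the slide in one request: the login row set is empty, so the row that comes back is whatever the attacker selected from another table. The fourth item on the slide, writing a script with INTO OUTFILE, is cut off at a different layer than parameterization: run the application's database account without the FILE privilege and keep secure_file_priv set, so even a successful injection cannot reach the file system.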
14.
Parting Recommendations
• Secure development and QA
• Next-generation web application firewall
• Pen testing
15.
References
• Verizon DBIR report: http://www.verizonenterprise.com/verizon-insights-lab/dbir/
Presenter notes
40 mins.