SlideShare une entreprise Scribd logo

Securing Custom Web Apps as an Entry to Internal Networks

Télécharger en tant que PPTX, PDF
T
Trish McGinity, CCSK

Andrew Useckas Csa presentation hacking custom webapps 4 3

Technologie
1  sur  15
www.cloudsecurityalliance.org Custom web applications as a way into your internal network Andrew Useckas Copyright © 2016 Cloud Security Alliance
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Introduction • Securing custom web applications is more challenging than most people realize: - Security is often overlooked during design and development - As long as the site is indexed by at least one search engine, it is exposed to hacks, attacks, and full-blown assaults from anywhere in the world - There’s big money in hacking and web applications are seen as an easy target with potential to use them as a jump board to the internal network or private customer cloud - No “security patch” for custom WebApps (vs. infrastructure) • It’s simply not as difficult to compromise a web application as most people think - You don’t have to be a hacking wiz to exploit most badly written apps – there are plenty of tools out there to help you do it
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance About Me • CTO at Threat X working on a new approach to Web Application security. • Over 15 years of experience in penetration testing / ethical hacking. • Author and architect of multiple security sensors. • Consulted for multiple enterprises in technical and compliance aspects of security.
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Agenda • Basic overview of hacker’s mindset. • Overview of most currently popular security measures. • Web Application Attacks • Authentication • Session Management • Access Controls • Client Side checks • Server Side checks
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Who is the target? • According to Verizon 2016 DBIR Report: • 40% of confirmed breaches were Web App Attacks. • 95% of confirmed WebApp breaches financially motivated. • Top Industries attacked: Finance, Information, Retail. • Higher percentage of confirmed data disclosure as security measures are lacking. • Botnets. Is my company too small to be attacked? • My perimeter is secure – we run quarterly scans.
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance The wild west of WebApps • Security is often an afterthought. Time to market is more important than security. • Developer education on safe coding techniques is lacking. • Traditional Layer 3 firewall does nothing for WebApp Security. • IDS / IPS systems do very little as the focus is more on the network applications. • New ciphers use ephemeral keys making it harder to decrypt and examine the flows at the edge (no more decryption in passive sensors). • Piping all the logs to a SIEM tool may overwhelm the administrators. • Most of these tools are useless in a cloud deployment model.
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Tools • Browser – Firefox • Intercepting Proxy – Burpsuite • SQLMap • Target apps – Bodgeit from Google
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Authentication • Login forms are often the first thing a hacker will try to break. • Common issues: • Weak or default passwords • Default pages • Guessable protected URIs • Navigation tree leaks in JS • Lack of proper server side sanitization
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Session Management • Sessions are used to track users • First line of defense • Common attacks • Session hijacking • Missing idle session timeouts • Session riding (CSRF) • Cookie manipulation
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Access Controls • Defective access controls are often used after the initial penetration. • Hidden information in HTML • Information leaks through JS • Horizontal privilege escalation • Vertical privilege escalation
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Client Side Checks • Validation of input fields before they are passed to the server • Usually based on JS • Can be easily bypassed with transparent proxy
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Server Side Checks • Server side usually talking to a database engine such as MySql. • User input can be passed to the backend scripts without proper validation, resulting in the backend attacks such as SQL injection (SQLi). • SQLi can be used to • Bypass authentication controls • Bypass access controls • Execute full database dumps • Write script files to the remote file system. Scripts can then be executed from the browser giving an attacker shell access to the remote system
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Further Exploits • It is possible to upload server side scripts via backends such as MySQL. • Scripts can then be executed from the browser giving shell access. • Sample injection: UNION SELECT '<%Runtime.getRuntime().exec(request.getParameter("cmd"));%>',null INTO OUTFILE '/some/webdir/dir/cmd.jsp'
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Parting Recommendations • Secure development and QA • Next-generation Web Application Firewall • Pen testing
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance References • Verizon DBIR report: http://www.verizonenterprise.com/verizon-insights- lab/dbir/

Recommandé

The cyber house of horrors - securing the expanding attack surface
The cyber house of horrors - securing the expanding attack surfaceThe cyber house of horrors - securing the expanding attack surface
The cyber house of horrors - securing the expanding attack surfaceJason Bloomberg
 
Web Application Firewall - Web Application & Web Services Security integrated...
Web Application Firewall - Web Application & Web Services Security integrated...Web Application Firewall - Web Application & Web Services Security integrated...
Web Application Firewall - Web Application & Web Services Security integrated...Thomas Malmberg
 
Why Network and Endpoint Security Isn’t Enough
Why Network and Endpoint Security Isn’t EnoughWhy Network and Endpoint Security Isn’t Enough
Why Network and Endpoint Security Isn’t EnoughImperva
 
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...centralohioissa
 
The Non-Advanced Persistent Threat
The Non-Advanced Persistent ThreatThe Non-Advanced Persistent Threat
The Non-Advanced Persistent ThreatImperva
 
Mitigating the Top 5 Cloud Security Threats
Mitigating the Top 5 Cloud Security ThreatsMitigating the Top 5 Cloud Security Threats
Mitigating the Top 5 Cloud Security ThreatsBitglass
 
SecureSphere ThreatRadar: Improve Security Team Productivity and Focus
SecureSphere ThreatRadar: Improve Security Team Productivity and FocusSecureSphere ThreatRadar: Improve Security Team Productivity and Focus
SecureSphere ThreatRadar: Improve Security Team Productivity and FocusImperva
 
All your files now belong to us
All your files now belong to usAll your files now belong to us
All your files now belong to usPeter Wood
 

Recommandé

The cyber house of horrors - securing the expanding attack surface
The cyber house of horrors - securing the expanding attack surfaceThe cyber house of horrors - securing the expanding attack surface
The cyber house of horrors - securing the expanding attack surfaceJason Bloomberg
 
Web Application Firewall - Web Application & Web Services Security integrated...
Web Application Firewall - Web Application & Web Services Security integrated...Web Application Firewall - Web Application & Web Services Security integrated...
Web Application Firewall - Web Application & Web Services Security integrated...Thomas Malmberg
 
Why Network and Endpoint Security Isn’t Enough
Why Network and Endpoint Security Isn’t EnoughWhy Network and Endpoint Security Isn’t Enough
Why Network and Endpoint Security Isn’t EnoughImperva
 
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...centralohioissa
 
The Non-Advanced Persistent Threat
The Non-Advanced Persistent ThreatThe Non-Advanced Persistent Threat
The Non-Advanced Persistent ThreatImperva
 
Mitigating the Top 5 Cloud Security Threats
Mitigating the Top 5 Cloud Security ThreatsMitigating the Top 5 Cloud Security Threats
Mitigating the Top 5 Cloud Security ThreatsBitglass
 
SecureSphere ThreatRadar: Improve Security Team Productivity and Focus
SecureSphere ThreatRadar: Improve Security Team Productivity and FocusSecureSphere ThreatRadar: Improve Security Team Productivity and Focus
SecureSphere ThreatRadar: Improve Security Team Productivity and FocusImperva
 
All your files now belong to us
All your files now belong to usAll your files now belong to us
All your files now belong to usPeter Wood
 
An Inside Look at a Sophisticated, Multi-vector DDoS Attack
An Inside Look at a Sophisticated, Multi-vector DDoS AttackAn Inside Look at a Sophisticated, Multi-vector DDoS Attack
An Inside Look at a Sophisticated, Multi-vector DDoS AttackImperva
 
Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015Alert Logic
 
Why current security solutions fail
Why current security solutions failWhy current security solutions fail
Why current security solutions failDaveEdwards12
 
More databases. More hackers.
More databases. More hackers.More databases. More hackers.
More databases. More hackers.Imperva
 
Top Five Security Must-Haves for Office 365
Top Five Security Must-Haves for Office 365Top Five Security Must-Haves for Office 365
Top Five Security Must-Haves for Office 365Imperva
 
Security O365 Using AI-based Advanced Threat Protection
Security O365 Using AI-based Advanced Threat ProtectionSecurity O365 Using AI-based Advanced Threat Protection
Security O365 Using AI-based Advanced Threat ProtectionBitglass
 
Trust No One - Zero Trust on the Akamai Platform
Trust No One - Zero Trust on the Akamai PlatformTrust No One - Zero Trust on the Akamai Platform
Trust No One - Zero Trust on the Akamai PlatformElisabeth Bitsch-Christensen
 
Shared Security Responsibility in the AWS Public Cloud
Shared Security Responsibility in the AWS Public CloudShared Security Responsibility in the AWS Public Cloud
Shared Security Responsibility in the AWS Public CloudAlert Logic
 
What's Wrong with Vulnerability Management & How Can We Fix It
What's Wrong with Vulnerability Management & How Can We Fix ItWhat's Wrong with Vulnerability Management & How Can We Fix It
What's Wrong with Vulnerability Management & How Can We Fix ItSkybox Security
 
Man in the Cloud Attacks
Man in the Cloud AttacksMan in the Cloud Attacks
Man in the Cloud AttacksImperva
 
Extend Enterprise Application-level Security to Your AWS Environment
Extend Enterprise Application-level Security to Your AWS EnvironmentExtend Enterprise Application-level Security to Your AWS Environment
Extend Enterprise Application-level Security to Your AWS EnvironmentImperva
 
The State of Application Security: Hackers On Steroids
The State of Application Security: Hackers On SteroidsThe State of Application Security: Hackers On Steroids
The State of Application Security: Hackers On SteroidsImperva
 
5 Steps to Reduce Your Window of Vulnerability
5 Steps to Reduce Your Window of Vulnerability5 Steps to Reduce Your Window of Vulnerability
5 Steps to Reduce Your Window of VulnerabilitySkybox Security
 
Zero trust in a hybrid architecture
Zero trust in a hybrid architectureZero trust in a hybrid architecture
Zero trust in a hybrid architectureHybrid IT Europe
 
Micro-Segmentation for Data Centers - Without Using Internal Firewalls
Micro-Segmentation for Data Centers - Without Using Internal FirewallsMicro-Segmentation for Data Centers - Without Using Internal Firewalls
Micro-Segmentation for Data Centers - Without Using Internal FirewallsColorTokens Inc
 
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...Digital Bond
 
The Top 10 Most Common Weaknesses in Serverless Applications 2018
The Top 10 Most Common Weaknesses in Serverless Applications 2018The Top 10 Most Common Weaknesses in Serverless Applications 2018
The Top 10 Most Common Weaknesses in Serverless Applications 2018PureSec
 
Network Security Best Practices - Reducing Your Attack Surface
Network Security Best Practices - Reducing Your Attack SurfaceNetwork Security Best Practices - Reducing Your Attack Surface
Network Security Best Practices - Reducing Your Attack SurfaceSkybox Security
 
CyberArk Cleveland Defend End Point Infection and Lateral Movement
CyberArk Cleveland Defend End Point Infection and Lateral MovementCyberArk Cleveland Defend End Point Infection and Lateral Movement
CyberArk Cleveland Defend End Point Infection and Lateral MovementChad Bowerman
 
Bil Harmer - Myths of Cloud Security Debunked!
Bil Harmer - Myths of Cloud Security Debunked!Bil Harmer - Myths of Cloud Security Debunked!
Bil Harmer - Myths of Cloud Security Debunked!centralohioissa
 
I Love Linux - Pawel Zorzan Urban & Bocelli Davide
I Love Linux - Pawel Zorzan Urban & Bocelli DavideI Love Linux - Pawel Zorzan Urban & Bocelli Davide
I Love Linux - Pawel Zorzan Urban & Bocelli DavidePawel Zorzan Urban
 
Salomon 7e
Salomon 7eSalomon 7e
Salomon 7eIE Simona Duque
 

Contenu connexe

Tendances

An Inside Look at a Sophisticated, Multi-vector DDoS Attack
An Inside Look at a Sophisticated, Multi-vector DDoS AttackAn Inside Look at a Sophisticated, Multi-vector DDoS Attack
An Inside Look at a Sophisticated, Multi-vector DDoS AttackImperva
 
Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015Alert Logic
 
Why current security solutions fail
Why current security solutions failWhy current security solutions fail
Why current security solutions failDaveEdwards12
 
More databases. More hackers.
More databases. More hackers.More databases. More hackers.
More databases. More hackers.Imperva
 
Top Five Security Must-Haves for Office 365
Top Five Security Must-Haves for Office 365Top Five Security Must-Haves for Office 365
Top Five Security Must-Haves for Office 365Imperva
 
Security O365 Using AI-based Advanced Threat Protection
Security O365 Using AI-based Advanced Threat ProtectionSecurity O365 Using AI-based Advanced Threat Protection
Security O365 Using AI-based Advanced Threat ProtectionBitglass
 
Shared Security Responsibility in the AWS Public Cloud
Shared Security Responsibility in the AWS Public CloudShared Security Responsibility in the AWS Public Cloud
Shared Security Responsibility in the AWS Public CloudAlert Logic
 
What's Wrong with Vulnerability Management & How Can We Fix It
What's Wrong with Vulnerability Management & How Can We Fix ItWhat's Wrong with Vulnerability Management & How Can We Fix It
What's Wrong with Vulnerability Management & How Can We Fix ItSkybox Security
 
Man in the Cloud Attacks
Man in the Cloud AttacksMan in the Cloud Attacks
Man in the Cloud AttacksImperva
 
Extend Enterprise Application-level Security to Your AWS Environment
Extend Enterprise Application-level Security to Your AWS EnvironmentExtend Enterprise Application-level Security to Your AWS Environment
Extend Enterprise Application-level Security to Your AWS EnvironmentImperva
 
The State of Application Security: Hackers On Steroids
The State of Application Security: Hackers On SteroidsThe State of Application Security: Hackers On Steroids
The State of Application Security: Hackers On SteroidsImperva
 
5 Steps to Reduce Your Window of Vulnerability
5 Steps to Reduce Your Window of Vulnerability5 Steps to Reduce Your Window of Vulnerability
5 Steps to Reduce Your Window of VulnerabilitySkybox Security
 
Zero trust in a hybrid architecture
Zero trust in a hybrid architectureZero trust in a hybrid architecture
Zero trust in a hybrid architectureHybrid IT Europe
 
Micro-Segmentation for Data Centers - Without Using Internal Firewalls
Micro-Segmentation for Data Centers - Without Using Internal FirewallsMicro-Segmentation for Data Centers - Without Using Internal Firewalls
Micro-Segmentation for Data Centers - Without Using Internal FirewallsColorTokens Inc
 
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...Digital Bond
 
The Top 10 Most Common Weaknesses in Serverless Applications 2018
The Top 10 Most Common Weaknesses in Serverless Applications 2018The Top 10 Most Common Weaknesses in Serverless Applications 2018
The Top 10 Most Common Weaknesses in Serverless Applications 2018PureSec
 
Network Security Best Practices - Reducing Your Attack Surface
Network Security Best Practices - Reducing Your Attack SurfaceNetwork Security Best Practices - Reducing Your Attack Surface
Network Security Best Practices - Reducing Your Attack SurfaceSkybox Security
 
CyberArk Cleveland Defend End Point Infection and Lateral Movement
CyberArk Cleveland Defend End Point Infection and Lateral MovementCyberArk Cleveland Defend End Point Infection and Lateral Movement
CyberArk Cleveland Defend End Point Infection and Lateral MovementChad Bowerman
 
Bil Harmer - Myths of Cloud Security Debunked!
Bil Harmer - Myths of Cloud Security Debunked!Bil Harmer - Myths of Cloud Security Debunked!
Bil Harmer - Myths of Cloud Security Debunked!centralohioissa
 

Tendances (20)

An Inside Look at a Sophisticated, Multi-vector DDoS Attack
An Inside Look at a Sophisticated, Multi-vector DDoS AttackAn Inside Look at a Sophisticated, Multi-vector DDoS Attack
An Inside Look at a Sophisticated, Multi-vector DDoS Attack
 
Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015
 
Why current security solutions fail
Why current security solutions failWhy current security solutions fail
Why current security solutions fail
 
More databases. More hackers.
More databases. More hackers.More databases. More hackers.
More databases. More hackers.
 
Top Five Security Must-Haves for Office 365
Top Five Security Must-Haves for Office 365Top Five Security Must-Haves for Office 365
Top Five Security Must-Haves for Office 365
 
Security O365 Using AI-based Advanced Threat Protection
Security O365 Using AI-based Advanced Threat ProtectionSecurity O365 Using AI-based Advanced Threat Protection
Security O365 Using AI-based Advanced Threat Protection
 
Trust No One - Zero Trust on the Akamai Platform
Trust No One - Zero Trust on the Akamai PlatformTrust No One - Zero Trust on the Akamai Platform
Trust No One - Zero Trust on the Akamai Platform
 
Shared Security Responsibility in the AWS Public Cloud
Shared Security Responsibility in the AWS Public CloudShared Security Responsibility in the AWS Public Cloud
Shared Security Responsibility in the AWS Public Cloud
 
What's Wrong with Vulnerability Management & How Can We Fix It
What's Wrong with Vulnerability Management & How Can We Fix ItWhat's Wrong with Vulnerability Management & How Can We Fix It
What's Wrong with Vulnerability Management & How Can We Fix It
 
Man in the Cloud Attacks
Man in the Cloud AttacksMan in the Cloud Attacks
Man in the Cloud Attacks
 
Extend Enterprise Application-level Security to Your AWS Environment
Extend Enterprise Application-level Security to Your AWS EnvironmentExtend Enterprise Application-level Security to Your AWS Environment
Extend Enterprise Application-level Security to Your AWS Environment
 
The State of Application Security: Hackers On Steroids
The State of Application Security: Hackers On SteroidsThe State of Application Security: Hackers On Steroids
The State of Application Security: Hackers On Steroids
 
5 Steps to Reduce Your Window of Vulnerability
5 Steps to Reduce Your Window of Vulnerability5 Steps to Reduce Your Window of Vulnerability
5 Steps to Reduce Your Window of Vulnerability
 
Zero trust in a hybrid architecture
Zero trust in a hybrid architectureZero trust in a hybrid architecture
Zero trust in a hybrid architecture
 
Micro-Segmentation for Data Centers - Without Using Internal Firewalls
Micro-Segmentation for Data Centers - Without Using Internal FirewallsMicro-Segmentation for Data Centers - Without Using Internal Firewalls
Micro-Segmentation for Data Centers - Without Using Internal Firewalls
 
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...
 
The Top 10 Most Common Weaknesses in Serverless Applications 2018
The Top 10 Most Common Weaknesses in Serverless Applications 2018The Top 10 Most Common Weaknesses in Serverless Applications 2018
The Top 10 Most Common Weaknesses in Serverless Applications 2018
 
Network Security Best Practices - Reducing Your Attack Surface
Network Security Best Practices - Reducing Your Attack SurfaceNetwork Security Best Practices - Reducing Your Attack Surface
Network Security Best Practices - Reducing Your Attack Surface
 
CyberArk Cleveland Defend End Point Infection and Lateral Movement
CyberArk Cleveland Defend End Point Infection and Lateral MovementCyberArk Cleveland Defend End Point Infection and Lateral Movement
CyberArk Cleveland Defend End Point Infection and Lateral Movement
 
Bil Harmer - Myths of Cloud Security Debunked!
Bil Harmer - Myths of Cloud Security Debunked!Bil Harmer - Myths of Cloud Security Debunked!
Bil Harmer - Myths of Cloud Security Debunked!
 

En vedette

I Love Linux - Pawel Zorzan Urban & Bocelli Davide
I Love Linux - Pawel Zorzan Urban & Bocelli DavideI Love Linux - Pawel Zorzan Urban & Bocelli Davide
I Love Linux - Pawel Zorzan Urban & Bocelli DavidePawel Zorzan Urban
 
Startup Sorocaba: Palestra Davi Paunovic - Pivotagem
Startup Sorocaba: Palestra Davi Paunovic - PivotagemStartup Sorocaba: Palestra Davi Paunovic - Pivotagem
Startup Sorocaba: Palestra Davi Paunovic - PivotagemStartup Sorocaba
 
Underground hacker Nazionale - Clima & Eventi
Underground hacker Nazionale - Clima & EventiUnderground hacker Nazionale - Clima & Eventi
Underground hacker Nazionale - Clima & EventiPawel Zorzan Urban
 
Sicurezza Informatica e Hacking - Università di Teramo 23/10/2015
Sicurezza Informatica e Hacking - Università di Teramo 23/10/2015Sicurezza Informatica e Hacking - Università di Teramo 23/10/2015
Sicurezza Informatica e Hacking - Università di Teramo 23/10/2015Pawel Zorzan Urban
 
Privileged accesss management for den csa user group CA Technologies
Privileged accesss management for den csa user group CA TechnologiesPrivileged accesss management for den csa user group CA Technologies
Privileged accesss management for den csa user group CA TechnologiesTrish McGinity, CCSK
 
Hrvatska u napoleonovo doba
Hrvatska u napoleonovo dobaHrvatska u napoleonovo doba
Hrvatska u napoleonovo dobaŠkola Futura
 
Engleska u 18. stoljeću
Engleska u 18. stoljećuEngleska u 18. stoljeću
Engleska u 18. stoljećubatica1
 
Diseño e innovación
Diseño e innovaciónDiseño e innovación
Diseño e innovaciónR. Sosa
 
Understanding the evolving healthcare ecosystem -- Aimia -- 052714
Understanding the evolving healthcare ecosystem -- Aimia -- 052714Understanding the evolving healthcare ecosystem -- Aimia -- 052714
Understanding the evolving healthcare ecosystem -- Aimia -- 052714David Nickelson, PsyD, JD
 

En vedette (17)

I Love Linux - Pawel Zorzan Urban & Bocelli Davide
I Love Linux - Pawel Zorzan Urban & Bocelli DavideI Love Linux - Pawel Zorzan Urban & Bocelli Davide
I Love Linux - Pawel Zorzan Urban & Bocelli Davide
 
Salomon 7e
Salomon 7eSalomon 7e
Salomon 7e
 
&lt;img src="xx">
&lt;img src="xx">&lt;img src="xx">
&lt;img src="xx">
 
One pagepdf
One pagepdfOne pagepdf
One pagepdf
 
Startup Sorocaba: Palestra Davi Paunovic - Pivotagem
Startup Sorocaba: Palestra Davi Paunovic - PivotagemStartup Sorocaba: Palestra Davi Paunovic - Pivotagem
Startup Sorocaba: Palestra Davi Paunovic - Pivotagem
 
4_C_CEM_2016
4_C_CEM_20164_C_CEM_2016
4_C_CEM_2016
 
Ed Rios - New ncc brief
Ed Rios - New ncc briefEd Rios - New ncc brief
Ed Rios - New ncc brief
 
Resultados finales municipio_de_giraldo
Resultados finales municipio_de_giraldoResultados finales municipio_de_giraldo
Resultados finales municipio_de_giraldo
 
Underground hacker Nazionale - Clima & Eventi
Underground hacker Nazionale - Clima & EventiUnderground hacker Nazionale - Clima & Eventi
Underground hacker Nazionale - Clima & Eventi
 
Sicurezza Informatica e Hacking - Università di Teramo 23/10/2015
Sicurezza Informatica e Hacking - Università di Teramo 23/10/2015Sicurezza Informatica e Hacking - Università di Teramo 23/10/2015
Sicurezza Informatica e Hacking - Università di Teramo 23/10/2015
 
Privileged accesss management for den csa user group CA Technologies
Privileged accesss management for den csa user group CA TechnologiesPrivileged accesss management for den csa user group CA Technologies
Privileged accesss management for den csa user group CA Technologies
 
Hrvatska u napoleonovo doba
Hrvatska u napoleonovo dobaHrvatska u napoleonovo doba
Hrvatska u napoleonovo doba
 
Napoleon bonaparte
Napoleon bonaparteNapoleon bonaparte
Napoleon bonaparte
 
Engleska u 18. stoljeću
Engleska u 18. stoljećuEngleska u 18. stoljeću
Engleska u 18. stoljeću
 
Diseño e innovación
Diseño e innovaciónDiseño e innovación
Diseño e innovación
 
Understanding the evolving healthcare ecosystem -- Aimia -- 052714
Understanding the evolving healthcare ecosystem -- Aimia -- 052714Understanding the evolving healthcare ecosystem -- Aimia -- 052714
Understanding the evolving healthcare ecosystem -- Aimia -- 052714
 
Ready
ReadyReady
Ready
 

Similaire à Securing Custom Web Apps as an Entry to Internal Networks

Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
 
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitizedMigrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitizedUnifyCloud
 
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - SanitizedMigrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - SanitizedNorm Barber
 
Certes webinar securing the frictionless enterprise
Certes webinar securing the frictionless enterpriseCertes webinar securing the frictionless enterprise
Certes webinar securing the frictionless enterpriseJason Bloomberg
 
Insecurity in security products 2013
Insecurity in security products 2013Insecurity in security products 2013
Insecurity in security products 2013DaveEdwards12
 
Application Control - Maintenance Headache or Manageable Solution?
Application Control - Maintenance Headache or Manageable Solution?Application Control - Maintenance Headache or Manageable Solution?
Application Control - Maintenance Headache or Manageable Solution?Ivanti
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataPrecisely
 
A DevOps Guide to Web Application Security
A DevOps Guide to Web Application SecurityA DevOps Guide to Web Application Security
A DevOps Guide to Web Application SecurityImperva Incapsula
 
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
Joomla Security Simplified —  Seven Easy Steps For a More Secure WebsiteJoomla Security Simplified —  Seven Easy Steps For a More Secure Website
Joomla Security Simplified —  Seven Easy Steps For a More Secure WebsiteImperva Incapsula
 
Scalar Security Roadshow: Toronto Presentation - April 15, 2015
Scalar Security Roadshow: Toronto Presentation - April 15, 2015Scalar Security Roadshow: Toronto Presentation - April 15, 2015
Scalar Security Roadshow: Toronto Presentation - April 15, 2015Scalar Decisions
 
Top Application Security Trends of 2012
Top Application Security Trends of 2012Top Application Security Trends of 2012
Top Application Security Trends of 2012DaveEdwards12
 
Defending Today's Threats with Tomorrow's Security by Microsoft by Aidan Finn
Defending Today's Threats with Tomorrow's Security by Microsoft by Aidan FinnDefending Today's Threats with Tomorrow's Security by Microsoft by Aidan Finn
Defending Today's Threats with Tomorrow's Security by Microsoft by Aidan FinnJohn Moran
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the CloudAlert Logic
 
Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016Imperva
 
Cloud Security: A matter of trust?
Cloud Security: A matter of trust?Cloud Security: A matter of trust?
Cloud Security: A matter of trust?Mark Williams
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemDenim Group
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataPrecisely
 
Automating Critical Security Controls for Threat Remediation and Compliance
Automating Critical Security Controls for Threat Remediation and ComplianceAutomating Critical Security Controls for Threat Remediation and Compliance
Automating Critical Security Controls for Threat Remediation and ComplianceQualys
 

Similaire à Securing Custom Web Apps as an Entry to Internal Networks (20)

Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Cloud security
Cloud securityCloud security
Cloud security
 
Presd1 10
Presd1 10Presd1 10
Presd1 10
 
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitizedMigrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
 
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - SanitizedMigrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
 
Certes webinar securing the frictionless enterprise
Certes webinar securing the frictionless enterpriseCertes webinar securing the frictionless enterprise
Certes webinar securing the frictionless enterprise
 
Insecurity in security products 2013
Insecurity in security products 2013Insecurity in security products 2013
Insecurity in security products 2013
 
Application Control - Maintenance Headache or Manageable Solution?
Application Control - Maintenance Headache or Manageable Solution?Application Control - Maintenance Headache or Manageable Solution?
Application Control - Maintenance Headache or Manageable Solution?
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and Data
 
A DevOps Guide to Web Application Security
A DevOps Guide to Web Application SecurityA DevOps Guide to Web Application Security
A DevOps Guide to Web Application Security
 
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
Joomla Security Simplified —  Seven Easy Steps For a More Secure WebsiteJoomla Security Simplified —  Seven Easy Steps For a More Secure Website
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
 
Scalar Security Roadshow: Toronto Presentation - April 15, 2015
Scalar Security Roadshow: Toronto Presentation - April 15, 2015Scalar Security Roadshow: Toronto Presentation - April 15, 2015
Scalar Security Roadshow: Toronto Presentation - April 15, 2015
 
Top Application Security Trends of 2012
Top Application Security Trends of 2012Top Application Security Trends of 2012
Top Application Security Trends of 2012
 
Defending Today's Threats with Tomorrow's Security by Microsoft by Aidan Finn
Defending Today's Threats with Tomorrow's Security by Microsoft by Aidan FinnDefending Today's Threats with Tomorrow's Security by Microsoft by Aidan Finn
Defending Today's Threats with Tomorrow's Security by Microsoft by Aidan Finn
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016
 
Cloud Security: A matter of trust?
Cloud Security: A matter of trust?Cloud Security: A matter of trust?
Cloud Security: A matter of trust?
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
 
Automating Critical Security Controls for Threat Remediation and Compliance
Automating Critical Security Controls for Threat Remediation and ComplianceAutomating Critical Security Controls for Threat Remediation and Compliance
Automating Critical Security Controls for Threat Remediation and Compliance
 

Plus de Trish McGinity, CCSK

Csa privacy by design &amp; gdpr austin chambers 11-4-17
Csa privacy by design &amp; gdpr austin chambers 11-4-17Csa privacy by design &amp; gdpr austin chambers 11-4-17
Csa privacy by design &amp; gdpr austin chambers 11-4-17Trish McGinity, CCSK
 
Token Binding as the Foundation for a More Secure Web
Token Binding as the Foundation for a More Secure WebToken Binding as the Foundation for a More Secure Web
Token Binding as the Foundation for a More Secure WebTrish McGinity, CCSK
 
Security and Automation: Can they work together? Can we survive if they don't?
Security and Automation: Can they work together? Can we survive if they don't?Security and Automation: Can they work together? Can we survive if they don't?
Security and Automation: Can they work together? Can we survive if they don't?Trish McGinity, CCSK
 
Practical AWS Security - Scott Hogg
Practical AWS Security - Scott HoggPractical AWS Security - Scott Hogg
Practical AWS Security - Scott HoggTrish McGinity, CCSK
 
CSA colorado 2016 presentation CloudPassage
CSA colorado 2016 presentation CloudPassageCSA colorado 2016 presentation CloudPassage
CSA colorado 2016 presentation CloudPassageTrish McGinity, CCSK
 
Csa presentation november 2016 sloane ghx
Csa presentation november 2016 sloane ghxCsa presentation november 2016 sloane ghx
Csa presentation november 2016 sloane ghxTrish McGinity, CCSK
 
Steve Kosten - Exploiting common web application vulnerabilities
Steve Kosten - Exploiting common web application vulnerabilities Steve Kosten - Exploiting common web application vulnerabilities
Steve Kosten - Exploiting common web application vulnerabilities Trish McGinity, CCSK
 
Larry Whiteside - Optiv Cloud ready or steam rolled csa version
Larry Whiteside - Optiv Cloud ready or steam rolled csa versionLarry Whiteside - Optiv Cloud ready or steam rolled csa version
Larry Whiteside - Optiv Cloud ready or steam rolled csa versionTrish McGinity, CCSK
 
Scott Hogg - Gtri cloud security knowledge and certs
Scott Hogg - Gtri cloud security knowledge and certsScott Hogg - Gtri cloud security knowledge and certs
Scott Hogg - Gtri cloud security knowledge and certsTrish McGinity, CCSK
 

Plus de Trish McGinity, CCSK (14)

Csa privacy by design &amp; gdpr austin chambers 11-4-17
Csa privacy by design &amp; gdpr austin chambers 11-4-17Csa privacy by design &amp; gdpr austin chambers 11-4-17
Csa privacy by design &amp; gdpr austin chambers 11-4-17
 
Privacy 101
Privacy 101Privacy 101
Privacy 101
 
Cloud Seeding
Cloud SeedingCloud Seeding
Cloud Seeding
 
Token Binding as the Foundation for a More Secure Web
Token Binding as the Foundation for a More Secure WebToken Binding as the Foundation for a More Secure Web
Token Binding as the Foundation for a More Secure Web
 
Security and Automation: Can they work together? Can we survive if they don't?
Security and Automation: Can they work together? Can we survive if they don't?Security and Automation: Can they work together? Can we survive if they don't?
Security and Automation: Can they work together? Can we survive if they don't?
 
GDPR Overview
GDPR OverviewGDPR Overview
GDPR Overview
 
Practical AWS Security - Scott Hogg
Practical AWS Security - Scott HoggPractical AWS Security - Scott Hogg
Practical AWS Security - Scott Hogg
 
CSA colorado 2016 presentation CloudPassage
CSA colorado 2016 presentation CloudPassageCSA colorado 2016 presentation CloudPassage
CSA colorado 2016 presentation CloudPassage
 
Csa presentation november 2016 sloane ghx
Csa presentation november 2016 sloane ghxCsa presentation november 2016 sloane ghx
Csa presentation november 2016 sloane ghx
 
Steve Kosten - Exploiting common web application vulnerabilities
Steve Kosten - Exploiting common web application vulnerabilities Steve Kosten - Exploiting common web application vulnerabilities
Steve Kosten - Exploiting common web application vulnerabilities
 
Shawn Harris - CCSP SAH v2
Shawn Harris - CCSP SAH v2Shawn Harris - CCSP SAH v2
Shawn Harris - CCSP SAH v2
 
Larry Whiteside - Optiv Cloud ready or steam rolled csa version
Larry Whiteside - Optiv Cloud ready or steam rolled csa versionLarry Whiteside - Optiv Cloud ready or steam rolled csa version
Larry Whiteside - Optiv Cloud ready or steam rolled csa version
 
Scott Hogg - Gtri cloud security knowledge and certs
Scott Hogg - Gtri cloud security knowledge and certsScott Hogg - Gtri cloud security knowledge and certs
Scott Hogg - Gtri cloud security knowledge and certs
 
Davitt Potter - CSA Arrow
Davitt Potter - CSA ArrowDavitt Potter - CSA Arrow
Davitt Potter - CSA Arrow
 

Dernier

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 

Dernier (20)

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 

Securing Custom Web Apps as an Entry to Internal Networks

  • 1. www.cloudsecurityalliance.org Custom web applications as a way into your internal network Andrew Useckas Copyright © 2016 Cloud Security Alliance
  • 2. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Introduction • Securing custom web applications is more challenging than most people realize: - Security is often overlooked during design and development - As long as the site is indexed by at least one search engine, it is exposed to hacks, attacks, and full-blown assaults from anywhere in the world - There’s big money in hacking and web applications are seen as an easy target with potential to use them as a jump board to the internal network or private customer cloud - No “security patch” for custom WebApps (vs. infrastructure) • It’s simply not as difficult to compromise a web application as most people think - You don’t have to be a hacking wiz to exploit most badly written apps – there are plenty of tools out there to help you do it
  • 3. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance About Me • CTO at Threat X working on a new approach to Web Application security. • Over 15 years of experience in penetration testing / ethical hacking. • Author and architect of multiple security sensors. • Consulted for multiple enterprises in technical and compliance aspects of security.
  • 4. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Agenda • Basic overview of hacker’s mindset. • Overview of most currently popular security measures. • Web Application Attacks • Authentication • Session Management • Access Controls • Client Side checks • Server Side checks
  • 5. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Who is the target? • According to Verizon 2016 DBIR Report: • 40% of confirmed breaches were Web App Attacks. • 95% of confirmed WebApp breaches financially motivated. • Top Industries attacked: Finance, Information, Retail. • Higher percentage of confirmed data disclosure as security measures are lacking. • Botnets. Is my company too small to be attacked? • My perimeter is secure – we run quarterly scans.
  • 6. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance The wild west of WebApps • Security is often an afterthought. Time to market is more important than security. • Developer education on safe coding techniques is lacking. • Traditional Layer 3 firewall does nothing for WebApp Security. • IDS / IPS systems do very little as the focus is more on the network applications. • New ciphers use ephemeral keys making it harder to decrypt and examine the flows at the edge (no more decryption in passive sensors). • Piping all the logs to a SIEM tool may overwhelm the administrators. • Most of these tools are useless in a cloud deployment model.
  • 7. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Tools • Browser – Firefox • Intercepting Proxy – Burpsuite • SQLMap • Target apps – Bodgeit from Google
  • 8. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Authentication • Login forms are often the first thing a hacker will try to break. • Common issues: • Weak or default passwords • Default pages • Guessable protected URIs • Navigation tree leaks in JS • Lack of proper server side sanitization
  • 9. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Session Management • Sessions are used to track users • First line of defense • Common attacks • Session hijacking • Missing idle session timeouts • Session riding (CSRF) • Cookie manipulation
  • 10. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Access Controls • Defective access controls are often used after the initial penetration. • Hidden information in HTML • Information leaks through JS • Horizontal privilege escalation • Vertical privilege escalation
  • 11. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Client Side Checks • Validation of input fields before they are passed to the server • Usually based on JS • Can be easily bypassed with transparent proxy
  • 12. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Server Side Checks • Server side usually talking to a database engine such as MySql. • User input can be passed to the backend scripts without proper validation, resulting in the backend attacks such as SQL injection (SQLi). • SQLi can be used to • Bypass authentication controls • Bypass access controls • Execute full database dumps • Write script files to the remote file system. Scripts can then be executed from the browser giving an attacker shell access to the remote system
  • 13. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Further Exploits • It is possible to upload server side scripts via backends such as MySQL. • Scripts can then be executed from the browser giving shell access. • Sample injection: UNION SELECT '<%Runtime.getRuntime().exec(request.getParameter("cmd"));%>',null INTO OUTFILE '/some/webdir/dir/cmd.jsp'
  • 14. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Parting Recommendations • Secure development and QA • Next-generation Web Application Firewall • Pen testing
  • 15. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance References • Verizon DBIR report: http://www.verizonenterprise.com/verizon-insights- lab/dbir/

Notes de l'éditeur

  1. 40 mins.