Web Security: Common security threats and hacking


Web Security

Common security threats and hacking

The OWASP Foundation http://www.owasp.org

Nahidul Kibria

Co-Leader, OWASP Bangladesh,

Senior Software Engineer, KAZ Software Ltd.

Twitter:@nahidupa

Writing code for fun and food, and a security enthusiast.


Shahee Mirza

• Certified Ethical Hacker (C|EH).

• Microsoft® Certified Systems Administrator.

• Information Security Consultant, Nexus IT Zone.

http://www.shaheemirza.com

FB: shaheemirza Twitter: @shaheemirza

Why should we care?


Most sites are not secure!

• Attackers can access unauthorized data!

• They use your web site to attack your users!


Historically, the web wasn’t designed to be secure

• Built for static, read-only pages

• Almost no intrinsic security

• A few security features were “bolted on” later


What does that mean?

• Cookie-based sessions can be hijacked

• No separation of logic and data

• No client-supplied data can be trusted
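The second and third points above are two sides of the same problem: when the application builds a command by gluing untrusted input into the logic, the interpreter cannot tell developer-written logic from attacker-written data. The following is an added example, not code from the slides, that shows the vulnerable pattern next to the fix. It uses Python's built-in sqlite3 module with a constructed in-memory table; the table and function names are hypothetical.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the slides).
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Logic (the SQL text) and data (the name) are concatenated into one
    string, so the database engine cannot tell which characters came from the
    developer and which came from the client. This is the pattern to avoid."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterised query: the SQL text is fixed at development time and the
    client-supplied name travels separately as a bound value. Whatever the
    value contains, it is compared as data and never interpreted as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups on a benign value and on an untrusted value that
    contains a quote; returns the four result sets for inspection."""
    conn = make_db()
    # Constructed untrusted input: a value a client might submit in a form.
    untrusted = "x' OR '1'='1"
    return (
        lookup_vulnerable(conn, "alice"),   # one matching row
        lookup_vulnerable(conn, untrusted), # every row: input became logic
        lookup_safe(conn, "alice"),         # one matching row
        lookup_safe(conn, untrusted),       # no rows: input stayed data
    )


if __name__ == "__main__":
    for rows in demo():
        print(rows)
```

The defensive rule the example illustrates is that validation of client input is useful but not sufficient; the durable fix is to keep data out of the logic channel altogether, here by binding parameters, and the same principle applies to shell commands, XML, LDAP and HTML output.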


The vast majority of web applications have serious security vulnerabilities!

Most developers are not aware of the issues.


Web application threat surface

• XSS

• Parameter tampering / sniffing

• XML injection

• Clickjacking

• CSRF

• Directory traversal

• SQL injection

• Forged token

• Direct object reference

• Ajax

• Flash

• Silverlight

• Applets

The attack surface is growing!


Some incident examples


Study: Global cybercrime costs more than illegal drugs

INSECURE-Mag-31 http://www.dnaindia.com/mumbai/report_cyber-crime-costs-india-rs34110-crore-per-year_1588917

Global drug trade: about $288 billion

A common question is: I’m innocent, why would I be a target?

I don’t have any sensitive data.

I don’t even serve any important data.

I have no enemies.


The answer is: you have resources...

Maybe a multi-core processor... bandwidth.

Attackers weaponize your PC to attack others, or use your resources...

They turn your PC into a zombie.


Botnet: just in brief


This is a problem


Network security and others


But developers


Quick Resource Guide


About OWASP

OWASP’s mission is “to make application security visible, so that people and organizations can make informed decisions about true application”

Attackers do not use black arts to exploit your application.

220 Chapters


OWASP Bangladesh Chapter

• Bangladeshi community of security professionals

• Globally recognized

• Open for all

• Free for all

What do we have to offer?

Monthly Meetings

Mailing List

Presentations & Groups

Open Forums for Discussion

Vendor Neutral Environments

OWASP Top 10 Web Application Security Risks (2010 Edition)

http://www.owasp.org/index.php/Top_10

Application Developers

New attacks/ defense guideline

Cheat Sheets

WebGoat: an emulator designed to teach web application security lessons


The OWASP Enterprise Security API

Custom Enterprise Web Application

Enterprise Security API

Existing Enterprise Security Services/Libraries


Application Testers and Quality Assurance

Tools

Testing guide/pentester

Application Security Verification Standard Project


OWASP ZAP Proxy/ WebScarab


OWASP CSRFTester


Application Project Management and Staff

Define the process

SDLC

Code Review


OWASP Code Review Project

Code review tool: http://codecrawler.codeplex.com/Release/ProjectReleases.aspx

http://orizon.sourceforge.net

OWASP Testing

4.3 Configuration Management Testing

4.4 Business logic testing

4.5 Authentication Testing

4.6 Authorization Testing

4.7 Session Management Testing

4.8 Data Validation Testing

4.9 Testing for Denial of Service

4.10 Web Services Testing

4.11 Ajax Testing

http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents

Myth: “The developer will provide me with a secure solution without me asking”


Download

Get OWASP Books

Coolest Jobs in Information Security

#1 Information Security Crime Investigator/Forensics Expert

#2 System, Network, and/or Web Penetration Tester

#3 Forensic Analyst

#4 Incident Responder

#5 Security Architect

#6 Malware Analyst

#7 Network Security Engineer

#8 Security Analyst

#9 Computer Crime Investigator

#10 CISO/ISO or Director of Security

#11 Application Penetration Tester

#12 Security Operations Center Analyst

#13 Prosecutor Specializing in Information Security Crime

#14 Technical Director and Deputy CISO

#15 Intrusion Analyst

#16 Vulnerability Researcher/ Exploit Developer

#17 Security Auditor

#18 Security-savvy Software Developer

#19 Security Maven in an Application Developer Organization

#20 Disaster Recovery/Business Continuity Analyst/Manager


Subscribe to the mailing list: https://www.owasp.org/index.php/Bangladesh https://www.facebook.com/OWASP.Bangladesh

Keep up to date!

Twitter:@nahidupa

Twitter:@owaspbangladesh
