Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

Web Application Security Implementation SANS MSISE GDWP Kevin Bong

advertisement 
Web Application Security
Implementation
SANS MSISE GDWP
Kevin Bong
John Brozycki
July 26, 2007
Web Application Security Implementation - © 2007 GIAC
Introduction
• Website vulnerability used to copy
customer data to foreign host.
• Senior management to acquire services
of penetration team. Not available for
immediate needs.
• Post incident,we are tasked with
creation of a web application security
assessment program, to implement
within a few days.
Web Application Security Implementation - © 2007 GIAC
Web Assessment Process
Manual Web
Server Audit
Inventory
Conduct
Interviews
Automated
Vulnerability Scan
Manual Web
Application Audit
Report
Findings
Web Application Security Implementation - © 2007 GIAC
Web Service Inventory
• Need to know what is legitimate and
necessary. (Programs, services, ports)
• Need to know where the data lives and
how it is accessed.
• Rate assets (web servers/services) to
focus resources and set priorities.
Web Application Security Implementation - © 2007 GIAC
Performing Automated Scans
• Verify the inventory by confirming the
existence of services.
• Identify additional, unneeded processes
and check for common vulnerabilities
and misconfigurations for both the
necessary and unnecessary processes
and services.
• Quickly identify the low hanging fruit.
Web Application Security Implementation - © 2007 GIAC
Manual Audit of Web Server
Security
• Review if best practices are followed
– Is defense in depth employed?
– Configuration of web server and web
development frameworks
– User and service accounts and rights
– Error messages, other information leakage
– Do log files store appropriate information?
• Review change processes for ports and
services through interviews
Web Application Security Implementation - © 2007 GIAC
Manual Audit of Web Applications
• Based on inventory, focus on potentially
vulnerable code
• Specific tests to be performed against
each dynamic page
• Interview developers to determine if
processes prevent new vulnerabilities
Web Application Security Implementation - © 2007 GIAC
Deliverables for the Senior
Management Team
• Reports and recommendations delivered
within days.
• Results of inventory, scans, and manual
audits used to provide action items that
can be given to implementation team.
• Additional recommendations from tiger
team to management to minimize
reoccurrences.
Web Application Security Implementation - © 2007 GIAC
Related documents
ISPRS IGU CIG SIPT
ISPRS IGU CIG SIPT
The University of Texas at Austin PhD in Translational Science
The University of Texas at Austin PhD in Translational Science
This is a GIAC Gold Template
This is a GIAC Gold Template
The ending inventory for CBCR Co. was overstated by $2001... effect did the error have on
The ending inventory for CBCR Co. was overstated by $2001... effect did the error have on
View sample resume
View sample resume
Global Information Assurance Certification (GIAC) develops and
Global Information Assurance Certification (GIAC) develops and
Internet Security Handbook Minimum Levels of Due Diligence
Internet Security Handbook Minimum Levels of Due Diligence
Download
advertisement