Introduction to Web Application Security Professor Larry Heimann Web - - PowerPoint PPT Presentation


SLIDE 1

Introduction to Web Application Security

Professor Larry Heimann
Web Application Security
Information Systems

SLIDE 2

Course Business

  • Course site: https://67327.cmuis.net
  • Schedule
  • Reading
  • Assignments
  • in-class labs -- laptops w/ 272 technology required
  • summary exercise -- no collaboration at all
  • final exam
  • Office Hours
SLIDE 3

The Bad News (2014)

78% of enterprises faced cyber attacks
69% of those attacks were on web applications

Reportedly, most companies spent more on coffee in 2014 than they did on web application security.

SLIDE 4

SLIDE 5

Problems Reported to Apple (2016)

155 web app security problems reported to Apple in a 12-month period

Breakdown of issues:

  • 83 cross-site scripting (XSS)
  • 12 information disclosure
  • 10 injection-related
  • 12 server configuration
  • 2 path traversals
  • 1 cross-site request forgery
SLIDE 6

Threat changes from 2013 to 2017

SLIDE 7

Triage method for dealing with software risks

Each cell gives the triage priority assigned to a risk with that likelihood and that impact; A is the most urgent tier, C the least.

                                   Likelihood of Risk Realized
                                   Low       Moderate    High
Impact of      Minimal             C         C           B
Risk           Moderate            C         B           A
Realized       Catastrophic        B         A           A
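The matrix turned into a small triage tool, added here as an example that is not part of the slides. The A/B/C grid is the slide's; the sample findings are constructed for illustration, and the monotonicity check (raising likelihood or impact must never lower the priority) and the remediation work-queue ordering are this example's additions, not something the course prescribes.

```python
"""Triage matrix from the slide, applied to a constructed list of findings.

Added example, not part of the original slides. The letter grid is the
slide's; the findings are constructed; the monotonicity check and the
work-queue ordering are additions of this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Axis labels from the slide, in increasing order of severity.
LIKELIHOOD = ("low", "moderate", "high")
IMPACT = ("minimal", "moderate", "catastrophic")
TIERS = "ABC"  # A is the most urgent tier

# The slide's grid: rows are impact, columns are likelihood.
MATRIX = {
    "minimal":      {"low": "C", "moderate": "C", "high": "B"},
    "moderate":     {"low": "C", "moderate": "B", "high": "A"},
    "catastrophic": {"low": "B", "moderate": "A", "high": "A"},
}


def triage(likelihood: str, impact: str) -> str:
    """Map a (likelihood, impact) pair to the slide's A/B/C tier.

    Unknown labels raise instead of falling into a default tier, so a typo
    in a tracker field cannot quietly demote a finding.
    """
    lk, im = likelihood.strip().lower(), impact.strip().lower()
    if lk not in LIKELIHOOD:
        raise ValueError(f"unknown likelihood {likelihood!r}; expected one of {LIKELIHOOD}")
    if im not in IMPACT:
        raise ValueError(f"unknown impact {impact!r}; expected one of {IMPACT}")
    return MATRIX[im][lk]


def matrix_is_monotone(matrix: dict = MATRIX) -> bool:
    """Sanity check on a triage grid: moving up either axis never lowers the tier."""
    rank = {t: i for i, t in enumerate(TIERS)}  # A=0, B=1, C=2; smaller is more urgent
    for r, im in enumerate(IMPACT):
        for c, lk in enumerate(LIKELIHOOD):
            here = rank[matrix[im][lk]]
            if c + 1 < len(LIKELIHOOD) and rank[matrix[im][LIKELIHOOD[c + 1]]] > here:
                return False  # more likely, yet lower priority
            if r + 1 < len(IMPACT) and rank[matrix[IMPACT[r + 1]][lk]] > here:
                return False  # worse impact, yet lower priority
    return True


@dataclass(frozen=True)
class Finding:
    title: str
    likelihood: str
    impact: str


def work_queue(findings: Iterable[Finding]) -> list[tuple[str, str]]:
    """Order findings for remediation: tier A first, then worst impact, then most likely."""
    def key(f: Finding):
        return (
            triage(f.likelihood, f.impact),                 # "A" < "B" < "C"
            -IMPACT.index(f.impact.strip().lower()),
            -LIKELIHOOD.index(f.likelihood.strip().lower()),
            f.title,
        )
    return [(triage(f.likelihood, f.impact), f.title) for f in sorted(findings, key=key)]


# Constructed sample findings (illustrative labels, not real assessments).
SAMPLE = [
    Finding("Outdated server banner",            "low",      "minimal"),
    Finding("Reflected XSS in search box",       "high",     "moderate"),
    Finding("Stack trace shown on 500 page",     "high",     "minimal"),
    Finding("Path traversal in report download", "low",      "catastrophic"),
    Finding("CSRF on account deletion",          "moderate", "catastrophic"),
]

if __name__ == "__main__":
    assert matrix_is_monotone()
    for tier, title in work_queue(SAMPLE):
        print(tier, title)
```

Run as a script it prints the two A-tier items first (the catastrophic-impact CSRF ahead of the XSS), then the two B-tier items, then the C-tier banner; swap any cell of MATRIX so that a worse cell gets a better letter and matrix_is_monotone() reports the inconsistency.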

SLIDE 8

SLIDE 9

Key Lessons

  1. Web application security is hard
  2. Securing web applications is a never-ending battle
  3. Admit mistakes and quickly correct them
  4. Some threats are worse than others
  5. Simple threats can still be deadly
SLIDE 10

“You cannot defend against threats you cannot see.”
  - Mr. H, chess coach

“You cannot defend against threats you cannot see.”
  - Prof. H, 67-327
SLIDE 11

Comic of the Day...