HYBRID WEBSITE SECURITY

www.indusface.com | Indusface, Proprietary
AGENDA

Websites – Business & Security Landscape
Website Security Approach
Challenges for Automated Scanning
Hybrid Website Security
Examples of Logical Checks
Benefits


Websites – Business and Security Landscape

Websites and Web Applications for Everything!

Websites and web applications contain valuable data which can be misused if accessed by the wrong people!

Hence ensuring comprehensive security of a website and web application, which checks for technical and logical vulnerabilities, is of utmost importance!

Websites and Web Applications Are Vulnerable
• 75% of all attacks are targeted towards the application layer. (Gartner)
• More than 90% of web applications contain some type of security vulnerability. (Imperva)
• Through 2015, 80% of successful attacks will exploit well-known vulnerabilities and will be detectable via security monitoring. (Gartner)
• More than 13% of all reviewed sites can be compromised completely automatically. The most widespread vulnerabilities were Cross-site Scripting, different types of Information Leakage, SQL Injection, and HTTP Response Splitting. (WASC)
• 73% of organizations have been hacked at least once in the past two years through insecure websites and web applications. (Ponemon Institute)
• Automation is not always effective without manual configuration or testing activity; manual testing can uncover flaws that are difficult or impossible to find with automated tools. (Gartner)

Mind Block
• The website is secure because it has been scanned by state-of-the-art scanning software.
• Firewalls and SSL are adequate security for a web application.
• An IDS protects the web server and databases.
• Frequent software updates and new website functionality increase the potential for new web application vulnerabilities.
• Security holes in the web application layer can make a perfectly patched and firewalled server completely vulnerable.
• A security assessment of an application is never complete without the involvement of an application security expert.

Website Security Approach

The Importance of Website Scanning
1. Increasing threats, regulations, and the changing IT landscape have made dynamic software security testing important.
2. Web applications are now an integral part of any business.
3. Web applications have become increasingly complex, holding tremendous amounts of sensitive data which can be used in unexpected ways, abused, stolen, and attacked.
4. Vulnerabilities in applications lead to security breaches which are a threat to brand reputation.
5. The best web application security coverage is the combination of automated scanning and manual penetration testing.

Comprehensive Website Security Scanning is Mandatory!

Source: Gartner
Automated and Manual Website Scanning

Automated Scanning
• Easily identifies technical vulnerabilities.
• Very thorough in the testing process.
• Opportunity to increase the frequency of scans (daily).
• Proactive approach of detecting a vulnerability in less time.
• Confidence booster to business/app owners.

Manual Scanning
• Intervention of a subject matter expert.
• Identifies logical flaws and complex weaknesses.
• Ability to correlate multiple vulnerabilities to create a bigger impact.
• Ability to pass steps where human intervention is needed.
• Ability to concentrate on test cases based on critical threats to business.

Human intelligence assessments and automated scanners are required for complete vulnerability coverage when it comes to web applications.
Technical Flaws versus Logical Flaws

TECHNICAL FLAWS
Confidential Information Disclosure
• Known Directory
• Known CGI File
• Configuration File Disclosure
• Backup File Disclosure

Application Input Manipulation
• SQL Injection
• Cross-Site/In-Line Scripting
• Buffer Overflow
• OS Command Injection
• Meta Character Injection
• Directory Traversal
• Null Injection
• Extension Manipulation
• Frame Spoofing

LOGICAL FLAWS
Session Management
• Brute/Reverse Force
• Session Hijacking
• Session Replay
• Session Forging
• Password Recovery

Confidential Information Disclosure
• Verbose Error Messages
• HTML Comments

Application Input Manipulation
• User-Agent Manipulation
• Referrer Manipulation
• Debug Commands

Logical Flaws
• Account Privilege Escalation
• Page Sequencing
• User Impersonation
• Improper Session Handling

To detect logical flaws, human intelligence intervention is required.
Challenges for Automated Scanning
1. Infinite Website Structure
2. Multi-Step Process
3. Authentication and Authorization


Infinite Website Structure
Complex and dynamic websites are impossible to scan comprehensively in an automatic manner. Human intelligence can define finite test cases for finite threats.

DYNAMIC WEB SITES:
• Rate of addition
• Rate of decay
• Very large database of 500,000 items + links
• Dynamic URL creation


Multi-Step Process
• A multi-step process requires human intervention to complete the process.
• An automated approach can never find all flaws or complete the process to find logical weaknesses.


Authentication and Authorization

Authentication and authorization are complex in nature
Hybrid Website Security = Automated + Manual
A hybrid model ensuring the best of automated scanning combined with manual testing, covering an internal and external assessment of vulnerabilities.

AUTOMATED: Daily scans provide a proactive approach to identifying technical vulnerabilities on a daily basis.

MANUAL: Checks for logical flaws and performs session-based checks using security experts.

IndusGuard by Indusface is a zero-touch, non-intrusive, cloud-based solution which safeguards websites by daily, automatic and comprehensive scanning of websites for system and application vulnerabilities, and malware.
Comprehensive Automated and Manual Website Security
• Complete, Actionable Reporting
• Detailed Remediation Guidelines
• Unlimited Expert Support
• Web Service API
• Flexible Notification
• Manual Revalidation
• Flexible Management of Websites
• Zero False Positives
• Business Logic Testing
• Role Based Access Control

[Diagram: manual testing workflow around the CUSTOMER WEB APPLICATION: Test Database, Test Case Development, Application Review, Module Enumeration, Test Execution, Manual Feedback, Case Validation, Draft Test Report]


Examples of Logical Checks

Online Travel Portal
A travel portal is designed to follow a business logic of allowing its consumers to book a flight ticket online at the listed price, as shown:
1. A malicious user tries to book an online ticket.
2. The user selects the itinerary with the listed price ($1000/-).
3. The same user exploits the application vulnerability to modify the listed price to a much lesser price ($1000/- changed to $100/-).
4. The payment gateway verifies the transaction as valid ($100/- charged).
5. The travel portal accepts the transaction as successful and issues a ticket to the consumer.

An online travel company can lose millions if the application is not able to handle and identify such online frauds. A flaw in their business logic was identified.

Online Voting System
An online voting portal has a feature which allows the user to cast a vote only after entering the One Time Password (OTP) sent to the user's registered mobile number.
1. A malicious user logs into the application and selects the candidate for whom he wants to cast the vote.
2. The application now asks the user to enter the OTP which was sent to his registered mobile number.
3. After some manipulation, the attacker is successful in casting the vote without entering the OTP.

Now, if an attacker gets access to a valid user's username and password, he can cast the vote a number of times without entering the OTP.
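The two flows above (the travel-portal price change and the OTP bypass), as an added Python example that is not part of the original deck or of Indusface's product: each flawed handler beside its hardened form, with the price taken from a server-side catalogue and the vote step gated on server-side OTP state. Catalogue ids, prices and user names are constructed.

```python
"""Server-side enforcement for the two logical flaws described above.

Constructed example, not Indusface's or any real portal's code: an in-memory
travel-portal checkout and an online-voting flow, each in the flawed form the
slides describe and in a hardened form. Ids, prices and names are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
import secrets

# ---- Travel portal: the price must come from the server, not the client ----

# Constructed catalogue: itinerary id -> listed price in dollars.
CATALOGUE: Dict[str, int] = {"BOM-DEL-0701": 1000, "BLR-DEL-0702": 850}


def vulnerable_checkout(itinerary_id: str, submitted_price: int) -> dict:
    """Flawed logic from the slide: the portal charges whatever price the
    client sent, so a request altered to $100 buys a $1000 ticket."""
    if itinerary_id not in CATALOGUE:
        return {"status": "rejected", "reason": "unknown itinerary"}
    return {"status": "ticket issued", "charged": submitted_price}


def hardened_checkout(itinerary_id: str, submitted_price: int) -> dict:
    """Recompute the price server-side and treat any mismatch as tampering."""
    listed = CATALOGUE.get(itinerary_id)
    if listed is None:
        return {"status": "rejected", "reason": "unknown itinerary"}
    if submitted_price != listed:
        # Worth alerting on: a client price that differs from the catalogue
        # is either a stale page or a tampered request, never a valid order.
        return {"status": "rejected", "reason": "price mismatch",
                "listed": listed, "submitted": submitted_price}
    return {"status": "ticket issued", "charged": listed}


# ---- Voting: OTP verification is server-side state, not a page visit ----

@dataclass
class VoteSession:
    candidate: Optional[str] = None
    otp: Optional[str] = None       # the OTP "sent" to the registered mobile
    otp_verified: bool = False      # set only by VotingService.verify_otp()


@dataclass
class VotingService:
    sessions: Dict[str, VoteSession] = field(default_factory=dict)
    tally: Dict[str, int] = field(default_factory=dict)  # candidate -> votes
    voted: Set[str] = field(default_factory=set)         # users who voted

    def select_candidate(self, user: str, candidate: str) -> str:
        """Step 1: record the choice and issue a fresh 6-digit OTP. The return
        value stands in for the SMS; a real service never sends it back to
        the browser."""
        otp = f"{secrets.randbelow(10**6):06d}"
        self.sessions[user] = VoteSession(candidate=candidate, otp=otp)
        return otp

    def verify_otp(self, user: str, submitted: str) -> bool:
        """Step 2: constant-time comparison, one attempt per issued OTP."""
        s = self.sessions.get(user)
        if s is None or s.otp is None:
            return False
        ok = secrets.compare_digest(s.otp, submitted)
        s.otp = None                 # burn the OTP whether or not it matched
        s.otp_verified = ok
        return ok

    def vulnerable_cast_vote(self, user: str) -> dict:
        """Page-sequencing flaw from the slide: step 3 only checks that a
        candidate was chosen, so step 2 can be skipped and the vote repeated."""
        s = self.sessions.get(user)
        if s is None or s.candidate is None:
            return {"status": "rejected", "reason": "no candidate selected"}
        self.tally[s.candidate] = self.tally.get(s.candidate, 0) + 1
        return {"status": "vote cast", "candidate": s.candidate}

    def hardened_cast_vote(self, user: str) -> dict:
        """Step 3 is reachable only after step 2 succeeded, and only once."""
        s = self.sessions.get(user)
        if s is None or s.candidate is None:
            return {"status": "rejected", "reason": "no candidate selected"}
        if not s.otp_verified:
            return {"status": "rejected", "reason": "OTP not verified"}
        if user in self.voted:
            return {"status": "rejected", "reason": "already voted"}
        s.otp_verified = False       # consume the verification
        self.voted.add(user)
        self.tally[s.candidate] = self.tally.get(s.candidate, 0) + 1
        return {"status": "vote cast", "candidate": s.candidate}
```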
Benefits of Hybrid Website Security
Automated + Manual
• Complete coverage on website and web application security assessment
• Zero false positives
• Involvement of subject matter expert
• Proactive approach in finding vulnerabilities on a daily basis using automated scans
• Evidence of exploit for business owners to create a business impact
• Ability to identify complex logical weaknesses
• Ability to assess complex, huge and dynamic websites

This powerful combination of technology and human intelligence is required to ensure comprehensive security coverage is provided to a web application.
Thank You
Sales: sales@indusface.com
Marketing: marketing@indusface.com
Technical: support@indusface.com

VADODARA, INDIA
A/2-3, 3rd Floor, Status Plaza, Opp Relish Resort, Atladara Old Padra Road, Vadodara – 390020, Gujarat, India
T: +91 265 3933000
F: +91 265 2355820

BANGALORE, INDIA
408, 2nd Floor, Regency Enclave, 4, Magrath Road, Bangalore – 560025, Karnataka, India
T: +91 80 65608570, +91 80 65608571
F: +91 80 41129296

MUMBAI, INDIA
1357 / 1359, Regus Serviced Offices, Level 13, Platinum Techno Park 17 & 18, Sector 30, Vashi, Navi Mumbai – 400705, Maharashtra, India
T: +91 22 61214961

DELHI, INDIA
Regus Serviced Office, 2F Elegance, Jasola District Center, Old Mathura Road, New Delhi – 110025, India
T: +91 9974090400

 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 

Hybrid website security from Indusface

  • 2. AGENDA
    Websites – Business & Security Landscape
    Website Security Approach
    Challenges for Automated Scanning
    Hybrid Website Security
    Examples of Logical Checks
    Benefits
  • 3. Websites – Business and Security Landscape (section divider: the agenda repeated with this item highlighted)
  • 4. Websites and Web Applications for Everything!
    Websites and web applications contain valuable data which can be misused if accessed by the wrong people!
    Hence ensuring comprehensive security of a website and web application, which checks for technical and logical vulnerabilities, is of utmost importance!
  • 5. Websites and Web Applications Are Vulnerable
    75% of all attacks are targeted towards the application layer. (Gartner)
    More than 90% of web applications contain some type of security vulnerability. (Imperva)
    Through 2015, 80% of successful attacks will exploit well-known vulnerabilities and will be detectable via security monitoring. (Gartner)
    More than 13% of all reviewed sites can be compromised completely automatically. The most widespread vulnerabilities were Cross-site Scripting, different types of Information Leakage, SQL Injection, and HTTP Response Splitting. (WASC)
    73% of organizations have been hacked at least once in the past two years through insecure websites and web applications. (Ponemon Institute)
    Automation is not always effective without manual configuration or testing activity; manual testing can uncover flaws that are difficult or impossible to find with automated tools. (Gartner)
  • 6. Mind Block
    Website is secured as it has been scanned by state of the art scanning software
    Firewalls and SSL are adequate security for a web application
    IDS protects the web server and databases

    Frequent software updates and new website functionality increase the potential for new web application vulnerabilities
    Security holes in the web application layer can make a perfectly patched and firewalled server completely vulnerable
    Security assessment of an application is never complete without involvement of an application security expert
  • 7. Website Security Approach (section divider: the agenda repeated with this item highlighted)
  • 8. The Importance of Website Scanning
    1. Increasing threats, regulations, and the changing IT landscape have made dynamic software security testing important.
    2. Web applications are now an integral part of any business.
    3. Web applications have become increasingly complex, holding tremendous amounts of sensitive data which can be used in unexpected ways, abused, stolen, and attacked.
    4. Vulnerabilities in applications lead to security breaches which are a threat to brand reputation.
    5. The best web application security coverage is the combination of automated scanning and manual penetration testing.
    Comprehensive Website Security Scanning is Mandatory!
    Source: Gartner
  • 9. Automated and Manual Website Scanning
    Automated Scanning
      • Easily identifies technical vulnerabilities.
      • Very thorough in the testing process.
      • Opportunity to increase the frequency of scans (daily).
      • Proactive approach of detecting a vulnerability in less time.
      • Confidence booster to business/app owners.
    Manual Scanning
      • Intervention of a subject matter expert.
      • Identifies logical flaws and complex weaknesses.
      • Ability to correlate multiple vulnerabilities to create a bigger impact.
      • Ability to pass steps where human intervention is needed.
      • Ability to concentrate on test cases based on critical threats to business.
    Human intelligence assessments and automated scanners are both required for complete vulnerability coverage when it comes to web applications.
  • 10. Technical Flaws versus Logical Flaws
    TECHNICAL FLAWS
      Confidential Information Disclosure: Known Directory, Known CGI File, Configuration File Disclosure, Backup File Disclosure
      Application Input Manipulation: SQL Injection, Cross-Site/In-Line Scripting, Buffer Overflow, OS Command Injection, Meta Character Injection, Directory Traversal, Null Injection, Extension Manipulation, Frame Spoofing
    LOGICAL FLAWS (Logical Vulnerabilities)
      Session Management: Brute/Reverse Force, Session Hijacking, Session Replay, Session Forging, Password Recovery
      Confidential Information Disclosure: Verbose Error Messages, HTML Comments
      Application Input Manipulation: User-Agent Manipulation, Referrer Manipulation, Debug Commands
      Logical Flaws: Account Privilege Escalation, Page Sequencing, User Impersonation, Improper Session Handling
    To detect logical flaws, human intelligence intervention is required.
  • 11. Challenges for Automated Scanning (section divider: the agenda repeated with this item highlighted)
  • 12. Challenges for Automated Scanning
    1. Infinite Website Structure
    2. Multi-Step Process
    3. Authentication and Authorization
  • 13. Infinite Website Structure
    Complex and dynamic websites are impossible to scan comprehensively in an automatic manner. Human intelligence can define finite test cases for finite threats.
    DYNAMIC WEB SITES:
      • Rate of addition
      • Rate of decay
      • Very large database of 500,000 items + links
      • Dynamic URL creation
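The "infinite website structure" problem on slide 13 is usually tackled by reducing the crawled URL space to a finite set of URL templates before test cases are written: a catalogue with 500,000 item pages is served by a handful of handlers, and the tester needs one test case per handler, not per item. The following is an added example, not Indusface's or IndusGuard's code; the host shop.example, the sample URLs, the placeholder names and the list of session parameter names are constructed for illustration:

```python
"""Bound an unbounded dynamic URL space to a finite set of test targets.

Added example (not Indusface's code). URLs are grouped into templates: numeric
and long hexadecimal path segments collapse to placeholders, query parameter
names are kept (sorted) and their values dropped, and session-tracking
parameters are ignored so that the same page reached with different session ids
maps to one template. The sample URLs below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

NUMERIC = re.compile(r"\d+")
HEX_ID = re.compile(r"[0-9a-f]{8,}", re.IGNORECASE)          # hashes, session ids, uuid fragments
SESSION_PARAMS = {"sid", "sessionid", "jsessionid", "phpsessid"}  # assumed names; never part of a template


def path_template(path: str) -> str:
    """Replace identifier-like path segments with placeholders; keep literal segments."""
    out = []
    for seg in path.split("/"):
        if NUMERIC.fullmatch(seg):
            out.append("{int}")
        elif HEX_ID.fullmatch(seg):
            out.append("{hex}")
        else:
            out.append(seg)
    return "/".join(out)


def url_template(url: str) -> tuple:
    """Template key: (host, path template, sorted query parameter names)."""
    parts = urlsplit(url)
    names = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    names -= SESSION_PARAMS
    return parts.netloc.lower(), path_template(parts.path), tuple(sorted(names))


def group_urls(urls):
    """Map each template to the concrete URLs observed for it."""
    groups = defaultdict(list)
    for u in urls:
        groups[url_template(u)].append(u)
    return dict(groups)


def pick_representatives(groups, per_template: int = 1):
    """The finite test list: the first N concrete URLs of every template."""
    return {t: us[:per_template] for t, us in groups.items()}


# Constructed sample: what a short crawl of a small catalogue site might yield.
SAMPLE_URLS = [
    "https://shop.example/item/1001?ref=home",
    "https://shop.example/item/1002?ref=mail",
    "https://shop.example/item/574321?ref=search&sid=9f8e7d6c5b4a3210",
    "https://shop.example/search?q=shoes&page=1",
    "https://shop.example/search?page=2&q=shoes",
    "https://shop.example/cart/a3f9c2d1e4b5/view",
    "https://shop.example/cart/0f1e2d3c4b5a/view",
    "https://shop.example/about",
]

if __name__ == "__main__":
    for template, urls in group_urls(SAMPLE_URLS).items():
        print(template, "<-", len(urls), "URL(s)")
```

Eight crawled URLs collapse to four templates; a tester then writes the price-manipulation or access-control test cases once per template and lets the automated scanner exercise the remaining concrete URLs.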
  • 14. Multi-Step Process
    • A multi-step process requires human intervention to complete the process
    • An automated approach can never find all flaws or complete the process to find logical weaknesses
  • 15. Authentication and Authorization
    Authentication and authorization are complex in nature
  • 16. Hybrid Website Security (section divider: the agenda repeated with this item highlighted)
  • 17. Hybrid Website Security = Automated + Manual
    A hybrid model ensuring the best of automated scanning combined with manual testing, covering an internal and external assessment of vulnerabilities.
    AUTOMATED: Daily scans provide a proactive approach to identifying technical vulnerabilities on a daily basis
    MANUAL: Checks for logical flaws and performs session based checks using security experts
    IndusGuard by Indusface is a zero touch, non-intrusive, cloud based solution which safeguards websites by daily, automatic and comprehensive scanning of websites for system and application vulnerabilities, and malware.
  • 18. Comprehensive Automated and Manual Website Security
    Features: Complete, Actionable Reporting; Detailed Remediation Guidelines; Unlimited Expert Support; Web Service API; Flexible Notification; Manual Revalidation; Flexible Management of Websites; Zero False Positives; Business Logic Testing; Role Based Access Control Test; Database Test
    Manual assessment workflow (diagram on the slide): Customer Web Application → Application Review → Module Enumeration → Test Case Development → Test Execution → Test Case Validation → Draft Test Report → Manual Feedback
  • 19. Examples of Logical Checks (section divider: the agenda repeated with this item highlighted)
  • 20. Online Travel Portal
    A travel portal is designed to follow a business logic of allowing its consumers to book a flight ticket online at the listed price.
    1. A malicious user trying to book an online ticket selects the itinerary with the listed price ($1000).
    2. The same user exploits the application vulnerability to modify the listed price to a much lesser price ($1000 changed to $100).
    3. The payment gateway verifies the transaction as valid ($100 charged).
    4. The travel portal accepts the transaction as successful and issues a ticket to the consumer.
    A flaw in their business logic was identified. An online travel company can lose millions if the application is not able to handle and identify such online frauds.
  • 21. Online Voting System
    An online voting portal has a feature which allows the user to cast a vote only after entering the One Time Password (OTP) sent to the user's registered mobile number.
    1. A malicious user logs into the application and selects the candidate for whom he wants to cast the vote.
    2. Now the application will ask the user to enter the OTP which was sent to his registered mobile number.
    3. After some manipulation, the attacker is successful in casting the vote without entering the OTP.
    Now, if an attacker gets access to a valid user's username and password, he can cast the vote a number of times without entering the OTP.
  • 22. Benefits (section divider: the agenda repeated with this item highlighted)
  • 23. Benefits of Hybrid Website Security: Automated + Manual
    • Complete coverage on website and web application security assessment
    • Zero false positives
    • Involvement of subject matter expert
    • Proactive approach in finding vulnerabilities on a daily basis using automated scans
    • Evidence of exploit for business owners to create a business impact
    • Ability to identify complex logical weaknesses
    • Ability to assess complex, huge and dynamic websites
    This powerful combination of technology and human intelligence is required to ensure comprehensive security coverage is provided to a web application.
  • 24. Thank You
    Sales: sales@indusface.com
    Marketing: marketing@indusface.com
    Technical: support@indusface.com
    VADODARA, INDIA: A/2-3, 3rd Floor, Status Plaza, Opp Relish Resort, Atladara Old Padra Road, Vadodara – 390020, Gujarat, India. T/F: +91 265 3933000, +91 265 2355820
    BANGALORE, INDIA: 408, 2nd Floor, Regency Enclave, 4, Magrath Road, Bangalore – 560025, Karnataka, India. T/F: +91 80 65608570, +91 80 65608571, +91 80 41129296
    MUMBAI, INDIA: 1357 / 1359, Regus Serviced Offices, Level 13, Platinum Techno Park, 17 & 18, Sector 30, Vashi, Navi Mumbai – 400705, Maharashtra, India. T: +91 22 61214961
    DELHI, INDIA: Regus Serviced Office, 2F Elegance, Jasola District Center, Old Mathura Road, New Delhi – 110025, India. T: +91 9974090400