This document discusses hybrid website security which combines automated scanning with manual penetration testing. It begins by covering the business and security landscape for websites, noting the increasing threats they face. It then discusses both automated and manual scanning, explaining that while automated scans can find technical vulnerabilities, manual testing is needed to find logical flaws. Some challenges of automated scanning like infinite website structures and multi-step processes are outlined. The document proposes a hybrid model of security that leverages both approaches. Examples of logical vulnerabilities that could be found through manual testing are provided. Finally, the benefits of the hybrid approach like complete coverage and identifying complex issues are summarized.
2. AGENDA
• Websites – Business & Security Landscape
• Website Security Approach
• Challenges for Automated Scanning
• Hybrid Website Security
• Examples of Logical Checks
• Benefits
www.indusface.com | Indusface, Proprietary
3. Websites – Business and Security Landscape
4. Websites and Web Applications for Everything!
Websites and web applications contain valuable data which can be misused if accessed by the wrong people! Hence ensuring comprehensive security of a website and web application, which checks for technical and logical vulnerabilities, is of utmost importance!
5. Websites and Web Applications Are Vulnerable
• 75% of all attacks are targeted towards the application layer. (Gartner)
• More than 90% of web applications contain some type of security vulnerability. (Imperva)
• Through 2015, 80% of successful attacks will exploit well-known vulnerabilities and will be detectable via security monitoring. (Gartner)
• More than 13% of all reviewed sites can be compromised completely automatically. The most widespread vulnerabilities were Cross-site Scripting, different types of Information Leakage, SQL Injection, and HTTP Response Splitting. (WASC)
• 73% of organizations have been hacked at least once in the past two years through insecure websites and web applications. (Ponemon Institute)
• Automation is not always effective without manual configuration or testing activity; manual testing can uncover flaws that are difficult or impossible to find with automated tools. (Gartner)
6. Mind Block
• Website is secured as it has been scanned by state-of-the-art scanning software
• Firewalls and SSL are adequate security for a web application
• IDS protects the web server and databases
• Frequent software updates and new website functionality increase the potential for new web application vulnerabilities
• Security holes in the web application layer can make a perfectly patched and firewalled server completely vulnerable
• Security assessment of an application is never complete without involvement of an application security expert
7. Website Security Approach
8. The Importance of Website Scanning
1. Increasing threats, regulations, and the changing IT landscape have made dynamic software security testing important.
2. Web applications are now an integral part of any business.
3. Web applications have become increasingly complex, holding tremendous amounts of sensitive data which can be used in unexpected ways, abused, stolen, and attacked.
4. Vulnerabilities in applications lead to security breaches which are a threat to brand reputation.
5. The best web application security coverage is the combination of using automated scanning and manual penetration testing.
Comprehensive Website Security Scanning is Mandatory!
Source: Gartner
9. Automated and Manual Website Scanning
Automated Scanning
• Easily identifies technical vulnerabilities.
• Very thorough in the testing process.
• Opportunity to increase the frequency of scans (daily).
• Proactive approach of detecting a vulnerability in less time.
• Confidence booster to business/app owners.
Manual Scanning
• Intervention of a subject matter expert.
• Identifies logical flaws and complex weaknesses.
• Ability to correlate multiple vulnerabilities to create a bigger impact.
• Ability to pass steps where human intervention is needed.
• Ability to concentrate on test cases based on critical threats to business.
Human intelligence assessments and automated scanners are both required for complete vulnerability coverage when it comes to web applications.
10. Technical Flaws versus Logical Flaws
TECHNICAL FLAWS
Confidential Information Disclosure
• Known Directory
• Known CGI File
• Configuration File Disclosure
• Backup File Disclosure
Application Input Manipulation
• SQL Injection
• Cross-Site/In-Line Scripting
• Buffer Overflow
• OS Command Injection
• Meta Character Injection
• Directory Traversal
• Null Injection
• Extension Manipulation
• Frame Spoofing
LOGICAL FLAWS (Logical Vulnerabilities)
Session Management
• Brute/Reverse Force
• Session Hijacking
• Session Replay
• Session Forging
• Password Recovery
Confidential Information Disclosure
• Verbose Error Messages
• HTML Comments
Application Input Manipulation
• User-Agent Manipulation
• Referrer Manipulation
• Debug Commands
Logical Flaws
• Account Privilege Escalation
• Page Sequencing
• User Impersonation
• Improper Session Handling
To detect logical flaws, human intelligence intervention is required.
11. Challenges for Automated Scanning
12. Challenges for Automated Scanning
1. Infinite Website Structure
2. Multi-Step Process
3. Authentication and Authorization
13. Infinite Website Structure
Complex and dynamic websites are impossible to scan comprehensively in an automatic manner. Human intelligence can define finite test cases for finite threats.
DYNAMIC WEB SITES:
• Rate of addition
• Rate of decay
• Very large database of 500,000 items + links
• Dynamic URL creation
14. Multi-Step Process
• A multi-step process requires human intervention to complete the process
• An automated approach can never find all flaws or complete the process to find logical weaknesses
16. Hybrid Website Security
17. Hybrid Website Security = Automated + Manual
A hybrid model ensuring the best of automated scanning combined with manual testing, covering an internal and external assessment of vulnerabilities.
AUTOMATED: Daily scans provide a proactive approach to identifying technical vulnerabilities on a daily basis.
MANUAL: Checks for logical flaws and performs session-based checks using security experts.
IndusGuard by Indusface is a zero-touch, non-intrusive, cloud-based solution which safeguards websites by daily, automatic and comprehensive scanning of websites for system and application vulnerabilities, and malware.
18. Comprehensive Automated and Manual Website Security
[Diagram] Features shown: Complete, Actionable Reporting; Detailed Remediation Guidelines; Unlimited Expert Support; Web Service API; Flexible Notification; Manual Revalidation; Flexible Management of Websites; Zero False Positives; Business Logic Testing; Role Based Access Control.
[Diagram] Manual assessment stages shown around the CUSTOMER WEB APPLICATION: Application Review; Module Enumeration; Test Case Development; Test Database; Test Execution; Manual Feedback; Case Validation; Draft Test Report.
19. Examples of Logical Checks
20. Online Travel Portal
A travel portal is designed to follow a business logic of allowing its consumers to book a flight ticket online at the price listed, as shown:
1. A malicious user trying to book an online ticket selects the itinerary with the listed price ($ 1000/-).
2. The same user exploits the application vulnerability to modify the listed price to a much lesser price ($ 1000/- changed to $ 100/-).
3. The payment gateway verifies the transaction as valid ($ 100/- charged).
4. The travel portal accepts the transaction as successful and issues a ticket to the consumer.
An online travel company can lose millions if the application is not able to handle and identify such online frauds. A flaw in their business logic was identified.
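The price-tampering flow above, as an added example that is not code from the Indusface deck or from IndusGuard: the vulnerable handler charges whatever price the client posts back, the hardened one re-reads the fare from the server-side catalog and rejects a mismatch, and a reconciliation pass flags tickets charged below the listed fare. The catalog, itinerary ids and bookings are constructed sample data.

```python
# Added example (not from the Indusface deck): the booking server re-derives
# the fare from its own catalog rather than trusting the price the browser
# posts back, and a reconciliation pass flags tickets charged below list.
# Catalog entries, itinerary ids and bookings are constructed sample data.
from __future__ import annotations
from dataclasses import dataclass

FARES = {"BOM-DEL-0601": 1000, "BLR-BOM-0602": 750}  # authoritative fares

@dataclass
class Booking:
    user: str
    itinerary: str
    charged: int

def book_trusting_client(user: str, itinerary: str, posted_price: int) -> Booking:
    """Vulnerable handler: charges whatever price the client posted back."""
    return Booking(user, itinerary, posted_price)

def book_server_priced(user: str, itinerary: str, posted_price: int) -> Booking:
    """Hardened handler: the fare comes from the catalog, and a posted price
    that differs from it is rejected rather than silently corrected, because
    the mismatch itself is a tampering signal worth logging."""
    listed = FARES.get(itinerary)
    if listed is None:
        raise ValueError(f"unknown itinerary {itinerary!r}")
    if posted_price != listed:
        raise ValueError(f"price mismatch: posted {posted_price}, listed {listed}")
    return Booking(user, itinerary, listed)

def underpaid(ledger: list[Booking]) -> list[Booking]:
    """Detection: compare each issued ticket with the catalog fare and return
    those charged less than the listed price (the $100-for-$1000 case)."""
    return [b for b in ledger if b.charged < FARES.get(b.itinerary, b.charged)]

if __name__ == "__main__":
    tampered = book_trusting_client("mallory", "BOM-DEL-0601", 100)  # listed 1000
    honest = book_server_priced("alice", "BLR-BOM-0602", 750)
    try:
        book_server_priced("mallory", "BOM-DEL-0601", 100)
    except ValueError as err:
        print("rejected:", err)
    print("flagged by reconciliation:", underpaid([tampered, honest]))
```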
21. Online Voting System
An online voting portal has a feature which allows the user to cast a vote only after entering the One Time Password (OTP) sent to the user's registered mobile number.
1. A malicious user logs into the application and selects the candidate for whom he wants to cast the vote.
2. Now the application will ask the user to enter the OTP which was sent to his registered mobile number.
3. After some manipulation, the attacker is successful in casting the vote without entering the OTP.
Now, if an attacker gets access to a valid user's username and password, he can cast the vote a number of times without entering the OTP.
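The OTP-skipping flow above, as an added example that is not code from the Indusface deck: the vote step is gated on state the server holds rather than on anything the client sends, the OTP is bound to the session and single-use, and each voter gets one ballot, so neither skipping step 2 nor repeating step 3 succeeds. The in-memory session store, voter names and OTPs are constructed for the demo.

```python
# Added example (not from the Indusface deck): the vote workflow enforced on
# the server. The flawed handler trusts a client-sent "otp_verified" field;
# the fixed one keeps step state server-side, binds the OTP to the session
# and allows one ballot per voter. Names, OTPs and ballots are constructed.
import hmac
import secrets

SESSIONS: dict[str, dict] = {}         # session id -> server-held workflow state
BALLOTS: list[tuple[str, str]] = []    # (voter, candidate) as recorded

def login(voter: str) -> str:
    sid = secrets.token_hex(8)
    SESSIONS[sid] = {"voter": voter, "candidate": None, "otp": None, "otp_ok": False}
    return sid

def select_candidate(sid: str, candidate: str) -> str:
    """Step 1: record the choice and issue an OTP bound to this session.
    In production the OTP goes out by SMS; here it is returned for the demo."""
    s = SESSIONS[sid]
    s.update(candidate=candidate, otp=f"{secrets.randbelow(10**6):06d}", otp_ok=False)
    return s["otp"]

def verify_otp(sid: str, submitted: str) -> bool:
    """Step 2: constant-time compare; the verified flag lives only on the server."""
    s = SESSIONS[sid]
    if s["otp"] is not None and hmac.compare_digest(s["otp"], submitted):
        s["otp_ok"], s["otp"] = True, None  # single use
    return s["otp_ok"]

def cast_vote_vulnerable(sid: str, request: dict) -> bool:
    """Flawed step 3: gates on a client-supplied field and never checks whether
    this voter already voted, so step 2 can be skipped and the vote repeated."""
    s = SESSIONS[sid]
    if request.get("otp_verified"):
        BALLOTS.append((s["voter"], s["candidate"]))
        return True
    return False

def cast_vote_hardened(sid: str) -> bool:
    """Fixed step 3: the server's own otp_ok flag gates the vote, each voter is
    allowed one ballot, and the flag is consumed so the step cannot be replayed."""
    s = SESSIONS[sid]
    already = any(v == s["voter"] for v, _ in BALLOTS)
    if not s["otp_ok"] or s["candidate"] is None or already:
        return False
    BALLOTS.append((s["voter"], s["candidate"]))
    s["otp_ok"] = False
    return True
```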
22. Benefits
23. Benefits of Hybrid Website Security
Automated + Manual
• Complete coverage on website and web application security assessment
• Zero false positives
• Involvement of subject matter expert
• Proactive approach in finding vulnerabilities on a daily basis using automated scans
• Evidence of exploit for business owners to create a business impact
• Ability to identify complex logical weaknesses
• Ability to assess complex, huge and dynamic websites
This powerful combination of technology and human intelligence is required to ensure comprehensive security coverage is provided to a web application.
24. Thank You
Sales : sales@indusface.com
Marketing : marketing@indusface.com
Technical : support@indusface.com
VADODARA, INDIA
A/2-3, 3rd Floor, Status Plaza, Opp Relish Resort, Atladara Old Padra Road, Vadodara – 390020, Gujarat, India
T : +91 265 3933000
F : +91 265 2355820
BANGALORE, INDIA
408, 2nd Floor, Regency Enclave, 4, Magrath Road, Bangalore – 560025, Karnataka, India
T/F : +91 80 65608570, +91 80 65608571, +91 80 41129296
MUMBAI, INDIA
1357 / 1359, Regus Serviced Offices, Level 13, Platinum Techno Park 17 & 18, Sector 30, Vashi, Navi Mumbai – 400705, Maharashtra, India
T : +91 22 61214961
DELHI, INDIA
Regus Serviced Office, 2F Elegance, Jasola District Center, Old Mathura Road, New Delhi – 110025, India
T : +91 9974090400