Open Source Websites : Protection
Chris Davis
Director of Security and Compliance

Open Source Powered Websites
Protect Your Enterprise and Yourself

DISCLAIMER
This is not a Sales Pitch
• Learn from our findings and apply to your environment
• This is a very serious problem and it’s only getting worse

HOW BAD IS IT?
82% of Websites have at least one security issue
63% have issues of high, critical or urgent severity
(WhiteHat Security, 2008)
70% of the top 100 most popular web sites either hosted malicious content or contained a masked redirect to malicious sites
(Websense, 2009)

WEB APPLICATIONS – THE LARGEST THREAT
54% of attacks are on the web application layer
92% of web application attacks resulted in over 90% of record access
Source: Verizon / United States Secret Service Data Breach Investigation Report, 2010

OPEN SOURCE ON THE RISE

THE GAME HAS CHANGED
• Web, HTTPS (SSL) & XML Vulnerabilities
• SQL Injection
• Session Hijacking
• Cross Site Scripting (XSS)
• Form Field Tampering
• Known Worms
• Zero Day Web Worms
• Buffer Overflow
• Cookie Poisoning
• Denial of Service
• Web Server & Operating System Attacks
• Directory Traversal
• Anonymous Proxy
• Open Source Vulnerabilities
• OS Command Injection
• Cross-Site Request Forgery
• Google Hacking
• Remote File Inclusion
• Illegal Encoding
• Malicious Robots
• Parameter Tampering
• Brute Force Login
• Malicious Encoding
• Site Recon
• Credit Card Exposure
• Patient Data Disclosure
• Phishing
• Data Destruction
• US SSN Leakage
Rise in Application Level Attacks (Port 80 and 443 – Unblocked by Firewalls)
Strict Compliance Requirements (U.S. and Abroad)
U.S. Department of Health & Human Services, Policy of Responding to Breaches of Personally Identifiable Information (PII), HHS-OCIO-2008-0001.002 – April 15, 2008

HACKER PROFILES (Two Types)
THE Egomaniac
THE Criminal

NATHAN SMITH
Static & CMS-Powered Website Hacked on Cloud Hosting
• TextPattern CMS
• Co-wrote book on Textpattern = No Rookie
• SEO Bots = “Spammy” Links
• Users = Normal but with display:none list of links

KARL SWEDBERG
WordPress Hacked
• WordPress CMS - Hacked
• During Migration we gained access to over 1000 Websites
• Yes… we had Karl report the hack

SECURITY IS ABOUT THE ECOSYSTEM
Network: Routers / Firewalls
Operating Systems: Windows / Linux / OS X
Applications: Open Source / Commercial
Database: Oracle / MySQL / MS SQL
Web Server: Apache / Microsoft IIS
3rd Party Web Applications: Open Source / Commercial
Custom Web Applications: PHP / ASP.NET / Java
Physical / Virtual Access / Social Engineering
Responsibility – Solution
Managed Hosting Responsibility – Firewall, Virus Protection, Patches, IDS, etc.
Yours or FireHost – App Level or WAF

Humans
The Biggest Security Vulnerability

WHAT CAN YOU DO?
Be Smart About It
• Security isn’t convenient
• Choose only leading CMS platforms
• Stay up-to-date with core updates
• Decent security plug-ins out there
• Use a secure hosting provider

THE REALITIES OF MODULES/PLUGINS
Keep Them Under Control

LOVE YOUR MODULES
Website Enhancements
• Only download from trusted sources
• Check bug reports
• Only activate one at a time
• Three dirty letters – DEV
• Don’t install unless it supports your core version or higher
• Search “x hacked” first and read results

YOU AND YOUR ADMIN
Don’t Be Afraid
• SSL – It’s not just for shopping carts
• Configure .htaccess or IIS security on admin directory
  Don’t worry about changing the directory name
• Don’t trust your connection
  Especially WiFi
  ARP Poisoning is easy

THE DATABASE
What Are You Exposing?
• Logins
  MySQL UN/PW different from Root Login
• Sharing
  Do not share your database with other apps
• Change Table Prefixes
  Obfuscate table names to something known only to you
• Non-Public
  Remove DB from public access
• Segment
  Segment where appropriate to limit scope of access
• Back Up!
  Not much to say here
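The admin and database slides above are a checklist; as an added example (not code from the talk or from FireHost), the Python audit below checks WordPress-style wp-config.php fragments against those items: non-root DB login, non-default table prefix, DB host not on a public address, admin forced to SSL, and no database or DB login shared between several apps. The constant names DB_USER, DB_HOST, $table_prefix and FORCE_SSL_ADMIN are real WordPress settings; the sample configs and the list of networks counted as non-public are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample configs (not from any real site). The first breaks most
# of the slide's rules, the second shares its database with the first, and
# the third follows the advice.
WEAK_CONFIG = """<?php
define('DB_NAME', 'shared_db');
define('DB_USER', 'root');
define('DB_PASSWORD', 'example-only');
define('DB_HOST', '203.0.113.10');
$table_prefix = 'wp_';
"""

OTHER_APP_CONFIG = """<?php
define('DB_NAME', 'shared_db');
define('DB_USER', 'root');
define('DB_PASSWORD', 'example-only');
define('DB_HOST', '203.0.113.10');
$table_prefix = 'shop_';
define('FORCE_SSL_ADMIN', true);
"""

HARDENED_CONFIG = """<?php
define('DB_NAME', 'blog_only');
define('DB_USER', 'blog_app');
define('DB_PASSWORD', 'example-only');
define('DB_HOST', '10.20.30.40:3306');
$table_prefix = 'k7q2x_';
define('FORCE_SSL_ADMIN', true);
"""

DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")
SUPERUSERS = {"root", "admin", "mysql"}   # assumption: logins that should never be the app's DB user
# Assumption: only loopback and RFC1918 / ULA space count as "non-public" for DB_HOST.
NONPUBLIC_NETS = [ipaddress.ip_network(n) for n in
                  ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def parse_wp_config(text):
    """Return the define()'d constants plus $table_prefix as a plain dict."""
    cfg = {name: raw.strip("'\"") for name, raw in DEFINE_RE.findall(text)}
    m = PREFIX_RE.search(text)
    if m:
        cfg["table_prefix"] = m.group(1)
    return cfg

def host_is_nonpublic(host):
    """True if DB_HOST is localhost, a socket, or a private address; False for a
    public IP; None for a hostname this check cannot classify."""
    name = host.split(":", 1)[0]            # drop ':port' or ':/path/to/mysqld.sock'
    if name in ("", "localhost"):
        return True
    try:
        addr = ipaddress.ip_address(name)
    except ValueError:
        return None
    return any(addr in net for net in NONPUBLIC_NETS)

def audit_config(text):
    """Findings for one site, each tied to a point on the admin/database slides."""
    cfg = parse_wp_config(text)
    findings = set()
    if cfg.get("DB_USER", "").lower() in SUPERUSERS:
        findings.add("db-user-is-superuser")     # MySQL UN/PW different from Root Login
    if cfg.get("table_prefix", "wp_") == "wp_":
        findings.add("default-table-prefix")     # Change Table Prefixes
    if host_is_nonpublic(cfg.get("DB_HOST", "localhost")) is False:
        findings.add("db-host-public-address")   # Remove DB from public access
    if cfg.get("FORCE_SSL_ADMIN", "false").lower() != "true":
        findings.add("admin-not-forced-to-ssl")  # SSL: not just for shopping carts
    return findings

def audit_sites(configs):
    """Audit several sites and flag any database or DB login shared between them
    ('Do not share your database with other apps')."""
    report = {site: audit_config(text) for site, text in configs.items()}
    parsed = {site: parse_wp_config(text) for site, text in configs.items()}
    for key, tag in (("DB_NAME", "shared-database"), ("DB_USER", "shared-db-login")):
        seen = {}
        for site, cfg in parsed.items():
            seen.setdefault((cfg.get("DB_HOST"), cfg.get(key)), []).append(site)
        for sites in seen.values():
            if len(sites) > 1:
                for site in sites:
                    report[site].add(tag)
    return report

if __name__ == "__main__":
    sites = {"blog": WEAK_CONFIG, "shop": OTHER_APP_CONFIG, "clean": HARDENED_CONFIG}
    for site, findings in audit_sites(sites).items():
        print(f"{site}: {sorted(findings) or 'no findings'}")
```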

YOUR HOSTING ENVIRONMENT
• Network Firewalls
• VPN Access
• Anti-Virus
• SSL Certificates
• Isolated Environments (Web/DB – Prod/Dev)
• Web Application Firewalls
• Two-Factor Authentication
• Vulnerability Monitoring
• Intrusion Detection
• Log Management
• Scrubbing Centers
• Disk Encryption

Thank You
Questions?
Email chris.davis@firehost.com
Twitter twitter.com/davischrism
Chris Davis
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 

Recently uploaded (20)

AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 

Open Source Powered Websites: Protect Your Enterprise and Yourself - Chris Davis, Firehost

  • 1. Open Source Websites : Protection Chris Davis Director of Security and Compliance 1
  • 2. Open Source Websites : Protection Open Source Powered Websites Protect Your Enterprise and Yourself 2
  • 3. Open Source Websites : Protection This is not a DISCLAIMER • Learn from our findings and apply to your environment • This is a very serious problem and it’s only getting worse Sales Pitch 3
  • 4. Open Source Websites : Protection HOW BAD IS IT? 82% of Websites have at least one security issue 63% have issues of high, critical or urgent severity 70% of the top 100 most popular web sites either hosted malicious content or contained a masked redirect to malicious sites WhiteHat Security, 2008 Websense, 2009 4
  • 5. Open Source Websites : Protection Verizon / United States Secret Service Data Breach Investigation Report, 2010 54% of attacks are on the web application layer 92% of web application attacks resulted in over 90% of record access WEB APPLICATIONS – THE LARGEST THREAT
  • 6. Open Source Websites : Protection OPEN SOURCE ON THE RISE 6
  • 7. Open Source Websites : Protection THE GAME HAS CHANGED • Web, HTTPS (SSL) & XML Vulnerabilities • SQL Injection • Session Hijacking • Cross Site Scripting (XSS) • Form Field Tampering • Known Worms • Zero Day Web Worms • Buffer Overflow • Cookie Poisoning • Denial of Service • Web Server & Operating System Attacks • Directory Traversal • Anonymous Proxy • Open Source Vulnerabilities • OS Command Injection • Cross-Site Request Forgery • Google Hacking • Remote File Inclusion • Illegal Encoding • Malicious Robots • Parameter Tampering • Brute Force Login • Malicious Encoding • Site Recon • Illegal Encoding • Credit Card Exposure • Patient Data Disclosure • Phishing • Data Destruction • US SSN Leakage Rise in Application Level Attacks (Port 80 and 443 – Unblocked by Firewalls) Strict Compliance Requirements (U.S. and Abroad) U.S. Department of Health & Human Services Policy of Responding to Breaches of Personally Identifiable Information (PII) HHS-OCIO-2008-0001.002 – April 15, 2008 7
  • 8. Open Source Websites : Protection HACKER PROFILES (Two Types) • THE Egomaniac • THE Criminal 8
  • 9. Open Source Websites : Protection 9
  • 10. Open Source Websites : Protection • TextPattern CMS • Co-wrote book on Textpattern = No Rookie • SEO Bots = “Spammy” Links • Users = Normal but with display:none list of links NATHAN SMITH Static & CMS-Powered Website Hacked on Cloud Hosting 10
  • 11. Open Source Websites : Protection 11
  • 12. Open Source Websites : Protection • WordPress CMS - Hacked • During migration we gained access to over 1000 websites • Yes… we had Karl report the hack KARL SWEDBERG WordPress Hacked 12
  • 13. Open Source Websites : Protection 13
  • 14. Open Source Websites : Protection SECURITY IS ABOUT THE ECOSYSTEM • Network (Routers / Firewalls) • Operating Systems (Windows / Linux / OS X) • Applications (Open Source / Commercial) • Database (Oracle / MySQL / MS SQL) • Web Server (Apache / Microsoft IIS) • 3rd Party Web Applications (Open Source / Commercial) • Custom Web Applications (PHP / ASP.NET / Java) • Physical / Virtual Access / Social Engineering. Responsibility: Managed Hosting Responsibility; Yours or FireHost. Solution: Firewall, Virus Protection, Patches, IDS, etc.; App Level or WAF 14
  • 15. Open Source Websites : Protection Humans The Biggest Security Vulnerability 15
  • 16. Open Source Websites : Protection WHAT CAN YOU DO? • Security isn’t convenient • Choose only leading CMS platforms • Stay up-to-date with core updates • Decent security plug-ins out there • Use a secure hosting provider Be Smart About It 16
  • 17. Open Source Websites : Protection THE REALITIES OF MODULES/PLUGINS Keep Them Under Control 17
  • 18. Open Source Websites : Protection LOVE YOUR MODULES Website Enhancements • Only download from trusted sources • Check bug reports • Only activate one at a time • Three dirty letters – DEV • Don’t install unless it supports your core version or higher • Search “x hacked” first and read results 18
  • 19. Open Source Websites : Protection YOU AND YOUR ADMIN Don’t Be Afraid • SSL: it’s not just for shopping carts • Configure .htaccess or IIS security on the admin directory (don’t worry about changing the directory name) • Don’t trust your connection, especially WiFi: ARP poisoning is easy 19
  • 20. Open Source Websites : Protection THE DATABASE What Are You Exposing? • Logins: MySQL UN/PW different from the root login • Sharing: do not share your database with other apps • Change Table Prefixes: obfuscate table names to something known only to you • Non-Public: remove the DB from public access • Segment: segment where appropriate to limit the scope of access • Back Up! Not much to say here 20
  • 21. Open Source Websites : Protection • Network Firewalls • VPN Access • Anti-Virus • SSL Certificates • Isolated Environments (Web/DB – Prod/Dev) • Web Application Firewalls • Two-Factor Authentication • Vulnerability Monitoring • Intrusion Detection • Log Management • Scrubbing Centers • Disk Encryption YOUR HOSTING ENVIRONMENT 21
  • 22. Open Source Websites : Protection Thank You Questions? Email chris.davis@firehost.com Twitter twitter.com/davischrism Chris Davis 22
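The display:none link list on the Nathan Smith slide (slide 10) is a symptom a site owner can check for mechanically by comparing what the live site serves with what the CMS should be serving. The script below is an added example, not code from the talk or from FireHost: it parses a page with Python's standard html.parser and reports anchors that sit inside a container hidden by inline CSS or the HTML hidden attribute, run over a constructed sample page with placeholder domains.

```python
# Added example (not from the talk): flag the symptom on the Nathan Smith
# slide, a display:none block of SEO spam links that only crawlers see.
import re
from html.parser import HTMLParser

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID = {"br", "img", "hr", "input", "meta", "link"}  # never closed: skip stack


class HiddenLinkScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self._hidden = []  # one bool per open element: is it inside a hidden one?
        self.hidden_links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        inside = (bool(HIDDEN_STYLE.search(attrs.get("style") or ""))
                  or "hidden" in attrs  # HTML5 boolean attribute
                  or bool(self._hidden and self._hidden[-1]))
        if tag == "a" and inside and attrs.get("href"):
            self.hidden_links.append(attrs["href"])
        if tag not in VOID:
            self._hidden.append(inside)

    def handle_endtag(self, tag):
        if tag not in VOID and self._hidden:
            self._hidden.pop()


def find_hidden_links(html):
    """Return every href a visitor cannot see, in document order."""
    scanner = HiddenLinkScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hidden_links


def looks_like_seo_spam(html, threshold=3):
    """True when at least `threshold` links are hidden from users."""
    return len(find_hidden_links(html)) >= threshold


# Constructed sample: a normal page plus an injected invisible link block
# (placeholder domains, not real indicators). Hidden text with no links is fine.
SAMPLE_HTML = """<html><body><nav><a href="/about">About</a></nav>
<div id="cookie-banner" style="display:none">We use cookies.</div>
<article><p>Hello <img src="x.png"> world<br></p></article>
<div style="display: none"><ul>
<li><a href="http://spam-one.example/">pills</a></li>
<li><a href="http://spam-two.example/">casino</a></li>
<li><a href="http://spam-three.example/">loans</a></li>
</ul></div></body></html>"""
```

A legitimately hidden element such as the cookie banner is not reported because it contains no links; the threshold keeps a single hidden "skip to content" anchor from tripping the check.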