Web Application Security
security. protection. intelligence.
Q: Where Do Your Current Security Measures Fail?
A: Your Proprietary, Custom-written Web Applications
Today over 70% of attacks against a company's Web site or Web application come at the 'Application Layer', not the Network or System layer.
A complete security solution requires attention at each potential point of attack.
Q: So how do we remedy this situation?
A: Enact policies requiring your developers to write secure code.
• Verify all request parameters are in proper format (via a standard library).
• Any unknown or incorrect user data should be logged and the request terminated.
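The two bullets above amount to an allowlist validation policy: every parameter must match an expected shape, anything unexpected is rejected rather than ignored, and each rejection is logged. The following is an added example, not code from the SPI Dynamics deck, written in Python with only the standard library's re and logging modules. The /profile endpoint, its parameter rules, the client address and the handler name handle_profile_request are hypothetical, constructed for illustration.

```python
import logging
import re
from dataclasses import dataclass, field
from typing import Dict, List, Mapping

# Hypothetical endpoint and rules constructed for this example.
logger = logging.getLogger("request_validation")


@dataclass(frozen=True)
class ParamRule:
    """Exact shape one request parameter must have (allowlist, not blocklist)."""
    pattern: re.Pattern   # matched with fullmatch, so the whole value must conform
    max_len: int          # length ceiling checked before the regex runs
    required: bool = False


@dataclass
class ValidationResult:
    ok: bool = True
    values: Dict[str, str] = field(default_factory=dict)   # only parameters that passed
    errors: List[str] = field(default_factory=list)


# Allowlist for a hypothetical /profile endpoint: anything not listed here is unknown.
PROFILE_RULES: Dict[str, ParamRule] = {
    "user_id": ParamRule(re.compile(r"[0-9]{1,10}"), max_len=10, required=True),
    "sort": ParamRule(re.compile(r"asc|desc"), max_len=4),
    "email": ParamRule(re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), max_len=254),
}


def validate_params(params: Mapping[str, str], rules: Mapping[str, ParamRule],
                    client: str = "unknown") -> ValidationResult:
    """Check every parameter against the allowlist; log and reject on any mismatch."""
    result = ValidationResult()

    # 1. Unknown parameters are rejected outright rather than silently ignored.
    for name in params:
        if name not in rules:
            result.errors.append(f"unknown parameter {name!r}")

    # 2. Every known parameter must be present if required and must match its rule.
    for name, rule in rules.items():
        if name not in params:
            if rule.required:
                result.errors.append(f"missing required parameter {name!r}")
            continue
        value = params[name]
        # fullmatch (not search, not '$') so a trailing newline such as "42\n" fails.
        if len(value) > rule.max_len or rule.pattern.fullmatch(value) is None:
            result.errors.append(f"malformed parameter {name!r}")
            continue
        result.values[name] = value

    if result.errors:
        result.ok = False
        # repr() escapes control characters, so an attacker-chosen parameter name
        # cannot forge extra log lines; the raw values themselves are never logged.
        logger.warning("rejected request from %s: %s", client, "; ".join(result.errors))
    return result


def handle_profile_request(params: Mapping[str, str], client: str = "unknown"):
    """Hypothetical handler: terminate with 400 on any validation failure."""
    result = validate_params(params, PROFILE_RULES, client)
    if not result.ok:
        return 400, "Bad Request"
    return 200, f"profile {result.values['user_id']}"


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(handle_profile_request({"user_id": "42", "sort": "asc"}, client="198.51.100.7"))
    print(handle_profile_request({"user_id": "42", "debug": "1"}, client="198.51.100.7"))
    print(handle_profile_request({"user_id": "42\n"}, client="198.51.100.7"))
```

Two details carry the policy's weight. The rules use fullmatch rather than a `$`-anchored pattern, because `$` in Python regexes also matches just before a trailing newline, so "42\n" would otherwise pass a numeric check. And the warning records only the parameter names (escaped with repr) and the client, never the rejected values, so the log itself cannot be polluted or used to carry attacker-controlled content into a log viewer.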
But if you instituted this policy, how would you effectively enforce it? What measures would you have in place to make sure that they comply?
“An unenforceable policy, or one without a process to determine the outlined specifications, is just as good as no policy at all.”
Q: But I use XYZ Scanner, won't it discover these types of vulnerabilities?
A: No, and this is why.
Where Today’s Security Measures Fail
Q: How can SPI Dynamics do all of this and the others can't?
A: Because other Scanners are a security Broadsword, where ours is a Security Scalpel.
WebInspect™ is NOT meant to replace any tools that are currently being used; instead it complements them.
How SPI Solves The Problem
WebInspect™ scans the whole site:
Web server
Web pages
Scripts
Proprietary applications
Cookies
[Network diagram; labels: Internet, IDS, Firewall, Web Server, Database Server, CC#'s Database, Users Database]
WebInspect™:
Scans authentication codes
Assesses security procedures
Carves into confidential data
… Just like a hacker would
[Same network diagram as the previous slide: Internet, IDS, Firewall, Web Server, Database Server, CC#'s Database, Users Database]
WebInspect™
WebInspect™ automates our security expertise so that customers can simulate an advanced web-application attack on their own. WebInspect™ detects holes in both standard and proprietary applications, and crawls over the entire website in search of potential security problems.
WebInspect™
WebInspect™ is easy to use. Simply enter the URL of the Web site or Web application you wish to scan and click go.
WebInspect™
WebInspect™ is easy to understand. The Vulnerability Report is listed in order of severity and contains HTML links for navigation.
Features & Benefits of WebInspect™
Unique Focus: Your proprietary Web site or Web application
Superior Scanning: Products codify our security expertise
Extremely Fast: WebInspect™ runs in minutes/hours vs. the days/weeks it takes to complete traditional vulnerability assessments
Automated: Continuously maintain your security integrity
Updated: Continuously keep up to date on the latest vulnerabilities with the online update feature
Simple & Cost Effective: Licensed per IP address or per consultant
Risk-Free: Offered on a trial basis at no cost
How does WebInspect™ do this?
Hidden Manipulation
Parameter Tampering
Cookie Poisoning
Stealth Commanding
Forceful Browsing
Backdoor/Debug Options
Configuration Subversion
Vendor–Assisted Hacking
The SPI Works Product Suite
Know your vulnerabilities: WebInspect™ (Application Assessment), available now
Use WebInspect™ to assess current Web sites or Web applications.
Use WebInspect™ to QA new applications during development prior to release into production.
Know if you have been attacked: LogAlert™ (Application Log Audit), available now
Use LogAlert™ to audit Web logs to know if an attacker has successfully compromised your Web site or Web application.
Use LogAlert™ after you have been attacked for Web log forensic analysis.
Proactively stop attacks: WebDefend™ (Application Intrusion Protection), available Q2 2002
Use WebDefend™ to proactively stop Web site or Web application intrusions.
Our Company
Founded in April 2000 by recognized Information Security industry experts
Released WebInspect™ in April 2001
HQ in Atlanta, Georgia
Resellers in New York, Chicago, Washington D.C., Knoxville, Miami, London
SPI serves clients in each of the following vertical industries:
HealthCare
Insurance
Financial Services
Government
Global Enterprise
Consulting
SPI Dynamics is the leading provider of
automated Web Application security products.
SPI develops “hands-off” security products that
contain the knowledge and expertise of an
information security professional embedded in the
code.
The embedded “hacker logic” enables our software to
think for the end-user, making their job easier.
SPI Dynamics web application security 101