WebAppSec
Assessment and Defense
Ajit Dhumale
adhumale@qualys.com
OWASP Pune Chapter Meetup
21st April 2016
WebApp eco-system (diagram)
User → Browser → Internet → FW / NAT / LB → Data Center
App stack inside the data center: OS/VM/Docker → Web Server → App Container → WebApp
Also in scope: Network Stack, DB, NoSQL, …
Assessment and Defense
• Assessment
– Test if web app has vulnerabilities
• Defense
– Protect against known and unknown vulnerabilities
Assessment: BlackBox vs WhiteBox
Images credit: freedigitalphotos.net (Photo by khunaspix, patrisyu)
DAST (BlackBox)
DAST: Dynamic Application Security Testing
• Easy logistics
• (Fairly) low FP rate*
(diagram: scanner → HTTP(s):// → WebApp)
DAST: How does it work?
Crawl: get links, forms and AJAX requests to test
Test (mostly fuzzing): send malformed/evil variants of the crawled requests and see how the web app responds
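The two steps above (crawl, then fuzz) as an added example in Python; this is not code from the slides or from any scanner product. The target is a constructed in-memory app: `vulnerable_app`, `INDEX_HTML` and the probe string are assumptions made for the example. The app reflects its `q` parameter unescaped, which is the defect the loop should report; the login form escapes its input and should stay quiet.

```python
"""Minimal DAST loop: crawl a page for links and forms, then fuzz each parameter."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed index page served by the toy app: one link and one form.
INDEX_HTML = """
<html><body>
<a href="/search?q=cars">search</a>
<form action="/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
</body></html>
"""

def vulnerable_app(method, path, params):
    """Hypothetical target: /search reflects q unescaped, /login escapes its input.
    `params` maps names to lists of values, as a WSGI-style parser would."""
    if path == "/":
        return INDEX_HTML
    if path == "/search":
        return "<p>Results for " + params.get("q", [""])[0] + "</p>"
    if path == "/login":
        return "<p>Bad login for " + html.escape(params.get("user", [""])[0]) + "</p>"
    return "<p>404</p>"

class LinkFormParser(HTMLParser):
    """Step 1 (crawl): collect hrefs, and form actions with their field names."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self._form = [], [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action", "/"),
                          "method": (a.get("method") or "get").lower(), "fields": []}
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["fields"].append(a["name"])
    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None

def crawl(app):
    """Return (method, path, {param: value}) for every link and form on the index page."""
    p = LinkFormParser()
    p.feed(app("get", "/", {}))
    requests = []
    for href in p.links:
        u = urlsplit(href)
        requests.append(("get", u.path, {k: v[0] for k, v in parse_qs(u.query).items()}))
    for f in p.forms:
        requests.append((f["method"], f["action"], {name: "test" for name in f["fields"]}))
    return requests

# Step 2 (test): a probe with a marker unlikely to occur naturally in a page.
# If the raw tag comes back in the body, the app did not encode the input.
XSS_PROBE = "<dq9x>"

def fuzz(app, requests):
    """Send the probe in each parameter; report (path, param) pairs that reflect it unencoded."""
    findings = []
    for method, path, params in requests:
        for name in params:
            mutated = dict(params, **{name: XSS_PROBE})
            body = app(method, path, {k: [v] for k, v in mutated.items()})
            if XSS_PROBE in body:
                findings.append((path, name))
    return findings

def scan(app=vulnerable_app):
    return fuzz(app, crawl(app))

if __name__ == "__main__":
    print(scan())
```

A real scanner also replays the crawl with a session cookie, fills forms with type-appropriate values and sends many probe classes per parameter; the structure (enumerate requests, mutate one parameter at a time, inspect the response for the probe) is the same.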
DAST: Concerns
– Coverage
• Is the entire web app crawled?
• Auto form filling
• Authentication
– Redundant links (one page template, thousands of IDs)
• http://www.cartrade.com/buy-used-cars/pune/tata/nano/2162257.html
• http://www.cartrade.com/buy-used-cars/pune/hyundai/i20/2162275.html
• http://www.cartrade.com/buy-used-cars/pune/chevrolet/beat/2162336.html
• http://www.cartrade.com/buy-used-cars/pune/maruti-suzuki/sx4/2162360.html
• Thousands of similar links
– Less direct help to developers
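One way a scanner handles the redundant-links concern above, as an added example that is not from the slides or any product: collapse crawled URLs into templates so each template is fuzzed once instead of thousands of times. The four cartrade.com URLs are the ones on the slide; the last two inputs are constructed. The two-pass policy (numeric segments become `{n}`, then segments that vary across otherwise identical URLs become `{s}`) is an illustration, not a specific scanner's algorithm.

```python
"""Deduplicate crawl output by URL template."""
from collections import defaultdict
from urllib.parse import urlsplit

URLS = [
    "http://www.cartrade.com/buy-used-cars/pune/tata/nano/2162257.html",
    "http://www.cartrade.com/buy-used-cars/pune/hyundai/i20/2162275.html",
    "http://www.cartrade.com/buy-used-cars/pune/chevrolet/beat/2162336.html",
    "http://www.cartrade.com/buy-used-cars/pune/maruti-suzuki/sx4/2162360.html",
    "http://www.cartrade.com/buy-used-cars/pune/",      # constructed
    "http://www.cartrade.com/sell?city=pune&id=17",      # constructed
]

def numeric_template(url):
    """Pass 1: all-digit path segments become {n} (keeping any extension);
    query values become {v} with keys sorted, so parameter order does not split groups."""
    u = urlsplit(url)
    segs = []
    for seg in u.path.split("/"):
        base, dot, ext = seg.rpartition(".")
        if dot:
            segs.append(("{n}." + ext) if base.isdigit() else seg)
        else:
            segs.append("{n}" if seg.isdigit() else seg)
    path = "/".join(segs)
    if u.query:
        keys = sorted(p.split("=")[0] for p in u.query.split("&"))
        path += "?" + "&".join(f"{k}={{v}}" for k in keys)
    return f"{u.scheme}://{u.netloc}{path}"

def group_by_template(urls):
    """Pass 2: among URLs sharing scheme, host, path depth and query keys, mark the
    path positions whose values differ as {s}. Returns {template: [original urls]}."""
    parsed = []
    for url in urls:
        t = urlsplit(numeric_template(url))
        parsed.append((url, t.scheme, t.netloc, t.path.split("/"), t.query))
    groups = defaultdict(list)
    for item in parsed:
        _, scheme, host, segs, query = item
        groups[(scheme, host, len(segs), query)].append(item)
    out = {}
    for (scheme, host, n, query), items in groups.items():
        varying = {i for i in range(n) if len({it[3][i] for it in items}) > 1}
        segs = ["{s}" if i in varying else items[0][3][i] for i in range(n)]
        template = f"{scheme}://{host}" + "/".join(segs) + (f"?{query}" if query else "")
        out[template] = [it[0] for it in items]
    return out

if __name__ == "__main__":
    for template, members in group_by_template(URLS).items():
        print(len(members), template)
```

The trade-off is coverage: if one of the collapsed pages really is handled by different code (a special-cased make or model), the scanner tests it only through whichever member it picks, so a scanner normally still samples a few members of each template.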
SAST (WhiteBox)
SAST: Static Application Security Testing
(diagram: analyzer reads the source code)
Images: in.mathworks.com
SAST
• High FP
• Difficult Logistics
– Access to source code
– Confidentiality/trust issues
• Provides direct help to developers
• Programming language dependent
– New languages, templating, runtime binding → problems
• (opaque) 3rd party libraries, external systems
IAST: Interactive/Integrated Application Security Testing
• Correlate DAST and SAST results
OR
• Insert a monitoring agent in the application runtime
• Observe app behavior while driving the app using DAST
• Tune the DAST tests (automatically) based on monitoring
Provides
• Better coverage, accuracy and efficiency
• Better direct help to developers
(diagram: IAST spans DAST and SAST)
Assessment: Manual vs Automated

Automated vs Manual
  Automated                              | Manual
  Lower accuracy, higher FP              | High accuracy*, low FP*
  Fast: hours to days per web app        | Slower: weeks to months per web app
  Bad at business logic flaw detection   | Good at business logic flaw detection*
  Lower cost                             | Very (very) high cost
  * Subject to expertise of the manual pen tester(s)
Automated and Manual
• Automated with manual assistance
• Manual verification
→ Best of both worlds
We found vulnerabilities, now what?
Fix the vulnerabilities
…but what until the fix is available?
Patch is on the way …
Web Application Firewall (WAF)
• Protects production web apps from attacks
WAF: How it works
• Block malicious (looking) requests
– Rules
– Heuristics
– Blacklist/whitelist
• Add protection in responses
– Security headers
– Frame busting (anti-clickjacking)
– Sign/encrypt cookies/hidden fields
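The "sign hidden fields" response protection above, as an added example in Python that is not from the slides or any WAF product. A constructed order form carries a server-trusted hidden `price`; the WAF appends an HMAC tag to every hidden value on the way out and, on the next request, rejects any hidden value whose tag does not verify. `SECRET`, the form markup and the attribute order the regex expects (`type`, then `name`, then `value`) are assumptions of the example.

```python
"""HMAC-sign hidden form fields outbound, verify them inbound."""
import hashlib
import hmac
import re

SECRET = b"example-only-key-rotate-in-production"   # assumption: per-deployment secret

# Constructed origin response: an order form with a hidden price the server trusts.
ORIGIN_RESPONSE = ('<form method="post" action="/checkout">'
                   '<input type="hidden" name="price" value="4999">'
                   '<input type="text" name="qty" value="1">'
                   '<button>Buy</button></form>')

# Matches hidden inputs written as type, name, value (the order used above).
HIDDEN_RE = re.compile(r'(<input[^>]*type="hidden"[^>]*name="([^"]+)"[^>]*value=")([^"]*)(")')

def tag(name, value):
    """MAC over field name and value, so a tag for one field cannot be reused on another."""
    msg = name.encode() + b"\x00" + value.encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]

def sign_response(body):
    """Outbound: rewrite each hidden value to value.tag."""
    return HIDDEN_RE.sub(
        lambda m: f"{m.group(1)}{m.group(3)}.{tag(m.group(2), m.group(3))}{m.group(4)}", body)

def verify_request(form, hidden_names):
    """Inbound: split off and check the tag on each signed field.
    Returns (ok, form with the tags stripped); any failure rejects the whole request."""
    cleaned = dict(form)
    for name in hidden_names:
        value, sep, got = form.get(name, "").rpartition(".")
        if not sep or not hmac.compare_digest(got, tag(name, value)):
            return False, {}
        cleaned[name] = value
    return True, cleaned

def demo():
    signed = sign_response(ORIGIN_RESPONSE)
    submitted = HIDDEN_RE.search(signed).group(3)        # what the browser would post back
    ok_honest, form = verify_request({"price": submitted, "qty": "2"}, ["price"])
    forged = "1." + submitted.split(".")[1]              # price changed, tag kept
    ok_forged, _ = verify_request({"price": forged, "qty": "2"}, ["price"])
    return ok_honest, form.get("price"), ok_forged

if __name__ == "__main__":
    print(demo())
```

Signing keeps the value readable by the client; if the value itself must stay hidden (not just unmodified), the WAF encrypts it with an authenticated mode and the same verify-or-reject rule applies on the way in.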
Deploying WAF (phases)
• Training
– Observe traffic
– Learn normal traffic/patterns
– Formulate rules /create baseline
• Notification
– Apply rules, notify violation
– (manually) tune the rules
• Block
– Apply rules, block violations
– Filter suspicious input
– Fine tune rules
WAF Concerns
• Installation needs network changes
– SSL termination
• Longer deployment cycles
– App specific training/configuration
– App changes might warrant re-training/configuration
• Potential performance impact
• Point of failure
• Incorrect rule → blocks legit traffic → business impact
WAF bypass
• Naïve pattern based filtering can be bypassed
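What "naïve pattern based filtering" looks like and why it fails, as an added example that is not from the slides or any WAF's signature set. `naive_block` is a constructed keyword substring rule; `normalized_block` runs the same rule after URL-decoding twice, treating SQL inline comments as whitespace, collapsing whitespace and lowercasing. The six payloads are constructed evasions of the three keywords.

```python
"""Naive keyword filter versus the same filter behind a normalization step."""
import re
from urllib.parse import unquote

KEYWORDS = ["union select", "<script", "or 1=1"]

def naive_block(payload):
    """Plain substring match on the raw request value."""
    return any(k in payload for k in KEYWORDS)

def normalize(payload):
    p = unquote(unquote(payload))           # decode twice: attackers encode twice
    p = re.sub(r"/\*.*?\*/", " ", p)        # SQL inline comments separate tokens: union/**/select
    p = re.sub(r"\s+", " ", p)              # tabs, newlines and runs of spaces become one space
    return p.lower()                        # case-insensitive keywords

def normalized_block(payload):
    return any(k in normalize(payload) for k in KEYWORDS)

# Constructed evasions; each slips past the raw substring rule.
BYPASSES = [
    "1 UNION SELECT password FROM users",        # case
    "1 union/**/select password from users",      # inline comment as separator
    "1 %75nion %73elect password from users",     # URL-encoded letters
    "1%2520union%2520select password",            # double URL-encoding
    "<ScRiPt>alert(1)</script>",                  # mixed case
    "1' or\t1=1--",                               # tab instead of space
]

def compare(payloads=BYPASSES):
    """Return (count caught by naive rule, count caught after normalization)."""
    naive = sum(naive_block(p) for p in payloads)
    norm = sum(normalized_block(p) for p in payloads)
    return naive, norm

if __name__ == "__main__":
    for p in BYPASSES:
        print(f"{p!r:45} naive={naive_block(p)!s:5} normalized={normalized_block(p)}")
    print(compare())
```

Normalization closes exactly the evasions it models; alternative syntax (`union all select`, `||` string concatenation, charset tricks) still gets through a keyword list, which is why the slide treats the WAF as a stopgap while the fix ships rather than as the fix.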
RASP
Runtime Application Self-Protection
• Installs a runtime agent within the application binary (runtime dependency)
• Analyzes input, event flow and application behavior at runtime
• Alerts or stops malicious execution
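The agent-in-the-runtime idea from the IAST slide (observe app behavior while DAST drives the app) and from the RASP slide (alert or stop malicious execution), as one added example in Python that is not from the slides or any IAST/RASP vendor. The app is a constructed sqlite3 lookup with two code paths, one that concatenates input into SQL and one that binds it. The agent is a cursor subclass that sees every statement just before execution: in monitor mode it records statements in which an input the driver marked as tainted appears verbatim in the SQL text and lets them run; in protect mode it refuses to run them. Taint is tracked by value here, which is a simplification of real agents' data-flow tracking.

```python
"""In-process agent at the SQL sink: IAST-style observe, RASP-style block."""
import sqlite3

class SqlSinkAgent(sqlite3.Cursor):
    mode = "monitor"      # "monitor" (IAST: record, let it run) or "protect" (RASP: block)
    taint = set()         # values the driver sent in the current request
    findings = []         # (sql, tainted_value) pairs observed at the sink

    def execute(self, sql, params=()):
        for value in SqlSinkAgent.taint:
            # Input copied into the SQL text instead of bound as a parameter:
            # that is the injection pattern, whatever the value happens to contain.
            if len(value) >= 3 and value in sql:
                SqlSinkAgent.findings.append((sql, value))
                if SqlSinkAgent.mode == "protect":
                    raise PermissionError("blocked: user input inside SQL text")
        return super().execute(sql, params)

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_concat(conn, name):
    """Hypothetical vulnerable code path: string concatenation."""
    cur = conn.cursor(factory=SqlSinkAgent)
    return cur.execute("SELECT role FROM users WHERE name = '" + name + "'").fetchall()

def lookup_bound(conn, name):
    """Hypothetical safe code path: parameter binding."""
    cur = conn.cursor(factory=SqlSinkAgent)
    return cur.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchall()

def drive(conn, handler, value, mode):
    """Simulate the DAST driver: mark `value` tainted, call the handler, report what the agent saw."""
    SqlSinkAgent.mode = mode
    SqlSinkAgent.taint = {value}
    SqlSinkAgent.findings = []
    try:
        rows, blocked = handler(conn, value), False
    except PermissionError:
        rows, blocked = [], True
    return {"rows": rows, "tainted_sql": len(SqlSinkAgent.findings), "blocked": blocked}

def demo():
    conn = make_db()
    probe = "x' OR '1'='1"    # constructed DAST-style probe
    return (
        drive(conn, lookup_concat, probe, "monitor"),   # observed; query runs and returns every row
        drive(conn, lookup_bound, probe, "monitor"),    # nothing to report; no such user
        drive(conn, lookup_concat, probe, "protect"),   # blocked before execution
    )

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The monitor result is what makes IAST more precise than black-box DAST: the probe's effect is seen at the sink (a tainted value inside the SQL text) instead of being inferred from the HTTP response. The same hook in protect mode is the RASP behavior, with the slide's caveat that the agent is tied to this runtime and must be installed in each app.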
WAF vs RASP
  WAF                        | RASP
  External                   | Internal
  One for many apps          | One (agent) per app
  Technology* independent    | Technology* dependent
  * Programming language and runtime
Images credit: freedigitalphotos.net (Photo by taoty, Sura Nualpradid)
Trends/Future
• Browser side security
– CSP
– HSTS
– Public Key-pinning (HPKP)
– X-Frame-Options
– X-XSS-Protection
– X-Content-Type-Options
– …
• DAST
– JavaScript Analysis (DOM XSS and more)
– Blind vulnerability detection
– REST APIs, mobile apps
– HTML5, HTTP/2
• Secure coding/development
– Static code analysis within the IDE
– Secure libraries and frameworks
– Lifecycle: Design + Dev + Test + Ops
• SAST + DAST + WAF + RASP
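The browser-side security headers listed under Trends, as an added example of the check a scanner or a WAF's response-protection step would run; this is not code from the slides. The two header sets are constructed. HPKP and X-XSS-Protection, both on the slide, have since been deprecated by browsers, so the checker reports them as legacy rather than requiring them. The CSP test is deliberately minimal (a `default-src` must exist and `'unsafe-inline'` must not appear); a real evaluator parses every directive.

```python
"""Grade one HTTP response's security headers: missing, weak, legacy."""

def _max_age(value):
    """Parse max-age=N out of a Strict-Transport-Security value; 0 if absent."""
    for part in value.split(";"):
        k, _, v = part.strip().partition("=")
        if k.lower() == "max-age" and v.isdigit():
            return int(v)
    return 0

# Header name -> predicate that decides whether the value is acceptable.
REQUIRED = {
    "content-security-policy": lambda v: "default-src" in v and "'unsafe-inline'" not in v,
    "strict-transport-security": lambda v: _max_age(v) >= 15552000,   # 180 days
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.lower() == "nosniff",
}
# Still seen in the wild but no longer honoured by current browsers.
LEGACY = {"public-key-pins", "x-xss-protection"}

def check_headers(headers):
    """Return (missing, weak, legacy): lists of lowercase header names."""
    h = {k.lower(): v for k, v in headers.items()}
    missing = [n for n in REQUIRED if n not in h]
    weak = [n for n, ok in REQUIRED.items() if n in h and not ok(h[n])]
    legacy = sorted(n for n in LEGACY if n in h)
    return missing, weak, legacy

# Constructed responses for the demo.
WEAK = {
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "X-XSS-Protection": "1; mode=block",
}
GOOD = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("good", GOOD)):
        missing, weak, legacy = check_headers(hdrs)
        print(f"{label}: missing={missing} weak={weak} legacy={legacy}")
```

Run against a real response, the dictionary would be the parsed response headers; header names are compared case-insensitively because proxies and frameworks emit them in different cases.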
Questions?
Credits
• Images:
– Icons: https://icons8.com
– Images: http://www.freedigitalphotos.net/
