Infosec for web apps 2014_18november2014
•Transferir como PPTX, PDF•
1 gostou•579 visualizações
presentasi diskusi public session 2
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Destaque
Destaque (20)
Semelhante a Infosec for web apps 2014_18november2014
Semelhante a Infosec for web apps 2014_18november2014 (20)
Mais de Directorate of Information Security | Ditjen Aptika
Mais de Directorate of Information Security | Ditjen Aptika (20)
Último
Último (20)
Infosec for web apps 2014_18november2014
- 1. Keamanan informasi untuk aplikasi berbasis web Bogor, 18 November 2014
- 2. Tentang Pembicara Ivano Aviandi MSc 10+ tahun pengalaman IT security: IBM Global security services Unisys PriceWaterhouse Coopers Founder dan CEO dari Digital Security Global, PT Enterprise IT Security Solutions Cybertech Solusindo, CyberDefense Academy, Proctiv Dosen MTI di Universitas Indonesia Keamanan Informasi dan Manajemen Risiko
- 3. Konsep Keamanan Informasi Informasi Kerahasiaan Integritas Ketersediaan
- 4. Insiden Keamanan Informasi Lebih dari 40% dari insiden keamanan siber berawal dari kelemahan dari sisi aplikasi berbasis web
- 7. Apakah selalu industri finansial?
- 8. Penting adanya acuan / referensi dalam pengamanan aplikasi berbasis web yang selalu ter-update
- 10. OWASP bukan standard..namun adalah sebuah Referensi
- 11. Keluaran OWASP adalah Top 10 kelemahan aplikasi berbasis web
- 12. Top 10 OWASP…
- 13. Pembahasan didalam dokumen OWASP…
- 14. Firewall App Server Web Server Hardened OS Firewall Databases Legacy Systems Web Services Directories Human Resrcs Billing Custom Code APPLICATION ATTACK Network Layer Application Layer Accounts Finance Administration Transactions Communication Knowledge Mgmt E-Commerce Bus. Functions HTTP request SQL query DB Table HTTP response "SELECT * FROM Account Summary accounts WHERE acct=‘’ OR 1=1-- Account: Account: SKU: SKU: Acct:5424-6066-2134-4334 Acct:4128-7574-’" 3921-0192 Acct:5424-9383-2039-4029 Acct:4128-0004-1234-0293 1. Application presents a form to the attacker 2. Attacker sends an attack in the form data 3. Application forwards attack to the database in a SQL query 4. Database runs query containing attack and sends encrypted results back to application 5. Application decrypts data as normal and sends results to the user 14
- 15. Recommendations • Avoid the interpreter entirely, or • Use an interface that supports bind variables (e.g., prepared statements, or stored procedures), • Bind variables allow the interpreter to distinguish between code and data • Encode all user input before passing it to the interpreter • Always perform ‘white list’ input validation on all user supplied input • Always minimize database privileges to reduce the impact of a flaw References •For more details, read the https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet 15
- 16. Bagaimana menggunakan OWASP? Dokumen OWASP dapat di download di OWASP.ORG Didalam dokumen OWASP terdapat: Ancaman-ancaman terkini Penilaian resiko Penanganan terhadap ancaman Kontributor
- 17. OWASP berguna sebagai referensi dalam membuat aplikasi berbasi web yang aman
- 18. 1st – Risks Assessment 2nd – Security Requirements 3rd - Security Testing 4th Continuous Monitoring & Review SDLC STAGES Design Construction S I T U A T Socialization Instal TSD PIR SECURITY CONSIDERATION Security requirements in Apps development stages OWASP requirements
- 19. Pengguna OWASP Web Apps Developers Software Quality Assurance Database administrator Web administrator IT security Security Admin Konsultan IT
- 20. OWASP tidak mengenal pangsa pasar spesifik
- 21. OWASP diadopsi pada.. Standard PCI – DSS OSSTMM ISSAF OpenSAMM Vulnerability scanners seperti: Nessus Qualys Rapid7 dll