Web security is important because there are over 2.7 billion internet users whose privacy must be protected in order to maintain trust. Web attacks occur prominently every week. Security is difficult because software is complex, the web was not designed to be secure, and casual users are often oblivious to security risks. Developers must consider security throughout the entire lifecycle of software and avoid writing their own security controls which can lead to vulnerabilities. Various tools like WebGoat, THC-Hydra, webscarab, Nessus, w3af, and xsssniper can be used to automate attacks and help developers understand common vulnerabilities.

1. Web Security

2. Why?
2.7B worldwide Internet users
Protect user’s privacy is critical
Lost of trust: If we leak, users will leave

3. Prominent web attacks every week

5. Why Security is difficult
“A system is secure if it behaves precisely in
the manner intended and does nothing more”

6. Why Security is difficult
1. Software is complex
● Difficult to analyze in complex real world scenarios

7. Why Security is difficult
2. The web was not designed to be secure
● Targeted originally to provide unlimited access
● Its speed of ascent brought design flaws that remained
until present days

8. Know who (really) are your users
“The most striking property of web browsers is
that most people who use them are
overwhelmingly unskilled”

9. Know who (really) are your users
Research #1
● Casual users are oblivious to signals that make perfect
sense to a developer.
● Good phishing websites fooled 90% of participants

10. Know who (really) are your users
Research #2
● The ‘green URL bar’ security indicator

11. Who’s responsible for security
Avoid the “Security Department” excuse
We are the first line of defense
Keep maintainable Security strategies

12. Maintainable Security strategies
Consider Security during the whole lifecycle
● For each new release, the potential for new security
issues increases.

13. User Stories?
“As an employee, I can search for
other employees by their last
name”

14. Add EVIL User Stories

15. Add EVIL User Stories
“As a hacker I can send bad data in
HTTP headers, so I can access
data and functions for which I’m not
authorized.”

16. OWASP List

17. OWASP 2013 List
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting
A4 - Insecure Object Reference
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery
A9 - Using Components with Known Vulnerabilities
A10 - Unvalidated Redirects and Forwards

18. Automated attacks
Unlike the tedious hours spent hacking a network’s
perimeter, attacks against Web applications can be easily
automated

19. Prevention
Don’t write your own security controls!
Reinventing the wheel leads to wasted time and massive
security holes.
Understand and use the tools that the attackers use

20. Demo time
https://github.com/tomasperezv/web-security-tools

21. Demo time: WebGoat

22. Demo time: THC-Hydra

23. Demo time: webscarab

24. Demo time: Nessus

25. Demo time: w3af

26. Demo time: xsssniper

27. Conclusion
● We are responsible of the security of our web
applications
● Include the EVIL user stories
● Is easy to perform attacks using automated tools
● Don’t write your own security controls!

28. Questions
https://github.com/tomasperezv/web-security-tools