A Network Administrator’s Guide to Web App Security
Incapsula Webinar
Presented by: Orion Cassetto, Sr. Product Marketing Manager, Incapsula
Moderator: Rich Nass, OpenSystems Media

Agenda
• Housekeeping
• Presentation
• Questions and Answers
• Thanks for joining!
• The webinar is about 30 minutes long
• Questions will be answered during and after the session
• Please submit your questions using the chat window
Speaker Bio – Orion Cassetto
• Sr. Product Marketing Manager for Incapsula
• Previously held product marketing positions at Imperva and Armorize Technologies
• Experienced in Web app security and SaaS security solutions
• Holds degrees in Asian Studies and Chinese Language from Washington State University
Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.
Overview
• Recent web security events
• Web application threats and common attack types
• How to defend your website against today’s common threats
• Automated tools to help you simplify website security
Major Hacks of 2014
Heartbleed – the Epic SSL Crisis of 2014
• Heartbleed is a security bug that was disclosed in April of 2014
• It was present in the widely used OpenSSL cryptography library
• When disclosed, around 17% of the Internet's secure web servers were vulnerable
• Why do I care?
> The vulnerability allowed for the theft of the servers' private keys and users' session cookies and passwords
“Some might argue that [Heartbleed] is the worst vulnerability found since commercial traffic began to flow on the Internet.”
Shellshock Vulnerability
What is it?
1. Shellshock is a vulnerability that affects Bash (a.k.a. the Bourne-again shell), the most common command-line shell on Linux / Unix / Mac OS systems
2. It allows unauthenticated attackers to remotely execute code on affected machines
What damage could this cause your website?
• Hackers remotely executing code on your systems can result in
> Data theft
> Malware injection
> Server hijacking
Distributed Denial Of Service (DDoS) Attacks
• DDoS attacks are attacks in which many infected computers band together to attack a single target
• These attacks exhaust network connections and server resources, causing website outages
Web App Threats and Common Attack Types
Use of Stolen Credentials Reigns Supreme
• Use of stolen authentication credentials by hackers is the number one threat of 2013
• Once stolen, hackers can use credentials at other websites to increase the impact of a breach
• Automated tools combined with stolen password lists become a dangerous combination
Websites Have Many Vulnerabilities
96% of web applications have vulnerabilities
13% of websites can be compromised automatically
Sources: Cenzic, Inc. – Feb. 2014; Incapsula, Inc. – 2013
SQL Injection – What it is and why it matters
• What is SQL Injection?
> SQL Injection attacks attempt to use application code to access or corrupt database content
> It is accomplished by embedding SQL statements in user supplied data
> Example: 'OR "=" (the application was expecting my name, but I entered an SQL statement)
• What happens if a hacker exploits this vulnerability?
> They can access your database and its data.
• Basic Rule
> If it is going into your database, clean it up first!
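The slide's example written out as code (an added example, not from the webinar): the same name lookup done two ways, the string-concatenated query the slide warns about beside a parameterized query, which is what the "clean it up first" rule comes down to in practice. The user table, the names and the input `' OR ''='` are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the webinar): a tiny user table.
USERS = [("alice",), ("bob",), ("carol",)]


def make_db():
    """Build an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    """The bug the slide describes: user-supplied data is pasted straight
    into the SQL text, so a quote in the input can rewrite the query logic."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn, name):
    """The fix: a parameterized query. The value travels separately from
    the statement, so whatever it contains is compared only as data."""
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


if __name__ == "__main__":
    conn = make_db()
    # The slide's idea: a quote that closes the string, then an always-true clause.
    payload = "' OR ''='"
    print("vulnerable:", lookup_vulnerable(conn, payload))  # ['alice', 'bob', 'carol']
    print("parameterized:", lookup_safe(conn, payload))    # []
```

With the concatenated query the statement becomes `WHERE name = '' OR ''=''`, which is true for every row; the parameterized version only ever looks for a user literally named `' OR ''='`.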
Cross Site Scripting (XSS) – What it is and why it matters
• What is XSS?
> A type of attack in which hackers inject scripts (like JavaScript) into otherwise trusted websites
• What happens if a hacker exploits an XSS vuln on my website?
> Stolen cookies or sessions
> Redirection to a malicious page
• Basic Rule
> If user supplied data is going into your application, clean it up first!
How an XSS attack unfolds:
1. Attacker inserts malicious unfiltered code into an application
2. User visits the web page and malicious code is returned with the web page
3. Attacker gains control over user data or system via injected exploit
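The stored-XSS flow above in code (an added example, not the webinar's own): a comment list rendered once the way steps 1 and 2 describe, and once with output encoding, which is what "clean it up first" means for user data written into an HTML page. The comments are constructed samples.

```python
import html

# Constructed sample comments (not from the webinar). The second one is the
# kind of unfiltered input that step 1 of the slide describes.
SAMPLE_COMMENTS = [
    "Nice article!",
    "<script>alert('xss')</script>",
]


def render_vulnerable(comments):
    """Step 2 of the slide: stored text is copied into the page verbatim,
    so any markup inside a comment is interpreted by every visitor's browser."""
    items = "".join("<li>" + c + "</li>" for c in comments)
    return "<ul>" + items + "</ul>"


def render_safe(comments):
    """The slide's Basic Rule made concrete: encode user data for the HTML
    body before writing it out. html.escape rewrites <, >, &, ' and " as
    entities, so the browser displays the text instead of executing it."""
    items = "".join("<li>" + html.escape(c, quote=True) + "</li>" for c in comments)
    return "<ul>" + items + "</ul>"


def has_live_script(page):
    """Check helper: does the rendered page still contain a real <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(has_live_script(render_vulnerable(SAMPLE_COMMENTS)))  # True
    print(has_live_script(render_safe(SAMPLE_COMMENTS)))        # False
```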
How DDoS Attacks Bring Down Websites
• DDoS attacks make your website completely inaccessible
• If website availability is important to you, then DDoS protection should be too
• Any application without a DDoS mitigation strategy is at risk
[Diagram: Legitimate Traffic and DDoS Traffic both flowing through Your Internet Connection to Your Site]
Automated Clients are the Majority of Web Traffic
Over 61% of all website traffic is non-human.
61.5% Non-Human Traffic
38.5% Human Traffic
The Impact of Bots on Website Security
• DDoS
• Site Scraping
• Comment Spam
• SEO Spam
• Fraud
• Vulnerability scanning
• Search Engine Crawling
• Website Health Monitoring
• Vulnerability Scanning
Defending your Websites and Applications
Use Multi-factor Authentication for Admin Areas
Problem
• Lost or stolen passwords allow hackers to bypass your security measures
Solution
• Secure admin areas with multi-factor authentication
> SMS
> Google Authenticator
Identify Vulnerabilities
White-box and Black-box tools
The White-box Approach
The white-box approach to finding vulnerabilities is to review application code for vulnerabilities.
Can be performed: manually (Manual Code Review) or automated (Source Code Analysis)
The Black-box Approach
The black-box approach to finding vulnerabilities is to emulate hacker activity by probing a website for weaknesses.
Can be performed: manually (Penetration Testing) or automated (Web Vulnerability Scanning)
Remediating Vulnerabilities at a Code Level
• Known vulnerabilities should be remediated
• What are the requirements for fixing vulnerabilities at the code level?
> Access to application code
> Coding expertise and knowledge in security
            White-box              Black-box
Manual      Manual Code Review     Penetration Testing
Automated   Source Code Analysis   Web Vulnerability Scanner
Use a Web Application Firewall (WAF)
• WAFs provide similar protection to a traditional network layer firewall, but for a web application
• Using a WAF can protect your website from application layer hacking attempts
• WAFs should be used in conjunction with traditional firewalls
Defend against DDoS attacks
• DDoS mitigation services are preferable to mitigation appliances
• Overprovisioning bandwidth is expensive
[Diagram: Legitimate Traffic and DDoS Traffic arriving via Your ISP at Your Internet Connection and Your Site]
DDoS Mitigation Requires Specialized Tools or Services
• DDoS attacks should be mitigated close to their source (away from your network)
[Diagram: Legitimate Traffic and DDoS Traffic pass through a DDoS Mitigation Service before Your ISP, Your Internet Connection and Your Site]
Identify and Block Bad Bots
• Implement a solution which can block bad bots to prevent
> Comment spam
> Site scraping
> Vulnerability scanning
> Automated SEO poisoning
• Bot mitigation can be
> A standalone service or appliance
> Part of other tools like a WAF
When To Implement Various Security Tools
[Timeline diagram; stage labels recovered: PLANNING, CODING]
• Security Requirements
• Design
• Architecture
• Password Security
• 2 Factor Authentication
• Web Vulnerability Scanner
• Source Code Analysis
• Manual Code Review
• Web App Firewall
• DDoS Mitigation
• Bot Mitigation
Finding the Right Tools
Category                   | Commercial                                  | Open Source / Free
WAF                        | Incapsula, Imperva, F5                      | Mod Security
Web Vulnerability Scanner  | Whitehat Security, Nessus, Acunetix, Qualys | Nikto, Wapiti
DDoS Mitigation            | Incapsula, Prolexic, Neustar                | Not available / Not advised
Source Code Analysis       | Fortify, IBM Appscan, Parasoft              |
Website Security and Performance in Minutes with a Simple DNS Change
By routing website traffic through the Incapsula network, malicious traffic is blocked, and legitimate traffic is accelerated.
[Diagram: Legitimate Traffic passing through the Incapsula Network to Your Website]
For a Free Trial of Incapsula visit us at
Please send follow up questions to [email protected]
Audience Q & A
Orion Cassetto, Product Marketing Manager, Incapsula
Thanks for joining us
Event archive available at: http://ecast.opensystemsmedia.com/
E-mail us at: [email protected]