8
eb Application Security Implementation - © 2007 GIA Web Application Security Implementation SANS MSISE GDWP Kevin Bong John Brozycki July 26, 2007

Web Application Security Implementation

  • Upload
    damali

  • View
    33

  • Download
    0

Embed Size (px)

DESCRIPTION

Web Application Security Implementation. SANS MSISE GDWP Kevin Bong John Brozycki July 26, 2007. Introduction. Website vulnerability used to copy customer data to foreign host. Senior management to acquire services of penetration team. Not available for immediate needs. - PowerPoint PPT Presentation

Citation preview

Page 1: Web Application Security Implementation

Web Application Security Implementation - © 2007 GIAC

Web Application Security Implementation

SANS MSISE GDWPKevin Bong

John BrozyckiJuly 26, 2007

Page 2: Web Application Security Implementation

Web Application Security Implementation - © 2007 GIAC

Introduction• Website vulnerability used to copy

customer data to foreign host.• Senior management to acquire

services of penetration team. Not available for immediate needs.

• Post incident,we are tasked with creation of a web application security assessment program, to implement within a few days.

Page 3: Web Application Security Implementation

Web Application Security Implementation - © 2007 GIAC

Web Assessment Process

Inventory

Automated Vulnerability Scan

Manual Web Server Audit

Manual Web Application Audit

Conduct Interviews

Report Findings

http://images.google.com/imgres?imgurl=http://www.rsscanadaimmigration.com/share/images/news/interview.jpg&imgrefurl=http://billinman.wordpress.com/2006/11/&h=289&w=425&sz=75&hl=en&start=3&tbnid=jrpPVMXGXcxa5M:&tbnh=86&tbnw=126&prev=/images%3Fq%3DInterview%26gbv%3D2%26svnum%3D10%26hl%3Den
http://images.google.com/imgres?imgurl=http://www.funadvice.com/photo/image/5661/Bender.png&imgrefurl=http://www.funadvice.com/photos/view/5661&h=637&w=485&sz=27&hl=en&start=3&um=1&tbnid=CyCy_pJ7AjUqkM:&tbnh=137&tbnw=104&prev=/images%3Fq%3Dbender%26svnum%3D10%26um%3D1%26hl%3Den
Page 4: Web Application Security Implementation

Web Application Security Implementation - © 2007 GIAC

Web Service Inventory

• Need to know what is legitimate and necessary. (Programs, services, ports)

• Need to know where the data lives and how it is accessed.

• Rate assets (web servers/services) to focus resources and set priorities.

Page 5: Web Application Security Implementation

Web Application Security Implementation - © 2007 GIAC

Performing Automated Scans

• Verify the inventory by confirming the existence of services.

• Identify additional, unneeded processes and check for common vulnerabilities and misconfigurations for both the necessary and unnecessary processes and services.

• Quickly identify the low hanging fruit.

Page 6: Web Application Security Implementation

Web Application Security Implementation - © 2007 GIAC

Manual Audit of Web Server Security

• Review if best practices are followed– Is defense in depth employed?– Configuration of web server and web

development frameworks– User and service accounts and rights– Error messages, other information leakage– Do log files store appropriate information?

• Review change processes for ports and services through interviews

Page 7: Web Application Security Implementation

Web Application Security Implementation - © 2007 GIAC

Manual Audit of Web Applications

• Based on inventory, focus on potentially vulnerable code

• Specific tests to be performed against each dynamic page

• Interview developers to determine if processes prevent new vulnerabilities

Page 8: Web Application Security Implementation

Web Application Security Implementation - © 2007 GIAC

Deliverables for the Senior Management Team

• Reports and recommendations delivered within days.

• Results of inventory, scans, and manual audits used to provide action items that can be given to implementation team.

• Additional recommendations from tiger team to management to minimize reoccurrences.


INFORMATION SECURITY PLANNING & IMPLEMENTATION

INFORMATION SECURITY PLANNING & IMPLEMENTATION

Documents
Implementation and Security Evaluation of User-Customized ...1334227/FULLTEXT01.pdf · possibilities, a security evaluation case study on the application is performed. The results

Implementation and Security Evaluation of User-Customized ...1334227/FULLTEXT01.pdf · possibilities, a security evaluation case study on the application is performed. The results

Documents
Application Security

Application Security

Technology
Implementation of Portion Approach in Distributed Firewall Application for Network Security

Implementation of Portion Approach in Distributed Firewall Application for Network Security

Documents
IPV6 - Security and Implementation

IPV6 - Security and Implementation

Documents
CTPView Security Implementation Guide

CTPView Security Implementation Guide

Documents
Cognos Security Implementation

Cognos Security Implementation

Documents
TPR1: Web Application Security From Incident to Implementation

TPR1: Web Application Security From Incident to Implementation

Documents
North American Railroad Industry Security Plan ... · Security Plan, Implementation, and Priorities . May 2016 . 1 5/10/2016 . ... – Exercises – Application of lessons learned

North American Railroad Industry Security Plan ... · Security Plan, Implementation, and Priorities . May 2016 . 1 5/10/2016 . ... – Exercises – Application of lessons learned

Documents
Application Security by Design - Security Innovation · PDF fileApplication Security by Design ... and implementation to testing and deployment, security must be integrated throughout

Application Security by Design - Security Innovation · PDF fileApplication Security by Design ... and implementation to testing and deployment, security must be integrated throughout

Documents
E5 Security Implementation Guide

E5 Security Implementation Guide

Documents
Oracle SPARC SuperCluster Security Technical ... · PDF fileOracle SuperCluster Security Technical Implementation ... successful STIG application and testing of a live Oracle ... that

Oracle SPARC SuperCluster Security Technical ... · PDF fileOracle SuperCluster Security Technical Implementation ... successful STIG application and testing of a live Oracle ... that

Documents
How Application Shielding supports PSD2 - Promon€¦ · HOW APPLICATION SHIELDING SUPPORTS PSD2 5 PSD2 security requirements Article 9 Implementation requirements for PSPs Paragraph

How Application Shielding supports PSD2 - Promon€¦ · HOW APPLICATION SHIELDING SUPPORTS PSD2 5 PSD2 security requirements Article 9 Implementation requirements for PSPs Paragraph

Documents
social security administration post implementation review... Implementation... · social security administration post implementation review template and procedures revised march 31,

social security administration post implementation review... Implementation... · social security administration post implementation review template and procedures revised march 31,

Documents
INF3510 Information Security L12: Application Security · INF3510 Information Security L12: Application Security Audun Jøsang University of Oslo Spring 2017 . Outline • Application

INF3510 Information Security L12: Application Security · INF3510 Information Security L12: Application Security Audun Jøsang University of Oslo Spring 2017 . Outline • Application

Documents
Essbase security implementation

Essbase security implementation

Documents
Security implementation on hadoop

Security implementation on hadoop

Engineering
international.anl.govsupporting the CSC on operational security matters, field training and implementation issues related to the application of the UN Security Management System; and(

international.anl.govsupporting the CSC on operational security matters, field training and implementation issues related to the application of the UN Security Management System; and(

Documents
Essbase security-implementation

Essbase security-implementation

Technology
Application Security 101web.uvic.ca/~garyperkins/Lecture 08 - Application Security 101.pdf · Application Security 101 Tanya Janca Security Trainer and Coach at SheHacksPurple.dev

Application Security 101web.uvic.ca/~garyperkins/Lecture 08 - Application Security 101.pdf · Application Security 101 Tanya Janca Security Trainer and Coach at SheHacksPurple.dev

Documents
Network Security Application Security Security Management

Network Security Application Security Security Management

Documents
implementation of web application security assessment for public

implementation of web application security assessment for public

Documents
Web Application Security with the Application Security Manager (ASM)

Web Application Security with the Application Security Manager (ASM)

Documents
Application Security

Application Security

Documents
MANAGING APPLICATION SECURITY...AN APPLICATION SECURITY PROGRAM MANAGING APPLICATION SECURITY PAGE 13 What do you use to track the effectiveness of your application security program?

MANAGING APPLICATION SECURITY...AN APPLICATION SECURITY PROGRAM MANAGING APPLICATION SECURITY PAGE 13 What do you use to track the effectiveness of your application security program?

Documents
PA DSS Implementation Guide Sierra Server Software Version … PADSS Implementation... · 2015-10-12 · comply with Payment Application – Data Security Standards (PA-DSS). The

PA DSS Implementation Guide Sierra Server Software Version … PADSS Implementation... · 2015-10-12 · comply with Payment Application – Data Security Standards (PA-DSS). The

Documents
Web Application Security ECT 582 Robin Burke. Outline SSL Web appliation flaws configuration application design implementation state management command

Web Application Security ECT 582 Robin Burke. Outline SSL Web appliation flaws configuration application design implementation state management command

Documents
Security Target Lite - Common Criteria · implementation of multi-application projects using the NXP Secure Smart Card Controller P60x144/080y. A Security IC must provide high security

Security Target Lite - Common Criteria · implementation of multi-application projects using the NXP Secure Smart Card Controller P60x144/080y. A Security IC must provide high security

Documents
Let's power higher performance - t-systems.com · e.g. NT, App & Cloud Security, Consulting & Implementation SAP Consulting, Implementation & Transformation, Application Development,

Let's power higher performance - t-systems.com · e.g. NT, App & Cloud Security, Consulting & Implementation SAP Consulting, Implementation & Transformation, Application Development,

Documents
Implementation, Management, and Security

Implementation, Management, and Security

Documents