18/08/2014 Securing Web Applications Mark Garratt


Page 1: Securing Web Applications

18/08/2014

Securing Web Applications

Mark Garratt

Page 2: Securing Web Applications

15/04/2023 © Copyright 2014 - Cyber-Duck Ltd.

2

Introduction

• Was: UH Student - Graduated 2012
• Now: Full Stack Developer at Cyber-Duck
• Things I do:
  – Programmer: PHP, MySQL, Node.js (JavaScript), MongoDB, HTML/CSS etc.
  – System Administrator: Linux server management
  – Security Tester: Reviewing and testing web apps
• Things I use:
  – TDD / BDD
  – Continuous Integration (Jenkins/Travis)
  – Vagrant + Docker

Page 3: Securing Web Applications


Knowledge Transfer Partnerships

“A relationship formed between a company and an academic institution ('Knowledge Base' partner), which facilitates the transfer of knowledge, technology and skills to which the company partner currently has no access. Each partnership employs one or more recently qualified people (known as an Associate) to work in a company on a project of strategic importance to the business, whilst also being supervised by the Knowledge Base Partner. Projects vary in length between 12 and 36 months. The Associates are either postgraduate researchers, university graduates, or individuals qualified to at least NVQ (Level 4) or equivalent.”

WHEN YOU GRADUATE APPLY FOR THESE

Page 4: Securing Web Applications


This talk…

• A bit about Cyber-Duck
• Some example projects
• Why security is important
• Security testing process

Page 5: Securing Web Applications


About Cyber-Duck

Page 6: Securing Web Applications


Our Clients

Page 7: Securing Web Applications


Why bother securing web apps?

• The data we store:
  – Personal data
  – Payment data
  – Business critical data
  – Copyright material
• Compliance with the law and standards:
  – Data Protection Act 1988
  – Copyright / Trademark law
  – PCI DSS Compliance
  – ISO27k series

Page 8: Securing Web Applications


Losing data has consequences

• Breach of contract
• Can result in legal proceedings
  – Data Protection
  – Financial Regulations
• Lasting damage to reputation

Page 9: Securing Web Applications


How to protect data

• Training and Awareness
• Regular security reviews
  – Evaluate Risks
  – Define Policies
  – Implement Controls
  – Test
  – Repeat (automate where possible)
• Secure programming practices
  – Sanitise inputs
  – Avoid unsafe functions e.g. eval()
  – OWASP Secure Coding Practices
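A worked illustration of the "sanitise inputs, avoid eval()" advice on this slide, added here and not part of the talk, written for Node.js (one of the stacks the speaker lists). The settings format, field names, limits and the unsafe "before" function are all assumed for the example:

```javascript
// Added example, not from the talk. Assumed: a client POSTs a small
// "settings" object (page number + sort field) that ends up in a query.

// UNSAFE: eval() turns the request body into code. Anything the client
// sends is executed with the privileges of the Node.js process.
function parseSettingsUnsafe(body) {
  return eval("(" + body + ")");
}

// Fields a query may be sorted by; anything else is rejected (allow-list).
const ALLOWED_SORT = new Set(["name", "created", "price"]);

// SAFE: JSON.parse yields data only, never code, and the result is then
// validated field by field before it reaches a query or a template.
function parseSettingsSafe(body) {
  let data;
  try {
    data = JSON.parse(body);
  } catch (e) {
    throw new Error("settings: body is not valid JSON");
  }
  if (data === null || typeof data !== "object" || Array.isArray(data)) {
    throw new Error("settings: expected a JSON object");
  }
  const page = Number(data.page);
  if (!Number.isInteger(page) || page < 1 || page > 10000) {
    throw new Error("settings: page must be an integer in 1..10000");
  }
  if (typeof data.sort !== "string" || !ALLOWED_SORT.has(data.sort)) {
    throw new Error("settings: unknown sort field");
  }
  // Return a fresh object containing only the validated fields.
  return { page, sort: data.sort };
}

// Sanitising on the way out: escape the characters that change meaning in
// HTML text or attributes, so user data is displayed rather than rendered.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

module.exports = { parseSettingsUnsafe, parseSettingsSafe, escapeHtml };
```

The same input that eval() silently executes is rejected by the JSON parser, and the allow-list means a renamed or unexpected field never reaches the query layer.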

Page 10: Securing Web Applications


“Amateurs hack systems, professionals hack people.” — Bruce Schneier

Page 11: Securing Web Applications


Identifying Vulnerabilities

• Static review
  – Read code
  – Observe practices
• Automated testing
• Penetration testing

Page 12: Securing Web Applications


Penetration Test – Ethical Hacking

Attacking your own or a client’s systems (with proper permission).

1. Pre-Engagement Interactions
2. Intelligence Gathering
3. Threat Modelling
4. Vulnerability Analysis
5. Exploitation
6. Post Exploitation
7. Reporting (Executive Summary)
8. Reporting (Technical Summary)

Page 13: Securing Web Applications


Hacking is not this…

Page 14: Securing Web Applications


1. Pre-Engagement Interactions

• Scoping
• Goals
• Testing Terms and Definitions
• Establishing Lines of Communication
• Rules of Engagement
• Capabilities and Technologies Implemented
• Protect Yourself

Page 15: Securing Web Applications


2. Intelligence Gathering

• Target Selection
• Open Source Intelligence (OSINT)
• Covert Gathering
• Human Intelligence (HUMINT)
• Foot-printing
• Identify Protection Mechanisms

Page 16: Securing Web Applications


3. Threat Modelling

• Business Asset Analysis
• Business Process Analysis
• Threat Agents/Community Analysis
• Threat Capability Analysis
• Analyse Available Compromise Data

Page 17: Securing Web Applications


4. Vulnerability Analysis

• Testing
• Validation
• Research

Page 18: Securing Web Applications


5. Exploitation

• Detect countermeasures
• Evasion techniques
• Precision strikes
• Tailored Exploits
• Zero-day attacks

Page 19: Securing Web Applications


6. Post Exploitation

• Infrastructure Analysis
• High Value/Profile Targets
• Pillaging
• Persistence
• Further Penetration Testing Into Infrastructure
• Clean-up

Page 20: Securing Web Applications


7. Reporting (Executive Summary)

• Background
• Overall Posture
• Risk/Ranking
• General Findings
• Strategic Roadmap
• Recommendations

Page 21: Securing Web Applications


8. Reporting (Technical Report)

• Introduction
• Information Gathering Intelligence
• Vulnerability Assessment
• Exploitation/Vulnerability Validation
• Risk/Exposure
• Conclusion

Page 22: Securing Web Applications


Questions?

Contact

Mark [email protected]

@MGarratt88
http://www.cyber-duck.co.uk