Cyber-Proofing your Data from Application Attacks
Irene Abezgauz, Product Manager
© 2005-2011. All Rights Reserved to Seeker Security Ltd.
© 2005-2012. All Rights Reserved to Seeker Security Ltd.
Introduction
• Cyber-Proofing – Application Security vs. Data Security
• Current Application Security Approach
• Vulnerability vs. Risk
• Technique vs. Goal
• Adaptive Approach for Application Security
About Myself
• Over 8 Years in Information Security
• Application Threats Expert
• Hands-on Penetration Testing, Research and Vulnerability Disclosure
• Speaker at Security Conferences
The Problem
• Cyber Threats – Focused, Persistent Attacks
• Evolution of Information Security – YOU are being Targeted
• Find as Many Vulnerabilities as Possible – is that really the Goal?
The Problem
• Influence of Application Vulnerabilities on Information Security
• Dealing with Security Information Overload
• Remediation Prioritization – “Critical”, “Very High”, “The Rest”
• The Need for Manageable Results
Current Approach
• Approach is Too Technical
• Focus on Technical Aspects
• Examine it from the Vulnerability Perspective
• Focus on Injections & Technical Problems
• Analysis of Code rather than Application
• Ignoring Application Data
• Focus on Technology instead of Risk
Too Many Vulnerabilities…
SQL Injection, Cross Site Request Forgery, Session Riding, LDAP Injection, Directory Traversal, OS Commanding, Session Hijacking, Flow Bypassing, Directory Listing, File Inclusion, Buffer Overflow, No SSL, Session Fixation, URL Encoding, Cross Site Scripting, Parameter Tampering, Forceful Browsing, Hidden Field Manipulation, Cookie Poisoning, CRLF Injection, HTTP Response Splitting, XPath Injection, Insecure Redirect, Insecure Password Storage, No User Lockout, Unauthenticated Access, Detailed Error Messages, Misconfiguration, Information Leakage
Example – Unauthorized Data Modification
• The Attack is Data Modification
• Can be Performed in Various Ways
  • Parameter Tampering
  • Flow Bypassing
  • SQL Injection
  • Cross Site Scripting
  • Cross Site Request Forgery
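The slide's point is that the attack is the data modification; the technique that gets there is interchangeable. The following is an added example, not code from the presentation or from any Seeker Security product: a profile-update handler that lets any logged-in user change another user's record by tampering with one request parameter, beside the hardened handler that makes the authorization decision from the server-side session and the record's ownership. The account store, `Session` class and handler names are constructed for illustration.

```python
"""Unauthorized data modification through parameter tampering, and its fix.

Added example, not code from the original presentation. The account store,
session object and handler names are constructed for illustration.
"""
import copy
from dataclasses import dataclass
from typing import Dict


class AuthorizationError(Exception):
    """Raised when the caller may not modify the requested record."""


@dataclass(frozen=True)
class Session:
    user: str   # identity established server-side at login


# Constructed sample data: two accounts owned by two different users.
SAMPLE_ACCOUNTS: Dict[str, Dict[str, str]] = {
    "acc-100": {"owner": "alice", "email": "alice@example.invalid"},
    "acc-200": {"owner": "bob", "email": "bob@example.invalid"},
}


def update_email_vulnerable(store, session, params):
    """Uses the client-supplied 'account' id as the only selector.
    Any logged-in user can change any account's e-mail by editing one field
    of the request; the session is never consulted."""
    account = store[params["account"]]
    account["email"] = params["email"]
    return account


def update_email_fixed(store, session, params):
    """Checks the record's ownership against the server-side session before
    writing. The request still names the account, but the decision to allow
    the write rests on data the client cannot tamper with."""
    account = store.get(params["account"])
    if account is None or account["owner"] != session.user:
        # one response for 'missing' and 'not yours', so the handler does not
        # confirm which account ids exist
        raise AuthorizationError("account not found or not owned by caller")
    account["email"] = params["email"]
    return account


def demo() -> dict:
    """Send the same tampered request to both handlers from bob's session and
    report what happened to alice's record in each case."""
    tampered = {"account": "acc-100", "email": "changed@example.invalid"}
    bob = Session(user="bob")

    store = copy.deepcopy(SAMPLE_ACCOUNTS)
    update_email_vulnerable(store, bob, tampered)
    after_vulnerable = store["acc-100"]["email"]

    store = copy.deepcopy(SAMPLE_ACCOUNTS)
    try:
        update_email_fixed(store, bob, tampered)
        outcome = "modified"
    except AuthorizationError:
        outcome = "rejected"
    after_fixed = store["acc-100"]["email"]

    return {
        "vulnerable_handler": after_vulnerable,
        "fixed_handler": outcome,
        "alice_email_after_fix": after_fixed,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Whether the tampered request arrives through a hand-edited form field, a forced browsing step that skips the intended flow, or a cross-site request riding on the victim's session, the fixed handler rejects it for the same reason: the caller does not own the record. That is the data-level check the slide argues should drive the assessment, rather than the name of the technique.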
The Problem – Take II
• Low Security ROI
  • Spending on solutions not focused on risk
  • Spending on professional services trying to simplify haystacks that resemble needles
  • Spending R&D hours on fixing unnecessary issues
Going back to the Roots
• Risk Based Approach
• CIA
  • Confidentiality
  • Integrity
  • Availability
• Assess Application Vulnerabilities Based on Data Risk
Data Oriented Approach
• Taking a Data Oriented Approach to Application Security Testing
• Logical vs. Technical
• Business Impact
• Level of Exploitability
• Risk, Risk, Risk
The Solution – Data Centric Application Security
• Analysis of Actual Data Handling
• Automatic Data Classification
  • Sensitivity
  • Ownership
  • Accessibility
• Identifying Vulnerabilities that Pose a Real Threat
• Verification of Actual Risk Level
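The deck's thesis across the "Going back to the Roots", "Data Oriented Approach" and "Data Centric Application Security" slides is that findings should be ranked by the risk to the data behind them (sensitivity, ownership, accessibility, exploitability, CIA impact) rather than by technique. The following is an added example, not code from the presentation or from any Seeker Security product; the scoring model, its weights and thresholds, the three buckets and the sample scanner findings are all constructed here to show how a data-centric ranking reorders a technique-centric report.

```python
"""Ranking application findings by the risk to the data they expose.

Added example, not code from the original presentation or from any Seeker
Security product; the scoring model, weights, thresholds and sample
findings are all constructed for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, List


class Sensitivity(IntEnum):
    """Classification of the data an endpoint handles (constructed scale)."""
    PUBLIC = 1
    INTERNAL = 2
    CONFIDENTIAL = 3
    RESTRICTED = 4


class Accessibility(IntEnum):
    """Who can reach the vulnerable function without further help."""
    ADMIN_ONLY = 1
    AUTHENTICATED_USER = 2
    ANONYMOUS = 3


@dataclass(frozen=True)
class DataAsset:
    name: str
    sensitivity: Sensitivity
    owner: str                   # business owner who decides the classification


@dataclass(frozen=True)
class Finding:
    technique: str               # what the scanner called it
    location: str                # where in the application
    data: DataAsset              # what the flaw actually touches
    accessibility: Accessibility
    exploitability: int          # 1 = theoretical .. 3 = trivially exploitable
    impact: FrozenSet[str]       # subset of {"C", "I", "A"}


# Technique-only severity: the ordering a conventional scanner report gives.
TECHNIQUE_SEVERITY = {
    "SQL Injection": 3,
    "Parameter Tampering": 2,
    "Cross Site Scripting": 2,
    "Detailed Error Messages": 1,
}


def risk_score(f: Finding) -> int:
    """Multiply data sensitivity, reachability, ease of exploitation and the
    number of CIA properties affected (range 1..108 under this model)."""
    impact = len(f.impact & {"C", "I", "A"})
    if impact == 0 or not 1 <= f.exploitability <= 3:
        raise ValueError(f"incomplete finding: {f.location}")
    return int(f.data.sensitivity) * int(f.accessibility) * f.exploitability * impact


def bucket(score: int) -> str:
    """The three remediation buckets named in the presentation (constructed thresholds)."""
    if score >= 54:
        return "Critical"
    if score >= 24:
        return "Very High"
    return "The Rest"


def rank_by_data_risk(findings: List[Finding]) -> List[Finding]:
    return sorted(findings, key=risk_score, reverse=True)


def rank_by_technique(findings: List[Finding]) -> List[Finding]:
    # sorted() is stable, so findings of equal severity keep report order
    return sorted(findings, key=lambda f: TECHNIQUE_SEVERITY.get(f.technique, 0), reverse=True)


CATALOG = DataAsset("product catalog", Sensitivity.PUBLIC, "marketing")
CUSTOMER_PII = DataAsset("customer profiles", Sensitivity.RESTRICTED, "customer care")
PAYMENTS = DataAsset("payment records", Sensitivity.RESTRICTED, "finance")
METRICS = DataAsset("internal dashboards", Sensitivity.INTERNAL, "operations")
STACK_TRACES = DataAsset("server stack traces", Sensitivity.INTERNAL, "engineering")

# Constructed scanner output for a fictitious web shop.
SAMPLE_FINDINGS = [
    Finding("SQL Injection", "/catalog/search", CATALOG, Accessibility.ANONYMOUS, 3, frozenset("C")),
    Finding("Parameter Tampering", "/account/profile", CUSTOMER_PII, Accessibility.AUTHENTICATED_USER, 3, frozenset("CI")),
    Finding("SQL Injection", "/account/orders", PAYMENTS, Accessibility.AUTHENTICATED_USER, 3, frozenset("CIA")),
    Finding("Cross Site Scripting", "/admin/reports", METRICS, Accessibility.ADMIN_ONLY, 2, frozenset("I")),
    Finding("Detailed Error Messages", "/api/login", STACK_TRACES, Accessibility.ANONYMOUS, 3, frozenset("C")),
]


def report(findings: List[Finding]) -> List[str]:
    """One line per finding, highest data risk first."""
    return [f"{bucket(risk_score(f)):9} {risk_score(f):3}  {f.technique:24} {f.location:18} -> {f.data.name}"
            for f in rank_by_data_risk(findings)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FINDINGS)))
```

Under the technique-only ordering both SQL injections come first, although one of them only reads a public catalog; under the data-centric ordering the injection that reaches payment records is the single "Critical" item, the profile tampering that exposes customer data is "Very High", and the catalog injection drops into "The Rest" behind an anonymous information leak. The multiplicative model is deliberately simple; what matters for the argument is that every factor in it is a property of the data and of who can reach it, not of the vulnerability class.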
Automatic Classification of Risk
Visualization of Risk
Summary
• Cyber-Proofing!
• Identify More Vulnerabilities
• Focus on Real Threats
• Holistic Approach
• Integrate into SDLC
• Efficient, Practical, Focused, Better ROI
Thank You!