Web application security 101 explained by SPI Dynamics.
Web Application Security
security. protection. intelligence.
Q: Where Do Your Current Security Measures Fail?
A: Your Proprietary, Custom written Web Applications
Today over 70% of attacks against a company’s Web site or Web application come at the ‘Application Layer’, not the Network or System layer.
A complete security solution requires attention at each potential point of attack.
Q: So how do we remedy this situation?
A: Enact policies requiring your developers to write secure code.
• Verify all request parameters are in proper format (via a standard library).
• Any unknown or incorrect user data should be logged and the request terminated.
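What that policy looks like when it reaches code, as an added example that is not from the SPI deck: every parameter the handler expects is listed with the exact format it must match, checked with the standard library (`re` and `urllib.parse`); anything unknown, duplicated, missing or malformed is logged and the request is rejected instead of being passed downstream. The parameter names and formats are constructed for the illustration.

```python
import logging
import re
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import parse_qs

# Constructed allow-list (hypothetical, not from the deck): each parameter the
# handler expects, with the format it must match in full.  Anything not listed
# here is "unknown user data" and the request is terminated, not processed.
PARAMETER_FORMATS = {
    "account_id": re.compile(r"[0-9]{1,10}"),        # numeric identifier only
    "username":   re.compile(r"[A-Za-z0-9_]{3,32}"), # no metacharacters of any kind
    "page":       re.compile(r"[0-9]{1,4}"),         # small positive integer
    "lang":       re.compile(r"en|de|fr|es"),        # fixed vocabulary
}
REQUIRED = {"account_id"}

log = logging.getLogger("request_validation")


@dataclass
class ValidationResult:
    accepted: bool
    params: Dict[str, str] = field(default_factory=dict)
    errors: List[str] = field(default_factory=list)


def validate_query(query_string: str, max_params: int = 20) -> ValidationResult:
    """Check every request parameter against PARAMETER_FORMATS.

    Returns accepted=False, with every reason logged, when any parameter is
    unknown, repeated, missing or malformed.  The caller terminates the
    request on accepted=False; only fully validated data is ever returned.
    """
    try:
        # keep_blank_values=True so an empty value is still checked (and rejected);
        # max_num_fields bounds the work an oversized request can cause.
        parsed = parse_qs(query_string, keep_blank_values=True,
                          max_num_fields=max_params)
    except ValueError:
        log.warning("rejected request: more than %d parameters", max_params)
        return ValidationResult(accepted=False, errors=["too many parameters"])

    errors: List[str] = []
    clean: Dict[str, str] = {}

    for name, values in parsed.items():
        pattern = PARAMETER_FORMATS.get(name)
        if pattern is None:
            errors.append(f"unknown parameter {name!r}")
            continue
        if len(values) != 1:
            # A name supplied twice is ambiguous to downstream code; reject it.
            errors.append(f"parameter {name!r} supplied {len(values)} times")
            continue
        value = values[0]
        if not pattern.fullmatch(value):
            # Log the name and length, never the raw untrusted value.
            errors.append(f"parameter {name!r} failed format check (len={len(value)})")
            continue
        clean[name] = value

    for name in REQUIRED - clean.keys():
        if not any(name in e for e in errors):
            errors.append(f"required parameter {name!r} missing")

    if errors:
        log.warning("rejected request: %s", "; ".join(errors))
        return ValidationResult(accepted=False, errors=errors)
    return ValidationResult(accepted=True, params=clean)


if __name__ == "__main__":
    # Constructed sample query strings.
    for qs in ("account_id=42&username=alice&lang=en",
               "account_id=42&debug=1",
               "account_id=42&page=1&page=2",
               "username=alice"):
        print(qs, "->", validate_query(qs))
```

The allow-list is deliberately the only source of truth: a new parameter that a developer forgets to register is rejected loudly in testing rather than silently accepted in production, which is the enforcement mechanism the next slide asks for.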
But if you instituted this policy, how would you effectively enforce it? What measures would you have in place to make sure that developers comply?
“An unenforceable policy, or one without a process to determine the outlined specifications, is just as good as no policy at all.”
Q: But I use XYZ Scanner, won’t it discover these types of vulnerabilities?
A: No, and this is why.
Where Today’s Security Measures Fail
Q: How can SPI Dynamics do all of this and the others can’t?
A: Because other scanners are a security broadsword, where ours is a security scalpel.
WebInspect™ is NOT meant to replace any tools that are currently being used; instead it complements them.
How SPI Solves The Problem
WebInspect™ scans the whole site:
• Web server
• Web pages
• Scripts
• Proprietary applications
• Cookies
[Diagram: Internet, IDS, Firewall, Web Server, Database Server, CC#’s Database, Users Database]
WebInspect™
• Scans authentication codes
• Assesses security procedures
• Carves into confidential data
… Just like a hacker would
WebInspect™
WebInspect™ automates our security expertise so that customers can simulate an advanced web-application attack on their own. WebInspect™ detects holes in both standard and proprietary applications, and crawls the entire website in search of potential security problems.
WebInspect™ is easy to use. Simply enter the URL of the Web site or Web application you wish to scan and click go.
WebInspect™ is easy to understand. The Vulnerability Report is listed in order of severity and contains HTML links for navigation.
Features & Benefits of WebInspect™
• Unique Focus: Your proprietary Web site or Web application
• Superior Scanning: Products codify our security expertise
• Extremely Fast: WebInspect™ runs in minutes/hours vs. the days/weeks it takes to complete traditional vulnerability assessments
• Automated: Continuously maintain your security integrity
• Updated: Continuously keep up to date on the latest vulnerabilities with the online update feature
• Simple & Cost Effective: Licensed per IP address or per consultant
• Risk-Free: Offered on a trial basis at no cost
How does WebInspect™ do this?
• Hidden Manipulation
• Parameter Tampering
• Cookie Poisoning
• Stealth Commanding
• Forceful Browsing
• Backdoor/Debug Options
• Configuration Subversion
• Vendor-Assisted Hacking
The SPI Works Product Suite
WebInspect™: Application Assessment
• Use WebInspect™ to assess current Web sites or Web applications.
• Use WebInspect™ to QA new applications during development prior to release into production.
Available now. Know your vulnerabilities.
LogAlert™: Application Log Audit
• Use LogAlert™ to audit Web logs to know if an attacker has successfully compromised your Web site or Web application.
• Use LogAlert™ after you have been attacked for Web log forensic analysis.
Available now. Know if you have been attacked.
WebDefend™: Application Intrusion Protection
• Use WebDefend™ to proactively stop Web site or Web application intrusions.
Available Q2 2002. Proactively stop attacks.
Our Company
• Founded in April 2000 by recognized Information Security industry experts
• Released WebInspect™ in April 2001
• HQ in Atlanta, Georgia
• Resellers in New York, Chicago, Washington D.C., Knoxville, Miami, London
SPI serves clients in each of the following vertical industries:
• HealthCare
• Insurance
• Financial Services
• Government
• Global Enterprise
• Consulting
SPI Dynamics is the leading provider of automated Web Application security products.
SPI develops “hands-off” security products that contain the knowledge and expertise of an information security professional embedded in the code.
The embedded “hacker logic” enables our software to think for the end-user, making their job easier.