Securing Web Applications

18/08/2014

Mark Garratt

Introduction

• Was: UH Student - Graduated 2012• Now: Full Stack Developer at Cyber-Duck• Things I do:

– Programmer: PHP, MySQL, Node.js (JavaScript), MongoDB, HTML/CSS etc.

– System Administrator: Linux server management– Security Tester: Reviewing and testing web apps

• Things I use:– TDD / BDD– Continuous Integration (Jenkins/Travis)– Vagrant + Docker

Knowledge Transfer Partnerships

“A relationship formed between a company and an academic institution ('Knowledge Base' partner), which facilitates the transfer of knowledge, technology and skills to which the company partner

currently has no access. Each partnership employs one or more recently qualified people (known as an Associate) to work in a

company on a project of strategic importance to the business, whilst also being supervised by the Knowledge Base Partner.

Projects vary in length between 12 and 36 months. The Associates are either postgraduate researchers, university graduates, or individuals qualified to at least NVQ (Level 4) or equivalent.”

WHEN YOU GRADUATE APPLY FOR THESE

This talk…

• A bit about Cyber-Duck• Some example projects• Why security is important• Security testing process

About Cyber-Duck

Our Clients

Why bother securing web apps?

• The data we store:– Personal data– Payment data– Business critical data– Copyright material

• Compliance with the law and standards– Data Protection Act 1988– Copyright / Trademark law– PCI / DSS Compliance– ISO27k series

Losing data has consequences

• Breach of contract• Can result in legal proceedings

– Data Protection– Financial Regulations

• Lasting damage to reputation

How to protect data

• Training and Awareness• Regular security reviews

– Evaluate Risks– Define Policies– Implement Controls– Test– Repeat (automate where possible)

• Secure programming practices– Sanitise inputs– Avoid unsafe functions e.g. eval()– OWASP Secure Coding Practices

Amateurs hack systems, professionals hack people. — Bruce Schneier“

Identifying Vulnerabilities

• Static review– Read code– Observe practices

• Automated testing• Penetration testing

Penetration Test – Ethical Hacking

Attacking your own or a client’s systems (with proper permission).

1. Pre-Engagement Interactions2. Intelligence Gathering3. Threat Modelling4. Vulnerability Analysis5. Exploitation6. Post Exploitation7. Reporting (Executive Summary)8. Reporting (Technical Summary)

Hacking is not this…

1. Pre-Engagement Interactions

• Scoping• Goals• Testing Terms and Definitions• Establishing Lines of Communication• Rules of Engagement• Capabilities and Technologies Implemented• Protect Yourself

2. Intelligence Gathering

• Target Selection• Open Source Intelligence (OSINT)• Covert Gathering• Human Intelligence (HUMINT)• Foot-printing• Identify Protection Mechanisms

3. Threat Modelling

• Business Asset Analysis• Business Process Analysis• Threat Agents/Community Analysis• Threat Capability Analysis• Analyse Available Compromise Data

4. Vulnerability Analysis

• Testing• Validation• Research

5. Exploitation

• Detect countermeasures• Evasion techniques• Precision strikes• Tailored Expolits• Zero-day attacks

6. Post Exploitation

• Infrastructure Analysis• High Value/Profile Targets• Pillaging• Persistence• Further Penetration Testing Into Infrastructure• Clean-up

7. Reporting (Executive Summary)

• Background• Overall Posture• Risk/Ranking• General Findings• Strategic Roadmap• Recommendations

8. Reporting (Technical Report)

• Introduction• Information Gathering Intelligence• Vulnerability Assessment• Exploitation/Vulnerability Validation• Risk/Exposure• Conclusion

Questions?

Contact

Mark Garrattmark@cyber-duck.co.uk

@MGarratt88http://www.cyber-duck.co.uk

Securing Web Applications

Internet

CNIT 129S: Securing Web Applications › 129S › lec › ch4.pdfCNIT 129S: Securing Web Applications Ch 4: Mapping the Application Mapping • Enumerate application's content and

Securing Web Applications with Token Authentication

Securing Grails Applications

Securing ASP.NET web applications

Securing PHP Applications

SAFEWEB: A Middleware for Securing Ruby-based Web Applications

Clarice Technologies - Securing Web Applications- A Complete Solution

CNIT 129S: Securing Web Applications › 129S › lec › 129s-ch3.pdfCNIT 129S: Securing Web Applications Ch 3: Web Application Technologies Updated 1-24-18 HTTP Hypertext Transfer

CNIT 129S: Securing Web Applications · CNIT 129S: Securing Web Applications Ch 11: Attacking Application Logic . Logic Flaws ... and application functions Avoiding Logic Flaws. Title:

Riverbed Securing Cloud Applications with a Distributed Web Application Firewall

4828EN Chapter14 Securing Fusion Web Applications

Securing your web applications a pragmatic approach

SAFEWEB: A Middleware for Securing Ruby-Based Web Applications€¦ · SAFEWEB: A Middleware for Securing Ruby-Based Web Applications Petr Hosek 1, Matteo Migliavacca , Ioannis Papagiannis

Securing Web Services and Applications using Captcha Security

Securing Cloud Applications with a Distributed Web Application

CNIT 129S: Securing Web Applications - samsclass.info · CNIT 129S: Securing Web Applications Ch 6: Attacking Authentication. Authentication Technologies • Over 90% of apps use

Securing Web Applications with ModSecurity€¦ · OWASP 4 Problem: web applications are not secure (2)

Securing Web Applications with Information Flow Tracking

Securing JavaScript applications within the Spotify web player753576/FULLTEXT01.pdf · Securing JavaScript applications within the Spotify web player ... Within a room all users’

Securing Android Applications