Hybrid website security from Indusface
Transcript of Hybrid website security from Indusface
01 www.indusface.com | Indusface, Proprietary
HYBRID WEBSITE SECURITY
AGENDA
Websites – Business & Security Landscape
Website Security Approach
Challenges for Automated Scanning
Hybrid Website Security
Benefits
Examples of Logical Checks
Websites – Business and Security Landscape
Websites and Web Applications for Everything!
Websites and web applications contain valuable data which can be misused if accessed by the wrong people!
Hence ensuring comprehensive security of a website and web application, which checks for both technical and logical vulnerabilities, is of utmost importance!
Websites and Web Applications Are Vulnerable
75% of all attacks are targeted at the application layer. (Gartner)
More than 90% of web applications contain some type of security vulnerability. (Imperva)
Through 2015, 80% of successful attacks will exploit well-known vulnerabilities and will be detectable via security monitoring. (Gartner)
More than 13% of all reviewed sites can be compromised completely automatically. The most widespread vulnerabilities were Cross-Site Scripting, different types of Information Leakage, SQL Injection, and HTTP Response Splitting. (WASC)
73% of organizations have been hacked at least once in the past two years through insecure websites and web applications. (Ponemon Institute)
Automation is not always effective without manual configuration or testing activity; manual testing can uncover flaws that are difficult or impossible to find with automated tools. (Gartner)
Mind Block
Misconceptions:
• The website is secure because it has been scanned by state-of-the-art scanning software
• Firewalls and SSL are adequate security for a web application
• An IDS protects the web server and databases
Reality:
• Frequent software updates and new website functionality increase the potential for new web application vulnerabilities
• Security holes in the web application layer can make a perfectly patched and firewalled server completely vulnerable
• A security assessment of an application is never complete without the involvement of an application security expert
Website Security Approach
The Importance of Website Scanning
Comprehensive Website Security Scanning is Mandatory!
Source: Gartner
1. Increasing threats, regulations, and the changing IT landscape have made dynamic software security testing important.
2. Web applications are now an integral part of any business.
3. Web applications have become increasingly complex, holding tremendous amounts of sensitive data which can be used in unexpected ways, abused, stolen, and attacked.
4. Vulnerabilities in applications lead to security breaches which are a threat to brand reputation.
5. The best web application security coverage is the combination of automated scanning and manual penetration testing.
Automated and Manual Website Scanning
Human intelligence assessments and automated scanners are both required for complete vulnerability coverage when it comes to web applications.
Automated Scanning
• Easily identifies technical vulnerabilities
• Very thorough in the testing process
• Opportunity to increase the frequency of scans (daily)
• Proactive approach to detecting a vulnerability in less time
• Confidence booster to business/app owners
Manual Scanning
• Intervention of a subject matter expert
• Identifies logical flaws and complex weaknesses
• Ability to correlate multiple vulnerabilities to create a bigger impact
• Ability to complete steps where human intervention is needed
• Ability to concentrate on test cases based on critical threats to the business
Technical Flaws versus Logical Flaws
To detect logical flaws, human intelligence intervention is required.
TECHNICAL FLAWS
Confidential Information Disclosure: Known Directory, Known CGI File, Configuration File Disclosure, Backup File Disclosure
Application Input Manipulation: SQL Injection, Cross-Site/In-Line Scripting, Buffer Overflow, OS Command Injection, Meta Character Injection, Directory Traversal, Null Injection, Extension Manipulation, Frame Spoofing
Session Management: Brute/Reverse Force, Session Hijacking, Session Replay, Session Forging, Password Recovery
LOGICAL FLAWS
Logical Flaws: Account Privilege Escalation, Page Sequencing, User Impersonation, Improper Session Handling
Confidential Information Disclosure: Verbose Error Messages, HTML Comments
Application Input Manipulation: User-Agent Manipulation, Referrer Manipulation, Debug Commands
Challenges for Automated Scanning
Challenges for Automated Scanning
1. Infinite Website Structure
2. Multi-Step Process
3. Authentication and Authorization
Infinite Website Structure
Dynamic web sites: complex and dynamic websites cannot be comprehensively scanned in a purely automatic manner. Human intelligence can define finite test cases for finite threats.
• Rate of addition
• Rate of decay
• Very large database of 500,000+ items and links
• Dynamic URL creation
Multi-Step Process
• A multi-step process requires human intervention to complete the process
• An automated approach on its own cannot complete such a process, so it will not find all the flaws or the logical weaknesses in it
Authentication and Authorization
Authentication and authorization are complex in nature.
Hybrid Website Security
Hybrid Website Security = Automated + Manual
A hybrid model ensuring the best of automated scanning combined with manual testing, covering an internal and external assessment of vulnerabilities.
IndusGuard by Indusface is a zero-touch, non-intrusive, cloud-based solution which safeguards websites by daily, automatic and comprehensive scanning of websites for system and application vulnerabilities, and malware.
AUTOMATED: Daily scans provide a proactive approach to identifying technical vulnerabilities on a daily basis.
MANUAL: Checks for logical flaws and performs session-based checks using security experts.
Comprehensive Automated and Manual Website Security
Manual assessment workflow around the customer web application:
• Module Enumeration
• Application Review
• Test Case Development
• Test Execution
• Case Validation
• Draft Test Report
• Manual Feedback
• Test Database
Platform features:
• Role Based Access Control
• Complete, Actionable Reporting
• Detailed Remediation Guidelines
• Flexible Management of Websites
• Zero False Positives
• Business Logic Testing
• Unlimited Expert Support
• Web service API
• Flexible Notification
• Manual Revalidation
Examples of Logical Checks
Online Travel Portal
A travel portal is designed to follow a business logic of allowing its consumers to book a flight ticket online at the listed price.
1. A malicious user trying to book an online ticket selects an itinerary with the listed price of $1000.
2. The same user exploits an application vulnerability to modify the listed price to a much lower price: $1000 changed to $100.
3. The payment gateway verifies the transaction as valid and $100 is charged.
4. The travel portal accepts the transaction as successful and issues a ticket to the consumer.
A flaw in the portal's business logic was identified. An online travel company can lose millions if the application is not able to handle and identify such online fraud.
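The price-tampering flaw above comes down to one design error: the server charges the price the browser sent back rather than the price it knows. The following is an added example written for this page (not Indusface's or IndusGuard's code) showing a booking handler that trusts the client-supplied `price` beside one that recomputes the fare from a server-side catalogue and reconciles the gateway's callback. The catalogue, itinerary ids, request dicts and the `gateway_charge` stand-in are all constructed for the example.

```python
"""Price-manipulation check for a booking flow (added example, not Indusface's code).

Assumed: a server-side catalogue keyed by itinerary id, a payment gateway that
charges whatever amount it is told (as on the slide: it validates the card, not
the fare), and a form-like request dict from the client. Names are hypothetical.
"""
from dataclasses import dataclass

# Constructed catalogue: the only authoritative source of prices.
CATALOGUE = {"BOM-DEL-20XX": 1000, "BLR-DEL-20XX": 750}


@dataclass
class Charge:
    itinerary: str
    amount: int
    ticket_issued: bool
    reason: str = ""


def gateway_charge(amount: int) -> bool:
    """Stand-in for the payment gateway: accepts any positive amount."""
    return amount > 0


def checkout_vulnerable(request: dict) -> Charge:
    """The slide's flaw: charges the price field the browser sent back with the form."""
    amount = int(request["price"])          # attacker-controlled
    ok = gateway_charge(amount)
    return Charge(request["itinerary"], amount, ticket_issued=ok)


def checkout_hardened(request: dict) -> Charge:
    """Recomputes the fare server-side and refuses any mismatch with the client copy."""
    itinerary = request.get("itinerary")
    if itinerary not in CATALOGUE:
        return Charge(str(itinerary), 0, False, "unknown itinerary")
    expected = CATALOGUE[itinerary]
    # The client-supplied price is at most a consistency hint, never the amount charged.
    if "price" in request and int(request["price"]) != expected:
        return Charge(itinerary, 0, False, "price tampering detected")
    ok = gateway_charge(expected)
    return Charge(itinerary, expected, ticket_issued=ok)


def gateway_callback_valid(expected: int, callback: dict) -> bool:
    """Second control: only issue the ticket if the gateway captured the expected amount."""
    return callback.get("status") == "success" and int(callback.get("amount", -1)) == expected


# Constructed attacker request: the listed fare for this itinerary is 1000.
TAMPERED = {"itinerary": "BOM-DEL-20XX", "price": "100"}

if __name__ == "__main__":
    print(checkout_vulnerable(TAMPERED))   # ticket issued for 100
    print(checkout_hardened(TAMPERED))     # refused: price tampering detected
```

The second check matters even after the first is fixed: a gateway that lets the merchant pass the amount in a redirect can be tampered with on the way back, so the ticket should be issued only when the captured amount in the gateway's callback equals the fare the server itself computed.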
Online Voting System
An online voting portal has a feature which allows the user to cast a vote only after entering the One Time Password (OTP) sent to the user's registered mobile number.
1. A malicious user logs into the application and selects the candidate for whom he wants to cast the vote.
2. The application now asks the user to enter the OTP which was sent to his registered mobile number.
3. After some manipulation, the attacker is successful in casting the vote without entering the OTP.
Now, if an attacker gets access to a valid user's username and password, he can cast the vote a number of times without entering the OTP.
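The OTP bypass is a page-sequencing flaw of the kind the Multi-Step Process slide says a scanner will not reach on its own: the final step has to be called directly, out of order, and that is what a tester does by hand. The following is an added example written for this page (not Indusface's or IndusGuard's code) that models the login / select / OTP / vote flow with an in-memory `VotingApp`; `cast_vote_vulnerable` only checks that the caller is logged in, while `cast_vote_hardened` enforces the sequence with server-side state, binds the OTP to the candidate it was issued for, makes it single-use, and limits each user to one vote. The class, session layout and the OTP delivery shortcut are all assumptions made so the example runs offline.

```python
"""Step-sequencing check for an OTP-gated action (added example, not Indusface's code).

Flow modelled from the slide: login -> select candidate -> OTP sent -> OTP entered
-> vote cast. All state lives server-side; nothing the client sends is trusted
to say which step has been completed. Names are hypothetical.
"""
import hmac
import secrets


class VotingApp:
    def __init__(self):
        self.sessions = {}   # session_id -> server-side state
        self.votes = {}      # user -> candidate
        self.otps = {}       # session_id -> (otp, candidate it was issued for)

    def login(self, user: str) -> str:
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user, "step": "logged_in"}
        return sid

    def select_candidate(self, sid: str, candidate: str) -> str:
        s = self.sessions[sid]
        s["candidate"] = candidate
        s["step"] = "candidate_selected"
        otp = f"{secrets.randbelow(1_000_000):06d}"
        self.otps[sid] = (otp, candidate)      # bound to this specific choice
        # In production the OTP goes out over SMS; it is returned here only so
        # the example runs offline.
        return otp

    def verify_otp(self, sid: str, otp: str) -> bool:
        s = self.sessions[sid]
        issued = self.otps.get(sid)
        if not issued or not hmac.compare_digest(issued[0], otp):
            return False
        s["step"] = "otp_verified"
        s["otp_candidate"] = issued[1]
        del self.otps[sid]                     # single use
        return True

    def cast_vote_vulnerable(self, sid: str, candidate: str) -> str:
        # The slide's flaw: the endpoint checks the login, not that the OTP step happened.
        s = self.sessions[sid]
        self.votes[s["user"]] = candidate
        return "vote recorded"

    def cast_vote_hardened(self, sid: str, candidate: str) -> str:
        s = self.sessions[sid]
        if s["step"] != "otp_verified":
            return "error: OTP step not completed"
        if s.get("otp_candidate") != candidate:
            return "error: OTP was not issued for this candidate"
        if s["user"] in self.votes:
            return "error: already voted"
        self.votes[s["user"]] = candidate
        s["step"] = "voted"                    # consume the verified state; no replay
        return "vote recorded"


if __name__ == "__main__":
    app = VotingApp()
    sid = app.login("alice")
    otp = app.select_candidate(sid, "A")
    print(app.cast_vote_hardened(sid, "A"))    # error: OTP step not completed
    app.verify_otp(sid, otp)
    print(app.cast_vote_hardened(sid, "A"))    # vote recorded
```

When testing such a flow by hand, the useful cases are exactly the transitions the hardened handler rejects: calling the vote endpoint straight after login, calling it with a different candidate than the OTP was issued for, and calling it a second time after a successful vote.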
Benefits
Benefits of Hybrid Website Security: Automated + Manual
• Complete coverage of website and web application security assessment
• Zero false positives
• Involvement of a subject matter expert
• Proactive approach in finding vulnerabilities on a daily basis using automated scans
• Evidence of exploit for business owners, to demonstrate business impact
• Ability to identify complex logical weaknesses
• Ability to assess complex, huge and dynamic websites
This powerful combination of technology and human intelligence is required to ensure comprehensive security coverage is provided to a web application.
Thank You
VADODARA, INDIA A/2-3, 3rd Floor, Status Plaza Opp Relish Resort Atladara Old Padra Road Vadodara – 390020 Gujarat, India T : +91 265 3933000 F : +91 265 2355820
BANGALORE, INDIA 408, 2nd Floor Regency Enclave 4, Magrath Road Bangalore – 560025 Karnataka, India T : +91 80 65608570 +91 80 65608571 F : +91 80 41129296
MUMBAI, INDIA 1357 / 1359, Regus Serviced Offices, Level 13, Platinum Techno Park 17 & 18, Sector 30, Vashi, Navi Mumbai – 400705 Maharashtra, India. T : +91 22 61214961
Sales : [email protected]
Marketing : [email protected]
Technical : [email protected]
DELHI, INDIA Regus Serviced Office 2F Elegance, Jasola District Center, Old Mathura Road, New Delhi – 110025, India T : +91 9974090400