Hybrid website security from Indusface

01 www.indusface.com | Indusface, Proprietary

Description

1. Automatic scans do not make a web security program jump like a duck
2. Hype around auto scans and why they fail to deliver most of the time
3. How to detect logical flaws, the bedrock of almost all impactful web application vulnerabilities

Transcript of Hybrid website security from Indusface

Page 1: Hybrid website security from Indusface


HYBRID WEBSITE SECURITY

Page 2

AGENDA

Websites – Business & Security Landscape

Website Security Approach

Challenges for Automated Scanning

Hybrid Website Security

Benefits

Examples of Logical Checks

Page 3

Websites – Business and Security Landscape

Page 4

Websites and Web Applications for Everything!

Websites and web applications contain valuable data which can be misused if accessed by the wrong people!

Hence comprehensive security testing of websites and web applications, covering both technical and logical vulnerabilities, is of utmost importance!

Page 5

Websites and Web Applications Are Vulnerable

• 75% of all attacks are targeted towards the application layer. (Gartner)

• More than 90% of web applications contain some type of security vulnerability. (Imperva)

• Through 2015, 80% of successful attacks will exploit well-known vulnerabilities and will be detectable via security monitoring. (Gartner)

• More than 13% of all reviewed sites can be compromised completely automatically. The most widespread vulnerabilities were Cross-site Scripting, different types of Information Leakage, SQL Injection, and HTTP Response Splitting. (WASC)

• 73% of organizations have been hacked at least once in the past two years through insecure websites and web applications. (Ponemon Institute)

• Automation is not always effective without manual configuration or testing activity; manual testing can uncover flaws that are difficult or impossible to find with automated tools. (Gartner)

Page 6

Mind Block

• The website is secured because it has been scanned by state-of-the-art scanning software
• Firewalls and SSL are adequate security for a web application
• An IDS protects the web server and databases

• Frequent software updates and new website functionality increase the potential for new web application vulnerabilities
• Security holes in the web application layer can make a perfectly patched and firewalled server completely vulnerable
• A security assessment of an application is never complete without the involvement of an application security expert

Page 7

Website Security Approach

Page 8

The Importance of Website Scanning

Comprehensive Website Security Scanning is Mandatory!

Source: Gartner

1. Increasing threats, regulations, and the changing IT landscape have made dynamic software security testing important.
2. Web applications are now an integral part of any business.
3. Web applications have become increasingly complex, holding tremendous amounts of sensitive data which can be used in unexpected ways, abused, stolen, and attacked.
4. Vulnerabilities in applications lead to security breaches which are a threat to brand reputation.
5. The best web application security coverage is the combination of automated scanning and manual penetration testing.

Page 9

Automated and Manual Website Scanning

Human intelligence assessments and automated scanners are both required for complete vulnerability coverage of web applications.

Automated Scanning

• Easily identifies technical vulnerabilities
• Very thorough in the testing process
• Opportunity to increase the frequency of scans (daily)
• Proactive approach: detects a vulnerability in less time
• Confidence booster for business/app owners

Manual Scanning

• Intervention of a subject matter expert
• Identifies logical flaws and complex weaknesses
• Ability to correlate multiple vulnerabilities to create a bigger impact
• Ability to get past steps where human intervention is needed
• Ability to concentrate on test cases based on critical threats to the business

Page 10

Technical Flaws versus Logical Flaws

To detect logical flaws, human intelligence intervention is required.

TECHNICAL FLAWS

Confidential Information Disclosure
• Known Directory
• Known CGI File
• Configuration File Disclosure
• Backup File Disclosure

Application Input Manipulation
• SQL Injection
• Cross-Site/In-Line Scripting
• Buffer Overflow
• OS Command Injection
• Meta Character Injection
• Directory Traversal
• Null Injection
• Extension Manipulation
• Frame Spoofing

Session Management
• Brute/Reverse Force
• Session Hi-Jacking
• Session Replay
• Session Forging
• Password Recovery

LOGICAL FLAWS

Logical Vulnerabilities
• Logical Flaws
• Account Privilege Escalation
• Page Sequencing
• User Impersonation
• Improper Session Handling

Confidential Information Disclosure
• Verbose Error Messages
• HTML Comments

Application Input Manipulation
• User-Agent Manipulation
• Referrer Manipulation
• Debug Commands

Page 11

Challenges for Automated Scanning

Page 12

Challenges for Automated Scanning

1. Infinite Website Structure
2. Multi-Step Process
3. Authentication and Authorization

Page 13

Dynamic Web Sites: Infinite Website Structure

Complex and dynamic websites cannot be comprehensively scanned in an automatic manner. Human intelligence can define finite test cases for finite threats.

• Rate of addition

• Rate of decay

• Very large database of 500,000 items + links

• Dynamic URL creation

Page 14

Multi-Step Process

• A multi-step process requires human intervention to complete the process

• An automated approach can never find all flaws, nor complete the process to find logical weaknesses

Page 15

Authentication and Authorization

Authentication and authorization are complex in nature

Page 16

Hybrid Website Security

Page 17

Hybrid Website Security = Automated + Manual

A hybrid model ensuring the best of automated scanning combined with manual testing, covering an internal and external assessment of vulnerabilities.

IndusGuard by Indusface is a zero-touch, non-intrusive, cloud-based solution which safeguards websites by daily, automatic and comprehensive scanning for system and application vulnerabilities, and malware.

AUTOMATED

Daily scans provide a proactive approach on identifying technical vulnerabilities on a daily basis

MANUAL

Checks for logical flaws and performs session based checks using security experts

Page 18

Comprehensive Automated and Manual Website Security

Assessment workflow (figure labels):

• Customer Web Application
• Manual Feedback
• Module Enumeration
• Application Review
• Test Case Development
• Case Validation
• Draft Test Report
• Test Database
• Test Execution

Features:

• Role Based Access Control
• Complete, Actionable Reporting
• Detailed Remediation Guidelines
• Flexible Management of Websites
• Zero False Positives
• Business Logic Testing
• Unlimited Expert Support
• Web service API
• Flexible Notification
• Manual Revalidation

Page 19

Examples of Logical Checks

Page 20

Online Travel Portal

A travel portal is designed to follow a business logic that allows its consumers to book a flight ticket online at the listed price, as shown.

A malicious user tries to book an online ticket:

1. Selects the itinerary with the listed price: $ 1000/-
2. The same user exploits the application vulnerability to modify the listed price to a much lower price: $ 1000/- changed to $ 100/-
3. The payment gateway verifies the transaction as valid: $ 100/- charged
4. The travel portal accepts the transaction as successful and issues a ticket to the consumer

An online travel company can lose millions if the application is not able to handle and identify such online frauds. A flaw in their business logic was identified.
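The price-tampering flaw above comes down to the server charging whatever amount the browser sent. As an added example (not code from the deck or from IndusGuard), the Python below contrasts a checkout handler that trusts the client-supplied price with one that recomputes the fare from a server-side catalogue; the catalogue, itinerary ids and request shape are constructed for illustration.

```python
# Added example, not from the Indusface deck: server-side price check for the
# travel-portal booking flow. Catalogue, itinerary ids and request shape are constructed.
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Constructed server-side fare catalogue: itinerary id -> listed price.
FARES = {
    "BOM-DEL-2024-06-01": Decimal("1000"),
    "BLR-BOM-2024-06-02": Decimal("450"),
}


@dataclass
class Outcome:
    accepted: bool
    charged: Optional[Decimal]
    reason: str


def vulnerable_checkout(request: dict) -> Outcome:
    """Logic flaw: the amount sent to the payment gateway is read from the
    client request, so a tampered 'price' field is charged as-is."""
    if request["itinerary"] not in FARES:
        return Outcome(False, None, "unknown itinerary")
    amount = Decimal(str(request["price"]))  # trusts the browser
    return Outcome(True, amount, "charged client-supplied amount")


def hardened_checkout(request: dict) -> Outcome:
    """Fix: the fare is looked up in the server-side catalogue and only that
    amount is charged; a client price that disagrees is treated as tampering."""
    fare = FARES.get(request["itinerary"])
    if fare is None:
        return Outcome(False, None, "unknown itinerary")
    claimed = Decimal(str(request.get("price", fare)))
    if claimed != fare:
        # Reject and record the mismatch for fraud monitoring; never charge 'claimed'.
        return Outcome(False, None, f"price mismatch: client {claimed}, server {fare}")
    return Outcome(True, fare, "charged server-side fare")


# Constructed requests: the listed fare of 1000 altered to 100 before submission.
TAMPERED = {"itinerary": "BOM-DEL-2024-06-01", "price": 100}
HONEST = {"itinerary": "BOM-DEL-2024-06-01", "price": 1000}

if __name__ == "__main__":
    print(vulnerable_checkout(TAMPERED))  # accepted, 100 charged
    print(hardened_checkout(TAMPERED))    # rejected, price mismatch
    print(hardened_checkout(HONEST))      # accepted, 1000 charged
```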

Page 21

Online Voting System

An online voting portal has a feature which allows the user to cast a vote only after entering the One Time Password (OTP) sent to the user's registered mobile number.

1. A malicious user logs into the application and selects the candidate for whom he wants to cast the vote.
2. The application now asks the user to enter the OTP which was sent to his registered mobile number.
3. After some manipulation, the attacker succeeds in casting the vote without entering the OTP.

Now, if an attacker gets access to a valid user's username and password, he can cast the vote a number of times without entering the OTP.
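The OTP bypass above is a page-sequencing flaw: the vote endpoint does not confirm on the server that the OTP step actually completed. As an added example (not code from the deck or from IndusGuard), this Python sketch keeps the step state server-side, makes the OTP single-use, and records votes per user so the vote can only be cast once; the session store, user ids and the fixed OTP value are constructed for illustration.

```python
# Added example, not from the Indusface deck: server-side step enforcement for
# the online-voting flow. Session store, user ids and the OTP value are constructed.
import hmac


class VotingService:
    def __init__(self):
        self.sessions = {}  # session_id -> per-session state kept on the server
        self.votes = {}     # user_id -> list of candidates voted for

    def login(self, session_id, user_id):
        self.sessions[session_id] = {"user": user_id, "step": "logged_in",
                                     "candidate": None, "otp": None}

    def select_candidate(self, session_id, candidate):
        s = self.sessions[session_id]
        s["candidate"] = candidate
        s["otp"] = "482913"  # constructed; a real OTP is random and sent by SMS
        s["step"] = "otp_sent"

    def verify_otp(self, session_id, submitted):
        s = self.sessions[session_id]
        if s["step"] == "otp_sent" and hmac.compare_digest(s["otp"], submitted):
            s["step"] = "otp_verified"
            s["otp"] = None  # single use
            return True
        return False

    def cast_vote_vulnerable(self, session_id, request):
        """Logic flaw: the 'otp_verified' flag is read from the client request, so
        the OTP page can be skipped, and nothing limits a user to a single vote."""
        s = self.sessions[session_id]
        if not request.get("otp_verified"):
            return "otp required"
        self.votes.setdefault(s["user"], []).append(s["candidate"])
        return "vote cast"

    def cast_vote_hardened(self, session_id, request):
        """Fix: the completed step is read from server-side state only (the request
        body is ignored for this decision), and a user who has voted is refused."""
        s = self.sessions[session_id]
        if self.votes.get(s["user"]):
            return "already voted"
        if s["step"] != "otp_verified":
            return "otp required"
        self.votes[s["user"]] = [s["candidate"]]
        s["step"] = "voted"
        return "vote cast"
```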

Page 22

Benefits

Page 23

Benefits of Hybrid Website Security: Automated + Manual

• Complete coverage of website and web application security assessment
• Zero false positives
• Involvement of a subject matter expert
• Proactive approach in finding vulnerabilities on a daily basis using automated scans
• Evidence of exploit for business owners to demonstrate business impact
• Ability to identify complex logical weaknesses
• Ability to assess complex, huge and dynamic websites

This powerful combination of technology and human intelligence is required to ensure comprehensive security coverage is provided to a web application.

Page 24

Thank You

VADODARA, INDIA A/2-3, 3rd Floor, Status Plaza Opp Relish Resort Atladara Old Padra Road Vadodara – 390020 Gujarat, India T : +91 265 3933000 F : +91 265 2355820

BANGALORE, INDIA 408, 2nd Floor Regency Enclave 4, Magrath Road Bangalore – 560025 Karnataka, India T : +91 80 65608570 +91 80 65608571 F : +91 80 41129296

MUMBAI, INDIA 1357 / 1359, Regus Serviced Offices, Level 13, Platinum Techno Park 17 & 18, Sector 30, Vashi, Navi Mumbai – 400705 Maharashtra, India. T : +91 22 61214961


DELHI, INDIA Regus Serviced Office 2F Elegance, Jasola District Center, Old Mathura Road, New Delhi – 110025, India T : +91 9974090400