
WebSec 101
Presented By
Mike Andrews
Copyright © 2008, McAfee, Inc.
Intro Music by DoKashiteru via CCMixter
About
The way the world is
► The wheel of IT
► More software being pushed to the web
● Netcraft Webserver Survey
► Systems are getting more complex
Bad news…
► It seems to be getting much easier to find vulns in web-based software
● 63% of all vulns disclosed in 2008 were in web apps
[Symantec Internet Security Threat Report, Trends for 2008]
► Where are the vulns?
► Why?
The total number of publicly reported web application vulnerabilities has risen sharply,
to the point where they have overtaken buffer overflows. This is probably due to ease
of detection and exploitation of web vulnerabilities, combined with the proliferation
of low-grade software applications written by inexperienced developers. In 2005 and
2006, cross-site scripting (XSS) was number 1, and SQL injection was number 2.
…Good news
► Window of exposure
► The “instant service pack”
[Chart: window of exposure, Traditional App vs. Web App]
…The somewhat better news
► Vendors are securing systems “out of the box”
► Developers are starting to hear about the
► Lots more info in the main IT press
● SQL injection and XSS
● Cross-site request forgery is hardly being talked about! (save this for another webcast)
No silver bullet?
► Jack and the beanstalk…
► Are there silver bullets?
● Education
− TM, CR, PT, Policy, Sec response, …
● Frameworks
The purpose of this webcast is to…
► Generate more awareness of the main issues in having secure web apps
● Web apps are the most common dev platform
● “That’s where the money is” – Willie Sutton
● We’re still making stupid/simple mistakes
► Look at auditing web apps for basic security mistakes. Black-box, mostly for two reasons:
● It’s how most people are testing (security or otherwise, for good or bad)
● Try to be language/system agnostic, although will mostly focus on LAMP and WISA
► Knowledge transfer
► Generate discussion on trends/news
► Short! -- ~20 minutes.
Bugs vs. Flaws vs. “Top N’s”
► In (web)appsec we’ve focused a lot on “bugs”
► Flaws are just as (more?) important, and harder to find
► Top-N lists are “bug parades”
● Useful for awareness/education
● Can change quickly (and miss things)
● Only scratch the surface
► Taxonomies or frameworks?
● Best practices
General Structure
► Follow a “security frame”
● User management
● Session management
● Data (more than one webcast on this topic)
● [ your choice… ]
► Some “other” topics
● Techniques - Automated vs. Manual testing
● Technologies, and what they are good for (e.g. WAFs)
● Consulting, outsourcing, etc. (insider knowledge on how to use/manage them)
● May move into things like SDL (given enough interest)
● Keep this going into code?
Each topic should…
● Introduce the basics of the area/attack/technology
− Will not be “all you need to know”, but more of a starting point
− Attacks always get better, they never get worse
− It’s an infinite space, and your own brain is your best tool
● Discuss why it’s a good/bad thing
● Mitigation techniques (if appropriate)
● Point to some of what I think are the seminal articles/posts/papers that you should follow up with
● I’m up for going back and either re-recording or writing follow-up posts with more detail if needed
► Some homework if anyone is interested :)
● http://www.securitybloggers.net/
● http://www.securosis.com/blog/new-release-building-aweb-application-security-program
● http://ha.ckers.org
● http://jeremiahgrossman.blogspot.com
● “How to Break Web Software” – Mike Andrews & James Whittaker
● “XSS Exploits: Cross Site Scripting Attacks and Defense” – Seth Fogie et al.
● “Hacking Exposed - Web Applications” – Joel Scambray et al.
● “Innocent Code” – Sverre Huseby
● “19 Deadly Sins of Software Security” – Michael Howard et al.
● “Improving Web Application Security: Threats and Countermeasures” – J.D. Meier et al.
Next Up: Configuration
► Number of servers on the internet
● http://news.netcraft.com/archives/web_server_su
► Window of exposure
● http://www.schneier.com/crypto-gram-0009.html
► SQL injection and XSS mentions
● www.google.com/trends
► http://www.bsi-mm.com