Slide 1
Resolving Application Vulnerabilities: Blending App Scanners, WAFs, and Code Instrumentation
Slide 2
Agenda
• The Problem
• Identifying Risk
  – Web App Scanning
  – Code Review
• Mitigating Risks
  – Code Patches
  – Web Application Firewall
• A Blended Solution
Slide 3
The Problem
• Web apps have security vulnerabilities, typically because of:
  – Feature deadlines
  – Inexperienced developers
  – Poor system administration
  – Insecure defaults
  – Vulnerable libraries
Slide 4
The Threat Is Increasing
Attackers' techniques and toolkits have advanced.
Slide 5
• Cross-Eyed Scripting
• Click Jacking
• GIFAR
• Deblaze
Slide 6
Recent Attacks
Slide 7
Common Approaches
Identification
  – Web Application Scanning
  – Code Review
Remediation
  – Web Application Firewall
  – Code Patches
Slide 8
Identification
Slide 9
Web App Scanning - Strengths
• Easily finds common vulnerabilities
• Language / platform independent
• Fast and repeatable
• Cost-effective
• Consistent reporting
Slide 10
Web App Scanning - Weaknesses
• Attack surface coverage (limited to what the scanner can reach and recognise as input)
• Detecting complex and unique flaws
• Pinpointing the vulnerable code location
• Providing specific recommendations
Slide 11
Code Review - Strengths
• Identifies logic flaws
• Uncovers hard-to-discover bugs
• Code coverage
• Pinpoints the vulnerable code location
Slide 12
Code Review - Weaknesses
• Resource intensive
• Expensive
• Slow
• Requires source code
• Requires tuning and configuration
Slide 13
Mitigation Techniques
Slide 14
Web App Firewall - Strengths
• Cost effective
• Reduces vulnerability exposure
• Provides breathing room for fixes
• Dynamic patching
Slide 15
Web App Firewall - Weaknesses
• Advanced configuration requires manual tuning
• May lead to a false sense of security
• Another device / application to manage
Slide 16
Code Patches - Strengths
• Solves the root cause of the issue
• Raises developers' security awareness
• Increases application reliability
Slide 17
Code Patches - Weaknesses
• Resource intensive
• Costly
• Slow
• Third-party developers
• Legacy apps
Slide 18
Blended Approach
(Diagram: Web App Scanner, App Server Instrumentation, App Firewall)
Slides 19 and 20
How It Works – Instrumentation
• Aspect-Oriented Programming (AOP)
  – Apply security checks and controls across an application without modifying the source code
(Diagram: Input → Target Application → Output, with AOP checks and controls applied at the entry and end points)
Slide 21
AOP Advice
• Input/output validation
• Logging
• Access control
• Error handling
• Transaction management
• Session management
(Diagram: Method → AOP Advice → Method)
Slide 22
AOP as a WAF
• Intercept HTTP requests and responses
  – Input validation
  – Session management
  – Output encoding
  – Filter information leakage
Slide 23
Blended Approach
(Diagram: Web App Scanner, App Server Instrumentation, App Firewall, with the following labelled links)
• Instrumentation → Scanner: provides input variables, coverage and data flow
• Scanner → Instrumentation: provides dynamic patch info
• Scanner: retest verifies fixes
• App Firewall: intercepts requests and responses
Slide 24
Application Instrumentation
• Provide attack surface details to the application scanner
• Identify scanner code coverage
• Generate dynamic patches based on scanner results
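The deck does not name an application platform, so the following added example (written for this page, not code from the presentation) uses Python, with monkey-patching of handler methods standing in for real AOP weaving such as AspectJ's. The TargetApp, ROUTES, the FINDINGS format and SQLI_PATTERN are constructed assumptions. It shows the three roles the slides give instrumentation: around advice on handler entry and exit (slides 19 to 21), request and response interception that blocks, encodes and filters information leakage like a WAF (slide 22), and dynamic patches generated from scanner findings (slide 24).

```python
import functools
import html
import re
from dataclasses import dataclass
from typing import Optional

# Target application: a constructed stand-in whose source is never edited.
# Both handlers trust their input (vulnerable by construction).
class TargetApp:
    def __init__(self):
        self.queries = []            # SQL the app would have run

    def search(self, request):
        q = request["params"].get("q", "")
        self.queries.append(f"SELECT * FROM items WHERE name = '{q}'")
        return {"status": 200, "headers": {"Server": "Apache/2.2.3"},
                "body": f"<p>Results for {q}</p>"}

    def profile(self, request):
        name = request["params"].get("name", "")
        return {"status": 200, "headers": {"Server": "Apache/2.2.3"},
                "body": f"<h1>{name}</h1>"}

ROUTES = {"/search": "search", "/profile": "profile"}   # path -> handler name

# Scanner findings in a constructed format; real scanners report differently.
FINDINGS = [
    {"type": "sqli", "path": "/search", "param": "q"},
    {"type": "xss", "path": "/profile", "param": "name"},
]

SQLI_PATTERN = re.compile(r"['\";]|--|/\*|\b(union|select)\b", re.I)

@dataclass
class Rule:
    path: str
    param: str
    action: str                          # "block" or "encode"
    pattern: Optional[re.Pattern] = None

def rules_from_findings(findings):
    """Turn each scanner finding into a dynamic patch: a per-parameter WAF rule."""
    rules = []
    for f in findings:
        if f["type"] == "sqli":
            rules.append(Rule(f["path"], f["param"], "block", SQLI_PATTERN))
        elif f["type"] == "xss":
            rules.append(Rule(f["path"], f["param"], "encode"))
    return rules

def security_advice(handler, path, rules, log):
    """Around advice: runs before and after the handler without touching its code."""
    @functools.wraps(handler)
    def around(self, request):
        log.append(f"enter {path}")
        params = dict(request["params"])
        for rule in rules:
            if rule.path != path or rule.param not in params:
                continue
            value = params[rule.param]
            if rule.action == "block" and rule.pattern.search(value):
                log.append(f"blocked {path} param={rule.param}")
                return {"status": 403, "headers": {}, "body": "Forbidden"}
            if rule.action == "encode":          # neutralise reflected XSS
                params[rule.param] = html.escape(value, quote=True)
        response = handler(self, {**request, "params": params})
        # After the handler: strip information leakage from the response.
        response["headers"].pop("Server", None)
        response["headers"].pop("X-Powered-By", None)
        if "Traceback" in response["body"]:
            response["body"] = "Internal error"
        log.append(f"exit {path} status={response['status']}")
        return response
    return around

def weave(app_class, routes, rules, log):
    """Replace each routed handler on the class with its advised version.
    Monkey-patching here stands in for real weaving (e.g. AspectJ bytecode weaving)."""
    for path, name in routes.items():
        setattr(app_class, name, security_advice(getattr(app_class, name), path, rules, log))
    return app_class

def build_protected_app(findings=FINDINGS):
    """Weave advice into a fresh subclass so the original class stays untouched."""
    log = []
    protected_cls = type("ProtectedApp", (TargetApp,), {})
    weave(protected_cls, ROUTES, rules_from_findings(findings), log)
    return protected_cls(), log

def dispatch(app, path, params):
    """Minimal router: deliver a request dict to the handler registered for `path`."""
    return getattr(app, ROUTES[path])({"path": path, "params": params})

if __name__ == "__main__":
    app, log = build_protected_app()
    print(dispatch(app, "/search", {"q": "' OR 1=1 --"}))                   # blocked
    print(dispatch(app, "/profile", {"name": "<script>alert(1)</script>"}))  # encoded
    print(log)
```

Two caveats a practitioner would want. The block rule is scoped to the exact path and parameter the scanner reported, which is what makes it a dynamic patch rather than a blanket signature, but it only buys the breathing room slide 14 mentions: the string-concatenated SQL in `search` is still there, and the pattern can be bypassed, so treating the rule as the fix is the false sense of security slide 15 warns about. The encode rule changes what the handler receives, so it must never be applied to a parameter the application needs raw (a password, a signature), which is why the rules are generated per finding instead of globally.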
Slide 25
Similar Solutions
Slide 26
Next Steps
• Further research on applying AOP instrumentation
• AOP-based WAF
• Integrate scanner technology
Slide 27
Conclusion
• Blending an app scanner, a WAF and instrumentation provides:
  – Cost effective
  – Efficient
  – Comprehensive
  – Scalable
  – Repeatable
  – Consistent results
Slide 28
Questions
Slide 30
Introspection
Slide 31
Additional Checks
• Regularly checks the config file for insecure settings
• Monitors files in the webroot
• Determines all application input by evaluating application code
• Traces SQL
• Intercepts all requests / responses
• Basic WAF capability
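Two of the checks above, determining every application input from the code (which is also the attack surface detail slide 24 says instrumentation should hand to the scanner) and checking the config file for insecure settings, as an added example that is not the presentation's own code. The sample application source is a constructed Flask-style snippet, chosen only because its inputs are all read through `request.<source>`; it is parsed, never executed. The config file, the INSECURE_VALUES table and DEFAULT_SECRETS are likewise constructed for illustration.

```python
import ast
import configparser

# Constructed sample of the target application's source (Flask-style; an assumption
# about the framework). It is only parsed, so render() and check() need not exist.
SAMPLE_APP_SOURCE = '''
from flask import Flask, request
app = Flask(__name__)

@app.route("/search", methods=["GET"])
def search():
    q = request.args.get("q", "")
    page = request.args["page"]
    return render(q, page)

@app.route("/login", methods=["POST"])
def login():
    user = request.form["username"]
    pw = request.form.get("password")
    token = request.cookies.get("session")
    return check(user, pw, token)
'''

# request.<attr> -> the input channel a scanner would have to exercise
INPUT_SOURCES = {"args": "query", "form": "body", "cookies": "cookie", "headers": "header"}

def _is_request_source(node):
    return (isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name)
            and node.value.id == "request" and node.attr in INPUT_SOURCES)

def _route_of(func_node):
    """Return (path, methods) from an @app.route(...) decorator, or None."""
    for dec in func_node.decorator_list:
        if (isinstance(dec, ast.Call) and isinstance(dec.func, ast.Attribute)
                and dec.func.attr == "route" and dec.args
                and isinstance(dec.args[0], ast.Constant)):
            methods = ["GET"]
            for kw in dec.keywords:
                if kw.arg == "methods" and isinstance(kw.value, (ast.List, ast.Tuple)):
                    methods = [e.value for e in kw.value.elts if isinstance(e, ast.Constant)]
            return dec.args[0].value, methods
    return None

def _inputs_in(func_node):
    """Collect (channel, name) for request.<src>.get("name", ...) and request.<src>["name"]."""
    found = []
    for node in ast.walk(func_node):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "get" and _is_request_source(node.func.value)
                and node.args and isinstance(node.args[0], ast.Constant)):
            found.append((INPUT_SOURCES[node.func.value.attr], node.args[0].value))
        elif (isinstance(node, ast.Subscript) and _is_request_source(node.value)
                and isinstance(node.slice, ast.Constant)):          # Python 3.9+ AST shape
            found.append((INPUT_SOURCES[node.value.attr], node.slice.value))
    return found

def attack_surface(source):
    """Map each routed handler to the inputs it reads: the list the scanner should fuzz."""
    surface = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef):
            route = _route_of(node)
            if route:
                path, methods = route
                surface[path] = {"methods": methods, "inputs": _inputs_in(node)}
    return surface

# Constructed config file and the settings the check flags (assumed keys).
SAMPLE_CONFIG = """
[app]
debug = true
secret_key = changeme

[session]
cookie_secure = false
"""
INSECURE_VALUES = {("app", "debug"): "true", ("session", "cookie_secure"): "false"}
DEFAULT_SECRETS = {"", "changeme", "secret"}

def insecure_settings(config_text):
    """Flag known-bad values; a deployed agent would re-run this on a schedule."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    issues = [f"{s}.{k}={bad}" for (s, k), bad in INSECURE_VALUES.items()
              if cp.get(s, k, fallback="").lower() == bad]
    if cp.get("app", "secret_key", fallback="") in DEFAULT_SECRETS:
        issues.append("app.secret_key=default")
    return issues

if __name__ == "__main__":
    for path, info in attack_surface(SAMPLE_APP_SOURCE).items():
        print(path, info)
    print(insecure_settings(SAMPLE_CONFIG))
```

The static walk finds the `page` and `username` inputs even though a crawler would never see a link or form that sets them, which is the coverage gap slide 10 lists for scanners; a real agent would also need to follow inputs read indirectly (through helper functions or `request.values`), so the list should be treated as a lower bound and combined with the request interception the previous slides describe.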