Web Security Insights

Tracy Magoma
April 05, 2024


Transcript

  1. WHOAMI
     • Senior Officer, Cybersecurity Assurance at Safaricom PLC
     • Volunteer – ISACA Kenya Chapter
     • Member - SheHacksKE
     • CTF Player
     • Nature lover, Foodie, Books
  2. TOPICS TO BE COVERED
     1. What is Web Security?
     2. Principles of Web Security (CIA Triad)
     3. Importance of Web Security
     4. Most Common Web Application Security Threats (OWASP Top 10)
     5. DevSecOps
     6. Tools
     7. Demo
  3. WHAT IS WEB SECURITY?
     • Web security involves implementing protective measures and practices to safeguard web-based systems, applications, and data.
     • It aims to prevent unauthorized access, manipulation, and exploitation of web resources, including web applications, web servers and web browsers.
     • Web security measures help identify and mitigate vulnerabilities in web technologies, such as software bugs, misconfigurations, and design flaws, which could be exploited by attackers.
     • It involves securing the communication channels used over the internet, such as encryption techniques to protect data transmitted between clients and servers.
  4. IMPORTANCE OF WEB SECURITY
     1. Protection of Sensitive Data
     2. Prevention of Cyber Attacks
     3. Maintenance of User Trust
     4. Compliance with Regulations
     5. Business Continuity and Resilience
  5. MOST COMMON WEB APPLICATION SECURITY THREATS (OWASP TOP 10)
     Threat / Description / Mitigations
     1. Broken Access Control
        Description: Failure to enforce access controls properly
        Mitigations:
        - Implement proper authorization mechanisms
        - Enforce least privilege
     2. Cryptographic Failures
        Description: Inadequate protection of sensitive data
        Mitigations:
        - Encrypt sensitive data at rest using strong encryption algorithms
        - Encrypt data in transit using secure protocols like TLS
     3. Injection
        Description: Untrusted data execution in interpreters or queries
        Mitigations:
        - Use parameterized queries or prepared statements
        - Implement input validation and sanitization
        - Escape special characters
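The Injection row pairs "untrusted data execution in interpreters or queries" with parameterized queries. The following added example (not code from the deck) shows both sides on an in-memory SQLite database with constructed sample rows: the string-built query lets a quoted input rewrite the WHERE clause, while the bound query treats the same input as plain data.

```python
import sqlite3


def build_db():
    """Constructed in-memory sample database (not from the original deck)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, username):
    """Vulnerable form: untrusted input is concatenated into the query text,
    so the interpreter (SQLite) executes whatever structure the input carries."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Mitigated form: a parameterized query keeps the input as a bound value;
    quotes or keywords inside it have no SQL meaning."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups against the same constructed input and return the counts."""
    conn = build_db()
    hostile = "x' OR '1'='1"  # constructed sample input containing a quote
    return {
        "unsafe_rows": len(find_user_unsafe(conn, hostile)),  # whole table leaks
        "safe_rows": len(find_user_safe(conn, hostile)),      # no such username
        "normal": find_user_safe(conn, "bob"),                # ordinary lookup
    }


if __name__ == "__main__":
    print(demo())
```

The same rule applies to any interpreter the application talks to (shell commands, LDAP filters, NoSQL queries): the untrusted value must be passed through a binding or escaping API, never spliced into the command text.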
  6. MOST COMMON WEB APPLICATION SECURITY THREATS (OWASP TOP 10)
     Threat / Description / Mitigations
     4. Insecure Design
        Description: Focuses on risks related to design and architectural flaws
        Mitigations:
        - Implement threat modeling
        - Establish a secure software development lifecycle
        - Integrate security concerns and controls into all user stories
     5. Security Misconfigurations
        Description: Incorrect implementation of security settings
        Mitigations:
        - Follow secure configuration guidelines
        - Regularly update and patch software
     6. Vulnerable and Outdated Components
        Description: Includes vulnerabilities resulting from unsupported or outdated software
        Mitigations:
        - Remove unused dependencies, features, components, and files from applications
        - Continuously scan libraries and their dependencies for vulnerable components
  7. MOST COMMON WEB APPLICATION SECURITY THREATS (OWASP TOP 10)
     Threat / Description / Mitigations
     7. Identification and Authentication Failures
        Description: Incorrect implementation of authentication mechanisms
        Mitigations:
        - Implement multi-factor authentication (MFA)
        - Use strong password policies
        - Secure session management
     8. Software and Data Integrity Failures
        Description: Involves code and infrastructure that are vulnerable to integrity violations
        Mitigations:
        - Use digital signatures to verify that software or data is from the expected source
        - Ensure libraries and dependencies are pulled from trusted repositories
        - Establish a review process for code and configuration changes
        - Ensure that your CI/CD pipeline has proper configuration and access controls
  8. MOST COMMON WEB APPLICATION SECURITY THREATS (OWASP TOP 10)
     Threat / Description / Mitigations
     9. Security Logging and Monitoring Failures
        Description: Failure to sufficiently log, monitor, or report security events
        Mitigations:
        - Implement logging mechanisms
        - Ensure logs contain enough context to identify suspicious behavior and enable in-depth forensic analysis
        - Monitor logs for suspicious activities
     10. Server-Side Request Forgery
        Description: The server is manipulated into making unauthorized requests to other internal or external systems
        Mitigations:
        - Implement proper input validation and sanitization
        - Restrict access to sensitive resources
        - Use "deny by default" firewall policies to block unwanted Internet traffic
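The Server-Side Request Forgery row lists input validation and "deny by default" as the mitigations. The following added example (not code from the deck) applies both at the application layer: a user-supplied URL is accepted only if its scheme and host are on an allowlist and it does not point at a loopback, private or link-local address. The hostnames in ALLOWED_HOSTS and the function names are constructed for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Deny by default: only these destinations may be fetched server-side.
# Constructed placeholder names, not from the original deck.
ALLOWED_HOSTS = {"images.example.com", "api.partner.example.net"}
ALLOWED_SCHEMES = {"https"}


def is_internal_address(host):
    """True when host is an IP literal in a non-public range (loopback,
    private, link-local such as cloud metadata endpoints, reserved)."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False  # a DNS name, not an IP literal; the allowlist decides
    return not ip.is_global


def validate_outbound_url(url):
    """Return (ok, reason); ok is True only when every check passes."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname  # already lower-cased; None when no authority part
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"  # keep the compared host unambiguous
    if is_internal_address(host):
        return False, "internal address"
    if host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://images.example.com/logo.png",   # allowed
        "http://images.example.com/logo.png",    # wrong scheme
        "https://127.0.0.1/admin",               # loopback
        "https://other.example.org/",            # not allowlisted
    ):
        print(candidate, validate_outbound_url(candidate))
```

This check validates the literal URL only; an allowlisted DNS name can still resolve to an internal address, so the resolved IP should be checked again at connection time and egress should also be restricted by the network-level deny-by-default policy the slide mentions.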
  9. DEVSECOPS
     • It is the integration of security practices into the DevOps process.
     • Emphasizes building security into every stage of the software development lifecycle.
     • Use automated security testing tools to identify vulnerabilities early.
     • Integrate security checks into the CI/CD pipeline.
     • Shift-Left: Move security practices earlier in the development process to catch issues sooner.
     • Security Scans – SAST, DAST and SCA
  10. DEVSECOPS
     Static Application Security Testing (SAST)
     • Involves analyzing the source code to identify potential security vulnerabilities.
     • It scans the codebase without executing the application.
     Dynamic Application Security Testing (DAST)
     • Involves testing an application while it is running to identify vulnerabilities from the outside, simulating real-world attacks.
     Software Composition Analysis (SCA)
     • Involves scanning third-party and open-source components used in an application.
     • Analyzes dependencies, libraries, and frameworks to ensure that they do not introduce security vulnerabilities.
  11. TOOLS
     1. Snyk
     2. Veracode
     3. OWASP Dependency-Check
     4. OWASP ZAP
     5. Burp Suite
     6. Acunetix
     7. Nessus