Web security common security threats and hacking
Web Security: Common security threats and hacking. Nahidul Kibria, Co-Leader, OWASP Bangladesh, Senior Software Engineer, KAZ Software Ltd. Twitter: @nahidupa. Writing code for fun and food, and a security enthusiast. Shahee Mirza, Certified Ethical Hacker (C|EH).

Presentation Transcript


Web Security Common security threats and hacking


Nahidul Kibria

Co-Leader, OWASP Bangladesh, Senior Software Engineer, KAZ Software Ltd.

Twitter: @nahidupa

Writing code for fun and food, and a security enthusiast.


Shahee Mirza

# Certified Ethical Hacker (C|EH).

# Microsoft® Certified Systems Administrator.

# Information Security Consultant, Nexus IT Zone.

http://www.shaheemirza.com

FB: shaheemirza / Twitter: @shaheemirza


Why should we care?


NOT SECURE


  • Most sites are not secure!

    • Attackers can access unauthorized data!

    • They use your web site to attack your users!


  • Historically, the web wasn’t designed to be secure

    • Built for static, read-only pages

    • Almost no intrinsic security

    • A few security features were “bolted-on” later


  • What does that mean?

  • Cookie-based sessions can be hijacked

  • No separation of logic and data

  • No client-supplied data can be trusted


The vast majority of web applications have serious security vulnerabilities!

Most developers are not aware of the issues.


Web Application threat surface

XSS

XML Injection

Parameter tampering / sniffing

Clickjacking

Directory Traversal

CSRF

SQL Injection

Direct Object Reference

Forged Token


Ajax

Flash

Silverlight

Applets

The attack surface is growing!


Some incident examples


Study: Global cybercrime costs more than illegal drugs

http://www.dnaindia.com/mumbai/report_cyber-crime-costs-india-rs34110-crore-per-year_1588917

Global drug trade—about $288 billion

INSECURE-Mag-31


A common question: I’m innocent, why would I be a target?

I don’t have any sensitive data.

I don’t even serve any important data.

I have no enemies.


The answer is:

  • You have resources...

  • Maybe a multi-core processor... bandwidth

  • Attackers weaponize your PC to attack others or use your resources...

They turn your PC into a zombie.


Botnet - just in brief


This is a problem.


Network security and others


But developers...


Security


Quick Resource Guide


About OWASP

  • OWASP’s mission is “to make application security visible, so that people and organizations can make informed decisions about true application”

Attackers do not use black arts to exploit your application.


220 Chapters


OWASP Bangladesh Chapter

Bangladeshi community of security professionals

Globally recognized

Open for all

Free for all

What do we have to offer?

Monthly Meetings

Mailing List

Presentations & Groups

Open Forums for Discussion

Vendor Neutral Environments


OWASP Top 10 Web Application Security Risks (2010 Edition)

http://www.owasp.org/index.php/Top_10


Application Developers

  • New attack / defense guidelines

  • Cheat Sheets

  • WebGoat: an emulator designed to teach web application security lessons


Existing Enterprise Security Services/Libraries

The OWASP Enterprise Security API


Application Testers and Quality Assurance

Tools

Testing Guide / pentesters

Application Security Verification Standard Project


OWASP ZAP Proxy / WebScarab


OWASP CSRFTester


Application Project Management and Staff

Define the process

SDLC

Code Review


OWASP Code Review Project

Code review tools:

http://codecrawler.codeplex.com/Release/ProjectReleases.aspx

http://orizon.sourceforge.net


OWASP Testing Framework

  • 4.2 Information Gathering

  • 4.3 Configuration Management Testing

  • 4.4 Business Logic Testing

  • 4.5 Authentication Testing

  • 4.6 Authorization Testing

  • 4.7 Session Management Testing

  • 4.8 Data Validation Testing

  • 4.9 Testing for Denial of Service

  • 4.10 Web Services Testing

  • 4.11 Ajax Testing

http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents


  • Myth: “The developer will provide me with a secure solution without me asking”


Download

Get OWASP Books


Coolest Jobs in Information Security

#1 Information Security Crime Investigator/Forensics Expert

#2 System, Network, and/or Web Penetration Tester

#3 Forensic Analyst

#4 Incident Responder

#5 Security Architect

#6 Malware Analyst

#7 Network Security Engineer

#8 Security Analyst

#9 Computer Crime Investigator

#10 CISO/ISO or Director of Security

#11 Application Penetration Tester

#12 Security Operations Center Analyst

#13 Prosecutor Specializing in Information Security Crime

#14 Technical Director and Deputy CISO

#15 Intrusion Analyst

#16 Vulnerability Researcher/ Exploit Developer

#17 Security Auditor

#18 Security-savvy Software Developer

#19 Security Maven in an Application Developer Organization

#20 Disaster Recovery/Business Continuity Analyst/Manager


Subscribe to the mailing list:

https://www.owasp.org/index.php/Bangladesh

https://www.facebook.com/OWASP.Bangladesh

Keep up to date!

Twitter: @nahidupa

Twitter: @owaspbangladesh
