The Present and Future's Safety of Web

1. OWASP AppSec Washington DC 2009 The Present and Future's Safety of Web • 杭州安恒信息技术有限公司 • www.dbappsecurity.com.cn

2. Introduction • Frank CEO and CTO of DBAPPSecurityCo.Ltd • Graduated from the University of California Computer Science • More than ten years technical R&D and project management in the international famous security company • Has a very senior experience in Application security , Database Security,Audit and compliance(SOX,PCI,ISO17799/27001) • The first one on the black hat security conference speech of the Chinese people • CISSP,CISA,GCIH,GCIA • vice president Of China OWASP branch • 2008 Beijing Olympic security group member • Director of Zhejiang Information Security Association Security Services Committee • Be most influential people on cyber warfare special in 2009

3. catalogue The WEB Application Security Present Situation The WEB Application Security Studies Cloud computing and Cloud security The WEB Application Security future development trends and challenges

4. Application Range Any based on B/S architecture (browser) of the information system application sites、e-mail system、enterprise network office system

5. General Framework • browser • applications • database • server software

6. Application Features • Universality：Applications Extensive，overlaid every trade • Importance: internal information, Organization propaganda portal • Vulnerability: faces the user directly, Invasion of internal network through application sisterm

7. The risks overview of WEB application facing • System Level-a lower version of IIS, Apache, lack of patch in windows • Application Level • SQL Injection • XSS(Phishing Attack • Form Flaw • Upload Attack • Website Trojan(Malicious Code) • …… • Networking Level- ARP Spoofing Attacks

8. The current situation of online security is alarming • Network Security Report in the first half of 2010

9. Network security threats already from the traditional host attack and cyber attack turned to application attack.

10. 组建僵尸网络 盗取网上银行账户 入侵企业服务器 批量入侵门户网站 出售 获取金钱 Hackers industry chain 窃取机密信息(图纸、财务报表等） 盗取虚拟财产 盗取个人信息 出售 盗取证券交易账户 洗钱 发送垃圾邮件 收费传播流氓软件 主动攻击勒索网站 拒绝服务攻击 受雇攻击收取佣金

11. There are lots of application security incident endlessly • MYSQL.com and sun.com was invaded in March 2011 The attacker through the MySQL. Check out the user page com into, get to the database, table and user password storage dump data. More seriously, the attacker user password data announced on the Internet so that others to crack. Worse MySQL products of the person in charge of the password has been cracked (unexpectedly is 4 digits: safety consciousness).

12. There are lots of application security incident endlessly • SONY data server was invaded in April 2011 SONY of Japan holded news release conference on May 1 in Tokyo, they apologized for their company network game customer information t hat was stolen.Meanwhile, they also admitted that 10 million credit card data may be leaked, have asked the federal bureau of investigation (FBI) to investigate.

13. There are lots of application security incident endlessly • Gmail was hacked in June 2011

14. There are lots of application security incident endlessly • SinaWeibo was attacked by hacker in June 2011

15. There are lots of application security incident endlessly • One operators was was hacked to trade information about 14 million users

16. The attacks were quiet Web服务器 防火墙 数据库 Sensitive App Data Privileges/Roles Authentication OS file Access Data Dictionary Buffer overflow DOS

17. catalogue The WEB Application Security Present Situation The WEB Application Security Studies Cloud computing and Cloud security The WEB Application Security future development trends and challenges

18. The WEB Application Security Studies • WebMailXSS vulnerability attacks frequently • In early 2011, a domestic famous professional security, application security and database company safety research service team in monitoring the mainstream WEB attack means of hackers, found that WebMail XSS vulnerability against frequent, caused many Internet users be attacked。 In order to secure more internet user from attarck, the safety company security research service team initiative study many domestic famous large WebMail system exists XSS holes。They feedback the relative problem to Tencent, Netease，etc.It kept them from harm .

25. The WEB Application Security Studies • In the software of WEB security • The software of WEB related to the content has also increased.Such as ： • Through the ActiveX expand the browser function • Software embedded in the browser • Call remote WEB page • … … • A domestic famous professional security, application security and database company safety research service team on these aspects into the security research, and found a lot of relative security hole and security problems

26. ActiveX contral extended function causing safety problems • One bank contral destroyed the client arbitrary files, the broken boot/ini files

27. ActiveX control overflow • a stack overflow of IBM Appscan Licensing

28. This was a cause of WEB security threat that Software information was leaked • A Li Wangwang Open WEB port which leak single point login information.

29. XSS frequently • Neteasemail local cross site lightning, in the regional authority executive script scripts

30. Software embedded WEB page being security problems Grand ET speech, invoked the remote WEB page exist cross site, influence software security

31. catalogue The WEB Application Security Present Situation The WEB Application Security Studies Cloud computing and Cloud security The WEB Application Security future development trends and challenges

32. Cloud computing and Cloud security • Cloud computing, is a web based method, in this way, the sharing of software and hardware resources and information can provide according to the needs for computer and other equipment. The whole operation mode is very much like the grid. • Cloud computing • Cloud computing is-in the 1980 s large computer to the client/server big change after another kind of change. Users no longer need to know "cloud" in the infrastructure of the details, don't have to have the corresponding professional knowledge, also need not directly control. Cloud computing describes a web based new IT service increase, use and delivery model, usually involves through the Internet to provide dynamic easy expansion and is often take resources. Cloud is actually network, the Internet a metaphor. Because in the past in the picture are often used to represent telecommunication network clouds, and used to say the Internet and the underlying infrastructure of abstract. The typical cloud computing providers often provide a common network business application, can through the browser software or other Web services to access, and software and data are stored on the server. Cloud computing key elements, including individual user experience. • Cloud computing can think including the following several levels of service: infrastructure as a service IaaS), the platform as a service (PaaS) and software as a service (SaaS). Cloud computing services usually provide general through the browser visit online business application, software and data can be stored in the data center

33. Cloud computing and Cloud security • Cloud computing • service scale, intensive and specialization changed information resources in a repeat the disperse and the safety equipment hard to manage difficult control pattern, which fundamentally changed the whole security pattern, the safety management and control should be beneficial. But, cloud computing is not in order to solve the security problem new weapons. As a web based calculation mode, cloud computing in the service of also will inevitably may appear such as holes, the virus, the attack and information leakage, both in the information system of common common security. Therefore, the traditional information security technology will continue to application in the cloud computing center itself on the safety management, and cloud computing itself information security technology in the development of a manner.

34. Cloud computing and Cloud security • Cloud security • Should emphasize point out is, people of concern to the cloud security, and its essence is the data have party and storage service party of trust between management. Cloud computing model is the core of service, the service is the premise of users and provide service of establishing trust. That is, is data have party and storage service between party formed certain data using agreed, through the both sides of the credit and double constraints means, to solve the reasonable and legitimate use data and not be abused. Safety and trusted computing clouds of all kinds of users of is, the provider, and community interaction and evolution of the accumulated out an inherent quality. Establish the cloud computing services users need to trust and social relations, the basic and the most important is the guarantee of the democracy of the Internet by the formation of the power from the bottom up, or in the community interaction and evolution reflect the credit. How better to abstract, application in the community in the evolution of the quality of the emerging trust, is in the cloud security trust management key problem. Cloud computing in the trust set up, maintain and management can through the social and technological means to assist the way of the combination of the system of trust.

35. Security itself also can become a kind of service. We can build computing clouds security center, specialized service for customers, like the hotel security, the truth is the special hiring the same. Through the cloud computing security center, which can realize intensive and professional security service, to change the current everyone in the patch, each one in the condition of the virus killed. So basically, the scale, intensive, professional computing clouds form on the security is good, not bad.

36. Should emphasize point out is, people of concern to the cloud security, and its essence is the data have party and storage service party of trust between management. Cloud computing model is the core of service, the service is the premise of users and provide service of establishing trust. That is, is data have party and storage service between party formed certain data using agreed, through the both sides of the credit and double constraints means, to solve the reasonable and legitimate use data and not be abused. Safety and trusted computing clouds of all kinds of users of is, the provider, and community interaction and evolution of the accumulated out an inherent quality

37. Should emphasize point out is, people of concern to the cloud security, and its essence is the data have party and storage service party of trust between management. Cloud computing model is the core of service, the service is the premise of users and provide service of establishing trust. That is, is data have party and storage service between party formed certain data using agreed, through the both sides of the credit and double constraints means, to solve the reasonable and legitimate use data and not be abused. Safety and trusted computing clouds of all kinds of users of is, the provider, and community interaction and evolution of the accumulated out an inherent quality

38. 2009年 2010年 • Cloud computing and Cloud security • he mailbox “Google Gmail” broke out the global fault, the time of the service interrupted is as long as 4 hours. • Azure--------The Microsoft’s cloud computing platform stopped working about 22 hours • Back space suffered from the serious cloud service outage • Almost 68000 Saleforce.com users went through 1 hour downtime at least • VMware’s partner-------Terremark has happened about 7 hours downtime affair so that many users begun to suspect its enterprise-class’s vCloud Express service • Intuit’s online bookkeeping and develop service went through the great crash, included its own page’s online products was on the paralysis stage nearly this two days. • Microsoft broke out the BPOS service disruption events

39. 2011年 …… • Cloud computing and Cloud security • The cloud safety accident occurred frequently • In march of 2011，Google mail broke out large-scale user data spills again，About 150000 Gmail users found their all email and chat records have been deleted on Sunday morning，Some users find their accounts are reset，Google said users affected by the problem accounts for about 0.08% of the total number of users • On April 22, 2011，Amazon cloud data center server extensive downtime，The incident is believed to be the most serious cloud computing security events in the history of the amazon • ……

40. catalogue The WEB Application Security Present Situation The WEB Application Security Studies Cloud computing and Cloud security The WEB Application Security future development trends and challenges

41. The future development trends and challenges The attack Based on Web 2.0 become more complex and popular. The Botnet gang Launch turf war. The complex mixed attack Will hold dominant In the domestic，At the same time E-mail and Web also increasingly being included in the mixed attack. Smart phones are the next inevitable. • 云安全云检测

42. The future development trends and challenges • 42 • Core Internet application is facing serious challenges， -- such as online banking, online business hall, online shopping, online game ,etc. Many malicious attacks to attack Web server for the purpose of bad, Through various means to obtain others' personal account information to seek interests. • Hackers quantity rapid growth, Hackers attack technology rapid development, Attacking infinite change. • The current Security defense method can not solve the unknown vulnerabilities and the back door

43. The future development trends and challenges • Network war upgrades • In May 2010, the US army network command to start dealing with network attack • Various countries set up organization of dealing with network attack • Chinese hackers threat to upgrade

44. The future development trends and challenges

45. Thank You！