New Technologies New Risks


Presentation Transcript


  1. New Technologies: New Risks

  2. Technology and Security Evolution: Mainframe
  • Technology: single host; limited, trusted users
  • Security: internal user authentication; Access Control List on a single host

  3. Technology and Security Evolution: Network
  • Technology: multiple trusted hosts; multiple trusted users
  • Security: Access Control Lists on multiple trusted hosts; internal user authentication; network segmentation

  4. Technology and Security Evolution: Internet
  • Technology: large number of untrusted users; untrusted network; complexity of network configuration
  • Security: Access Control Lists on multiple untrusted hosts; external user authentication; network segmentation and filtering (firewalls)

  5. Technology Evolution: E-commerce and Web Services
  • Critical data
  • Complexity: network configuration, development
  • Business to Business (B2B), Business to Clients (B2C)

  6. E-commerce and Web Services: New Risks

  7. Access to Critical data over trusted communication ports

  8. Rapid Development
  • Complex development framework
  • Competitive market
  • Development cost
  • Automation tools

  9. High-Level Languages for Complex Tasks
  • New languages hide complexity
  • Development complexity is hidden
  • Templates and wizards
  • Distributed programming architecture

  10. Scripting Languages
  • Not compiled
  • Process flow can be modified at run time
  • Rely on compiled languages
  • Used in untrusted environments to access critical data

  11. Dynamic Environment
  • High level of customization
  • Different integration requirements
  • Custom development

  12. How does a web application work?

  13. Web Application Process

  14. Terminology
  • Script and argument: http://somesite.com/script?argument1=somedata (script: script; argument: argument1)
  • Script, argument and data: http://somesite.com/script?argument1=somedata1 (script: script; argument: argument1; data: somedata1)

  15. Web Communication
  • GET
    • Most widely used request method.
    • Simplest request method.
    • Consists of a resource and an argument.
    • Example: http://server/file?argument1=data
  • POST
    • Used to transfer data to the server.
    • Mostly used in conjunction with HTML forms.

  16. Current Attack Methods

  17. SQL Injection
  • SQL injection is the process of modifying the internal SQL query of the server-side script to perform actions not intended by the developers.
  • SQL injection can have serious security implications, from data loss to full infiltration of your internal network.
  • Widely used and the most documented type of web application attack.
  • Can be used against most languages used to develop web applications.
  • Only impacts applications that use a back-end SQL server to store data.

  18. Code Injection
  • Code injection is the process of injecting code that will be processed by the server.
  • Code injection is extremely dangerous, since the remote attacker can make the server run their code.
  • Code injection is not widely used and is caused by file access abstraction.
  • Not all programming languages are affected.

  19. Application Discovery with Program Errors
  • Like normal applications, web applications display error messages when something goes wrong.
  • Error messages often display a lot of information about the environment and the cause of the error.
  • Often the information displayed gives away too much.
  • Error messages are often used by attackers to gain a better understanding of the environment they are attacking and can help them construct very precise attacks.

  20. Error Reporting Example

  21. Development Considerations to Prevent Attacks

  22. Dealing with a Hostile Environment
  • All incoming data should be treated as potentially invalid.
  • All outgoing data should be documented, and undocumented data should not be sent to the client.
  • All error messages should be standardized.

  23. Dealing with Error Reporting
  • All errors should be caught by the application.
  • When an error occurs, the user should be directed to a standard page indicating that an error has occurred.
  • The full error message should be sent to the development team.

  24. Programming Language - Application Programming Interface
  • Developers and software engineers should review all functions used and the full impact they might have.
  • A detailed list of valid characters should be made, and all others should be rejected.
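An added example, not from the presentation, that combines the rules of slides 22 to 24: an allowlist of valid characters for one argument, a catch-all so the client only ever sees the standard message, and the full error text going to a separate channel. The allowlist and the `dev_log` list standing in for the development team's channel are assumptions.

```python
import string
import traceback

# Assumed allowlist for a hypothetical 'username' argument: letters, digits, '_' and '.'.
ALLOWED_CHARS = frozenset(string.ascii_letters + string.digits + "_.")
MAX_LEN = 32
STANDARD_MESSAGE = "An error has occurred. Please try again later."

class InvalidInput(ValueError):
    """Raised for any character or length outside the documented set."""

def validate_username(value):
    # Allowlist check: everything not explicitly permitted is rejected,
    # rather than trying to enumerate dangerous characters.
    if not isinstance(value, str) or not 0 < len(value) <= MAX_LEN:
        raise InvalidInput("missing or out-of-range length")
    rejected = sorted(set(value) - ALLOWED_CHARS)
    if rejected:
        raise InvalidInput("disallowed characters: %s" % "".join(rejected))
    return value

def handle_request(username, dev_log):
    """Return (status, body) for the client. Only STANDARD_MESSAGE ever reaches
    the client; the full error and traceback are appended to dev_log."""
    try:
        user = validate_username(username)
        return 200, "Welcome, %s" % user
    except InvalidInput as exc:
        dev_log.append("%s: %s" % (type(exc).__name__, exc))
        return 400, STANDARD_MESSAGE
    except Exception as exc:  # anything unexpected: still no internals to the client
        dev_log.append("%s: %s\n%s" % (type(exc).__name__, exc,
                                       traceback.format_exc()))
        return 500, STANDARD_MESSAGE
```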

  25. Platform Configuration
  • Administrators should read the documentation of the specific platform used to run the web applications.
  • Administrators and developers should be aware of the types of internal and external communication it may use with other applications (single sign-on, database, LDAP, ...).

  26. Network Configuration
  • Only the ports used by your web server (often 80 (HTTP) and 443 (HTTP-SSL)) should be allowed as incoming communication.
  • Outgoing communication should be restricted to limit many types of attack.
  • All communication between the various servers used in your environment should be documented, and all other types of communication should be restricted.
  • For added security, all traffic between servers that should not be talking to each other should be flagged and investigated immediately.
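One way to act on the last three bullets, as an added example that is not part of the presentation: a documented communication matrix plus a check that flags any logged flow outside it, including inbound connections to anything but the web server's ports and undocumented outbound connections. Host names, ports and the log lines are constructed placeholders.

```python
# Constructed placeholders for the documented matrix: which hosts are ours,
# which of them serve the web, and the expected (src, dst, port) flows.
INTERNAL_HOSTS = {"web1", "db1", "ldap1"}
WEB_SERVERS = {"web1"}
INBOUND_PORTS = {80, 443}    # only the ports the web server listens on
DOCUMENTED_FLOWS = {
    ("web1", "db1", 3306),   # web tier to database
    ("web1", "ldap1", 389),  # web tier to directory
}

# Constructed sample of firewall accept records, one connection per line.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z src=web1 dst=db1 port=3306 action=accept
2024-01-01T10:00:05Z src=web1 dst=ldap1 port=389 action=accept
2024-01-01T10:00:09Z src=db1 dst=web1 port=22 action=accept
2024-01-01T10:00:12Z src=203.0.113.7 dst=web1 port=443 action=accept
2024-01-01T10:00:15Z src=203.0.113.9 dst=web1 port=8080 action=accept
2024-01-01T10:00:20Z src=ldap1 dst=203.0.113.50 port=53 action=accept
"""

def parse_line(line):
    """Turn the key=value fields into (src, dst, port); the timestamp is dropped."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return fields["src"], fields["dst"], int(fields["port"])

def classify(flow):
    """Return None for an expected flow, otherwise a short reason to investigate."""
    src, dst, port = flow
    if flow in DOCUMENTED_FLOWS:
        return None
    if src in INTERNAL_HOSTS and dst in INTERNAL_HOSTS:
        return "undocumented internal flow"
    if dst in INTERNAL_HOSTS:  # inbound from outside
        if dst in WEB_SERVERS and port in INBOUND_PORTS:
            return None
        return "inbound to non-web port"
    return "undocumented outbound flow"

def flag_flows(log_text):
    """Return sorted (src, dst, port, reason) for every flow that needs a look."""
    flagged = set()
    for line in log_text.splitlines():
        if line.strip():
            flow = parse_line(line)
            reason = classify(flow)
            if reason:
                flagged.add(flow + (reason,))
    return sorted(flagged)
```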

  27. PricewaterhouseCoopers GRMS

  28. GRMS - Information Security Solutions
  • Web Application Assessment
  • Input Validation
  • Configuration Assessment of platform
  • Attack and Penetration
  • Network Security Assessment
  • Penetration Tests
  • Host Security Assessment
  • Source Code review
  • Security Architecture review
  • Identification of vulnerable function calls
  • Integrity
