Outpost24 webinar - Demystifying Web Application Security with Attack Surface Visibility
Download as PPTX, PDF0 likes55 views
The document outlines strategies for enhancing web application security by identifying and measuring attack surfaces. It emphasizes the importance of continuous security assessments and using various security tools, best practices, and metrics to evaluate potential vulnerabilities. The authors encourage adopting a dynamic application security program to effectively mitigate risks.
Outpost24 webinar - Demystifying Web Application Security with Attack Surface Visibility
- 1. Demystify Web application Security with attack surface visibility Simon Roe and John Stock, Outpost24 27th January 2021
- 2. Helping customers improve security posture since 2001 Full stack security assessment Over 2,000 customers in all regions of the world Complete Application security for DevSecOps Crest certificated penetration testing.
- 4. Why should you care 4
- 5. 5 • Pen testing, DAST scanning, SAST, SCA, IAST • DevSecOps • WAF, RASP • So many buzz words, different products, • Where do we start Overwhelming choice
- 6. 6 • What you know (your Ecommerce system) • What you don’t know • IOT devices • Benefits • Marketing campaigns • Acquisitions • Other 3rd party sites (employee benefits) • These make up your addressable attack surface How to identify your application attack surface score
- 7. Retail analysis – An example 7
- 8. 8 • Assess each application using OSINT techniques to identity potential areas of risk. • We’ll look at the how and why next Then What
- 9. Mapping your application attack surface John Stock 9
- 10. 10 • Basic understanding of the web application • Don’t need to understand DEVOPS or be an Appsec Guru • Mostly what we would call ‘Basic security best practice’ Where to start…
- 11. 11 • Basic understanding of the web application • Don’t need to understand DEVOPS or be an Appsec Guru • Mostly what we would call ‘Basic security best practice’ • Available tools include: • Maltego • theHarvester • ShodanHQ • But as its out site, we can also just use the most powerful tool available… A web browser! What tools do I need?
- 12. Security Mechanism Two main things to consider • Use of TLS • Is there any input validation? 12
- 13. 13 How was the page created? • Static HTTP • Or dynamic content, eg PHP, ASP, JSP… Page Creation Method
- 14. Degree of Distribution • Cross domain is always harder to secure • The greater the number of second level and sub domains, the higher the risk 14
- 15. 15 • Is there authentication? • Is it email & password? • Any signs of 2FA? Authentication
- 16. Input Vectors How many opportunities are there for data input? • Forms • Hidden parameters • URL parameters • Search 16
- 17. Active Content • JavaScript, external JavaScript, Server Side Scripting, AJAX, Java, Flash, External Flash, RSS feed…… Oh boy! • Does it make use of a plugin or helper app? Active! 17
- 18. 18 Everyone loves cookies! • Number of cookies • both external (foreign) • internal (local) • Type of cookie: • Tracking • Session Management • Authentication Cookies
- 19. Scoring your attack surface and beyond 19
- 20. • Turn those attack vectors into scores 20 Scoring your application attack surface SM PCM DOD AUT IV ACT CS 9.95 100 91.18 33.33 29.04 100 0
- 21. Translate scores to a visual Attack surface summary 21 0.00 0.20 0.40 0.60 0.80 1.00 V1: Security Mechanisms V2: Page Creation Method V3: Degree of Distribution V4: Authentication V5: Input Vectors V6: Active Content V7: Cookies Attack Surface Radar AS Score: 33.48 of 42.19
- 22. Overall Application attack surface score card jQuery 1.12.4 jQuery Migrate 1.4.1 PHP/5.6.40 Apache/2.4.6 Findings: Scope: www.Outpost24.com AS Score: 39. 16 of 42.00 SM PCM DOD AUT IV ACT CS 9.95 100 91.18 33.33 29.04 100 0 Alexa Ranking: #413,480 in global internet engagement Vulnerable Vulnerable WordPress 5.2.6 DOS, Vulnerable Vulnerable OK Over the past 90 days 0.00 0.20 0.40 0.60 0.80 1.00 V1: Security Mechanisms V2: Page Creation Method V3: Degree of Distribution V4: Authentication V5: Input Vectors V6: Active Content V7: Cookies Attack Surface Radar <- Screenshot of app
- 23. Leads to informed choice of tools • Make informed choices about tools, solutions and services • Critical applications : Continuous hybrid application testing • Less critical : DAST scanning + one time penetration test • Identify IOT devices, turn off access or block with firewall • Start to inform development decisions • SCA for 3rd party components • SAST or IAT for code improvements • Build a continuous application security assessment program 23
- 24. Adopt a continuous approach to application security 24
- 25. Takeaways • Applications continues to be a prime vector for breaches. • Measuring the right attack vectors gives you a comprehensive view of an applications attack surface • This in turn gives you a sense of the risk the application poses • Using this information can help drive your application security program (ASP) • Your ASP should be dynamic and continuous, not one time and done 25
- 26. Simon Roe, [email protected] John Stock, [email protected] Let’s start an application security program today!