Imperva, profile picture
Uploaded byImperva
PDF, PPTX637 views

The State of Application Security: What Hackers Break

The document discusses the state of application security, highlighting the prevalence of web vulnerabilities and the need for prioritizing defenses against automated attacks. Key findings include identifying common attack methods, notably SQL injection and cross-site scripting, and emphasizing the importance of deploying real-time security solutions based on hacker activity. Additionally, it points out that the U.S. is a significant source of cyber attacks, raising concerns about the discrepancy between security spending and the ongoing threat landscape.

Embed presentation

Download as PDF, PPTX
The State of Application Security: What Hackers Break Amichai Shulman, CTO, Imperva
Agenda  The current state of Web vulnerabilities  Studying hackers + Why? Prioritizing defenses + How? Methodology  Analyzing real-life attack traffic + Key findings + Take-aways  Technical recommendations 2
Imperva Overview Imperva’s mission is simple: Protect the data that drives business The leader in a new category: Data Security HQ in Redwood Shores CA; Global Presence + Installed in 50+ Countries 1,200+ direct customers; 25,000+ cloud users + 3 of the top 5 US banks + 3 of the top 10 financial services firms + 3 of the top 5 Telecoms + 2 of the top 5 food & drug stores + 3 of the top 5 specialty retailers + Hundreds of small and medium businesses 3
Today’s Presenter Amichai Shulman – CTO Imperva  Speaker at industry events + RSA, Sybase Techwave, Info Security UK, Black Hat  Lecturer on Info Security + Technion - Israel Institute of Technology  Former security consultant to banks and financial services firms  Leads the Application Defense Center (ADC) + Discovered over 20 commercial application vulnerabilities – Credited by Oracle, MS-SQL, IBM and others Amichai Shulman one of InfoWorld’s “Top 25 CTOs”
WhiteHat Security Top Ten—2010 Percentage likelihood of a website having at least one vulnerability sorted by class
The Situation Today # of websites : 357,292,065 (estimated: July 2011) # of x vulnerabilities : 230 1% 821,771,600 vulnerabilities in active circulation
The Situation Today # of websites : 357,292,065 (estimated: July 2011) # of x vulnerabilities : 230 But which will be exploited? 1% 821,771,600 vulnerabilities in active circulation
Studying Hackers  Focus on actual threats + Focus on what hackers want, helping good guys prioritize + Technical insight into hacker activity + Business trends of hacker activity + Future directions of hacker activity  Eliminate uncertainties + Active attack sources + Explicit attack vectors + Spam content  Devise new defenses based on real data + Reduce guess work
Understanding the Threat Landscape: Methodology  Analyze hacker tools and activity  Tap into hacker forums  Record and monitor hacker activity + Categorized attacks across 30 applications + Monitored TOR traffic + Recorded over 10M suspicious requests + 6 months: December 2010-May 2011
Lesson #1: Automation is Prevailing  Attacks are automated + Botnets + Mass SQL Injection attacks + Google dorks
Lesson #1: Automation is Prevailing  Tools and kits exist for everything
Lesson #1: Automation is Prevailing Apps under automated attack: 25,000 attacks per hour. ≈ 7 per second On Average: 27 attacks per hour ≈ 1 attack per 2 min.
Lesson #1: Automation is Prevailing Apps under automated attack: 25,000 attacks per hour. ≈ 7 per second Take-away: On Average: 27 attacks per hour Get ready to fight automation ≈ 1 attack per 2 minutes
Lesson #2: The ―Unfab‖ Four
Lesson #2A: The ―Unfab‖ Four SQL Injection
Lesson #2B: The ―Unfab‖ Four Remote File Inclusion
Lesson #2B: The ―Unfab‖ Four Remote File Inclusion Analyzing the parameters and source of an RFI attack enhances common signature-based attack detection.
Lesson #2C: The ―Unfab‖ Four Directory Traversal
Lesson #2C: The ―Unfab‖ Four Directory Traversal
Lesson #2D: The ―Unfab‖ Four Cross Site Scripting
Lesson #2D: The ―Unfab‖ Four Cross Site Scripting
Lesson #2D: The ―Unfab‖ Four Cross Site Scripting – Zooming into Search Engine Poisoning http://HighRankingWebSite+PopularKeywords+XSS … http://HighRankingWebSite+PopularKeywords+XSS
Lesson #2D: The ―Unfab‖ Four Cross Site Scripting New Search Engine Indexing Cycle
Lesson #2: The ―Unfab‖ Four Take-away: Protect against these common attacks These may seem obvious common attacks, but RFI and DT do not even appear in OWASP’s top 10 list.
Directory Traversal Missing from OWASP Top 10?  OWASP Rationale: Directory traversal is covered in the OWASP Top Ten 2010 through the more general case, A4, Insecure Direct Object Reference.  ―Insecure Direct Object Reference‖ is different than ―Directory Traversal‖ because in the latter access is made to a resource that, to begin with, should not have been available through the application.
Remote File Inclusion Missing from OWASP Top 10?  A3, OWASP Top 10 2007 - Malicious File Execution. Removed in the OWASP Top 10 2010.  OWASP Rationale: REMOVED: A3 – Malicious File Execution. This is still a significant problem in many different environments. However, its prevalence in 2007 was inflated by large numbers of PHP applications having this problem. PHP now ships with a more secure configuration by default, lowering the prevalence of this problem.
Lesson #3: The U.S. is the Source of Most Attacks We witnessed 29% of attack events originating from 10 sources.
Lesson #3: The U.S. is the Source of Most Attacks Take-away: Sort traffic based on reputation We witnessed 29% of attack events originating from 10 sources.
Organizations like these Funded a $27B Security Market in 2010… …All had major breaches in 2011. What’s wrong?
Threat vs. Spending Market Dislocation  The data theft industry is estimated at $1 trillion annually  Organized crime is responsible for 85% of data breaches 1 Threats Spending ― Yet well over 90% of the ― In 2010, 76% of all data $27 billion spent on breached was security from servers products was and ‖ on traditional applications1 ‖ security2 1 2011 Data Breach Investigations Report (Verizon RISK Team in conjunction with the US Secret Service & Dutch High Tech Crime Unit) 2 Worldwide Security Products 2011-2014 Forecast (IDC - February 2011)
Summary Deploy security solutions that deter automated attacks Detect known vulnerability attacks Acquire intelligence on malicious sources and apply it in real time Participate in a security community and share data on attacks
Summary ―Foreknowledge cannot be gotten from ghosts and spirits, cannot be had by analogy, cannot be found out by calculation. It must be obtained from people, people who know the conditions of the enemy‖ 1 1 Sun Tzu – The art of war
Imperva: Our Story in 60 Seconds Attack Usage Protection Audit Virtual Rights Patching Management Reputation Access Controls Control
Webinar Materials Get LinkedIn to Imperva Data Security Direct for… Answers to Post-Webinar Attendee Discussions Questions Webinar Much more… Recording Link
Questions - CONFIDENTIAL -
Thank You - CONFIDENTIAL -

More Related Content

PDF
A new way to prevent Botnet Attack
byyennhi2812
 
PPTX
Cyber Influence Operations
byPapadakis K.-Cyber-Information Warfare Analyst & Cyber Defense/Security Consultant-Hellenic MoD
 
PDF
Selex ES at Le Bourget 2013 Cyber Partnership
byLeonardo
 
PDF
DSS ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...
byAndris Soroka
 
PDF
Cyber Security and the National Central Banks
byCommunity Protection Forum
 
PDF
Cybercriminals and security attacks
byGFI Software
 
PDF
Cyber Security Landscape and Systems Resiliency – Challenges & Priorities - T...
byKnowledge Group
 
PDF
A Look Into Cyber Security
byGTreasury
 
A new way to prevent Botnet Attack
byyennhi2812
 
Cyber Influence Operations
byPapadakis K.-Cyber-Information Warfare Analyst & Cyber Defense/Security Consultant-Hellenic MoD
 
Selex ES at Le Bourget 2013 Cyber Partnership
byLeonardo
 
DSS ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...
byAndris Soroka
 
Cyber Security and the National Central Banks
byCommunity Protection Forum
 
Cybercriminals and security attacks
byGFI Software
 
Cyber Security Landscape and Systems Resiliency – Challenges & Priorities - T...
byKnowledge Group
 
A Look Into Cyber Security
byGTreasury
 

What's hot

DOCX
Cyber defence sebagai garda terdepan ketahanan nasional
byEdi Suryadi
 
PDF
eSentinel webinar with Netpluz & Straits Interactive on Cyber Security & PDPA...
byNetpluz Asia Pte Ltd
 
PDF
Outlook Briefing 2016: Cyber Security
byMastel Indonesia
 
PDF
Data Safety And Security
byConstantine Karbaliotis
 
PDF
Hakin9 interview w Prof Sood
byZsolt Nemeth
 
PDF
Cybersecurity concepts & Defense best practises
byWAJAHAT IQBAL
 
PPTX
Cyber security
byManjushree Mashal
 
PDF
Advanced persistent threats(APT)
byNetwork Intelligence India
 
PDF
Microsoft Cyber Defense Operation Center Strategy
byIoannis Aligizakis, M.Sc.
 
PPTX
Cyber-Espionage: Understanding the Advanced Threat Landscape
byAaron White
 
PPT
The Future of Cyber Security
byStephen Lahanas
 
PDF
Cyber Security - awareness, vulnerabilities and solutions
byinLabFIB
 
PPTX
NUS-ISS Learning Day 2017 - Managing Cybersecurity Risk in the Digital Era fo...
byNUS-ISS
 
PPTX
Cyber Security: A Common Problem 2018
byjoshquarrie
 
DOCX
Hot Cyber Security Technologies
byRuchikaSachdeva4
 
PDF
Basics of Cyber Security
byNikunj Thakkar
 
PDF
Cyber of things 2.0
byDeepak Kumar (D3)
 
PPTX
Models of Escalation and De-escalation in Cyber Conflict
byZsolt Nemeth
 
PPTX
Risks and Security of Internet and System
byParam Nanavati
 
PDF
Icit analysis-identity-access-management
byMark Gibson
 
Cyber defence sebagai garda terdepan ketahanan nasional
byEdi Suryadi
 
eSentinel webinar with Netpluz & Straits Interactive on Cyber Security & PDPA...
byNetpluz Asia Pte Ltd
 
Outlook Briefing 2016: Cyber Security
byMastel Indonesia
 
Data Safety And Security
byConstantine Karbaliotis
 
Hakin9 interview w Prof Sood
byZsolt Nemeth
 
Cybersecurity concepts & Defense best practises
byWAJAHAT IQBAL
 
Cyber security
byManjushree Mashal
 
Advanced persistent threats(APT)
byNetwork Intelligence India
 
Microsoft Cyber Defense Operation Center Strategy
byIoannis Aligizakis, M.Sc.
 
Cyber-Espionage: Understanding the Advanced Threat Landscape
byAaron White
 
The Future of Cyber Security
byStephen Lahanas
 
Cyber Security - awareness, vulnerabilities and solutions
byinLabFIB
 
NUS-ISS Learning Day 2017 - Managing Cybersecurity Risk in the Digital Era fo...
byNUS-ISS
 
Cyber Security: A Common Problem 2018
byjoshquarrie
 
Hot Cyber Security Technologies
byRuchikaSachdeva4
 
Basics of Cyber Security
byNikunj Thakkar
 
Cyber of things 2.0
byDeepak Kumar (D3)
 
Models of Escalation and De-escalation in Cyber Conflict
byZsolt Nemeth
 
Risks and Security of Internet and System
byParam Nanavati
 
Icit analysis-identity-access-management
byMark Gibson
 

Similar to The State of Application Security: What Hackers Break

PDF
Cyber Vigilantes: Turning the Tables on Hackers
byImperva
 
PDF
SQL Injection - The Unknown Story
byImperva
 
PDF
Top Security Trends for 2013
byImperva
 
PDF
11th Website Security Statistics -- Presentation Slides (Q1 2011)
byJeremiah Grossman
 
PPTX
Top Application Security Trends of 2012
byDaveEdwards12
 
PPTX
State of the information security nation
bySensePost
 
PDF
Web Application Attack Report (Edition #1 - July 2011)
byImperva
 
PDF
Thy myth of hacking Oracle
byErmando
 
PDF
Solving the enterprise security challenge - Derek holt
byRoopa Nadkarni
 
PPT
Security Lifecycle Management Process
byBill Ross
 
PPT
Web Application Testing for Today’s Biggest and Emerging Threats
byAlan Kan
 
PPTX
Cyberjutitsu101coleevertzfinal 1296250763392-phpapp02
byMark Evertz
 
PDF
The Darkside of Mobile Applications
byWirehead Technology
 
PDF
Web Application Security: Connecting the Dots
byInnoTech
 
PPT
PCTY 2012, Threat landscape and Security Intelligence v. Michael Andersson
byIBM Danmark
 
PPTX
Web_Appication_Security_Training_For_Developers.pptx
byxobewe1102
 
PDF
Lessons Learned From the Yahoo! Hack
byImperva
 
PDF
Keynote oracle entitlement-driven idm
byNormand Sauve
 
PPTX
What Makes Web Applications Desirable For Hackers
byJaime Manteiga
 
PDF
Trustwave 2012 Global Güvenlik Raporu
byErol Dizdar
 
Cyber Vigilantes: Turning the Tables on Hackers
byImperva
 
SQL Injection - The Unknown Story
byImperva
 
Top Security Trends for 2013
byImperva
 
11th Website Security Statistics -- Presentation Slides (Q1 2011)
byJeremiah Grossman
 
Top Application Security Trends of 2012
byDaveEdwards12
 
State of the information security nation
bySensePost
 
Web Application Attack Report (Edition #1 - July 2011)
byImperva
 
Thy myth of hacking Oracle
byErmando
 
Solving the enterprise security challenge - Derek holt
byRoopa Nadkarni
 
Security Lifecycle Management Process
byBill Ross
 
Web Application Testing for Today’s Biggest and Emerging Threats
byAlan Kan
 
Cyberjutitsu101coleevertzfinal 1296250763392-phpapp02
byMark Evertz
 
The Darkside of Mobile Applications
byWirehead Technology
 
Web Application Security: Connecting the Dots
byInnoTech
 
PCTY 2012, Threat landscape and Security Intelligence v. Michael Andersson
byIBM Danmark
 
Web_Appication_Security_Training_For_Developers.pptx
byxobewe1102
 
Lessons Learned From the Yahoo! Hack
byImperva
 
Keynote oracle entitlement-driven idm
byNormand Sauve
 
What Makes Web Applications Desirable For Hackers
byJaime Manteiga
 
Trustwave 2012 Global Güvenlik Raporu
byErol Dizdar
 

More from Imperva

PPTX
Cybersecurity and Healthcare - HIMSS 2018 Survey
byImperva
 
PPTX
API Security Survey
byImperva
 
PPTX
Imperva ppt
byImperva
 
PPTX
Beyond takeover: stories from a hacked account
byImperva
 
PPTX
Research: From zero to phishing in 60 seconds
byImperva
 
PDF
Making Sense of Web Attacks: From Alerts to Narratives
byImperva
 
PDF
How We Blocked a 650Gb DDoS Attack Over Lunch
byImperva
 
PPTX
Survey: Insider Threats and Cyber Security
byImperva
 
PPTX
Companies Aware, but Not Prepared for GDPR
byImperva
 
PPTX
Rise of Ransomware
byImperva
 
PDF
7 Tips to Protect Your Data from Contractors and Privileged Vendors
byImperva
 
PDF
SEO Botnet Sophistication
byImperva
 
PDF
Phishing Made Easy
byImperva
 
PDF
Imperva 2017 Cyber Threat Defense Report
byImperva
 
PDF
Combat Payment Card Attacks with WAF and Threat Intelligence
byImperva
 
PDF
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
byImperva
 
PDF
Get Going With Your GDPR Plan
byImperva
 
PDF
Cyber Criminal's Path To Your Data
byImperva
 
PDF
Combat Today's Threats With A Single Platform For App and Data Security
byImperva
 
PPTX
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
byImperva
 
Cybersecurity and Healthcare - HIMSS 2018 Survey
byImperva
 
API Security Survey
byImperva
 
Imperva ppt
byImperva
 
Beyond takeover: stories from a hacked account
byImperva
 
Research: From zero to phishing in 60 seconds
byImperva
 
Making Sense of Web Attacks: From Alerts to Narratives
byImperva
 
How We Blocked a 650Gb DDoS Attack Over Lunch
byImperva
 
Survey: Insider Threats and Cyber Security
byImperva
 
Companies Aware, but Not Prepared for GDPR
byImperva
 
Rise of Ransomware
byImperva
 
7 Tips to Protect Your Data from Contractors and Privileged Vendors
byImperva
 
SEO Botnet Sophistication
byImperva
 
Phishing Made Easy
byImperva
 
Imperva 2017 Cyber Threat Defense Report
byImperva
 
Combat Payment Card Attacks with WAF and Threat Intelligence
byImperva
 
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
byImperva
 
Get Going With Your GDPR Plan
byImperva
 
Cyber Criminal's Path To Your Data
byImperva
 
Combat Today's Threats With A Single Platform For App and Data Security
byImperva
 
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
byImperva
 

Recently uploaded

PDF
Dr. Robert Krug - Specializes In Predictive Modeling
byDr. Robert Krug
 
PDF
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
PPTX
Enhancing Web Security: Key Concepts & Strategies.pptx
byParham Abolghasemi
 
PDF
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
PDF
MathML Core in WebKit
byIgalia
 
PDF
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
PPTX
Expanding Your Toolbox: Beginners Guide to Controlling Kubernetes Logs
byEric D. Schabell
 
PDF
Upskill to Agentic Automation - Accelerating Your Job Search using AI
byDianaGray10
 
PDF
Create, View and Edit Text Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Install and Update Software - RHCSA (RH124).pdf
byLinuxCert Guru
 
PPTX
Odoo_by_Infinys_All_in_One_Business_Solution_for_Small_Companies.pptx
byAgusto Sipahutar
 
PPTX
Sephora UAE API Service Real-Time Product & Price Data Access.pptx
bycreativeclicks1733
 
PDF
Database Performance at Scale: The TL;DR
byScyllaDB
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PDF
Manage Files Using CLI - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
UiPath Veterans Day Acknowledgement and Benefits
byDianaGray10
 
PDF
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 
PDF
Open Source SecurityCon 2025 in Atlanta - Transparency Exchange API: Where To...
byPavel Shukhman
 
PDF
Private Governance: How Decentralized Mechanisms Can Regulate the Crypto Economy
byFederico Ast
 
Dr. Robert Krug - Specializes In Predictive Modeling
byDr. Robert Krug
 
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
Enhancing Web Security: Key Concepts & Strategies.pptx
byParham Abolghasemi
 
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
MathML Core in WebKit
byIgalia
 
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
Expanding Your Toolbox: Beginners Guide to Controlling Kubernetes Logs
byEric D. Schabell
 
Upskill to Agentic Automation - Accelerating Your Job Search using AI
byDianaGray10
 
Create, View and Edit Text Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
Install and Update Software - RHCSA (RH124).pdf
byLinuxCert Guru
 
Odoo_by_Infinys_All_in_One_Business_Solution_for_Small_Companies.pptx
byAgusto Sipahutar
 
Sephora UAE API Service Real-Time Product & Price Data Access.pptx
bycreativeclicks1733
 
Database Performance at Scale: The TL;DR
byScyllaDB
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
Manage Files Using CLI - RHCSA (RH124).pdf
byLinuxCert Guru
 
UiPath Veterans Day Acknowledgement and Benefits
byDianaGray10
 
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 
Open Source SecurityCon 2025 in Atlanta - Transparency Exchange API: Where To...
byPavel Shukhman
 
Private Governance: How Decentralized Mechanisms Can Regulate the Crypto Economy
byFederico Ast
 

The State of Application Security: What Hackers Break

  • 1.
    The State ofApplication Security: What Hackers Break Amichai Shulman, CTO, Imperva
  • 2.
    Agenda  The currentstate of Web vulnerabilities  Studying hackers + Why? Prioritizing defenses + How? Methodology  Analyzing real-life attack traffic + Key findings + Take-aways  Technical recommendations 2
  • 3.
    Imperva Overview Imperva’s mission is simple: Protect the data that drives business The leader in a new category: Data Security HQ in Redwood Shores CA; Global Presence + Installed in 50+ Countries 1,200+ direct customers; 25,000+ cloud users + 3 of the top 5 US banks + 3 of the top 10 financial services firms + 3 of the top 5 Telecoms + 2 of the top 5 food & drug stores + 3 of the top 5 specialty retailers + Hundreds of small and medium businesses 3
  • 4.
    Today’s Presenter Amichai Shulman– CTO Imperva  Speaker at industry events + RSA, Sybase Techwave, Info Security UK, Black Hat  Lecturer on Info Security + Technion - Israel Institute of Technology  Former security consultant to banks and financial services firms  Leads the Application Defense Center (ADC) + Discovered over 20 commercial application vulnerabilities – Credited by Oracle, MS-SQL, IBM and others Amichai Shulman one of InfoWorld’s “Top 25 CTOs”
  • 5.
    WhiteHat Security TopTen—2010 Percentage likelihood of a website having at least one vulnerability sorted by class
  • 6.
    The Situation Today #of websites : 357,292,065 (estimated: July 2011) # of x vulnerabilities : 230 1% 821,771,600 vulnerabilities in active circulation
  • 7.
    The Situation Today #of websites : 357,292,065 (estimated: July 2011) # of x vulnerabilities : 230 But which will be exploited? 1% 821,771,600 vulnerabilities in active circulation
  • 8.
    Studying Hackers  Focuson actual threats + Focus on what hackers want, helping good guys prioritize + Technical insight into hacker activity + Business trends of hacker activity + Future directions of hacker activity  Eliminate uncertainties + Active attack sources + Explicit attack vectors + Spam content  Devise new defenses based on real data + Reduce guess work
  • 9.
    Understanding the ThreatLandscape: Methodology  Analyze hacker tools and activity  Tap into hacker forums  Record and monitor hacker activity + Categorized attacks across 30 applications + Monitored TOR traffic + Recorded over 10M suspicious requests + 6 months: December 2010-May 2011
  • 10.
    Lesson #1: Automationis Prevailing  Attacks are automated + Botnets + Mass SQL Injection attacks + Google dorks
  • 11.
    Lesson #1: Automationis Prevailing  Tools and kits exist for everything
  • 12.
    Lesson #1: Automationis Prevailing Apps under automated attack: 25,000 attacks per hour. ≈ 7 per second On Average: 27 attacks per hour ≈ 1 attack per 2 min.
  • 13.
    Lesson #1: Automationis Prevailing Apps under automated attack: 25,000 attacks per hour. ≈ 7 per second Take-away: On Average: 27 attacks per hour Get ready to fight automation ≈ 1 attack per 2 minutes
  • 14.
    Lesson #2: The―Unfab‖ Four
  • 15.
    Lesson #2A: The―Unfab‖ Four SQL Injection
  • 16.
    Lesson #2B: The―Unfab‖ Four Remote File Inclusion
  • 17.
    Lesson #2B: The―Unfab‖ Four Remote File Inclusion Analyzing the parameters and source of an RFI attack enhances common signature-based attack detection.
  • 18.
    Lesson #2C: The―Unfab‖ Four Directory Traversal
  • 19.
    Lesson #2C: The―Unfab‖ Four Directory Traversal
  • 20.
    Lesson #2D: The―Unfab‖ Four Cross Site Scripting
  • 21.
    Lesson #2D: The―Unfab‖ Four Cross Site Scripting
  • 22.
    Lesson #2D: The―Unfab‖ Four Cross Site Scripting – Zooming into Search Engine Poisoning http://HighRankingWebSite+PopularKeywords+XSS … http://HighRankingWebSite+PopularKeywords+XSS
  • 23.
    Lesson #2D: The―Unfab‖ Four Cross Site Scripting New Search Engine Indexing Cycle
  • 24.
    Lesson #2: The―Unfab‖ Four Take-away: Protect against these common attacks These may seem obvious common attacks, but RFI and DT do not even appear in OWASP’s top 10 list.
  • 25.
    Directory Traversal Missingfrom OWASP Top 10?  OWASP Rationale: Directory traversal is covered in the OWASP Top Ten 2010 through the more general case, A4, Insecure Direct Object Reference.  ―Insecure Direct Object Reference‖ is different than ―Directory Traversal‖ because in the latter access is made to a resource that, to begin with, should not have been available through the application.
  • 26.
    Remote File InclusionMissing from OWASP Top 10?  A3, OWASP Top 10 2007 - Malicious File Execution. Removed in the OWASP Top 10 2010.  OWASP Rationale: REMOVED: A3 – Malicious File Execution. This is still a significant problem in many different environments. However, its prevalence in 2007 was inflated by large numbers of PHP applications having this problem. PHP now ships with a more secure configuration by default, lowering the prevalence of this problem.
  • 27.
    Lesson #3: TheU.S. is the Source of Most Attacks We witnessed 29% of attack events originating from 10 sources.
  • 28.
    Lesson #3: TheU.S. is the Source of Most Attacks Take-away: Sort traffic based on reputation We witnessed 29% of attack events originating from 10 sources.
  • 29.
    Organizations like theseFunded a $27B Security Market in 2010… …All had major breaches in 2011. What’s wrong?
  • 30.
    Threat vs. SpendingMarket Dislocation  The data theft industry is estimated at $1 trillion annually  Organized crime is responsible for 85% of data breaches 1 Threats Spending ― Yet well over 90% of the ― In 2010, 76% of all data $27 billion spent on breached was security from servers products was and ‖ on traditional applications1 ‖ security2 1 2011 Data Breach Investigations Report (Verizon RISK Team in conjunction with the US Secret Service & Dutch High Tech Crime Unit) 2 Worldwide Security Products 2011-2014 Forecast (IDC - February 2011)
  • 31.
    Summary Deploy security solutionsthat deter automated attacks Detect known vulnerability attacks Acquire intelligence on malicious sources and apply it in real time Participate in a security community and share data on attacks
  • 32.
    Summary ―Foreknowledgecannot be gotten from ghosts and spirits, cannot be had by analogy, cannot be found out by calculation. It must be obtained from people, people who know the conditions of the enemy‖ 1 1 Sun Tzu – The art of war
  • 33.
    Imperva: Our Storyin 60 Seconds Attack Usage Protection Audit Virtual Rights Patching Management Reputation Access Controls Control
  • 34.
    Webinar Materials GetLinkedIn to Imperva Data Security Direct for… Answers to Post-Webinar Attendee Discussions Questions Webinar Much more… Recording Link
  • 35.
  • 36.