Web Application Security 101 by SPI Dynamics

by Wade Malone

on 29 August 2013

Transcript of Web Application Security 101 by SPI Dynamics

SPI Dynamics Web Application Security 101
Where Today’s Security Measures Fail

security. protection. intelligence.

Web Application Security

How SPI Solves The Problem


A complete security solution requires attention at each potential point of attack.

Today over 70% of attacks against a company’s Web site or Web application come at the ‘Application Layer’, not the Network or System layer.


Q: Where Do Your Current Security Measures Fail?

A: Your Proprietary, Custom written Web Applications



SPI develops “hands-off” security products that contain the knowledge and expertise of an information security professional embedded in the code.

The embedded “hacker logic” enables our software to think for the end-user, making their job easier.

SPI Dynamics is the leading provider of automated Web Application security products.


WebInspect™

WebInspect™ is easy to understand. The Vulnerability Report is listed in order of severity and contains HTML links for navigation.


Q: But I use XYZ Scanner, won’t it discover these types of vulnerabilities?

A: No, and this is why.


Q: So how do we remedy this situation?

A: Enact policies requiring your developers to write secure code.

Verify all request parameters are in the proper format (via a standard library).

Any unknown or incorrect user data should be logged and the request terminated.
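Added example (not from the presentation or from SPI Dynamics): one way to enforce the two points above in a request handler, using a hypothetical allow-list of expected parameters and the exact format each must have; anything unknown or malformed is logged and the request is rejected.

```python
import logging
import re

log = logging.getLogger("request-validation")

# Constructed allow-list: every parameter the application expects and the exact
# format its value must have. Anything not listed here is an "unknown" parameter.
PARAM_FORMATS = {
    "user_id": re.compile(r"[0-9]{1,10}"),  # numeric id only
    "page": re.compile(r"[0-9]{1,4}"),      # pagination index
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}
REQUIRED = {"user_id"}


class RejectedRequest(Exception):
    """Raised when a request carries unknown, missing or malformed parameters."""


def check_params(params):
    """Return the list of validation errors; an empty list means the request is clean.
    fullmatch() is used so a valid prefix followed by injected characters
    (e.g. "42 OR 1=1" for a numeric id) cannot satisfy the pattern.
    """
    errors = [f"missing required parameter {n!r}" for n in sorted(REQUIRED - set(params))]
    for name, value in params.items():
        pattern = PARAM_FORMATS.get(name)
        if pattern is None:
            errors.append(f"unknown parameter {name!r}")
        elif not isinstance(value, str) or pattern.fullmatch(value) is None:
            errors.append(f"malformed value for parameter {name!r}")
    return errors


def validate_params(params, client="unknown-client"):
    """Log and terminate: raise RejectedRequest on any error, else return a clean copy."""
    errors = check_params(params)
    if errors:
        # Record which checks failed, not the raw values (they may be hostile input).
        log.warning("rejected request from %s: %s", client, "; ".join(errors))
        raise RejectedRequest(errors)
    return {name: params[name] for name in PARAM_FORMATS if name in params}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(validate_params({"user_id": "42", "page": "1"}, client="203.0.113.5"))
    try:
        validate_params({"user_id": "42 OR 1=1", "debug": "true"})
    except RejectedRequest as err:
        print("rejected:", err.args[0])
```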


Our Company

Founded in April 2000 by recognized Information Security industry experts
Released WebInspect™ in April 2001
HQ in Atlanta, Georgia
Resellers in New York, Chicago, Washington D.C., Knoxville, Miami, London

SPI serves clients in each of the following vertical industries:
Government
Global Enterprise
Consulting
HealthCare
Insurance
Financial Services


How does WebInspect™ do this?

Hidden Manipulation
Parameter Tampering
Cookie Poisoning
Stealth Commanding
Forceful Browsing
Backdoor/Debug Options
Configuration Subversion
Vendor-Assisted Hacking


Features & Benefits of WebInspect™

Unique Focus: Your proprietary Web site or Web application
Superior Scanning: Products codify our security expertise
Extremely Fast: WebInspect™ runs in minutes or hours vs. the days or weeks it takes to complete traditional vulnerability assessments
Automated: Continuously maintain your security integrity
Updated: Continuously keep up to date on the latest vulnerabilities with the online update feature
Simple & Cost Effective: Licensed per IP address or per consultant
Risk-Free: Offered on a trial basis at no cost


WebInspect™

WebInspect™ is easy to use. Simply enter the URL of the Web site or Web application you wish to scan and click go.


WebInspect™

WebInspect™ automates our security expertise so that customers can simulate an advanced Web application attack on their own. WebInspect™ detects holes in both standard and proprietary applications and crawls the entire Web site in search of potential security problems.



Q: How can SPI Dynamics do all of this and the others can’t?

A: Because other Scanners are a security Broadsword, where ours is a Security Scalpel

WebInspect is NOT meant to replace any tools that are currently being used; instead it complements them.


But if you instituted this policy, how would you effectively enforce it?

What measures would you have in place to make sure that they comply?

“An unenforceable policy, or one without a process to determine the outlined specifications, is just as good as no policy at all.”


[Diagram: Internet, Firewall, IDS, Web Server, Database Server with Users Database and CC#’s Database]

WebInspect™ scans the whole site:
Web server
Web pages
Scripts
Proprietary applications
Cookies



The SPI Works Product Suite

Application Assessment: WebInspect™
Know your vulnerabilities
Use WebInspect™ to assess current Web sites or Web applications.
Use WebInspect™ to QA new applications during development prior to release into production.
Available now

Application Log Audit: LogAlert™
Know if you have been attacked
Use LogAlert™ to audit Web logs to know if an attacker has successfully compromised your Web site or Web application.
Use LogAlert™ after you have been attacked for Web log forensic analysis.
Available now

Application Intrusion Protection: WebDefend™
Proactively stop attacks
Use WebDefend™ to proactively stop Web site or Web application intrusions.
Available Q2 2002


[Diagram: Internet, Firewall, IDS, Web Server, Database Server with Users Database and CC#’s Database]

WebInspect™
Scans authentication codes
Assesses security procedures
Carves into confidential data
… Just like a hacker would

