The science behind RASP & IAST
Instrumentation & Taint Analysis
Jitendra Chauhan, Cigital Inc.
Agenda
• Web Security Evolution
• Marketing view of RASP and IAST
• Science behind RASP and IAST
• Way Forward
• Q/A
Evolution (1/3)
[Figure: the application stack (Developers, SDK + Libraries, Application, Web Containers, JRE + JVM, OS, Network) plotted against a timeline of 2001, 2010, 2012, 2015 and beyond, with a Prevention track and a Protection track]
Techniques shown on this build of the figure: DAST, SAST, EASPI, WAF, Training
DAST vs. SAST: Vulnerability Coverage

SAST
Strengths (+):
• SQL Injection
• Cross Site Scripting (XSS)
• OS Commanding
• HTTP Response Splitting
• LDAP Injection
• XPath Injection
• Path Traversal
• Buffer Overflows
• Format String Issues
• Null Pointer Dereference
• Threading Issues
• Code Quality Issues
• Insecure Crypto Issues
• Issues in non-web application code
Weaknesses (-):
• Higher number of false positives
• Run-time code generation
• Dynamic languages (Ruby, Python)

DAST
Strengths (+):
• Runtime Privilege Issues
• Authentication Issues
• Session Management Issues
• Insecure 3rd Party Libraries
• Business Logic Vulnerabilities
• Protocol Parser Issues
Weaknesses (-):
• Web 2.0, JSON, Flash, HTML 5.0
• Integrity and availability violations
• Long execution times
WAF vs. DAST
WAF
Positive:
• Quick turnaround time (virtual patching)
Drawbacks:
• Signature based (false negatives, bypass)
• Rule management (configure → QA → deploy)
• False positives (business disruption)
• No protection against business logic vulnerabilities
Evolution (2/3)
Same figure as above; this build adds: SAST + DAST, DAST + WAF (Hybrid), RASP, IAST
RASP: protection configured inside the application.
IAST: instrumentation placed inside the application to confirm vulnerabilities.
Evolution (3/3)
Same figure as above; this build adds: Security JVM, Security Containers, Security Coding IDE, Botwall, Intrusion Deception
SQL Injection Example
[Figure: OWASP-style diagram of an attack crossing the network layer (Firewall, Hardened OS, Web Server, App Server, Firewall) into the application layer (custom code and business functions: Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce) and on to backend systems (Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing)]
HTTP request → SQL query → DB table → HTTP response
Query sent to the database:
"SELECT * FROM accounts WHERE acct='' OR 1=1--'"
1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user
Account Summary returned to the attacker (every row matches the tautology): Acct:5424-6066-2134-4334, Acct:4128-7574-3921-0192, Acct:5424-9383-2039-4029, Acct:4128-0004-1234-0293
How RASP Works? SQL Injection
[Same figure as above, with the agent running inside the application layer]
HTTP request → SQL query → agent intercepts and raises an exception → HTTP response (error)
Query built by the application:
"SELECT * FROM accounts WHERE acct='' OR 1=1--'"
1. Application presents a form to the attacker
2. Attacker sends an attack in the form data. The agent taints the value returned by getParameter
3. Application builds the SQL query from the tainted getParameter value
4. Agent intercepts the query at the instrumented JDBC execute method and finds that the tainted data violates the taint policy (Exception: Invalid SQL Query)
5. Agent raises a SQL exception instead of running the query. The application returns an error to the attacker; the database never sees the query
How IAST Works? SQL Injection
[Same figure, with a DAST engine driving the requests and a correlation engine receiving the agent's data]
HTTP request (from the DAST engine) → SQL query → DB table → HTTP response; agent data → correlation engine
Query built by the application:
"SELECT * FROM accounts WHERE acct='' OR 1=1--'"
1. Application presents a form to the attacker (here the DAST engine)
2. DAST engine sends an attack in the form data. The agent taints the value returned by getParameter
3. Application builds the SQL query from the tainted getParameter value
4. Agent records the malicious query at the instrumented JDBC execute method and reports it to the correlation engine
5. Database executes the query containing the attack and sends results back to the application
6. Application decrypts data as normal and sends results to the user
The correlation engine matches the DAST engine's request with the tainted data the agent saw at the sink: Confirmed Vulnerability!!
Let us talk about some Science!!!
Components of RASP
Instrumentation points
App Containers (Tomcat/JBoss)
• javax.servlet.ServletOutputStream
• org.apache.catalina.connector.CoyoteWriter
• org.apache.coyote.tomcat5.CoyoteWriter
• javax.servlet.jsp.JspWriter
DB (JDBC / Hibernate)
• org/hibernate/impl/SessionImpl
• com/mysql/.*
• com/ibm/db2/.*
• org/postgresql/.*
Frameworks (Spring / Struts)
• org/springframework/web/HttpRequestHandler
• org/apache/struts/action/Action
• org/apache/struts/actions/DispatchAction
Engine components: Instrumentation; Dynamic Taint Analysis (Taint Source, Taint Propagation, Taint Sink); Taint Policy; Exploit Analyzer; Configuration
Components of IAST
Instrumentation points: the same container, DB and framework classes as RASP (see above)
Engine components: Instrumentation; Dynamic Taint Analysis (Taint Source, Taint Propagation, Taint Sink); Taint Policy; Exploit Analyzer; Correlation Engine (in place of RASP's Configuration)
How Instrumentation Works?
[Figure: the web application's class files (a.class, b.class) pass from Apache Tomcat's set of class loaders through the byte code instrumentation agent's transformation module before they land in the JVM's runtime data areas (method area, thread stacks, heap, constant pool)]
How Instrumentation Works?
java -javaagent:/path/to/agent.jar com.example.mains.QueryDBTransactions

Agent.class: void premain(String agentArgs, Instrumentation inst)
MyTransformer.class: byte[] transform( . . . , byte[] queryTransBytes)
QueryDBTransactions.class: void main(String[] args)

1. The JVM reads Premain-Class from the agent JAR manifest and calls Agent.premain before the application's main
2. premain registers MyTransformer with the JVM (Instrumentation.addTransformer)
3. When QueryDBTransactions is loaded, the JVM hands its class bytes to MyTransformer.transform
4. MyTransformer performs the byte code manipulation and returns the new bytes
5. QueryDBTransactions is defined from the transformed bytes and main runs
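The five steps above as a working Java agent. This is an added example, not code from the deck or from any Cigital product. It assumes Java 11 or later, the ASM 9 library (org.ow2.asm:asm) on the class path, and a manifest line `Premain-Class: com.example.agent.Agent`; the names `Agent`, `SqlSinkTransformer` (the deck's MyTransformer), `SqlHook` and the `=block` agent argument are this example's own. It rewrites every call site of `java.sql.Statement.executeQuery`, `execute` and `executeUpdate(String)` so that the SQL string passes through `SqlHook.check` first: in record mode the hook only keeps the query (the IAST behaviour), in block mode it throws a `SQLException` when a value previously marked tainted has broken out of its string literal (the RASP behaviour).

```java
package com.example.agent;

import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.ProtectionDomain;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.objectweb.asm.ClassReader;
import org.objectweb.asm.ClassVisitor;
import org.objectweb.asm.ClassWriter;
import org.objectweb.asm.MethodVisitor;
import org.objectweb.asm.Opcodes;

/** Build as agent.jar with "Premain-Class: com.example.agent.Agent" in its manifest (example code, not the deck's). */
public final class Agent {

    // Step 1: the JVM reads Premain-Class from the manifest and calls this before the application's main().
    public static void premain(String agentArgs, Instrumentation inst) {
        SqlHook.BLOCK = "block".equals(agentArgs);   // -javaagent:agent.jar=block -> RASP mode; otherwise record only
        // Step 2: register the transformer; from now on the JVM offers it every class it loads.
        inst.addTransformer(new SqlSinkTransformer());
    }

    /** Steps 3 and 4: receives raw class bytes and rewrites call sites of the JDBC sink. */
    static final class SqlSinkTransformer implements ClassFileTransformer {
        private static final Set<String> SINKS = Set.of("executeQuery", "execute", "executeUpdate");
        private static final String HOOK = "com/example/agent/Agent$SqlHook";

        @Override
        public byte[] transform(ClassLoader loader, String className, Class<?> redefined,
                                ProtectionDomain pd, byte[] classBytes) {
            // Skip the JDK, ASM and the agent itself: transforming them re-enters this method while they load.
            if (className == null || className.startsWith("java/") || className.startsWith("jdk/")
                    || className.startsWith("sun/") || className.startsWith("org/objectweb/asm/")
                    || className.startsWith("com/example/agent/")) {
                return null;                                    // null means "leave the class unchanged"
            }
            ClassReader reader = new ClassReader(classBytes);
            ClassWriter writer = new ClassWriter(reader, 0);     // stack depth is unchanged, so no MAXS/FRAMES recomputation
            boolean[] changed = {false};
            reader.accept(new ClassVisitor(Opcodes.ASM9, writer) {
                @Override
                public MethodVisitor visitMethod(int acc, String name, String desc, String sig, String[] exc) {
                    return new MethodVisitor(Opcodes.ASM9, super.visitMethod(acc, name, desc, sig, exc)) {
                        @Override
                        public void visitMethodInsn(int op, String owner, String mName, String mDesc, boolean itf) {
                            // Only the single-String overloads of java.sql.Statement. The operand stack here is
                            // [..., stmt, sql]; a static String->String call placed before the sink keeps that shape.
                            if ("java/sql/Statement".equals(owner) && SINKS.contains(mName)
                                    && mDesc.startsWith("(Ljava/lang/String;)")) {
                                super.visitMethodInsn(Opcodes.INVOKESTATIC, HOOK, "check",
                                        "(Ljava/lang/String;)Ljava/lang/String;", false);
                                changed[0] = true;
                            }
                            super.visitMethodInsn(op, owner, mName, mDesc, itf);
                        }
                    };
                }
            }, 0);
            return changed[0] ? writer.toByteArray() : null;
        }
    }

    /** The sink hook; public because instrumented application classes in any package call it. */
    public static final class SqlHook {
        static volatile boolean BLOCK;
        // Request values marked tainted on the current thread. A companion hook on
        // HttpServletRequest.getParameter (hypothetical, not shown) would call taint() for each value.
        private static final ThreadLocal<Set<String>> TAINTED = ThreadLocal.withInitial(HashSet::new);
        // Record mode: every query that reached the sink, for a correlation engine to pick up.
        static final List<String> RECORDED = new ArrayList<>();

        public static void taint(String value) { TAINTED.get().add(value); }

        public static String check(String sql) throws SQLException {
            synchronized (RECORDED) { RECORDED.add(sql); }
            for (String t : TAINTED.get()) {
                // Minimal policy stand-in for the taint engine: a tainted value that reaches the sink verbatim
                // while carrying a quote or a comment marker has broken out of its string literal.
                boolean escapes = t.indexOf('\'') >= 0 || t.contains("--");
                if (BLOCK && !t.isEmpty() && escapes && sql.contains(t)) {
                    throw new SQLException("RASP agent blocked query: tainted input alters SQL structure");
                }
            }
            return sql;                                           // unchanged: the real executeQuery runs next
        }
    }
}
```

Compile with ASM on the class path, package it with the manifest, then run `java -javaagent:agent.jar=block -cp app.jar:asm-9.x.jar com.example.mains.QueryDBTransactions` (the agent JAR is appended to the system class path automatically; ASM has to be there as well, or shaded into the agent JAR). Application classes must be able to resolve `Agent$SqlHook`; a Tomcat webapp finds it through parent delegation to the system class loader. Note that this rewrites call sites whose static receiver type is `java.sql.Statement`; calls made through driver-specific types slip past it, which is why the deck's component list hooks the driver classes themselves (com/mysql/.*, org/postgresql/.*) rather than the callers.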
Byte Code Manipulation (Class File format)
Class Parser → Class Adapter → Class Generator → b.class loaded into JVM
The parser and the adapter walk the class with the visitor pattern: visit, visitMethod* (once per method), visitEnd.
The adapter can emit new classes, new methods and new fields.
Dynamic Taint Analysis (Quick & Dirty)

x = Request.getQueryParam("username")    ← taint source: input is tainted
…
y = copyString(x)                         ← taint propagation: data derived from user input is tainted
…
r = executeSQL(y)                         ← taint sink: policy violation detected

(Slide colour legend: Tainted / Untainted)
Example: Taint Propagation Rules
[Table of propagation rules not recovered from the slide image]
Challenges in Taint Analysis
• Under-tainting (a data flow the propagation rules do not model) → false negatives
• Over-tainting (taint spread wider than the data the attacker actually controls) → false positives
• Taint sanitization (a sanitizer the policy does not recognise leaves safe data marked tainted) → false positives
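The source, propagation and sink stages of the "Quick & Dirty" walkthrough above, together with the three challenges on this slide, as one self-contained Java program. This is an added example, not the deck's code; the `TaintedString` wrapper and the range-based policy are this example's own simplification of what an agent does with bytecode hooks, and the helper names (`source`, `copyString`, `concat`, `coarseConcat`, `unmodelledCopy`, `escapeForSqlLiteral`, `unmodelledEscape`, `executeSQL`) are assumptions. It tracks taint as character ranges, builds the deck's SQL injection query, and shows how an unmodelled copy (under-tainting), a whole-string taint rule (over-tainting) and an unrecognised sanitizer each change the sink's verdict.

```java
import java.util.ArrayList;
import java.util.List;

/** Range-based dynamic taint tracking for the deck's SQL injection walkthrough (example code, not the deck's). */
public final class TaintDemo {

    /** A string plus the [start, end) character ranges that originate from an untrusted source. */
    static final class TaintedString {
        final String value;
        final List<int[]> ranges;
        TaintedString(String value, List<int[]> ranges) { this.value = value; this.ranges = ranges; }
    }

    // Taint source: a request parameter is tainted from its first character to its last.
    static TaintedString source(String requestParam) {
        List<int[]> r = new ArrayList<>();
        r.add(new int[] {0, requestParam.length()});
        return new TaintedString(requestParam, r);
    }

    static TaintedString literal(String s) { return new TaintedString(s, new ArrayList<>()); }

    // Taint propagation rules: the engine carries ranges through the String operations it models...
    static TaintedString copyString(TaintedString s) { return new TaintedString(s.value, new ArrayList<>(s.ranges)); }

    static TaintedString concat(TaintedString a, TaintedString b) {
        List<int[]> r = new ArrayList<>(a.ranges);
        for (int[] x : b.ranges) r.add(new int[] {x[0] + a.value.length(), x[1] + a.value.length()});
        return new TaintedString(a.value + b.value, r);
    }

    // ...but not through operations it does not model: a char[] round-trip loses the taint (under-tainting).
    static TaintedString unmodelledCopy(TaintedString s) {
        char[] chars = s.value.toCharArray();
        return literal(new String(chars));
    }

    // A coarse rule taints the whole result whenever any input is tainted (over-tainting).
    static TaintedString coarseConcat(TaintedString a, TaintedString b) {
        String v = a.value + b.value;
        List<int[]> r = new ArrayList<>();
        if (!a.ranges.isEmpty() || !b.ranges.isEmpty()) r.add(new int[] {0, v.length()});
        return new TaintedString(v, r);
    }

    // Sanitizer the policy knows for the SQL-literal sink: its result carries no taint for that sink.
    static TaintedString escapeForSqlLiteral(TaintedString s) { return literal(s.value.replace("'", "''")); }

    // The same escaping done by a helper the policy does not know about: the taint stays.
    static TaintedString unmodelledEscape(TaintedString s) {
        String v = s.value.replace("'", "''");
        List<int[]> r = new ArrayList<>();
        r.add(new int[] {0, v.length()});
        return new TaintedString(v, r);
    }

    // Taint sink plus policy (exploit analyzer): a tainted range may only be the content of one quoted literal.
    static boolean violatesSqlPolicy(TaintedString sql) {
        for (int[] r : sql.ranges) {
            int quotesBefore = 0;
            for (int i = 0; i < r[0]; i++) if (sql.value.charAt(i) == '\'') quotesBefore++;
            boolean insideLiteral = quotesBefore % 2 == 1;               // odd count: the range starts inside '...'
            boolean containsQuote = sql.value.substring(r[0], r[1]).indexOf('\'') >= 0;
            if (!insideLiteral || containsQuote) return true;             // tainted data changes the query's tokens
        }
        return false;
    }

    /** RASP would throw here; IAST would record the query and let it run. */
    static String executeSQL(TaintedString sql) {
        return violatesSqlPolicy(sql) ? "BLOCKED" : "EXECUTED";
    }

    static String runQuery(TaintedString acct) {
        TaintedString sql = concat(concat(literal("SELECT * FROM accounts WHERE acct='"), acct), literal("'"));
        return executeSQL(sql);
    }

    public static void main(String[] args) {
        TaintedString benign = source("4128-0004-1234-0293");   // constructed sample input
        TaintedString attack = source("' OR 1=1--");            // the deck's payload
        System.out.println("benign:               " + runQuery(benign));
        System.out.println("attack:               " + runQuery(copyString(attack)));
        System.out.println("under-tainting (FN):  " + runQuery(unmodelledCopy(attack)));
        TaintedString coarse = coarseConcat(coarseConcat(literal("SELECT * FROM accounts WHERE acct='"), benign), literal("'"));
        System.out.println("over-tainting (FP):   " + executeSQL(coarse));
        TaintedString name = source("O'Brien");
        System.out.println("modelled sanitizer:   " + runQuery(escapeForSqlLiteral(name)));
        System.out.println("unmodelled sanitizer: " + runQuery(unmodelledEscape(name)));
    }
}
```

The first two runs show the engine working as intended: the benign account number stays inside its literal and passes, the payload carries a quote into the literal and is stopped. The remaining four are the challenges. After `unmodelledCopy` the payload reaches the sink with no ranges at all, so the policy has nothing to check and the attack passes (a false negative). Under `coarseConcat` the constant `SELECT` prefix is part of the tainted range, which therefore does not start inside a literal, so even the benign value is stopped (a false positive). `O'Brien` passes after the sanitizer the policy knows about, but is stopped after the one it does not, because the escaped quotes are still inside a tainted range. In a real engine every propagator and sanitizer of the platform (String, StringBuilder, the container's own helpers) must be in the policy for the ranges to stay accurate, which is what the deck's "Taint Policy" component holds.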
Challenges
RASP
• Performance overhead of instrumentation and taint analysis. Are you ready for it?
• Taint analysis challenges: false positives, false negatives
• No protection from logical vulnerabilities
IAST
• Time to discover vs. time to fix
• Instrumentation of the production code
• Has all the limitations of DAST
Q/A
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 

Recently uploaded (20)

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 

Application Security Workshop

  • 1. The science behind RASP & IAST Jitendra Chauhan Cigital Inc. Instrumentation & Taint Analysis
  • 2. Agenda: Web Security Evolution; Marketing view of RASP and IAST; Science Behind RASP and IAST; Way Forward; Q/A
  • 3. Evolution (diagram: the layers Developers, SDK + Libraries, Application, Web Containers, JRE + JVM, OS and Network are drawn against a timeline of 2001, 2010, 2012, 2015 and Beyond; the controls placed on it are DAST, SAST, EASPI, WAF and Training, grouped under Prevention and Protection)
  • 4. DAST vs. SAST: Vulnerability Coverage
      • SAST covers (+): SQL Injection, Cross Site Scripting (XSS), OS Commanding, HTTP Response Splitting, LDAP Injection, XPATH Injection, Path Traversal, Buffer Overflows, Format String Issues, Null Pointer Dereference, Threading Issues, Code Quality Issues, Insecure Crypto Issues, Issues in Non Web application Code. Drawbacks (-): Higher number of FP, Run time Code generation, Dynamic Languages (Ruby + Python)
      • DAST covers (+): Runtime Privilege Issues, Authentication Issues, Session Management Issues, Insecure 3rd Party Libraries, Business Logic Vulnerabilities, Protocol Parser Issues. Drawbacks (-): Web2.0, JSON, Flash, HTML 5.0; Integrity and Availability violations; Long Execution Times
  • 5. WAF vs. DAST. WAF positive: Quick Turnaround Time (Virtual Patching). WAF drawbacks: Signature based (False Negatives, Bypass); Manage Rules (Configure → QA → Deploy); False Positives (Business disruption); No Protection against Business Logic Vulnerabilities
  • 6. Evolution (same layer-versus-timeline diagram as slide 3, now also showing SAST + DAST, DAST + WAF Hybrid, RASP and IAST under Prevention and Protection)
  • 9. Evolution (same diagram, extended with Security JVM, Containers, RASP, IAST, Security Coding IDE, Botwall and Intrusion Deception under Prevention and Protection)
  • 10. SQL Injection Example (diagram: network layer = Firewall, Hardened OS, Web Server, App Server, Firewall; application layer = Custom Code in front of Databases, Legacy Systems, Web Services, Directories, Human Resrcs, Billing; business functions = Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce; flow: HTTP request → SQL query → DB Table → HTTP response). Attack query: "SELECT * FROM accounts WHERE acct='' OR 1=1-- '". 1. Application presents a form to the attacker. 2. Attacker sends an attack in the form data. 3. Application forwards attack to the database in a SQL query. 4. Database runs query containing attack and sends encrypted results back to application. 5. Application decrypts data as normal and sends results to the user. (Result shown: Account Summary listing Acct:5424-6066-2134-4334, Acct:4128-7574-3921-0192, Acct:5424-9383-2039-4029, Acct:4128-0004-1234-0293.)
  • 11. How RASP Works? SQL Injection (same diagram; flow: HTTP request → SQL query → Exception → HTTP response). Attack query: "SELECT * FROM accounts WHERE acct='' OR 1=1-- '". 1. Application presents a form to the attacker. 2. Attacker sends an attack in the form data; the agent taints the getParameter variable. 3. Application creates a SQL query based on getParameter. 4. Agent intercepts the malicious query at the instrumented executeSQL method in JDBC. 5. Agent responds with a SQL Exception ("Invalid SQL Query"); the application returns an error to the attacker.
  • 12. How IAST Works? SQL Injection (same diagram, with a DAST Engine as the client and a Correlation Engine beside the application; flow: HTTP request → SQL query → DB Table → HTTP response). Attack query: "SELECT * FROM accounts WHERE acct='' OR 1=1-- '". 1. Application presents a form to the attacker. 2. DAST Engine sends an attack in the form data; the agent taints the getParameter variable. 3. Application creates a SQL query based on getParameter. 4. Agent stores the malicious query at the instrumented executeSQL method in JDBC. 5. DB executes the query containing the attack and sends results back to the application. 6. Application decrypts data as normal and sends results to the user. The Correlation Engine matches the stored query with the DAST Engine's request: Confirmed Vulnerability!!
  • 13. Let us talk about some Science!!!
  • 14. Components of RASP: Instrumentation; Dynamic Taint Analysis (Taint Source, Taint Propagation, Taint Sink, Taint Policy); Exploit Analyzer; Configuration. Instrumented classes:
      • App Containers (Tomcat/JBoss): javax.servlet.ServletOutputStream, org.apache.catalina.connector.CoyoteWriter, org.apache.coyote.tomcat5.CoyoteWriter, javax.servlet.jsp.JspWriter
      • DB (JDBC / Hibernate): org/hibernate/impl/SessionImpl, com/mysql/.*, com/ibm/db2/.*, org/postgresql/.*
      • Frameworks (Spring / Struts): org/springframework/web/HttpRequestHandler, org/apache/struts/action/Action, org/apache/struts/actions/DispatchAction
  • 15. Components of IAST: Instrumentation; Dynamic Taint Analysis (Taint Source, Taint Propagation, Taint Sink, Taint Policy); Exploit Analyzer; Correlation Engine. Instrumented classes:
      • App Containers (Tomcat/JBoss): javax.servlet.ServletOutputStream, org.apache.catalina.connector.CoyoteWriter, org.apache.coyote.tomcat5.CoyoteWriter, javax.servlet.jsp.JspWriter
      • DB (JDBC / Hibernate): org/hibernate/impl/SessionImpl, com/mysql/.*, com/ibm/db2/.*, org/postgresql/.*
      • Frameworks (Spring / Struts): org/springframework/web/HttpRequestHandler, org/apache/struts/action/Action, org/apache/struts/actions/DispatchAction
  • 16. How Instrumentation Works? (diagram: the Web Application's a.class and b.class, served by Apache Tomcat, pass through the JVM's Byte Code Instrumentation Agent and its Transformation Module before the set of class loaders defines them into the JVM Runtime Data Areas: Method Area, Thread Stacks, Heap, Constant Pool)
  • 17. How Instrumentation Works? (same diagram, second build: the transformed a.class is what the class loaders see)
  • 18. How Instrumentation Works? java -javaagent:/path/to/agent.jar com/example/mains/QueryDBTransactions. JVM Agent: Agent.class: void premain(String agentArgs, Instrumentation inst); MyTransformer.class: byte[] transform(. . ., byte[] queryTransBytes); QueryDBTransaction.class: void main(String[] args). 1. JVM calls the Agent's premain, named in the jar manifest. 2. JVM registers my transformer. 3. JVM gives the QueryDBTransaction bytes to MyTransformer. 4. MyTransformer performs byte code manipulation. 5. QueryDBTransaction is loaded and main runs.
  • 20. Byte Code Manipulation (diagram: b.class → Class Parser → Class Adapter → Class Generator → loaded into JVM; parser and adapter walk the class with visit, visitMethod*, visitEnd; the generator can emit New Classes, New Methods, New Fields)
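The agent flow of slides 16–20, as an added example that is not code from the deck: a Java agent whose premain registers a ClassFileTransformer, and a Class Adapter (the ASM visitor pattern behind the Class Parser / Class Adapter / Class Generator boxes) that inserts a hook call in front of every JDBC sink invocation. It assumes the ASM library (org.ow2.asm:asm) is bundled in the agent jar and that the manifest names the Premain-Class; the package com.example.taint, the class names TaintAgent, TaintHook, SinkTransformer and SinkAdapter, and the hook method checkSink are this example's own, not a vendor API. The sink owner prefixes come from slide 14.

```java
// Added example: a minimal Java agent that rewrites application classes so every call to a
// JDBC sink such as java.sql.Statement.executeQuery(String) first passes its SQL string through
// TaintAgent.TaintHook.checkSink(). Run as:
//   java -javaagent:/path/to/agent.jar com.example.mains.QueryDBTransactions
// Manifest of agent.jar: Premain-Class: com.example.taint.TaintAgent  (names are hypothetical)
package com.example.taint;

import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.ProtectionDomain;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.List;

import org.objectweb.asm.ClassReader;
import org.objectweb.asm.ClassVisitor;
import org.objectweb.asm.ClassWriter;
import org.objectweb.asm.MethodVisitor;
import org.objectweb.asm.Opcodes;

public class TaintAgent {

    /** Steps 1-2 of slide 18: the JVM calls premain before main() and we register the transformer. */
    public static void premain(String agentArgs, Instrumentation inst) {
        inst.addTransformer(new SinkTransformer());
    }

    /** Target of the injected call. Public so instrumented classes in any package can reach it. */
    public static final class TaintHook {
        /** SQL strings observed at sinks; an IAST correlation engine would read these per request. */
        public static final Deque<String> SEEN = new ArrayDeque<>();

        public static String checkSink(String sql) {
            synchronized (SEEN) { SEEN.addLast(sql); }
            // A RASP policy would consult the taint tracker here and throw SQLException for tainted input.
            return sql; // handed back unchanged to the real executeQuery
        }
    }

    /** Sink owners from slide 14: the JDBC interface plus the driver packages. */
    static final List<String> SINK_OWNERS =
            List.of("java/sql/Statement", "com/mysql/", "com/ibm/db2/", "org/postgresql/");

    static boolean isSqlSink(String owner, String name, String desc) {
        boolean ownerMatch = SINK_OWNERS.stream().anyMatch(owner::startsWith);
        boolean nameMatch = name.equals("executeQuery") || name.equals("executeUpdate") || name.equals("execute");
        return ownerMatch && nameMatch && desc.startsWith("(Ljava/lang/String;)");
    }

    /** Steps 3-4: the JVM hands over each class's bytes before defining it; returning null means "unchanged". */
    static final class SinkTransformer implements ClassFileTransformer {
        @Override
        public byte[] transform(ClassLoader loader, String className, Class<?> redefined,
                                ProtectionDomain pd, byte[] classBytes) {
            if (className == null || className.startsWith("java/") || className.startsWith("javax/")
                    || className.startsWith("jdk/") || className.startsWith("sun/")
                    || className.startsWith("org/objectweb/asm/") || className.startsWith("com/example/taint/")
                    || SINK_OWNERS.stream().anyMatch(className::startsWith)) {
                return null; // JDK, drivers and the agent itself are not rewritten
            }
            // Class Parser -> Class Adapter -> Class Generator, as on slide 20
            ClassReader reader = new ClassReader(classBytes);
            ClassWriter writer = new ClassWriter(reader, ClassWriter.COMPUTE_MAXS);
            SinkAdapter adapter = new SinkAdapter(writer);
            reader.accept(adapter, 0);
            return adapter.changed ? writer.toByteArray() : null;
        }
    }

    /** Class Adapter: visits every method and inserts the hook call in front of each sink invocation. */
    static final class SinkAdapter extends ClassVisitor {
        boolean changed;

        SinkAdapter(ClassVisitor next) { super(Opcodes.ASM9, next); }

        @Override
        public MethodVisitor visitMethod(int access, String mName, String mDesc, String sig, String[] exc) {
            MethodVisitor mv = super.visitMethod(access, mName, mDesc, sig, exc);
            return new MethodVisitor(Opcodes.ASM9, mv) {
                @Override
                public void visitMethodInsn(int opcode, String owner, String name, String desc, boolean itf) {
                    if (isSqlSink(owner, name, desc)) {
                        // Operand stack here is [..., statement, sql]; checkSink pops sql and pushes it
                        // back, so the stack shape and the existing stack-map frames stay valid.
                        super.visitMethodInsn(Opcodes.INVOKESTATIC, "com/example/taint/TaintAgent$TaintHook",
                                "checkSink", "(Ljava/lang/String;)Ljava/lang/String;", false);
                        changed = true;
                    }
                    super.visitMethodInsn(opcode, owner, name, desc, itf);
                }
            };
        }
    }
}
```

The hook is deliberately a pass-through that only records what reached the sink: the transformer's job is to make the sink observable, and whether the observation becomes a blocked request (RASP) or a finding for the correlation engine (IAST) is decided by the taint policy, not by the bytecode rewrite. Skipping the JDK, the driver packages and the agent's own package keeps the transformer from recursing into itself and from instrumenting the driver's internal calls, which is also where most of the performance overhead mentioned on slide 28 would otherwise come from.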
  • 21. Dynamic Taint Analysis (Quick & Dirty): x = Request.getQueryParam("username") … y = copyString(x) … r = executeSQL(y)
  • 22. Dynamic Taint Analysis (Quick & Dirty): x = Request.getQueryParam("username") … y = copyString(x) … r = executeSQL(y). Input is tainted: x carries the taint label.
  • 23. Dynamic Taint Analysis (Quick & Dirty): same code, with the legend Tainted / Untainted. Input is tainted; everything else starts untainted.
  • 24. Taint Propagation: x = Request.getQueryParam("username") … y = copyString(x) … r = executeSQL(y). Data derived from user input is tainted: y inherits the label from x.
  • 25. Taint Sink: x = Request.getQueryParam("username") … y = copyString(x) … r = executeSQL(y). Tainted y reaches the sink executeSQL: policy violation detected.
  • 27. Challenges in Taint Analysis: Under Tainting → False Negatives; Over Tainting → False Positives; Taint Sanitization → False Positives
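The source → propagation → sink → policy chain of slides 21–25, with the RASP reaction of slide 11 (raise a SQL exception) and the IAST reaction of slide 12 (let the query run, record it for correlation) and the sanitization case of slide 27, as an added example that is not code from the deck. A production agent rewrites String and StringBuilder so taint flows automatically; here propagation is explicit and the label lives in an identity-keyed side table, which is enough to show the mechanics. The class TaintDemo, its methods, the Mode enum and the request maps are this example's own constructions, not a vendor API; the attack value is the one from slide 10.

```java
// Added example: a self-contained model of dynamic taint analysis (source, propagation, sink,
// policy) with RASP and IAST modes. Names and sample requests are constructed for this example.
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class TaintDemo {

    enum Mode { RASP, IAST }

    /** Taint labels keyed by object identity: two equal but distinct String objects are tracked separately. */
    static final Set<String> TAINTED = Collections.newSetFromMap(new IdentityHashMap<>());
    /** What an IAST correlation engine would receive. */
    static final List<String> FINDINGS = new ArrayList<>();
    static Mode mode = Mode.IAST;

    // --- Taint source (slide 22): anything read from the request is tainted ---
    static String getParameter(Map<String, String> request, String name) {
        String value = request.get(name);
        if (value != null) TAINTED.add(value);
        return value;
    }

    // --- Taint propagation (slide 24): output derived from a tainted input is tainted ---
    static String propagate(String result, String... inputs) {
        for (String in : inputs) {
            if (in != null && TAINTED.contains(in)) { TAINTED.add(result); break; }
        }
        return result;
    }
    static String copyString(String s) { return propagate(new String(s), s); }
    static String concat(String a, String b) { return propagate(a + b, a, b); }

    // --- Sanitizer (slide 27): strict allow-list validation returns an untainted value ---
    static String sanitizeAccountId(String s) {
        if (!s.matches("[0-9]{4}(-[0-9]{4}){3}")) throw new IllegalArgumentException("bad account id");
        return new String(s); // fresh object with no label; the caller's original stays tainted
    }

    // --- Taint sink (slide 25): the instrumented executeSQL; policy: no tainted data may reach it ---
    static String executeSQL(String sql) throws SQLException {
        if (TAINTED.contains(sql)) {
            if (mode == Mode.RASP) {
                // Slide 11: refuse the query; the application surfaces an error to the attacker
                throw new SQLException("Invalid SQL Query (blocked by taint policy)");
            }
            // Slide 12: let the query run and record it for correlation with the DAST engine's request
            FINDINGS.add("SQL injection: tainted data reached executeSQL: " + sql);
        }
        return sql; // stand-in for the real database round trip
    }

    /** Vulnerable flow from slide 10: the parameter is concatenated straight into the query. */
    static String lookupAccountUnsafe(Map<String, String> request) throws SQLException {
        String x = getParameter(request, "acct");
        String y = copyString(x);
        return executeSQL(concat("SELECT * FROM accounts WHERE acct='", concat(y, "'")));
    }

    /** Same query after validation: the sink sees an untainted string, so no finding is raised. */
    static String lookupAccountSafe(Map<String, String> request) throws SQLException {
        String acct = sanitizeAccountId(getParameter(request, "acct"));
        return executeSQL(concat("SELECT * FROM accounts WHERE acct='", concat(acct, "'")));
    }

    public static void main(String[] args) throws SQLException {
        Map<String, String> attack = Map.of("acct", "' OR 1=1-- ");           // constructed request, slide 10 payload
        Map<String, String> normal = Map.of("acct", "5424-6066-2134-4334"); // constructed benign request

        mode = Mode.IAST;
        lookupAccountUnsafe(attack);                     // query runs, one finding recorded
        System.out.println("IAST findings: " + FINDINGS);
        lookupAccountSafe(normal);                       // validated value: no new finding
        System.out.println("after sanitized request: " + FINDINGS.size() + " finding(s)");

        mode = Mode.RASP;
        try {
            lookupAccountUnsafe(attack);                 // blocked before the driver sees it
        } catch (SQLException e) {
            System.out.println("RASP: " + e.getMessage());
        }
    }
}
```

The identity-keyed table also shows two of the slide 27 failure modes. Labelling the request value's String object means any other reference to that same object (an interned literal, a cached value) looks tainted, which is over-tainting and a false positive; and because propagation is explicit, any derived value produced by a method that was not instrumented (a formatter, a third-party library) silently loses its label, which is under-tainting and a false negative. The sanitizer clears taint by returning a new object only after an allow-list check; a sanitizer that merely escaped characters would have to be registered with the policy as such, or every escaped value would keep reporting as a violation.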
  • 28. Challenges. RASP: performance overhead of instrumentation and taint analysis (are you ready for it?); taint analysis challenges (false positives, false negatives); no protection from logical vulnerabilities. IAST: time to discover vs. time to fix; instrumentation of the production code; has all the limitations of DAST.
  • 29. QA