Web Applications Security Assessment in the Portuguese WWW Panorama
Carlos Serrão (carlos.serrao@iscte.pt, carlos.j.serrao@gmail.com, http://www.carlosserrao.net, http://blog.carlosserrao.net, http://www.linkedin.com/in/carlosserrao)
Nuno Teodoro (nuno.filipe.teodoro@gmail.com, nfteodoro@hotmail.com, http://www.linkedin.com/in/nunoteodoro)
ISCTE-IUL/DCTI, Instituto Superior do Trabalho e da Empresa, Instituto Universitário de Lisboa, Departamento de Ciências e Tecnologias de Informação
Motivation (Iberic Web Application Security Conference 2009)
- Great academic interest
- Original study in Portugal
- Important in the Portuguese community: recent events expose the Portuguese network insecurity
Web application security assessment methodologies analysis
What do we have to start with?
- Online access to the Web application?
- Source code?
- Inside knowledge about the Web application?
What we can't do and what we can do, given that starting point:
- Application Security Architecture Review
- Automated Source Code Analysis
- Manual Security-Focused Code Review
- Automated External Application Scanning
- Manual Penetration Testing
Vulnerabilities identification
Selection of the Web applications to be tested
Main critical areas to assess: Public Administration Services and Banks (the most representative set of each).
Public Administration Services covered: Finances, Health Care, Social Security, Citizens' Portal.
Why were these Web applications chosen?
- Critical operations
- Portuguese domain
- Massive utilization
- Interesting in the Portuguese WWW panorama
Critical operations per area (and the actors involved):
- Finances: IVA, IES, IRS, Confirm TOC, IRC, Open Activity, IMI, IMT, Circulation Tax, Change NIB, Ask NIF; actors: citizens, companies, public entities, other entities
- Health Care: Pay services, Register; actors: citizens, public entities, health entities
- Social Security: Penalties, Register, Payments, Family pensions, Unemployed pensions, Retirement pensions, Others; actors: companies, employees
- Citizens' Portal: Create company, General services; actors: companies, citizens
Web applications security assessment methodology
Penetration testing in two modes: passive mode and active mode.
Steps:
1. Discovery
2. Document and analyse the discovery results
3. Create attack simulations on the target entity
4. Analyse each attack
5. Document the results of the attacks
6. Solutions to mitigate the problems
7. Presentation of the results to the entity
Apply the methodology to the web applications
The tests combine the OWASP Testing Guide and the WASC Threat Classification. Why combine both? They come from two important organizations, and together they give bigger issue coverage.
Tests results
The aim is to produce a report for each tested Web application, covering:
- The techniques and tools attackers will rely on to conduct these attacks
- Which exploits attackers will use
- Data exposed by the web application

- Getting the target entity to clearly agree that we are not liable for anything going wrong
- … be signed
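The passive-mode discovery step, the double OWASP/WASC classification and the per-application report described above, as one added example in Python. It is not the authors' tooling: the constructed response, the pairing of each check with a category and the function names are my own assumptions.

```python
"""Passive-mode discovery -> findings tagged with both taxonomies -> report.
Added example, not the authors' tooling. Category names follow the OWASP
Testing Guide and WASC Threat Classification as I recall them; pairing a
check with a category is my own illustrative mapping (an assumption)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    app: str         # label of the tested web application
    check: str       # passive check that fired
    evidence: str    # header line that triggered it
    owasp: str       # OWASP Testing Guide test
    wasc: str        # WASC Threat Classification class
    mitigation: str  # item for the "solutions to mitigate" step

# check -> (OWASP Testing Guide test, WASC TC class, mitigation)
CATEGORIES = {
    "server_version": ("Web Application Fingerprint", "Fingerprinting",
                       "Remove the version string from the Server header"),
    "x_powered_by": ("Web Application Fingerprint", "Information Leakage",
                     "Remove the X-Powered-By header"),
    "cookie_not_secure": ("Testing for Cookies attributes",
                          "Insufficient Transport Layer Protection",
                          "Set the Secure flag on session cookies"),
}

def parse_headers(raw):
    """(name, value) pairs of a raw response head, status line skipped,
    names lower-cased; folded headers are not handled."""
    pairs = []
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def passive_checks(app, raw):
    """Passive mode: only record what one response already discloses."""
    findings = []

    def add(check, evidence):
        owasp, wasc, fix = CATEGORIES[check]
        findings.append(Finding(app, check, evidence, owasp, wasc, fix))

    for name, value in parse_headers(raw):
        if name == "server" and any(ch.isdigit() for ch in value):
            add("server_version", f"Server: {value}")
        elif name == "x-powered-by":
            add("x_powered_by", f"X-Powered-By: {value}")
        elif name == "set-cookie":
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            if "secure" not in attrs:
                add("cookie_not_secure", f"Set-Cookie: {value}")
    return findings

def coverage(findings):
    """Distinct classes under OWASP, under WASC, and under both combined;
    each taxonomy splits issues the other lumps together."""
    owasp = {f.owasp for f in findings}
    wasc = {f.wasc for f in findings}
    return len(owasp), len(wasc), len(owasp | wasc)

def render_report(app, findings):
    """One report per tested application: exposed data plus mitigations,
    every finding tagged with both classifications."""
    lines = [f"Report: {app}", "Data exposed by the web application:"]
    for f in findings:
        lines.append(f"  - [{f.owasp} / {f.wasc}] {f.evidence}")
    lines.append("Solutions to mitigate the problems:")
    for fix in dict.fromkeys(f.mitigation for f in findings):
        lines.append(f"  - {fix}")
    return "\n".join(lines)

# Constructed sample response head; not captured from any real entity.
SAMPLE = ("HTTP/1.1 200 OK\r\n"
          "Server: Apache/2.2.3 (Unix)\r\n"
          "X-Powered-By: PHP/5.2.4\r\n"
          "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
          "Content-Type: text/html\r\n")
```

Running `render_report("example-portal", passive_checks("example-portal", SAMPLE))` prints the three findings and their two mitigations, and `coverage(...)` returns (2, 3, 5) for the same findings.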
Legal constraints
- A crucial point in this work
- Can lead to work invalidation if permissions are denied
- Can lead to entire work scope change
Mitigating the legal constraints: change target entities, at the cost of losing some of the interest…?

- Better understand the government services and identify process workflows
- Get better insight on tools, processes, methodologies, etc., to perform these assessments