Professional Documents
Culture Documents
Robert Rachwald
Imperva
OWASP Director, Security Strategy
OWASP
Why Data Security?
OWASP
The Underground Markets
OWASP
The Underground Markets
OWASP
Website Access Up for Sale
OWASP
Website Access Up for Sale
OWASP
THE CURRENT STATE OF
WEB APPLICATION
SECURITY
OWASP
WhiteHat Security Top 10 - 2010
OWASP
Situation Today
# of websites : 357,292,065
(estimated: July 2011)
# of x
vulnerabilities : 230
1%
821,771,600
vulnerabilities in active circulation
OWASP
Situation Today
# of websites : 357,292,065
(estimated: July 2011)
# of x
vulnerabilities : 230
But which will
1%be exploited?
821,771,600
vulnerabilities in active circulation
OWASP
Studying Hackers
• Focus on actual threats
– Focus on what hackers want, helping good guys
prioritize
– Technical insight into hacker activity
– Business trends of hacker activity
– Future directions of hacker activity
• Eliminate uncertainties
– Active attack sources
– Explicit attack vectors
– Spam content
• Devise new defenses based on real data
– Reduce guess work OWASP
Understanding the
Threat Landscape - Methodology
OWASP
What are Hackers Hacking?
OWASP
General Topics: Hacker Forum Analysis
Beginner Hacking
3%
2%
3% 2% Hacking Tutorials
5% 8% 25%
Website and Forum
3% Hacking
6%
Hacking Tools and
22% Programs
21% Proxies and Socks
Cryptography
Dates: 2007- 2011
OWASP
Top 7 Attack Techniques: Hacker Forum Analysis
9% 16%
12% spam
dos/ddos
12% 22% SQL Injection
zero-day
10% shell code
19% brute-force
HTML Injection
1600
1400
1200
1000
800
600
2010
400
200 2009
0 2008
2007
1400
1200
1000
800 12 months
More than a year ago
600
400
200
0
iPhone Android Blackberry Nokia
OWASP
What are Hackers Hacking?
SQLMap
Havij OWASP
Attacks from Automated Tools
OWASP
Low Orbit Ion Cannon
OWASP
Low Orbit Ion Cannon
OWASP
Low Orbit Ion Cannon
OWASP
DDoS 2.0
OWASP
DDoS 2.0
1 Compromised Server =
3000 PC- Based Bots
OWASP
What are Hackers Hacking?
OWASP
Lesson #1: Automation is Prevailing
80,000
OWASP
Lesson #1: Automation is Prevailing
OWASP
Lesson #2: The Unfab Four
OWASP
Lesson #2A: The Unfab Four, SQL Injection
OWASP
Lesson #2A: The Unfab Four, SQL Injection
OWASP
Lesson #2B: The Unfab Four, RFI
OWASP
Lesson #2B: The Unfab Four, RFI
Lesson #2B: The Unfab Four, RFI
OWASP
Lesson #2C: The Unfab Four, Directory
Traversal
OWASP
Lesson #2D: The Unfab Four, XSS
OWASP
Lesson #2D: The Unfab Four, XSS
OWASP
Lesson #2D: The Unfab Four
XSS: Zooming into Search Engine Poisoning
http://HighRankingWebSite+PopularKeywords+XSS
…
http://HighRankingWebSite+PopularKeywords+XSS
OWASP
Lesson #2D: The Unfab Four, XSS
OWASP
Lesson #3: Repeating Offenders
10 40 25
SQL Directory
RFI
Injection Traversal
OWASP
Lesson #3: Repeating Offenders
Attacks from…
From
29%
10 Sources
OWASP
MITIGATION
OWASP
Step 1: Dork Yourself (for SQL injection)
OWASP 49
WAFs in Reality
OWASP 50
WAFs in Reality
OWASP 51
Step 4: WAF + Vulnerability Scanner
Source: http://blogs.gartner.com/neil_macdonald/2009/08/19/security-no-brainer-9-application-vulnerability-scanners-should-communicate-with-application-firewalls/
OWASP - -
52
Virtual
Step 4: Patching through Scanner
WAF + Vulnerability Integration
Scanner
OWASP
Step 5: Stop Automated Attacks
Detecting protocol
anomalies even if they are
not considered malicious
Slowing down an attack is
most often the best way to
make it ineffective (e.g.
CAPTCHA, computational
challenges)
Feed the client with bogus
information (e.g hidden
links)
OWASP
Step 6: Code Fixing
Positives:
Root cause fixed
Earlier is cheaper
Issues
Expensive, time
consuming.
Never-ending process.
OWASP
Summary: The Anti-Hack Stack
Dork Yourself
Blacklist
WAF
WAF + VA
Stop Automated
Attacks
Code Fixing OWASP 56
QUESTIONS?
OWASP
THANK YOU!
OWASP