
11 Dec 2013


The OWASP Foundation

http://www.owasp.org

Copyright © The OWASP Foundation

Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

OWASP AppSec Washington DC 2009

The Present and Future Safety of the Web

Hangzhou DBAPPSecurity Information Technology Co., Ltd. (杭州安恒信息技术有限公司)
www.dbappsecurity.com.cn

Frank, CEO and CTO of DBAPPSecurity Co., Ltd.



Graduated from the University of California, Computer Science
More than ten years of technical R&D and project management at an internationally famous security company
Very senior experience in application security, database security, audit and compliance (SOX, PCI, ISO 17799/27001)
The first Chinese person to give a talk at the Black Hat security conference
CISSP, CISA, GCIH, GCIA
Vice President of the China OWASP chapter
2008 Beijing Olympics security group member
Director of the Security Services Committee of the Zhejiang Information Security Association
Among the most influential people in cyber warfare (2009 special)


Catalogue

The WEB Application Security Present Situation
The WEB Application Security Studies
Cloud computing and Cloud security
The WEB Application Security future development trends and challenges

Application Range

Any information system based on the B/S (browser/server) architecture:
application websites
e-mail systems
enterprise network office systems

General Framework

browser
applications
database
server software



Application Features

Universality: applications are extensive and cover every trade
Importance: internal information, the organization's publicity portal
Vulnerability: faces the user directly; the internal network can be invaded through the application system


Overview of the risks facing WEB applications

System Level: lower versions of IIS or Apache, missing patches on Windows

Application Level:
SQL Injection
XSS (Phishing Attack)
Form Flaw
Upload Attack
Website Trojan (Malicious Code)
……

Networking Level: ARP Spoofing Attacks
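The first item in the application-level list, SQL injection, is the one most directly caused by how the application builds its database queries. The following Python example is added here for illustration and is not code from the original slides or from DBAPPSecurity; it uses a constructed in-memory SQLite table and a hypothetical login lookup to contrast a query assembled by string concatenation with the same query using a bound parameter, so the reader can see why the second form treats attacker-controlled text as data rather than as SQL.

```python
import sqlite3


def build_db():
    """Constructed sample data: a tiny users table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The flaw: untrusted input is pasted into the SQL text itself.

    Any quote character in `name` ends the string literal early and the rest
    of the input becomes part of the WHERE clause.
    """
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """The fix: a bound parameter. SQLite receives the SQL and the value
    separately, so the value can never change the statement's structure."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups with an ordinary name and with a constructed input
    containing a quote; return the four result sets for comparison."""
    conn = build_db()
    ordinary = "bob"
    quoted_input = "x' OR '1'='1"  # constructed: a value with embedded quotes
    return {
        "vulnerable_ordinary": lookup_vulnerable(conn, ordinary),
        "vulnerable_quoted": lookup_vulnerable(conn, quoted_input),
        "safe_ordinary": lookup_safe(conn, ordinary),
        "safe_quoted": lookup_safe(conn, quoted_input),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:>20}: {rows}")
```

With the quoted input, the concatenated query returns every row of the table (the WHERE clause has become `name = 'x' OR '1'='1'`), while the parameterised query returns nothing because no user is literally named `x' OR '1'='1`. The same principle, keeping untrusted data out of the code that interprets it, is what the form-flaw and upload-attack items in the list call for as well.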



The current situation of online security is alarming

Network Security Report for the first half of 2010

Network security threats have already shifted from traditional host attacks and network attacks to application attacks.

[Figure: host attacks, network attacks, application attacks]

Hackers' industry chain

[Figure: the hacker industry chain. Intrusion activities: intruding into enterprise servers, mass intrusion of portal websites, building botnets, denial-of-service attacks, sending spam, actively attacking and extorting websites, hired attacks for a commission, paid distribution of rogue software. Stolen goods: online banking accounts, securities trading accounts, virtual property, personal information, confidential information (drawings, financial statements, etc.). Monetization: selling the data, obtaining money, money laundering.]


Application security incidents are endless

MySQL.com and sun.com were broken into in March 2011

The attacker got in through a user page on MySQL.com and obtained a dump of the database, its tables and the stored user passwords. More seriously, the attacker published the user password data on the Internet for others to crack. Worse still, the password of the person in charge of MySQL products was cracked (it was, unexpectedly, only 4 digits: so much for safety consciousness).


SONY data servers were broken into in April 2011

SONY of Japan held a news conference in Tokyo on May 1 and apologized for the theft of its network game customers' information. They also admitted that 10 million credit card records may have been leaked and asked the Federal Bureau of Investigation (FBI) to investigate.

Gmail was hacked in June 2011

Sina Weibo was attacked by hackers in June 2011

One operator was hacked, and information about 14 million of its users was traded

The attacks were quiet

[Figure: a web server and a database behind a firewall, with the attacked components listed: Authentication, Data Dictionary, Privileges/Roles, Sensitive App Data, OS file access, Buffer overflow, DoS]


The WEB Application Security Studies

WebMail XSS vulnerability attacks are frequent

In early 2011, the security research service team of a well-known domestic professional security, application security and database company, while monitoring the mainstream WEB attack methods used by hackers, found that XSS attacks against WebMail systems were frequent and caused many Internet users to be attacked.

In order to protect more Internet users from attack, the company's security research service team took the initiative to study the XSS holes present in many well-known large domestic WebMail systems.

They reported the problems to Tencent, Netease, etc., which kept them from harm.
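A WebMail front end is a textbook XSS setting: the sender, subject and body of every message are attacker-supplied text that the site then renders as HTML for another user. The Python example below is added for illustration and is not code from the original slides or from any of the vendors named; it uses a constructed message and a hypothetical message template to show the unescaped rendering that produces the hole, the escaped rendering that closes it, and a small parser-based check a defender can run over rendered output to confirm that no script element, event-handler attribute or `javascript:` URL survived.

```python
import html
from html.parser import HTMLParser

# Constructed sample message, as a webmail backend might receive it.
# The sender field carries a quote to break out of an attribute; the body
# carries a script element. Both are attacker-controlled text.
SAMPLE_MESSAGE = {
    "sender": 'mallory" onmouseover="alert(1)',
    "subject": "Re: invoice",
    "body": "Hello,<script>alert(document.cookie)</script> see attached.",
}

# Hypothetical message template. Every placeholder sits either in element
# text or inside a double-quoted attribute, which is what makes
# html.escape(quote=True) the right encoder for all three fields.
TEMPLATE = (
    '<div class="mail" data-sender="{sender}">'
    "<h3>{subject}</h3><p>{body}</p></div>"
)


def render_vulnerable(msg):
    """The hole: untrusted fields are interpolated into HTML as-is."""
    return TEMPLATE.format(**msg)


def render_safe(msg):
    """The fix: HTML-encode every untrusted field for its context first.

    quote=True also encodes " and ', so a value placed inside a quoted
    attribute cannot terminate the attribute and add a new one."""
    escaped = {k: html.escape(v, quote=True) for k, v in msg.items()}
    return TEMPLATE.format(**escaped)


class ActiveContentDetector(HTMLParser):
    """Walks rendered HTML and records script-capable constructs."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler attribute {name}")
            if name in ("href", "src") and value and \
                    value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name}")


def active_content_findings(fragment):
    """Defender-side check: list the active constructs a real HTML parser
    sees in `fragment`. Parsing, rather than substring matching, matters:
    an escaped &quot; onmouseover=... inside an attribute value is inert,
    and only a parser can tell it apart from a live attribute."""
    detector = ActiveContentDetector()
    detector.feed(fragment)
    detector.close()
    return detector.findings


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("safe", render_safe)):
        out = render(SAMPLE_MESSAGE)
        print(f"[{label}] {out}")
        print(f"[{label}] findings: {active_content_findings(out)}")
```

The unescaped rendering yields a `div` with a live `onmouseover` handler and a `script` element inside the paragraph; the escaped rendering contains the same characters only as `&quot;`, `&lt;` and `&gt;` entities, which the parser reports as plain text. Encoding must match the context the template places each value in: the example is only correct because every placeholder is either element text or a double-quoted attribute value.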


The software side of WEB security

The WEB-related content in software has also increased, such as:
extending the browser's functions through ActiveX
software embedded in the browser
calling remote WEB pages

The security research service team of a well-known domestic professional security, application security and database company carried out security research in these areas and found many related security holes and security problems.

ActiveX control extended functions causing safety problems
One bank's control could destroy arbitrary files on the client, corrupting the boot.ini file

ActiveX control overflow
A stack overflow in the IBM AppScan licensing control

Software information leakage was a cause of WEB security threats
Ali Wangwang opened a WEB port that leaked single sign-on information.

XSS is frequent
Netease Mail "Lightning" client: local cross-site scripting, executing scripts with the privileges of the local zone

Software-embedded WEB pages have security problems
Grand ET speech invoked a remote WEB page containing a cross-site scripting flaw, affecting the software's security



Cloud computing and Cloud security

Cloud computing

Cloud computing is a web-based method in which shared software and hardware resources and information are provided on demand to computers and other equipment. The whole operating mode is very much like the electricity grid.

Cloud computing is another big change, following the change from mainframes to client/server in the 1980s. Users no longer need to know the details of the infrastructure in the "cloud", do not need the corresponding professional knowledge, and do not need to control it directly. Cloud computing describes a new web-based model for the growth, use and delivery of IT services, usually involving dynamically scalable and often virtualised resources provided through the Internet. "Cloud" is actually a metaphor for the network, the Internet: in the past a cloud was often used in diagrams to represent the telecommunications network, and later to represent the Internet and an abstraction of its underlying infrastructure. Typical cloud computing providers offer common online business applications that can be accessed through browser software or other Web services, with the software and data stored on the servers. The key elements of cloud computing include the individual user experience.

Cloud computing can be thought of as comprising the following levels of service: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Cloud computing services usually provide general online business applications accessed through the browser, with the software and data stored in the data center.

Cloud computing

The scale, intensiveness and specialization of the service change the pattern in which information resources are repeatedly dispersed and safety equipment is hard to manage and control; this fundamentally changes the whole security pattern and should be beneficial to safety management and control. But cloud computing is not a new weapon for solving security problems. As a web-based computing mode, cloud computing will inevitably also suffer, in the course of service, from the holes, viruses, attacks and information leakage that are common to all information systems. Therefore, traditional information security technology will continue to be applied to the safety management of the cloud computing center itself, and cloud computing itself is a direction in which information security technology develops.

Cloud computing and Cloud security

Cloud security

It should be emphasized that the cloud security people are concerned about is, in essence, the management of trust between the data-owning party and the storage service party. The core of the cloud computing model is service, and the premise of service is the establishment of trust between users and providers. That is, the data-owning party and the storage service party form an agreement on the use of the data and, through credit on both sides and mutually binding constraints, ensure that the data is used reasonably and legitimately and is not abused. The safety and trustworthiness of the computing cloud is an inherent quality accumulated out of the interaction and evolution of all kinds of users, the providers and the community. To establish the trust and social relations that cloud computing service users need, the most basic and most important thing is the guarantee provided by the democracy of the Internet: the power formed from the bottom up, or the credit reflected in the interaction and evolution of the community. How to better abstract and apply the trust that emerges in the evolution of the community is the key problem of trust management in cloud security. The establishment, maintenance and management of trust in cloud computing can be assisted by a trust system that combines social and technological means.

Cloud computing and Cloud security

Security itself can also become a kind of service. We can build a security center in the computing cloud that provides specialized services for customers, just like hotel security: the principle is the same as hiring specialists. Through the cloud computing security center, intensive and professional security services can be realized, changing the current condition in which everyone patches and kills viruses on their own. So basically, the scale, intensiveness and professionalism of computing clouds is good for security, not bad.


2009 / 2010

Google's mailbox "Google Gmail" suffered a global fault; the service was interrupted for as long as 4 hours.
Azure, Microsoft's cloud computing platform, stopped working for about 22 hours.
Rackspace suffered a serious cloud service outage.
Almost 68,000 Salesforce.com users went through at least 1 hour of downtime.
VMware's partner Terremark suffered about 7 hours of downtime, so that many users began to doubt its enterprise-class vCloud Express service.
Intuit's online bookkeeping and development services went through a great crash; its own web pages and online products were paralysed for nearly two days.
Microsoft suffered BPOS service disruption events.

Cloud computing and Cloud security

2011

……

In March 2011, Google Mail suffered a large-scale user data loss again:
About 150,000 Gmail users found on Sunday morning that all their email and chat records had been deleted.
Some users found that their accounts had been reset.
Google said the affected users accounted for about 0.08% of the total number of users.

On April 22, 2011, servers in an Amazon cloud data center suffered extensive downtime. The incident is believed to be the most serious cloud computing security event in Amazon's history.

Cloud safety accidents occur frequently

……


The future development trends and challenges

Botnet gangs launch turf wars.
Attacks based on Web 2.0 become more complex and popular.
Smart phones are the next inevitable target.
Complex mixed attacks will hold the dominant position domestically.
At the same time, e-mail and the Web are also increasingly included in mixed attacks.

Cloud security, cloud detection

Core Internet applications are facing serious challenges, such as online banking, online business halls, online shopping, online games, etc. Many malicious attacks target the Web server, obtaining others' personal account information through various means to seek profit.

The number of hackers is growing rapidly, hacker attack technology is developing rapidly, and attacks change endlessly.

The current security defense methods cannot solve unknown vulnerabilities and back doors.


The future development trends and challenges

Network war upgrades

In May 2010, the US Army's network command started dealing with network attacks
Various countries set up organizations for dealing with network attacks
The threat from Chinese hackers upgrades