Rise of the Planet Anonymous - Errazudin Ishak - owasp


Nov 18, 2013


Copyright © The OWASP Foundation

Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org


RISE OF THE PLANET OF THE ANONYMOUS

ERRAZUDIN ISHAK
STAFF ENGINEER
MIMOS BERHAD, MALAYSIA
errazudin.ishak@mimos.my
+603 89955000

14 April 2012

Rise of the Planet of the Anonymous

(and what you should do as a developer, system wrangler, architect..)



Agenda

You

Me

Anonymous

Why PHP

PHP Security

Resources




About You

Name :

Designation :

Day job :

Night job :

About Me

Staff Engineer @ Mimos Bhd, Malaysia

Focuses on web application development, deployment, performance, security and stability.


About Me

2009 : foss.my, MyGOSSCON

2010 : Entp. PHP Techtalk, BarcampKL, PHP Meetup, MOSC2010, PHP Northwest UK, MyGOSSCON

2011 : INTAN Tech Update, Wordpress Conf. Asia, Joomla! Day, MOSC, OWASP Day


Source : http://goo.gl/GmxVs

Anonymous hackers are real people with real techniques

Source : Imperva http://goo.gl/wmu5f


Anonymous will try to steal data first and, if that fails, attempt a DDoS attack

Source : Imperva http://goo.gl/wmu5f

Volunteers : Skilled, Laypeople

Source : Imperva http://goo.gl/wmu5f

Phases (25 days) : Recruit, Reconnaissance and application attack, DDoS

Source : Imperva http://goo.gl/wmu5f

Why So Serious?

Chart (News) : ATTACKED, RECOVERED (values 91 and 76)

Source : http://goo.gl/oVjqz

“…anonymous, uncontrolled, always on, and instantly accessible from anywhere”

Internet

Evolution..

..becomes revolution

http://evolutionofweb.appspot.com/

..oopps

"Good programmers write code, great programmers reuse, awesome programmers.. ?"

Does it apply here? (web security)

"Good programmers write code, great programmers reuse, awesome programmers HACK!"

Source : http://xkcd.com/424/

Web security

Completely secure system is virtually impossible

Why? Risk vs. usability

Agenda : Checkpoint

You

Me

Anonymous

Why PHP

PHP Security

Resources

Why PHP

“More internet applications speak PHP than any other”

Why PHP

Usage of server-side programming languages for websites :

PHP 77%
ASP.NET 22%
Java 4%
ColdFusion 1%
Perl 1%
Ruby 1%
Python 0%

Source : http://w3techs.com

PHP Secure?

Developer

PHP

Enterprise

User

PHP is not the culprit, we (developer, sys admin, architect) are.

Why PHP

“People have to understand their systems well to know where security issues are likely to appear”

Agenda

You

Me

Anonymous

Why PHP

PHP Security

Resources






PHP Security

Secure Ecosystem

Source: Datamation http://goo.gl/UaSWL

PHP Security

Secure Ecosystem, Maintain it!

Dev/prod environment

Up to date

Secured network

Access (Permissions)

Secure Operations

PHP Security

Secure Operations, also practice it!

Human only

User identification

Role based actions

Track/Audit trail

Secure Programming

PHP Security

Secure Programming, practice it!

Input validation

DB

XSS/CSRF/Session

Access (Permissions)

Source: Datamation http://goo.gl/PjFqQ

PHP Security

“Security takes an ongoing effort and a lot of little things instead of one big one”

Security. (Remember Risk vs. Usability)

Source : xkcd.com

Detect/Mitigate

Monitor the trend

Protect your apps

Last resort = DDoS

Be proactive, love your ‘error messages’ and unusual patterns :)

Source : http://goo.gl/wmu5f

Resources

php|architect’s Guide to PHP Security http://goo.gl/cUxuB

Pro PHP Security http://goo.gl/HGIkI

Defcon 19 http://goo.gl/S8Qw4

Artur Ejsmont’s blog http://goo.gl/HGUkg

Imperva http://goo.gl/wmu5f

Arachni http://arachni-scanner.com

Suhosin http://www.hardened-php.net/suhosin/

Thank You

* All images, logos and data are the
copyright of their respective owners