Soroush Dalili 9 Dec. 2008 Computer Security MSc. of Birmingham University


Which part of network should be more secure than the others?

By the risk assessment?

Security is like a chain; it is only as strong as the weakest link.

(Chain diagram, links labelled: Web Server, Database, DNS, Mail Server, RAS Server)

Some interesting facts

- 95% of websites are vulnerable [1]
- Average of 7 vulnerabilities per website [2]
- No one wants to use a web application if there is a possibility of information compromise to unauthorized people
- On average, more than 10 security vulnerabilities in web applications are published every day.


Gartner Rule [3]

(Chart residue: two comparisons of Web Applications against Network Servers, with values 75% / 25% and 90% / only 10%)

Key Problem Factors [4]

- Immature Security Awareness
- In-House Development
- Deceptive Simplicity
- Rapidly Evolving Threat Profile
- Resource and Time Constraints



Solution

SSL, Firewall, or any specific tools? NO!

- Secure Design
- Secure Programming
- Periodic Penetration Tests
- Source Code Audit



The best free web application security reference

WWW.OWASP.ORG

The Open Web Application Security Project

- Focused on improving the security of application software.
- More than 100 categorized vulnerabilities in web applications!

Yesterday's News about web application security (8-12-2008) [5]

- SquirrelMail Insecure Cookie Disclosure Weakness
- IBM Rational ClearQuest Web Multiple Unspecified Cross Site Scripting Vulnerabilities
- "Apple iPhone Configuration Web Utility" for Windows Directory Traversal Vulnerability
- TikiWiki Multiple Unspecified Vulnerabilities
- "Secure Downloads for vBulletin" 'fileinfo.php' SQL Injection Vulnerability
- "XOOPS" Local File Include and HTML Injection Vulnerabilities





Thank you very much

Questions?


References

[1] Studies from numerous penetration tests by Imperva, http://www.imperva.com/application_defense_center/papers/how_safe_is_it.html

[2] Jeremiah Grossman, "Website Vulnerabilities Revealed: What everyone knew, but afraid to believe", WhiteHat Security, 2008

[3] Gartner, Nov 2005, http://gartner.com

[4] Dafydd Stuttard, Marcus Pinto, "The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws", Wiley Publishing Inc., 2008

[5] http://www.securityfocus.com