Web application Security tools

Post on 07-Jan-2017


Web Application Security Tools

(GEIT-862) Information Risk Assessment and Security Management

I am Nico Penaredondo, Software Developer @ UP-ITDC

Web Application Security

Web Application Security is a branch of Information Security that deals specifically with the security of websites, web applications and web services.

2013 OWASP Top 10 (2010 vs 2013)

#    2010                                          2013
1    Injection                                     Injection
2    Cross-Site Scripting (XSS)                    Broken Authentication & Session Management
3    Broken Authentication & Session Management    Cross-Site Scripting (XSS)
4    Insecure Direct Object Reference              Insecure Direct Object Reference
5    Cross-Site Request Forgery (CSRF)             Security Misconfiguration
6    Security Misconfiguration                     Sensitive Data Exposure
7    Insecure Cryptographic Storage                Missing Function Level Access Control
8    Failure to Restrict URL Access                Cross-Site Request Forgery (CSRF)
9    Insufficient Transport Layer Protection       Using Components w/ Known Vulnerabilities
10   Unvalidated Forwards and Redirects            Unvalidated Forwards and Redirects

Source: https://www.owasp.org/index.php/Top_10_2013-Top_10

The Open Web Application Security Project (OWASP) is a worldwide non-profit charitable organization focused on improving the security of software.

Web Application Attack Statistics

Source : https://www.owasp.org/index.php/Top_10_2013-Top_10

$3,100,000/yr: average cost of web application attacks

78%: organizations that have had web applications compromised

69%: said that a web application firewall (WAF) is necessary or critical

Top 3 Reasons to Secure Web Applications

Protection of Data

Revenue Loss

Compliance

Number of full-time employees needed to manage a web application firewall

Source: https://www.stateoftheinternet.com/downloads/pdfs/resources-web-security-2015-web-app-attack-stats-ponemon-infographic.pdf

117,339: average security incidents around the world per day (2014)

Source: http://www.cgma.org/magazine/news/pages/201411089.aspx

This slide is intentionally left blank

Zed Attack Proxy (ZAP)

ZAP is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Acunetix

Acunetix automatically crawls and scans off-the-shelf and custom-built websites and web applications for SQL Injection, XSS, XXE, SSRF, Host Header Attacks and over 500 other web vulnerabilities.

Acunetix is a fully automated web browser that can understand and interact with complex web technologies such as AJAX, SOAP/WSDL, SOAP/WCF, REST/WADL, XML, JSON, Google Web Toolkit (GWT) and CRUD operations just like a regular browser would.

Acunetix can crawl complex web application architectures, including JavaScript-heavy HTML5 Single Page Applications, while being able to scan restricted areas automatically and with ease.


Vega

Vega is a free and open source scanner and testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.

Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection. The Vega scanner finds XSS (cross-site scripting), SQL injection, and other vulnerabilities. Vega can be extended using a powerful API in the language of the web: JavaScript.

Thank you
