Top Application Security Threats
And How To Counter Them
Web- and cloud-based applications are being developed at a breakneck pace as technology advances more quickly than ever before. Companies that aren’t first to market often are left behind, but putting speed above security has led to a serious consequence: Many applications are fundamentally flawed, making it possible for hackers to steal critical data, hijack user inputs or deny service entirely. Better security isn’t impossible. The following slides present an application security checklist — a look at how your company can counter the impact of seven top application security threats.
Threat No. 1 | Timid Testing

If your application lives on the Internet, hackers will try to break in. Unfortunately, your own code provides the easiest access into most applications. The problem is timid testing. Don’t take for granted that threat actors will overlook your apps just because yours isn’t a high-profile enterprise application and you aren’t connected to a critical database.

Hackers are opportunists looking for the easiest way into ANY network — and the median number of app vulnerabilities has climbed from just six in 2013 to 20. While protecting applications from all malicious actors likely is impossible, you can significantly reduce the chance of a successful attack with comprehensive testing. Test everything. Data inputs. Data outputs. Give developers the time and resources to “break” their applications and see what happens. Hire third parties to claw their way in and cause trouble. When it comes to code, never take anything for granted.
Threat No. 2 | DoS and DDoS

A Denial of Service (DoS) attack is one of the quickest ways to sideline your application. Hackers can interrupt or disable access to web- or cloud-based applications by flooding them with access requests or strings of random characters. It gets worse: Many cybercriminals now use multiple infected machines — a “botnet” — to conduct what’s known as a distributed denial of service attack (DDoS). These attacks happen much faster, are harder to predict and can shut down sites or applications within minutes. More recent variants leveraged Internet of Things-connected devices such as cameras and routers to deliver DDoS speeds of up to a terabyte per second, more than any application or site can reasonably handle.
Threat No. 2 | DoS and DDoS (continued)

To handle DoS and DDoS threats, first recognize you’re not alone: 53 percent of IT security pros said in a survey that DoS ranks among their top concerns. But there are tools you can add to do the following:

• Detect a sudden uptick in access requests.
• Shut down multiple requests from the same IP.
• Send alerts to administrators if potential DDoS activity is detected.
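The three capabilities listed above, as an added illustration that is not part of the deck: a sliding-window detector run over constructed access-log lines, which blocks a single IP that exceeds a per-IP rate and raises one admin alert when the overall request rate crosses a threshold. The log format, window length and limits are assumptions chosen for the demo; the lines are assumed to arrive in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines in common log format (not from a real server).
# 203.0.113.7 sends a burst on its own; 198.51.100.x is a spread of sources arriving together.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:30 +0000] "GET /login HTTP/1.1" 200 1043
198.51.100.2 - - [10/Oct/2023:13:55:31 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:31 +0000] "GET /login HTTP/1.1" 200 1043
203.0.113.7 - - [10/Oct/2023:13:55:32 +0000] "GET /login HTTP/1.1" 200 1043
203.0.113.7 - - [10/Oct/2023:13:55:32 +0000] "GET /login HTTP/1.1" 200 1043
203.0.113.7 - - [10/Oct/2023:13:55:33 +0000] "GET /login HTTP/1.1" 200 1043
203.0.113.7 - - [10/Oct/2023:13:55:33 +0000] "GET /login HTTP/1.1" 200 1043
198.51.100.3 - - [10/Oct/2023:13:55:40 +0000] "GET /api/items HTTP/1.1" 200 880
198.51.100.4 - - [10/Oct/2023:13:55:40 +0000] "GET /api/items HTTP/1.1" 200 880
198.51.100.5 - - [10/Oct/2023:13:55:41 +0000] "GET /api/items HTTP/1.1" 200 880
198.51.100.6 - - [10/Oct/2023:13:55:41 +0000] "GET /api/items HTTP/1.1" 200 880
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /api/items HTTP/1.1" 200 880
198.51.100.8 - - [10/Oct/2023:13:55:42 +0000] "GET /api/items HTTP/1.1" 200 880
198.51.100.9 - - [10/Oct/2023:13:55:42 +0000] "GET /api/items HTTP/1.1" 200 880
198.51.100.10 - - [10/Oct/2023:13:55:42 +0000] "GET /api/items HTTP/1.1" 200 880
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW = timedelta(seconds=10)   # assumed sliding-window length
PER_IP_LIMIT = 5                 # assumed: requests per window from one IP before it is blocked
GLOBAL_LIMIT = 8                 # assumed: total requests per window before admins are alerted


def parse_line(line):
    """Return (client_ip, timestamp) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def analyze(lines):
    """Replay log lines through per-IP and global sliding windows.

    Returns a list of events: ("block", ip, iso_time) when one IP exceeds
    PER_IP_LIMIT, and ("alert", count, iso_time) once per episode in which the
    overall rate exceeds GLOBAL_LIMIT (the alert is not repeated while it lasts).
    """
    per_ip = defaultdict(deque)
    overall = deque()
    blocked = set()
    alerting = False
    events = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        cutoff = ts - WINDOW
        # Per-IP window: append, then drop timestamps that have fallen out of the window.
        q = per_ip[ip]
        q.append(ts)
        while q[0] < cutoff:
            q.popleft()
        # Global window, maintained the same way.
        overall.append(ts)
        while overall[0] < cutoff:
            overall.popleft()
        if ip not in blocked and len(q) > PER_IP_LIMIT:
            blocked.add(ip)
            events.append(("block", ip, ts.isoformat()))
        if len(overall) > GLOBAL_LIMIT:
            if not alerting:
                alerting = True
                events.append(("alert", len(overall), ts.isoformat()))
        else:
            alerting = False
    return events


if __name__ == "__main__":
    for event in analyze(SAMPLE_LOG.splitlines()):
        print(event)
```

On the sample, the single noisy source is blocked at 13:55:33 and the spread of sources trips the global alert at 13:55:40; in production the "block" event would feed a firewall or rate limiter and the "alert" event a paging channel.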
Threat No. 3 | SQL Injection

Many apps now include “username” and “password” fields that use structured query language (SQL) to make a database request, typically using the “SELECT” query. But many apps don’t block the use of other SQL commands in these fields, making it possible for hackers to exploit common access points to gain total database control. This is especially problematic thanks to the rise of automated tools that can spam apps with SQL requests to see what works. At least one estimate says 60 percent of all web apps are vulnerable to SQL injection.

60% of all web apps are vulnerable
Threat No. 3 | SQL Injection (continued)

Solving the problem starts with cleaning up your app. It’s a good idea to include code strings that force the application to replace all single apostrophes with double apostrophes, making it impossible for hackers to use it as a string delimiter. Next, eliminate any debugging information pushed to the user in the event of an application error, since this could give them valuable database knowledge. Finally, lock down account permissions tied to executable web app code.
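An added example, not code from the deck, showing the first two measures side by side with the problem they address: a username lookup built by string concatenation, the deck's apostrophe-doubling fix, and a parameterized query (the standard remedy, which removes the need to remember quoting rules at all), plus a wrapper that hides the driver's error text from the user. The in-memory SQLite table and its rows are constructed for the demo; a username that legitimately contains an apostrophe is enough to show why the concatenated form is fragile.

```python
import sqlite3

# Server-side log where the real error text goes; users only ever see a generic message.
SERVER_LOG = []


def make_db():
    """Constructed in-memory sample database (not a real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("o'brien", "hash-b")],   # one name contains an apostrophe
    )
    conn.commit()
    return conn


def lookup_concatenated(conn, username):
    # Vulnerable pattern: the user-supplied value becomes part of the SQL text,
    # so a quote inside the input changes the structure of the statement.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def escape_quotes(value):
    # The deck's mitigation: double every single quote so it can no longer
    # terminate the string literal it sits in.
    return value.replace("'", "''")


def lookup_escaped(conn, username):
    sql = "SELECT username FROM users WHERE username = '" + escape_quotes(username) + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # Preferred fix: the bind parameter is handed to the driver separately and is
    # never parsed as SQL, so no escaping has to be remembered per call site.
    return conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchall()


def user_facing_lookup(conn, username):
    # Never push the driver's error text to the user: it reveals table names,
    # quoting rules and other details that help an attacker. Log it server-side.
    try:
        return lookup_concatenated(conn, username)
    except sqlite3.Error as exc:
        SERVER_LOG.append(f"{type(exc).__name__}: {exc}")
        return "Request could not be processed"


if __name__ == "__main__":
    db = make_db()
    print(user_facing_lookup(db, "o'brien"))     # generic message; detail is in SERVER_LOG
    print(lookup_escaped(db, "o'brien"))         # [('o\'brien',)]
    print(lookup_parameterized(db, "o'brien"))   # [('o\'brien',)]
```

The third measure in the text, least-privilege database accounts, is a server configuration rather than application code: the account the web app connects with should hold only the SELECT/INSERT/UPDATE rights its queries need, so that a successful injection cannot alter schema or read unrelated tables.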
Threat No. 4 | XSS Attacks

It’s estimated that more than half of all web applications contain cross-site scripting (XSS) vulnerabilities. Attackers try to alter the function of an app by injecting new “script” and forcing the application to execute it, in turn giving them control of a website or application and all content seen by users. While some programming languages come with controls such as the “same origin policy” to curtail the use of outside code, XSS attacks may be able to bypass this requirement.

Cutting off cross-site scripting means adopting a number of key defensive strategies, such as developing a content security policy that determines which web-based scripts can and can’t be loaded by an app. It’s also a good idea to employ input validation and output encoding to help mitigate this threat. Input validation ensures that data entry matches an expected format, while output encoding mandates that specific characters are treated as display text instead of executable code.
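The three defences named above in one added example (not the deck's code): a format check for a username, an HTML output encoder applied to every untrusted value before it is placed in markup, and a Content-Security-Policy header that only allows the app's own origin plus scripts carrying a per-response nonce. The profile page, its field names and the username format are assumptions for the demo.

```python
import html
import re
import secrets

# Assumed input format for usernames: letters, digits and underscore, 3 to 32 characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def validate_username(value):
    """Input validation: accept only the exact format the app expects."""
    return USERNAME_RE.fullmatch(value) is not None


def encode_for_html(value):
    """Output encoding: < > & " ' become entities, so the browser renders them as
    display text instead of parsing them as markup or script."""
    return html.escape(str(value), quote=True)


def render_profile(display_name, bio, nonce):
    """Render a profile fragment. Every untrusted value passes through the encoder,
    in both text and attribute positions; only the app's own script carries the nonce."""
    name = encode_for_html(display_name)
    return (
        f'<h1 title="{name}">{name}</h1>\n'
        f'<p class="bio">{encode_for_html(bio)}</p>\n'
        f'<script nonce="{nonce}">initProfile();</script>'
    )


def csp_header(nonce):
    """Content Security Policy for the response: scripts may only come from this origin
    or carry this response's nonce; inline handlers, remote scripts and plugins are refused."""
    return (
        "Content-Security-Policy: "
        f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'self'"
    )


def new_nonce():
    """Fresh unpredictable nonce per response, from the OS CSPRNG."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    n = new_nonce()
    print(csp_header(n))
    # A stored bio containing markup is shown to visitors as text, not executed.
    print(render_profile("Mallory", "<script>x()</script> & co", n))
```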
Threat No. 5 | Stock Permissions and APIs

To make creating apps easier, many developers rely on application programming interfaces (APIs). Why re-create work that’s already been done by someone else? But there’s a problem: While enterprises are taking steps to control API use, 65 percent say they have no processes for overall API security. As a result, if hackers can find vulnerabilities in the APIs used to create your app, they may also have access to your code. The same goes for stock permissions — the “standard” username and password many developers build into their testing apps but never remove when the code goes live. With just a bit of brute-force effort, hackers may easily breach your app.

Best practices to fight this:

• Use more encryption than you think is necessary.
• Build in code delays.

Examples of code delays would be using email verifications or increasing time spans between each unsuccessful login attempt. This would deter hackers who use automated bots to fish for username and password combinations.

65% have no process for overall API security
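The two concerns above, stock credentials left in production and increasing delays between failed logins, as an added example that is not the deck's code: a startup check that flags accounts still using a known default pair, and a per-account throttle whose wait doubles after every failure (1 s, 2 s, 4 s, up to a cap). The default-credential list, the delay schedule and the injectable clock are assumptions for the demo; a real application compares password hashes, not plaintext.

```python
import time

# Constructed list of stock credential pairs commonly left in test builds (extend for your stack).
STOCK_CREDENTIALS = {("admin", "admin"), ("test", "test"), ("root", "password")}


def find_stock_accounts(accounts):
    """Startup check: return usernames whose (username, password) pair is a stock default.
    `accounts` holds plaintext pairs only in this demo; compare hashes in a real app."""
    return sorted(user for user, pw in accounts if (user, pw) in STOCK_CREDENTIALS)


class LoginThrottle:
    """Increasing delay between unsuccessful attempts, tracked per account.

    `clock` is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, base_delay=1.0, max_delay=300.0, clock=time.monotonic):
        self.base, self.cap, self.clock = base_delay, max_delay, clock
        self.failures = {}   # username -> (consecutive failures, time of last failure)

    def retry_after(self, username):
        """Seconds the caller must still wait before another attempt (0.0 if none)."""
        count, last = self.failures.get(username, (0, 0.0))
        if count == 0:
            return 0.0
        wait = min(self.base * 2 ** (count - 1), self.cap)
        return max(0.0, last + wait - self.clock())

    def record_failure(self, username):
        count, _ = self.failures.get(username, (0, 0.0))
        self.failures[username] = (count + 1, self.clock())

    def record_success(self, username):
        self.failures.pop(username, None)


def attempt_login(throttle, username, password, check_password):
    """Return 'ok', 'denied' or 'throttled'. `check_password` is the app's own verifier."""
    if throttle.retry_after(username) > 0:
        return "throttled"          # refused before the verifier runs, bots gain nothing
    if check_password(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "denied"


if __name__ == "__main__":
    leftovers = find_stock_accounts([("admin", "admin"), ("carol", "s3cret-example")])
    if leftovers:
        raise SystemExit(f"refusing to start: stock credentials still set for {leftovers}")
```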
Threat No. 6 | Hijacking Sessions

To ensure users enjoy an optimal app experience, many developers build in a session ID, a unique identifier for individual application sessions. A new ID is generated for each subsequent visit so data from a previous session can’t be used to corrupt a current connection. The problem is that hackers able to intrude on a session in progress may also be able to hijack session IDs (often stored in “cookies”) and take user-end control.

There may be no foolproof way to prevent this. It’s recommended that you do not turn off “cookies,” since this lowers overall security. Ideally, you want session IDs that are randomly generated and encrypted to be paired with an application that’s able to detect hacking attempts.
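The recommendation above as an added example (not the deck's code): session IDs drawn from the OS CSPRNG, stored server-side only as an HMAC so a copy of the session table cannot be replayed (this stands in for the deck's "encrypted" wording), an ID rotation for use right after login, a user-agent binding whose mismatch is recorded as a suspected hijack and revokes the session, and the cookie flags that keep the ID out of page scripts and off plaintext connections. The server key, lifetime and user-agent strings are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time


class SessionStore:
    """Server-side session table keyed by HMAC(session id), bound to the client's user agent."""

    def __init__(self, server_key, lifetime=3600, clock=time.time):
        self.key, self.lifetime, self.clock = server_key, lifetime, clock
        self.sessions = {}    # hmac of id -> {"user", "ua", "expires"}
        self.suspicious = []  # (user, reason) records for the admin alert channel

    def _hash(self, session_id):
        return hmac.new(self.key, session_id.encode(), hashlib.sha256).hexdigest()

    def create(self, user, user_agent):
        # 32 random bytes from the OS CSPRNG; never derived from user data or a counter.
        sid = secrets.token_urlsafe(32)
        self.sessions[self._hash(sid)] = {
            "user": user, "ua": user_agent, "expires": self.clock() + self.lifetime,
        }
        return sid

    def resolve(self, session_id, user_agent):
        """Return the user for a valid session, or None if unknown, expired or mismatched."""
        key = self._hash(session_id)
        s = self.sessions.get(key)
        if s is None:
            return None
        if s["expires"] < self.clock():
            del self.sessions[key]
            return None
        if s["ua"] != user_agent:
            # A presented ID arriving from a different client is treated as a hijack
            # attempt: record it for the alert channel and revoke rather than trust it.
            self.suspicious.append((s["user"], "user-agent changed mid-session"))
            del self.sessions[key]
            return None
        return s["user"]

    def rotate(self, session_id, user_agent):
        """Issue a fresh ID (e.g. right after login) so a pre-login ID is worthless afterwards."""
        user = self.resolve(session_id, user_agent)
        if user is None:
            return None
        del self.sessions[self._hash(session_id)]
        return self.create(user, user_agent)


def session_cookie(session_id):
    """Set-Cookie value: HTTPS only, unreadable from page scripts, not sent cross-site."""
    return f"sid={session_id}; Secure; HttpOnly; SameSite=Strict; Path=/"


if __name__ == "__main__":
    store = SessionStore(b"constructed-server-key")
    sid = store.create("alice", "ExampleBrowser/1.0")
    print(session_cookie(sid))
    print(store.resolve(sid, "ExampleBrowser/1.0"))   # alice
    print(store.resolve(sid, "OtherClient/2.0"))      # None, and store.suspicious has a record
```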
Threat No. 7 | Zero-Day Attacks

These occur when your app hits the ground running and attackers immediately exploit a flaw overlooked during testing. Given the sheer number of apps in development and the amount of code that is reused from application to application, it’s no surprise hackers are often able to predict some of the common code developers use to empower popular web app functions.

Ways to limit the impact of zero-day efforts include:

• Produce in-house code not publicly available from open-source developers.
• Build in specific security measures that hackers won’t be expecting.
• Pull the app, do a deep dive and fix the problem if the vulnerability is severe enough.
Presented by
Column Information Security
www.columninfosec.com
For questions or to schedule a consultation,
please contact us at info@columninfosec.com

More Related Content

What's hot

The Top Cloud Security Issues
The Top Cloud Security IssuesThe Top Cloud Security Issues
The Top Cloud Security IssuesHTS Hosting
 
Security in the Cloud: Tips on How to Protect Your Data
Security in the Cloud: Tips on How to Protect Your DataSecurity in the Cloud: Tips on How to Protect Your Data
Security in the Cloud: Tips on How to Protect Your DataProcore Technologies
 
Cloud Security - Kloudlearn
Cloud Security - KloudlearnCloud Security - Kloudlearn
Cloud Security - KloudlearnKloudLearn
 
Microsoft Defender and Azure Sentinel
Microsoft Defender and Azure SentinelMicrosoft Defender and Azure Sentinel
Microsoft Defender and Azure SentinelDavid J Rosenthal
 
Protecting Your Data In Office 365
Protecting Your Data In Office 365Protecting Your Data In Office 365
Protecting Your Data In Office 365Elastica Inc.
 
Can Cloud Solutions Transform Network Security
Can Cloud Solutions Transform Network SecurityCan Cloud Solutions Transform Network Security
Can Cloud Solutions Transform Network SecurityEC-Council
 
How to Extend Security and Compliance Within Box
How to Extend Security and Compliance Within BoxHow to Extend Security and Compliance Within Box
How to Extend Security and Compliance Within BoxElastica Inc.
 
Protecting your Data in Google Apps
Protecting your Data in Google AppsProtecting your Data in Google Apps
Protecting your Data in Google AppsElastica Inc.
 
Cloud Computing Risks by Ravi Namboori Cisco Evangelist
Cloud Computing Risks by Ravi Namboori Cisco EvangelistCloud Computing Risks by Ravi Namboori Cisco Evangelist
Cloud Computing Risks by Ravi Namboori Cisco EvangelistRavi namboori
 
Reasoning About Enterprise Application Security in a Cloudy World
Reasoning About Enterprise Application Security in a Cloudy WorldReasoning About Enterprise Application Security in a Cloudy World
Reasoning About Enterprise Application Security in a Cloudy WorldElastica Inc.
 
Qualys Corporate Brochure
Qualys Corporate BrochureQualys Corporate Brochure
Qualys Corporate BrochureQualys
 
Introduction to Cloud Security
Introduction to Cloud SecurityIntroduction to Cloud Security
Introduction to Cloud SecuritySusanne Tedrick
 
GBS - Prevent network security fires
GBS - Prevent network security firesGBS - Prevent network security fires
GBS - Prevent network security firesKristin Helgeson
 
Next Dimension and Veeam | Solutions for PIPEDA Compliance
Next Dimension and Veeam | Solutions for PIPEDA ComplianceNext Dimension and Veeam | Solutions for PIPEDA Compliance
Next Dimension and Veeam | Solutions for PIPEDA ComplianceNext Dimension Inc.
 
Enabling Dropbox for Business
Enabling Dropbox for BusinessEnabling Dropbox for Business
Enabling Dropbox for BusinessElastica Inc.
 
Security automation in virtual and cloud environments v2
Security automation in virtual and cloud environments v2Security automation in virtual and cloud environments v2
Security automation in virtual and cloud environments v2rpark31
 
Cisco amp for endpoints
Cisco amp for endpointsCisco amp for endpoints
Cisco amp for endpointsCisco Canada
 

What's hot (20)

The Top Cloud Security Issues
The Top Cloud Security IssuesThe Top Cloud Security Issues
The Top Cloud Security Issues
 
Security in the Cloud: Tips on How to Protect Your Data
Security in the Cloud: Tips on How to Protect Your DataSecurity in the Cloud: Tips on How to Protect Your Data
Security in the Cloud: Tips on How to Protect Your Data
 
Cloud Security - Kloudlearn
Cloud Security - KloudlearnCloud Security - Kloudlearn
Cloud Security - Kloudlearn
 
Microsoft Defender and Azure Sentinel
Microsoft Defender and Azure SentinelMicrosoft Defender and Azure Sentinel
Microsoft Defender and Azure Sentinel
 
Protecting Your Data In Office 365
Protecting Your Data In Office 365Protecting Your Data In Office 365
Protecting Your Data In Office 365
 
Can Cloud Solutions Transform Network Security
Can Cloud Solutions Transform Network SecurityCan Cloud Solutions Transform Network Security
Can Cloud Solutions Transform Network Security
 
How to Extend Security and Compliance Within Box
How to Extend Security and Compliance Within BoxHow to Extend Security and Compliance Within Box
How to Extend Security and Compliance Within Box
 
Protecting your Data in Google Apps
Protecting your Data in Google AppsProtecting your Data in Google Apps
Protecting your Data in Google Apps
 
Shadow Data Exposed
Shadow Data ExposedShadow Data Exposed
Shadow Data Exposed
 
Cloud Computing Risks by Ravi Namboori Cisco Evangelist
Cloud Computing Risks by Ravi Namboori Cisco EvangelistCloud Computing Risks by Ravi Namboori Cisco Evangelist
Cloud Computing Risks by Ravi Namboori Cisco Evangelist
 
Reasoning About Enterprise Application Security in a Cloudy World
Reasoning About Enterprise Application Security in a Cloudy WorldReasoning About Enterprise Application Security in a Cloudy World
Reasoning About Enterprise Application Security in a Cloudy World
 
Cloud Security Demo
Cloud Security DemoCloud Security Demo
Cloud Security Demo
 
Qualys Corporate Brochure
Qualys Corporate BrochureQualys Corporate Brochure
Qualys Corporate Brochure
 
Introduction to Cloud Security
Introduction to Cloud SecurityIntroduction to Cloud Security
Introduction to Cloud Security
 
GBS - Prevent network security fires
GBS - Prevent network security firesGBS - Prevent network security fires
GBS - Prevent network security fires
 
Next Dimension and Veeam | Solutions for PIPEDA Compliance
Next Dimension and Veeam | Solutions for PIPEDA ComplianceNext Dimension and Veeam | Solutions for PIPEDA Compliance
Next Dimension and Veeam | Solutions for PIPEDA Compliance
 
Enabling Dropbox for Business
Enabling Dropbox for BusinessEnabling Dropbox for Business
Enabling Dropbox for Business
 
Rik Ferguson
Rik FergusonRik Ferguson
Rik Ferguson
 
Security automation in virtual and cloud environments v2
Security automation in virtual and cloud environments v2Security automation in virtual and cloud environments v2
Security automation in virtual and cloud environments v2
 
Cisco amp for endpoints
Cisco amp for endpointsCisco amp for endpoints
Cisco amp for endpoints
 

Similar to Top Application Security Threats

Java Application Development Vulnerabilities
Java Application Development VulnerabilitiesJava Application Development Vulnerabilities
Java Application Development VulnerabilitiesNarola Infotech
 
Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Wail Hassan
 
The Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxThe Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxCheckmarx
 
Demand for Penetration Testing Services.docx
Demand for Penetration Testing Services.docxDemand for Penetration Testing Services.docx
Demand for Penetration Testing Services.docxAardwolf Security
 
Analysis of XSS attack Mitigation techniques based on Platforms and Browsers
Analysis of XSS attack Mitigation techniques based on Platforms and BrowsersAnalysis of XSS attack Mitigation techniques based on Platforms and Browsers
Analysis of XSS attack Mitigation techniques based on Platforms and Browserscscpconf
 
Sql Injection Attacks And A Web Application Environment
Sql Injection Attacks And A Web Application EnvironmentSql Injection Attacks And A Web Application Environment
Sql Injection Attacks And A Web Application EnvironmentSheri Elliott
 
Domain 5 of the CEH: Web Application Hacking
Domain 5 of the CEH: Web Application HackingDomain 5 of the CEH: Web Application Hacking
Domain 5 of the CEH: Web Application HackingShivamSharma909
 
Are you fighting_new_threats_with_old_weapons
Are you fighting_new_threats_with_old_weaponsAre you fighting_new_threats_with_old_weapons
Are you fighting_new_threats_with_old_weaponsBhargav Modi
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Programcentralohioissa
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended CutMike Spaulding
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Cenzic
 
Webinar | Cybersecurity vulnerabilities of your business - Berezha Security G...
Webinar | Cybersecurity vulnerabilities of your business - Berezha Security G...Webinar | Cybersecurity vulnerabilities of your business - Berezha Security G...
Webinar | Cybersecurity vulnerabilities of your business - Berezha Security G...Berezha Security Group
 
Web Application Security - Everything You Should Know
Web Application Security - Everything You Should KnowWeb Application Security - Everything You Should Know
Web Application Security - Everything You Should KnowNarola Infotech
 
How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?Osei Fortune
 
React security vulnerabilities
React security vulnerabilitiesReact security vulnerabilities
React security vulnerabilitiesAngelinaJasper
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsAlan Kan
 
Reducing Risk of Credential Compromise at Netflix
Reducing Risk of Credential Compromise at NetflixReducing Risk of Credential Compromise at Netflix
Reducing Risk of Credential Compromise at NetflixSBWebinars
 

Similar to Top Application Security Threats (20)

Research Paper
Research PaperResearch Paper
Research Paper
 
Java Application Development Vulnerabilities
Java Application Development VulnerabilitiesJava Application Development Vulnerabilities
Java Application Development Vulnerabilities
 
Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)
 
The Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxThe Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's Toolbox
 
C01461422
C01461422C01461422
C01461422
 
Demand for Penetration Testing Services.docx
Demand for Penetration Testing Services.docxDemand for Penetration Testing Services.docx
Demand for Penetration Testing Services.docx
 
Analysis of XSS attack Mitigation techniques based on Platforms and Browsers
Analysis of XSS attack Mitigation techniques based on Platforms and BrowsersAnalysis of XSS attack Mitigation techniques based on Platforms and Browsers
Analysis of XSS attack Mitigation techniques based on Platforms and Browsers
 
Sql Injection Attacks And A Web Application Environment
Sql Injection Attacks And A Web Application EnvironmentSql Injection Attacks And A Web Application Environment
Sql Injection Attacks And A Web Application Environment
 
Domain 5 of the CEH: Web Application Hacking
Domain 5 of the CEH: Web Application HackingDomain 5 of the CEH: Web Application Hacking
Domain 5 of the CEH: Web Application Hacking
 
CEH Domain 5.pdf
CEH Domain 5.pdfCEH Domain 5.pdf
CEH Domain 5.pdf
 
Are you fighting_new_threats_with_old_weapons
Are you fighting_new_threats_with_old_weaponsAre you fighting_new_threats_with_old_weapons
Are you fighting_new_threats_with_old_weapons
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Program
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...
 
Webinar | Cybersecurity vulnerabilities of your business - Berezha Security G...
Webinar | Cybersecurity vulnerabilities of your business - Berezha Security G...Webinar | Cybersecurity vulnerabilities of your business - Berezha Security G...
Webinar | Cybersecurity vulnerabilities of your business - Berezha Security G...
 
Web Application Security - Everything You Should Know
Web Application Security - Everything You Should KnowWeb Application Security - Everything You Should Know
Web Application Security - Everything You Should Know
 
How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?
 
React security vulnerabilities
React security vulnerabilitiesReact security vulnerabilities
React security vulnerabilities
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging Threats
 
Reducing Risk of Credential Compromise at Netflix
Reducing Risk of Credential Compromise at NetflixReducing Risk of Credential Compromise at Netflix
Reducing Risk of Credential Compromise at Netflix
 

Recently uploaded

Protecting your business: staying compliant with NFPA codes
Protecting your business: staying compliant with NFPA codesProtecting your business: staying compliant with NFPA codes
Protecting your business: staying compliant with NFPA codesStartech Engineering
 
Boost Your Brand with Professional Digital Marketing Company in Noida
Boost Your Brand with Professional Digital Marketing Company in NoidaBoost Your Brand with Professional Digital Marketing Company in Noida
Boost Your Brand with Professional Digital Marketing Company in NoidaWAFI Media Marketing Solutions
 
ADMI: Bridging Dealer & OEM - Capabilities Deck
ADMI: Bridging Dealer & OEM - Capabilities DeckADMI: Bridging Dealer & OEM - Capabilities Deck
ADMI: Bridging Dealer & OEM - Capabilities DeckADMI
 
10.National Rural Employment Programme.pptx
10.National Rural Employment Programme.pptx10.National Rural Employment Programme.pptx
10.National Rural Employment Programme.pptxBoobalanBala12
 
Create a fire prevention plan with a suppression engineer
Create a fire prevention plan with a suppression engineerCreate a fire prevention plan with a suppression engineer
Create a fire prevention plan with a suppression engineerStartech Engineering
 
Tibetan Call Girls In Majnu Ka Tilla Delhi 9911107661
Tibetan Call Girls In Majnu Ka Tilla Delhi 9911107661Tibetan Call Girls In Majnu Ka Tilla Delhi 9911107661
Tibetan Call Girls In Majnu Ka Tilla Delhi 9911107661safdarjungdelhi1
 
Top SEO Services In India | Paid | Organic Search Results | Egiz Solution
Top SEO Services In India | Paid | Organic Search Results | Egiz SolutionTop SEO Services In India | Paid | Organic Search Results | Egiz Solution
Top SEO Services In India | Paid | Organic Search Results | Egiz SolutionEgiz Solution
 
What are the major challenges while integrating Salesforce
What are the major challenges while integrating SalesforceWhat are the major challenges while integrating Salesforce
What are the major challenges while integrating SalesforceNaresh Gupta
 
Customize Your Positioning System with Partner Solutions.ppt
Customize Your Positioning System with Partner Solutions.pptCustomize Your Positioning System with Partner Solutions.ppt
Customize Your Positioning System with Partner Solutions.pptUbiTrack UK
 
Book Call Girls In Gurgaon Sector 29 Call 8800357707 Escorts Service
Book Call Girls In Gurgaon Sector 29 Call 8800357707 Escorts ServiceBook Call Girls In Gurgaon Sector 29 Call 8800357707 Escorts Service
Book Call Girls In Gurgaon Sector 29 Call 8800357707 Escorts Servicemonikaservice1
 
Call Girls In Goa North Goa 9899855202 Direct Cash 0nline Payment For Genuine
Call Girls In Goa North Goa 9899855202 Direct Cash 0nline Payment For GenuineCall Girls In Goa North Goa 9899855202 Direct Cash 0nline Payment For Genuine
Call Girls In Goa North Goa 9899855202 Direct Cash 0nline Payment For Genuinedelhincr993
 
High Class Escort Service in Marina +971509430017 Marina Escorts Service
High Class Escort Service in Marina +971509430017 Marina Escorts ServiceHigh Class Escort Service in Marina +971509430017 Marina Escorts Service
High Class Escort Service in Marina +971509430017 Marina Escorts Servicetajaga2345
 
KREATIVAN TECHNOLOGY IS THE BEST DIGITAL COMPANY IN CHANDIGARH
KREATIVAN TECHNOLOGY IS THE BEST DIGITAL COMPANY IN CHANDIGARHKREATIVAN TECHNOLOGY IS THE BEST DIGITAL COMPANY IN CHANDIGARH
KREATIVAN TECHNOLOGY IS THE BEST DIGITAL COMPANY IN CHANDIGARHKreativan Technologies
 
Online Dating Precautions How Background Checks Can Safeguard You
Online Dating Precautions How Background Checks Can Safeguard YouOnline Dating Precautions How Background Checks Can Safeguard You
Online Dating Precautions How Background Checks Can Safeguard Youaffordablebackgroundchecks
 
Justdial Call Girls In Moolchand Metro Delhi 9911191017 Escorts Service
Justdial Call Girls In Moolchand Metro Delhi 9911191017 Escorts ServiceJustdial Call Girls In Moolchand Metro Delhi 9911191017 Escorts Service
Justdial Call Girls In Moolchand Metro Delhi 9911191017 Escorts Servicesafdarjungdelhi1
 
_Al Afnan Steel Industrial Company _LLC_
_Al Afnan Steel Industrial Company _LLC__Al Afnan Steel Industrial Company _LLC_
_Al Afnan Steel Industrial Company _LLC_alafnanmetals
 
Dubai Call Girls Riri O525547819 Call Girls Dubai
Dubai Call Girls Riri O525547819 Call Girls DubaiDubai Call Girls Riri O525547819 Call Girls Dubai
Dubai Call Girls Riri O525547819 Call Girls Dubaikojalkojal131
 
High Class Escort Service in Ajman +971509430017 Ajman Escorts Service
High Class Escort Service in Ajman +971509430017 Ajman Escorts ServiceHigh Class Escort Service in Ajman +971509430017 Ajman Escorts Service
High Class Escort Service in Ajman +971509430017 Ajman Escorts Servicetajaga2345
 
Call Girls In Noida Sector 15 Metro꧁❤ 8800357707 ❤꧂Escorts Service
Call Girls In Noida Sector 15 Metro꧁❤ 8800357707 ❤꧂Escorts ServiceCall Girls In Noida Sector 15 Metro꧁❤ 8800357707 ❤꧂Escorts Service
Call Girls In Noida Sector 15 Metro꧁❤ 8800357707 ❤꧂Escorts Servicemonikaservice1
 

Recently uploaded (20)

Protecting your business: staying compliant with NFPA codes
Protecting your business: staying compliant with NFPA codesProtecting your business: staying compliant with NFPA codes
Protecting your business: staying compliant with NFPA codes
 
Search Engine optimization and its types
Search Engine optimization and its typesSearch Engine optimization and its types
Search Engine optimization and its types
 
Boost Your Brand with Professional Digital Marketing Company in Noida
Boost Your Brand with Professional Digital Marketing Company in NoidaBoost Your Brand with Professional Digital Marketing Company in Noida
Boost Your Brand with Professional Digital Marketing Company in Noida
 
ADMI: Bridging Dealer & OEM - Capabilities Deck
ADMI: Bridging Dealer & OEM - Capabilities DeckADMI: Bridging Dealer & OEM - Capabilities Deck
ADMI: Bridging Dealer & OEM - Capabilities Deck
 
10.National Rural Employment Programme.pptx
10.National Rural Employment Programme.pptx10.National Rural Employment Programme.pptx
10.National Rural Employment Programme.pptx
 
Create a fire prevention plan with a suppression engineer
Create a fire prevention plan with a suppression engineerCreate a fire prevention plan with a suppression engineer
Create a fire prevention plan with a suppression engineer
 
Tibetan Call Girls In Majnu Ka Tilla Delhi 9911107661
Tibetan Call Girls In Majnu Ka Tilla Delhi 9911107661Tibetan Call Girls In Majnu Ka Tilla Delhi 9911107661
Tibetan Call Girls In Majnu Ka Tilla Delhi 9911107661
 
Top SEO Services In India | Paid | Organic Search Results | Egiz Solution
Top SEO Services In India | Paid | Organic Search Results | Egiz SolutionTop SEO Services In India | Paid | Organic Search Results | Egiz Solution
Top SEO Services In India | Paid | Organic Search Results | Egiz Solution
 
What are the major challenges while integrating Salesforce
What are the major challenges while integrating SalesforceWhat are the major challenges while integrating Salesforce
What are the major challenges while integrating Salesforce
 
Customize Your Positioning System with Partner Solutions.ppt
Customize Your Positioning System with Partner Solutions.pptCustomize Your Positioning System with Partner Solutions.ppt
Customize Your Positioning System with Partner Solutions.ppt
 
Book Call Girls In Gurgaon Sector 29 Call 8800357707 Escorts Service
Book Call Girls In Gurgaon Sector 29 Call 8800357707 Escorts ServiceBook Call Girls In Gurgaon Sector 29 Call 8800357707 Escorts Service
Book Call Girls In Gurgaon Sector 29 Call 8800357707 Escorts Service
 
Call Girls In Goa North Goa 9899855202 Direct Cash 0nline Payment For Genuine
Call Girls In Goa North Goa 9899855202 Direct Cash 0nline Payment For GenuineCall Girls In Goa North Goa 9899855202 Direct Cash 0nline Payment For Genuine
Call Girls In Goa North Goa 9899855202 Direct Cash 0nline Payment For Genuine
 
High Class Escort Service in Marina +971509430017 Marina Escorts Service
High Class Escort Service in Marina +971509430017 Marina Escorts ServiceHigh Class Escort Service in Marina +971509430017 Marina Escorts Service
High Class Escort Service in Marina +971509430017 Marina Escorts Service
 
KREATIVAN TECHNOLOGY IS THE BEST DIGITAL COMPANY IN CHANDIGARH
KREATIVAN TECHNOLOGY IS THE BEST DIGITAL COMPANY IN CHANDIGARHKREATIVAN TECHNOLOGY IS THE BEST DIGITAL COMPANY IN CHANDIGARH
KREATIVAN TECHNOLOGY IS THE BEST DIGITAL COMPANY IN CHANDIGARH
 
Online Dating Precautions How Background Checks Can Safeguard You
Online Dating Precautions How Background Checks Can Safeguard YouOnline Dating Precautions How Background Checks Can Safeguard You
Online Dating Precautions How Background Checks Can Safeguard You
 
Justdial Call Girls In Moolchand Metro Delhi 9911191017 Escorts Service
Justdial Call Girls In Moolchand Metro Delhi 9911191017 Escorts ServiceJustdial Call Girls In Moolchand Metro Delhi 9911191017 Escorts Service
Justdial Call Girls In Moolchand Metro Delhi 9911191017 Escorts Service
 
_Al Afnan Steel Industrial Company _LLC_
_Al Afnan Steel Industrial Company _LLC__Al Afnan Steel Industrial Company _LLC_
_Al Afnan Steel Industrial Company _LLC_
 
Dubai Call Girls Riri O525547819 Call Girls Dubai
Dubai Call Girls Riri O525547819 Call Girls DubaiDubai Call Girls Riri O525547819 Call Girls Dubai
Dubai Call Girls Riri O525547819 Call Girls Dubai
 
High Class Escort Service in Ajman +971509430017 Ajman Escorts Service
High Class Escort Service in Ajman +971509430017 Ajman Escorts ServiceHigh Class Escort Service in Ajman +971509430017 Ajman Escorts Service
High Class Escort Service in Ajman +971509430017 Ajman Escorts Service
 
Call Girls In Noida Sector 15 Metro꧁❤ 8800357707 ❤꧂Escorts Service
Call Girls In Noida Sector 15 Metro꧁❤ 8800357707 ❤꧂Escorts ServiceCall Girls In Noida Sector 15 Metro꧁❤ 8800357707 ❤꧂Escorts Service
Call Girls In Noida Sector 15 Metro꧁❤ 8800357707 ❤꧂Escorts Service
 

Top Application Security Threats

  • 1. Top Application Security Threats And How To Counter Them
  • 2. Web- and cloud-based applications are being developed at a breakneck pace as technology advances more quickly than ever before. Companies that aren’t first to market often are left behind, but putting speed above security has led to a serious consequence: Many applications are fundamentally flawed, making it possible for hackers to steal critical data, hijack user inputs or deny service entirely. Better security isn’t impossible. The following slides present an application security checklist — a look at how your company can counter the impact of seven top application security threats.
  • 3. Threat No. 1 | Timid Testing If your application lives on the Internet, hackers will try to break in. Unfortunately, your own code provides the easiest access into most applications. The problem is timid testing. Don’t take for granted that threat actors will overlook your apps just because yours isn’t a high-profile enterprise application and you aren’t connected to a critical database. Hackers are opportunists looking for the easiest way into ANY network — and the median number of app vulnerabilities has climbed from just six in 2013 to 20. While protecting applications from all malicious actors likely is impossible, you can significantly reduce the chance of a successful attack with comprehensive testing. Test everything. Data inputs. Data outputs. Give developers the time and resources to “break” their applications and see what happens. Hire third parties to claw their way in and cause trouble. When it comes to code, never take anything for granted.
  • 4. Threat No. 2 | DoS and DDoS A Denial of Service (DoS) attack is one of the quickest ways to sideline your application. Hackers can interrupt or disable access to web- or cloud-based applications by flooding them with access requests or strings of random characters. It gets worse: Many cybercriminals now use multiple infected machines — a “botnet” — to conduct what’s known as a distributed denial of service attack (DDoS). These attacks happen much faster, are harder to predict and can shut down sites or applications within minutes. More recent variants leveraged Internet of Things-connected devices such as cameras and routers to deliver DDoS speeds of up to a terabyte per second, more than any application or site can reasonably handle.
  • 5. Threat No. 2 | DoS and DDoS (continued) To handle DoS and DDoS threats, first recognize you’re not alone: 53 percent of IT security pros said in a survey that DoS ranks among their top concerns. But there are tools you can add to do the following: Detect a sudden uptick in access requests. Shut down multiple requests from the same IP. Send alerts to administrators if potential DDoS activity is detected.
  • 6. Threat No. 3 | SQL Injection Many apps now include “username” and “password” fields that use structured query language (SQL) to make a database request, typically using the “SELECT” query. But many apps don’t block the use of other SQL commands in these fields, making it possible for hackers to exploit common access points to gain total database control. This is especially problematic thanks to the rise of automated tools that can spam apps with SQL requests to see what works. At least one estimate says 60 percent of all web apps are vulnerable to SQL injection.
  • 7. Threat No. 3 | SQL Injection (continued) Solving the problem starts with cleaning up your app. It’s a good idea to include code strings that force the application to replace all single apostrophes with double apostrophes, making it impossible for hackers to use the apostrophe as a string delimiter. Next, eliminate any debugging information pushed to the user in the event of an application error, since this could give attackers valuable database knowledge. Finally, lock down account permissions tied to executable web app code.
  • 8. Threat No. 4 | XSS Attacks It’s estimated that more than half of all web applications contain cross-site scripting (XSS) vulnerabilities. Attackers try to alter the function of an app by injecting new “script” and forcing the application to execute it, in turn giving them control of a website or application and all content seen by users. While some programming languages come with controls such as the “same origin policy” to curtail the use of outside code, XSS attacks may be able to bypass this requirement. Cutting off cross-site scripting means adopting a number of key defensive strategies, such as developing a content security policy that determines which web-based scripts can and can’t be loaded by an app. It’s also a good idea to employ input validation and output encoding to help mitigate this threat. Input validation ensures that data entry matches an expected format, while output encoding mandates that specific characters are treated as display text instead of executable code.
  • 9. Threat No. 5 | Stock Permissions and APIs To make creating apps easier, many developers rely on application programming interfaces (APIs). Why re-create work that’s already been done by someone else? But there’s a problem: While enterprises are taking steps to control API use, 65 percent say they have no processes for overall API security. As a result, if hackers can find vulnerabilities in the APIs used to create your app, they may also have access to your code. The same goes for stock permissions — the “standard” username and password many developers build into their testing apps but never remove when the code goes live. With just a bit of brute-force effort, hackers may easily breach your app. Best practices to fight this: • Use more encryption than you think is necessary • Build in code delays. Examples of code delays would be using email verifications or increasing time spans between each unsuccessful login attempt. This would deter hackers who use automated bots to fish for username and password combinations.
  • 10. Threat No. 6 | Hijacking Sessions To ensure users enjoy an optimal app experience, many developers build in a session ID, a unique identifier for individual application sessions. A new ID is generated for each subsequent visit so data from a previous session can’t be used to corrupt a current connection. The problem is that hackers able to intrude on a session in progress may also be able to hijack session IDs (often stored in “cookies”) and take user-end control. There may be no foolproof way to prevent this. It’s recommended that you do not turn off “cookies,” since this lowers overall security. Ideally, you want session IDs that are randomly generated and encrypted to be paired with an application that’s able to detect hacking attempts.
  • 11. Threat No. 7 | Zero-Day Attacks These occur when your app hits the ground running and attackers immediately exploit a flaw overlooked during testing. Given the sheer number of apps in development and the amount of code that is reused from application to application, it’s no surprise hackers are often able to predict some of the common code developers use to empower popular web app functions. Ways to limit the impact of zero-day efforts include: • Produce in-house code not publicly available from open-source developers. • Build in specific security measures that hackers won’t be expecting. • Pull the app, do a deep dive and fix the problem if the vulnerability is severe enough.
  • 12. Presented by Column Information Security www.columninfosec.com For questions or to schedule a consultation, please contact us at info@columninfosec.com
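The three DoS/DDoS controls slide 5 lists (detect a sudden uptick, shut down repeated requests from one IP, alert administrators), as an added Python example that is not part of the original deck; the log line format, the thresholds and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic): one source bursting at
# /login, one normal visitor, and one malformed line the parser must skip.
SAMPLE_LOG = (
    [f"203.0.113.7 [2023-05-01T10:00:{i:02d}] GET /login" for i in range(12)]
    + ["198.51.100.4 [2023-05-01T10:00:03] GET /index.html",
       "198.51.100.4 [2023-05-01T10:00:30] GET /about.html",
       "garbage line that is not a request"]
)
LINE_RE = re.compile(r"^(\S+) \[([^\]]+)\] (\S+) (\S+)$")


def parse_line(line):
    """Return (ip, timestamp, path) for one log line, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, ts, _method, path = m.groups()
    return ip, datetime.fromisoformat(ts), path


def analyze(lines, per_ip_limit=5, global_limit=10, window_s=10):
    """Sliding-window request counts per source IP and for the whole app.

    Returns {"blocked": IPs that exceeded per_ip_limit requests within
    window_s seconds, "alerts": strings to send to administrators}.
    """
    window = timedelta(seconds=window_s)
    records = sorted(filter(None, map(parse_line, lines)), key=lambda r: r[1])
    per_ip, overall = defaultdict(deque), deque()
    blocked, alerts, uptick_reported = set(), [], False
    for ip, ts, _path in records:
        for q in (per_ip[ip], overall):
            q.append(ts)
            while ts - q[0] > window:  # age out timestamps older than the window
                q.popleft()
        if len(per_ip[ip]) > per_ip_limit and ip not in blocked:
            blocked.add(ip)  # "shut down multiple requests from the same IP"
            alerts.append(f"{ts.isoformat()} block {ip}: "
                          f"{len(per_ip[ip])} requests in {window_s}s")
        if len(overall) > global_limit and not uptick_reported:
            uptick_reported = True  # "detect a sudden uptick in access requests"
            alerts.append(f"{ts.isoformat()} uptick: {len(overall)} requests "
                          f"in {window_s}s from all sources")
    return {"blocked": blocked, "alerts": alerts}
```

The alert strings are what would be handed to whatever notification channel administrators already use; blocking is left to the caller so a single burst from a shared address can be reviewed before it is cut off.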
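Slides 6 and 7 in code: the vulnerable login query built by string concatenation, beside the apostrophe-doubling fix the deck describes and, going one step further, a parameterized query that keeps the values out of the SQL text altogether. This is an added example, not the deck's or any product's code; the table, the stored credential and the probe value are constructed.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    return conn


def login_vulnerable(conn, username, pw_hash):
    """The defect: both fields are pasted into the SQL text, so an apostrophe
    in either one closes the string and the rest is parsed as SQL."""
    sql = (f"SELECT name FROM users WHERE name = '{username}' "
           f"AND pw_hash = '{pw_hash}'")
    return conn.execute(sql).fetchone() is not None


def login_escaped(conn, username, pw_hash):
    """The slide's fix: double every apostrophe so SQL reads it as data."""
    def esc(s):
        return s.replace("'", "''")
    sql = (f"SELECT name FROM users WHERE name = '{esc(username)}' "
           f"AND pw_hash = '{esc(pw_hash)}'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, pw_hash):
    """Stronger form of the same idea: placeholders send the values separately
    from the query text, so no character in them can act as a delimiter."""
    row = conn.execute("SELECT name FROM users WHERE name = ? AND pw_hash = ?",
                       (username, pw_hash)).fetchone()
    return row is not None


# Constructed probe input for the comparison; it is not a stored credential.
PROBE = "' OR '1'='1"


def compare(probe=PROBE):
    """Run the probe through all three versions; only the first accepts it."""
    conn = make_db()
    return {fn.__name__: fn(conn, "alice", probe)
            for fn in (login_vulnerable, login_escaped, login_parameterized)}
```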
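Slide 8's two controls, input validation and output encoding, together with a content security policy header, as an added Python example that is not from the original deck; the display-name allow-list and the CSP policy string are this example's assumptions.

```python
import html
import re

# Constructed allow-list for a display name: letters, digits, spaces and a few
# punctuation marks, 1 to 40 characters. The policy is an assumption here.
NAME_RE = re.compile(r"^[A-Za-z0-9 .'\-]{1,40}$")

# Constructed policy: scripts only from the app's own origin, no plugins.
CSP_POLICY = "default-src 'self'; script-src 'self'; object-src 'none'"


def validate_display_name(value):
    """Input validation: accept only values that match the expected format."""
    return bool(NAME_RE.fullmatch(value))


def render_unsafe(author, body):
    """The defect: user input is interpolated straight into markup."""
    return f'<p class="comment"><b>{author}</b>: {body}</p>'


def render_comment(author, body):
    """Output encoding: every user-supplied value is escaped so the browser
    shows <, >, & and quotes as text instead of parsing them as HTML."""
    return (f'<p class="comment"><b>{html.escape(author)}</b>: '
            f'{html.escape(body)}</p>')


def html_response(markup):
    """Headers sent with an HTML page; the CSP header tells the browser which
    scripts may run even if encoding was missed somewhere in the app."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CSP_POLICY,
        "X-Content-Type-Options": "nosniff",
    }
    return headers, markup


def post_comment(author, body):
    """Apply both controls: reject a malformed author, encode both on output."""
    if not validate_display_name(author):
        raise ValueError("display name does not match the expected format")
    return html_response(render_comment(author, body))
```

Free-form text such as the comment body cannot be validated against a strict format, which is why the encoding step is applied to every value and not only to the ones that were validated.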
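Slide 9's code delays (an increasing wait between unsuccessful login attempts on one account) together with slide 10's randomly generated session ID issued afresh on each login, as an added Python example that is not the deck's code; the doubling schedule, the one-hour cap and the caller-supplied clock are this example's assumptions.

```python
import secrets
from collections import defaultdict


class LoginThrottle:
    """Increasing wait between unsuccessful login attempts on one account.

    The delay doubles after every failure (1s, 2s, 4s, ...) up to max_delay and
    resets on success, so a bot fishing for username/password pairs gets only a
    handful of guesses per account per day. The caller passes `now` (seconds)
    so the policy can be exercised without sleeping.
    """

    def __init__(self, base_delay=1.0, max_delay=3600.0):
        self.base_delay, self.max_delay = base_delay, max_delay
        self.failures = defaultdict(int)        # user -> consecutive failures
        self.locked_until = defaultdict(float)  # user -> earliest next attempt

    def wait_seconds(self, user, now):
        """Seconds the user must still wait; 0 means an attempt may proceed."""
        return max(0.0, self.locked_until[user] - now)

    def record_failure(self, user, now):
        """Register a failed attempt and return the delay now imposed."""
        self.failures[user] += 1
        delay = min(self.base_delay * 2 ** (self.failures[user] - 1),
                    self.max_delay)
        self.locked_until[user] = now + delay
        return delay

    def record_success(self, user):
        """Clear the backoff and return a fresh session ID for this login.

        Slide 10's point: the ID is random (from secrets, not a counter or a
        hash of the username) and new on every login, so an ID captured
        earlier is not valid for the new session."""
        self.failures.pop(user, None)
        self.locked_until.pop(user, None)
        return secrets.token_urlsafe(32)


def attempt_login(throttle, user, password_ok, now):
    """Gate one attempt: refused while backing off, otherwise recorded."""
    wait = throttle.wait_seconds(user, now)
    if wait > 0:
        return "wait", wait
    if password_ok:
        return "ok", throttle.record_success(user)
    return "fail", throttle.record_failure(user, now)
```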