Application security
We will cover:
• Some basic definitions
• Application Security meaning
• CIA
• Vulnerabilities
• Demo attack
• Countermeasures
• Best practice to build a secure app.
• Facebook on Spot
Basic definitions
Asset: a resource of value that needs to be protected.
Threat: an undesired event that may compromise an asset or object, or
produce an undesired outcome.
Vulnerability: a weakness in your system, or in a security control,
that allows an exploit to cause harm.
Attack: an action that utilizes one or more vulnerabilities to realize a
threat.
Security Control: a process or policy put together to minimize security
threats to an acceptable level.
Application Security: the use of software, hardware, and procedural methods to protect
applications from external threats.
[Chart: Attacks Shift Towards Application Layer. Axis: % of Dollars; value shown: 75%, labelled "attacks".]
Application Security aims to secure:
Confidentiality
Malware can be written to do directed searches and send
confidential data to specific parties.
Integrity
Viruses attach themselves and stay resident in the system,
which allows an attacker to completely control it; this may
erase data files, or interfere with application data over time in
such a way that data integrity is compromised and the data may
become completely useless.
Availability
Malware can compromise programs and data to the point where
they are no longer available; sometimes this is a direct
denial of service (DoS) attack, and sometimes it is a side effect
of the malware's activity.
Application Vulnerability
A software "vulnerability" causes critical data to be processed in
an insecure way. By exploiting these "holes" in
applications, cybercriminals can gain entry into an
organization's systems and steal confidential data.
Common software vulnerabilities:
• SQL injection
• Cross-Site Scripting (XSS).
And almost every application has vulnerabilities: about
70% of all applications had at least one vulnerability
classified as one of the top 10 web vulnerability types.
Commercial software, financial services software,
software written by government agencies … all are
vulnerable.
Application Vulnerability - Demo Attack
Phases of hacker attacks
1-Information
• Fingerprinting
• Vulnerability DB
• Bulletin Boards
• …….
2-Infrastructure
• Phishing
• Pharming
• XSS
• …..
3-Exploit
• …..
4-Keep Access
• Backdoor
• Trojan
• Rootkits
• …..
5-Delete Fingerprints
• Destroy evidence
• Steganography
• Tunneling
Phase 1 (Information)
SQL Injection
1. Hacker gathers information about the victim's target system
Operating System
Web Server
Database
2. Compares that information with a vulnerability database
3. Hacker finds a vulnerability
Search for a (specific) user
Find additional information about the user
4. This information is needed for the next phase of the attack
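The user lookup this phase relies on, shown as an added example (not code from the slides): a query built by string concatenation beside its parameterised form, run against a constructed in-memory SQLite table. The table, the rows and the probe string are assumptions made for the demo.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the demo's "search for user" data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, phone TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("victim", "victim@example.com", "555-0100"),
            ("alice", "alice@example.com", "555-0101"),
        ],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    # The SQL text is assembled from the input, so the input can change the
    # shape of the query instead of only supplying a value.
    sql = "SELECT username, email, phone FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    # Parameterised query: the driver binds the input as a value, so whatever
    # it contains is compared against the column and never parsed as SQL.
    sql = "SELECT username, email, phone FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Tautology probe used to check whether the fix holds (constructed).
    probe = "' OR '1'='1"
    print("normal lookup, both forms:", lookup_user_safe(conn, "victim"))
    print("concatenated query with probe:", lookup_user_vulnerable(conn, probe))
    print("parameterised query with probe:", lookup_user_safe(conn, probe))
```

Both forms behave identically for a normal username, which is why the weak one goes unnoticed until a probe string turns the WHERE clause into a tautology.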
Application Vulnerability - Demo Attack
Phase 2 (Infrastructure)
Cross Site Scripting (XSS)
1. Hacker has found personal information about the user
e-mail
Phone number
…
2. Sends an e-mail with an unsuspicious topic
3. Includes XSS in the e-mail that sends the user's session to the hacker's server
4. User receives the e-mail
5. The e-mail looks unsuspicious to the user
Topic
Originator
6. The included XSS sends all cookies to the hacker's web site
Application Vulnerability - Demo Attack
Phase 3 - Exploit
Session hijacking
1. Hacker has received all cookies from the user
2. Cookies are used to identify users
3. Hacker uses the cookie to resume the user's session
4. Hacker is logged in as user "victim" with the user's access rights
• XSS-Proxy is a tool for leveraging Cross-Site-Scripting (XSS) flaws to hijack victim
browsers; it provides a bi-directional interactive control channel between the attacker, the victim's
browser and an XSS-vulnerable site
Now the hacker has logged in to your banking site with your access rights.
That was just the beginning
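The two controls that break this chain (Phase 2 and Phase 3), as an added example that is not part of the slides: escaping untrusted data before it is placed in a page, and issuing the session cookie with HttpOnly, Secure and SameSite so that script running in the page cannot read it. The page fragment, cookie name and audit helper are assumptions for the demo; it uses only the Python standard library.

```python
import html
from http import cookies


def render_profile_vulnerable(display_name):
    # The weak form from the demo: the value is concatenated straight into HTML,
    # so markup inside the name becomes part of the page and runs in the browser.
    return "<h1>Welcome, " + display_name + "</h1>"


def render_profile(display_name):
    # Hardened form: untrusted data is escaped before it is placed in HTML, so
    # any markup in the name is displayed as text instead of being executed.
    return "<h1>Welcome, " + html.escape(display_name, quote=True) + "</h1>"


def session_cookie_header(session_id):
    # Builds the Set-Cookie value for the session identifier.
    # HttpOnly: the cookie is not exposed to document.cookie, so script that
    #   reaches the page through XSS cannot read it and send it elsewhere.
    # Secure: the browser only sends the cookie over HTTPS.
    # SameSite=Strict: the browser does not attach it to cross-site requests.
    c = cookies.SimpleCookie()
    c["session"] = session_id
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    c["session"]["samesite"] = "Strict"
    c["session"]["path"] = "/"
    return c["session"].OutputString()


REQUIRED = ("HttpOnly", "Secure", "SameSite")


def missing_cookie_protections(set_cookie_value):
    # Audit helper (assumed, not a library API): lists the protections that a
    # Set-Cookie value lacks, so a response can be checked before it ships.
    attrs = [part.strip() for part in set_cookie_value.split(";")[1:]]
    names = {a.split("=", 1)[0].lower() for a in attrs}
    return [flag for flag in REQUIRED if flag.lower() not in names]


if __name__ == "__main__":
    # Constructed display name containing markup, to show the escaping.
    name = "<script>alert(1)</script>"
    print(render_profile_vulnerable(name))
    print(render_profile(name))
    header = session_cookie_header("abc123")
    print(header)
    print("missing:", missing_cookie_protections(header))
    print("missing:", missing_cookie_protections("session=abc123; Path=/"))
```

Escaping stops the script from running at all; HttpOnly limits the damage if some other injection point is missed, since the stolen-cookie step of Phase 3 then has nothing to work with.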
Application Vulnerability - Demo Attack
Phase 4 – Keep Access
• Attacker can install a sniffer to capture all network traffic.
• Use a backdoor or trojan to gain repeated access.
• May install rootkits in the kernel to get superuser access at the operating system level.
• They can then use their access to steal data, consume CPU cycles and exchange
confidential information, or even resort to extortion.
• They can maintain control of the system for a long time by "hardening the system"
against other attackers.
Application Vulnerability - Demo Attack
Phase 5 – Delete Fingerprints
• Trojaned tools such as ps or netcat are used to destroy the evidence in the registry files,
or to replace the system binaries.
• Steganography is the process of hiding data, for example in images and sound
files.
• Tunneling takes advantage of the transmission protocol by carrying one protocol
over another. Even the extra space (unused bits) in the TCP and IP headers can be
used to hide information.
Application Security Countermeasures
• Countermeasures are the actions taken to ensure application security
• Application Firewall is the most basic software countermeasure that
limits the execution of files or the handling of data by specific
installed programs.
• Router is the most common hardware countermeasure that can
prevent the IP address of an individual computer from being directly
visible on the Internet.
• Other countermeasures include conventional firewalls,
encryption/decryption programs, anti-virus programs, spyware
detection/removal programs and biometric authentication systems.
Best Practices to Build Secure Applications
1. Follow the OWASP Top Ten
It lists the most critical web application security vulnerabilities. These vulnerabilities target the
confidentiality, integrity, and availability of an application, its developers, and its users, and cover attack
vectors such as injection attacks, authentication and session management, security misconfiguration, and sensitive
data exposure.
2. Get an Application Security Audit
Use people with specific, professional application security experience, who know what to look for, including the
obvious and the subtle, as well as the hidden things. They'll also be abreast of current security issues and be
knowledgeable about issues which aren't common knowledge yet.
3. Implement Proper Logging
At some stage something goes wrong: there is a bug that no one saw (or considered severe enough
to warrant particular attention), and it will eventually be exploited. To be able to respond as quickly as
possible, you need to have proper logging implemented before the situation gets out of hand. Doing so
provides you with information about what occurred, what led to the situation in the first place, and what else
was going on at the time.
4. Use Real-time Security Monitoring and Protection or Web Application Firewalls
Protect your application from a range of perspectives, both internal and external, using firewalls in addition
to Runtime Application Self-Protection (RASP) and services.
5. Encrypt Everything
It's important to make sure that data at rest is encrypted as well as data in transit. HTTPS makes it next to impossible
for Man In The Middle (MITM) attacks to occur.
6. Harden Everything
You need to ensure that everything is sufficiently hardened, from operating systems to software development
frameworks.
7. Keep Your Servers Up to Date
Make sure that your servers are set to update to the latest security releases as they become available.
8. Keep Your Software Up to Date
Application frameworks and third-party software libraries, just like operating systems, have vulnerabilities. If they're
properly supported, then they will also be rapidly patched and improved. So it's important to ensure that you're using
the latest stable version.
9. Stay Abreast of the Latest Vulnerabilities
There are a range of ways to keep up with the attack vectors in play today, vectors such
as cross-site scripting, code injection, SQL injection, insecure direct object references, and cross-site request forgery.
10. Never Stop Learning
That way, you'll always have security as a key consideration, and be far less likely to fall victim to security or data breaches.
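What "proper logging" (practice 3) buys you in concrete terms, as an added example that is not from the slides: a small scanner that parses web server access-log lines, percent-decodes the request target, and flags requests carrying the SQL injection and XSS patterns used in the demo attack. The log lines, the IP addresses (RFC 5737 documentation ranges) and the signature rules are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in the common "combined" access-log format; they are
# not from any real server.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2018:12:01:03 +0000] "GET /users?name=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2018:12:01:09 +0000] "GET /users?name=%27+OR+%271%27%3D%271 HTTP/1.1" 200 8190 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2018:12:02:41 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 300 "-" "curl/7.58"
192.0.2.44 - - [10/Mar/2018:12:03:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures for the two vulnerability classes the demo attack relies on.
# They are deliberately narrow; a real deployment would tune and extend them.
RULES = (
    ("sql-tautology", re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I)),
    ("sql-comment-terminator", re.compile(r"(--|/\*)")),
    ("html-script-tag", re.compile(r"<\s*script", re.I)),
)


def parse_line(line):
    # Returns the fields of one log line, or None when the line is malformed.
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode percent-encoding so that encoded payloads are matched in clear form.
    rec["decoded_target"] = unquote_plus(rec["target"])
    return rec


def scan_log(text):
    # Returns (ip, timestamp, decoded request target, rule name) for each hit,
    # at most one hit per request.
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in RULES:
            if pattern.search(rec["decoded_target"]):
                hits.append((rec["ip"], rec["ts"], rec["decoded_target"], name))
                break
    return hits


if __name__ == "__main__":
    for ip, ts, target, rule in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {rule}: {target}")
```

Note the second sample line: the tautology request returned 8190 bytes where a normal lookup returned 512, which is the kind of context the logged response size gives an investigator about what actually leaked.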
Data privacy is a part of Information Security & Cyber Security, and any
kind of hole, such as an IDOR (missing access control level) or data leakage
in the GraphQL wrapper implementation & Facebook APIs, is able to
destroy an empire like Facebook.
Is this related to Information Security?!
In the USA elections, a quiz app was
developed by Kogan for USA
residents; it was aiming to
collect users' data and their friends' data,
and it did collect data on 50
million users.
What will the Facebook Information Security Team do?!
• Review our platform. We will investigate all apps that had access to large amounts of
information before we changed our platform in 2014 to reduce data access, and we will
conduct a full audit of any app with suspicious activity. If we find developers that misused
personally identifiable information, we will ban them from our platform.
• Tell people about data misuse. We will tell people affected by apps that have misused their
data. This includes building a way for people to know if their data might have been accessed
via “thisisyourdigitallife.” Moving forward, if we remove an app for misusing data, we will tell
everyone who used it.
• Turn off access for unused apps. If someone hasn’t used an app within the last three months,
we will turn off the app’s access to their information.
• Restrict Facebook Login data. We are changing Login, so that in the next version, we will
reduce the data that an app can request without app review to include only name, profile
photo and email address. Requesting any other data will require our approval.
• Encourage people to manage the apps they use. We already show people what apps their
accounts are connected to and control what data they’ve permitted those apps to use. Going
forward, we’re going to make these choices more prominent and easier to manage.
• Reward people who find vulnerabilities. In the coming weeks we will expand Facebook’s bug
bounty program so that people can also report to us if they find misuses of data by app
developers.
Degree_of_Automation.pdf for Instrumentation and industrial specialist
shreyabhosale19
 
Compiler Design Unit1 PPT Phases of Compiler.pptx
Compiler Design Unit1 PPT Phases of Compiler.pptxCompiler Design Unit1 PPT Phases of Compiler.pptx
Compiler Design Unit1 PPT Phases of Compiler.pptx
RushaliDeshmukh2
 
ADVXAI IN MALWARE ANALYSIS FRAMEWORK: BALANCING EXPLAINABILITY WITH SECURITY
ADVXAI IN MALWARE ANALYSIS FRAMEWORK: BALANCING EXPLAINABILITY WITH SECURITYADVXAI IN MALWARE ANALYSIS FRAMEWORK: BALANCING EXPLAINABILITY WITH SECURITY
ADVXAI IN MALWARE ANALYSIS FRAMEWORK: BALANCING EXPLAINABILITY WITH SECURITY
ijscai
 
introduction to machine learining for beginers
introduction to machine learining for beginersintroduction to machine learining for beginers
introduction to machine learining for beginers
JoydebSheet
 
five-year-soluhhhhhhhhhhhhhhhhhtions.pdf
five-year-soluhhhhhhhhhhhhhhhhhtions.pdffive-year-soluhhhhhhhhhhhhhhhhhtions.pdf
five-year-soluhhhhhhhhhhhhhhhhhtions.pdf
AdityaSharma944496
 
Ad

Application security

Commercial software, financial services software, software written by government agencies … all are vulnerable.
Application Vulnerability - Demo Attack
Phases of hacker attacks
1-Information
• Fingerprinting
• Vulnerability DB
• Bulletin Boards
• …….
2-Infrastructure
• Phishing
• Pharming
• XSS
• …..
3-Exploit
• …..
4-Keep Access
• Backdoor
• Trojan
• Rootkits
• …..
5-Delete Fingerprints
• Destroy evidence
• Steganography
• Tunneling
Application Vulnerability - Demo Attack
Phase 1 (Information): SQL Injection
1. Hacker searches for information about the victim's target system: operating system, web server, database
2. Compares the information with a vulnerability database
3. Hacker finds a vulnerability; searches for a (specific) user and finds additional information about that user
4. Needs this information for the next phase of the attack
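The deck names SQL injection as one of the two most common software vulnerabilities and uses it as the entry point of the demo attack, but it never shows what the defect looks like in code. The following is an added example, not code from the slides: a lookup built by string concatenation next to the same lookup as a parameterized query, run against a constructed in-memory SQLite table (the table, the user names and the inputs are all invented for the demonstration). The apostrophe case shows that concatenation is a correctness bug even for honest input; the tautology case shows why the parameterized form is the countermeasure.

```python
import sqlite3


def make_db():
    """Constructed sample table for the demonstration (not data from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user"), ("o'brien", "user")],
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, name):
    """Vulnerable form: the caller's string becomes part of the SQL text,
    so the database cannot tell data from code."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, name):
    """Hardened form: the value is bound as a parameter and is never parsed as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run the same three constructed inputs through both lookups and collect the results."""
    conn = make_db()
    results = {}
    for label, value in [
        ("ordinary", "bob"),              # a normal user name
        ("apostrophe", "o'brien"),        # legitimate input containing a quote
        ("hostile", "' OR '1'='1"),       # classic tautology that rewrites the WHERE clause
    ]:
        try:
            results[f"vulnerable_{label}"] = lookup_user_vulnerable(conn, value)
        except sqlite3.Error as exc:
            # Concatenation turns the apostrophe case into a syntax error
            results[f"vulnerable_{label}"] = f"error: {exc}"
        results[f"safe_{label}"] = lookup_user_safe(conn, value)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} -> {value}")
```

With the concatenated query the hostile input returns every row of the table and the apostrophe input fails outright; the parameterized query returns exactly the matching row in the honest cases and nothing for the hostile one, because the whole string is compared as a name.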
Application Vulnerability - Demo Attack
Phase 2 (Infrastructure): Cross Site Scripting (XSS)
1. Hacker found personal information about the user: e-mail, phone number, …
2. Sends an e-mail with an unsuspicious topic
3. Includes XSS in the e-mail that sends the user's session to the hacker's server
4. User receives the e-mail
5. The e-mail is unsuspicious to the user (topic, originator)
6. The included XSS sends all cookies to the hacker's web site
Application Vulnerability - Demo Attack
Phase 3 (Exploit): Session hijacking
1. Hacker received all cookies from the user
2. Cookies are used to identify users
3. Hacker uses the cookie to resume the user's session
4. Hacker is logged in as user "victim" with the user's access rights
o XSS-Proxy is a tool for leveraging Cross-Site-Scripting (XSS) flaws to hijack victim browsers; it allows a bi-directional interactive control channel between the attacker, the victim browser and an XSS vulnerable site
Now the hacker has logged in to your banking site with your access rights. That was just the beginning.
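Phases 2 and 3 of the demo chain an XSS flaw into a stolen session cookie. Two server-side controls break that chain: escaping user-supplied text before it is placed in HTML, so injected markup is rendered as text rather than executed, and issuing the session cookie with attributes that keep page scripts from reading it and keep it off plaintext and cross-site requests. The block below is an added example, not code from the slides; the cookie name `sessionid` and the comment-rendering helpers are assumptions made for the illustration, and the hostile comment is a constructed sample.

```python
import html
import secrets

COOKIE_NAME = "sessionid"  # assumed cookie name for the illustration


def new_session_id():
    """Unguessable session identifier; a predictable id would let sessions be forged
    without any XSS at all."""
    return secrets.token_urlsafe(32)


def build_session_cookie(session_id, max_age=3600):
    """Set-Cookie value for a session cookie that page scripts cannot read (HttpOnly),
    that is only sent over TLS (Secure) and that is not attached to cross-site
    requests (SameSite=Strict)."""
    return (f"{COOKIE_NAME}={session_id}; Path=/; Max-Age={max_age}; "
            "HttpOnly; Secure; SameSite=Strict")


def cookie_attributes(set_cookie_value):
    """Parse the attributes of a Set-Cookie value into a dict (names lower-cased,
    flag attributes mapped to True)."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    attrs = {}
    for part in parts[1:]:          # parts[0] is name=value of the cookie itself
        name, _, value = part.partition("=")
        attrs[name.strip().lower()] = value.strip() if value else True
    return attrs


def cookie_is_hardened(set_cookie_value):
    """Audit check: does this Set-Cookie header carry the three protective attributes?"""
    attrs = cookie_attributes(set_cookie_value)
    return (attrs.get("httponly") is True
            and attrs.get("secure") is True
            and str(attrs.get("samesite", "")).lower() in ("lax", "strict"))


def render_comment_unsafe(text):
    """Vulnerable rendering: user text is pasted into the HTML unchanged."""
    return f'<p class="comment">{text}</p>'


def render_comment_safe(text):
    """Hardened rendering: HTML special characters (including quotes) are escaped,
    so the browser shows the text instead of interpreting it as markup."""
    return f'<p class="comment">{html.escape(text, quote=True)}</p>'


if __name__ == "__main__":
    header = build_session_cookie(new_session_id())
    print(header, "hardened:", cookie_is_hardened(header))
    hostile = '<script>alert("xss")</script>'   # constructed sample comment
    print(render_comment_unsafe(hostile))
    print(render_comment_safe(hostile))
```

`cookie_is_hardened` is the kind of check that belongs in a test suite or a response-header audit: a cookie that lacks HttpOnly is readable by any script that runs in the page, which is exactly what step 6 of phase 2 relies on.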
Application Vulnerability - Demo Attack
Phase 4 – Keep Access
• Attacker can implement a sniffer to capture all network traffic
• Use a backdoor or trojan to gain repeated access.
• May install rootkits in the kernel to get superuser access at the operating system level.
• They can then use their access to steal data, consume CPU cycles and exchange confidential information or even resort to extortion.
• They can maintain control of the system for a long time by "hardening the system" against other attackers
Phase 5 – Delete Fingerprints
• Trojaned versions of tools such as ps or netcat are useful to destroy the evidence in the registry files or to replace the system binaries.
• Steganography is the process of hiding data, for example in images and sound files.
• Tunneling takes advantage of the transmission protocol by carrying one protocol over another. Even the extra space (unused bits) in the TCP and IP headers can be used to hide information.
Application Security Countermeasures
• Countermeasures are the actions taken to ensure application security.
• An application firewall is the most basic software countermeasure; it limits the execution of files or the handling of data by specific installed programs.
• A router is the most common hardware countermeasure; it can prevent the IP address of an individual computer from being directly visible on the Internet.
• Other countermeasures include conventional firewalls, encryption/decryption programs, anti-virus programs, spyware detection/removal programs and biometric authentication systems.
Best Practices to Build Secure Applications
1. Follow the OWASP Top Ten. It contains the most critical web application security vulnerabilities; these vulnerabilities target the confidentiality, integrity, and availability of an application, its developers, and its users. They cover attack vectors such as injection attacks, authentication and session management, security misconfiguration, and sensitive data exposure.
2. Get an Application Security Audit from people with specific, professional application security experience, who know what to look for, including the obvious and the subtle, as well as the hidden things. They'll also be abreast of current security issues and be knowledgeable about issues which aren't common knowledge yet.
3. Implement Proper Logging. At some stage something will go wrong: there will be a bug that no one saw (or considered severe enough to warrant particular attention), and one day it will be exploited. To be able to respond as quickly as possible, you need to have proper logging implemented before the situation gets out of hand. Doing so provides you with information about what occurred, what led to the situation in the first place, and what else was going on at the time.
4. Use Real-time Security Monitoring and Protection or Web Application Firewalls to protect your application from a range of perspectives, both internal and external, using firewalls in addition to Runtime Application Self-Protection (RASP) and services.
Best Practices to Build Secure Applications
5. Encrypt Everything. It's important to make sure that data at rest is encrypted as well as data in transit. HTTPS makes it next to impossible for Man In The Middle (MITM) attacks to occur.
6. Harden Everything. You need to ensure that everything is sufficiently hardened, from operating systems to software development frameworks.
7. Keep Your Servers Up to Date. Make sure that your servers are set to update to the latest security releases as they become available.
8. Keep Your Software Up to Date. Application frameworks and third-party software libraries, just like operating systems, have vulnerabilities. If they're properly supported, then they will also be rapidly patched and improved, so it's important to ensure that you're using the latest stable version.
9. Stay Abreast of the Latest Vulnerabilities. There are a range of ways to keep up with the attack vectors in play today, vectors such as cross-site scripting, code injection, SQL injection, insecure direct object references, and cross-site request forgery.
10. Never Stop Learning. That way, you'll always have security as a key consideration, and be far less likely to fall victim to security or data breaches.
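Practices 3 and 4 (proper logging, real-time monitoring) are only useful if the log carries the fields a responder needs and something actually reads it. The block below is an added example, not code from the slides: an audit logger that writes one JSON object per line (who, from where, what, outcome, request id) and a detector that reads those lines back and flags a client address with repeated failed logins inside a sliding time window. The logger name `appsec.audit`, the field names, the threshold and every event in `demo()` are constructed for the illustration.

```python
import io
import json
import logging
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_STREAM = io.StringIO()   # stands in for a file or log shipper in this example


def make_security_logger(stream=LOG_STREAM):
    """Logger that emits one JSON object per line (assumed logger name 'appsec.audit')."""
    logger = logging.getLogger("appsec.audit")
    logger.setLevel(logging.INFO)
    logger.handlers.clear()
    logger.propagate = False
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(message)s"))
    logger.addHandler(handler)
    return logger


def log_event(logger, ts, client_ip, user, action, outcome, request_id):
    """Record a security-relevant event with the fields a responder needs:
    when, from where, which account, what was attempted, how it ended, and a
    request id to correlate with application logs."""
    logger.info(json.dumps({
        "ts": ts, "client_ip": client_ip, "user": user,
        "action": action, "outcome": outcome, "request_id": request_id,
    }))


def detect_bruteforce(jsonl_text, threshold=5, window_seconds=60):
    """Return {client_ip: failures} for every address with at least `threshold`
    failed logins inside some window of `window_seconds`."""
    failures = defaultdict(list)
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event["action"] == "login" and event["outcome"] == "failure":
            failures[event["client_ip"]].append(datetime.fromisoformat(event["ts"]))
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times)):
            # count failures from times[i] forward that fall inside the window
            j = i
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                alerts[ip] = j - i
                break
    return alerts


def demo():
    """Write constructed sample events and run the detector over them."""
    LOG_STREAM.seek(0)
    LOG_STREAM.truncate(0)
    logger = make_security_logger()
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    # constructed: six failures from one address within 30 seconds ...
    for i in range(6):
        ts = (base + timedelta(seconds=5 * i)).isoformat()
        log_event(logger, ts, "203.0.113.7", "alice", "login", "failure", f"req-{i}")
    # ... and one failure followed by a success from a different address
    log_event(logger, base.isoformat(), "198.51.100.2", "bob", "login", "failure", "req-x")
    log_event(logger, (base + timedelta(seconds=3)).isoformat(),
              "198.51.100.2", "bob", "login", "success", "req-y")
    return detect_bruteforce(LOG_STREAM.getvalue())


if __name__ == "__main__":
    print(demo())
```

The detector is deliberately simple; the point is that the JSON lines written at the time of the event already contain everything it needs, which is what "proper logging implemented before the situation gets out of hand" means in practice.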
Data privacy is a part of Information Security & Cyber Security, and any kind of hole such as IDOR (missing access control level) or data leakage that exists in the GraphQL wrapper implementation & Facebook APIs is able to destroy an empire like Facebook. Is this related to Information Security!!
In the USA elections, a quiz app was developed by Kogan for USA residents; it was aiming to collect users' data and their friends' data, and it collected data for 50 million users.
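The slide names IDOR (insecure direct object reference, a missing object-level access check) as the class of hole behind the data leak. The block below is an added example, not code from the slides or from Facebook's APIs: a record lookup that trusts the id from the request, beside the same lookup with an ownership check. The profile store, the user names and the admin set are all constructed for the illustration.

```python
# Constructed sample data store for the illustration (not from the slides).
PROFILES = {
    1: {"owner": "alice", "email": "alice@example.com", "phone": "555-0100"},
    2: {"owner": "bob", "email": "bob@example.com", "phone": "555-0101"},
}
ADMINS = {"carol"}   # assumed role set for the example


def get_profile_vulnerable(profile_id):
    """IDOR: the id from the request is used directly, so any authenticated caller
    can read any record simply by changing the number."""
    return PROFILES.get(profile_id)


def get_profile_safe(current_user, profile_id):
    """Object-level access control: the record is returned only if the caller owns
    it or holds the admin role."""
    record = PROFILES.get(profile_id)
    if record is None:
        return None
    if record["owner"] != current_user and current_user not in ADMINS:
        # Same answer as for a missing record, so the response does not reveal
        # which ids exist and cannot be used to enumerate them.
        return None
    return record


def list_profiles_for(current_user):
    """Listing with the same rule applied: users see their own records, admins see all."""
    return {pid: rec for pid, rec in PROFILES.items()
            if rec["owner"] == current_user or current_user in ADMINS}


if __name__ == "__main__":
    print("vulnerable, alice asks for id 2:", get_profile_vulnerable(2))
    print("safe, alice asks for id 2:", get_profile_safe("alice", 2))
    print("safe, admin carol asks for id 2:", get_profile_safe("carol", 2))
```

The check lives next to the data access, not in the URL routing: whatever path, query or GraphQL field the id arrives through, the lookup itself refuses records the caller is not entitled to.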
What will the Facebook Information Security Team do?!
• Review our platform. We will investigate all apps that had access to large amounts of information before we changed our platform in 2014 to reduce data access, and we will conduct a full audit of any app with suspicious activity. If we find developers that misused personally identifiable information, we will ban them from our platform.
• Tell people about data misuse. We will tell people affected by apps that have misused their data. This includes building a way for people to know if their data might have been accessed via "thisisyourdigitallife." Moving forward, if we remove an app for misusing data, we will tell everyone who used it.
• Turn off access for unused apps. If someone hasn't used an app within the last three months, we will turn off the app's access to their information.
• Restrict Facebook Login data. We are changing Login, so that in the next version, we will reduce the data that an app can request without app review to include only name, profile photo and email address. Requesting any other data will require our approval.
• Encourage people to manage the apps they use. We already show people what apps their accounts are connected to and let them control what data they've permitted those apps to use. Going forward, we're going to make these choices more prominent and easier to manage.
• Reward people who find vulnerabilities. In the coming weeks we will expand Facebook's bug bounty program so that people can also report to us if they find misuses of data by app developers.