
In the Line of Fire:

Defending Highly Visible Targets

Jeremy Poteet, CISSP
Chief Security Officer, appDefense
jpoteet@appdefense.com
636.294.2774

OWASP AppSec DC, October 2005
Copyright © 2005 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.

The OWASP Foundation
http://www.owasp.org/
Introduction

What is a highly visible application?
Begin at the beginning
Stories from the trenches
Hope - it can be done

OWASP AppSec DC 2005 2


You might be a highly visible site if …

… the press shows up for the deployment of your app
… any error message shows up in hundreds of blogs
… you can't count the number of sites whose sole purpose is to list attack plans and provide tools for breaking into your application
… every hacker, security wannabe and activist would love to use your site to make a statement
… CNN shows on its tickertape that your site is sluggish


What makes a highly visible site

Crown Jewels
Money
Data
Notoriety
What it Represents
Making a Statement
Users + Focus



Signature of a highly visible site

Complex Systems
Multiples - technologies, developers, servers, applications
Highly volatile
Something to lose


Highly visible is the same

Still web applications
Same issues still apply
In an ideal world, it doesn't matter
Applications don't always start as highly visible
Best practices still apply


Highly visible is different

Time to Impact
Coordination
Number of Cooks
External Visibility
Cascading



Begin at the Beginning

Learn from the past
Only as strong as the foundation
Know what is expected
Information is your best friend
Prepare for failure


Dealing With Application Complexity

Team based system
Geographic systems
Custom PDF Generation
File Upload and Downloads
Memory Leak, Scalability or DoS?
Powerful apps = High promotion
Quick resolution to issues


The Debates

Highest volume
Visibility: outward (press, voters), inward (staff)
Large volume of data
Real-time responses
Debate timeline changes


Walling off failure

Isolating Systems From Impacting Each Other
Database Segregation
Application Separation
Access Toggling
Additional Monitoring
Scalability
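One concrete form of "access toggling" and "application separation" is a per-subsystem kill switch: each optional feature is wrapped in a toggle read from configuration, so an operator can switch off one misbehaving subsystem during an incident without redeploying and without the failure cascading into the rest of the site. The example below is added here and is not code from the talk; the subsystem names, the handlers and the JSON config format are assumptions made for illustration.

```python
"""Added example, not from the talk: per-subsystem kill switches.

Each optional subsystem (PDF export, file upload, ...) is wrapped in a
toggle read from a small config document, so an operator can switch off
one misbehaving feature without touching the rest of the site.
Subsystem names, handlers and the config format are assumptions.
"""
import json
from typing import Callable, Dict

Handler = Callable[[dict], dict]

# Constructed config: what an operator would edit during an incident.
# "fail_closed" governs subsystems that are missing from the list.
CONFIG_TEXT = json.dumps({
    "fail_closed": True,
    "subsystems": {
        "pdf_export": {"enabled": False,
                       "message": "PDF export is temporarily unavailable."},
        "file_upload": {"enabled": True},
        "map_lookup": {"enabled": True},
    },
})


class Toggles:
    """Current toggle state; reload() swaps in a new config in one step."""

    def __init__(self, config_text: str) -> None:
        self.reload(config_text)

    def reload(self, config_text: str) -> None:
        try:
            cfg = json.loads(config_text)
        except ValueError:
            # Unparseable config: disable everything optional rather than guess.
            cfg = {"fail_closed": True, "subsystems": {}}
        self._fail_closed = bool(cfg.get("fail_closed", True))
        self._subsystems = dict(cfg.get("subsystems", {}))

    def enabled(self, name: str) -> bool:
        entry = self._subsystems.get(name)
        if entry is None:
            return not self._fail_closed      # unknown subsystem
        return bool(entry.get("enabled", False))

    def message(self, name: str) -> str:
        return self._subsystems.get(name, {}).get("message", f"{name} is disabled.")


def guarded(toggles: Toggles, name: str, handler: Handler) -> Handler:
    """Answer 503 when the subsystem is switched off, and contain any crash
    inside it to a 500 for that one request instead of taking the page down."""
    def wrapper(request: dict) -> dict:
        if not toggles.enabled(name):
            return {"status": 503, "body": toggles.message(name)}
        try:
            return handler(request)
        except Exception as exc:
            return {"status": 500, "body": f"{name} failed: {type(exc).__name__}"}
    return wrapper


# Stand-in handlers; real ones would talk to their own segregated databases.
def render_pdf(request: dict) -> dict:
    return {"status": 200, "body": f"pdf for record {request['id']}"}


def store_upload(request: dict) -> dict:
    if len(request["data"]) > 1024:
        raise MemoryError("upload too large for this example")
    return {"status": 200, "body": "stored"}


toggles = Toggles(CONFIG_TEXT)
ROUTES: Dict[str, Handler] = {
    "/export/pdf": guarded(toggles, "pdf_export", render_pdf),
    "/upload": guarded(toggles, "file_upload", store_upload),
}


def dispatch(path: str, request: dict) -> dict:
    return ROUTES[path](request)


if __name__ == "__main__":
    print(dispatch("/export/pdf", {"id": 7}))        # 503: switched off in config
    print(dispatch("/upload", {"data": b"x" * 10}))   # 200
    toggles.reload('{"subsystems": {"file_upload": {"enabled": false}}}')
    print(dispatch("/upload", {"data": b"x" * 10}))   # 503 after reload
```

The design choice worth noting is the fail-closed default: a subsystem that is absent from the config, or a config that cannot be parsed at all, is treated as disabled, so a botched emergency edit degrades an optional feature rather than silently re-enabling it.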


Volume of Attacks

High-volume usage goes with high-volume attacks
Cover
Visibility
Assist in attacks
Convention/Debate/Elections
Maximum Impact


Caching

Minimize data access and processing


Bleed over
Client vs. Server
Shifting of responsibility
Level of Control

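The "bleed over" risk in caching is that a response computed for one user is served to another. The example below is added here and is not code from the talk; it shows a cache keyed on the path alone leaking one user's account page to the next user, and a cache that keys private responses per user, shares only public ones, and expires entries so a purge is a matter of configuration rather than recoding. The paths, users and backend are constructed for the example.

```python
"""Added example, not from the talk: cache "bleed over" between users and the
keying discipline that prevents it. Paths, users and the backend are
constructed for this example."""
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed backend data: per-user records that must never cross users,
# plus a genuinely public page that every user may share.
ACCOUNTS = {"alice": {"balance": 120}, "bob": {"balance": 5}}
PUBLIC_PAGES = {"/schedule": "Debate schedule: Wednesday 8pm"}


def backend(path: str, user: Optional[str]) -> Tuple[str, bool]:
    """Return (body, is_private). A private body depends on who is asking."""
    if path in PUBLIC_PAGES:
        return PUBLIC_PAGES[path], False
    if path == "/account" and user in ACCOUNTS:
        return f"{user}: balance {ACCOUNTS[user]['balance']}", True
    return "not found", False


class NaiveCache:
    """Keyed on path alone: the first caller's private page is served to everyone."""

    def __init__(self) -> None:
        self.store: Dict[str, str] = {}

    def get(self, path: str, user: Optional[str]) -> str:
        if path not in self.store:
            body, _private = backend(path, user)   # privacy flag ignored: the bug
            self.store[path] = body
        return self.store[path]


class ScopedCache:
    """Public bodies share one slot per path; private bodies are keyed per user.
    Entries expire after ttl_seconds, and purge() drops a path for everyone."""

    def __init__(self, ttl_seconds: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.ttl = ttl_seconds
        self.clock = clock
        # key: (path, user-or-None) -> (expires_at, body)
        self.store: Dict[Tuple[str, Optional[str]], Tuple[float, str]] = {}

    def get(self, path: str, user: Optional[str]) -> str:
        now = self.clock()
        # A shared public copy wins; otherwise only this user's own copy counts.
        for key in ((path, None), (path, user)):
            hit = self.store.get(key)
            if hit is not None and hit[0] > now:
                return hit[1]
        body, private = backend(path, user)
        if private and user is None:
            return body                    # private but anonymous: never cache
        self.store[(path, user if private else None)] = (now + self.ttl, body)
        return body

    def purge(self, path: str) -> int:
        """Drop every cached copy of one path, for all users; returns the count."""
        doomed = [k for k in self.store if k[0] == path]
        for k in doomed:
            del self.store[k]
        return len(doomed)


if __name__ == "__main__":
    naive = NaiveCache()
    print(naive.get("/account", "alice"))
    print(naive.get("/account", "bob"))      # alice's balance: bleed over
    scoped = ScopedCache(ttl_seconds=30)
    print(scoped.get("/account", "alice"))
    print(scoped.get("/account", "bob"))     # bob's own balance
```

Whether a response is private is decided by the backend that produced it, not by the cache; that is the "level of control" point: the layer that knows the data must mark it, and a cache that guesses will eventually guess wrong.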


Complete Architecture Shift

Rapid Switch
Rules Reset
Configure Rather than Recode
Assume Nothing
Contingency Plan



Perception

Worst Case Scenario
Rising Visibility
Increased and Focused Attacks
Gut Check
Perception is Everything


No site is an island

Branding
Integrated Tools
Integrated Sites
Feeds
Applications are wide ranging
Perception and reality must meet



Beneath the noise

Constant Attacks
High Volume Pages
Concentrated Volume
Sub-Pages - Understanding how the application functions
Coordinated Attacks
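A front page taking hundreds of thousands of hits hides a concentrated attack on a sub-page if you only watch site-wide totals. The example below is added here and is not code from the talk: it parses a constructed access-log sample (combined log format), computes per-path statistics, and flags paths where a handful of clients dominate or most responses are errors, while the site-wide error rate still looks healthy. Log lines, paths and addresses are constructed for the example.

```python
"""Added example, not from the talk: finding a concentrated attack on a
low-traffic sub-page underneath a high-volume front page. Log lines,
paths and addresses are constructed for this example."""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def log_line(ip: str, path: str, status: int) -> str:
    return f'{ip} - - [01/Jan/2005:20:00:00 -0500] "GET {path} HTTP/1.1" {status} 512'


# Constructed sample: 200 front-page hits from 200 clients, 30 schedule hits
# from 15 clients, and 40 hits on an administrative sub-page from 2 clients,
# every one of them an error (probing for something absent, or breaking it).
SAMPLE_LOG: List[str] = (
    [log_line(f"10.0.0.{i}", "/", 200) for i in range(1, 201)]
    + [log_line(f"10.1.0.{i % 15 + 1}", "/debate/schedule", 200) for i in range(30)]
    + [log_line("198.51.100.7", "/admin/export.cgi", 404 if i % 2 else 500)
       for i in range(30)]
    + [log_line("203.0.113.9", "/admin/export.cgi", 500) for _ in range(10)]
)


def analyze(lines: Iterable[str]) -> Dict[str, dict]:
    """Per-path request count, per-client counts and error count."""
    stats: Dict[str, dict] = defaultdict(
        lambda: {"requests": 0, "clients": Counter(), "errors": 0})
    for ln in lines:
        m = LOG_RE.match(ln)
        if not m:
            continue                       # malformed line: skip, never crash
        ip, path, status = m.group(1), m.group(2), int(m.group(3))
        s = stats[path]
        s["requests"] += 1
        s["clients"][ip] += 1
        if status >= 400:
            s["errors"] += 1
    return dict(stats)


def site_error_rate(stats: Dict[str, dict]) -> float:
    """Site-wide error share: the aggregate that front-page volume dilutes."""
    total = sum(s["requests"] for s in stats.values())
    errors = sum(s["errors"] for s in stats.values())
    return errors / total if total else 0.0


def suspicious_paths(stats: Dict[str, dict], min_requests: int = 20,
                     top_client_share: float = 0.5,
                     error_share: float = 0.5) -> List[Tuple[str, str, float, float]]:
    """Paths where one client dominates or most responses are errors:
    (path, top client, share of requests from it, error share)."""
    out = []
    for path, s in stats.items():
        if s["requests"] < min_requests:
            continue
        top_ip, top_n = s["clients"].most_common(1)[0]
        share = top_n / s["requests"]
        err = s["errors"] / s["requests"]
        if share >= top_client_share or err >= error_share:
            out.append((path, top_ip, round(share, 2), round(err, 2)))
    return sorted(out)


if __name__ == "__main__":
    st = analyze(SAMPLE_LOG)
    print(f"site-wide error rate: {site_error_rate(st):.1%}")   # looks healthy
    for row in suspicious_paths(st):
        print("suspicious:", row)
```

The thresholds are assumptions to tune per site; the point is the unit of analysis. Per-path, per-client counts surface the sub-page that a coordinated attack is actually working on, which an aggregate error rate of a few percent never will.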


Out of Your Control

Emails from the application systematically spammed
Data is the system
Pandora's Box
Containment
Damage Control


Data Mines

Elaborate system of mines
Access
Mechanism Used
Timestamp
Monitoring
Tracking
Allows the weak link to be located quickly
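One way to build the "data mines" above, and to answer the spam question from the "Out of Your Control" slide, is to plant a unique canary record in every channel that hands data out (a partner feed, a CSV export, a mailing list) and record the mechanism and timestamp for each. When one of those addresses turns up in a spam run, the register points straight at the channel that leaked it and how long after planting. The example below is added here and is not code from the talk; the mechanism names, the domain and the abuse sample are constructed for it.

```python
"""Added example, not from the talk: "data mines" as unique canary addresses
planted per distribution mechanism, so an abused record points at the channel
that leaked it. Mechanism names, the domain and the abuse sample are
constructed for this example."""
import secrets
import time
from collections import Counter
from typing import Callable, Dict, Iterable, List, Optional, Tuple


class DataMines:
    """Register of planted canary addresses and who was handed each one."""

    def __init__(self, domain: str, clock: Callable[[], float] = time.time) -> None:
        self.domain = domain
        self.clock = clock
        self._mines: Dict[str, dict] = {}   # address -> mechanism, planted, hits

    def plant(self, mechanism: str) -> str:
        """Create one address that exists nowhere else and goes only to `mechanism`."""
        # Random local part: someone sifting a dump cannot tell it from a real user.
        addr = f"u{secrets.token_hex(6)}@{self.domain}".lower()
        self._mines[addr] = {"mechanism": mechanism, "planted": self.clock(), "hits": []}
        return addr

    def is_mine(self, addr: str) -> bool:
        return addr.strip().lower() in self._mines

    def record_hit(self, addr: str, seen_at: Optional[float] = None) -> Optional[str]:
        """Log a sighting (spam delivered, login attempt, ...); return its mechanism."""
        mine = self._mines.get(addr.strip().lower())
        if mine is None:
            return None
        mine["hits"].append(seen_at if seen_at is not None else self.clock())
        return mine["mechanism"]

    def ingest_abuse_report(self, recipients: Iterable[str]) -> Counter:
        """Run a batch of abused addresses through the register; count per mechanism."""
        tally: Counter = Counter()
        for addr in recipients:
            mech = self.record_hit(addr)
            if mech is not None:
                tally[mech] += 1
        return tally

    def weak_links(self) -> List[Tuple[str, int, float]]:
        """Mechanisms with hits, worst first:
        (mechanism, total hits, hours from planting to the first sighting)."""
        per: Dict[str, dict] = {}
        for mine in self._mines.values():
            if not mine["hits"]:
                continue
            agg = per.setdefault(mine["mechanism"], {"hits": 0, "lead": None})
            agg["hits"] += len(mine["hits"])
            lead = min(mine["hits"]) - mine["planted"]
            if agg["lead"] is None or lead < agg["lead"]:
                agg["lead"] = lead
        rows = [(m, a["hits"], round(a["lead"] / 3600, 2)) for m, a in per.items()]
        return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    mines = DataMines("example.org")
    feed = mines.plant("partner-feed")
    export = mines.plant("csv-export")
    letter = mines.plant("newsletter")
    # Constructed abuse sample: recipients seen in a spam run, mines among real users.
    spam_run = [feed, "someone@example.org", feed.upper(), letter]
    print(mines.ingest_abuse_report(spam_run))
    print(mines.weak_links())
```

The addresses must be unique per mechanism and must never be reused, otherwise a hit cannot be attributed; and the register itself is sensitive, since anyone who reads it can strip the mines out of a dump before selling it.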


Hope - It Can Be Done

No Silver Bullet
Requires creativity, commitment, diligence
Begin With the Basics
Information is Key


OWASP

Guide
Top 10
Specific Tools
Put Back In
Take the Advantage


