Week 1 Introduction

The document discusses the critical need for web application security due to increasing reliance on these applications and the sensitive information they store. It highlights significant data breaches, including the Anonymous Sudan attack and the Yahoo data breach, emphasizing the consequences of such incidents on user trust and organizational integrity. The document also outlines various web application threats, security standards, and resources like OWASP and the Web Security Testing Guide to help improve web application security practices.

Uploaded by Blueprint Mih

Web Application Security

Benard Gavuna
Need for Security
• There is an increasing reliance on web applications in our daily lives
• These web applications store sensitive information of their users
• If this information is leaked, the risk impact could range from minor and moderate to major and catastrophic
Anonymous Sudan (July 2023)
• Approximately 3 billion user accounts were affected, making it one of the largest data breaches in history.
• This attack disrupted access to more than 5,000 online government services in Kenya, affecting crucial functions such as visa, passport, and driver's license applications and renewals.
• The assault also crippled online train booking systems and mobile money transactions.
December 2023
• Israeli-linked hackers disrupted approximately 70% of gas stations in Iran.
• Hackers claimed the attack was in retaliation for aggressive actions by Iran and its proxies in the region.
• Pumps restored operation the next day, but payment issues continued for several days.
November 2023
• Trinidad and Tobago’s Prime Minister Dr. Keith Rowley declared the latest ransomware attack against the country’s telecommunications service to be a “national security threat.”
• Hackers stole an estimated six gigabytes of data, including email addresses, national ID numbers, and phone numbers.
October 2023
• Hacktivists stole 3,000 documents from NATO, the second time in three months that hacktivists have breached NATO’s cybersecurity defenses.
• Hackers described themselves as “gay furry hackers” and announced their attack was retaliation against NATO countries’ human rights abuses.
• NATO alleges the attack did not impact NATO missions, operations, or military deployments.
Yahoo Data Breach (2013-2014)
Scope
• Approximately 3 billion user accounts were affected, making it one of the largest data breaches in history.
• The compromised information included names, email addresses, telephone numbers, dates of birth, hashed passwords, and, in some cases, encrypted or unencrypted security questions and answers.
Yahoo Data Breach (2013-2014)
How it Happened

• The attackers gained unauthorized access to Yahoo's internal systems and stole sensitive user information.
• The initial disclosure indicated that the intrusion was likely state-sponsored.
Yahoo Data Breach (2013-2014)
Consequences

• The breach had significant consequences for Yahoo, including a decline in user trust and a negative impact on its acquisition deal with Verizon.
• Yahoo later reduced the purchase price for its internet business by $350 million in light of the security incidents.
Yahoo Data Breach (2013-2014)
Response

• Yahoo took various steps to address the breach, including notifying affected users, resetting passwords, and enhancing security measures.
• The incident led to increased awareness of cybersecurity issues and the importance of securing user data.
Top 10 2021 - The Open Web Application Security Project (OWASP)
5 year review of Top 10 Web Security Vulnerabilities (2021, OWASP)
Distribution of web application critical vulnerabilities (2022)
Top 10 2023
Definition & Importance
• Web Application Security refers to the measures and practices taken to protect web applications from various security threats.
• Importance of Web Application Security
  • Protecting sensitive data
  • Preventing unauthorized access
  • Ensuring the integrity of the application
  • Maintaining user trust

Basic Information Security Concepts
Hackers Mindset
Securing your Web Application
• Creating a Web application is easy, but creating a secure Web application is hard and tedious.
• Because of the multi-tiered architecture, security flaws may appear at many levels.
• You need to secure your database, your server, your application, and your network.
• To create a secure Web application, you need to examine every layer.
Standard Web Application Architecture
Web Application Threats
Application-Layer
• SQL Injection
• Cross-Site-Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• Authentication Breakdown
• Unvalidated Input

Network-Layer
• Packet Sniffing
• Man-In-The-Middle Attacks (MITM)

User-Layer
• Phishing
• Key-logging

Server-Layer
• Denial-of-Service (DoS)
• OS Exploitation
• DNS Attack
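Two of the application-layer items above, SQL Injection and Unvalidated Input, are closely related: an injection flaw is what happens when unvalidated input is spliced into a query. The example below is added here to illustrate that pair side by side; it is not code from the slides or from any project. It builds a small in-memory SQLite table with constructed sample rows, shows a lookup that concatenates the user's input into SQL, then a lookup using a bound parameter, and finally an allow-list validator placed in front of the parameterized query as defense in depth. All names (`lookup_vulnerable`, `lookup_parameterized`, `is_valid_username`, `lookup_hardened`) and the sample data are assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed sample rows for the demonstration (not data from the slides).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Build an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


DB = make_db()


def lookup_vulnerable(name):
    """Application-layer flaw: unvalidated input is concatenated into SQL.

    The caller's text becomes part of the query grammar, so a value that
    contains a quote character can change what the WHERE clause means.
    """
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return DB.execute(sql).fetchall()


def lookup_parameterized(name):
    """Hardened: a bound parameter is always treated as data, never as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return DB.execute(sql, (name,)).fetchall()


# Allow-list for usernames (hypothetical policy): lowercase letter first,
# then lowercase alphanumerics or underscore, 32 characters at most.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def is_valid_username(name):
    """Validation for the 'Unvalidated Input' item: reject anything that
    does not match the allow-list exactly (fullmatch, not search)."""
    return isinstance(name, str) and USERNAME_RE.fullmatch(name) is not None


def lookup_hardened(name):
    """Defense in depth: validate first, then query with a bound parameter."""
    if not is_valid_username(name):
        raise ValueError("rejected username: %r" % (name,))
    return lookup_parameterized(name)


if __name__ == "__main__":
    # Constructed inputs: a normal lookup and the classic tautology payload.
    for value in ("alice", "x' OR '1'='1"):
        print("vulnerable   :", value, "->", lookup_vulnerable(value))
        print("parameterized:", value, "->", lookup_parameterized(value))
        print("valid input? :", value, "->", is_valid_username(value))
```

Running the block shows the difference: the concatenating lookup returns every row for the tautology input because the quote closes the string literal and the rest is parsed as SQL, while the parameterized lookup returns nothing for the same input because the whole string is compared as a literal name. Validation on its own is not a substitute for parameterization (the query must never depend on the input being well-formed), but rejecting malformed input early shrinks the attack surface for the other application-layer items on the slide as well.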
Web Security Standards
• Specifies coding standards and basic security practices that must be followed when developing and improving websites and web applications, e.g. OWASP, WASC, etc.
Open Web Application Security Project (OWASP)
• The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software.
• It works to improve the security of software through its community-led open source software projects, hundreds of chapters worldwide, tens of thousands of members, and by hosting local and global conferences.
The Web Security Testing Guide (WSTG)
• The Web Security Testing Guide (WSTG) Project produces the premier cybersecurity testing resource for web application developers and security professionals.
• The WSTG is a comprehensive guide to testing the security of web applications and web services.
• Created by the collaborative efforts of cybersecurity professionals and dedicated volunteers, the WSTG provides a framework of best practices used by penetration testers and organizations all over the world.
