Web application hacking (owasp top 10) security day
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
Ing. Karina Astudillo B.
IT Manager – Elixircorp S.A.
Copyright 2013 - Karina Astudillo - This document is distributed under the Creative Commons Attribution Share Alike 3.0 license
• Co-founder of Elixircorp S.A.
• Information Security Consultant
Ethical Hacking
Computer Forensics
Networking
Unix/Linux
• Lecturer at FIEC-ESPOL
• Instructor at Cisco-Espol
• Some certifications: CEH, Computer Forensics US, CCNA Security, CCNA R&SW, SCSA, Network Security, Internet Security, VMware VSP, CCAI.
[email protected] Twitter: KAstudilloB
Facebook: Kastudi
Blog: SeguridadInformaticaFacil.com
• What are application risks?
• Risk assessment
• OWASP Top 10
• Preventive measures
• Types of audits
• Software tools
• Demo
Source: OWASP Top 10 - 2013
• Open
• Web
• Application
• Security
• Project
• http://www.owasp.org
"The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted."
Source: OWASP Top 10 - 2013
• Training for developers on Secure Application Coding.
• Build security in from the Design phase onward.
• Use secure APIs (for example, parameterized database interfaces instead of building queries from user input).
• Validate the security of updates in a test environment before moving them to production.
• Run periodic internal and external audits.
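The "use secure APIs" point is the standard OWASP remedy for injection (A1 in the 2013 Top 10): hand user input to the interpreter as data, never as part of the code string. The following is an added example, not code from the original slides or from Elixircorp; it builds a constructed in-memory SQLite users table and shows a login check written with string concatenation beside the same check written with a parameterized query, then runs two classic payloads (a tautology and a comment-out) against both. The table contents, the function names and the payloads are all assumptions made for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample database (not from the slides): one users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Insecure API usage: the query is assembled by string concatenation,
    so quote characters in the input become part of the SQL itself."""
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Secure API usage: a parameterized query. The driver sends the SQL text
    and the values separately, so input can never change the query structure."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo():
    """Run a legitimate login and two injection payloads against both versions.
    Returns a dict so the outcomes can be inspected or asserted on."""
    conn = make_db()
    tautology = "' OR '1'='1"   # closes the password literal and adds an always-true clause
    comment_out = "alice'--"    # closes the username literal and comments out the password check
    return {
        "legit_vulnerable": login_vulnerable(conn, "bob", "hunter2"),
        "legit_safe": login_safe(conn, "bob", "hunter2"),
        # Tautology in the password field: the WHERE clause becomes
        #   username = 'alice' AND password = '' OR '1'='1'  -> matches every row
        "tautology_vulnerable": login_vulnerable(conn, "alice", tautology),
        "tautology_safe": login_safe(conn, "alice", tautology),
        # Comment-out in the username field: the WHERE clause becomes
        #   username = 'alice'--' AND password = 'wrong'     -> password never checked
        "comment_vulnerable": login_vulnerable(conn, comment_out, "wrong"),
        "comment_safe": login_safe(conn, comment_out, "wrong"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:22s} -> {row}")
```

Both payloads log in as the admin through the concatenated version and return no row through the parameterized one; the legitimate credentials work identically in both. The same rule applies to any interpreter (LDAP, OS shell, XPath): prefer the API that takes parameters over the one that takes a string you built.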
• Ethical Hacking:
Web Application Hacking
Performed by an expert ethical hacker
External and internal penetration tests
Execution modes: manual and automated hacking
Deliverable: findings report and improvement recommendations
• Code review:
Secure coding audit
Performed by a developer who is an expert in code review
Exhaustive manual process
The entire application code base is reviewed (sometimes reverse engineering of libraries is required)
Deliverable: findings report and improvement recommendations
• Professional hacking frameworks. E.g.: Core Impact Pro, Metasploit Professional.
• Specialized environments. E.g.: Samurai Linux, Kali Linux (formerly BackTrack).
• Standalone applications: W3AF, WebSecurify Suite, Nikto, RAFT, etc.
• Website: http://www.elixircorp.biz
• Blog: http://www.SeguridadInformaticaFacil.com
• Facebook: www.facebook.com/elixircorp
• Twitter: www.twitter.com/elixircorp
• Google+: http://google.com/+SeguridadInformaticaFacil
Thank you.