Application Security

Type: Combined Session
Date: Thursday, May 15, 2014
Time: 15:30-16:30
Location: AMMERSEE I

Sessions:

Successfully attacking an IT system requires exploitable vulnerabilities, and software always contains them. Since networking and security components such as firewalls, encryption, and intrusion detection and prevention systems are themselves software, security infrastructure must be regarded as a potential threat in its own right. Multi-level systematic security tests on a wide range of security products have shown this. A comprehensive security test process minimises the need for patching after security products have been delivered.

In this talk, Prof. Dr. Pohl will walk through the case of the Web Application Firewall (WAF) ModSecurity, showing that even security software can contain vulnerabilities that attackers might exploit, and is thus itself open to attack.

WAFs work with black and white lists and filter the HTTP traffic between servers and clients. Their advantage over conventional firewalls is that a WAF does not filter at the lower network layers but at the application layer, layer 7 of the OSI model. Conventional firewalls generally operate at layer 3 (network layer) or layer 4 (transport layer), which lets them filter incoming requests by IP address or port. A WAF, by contrast, also examines the content of the incoming packet and can therefore defend against attacks such as SQL injection and cross-site scripting, which conventional firewalls do not recognise. Web application firewalls examine only HTTP packets and so serve specifically to prevent exploitation of vulnerabilities in web applications. For this purpose they apply defined rules, built on regular expressions, to block malicious HTTP requests using the black-and-white listing method.

Because the WAF ModSecurity itself contained a denial-of-service vulnerability, simple HTTP requests with XML content could, for example, put the web server out of operation.
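To make the two points above concrete, the rule-based layer-7 filtering just described and the fact that the filter is itself software that parses attacker-supplied input, here is a small added example of a WAF-style inspector. It is constructed for this page and is not ModSecurity's code; the rule patterns, the allow-listed path and the body-size limit are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote, unquote_plus

# Bound on the body size the filter will even look at. The inspector is itself
# software parsing untrusted input (XML in the ModSecurity case discussed in the
# text), so it limits its own work before any inspection. Assumed value.
MAX_INSPECTED_BODY = 64 * 1024

@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request (layer-7 view)."""
    method: str
    path: str
    query: str = ""
    body: bytes = b""

# Black list: (rule id, regular expression, attack class). Illustrative
# signatures for the two attack classes the text names, not production rules.
DENY_RULES = [
    ("sqli-1", re.compile(r"(?i)\bunion\b\s+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+"), "SQL injection"),
    ("xss-1", re.compile(r"(?i)<\s*script\b|javascript:"), "cross-site scripting"),
]

# White list: paths passed through without rule evaluation (assumed).
ALLOW_PATHS = {"/health"}

def inspect(req: Request) -> tuple:
    """Return ("allow", reason) or ("block", rule id / limit name)."""
    if req.path in ALLOW_PATHS:
        return ("allow", "white-listed path")
    # Guard the inspector itself before decoding or matching anything.
    if len(req.body) > MAX_INSPECTED_BODY:
        return ("block", "body-size-limit")
    # Decode percent-encoding first: rules run on what the application would see,
    # otherwise a URL-encoded quote or angle bracket slips past the pattern.
    surface = " ".join([
        req.method,
        req.path,
        unquote_plus(req.query),
        unquote(req.body.decode("utf-8", "replace")),
    ])
    for rule_id, pattern, _attack_class in DENY_RULES:
        if pattern.search(surface):
            return ("block", rule_id)
    return ("allow", "no rule matched")
```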

This shows that security software can be a double-edged sword: on the one hand, firewalls raise the security level by filtering traffic and thus protect servers, computers and web applications from attacks; on the other hand, they must themselves be free of vulnerabilities, otherwise the firewall itself can be attacked. In addition, security software must always be patched promptly and configured correctly if the security level is to match the relevant threat.

To ensure that security software never becomes a conduit for threats, it should be examined for vulnerabilities as part of a multi-level systematic security test process comprising threat modelling, static source code analysis, penetration testing and dynamic analysis (fuzzing). Only in this way can it be guaranteed that security software is really secure.


Speaker:


Peter is the Partner responsible for Deloitte’s cyber risk services delivering services to our global and regional customers. He has a strong track record of implementation projects for security governance organizations and the technical and organizational review of complex operating...


Everything we talk about during this conference is based on software. More than that, we see clear trends towards a "Software Defined Everything", replacing specialised hardware with software solutions. Therefore, to protect your business against espionage, attacks and data breaches, you must address application security challenges. In this expert panel, we will outline an application security program that leads your enterprise through the age of cloud, mobile and social.


Speakers:

Peter is the Partner responsible for Deloitte’s cyber risk services delivering services to our global and regional customers. He has a strong track record of implementation projects for security governance organizations and the technical and organizational review of complex operating...



European Identity & Cloud Conference 2014

Language:
English
Registration fee:
€1980.00 $2475.00 S$3168.00 21780.00 kr
Contact person:

Mr. Levent Kara
+49 211 23707710
lk@kuppingercole.com
May 13-16, 2014, Munich, Germany
