Application Security

Combined Session
Thursday, May 15, 2014 15:30—16:30
Location: AMMERSEE I

Security Software as a Risk

Successfully attacking an IT system requires exploitable vulnerabilities, and software always contains such vulnerabilities. Because all networking and security components are to some extent software-based (firewalls, encryption, intrusion detection and prevention systems), the security infrastructure should itself be seen as a potential threat. This has been shown by multi-level systematic security tests on a wide range of security products. A comprehensive security test process minimises the need for patching after security products have been delivered.

In this talk, Prof. Dr. Pohl will guide you through the case of the Web Application Firewall (WAF) ModSecurity, showing that even security software can contain vulnerabilities that attackers might exploit, and is thus itself open to attack.

WAFs operate with black and white lists and filter the HTTP traffic between servers and clients. The advantage this has over regular firewalls is that a WAF does not filter at the lower network layers but at the application layer, layer 7 of the OSI model. Conventional firewalls generally operate at layer 3 (network layer) or layer 4 (transport layer), which lets them filter incoming requests by IP address or port. A WAF, on the other hand, also examines the content of the incoming packet and is thus able to defend against attacks such as SQL injection and cross-site scripting, which conventional firewalls do not recognise. Web application firewalls examine only HTTP packets and therefore serve to prevent the exploitation of vulnerabilities specifically in web applications. For this purpose they use a set of defined rules, built on regular expressions, to block malicious HTTP requests by the black-and-white listing method.
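As an added illustration of the rule-based filtering described above (this is example code written for this page, not ModSecurity's code or its rule set): a minimal layer-7 filter that applies a method whitelist, then a blacklist of regular-expression rules over the URL-decoded query string and body of constructed sample requests. The rule ids, patterns, request model and the body-size cap are all hypothetical; the cap is there so that the inspection step itself cannot be exhausted by an oversized request, which is the kind of robustness the abstract asks of security software.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import unquote_plus


# Constructed request model: only the parts a layer-7 filter inspects.
@dataclass
class HttpRequest:
    method: str
    path: str
    query: str = ""
    body: str = ""


@dataclass
class Decision:
    allowed: bool
    reason: str


# Whitelist: only these methods are forwarded to the application at all.
ALLOWED_METHODS = {"GET", "POST"}

# Cap on the body size the filter will run regex rules over. Larger bodies are
# rejected up front so the inspection itself cannot be driven into exhaustion.
MAX_BODY_BYTES = 4096

# Blacklist: (rule id, compiled pattern). Hypothetical signatures written for
# this example; not rules taken from ModSecurity or any other real rule set.
BLACKLIST_RULES: List[Tuple[str, re.Pattern]] = [
    ("sqli-union-select", re.compile(r"\bunion\b\s+(?:all\s+)?\bselect\b", re.I)),
    ("sqli-tautology", re.compile(r"\bor\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("xss-event-handler", re.compile(r"\bon(?:load|error|click|mouseover)\s*=", re.I)),
]


def normalise(text: str) -> str:
    """Undo URL encoding so 'UNION%20SELECT' and 'UNION SELECT' look alike to the rules."""
    return unquote_plus(text)


def inspect(req: HttpRequest) -> Decision:
    """Apply whitelist, resource guard and blacklist in that order; first hit decides."""
    # 1. Whitelist check: methods the application does not need are never forwarded.
    if req.method.upper() not in ALLOWED_METHODS:
        return Decision(False, f"method {req.method} not whitelisted")
    # 2. Resource guard before any pattern matching runs.
    if len(req.body.encode("utf-8")) > MAX_BODY_BYTES:
        return Decision(False, f"body exceeds {MAX_BODY_BYTES} bytes")
    # 3. Blacklist rules over the decoded query string and body.
    for field_name, raw in (("query", req.query), ("body", req.body)):
        decoded = normalise(raw)
        for rule_id, pattern in BLACKLIST_RULES:
            if pattern.search(decoded):
                return Decision(False, f"{rule_id} matched in {field_name}")
    return Decision(True, "no rule matched")


# Constructed sample traffic: one benign request, then requests each tripping one check.
SAMPLE_REQUESTS = [
    HttpRequest("GET", "/search", query="q=running+shoes"),
    HttpRequest("GET", "/search", query="q=%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20users--"),
    HttpRequest("POST", "/comment", body="text=<script>alert(1)</script>"),
    HttpRequest("POST", "/comment", body="text=<img src=x onerror=alert(1)>"),
    HttpRequest("TRACE", "/"),
    HttpRequest("POST", "/upload", body="x" * (MAX_BODY_BYTES + 1)),
]


def run_demo() -> List[Tuple[str, bool, str]]:
    """Inspect every sample request and return (label, allowed, reason) per request."""
    results = []
    for req in SAMPLE_REQUESTS:
        decision = inspect(req)
        results.append((f"{req.method} {req.path}", decision.allowed, decision.reason))
    return results


if __name__ == "__main__":
    for label, allowed, reason in run_demo():
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {label:20} {reason}")
```

The order of checks is the design point: the cheap whitelist and size checks run before any regular expression is evaluated, so a request that the filter was never going to forward cannot make the filter do expensive work first.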

Because the WAF ModSecurity itself contained a denial-of-service vulnerability, simple HTTP requests with XML content were, for example, enough to put the web server out of operation.

This shows that security software can be a double-edged sword. On the one hand, firewalls raise the security level by filtering traffic and thus protecting servers, computers and web applications from attacks; on the other hand, they must themselves be free of vulnerabilities, otherwise the firewall itself can be attacked. In addition, security software must always be patched promptly and configured correctly if the security level is to match the relevant threat.

To ensure that security software never becomes a conduit for threats, it should be examined for vulnerabilities as part of a multi-level systematic security test process consisting of Threat Modelling, Static Source Code Analysis, Penetration Testing and Dynamic Analysis (Fuzzing). Only in this way can it be guaranteed that security software is really secure.

Presentation deck: Security Software as a Risk (download available to event participants and subscribers)
Prof. Dr. Hartmut Pohl
softScheck GmbH
Hartmut Pohl is Professor for Information Security at Bonn University, and CEO/Founder of softScheck, a Security Consulting Firm.

Application Security – Beyond Secure Configurations and Access Controls.

Presentation deck: Application Security – Beyond Secure Configurations and Access Controls (download available to event participants and subscribers)
Peter J. Wirnsperger
Deloitte
Peter is the Partner responsible for Deloitte’s cyber risk services delivering services to our global and regional customers. He has a strong track record of implementation projects for...

Protecting your Applications Against the Threat of Attacks and Data Breaches

Everything we talk about during this conference is based on software. Even more, we see clear trends towards a "Software Defined Everything", replacing specialised hardware with software solutions. Therefore, to protect your business against espionage, attacks and data breaches, you must address application security challenges. In this expert panel, we will outline an application security program that leads your enterprise through the age of cloud, mobile and social.

Prof. Dr. Hartmut Pohl
softScheck GmbH
Hartmut Pohl is Professor for Information Security at Bonn University, and CEO/Founder of softScheck, a Security Consulting Firm.
Juergen Vollmer
Security & Quality Software GmbH
In his role he advises companies on how to accelerate development time and reduce software development and maintenance cost, while improving internal and external security and quality policies....
Peter J. Wirnsperger
Deloitte
Peter is the Partner responsible for Deloitte’s cyber risk services delivering services to our global and regional customers. He has a strong track record of implementation projects for...