JN
Uploaded byJudy Ngure
PPTX, PDF176 views

Application security [appsec]

Application security involves protecting all components of an application, including the user interface, database, web server, and application server. It addresses common vulnerabilities like injections, session hijacking, unauthorized access, and broken authentication. An application security engineer needs to secure files, directories, protocols, ports, accounts, patches, updates, and services to protect a modern web application against attacks like server-side request forgery, XML external entity injection, cross-site scripting, information disclosure, and server-side template injection.

Download to read offline
Application Security [Appsec] By judy Ngure Twitter@judy_infosec
What is Appsec Before we get to understand application security lets understand the most common components of any application Application User interface Application Database Web Server Application server Server sideClient side Internet
Appsec Application security involves the process of protecting all this components that affect the application one way or the other. So what type of vulnerabilities do you need to protect your application against: (This is where OWASP top 10 (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project) comes in handy) - Injections (SQL , XSS, XML ) - Session hijacking - Unauthorized access - Broken Authentication - XML External Entities (XEE) - Security Misconfiguration - Insecure Deserialization - Using Components With Known Vulnerabilities - Insecure communication
So what runs : Application user interface Html, javascript css The user interface runs the following programming languages. When the users send a request E.g if a web application has a submit button the language used to display a submit button is html, however the language used to send the submit request is different. At this end javascript can be manipulated if not properly coded USER
servers Web Server Application server Http request GET request Application logic On this end security issues are populated during the http requests and during application logic process e.g A post request is used to include new data into the web server and end user can introduce data that shouldn't be submitted. Reflected XSS tests use this logic to test using scripts.
So What does an Appsec engineer need to secure? - Files - Directories - Protocols - Ports - Registry - Accounts - Patches - Updates - Services
Web headers ⦿ They define HTTP requests to and from the server. ⦿ They include but not limited to: › Methods used › Resources consumed › Sender and destination information › Type of content being sent/received
Methods ⦿ While making a request, certain methods are used to do this. They determine the type of request and response to be received from a server. › PUT › DELETE › GET › TRACE › POST etc...
Status codes ⦿ Depending on the request, a web server may respond differently using certain codes, dubbed ‘status codes’. › 100 - informational › 200 - ok/success › 300 - redirection › 400 - client error › 500 - server error
Common web vulnerabilities for modern web apps With new technologies, comes new attack vectors... › Server-Side Request Forgery (SSRF) › XML external entities (XXE) › Cross site scripting (XXS) › Information disclosure › Server Side Template injection
SSRF ⦿ Is an attack where in an attacker is able to send a crafted request from a vulnerable web application. SSRF is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network. ⦿ E.g.
SSRF (cont...)

More Related Content

PPT
Application Security
byReggie Niccolo Santos
 
PPT
Secure code practices
byHina Rawal
 
PPTX
Web application security
byKapil Sharma
 
PPT
Application Security
byMuhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
PPTX
A5: Security Misconfiguration
byTariq Islam
 
PDF
Application Security - Your Success Depends on it
byWSO2
 
PPTX
Web application attacks
byhruth
 
PPTX
Application Security Architecture and Threat Modelling
byPriyanka Aash
 
Application Security
byReggie Niccolo Santos
 
Secure code practices
byHina Rawal
 
Web application security
byKapil Sharma
 
Application Security
byMuhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
A5: Security Misconfiguration
byTariq Islam
 
Application Security - Your Success Depends on it
byWSO2
 
Web application attacks
byhruth
 
Application Security Architecture and Threat Modelling
byPriyanka Aash
 

What's hot

PDF
Cyber security and demonstration of security tools
byVicky Fernandes
 
PPTX
OWASP Top 10 2021 What's New
byMichael Furman
 
PPTX
Vulnerabilities in modern web applications
byNiyas Nazar
 
PPTX
cloud security ppt
byDevyani Vaidya
 
PPT
Application Security
byflorinc
 
PPTX
Secure coding practices
byMohammed Danish Amber
 
PDF
OWASP API Security Top 10 - API World
by42Crunch
 
PDF
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
PDF
SAST vs. DAST: What’s the Best Method For Application Security Testing?
byCigital
 
PPTX
Thick client pentesting_the-hackers_meetup_version1.0pptx
byAnurag Srivastava
 
ODP
Mobile App Security Testing -2
byKrisshhna Daasaarii
 
PDF
Api security-testing
byn|u - The Open Security Community
 
PDF
Secure Code Review 101
byNarudom Roongsiriwong, CISSP
 
PPTX
Security Code Review 101
byPaul Ionescu
 
PPTX
Owasp
bypenetration Tester
 
PDF
OWASP Top 10 Web Application Vulnerabilities
bySoftware Guru
 
PDF
API Security - OWASP top 10 for APIs + tips for pentesters
byInon Shkedy
 
PPTX
Secure Coding 101 - OWASP University of Ottawa Workshop
byPaul Ionescu
 
PDF
DevSecOps Implementation Journey
byDevOps Indonesia
 
PPTX
OWASP Top 10 2021 Presentation (Jul 2022)
byTzahiArabov
 
Cyber security and demonstration of security tools
byVicky Fernandes
 
OWASP Top 10 2021 What's New
byMichael Furman
 
Vulnerabilities in modern web applications
byNiyas Nazar
 
cloud security ppt
byDevyani Vaidya
 
Application Security
byflorinc
 
Secure coding practices
byMohammed Danish Amber
 
OWASP API Security Top 10 - API World
by42Crunch
 
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
byCigital
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
byAnurag Srivastava
 
Mobile App Security Testing -2
byKrisshhna Daasaarii
 
Api security-testing
byn|u - The Open Security Community
 
Secure Code Review 101
byNarudom Roongsiriwong, CISSP
 
Security Code Review 101
byPaul Ionescu
 
Owasp
bypenetration Tester
 
OWASP Top 10 Web Application Vulnerabilities
bySoftware Guru
 
API Security - OWASP top 10 for APIs + tips for pentesters
byInon Shkedy
 
Secure Coding 101 - OWASP University of Ottawa Workshop
byPaul Ionescu
 
DevSecOps Implementation Journey
byDevOps Indonesia
 
OWASP Top 10 2021 Presentation (Jul 2022)
byTzahiArabov
 

Similar to Application security [appsec]

PPTX
QA Lab: тестирование ПО. Владимир Гарбуз: "Application Security 101"
byGeeksLab Odessa
 
PDF
4 andrii kudiurov - web application security 101
byIevgenii Katsan
 
PPTX
Presentation on Top 10 Vulnerabilities in Web Application
byMd Mahfuzur Rahman
 
PPTX
Prevoty NYC Java SIG 20150730
bychadtindel
 
PDF
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016
byjtmelton
 
PDF
Application security 101
byVlad Garbuz
 
PDF
Owasp top 10 2013
byEdouard de Lansalut
 
PDF
Zane lackey. security at scale. web application security in a continuous depl...
byYury Chemerkin
 
PPTX
00. introduction to app sec v3
byEoin Keary
 
PPT
Intro to Web Application Security
byRob Ragan
 
PDF
CNIT 129S: Securing Web Applications Ch 1-2
bySam Bowne
 
PPT
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
byAlan Kan
 
PDF
Web Application Penetration Testing Course in 2025.pdf
bydaksh908982
 
PDF
Web Security
byKHOANGUYNNGANH
 
PDF
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
bySam Bowne
 
PDF
Effective approaches to web application security
byZane Lackey
 
PDF
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
bySam Bowne
 
PDF
Ajax Security
bydrkimsky
 
PDF
C01461422
byIOSR Journals
 
PPT
Web Application Security
byColin English
 
QA Lab: тестирование ПО. Владимир Гарбуз: "Application Security 101"
byGeeksLab Odessa
 
4 andrii kudiurov - web application security 101
byIevgenii Katsan
 
Presentation on Top 10 Vulnerabilities in Web Application
byMd Mahfuzur Rahman
 
Prevoty NYC Java SIG 20150730
bychadtindel
 
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016
byjtmelton
 
Application security 101
byVlad Garbuz
 
Owasp top 10 2013
byEdouard de Lansalut
 
Zane lackey. security at scale. web application security in a continuous depl...
byYury Chemerkin
 
00. introduction to app sec v3
byEoin Keary
 
Intro to Web Application Security
byRob Ragan
 
CNIT 129S: Securing Web Applications Ch 1-2
bySam Bowne
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
byAlan Kan
 
Web Application Penetration Testing Course in 2025.pdf
bydaksh908982
 
Web Security
byKHOANGUYNNGANH
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
bySam Bowne
 
Effective approaches to web application security
byZane Lackey
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
bySam Bowne
 
Ajax Security
bydrkimsky
 
C01461422
byIOSR Journals
 
Web Application Security
byColin English
 

Recently uploaded

PDF
Transcript: Embedding sustainability: Tips for ebook and print production - T...
byBookNet Canada
 
PDF
n8n - Next Generation Workflow Automation with Open Source
byDaisuke Masuda
 
PDF
G.O.RT.No. 1173_LRS Extension of time limit
byRAGHU RAM
 
PPTX
Stop Worrying, Start Wiring: Azure Serverless for the AI Era
byMuralidharan Deenathayalan
 
PPTX
xCapture v3: Efficient, Always-On Thread Level Observability with eBPF by Tan...
byScyllaDB
 
PDF
APDCA Energy sustainability white paper.pdf
byflintglobalapac
 
PDF
SAP Building Agentic Systems (Milvus Community Meetup)
byZilliz
 
PDF
FME Realize in the Real World - The Power of Spatial Computing in Action
bySafe Software
 
PDF
STurbo M.C. Surge Prevention by CCC Company
byRobertWaters35
 
PPTX
Taming Time in PHP: Best Practices and Gotchas at Longhorn PHP 2025
byScott Keck-Warren
 
PDF
Poster: Generalizable Image Repair for Robust Visual Control
byIvan Ruchkin
 
PDF
Build Agentic AI Applications with Oracle AI Database Private Agent Factory -...
bySandesh Rao
 
PDF
Top-10-Cloud-Service-Companies-in-2025-Market-Leaders-and-Innovators.pdf
byArtjoker Software Development Company
 
DOCX
Formula 3 - MACO using general limit.docx
byMarkus Janssen
 
PDF
Morgenbooster: Navigating Ai Criticism with Systems Thinking
by1508 A/S
 
PDF
CymruSec 2025 - Wales' Inaugural Cyber Summit
byRay Bugg
 
PDF
Session 3 - UiPath Coded Agents & MCP Server in Action
byDianaGray10
 
PDF
SQL Server BI Modeling Designing Data for Success with SqlDBM.pdf
bySQL DBM
 
DOCX
Formula 1 - APIC general MACO calculation.docx
byMarkus Janssen
 
PPTX
Flutter for Beginners widgets types.pptx
byKongu Engineering College, Perundurai, Erode
 
Transcript: Embedding sustainability: Tips for ebook and print production - T...
byBookNet Canada
 
n8n - Next Generation Workflow Automation with Open Source
byDaisuke Masuda
 
G.O.RT.No. 1173_LRS Extension of time limit
byRAGHU RAM
 
Stop Worrying, Start Wiring: Azure Serverless for the AI Era
byMuralidharan Deenathayalan
 
xCapture v3: Efficient, Always-On Thread Level Observability with eBPF by Tan...
byScyllaDB
 
APDCA Energy sustainability white paper.pdf
byflintglobalapac
 
SAP Building Agentic Systems (Milvus Community Meetup)
byZilliz
 
FME Realize in the Real World - The Power of Spatial Computing in Action
bySafe Software
 
STurbo M.C. Surge Prevention by CCC Company
byRobertWaters35
 
Taming Time in PHP: Best Practices and Gotchas at Longhorn PHP 2025
byScott Keck-Warren
 
Poster: Generalizable Image Repair for Robust Visual Control
byIvan Ruchkin
 
Build Agentic AI Applications with Oracle AI Database Private Agent Factory -...
bySandesh Rao
 
Top-10-Cloud-Service-Companies-in-2025-Market-Leaders-and-Innovators.pdf
byArtjoker Software Development Company
 
Formula 3 - MACO using general limit.docx
byMarkus Janssen
 
Morgenbooster: Navigating Ai Criticism with Systems Thinking
by1508 A/S
 
CymruSec 2025 - Wales' Inaugural Cyber Summit
byRay Bugg
 
Session 3 - UiPath Coded Agents & MCP Server in Action
byDianaGray10
 
SQL Server BI Modeling Designing Data for Success with SqlDBM.pdf
bySQL DBM
 
Formula 1 - APIC general MACO calculation.docx
byMarkus Janssen
 
Flutter for Beginners widgets types.pptx
byKongu Engineering College, Perundurai, Erode
 

Application security [appsec]

  • 1.
    Application Security [Appsec] By judyNgure Twitter@judy_infosec
  • 2.
    What is Appsec Beforewe get to understand application security lets understand the most common components of any application Application User interface Application Database Web Server Application server Server sideClient side Internet
  • 3.
    Appsec Application security involvesthe process of protecting all this components that affect the application one way or the other. So what type of vulnerabilities do you need to protect your application against: (This is where OWASP top 10 (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project) comes in handy) - Injections (SQL , XSS, XML ) - Session hijacking - Unauthorized access - Broken Authentication - XML External Entities (XEE) - Security Misconfiguration - Insecure Deserialization - Using Components With Known Vulnerabilities - Insecure communication
  • 4.
    So what runs: Application user interface Html, javascript css The user interface runs the following programming languages. When the users send a request E.g if a web application has a submit button the language used to display a submit button is html, however the language used to send the submit request is different. At this end javascript can be manipulated if not properly coded USER
  • 5.
    servers Web Server Application server Http request GET request Application logic Onthis end security issues are populated during the http requests and during application logic process e.g A post request is used to include new data into the web server and end user can introduce data that shouldn't be submitted. Reflected XSS tests use this logic to test using scripts.
  • 6.
    So What doesan Appsec engineer need to secure? - Files - Directories - Protocols - Ports - Registry - Accounts - Patches - Updates - Services
  • 7.
    Web headers ⦿ Theydefine HTTP requests to and from the server. ⦿ They include but not limited to: › Methods used › Resources consumed › Sender and destination information › Type of content being sent/received
  • 8.
    Methods ⦿ While makinga request, certain methods are used to do this. They determine the type of request and response to be received from a server. › PUT › DELETE › GET › TRACE › POST etc...
  • 9.
    Status codes ⦿ Dependingon the request, a web server may respond differently using certain codes, dubbed ‘status codes’. › 100 - informational › 200 - ok/success › 300 - redirection › 400 - client error › 500 - server error
  • 10.
    Common web vulnerabilities formodern web apps With new technologies, comes new attack vectors... › Server-Side Request Forgery (SSRF) › XML external entities (XXE) › Cross site scripting (XXS) › Information disclosure › Server Side Template injection
  • 11.
    SSRF ⦿ Is anattack where in an attacker is able to send a crafted request from a vulnerable web application. SSRF is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network. ⦿ E.g.
  • 12.