Preventing Web Attacks with Apache
Confidential
Session Outline
The Challenge of Risk Analysis for Web Applications
Risk Rating Methodology
How to quantify risk?
WASC Web Hacking Incident Database (WHID)
What is it?
Goals
Recent Project Changes and Updates
2010 Semiannual Report (July to December)
Incidents By Attacked Entity Field
Incidents By Outcome
Incidents By Attack Methods
Incidents By Application Weakness
Comparing the OWASP Top 10 vs. the WHID Top 10
Incidents of Interest
Conclusion
Copyright Trustwave 2010
http://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
The Challenge of Risk Analysis for Web Applications: Analyzing Public Incidents
https://www.trustwave.com/downloads/whitepapers/Trustwave_WP_Global_Security_Report_2010.pdf
Web Hacking Incident Database (WHID)
http://projects.webappsec.org/Web-Hacking-Incident-Database
WHID Goals
Raise awareness of real-world web application security incidents
Provide data for the following Risk Rating steps:
Step 2: Factors for Estimating Likelihood
What application weaknesses are actively being targeted?
Step 3: Factors for Estimating Impact
What outcome are you worried about?
Step 5: Deciding What to Fix
Prioritized listing of remediation issues
Step 6: Customizing Your Risk Rating Model
Customized view based on your vertical market
WHID Data
Inclusion Criteria
Only publicly disclosed, web-related incidents
Incidents of interest
Defacements of High Profile sites are included
http://projects.webappsec.org/Web-Hacking-Incident-Database#SubmitanIncident
Additional information:
A unique identifier: WHID 200x-yy
Dates of occurrence and reporting
Description
Internet references
Real-Time Statistics
Browse real-time data
Drill down into incident details
Pivot on key variables (year/vertical market)
http://projects.webappsec.org/Web-Hacking-Incident-Database
Real-time, Searchable DB
WHID data is available year-round
Useful for application developers and researchers
Search by
Attack method
Outcome
Source geography
and many more
http://projects.webappsec.org/Web-Hacking-Incident-Database#SearchtheWHIDDatabase
Geographic Views
http://projects.webappsec.org/Web-Hacking-Incident-Database#RSSFeed
@wascwhid
WHID Top 10
Injection
CSRF
Security Misconfiguration
Top Trends
Denial of Service
http://www.cert.org/reports/dsit_workshop.pdf
http://www.owasp.org/index.php/OWASP_HTTP_Post_Tool
Banking Trojans
Questions?