WebApp Security Risks and Protection: the Class Is Starting!

This article was originally written by the GrapeCity technical team.

Please cite the source: GrapeCity's official website. GrapeCity provides professional development tools, solutions and services for developers, empowering developers.


The network security incidents of 2018 ranged from data leaks and theft to DDoS attacks and ransomware. Not only did the total number of threats rise, the threat landscape also became more diverse: attackers keep developing new avenues of attack while at the same time trying to cover their tracks, so network security is becoming ever harder. The future is an era in which everything is interconnected; only by getting a firm grip on network and information security can we avoid being overwhelmed by far more capable adversaries.

To give back to the community, we invited GrapeCity senior architect and security expert Carl as guest speaker. In this GrapeCity technical open class, starting from WebApp security, he will walk you through security precautions and hacker attacks you may not expect, help you raise your network security awareness, and ultimately show you how to avoid potential risks and prevent cyber attacks.

The course is divided into three sections, planned as follows:

Section I: Broaden your horizons - raising security awareness

Raising the network security awareness of every role in a project team and of every process is vital. Only with security awareness will people be willing to invest more time and energy in data security. Here I will show you some of the network security incidents that occurred in 2018; the losses caused by these incidents may be far beyond what you imagine.

Review of 2018 network security incidents

Facebook data breach: in September 2018, Facebook was hacked through a security vulnerability, leading to the leak of information on about 50 million users.

Datatang, a listed company, suspected of infringing ten billion pieces of personal information: in just eight months, the leading big-data enterprise Datatang disclosed more than 1.3 million pieces of citizens' personal information per day on average, transmitting about 4000 GB of compressed data in total.

Yuantong (YTO) Express 1 billion records leaked: 1 billion pieces of user data were openly sold, including senders' and recipients' names, phone numbers, addresses and other private information.

Marriott 500 million guests' reservation information exposed: Marriott's room reservation database was hacked, and the information of approximately 500 million customers may have been leaked.

More data breaches

  1. Cathay Pacific data leak, 9.4 million passengers affected
  2. MongoDB database intrusion, 11 million email records leaked
  3. SHEIN data breach affecting 6.42 million users
  4. GovPayNet payment receipt system vulnerability, 14 million transactions exposed
  5. Xiaomi Youpin product platform leak, personal privacy data of about 20 million users exposed
  6. Atlanta city government hit by a ransomware attack
  7. Baltimore suffered a ransomware attack that knocked out the computer-aided dispatch (CAD) function of its 911 emergency dispatch service
  8. TSMC ransomware incident, causing a revenue loss of about 1.76 billion yuan and a 7.8 billion drop in market value
  9. Many personal computers and small websites suffered attacks
  10. The servers of the Pyeongchang Winter Olympics opening ceremony were hacked by unknown attackers
  11. GitHub hit by a DDoS attack peaking at 1.35 Tbps
  12. CPU data cache mechanism vulnerabilities
  13. iOS WebView component (UIWebView / WKWebView) cross-domain access vulnerability (CNNVD-201801-515)
  14. Oracle WebLogic Server WLS core component remote code execution vulnerability
  15. WeChat Pay SDK XXE vulnerability
  16. Apache Struts2 S2-057 security vulnerability

Ransomware incidents

DDoS attacks

Inventory of the year's major vulnerabilities

Section II: Know yourself and your enemy - how hackers attack systems

A typical hacker attack on a website proceeds in the following five steps:

  1. Information gathering and vulnerability scanning
  2. Exploiting a vulnerability
  3. Uploading a Trojan (web shell)
  4. Gaining control of the server
  5. Cleaning up traces

To sum up:

Hackers do not test a system for vulnerabilities by hand; a great many powerful tools automate the work.

Hackers do not exploit a single system vulnerability; they chain a series of vulnerabilities at different levels.

Hackers often attack a whole batch of sites at once, pick the one with the most vulnerabilities, and use it as the main breakthrough point.
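The five steps above are what a defender sees in the web server's access log. The following script, an added example that is not part of the original post or the class material, runs simple detection logic over a few constructed Apache-style log lines: a host whose many 404s betray a vulnerability scanner (step 1), a POST to an upload endpoint (step 3), and a server-side script being executed from the upload directory, which is the web shell in use (steps 3 and 4). The IP addresses, paths, threshold and directory names are all assumptions made for the example.

```python
"""Added example (not from the original post): spotting the attack chain in
web-server access logs. The log lines are constructed for illustration and
the threshold and directory names are assumptions, not figures from the class."""
import re
from collections import defaultdict

# Simplified Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample: one host probes for well-known files, then uploads and
# calls a web shell; a second host is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2019:10:00:01 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine)"
203.0.113.7 - - [10/Jun/2019:10:00:01 +0800] "GET /.git/config HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine)"
203.0.113.7 - - [10/Jun/2019:10:00:02 +0800] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine)"
203.0.113.7 - - [10/Jun/2019:10:00:02 +0800] "GET /struts2-showcase/ HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine)"
203.0.113.7 - - [10/Jun/2019:10:00:03 +0800] "GET /console/login/LoginForm.jsp HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine)"
203.0.113.7 - - [10/Jun/2019:10:05:40 +0800] "POST /upload.php HTTP/1.1" 200 54 "-" "python-requests/2.21.0"
203.0.113.7 - - [10/Jun/2019:10:05:41 +0800] "GET /uploads/avatar.php?cmd=id HTTP/1.1" 200 311 "-" "python-requests/2.21.0"
198.51.100.9 - - [10/Jun/2019:10:06:00 +0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/74.0"
198.51.100.9 - - [10/Jun/2019:10:06:01 +0800] "GET /images/logo.png HTTP/1.1" 200 8810 "http://example.test/" "Mozilla/5.0 (Windows NT 10.0) Chrome/74.0"
"""

SCANNER_MIN_404 = 4                                  # assumed threshold per source IP
SCRIPT_EXT = ('.php', '.jsp', '.asp', '.aspx')       # server-side script extensions
UPLOAD_DIRS = ('/uploads/', '/upload/', '/files/')   # assumed user-content directories


def parse_log(text):
    """Yield one dict per parseable log line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def analyze(text):
    """Return {ip: [tags]} for the steps of the chain that leave log evidence:
    'scanner' (step 1), 'upload-endpoint-post' (step 3, low confidence) and
    'webshell-executed' (a script served with 200 from an upload directory)."""
    not_found = defaultdict(int)
    findings = defaultdict(set)
    for r in parse_log(text):
        ip, status = r['ip'], r['status']
        path = r['path'].split('?', 1)[0]          # drop the query string
        if status == '404':
            not_found[ip] += 1
        if r['method'] == 'POST' and path.endswith('upload.php'):
            findings[ip].add('upload-endpoint-post')
        # A server-side script executing from a directory that should hold only
        # user uploads is the classic sign that the "Trojan" step succeeded.
        if (status == '200' and path.lower().endswith(SCRIPT_EXT)
                and path.startswith(UPLOAD_DIRS)):
            findings[ip].add('webshell-executed')
    for ip, n in not_found.items():
        if n >= SCANNER_MIN_404:
            findings[ip].add('scanner')
    return {ip: sorted(tags) for ip, tags in findings.items()}


if __name__ == '__main__':
    for ip, tags in analyze(SAMPLE_LOG).items():
        print(ip, ', '.join(tags))
```

The point of the last tag is the cheapest hardening on the page's "upload Trojan" step: an upload directory should never be allowed to execute scripts, so a 200 for `/uploads/*.php` is itself a misconfiguration finding even before anyone looks at the request.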

Section III: The ten security risks (OWASP Top 10)

Insecure software is undermining our financial, medical, defense, energy and other critical infrastructure. As our software becomes ever larger, more complex and more interconnected, the difficulty of achieving application security grows exponentially. The rapid pace of modern software development processes makes quick and accurate identification of software security risks ever more important, and that is why the OWASP organization was born.

OWASP, the Open Web Application Security Project, is an open-source, non-profit global security organization that provides impartial, practical and cost-effective information about computer and Internet application security, with the aim of helping individuals, enterprises and organizations discover and use trustworthy software.

The OWASP Top 10, published by OWASP, is the most authoritative list of the "Top 10 Most Critical Web Application Security Risks". It analyzes security issues from the perspectives of threat likelihood and vulnerability, combined with technical and business impact, and ranks the ten categories of Web application security risk recognized as the most serious. For each of these risks the OWASP Top 10 proposes countermeasures, helping IT companies and development teams standardize their development and testing processes and improve the security of Web products.

OWASP urges every company to adopt the OWASP Top 10 document within its organization and to ensure that its Web applications minimize these risks. Using the OWASP Top 10 is probably the most effective first step toward the culture shift within a software development organization that produces secure code.

The OWASP Top 10 comprises:

  1. Injection
  2. Broken authentication
  3. Sensitive data exposure
  4. XML External Entities (XXE)
  5. Broken access control
  6. Security misconfiguration
  7. Cross-Site Scripting (XSS)
  8. Insecure deserialization
  9. Using components with known vulnerabilities
  10. Insufficient logging and monitoring
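Injection heads the list because the fix is mechanical yet still widely skipped. The following added example, which is not part of the original post or of OWASP's own material, writes the same login check two ways against an in-memory SQLite database: one that builds the SQL statement by string concatenation, and one that binds the user's input as parameters. The table, the two users and the attacker's payload are constructed for the example.

```python
"""Added example (not from the original post or OWASP): OWASP Top 10 #1,
injection, shown as a login check written vulnerably and then safely.
Users, passwords and the payload are constructed for illustration."""
import sqlite3


def make_db():
    """Constructed fixture: two users in an in-memory database."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE users (name TEXT, password TEXT)')
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!'), ('carl', 'hunter2')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """String concatenation: the user's input becomes part of the SQL grammar,
    so a quote in the input ends the literal and the rest is parsed as SQL."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Parameterized query: the input is bound as data by the driver and can
    never change the shape of the statement, whatever characters it contains."""
    row = conn.execute(
        'SELECT name FROM users WHERE name = ? AND password = ?', (name, password)
    ).fetchone()
    return row[0] if row else None


# Classic tautology payload: closes the name literal, makes the WHERE clause
# always true, and comments out the password comparison with "--".
PAYLOAD = "admin' OR '1'='1' --"


def demo():
    """Run both variants with a legitimate login and with the payload."""
    conn = make_db()
    return {
        'legit_vulnerable': login_vulnerable(conn, 'carl', 'hunter2'),
        'legit_safe': login_safe(conn, 'carl', 'hunter2'),
        'attack_vulnerable': login_vulnerable(conn, PAYLOAD, 'wrong'),  # 'admin'
        'attack_safe': login_safe(conn, PAYLOAD, 'wrong'),              # None
    }


if __name__ == '__main__':
    for label, who in demo().items():
        print(f'{label}: {who}')
```

Both functions behave identically on a normal login; they diverge only when the input carries SQL syntax. Note that escaping quotes by hand is not the fix: the parameterized form is safe because the statement and the data travel to the engine separately, not because any character was filtered.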

Instructor:

Carl (Chen Qing), GrapeCity senior architect, security expert and GrapeCity technical open class lecturer. With 15 years of development project experience, he focuses on product architecture and programming technology, has unique insight into network security, has served as a lecturer at Microsoft TechEd, and enjoys studying and sharing a wide range of cutting-edge technologies.

Please click the link to register and watch the live stream: http://live.vhall.com/137416596

Missed the live session? No problem: we will keep all the live content on the GrapeCity open class page so you can watch and learn whenever you like. We will also turn Carl's material into articles published in the community, so stay tuned.

"Empowering developers": in addition to giving all developers free development tips and project practice experience, GrapeCity also offers many high-standard, high-quality development tools and developer solutions that can effectively help developers improve efficiency, shorten project cycles, and focus more on business logic so as to deliver high-quality projects smoothly. You are welcome to learn more.


Source: www.cnblogs.com/powertoolsteam/p/11083923.html