Strategies for Web Application Security at Scale (Jeremiah Grossman Presentation at Hacker Halted)

Henry Dalziel | Information Security Conferences, Latest InfoSec News | November 3, 2012

As mentioned a few days ago, we were at Hacker Halted in Miami and thoroughly enjoyed it. We heard a lot of very talented and brilliant speakers present; here is a list.

One talk we thought worth sharing was given by Jeremiah Grossman, titled "Strategies for Web Application Security at Scale". Jeremiah likely needs no introduction since he is very well known in the community. Before writing this post I checked out Jeremiah's security blog, and the following excerpt from one of his previous talks caught my eye. It reads:

“Every day, every day the life-blood of our nation, the fuel of our economic prosperity, is being sucked away, invisibly and without our knowledge. Every day, our country’s innovation is being stolen, our national security jeopardized, and your most personal information is being robbed – by computer hackers – malicious hackers. Hackers, who are located both domestically and abroad, are getting away with data by the terabyte daily and are profiting in the billions annually.”

“And do you know why?”

“Because hacking is easy. Because hacking works.”

More accurate and honest words were never spoken, and they hold now more than ever.

Anyway, back to the presentation: Jeremiah kicked off by giving us all a low-down on what WhiteHat Security is (that's the company he founded) and noting that he is something of an old hand in the profession, having worked at Yahoo! during the Mafiaboy days back in 2000.

One initial point he made was that as "hacking" becomes more prevalent, so does the relentless release of new and innovative code, meaning that more code is being shipped than can possibly be tested.

He then went on to dish out some stats, the most notable being that, according to his research, eight out of ten websites are vulnerable to attack, meaning an attacker could exploit them and steal data.

He made a good point: “Everybody has something to steal” – that is very true.

His research confirms that SQL injection remains a common form of attack and, by his figures, was used in 83% of all reported hacks from 2005 to 2011.

The retail sector remains the most vulnerable to data intrusion, whilst the banking sector scores relatively low, perhaps because of government regulation.

Aside from injection attacks, the other common web vulnerability is cross-site scripting (XSS), representing some 55% of all attacks from 2005 to 2011. XSS will remain a massive concern because the attack allows the attacker to, amongst other things, spoof content and mount brute-force attacks. However, in summary, SQL injection causes "the most pain."
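Since SQL injection is singled out as causing "the most pain", here is a small added example (our own code, not from Jeremiah's talk or WhiteHat's tooling) of why it works and how it is stopped. It uses an in-memory SQLite table with constructed sample users, a login lookup built by string formatting, and the same lookup with bound parameters; the classic tautology payload logs in as the first user against the former and fails against the latter.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the talk): a tiny in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by string formatting. Attacker-controlled input becomes
    part of the statement text, so a stray quote changes the query's logic."""
    query = (
        "SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()


def login_parameterized(conn, username, password):
    """Same lookup with bound parameters. The driver keeps the values separate
    from the statement text, so they are only ever compared as data."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def demo():
    """Runs an honest login and an injection attempt against both versions."""
    conn = make_db()
    # Tautology payload: closes the string literal, adds an always-true
    # clause, and comments out the rest of the WHERE (the password check).
    payload = "' OR '1'='1' -- "
    return {
        "honest_vulnerable": login_vulnerable(conn, "bob", "hunter2"),
        "attack_vulnerable": login_vulnerable(conn, payload, "anything"),
        "honest_parameterized": login_parameterized(conn, "bob", "hunter2"),
        "attack_parameterized": login_parameterized(conn, payload, "anything"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name}: {row}")
```

The parameterized version returns the right row for a genuine login and nothing at all for the payload, because the whole string `' OR '1'='1' -- ` is compared against the username column rather than parsed as SQL. The same rule applies to any database driver: never splice untrusted input into statement text.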

Hardly surprisingly, Jeremiah spoke about the importance of InfoSec training and certifications; qualifications like becoming a CISSP, getting Security+ certified or becoming a Certified Ethical Hacker all certainly help. Interestingly, he mentioned that his team uses gamification to learn information security practices and the latest skills. The topics included elevation of privilege (EoP) and how to prevent spoofing, tampering and similar threats (the threat categories of the STRIDE model).

He also said that his team organizes a "capture the flag" contest. He introduced a peer-pressure notice board system whereby everyone on his team can see each other's performance, something he recommends all penetration testing organizations adopt. He also recommends watching the OWASP tutorials on YouTube.

He concluded the information security training section of his talk by saying what we all know: that there is a shortage of qualified security people. If you are interested in that subject, check out Winn's talk here, titled "Solving the Cyber Security Hiring Crisis: DHS and the Great Talent Search", which is available as a video for you to watch.
