Presented at ToorCon San Diego 13 (2011)
Oct. 9, 2011, 5 p.m.
A compromised website can result in bad public relations, media glare and loss of consumer confidence. Internally accessible HR portals contain sensitive personally identifiable information (PII) such as social security numbers, identification data, salaries and other information that could help identify employees or allow a rogue employee or contractor to steal corporate secrets. Because of the increasing threat posed by web applications, regulators and governments have intervened to provide guidelines and compliance standards. It has become more important than ever for companies to have a robust web application penetration testing (WAPT) process, guidelines and methodology in order to protect themselves from cybercrime and to meet compliance requirements. These requirements are often industry specific. For instance, applications that store, process or transmit credit cards need to comply with the Payment Card Industry Data Security Standard (PCI DSS) [1]. Financial companies need to comply with the Gramm-Leach-Bliley Act (GLBA) [2], while the health care industry must worry about Health Insurance Portability and Accountability Act (HIPAA) [3] compliance. Many of these regulations are complex and go beyond individual web applications. It is nevertheless vital to gain a good understanding of the requirements as they pertain to your application portfolio.
Organizations deploy business-critical web applications ranging from externally facing corporate websites and customer portals to internally facing Human Resources (HR) portals. The externally facing websites may not only process sensitive information such as credit card data but also serve as the home of the organization on the Internet. With technologies such as AJAX, web applications are becoming even richer and more pervasive. Many thick-client applications have been replaced by web applications, and many computing functions now happen over the web. There is also a trend towards Web Services using technologies such as Windows Communication Framework (WCF), and HTML5 brings its own rich functionality. Company websites represent the brand name and the consumer confidence associated with it.
Based out of the New York office, Narainder is a Senior Security Consultant at Foundstone, where he specializes in software security such as web applications, code reviews and network penetration tests across all major industries.