Security webinar: Harden the heart of your WordPress sites
TRANSCRIPT
#wpewebinar
We’ll answer as many questions as we can after the presentation
ASK QUESTIONS AS WE GO
Slides and recording will be made available shortly after the webinar
Use the “Questions” pane throughout the webinar
AGENDA
WHAT YOU’LL LEARN:
● What is OWASP?
● What are the OWASP Top Ten?
● How each might affect your website
● How to mitigate risks for each vulnerability
● Q&A
Justin Dailey, Security Engineer, WP Engine
● Background in HW and digital electronics
● Sports enthusiast
● Loves all things outdoors
Will West, Security Architect, WP Engine
● Made a gatling gun with sonar sensor
● 6’8” Tall
● Does not play basketball
OWASP Top 10 (2013)
A1 Injection
A2 Weak authentication and session management
A3 Cross Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross Site Request Forgery
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
Poll: Are you currently doing anything to secure your website against these Top 10 threats?
A1 Injection
Description
• Different types: SQL, LDAP, ORM, XML, XPath, code injection, command injection, buffer overflows
• Execution of unintended commands
• Unauthorized data access
Protections
• Enforce input type and length
• Ensure special characters are escaped for the interpreter the data is handed to
• Validate all input fields against an input validation whitelist
• Avoid dynamic queries or commands; use parameterised queries or prepared statements so user data can only ever be data
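The protections above, as an added example that is not part of the webinar: the same user lookup written as a dynamic query and as a parameterised query, run against an in-memory SQLite table filled with constructed rows. The table layout, the sample rows and the `findUser*` function names are assumptions made for this example. In WordPress the prepared-statement step is `$wpdb->prepare()`.

```php
<?php
// Added example (not from the webinar): dynamic SQL beside a prepared
// statement, against an in-memory SQLite table built from constructed rows.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, role TEXT)');
$db->exec("INSERT INTO users (login, role) VALUES ('alice', 'subscriber'), ('admin', 'administrator')");

// Vulnerable: the caller's string is spliced into the SQL text, so a value
// such as  x' OR '1'='1  turns a lookup of one login into a dump of every row.
function findUserVulnerable(PDO $db, string $login): array {
    $sql = "SELECT login, role FROM users WHERE login = '$login'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: enforce type, character set and length first (positive
// validation), then bind the value as a parameter so the SQL parser never
// sees it as part of the query. Either layer alone would stop this payload;
// the page recommends both.
function findUserSafe(PDO $db, string $login): array {
    if (!preg_match('/^[a-z0-9_.-]{1,60}$/i', $login)) {
        throw new InvalidArgumentException('login must be 1-60 chars of [A-Za-z0-9_.-]');
    }
    $stmt = $db->prepare('SELECT login, role FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$payload = "x' OR '1'='1";   // constructed attacker input

echo count(findUserVulnerable($db, $payload)), " row(s) from the dynamic query\n";

try {
    findUserSafe($db, $payload);
} catch (InvalidArgumentException $e) {
    echo "rejected by validation: {$e->getMessage()}\n";
}

// Even with the validation step removed, the bound parameter is matched
// literally against the login column and finds nothing.
$stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE login = ?');
$stmt->execute([$payload]);
echo $stmt->fetchColumn(), " row(s) with a bound parameter\n";
```

The dynamic query returns both users because `'1'='1'` is always true; the validated and parameterised versions return nothing for the same input. The same pattern applies to the other interpreters listed (LDAP, XPath, shell): hand the data to an API that keeps it separate from the command, rather than building the command as a string.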
A2 Weak authentication and session management
Description
• Attacks take advantage of improper authentication or session management practices
• Leads to access to sensitive information such as passwords, keys, or tokens
• Execution of privileged application functions
Protections
• Follow standard and recommended practices for user management and authentication: a dedicated password hashing algorithm, the same error message for unknown users and wrong passwords, limits on login attempts
• Perform user and role validation on all actions
• Set the Secure and HttpOnly flags on session cookies, and issue a fresh session ID on login
• Always use CSRF tokens with forms
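A minimal login step that applies the protections above, as an added example that is not part of the webinar: verify a bcrypt password hash, refuse unknown users and wrong passwords with the same response, mint a fresh random session ID, and emit a session cookie with the Secure, HttpOnly and SameSite flags. The user record, the cookie name `sid` and the function names are assumptions for the example; the script runs from the command line and prints the header it would send. WordPress provides `wp_hash_password()` and `wp_check_password()` for the hashing step.

```php
<?php
// Added example (not from the webinar): password verification, session ID
// rotation and secure cookie flags, with a constructed user record.
declare(strict_types=1);

// password_hash() uses bcrypt with a random per-user salt; only the hash
// is stored, never the password. The user record here is constructed.
$users = [
    'alice' => ['hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)],
];

// Returns a new opaque session ID on success, or null on failure. The
// failure path is the same for an unknown login and a wrong password, so
// the response does not reveal which usernames exist; a syntactically valid
// dummy hash is verified for unknown users so the timing is similar too.
function login(array $users, string $login, string $password): ?string {
    $hash = $users[$login]['hash'] ?? '$2y$10$' . str_repeat('x', 53);
    $ok = password_verify($password, $hash) && isset($users[$login]);
    if (!$ok) {
        return null;
    }
    // A brand-new ID on every login defeats session fixation. 32 bytes from
    // the CSPRNG; never derive the ID from the user name, time or counter.
    return bin2hex(random_bytes(32));
}

// Secure: sent only over HTTPS.  HttpOnly: not readable by script, so an XSS
// bug cannot simply read the cookie.  SameSite=Strict: not attached to
// cross-site requests, which blunts CSRF.  Max-Age bounds how long a stolen
// ID stays useful.
function sessionCookieHeader(string $sessionId, int $maxAgeSeconds = 1800): string {
    return sprintf(
        'Set-Cookie: sid=%s; Path=/; Max-Age=%d; Secure; HttpOnly; SameSite=Strict',
        $sessionId,
        $maxAgeSeconds
    );
}

$attempts = [
    ['alice',   'correct horse battery staple'],
    ['alice',   'wrong password'],
    ['mallory', 'anything'],              // unknown user, same answer as above
];
foreach ($attempts as [$user, $password]) {
    $sid = login($users, $user, $password);
    echo str_pad($user, 8), ' ', $sid === null ? 'login failed' : sessionCookieHeader($sid), "\n";
}
```

In a real handler the header goes out with `header()` (or `session_set_cookie_params()` with the same flags before `session_start()`, followed by `session_regenerate_id(true)` after a successful login); the flags are the point, not the transport.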
A3 Cross Site Scripting (XSS)
Description
• An application places data from untrusted sources into site content without performing proper validation and/or escaping
• Allows client side script execution in the victim's browser
• Can lead to compromised credentials and sessions, site defacement, and redirection to malicious sites
Protections
• Positive input validation using the correct character set
• Sanitize input
• Output-encode all user-supplied data when rendering, using the encoding that matches the context it lands in (HTML body, attribute, JavaScript, URL)
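The output-encoding rule above, as an added example that is not part of the webinar: a constructed comment is rendered raw and then rendered through one encoder per output context. The `esc*` helpers and the sample strings are assumptions for the example; WordPress ships the equivalents `esc_html()`, `esc_attr()`, `esc_js()` and `esc_url()`.

```php
<?php
// Added example (not from the webinar): context-specific output encoding.
declare(strict_types=1);

// Constructed attacker input. The first closes an attribute and plants an
// event handler; the second is a plain script tag.
$comment = '" onmouseover="alert(document.cookie)" x="';
$name    = '<script>alert(1)</script>';

// HTML body and attribute context: ENT_QUOTES encodes both quote characters
// (attributes may be single- or double-quoted), ENT_SUBSTITUTE keeps invalid
// UTF-8 from silently emptying the output, and the charset is explicit.
function escHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string context: json_encode produces a quoted JS string, and the
// HEX flags encode < > & ' " so the value can neither end the string nor
// close the surrounding <script> element.
function escJs(string $s): string {
    $out = json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return $out === false ? '""' : $out;
}

// URL query context: percent-encode the value. Whole user-supplied URLs are
// additionally checked for an http(s) scheme, so javascript: links are refused.
function escUrlParam(string $s): string {
    return rawurlencode($s);
}
function safeHref(string $url): ?string {
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Vulnerable rendering: untrusted data dropped straight into the markup.
$vulnerable = "<div title=\"$comment\">$name</div>";

// Hardened rendering: each value encoded for the context it is placed in.
$hardened = '<div title="' . escHtml($comment) . '">' . escHtml($name) . '</div>'
    . "\n" . '<script>var author = ' . escJs($name) . ';</script>'
    . "\n" . '<a href="/search?q=' . escUrlParam($comment) . '">search</a>';

echo "vulnerable:\n", $vulnerable, "\n\nhardened:\n", $hardened, "\n\n";
var_dump(safeHref('javascript:alert(1)'));
var_dump(safeHref('https://example.com/'));
```

Note that one encoder does not fit all contexts: `htmlspecialchars()` output placed inside a `<script>` string is still exploitable, which is why the JavaScript and URL cases get their own functions.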
A4 Insecure Direct Object References
Description
• A reference to an internal object such as a file, directory, or database key is exposed to the user
• Leads to unauthorized data access, directly or by manipulating the reference
Protections
• Ensure access control checks are performed whenever a direct object reference is used
• Use indirect reference maps (per user or per session) instead of exposing direct references such as database IDs
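Both protections above, as an added example that is not part of the webinar: an invoice download that trusts the ID in the request, the same download with an ownership check, and a per-session indirect reference map so the user never handles a database key at all. The invoice records, user names and function names are assumptions for the example; a plain array stands in for `$_SESSION` so the script runs from the command line.

```php
<?php
// Added example (not from the webinar): direct reference, access check,
// and indirect reference map, over constructed invoice records.
declare(strict_types=1);

$invoices = [
    101 => ['owner' => 'alice', 'file' => 'inv-101.pdf'],
    102 => ['owner' => 'bob',   'file' => 'inv-102.pdf'],
];

// Vulnerable: whatever ID arrives in ?id= is served. bob requests 101 and
// gets alice's invoice; IDs are sequential so enumeration is trivial.
function downloadVulnerable(array $invoices, int $id): ?string {
    return $invoices[$id]['file'] ?? null;
}

// Step 1: check the reference against the authenticated user every time it
// is used. "Not found" and "not yours" get the same answer so the check does
// not leak which IDs exist.
function downloadChecked(array $invoices, string $user, int $id): ?string {
    $inv = $invoices[$id] ?? null;
    if ($inv === null || $inv['owner'] !== $user) {
        return null;
    }
    return $inv['file'];
}

// Step 2: an indirect reference map. When the user's page is built, each of
// their objects is given a random token; the token, not the ID, goes into the
// links. Tokens are resolved server side from the session, so there is no
// ID to tamper with and nothing to enumerate. The ownership check from step 1
// still runs, in case the session map is ever stale.
function buildReferenceMap(array $invoices, string $user, array &$session): array {
    $session['ref_map'] = [];
    foreach ($invoices as $id => $inv) {
        if ($inv['owner'] === $user) {
            $session['ref_map'][bin2hex(random_bytes(16))] = $id;
        }
    }
    return array_keys($session['ref_map']);
}
function downloadByReference(array $invoices, string $user, array $session, string $ref): ?string {
    $id = $session['ref_map'][$ref] ?? null;
    return $id === null ? null : downloadChecked($invoices, $user, $id);
}

$session = [];
echo "direct, no check, bob asks for 101:   ";  var_dump(downloadVulnerable($invoices, 101));
echo "direct, with check, bob asks for 101: ";  var_dump(downloadChecked($invoices, 'bob', 101));
$refs = buildReferenceMap($invoices, 'bob', $session);
echo "bob's own token:                      ";  var_dump(downloadByReference($invoices, 'bob', $session, $refs[0]));
echo "guessed token:                        ";  var_dump(downloadByReference($invoices, 'bob', $session, 'not-a-real-token'));
```

The reference map is the stronger of the two because it removes the attack surface rather than guarding it, but it is not a substitute for the access check: the check is what protects every other code path that still takes an ID.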
A5 Security Misconfiguration
Description
• Insecure server or application configurations that allow unintended access to data or application functions
• Can be a result of naive configurations, default configurations, or outdated software
Protections
• A repeatable and testable hardening process applied consistently across development, QA, and production
• Regular update and patching processes
• Periodic scans and audits
A6 Sensitive Data Exposure
Description
• Improper protection and/or encryption of sensitive data such as personally identifiable information, payment details, and credentials
• Exposure can occur at rest or in transit
• Can lead to fraud, PR nightmares, and further exploitation
Protections
• Encrypt all sensitive data at rest and in transit (TLS for everything in transit)
• Don't store sensitive data you don't need; what you don't store can't be stolen
• Use standard and modern cryptography, and a dedicated password hashing algorithm (bcrypt or similar) for credentials, which must be hashed rather than encrypted
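The "encrypt at rest with modern cryptography" protection above, as an added example that is not part of the webinar: a recoverable secret (a third-party API key) sealed with libsodium's authenticated encryption, then opened again, and opened after one byte of the stored blob has been altered. The key generation, the sample secret and the function names are assumptions for the example; PHP 7.2 and later bundle the `sodium_*` functions.

```php
<?php
// Added example (not from the webinar): authenticated encryption at rest
// with libsodium (XSalsa20-Poly1305 via sodium_crypto_secretbox).
declare(strict_types=1);

// The data-encryption key must live outside the database and outside the
// web root (environment variable, secrets manager, or a file readable only
// by the web server, which for WordPress is the role wp-config.php plays).
// It is generated here only so the script runs stand-alone.
$key = sodium_crypto_secretbox_keygen();   // 32 random bytes

// Encrypt-then-store. A fresh random nonce per message is mandatory for this
// construction; the nonce is not secret and is stored in front of the box.
function sealSecret(string $plaintext, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $box);
}

// Returns the plaintext, or null if the blob is malformed or has been
// modified: the Poly1305 tag covers the whole ciphertext, so any change is
// detected before a single byte of plaintext is released.
function openSecret(string $stored, string $key): ?string {
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;
}

$stored = sealSecret('sk_live_constructed_example_key', $key);   // constructed secret
echo "stored blob:      $stored\n";
echo "opened:           "; var_dump(openSecret($stored, $key));

// Alter one character of the stored blob (still valid base64) and try again.
$tampered = $stored;
$tampered[10] = $tampered[10] === 'A' ? 'B' : 'A';
echo "opened, tampered: "; var_dump(openSecret($tampered, $key));

// A different key cannot open it either.
echo "opened, wrong key:"; var_dump(openSecret($stored, sodium_crypto_secretbox_keygen()));
```

Two things the page's bullet implies and the code makes concrete: the algorithm is a vetted authenticated mode (not a home-grown cipher and not unauthenticated CBC), and the key is separate from the data. Passwords are the one kind of credential that should not go through this function at all; they are hashed with `password_hash()` so that nobody, including the site, can recover them.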
A7 Missing Function Level Access Control
Description
• Authorization is enforced in the front end (UI), for example by hiding links and buttons, but not on the application functions themselves
• Verification must be performed on all functions at all levels
• Allows unauthorized access to functions and data by anyone who requests the URL directly
Protections
• Perform authorization checks server side on every function; client-side checks are for usability only and are not security
• Use explicit grants, deny by default
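The "explicit grants, deny by default" protection above, as an added example that is not part of the webinar: a request dispatcher that will not invoke any handler until the caller's role has been found in a grant table for that handler's required capability. The roles, capabilities, routes and handler names are assumptions for the example (the role and capability names echo WordPress conventions, where the equivalent check is `current_user_can()`).

```php
<?php
// Added example (not from the webinar): function-level access control with
// an explicit grant table and deny-by-default dispatch.
declare(strict_types=1);

// Explicit grants. A role that is missing, or a capability that is not listed
// for a role, is denied; there is no "allow" fallback anywhere below.
const GRANTS = [
    'administrator' => ['read_post', 'edit_post', 'delete_post', 'manage_users'],
    'editor'        => ['read_post', 'edit_post', 'delete_post'],
    'subscriber'    => ['read_post'],
];

// Every reachable function is registered together with the capability it
// requires, so a handler cannot exist without a declared check. Adding a
// route without a 'cap' is a code review failure, not a runtime surprise.
const ROUTES = [
    'view'       => ['cap' => 'read_post',    'fn' => 'handleView'],
    'edit'       => ['cap' => 'edit_post',    'fn' => 'handleEdit'],
    'delete'     => ['cap' => 'delete_post',  'fn' => 'handleDelete'],
    'list-users' => ['cap' => 'manage_users', 'fn' => 'handleListUsers'],
];

function userCan(string $role, string $cap): bool {
    return in_array($cap, GRANTS[$role] ?? [], true);
}

function handleView(): string      { return 'post contents'; }
function handleEdit(): string      { return 'post saved'; }
function handleDelete(): string    { return 'post deleted'; }
function handleListUsers(): string { return 'user list'; }

// The check runs here, server side, on every request. Whether the UI showed
// the link is irrelevant; a hand-typed URL hits the same gate. Unknown
// actions and missing capabilities get the same 403.
function dispatch(string $role, string $action): array {
    $route = ROUTES[$action] ?? null;
    if ($route === null || !userCan($role, $route['cap'])) {
        return ['status' => 403, 'body' => 'forbidden'];
    }
    return ['status' => 200, 'body' => ($route['fn'])()];
}

$requests = [
    ['subscriber',    'view'],
    ['subscriber',    'delete'],      // link hidden in the UI; still denied here
    ['editor',        'delete'],
    ['editor',        'list-users'],
    ['administrator', 'list-users'],
    ['guest',         'view'],        // role not in GRANTS at all
    ['administrator', 'export-db'],   // route does not exist
];
foreach ($requests as [$role, $action]) {
    $r = dispatch($role, $action);
    printf("%-14s %-11s -> %d %s\n", $role, $action, $r['status'], $r['body']);
}
```

The shape matters more than the data: the grant table is the single place authorization is defined, and the dispatcher is the single place it is enforced, so a new function cannot be added without going through both.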
A8 Cross Site Request Forgery
Description
• An attack forcing a logged-in victim's browser to send a forged HTTP request, to which the browser automatically attaches the victim's session cookie
• Requests target vulnerable sites that do not perform proper request validation
Protections
• Include an unpredictable CSRF token in each state-changing HTTP request and verify it server side
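The token protection above, as an added example that is not part of the webinar: a per-session CSRF token is issued, embedded as a hidden form field, and checked in constant time before a destructive action runs. The `_csrf` field name, the `deleteAccount` action and the session stand-in are assumptions for the example; WordPress implements the same idea with `wp_nonce_field()` and `check_admin_referer()` / `wp_verify_nonce()`.

```php
<?php
// Added example (not from the webinar): issue, embed and verify a CSRF token.
declare(strict_types=1);

// A plain array stands in for $_SESSION so the script runs from the CLI.
$session = [];

// One random token per session, minted on first use. The attacker's page
// cannot read it (same-origin policy), so a forged request cannot carry it.
function csrfToken(array &$session): string {
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// The hidden field every state-changing form carries.
function csrfField(array &$session): string {
    return '<input type="hidden" name="_csrf" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

// hash_equals() compares in constant time, so response timing cannot be used
// to recover the token byte by byte. A missing or non-string field fails
// exactly like a wrong one.
function csrfValid(array $session, array $post): bool {
    $expected = $session['csrf'] ?? '';
    $given    = $post['_csrf'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// The action itself: the token is checked before any state changes.
function deleteAccount(array $session, array $post): string {
    if (!csrfValid($session, $post)) {
        return '403 forbidden: bad or missing CSRF token';
    }
    return '200 account deleted';
}

echo "form field: ", csrfField($session), "\n";

// Legitimate submission: the browser posts back the field from our own form.
echo "own form:     ", deleteAccount($session, ['_csrf' => csrfToken($session)]), "\n";

// Forged submissions from another origin: the field is absent or guessed,
// even though the victim's session cookie rode along with the request.
echo "no token:     ", deleteAccount($session, []), "\n";
echo "guessed:      ", deleteAccount($session, ['_csrf' => str_repeat('0', 64)]), "\n";
```

Two details that are easy to get wrong: the token must be checked on every state-changing request, not just the ones with a visible form, and GET requests must never change state, because a token cannot protect a URL that an `<img>` tag can fetch.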
A9 Using Components with Known Vulnerabilities
Description
• Known vulnerabilities in the libraries and frameworks an application uses (for WordPress: core, plugins, and themes) can be exploited using readily available tools
• Can allow attackers to bypass security measures through exploitation
Protections
• Maintain an inventory of the components and versions utilized by your application
• Monitor the security of these components via public notifications such as vulnerability mailing lists
• Establish and follow policies dictating what software components are acceptable to use, and remove what is no longer used
A10 Unvalidated Redirects and Forwards
Description
• Use of redirects and forwards where untrusted data determines the destination page
• Redirection can be exploited to send users to malicious sites performing phishing or malware distribution, under the cover of a link that starts with a trusted domain
Protections
• Avoid redirects and forwards if possible
• If they are used, do not let request parameters determine the destination; where a parameter is unavoidable, validate it against an allowlist of local paths or trusted hosts and fall back to a fixed page otherwise
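The allowlist protection above, as an added example that is not part of the webinar: a post-login "return to" parameter that is passed through unchecked, beside a validator that accepts only a site-relative path or an https URL on an explicit list of hosts, tried against the common bypasses. The host list, the `next` parameter and the function names are assumptions for the example; WordPress's `wp_safe_redirect()` with the `allowed_redirect_hosts` filter performs the same host check.

```php
<?php
// Added example (not from the webinar): open redirect beside an
// allowlist-validated redirect target.
declare(strict_types=1);

const ALLOWED_HOSTS = ['example.com', 'shop.example.com'];   // assumed site hosts

// Vulnerable: ?next=https://evil.example/ sends the user off-site from a link
// whose visible start is our own domain.
function redirectTargetVulnerable(string $next): string {
    return $next;
}

// Hardened: returns a Location value that is safe to emit, or the fallback.
function redirectTargetSafe(?string $next, string $fallback = '/'): string {
    if ($next === null || $next === '') {
        return $fallback;
    }
    // Control characters would let the value inject extra response headers.
    if (preg_match('/[\x00-\x1f\x7f]/', $next)) {
        return $fallback;
    }
    // Site-relative path: exactly one leading "/". "//host/" is a
    // scheme-relative URL and "/\host" is treated the same way by browsers.
    if ($next[0] === '/' && ($next[1] ?? '') !== '/' && ($next[1] ?? '') !== '\\') {
        return $next;
    }
    // Anything else must be an absolute https URL on an allowlisted host.
    $parts = parse_url($next);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;                    // javascript:, data:, bare words
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return $fallback;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;                    // https://example.com@evil.example/
    }
    // Exact host match: "example.com.evil.example" and "evilexample.com" are
    // not on the list, and a prefix or substring check would accept them.
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return $fallback;
    }
    return $next;
}

$candidates = [
    '/account',
    '//evil.example/',
    '/\\evil.example/',
    'https://evil.example/login',
    'https://example.com.evil.example/',
    'https://shop.example.com/cart',
    'https://example.com@evil.example/',
    "/ok\r\nSet-Cookie: x=1",
    'javascript:alert(1)',
    null,
];
foreach ($candidates as $next) {
    printf("%-42s -> %s\n", var_export($next, true), redirectTargetSafe($next));
}
```

Only `/account` and `https://shop.example.com/cart` survive; everything else falls back to `/`. The exact-match host comparison is the part worth copying: most open-redirect bypasses in the wild are prefix or substring checks that accept a host which merely contains the trusted name.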
QUESTIONS AND ANSWERS
Slides and recording will be made available shortly after the webinar
8 KEY SECURITY QUESTIONS YOUR HOSTING COMPANY SHOULD BE ABLE TO ANSWER
RESOURCES
OWASP TOP 10 2013 PROJECT
OWASP VULNERABLE WEB APPLICATIONS DIRECTORY PROJECT
LIVE INTERVIEW WITH DAVID ENDLER OF MANIFEST ON WEB SECURITY
15 WAYS TO HARDEN THE SECURITY OF YOUR WORDPRESS SITE
RECORDED WEBINAR: TODAY’S WEBSITE SECURITY THREAT LANDSCAPE (FEATURING TONY PEREZ, SUCURI)
NEXT UP...
Register now: http://wpeng.in/ email
Wednesday, Feb 22, 11:00 a.m. CST, 12:00 p.m. EST, 9:00 a.m. PST, 5:00 p.m. UTC/GMT