1
00:00:00,840 --> 00:00:02,370
Issues of Web security.

2
00:00:03,730 --> 00:00:06,650
So I'll tell you, applications run the world, right?

3
00:00:07,150 --> 00:00:13,750
They are at the center of the information technology system, from where we sit in the network at least.

4
00:00:15,090 --> 00:00:22,440
Today, the World Wide Web is almost unrecognizable when you compare it with its earlier concept form.

5
00:00:23,570 --> 00:00:29,660
So I don't have the intention to tell you about the history of the Internet and the Web and all that,

6
00:00:30,140 --> 00:00:36,500
but I do want to tell you, in the last decade, we have seen how Web design moved away from simple Web

7
00:00:36,500 --> 00:00:40,340
sites to interactive Web applications.

8
00:00:41,690 --> 00:00:48,650
So not only are there, you know, design elements, but the technology stack behind the Web and the

9
00:00:48,650 --> 00:00:51,980
Web applications will have improved dramatically.

10
00:00:53,380 --> 00:01:00,970
So when you look into your pockets or onto your screens, you're going to see the result, that this improvement

11
00:01:00,970 --> 00:01:02,170
is pretty obvious.

12
00:01:03,700 --> 00:01:08,410
So think of your everyday life: you use, I don't know, how many apps during the day.

13
00:01:09,640 --> 00:01:16,600
I don't mean only Web apps either, but the biggest portion of your time belongs to apps, from social

14
00:01:16,600 --> 00:01:18,720
media to business applications.

15
00:01:19,180 --> 00:01:24,340
Almost every organization has a Web application and does business online.

16
00:01:25,150 --> 00:01:30,030
So in other words, we see a wide range of applications being delivered every day.

17
00:01:30,550 --> 00:01:34,990
Even my little cousin started his own personal Web application just a few days ago.

18
00:01:35,740 --> 00:01:39,060
Of course, it must be great having me as an uncle, but that's beside the point.
19
00:01:40,960 --> 00:01:47,260
So Web applications are everywhere across public and private networks, right? You get the point.

20
00:01:48,700 --> 00:01:55,300
They bring us many services, such as financial transactions, searching, shopping and a host of others.

21
00:01:56,990 --> 00:02:03,050
They have the capability to register and authenticate us, so you see where I'm going with this.

22
00:02:04,010 --> 00:02:09,650
The content is generated dynamically and it's mostly specific to users.

23
00:02:10,860 --> 00:02:17,790
Even today, Web applications can reach your geolocation information to send you notifications.

24
00:02:18,980 --> 00:02:25,580
I know you know this already, but what I mean is that much of the information that they process is

25
00:02:26,000 --> 00:02:29,360
highly sensitive and actually private.

26
00:02:30,950 --> 00:02:35,210
So that's why this makes security a big issue.

27
00:02:36,650 --> 00:02:42,290
If an attacker can compromise a Web application, then they may be able to steal personal information

28
00:02:42,290 --> 00:02:47,270
and carry out financial fraud and perform malicious actions against other users.

29
00:02:48,340 --> 00:02:56,350
So these data breaches make me think that there might be a clue in how the Web applications have actually

30
00:02:56,350 --> 00:02:59,290
become a precious source for hacking.

31
00:03:01,240 --> 00:03:03,490
So there are many resources on the web, right,

32
00:03:03,490 --> 00:03:06,010
to search for data breaches and hacking news.

33
00:03:07,450 --> 00:03:15,070
What I do is I'm going to use Have I Been Pwned dot com to show you how versatile data breaches are.

34
00:03:16,100 --> 00:03:21,770
So here there's a list of hacked organizations and companies, and if you scroll down, you're going

35
00:03:21,770 --> 00:03:24,860
to see the list is not very short at all.

36
00:03:26,520 --> 00:03:29,730
And this is only a portion of what we already know.
37
00:03:31,060 --> 00:03:37,990
You can get some quick info about the breaches on this list here, see, and there are links to public

38
00:03:37,990 --> 00:03:38,680
announcements.

39
00:03:39,750 --> 00:03:44,550
So let me click on here to see if it fit data breach announcement.

40
00:03:45,920 --> 00:03:51,650
And it's a notice about the breach and it tells us how it happened and how to protect the users from

41
00:03:51,770 --> 00:03:52,760
the consequences.

42
00:03:53,570 --> 00:03:55,130
OK, so let's return to the list.

43
00:03:56,230 --> 00:04:00,100
As you can see, it goes on and on and it goes way down below.

44
00:04:02,140 --> 00:04:10,660
OK, so another option, if you want to see some fancy graphics and animation, then you can visit Information

45
00:04:10,660 --> 00:04:12,070
Is Beautiful dot net.

46
00:04:13,150 --> 00:04:16,270
And this Web site visualises the information.

47
00:04:18,030 --> 00:04:25,890
So just by glancing over some of this, right, we can observe how serious the amount of breaches is,

48
00:04:25,890 --> 00:04:26,090
right.

49
00:04:26,130 --> 00:04:29,030
These are only the ones that have been reported and we know about.

50
00:04:29,820 --> 00:04:35,820
So, again, by clicking on any of the circles, you can get the notice or the news about the breach.

51
00:04:37,790 --> 00:04:43,520
And as you can see, Web applications make an attractive option for attackers.

52
00:04:45,660 --> 00:04:49,080
It only requires a Web browser to interact with a Web application.

53
00:04:50,020 --> 00:04:55,780
Now, comparing it to the skills required to attack operating system based vulnerabilities, hacking

54
00:04:55,780 --> 00:04:58,390
Web applications, it's pretty easy to start with.

55
00:05:00,540 --> 00:05:01,800
And what about statistics?
56
00:05:02,800 --> 00:05:08,710
So I know you hear lots and lots of statistics, and you actually need statistics to reinforce your knowledge

57
00:05:08,710 --> 00:05:15,130
when you learn about a topic, and for an instructor, you've got to stick in some really good statistics.

58
00:05:15,130 --> 00:05:18,100
Otherwise, the instructor must not know what he's talking about.

59
00:05:18,100 --> 00:05:18,390
Right.

60
00:05:19,400 --> 00:05:24,170
OK, so that means I want to share with you some numbers about application security.

61
00:05:25,300 --> 00:05:30,670
So these numbers will give you a pretty good idea, but I'm not real confident about these numbers because

62
00:05:30,670 --> 00:05:34,240
I don't have much of an opportunity to test their validity.

63
00:05:35,080 --> 00:05:38,140
Can't believe everything you read, right? Critical thinking.

64
00:05:38,350 --> 00:05:39,070
I advise it.

65
00:05:40,280 --> 00:05:46,730
Anyway, so I read some reports from some reliable sources, and that's where I got these numbers,

66
00:05:47,090 --> 00:05:48,650
so they're pretty reliable.

67
00:05:49,980 --> 00:05:51,240
So let's have a look at the first one.

68
00:05:52,290 --> 00:05:53,530
Sixteen percent.

69
00:05:54,420 --> 00:06:00,840
So this is the percentage of IT decision makers whose organizations don't even conduct any penetration

70
00:06:00,840 --> 00:06:03,660
tests. I guess they don't even believe in security.

71
00:06:05,250 --> 00:06:07,590
So the second one is 70 percent.

72
00:06:08,250 --> 00:06:14,550
This is the percentage of organizations that will primarily do pen tests in order to test the effectiveness

73
00:06:14,580 --> 00:06:16,140
of their security controls.

74
00:06:16,560 --> 00:06:18,410
And that, my friends, is a good number.

75
00:06:19,020 --> 00:06:21,450
A third one, 84 percent.
76
00:06:22,530 --> 00:06:29,390
This is the percentage of organizations that use red and blue team security testing, good for them,

77
00:06:29,400 --> 00:06:30,270
highly effective.

78
00:06:31,170 --> 00:06:34,090
What about the fourth one, 16 percent?

79
00:06:34,950 --> 00:06:42,210
This is the percentage of security vulnerabilities in tested applications that are medium, high or critical

80
00:06:42,210 --> 00:06:42,780
risk.

81
00:06:43,770 --> 00:06:49,230
Therefore, the first point of data breaches starts with Web applications.

82
00:06:50,550 --> 00:06:55,120
And the last number, seven billion dollars.

83
00:06:55,980 --> 00:07:03,240
You're wondering what that is; that's the estimated size of the application security market by 2023.

84
00:07:04,850 --> 00:07:07,730
So this might give you an idea for a career, huh?

85
00:07:08,240 --> 00:07:08,590
Uh.

86
00:07:11,560 --> 00:07:13,810
So after this long introduction

87
00:07:14,820 --> 00:07:20,370
to the current situation in Web application security, some of you may confuse the words website, Web

88
00:07:20,370 --> 00:07:21,930
page, web application.

89
00:07:21,960 --> 00:07:22,920
That's understandable.

90
00:07:24,170 --> 00:07:27,110
And of course, there are differences between these terms.

91
00:07:28,290 --> 00:07:35,790
They're not completely the same, but they are related to each other, and it only matters if you do anything

92
00:07:35,790 --> 00:07:39,440
that's related to development at all.

93
00:07:40,450 --> 00:07:46,370
So the term Web site, it's what you display in the Web browser on a user's computer, right?

94
00:07:47,210 --> 00:07:49,040
And a website can have Web pages.

95
00:07:50,240 --> 00:07:52,790
A website can even consist of just one single page.

96
00:07:54,280 --> 00:08:00,700
And the term Web application, it's sometimes used instead of website.
97
00:08:02,660 --> 00:08:09,710
But today, with increasing mobility, this term is now used for the websites that are displayed in mobile

98
00:08:09,710 --> 00:08:13,490
browsers and they seem more like mobile applications.

99
00:08:14,670 --> 00:08:19,950
So using these terms in the right place is very important to a developer; it doesn't necessarily matter

100
00:08:19,950 --> 00:08:20,550
to a user.

101
00:08:21,890 --> 00:08:26,090
However, for a Web pen tester, I don't think that's going to cut it.

102
00:08:26,450 --> 00:08:26,900
Why?

103
00:08:27,500 --> 00:08:33,530
Because a Web pen tester deals with the basics, and this means that you can use both.

104
00:08:34,490 --> 00:08:40,500
Now, from the very first day that I started testing, I got used to saying Web application.

105
00:08:41,060 --> 00:08:43,250
So that's what you're going to hear a lot from me.

106
00:08:43,820 --> 00:08:45,870
But then again, you're here to learn from me.

107
00:08:46,400 --> 00:08:50,000
So this is the beginning of a very beautiful relationship.

108
00:08:50,570 --> 00:08:52,400
That was from Casablanca, by the way.