AppSecEU08 Trends in Web Hacking: What's hot in 2008

From OWASP
Latest revision as of 17:05, 31 July 2008

The presentation

The Web Hacking Incident Database (WHID) is a Web Application Security Consortium project dedicated to maintaining a list of security incidents related to web applications. The database classifies each reported attack by, among other criteria, the method used, the outcome of the attack, and the industry and country of the attacked organization. Based on the database, Breach Labs, which sponsors WHID, issues a periodic report on trends in web application security.

Together, the database and the report answer questions such as:

  • The drivers behind web hacking.
  • The technology hackers use.
  • The types of organizations attacked most often.
  • The common outcomes of the attacks.

The presentation will discuss WHID statistics, focusing on rising trends in web attacks in the first half of 2008. Because WHID enables research into the business model behind hacking, the presentation goes beyond the technical aspects of attacks, such as SQL injection crawlers and web site herding, to the business model common to all of them: economy of scale.

The speaker

Ofer Shezaf is Vice President of Product Management at Breach Security, Inc., where he is responsible for defining Breach Security's product road map and features. Prior to assuming this role, he led security research at the company. Shezaf combines broad experience in information security, with a focus on application security, with a background in entrepreneurship and venture capital.

Prior to joining Breach Security, Shezaf served as a technology expert for leading venture capital funds such as Pitango and Evergreen, and before that as a group manager and later a special advisor on national infrastructure protection for the Israeli government and intelligence forces.

A well-known application security expert, Shezaf is an officer of the Web Application Security Consortium (WASC), where he leads the Web Hacking Incidents Database project, and he leads the Israeli chapter of the Open Web Application Security Project (OWASP). Shezaf holds a bachelor's degree in computer engineering from the Technion and an MBA from Tel-Aviv University.