SQuAD: Application Security Testing
|
|
- Asher Woods
- 8 years ago
- Views:
Transcription
1 SQuAD: Application Security Testing Terry Morreale Ben Whaley June 8, 2010
2 Why talk about security? There has been exponential growth of networked digital systems in the past 15 years The great things about technology progress are also the things that make security harder: The ability to encapsulate knowledge (software) The ability to easily traverse geographic borders (networking) The ability to automate t a difficult task (software & networking)
3 Moore s Law for processers: old hat Yeah, we ve heard about (and experienced) Moore s Law for a long time. So what about NOW? Storage is getting cheaper faster than computing Bandwidth is getting cheaper faster than storage
4 Networks have become the 21 st driver century per Do ollar Sp pent Perfor rmance Optical Fiber (bits per second) (Doubling time 9 Months) Data Storage (bits per square inch) (Doubling time 12 Months) Number of Years Scientific American, January 2001, slide by Larry Smarr, 2005
5 What is security? Vigilance Knowledge Risk management Methodology and policies Applied science ce / forensics Architecture Implementation Operations 3 risks and 3 priorities: Disclosure -> Confidentiality Corruption -> Integrity Unavailability -> Availability Multi-layered defense We have to deal with application and host security
6 Common security myths Myth #1: We aren t a likely target of attack. Fact: 42% of the 2009 CSI/FBI Computer Crime Survey respondents reported detecting a breach in the prior 12 months.
7 Common security myths Myth #2: A small percent of attacks/breaches involve insiders. id Fact: Actually, today nearly half of all attacks/breaches involve insiders.
8 Common security myths Myth #3: We re secure because we have a firewall. Fact: Almost nothing could be further from the truth. Multiple surveys have established that 95% of organizations that had a break-in had a standard commercial firewall in place.
9 Common security myths Myth #4: We haven t been broken into, therefore we are secure. Fact: Most break-ins go undetected for more than six months.
10 Types of breaches in 2009
11 Key trends One-third of CSI Survey Respondents organizations were fraudulently represented as the sender of a phishing message Incidents increasing in frequency: financial fraud, malware infection, denials of service, password sniffing, and Web site defacement Incidents decreasing in frequency: wireless exploits and instant messaging abuse Regulations, standards, and rules, oh my! HIPAA and HITECH Sarbanes-Oxley (SOX) FISMA Gramm-Leach-Bliley Act (Financial Services Modernization) SAS70 PCI/DSS COBIT
12 Which standards affect software developers and testers? Many standards specifically reference information system development and testing ISO27002 Accepted industry best practices NIST 800 series A collection of Special Publications developed accepted as IT security standards by the federal government PCI DSS compliance required for all organizations that process credit card payments HIPAA compliance required for all organizations that store or process EPHI While HIPAA does not specifically address coding or testing requirements, in order for organizations using software to be compliant, the products must meet certain standards
13 Some examples ISO27002 Section Input data validation Data input to applications should be validated to ensure that this data is correct and appropriate. Checks should be applied to the input of business transactions, standing data, and parameter tables. The following guidelines should be considered: Dual input or other input checks, such as boundary checking or limiting fields to specific ranges of input data, to detect the following errors: Out of range values Invalid characters in data fields Missing or incomplete data Exceeding upper and lower data volume limits Unauthorized or inconsistent control data Periodic review of the content of key fields or data files to confirm their validity and integrity Procedures for responding to validation errors Procedures for testing the plausibility of the input data Etc.
14 ISO27002 continued Section Control of internal processing Validation checks should be incorporated into applications to detect any corruption of information through processing errors or deliberate acts. Section Message integrity Requirements for ensuring authenticity and protecting message integrity in applications should be identified and appropriate controls identified and implemented. Section Output data validation Data output from an application should be validated to ensure that the processing of stored information is correct and appropriate to the circumstances.
15 NIST Section SC-2 Application Partitioning The information i system separates user functionality (including user interface services) from information system management functionality. The information system prevents the presentation of information system management-related functionality at an interface for general users. Section SC-3 Security Function Isolation The information system isolates security functions from nonsecurity functions. Section SC-4 Information in Shared Resources The information system prevents unauthorized and unintended information transfer via shared system resources. Section SC-5 Denial of Service Protection The information system protects against or limits the effects of denial of service attacks.
16 NIST continued The list goes on and on A few more examples Resource priority (limit use of resources by priority) Boundary protection (control communication at the boundaries) Transmission integrity (protect transmitted information from modification) Transmission confidentiality (protect from disclosure)
17 Open Web Application Security Project The OWASP guide is the de-facto authoritative resource for web application security For example, the PCI DSS standard requires that applications are developed according to OWASP Too loose to be called a standard, but still a wonderful resource Lots of resources: OWASP Guide Top 10 Lists WebGoat training application WebScarab b and more!
18 OWASP Top 10 A1 Injection OWASP Description SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command query. A2 Cross-Site Scripting XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation. A3 Broken authentication ti ti and Application functions related to session management authentication and session management are often not implemented correctly. A4 Insecure Direct Object Reference Exposure of an internal implementation object to the consumer.
19 OWASP Top 10 OWASP Description A5 Cross Site Request Forgery A6 Security Misconfiguration A7 Insecure Cryptographic Storage A pre-authenticated session that coerces a vulnerable web application to execute arbitrary actions on behalf of the attacker. The application, framework dependencies, server, or platform are not security configured and/or are poorly maintained. Sensitive data is not protected by encryption or hashing.
20 OWASP Top 10 OWASP Description A8 Failure to Restrict URL Access Access to sensitive data restricted only by URL obfuscation (security through obscurity). A9 Insufficient Transport Layer Protection A10 Unvalidated Redirects or Forwards. Lack of authentication, encryption, or other security controls for data in transit. Redirects and forwards are not properly validated, allowing attackers to trick users in to visiting iii malicious lii pages.
21 OWASP Top 10 versus MITRE Vulnerability Trends
22 Finding vulnerabilities Jeremiah Grossman 4/2007
23 Finding vulnerabilities continued Jeremiah Grossman 4/2007
24 Real World SQL Injection Attacks April 13, 2008: Oklahoma Department of Corrections leaks 10,597 SSNs from the sex offender registry web site A printer friendly link used a raw SQL string as a URL parameter Trivially manipulating the parameters allowed arbitrary database queries, including SSN Site last modified in 2005, so 3 years of exposure
25 Real World XSS Attack April 18, 2008 Barack Obama s official site hacked Javascript and malicious HTML passed to the URL was not properly validated Clicking certain links redirected to hillaryclinton.com
26 OWASP Testing Guide Defines 10 categories for testing web applications Information Gathering Config. Management Testing Business Logic Testing Authentication Testing Authorization Testing Session Management Testing Data Validation Testing Denial of Service Testing Web Services Testing Ajax Testing
27 Security testing techniques Manual Inspection and Review Pros: Flexible, low cost of entry, improves communication Cons: Extremely time consuming, high level of skill req d Threat Modeling Decompose, Define/Classify, Explore vulnerabilities and threats, Mitigate Pros: Practical attacker view of the system/process, standards based (NIST ) Cons: New, somewhat vague Source Code Review Pros: Complete coverage, Accurate Cons: Requires extreme skill, may miss vulnerabilities in dependencies Pen Testing Pros: Fast, test code directly Cons: Late in the life cycle, lower coverage
28 Questions? Contact us any time! Terry Morreale Ben Whaley
Where every interaction matters.
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
More informationWEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY
WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities
More informationWHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats
WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top
More informationFINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES
Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that
More informationWeb Application Penetration Testing
Web Application Penetration Testing 2010 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Will Bechtel William.Bechtel@att.com
More informationMagento Security and Vulnerabilities. Roman Stepanov
Magento Security and Vulnerabilities Roman Stepanov http://ice.eltrino.com/ Table of contents Introduction Open Web Application Security Project OWASP TOP 10 List Common issues in Magento A1 Injection
More informationWHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6
WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL Ensuring Compliance for PCI DSS 6.5 and 6.6 CONTENTS 04 04 06 08 11 12 13 Overview Payment Card Industry Data Security Standard PCI Compliance for Web Applications
More information05.0 Application Development
Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development
More informationThe Top Web Application Attacks: Are you vulnerable?
QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding
More informationWHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6
WHITE PAPER FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6 Ensuring compliance for PCI DSS 6.5 and 6.6 Page 2 Overview Web applications and the elements surrounding them
More informationSecuring Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group
Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability
More informationOWASP Top Ten Tools and Tactics
OWASP Top Ten Tools and Tactics Russ McRee Copyright 2012 HolisticInfoSec.org SANSFIRE 2012 10 JULY Welcome Manager, Security Analytics for Microsoft Online Services Security & Compliance Writer (toolsmith),
More informationOverview of the Penetration Test Implementation and Service. Peter Kanters
Penetration Test Service @ ABN AMRO Overview of the Penetration Test Implementation and Service. Peter Kanters ABN AMRO / ISO April 2010 Contents 1. Introduction. 2. The history of Penetration Testing
More informationMaking your web application. White paper - August 2014. secure
Making your web application White paper - August 2014 secure User Acceptance Tests Test Case Execution Quality Definition Test Design Test Plan Test Case Development Table of Contents Introduction 1 Why
More informationUsing Free Tools To Test Web Application Security
Using Free Tools To Test Web Application Security Speaker Biography Matt Neely, CISSP, CTGA, GCIH, and GCWN Manager of the Profiling Team at SecureState Areas of expertise: wireless, penetration testing,
More informationIntegrating Security Testing into Quality Control
Integrating Security Testing into Quality Control Executive Summary At a time when 82% of all application vulnerabilities are found in web applications 1, CIOs are looking for traditional and non-traditional
More informationDFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)
Title: Functional Category: Information Technology Services Issuing Department: Information Technology Services Code Number: xx.xxx.xx Effective Date: xx/xx/2014 1.0 PURPOSE 1.1 To appropriately manage
More informationEssential IT Security Testing
Essential IT Security Testing Application Security Testing for System Testers By Andrew Muller Director of Ionize Who is this guy? IT Security consultant to the stars Member of OWASP Member of IT-012-04
More informationCracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference
Cracking the Perimeter via Web Application Hacking Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference About 403 Labs 403 Labs is a full-service information security and compliance
More informationRational AppScan & Ounce Products
IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168
More informationDetecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008
Detecting Web Application Vulnerabilities Using Open Source Means OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Kostas Papapanagiotou Committee Member OWASP Greek Chapter conpap@owasp.gr
More informationArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young
ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction
More informationETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001
001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110
More informationFortiWeb Web Application Firewall. Ensuring Compliance for PCI DSS requirement 6.6 SOLUTION GUIDE
FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS requirement 6.6 SOLUTION GUIDE Overview Web applications and the elements surrounding them have not only become a key part of every company
More informationWeb applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh
Web applications Web security: web basics Myrto Arapinis School of Informatics University of Edinburgh HTTP March 19, 2015 Client Server Database (HTML, JavaScript) (PHP) (SQL) 1 / 24 2 / 24 URLs HTTP
More informationHow to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering
How to break in Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering Time Agenda Agenda Item 9:30 10:00 Introduction 10:00 10:45 Web Application Penetration
More informationOWASP AND APPLICATION SECURITY
SECURING THE 3DEXPERIENCE PLATFORM OWASP AND APPLICATION SECURITY Milan Bruchter/Shutterstock.com WHITE PAPER EXECUTIVE SUMMARY As part of Dassault Systèmes efforts to counter threats of hacking, particularly
More informationTesting the OWASP Top 10 Security Issues
Testing the OWASP Top 10 Security Issues Andy Tinkham & Zach Bergman, Magenic Technologies Contact Us 1600 Utica Avenue South, Suite 800 St. Louis Park, MN 55416 1 (877)-277-1044 info@magenic.com Who Are
More informationOWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp.
and Top 10 (2007 Update) Dave Wichers The Foundation Conferences Chair dave.wichers@owasp.org COO, Aspect Security dave.wichers@aspectsecurity.com Copyright 2007 - The Foundation This work is available
More informationOut of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet
Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development
More informationSix Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business
6 Six Essential Elements of Web Application Security Cost Effective Strategies for Defending Your Business An Introduction to Defending Your Business Against Today s Most Common Cyber Attacks When web
More informationFunctional vs. Load Testing
Best Practices in Performance & Security Testing March 26, 2009 CVN www.sonata-software.com Functional vs. Load Testing Functional test Objective Functionality Example Do business processes function properly
More informationCSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities
CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities Thomas Moyer Spring 2010 1 Web Applications What has changed with web applications? Traditional applications
More informationAdobe Systems Incorporated
Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...
More informationMean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP
Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP Presentation Overview Basic Application Security (AppSec) Fundamentals Risks Associated With
More informationFINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE
Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security
More informationAnnex B - Content Management System (CMS) Qualifying Procedure
Page 1 DEPARTMENT OF Version: 1.5 Effective: December 18, 2014 Annex B - Content Management System (CMS) Qualifying Procedure This document is an annex to the Government Web Hosting Service (GWHS) Memorandum
More informationHow to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP
How to start a software security initiative within your organization: a maturity based and metrics driven approach Marco Morana OWASP Lead/ TISO Citigroup OWASP Application Security For E-Government Copyright
More informationSitefinity Security and Best Practices
Sitefinity Security and Best Practices Table of Contents Overview The Ten Most Critical Web Application Security Risks Injection Cross-Site-Scripting (XSS) Broken Authentication and Session Management
More informationNational Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research
National Information Security Group The Top Web Application Hack Attacks Danny Allan Director, Security Research 1 Agenda Web Application Security Background What are the Top 10 Web Application Attacks?
More informationKASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com
KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global
More informationWhat is Web Security? Motivation
brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web
More informationPassing PCI Compliance How to Address the Application Security Mandates
Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These
More informationWeb application security
Web application security Sebastian Lopienski CERN Computer Security Team openlab and summer lectures 2010 (non-web question) Is this OK? int set_non_root_uid(int uid) { // making sure that uid is not 0
More informationPCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker
PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker www.quotium.com 1/14 Summary Abstract 3 PCI DSS Statistics 4 PCI DSS Application Security 5 How Seeker Helps You Achieve PCI DSS
More informationNuclear Regulatory Commission Computer Security Office Computer Security Standard
Nuclear Regulatory Commission Computer Security Office Computer Security Standard Office Instruction: Office Instruction Title: CSO-STD-1108 Web Application Standard Revision Number: 1.0 Effective Date:
More informationHow to complete the Secure Internet Site Declaration (SISD) form
1 How to complete the Secure Internet Site Declaration (SISD) form The following instructions are designed to assist you in completing the SISD form that forms part of your Merchant application. Once completed,
More informationelearning for Secure Application Development
elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security
More informationPentests more than just using the proper tools
Pentests more than just using the proper tools Agenda 1. Information Security @ TÜV Rheinland 2. Penetration testing Introduction Evaluation scheme Security Analyses of web applications Internal Security
More informationApplication security testing: Protecting your application and data
E-Book Application security testing: Protecting your application and data Application security testing is critical in ensuring your data and application is safe from security attack. This ebook offers
More information(WAPT) Web Application Penetration Testing
(WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:
More informationIs Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security
Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss Thinking Securely Security is a process, not
More informationBarracuda Web Site Firewall Ensures PCI DSS Compliance
Barracuda Web Site Firewall Ensures PCI DSS Compliance E-commerce sales are estimated to reach $259.1 billion in 2007, up from the $219.9 billion earned in 2006, according to The State of Retailing Online
More informationColumbia University Web Security Standards and Practices. Objective and Scope
Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements
More informationWhite Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers
White Paper Guide to PCI Application Security Compliance for Merchants and Service Providers Contents Overview... 3 I. The PCI DSS Requirements... 3 II. Compliance and Validation Requirements... 4 III.
More information3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management
What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org
More informationCreating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011 Agenda Evolving Threats Operating System Application User Generated Content JPL s Application Security Program Securing
More informationIntegrating Security into the Application Development Process. Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis
Integrating Security into the Application Development Process Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis Agenda Seek First to Understand Source Code Security AppSec and SQA Analyzing
More informationPenetration Testing in Romania
Penetration Testing in Romania Adrian Furtunǎ, Ph.D. 11 October 2011 Romanian IT&C Security Forum Agenda About penetration testing Examples Q & A 2 What is penetration testing? Method for evaluating the
More informationHow to achieve PCI DSS Compliance with Checkmarx Source Code Analysis
How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis Document Scope This document aims to assist organizations comply with PCI DSS 3 when it comes to Application Security best practices.
More informationWeb application testing
CL-WTS Web application testing Classroom 2 days Testing plays a very important role in ensuring security and robustness of web applications. Various approaches from high level auditing through penetration
More informationHow To Test A Computer System On A Microsoft Powerbook 2.5 (Windows) (Windows 2) (Powerbook 2) And Powerbook 1.5.1 (Windows 3) (For Windows) (Programmer) (Or
2014 Guide For Testing Your Software Security and Software Assessment Services (SSAS) Usability Testing Sections Installation and Un-Installation Software Documentation Test Cases or Tutorial Graphical
More informationThe Electronic Arms Race of Cyber Security 4.2 Lecture 7
The Electronic Arms Race of Cyber Security 4.2 Lecture 7 ISIMA Clermont-Ferrand / 04-February 2011 Copyright 2011 Dr. Juergen Hirte List of Content Why Process Automation Security? Security Awareness Issues
More informationPentests more than just using the proper tools
Pentests more than just using the proper tools Agenda 1. Information Security @ TÜV Rheinland 2. Security testing 3. Penetration testing Introduction Evaluation scheme Security Analyses of web applications
More informationWEB APPLICATION FIREWALLS: DO WE NEED THEM?
DISTRIBUTING EMERGING TECHNOLOGIES, REGION-WIDE WEB APPLICATION FIREWALLS: DO WE NEED THEM? SHAIKH SURMED Sr. Solutions Engineer info@fvc.com www.fvc.com HAVE YOU BEEN HACKED????? WHAT IS THE PROBLEM?
More informationSession 30. IT Security: Threats, Vulnerabilities and Countermeasures. Phillip Loranger, DoED CISO Robert Ingwalson, FSA CISO
Session 30 IT Security: Threats, Vulnerabilities and Countermeasures Phillip Loranger, DoED CISO Robert Ingwalson, FSA CISO New Cyber Security World New threats New tools and services to protect New organization
More informationLast update: February 23, 2004
Last update: February 23, 2004 Web Security Glossary The Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. The purpose of the Glossary is to
More informationStrategic Information Security. Attacking and Defending Web Services
Security PS Strategic Information Security. Attacking and Defending Web Services Presented By: David W. Green, CISSP dgreen@securityps.com Introduction About Security PS Application Security Assessments
More informationWeb Engineering Web Application Security Issues
Security Issues Dec 14 2009 Katharina Siorpaes Copyright 2009 STI - INNSBRUCK www.sti-innsbruck.at It is NOT Network Security It is securing: Custom Code that drives a web application Libraries Backend
More informationWeb Application Report
Web Application Report This report includes important security information about your Web Application. Security Report This report was created by IBM Rational AppScan 8.5.0.1 11/14/2012 8:52:13 AM 11/14/2012
More informationWeb Application Security 101
dotdefender Web Application Security Web Application Security 101 1 Web Application Security 101 As the Internet has evolved over the years, it has become an integral part of virtually every aspect in
More informationCloud Security Framework (CSF): Gap Analysis & Roadmap
Cloud Security Framework (CSF): Gap Analysis & Roadmap Contributors: Suren Karavettil, Bhumip Khasnabish Ning So, Gene Golovinsky, Meng Yu & Wei Yinxing Please send comments & suggestions to Suren Karavettil
More informationWhy a Web Application Firewall Makes Good Business Sense How to Stay Secure with AppWall Whitepaper
Why a Web Application Firewall Makes Good Business Sense How to Stay Secure with AppWall Whitepaper Table of Contents Introduction...3 Living on the Edge: Your Unprotected Business is at Risk...3 The World
More informationBad Romance: Three Reasons Hackers <3 Your Web Apps & How to Break Them Up
Bad Romance: Three Reasons Hackers
More informationCloud Security Framework (CSF): Gap Analysis & Roadmap
Cloud Security Framework (CSF): Gap Analysis & Roadmap Contributors: Suren Karavettil, Bhumip Khasnabish Ning So, Gene Golovinsky, Meng Yu & Wei Yinxing Please send comments & suggestions to Suren Karavettil
More informationCriteria for web application security check. Version 2015.1
Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-
More informationWeb Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure
Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences
More informationSuccessful Strategies for QA- Based Security Testing
Successful Strategies for QA- Based Security Testing Rafal Los Enterprise & Cloud Security Strategist HP Software 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject
More informationSecure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda
Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current
More informationArchitectural Design Patterns. Design and Use Cases for OWASP. Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A. http://www.owasp.
Architectural Design Patterns for SSO (Single Sign On) Design and Use Cases for Financial i Web Applications Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A. OWASP Copyright The OWASP Foundation Permission
More informationStopping SQL Injection and. Manoranjan (Mano) Paul. Track: Operating Systems Security - Are we there yet?
Stopping SQL Injection and Crossing Over Cross-site Scripting Track: Operating Systems Security - Are we there yet? Manoranjan (Mano) Paul CISSP, MCSD, MCAD, CompTIA Network+, ECSA/LPT Catalyst(s) SQL
More informationTable of Contents. Page 2/13
Page 1/13 Table of Contents Introduction...3 Top Reasons Firewalls Are Not Enough...3 Extreme Vulnerabilities...3 TD Ameritrade Security Breach...3 OWASP s Top 10 Web Application Security Vulnerabilities
More informationAppDefend Application Firewall Overview
AppDefend Application Firewall Overview May 2014 Stephen Kost Chief Technology Officer Integrigy Corporation Agenda Web Application Security AppDefend Overview Q&A 1 2 3 4 5 Oracle EBS Web Architecture
More informationImplementation of Web Application Security Solution using Open Source Gaurav Gupta 1, B. K. Murthy 2, P. N. Barwal 3
Implementation of Web Application Security Solution using Open Source Gaurav Gupta 1, B. K. Murthy 2, P. N. Barwal 3 ABSTRACT 1 Project Engineer, CDACC-56/1, Sector-62, Noida, 2 Executive Director, CDACC-56/1,
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationHow DataSunrise Helps to Comply with SOX, PCI DSS and HIPAA Requirements
How DataSunrise Helps to Comply with SOX, PCI DSS and HIPAA Requirements DataSunrise, Inc. https://www.datasunrise.com Note: the latest copy of this document is available at https://www.datasunrise.com/documentation/resources/
More informationCloud Security:Threats & Mitgations
Cloud Security:Threats & Mitgations Vineet Mago Naresh Khalasi Vayana 1 What are we gonna talk about? What we need to know to get started Its your responsibility Threats and Remediations: Hacker v/s Developer
More informationIntroduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006
Introduction to Web Application Security Microsoft CSO Roundtable Houston, TX September 13 th, 2006 Overview Background What is Application Security and Why Is It Important? Examples Where Do We Go From
More informationDetecting and Defending Against Security Vulnerabilities for Web 2.0 Applications
Detecting and Defending Against Security Vulnerabilities for Web 2.0 Applications Ray Lai, Intuit TS-5358 Share experience how to detect and defend security vulnerabilities in Web 2.0 applications using
More informationWeb Application Hacking (Penetration Testing) 5-day Hands-On Course
Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Course Description Our web sites are under attack on a daily basis
More informationWEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services
WEB SITE SECURITY Jeff Aliber Verizon Digital Media Services 1 SECURITY & THE CLOUD The Cloud (Web) o The Cloud is becoming the de-facto way for enterprises to leverage common infrastructure while innovating
More informationApplication Security Vulnerabilities, Mitigation, and Consequences
Application Security Vulnerabilities, Mitigation, and Consequences Sean Malone, CISSP, CCNA, CEH, CHFI sean.malone@coalfiresystems.com Institute of Internal Auditors April 10, 2012 Overview Getting Technical
More informationIntegrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com
SAINT Integrated Network Vulnerability Scanning and Penetration Testing www.saintcorporation.com Introduction While network vulnerability scanning is an important tool in proactive network security, penetration
More informationDevelopment Processes (Lecture outline)
Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development
More informationPayment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security
Payment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security John Mason Slides & Code - labs.fusionlink.com Blog - www.codfusion.com What is PCI-DSS? Created by the
More informationWeb Application Security
Web Application Security John Zaharopoulos ITS - Security 10/9/2012 1 Web App Security Trends Web 2.0 Dynamic Webpages Growth of Ajax / Client side Javascript Hardening of OSes Secure by default Auto-patching
More informationHow Security Testing can ensure Your Mobile Application Security. Yohannes, CEHv8, ECSAv8, ISE, OSCP(PWK) Information Security Consultant
How Security Testing can ensure Your Mobile Application Security Yohannes, CEHv8, ECSAv8, ISE, OSCP(PWK) Information Security Consultant Once More Consulting & Advisory Services IT Governance IT Strategic
More informationVIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES. AUTHOR: Chema Alonso
VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES AUTHOR: Chema Alonso Informática 64. Microsoft MVP Enterprise Security Hello and welcome to Intypedia.
More informationThe monsters under the bed are real... 2004 World Tour
Web Hacking LIVE! The monsters under the bed are real... 2004 World Tour Agenda Wichita ISSA August 6 th, 2004 The Application Security Dilemma How Bad is it, Really? Overview of Application Architectures
More informationJava Web Application Security
Java Web Application Security RJUG Nov 11, 2003 Durkee Consulting www.rd1.net 1 Ralph Durkee SANS Certified Mentor/Instructor SANS GIAC Network Security and Software Development Consulting Durkee Consulting
More information