Source code security testing

Size: px
Start display at page:

Download "Source code security testing"

Transcription

1 Source code security testing Simone Riccetti EMEA PSS Security Services All information represents IBM's current intent, is subject to change or withdrawal without notice, and represents only IBM ISS goals and objectives. By providing this information, IBM is not committing to provide this capability.

2 Agenda Nuove vulnerabilità e rischi Tipologie di approcci in base al problema Selezione dei test Nuove tecnologie 2 21 March 2012

3 Sistemi in continua evoluzione Complessità Integrazione Estensibilità Connettività

4 Perché la sicurezza del codice è così importante? La maggior parte dei buchi di sicurezza del software non sono sfruttati in modo diretto da utenti malintenzionati, ma sono piuttosto sfruttati per errore da altri programmi o componenti, causando effetti imprevedibili che degradano la sicurezza e la qualità delle applicazioni.

5 Un esempio semplice.buffer overflow foo { void func(void) int i; char buffer[256]; for(i=0;i<512;i++) return; buffer[i]='a'; } s you can see, our 'buffer' gets filled with 256 'A's, followed by 256 more that just don't fit.

6 Non tutte le vulnerabilità sono facilmente individuabili.

7 Modeling e complessità int main() { int sum = 0; int i = 1; while (i < 11) { sum = sum + i; i = i + 1; } printf( %d\n,sum); printf( %d\n,i); } Enter T T T T T T sum = 0 i = 1 while(i < 11) printf(sum) printf(i) T T sum = sum + i i = i + i

8 Metodologie e tecniche di test disponibili Dynamic analysis Penetration test Users priviledge escalation test Denial of service Non repudiation testing Failure testing Cryptographic validation testing Privacy and Confidential testing Software security unit test Software security regression test Static analysis altri? Challenge: Integrazione nel SDLC!!! Definizione dei requisiti Requisiti di sicurezza Abuse cases Design Principi di secure design Risk analysis Implementazione Secure coding Security testing Test Risk analysis Security testing Deploy Vulnerability management Secure deployment Operational enablement Security testing Analisi assistita o manuale?

9 Dynamic vs. Static Analysis Static Analysis Null pointer dereference Threading issues Code quality issues Issues in dead code Insecure crypto functions Issues in back-end application code Stored vulneabilities Complex SQL injection Total Potential Security Issues Dynamic Analysis Environment configuration issues Patch level issues Runtime privileges issues Authentication issues Protocol parser/serializer issues Session management issues Issues in external 3rd party web components Cross-site request forgery Malware analysis Manual Assessment Business logic issues Dynamic & Static SQL Injection Cross Site Scripting HTTP Response Splitting OS Commanding LDAP Injection XPath Injection Path Traversal Buffer Overflows Format String Issues

10 Che approccio adottare? Dipende The Balancing Act Tipo di applicazione? Numero di KLOC? Tecnologie e framework? Prospettiva? Security skills Tipo di vulnerabilità che voglio individuare Organizzazione..

11 Esempio: Remediation black box (SQL inj) An SQL Injection vulnerability was identified Let s fix it! Identificare la parte di codice vulnerabile Scrivere il codice che elimina la vulnerabilità

12 Esempio: Remediation black box (SQL inj)

13 Esempio: Remediation black box (SQL inj)

14 Esempio: Remediation black box (SQL inj)

15 Esempio: Remediation black box (SQL inj)

16 Esempio di static analysis (taint analysis) Source request.getparameter() Sink statement.executequery() Limite: binary analysis

17 L approccio deve essere completo.e questo vale anche per I tool Hybrid Analysis = + Black Box White Box Hybrid Analysis Technologies in IBM Rational AppScan: Correlazione JSA (JavaScript Security Analyzer) Glass box technology

18 La logica di business si sta sviluppando anche lato client Client-Side Logic in Web Applications 30% 25% 25% 20% 15% 10% 5% 5% 0% 5 Years Ago Today Il codice sorgente che viene inviato al browser può essere utilizzato per effettuare analisi statica

19 Obfuscation IBM Internet Security Systems Prima Dopo

20 L analisi dinamica prevede una parte statica (DOM Based XSS) 1.Reflected 2.Stored 3.DOM-based TODAY S FOCUS Example of trace provided by IBM Rational Appscan JSA

21 Glass Box Technology Image: Meawpong3405 / FreeDigitalPhotos.net

22 Glass Box Architecture E un approccio blackbox con un agente integrato nell application server La correlazione degli eventi permette di individuare con precisione i metodi vulnerabili nel codice Fondamentale per vulnerabilità di tipo Blind SQL Injection Applica tion Server Application Under Test Agent Agent AppScan Control & Report

23

Web Application Report

Web Application Report Web Application Report This report includes important security information about your Web Application. Security Report This report was created by IBM Rational AppScan 8.5.0.1 11/14/2012 8:52:13 AM 11/14/2012

More information

SCADA / Smart Grid Security Who is really in control of our Control Systems?

SCADA / Smart Grid Security Who is really in control of our Control Systems? SCADA / Smart Grid Security Who is really in control of our Control Systems? Simone Riccetti Certified SCADA Security Architect Agenda Overview of Security landscape SCADA security problem How to protect

More information

Client Side Cross Site Scripting

Client Side Cross Site Scripting Client Side Cross Site Scripting 1 Client Side Cross Site Scripting CLIENT SIDE XSS - DI PAOLA 2 Soluzioni e sicurezza per applicazioni mobile e payments Consorzio Triveneto, azienda leader nei sistemi

More information

Web App Security Audit Services

Web App Security Audit Services locuz.com Professional Services Web App Security Audit Services The unsecured world today Today, over 80% of attacks against a company s network come at the Application Layer not the Network or System

More information

Industrial Control Systems Security. Denny Gregianin_Sales Area Manager

Industrial Control Systems Security. Denny Gregianin_Sales Area Manager Industrial Control Systems Security Denny Gregianin_Sales Area Manager VEM in Numbers 5 29 170 800 495 5000 Dipendenti e Fatturato Design & Delivery NOC SOC HR & Quality Operations Custom Application Development

More information

Rational AppScan & Ounce Products

Rational AppScan & Ounce Products IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168

More information

Lorenzo.barbieri@microsoft.com Blogs.msdn.com/vstsitalia. www.geniodelmale.info

Lorenzo.barbieri@microsoft.com Blogs.msdn.com/vstsitalia. www.geniodelmale.info Lorenzo.barbieri@microsoft.com Blogs.msdn.com/vstsitalia www.geniodelmale.info Visual Studio Team System, Professional e Standard Team Explorer si integra in VS2008/VS2005 Visual Studio.NET 2003, VS 6.0,

More information

The Top Web Application Attacks: Are you vulnerable?

The Top Web Application Attacks: Are you vulnerable? QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding

More information

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP) Title: Functional Category: Information Technology Services Issuing Department: Information Technology Services Code Number: xx.xxx.xx Effective Date: xx/xx/2014 1.0 PURPOSE 1.1 To appropriately manage

More information

(WAPT) Web Application Penetration Testing

(WAPT) Web Application Penetration Testing (WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:

More information

Attack Vector Detail Report Atlassian

Attack Vector Detail Report Atlassian Attack Vector Detail Report Atlassian Report As Of Tuesday, March 24, 2015 Prepared By Report Description Notes cdavies@atlassian.com The Attack Vector Details report provides details of vulnerability

More information

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011 Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011 Agenda Evolving Threats Operating System Application User Generated Content JPL s Application Security Program Securing

More information

What is Web Security? Motivation

What is Web Security? Motivation brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web

More information

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Course Description Our web sites are under attack on a daily basis

More information

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability

More information

Promoting Application Security within Federal Government. AppSec DC November 13, 2009. The OWASP Foundation http://www.owasp.org

Promoting Application Security within Federal Government. AppSec DC November 13, 2009. The OWASP Foundation http://www.owasp.org Promoting Application Security within Federal Government AppSec DC November 13, 2009 Dr. Sarbari Gupta, CISSP, CISA Founder/President Electrosoft sarbari@electrosoft-inc.com 703-437-9451 ext 12 The Foundation

More information

Early Vulnerability Detection for Supporting Secure Programming

Early Vulnerability Detection for Supporting Secure Programming Early Vulnerability Detection for Supporting Secure Programming Luciano Sampaio - lsampaio@inf.puc- rio.br Alessandro Garcia - afgarcia@inf.puc- rio.br OPUS Research Group LES DI PUC- Rio - Brazil OPUS

More information

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp.

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp. and Top 10 (2007 Update) Dave Wichers The Foundation Conferences Chair dave.wichers@owasp.org COO, Aspect Security dave.wichers@aspectsecurity.com Copyright 2007 - The Foundation This work is available

More information

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development

More information

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that

More information

How to renew S&S Video Italian version. 2009 IBM Corporation

How to renew S&S Video Italian version. 2009 IBM Corporation How to renew S&S Video Italian version A. Renewal Email Lasciate che vi illustri come rinnovare le vostre licenze software IBM con Passport Advantage Online. (Let me show you how to renew your IBM software

More information

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec.co.il

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec.co.il Application Security Testing Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec.co.il Agenda The most common security vulnerabilities you should test for Understanding the problems

More information

Vulnerabilità e Attacchi alle Infrastrutture IT Simone Riccetti. Sr. IT Security Architect

Vulnerabilità e Attacchi alle Infrastrutture IT Simone Riccetti. Sr. IT Security Architect Vulnerabilità e Attacchi alle Infrastrutture IT Simone Riccetti Sr. IT Security Architect Agenda Team di Ricerca X-Force Vulnerabilità e Minacce Tecnologie di Protezione Attack Lifecycle Live Demo 2 The

More information

Comprehensive Security for Internet-of-Things Devices With ARM TrustZone

Comprehensive Security for Internet-of-Things Devices With ARM TrustZone Comprehensive Security for Internet-of-Things Devices With ARM TrustZone Howard Williams mentor.com/embedded Internet-of-Things Trends The world is more connected IoT devices are smarter and more complex

More information

Chapter 1 Web Application (In)security 1

Chapter 1 Web Application (In)security 1 Introduction xxiii Chapter 1 Web Application (In)security 1 The Evolution of Web Applications 2 Common Web Application Functions 4 Benefits of Web Applications 5 Web Application Security 6 "This Site Is

More information

Web Application Security

Web Application Security About SensePost SensePost is an independent and objective organisation specialising in information security consulting, training, security assessment services and IT Vulnerability Management. SensePost

More information

Percorso Mcsa Managing and Mainting Windows 8

Percorso Mcsa Managing and Mainting Windows 8 Percorso Mcsa Managing and Mainting Windows 8 Descrizione In questo corso, gli studenti imparano a progettare l'installazione, la configurazione e la manutenzione di Windows 8. Due caratteristiche uniche

More information

Corso: Supporting and Troubleshooting Windows 10 Codice PCSNET: MW10-3 Cod. Vendor: 10982 Durata: 5

Corso: Supporting and Troubleshooting Windows 10 Codice PCSNET: MW10-3 Cod. Vendor: 10982 Durata: 5 Corso: Supporting and Troubleshooting Windows 10 Codice PCSNET: MW10-3 Cod. Vendor: 10982 Durata: 5 Obiettivi Al termine del corso i partecipanti saranno in grado di: Descrivere i processi coinvolti nella

More information

Application Code Development Standards

Application Code Development Standards Application Code Development Standards Overview This document is intended to provide guidance to campus system owners and software developers regarding secure software engineering practices. These standards

More information

Adobe Systems Incorporated

Adobe Systems Incorporated Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...

More information

Open Web Application Security Project Open source advocacy group > web security Projects dedicated to security on the web

Open Web Application Security Project Open source advocacy group > web security Projects dedicated to security on the web Presented by: Mike Grima Open Web Application Security Project Open source advocacy group > web security Projects dedicated to security on the web 1 OWASP Top 10 OWASP Testing Framework (Testing Guide)

More information

Web Application Penetration Testing

Web Application Penetration Testing Web Application Penetration Testing 2010 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Will Bechtel William.Bechtel@att.com

More information

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com SAINT Integrated Network Vulnerability Scanning and Penetration Testing www.saintcorporation.com Introduction While network vulnerability scanning is an important tool in proactive network security, penetration

More information

Sicurezza Data Center 22 giugno 2015. Fabio Paravani Regional Account Manager

Sicurezza Data Center 22 giugno 2015. Fabio Paravani Regional Account Manager Sicurezza Data Center 22 giugno 2015 Fabio Paravani Regional Account Manager A world safe for exchanging digital information CEO Founded Headquarters Employees Offices 2012 Sales Eva Chen 1988, United

More information

Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP

Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Learning objectives for today s session Understand different types of application assessments and how they differ Be

More information

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current

More information

MANAGED SECURITY TESTING

MANAGED SECURITY TESTING MANAGED SECURITY TESTING SERVICE LEVEL COMPARISON External Network Testing (EVS) Scanning Basic Threats Penetration Testing Network Vulnerability Scan Unauthenticated Web App Scanning Validation Of Scan

More information

elearning for Secure Application Development

elearning for Secure Application Development elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security

More information

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications 1. Introduction 2. Web Application 3. Components 4. Common Vulnerabilities 5. Improving security in Web applications 2 What does World Wide Web security mean? Webmasters=> confidence that their site won

More information

Corso: Core Solutions of Microsoft Skype for Business 2015 Codice PCSNET: MSKY-5 Cod. Vendor: 20334 Durata: 5

Corso: Core Solutions of Microsoft Skype for Business 2015 Codice PCSNET: MSKY-5 Cod. Vendor: 20334 Durata: 5 Corso: Core Solutions of Microsoft Skype for Business Codice PCSNET: MSKY-5 Cod. Vendor: 20334 Durata: 5 Obiettivi Al termine del corso i partecipanti saranno in grado di: Descrivere l'architettura di

More information

VASCO Data Security. The Authentication Company. Richard Zoni Channel Manager Italy

VASCO Data Security. The Authentication Company. Richard Zoni Channel Manager Italy VASCO Data Security The Authentication Company Richard Zoni Channel Manager Italy 05/05/2010 Le password... più utilizzate 1. password 2. 123456 3. Qwerty 4. Abc123 5. pippo 6. 696969 7. Myspace1 8. Password1

More information

Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group

Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group Overview What is Application Security? Examples of Potential Vulnerabilities Potential Strategies

More information

Executive Summary On IronWASP

Executive Summary On IronWASP Executive Summary On IronWASP CYBER SECURITY & PRIVACY FOUNDATION 1 Software Product: IronWASP Description of the Product: IronWASP (Iron Web application Advanced Security testing Platform) is an open

More information

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP Threat Modeling Categorizing the nature and severity of system vulnerabilities John B. Dickson, CISSP What is Threat Modeling? Structured approach to identifying, quantifying, and addressing threats. Threat

More information

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities Thomas Moyer Spring 2010 1 Web Applications What has changed with web applications? Traditional applications

More information

Cloud Services: cosa sono e quali vantaggi portano alle aziende manifatturiere

Cloud Services: cosa sono e quali vantaggi portano alle aziende manifatturiere Cloud Services: cosa sono e quali vantaggi portano alle aziende manifatturiere Sergio Gimelli Sales Consulting Director Oracle Italy Fabbrica Futuro Verona, 27 Giugno 2013 1 2 Cosa è il Cloud? il Cloud

More information

Certified Secure Web Application Security Test Checklist

Certified Secure Web Application Security Test Checklist www.certifiedsecure.com info@certifiedsecure.com Tel.: +31 (0)70 310 13 40 Loire 128-A 2491 AJ The Hague The Netherlands Certified Secure Checklist About Certified Secure exists to encourage and fulfill

More information

2,000 Websites Later Which Web Programming Languages are Most Secure?

2,000 Websites Later Which Web Programming Languages are Most Secure? 2,000 Websites Later Which Web Programming Languages are Most Secure? Jeremiah Grossman Founder & Chief Technology Officer 2010 WhiteHat Security, Inc. WhiteHat Security Founder & Chief Technology Officer

More information

Alberto Meneghini! Security Leader, IBM Italia! IBM Security. 2015 IBM Corporation. 12015 IBM Corporation

Alberto Meneghini! Security Leader, IBM Italia! IBM Security. 2015 IBM Corporation. 12015 IBM Corporation Alberto Meneghini! Security Leader, IBM Italia! 12015 IBM Corporation Esistono istituzioni finanziarie che sanno cosa significa essere attaccate ed altre che neppure lo immaginano. In quale vi riconoscete?!

More information

Criteria for web application security check. Version 2015.1

Criteria for web application security check. Version 2015.1 Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-

More information

Promoting Application Security within Federal Government. AppSec DC November 13, 2009. The OWASP Foundation http://www.owasp.org

Promoting Application Security within Federal Government. AppSec DC November 13, 2009. The OWASP Foundation http://www.owasp.org Promoting Application Security within Federal Government AppSec DC November 13, 2009 Dr. Sarbari Gupta, CISSP, CISA Founder/President Electrosoft sarbari@electrosoft-inc.com 703-437-9451 ext 12 The Foundation

More information

Last update: February 23, 2004

Last update: February 23, 2004 Last update: February 23, 2004 Web Security Glossary The Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. The purpose of the Glossary is to

More information

Navicat Premium è uno strumento di amministrazione per database con connessioni-multiple, consente di connettersi

Navicat Premium è uno strumento di amministrazione per database con connessioni-multiple, consente di connettersi Navicat Premium è uno strumento di amministrazione per database con connessioni-multiple, consente di connettersi simultaneamente con una singola applicazione a MySQL, SQL Server, SQLite, Oracle e PostgreSQL,

More information

C.S.E. Nodi Tipici Parametrizzati al 15-4-2015. 14/04/2015 Copyright (c) 2015 - Castalia srl

C.S.E. Nodi Tipici Parametrizzati al 15-4-2015. 14/04/2015 Copyright (c) 2015 - Castalia srl C.S.E. Nodi Tipici Parametrizzati al 15-4-2015 14/04/2015 Copyright (c) 2015 - Castalia srl 1 Avvertenze (1) Ci sono tre sezioni in questo documento: 1. Nodi in tutte le versioni (background azzurro):

More information

Automating Security Testing. Mark Fallon Senior Release Manager Oracle

Automating Security Testing. Mark Fallon Senior Release Manager Oracle Automating Security Testing Mark Fallon Senior Release Manager Oracle Some Ground Rules There are no silver bullets You can not test security into a product Testing however, can help discover a large percentage

More information

STATE OF WASHINGTON DEPARTMENT OF SOCIAL AND HEALTH SERVICES P.O. Box 45810, Olympia, Washington 98504 5810. October 21, 2013

STATE OF WASHINGTON DEPARTMENT OF SOCIAL AND HEALTH SERVICES P.O. Box 45810, Olympia, Washington 98504 5810. October 21, 2013 STATE OF WASHINGTON DEPARTMENT OF SOCIAL AND HEALTH SERVICES P.O. Box 45810, Olympia, Washington 98504 5810 October 21, 2013 To: RE: All Vendors Request for Information (RFI) The State of Washington, Department

More information

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus ASP.NET MVC Secure Coding 4-Day hands on Course Course Syllabus Course description ASP.NET MVC Secure Coding 4-Day hands on Course Secure programming is the best defense against hackers. This multilayered

More information

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis Document Scope This document aims to assist organizations comply with PCI DSS 3 when it comes to Application Security best practices.

More information

TOOL EVALUATION REPORT: FORTIFY

TOOL EVALUATION REPORT: FORTIFY TOOL EVALUATION REPORT: FORTIFY Derek D Souza, Yoon Phil Kim, Tim Kral, Tejas Ranade, Somesh Sasalatti ABOUT THE TOOL Background The tool that we have evaluated is the Fortify Source Code Analyzer (Fortify

More information

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

More information

Reducing Application Vulnerabilities by Security Engineering

Reducing Application Vulnerabilities by Security Engineering Reducing Application Vulnerabilities by Security Engineering - Subash Newton Manager Projects (Non Functional Testing, PT CoE Group) 2008, Cognizant Technology Solutions. All Rights Reserved. The information

More information

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing Introduction ManTech Project Manager Mark Shaw, Senior Executive Director Cyber Security Solutions Division

More information

New IBM Security Scanning Software Protects Businesses From Hackers

New IBM Security Scanning Software Protects Businesses From Hackers New IBM Security Scanning Software Protects Businesses From Hackers Chatchawun Jongudomsombut Web Application Security Situation Today HIGH AND INCREASING DEPENDENCE ON WEB SERVICES Work and business Communications

More information

Learn Ethical Hacking, Become a Pentester

Learn Ethical Hacking, Become a Pentester Learn Ethical Hacking, Become a Pentester Course Syllabus & Certification Program DOCUMENT CLASSIFICATION: PUBLIC Copyrighted Material No part of this publication, in whole or in part, may be reproduced,

More information

Learning objectives for today s session

Learning objectives for today s session Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Learning objectives for today s session Understand what a black box and white box assessment is and how they differ Identify

More information

Excellence Doesn t Need a Certificate. Be an. Believe in You. 2014 AMIGOSEC Consulting Private Limited

Excellence Doesn t Need a Certificate. Be an. Believe in You. 2014 AMIGOSEC Consulting Private Limited Excellence Doesn t Need a Certificate Be an 2014 AMIGOSEC Consulting Private Limited Believe in You Introduction In this age of emerging technologies where IT plays a crucial role in enabling and running

More information

Dall Information Security alla Cyber Security, e ritorno

Dall Information Security alla Cyber Security, e ritorno Dall Information Security alla Cyber Security, e ritorno (Come migliorare la sicurezza dell azienda attraverso un efficace governo degli incidenti) Luca Bechelli (CLUSIT) Marco Di Leo (HP) Fabio Vernacotola

More information

JavaScript static security analysis made easy with JSPrime

JavaScript static security analysis made easy with JSPrime JavaScript static security analysis made easy with JSPrime Nishant Das Patnaik & Sarathi Sabyasachi Sahoo nishant.dp@gmail.com & sarathisahoo@gmail.com JavaScript is the lingua-franca of Web 2.0 and, recently,

More information

WebGoat for testing your Application Security tools

WebGoat for testing your Application Security tools WebGoat for testing your Application Security tools NAISG-DFW February 28 th, 2012 Michael A Ortega, CISSP CEH CISM GCFA Sr Application Security Professional IBM Security Systems 312.523.1538 maortega@us.ibm.com

More information

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities

More information

Tutta la formazione che cerchi, su misura per te.

Tutta la formazione che cerchi, su misura per te. Implementing and Administering Internet Information Services (IIS) 6.0 MOC2576-3 Giorni - 1.190.000 + iva Prerequisiti Almeno due anni di esperienza nell amministrazione di sistemi basati su Windows Servers:

More information

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org

More information

D. Best Practices D.1. Assurance The 5 th A

D. Best Practices D.1. Assurance The 5 th A Best Practices I&C School Prof. P. Janson September 2014 D. Best Practices D.1. Assurance The 5 th A 1 of 20 IT systems are insecure for two main reasons: People are fallible and systems are complex and

More information

SAST, DAST and Vulnerability Assessments, 1+1+1 = 4

SAST, DAST and Vulnerability Assessments, 1+1+1 = 4 SAST, DAST and Vulnerability Assessments, 1+1+1 = 4 Gordon MacKay Digital Defense, Inc. Chris Wysopal Veracode Session ID: Session Classification: ASEC-W25 Intermediate AGENDA Risk Management Challenges

More information

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST. CENTER FOR ADVANCED SECURITY TRAINING 619 Advanced SQLi Attacks and Countermeasures Make The Difference About Center of Advanced Security Training () The rapidly evolving information security landscape

More information

Strategic Information Security. Attacking and Defending Web Services

Strategic Information Security. Attacking and Defending Web Services Security PS Strategic Information Security. Attacking and Defending Web Services Presented By: David W. Green, CISSP dgreen@securityps.com Introduction About Security PS Application Security Assessments

More information

METHODS TO TEST WEB APPLICATION SCANNERS

METHODS TO TEST WEB APPLICATION SCANNERS METHODS TO TEST WEB APPLICATION SCANNERS Fernando Román Muñoz, Luis Javier García Villalba Group of Analysis, Security and Systems (GASS) Department of Software Engineering and Artificial Intelligence

More information

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006 Introduction to Web Application Security Microsoft CSO Roundtable Houston, TX September 13 th, 2006 Overview Background What is Application Security and Why Is It Important? Examples Where Do We Go From

More information

Web Application Vulnerabilities

Web Application Vulnerabilities Securing Web Applications with Information Flow Tracking with Michael Martin, Benjamin Livshits, John Whaley, Michael Carbin, Dzin Avots, Chris Unkel Web Application Vulnerabilities 50% databases had a

More information

IBM Security Services

IBM Security Services IBM Security Services - Penetration Testing - July 15, 2014 12014 IBM Corporation THE EVOLVING THREAT LANDSCAPE 2 Success in today s dynamic, data driven global marketplace requires effective enterprise

More information

Web Application Security How to Minimize Prevalent Risk of Attacks

Web Application Security How to Minimize Prevalent Risk of Attacks guide: Web Application Security How to Minimize Prevalent Risk of Attacks Table of Contents I. Summary II. Primer on Web App Security III. Types of Web App Vulnerabilities IV. Detecting Web App Vulnerabilities

More information

Establishing a Continuous Process for PCI DSS Compliance

Establishing a Continuous Process for PCI DSS Compliance Establishing a Continuous Process for PCI DSS Compliance Visa, MasterCard, American Express, and other payment card companies currently require all U.S. merchants accepting credit card payments to comply

More information

IJMIE Volume 2, Issue 9 ISSN: 2249-0558

IJMIE Volume 2, Issue 9 ISSN: 2249-0558 Survey on Web Application Vulnerabilities Prevention Tools Student, Nilesh Khochare* Student,Satish Chalurkar* Professor, Dr.B.B.Meshram* Abstract There are many commercial software security assurance

More information

Passing PCI Compliance How to Address the Application Security Mandates

Passing PCI Compliance How to Address the Application Security Mandates Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These

More information

Turning the Battleship: How to Build Secure Software in Large Organizations. Dan Cornell May 11 th, 2006

Turning the Battleship: How to Build Secure Software in Large Organizations. Dan Cornell May 11 th, 2006 Turning the Battleship: How to Build Secure Software in Large Organizations Dan Cornell May 11 th, 2006 Overview Background and key questions Quick review of web application security The web application

More information

Magento Security and Vulnerabilities. Roman Stepanov

Magento Security and Vulnerabilities. Roman Stepanov Magento Security and Vulnerabilities Roman Stepanov http://ice.eltrino.com/ Table of contents Introduction Open Web Application Security Project OWASP TOP 10 List Common issues in Magento A1 Injection

More information

Tecnologie e Protocolli per Internet 1 Introduzione al NAT Network Address Translation

Tecnologie e Protocolli per Internet 1 Introduzione al NAT Network Address Translation Tecnologie e Protocolli per Internet 1 Introduzione al NAT Network Address Translation Prof. Stefano Salsano e-mail: stefano.salsano@uniroma2.it AA2012/13 Blocco 10 Le slides di questo blocco sono tratte

More information

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research National Information Security Group The Top Web Application Hack Attacks Danny Allan Director, Security Research 1 Agenda Web Application Security Background What are the Top 10 Web Application Attacks?

More information

Building a Mobile App Security Risk Management Program. Copyright 2012, Security Risk Advisors, Inc. All Rights Reserved

Building a Mobile App Security Risk Management Program. Copyright 2012, Security Risk Advisors, Inc. All Rights Reserved Building a Mobile App Security Risk Management Program Your Presenters Who Are We? Chris Salerno, Consultant, Security Risk Advisors Lead consultant for mobile, network, web application penetration testing

More information

AppDefend Application Firewall Overview

AppDefend Application Firewall Overview AppDefend Application Firewall Overview May 2014 Stephen Kost Chief Technology Officer Integrigy Corporation Agenda Web Application Security AppDefend Overview Q&A 1 2 3 4 5 Oracle EBS Web Architecture

More information

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global

More information

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top

More information

Copyright 2006. Watchfire Corporation. All Rights Reserved.

Copyright 2006. Watchfire Corporation. All Rights Reserved. AppScan Frequently Asked Technical Questions 1. How is AppScan different from other web application scanners? (p. 2) 2. How do I know if I ve covered all of my applications? (p. 3) 3. How is AppScan different

More information

GOVERNMENT OF MAHARASHTRA

GOVERNMENT OF MAHARASHTRA GOVERNMENT OF MAHARASHTRA DIRECTORATE OF INFORMATION TECHNOLOGY GENERAL ADMINISTRATION DEPARTMENT 7 th Floor, Mantralaya, Mumbai-400 032 DIT 2012/CR 188/39 Dated: 5 th July, 2012 Addendum I: With effect

More information

8070.S000 Application Security

8070.S000 Application Security 8070.S000 Application Security Last Revised: 02/26/15 Final 02/26/15 REVISION CONTROL Document Title: Author: File Reference: Application Security Information Security 8070.S000_Application_Security.docx

More information

Primiano Tucci Università di Bologna

Primiano Tucci Università di Bologna Hard real-time meets embedded multicore NIOS SoPCs Primiano Tucci Università di Bologna DEIS Dipartimento di Elettronica, Informatica e Sistemistica Il paradigma System on (Programmable) Chip come fattore

More information

VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES. AUTHOR: Chema Alonso

VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES. AUTHOR: Chema Alonso VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES AUTHOR: Chema Alonso Informática 64. Microsoft MVP Enterprise Security Hello and welcome to Intypedia.

More information