elearning for Secure Application Development

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "elearning for Secure Application Development"

Transcription

1 elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security Testing Series 10 Leaders and Managers Series Aspect Security, Inc.

2 Application Security Awareness Series This series covers fundamental application security principles. Modules cover specific security controls Input Validation, Access Control, Authenticating Users, Protecting Sensitive Data and more giving learners a solid foundation in application security essentials. 100 Introduction to Application Security [12:01 minutes] Understand software application risks and review the outline of a practical application security program. Learn to cost-effectively produce and deploy secure applications. Additionally, uncover the common challenges an organization faces when it starts to address application security. 110 Input Validation [15:57 minutes] This module defines input validation, provides basics for verifying whether an application is vulnerable to input validation attacks, and discusses common techniques for defending against these attacks. To benefit fully from this module, students should be familiar with the basic workings of web applications, including HTML and HTTP. 120 Access Control [18:41 minutes] Learn how to limit the access of authenticated users to the resources and functions in your web application. Basic techniques to verify that an application is free from access control vulnerabilities are provided, along with attack defense methods. To benefit fully from this module, students should understand the basics of authentication. 130 Authenticating Users [27:26 minutes] User authentication is defined, common attacks and vulnerabilities are discussed, and strategies to defend against attacks and avoid vulnerabilities are provided. Credentials, cookies, sessions, and user management are covered. To benefit fully from this module, students should be familiar with the basics workings of web applications, including HTML and HTTP. 140 Error Handling and Security Logging [14:08 minutes] Learn about basic error handling patterns to prevent information leakage and denial of service. Proper logging techniques are described to ensure a complete security record. Understand how to implement simple intrusion detection techniques to make your applications more resistant to attack. 150 Protecting Sensitive Data [17:11 minutes] Basic techniques for protecting particularly sensitive or regulated data, such as credit card information, social security numbers, and healthcare data are addressed. Learn how to verify that your applications protect the sensitive data that they process. The basics of key management, encryption algorithms, hashing, and secure random number generation are covered Aspect Security, Inc. elearning for Secure Application Development Curriculum 1

3 160 Securing Communications [19:22 minutes] Security concerns related to transporting data across a network, both on the front end and with backend services are discussed. We introduce basic security controls for these connections, including: SSL, authentication, access control, and data encryption. To benefit fully from this module, students should be familiar with the basic workings of web applications, including HTML and HTTP, and understand the basics of session management. 180 Buffer Overflows [41:35 minutes] Buffer Overflows, sometimes called Buffer Overruns, are one of the most common and dangerous software vulnerabilities. Verify if an application is vulnerable to buffer overflow attacks and learn common techniques for defending against this category of attacks. To fully benefit from this module, students should have an advanced understanding of Input Validation as well as a basic understanding of programming languages that can suffer from buffer overflow vulnerabilities, primarily C and C Mobile Application Security Top 5 Risks [15:10 minutes] Mobile application backends may, at times, be easier to attack than their standard web counterparts because their entire user interface is on the mobile device, making it harder for developers to recognize what must be protected. This module will provide an understanding of the Top 5 categories of risks against mobile applications, as well as how to defend against, reduce or eliminate risks. Areas of focus include protecting sensitive data; server side controls; device authentication and authorization controls; session management; and cryptography. Secure Software Development Series This series covers the OWASP Top Ten 2013 and fulfills the training requirement mandated by PCI/DSS. Vulnerability areas Cross-Site Scripting (XSS), SQL Injection, Clickjacking, and others are reviewed. Prevention and removal techniques for each vulnerability area are covered as well. We teach the most cost-effective testing, prevention and remediation techniques. Specific platforms and technologies are addressed, including Java,.NET, Mobile, AJAX, Rich Internet Applications and Web Services. Validating User Input 211 Input Validation Strategy [30:42 minutes] Receive an overview of basic defenses against input manipulation and injection attacks. Strategies discussed include: minimizing input to the application, validating incoming data, and sanitizing outgoing data. A review of the common pitfalls of input validation (such as relying on client-side validation, missing canonicalization, and inconsistent application of input validation) provides students with insight to facilitate exploring new strategies. To benefit fully from the module, students should be familiar with the basic workings of web applications, including HTML and HTTP. elearning for Secure Application Development Curriculum 2

4 212 Preventing Injection Attacks [20:28 minutes] Students are introduced to injection flaws, examples of common injection attacks, and basic defenses against injection. Key concepts including interpreters, common injection vulnerability patterns, injection attacks and defenses, utilizing static commands, and more are explained. Basic knowledge of SQL, HTML, XML, and command line shells is helpful but not required. 213 Preventing XSS Vulnerabilities [20:56 minutes] This module details different types of Cross-Site Scripting (XSS) vulnerabilities and how they can be exploited. Discover how to find XSS flaws and evaluate their exploitability. Learn prevention strategies, including how to properly escape output in different contexts in HTML. 214 Using Canonicalization and Encoding [23:22 minutes] This introduction to canonicalization and encoding covers why proper decoding and encoding is critical to performing effective input validation and identifying attacks. To benefit fully from this module, students should be familiar with the basics of input validation and defending against injection attacks. 215 Performing Secure File Uploads and Downloads [12:11 minutes] The complexities of implementing file upload and download securely in a web application are addressed. Validating upload requests, storing files carefully, and testing file and upload features for vulnerabilities are covered. Students should be familiar with HTTP and basic input validation techniques. 216 Preventing Header Injection [18:06 minutes] Problems related to HTTP header injection and attack consequences are presented. We discuss techniques to verify whether an application is vulnerable to header injection and how to defend against these attacks. To fully benefit from this module, students should be familiar with HTTP and injection techniques. 226 Unsafe Redirects and Forwards [17:29 minutes] Common security weaknesses related to sending redirect responses through the browser, such as using untrusted information in the location and disclosing sensitive information, are illustrated. Access control concerns associated with performing server side forwards are covered. Students should understand the basics of HTTP and input validation. 331 Understanding DOM-Based XSS [14:38 minutes] Understand DOM-Based XSS, a specific type of Cross-Site Scripting (XSS) vulnerability. Learn how to recognize this vulnerability and prevent it from appearing in your code. For maximum understanding of this module, students should be familiar with Reflected and Stored XSS. elearning for Secure Application Development Curriculum 3

5 Controlling Access 221 Access Control Strategy [16:56 minutes] Approaches for defining and enforcing access control policies are introduced. Access control core concepts are discussed and applied to typical web application architectures, including enforcing access control at the URL, business logic, data, and presentation layers. Techniques for verifying application access control implementations are also discussed. To fully benefit from this module, students should be familiar with the basics of authentication. 222 Presentation Layer Access Control [12:35 minutes] Understanding that presentation layer access control does not provide protection against attack is a critical concept for developers. Learn to identify potential holes in the presentation layer that can be exploited and defend against those attacks. Topics covered include forced browsing and direct object references. To fully benefit from this module, students should be familiar with access control strategy. 223 URL Access Control [19:10 minutes] Effective strategies for performing access control at the URL layer are presented. Techniques are demonstrated for verifying that your application s URL based access control implementation is robust. Common attacks like forced browsing are shown. To fully benefit from this module, students should be familiar with HTTP and access control strategy. 224 Business Layer Access Control [17:26 minutes] Techniques to enforce access control for business functions are presented. Students will learn how to verify business layer access control through testing and code review. In addition, learn to implement business layer protections in a simple, structured way. To fully benefit from this module, students should be familiar with access control strategy. 225 Implementing Data Layer Access Control [12:02 minutes] Learn to secure sensitive data stored by your application from attackers. Data access control is a security mechanism that ensures that users are only allowed to access authorized data based on the user s identity, roles, and/or permissions. Common attacks on application data and strategies for defending against them are discussed. Students should be familiar with access control strategy. 227 Clickjacking [14:03 minutes] Learn various approaches for defending against Clickjacking (a common attack where attackers frame pages from other sites to trick users into unwittingly clicking on those pages). Prevent your pages from being framed with framebreaking scripts and a X-Frame-Options header. elearning for Secure Application Development Curriculum 4

6 Authenticating Users 231 Authentication Strategy [17:26 minutes] Understand the various techniques used by web applications to authenticate users and handle identity. Strengths and weaknesses associated with different authentication schemes are examined, recommendations to minimize authentication vulnerabilities are provided, and techniques to verify authentication schemes are shown. To benefit fully from this module, students should be familiar with the basic workings of web applications, HTTP, and sessions. 232 Understanding HTTP Authentication Schemes [17:50 minutes] This module explores BASIC authentication, form-based authentication, and the proper use of sessions. Prevalent attacks on these authentication schemes including brute force attacks, session hijacking, and session fixation are discussed. Students will learn best practices to protect authentication schemes from attack. To fully benefit from this module, students should understand HTTP and sessions. 233 Secure Session Management [16:36 minutes] Session hijacking allows user sessions to be completely taken over by an attacker. Students will learn how to determine if applications are vulnerable to session attacks and how to defend against these attacks. To fully benefit from this module, students should be familiar with HTTP and authentication strategy. 234 Protecting Credentials [17:43 minutes] Understand how to protect authentication credentials that are used by users, applications, and even systems. Learn attack techniques as well as how to defend your application against improper credential protection. 235 Managing Identity within an Application [13:03 minutes] Information about users must be managed correctly both in the application and in security controls. This module will review identity management and implementation. To benefit fully from this module, students should have a basic understanding of authentication strategy. 236 Preventing Forged Requests (CSRF) [14:17 minutes] Cross-Site Request Forgery (CSRF) allows an attacker to trick a victim s browser into issuing requests to a vulnerable web application. Learn basic techniques to check applications for CSRF vulnerabilities and defend against attacks. To benefit fully from this module, students should be familiar with the basic workings of web applications, including HTML and HTTP. They should also understand the basics of authentication and session management. elearning for Secure Application Development Curriculum 5

7 Error Handling and Security Logging 241 Handling Security Errors and Detecting Attacks [11:20 minutes] This module provides guidance on how to securely handle exceptions (including security exceptions) as well as how to avoid leaking implementation details to attackers. Learn to establish a security exception hierarchy and a general error handling scheme, as well as strategies for generating safe error messages and detecting intrusions. 242 Effective Security Logging [15:30 minutes] Create effective security logs that can be used to identify and triage attacks. Learn which events to log, what to log for each event and how to verify proper logging implementation. Ensuring accountability and using logs for forensics and are discussed. Protecting Sensitive Data 251 Introduction to Cryptography [15:48 minutes] Cryptography basics are presented including: the fundamentals of using keys and algorithms to securely encrypt data; key management; hashing; digital signatures; and random numbers. This module provides a foundation for the Using Cryptography Securely module (252). 252 Using Cryptography Securely [16:04 minutes] Basic cryptographic techniques to encrypt and hash data for security purposes are addressed with a focus on using standard approved cryptographic libraries securely, rather than creating custom cryptographic code. Common vulnerabilities associated with the use of encryption are discussed including credential handling, failure to encrypt sensitive data, algorithm choice, and more. 253 X.509 Certificates [25:35 minutes] X.509 Certificates are the most common type of digital certificate. Learn the structure and key elements of X.509 certificates, understand the Key and Certificate lifecycle, install and properly protect certificates, and more. 261 Using SSL [18:07 minutes] While the concepts of SSL/TLS are known to many, the details and security specific decisions of implementation are often poorly understood, leading to insecure deployments. Learn to properly implement, test and verify SSL/TLS in an application to protect data in transit. Particular focus is given to the transitions between secure and insecure parts of an application. To benefit fully from this module, students should be familiar with the basic workings of HTTP, cryptography, and certificates. elearning for Secure Application Development Curriculum 6

8 262 Securing Cookie Use [21:38 minutes] A cookie is a short text string sent by web applications to maintain state in the browser. Protecting this state and understanding the limitations of cookie protection are critical to web application security. This module covers common attacks against cookies and details the use of protection mechanisms such as the Secure and HttpOnly flags as well as encryption and integrity seals. To benefit fully from this module, students should be familiar with the basic workings of web applications, including HTML and HTTP. 263 Using Services Securely [20:57 minutes] Understand the risks and necessary controls to use backend services from a web application securely. Topics include the importance of securing services; handling authentication and access control with services; and performing input validation with services. Additionally, learn to securely transmit and store data via services and verify that service use is secure. Students should have some background in security fundamentals. 264 Using SSL with Java &.NET [22:48 minutes] Understand the relationship between server and client side certificates and private keys. Get acquainted with commonly used, publicly available SSL libraries for Java and.net as well as how to properly use them. Learn how to install and protect client and server side certificates and private keys in both Java and.net. Platform Specific 281 Introduction to Secure Coding for Rich Internet Applications [13:31 minutes] Understand the security threats to all stakeholders (server to client, client to server, client to client) in an RIA. Learn the guidelines for developing and deploying safer code for your applications. Students should have a basic background in RIA technology and foundational knowledge of security. 282 Introduction to Secure Coding for AJAX Applications [15:54 minutes] Understand the challenges of securing AJAX-enabled web applications. In addition to securing the server using traditional web security techniques, the AJAX interface (which fields XML HTTP requests) must be protected. Learn how to minimize attack surfaces, control access to data and functions, protect against injection, and prevent forged requests. To benefit fully from this module, students should be familiar with the basic workings of AJAX applications including XHR and HTTP. 283 Introduction to Secure Coding for Java EE Applications [17:36 minutes] Secure Java applications by using a set of standard security controls to avoid the five most critical security vulnerabilities. Additionally, learn to test the security of these applications. To benefit fully from this module, students should be familiar with the basic workings of web applications, including HTML and HTTP. Knowledge of Java web technology is also required. elearning for Secure Application Development Curriculum 7

9 284 Introduction to Secure Coding for.net Applications [26:35 minutes] Understand the risks associated with.net software applications, basic methods of secure coding, and how to test applications. Focus areas include: the need for security controls, the five most critical security areas for.net applications, and how to verify the security of those applications. To benefit fully from this module, students should be familiar with the basic workings of web applications, including HTML and HTTP. Knowledge of.net web technology is also required. Web Services 291 Introduction to Web Services Security [17:41 minutes] Web services, common web service architectural styles, and the security standards available to each style of web service are introduced. WSDLs and the security issues surrounding their use and dissemination are explained in detail. Recommended architectures for providing security services within a web service are provided. To benefit fully from this module, students should be familiar with the basic workings of web applications and web services including XML and HTTP. An understanding of the basics of authentication, access control, and session management are also required. 292 Web Services Authentication and Authorization [20:03 minutes] Understand the challenges of authenticating and authorizing web service requests. Web authentication models are discussed along with how to leverage WS-Security to include practically any kind of authentication token. Learn how to use the same techniques for providing access control as in a typical web application. Additionally, understand how to use WS-Security to include authorization tokens, typically SAML assertions, in SOAP requests to provide access control. Mobile Application Secuirty 313 Top 5 ios Application Risks [28:31 minutes] Learn to implement the security controls necessary to mitigate the top five critical security risks facing ios applications. Mobile applications can be especially vulnerable, as most utilize typical web application technologies that routinely have significant vulnerabilities. And while ios applications may share a backend server with more traditional web applications, client-side concerns are different. In this module, understand ios development and security models to deliver the most secure native mobile applications possible. 314 Top 5 Android Application Risks [26:42 minutes] Mitigate the top five critical security risks facing Android applications. Mobile applications can be especially vulnerable, as most utilize typical web application technologies that routinely have significant vulnerabilities. And while Android applications may share a backend server with more traditional web applications, client-side concerns are different. In this module, understand Android development and security models to deliver the most secure native mobile applications possible. elearning for Secure Application Development Curriculum 8

10 Secure Architectures and Threat Modeling Series Designed for developers and security architects, we teach a structured approach to threat modeling that enables you to identify, quantify and address the security risks associated with an application. This enables teams to map to business requirements and secure application architectures. We also demonstrate how to harden web and application servers, development platforms and frameworks. 170 Hardening Application Platforms and Frameworks [27:33 minutes] Get a high-level understanding of the techniques used to harden application platforms, including the application framework, application server, web server and host layers. Students should be familiar with the basic workings of web applications, particularly in the deployment environment. 271 Hardening Web Servers [11:51 minutes] Understand hardening concepts and how to determine when and what hardening changes to make to your web server. Consider how to adapt to the requirements, risks and constraints of your situation with a prioritized, risk-management approach to hardening changes. 272 Hardening Application Servers [09:07 minutes] Actions required to harden a web application server, including configuration options, are addressed with a focus on when and what hardening changes to make to your application server. Consider how to adapt to the requirements, risks and constraints of your situation. 273 Using Components Securely [11:29 minutes] The use of components during application development has surged. Minimize your security risks when using libraries and learn to identify components with known vulnerabilities. Understand how to develop a component inventory to use across applications and update components with known vulnerabilities. 311 Understanding Mobile Application Threats [13:00 minutes] Learn the threats to mobile computing and how to apply existing application security principles to the mobile environment. We explore vectors like location-based attacks, SMS, Bluetooth, contacts, photos, purchasing, and calls. Designed for mobile developers, testers, and architects, this module will get you started on managing the security of your mobile applications. 420 Threat Modeling and Security Architecture Review [17:29 minutes] Threat modeling and security architecture reviews are efficient and effective methods to identify vulnerabilities throughout the software development lifecycle. We provide a framework to organize security controls, threat agents, business functions and more in order to make security visible. Students should have a high-level understanding of application security attack vectors as well as security verification processes and techniques. elearning for Secure Application Development Curriculum 9

11 Application Security Testing Series Designed for testers and application security staff, we explain how to leverage the strengths of static, dynamic and runtime testing tools in conjunction with manual code review and penetration testing. 101 Introduction to Application Security Verification [10:06 minutes] Get an introduction to application security verification, the process of ensuring that an application (or group of applications) uses appropriate security controls properly and does not contain vulnerabilities. Learn the benefits of a positive approach to application security verification. Understand the differences between security verification and penetration testing, the techniques used in security verification, and how tools can be incorporated into your process. 410 Security Verification Methodology [13:22 minutes] Understand various techniques for verifying the security of an application. Compare automated tools and manual approaches, as well as the differences between Static, Dynamic and Runtime verification. Learn to mix and match these techniques, using automation when possible, to verify the security of an application effectively. Students will also learn what s involved in scoping reviews, rating risks and writing findings. Students should have a working understanding of common application security issues. 411 Effective Security Testing [13:49 minutes] Learn a proven, repeatable process for scoping, structuring, executing, and documenting an application security test. Understand how to plan the resources and access you need, identify application security testing targets, design your tests, and report on the results. Consider time and resource constraints, where tools can be leveraged and more. To benefit fully from this module, students should understand common vulnerabilities and security verification methodologies. 412 Effective Security Code Review [19:42 minutes] Understand the goals of an effective code review and how to plan a tailored code review strategy. Learn how tools complement manual processes. Hear strategies to effectively review large-scale enterprise applications. To get the most out of this module, students should also have completed prior modules on or have an advanced understanding of authentication strategy, enforcing access control, and input validation. elearning for Secure Application Development Curriculum 10

12 Leaders and Managers Series With security breaches on the rise, engineering management and software development leaders must learn about the reality of today s threat landscape. We discuss the software development life cycle (SDLC) and how to infuse secure application development into your processes. 102 Introduction to the Secure Development Lifecycle [12:48 minutes] Approaches to integrate security into the software development lifecycle (SDLC) are discussed. Consider how to reduce your risk to an acceptable level, deploy applications securely and use standard security controls. Key foundations and activities that development teams can use during design and development to produce secure code are introduced. Topics include security architecture, standard controls, secure delivery and more. 103 Introduction to Managing Application Security [23:02 minutes] Learn to manage application security using a balanced approach. Aimed at technical leaders and managers, this module introduces the key areas of application security: foundation, implementation, verification, and management. Build security into the development lifecycle, manage ongoing improvements to the process and enable your developers to procure and produce secure software. 421 Application Security Risk Management [14:58 minutes] Application Security Risk Management is the cornerstone of a successful application security program. Learn to identify key application risk management standards so that your organization stakeholders agree on the fundamentals. Understand how to identify and prioritize your application portfolio. Finally, understand how to produce compelling dashboards that make application security visible within your organization. To fully benefit from this module, you should have a basic understanding of Security Verification and the Software Development Lifecycle. 450 Integrating Security into Waterfall Projects [22:18 minutes] Explore methods of integrating security activities into a waterfall-style project. Understand how to integrate key security activities throughout the development lifecycle, from threat modeling to secure deployment and operation. Learn efficient approaches to reduce security risks to an acceptable level and build assurance evidence of an application s security posture. To fully benefit from this module, students should have a working understanding of application security issues and software development processes. 460 Integrating Security into Agile Projects [19:09 minutes] The sprint structure of Agile projects makes them challenging for traditional approaches to application security, which track the stages in waterfall-style. Understand how to integrate security into Agile projects: learn how to establish agile secure foundations, integrate security activities into sprints, and develop job aids to expedite the process. Students should have a working understanding of application security issues and Agile software methods. elearning for Secure Application Development Curriculum 11

13 IT S TIME TO LEARN Contact a Training Specialist Today Call or About Aspect Security Aspect Security protects the software that runs your business. Let us help your organization establish enterprise-wide application security strategies, from risk modeling to regulatory compliance to automation, that are tailored to your needs. We ve worked with organizations worldwide, protecting critical applications in the government, defense, financial, healthcare, services and retail sectors. Let us bring that experience to bear on your environment. We deliver on time, on budget and with an exceptional level of commitment. Contact us today to discuss how we can help you. Aspect Security, Inc Guilford Road, Suite 300 Columbia, MD Aspect Security, Inc.

Where every interaction matters.

Where every interaction matters. Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper

More information

Criteria for web application security check. Version 2015.1

Criteria for web application security check. Version 2015.1 Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-

More information

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top

More information

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that

More information

JVA-122. Secure Java Web Development

JVA-122. Secure Java Web Development JVA-122. Secure Java Web Development Version 7.0 This comprehensive course shows experienced developers of Java EE applications how to secure those applications and to apply best practices with regard

More information

Strategic Information Security. Attacking and Defending Web Services

Strategic Information Security. Attacking and Defending Web Services Security PS Strategic Information Security. Attacking and Defending Web Services Presented By: David W. Green, CISSP dgreen@securityps.com Introduction About Security PS Application Security Assessments

More information

Magento Security and Vulnerabilities. Roman Stepanov

Magento Security and Vulnerabilities. Roman Stepanov Magento Security and Vulnerabilities Roman Stepanov http://ice.eltrino.com/ Table of contents Introduction Open Web Application Security Project OWASP TOP 10 List Common issues in Magento A1 Injection

More information

Enterprise Application Security Workshop Series

Enterprise Application Security Workshop Series Enterprise Application Security Workshop Series Phone 877-697-2434 fax 877-697-2434 www.thesagegrp.com Defending JAVA Applications (3 Days) In The Sage Group s Defending JAVA Applications workshop, participants

More information

Spigit, Inc. Web Application Vulnerability Assessment/Penetration Test. Prepared By: Accuvant LABS

Spigit, Inc. Web Application Vulnerability Assessment/Penetration Test. Prepared By: Accuvant LABS Web Application Vulnerability Assessment/enetration Test repared By: Accuvant LABS November 20, 2012 Web Application Vulnerability Assessment/enetration Test Introduction Defending the enterprise against

More information

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability

More information

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities

More information

(WAPT) Web Application Penetration Testing

(WAPT) Web Application Penetration Testing (WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:

More information

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus ASP.NET MVC Secure Coding 4-Day hands on Course Course Syllabus Course description ASP.NET MVC Secure Coding 4-Day hands on Course Secure programming is the best defense against hackers. This multilayered

More information

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Course Description Our web sites are under attack on a daily basis

More information

Adobe Systems Incorporated

Adobe Systems Incorporated Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...

More information

OWASP Top Ten Tools and Tactics

OWASP Top Ten Tools and Tactics OWASP Top Ten Tools and Tactics Russ McRee Copyright 2012 HolisticInfoSec.org SANSFIRE 2012 10 JULY Welcome Manager, Security Analytics for Microsoft Online Services Security & Compliance Writer (toolsmith),

More information

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Detecting Web Application Vulnerabilities Using Open Source Means OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Kostas Papapanagiotou Committee Member OWASP Greek Chapter conpap@owasp.gr

More information

Hack Proof Your Webapps

Hack Proof Your Webapps Hack Proof Your Webapps About ERM About the speaker Web Application Security Expert Enterprise Risk Management, Inc. Background Web Development and System Administration Florida International University

More information

What is Web Security? Motivation

What is Web Security? Motivation brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web

More information

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org

More information

05.0 Application Development

05.0 Application Development Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development

More information

Development. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group,

Development. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group, Secure and Resilient Software Development Mark S. Merkow Lakshmikanth Raghavan CRC Press Taylor& Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor St Francis Group, an Informs

More information

Promoting Application Security within Federal Government. AppSec DC November 13, 2009. The OWASP Foundation http://www.owasp.org

Promoting Application Security within Federal Government. AppSec DC November 13, 2009. The OWASP Foundation http://www.owasp.org Promoting Application Security within Federal Government AppSec DC November 13, 2009 Dr. Sarbari Gupta, CISSP, CISA Founder/President Electrosoft sarbari@electrosoft-inc.com 703-437-9451 ext 12 The Foundation

More information

Interactive Application Security Testing (IAST)

Interactive Application Security Testing (IAST) WHITEPAPER Interactive Application Security Testing (IAST) The World s Fastest Application Security Software Software affects virtually every aspect of an individual s finances, safety, government, communication,

More information

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6 WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL Ensuring Compliance for PCI DSS 6.5 and 6.6 CONTENTS 04 04 06 08 11 12 13 Overview Payment Card Industry Data Security Standard PCI Compliance for Web Applications

More information

Attack Vector Detail Report Atlassian

Attack Vector Detail Report Atlassian Attack Vector Detail Report Atlassian Report As Of Tuesday, March 24, 2015 Prepared By Report Description Notes cdavies@atlassian.com The Attack Vector Details report provides details of vulnerability

More information

Web Application Security

Web Application Security Web Application Security A Beginner's Guide Bryan Sullivan Vincent Liu Mc r New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto Contents

More information

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP) Title: Functional Category: Information Technology Services Issuing Department: Information Technology Services Code Number: xx.xxx.xx Effective Date: xx/xx/2014 1.0 PURPOSE 1.1 To appropriately manage

More information

Integrating Security Testing into Quality Control

Integrating Security Testing into Quality Control Integrating Security Testing into Quality Control Executive Summary At a time when 82% of all application vulnerabilities are found in web applications 1, CIOs are looking for traditional and non-traditional

More information

Hacking Web Apps. Detecting and Preventing Web Application Security Problems. Jorge Blanco Alcover. Mike Shema. Technical Editor SYNGRESS

Hacking Web Apps. Detecting and Preventing Web Application Security Problems. Jorge Blanco Alcover. Mike Shema. Technical Editor SYNGRESS Hacking Web Apps Detecting and Preventing Web Application Security Problems Mike Shema Technical Editor Jorge Blanco Alcover AMSTERDAM BOSTON HEIDELBERG LONDON NEW YORK OXFORD PARIS SAN DIEGO SAN FRANCISCO

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

Establishing a Continuous Process for PCI DSS Compliance

Establishing a Continuous Process for PCI DSS Compliance Establishing a Continuous Process for PCI DSS Compliance Visa, MasterCard, American Express, and other payment card companies currently require all U.S. merchants accepting credit card payments to comply

More information

Passing PCI Compliance How to Address the Application Security Mandates

Passing PCI Compliance How to Address the Application Security Mandates Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These

More information

Chapter 1 Web Application (In)security 1

Chapter 1 Web Application (In)security 1 Introduction xxiii Chapter 1 Web Application (In)security 1 The Evolution of Web Applications 2 Common Web Application Functions 4 Benefits of Web Applications 5 Web Application Security 6 "This Site Is

More information

ETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001

ETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001 001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110

More information

90% of data breaches are caused by software vulnerabilities.

90% of data breaches are caused by software vulnerabilities. 90% of data breaches are caused by software vulnerabilities. Get the skills you need to build secure software applications Secure Software Development (SSD) www.ce.ucf.edu/ssd Offered in partnership with

More information

Check list for web developers

Check list for web developers Check list for web developers Requirement Yes No Remarks 1. Input Validation 1.1) Have you done input validation for all the user inputs using white listing and/or sanitization? 1.2) Does the input validation

More information

Promoting Application Security within Federal Government. AppSec DC November 13, 2009. The OWASP Foundation http://www.owasp.org

Promoting Application Security within Federal Government. AppSec DC November 13, 2009. The OWASP Foundation http://www.owasp.org Promoting Application Security within Federal Government AppSec DC November 13, 2009 Dr. Sarbari Gupta, CISSP, CISA Founder/President Electrosoft sarbari@electrosoft-inc.com 703-437-9451 ext 12 The Foundation

More information

Secure development and the SDLC. Presented By Jerry Hoff @jerryhoff

Secure development and the SDLC. Presented By Jerry Hoff @jerryhoff Secure development and the SDLC Presented By Jerry Hoff @jerryhoff Agenda Part 1: The Big Picture Part 2: Web Attacks Part 3: Secure Development Part 4: Organizational Defense Part 1: The Big Picture Non

More information

Architectural Design Patterns. Design and Use Cases for OWASP. Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A. http://www.owasp.

Architectural Design Patterns. Design and Use Cases for OWASP. Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A. http://www.owasp. Architectural Design Patterns for SSO (Single Sign On) Design and Use Cases for Financial i Web Applications Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A. OWASP Copyright The OWASP Foundation Permission

More information

Sitefinity Security and Best Practices

Sitefinity Security and Best Practices Sitefinity Security and Best Practices Table of Contents Overview The Ten Most Critical Web Application Security Risks Injection Cross-Site-Scripting (XSS) Broken Authentication and Session Management

More information

Web Application Security

Web Application Security Web Application Security Kenneth Ingham and Anil Somayaji September 29, 2009 1 Course overview Web applications are essential to everything from embedded systems to e-commerce systems. This class looks

More information

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

More information

Software Assurance Tools: Web Application Security Scanner Functional Specification Version 1.0

Software Assurance Tools: Web Application Security Scanner Functional Specification Version 1.0 Special Publication 500-269 Software Assurance Tools: Web Application Security Scanner Functional Specification Version 1.0 Paul E. Black Elizabeth Fong Vadim Okun Romain Gaucher Software Diagnostics and

More information

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

Nuclear Regulatory Commission Computer Security Office Computer Security Standard Nuclear Regulatory Commission Computer Security Office Computer Security Standard Office Instruction: Office Instruction Title: CSO-STD-1108 Web Application Standard Revision Number: 1.0 Effective Date:

More information

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss Thinking Securely Security is a process, not

More information

Columbia University Web Security Standards and Practices. Objective and Scope

Columbia University Web Security Standards and Practices. Objective and Scope Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements

More information

.NET Secure Coding 5-Day Course. Course Syllabus

.NET Secure Coding 5-Day Course. Course Syllabus .NET Secure Coding 5-Day Course Course Syllabus Course description.net secure coding 5-day course Secure programming is the last line of defense against attacks targeted toward our systems. This course

More information

The Top Web Application Attacks: Are you vulnerable?

The Top Web Application Attacks: Are you vulnerable? QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding

More information

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences

More information

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp.

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp. and Top 10 (2007 Update) Dave Wichers The Foundation Conferences Chair dave.wichers@owasp.org COO, Aspect Security dave.wichers@aspectsecurity.com Copyright 2007 - The Foundation This work is available

More information

Application Security Testing

Application Security Testing Tstsec - Version: 1 09 July 2016 Application Security Testing Application Security Testing Tstsec - Version: 1 4 days Course Description: We are living in a world of data and communication, in which the

More information

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6 WHITE PAPER FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6 Ensuring compliance for PCI DSS 6.5 and 6.6 Page 2 Overview Web applications and the elements surrounding them

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must

More information

Web Application Penetration Testing

Web Application Penetration Testing Web Application Penetration Testing 2010 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Will Bechtel William.Bechtel@att.com

More information

Testing the OWASP Top 10 Security Issues

Testing the OWASP Top 10 Security Issues Testing the OWASP Top 10 Security Issues Andy Tinkham & Zach Bergman, Magenic Technologies Contact Us 1600 Utica Avenue South, Suite 800 St. Louis Park, MN 55416 1 (877)-277-1044 info@magenic.com Who Are

More information

WEB APPLICATION SECURITY

WEB APPLICATION SECURITY WEB APPLICATION SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part

More information

TEAM Academy Catalog. 187 Ballardvale Street, Wilmington, MA 01887 +1.978.694.1008 www.securityinnovation.com

TEAM Academy Catalog. 187 Ballardvale Street, Wilmington, MA 01887 +1.978.694.1008 www.securityinnovation.com TEAM Academy Catalog 187 Ballardvale Street, Wilmington, MA 01887 +1.978.694.1008 TEAM ACADEMY OVERVIEW 2 Table of Contents TEAM Academy Overview... 4 TEAM Professor Overview... 4 Security Awareness and

More information

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011 Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011 Agenda Evolving Threats Operating System Application User Generated Content JPL s Application Security Program Securing

More information

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current

More information

Application Code Development Standards

Application Code Development Standards Application Code Development Standards Overview This document is intended to provide guidance to campus system owners and software developers regarding secure software engineering practices. These standards

More information

DISA's Application Security and Development STIG: How OWASP Can Help You. AppSec DC November 12, 2009. The OWASP Foundation http://www.owasp.

DISA's Application Security and Development STIG: How OWASP Can Help You. AppSec DC November 12, 2009. The OWASP Foundation http://www.owasp. DISA's Application Security and Development STIG: How Can Help You AppSec DC November 12, 2009 Jason Li Senior Application Security Engineer jason.li@aspectsecurity.com The Foundation http://www.owasp.org

More information

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Standard: Data Security Standard (DSS) Requirement: 6.6 Date: February 2008 Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Release date: 2008-04-15 General PCI

More information

OWASP AND APPLICATION SECURITY

OWASP AND APPLICATION SECURITY SECURING THE 3DEXPERIENCE PLATFORM OWASP AND APPLICATION SECURITY Milan Bruchter/Shutterstock.com WHITE PAPER EXECUTIVE SUMMARY As part of Dassault Systèmes efforts to counter threats of hacking, particularly

More information

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker www.quotium.com 1/14 Summary Abstract 3 PCI DSS Statistics 4 PCI DSS Application Security 5 How Seeker Helps You Achieve PCI DSS

More information

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis Document Scope This document aims to assist organizations comply with PCI DSS 3 when it comes to Application Security best practices.

More information

Standard: Web Application Development

Standard: Web Application Development Information Security Standards Web Application Development Standard IS-WAD Effective Date TBD Email security@sjsu.edu # Version 2.0 Contact Mike Cook Phone 408-924-1705 Standard: Web Application Development

More information

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering How to break in Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering Time Agenda Agenda Item 9:30 10:00 Introduction 10:00 10:45 Web Application Penetration

More information

Certified Secure Web Application Secure Development Checklist

Certified Secure Web Application Secure Development Checklist www.certifiedsecure.com info@certifiedsecure.com Tel.: +31 (0)70 310 13 40 Loire 128-A 2491 AJ The Hague The Netherlands About Certified Secure Checklist Certified Secure exists to encourage and fulfill

More information

Automating Security Testing. Mark Fallon Senior Release Manager Oracle

Automating Security Testing. Mark Fallon Senior Release Manager Oracle Automating Security Testing Mark Fallon Senior Release Manager Oracle Some Ground Rules There are no silver bullets You can not test security into a product Testing however, can help discover a large percentage

More information

MANAGED SECURITY TESTING

MANAGED SECURITY TESTING MANAGED SECURITY TESTING SERVICE LEVEL COMPARISON External Network Testing (EVS) Scanning Basic Threats Penetration Testing Network Vulnerability Scan Unauthenticated Web App Scanning Validation Of Scan

More information

APPLICATION SECURITY AND ITS IMPORTANCE

APPLICATION SECURITY AND ITS IMPORTANCE Table of Contents APPLICATION SECURITY AND ITS IMPORTANCE 1 ISSUES AND FIXES: 2 ISSUE: XSS VULNERABILITIES 2 ISSUE: CSRF VULNERABILITY 2 ISSUE: CROSS FRAME SCRIPTING (XSF)/CLICK JACKING 2 ISSUE: WEAK CACHE

More information

IT Security & Compliance. On Time. On Budget. On Demand.

IT Security & Compliance. On Time. On Budget. On Demand. IT Security & Compliance On Time. On Budget. On Demand. IT Security & Compliance Delivered as a Service For businesses today, managing IT security risk and meeting compliance requirements is paramount

More information

Validation Procedure. ANNEX 4. Security Testing Basis

Validation Procedure. ANNEX 4. Security Testing Basis WP 3 - D3.4 Validation Procedure. ANNEX 4. Security Testing Basis Project Acronym: ExtremeFactories Full Title: Internet based environment implementing agile management methods for enabling the set-up,

More information

Rational AppScan & Ounce Products

Rational AppScan & Ounce Products IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168

More information

Six Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business

Six Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business 6 Six Essential Elements of Web Application Security Cost Effective Strategies for Defending Your Business An Introduction to Defending Your Business Against Today s Most Common Cyber Attacks When web

More information

Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers

Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers The Website can be developed under Windows or Linux Platform. Windows Development should be use: ASP, ASP.NET 1.1/ 2.0, and

More information

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006 Introduction to Web Application Security Microsoft CSO Roundtable Houston, TX September 13 th, 2006 Overview Background What is Application Security and Why Is It Important? Examples Where Do We Go From

More information

Application Reviews and Web Application Firewalls Clarified. Information Supplement: PCI Data Security Standard (PCI DSS) Requirement:

Application Reviews and Web Application Firewalls Clarified. Information Supplement: PCI Data Security Standard (PCI DSS) Requirement: Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls

More information

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities Thomas Moyer Spring 2010 1 Web Applications What has changed with web applications? Traditional applications

More information

Network Test Labs (NTL) Software Testing Services for igaming

Network Test Labs (NTL) Software Testing Services for igaming Network Test Labs (NTL) Software Testing Services for igaming Led by committed, young and dynamic professionals with extensive expertise and experience of independent testing services, Network Test Labs

More information

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction

More information

Lecture 11 Web Application Security (part 1)

Lecture 11 Web Application Security (part 1) Lecture 11 Web Application Security (part 1) Computer and Network Security 4th of January 2016 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 11, Web Application Security (part 1)

More information

Web Application Security Assessment and Vulnerability Mitigation Tests

Web Application Security Assessment and Vulnerability Mitigation Tests White paper BMC Remedy Action Request System 7.6.04 Web Application Security Assessment and Vulnerability Mitigation Tests January 2011 www.bmc.com Contacting BMC Software You can access the BMC Software

More information

Barracuda Web Site Firewall Ensures PCI DSS Compliance

Barracuda Web Site Firewall Ensures PCI DSS Compliance Barracuda Web Site Firewall Ensures PCI DSS Compliance E-commerce sales are estimated to reach $259.1 billion in 2007, up from the $219.9 billion earned in 2006, according to The State of Retailing Online

More information

Intrusion detection for web applications

Intrusion detection for web applications Intrusion detection for web applications Intrusion detection for web applications Łukasz Pilorz Application Security Team, Allegro.pl Reasons for using IDS solutions known weaknesses and vulnerabilities

More information

Using Foundstone CookieDigger to Analyze Web Session Management

Using Foundstone CookieDigger to Analyze Web Session Management Using Foundstone CookieDigger to Analyze Web Session Management Foundstone Professional Services May 2005 Web Session Management Managing web sessions has become a critical component of secure coding techniques.

More information

Web application testing

Web application testing CL-WTS Web application testing Classroom 2 days Testing plays a very important role in ensuring security and robustness of web applications. Various approaches from high level auditing through penetration

More information

OWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741

OWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741 OWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741 ME, MYSELF & I PHP Core Developer Author of Guide to PHP Security Security Aficionado THE CONUNDRUM USABILITY SECURITY YOU CAN HAVE ONE ;-) OPEN

More information

Certified Secure Web Application Security Test Checklist

Certified Secure Web Application Security Test Checklist www.certifiedsecure.com info@certifiedsecure.com Tel.: +31 (0)70 310 13 40 Loire 128-A 2491 AJ The Hague The Netherlands Certified Secure Checklist About Certified Secure exists to encourage and fulfill

More information

TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS

TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS Technical audits in accordance with Regulation 211/2011 of the European Union and according to Executional Regulation 1179/2011 of the

More information

IBM Rational AppScan: Application security and risk management

IBM Rational AppScan: Application security and risk management IBM Software Security November 2011 IBM Rational AppScan: Application security and risk management Identify, prioritize, track and remediate critical security vulnerabilities and compliance demands 2 IBM

More information

Security features of ZK Framework

Security features of ZK Framework 1 Security features of ZK Framework This document provides a brief overview of security concerns related to JavaScript powered enterprise web application in general and how ZK built-in features secures

More information

SECURITY EDUCATION CATALOGUE

SECURITY EDUCATION CATALOGUE SECURITY EDUCATION CATALOGUE i ii TABLE OF CONTENTS Introduction 2 Security Awareness Education 3 Security Awareness Course Catalogue 4 Security Awareness Course Builder 7 SAE Print Material 8 Secure Code

More information

Automatic vs. Manual Code Analysis

Automatic vs. Manual Code Analysis Automatic vs. Manual Code Analysis 2009-11-17 Ari Kesäniemi Senior Security Architect Nixu Oy ari.kesaniemi@nixu.com Copyright The Foundation Permission is granted to copy, distribute and/or modify this

More information

Web application security

Web application security Web application security Sebastian Lopienski CERN Computer Security Team openlab and summer lectures 2010 (non-web question) Is this OK? int set_non_root_uid(int uid) { // making sure that uid is not 0

More information

Web Application Report

Web Application Report Web Application Report This report includes important security information about your Web Application. Security Report This report was created by IBM Rational AppScan 8.5.0.1 11/14/2012 8:52:13 AM 11/14/2012

More information

Web Engineering Web Application Security Issues

Web Engineering Web Application Security Issues Security Issues Dec 14 2009 Katharina Siorpaes Copyright 2009 STI - INNSBRUCK www.sti-innsbruck.at It is NOT Network Security It is securing: Custom Code that drives a web application Libraries Backend

More information

Last update: February 23, 2004

Last update: February 23, 2004 Last update: February 23, 2004 Web Security Glossary The Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. The purpose of the Glossary is to

More information

1 0 0 V i l l a g e C o u r t H a z l e t, N J 0 7 7 3 0, U S A Tel: +1 (732) 416-7722 w w w. p a l i n d r o m e t e c h. c o m.

1 0 0 V i l l a g e C o u r t H a z l e t, N J 0 7 7 3 0, U S A Tel: +1 (732) 416-7722 w w w. p a l i n d r o m e t e c h. c o m. Impart Assurance Instill Trust Inspire Confidence Mike Stauffer Advanced mobile data networks and the promise of accessing mission critical apps anytime from anywhere are two reasons behind the increase

More information