Security in Network-Based Applications. ITIS 4166/5166 Network Based Application Development. Network Security. Agenda. References

Size: px
Start display at page:

Download "Security in Network-Based Applications. ITIS 4166/5166 Network Based Application Development. Network Security. Agenda. References"

Transcription

1 ITIS 4166/5166 Network Based Application Development Security in Network-Based Applications Anita Raja Spring 2006 Agenda Network Security. Application Security. Web Services Security. References Open Web Application Security Project (OWASP) Oasis (Organization for the Advancement of Structured Information Standards) Serious threats to Network Security Network Security Customized virus will evade popular virus scan programs: Virus immunology techniques may help, but there is no guarantee! Customized trojans. IDS and popular tools are generally ineffective. Attack techniques: Be noisy. Be quiet. Be clever. 1

2 Denial of service Noisy sync flooding. Typical denial of service starts with a hacked account (e.g. AOL surveys!). Synchronized attacks uses multiple staging points, very difficult to detect and deal with. Best defenses Educate users about password and common sense security precautions. Don t execute active MIME contents: Christmas cards etc. Security is a system engineering problem: the system is only as secure as its weakest link. Clear risk assessment. Turn off unwanted services: simplify, simplify and simplify. Best defenses Don t blindly use defaults! Upgrade software. Don t make information easily available. User education and more user education. Application Security Web applications Web application threats Web applications are pervasive: driver license renewal, grade entry, banking, trading stocks, airline reservation, hotel reservation, buying books, library. They are typically outside of firewalls. Data Database Backend systems frontend systems Web Server User interface code Invalid input Code Data Browser Flaws in Code, Web server, Front end system, Back end system or database ==> unauthorized access of privileged accounts, the OS, network, or sensitive data and may result in denial of services. 2

3 Common Hack Attacks 1. Hidden Field Manipulation 2. Parameter Tampering 3. Malicious Values 4. Cookie Poisoning 5. Stealth Commanding Hidden Field Manipulation Open the html page within HTML editor. Locate the hidden field (e.g., <type=hidden name=price value=99.95>. Modify content (e.g., <type=hidden name=price value=1.00>. Save the html file locally and browse it. Click buy button to perform electronic shop lifting via hidden manipulation. Parameter Tampering Input Malicious Values Failure to confirm the correctness of CGI parameters embedded in a hyper link can be easily used to break the site security. a search CGI may accept a template parameter Search.exe?template=result.html&q=security By replacing the template parameter, one may be able to obtain access to any file, e.g. Search.exe?template=/etc/passwd&q=security Original / Attacked Account File Cookie Poisoning Newly created user Injected user with admin priv. 3

4 Cookie Modification Gain Access of Other User Stealth Commanding The use of server side executions (e.g. eval or system Perl commands, SQL queries) enable someone to plant Trojanhorses in form submissions and run malicious or unauthorized commands: Example : Postcard site. User fills in a postcard sending form, including the recipient name. Site s the recipient with the postcard. CGI used for this purpose was written in Perl, and it had the following statement in it: open (MAIL, " $mailprog $recipient ). Replacing $recipient with the hacker will be mailed the password file. Shell commands can be executed as well by sending "x;rm -r /", deleting the entire site. Web Application Security Web application opens channels for HTTP requests. Attacks hidden within legal HTTP application requests will bypass firewalls, filters, intrusion detection. Secure web sites (https/ssl) only protects the channel. Web application code needs to be part of an organization s security perimeter. OWASP Top 10 Web Application Vulnerabilities 1. Unvalidated Input Common vulnerabilities that lead to compromise of information: A1 Unvalidated Input A2 Broken Access Control A3 Broken Authentication & Session Management A4 Cross-Site Scripting (XSS) Flaws A5 Buffer Overflows A6 Injection Flaws A7 Improper Error Handling A8 Insecure Storage A9 Denial of Service Information from web requests is not validated or filtered before being used by a web application. Attackers can use these flaws to attack backend components through a web application. Common types of attack: forced browsing command insertion cross site scripting buffer overflows format string attacks SQL injection cookie poisoning hidden field manipulation. A10 Insecure Configuration Management 4

5 Unvalidated Input May manipulate any part of HTTP Request: URL, query string, headers, cookies, form fields. Client-side validation is NOT sufficient. Unvalidated Input Countermeasure - Parameters should be validated against a positive specification that defines: Data type (string, integer, real, etc ). Allowed character set. Minimum and maximum length. Whether null is allowed. Whether the parameter is required or not. Whether duplicates are allowed. Numeric range. Specific legal values (enumeration). Specific patterns (regular expressions). Application Firewalls. 2. Broken Access Control Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to: Access other users accounts. View sensitive files. Use unauthorized functions. Broken Access Control Commonly Found Broken Access Control Issues Insecure Id s Using predictable ID, index, to access confidential data. Forced Browsing Past Access Control Checks Deep linking of administrative pages, skipping the authentication pages. Path Traversal The use of relative path (e.g.,../../target_dir/target_file ) as part of a request for information. File Permissions. Client Side Caching Confidential Information are cache by the local browser. Broken Access Control Broken Access Control: Allowing user to access parts of the application without the appropriate privilege. Viewing authorized content. Authorization loopholes. External facing administrative interfaces. Countermeasures: Develop well-defined access control requirements / policy. Well defined role based and granular access control. Extensive testing. 3. Broken Authentication & Session Management Account credentials and session tokens are not properly protected. Attackers that can compromise passwords, keys, session cookies, or other tokens can: Defeat authentication restrictions. Assume other user s identities. 5

6 Broken Authentication Countermeasures: Password Strength enforced. Password Change Controls single mech. old/new. Password Storage hashed / encrypted. Protecting Credentials in Transit SSL. Session ID Protection SSL / strong session ID. Account Lists (Account Enumeration) prevent access. Browser Caching turn off, insofar as possible. Trust Relationships avoid implicit trust. Protecting certificates & authentication keys. 4. Cross-Site Scripting (XSS) Flaws Web application can be used as a mechanism to transport an attack to an end user s browser. Successful attack can: Disclose end user s session token. Attack local machine. Spoof content to fool the user. Cross-Site Scripting Cross Site Scripting: Usually a result of Unvalidated Input. Using legitimate functions of an application to send malicious scripts to another user. Used to steal session cookies. Phishing attacks. Two categories Reflected and Stored Reflected The malicious scripts is either embedded in the requests or retrieved from another location. Stored The malicious scripts is stored in the database or file in the application. Cross-Site Scripting Countermeasures: Rigorous positive validation: Headers. Cookies. Query Strings. Form/hidden fields. Encoding user-supplied output: <, >, (, ), #, & to character entities. 5. Buffer Overflows Web application components in some languages that do not properly validate input can crash. In some cases, can take control of process. Components include: CGI libraries. Drivers. Web application server components. Buffer Overflow Buffer Overflow often a result of: Input Validation. Format String issues. Countermeasure: Input validation. 6

7 6. Injection Flaws Web applications pass parameters when they access external systems or the local OS. If attacker can embed malicious commands in these parameters, external system may execute those commands: on behalf of the web application. Injection Flaws Injection Flaws: Executing malicious code using system or database commands. Often found in scripting languages (Perl, PHP, Python, TCL, etc). SQL Injection. Command Injection. Countermeasures: Input validation. Avoid using shell or system command in the application. Use prepared statements or stored procedures for SQL queries. 7. Improper Error Handling Error conditions that occur during normal operation (e.g., catch) are not handled properly. If an attacker can cause errors to occur that the web application does not handle, they can: Gain detailed system information. Deny service. Cause security mechanisms to fail. Crash the server. Improper Error Handling Improper Error Handling: Unnecessary disclosure of detailed internal error messages such as stack traces, database dumps, and error. Information such as: Database type and version. Directory structure and file location. Server Version. Database query. Countermeasures: Use generic error messages. Use centralized logging instead of displaying the error back to the user. 8. Insecure Storage Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection. Insecure Storage Insecure Storage encompasses several general categories of problems dealing with the storage of critical data, such as: Failure to encrypt critical data. Insecure storage of keys, certificates, and passwords. Improper storage of secrets in memory. Poor sources of randomness. Poor choice of algorithm. Attempting to invent a new encryption algorithm. Use of Encoding instead of encryption. Countermeasures: Minimize use of encryption. Only keep information that is absolutely necessary. Protect your secrets. 7

8 9. Denial of Service Attackers can consume web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also: Lock users out of their accounts. Cause entire application to fail. Application Denial of Service Application Denial of Service resulting from the exhaustion of: Bandwidth. database connections. disk storage. CPU. Memory. threads. Countermeasures: Limit resources allocated to users. Avoid expensive resources for un-authenticated users. Check error handling scheme for effect on overall application. 10. Insecure Configuration Management Strong server configuration standard is critical to secure web applications Servers have many configuration options that impact security and are not secure out of the box Insecure Configuration Management Insecure Configuration Management: Unpatched security flaws in the server software. Server software flaws or misconfigurations that permit directory listing and directory traversal attacks. Unnecessary default, backup, or sample files, including scripts, applications, configuration files, and web pages. Improper file and directory permissions. Unnecessary services enabled, including content management and remote administration. Default accounts with their default passwords. Administrative or debugging functions that are enabled or accessible. Overly informative error messages (more details in the error handling section). Misconfigured SSL certificates and encryption settings. Use of self-signed certificates to achieve authentication and man-in-themiddle protection. Use of default certificates. Improper authentication with external systems. Insecure Configuration Management Web Application Security Assessment Countermeasures Start w/ guidelines from vendor / security organizations. Harden guidelines for: Explicit configuration of all security mechanisms. Turning off unused services. Setting up role-based access control. Logging / Alerts. Regular Configuration Maintenance: Latest vulnerabilities. Latest security patches. Updating guidelines. Vulnerability Scanning. Internal checksum for server configuration vs. guidelines. Assessing the web server / application server / database server: Using automated scanner to uncover common vulnerabilities. Assessing the application: Using combination of automated scanner and manual interrogation (80/20 Rule): 20% of the time doing automated scan. 80% of the time manually assessing the application. Code Review: Automated source code / binary code scans. Tracing the application flow from end-to-end. 8

9 Web Service Security Positions 1. Web services are really only useful internally, so security is not a concern. 2. Web services cannot be secured, and pose a significant threat to the security of an otherwise robust enterprise. 3. Web services can be secured using SSL and password authentication, just like e-commerce sites on the web. 4. SSL is not sufficient to secure web services, but I do not have a basis for figuring out just what level of security I need or what options I have. K.A Far, Pillar Technologies Security Issues Authentication: ensures that we know and approve access for the identity of a party in a given security domain. Authorization: ensures that an authorized entity has access to a controlled subset of all available secured resources. Confidentiality: ensures that only authorized parties can understand a secured message. Integrity: ensures that a message arrives at its destination unaltered from the point it left its sender. Non-repudiation: ensures that a sender cannot deny that he/she sent a given message; binds a transaction to a non-refutable identity. Impact on Web Services A Starting Point For Authentication Questions arise because of the plaintext concerns over a simple WS architecture: how to perform authentication/authorization? how to guarantee integrity? how to enforce confidentiality and non-repudiation? HTTP BASIC-AUTH user name and password are encoded in the HTTP stream as Base64 encoded plaintext stored in an HTTP header Authorization: Basic U2thdGVib2FyZdhcmVo in this mode, simple Base64 decoding reveals the credentials there is no encryption involved Moving beyond BASIC-AUTH While BASIC-AUTH is pervasive, it is not secure The next step is to secure the BASIC-AUTH transmission using HTTPS HTTP is secured using the Secured Sockets Layer (SSL) SSL encrypts the messages passed back and forth in the HTTP conversation, including the BASIC-AUTH header however, we mentioned earlier that SSL was not sufficient to secure web services let s talk about what is missing Why SSL is sufficient in e-commerce applications? 1. Transactions are generally conducted within the web application context at the e-commerce site there are no intermediaries or multi-party transactions. 2. SSL conversations are conducted point-to-point. 3. As long as the consumer can remit payment, user credentials are good enough to authenticate and authorize their transaction meanwhile, e-commerce sites cannot generally do anything to gain non-repudiation with their customers. 4. Individual transactions are relatively small and will not break the bank, when compared with total throughput. 9

10 On the Other Hand An individual web service transaction can involve literally millions of dollars of potential risk exposure, versus a shopping experience at amazon.com. Remember that web services are systems transacting with systems an open communication channel could be the conduit for a large volume of transacting data. What about client certificates? The basic mechanism for authentication breaks down when we start asking a system to supply a user name and password anyway have you ever seen a user name and password coded into system algorithms??? have you ever abused a user name and password that you learned from application code??? client certificates are one analogous, but more secure, means for authentication a certificate is a token that contains credentials for asynchronous encryption that remain confidential to its owner Benefit of client certificates client certificates allow us to create a secured SSL channel that guarantees non-repudiation so if we secure BASIC-AUTH over HTTPS using client certificates, is that enough??? Essential issue of SSL SSL encrypts the conversation between a single client and server, including authentication credentials however, there is no guarantee of non-repudiation without a client certificate more importantly, you lose confidentiality and non-repudiation in the presence of ANY intermediaries or multi-party transactions beneath the transport layer Intercepting the SOAP request and response Since we cannot do much to secure the transport layer when it involves a single link in an arbitrary chain, what is left? we have to secure the message itself. that requires us to take a look into SOAP and a few security standards for web services. To add security features to the XML communications, we can intercept the process of marshaling and unmarshaling the request and response Client h a n d l e r h a n d l e r request response h a n d l e r h a n d l e r Web Service 10

11 Anatomy of a SOAP message Relevant security specifications To add security to the content in the SOAP body, we will be altering the received message: for the receiver to get back to the original message, we must add processing instructions. those processing instructions are added to the SOAP header. XML Signature for signing all or part of an XML document provides integrity and nonrepudiation, regardless of intermediaries XML Encryption for encrypting portions of an XML document provides confidentiality, regardless of intermediaries by adding these to the authentication capabilities of BASIC-AUTH and SSL, the security picture is more complete there are other ways to authenticate as well authorization is all that is left often that requires additional effort on your part we will get back to this Fundamentals of signatures Role of encryption A signature is a special form of digest computed on a relevant block of data: a hash code is computed on the data block using a well-known algorithm: the sender computes the initial hash and adds it to the transmission. the receiver computes the hash on the data and checks that both hash codes match. this ensures the digest and the data block have integrity (they are unaltered from sender to receiver). to prevent hacking, the digest is hashed a second time and then encrypted: the hashed and encrypted digest is called a signature. private-key encryption provides non-repudiation. To this point we have discussed authentication, authorization, integrity and non-repudiation the role of encryption is to provide confidentiality it is the process of converting plaintext into ciphertext we will go into the mechanics more in the second part for now, consider that using XML Encryption, we can selectively encrypt any portion of the SOAP body Securing web service entry points In addition to the security concerns addressed so far, there should be consideration for securing the entry points to web services UDDI registries ebxml registries web application interfaces used for developing and testing In most cases we have seen to date, WSDL interfaces are published and directly accessible from unsecured points in the network. Securing UDDI/ebXML registries UDDI v3 provides additional support for digitally signing several request elements businessentity, businessservice, bindingtemplate, tmodel, publisherassertion, etc this allows consumers who look up web services to be identified with non-repudiation Moreover, authorization is implemented such that publishers can modify only the entries they created 11

12 Additional tactics for securing registries Security Assertions Markup Language (SAML) Digitally-signed WSDL XML Encryption of private request/response elements (recall that registries are also web services) Reducing authorization to the registry to very short timed intervals to reduce sniffing and replay attacks Use SAML (described next) to make assertions about the authorization of a party Provides queries and assertions in XML authentication authorization (decisions) attributes of known security parties Open source implementations etc. Commercial implementations SunONE Identity Server Netegrity JSAML Toolkit Baltimore SelectAccess Systinet WASP Card WS-Security Specification defining how they apply to SOA Submitted to OASIS in 2002 for development as a standard WS-Security defines headers for subject authentication, as well as specifications for signing and encrypting that info there are also many related specifications that are in various states of acceptance 12

What is Web Security? Motivation

What is Web Security? Motivation brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web

More information

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current

More information

Where every interaction matters.

Where every interaction matters. Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper

More information

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org

More information

Last update: February 23, 2004

Last update: February 23, 2004 Last update: February 23, 2004 Web Security Glossary The Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. The purpose of the Glossary is to

More information

Web Engineering Web Application Security Issues

Web Engineering Web Application Security Issues Security Issues Dec 14 2009 Katharina Siorpaes Copyright 2009 STI - INNSBRUCK www.sti-innsbruck.at It is NOT Network Security It is securing: Custom Code that drives a web application Libraries Backend

More information

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia Top Ten Web Application Vulnerabilities in J2EE Vincent Partington and Eelco Klaver Xebia Introduction Open Web Application Security Project is an open project aimed at identifying and preventing causes

More information

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that

More information

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top

More information

The Top Web Application Attacks: Are you vulnerable?

The Top Web Application Attacks: Are you vulnerable? QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding

More information

Thick Client Application Security

Thick Client Application Security Thick Client Application Security Arindam Mandal (arindam.mandal@paladion.net) (http://www.paladion.net) January 2005 This paper discusses the critical vulnerabilities and corresponding risks in a two

More information

Top 10 Web Application Security Vulnerabilities - with focus on PHP

Top 10 Web Application Security Vulnerabilities - with focus on PHP Top 10 Web Application Security Vulnerabilities - with focus on PHP Louise Berthilson Alberto Escudero Pascual 1 Resources The Top 10 Project by OWASP www.owasp.org/index.php/owasp_top_ten_project

More information

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp.

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp. and Top 10 (2007 Update) Dave Wichers The Foundation Conferences Chair dave.wichers@owasp.org COO, Aspect Security dave.wichers@aspectsecurity.com Copyright 2007 - The Foundation This work is available

More information

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability WWW Based upon HTTP and HTML Runs in TCP s application layer Runs on top of the Internet Used to exchange

More information

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction

More information

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

More information

Web Application Report

Web Application Report Web Application Report This report includes important security information about your Web Application. Security Report This report was created by IBM Rational AppScan 8.5.0.1 11/14/2012 8:52:13 AM 11/14/2012

More information

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Detecting Web Application Vulnerabilities Using Open Source Means OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Kostas Papapanagiotou Committee Member OWASP Greek Chapter conpap@owasp.gr

More information

Web Application Security

Web Application Security E-SPIN PROFESSIONAL BOOK Vulnerability Management Web Application Security ALL THE PRACTICAL KNOW HOW AND HOW TO RELATED TO THE SUBJECT MATTERS. COMBATING THE WEB VULNERABILITY THREAT Editor s Summary

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information

Web App Security Audit Services

Web App Security Audit Services locuz.com Professional Services Web App Security Audit Services The unsecured world today Today, over 80% of attacks against a company s network come at the Application Layer not the Network or System

More information

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION External Vulnerability Assessment -Technical Summary- Prepared for: ABC ORGANIZATI On March 9, 2008 Prepared by: AOS Security Solutions 1 of 13 Table of Contents Executive Summary... 3 Discovered Security

More information

Criteria for web application security check. Version 2015.1

Criteria for web application security check. Version 2015.1 Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-

More information

Sitefinity Security and Best Practices

Sitefinity Security and Best Practices Sitefinity Security and Best Practices Table of Contents Overview The Ten Most Critical Web Application Security Risks Injection Cross-Site-Scripting (XSS) Broken Authentication and Session Management

More information

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss Thinking Securely Security is a process, not

More information

Strategic Information Security. Attacking and Defending Web Services

Strategic Information Security. Attacking and Defending Web Services Security PS Strategic Information Security. Attacking and Defending Web Services Presented By: David W. Green, CISSP dgreen@securityps.com Introduction About Security PS Application Security Assessments

More information

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development

More information

Application Security Testing

Application Security Testing Tstsec - Version: 1 09 July 2016 Application Security Testing Application Security Testing Tstsec - Version: 1 4 days Course Description: We are living in a world of data and communication, in which the

More information

Passing PCI Compliance How to Address the Application Security Mandates

Passing PCI Compliance How to Address the Application Security Mandates Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These

More information

Web Application Security

Web Application Security Web Application Security Prof. Sukumar Nandi Indian Institute of Technology Guwahati Agenda Web Application basics Web Network Security Web Host Security Web Application Security Best Practices Questions?

More information

Chapter 1 Web Application (In)security 1

Chapter 1 Web Application (In)security 1 Introduction xxiii Chapter 1 Web Application (In)security 1 The Evolution of Web Applications 2 Common Web Application Functions 4 Benefits of Web Applications 5 Web Application Security 6 "This Site Is

More information

Content Teaching Academy at James Madison University

Content Teaching Academy at James Madison University Content Teaching Academy at James Madison University 1 2 The Battle Field: Computers, LANs & Internetworks 3 Definitions Computer Security - generic name for the collection of tools designed to protect

More information

Simon Fraser University. Web Security. Dr. Abhijit Sen CMPT 470

Simon Fraser University. Web Security. Dr. Abhijit Sen CMPT 470 Web Security Dr. Abhijit Sen 95% of web apps have Vulnerabilities Cross-site scripting (80 per cent) SQL injection (62 per cent) Parameter tampering (60 per cent) http://www.vnunet.com/vnunet/news/2124247/web-applicationswide-open-hackers

More information

Barracuda Web Site Firewall Ensures PCI DSS Compliance

Barracuda Web Site Firewall Ensures PCI DSS Compliance Barracuda Web Site Firewall Ensures PCI DSS Compliance E-commerce sales are estimated to reach $259.1 billion in 2007, up from the $219.9 billion earned in 2006, according to The State of Retailing Online

More information

Web Application Security

Web Application Security Chapter 1 Web Application Security In this chapter: OWASP Top 10..........................................................2 General Principles to Live By.............................................. 4

More information

Don t Get Burned! Are you Leaving your Critical Applications Defenseless?

Don t Get Burned! Are you Leaving your Critical Applications Defenseless? Don t Get Burned! Are you Leaving your Critical Applications Defenseless? Ed Bassett Carolyn Ryll, CISSP Enspherics Division of CIBER Presentation Overview Applications Exposed The evolving application

More information

Web Application Penetration Testing

Web Application Penetration Testing Web Application Penetration Testing 2010 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Will Bechtel William.Bechtel@att.com

More information

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability

More information

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications 1. Introduction 2. Web Application 3. Components 4. Common Vulnerabilities 5. Improving security in Web applications 2 What does World Wide Web security mean? Webmasters=> confidence that their site won

More information

Information Technology Policy

Information Technology Policy Information Technology Policy Enterprise Web Application Firewall ITP Number ITP-SEC004 Category Recommended Policy Contact RA-ITCentral@pa.gov Effective Date January 15, 2010 Supersedes Scheduled Review

More information

Columbia University Web Security Standards and Practices. Objective and Scope

Columbia University Web Security Standards and Practices. Objective and Scope Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements

More information

Web Vulnerability Assessment Report

Web Vulnerability Assessment Report Web Vulnerability Assessment Report Target Scanned: www.daflavan.com Report Generated: Mon May 5 14:43:24 2014 Identified Vulnerabilities: 39 Threat Level: High Screenshot of www.daflavan.com HomePage

More information

Rational AppScan & Ounce Products

Rational AppScan & Ounce Products IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168

More information

Network Security Audit. Vulnerability Assessment (VA)

Network Security Audit. Vulnerability Assessment (VA) Network Security Audit Vulnerability Assessment (VA) Introduction Vulnerability Assessment is the systematic examination of an information system (IS) or product to determine the adequacy of security measures.

More information

Web application security

Web application security Web application security Sebastian Lopienski CERN Computer Security Team openlab and summer lectures 2010 (non-web question) Is this OK? int set_non_root_uid(int uid) { // making sure that uid is not 0

More information

elearning for Secure Application Development

elearning for Secure Application Development elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security

More information

MatriXay WEB Application Vulnerability Scanner V 5.0. 1. Overview. (DAS- WEBScan ) - - - - - The best WEB application assessment tool

MatriXay WEB Application Vulnerability Scanner V 5.0. 1. Overview. (DAS- WEBScan ) - - - - - The best WEB application assessment tool MatriXay DAS-WEBScan MatriXay WEB Application Vulnerability Scanner V 5.0 (DAS- WEBScan ) - - - - - The best WEB application assessment tool 1. Overview MatriXay DAS- Webscan is a specific application

More information

Secure Web Applications. The front line defense

Secure Web Applications. The front line defense Secure Web Applications The front line defense Agenda Web Application Security Threat Overview Exploiting Web Applications Common Attacks & Preventative techniques Developing Secure Web Applications -Security

More information

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering How to break in Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering Time Agenda Agenda Item 9:30 10:00 Introduction 10:00 10:45 Web Application Penetration

More information

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities

More information

Check list for web developers

Check list for web developers Check list for web developers Requirement Yes No Remarks 1. Input Validation 1.1) Have you done input validation for all the user inputs using white listing and/or sanitization? 1.2) Does the input validation

More information

OWASP AND APPLICATION SECURITY

OWASP AND APPLICATION SECURITY SECURING THE 3DEXPERIENCE PLATFORM OWASP AND APPLICATION SECURITY Milan Bruchter/Shutterstock.com WHITE PAPER EXECUTIVE SUMMARY As part of Dassault Systèmes efforts to counter threats of hacking, particularly

More information

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA The Weakest Link: Mitigating Web Application Vulnerabilities webscurity White Paper webscurity Inc. Minneapolis, Minnesota USA January 25, 2007 Contents Executive Summary...3 Introduction...4 Target Audience...4

More information

Web Application Attacks and Countermeasures: Case Studies from Financial Systems

Web Application Attacks and Countermeasures: Case Studies from Financial Systems Web Application Attacks and Countermeasures: Case Studies from Financial Systems Dr. Michael Liu, CISSP, Senior Application Security Consultant, HSBC Inc Overview Information Security Briefing Web Applications

More information

Adobe Systems Incorporated

Adobe Systems Incorporated Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...

More information

(WAPT) Web Application Penetration Testing

(WAPT) Web Application Penetration Testing (WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:

More information

Web Application Security Assessment and Vulnerability Mitigation Tests

Web Application Security Assessment and Vulnerability Mitigation Tests White paper BMC Remedy Action Request System 7.6.04 Web Application Security Assessment and Vulnerability Mitigation Tests January 2011 www.bmc.com Contacting BMC Software You can access the BMC Software

More information

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference Cracking the Perimeter via Web Application Hacking Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference About 403 Labs 403 Labs is a full-service information security and compliance

More information

Magento Security and Vulnerabilities. Roman Stepanov

Magento Security and Vulnerabilities. Roman Stepanov Magento Security and Vulnerabilities Roman Stepanov http://ice.eltrino.com/ Table of contents Introduction Open Web Application Security Project OWASP TOP 10 List Common issues in Magento A1 Injection

More information

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP) Title: Functional Category: Information Technology Services Issuing Department: Information Technology Services Code Number: xx.xxx.xx Effective Date: xx/xx/2014 1.0 PURPOSE 1.1 To appropriately manage

More information

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

Nuclear Regulatory Commission Computer Security Office Computer Security Standard Nuclear Regulatory Commission Computer Security Office Computer Security Standard Office Instruction: Office Instruction Title: CSO-STD-1108 Web Application Standard Revision Number: 1.0 Effective Date:

More information

Web Application Vulnerability Testing with Nessus

Web Application Vulnerability Testing with Nessus The OWASP Foundation http://www.owasp.org Web Application Vulnerability Testing with Nessus Rïk A. Jones, CISSP rikjones@computer.org Rïk A. Jones Web developer since 1995 (16+ years) Involved with information

More information

OWASP Web Application Penetration Checklist. Version 1.1

OWASP Web Application Penetration Checklist. Version 1.1 Version 1.1 July 14, 2004 This document is released under the GNU documentation license and is Copyrighted to the OWASP Foundation. You should read and understand that license and copyright conditions.

More information

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com SAINT Integrated Network Vulnerability Scanning and Penetration Testing www.saintcorporation.com Introduction While network vulnerability scanning is an important tool in proactive network security, penetration

More information

Project OWASP and two most frequent vulnerabilities in web applications

Project OWASP and two most frequent vulnerabilities in web applications Project OWASP and two most frequent vulnerabilities in web applications Filip Šebesta, Wilson Tuladhar 2010 Abstract With the rapid use of the Internet, there has been a rapid growth in websites and web

More information

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6 WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL Ensuring Compliance for PCI DSS 6.5 and 6.6 CONTENTS 04 04 06 08 11 12 13 Overview Payment Card Industry Data Security Standard PCI Compliance for Web Applications

More information

Java Web Application Security

Java Web Application Security Java Web Application Security RJUG Nov 11, 2003 Durkee Consulting www.rd1.net 1 Ralph Durkee SANS Certified Mentor/Instructor SANS GIAC Network Security and Software Development Consulting Durkee Consulting

More information

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications Learning objectives E-commerce Security Threats and Protection Mechanisms. This lecture covers internet security issues and discusses their impact on an e-commerce. Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html

More information

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6 WHITE PAPER FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6 Ensuring compliance for PCI DSS 6.5 and 6.6 Page 2 Overview Web applications and the elements surrounding them

More information

Application Reviews and Web Application Firewalls Clarified. Information Supplement: PCI Data Security Standard (PCI DSS) Requirement:

Application Reviews and Web Application Firewalls Clarified. Information Supplement: PCI Data Security Standard (PCI DSS) Requirement: Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls

More information

Essential IT Security Testing

Essential IT Security Testing Essential IT Security Testing Application Security Testing for System Testers By Andrew Muller Director of Ionize Who is this guy? IT Security consultant to the stars Member of OWASP Member of IT-012-04

More information

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Standard: Data Security Standard (DSS) Requirement: 6.6 Date: February 2008 Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Release date: 2008-04-15 General PCI

More information

Common Security Vulnerabilities in Online Payment Systems

Common Security Vulnerabilities in Online Payment Systems Common Security Vulnerabilities in Online Payment Systems Author- Hitesh Malviya(Information Security analyst) Qualifications: C!EH, EC!SA, MCITP, CCNA, MCP Current Position: CEO at HCF Infosec Limited

More information

05.0 Application Development

05.0 Application Development Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development

More information

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research National Information Security Group The Top Web Application Hack Attacks Danny Allan Director, Security Research 1 Agenda Web Application Security Background What are the Top 10 Web Application Attacks?

More information

CMP3002 Advanced Web Technology

CMP3002 Advanced Web Technology CMP3002 Advanced Web Technology Assignment 1: Web Security Audit A web security audit on a proposed eshop website By Adam Wright Table of Contents Table of Contents... 2 Table of Tables... 2 Introduction...

More information

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Course Description Our web sites are under attack on a daily basis

More information

Spigit, Inc. Web Application Vulnerability Assessment/Penetration Test. Prepared By: Accuvant LABS

Spigit, Inc. Web Application Vulnerability Assessment/Penetration Test. Prepared By: Accuvant LABS Web Application Vulnerability Assessment/enetration Test repared By: Accuvant LABS November 20, 2012 Web Application Vulnerability Assessment/enetration Test Introduction Defending the enterprise against

More information

Homeland Security Red Teaming

Homeland Security Red Teaming Homeland Security Red Teaming Directs intergovernmental coordination Specifies Red Teaming Viewing systems from the perspective of a potential adversary Target hardening Looking for weakness in existing

More information

Cloud Security:Threats & Mitgations

Cloud Security:Threats & Mitgations Cloud Security:Threats & Mitgations Vineet Mago Naresh Khalasi Vayana 1 What are we gonna talk about? What we need to know to get started Its your responsibility Threats and Remediations: Hacker v/s Developer

More information

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011 Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011 Agenda Evolving Threats Operating System Application User Generated Content JPL s Application Security Program Securing

More information

Web Application Attacks And WAF Evasion

Web Application Attacks And WAF Evasion Web Application Attacks And WAF Evasion Ahmed ALaa (EG-CERT) 19 March 2013 What Are We Going To Talk About? - introduction to web attacks - OWASP organization - OWASP frameworks - Crawling & info. gathering

More information

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

WEB APPLICATION FIREWALLS: DO WE NEED THEM? DISTRIBUTING EMERGING TECHNOLOGIES, REGION-WIDE WEB APPLICATION FIREWALLS: DO WE NEED THEM? SHAIKH SURMED Sr. Solutions Engineer info@fvc.com www.fvc.com HAVE YOU BEEN HACKED????? WHAT IS THE PROBLEM?

More information

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh Web applications Web security: web basics Myrto Arapinis School of Informatics University of Edinburgh HTTP March 19, 2015 Client Server Database (HTML, JavaScript) (PHP) (SQL) 1 / 24 2 / 24 URLs HTTP

More information

THREAT MODELLING FOR SQL SERVERS Designing a Secure Database in a Web Application

THREAT MODELLING FOR SQL SERVERS Designing a Secure Database in a Web Application THREAT MODELLING FOR SQL SERVERS Designing a Secure Database in a Web Application E.Bertino 1, D.Bruschi 2, S.Franzoni 2, I.Nai-Fovino 2, S.Valtolina 2 1 CERIAS, Purdue University, West Lafayette, IN,

More information

CYBERTRON NETWORK SOLUTIONS

CYBERTRON NETWORK SOLUTIONS CYBERTRON NETWORK SOLUTIONS CybertTron Certified Ethical Hacker (CT-CEH) CT-CEH a Certification offered by CyberTron @Copyright 2015 CyberTron Network Solutions All Rights Reserved CyberTron Certified

More information

Web Application Security

Web Application Security Web Application Security John Zaharopoulos ITS - Security 10/9/2012 1 Web App Security Trends Web 2.0 Dynamic Webpages Growth of Ajax / Client side Javascript Hardening of OSes Secure by default Auto-patching

More information

Implementation of Web Application Firewall

Implementation of Web Application Firewall Implementation of Web Application Firewall OuTian 1 Introduction Abstract Web 層 應 用 程 式 之 攻 擊 日 趨 嚴 重, 而 國 內 多 數 企 業 仍 不 知 該 如 何 以 資 安 設 備 阻 擋, 仍 在 採 購 傳 統 的 Firewall/IPS,

More information

Attack Vector Detail Report Atlassian

Attack Vector Detail Report Atlassian Attack Vector Detail Report Atlassian Report As Of Tuesday, March 24, 2015 Prepared By Report Description Notes cdavies@atlassian.com The Attack Vector Details report provides details of vulnerability

More information

Threat Modeling. Frank Piessens (Frank.Piessens@cs.kuleuven.be ) KATHOLIEKE UNIVERSITEIT LEUVEN

Threat Modeling. Frank Piessens (Frank.Piessens@cs.kuleuven.be ) KATHOLIEKE UNIVERSITEIT LEUVEN Threat Modeling Frank Piessens (Frank.Piessens@cs.kuleuven.be ) Secappdev 2007 1 Overview Introduction Key Concepts Threats, Vulnerabilities, Countermeasures Example Microsoft s Threat Modeling Process

More information

Chapter 4 Application, Data and Host Security

Chapter 4 Application, Data and Host Security Chapter 4 Application, Data and Host Security 4.1 Application Security Chapter 4 Application Security Concepts Concepts include fuzzing, secure coding, cross-site scripting prevention, crosssite request

More information

Lecture 15 - Web Security

Lecture 15 - Web Security CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Lecture 15 - Web Security CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/

More information

Application Design and Development

Application Design and Development C H A P T E R9 Application Design and Development Practice Exercises 9.1 What is the main reason why servlets give better performance than programs that use the common gateway interface (CGI), even though

More information

Web Application Guidelines

Web Application Guidelines Web Application Guidelines Web applications have become one of the most important topics in the security field. This is for several reasons: It can be simple for anyone to create working code without security

More information

Web Plus Security Features and Recommendations

Web Plus Security Features and Recommendations Web Plus Security Features and Recommendations (Based on Web Plus Version 3.x) Centers for Disease Control and Prevention National Center for Chronic Disease Prevention and Health Promotion Division of

More information

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences

More information

Testing Web Applications for SQL Injection Sam Shober SamShober@Hotmail.com

Testing Web Applications for SQL Injection Sam Shober SamShober@Hotmail.com Testing Web Applications for SQL Injection Sam Shober SamShober@Hotmail.com Abstract: This paper discusses the SQL injection vulnerability, its impact on web applications, methods for pre-deployment and

More information

OWASP Top Ten Tools and Tactics

OWASP Top Ten Tools and Tactics OWASP Top Ten Tools and Tactics Russ McRee Copyright 2012 HolisticInfoSec.org SANSFIRE 2012 10 JULY Welcome Manager, Security Analytics for Microsoft Online Services Security & Compliance Writer (toolsmith),

More information

CS5008: Internet Computing

CS5008: Internet Computing CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is

More information

Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper

Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper Securing Web Applications As hackers moved from attacking the network to attacking the deployed applications, a category

More information