Software security, by the numbers. October 20, 2015
|
|
- Noel Harrison
- 8 years ago
- Views:
Transcription
1 Software security, by the numbers October 20, 2015
2 Why are we here? 2
3 Chris Wysopal, CTO & Co-Founder 15+ years focused solely on application security One of the original security researchers from mid 90 s. Was part of hacker think tank, The L0pht. Founded Veracode to build automated application security testing My son now keeps me busy installing Minecraft mods. 3
4 What is the SoSS report? 4
5 What s so special about this? Anonymized data from our customers to illustrate AppSec trends - 5
6 What questions can we answer? Which industries are doing the best job of reducing application-layer risk? Do I have more serious vulnerabilities than my peers? What percentage of vulnerabilities do my peers remediate? How many of our applications should pass the OWASP Top 10 when initially assessed? What are the Top 10 most common vulnerabilities in our vertical? Which programming languages are my peers using? 6
7 >What are the Headlines? What are the headlines? 7
8 WHO DOES BEST AGAINST INDUSTRY STANDARDS? 8
9 WHO FIXES THE MOST VULNERABILITIES? 9
10 Industry comparison: flaw profiles 10
11 Security quality on first scan 11
12 Security quality on first scan Even the best performing industry sector fails for 3 out of 5 applications 12
13 Programming languages used 13
14 Programming languages used Programming language is not a clear indicator of security quality 14
15 Flaw density 15
16 Flaw density Flaw density is only useful for benchmarking or tracking a particular application over time 16
17 Top vulnerabilities by industry 17
18 Industry comparison: remediation profiles 18
19 Flaw remediation rates Wide spread in % of flaws found vs. fixed May be due to external factors (industry regulations, competitive landscape) and/or security policies 19
20 Remediation by flaw density Small improvement in flaw density overall, greater improvement in very high and high severity flaws 20
21 Impact of remediation coaching For applications that used a readout, the development team fixed more than 2.5x the average # of flaws per megabyte 21
22 How safe is the software I buy? 22
23 Sources of software (IDG survey) 23
24 Commercial quality on first scan Code you purchase is just as likely (maybe more likely) to contain vulnerabilities as code you build Most organizations don t hold their suppliers accountable for security quality in the same way the do for functionality or performance 24
25 Three characteristics of a successful program 25
26 #1: Metrics driven Peter Drucker 26
27 #2: Remediation focused 27
28 #3: Habit forming 28
29 #3: Habit forming MONSTERS PREVENT CODE ROT! 29
30 THANK YOU
31 Appendix slides 31
32 Financial Services summary Includes: Banking, Finance, Insurance Initial quality: % of apps passed OWASP Top 10 on first scan but almost 3 in 5 still fail Remediation: - Fixed 65% of flaws found during 18 month period Flaw density: 3-36 flaws/mb overall - 5 very high or high severity flaws/mb SQL Injection prevalence: 6-29% of applications had at least one SQL Injection vulnerability, the second lowest Language Mix App Vuln Prevalence.NET 42% Java 48% Classic ASP 3% PHP 2% C++ 2% ios 2% Other 1% Android 1% ColdFusion JavaScript 0% 0% Code Quality Crypto Issues Info Leakage CRLF Injection Cross-Site Scripting Directory Traversal Insufficient Input Validation SQL Injection Credentials Mgmt Time & State 29% 25% 23% 65% 60% 58% 52% 49% 48% 41% 32
33 Manufacturing summary Includes: Manufacturing, Aerospace Initial quality: % of apps passed OWASP Top 10 on first scan but almost 2/3 still fail Remediation: - Fixed 81% of flaws found during 18 month period Flaw density: flaws/mb overall - 54 very high or high severity flaws/mb.net 36% Language Mix C++ 10% Java 37% ColdFusion 9% Classic ASP 4% ios 2% Other 2% PHP 1% JavaScript 1% Android 0% SQL Injection prevalence: 4-31% of applications had at least one SQL Injection vulnerability Code Quality Crypto Issues Info Leakage CRLF Injection Cross-Site Scripting Directory Traversal Insufficient Input Validation SQL Injection Time & State Credentials Mgmt App Vuln Prevalence 56% 51% 49% 45% 45% 40% 33% 31% 24% 17% 33
34 Technology summary Includes: Technology, Telecommunications, Electronics, Software, Security Products & Services, Consulting Initial quality: % of apps passed OWASP Top 10 on first scan Remediation: - Fixed 50% of flaws found during 18 month period Flaw density: 5-83 flaws/mb overall - 29 very high or high severity flaws/mb SQL Injection prevalence: 3-28% of applications had at least one SQL Injection vulnerability.net 30% Language Mix Java 45% PHP ios 6% 6% Android 6% C++ 4% Other 3% Classic ASP 1% ColdFusion 1% JavaScript 1% Code Quality Crypto Issues Info Leakage CRLF Injection Directory Traversal Cross-Site Scripting Insufficient Input Validation Credentials Mgmt SQL Injection Time & State App Vuln Prevalence 70% 62% 62% 54% 49% 48% 37% 30% 28% 26% 34
35 Healthcare summary Initial quality: % of apps passed OWASP Top 10 on first scan Remediation: - Fixed 43% of flaws found during 18 month period Flaw density: 1-15 flaws/mb overall - 2 very high or high severity flaws/mb Crypto Issues prevalence: 1-80% of applications had at least one cryptography-related vulnerability Java 30%.NET 52% Language Mix ios 7% Android 4% PHP 3% Classic ASP 2% ColdFusion 2% Other 2% JavaScript C++ 0% Crypto Issues Info Leakage Code Quality Insufficient Input Validation CRLF Injection Cross-Site Scripting Directory Traversal SQL Injection Time & State Credentials Mgmt App Vuln Prevalence 61% 60% 48% 46% 45% 43% 32% 26% 23% 80% 35
36 Retail and Hospitality summary Initial quality: % of apps passed OWASP Top 10 on first scan Remediation: - Fixed 43% of flaws found during 18 month period Flaw density: 2-28 flaws/mb overall - 5 very high or high severity flaws/mb Language Mix SQL Injection prevalence: 1-25% of applications had at least one SQL Injection vulnerability, the lowest prevalence App Vuln Prevalence Java 37%.NET 45% C++ 5% ios 4% Android 4% Classic ASP 2% Other 3% PHP 2% ColdFusion 1% JavaScript 0% Code Quality Crypto Issues Info Leakage CRLF Injection Directory Traversal Cross-Site Scripting Insufficient Input Validation SQL Injection Credentials Mgmt Time & State 25% 24% 21% 68% 63% 55% 54% 52% 44% 44% 36
37 Government summary Initial quality: % of apps passed OWASP Top 10 on first scan Remediation: - Fixed 27% of flaws found during 18 month period Flaw density: 4-62 flaws/mb overall - 7 very high or high severity flaws/mb SQL Injection prevalence: 7-40% of applications had at least one SQL Injection vulnerability Java 36%.NET 53% Language Mix PHP 4% Classic ASP 3% C++ Other 0% 1% ColdFusion 3% JavaScript Android ios 0% 0% Cross-Site Scripting Code Quality Info Leakage Insufficient Input Validation Crypto Issues CRLF Injection Directory Traversal SQL Injection Credentials Mgmt Time & State App Vuln Prevalence 20% 19% 70% 66% 62% 52% 51% 48% 45% 40% 37
38 All other industries summary Initial quality: % of apps passed OWASP Top 10 on first scan Remediation: - Fixed 52% of flaws found during 18 month period Flaw density: flaws/mb overall - 26 very high or high severity flaws/mb SQL Injection prevalence: 6-37% of applications had at least one SQL Injection vulnerability Language Mix App Vuln Prevalence.NET 23% PHP 10% Java 46% ios 7% Android 7% C++ 4% Other 3% Classic ASP 1% ColdFusion 1% JavaScript 1% Crypto Issues Code Quality Info Leakage CRLF Injection Cross-Site Scripting Credentials Mgmt Insufficient Input Validation Directory Traversal SQL Injection Time & State 65% 59% 53% 48% 46% 37% 34% 34% 32% 23% 38
STATE OF SOFTWARE SECURITY
STATE OF SOFTWARE SECURITY Volume 6: Focus on Industry Verticals JUNE 2015 03 VERACODE State of Software Security Report, Volume 6: Focus on Industry Verticals CONTENTS Introduction by Chris Wysopal, Veracode
More informationSTATE OF SOFTWARE SECURITY
STATE OF SOFTWARE SECURITY Focus on Application Development SUPPLEMENT TO VOLUME 6 03 VERACODE State of Software Security Report, Supplement to Volume 6: Focus on Application Development CONTENTS Introduction
More informationSAST, DAST and Vulnerability Assessments, 1+1+1 = 4
SAST, DAST and Vulnerability Assessments, 1+1+1 = 4 Gordon MacKay Digital Defense, Inc. Chris Wysopal Veracode Session ID: Session Classification: ASEC-W25 Intermediate AGENDA Risk Management Challenges
More informationState of Software Security Report
VOLUME 4 State of Software Security Report The Intractable Problem of Insecure Software December 7, 2011 Now Including Mobile App Data! SEE PAGE 37 SINCE OUR LAST REPORT, the risks associated with vulnerable
More informationTHEODORA TITONIS VERACODE Vice President Mobile
THEODORA TITONIS VERACODE Vice President Mobile MOBILE SECURITY Increasing Threat MOBILE RISK 64% 34% 47% Companies with no BYOD policy. 3 Companies with no app security program. 4 614% Nearly half of
More informationMetrics for Insights on
Metrics for Insights on State of Application Security Veracode, Inc. Presented by: Ashish Larivee, Veracode Betsy Nichols, PlexLogic 1 Who we are Ashish Larivee Veracode Elizabeth A. Nichols, Ph.D. PlexLogic
More informationIntegrating Security into the Application Development Process. Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis
Integrating Security into the Application Development Process Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis Agenda Seek First to Understand Source Code Security AppSec and SQA Analyzing
More informationState of Software Security Report
VOLUME 2 State of Software Security Report The Intractable Problem of Insecure Software September 22, 2010 Software Security Simplified AS EVERY CIO AND CISO IS AWARE, the flood of news generated by attacks
More informationState of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell
Stanford Computer Security Lab State of The Art: Automated Black Box Web Application Vulnerability Testing, Elie Bursztein, Divij Gupta, John Mitchell Background Web Application Vulnerability Protection
More informationCreating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011 Agenda Evolving Threats Operating System Application User Generated Content JPL s Application Security Program Securing
More informationApplication Code Development Standards
Application Code Development Standards Overview This document is intended to provide guidance to campus system owners and software developers regarding secure software engineering practices. These standards
More informationVOLUME 4. State of Software Security Report. The Intractable Problem of Insecure Software
VOLUME 4 State of Software Security Report The Intractable Problem of Insecure Software December 7, 2011 Executive Summary The following are some of the most significant findings in the Veracode State
More informationWeb Application Penetration Testing
Web Application Penetration Testing 2010 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Will Bechtel William.Bechtel@att.com
More informationSWASCAN ALL in ONE. SWASCAN Web Application SWASCAN Network SWASCAN Code Review
SWASCAN ALL in ONE SWASCAN Web Application SWASCAN Network SWASCAN Code Review SWASCAN at a Glance The first Cloud Suite Security Platform The right way to manage the Security Risk, both for web and mobile
More information2,000 Websites Later Which Web Programming Languages are Most Secure?
2,000 Websites Later Which Web Programming Languages are Most Secure? Jeremiah Grossman Founder & Chief Technology Officer 2010 WhiteHat Security, Inc. WhiteHat Security Founder & Chief Technology Officer
More informationApplication Backdoor Assessment. Complete securing of your applications
Application Backdoor Assessment Complete securing of your applications Company brief BMS Consulting is established as IT system integrator since 1997 Leading positons in Eastern Europe country Product
More informationTesting the OWASP Top 10 Security Issues
Testing the OWASP Top 10 Security Issues Andy Tinkham & Zach Bergman, Magenic Technologies Contact Us 1600 Utica Avenue South, Suite 800 St. Louis Park, MN 55416 1 (877)-277-1044 info@magenic.com Who Are
More informationAdobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, 2014. Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661
Adobe ColdFusion Secure Profile Web Application Penetration Test July 31, 2014 Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661 Chicago Dallas This document contains and constitutes the
More informationEnterprise Application Security Program
Enterprise Application Security Program GE s approach to solving the root cause and establishing a Center of Excellence Darren Challey GE Application Security Leader Agenda Why is AppSec important? Why
More informationWe protect you applications! No, you don t. Digicomp Hacking Day 2013 May 16 th 2013
We protect you applications! No, you don t Digicomp Hacking Day 2013 May 16 th 2013 Sven Vetsch Partner & CTO at Redguard AG www.redguard.ch Specialized in Application Security (Web, Web-Services, Mobile,
More informationStudy of Software Related Cybersecurity Risks in Public Companies
FEATURE SUPPLEMENT Study of Software Related Cybersecurity Risks in Public Companies Feature Supplement of Veracode s State of Software Security Report APRIL 2012 Table of Contents Introduction...................................................................................2
More informationHackMiami Web Application Scanner 2013 PwnOff
HackMiami Web Application Scanner 2013 PwnOff An Analysis of Automated Web Application Scanning Suites James Ball, Alexander Heid, Rod Soto http://www.hackmiami.org Overview Web application scanning suites
More informationState of Software Security Report
VOLUME 2 State of Software Security Report The Intractable Problem of Insecure Software Executive Summary September 22, 2010 Software Security Simplified Executive Summary The following are some of the
More informationStatic & Dynamic Analysis for Web Applications. OWASP Atlanta Chapter March 2010 Meeting. The OWASP Foundation http://www.owasp.
Static & Dynamic Analysis for Web Applications Tony UcedaVelez Atlanta, Chapter Lead & Guest Panel: Atlanta Chapter March 2010 Meeting Jeremiah Grossman (WhiteHat Security) Chris Eng (Veracode) Russell
More informationSecuring Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group
Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability
More informationSimon Fraser University. Web Security. Dr. Abhijit Sen CMPT 470
Web Security Dr. Abhijit Sen 95% of web apps have Vulnerabilities Cross-site scripting (80 per cent) SQL injection (62 per cent) Parameter tampering (60 per cent) http://www.vnunet.com/vnunet/news/2124247/web-applicationswide-open-hackers
More informationWEB APPLICATION FIREWALLS: DO WE NEED THEM?
DISTRIBUTING EMERGING TECHNOLOGIES, REGION-WIDE WEB APPLICATION FIREWALLS: DO WE NEED THEM? SHAIKH SURMED Sr. Solutions Engineer info@fvc.com www.fvc.com HAVE YOU BEEN HACKED????? WHAT IS THE PROBLEM?
More informationIs your software secure?
Is your software secure? HP Fortify Application Security VII konferencja Secure 2013 Warsaw - October 9, 2013 Gunner Winkenwerder Sales Manager Fortify CEE, Russia & CIS HP Enterprise Security +49 (172)
More informationEnterprise Application Security Workshop Series
Enterprise Application Security Workshop Series Phone 877-697-2434 fax 877-697-2434 www.thesagegrp.com Defending JAVA Applications (3 Days) In The Sage Group s Defending JAVA Applications workshop, participants
More information(WAPT) Web Application Penetration Testing
(WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:
More informationVOLUME 3. State of Software Security Report. The Intractable Problem of Insecure Software
VOLUME 3 State of Software Security Report The Intractable Problem of Insecure Software Executive Summary April 19, 2011 Executive Summary The following are some of the most significant findings in the
More informationSANDCAT THE WEB APPLICATION SECURITY ASSESSMENT SUITE WHAT IS SANDCAT? MAIN COMPONENTS. Web Application Security
SANDCAT WHAT IS SANDCAT? THE WEB APPLICATION SECURITY ASSESSMENT SUITE Sandcat is a hybrid multilanguage web application security assessment suite - a software suite that simulates web-based attacks. Sandcat
More informationWEB APPLICATION VULNERABILITY STATISTICS (2013)
WEB APPLICATION VULNERABILITY STATISTICS (2013) Page 1 CONTENTS Contents 2 1. Introduction 3 2. Research Methodology 4 3. Summary 5 4. Participant Portrait 6 5. Vulnerability Statistics 7 5.1. The most
More informationWebCruiser Web Vulnerability Scanner Test Report. Input Vector Test Cases Cases Count Report Pass Rate. Erroneous 200 Responses 19 19 100%
WebCruiser Web Vulnerability Scanner Test Report V3.4.0 Made by Janusec (http://www.janusec.com ) 1. Test Report 1.1. SQL Injection Test Report Input Vector Test Cases Cases Count Report Pass Rate Erroneous
More informationThe Total Economic Impact Of Veracode s Cloud-Based Application Security Service
A Forrester Total Economic Impact Study Commissioned By Veracode Project Director: Sean Owens July 2014 The Total Economic Impact Of Veracode s Cloud-Based Application Security Service Avoided Costs, Cost
More informationWeb Application Vulnerability Testing with Nessus
The OWASP Foundation http://www.owasp.org Web Application Vulnerability Testing with Nessus Rïk A. Jones, CISSP rikjones@computer.org Rïk A. Jones Web developer since 1995 (16+ years) Involved with information
More informationApplication Security Program Management with Vulnerability Manager
Application Security Program Management with Vulnerability Manager Bryan Beverly June 2 nd, 2010 Today's Presentation The challenges of application security scanning and remediation What Vulnerability
More informationPassing PCI Compliance How to Address the Application Security Mandates
Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These
More informationBraindumps.C2150-810.50 questions
Braindumps.C2150-810.50 questions Number: C2150-810 Passing Score: 800 Time Limit: 120 min File Version: 5.3 http://www.gratisexam.com/ -810 IBM Security AppScan Source Edition Implementation This is the
More informationDevelopment. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group,
Secure and Resilient Software Development Mark S. Merkow Lakshmikanth Raghavan CRC Press Taylor& Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor St Francis Group, an Informs
More informationHow to achieve PCI DSS Compliance with Checkmarx Source Code Analysis
How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis Document Scope This document aims to assist organizations comply with PCI DSS 3 when it comes to Application Security best practices.
More informationTechnical Description Web Security Contest
Technical Description Web Security Contest 1 P a g e Table of Contents 1. INTRODUCTION... 3 2. COMPETENCY SPECIFICATION... 3 3. OBJECTIVES... 4 4. RULES & REGULATIONS... 4 4.1. Teams... 4 4.2. Competition...
More informationMobile Application Security Sharing Session May 2013
Mobile Application Security Sharing Session Agenda Introduction of speakers Mobile Application Security Trends and Challenges 5 Key Focus Areas for an mobile application assessment 2 Introduction of speakers
More informationelearning for Secure Application Development
elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security
More informationAdobe Systems Incorporated
Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...
More informationOWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp.
and Top 10 (2007 Update) Dave Wichers The Foundation Conferences Chair dave.wichers@owasp.org COO, Aspect Security dave.wichers@aspectsecurity.com Copyright 2007 - The Foundation This work is available
More informationRational AppScan & Ounce Products
IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168
More informationApplication Security Testing. Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec.co.il
Application Security Testing Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec.co.il Agenda The most common security vulnerabilities you should test for Understanding the problems
More informationThe purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.
This sample report is published with prior consent of our client in view of the fact that the current release of this web application is three major releases ahead in its life cycle. Issues pointed out
More informationSTATE OF WASHINGTON DEPARTMENT OF SOCIAL AND HEALTH SERVICES P.O. Box 45810, Olympia, Washington 98504 5810. October 21, 2013
STATE OF WASHINGTON DEPARTMENT OF SOCIAL AND HEALTH SERVICES P.O. Box 45810, Olympia, Washington 98504 5810 October 21, 2013 To: RE: All Vendors Request for Information (RFI) The State of Washington, Department
More informationWeb Vulnerability Assessment Report
Web Vulnerability Assessment Report Target Scanned: www.daflavan.com Report Generated: Mon May 5 14:43:24 2014 Identified Vulnerabilities: 39 Threat Level: High Screenshot of www.daflavan.com HomePage
More informationWeb Application Report
Web Application Report This report includes important security information about your Web Application. Security Report This report was created by IBM Rational AppScan 8.5.0.1 11/14/2012 8:52:13 AM 11/14/2012
More informationWeb Application Security How to Minimize Prevalent Risk of Attacks
guide: Web Application Security How to Minimize Prevalent Risk of Attacks Table of Contents I. Summary II. Primer on Web App Security III. Types of Web App Vulnerabilities IV. Detecting Web App Vulnerabilities
More informationSecurity Automation in Agile SDLC Real World Cases
Security Automation in Agile SDLC Real World Cases Ofer Maor Director of Security Strategy, Synopsys AppSec California, January 2016 Speaker Security Strategy at Synopsys Founder of Seeker / Pioneer of
More informationTurning the Battleship: How to Build Secure Software in Large Organizations. Dan Cornell May 11 th, 2006
Turning the Battleship: How to Build Secure Software in Large Organizations Dan Cornell May 11 th, 2006 Overview Background and key questions Quick review of web application security The web application
More informationMobile App Security. Using Threat Modeling to Review Mobile Devices and Apps. Copyright 2012 KRvW Associates, LLC
Mobile App Security Using Threat Modeling to Review Mobile Devices and Apps Your Instructor Ken van Wyk ken@krvw.com Work Experience 20+ years in Information Security l l l l CMU CERT/CC Founder DoD CERT
More information2014 Website Security Statistics Report
2014 Website Security Statistics Report Introduction An end to the war of languages maybe. Whenever beginning a new software project, you have to make a choice: what programming languages or development
More informationBUILDING AN OFFENSIVE SECURITY PROGRAM BUILDING AN OFFENSIVE SECURITY PROGRAM
BUILDING AN OFFENSIVE SECURITY PROGRAM Common Gaps in Security Programs Outsourcing highly skilled security resources can be cost prohibitive. Annual assessments don t provide the coverage necessary. Software
More informationApplication security testing: Protecting your application and data
E-Book Application security testing: Protecting your application and data Application security testing is critical in ensuring your data and application is safe from security attack. This ebook offers
More information3 rd Party Application Analysis: Best Practices and Lessons Learned. Chris Wysopal Founder and CTO Veracode
3 rd Party Application Analysis: Best Practices and Lessons Learned Chris Wysopal Founder and CTO Veracode Agenda q About Veracode q Need for 3 rd Party Analysis q Terminology q Sample Size/Success Rates
More informationOWASP Mobile Top Ten 2014 Meet the New Addition
OWASP Mobile Top Ten 2014 Meet the New Addition Agenda OWASP Mobile Top Ten 2014 Lack of Binary Protections added Why is Binary Protection important? What Risks Need to be Mitigated? Where to Go For Further
More informationDetecting and Exploiting XSS with Xenotix XSS Exploit Framework
Detecting and Exploiting XSS with Xenotix XSS Exploit Framework ajin25@gmail.com keralacyberforce.in Introduction Cross Site Scripting or XSS vulnerabilities have been reported and exploited since 1990s.
More informationThreat landscape how are you getting attacked and what can you do better protect yourself and your e-commerce platform
Threat landscape how are you getting attacked and what can you do better protect yourself and your e-commerce platform Sebastian Zabala Senior Systems Engineer 2013 Trustwave Holdings, Inc. 1 THREAT MANAGEMENT
More informationWeb Application Security 101
dotdefender Web Application Security Web Application Security 101 1 Web Application Security 101 As the Internet has evolved over the years, it has become an integral part of virtually every aspect in
More informationThe State of Mobile Application Insecurity
The State of Mobile Application Insecurity Sponsored by IBM Independently conducted by Ponemon Institute LLC Publication Date: February 2015 Ponemon Institute Research Report Part 1. Introduction The State
More informationKASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com
KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global
More informationWeb Application Security
About SensePost SensePost is an independent and objective organisation specialising in information security consulting, training, security assessment services and IT Vulnerability Management. SensePost
More informationThe Top Web Application Attacks: Are you vulnerable?
QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding
More informationExcellence Doesn t Need a Certificate. Be an. Believe in You. 2014 AMIGOSEC Consulting Private Limited
Excellence Doesn t Need a Certificate Be an 2014 AMIGOSEC Consulting Private Limited Believe in You Introduction In this age of emerging technologies where IT plays a crucial role in enabling and running
More information5 Simple Steps to Secure Database Development
E-Guide 5 Simple Steps to Secure Database Development Databases and the information they hold are always an attractive target for hackers looking to exploit weaknesses in database applications. This expert
More informationCloud Security:Threats & Mitgations
Cloud Security:Threats & Mitgations Vineet Mago Naresh Khalasi Vayana 1 What are we gonna talk about? What we need to know to get started Its your responsibility Threats and Remediations: Hacker v/s Developer
More informationLEARNING CURRICULUM SECURITY COMPASS TRAINING 2015 Q3. Copyright 2015. Security Compass. 1
LEARNING CURRICULUM SECURITY COMPASS TRAINING 2015 Q3 Copyright 2015. Security Compass. 1 CONTENTS WHY SECURITY COMPASS...3 RECOMMENDED LEARNING PATHs...4 TECHNICAL LEARNING PATHS...4 BUSINESS / SUPPORT
More informationHP WebInspect Tutorial
HP WebInspect Tutorial Introduction: With the exponential increase in internet usage, companies around the world are now obsessed about having a web application of their own which would provide all the
More informationSuccessful Strategies for QA- Based Security Testing
Successful Strategies for QA- Based Security Testing Rafal Los Enterprise & Cloud Security Strategist HP Software 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject
More informationIntegrated Threat & Security Management.
Integrated Threat & Security Management. SOLUTION OVERVIEW Vulnerability Assessment for Web Applications Fully Automated Web Crawling and Reporting Minimal Website Training or Learning Required Most Accurate
More informationHow To Ensure That Your Computer System Is Safe
Establishing a Continuous Process for PCI DSS Compliance Visa, MasterCard, American Express, and other payment card companies currently require all U.S. merchants accepting credit card payments to comply
More informationWeb application vulnerability statistics for 2010-2011
Web application vulnerability statistics for 2010-2011 SERGEY GORDEYCHIK DMITRY EVTEEV ALEXANDER ZAITSEV DENIS BARANOV SERGEY SCHERBEL ANNA BELIMOVA GLEB GRITSAI YURI GOLTSEV TIMUR YUNUSOV ILYA KRUPENKO
More informationNetwork Test Labs (NTL) Software Testing Services for igaming
Network Test Labs (NTL) Software Testing Services for igaming Led by committed, young and dynamic professionals with extensive expertise and experience of independent testing services, Network Test Labs
More informationWeb Application Security. Radovan Gibala Senior Field Systems Engineer F5 Networks r.gibala@f5.com
Web Application Security Radovan Gibala Senior Field Systems Engineer F5 Networks r.gibala@f5.com Security s Gaping Hole 64% of the 10 million security incidents tracked targeted port 80. Information Week
More informationSecurity Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014
Security Testing Vulnerability Assessment vs Penetration Testing Gabriel Mihai Tanase, Director KPMG Romania 29 October 2014 Agenda What is? Vulnerability Assessment Penetration Testing Acting as Conclusion
More informationTHOUSANDS OF APPS CAN'T BE WRONG: MOBILE APPLICATION ANALYSIS AT SCALE
THOUSANDS OF APPS CAN'T BE WRONG: MOBILE APPLICATION ANALYSIS AT SCALE Chris Eng Vice President, Research Session ID: Session Classification: MBS-T08 Intermediate Agenda State of Mobility in the Enterprise
More informationIntroduction. Secure Software Development 9/03/2015. Matias starts. Daan takes over. Matias takes over. Who are we? Round of introductions
Matias starts Who are we? Applying Static Analysis Matias Madou and Daan Raman, Leuven, Feb 27, 2015 1 At NVISO, I m responsible for the software security practice. Next to the client work, I also leads
More informationWHITEPAPER ON SAP SECURITY PATCH IMPLEMENTATION Helps you to analyze and define a robust strategy for implementing SAP Security Patches
A BasisOnDemand.com White Paper WHITEPAPER ON SAP SECURITY PATCH IMPLEMENTATION Helps you to analyze and define a robust strategy for implementing SAP Security Patches by Prakash Palani (Prakash.palani@basisondemand.com)
More informationWEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY
WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities
More informationCSUSB Web Application Security Standard CSUSB, Information Security & Emerging Technologies Office
CSUSB, Information Security & Emerging Technologies Office Last Revised: 03/17/2015 Draft REVISION CONTROL Document Title: Author: File Reference: CSUSB Web Application Security Standard Javier Torner
More informationTable of Contents. Application Vulnerability Trends Report 2013. Introduction. 99% of Tested Applications Have Vulnerabilities
Application Vulnerability Trends Report : 2013 Table of Contents 3 4 5 6 7 8 8 9 10 10 Introduction 99% of Tested Applications Have Vulnerabilities Cross Site Scripting Tops a Long List of Vulnerabilities
More informationSecurity Metrics Rehab. Breaking Free from Top X Lists, Cultivating Organic Metrics, & Realizing Operational Risk Management
Security Metrics Rehab Breaking Free from Top X Lists, Cultivating Organic Metrics, & Realizing Operational Risk Management April 11, 2014 About Me! Author of P.A.S.T.A threat modeling methodology (risk
More informationWhat Every (Software) Engineer Needs To Know About Security. -- and -- Where To Learn It
What Every (Software) Engineer Needs To Know About Security -- and -- Where To Learn It Neil Daswani http://www.neildaswani.com http://www.learnsecurity.com Is the sky falling? (yet?) TJX (March 2007)
More informationLecture 11 Web Application Security (part 1)
Lecture 11 Web Application Security (part 1) Computer and Network Security 4th of January 2016 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 11, Web Application Security (part 1)
More informationHP Fortify Application Security Lucas v. Stockhausen PreSales Manager HP Fortify EMEA lvonstockhausen@hp.com +49 1520 1898430 Enterprise Security
HP Fortify Application Security Lucas v. Stockhausen PreSales Manager HP Fortify EMEA lvonstockhausen@hp.com +49 1520 1898430 Enterprise Security The problem Cyber attackers are targeting applications
More informationMobile Application Hacking for ios. 3-Day Hands-On Course. Syllabus
Mobile Application Hacking for ios 3-Day Hands-On Course Syllabus Course description ios Mobile Application Hacking 3-Day Hands-On Course This course will focus on the techniques and tools for testing
More informationlocuz.com Professional Services Security Audit Services
locuz.com Professional Services Security Audit Services Today s Security Landscape Today, over 80% of attacks against a company s network come at the Application Layer not the Network or System layer.
More informationRevisiting SQL Injection Will we ever get it right? Michael Sutton, Security Evangelist
Revisiting SQL Injection Will we ever get it right? Michael Sutton, Security Evangelist Overview Background What it is? How are we doing? Web 2.0 SQL injection meets AJAX Fuggle SQL Injection meets Google
More informationMobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus
Mobile Application Hacking for Android and iphone 4-Day Hands-On Course Syllabus Android and iphone Mobile Application Hacking 4-Day Hands-On Course Course description This course will focus on the techniques
More informationManaging Web & Application Security with OWASP bringing it all together. Tobias Gondrom (OWASP Project Leader)
Managing Web & Application Security with OWASP bringing it all together Tobias Gondrom (OWASP Project Leader) OWASP World OWASP is a worldwide free and open community focused on improving the security
More informationA Strategic Approach to Web Application Security
WhiteHat Security White Paper A Strategic Approach to Web Application Security Extending security across the entire software development lifecycle Jerry Hoff Vice President, Static Code Analysis Division
More informationSAP: Session (Fixation) Attacks and Protections
www.taddong.com SAP: Session (Fixation) Attacks and Protections (in Web Applications) Raul Siles raul@taddong.com April 15, 2011 VII OWASP Spain Chapter Meeting Copyright 2011 Taddong S.L. Todos los derechos
More informationThe monsters under the bed are real... 2004 World Tour
Web Hacking LIVE! The monsters under the bed are real... 2004 World Tour Agenda Wichita ISSA August 6 th, 2004 The Application Security Dilemma How Bad is it, Really? Overview of Application Architectures
More informationWeb Application Security
Web Application Security John Zaharopoulos ITS - Security 10/9/2012 1 Web App Security Trends Web 2.0 Dynamic Webpages Growth of Ajax / Client side Javascript Hardening of OSes Secure by default Auto-patching
More informationA Strategic Approach to Web Application Security The importance of a secure software development lifecycle
A Strategic Approach to Web Application Security The importance of a secure software development lifecycle Rachna Goel Technical Lead Enterprise Technology Web application security is clearly the new frontier
More information