Open Web Application Security Project
1 The OWASP Foundation, Open Web Application Security Project. Antonio Fontes, SWISS CYBER STORM Conference, May 2011, Rapperswil. Copyright The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
2 A few words about me: Antonio Fontes. 6 years background working on software security & privacy. Founder and principal consultant at L7 Securité Sàrl. Lecturer at HST Yverdon (HEIG-VD). Focus: Web application threats and countermeasures; Secure development lifecycle; Penetration testing and vulnerability assessment; Software threat modelling and risk analysis. OWASP: OWASP Switzerland: member of the board, western Switzerland delegate. OWASP Geneva: Chapter leader.
3 cat /wwwroot/agenda.html: Why do organizations need OWASP? OWASP worldwide. OWASP in Switzerland. Q/A.
4 Thermometer: Is your organization already using OWASP material? - For internal software development? - For outsourced custom software? - For COTS acquisition? (photo by Dave Oshry)
5 Why do organisations need OWASP?
6 Why do organisations need OWASP?
7 Why do organisations need OWASP? 77 million users! 101 million users!
8 Why do organisations need OWASP? Handout from Sony Entertainment Online conference on the recent computer intrusion that led to more than 110 million user accounts being stolen (May 1st 2011). (photo by Dave Oshry)
9 Why do organisations need OWASP?
10 Just a little check: Who knows PBKDF2?
11 Why do organisations need OWASP? Who understands this in your organisation?
12 Why do organisations need OWASP? Use hashes!! No! Don't use hashes!!
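The point behind the PBKDF2 question and the "use hashes / don't use hashes" slide, as an added example that is not part of the original slides: a plain unsalted hash gives every user with the same password the same digest, whereas PBKDF2 derives a per-user, deliberately slow value from a random salt and an iteration count. The iteration count, salt length and the `$`-separated record format are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this example (assumptions, not from the slides):
# PBKDF2 with HMAC-SHA256, a 16-byte random salt per user, 100k iterations.
ITERATIONS = 100_000
SALT_BYTES = 16
DK_LEN = 32


def plain_hash(password: str) -> bytes:
    """The 'just use hashes' approach: one unsalted, fast SHA-256 digest.
    Two users with the same password get the same digest, and a single
    precomputed table attacks every account at once."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a PBKDF2-HMAC-SHA256 key and store it with its own parameters,
    so the salt and iteration count can be raised later without a migration
    flag day. Record format (assumed): algo$iterations$salt_hex$dk_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, iterations, dklen=DK_LEN)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count and compare in
    constant time. Malformed records are rejected rather than raising."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, min_iterations: int = ITERATIONS) -> bool:
    """True when a stored record uses fewer iterations than current policy;
    call after a successful login to upgrade old records transparently."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return True
    try:
        return int(parts[1]) < min_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed demo: two users who happen to share a password.
    a = pbkdf2_record("correct horse battery staple")
    b = pbkdf2_record("correct horse battery staple")
    print("plain hashes identical:", plain_hash("correct horse battery staple")
          == plain_hash("correct horse battery staple"))
    print("pbkdf2 records identical:", a == b)
    print("verify ok:", verify_record("correct horse battery staple", a))
    print("verify wrong pw:", verify_record("Tr0ub4dor&3", a))
```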
13 Why do organisations need OWASP? Outside the organisation: Increasing adoption of "Anything over HTTP". Increasing hostile interest in online services: increasing threat population; web hacking/security is easy to understand/teach; low risk of being caught. Increasing offer in security consulting, services and products.
14 Why do organisations need OWASP? Inside organisations: Developers dealing with dozens of web technologies. Heterogeneous development teams and lifecycles. Constant pressure for delivery. Turnover and loss of internal know-how. Who in the company is actually both up-to-date on the concept of (web) application security and has the power to take decisions? Who in the company is actually able to qualify the security products and services that are paid for?
15 Why do organisations need OWASP?
16 OWASP foundation. Structure: U.S. 501c3 not-for-profit charitable international organization. Mission: Make application security visible, so that people and organisations can make informed decisions about application security risks. Code of ethics: Independence from vendors, technology-agnostic. Core values: Open, Global, Innovation, Worldwide.
17 "strategy" (or so...): Website, Threat Board, Committees, Summit, Chapters, Projects, Conferences, Members, People, Methods, Tools, Web Application?, Company assets.
18 OWASP people
19 Project Leaders: Responsible for driving volunteer effort on OWASP material projects: Workshops, Brainstorming sessions, Analysis/reporting, Guides editing, Tools coding. 19 quality-release and 26 beta-status projects.
20 Chapter Leaders: Responsible for leading Local Chapters: 188 Chapters worldwide. More than 300 yearly meetings worldwide. Connect with local organisations. Next local chapter meeting: Zurich, June 14th.
21 Global Committees: Responsible for driving volunteer effort on global OWASP outreach. OWASP current Global Committees: Industries, Membership, Government, Education, Projects, Events, Connections.
22 Employees and contractors: Kate Hartmann: Logistics and day-to-day support for leaders of the 188 local chapters. Alison Shrader: Accounting & Administration. Paulo Coimbra: OWASP PMO. Sarah Basso: Operations during OWASP events.
23 Research conference: Conference dedicated to research work on application security.
24 Appsec conference: Yearly global application security focused conferences: Europe, North America, South America, Asia. Next OWASP Conference in Europe: Dublin, June 7th-10th.
25 Summits: Intensive 1-week workshop event with leaders, contributors, sponsors and software vendors: Ability to connect with leading software vendors and corporate members. More than 150 reunited chapter & project leaders. 80 workshops.
26 OWASP members
27 OWASP Membership. Individual members: Annual fee: 50$/year. Free access to OWASP Training day events. Reduced fees at OWASP Events. Current count: 1383 individual contributing members.
28 OWASP Membership. Corporate members: 52 public corporate members. Annual fee: 5 000$/year. Delegates for the Summit event. Logo on website, use as marketing argument. Majority is from the US, but Switzerland is also there.
29 OWASP Membership. Academic members: Annual fee: 0$/year. Donate: support. 40 members. Switzerland: 1 officialised partnership (HEIG-VD), 2 pending partnerships.
30 OWASP: the web portal
31 https:// unique visitors monthly, pages viewed monthly. 60% driven by search engines, 19% referred by other websites. Highest traffic motives: OWASP Top 10, Webscarab project, XSS prevention cheat sheet, sql injection.
32 http://lists.owasp.org: More than 400 mailing lists currently running users. Related to: tools, documents, methods, committees, events, outreach, leaders, etc.
33 OWASP projects
34 OWASP projects: Tools. Lifecycle phases: Analyze, Design, Implement, Verify, Deploy, Respond. Tools: AntiSamy, ESAPI, CSRFGuard, Encoding, Stinger, JBroFuzz, LiveCD, WebScarab, O2, Code Crawler, ModSecurity CRS, DirBuster, WebScarab, Orizon, Zed Attack Proxy. Academy portal, Broken Web applications, ESAPI Swingset, Webgoat.
35 OWASP projects: Documents. Lifecycle phases: Analyze, Design, Implement, Verify, Deploy, Respond. Documents: Secure contract, Application security requirements, Threat risk modeling, Development, J2EE Security, RoR Security, .NET Security, Code Review, Testing, ASVS, Backend Security, Code Review, Testing, AJAX Security, PHP Security, Secure coding practices. Academy, Appsec FAQ, Appsec metrics, Common Vuln. List, Education, Exams, Legal, OWASP Top 10.
36 Tools: webgoat. COTS web application for webapp security (CBT) training. Click and run /index.php/webgoat
37 Tools: ModSecurity core ruleset. Critical protections centralized in a core ruleset (CRS) to be installed on ModSecurity enabled Apache servers. Provides: HTTP Protocol compliance, Attack detection, Error detection, Search engine monitoring. https://
38 Tools: Enterprise Security API. Control library encapsulating most security functions required in web applications: Authentication, Access control, Sessions, Encoding, Input validation, Encryption, Logging, Intrusion detection. https://
39 Documents: OWASP Top 10. https://
40 Documents: code review guide. Instructions and methodology manual for conducting code security reviews. Guidance on detecting the major security flaws created during implementation. https:// Category:OWASP_Code_Review_Project
41 Documents: ASVS. ASVS: Application Security Verification Standard. 4 verification (assurance) levels across more than 120 security controls. Tailored to your own risk aversion. https://
42 Documents: OpenSAMM. Open Software Assurance Maturity Model. https:// Category:Software_Assurance_Maturity_Model
43 OWASP Switzerland
44 OWASP Switzerland's structure: No legal form (yet, just a few days left). Leader: Sven Vetsch. Board members: Tobias Christen, Antonio Fontes. Based in Zurich. 130 mailing list members. Next meeting: June 14th. Other local city/region chapters: OWASP Geneva: 90 list members. Next meeting: September 6th.
45 Activities: meetings and conferences. Local chapter meetings: 1, 2, 3 speakers per event. Geneva, Yverdon, Zurich. ~8 meetings/year. Attendance: people. People love these meetings! (Historical) conference partnerships:
46 Activities: awareness sessions. Awareness session for Swiss organizations: 1 hour, head-to-head session with an OWASP representative at your company. Syllabus: OWASP organization, OWASP projects and membership opportunities. 4 Swiss private companies requested this in 2010. It's free! BUT: it's not free training or consulting!! → No product names → No "reviews" → No training.
47 OWASP Switzerland is live! (non exhaustive list, sorry for those I forgot) Ivan Butler: Web application firewall & Hacking lab. Tobias Christen: Security & Usability. Alexis Fitzgerald: Gathering application security requirements. Christian Folini: ModSecurity CRS & DDoS defense. Antonio Fontes: Threat modelling & Lifecycle security. Axel Neumann: Zed Attack Proxy. Sylvain Maret: Strong authentication. Pierre Parrend: Java mobile applications. Sven Vetsch: Advanced XSS attacks and defense... ← come to me after the talk if you want your name here.
48 Thank you! Visit the OWASP Website: https:// Join the OWASP Switzerland mailing list: http:// Follow us on Get in touch with your local OWASP representatives: Sven Vetsch (Switzerland) sven.vetsch@disenchant.ch; Antonio Fontes (Western/French Switzerland) antonio.fontes@owasp.org
Division of Informa-on Technology Welcome to the Technology at Maryland Session The Division of Informa0on Technology is the central IT organiza0on for the university. www.it.umd.edu The Division of IT
More informationHI THIS IS URGENT PLZ FIX ASAP: Cri5cal Vulnerabili5es and Bug Bounty Programs
HI THIS IS URGENT PLZ FIX ASAP: Cri5cal Vulnerabili5es and Bug Bounty Programs Kymberlee Price Senior Director of Researcher Opera5ons Bugcrowd @Kym_Possible whoami? Senior Director of a Red Team PSIRT
More informationSan Francisco Chapter. Presented by Mike O. Villegas, CISA, CISSP
Presented by Mike O. Villegas, CISA, CISSP Agenda Information Security (IS) Vision at Newegg.com Typical Issues at Most Organizations Information Security Governance Four Inter-related CoBIT Domains ISO
More informationPaco Hope <paco@cigital.com> Florence Mo ay <fmo ay@cigital.com> 2012 Cigital. All Rights Reserved. SecAppDev. Define third party so ware
Paco Hope Florence Moay 2012 Cigital. All Rights Reserved. SecAppDev 1 Objectives Define third party soware What it is, why we use it Define the risks from third
More informationNo Cloud Allowed. Denying Service to DDOS Protection Services
No Cloud Allowed Denying Service to DDOS Protection Services Presented by: Allison Nixon Allison.Nixon@integralis.com Pentesting, Incident Response PaulDotCom host Cloud Based DDOS Protection How it works
More informationAdvanced Web Security, Lab
Advanced Web Security, Lab Web Server Security: Attacking and Defending November 13, 2013 Read this earlier than one day before the lab! Note that you will not have any internet access during the lab,
More informationSophos Ltd. All rights reserved.
Sophos Ltd. All rights reserved. 1 Sophos Approach to Unified Security Integrated Security for Be9er Protec;on James Burchell & Greg Iddon, Sales Engineers UK&I, Technology Services What we re going to
More informationDr. Markus Braendle, Head of Cyber Security, ABB Group 10 Steps on the Road to a Successful Cyber Security Program Asia Pacific ICS Security SUMMIT
Dr. Markus Braendle, Head of Cyber Security, ABB Group 10 Steps on the Road to a Successful Cyber Security Program Asia Pacific ICS Security SUMMIT December 3, 2013 slide 1 A global leader in power and
More informationDevelopment of Open Source RESTful WHOIS. Haikuo Zhang
Development of Open Source RESTful WHOIS Haikuo Zhang Why We Need a New WHOIS Protocol WHOIS Protocol (RFC 3912) has problems WHOIS has never been internationalized WHOIS was defined for ASCII only WHOIS
More informationITDays Security issues
ITDays Security issues Malicious Intrusion, are we concerned in our Organiza;on? 7 steps to evaluate your situa;on! Christophe Bianco - Christophe Rosenkranz Paul Jung November 2014 1 Agenda Are you concerned?
More informationUsing Free Tools To Test Web Application Security
Using Free Tools To Test Web Application Security Speaker Biography Matt Neely, CISSP, CTGA, GCIH, and GCWN Manager of the Profiling Team at SecureState Areas of expertise: wireless, penetration testing,
More informationSplunk for Networking and SDN
Copyright 2013 Splunk Inc. Splunk for Networking and SDN Stela Udovicic Senior Product Marke?ng Manager, Splunk #splunkconf Legal No?ces During the course of this presenta?on, we may make forward- looking
More informationChallenges of PM in Albania and a New. Professional Perspec8ve. Prepared by: Dritan Mezini, MBA, MPM B.S. CS
Challenges of PM in Albania and a New Professional Perspec8ve Prepared by: Dritan Mezini, MBA, MPM B.S. CS Table of contents Presenter s brief introduc8on General Concepts What is a project? What is Project
More informationWeb Applica+on Security: Be Offensive! About Me
Web Applica+on Security: Be Offensive! Eric Johnson Cypress Data Defense 1 About Me Eric Johnson (Twi
More informationInteractive Application Security Testing (IAST)
WHITEPAPER Interactive Application Security Testing (IAST) The World s Fastest Application Security Software Software affects virtually every aspect of an individual s finances, safety, government, communication,
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationAlexander Polyakov CTO ERPScan
Invest in security to secure investments ERP Security. Myths, Problems, Solu6ons Alexander Polyakov CTO ERPScan About ERPScan The only 360- degree SAP Security solu8on - ERPScan Security Monitoring Suite
More information