Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group
|
|
- Jared Cannon
- 8 years ago
- Views:
Transcription
1 Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group
2 Overview What is Application Security? Examples of Potential Vulnerabilities Potential Strategies to Build Secure Apps Questions and Answers
3 Denim Group Background Enterprise application development company with security expertise Custom software development Application-level integration Application security assessments and secure application development
4 What is Application Security Security associated with custom application code Focus is on web application security Versus non-internet facing applications Complements existing infrastructure security assets such as firewalls, IDS, and secured operating systems
5 Nature of HTTP and the Web Connectionless protocol no state Anonymity of attacks Assumption: web servers expect request to come from browser, therefore implicitly trust input
6 Why Application Security 70% of applications reviewed by security firm had significant security design Security Briefing Interaction between server, 3 rd party code, and custom business logic creates vulnerabilities Patching or rebuilding app expensive Perception exists that locking down OS and web server = web security
7 Why Application Security Web-facing, business critical applications HTTP & SLL open to the world Much investment focused on infrastructure Well understood threats, mature products Firewalls, authentication, intrusion detection Security many times an overlooked facet of web development projects
8 Examples of Potential Vulnerabilities
9 Parameter Tampering Price information is stored in hidden HTML field with assigned $ value Assumption: hidden field won t be edited Attacker edits $ value of product in HTML Attacker submits altered web page with new price Still widespread in many web stores
10 Price Changes via Hidden HTML tags
11 Price Changes via Hidden HTML tags
12 Cookie Poisoning Attacker impersonates another user Identifies cookie values that ID s the customer to the site Attacker notices patterns in cookie values Edits pattern to mimic another user
13 Cookie Poisoning
14 Cookie Poisoning
15 Cookie Poisoning
16 Cookie Poisoning
17 Unvalidated Input Attack Exploitation of implied trust relations Instead of: Attacker inputs: ////////////////////////////////////////////////// Exploits lack of boundary checkers on back-end application
18 Unvalidated Input Attack
19 Unvalidated Input Attack
20 Unvalidated Input Attack
21 Unvalidated Input Attack
22 Open Web Application Security Project Top Ten Most Critical Web Application Security Vulnerabilities 1. Unvalidated Input 2. Broken Access Control 3. Broken Authentication and Access Control 4. Cross-Site Scripting Flaws 5. Buffer Overflows 6. Injection Flaws 7. Improper Error Handling 8. Insecure Storage 9. Denial of Service 10. Insecure Configuration Management Source:
23 Client side authentication Web apps many times use client-side code to present and manage data Storage of usernames or ID numbers in cookie make them ripe for forgery Sites rely on cookie expiration to terminate sessions You can modify cookies to extend time Bottom line: Never trust anything from an http request
24 Potential Strategies to Build Secure Apps
25 Key Issue: Build vs. Measure Cultures Application Development groups are building technical capabilities based upon evolving business requirements Corporate IS Security dept. in charge of ongoing security operations
26 Additional Challenges Most organizations do not have sufficiently skilled resources to cope with application security assessments Development teams typically under deadlines I love deadlines. I especially love the whooshing sound they make as they fly by. --Douglas Adams, Author, Hitchhiker's Guide to the Galaxy.
27 Emerging Best Practices Security must become a key aspect of the development process Security requirements reflected in design plan Ensure the security is part of the iterative development process Changes to web sites are ongoing and are not static QA Group should not be last line of defense
28 Code Evaluation Paths Code review auditing source code Expensive, time consuming, and takes expertise Application assessments reviews functionality and interactions of compiled applications in real-life environments Potentially superficial and only capture a % of actual vulnerabilities in custom code
29 Application Security Reviews Internal or 3 rd party process to assess internally developed applications Assessment reviews major web app vulnerabilities Use best-of-breed tools and custom scripts Integrated with client development schedule Reviews designed to coincide with key development milestones of client project
30 Application Security Reviews Commercial security scanners are becoming more widespread Automated tools are great first-round way to assess potential vulnerabilities However, in-depth assessments use custom scripts and code reviews (sometimes) Analogy of network scanners Consider Augmenting security team with internal or external.net and Java security experts
31 Assessment Benefits 3 rd -party assessment of applications by noted experts; Increase confidence & reliability in application Compliance with government regulations Sarbanes Oxley, GLB, HIPAA Satisfies potential SEC audit objectives Knowledge transfer to clients on development techniques for secure applications
32 Wrap up Application Security is emerging as a critical aspect of enterprise security Emerging best practices include iterative assessments and defense in depth Cultural, organizational, and technical challenges all may hinder an effective strategy
33 Wrap Up Questions and Answers
How to Build a Trusted Application. John Dickson, CISSP
How to Build a Trusted Application John Dickson, CISSP Overview What is Application Security? Examples of Potential Vulnerabilities Strategies to Build Secure Apps Questions and Answers Denim Group, Ltd.
More informationApplication Security and the SDLC. Dan Cornell Denim Group, Ltd. www.denimgroup.com
Application Security and the SDLC Dan Cornell Denim Group, Ltd. www.denimgroup.com Overview Background What is Application Security and Why is It Important? Specific Reference Examples Integrating Security
More informationIntroduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006
Introduction to Web Application Security Microsoft CSO Roundtable Houston, TX September 13 th, 2006 Overview Background What is Application Security and Why Is It Important? Examples Where Do We Go From
More informationApplication Security and the SDLC. Dan Cornell Denim Group, Ltd. www.denimgroup.com
Application Security and the SDLC Dan Cornell Denim Group, Ltd. www.denimgroup.com Overview Background What is Application Security and Why is It Important? Specific Reference Examples Integrating Security
More informationAn Introduction to Application Security In ASP.NET Environments. Houston.NET User Group. February 23 rd, 2006
An Introduction to Application Security In ASP.NET Environments Houston.NET User Group February 23 rd, 2006 Overview Background What is Application Security and Why Is It Important? Examples ASP.NET Specific
More informationAn Introduction to Application Security in J2EE Environments
An Introduction to Application Security in J2EE Environments Dan Cornell Denim Group, Ltd. www.denimgroup.com Overview Background What is Application Security and Why is It Important? Specific Reference
More informationTurning the Battleship: How to Build Secure Software in Large Organizations. Dan Cornell May 11 th, 2006
Turning the Battleship: How to Build Secure Software in Large Organizations Dan Cornell May 11 th, 2006 Overview Background and key questions Quick review of web application security The web application
More informationWhat is Web Security? Motivation
brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web
More informationPassing PCI Compliance How to Address the Application Security Mandates
Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These
More informationTHE HACKERS NEXT TARGET
Governance and Risk Management THE HACKERS NEXT TARGET YOUR WEB AND SOFTWARE Anthony Lim MBA CISSP CSSLP FCITIL Director, Security, Asia Pacific Rational Software ISC2 CyberSecurity Conference 09 Kuala
More informationWeb Engineering Web Application Security Issues
Security Issues Dec 14 2009 Katharina Siorpaes Copyright 2009 STI - INNSBRUCK www.sti-innsbruck.at It is NOT Network Security It is securing: Custom Code that drives a web application Libraries Backend
More informationThe monsters under the bed are real... 2004 World Tour
Web Hacking LIVE! The monsters under the bed are real... 2004 World Tour Agenda Wichita ISSA August 6 th, 2004 The Application Security Dilemma How Bad is it, Really? Overview of Application Architectures
More informationWeb Application Report
Web Application Report This report includes important security information about your Web Application. Security Report This report was created by IBM Rational AppScan 8.5.0.1 11/14/2012 8:52:13 AM 11/14/2012
More informationThe Top Web Application Attacks: Are you vulnerable?
QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding
More information3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management
What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org
More informationWEB APPLICATION SECURITY
WEB APPLICATION SECURITY Governance and Risk Management YOUR LAST LINE OF DEFENSE Aug 06 2009 ANSES RAH RAH Anthony Lim MBA CISSP CSSLP FCITIL Director, Security, Asia Pacific Rational Software Prolog
More informationDon t Get Burned! Are you Leaving your Critical Applications Defenseless?
Don t Get Burned! Are you Leaving your Critical Applications Defenseless? Ed Bassett Carolyn Ryll, CISSP Enspherics Division of CIBER Presentation Overview Applications Exposed The evolving application
More informationOWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp.
and Top 10 (2007 Update) Dave Wichers The Foundation Conferences Chair dave.wichers@owasp.org COO, Aspect Security dave.wichers@aspectsecurity.com Copyright 2007 - The Foundation This work is available
More informationNorth Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing
North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing Introduction ManTech Project Manager Mark Shaw, Senior Executive Director Cyber Security Solutions Division
More informationLast update: February 23, 2004
Last update: February 23, 2004 Web Security Glossary The Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. The purpose of the Glossary is to
More informationBarracuda Web Site Firewall Ensures PCI DSS Compliance
Barracuda Web Site Firewall Ensures PCI DSS Compliance E-commerce sales are estimated to reach $259.1 billion in 2007, up from the $219.9 billion earned in 2006, according to The State of Retailing Online
More informationCreating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011 Agenda Evolving Threats Operating System Application User Generated Content JPL s Application Security Program Securing
More informationWeb App Security Audit Services
locuz.com Professional Services Web App Security Audit Services The unsecured world today Today, over 80% of attacks against a company s network come at the Application Layer not the Network or System
More informationLearning objectives for today s session
Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Learning objectives for today s session Understand what a black box and white box assessment is and how they differ Identify
More informationSecure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda
Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current
More informationMagento Security and Vulnerabilities. Roman Stepanov
Magento Security and Vulnerabilities Roman Stepanov http://ice.eltrino.com/ Table of contents Introduction Open Web Application Security Project OWASP TOP 10 List Common issues in Magento A1 Injection
More informationComplete Web Application Security. Phase1-Building Web Application Security into Your Development Process
Complete Web Application Security Phase1-Building Web Application Security into Your Development Process Table of Contents Introduction 3 Thinking of security as a process 4 The Development Life Cycle
More informationSecuring Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group
Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability
More informationRational AppScan & Ounce Products
IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168
More informationAdobe Systems Incorporated
Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...
More informationWeb Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability
Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability WWW Based upon HTTP and HTML Runs in TCP s application layer Runs on top of the Internet Used to exchange
More informationWhy Web Applications are making a hackers life easy. Presented by Jon Grew BT SBS
Why Web Applications are making a hackers life easy. Presented by Jon Grew BT SBS Acknowledgements Ed Barlow Technical Director EMEA Ed sends his apologies. The following presentation is based on the talk
More informationExternal Supplier Control Requirements
External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must
More informationThe Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA
The Weakest Link: Mitigating Web Application Vulnerabilities webscurity White Paper webscurity Inc. Minneapolis, Minnesota USA January 25, 2007 Contents Executive Summary...3 Introduction...4 Target Audience...4
More informationThreat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP
Threat Modeling Categorizing the nature and severity of system vulnerabilities John B. Dickson, CISSP What is Threat Modeling? Structured approach to identifying, quantifying, and addressing threats. Threat
More informationBlack Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP
Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Learning objectives for today s session Understand different types of application assessments and how they differ Be
More informationWEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY
WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities
More informationOut of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet
Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development
More informationWeb Application Security
Chapter 1 Web Application Security In this chapter: OWASP Top 10..........................................................2 General Principles to Live By.............................................. 4
More informationStrategic Information Security. Attacking and Defending Web Services
Security PS Strategic Information Security. Attacking and Defending Web Services Presented By: David W. Green, CISSP dgreen@securityps.com Introduction About Security PS Application Security Assessments
More informationIntegrating Security into the Application Development Process. Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis
Integrating Security into the Application Development Process Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis Agenda Seek First to Understand Source Code Security AppSec and SQA Analyzing
More informationApplication Security Testing. Generic Test Strategy
Application Security Testing Generic Test Strategy Page 2 of 8 Contents 1 Introduction 3 1.1 Purpose: 3 1.2 Application Security Testing: 3 2 Audience 3 3 Test Strategy guidelines 3 3.1 Authentication
More informationSecure Web Applications. The front line defense
Secure Web Applications The front line defense Agenda Web Application Security Threat Overview Exploiting Web Applications Common Attacks & Preventative techniques Developing Secure Web Applications -Security
More informationThe New PCI Requirement: Application Firewall vs. Code Review
The New PCI Requirement: Application Firewall vs. Code Review The Imperva SecureSphere Web Application Firewall meets the new PCI requirement for an application layer firewall. With the highest security
More informationWeb application security: automated scanning versus manual penetration testing.
Web application security White paper January 2008 Web application security: automated scanning versus manual penetration testing. Danny Allan, strategic research analyst, IBM Software Group Page 2 Contents
More informationColumbia University Web Security Standards and Practices. Objective and Scope
Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements
More informationYour Web and Applications
Governance and Risk Management Your Web and Applications The Hacker s New Target Anthony Lim MBA CISSP CSSLP FCITIL Director, Security, Asia Pacific Rational Software Social Engineering in the Business
More informationWeb Application Penetration Testing
Web Application Penetration Testing 2010 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Will Bechtel William.Bechtel@att.com
More informationMean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP
Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP Presentation Overview Basic Application Security (AppSec) Fundamentals Risks Associated With
More informationTesting the OWASP Top 10 Security Issues
Testing the OWASP Top 10 Security Issues Andy Tinkham & Zach Bergman, Magenic Technologies Contact Us 1600 Utica Avenue South, Suite 800 St. Louis Park, MN 55416 1 (877)-277-1044 info@magenic.com Who Are
More informationWeb Application Security
Web Application Security Prof. Sukumar Nandi Indian Institute of Technology Guwahati Agenda Web Application basics Web Network Security Web Host Security Web Application Security Best Practices Questions?
More informationWhere every interaction matters.
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
More information1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications
1. Introduction 2. Web Application 3. Components 4. Common Vulnerabilities 5. Improving security in Web applications 2 What does World Wide Web security mean? Webmasters=> confidence that their site won
More informationTop Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia
Top Ten Web Application Vulnerabilities in J2EE Vincent Partington and Eelco Klaver Xebia Introduction Open Web Application Security Project is an open project aimed at identifying and preventing causes
More informationMANAGED SECURITY TESTING
MANAGED SECURITY TESTING SERVICE LEVEL COMPARISON External Network Testing (EVS) Scanning Basic Threats Penetration Testing Network Vulnerability Scan Unauthenticated Web App Scanning Validation Of Scan
More informationNew IBM Security Scanning Software Protects Businesses From Hackers
New IBM Security Scanning Software Protects Businesses From Hackers Chatchawun Jongudomsombut Web Application Security Situation Today HIGH AND INCREASING DEPENDENCE ON WEB SERVICES Work and business Communications
More informationCracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference
Cracking the Perimeter via Web Application Hacking Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference About 403 Labs 403 Labs is a full-service information security and compliance
More informationSecure Code Development
ISACA South Florida 7th Annual WOW! Event Copyright Elevate Consult LLC. All Rights Reserved 1 Agenda i. Background ii. iii. iv. Building a Business Case for Secure Coding Top-Down Approach to Develop
More informationArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young
ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction
More informationWeb application security Executive brief Managing a growing threat: an executive s guide to Web application security.
Web application security Executive brief Managing a growing threat: an executive s guide to Web application security. Danny Allan, strategic research analyst, IBM Software Group Contents 2 Introduction
More informationThe security of Web applications
AARMS Vol. 8, No. 1 (2009) 173 178 INFORMATION SECURITY The security of Web applications VALÉRIA PÓSERNÉ OLÁH Budapest Tech, John Von Neumann Faculty of Informatics, Budapest, Hungary The network (LAN)
More informationApplication Security Best Practices. Wally LEE <wally.lee@scs.com.sg> Principal Consultant
Application Security Best Practices Wally LEE Principal Consultant 17/18 March 2009 Speaker Profile Wally LEE CISSP BS7799 Lead Auditor Certified Ultimate Hacking Instructor Certified
More informationJava Web Application Security
Java Web Application Security RJUG Nov 11, 2003 Durkee Consulting www.rd1.net 1 Ralph Durkee SANS Certified Mentor/Instructor SANS GIAC Network Security and Software Development Consulting Durkee Consulting
More information(WAPT) Web Application Penetration Testing
(WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:
More informationDISA's Application Security and Development STIG: How OWASP Can Help You. AppSec DC November 12, 2009. The OWASP Foundation http://www.owasp.
DISA's Application Security and Development STIG: How Can Help You AppSec DC November 12, 2009 Jason Li Senior Application Security Engineer jason.li@aspectsecurity.com The Foundation http://www.owasp.org
More informationWHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats
WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top
More informationWeb Application Vulnerability Testing with Nessus
The OWASP Foundation http://www.owasp.org Web Application Vulnerability Testing with Nessus Rïk A. Jones, CISSP rikjones@computer.org Rïk A. Jones Web developer since 1995 (16+ years) Involved with information
More informationelearning for Secure Application Development
elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security
More informationChapter 1 Web Application (In)security 1
Introduction xxiii Chapter 1 Web Application (In)security 1 The Evolution of Web Applications 2 Common Web Application Functions 4 Benefits of Web Applications 5 Web Application Security 6 "This Site Is
More informationWeb Applications The Hacker s New Target
Web Applications The Hacker s New Target Ross Tang IBM Rational Software An IBM Proof of Technology Hacking 102: Integrating Web Application Security Testing into Development 1 Are you phished? http://www.myfoxny.com/dpp/your_money/consumer/090304_facebook_security_breaches
More informationCS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module
CS 665: Computer System Security Network Security Bojan Cukic Lane Department of Computer Science and Electrical Engineering West Virginia University 1 Usage environment Anonymity Automation, minimal human
More information05.0 Application Development
Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development
More informationHP Application Security Center
HP Application Security Center Web application security across the application lifecycle Solution brief HP Application Security Center helps security professionals, quality assurance (QA) specialists and
More informationApplication Code Development Standards
Application Code Development Standards Overview This document is intended to provide guidance to campus system owners and software developers regarding secure software engineering practices. These standards
More informationApplication Security Testing. Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec.co.il
Application Security Testing Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec.co.il Agenda The most common security vulnerabilities you should test for Understanding the problems
More informationDFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)
Title: Functional Category: Information Technology Services Issuing Department: Information Technology Services Code Number: xx.xxx.xx Effective Date: xx/xx/2014 1.0 PURPOSE 1.1 To appropriately manage
More informationEnterprise Computing Solutions
Business Intelligence Data Center Cloud Mobility Enterprise Computing Solutions Security Solutions arrow.com Security Solutions Secure the integrity of your systems and data today with the one company
More informationSAST, DAST and Vulnerability Assessments, 1+1+1 = 4
SAST, DAST and Vulnerability Assessments, 1+1+1 = 4 Gordon MacKay Digital Defense, Inc. Chris Wysopal Veracode Session ID: Session Classification: ASEC-W25 Intermediate AGENDA Risk Management Challenges
More informationOWASP Top Ten Tools and Tactics
OWASP Top Ten Tools and Tactics Russ McRee Copyright 2012 HolisticInfoSec.org SANSFIRE 2012 10 JULY Welcome Manager, Security Analytics for Microsoft Online Services Security & Compliance Writer (toolsmith),
More informationTop Ten Web Attacks. Saumil Shah Net-Square. BlackHat Asia 2002, Singapore
Top Ten Web Attacks Saumil Shah Net-Square BlackHat Asia 2002, Singapore TodayÕs battleground Ð the Web Web sites and web applications rapidly growing. Complex business applications are now delivered over
More informationWeb Application Security
E-SPIN PROFESSIONAL BOOK Vulnerability Management Web Application Security ALL THE PRACTICAL KNOW HOW AND HOW TO RELATED TO THE SUBJECT MATTERS. COMBATING THE WEB VULNERABILITY THREAT Editor s Summary
More informationWeb Application Security
Web Application Security Ng Wee Kai Senior Security Consultant PulseSecure Pte Ltd About PulseSecure IT Security Consulting Company Part of Consortium in IDA (T) 606 Term Tender Cover most of the IT Security
More informationPayment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security
Payment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security John Mason Slides & Code - labs.fusionlink.com Blog - www.codfusion.com What is PCI-DSS? Created by the
More informationAttack Vector Detail Report Atlassian
Attack Vector Detail Report Atlassian Report As Of Tuesday, March 24, 2015 Prepared By Report Description Notes cdavies@atlassian.com The Attack Vector Details report provides details of vulnerability
More informationPenetration Testing Service. By Comsec Information Security Consulting
Penetration Testing Service By Consulting February, 2007 Background The number of hacking and intrusion incidents is increasing year by year as technology rolls out. Equally, there is no hiding place your
More informationSecurity Test s i t ng Eileen Donlon CMSC 737 Spring 2008
Security Testing Eileen Donlon CMSC 737 Spring 2008 Testing for Security Functional tests Testing that role based security functions correctly Vulnerability scanning and penetration tests Testing whether
More informationFINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE
Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security
More informationWeb Application Vulnerabilities and Avoiding Application Exposure
Web Application Vulnerabilities and Avoiding Application Exposure The introduction of BIG-IP Application Security Manager (ASM) version 9.4.2 marks a major step forward. BIG-IP ASM now offers more features
More informationCheck list for web developers
Check list for web developers Requirement Yes No Remarks 1. Input Validation 1.1) Have you done input validation for all the user inputs using white listing and/or sanitization? 1.2) Does the input validation
More informationThick Client Application Security
Thick Client Application Security Arindam Mandal (arindam.mandal@paladion.net) (http://www.paladion.net) January 2005 This paper discusses the critical vulnerabilities and corresponding risks in a two
More informationIntegrating Web Application Security into the IT Curriculum
Integrating Web Application Security into the IT Curriculum James Walden Northern Kentucky University Topics 1. 2. 3. 4. Why should we teach web application security? What material do we need to cover?
More information90% of data breaches are caused by software vulnerabilities.
90% of data breaches are caused by software vulnerabilities. Get the skills you need to build secure software applications Secure Software Development (SSD) www.ce.ucf.edu/ssd Offered in partnership with
More informationChallenges of Automated Web Application Scanning
1 Challenges of Automated Web Application Scanning "Why automated scanning only solves half the problem." Blackhat Windows 2004 Seattle, WA Jeremiah Grossman (CEO) WhiteHat Security, Inc. 2 Speaker Bio
More informationCyber Exploits: Improving Defenses Against Penetration Attempts
Cyber Exploits: Improving Defenses Against Penetration Attempts Mark Burnette, CPA, CISA, CISSP, CISM, CGEIT, CRISC, QSA LBMC Security & Risk Services Today s Agenda Planning a Cyber Defense Strategy How
More informationReducing Application Vulnerabilities by Security Engineering
Reducing Application Vulnerabilities by Security Engineering - Subash Newton Manager Projects (Non Functional Testing, PT CoE Group) 2008, Cognizant Technology Solutions. All Rights Reserved. The information
More informationMore Than A Microsoft World. Marc Maiffret Co-Founder Chief Hacking Officer
More Than A Microsoft World Marc Maiffret Co-Founder Chief Hacking Officer The eeye Marketing Slide We Make Security Software Retina Network Security Scanner Blink Host Based Security REM Enterprise Vulnerability/Threat
More informationInformation Technology Policy
Information Technology Policy Enterprise Web Application Firewall ITP Number ITP-SEC004 Category Recommended Policy Contact RA-ITCentral@pa.gov Effective Date January 15, 2010 Supersedes Scheduled Review
More informationGuidelines for Website Security and Security Counter Measures for e-e Governance Project
and Security Counter Measures for e-e Governance Project Mr. Lalthlamuana PIO, DoICT Background (1/8) Nature of Cyber Space Proliferation of Information Technology Rapid Growth in Internet Increasing Online
More informationData Breaches and Web Servers: The Giant Sucking Sound
Data Breaches and Web Servers: The Giant Sucking Sound Guy Helmer CTO, Palisade Systems, Inc. Lecturer, Iowa State University @ghelmer Session ID: DAS-204 Session Classification: Intermediate The Giant
More informationColumbia University Web Application Security Standards and Practices. Objective and Scope
Columbia University Web Application Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Application Security Standards and Practices document establishes a baseline
More information