Quality Assurance version 1



Introduction

Quality assurance (QA) is a standardised method that ensures that everything works as it was intended to work and looks as it was intended to look. It should force all stakeholders (agency, us, technical partners etc.) to focus on the user of the site, what we'd like them to achieve and how.

Thorough QA and testing should be done throughout the production life cycle. No website should go live to the public without having gone through the mandatory testing processes as specified in this document.

It is worth noting that the objective of QA and testing is not to eliminate all errors at all times; that is an impossible task. Rather, it is to ensure that the major risks are mitigated and that the website performs as expected for the intended target audience.

We recommend the following process as a baseline for testing a website:

Depending on your project management methodology (waterfall, agile etc.) the above can be approached either as a linear or an iterative process.

1. Planning, budgeting & roles

It is essential that QA and testing are embedded in the project plan for the website from the outset, in terms of timing, budget allocation and roles. Failure to plan correctly may result in deadlines being missed or websites going live with errors that could undermine the investment made.

1.1 Planning and budgeting

As testing is the last phase before a website goes live, this area always comes under pressure when other elements of the project overrun, especially when there is a fixed deadline. We must maintain this testing period at all times to ensure the investment made is not compromised by errors or a poor user experience.

There are no hard and fast rules about the amount of testing that should be done on a website. This varies according to the value of the site to the business: an ecommerce site would go through a very rigorous process, as security and user experience are of paramount importance, whereas a microsite to support a tactical event would require less testing. Nevertheless, we would envisage that at least 10% of the total time spent on the project should be allocated to QA and testing. It follows that this should also equate to around 10% of the budget for the website.

1.2 Roles

All stakeholders should understand the value of testing and their role in the process. The agency should lead this process using this document as a guide. They should ensure that sufficient time is allocated and booked into the diaries of the correct stakeholders within SABMiller to review and feed back, so that the website is delivered on time and meets expectations.

Checklist (No. / Title / Icon / Measured)
1.1 At least 10% of the time of a project is dedicated to QA & testing
1.2 At least 10% of the budget of a project is dedicated to QA & testing
1.3 Allocate specific testing roles to all stakeholders and schedule in diaries

Further reading
1. The Open Web Application Security Project

2. Test plans

Test plans are documents that systematically test defined variables and situations with the aim of delivering a website that is fit for purpose and meets our and the audience's expectations. They aim to replicate real-life situations with the website and test performance based on objective measures, removing subjectivity from the testing process.

2.1 Creating test plans

Test plans are created from three main inputs:
1. Functional specification - what should the site do according to the briefing (e.g. collect data, display video etc.)
2. Audience - who will interact with the site (e.g. what are their capabilities, what technology will they be using etc.)
3. Objectives of the website - what the site needs to achieve for the business (e.g. reposition brand, increase awareness etc.)

2.2 Test cases

From these inputs a series of test cases should be created that interrogate the basics of the website (e.g. do all the links work?) and its critical functions (e.g. does the sign-up form work?). A test case should set some criteria for the environment, and state the inputs and the expected outputs. Below is an example of a test case for link checking [1]:

1. In Windows 8, load Internet Explorer 8. Clear browser caches, and clear history.
2. In the URL field type in testurl.com and hit the ENTER key.
3. On the home page, for each link:
   a. examine the link text
   b. click on the link, and verify that the link works
   c. verify that the new page is the correct page, as indicated by the link text
   d. verify that the little black arrow correctly indicates the current page
   e. click on the browser's BACK button
   f. verify that the link's colour changed to the vlink colour
4. Once all links on the home page have been tested, click on the first link in the left navigation column.
5. For this page, repeat steps 2a - 2f.
6. Repeat steps 3 and 4 until every page has been tested.
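The link-checking test case above, automated as an added example that is not part of the original guideline: it walks a constructed in-memory stand-in for testurl.com, and fetch(), PageParser and check_site() are this example's own assumptions rather than anything the guideline prescribes. Steps 3e and 3f (the BACK button and the visited-link colour) remain manual checks.

```python
"""Automated version of the link-checking test case: crawl from the home page and,
for every link, check that it resolves (3b), that the landing page is the one the
link text promises (3c) and that the navigation marks the current page (3d),
repeating until every reachable page has been tested (6)."""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample site (path -> HTML) standing in for testurl.com.
# /contact is linked but does not exist, /team's title does not match the link
# text pointing at it, and /team's navigation has no "current" marker.
SITE = {
    "/": "<html><head><title>Home</title></head><body><nav>"
         "<a class='current' href='/'>Home</a><a href='/about'>About us</a>"
         "<a href='/contact'>Contact</a></nav></body></html>",
    "/about": "<html><head><title>About us</title></head><body><nav>"
              "<a href='/'>Home</a><a class='current' href='/about'>About us</a>"
              "<a href='/contact'>Contact</a></nav><a href='/team'>Team</a></body></html>",
    "/team": "<html><head><title>Our people</title></head><body><nav>"
             "<a href='/'>Home</a><a href='/about'>About us</a></nav></body></html>",
}


def fetch(url):
    """Stand-in for an HTTP GET; returns (status, body) from the constructed site.
    Replace with a real HTTP client to run the case against a staging server."""
    path = urlparse(url).path or "/"
    return (200, SITE[path]) if path in SITE else (404, "")


class PageParser(HTMLParser):
    """Collects the page title, every <a href> with its text, and the href of the
    navigation entry marked class="current" (the 'little black arrow')."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.links = []            # (link text, href) in document order
        self.current_href = None
        self._in_title = False
        self._link = None          # [href, text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "a" and "href" in a:
            self._link = [a["href"], ""]
            if "current" in (a.get("class") or "").split():
                self.current_href = a["href"]

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        if self._link is not None:
            self._link[1] += data

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "a" and self._link is not None:
            href, text = self._link
            self.links.append((text.strip(), href))
            self._link = None


def check_site(start_url):
    """Runs the test case over every reachable page.  Returns a list of findings
    as (page, link text, target, problem); an empty list means the case passed."""
    findings, seen, queue = [], set(), deque([start_url])
    while queue:                                   # step 6: until every page is done
        page = queue.popleft()
        if page in seen:
            continue
        seen.add(page)
        status, body = fetch(page)
        if status != 200:
            continue
        parser = PageParser()
        parser.feed(body)
        # step 3d: the current-page marker must point at the page we are on
        if parser.current_href is None or urljoin(page, parser.current_href) != page:
            findings.append((page, "", page, "navigation does not mark the current page"))
        for text, href in parser.links:            # steps 3a-3c for each link
            target = urljoin(page, href)
            t_status, t_body = fetch(target)
            if t_status != 200:
                findings.append((page, text, target, "broken link (%d)" % t_status))
                continue
            tp = PageParser()
            tp.feed(t_body)
            if tp.title.strip().casefold() != text.casefold():
                findings.append((page, text, target, "landed on '%s', expected page named '%s'"
                                 % (tp.title.strip(), text)))
            queue.append(target)                   # steps 4-5: test that page too
    return findings


if __name__ == "__main__":
    for page, text, target, problem in check_site("http://testurl.com/"):
        print("%s -> %s [%s]: %s" % (page, target, text, problem))
```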

When creating test cases it is crucial that you fully understand the user, especially in regard to how the website will be accessed (device, operating system, browser etc.) and the user's digital competency and expectations. Refer back to the research done when planning the site and overlay this onto the test cases to ensure that the intended user's exact persona is catered for during testing.

Checklist (No. / Title / Icon / Measured)
2.1 Create a test plan for the website
2.2 Test cases should replicate basic and critical functions of the website
2.3 All test cases should incorporate the users' means of access (device, browser, o/s etc.) and their digital competency / expectations

References
1.

Further reading
1. Applied Software Project Management - Test plans and test cases
2. IEEE 829

3. Types of testing

There are many different types of testing and each type should be used in conjunction with others to fit exactly the requirements of the particular website. Below we have explained what we expect as a base level of mandatory testing for any website to guarantee it meets the minimum requirements with regard to accessibility, usability and security.

3.1 Capture environmental factors

When completing any type of testing you should also record browser types and versions, operating system, machine platforms, connection speeds etc. In short, record any parameter that would affect the ability to reproduce the results or could aid in troubleshooting any defects found by testing.

3.2 Device

The website should be checked on all significant devices that the audience might use to access the site. This is to ensure a site displays and functions across desktops, tablets and mobiles (and, to a lesser degree, large screens such as televisions, which are sometimes used for displaying sites).

3.3 Browser compatibility

The website must be checked for compatibility (function and display) across all supported browsers. For mobile devices it is recommended to test on the actual device as opposed to a simulator to ensure proper performance. You can also make use of online services to help with cross-browser testing:
- Browser Stack
- Browsershots

3.4 Performance

Unit

Automated testing using unit tests for both front-end and back-end code will greatly reduce your testing time and also limit the chance of adding regressions during maintenance or updates to the site. The unit tests could be run manually or as part of the build/deploy process. The tool you use for your back-end code will differ depending on the language you use, but for the front-end code you could use tools like Selenium [1] or QUnit [2].

Load

In load testing it is recommended to gradually increase the number of virtual users, loading at the beginning and throughout the test. Increasing the load gradually means that the site's performance can be measured at different load levels. It is also vital in identifying performance bottlenecks and breaking points of an application. During load testing you should emulate typical user behaviour to see how well your website handles large numbers of users. There are many load testing tools available, such as Load Impact [3] or JMeter [4].

3.5 Accessibility

Accessibility is the practice of making sites available and usable to people of all abilities / disabilities across all devices and platforms. In many countries there is now legislation which lays out the minimum legal requirements for websites. Your local or regional legal counsel will be able to advise if you are unsure. How to code for good accessibility is covered in the Web Development section, and this area is also covered in more depth in the User Experience section.

3.6 Code validation

As the project progresses, code should be validated as it is written. However, it should also have one final run through the W3C Mark-up Validation Service to remove as many errors as possible.

3.7 Security

It is essential that websites are designed, coded and hosted to operate at a level of security that is consistent with the potential harm that could result from the loss, inaccuracy, alteration, unavailability, or misuse of the data and resources that they use, control, and protect. As a minimum requirement, all websites which collect personal information need to be security tested as part of their introduction, or when there are significant changes to the design of the site.

The Open Web Application Security Project has compiled the top 10 website and application security risks. As a minimum we need to ensure the website is protected against these risks:

1. Injection
Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorised data.

2. Cross-site scripting (XSS)
XSS flaws occur when an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface websites or redirect the user to malicious sites.

3. Broken authentication and session management
Application functions relating to authentication and session management are often not implemented correctly. This can allow attackers to compromise passwords, keys or session tokens, or to exploit other implementation flaws to assume other users' identities.

4. Insecure direct object references
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorised data.

5. Cross-site request forgery (CSRF)
A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests that the vulnerable application thinks are legitimate requests from the victim.

6. Security misconfiguration
Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server and platform. All these settings should be defined, implemented and maintained, because many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application. See the Hosting section for more details on how the environment should be set up.

7. Insecure cryptographic storage
Many web applications do not properly protect sensitive data (e.g. credit cards, SSNs and authentication credentials) with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud and other crimes.

8. Failure to restrict URL access
Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.

9. Insufficient transport layer protection
Applications frequently fail to authenticate, encrypt and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or just use them incorrectly.

10. Unvalidated redirects and forwards
Web applications frequently redirect and forward users to other pages and websites, using untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorised pages.

There is a set of paid and free tools here that you can use to test your site against the above potential weaknesses:

If your website is to have an ecommerce function or hold any sensitive data (national identity numbers, passport numbers, credit card details etc.) then the potential risks associated with the website are much higher. It is essential that you inform your local or regional security officer at the very start of the project so that the additional checks and security that will be needed can be put in place. They need to be involved in the project from the outset to ensure the website conforms to the standards required to minimise the increased risks.

3.8 Regression

Regression testing is used when significant changes (new code, patches, configurations etc.) have been added to a website. It aims to test the previously existing code and functions to ensure the new changes have not caused any new errors or issues. Typically you would run tests similar to the original ones completed on the website to see if any new faults occur after the changes.

3.9 User acceptance

This should be the final stage of testing before the website goes live, and the objective is to obtain confirmation from all stakeholders that the website meets mutually agreed-upon requirements. Essentially, it is to answer the question: is it fit for the business? A link to the website (hosted in a staging environment) is usually sent to the relevant stakeholders and they are asked to assess it against the functional specification, the objectives and their expectations. It is common for the agency to set the stakeholders real-life tasks to replicate the audience's use of the website.

The purpose of User Acceptance Testing (UAT) is not usually to locate minor issues (e.g. spelling errors) but rather to test the major functional aspects of the site from a technical and usability perspective. When all stakeholders have approved the website then UAT is completed. UAT is usually the final set of tests before a website is moved from the staging environment to live and so released to the public.
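The ten risks listed in 3.7 only become testable once each is written down as a case with an input and an expected output, as section 2.2 asks. As an added example that is not part of the original guideline, the block below does this for risks 1, 2, 8 and 10 against a minimal in-memory request handler; handle(), is_local_redirect() and run_security_cases() are this example's own assumptions, and the users table is constructed sample data. In a real test plan the same assertions would be made through an HTTP client against the staging site.

```python
"""Executable security test cases for four of the OWASP Top 10 risks in 3.7.
The handler below is a stand-in for the website under test; each case records
whether the expected (safe) behaviour was observed."""
import html
import sqlite3
from urllib.parse import urlparse

# Constructed sample data: a two-row users table in an in-memory database.
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE users (name TEXT, email TEXT)")
_db.executemany("INSERT INTO users VALUES (?, ?)",
                [("alice", "alice@example.test"), ("bob", "bob@example.test")])


def is_local_redirect(target):
    """Risk 10 mitigation: accept only site-relative paths, i.e. no scheme,
    no host, and not a protocol-relative '//host' form."""
    p = urlparse(target)
    return (not p.scheme and not p.netloc
            and target.startswith("/") and not target.startswith("//"))


def handle(path, params, session=None):
    """Tiny router returning (status, headers, body), as a real app would."""
    session = session or {}
    if path == "/user":                        # risk 1: injection
        # The name is bound as a query parameter, never spliced into the SQL text.
        rows = _db.execute("SELECT email FROM users WHERE name = ?",
                           (params.get("name", ""),)).fetchall()
        return 200, {}, "\n".join(r[0] for r in rows)
    if path == "/search":                      # risk 2: XSS
        # Anything reflected into HTML is escaped first.
        return 200, {}, "<p>Results for %s</p>" % html.escape(params.get("q", ""))
    if path == "/admin":                       # risk 8: restrict URL access
        # Authorisation is checked on every request, not only when rendering links.
        if session.get("role") != "admin":
            return 403, {}, "forbidden"
        return 200, {}, "admin console"
    if path == "/go":                          # risk 10: unvalidated redirects
        target = params.get("to", "/")
        if not is_local_redirect(target):
            return 400, {}, "bad redirect target"
        return 302, {"Location": target}, ""
    return 404, {}, "not found"


def run_security_cases():
    """Runs one or more cases per risk; returns {case name: passed}."""
    results = {}
    # 1. Injection: a tautology in the name must match no rows, not every row.
    results["injection_tautology"] = handle("/user", {"name": "x' OR '1'='1"})[2] == ""
    results["injection_normal"] = handle("/user", {"name": "alice"})[2] == "alice@example.test"
    # 2. XSS: a script tag supplied as the search term must come back escaped.
    body = handle("/search", {"q": "<script>x</script>"})[2]
    results["xss_escaped"] = "<script>" not in body and "&lt;script&gt;" in body
    # 8. URL access: the admin page must refuse a request with no admin session.
    results["url_access_denied"] = handle("/admin", {})[0] == 403
    results["url_access_allowed"] = handle("/admin", {}, {"role": "admin"})[0] == 200
    # 10. Redirects: local targets pass; external and protocol-relative ones are rejected.
    results["redirect_local"] = handle("/go", {"to": "/account"})[0] == 302
    results["redirect_external"] = handle("/go", {"to": "https://elsewhere.example/"})[0] == 400
    results["redirect_protocol_relative"] = handle("/go", {"to": "//elsewhere.example/"})[0] == 400
    return results


if __name__ == "__main__":
    for case, passed in run_security_cases().items():
        print("%-28s %s" % (case, "PASS" if passed else "FAIL"))
```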

Checklist (No. / Title / Icon / Measured)
3.1 Device testing carried out on all significant devices for the audience
3.2 Cross-browser compatibility testing carried out on all browsers the audience might use
3.3 Performance unit and load testing completed
3.4 Accessibility must meet minimum legal requirements for your country
3.5 Code should be run through a final W3C validation
3.6 Security - if your website is collecting personal information then inform your local or regional security officer, who will arrange for the appropriate testing before the website goes live
3.7 Security - the website must pass all 10 of the common security issues
3.8 Security - if your website has ecommerce functions or collects sensitive data, inform your local or regional security officer at the start of the project
3.9 Regression tests should be carried out if there has been a major code or functional upgrade
Best Practice
3.10 UAT should be carried out by all relevant stakeholders to ensure the website is fit for purpose

References

Further reading

General
1. Testing tools
2. Links about web usability
3. Usability and web design

Browser compatibility
1. A dozen cross browser testing tools

Performance
1. JUnit
2. PHPUnit
3. NUnit
4. Performance testing traps
5. Performance testing tools
6. Performance test tools

Accessibility
1. Web content accessibility guidelines
2. Legally required web accessibility
3. Web accessibility testing

Code validation
1. Markup Validation Service reasons why your code won't validate and how to fix it

Security
1. Penetration testing guide
2. Security test tools
3. Software security testing

Regression
1. Regression testing tools and methods
2. Regression testing

UAT
1. User acceptance testing - a business analyst's perspective
2. User acceptance testing
3. What is user acceptance testing?

4. Issues and feedback

During the testing process it is crucial that all issues and feedback are captured, categorised and acted upon, where appropriate. The approach to capture and assessment needs to be thorough and systematic to ensure that the website is tested suitably.

4.1 Logging issues and feedback

All issues and feedback should be logged in a database of some kind. This could be something as simple as an Excel spreadsheet, or you might be using project management software such as Base Camp, which has these functions built in. Each item should be assigned properties such as priority and scope (in or out), as well as recording attributes such as description, error message, affected functionality, etc. In addition, you should assign and track ownership of the problem and the progress made towards resolution. All entries need to be reviewed, commented on and, if appropriate, acted upon so they are resolved to all stakeholders' satisfaction.

4.2 Prioritising issues and feedback

Sometimes the number of issues and the amount of feedback can, initially at least, be overwhelming. Therefore, a framework is usually required in order to categorise and prioritise them and, especially, to remove subjectivity from the process. For example, a brand manager may think that a slight colour deviation in the logo is of paramount importance. However, if the website's database remains open and consumer data exposed, then this has much more of an impact for the brand. Below is a basic framework of how to categorise issues and feedback, with some examples [1]:

Critical
- infrastructure has failed (a server has crashed, the network is down, etc.)
- functionality critical to the purpose of the website is broken, such as the search or commerce engine on a commerce site
- security of data is compromised
- the site does not function on a desired device

High
- a major functionality is broken or misbehaving
- one or more pages is missing
- a link on a major page is broken
- a graphic on a major page is missing

Medium
- data transfer problems (like an include file error)
- browser inconsistencies, such as table rendering or protocol handling
- page formatting problems, including slow pages and graphics
- broken links on minor pages
- user interface problems (users don't understand which button to click to accomplish an action, or don't understand the navigation in a subsection, etc.)

Low
- display issues, like font inconsistencies or colour choice
- text issues, like typos, word choice, or grammar mistakes
- page layout issues, like alignment or text spacing

There is a temptation when dealing with issues and feedback to action the easy and simple ones first, as this makes the list shorter. This should be resisted, and each problem should be dealt with according to priority and logic.

Checklist (No. / Title / Icon / Measured)
4.1 Create a log for all issues and feedback
4.2 Categorise issues and feedback and prioritise
4.3 Action issues and feedback in priority order
4.4 Work through the log until all issues and feedback are resolved and approved by all stakeholders

References
1.

Further reading
1. How to prioritise usability problems

5. Live

When all issues and feedback have been resolved to all stakeholders' satisfaction, the website can be set live for consumers to interact with.

5.1 Deployment

If transferred from a staging environment then in real terms little should change with the site. However, at the point a new website is set live it is prudent to re-check the main pages and functions of the site. At this point any housekeeping URLs, for example those used to clear test submissions from a database, must be disabled.

5.2 Ongoing monitoring and maintenance

As the website is tested in the live environment, it is crucial that all user-initiated issues and feedback are captured, prioritised and resolved. There is no substitute for the real-life environment and the voice of the actual user, so feedback should be encouraged, acted upon and reflected back to the user where possible. Use a system and log similar to that in the testing phase to guarantee that this is worked through systematically.

Additionally, the website's performance should be monitored and periodic tests should be carried out. The nature and frequency of these tests will depend on the website. Repeating the tests run before setting the site live, but with new and more stringent parameters, will improve performance and user experience by making marginal improvements over time.

All security patches and any other relevant software updates to the website must be made as soon as possible to ensure the highest level of security and performance.

Checklist (No. / Title / Icon / Measured)
5.1 Re-check the website's main pages and functions once live
5.2 Disable all housekeeping URLs and other test-related functions
5.3 Continue to gather issues and feedback in a log, prioritise and amend as appropriate
5.4 Put performance monitoring in place to enable ongoing analysis
5.5 Carry out periodic tests of website functionality and performance to make marginal gains
Best Practice
5.6 Ensure all security patches and other updates are made in a timely fashion


More information

elearning for Secure Application Development

elearning for Secure Application Development elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security

More information

2014 Guide For Testing Your Software. Security and Software Assessment Services (SSAS)

2014 Guide For Testing Your Software. Security and Software Assessment Services (SSAS) 2014 Guide For Testing Your Software Security and Software Assessment Services (SSAS) Usability Testing Sections Installation and Un-Installation Software Documentation Test Cases or Tutorial Graphical

More information

Barracuda Web Site Firewall Ensures PCI DSS Compliance

Barracuda Web Site Firewall Ensures PCI DSS Compliance Barracuda Web Site Firewall Ensures PCI DSS Compliance E-commerce sales are estimated to reach $259.1 billion in 2007, up from the $219.9 billion earned in 2006, according to The State of Retailing Online

More information

Testing the OWASP Top 10 Security Issues

Testing the OWASP Top 10 Security Issues Testing the OWASP Top 10 Security Issues Andy Tinkham & Zach Bergman, Magenic Technologies Contact Us 1600 Utica Avenue South, Suite 800 St. Louis Park, MN 55416 1 (877)-277-1044 info@magenic.com Who Are

More information

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability

More information

Web Engineering Web Application Security Issues

Web Engineering Web Application Security Issues Security Issues Dec 14 2009 Katharina Siorpaes Copyright 2009 STI - INNSBRUCK www.sti-innsbruck.at It is NOT Network Security It is securing: Custom Code that drives a web application Libraries Backend

More information

Web Application Report

Web Application Report Web Application Report This report includes important security information about your Web Application. Security Report This report was created by IBM Rational AppScan 8.5.0.1 11/14/2012 8:52:13 AM 11/14/2012

More information

Application Security Testing. Generic Test Strategy

Application Security Testing. Generic Test Strategy Application Security Testing Generic Test Strategy Page 2 of 8 Contents 1 Introduction 3 1.1 Purpose: 3 1.2 Application Security Testing: 3 2 Audience 3 3 Test Strategy guidelines 3 3.1 Authentication

More information

Web Application Security Considerations

Web Application Security Considerations Web Application Security Considerations Eric Peele, Kevin Gainey International Field Directors & Technology Conference 2006 May 21 24, 2006 RTI International is a trade name of Research Triangle Institute

More information

Christchurch Polytechnic Institute of Technology Information Systems Acquisition, Development and Maintenance Security Standard

Christchurch Polytechnic Institute of Technology Information Systems Acquisition, Development and Maintenance Security Standard Christchurch Polytechnic Institute of Technology Information Systems Acquisition, Development and Maintenance Security Standard Corporate Policies & Procedures Section 1: General Administration Document

More information

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP) Title: Functional Category: Information Technology Services Issuing Department: Information Technology Services Code Number: xx.xxx.xx Effective Date: xx/xx/2014 1.0 PURPOSE 1.1 To appropriately manage

More information

What is Web Security? Motivation

What is Web Security? Motivation brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web

More information

Using Free Tools To Test Web Application Security

Using Free Tools To Test Web Application Security Using Free Tools To Test Web Application Security Speaker Biography Matt Neely, CISSP, CTGA, GCIH, and GCWN Manager of the Profiling Team at SecureState Areas of expertise: wireless, penetration testing,

More information

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA The Weakest Link: Mitigating Web Application Vulnerabilities webscurity White Paper webscurity Inc. Minneapolis, Minnesota USA January 25, 2007 Contents Executive Summary...3 Introduction...4 Target Audience...4

More information

Guide for the attention of developers/hosts for merchant websites on the minimum level of security for bank card data processing

Guide for the attention of developers/hosts for merchant websites on the minimum level of security for bank card data processing Guide for the attention of developers/hosts for merchant websites on the minimum level of security for bank card data processing Foreword This guide in no way intends to replace a PCI DSS certification

More information

SQuAD: Application Security Testing

SQuAD: Application Security Testing SQuAD: Application Security Testing Terry Morreale Ben Whaley June 8, 2010 Why talk about security? There has been exponential growth of networked digital systems in the past 15 years The great things

More information

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker www.quotium.com 1/14 Summary Abstract 3 PCI DSS Statistics 4 PCI DSS Application Security 5 How Seeker Helps You Achieve PCI DSS

More information

ETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001

ETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001 001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110

More information

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

More information

Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3

Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3 Table of Contents Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3 Information Gathering... 3 Vulnerability Testing... 7 OWASP TOP 10 Vulnerabilities:... 8 Injection

More information

Sichere Software- Entwicklung für Java Entwickler

Sichere Software- Entwicklung für Java Entwickler Sichere Software- Entwicklung für Java Entwickler Dominik Schadow Senior Consultant Trivadis GmbH 05/09/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART

More information

OWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741

OWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741 OWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741 ME, MYSELF & I PHP Core Developer Author of Guide to PHP Security Security Aficionado THE CONUNDRUM USABILITY SECURITY YOU CAN HAVE ONE ;-) OPEN

More information

Rational AppScan & Ounce Products

Rational AppScan & Ounce Products IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168

More information

Web Application Security Assessment and Vulnerability Mitigation Tests

Web Application Security Assessment and Vulnerability Mitigation Tests White paper BMC Remedy Action Request System 7.6.04 Web Application Security Assessment and Vulnerability Mitigation Tests January 2011 www.bmc.com Contacting BMC Software You can access the BMC Software

More information

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org

More information

Web Application Security and the OWASP Top 10. Web Application Security and the OWASP Top 10

Web Application Security and the OWASP Top 10. Web Application Security and the OWASP Top 10 Web Application Security and the OWASP Top 10 1 Sapient Corporation 2011 Web Application Security and the OWASP Top 10 This paper describes the most common vulnerabilities of web applications, as outlined

More information

WEB APPLICATION SECURITY

WEB APPLICATION SECURITY WEB APPLICATION SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part

More information

Levels of Software Testing. Functional Testing

Levels of Software Testing. Functional Testing Levels of Software Testing There are different levels during the process of Testing. In this chapter a brief description is provided about these levels. Levels of testing include the different methodologies

More information

Statistics Whitepaper

Statistics Whitepaper White paper Statistics Whitepaper Web Application Vulnerability Statistics 2010-2011 Alex Hopkins whitepapers@contextis.com February 2012 Context Information Security 30 Marsh Wall, London, E14 9TP +44

More information

TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS

TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS Technical audits in accordance with Regulation 211/2011 of the European Union and according to Executional Regulation 1179/2011 of the

More information

Web Application Attacks and Countermeasures: Case Studies from Financial Systems

Web Application Attacks and Countermeasures: Case Studies from Financial Systems Web Application Attacks and Countermeasures: Case Studies from Financial Systems Dr. Michael Liu, CISSP, Senior Application Security Consultant, HSBC Inc Overview Information Security Briefing Web Applications

More information

Web Application Security

Web Application Security Web Application Security Security Mitigations Halito 26 juni 2014 Content Content... 2 Scope of this document... 3 OWASP Top 10... 4 A1 - Injection... 4... 4... 4 A2 - Broken Authentication and Session

More information

Check list for web developers

Check list for web developers Check list for web developers Requirement Yes No Remarks 1. Input Validation 1.1) Have you done input validation for all the user inputs using white listing and/or sanitization? 1.2) Does the input validation

More information

Web Application Firewall on SonicWALL SSL VPN

Web Application Firewall on SonicWALL SSL VPN Web Application Firewall on SonicWALL SSL VPN Document Scope This document describes how to configure and use the Web Application Firewall feature in SonicWALL SSL VPN 5.0. This document contains the following

More information

Columbia University Web Application Security Standards and Practices. Objective and Scope

Columbia University Web Application Security Standards and Practices. Objective and Scope Columbia University Web Application Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Application Security Standards and Practices document establishes a baseline

More information

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis Document Scope This document aims to assist organizations comply with PCI DSS 3 when it comes to Application Security best practices.

More information

Secure Programming Lecture 12: Web Application Security III

Secure Programming Lecture 12: Web Application Security III Secure Programming Lecture 12: Web Application Security III David Aspinall 6th March 2014 Outline Overview Recent failures More on authorization Redirects Sensitive data Cross-site Request Forgery (CSRF)

More information

Secure Code Development

Secure Code Development ISACA South Florida 7th Annual WOW! Event Copyright Elevate Consult LLC. All Rights Reserved 1 Agenda i. Background ii. iii. iv. Building a Business Case for Secure Coding Top-Down Approach to Develop

More information

Application Security Vulnerabilities, Mitigation, and Consequences

Application Security Vulnerabilities, Mitigation, and Consequences Application Security Vulnerabilities, Mitigation, and Consequences Sean Malone, CISSP, CCNA, CEH, CHFI sean.malone@coalfiresystems.com Institute of Internal Auditors April 10, 2012 Overview Getting Technical

More information

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2 Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 Table of Contents Cross Site Request Forgery - CSRF Presentation

More information

Reducing Application Vulnerabilities by Security Engineering

Reducing Application Vulnerabilities by Security Engineering Reducing Application Vulnerabilities by Security Engineering - Subash Newton Manager Projects (Non Functional Testing, PT CoE Group) 2008, Cognizant Technology Solutions. All Rights Reserved. The information

More information

Making your web application. White paper - August 2014. secure

Making your web application. White paper - August 2014. secure Making your web application White paper - August 2014 secure User Acceptance Tests Test Case Execution Quality Definition Test Design Test Plan Test Case Development Table of Contents Introduction 1 Why

More information

Certified Secure Web Application Security Test Checklist

Certified Secure Web Application Security Test Checklist www.certifiedsecure.com info@certifiedsecure.com Tel.: +31 (0)70 310 13 40 Loire 128-A 2491 AJ The Hague The Netherlands Certified Secure Checklist About Certified Secure exists to encourage and fulfill

More information

SERENA SOFTWARE Serena Service Manager Security

SERENA SOFTWARE Serena Service Manager Security SERENA SOFTWARE Serena Service Manager Security 2014-09-08 Table of Contents Who Should Read This Paper?... 3 Overview... 3 Security Aspects... 3 Reference... 6 2 Serena Software Operational Security (On-Demand

More information

Web application security

Web application security Web application security Sebastian Lopienski CERN Computer Security Team openlab and summer lectures 2010 (non-web question) Is this OK? int set_non_root_uid(int uid) { // making sure that uid is not 0

More information

Don t Get Burned! Are you Leaving your Critical Applications Defenseless?

Don t Get Burned! Are you Leaving your Critical Applications Defenseless? Don t Get Burned! Are you Leaving your Critical Applications Defenseless? Ed Bassett Carolyn Ryll, CISSP Enspherics Division of CIBER Presentation Overview Applications Exposed The evolving application

More information

The Web AppSec How-to: The Defenders Toolbox

The Web AppSec How-to: The Defenders Toolbox The Web AppSec How-to: The Defenders Toolbox Web application security has made headline news in the past few years. Incidents such as the targeting of specific sites as a channel to distribute malware

More information

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia Top Ten Web Application Vulnerabilities in J2EE Vincent Partington and Eelco Klaver Xebia Introduction Open Web Application Security Project is an open project aimed at identifying and preventing causes

More information

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current

More information

Network Test Labs (NTL) Software Testing Services for igaming

Network Test Labs (NTL) Software Testing Services for igaming Network Test Labs (NTL) Software Testing Services for igaming Led by committed, young and dynamic professionals with extensive expertise and experience of independent testing services, Network Test Labs

More information

Guidelines for Web applications protection with dedicated Web Application Firewall

Guidelines for Web applications protection with dedicated Web Application Firewall Guidelines for Web applications protection with dedicated Web Application Firewall Prepared by: dr inŝ. Mariusz Stawowski, CISSP Bartosz Kryński, Imperva Certified Security Engineer INTRODUCTION Security

More information

Web Application Vulnerability Testing with Nessus

Web Application Vulnerability Testing with Nessus The OWASP Foundation http://www.owasp.org Web Application Vulnerability Testing with Nessus Rïk A. Jones, CISSP rikjones@computer.org Rïk A. Jones Web developer since 1995 (16+ years) Involved with information

More information

The monsters under the bed are real... 2004 World Tour

The monsters under the bed are real... 2004 World Tour Web Hacking LIVE! The monsters under the bed are real... 2004 World Tour Agenda Wichita ISSA August 6 th, 2004 The Application Security Dilemma How Bad is it, Really? Overview of Application Architectures

More information

Hack Proof Your Webapps

Hack Proof Your Webapps Hack Proof Your Webapps About ERM About the speaker Web Application Security Expert Enterprise Risk Management, Inc. Background Web Development and System Administration Florida International University

More information

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Course Description Our web sites are under attack on a daily basis

More information

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION External Vulnerability Assessment -Technical Summary- Prepared for: ABC ORGANIZATI On March 9, 2008 Prepared by: AOS Security Solutions 1 of 13 Table of Contents Executive Summary... 3 Discovered Security

More information

Web Application Report

Web Application Report Web Application Report This report includes important security information about your Web Application. OWASP Top Ten 2010 The Ten Most Critical Web Application Report This report was created by IBM Rational

More information

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research National Information Security Group The Top Web Application Hack Attacks Danny Allan Director, Security Research 1 Agenda Web Application Security Background What are the Top 10 Web Application Attacks?

More information

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities Thomas Moyer Spring 2010 1 Web Applications What has changed with web applications? Traditional applications

More information

Session 30. IT Security: Threats, Vulnerabilities and Countermeasures. Phillip Loranger, DoED CISO Robert Ingwalson, FSA CISO

Session 30. IT Security: Threats, Vulnerabilities and Countermeasures. Phillip Loranger, DoED CISO Robert Ingwalson, FSA CISO Session 30 IT Security: Threats, Vulnerabilities and Countermeasures Phillip Loranger, DoED CISO Robert Ingwalson, FSA CISO New Cyber Security World New threats New tools and services to protect New organization

More information

Security features of ZK Framework

Security features of ZK Framework 1 Security features of ZK Framework This document provides a brief overview of security concerns related to JavaScript powered enterprise web application in general and how ZK built-in features secures

More information

Web Application Security

Web Application Security E-SPIN PROFESSIONAL BOOK Vulnerability Management Web Application Security ALL THE PRACTICAL KNOW HOW AND HOW TO RELATED TO THE SUBJECT MATTERS. COMBATING THE WEB VULNERABILITY THREAT Editor s Summary

More information

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences

More information

Cloud Security:Threats & Mitgations

Cloud Security:Threats & Mitgations Cloud Security:Threats & Mitgations Vineet Mago Naresh Khalasi Vayana 1 What are we gonna talk about? What we need to know to get started Its your responsibility Threats and Remediations: Hacker v/s Developer

More information

Application security testing: Protecting your application and data

Application security testing: Protecting your application and data E-Book Application security testing: Protecting your application and data Application security testing is critical in ensuring your data and application is safe from security attack. This ebook offers

More information

Architectural Design Patterns. Design and Use Cases for OWASP. Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A. http://www.owasp.

Architectural Design Patterns. Design and Use Cases for OWASP. Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A. http://www.owasp. Architectural Design Patterns for SSO (Single Sign On) Design and Use Cases for Financial i Web Applications Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A. OWASP Copyright The OWASP Foundation Permission

More information

Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP

Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP Presentation Overview Basic Application Security (AppSec) Fundamentals Risks Associated With

More information