Development. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group,
|
|
- Dylan Brooks
- 8 years ago
- Views:
Transcription
1 Secure and Resilient Software Development Mark S. Merkow Lakshmikanth Raghavan CRC Press Taylor& Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor St Francis Group, an Informs business AN AUERBACH BOOK
2 Contents Preface xvii How This Book Is Organized xviii About the Authors Acknowledgments xxi xxiii Chapter 1 How Does Software Fail Thee? Let Us Count the Ways Vulnerabilities Abound Security Flaws Are Omnipresent Cars Have Their Share of Computer Problems Too 5 the Roots of Defective Software Tracing 1.3 What Are the True Costs of Insecure Software to Global Enterprises? Addressing Security Questions Addresses Resilience References 11 Chapter 2 Characteristics of Secure and Resilient Software Functional Versus Nonfunctional Requirements Testing Nonfunctional Requirements Families of Nonfunctional Requirements Availability Capacity Efficiency Interoperability Manageability Cohesion Coupling Maintainability 22
3 2.12 Performance Portability Privacy Recoverability Reliability Scalability Security ServiceabiIity/SupportabiIity Characteristics of Good Requirements Eliciting Nonfunctional Requirements Documenting Nonfunctional Requirements References 34 Chapter 3 Security and Resilience in the Software Development Life Cycle Resilience and Security Begin from Within Requirements Gathering and Analysis Systems Design and Detailed Design Functional Decomposition Categorizing Threats Ranking Threats Mitigation Planning Design Reviews Development (Coding) Phase Static Analysis Peer Review UnitTesting Testing Deployment Security Training References 48 Chapter 4 Proven Best Practices for Resilient Applications Critical Concepts The Security Perimeter Attack Surface Mapping the Attack Surface Side Channel Attacks Application Security and Resilience Principles Practice 1: Apply Defense in Depth Practice 2: Use a Positive Security Model 56
4 4.7 Practice 3: Fail Securely Practice 4: Run with Least Privilege Practice 5: Avoid Security by Obscurity Practice 6: Keep Security Simple Practice 7: Detect Intrusions Log All Security-Relevant Information Ensure That the Logs Are Monitored Regularly Respond to Intrusions Practice 8: Don't Trust Infrastructure Practice 9: Don't Trust Services Practice 10: Establish Secure Defaults Mapping Best Practices to Nonfunctional Requirements References 64 Chapter 5 Designing Applications for Security and Resilience Design Phase Recommendations Misuse Case Modeling Security Design and Architecture Review Threat and Risk Modeling Risk Analysis and Modeling Security Requirements and Test Case Generation Design to Meet Nonfunctional Requirements Design Patterns Architecting for the Web Architecture and Design Review Checklist References 84 Chapter 6 Programming Best Practices The Evolution of Software Attacks TheOWASPTop A1: Injection A2: Cross-Site Scripting A3: Broken Authentication and Session Management A4: Insecure Direct Object References A5: Cross-Site Request Forgery A6: Security Misconfiguration A7: Failure to Restrict URL Access 92
5 6.2.8 A8: Invalidated Redirects and Forwards A9: Insecure Cryptographic Storage A10: Insufficient Transport Layer Protection OWASP Enterprise Security API (ESAPI) InputValidation and Handling Client-Side Versus Server-Side Validation Input Sanitization Canonicalization Examples of Attacks due to Improper Input Handling Approaches to Validating Input Data Handling Bad Input ESAPI Interfaces Cross-Site Scripting Same Origin Policy Attacks Through XSS Prevention of Cross-Site Scripting ESAPI Interfaces Injection Attacks SQL Injection Stored Procedures Identifying SQL Injection and Exploitation Defending Against SQL Injection Creating SQL Queries Additional Controls to Prevent SQL Injection Attacks ESAPI Interfaces Authentication and Session Management Attacking Log-in Functionality Attacking Password Resets Attacking Sensitive Transactions Cross-Site Request Forgery CSRF Mitigation Session Management Attacking Log-out Functionality Defenses Against Log-out Attacks Defenses Against Cookie Attacks Session Identifiers ESAPI Interfaces Access Control 124
6 6.9.1 Avoiding Security Through Obscurity Access Control Issues 124 for Broken Access Control Testing Defenses Against Access Control Attacks Administrator Interfaces Protecting Administrator Interfaces ESAPI Interfaces Cryptography Hashing and Password Security Attacking the Hash Precomputed Attacks Message Authentication Code (MAC) Home-Crown Algorithms Randomness and Pseudo-Randomness ESAPI Interfaces Error Handling User Error Messages Log-in Error Messages A Case Study Error Message Differentiation Developer Error Messages Information to Be Kept Private Structured Exception Handling ESAPI Interfaces Ajax and Flash 134 Traffic AJAX Application AJAX Client Requests Server Responses Typical Attacks Against AJAX Applications Security Recommendations for AJAX Applications Adobe Flash Sandbox Security Model Cross-Domain Policy Restrict SWF Files Embedded in HTML Attacking Flash Applications Securing Flash Applications Additional Best Practices for Software Resilience Externalize Variables EncryptedProperties Method Summary Initialize Variables Properly 142
7 Do Not Ignore Values Returned by Functions Avoid Integer Overflows 143 Practices Top 10 Secure Coding 6.16 Fifty Questions to Improve Software Security References 151 Chapter 7 Special Considerations for Embedded Systems, Cloud Computing, and Mobile Computing Devices Embedded Systems Bad Assumptions About Embedded Systems Programming New Mantras The Framework Distributed Applications/Cloud Computing Representational State Transfer (REST) REST Stateless Authentication Attacking Distributed APIs Securing Distributed APIs Mobile Applications BlackBerry Windows Mobile iphone Mobile Application Security References 165 Chapter 8 Security Testing of Custom Software Applications Fixing Early Versus Fixing After Release Testing Phases Unit Testing Manual Source Code Review The Code Review Process Automated Source Code Analysis Automated Reviews Compared with Manual Reviews Commercial and Free Source Code Analyzers Fortify Acquiring Commercial or Open-Source Analysis Tools Deployment Strategy 181
8 8.8.1 IDE Integration for Developers Build Integration for Governance Regulatory Compliance Benefits of Using Source Code Analyzers Penetration (Pen)Testing Penetration Testing Tools Automated Black Box Scanning Deployment Strategy Cray Box Testing Limitations and Constraints of Pen Testing Tools References 189 Chapter 9 Testing Commercial off-the-shelf Systems The Problems with Shrink-Wrapped Software The Common Criteria for Information Technology Security Evaluation Harmonizing Evaluation Criteria Development Evaluation Operation 197 of the Common Criteria Key Concepts Framework The Security The Common Criteria Approach The Security Environment The Common Criteria Portal Criticisms of the CC The Commercial Community Responds The BITS/FSTC Security Assurance Initiative ICSALabs Evaluation Methodology Certification Criteria ICSA Labs Testing and Certification Process Veracode's VerAfied Software Assurance Ratings Methodology Assessing Software for the VerAfied Mark References 216
9 Chapter 10 Implementing Security and Resilience Using CLASP Comprehensive, Lightweight Application Security Process (CLASP) CLASP Concepts ,3 Overview of the CLASP Process CLASP Key Best Practices Best Practice 1: Institute Awareness Programs Best Practice 2: Perform Application Assessments Best Practice 3: Capture Security Requirements Best Practice 4: Implement Secure Development Practices Best Practice 5: Build Vulnerability Remediation Procedures Best Practice 6: Define and Monitor Metrics Best Practice 7: Publish Operational Security Guidelines CLASP Security Activities to Augment Software Development 10.6 Applying CLASP Security 10.7 Re-engineering Processes 227 Activities to Roles 228 Your SDLC for CLASP Business Objectives Process Milestones Process Evaluation Criteria Forming the Process Re-engineering Team Sample CLASP Implementation Roadmaps Green-Field Roadmap Legacy Roadmap References 236 Chapter 11 Metrics and Models for Security and Resilience Maturity Maturity Models for Security and Resilience Software Assurance Maturity Model OpenSAMM Core Practice Areas Levels of Maturity Assurance 243
10 11.3 The Building Security In Maturity Model (BSIMM) BSIMM Software Security Framework BSIMM Activities Governance: Strategy and Metrics Governance: Compliance and Policy Governance: Training 258 Attack Models Intelligence: Intelligence: Security Features and Design Intelligence: Standards and Requirements SSDLTouchpoints: Architecture Analysis SSDLTouchpoints: Code Review SSDLTouchpoints: Security Testing Deployment: Penetration Testing Deployment: Software Environment Deployment: Configuration Management and Vulnerability Management 284 Results with BSIMM Measuring 11.6 Helpful Resources For Implementing BSIMM Applying BSIMM to the Financial Services Domain Working Group Methodology References 289 Chapter 12 Taking It to the Streets Getting Educated DEVELOPER 530: Defending Web Applications DEVELOPER 530: Essential Secure Coding in Java/JEE DEVELOPER 541: Secure Coding in Java/JEE: Developing Defensible Applications DEVELOPER 542: Web App Penetration Testing and Ethical Hacking DEVELOPER 544: Secure Coding in.net: Developing Defensible Applications 294
11 DEVELOPER 545: Secure Coding in PHP: Developing Defensible Applications DEVELOPER 534: Secure Code Review for Java Web Apps DEVELOPER 543: Secure Coding in C/C++: Developing Defensible Applications Aspect Security Inc CERT Software Engineering Institute (SEI) SEI Secure Coding in C and C++ Course Getting Certified Certified Secure Software Lifecycle Professional (CSSLP) Why Obtain the CSSLP? Benefits of Certification to the Professional Benefits of Certification to the Enterprise Getting Involved Web Application Security Consortium Reaching Out for Research DHS Research Program Areas The U.S. Treasury and the FSSCC Last Call Conclusion References 316 Glossary 319 Appendix A 2010 CWE/SANS Top 25 Most Dangerous Programming Errors 335 A.1 Brief Listing of the Top A.1.1 Insecure Interaction Between Components 336 A.1.2 Risky Resource Management 336 A.1.3 Porous Defenses 337 A.2 Detailed CWE Descriptions 338
12 A.2.1 A.2.2 A.2.3 A.2.4 A.2.5 A.2.6 A.2.7 A.2.8 A.2.9 A.2.10 A.2.11 A.2.12 A.2.13 A.2.14 A.2.15 A.2.16 A.2.17 A.2.18 CWE-79: Failure to Preserve Web Page Structure ("Cross-Site Scripting") 338 CWE-89: Improper Sanitization of Special Elements Used in an SQL Command ("SQL Injection") 338 CWE-120: Buffer Copy Without Checking Size of Input ("Classic Buffer Overflow") 339 CWE-352: Cross-Site Request Forgery (CSRF) 339 CWE-285: Improper Access Control (Authorization) 339 CWE-807: Reliance on Un-trusted Inputs in a Security Decision 340 CWE-22: Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") 340 CWE-434: Unrestricted Upload of File with Dangerous Type 340 CWE-78: Improper Special Elements Used in an OS Command ("OS Command Injection") 341 Sanitization of CWE-311: Missing Encryption of Sensitive Data 341 CWE-798: Use of Hard-Coded Credentials 341 CWE-805: Buffer Access with Incorrect Length CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ("PHP Value 342 File Inclusion") 342 CWE-129: Improper Validation of Array Index 342 CWE-754: Improper Check for Unusual or Exceptional Conditions 342 CWE-209: Information Exposure Through an Error Message 343 CWE-190: Integer Overflow or Wraparound 343 CWE-131: Incorrect Calculation of Buffer Size 343
13 A.2.19 A.2.20 A.2.21 A.2.22 A.2.23 CWE-306: Missing Authentication for Critical Function 344 CWE-494: Download of Code Without Integrity Check 344 CWE-732: Incorrect Permission for Critical Resource 344 Assignment CWE-770: Allocation of Resources Without Limits or Throttling 344 CWE-601: URL Redirection to Site ("Open Redirect") 345 A.2.24 CWE-327: Use of a Broken or Risky Cryptographic Algorithm 345 A.2.25 CWE-362: Race Condition 345 Appendix B Enterprise Security API 347 B.1 Interface Encoder 348 B.2 Interface User 349 B.3 Interface Authenticator 350 B.4 Interface AccessController 351 B.5 Interface AccessReferenceMap 352 B.6 Interface Encryptor 355 B.7 Interface HTTPUtiIities 355 B.8 Interface Logger 357 Index 361
Points of View. CxO s point of view. Developer s point of view. Attacker s point of view
Web App Security 2 CxO s point of view Points of View Measurable security SCAP (Security Content Automation Protocol) Developer s point of view Secure coding/software security CWE (Common Weakness Enumeration)
More informationAdobe Systems Incorporated
Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...
More informationelearning for Secure Application Development
elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security
More information3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management
What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org
More informationProtect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance
Protect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance Sponsored by the U.S. Department of Homeland Security (DHS), the Software Engineering Institute
More informationRESILIENT. SECURE and SOFTWARE. Requirements, Test Cases, and Testing Methods. Mark S. Merkow and Lakshmikanth Raghavan. CRC Press
SECURE and RESILIENT SOFTWARE Requirements, Test Cases, and Testing Methods Mark S. Merkow and Lakshmikanth Raghavan CRC Press Taylor & Francis Group Boca Raton London New York CRC Press Is an imprint
More informationPromoting Application Security within Federal Government. AppSec DC November 13, 2009. The OWASP Foundation http://www.owasp.org
Promoting Application Security within Federal Government AppSec DC November 13, 2009 Dr. Sarbari Gupta, CISSP, CISA Founder/President Electrosoft sarbari@electrosoft-inc.com 703-437-9451 ext 12 The Foundation
More informationWeb Application Security
Web Application Security A Beginner's Guide Bryan Sullivan Vincent Liu Mc r New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto Contents
More informationDevelopment Processes (Lecture outline)
Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development
More informationPassing PCI Compliance How to Address the Application Security Mandates
Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These
More informationPromoting Application Security within Federal Government. AppSec DC November 13, 2009. The OWASP Foundation http://www.owasp.org
Promoting Application Security within Federal Government AppSec DC November 13, 2009 Dr. Sarbari Gupta, CISSP, CISA Founder/President Electrosoft sarbari@electrosoft-inc.com 703-437-9451 ext 12 The Foundation
More informationOWASP Top Ten Tools and Tactics
OWASP Top Ten Tools and Tactics Russ McRee Copyright 2012 HolisticInfoSec.org SANSFIRE 2012 10 JULY Welcome Manager, Security Analytics for Microsoft Online Services Security & Compliance Writer (toolsmith),
More informationColumbia University Web Security Standards and Practices. Objective and Scope
Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements
More informationIntegrating Security into the Application Development Process. Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis
Integrating Security into the Application Development Process Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis Agenda Seek First to Understand Source Code Security AppSec and SQA Analyzing
More informationThe Electronic Arms Race of Cyber Security 4.2 Lecture 7
The Electronic Arms Race of Cyber Security 4.2 Lecture 7 ISIMA Clermont-Ferrand / 04-February 2011 Copyright 2011 Dr. Juergen Hirte List of Content Why Process Automation Security? Security Awareness Issues
More informationMagento Security and Vulnerabilities. Roman Stepanov
Magento Security and Vulnerabilities Roman Stepanov http://ice.eltrino.com/ Table of contents Introduction Open Web Application Security Project OWASP TOP 10 List Common issues in Magento A1 Injection
More informationBuilding & Measuring Security in Web Applications. Fabio Cerullo Cycubix Limited 30 May 2012 - Belfast
Building & Measuring Security in Web Applications Fabio Cerullo Cycubix Limited 30 May 2012 - Belfast Brief Bio - CEO & Founder Cycubix Limited - 10+ years security experience in Technology, Manufacturing,
More informationANDROID SECURITY ATTACKS AND DEFENSES ABHISHEK DUBEY I ANMOL MISRA. ( r öc) CRC Press VV J Taylor & Francis Group ^ "^ Boca Raton London New York
ANDROID SECURITY ATTACKS AND DEFENSES ABHISHEK DUBEY I ANMOL MISRA ( r öc) CRC Press VV J Taylor & Francis Group ^ "^ Boca Raton London New York CRC Press is an imprint of the Taylor & Francis Croup, an
More informationWhere every interaction matters.
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
More informationFINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES
Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that
More informationTEAM Academy Catalog. 187 Ballardvale Street, Wilmington, MA 01887 +1.978.694.1008 www.securityinnovation.com
TEAM Academy Catalog 187 Ballardvale Street, Wilmington, MA 01887 +1.978.694.1008 TEAM ACADEMY OVERVIEW 2 Table of Contents TEAM Academy Overview... 4 TEAM Professor Overview... 4 Security Awareness and
More informationDISA's Application Security and Development STIG: How OWASP Can Help You. AppSec DC November 12, 2009. The OWASP Foundation http://www.owasp.
DISA's Application Security and Development STIG: How Can Help You AppSec DC November 12, 2009 Jason Li Senior Application Security Engineer jason.li@aspectsecurity.com The Foundation http://www.owasp.org
More informationWhat is Web Security? Motivation
brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web
More informationRational AppScan & Ounce Products
IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168
More information(WAPT) Web Application Penetration Testing
(WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:
More informationThe Top Web Application Attacks: Are you vulnerable?
QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding
More informationHow To Ensure That Your Computer System Is Safe
Establishing a Continuous Process for PCI DSS Compliance Visa, MasterCard, American Express, and other payment card companies currently require all U.S. merchants accepting credit card payments to comply
More informationWEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY
WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities
More informationFINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE
Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security
More informationETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001
001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110
More informationEnterprise Application Security Workshop Series
Enterprise Application Security Workshop Series Phone 877-697-2434 fax 877-697-2434 www.thesagegrp.com Defending JAVA Applications (3 Days) In The Sage Group s Defending JAVA Applications workshop, participants
More informationWHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats
WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top
More informationASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus
ASP.NET MVC Secure Coding 4-Day hands on Course Course Syllabus Course description ASP.NET MVC Secure Coding 4-Day hands on Course Secure programming is the best defense against hackers. This multilayered
More informationJVA-122. Secure Java Web Development
JVA-122. Secure Java Web Development Version 7.0 This comprehensive course shows experienced developers of Java EE applications how to secure those applications and to apply best practices with regard
More informationEssential IT Security Testing
Essential IT Security Testing Application Security Testing for System Testers By Andrew Muller Director of Ionize Who is this guy? IT Security consultant to the stars Member of OWASP Member of IT-012-04
More informationSecuring Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group
Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability
More informationChapter 1 Web Application (In)security 1
Introduction xxiii Chapter 1 Web Application (In)security 1 The Evolution of Web Applications 2 Common Web Application Functions 4 Benefits of Web Applications 5 Web Application Security 6 "This Site Is
More informationNuclear Regulatory Commission Computer Security Office Computer Security Standard
Nuclear Regulatory Commission Computer Security Office Computer Security Standard Office Instruction: Office Instruction Title: CSO-STD-1108 Web Application Standard Revision Number: 1.0 Effective Date:
More informationArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young
ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction
More informationCyber Security & Data Privacy. January 22, 2014
Cyber Security & Data Privacy January 22, 2014 Today s Presenters Bob DiBella Director of Product Management Aclara Technologies Srinivasalu Ambati Application Architect, Consumer Engagement Aclara Technologies
More informationSpigit, Inc. Web Application Vulnerability Assessment/Penetration Test. Prepared By: Accuvant LABS
Web Application Vulnerability Assessment/enetration Test repared By: Accuvant LABS November 20, 2012 Web Application Vulnerability Assessment/enetration Test Introduction Defending the enterprise against
More informationSAST, DAST and Vulnerability Assessments, 1+1+1 = 4
SAST, DAST and Vulnerability Assessments, 1+1+1 = 4 Gordon MacKay Digital Defense, Inc. Chris Wysopal Veracode Session ID: Session Classification: ASEC-W25 Intermediate AGENDA Risk Management Challenges
More informationLEARNING CURRICULUM SECURITY COMPASS TRAINING 2015 Q3. Copyright 2015. Security Compass. 1
LEARNING CURRICULUM SECURITY COMPASS TRAINING 2015 Q3 Copyright 2015. Security Compass. 1 CONTENTS WHY SECURITY COMPASS...3 RECOMMENDED LEARNING PATHs...4 TECHNICAL LEARNING PATHS...4 BUSINESS / SUPPORT
More information90% of data breaches are caused by software vulnerabilities.
90% of data breaches are caused by software vulnerabilities. Get the skills you need to build secure software applications Secure Software Development (SSD) www.ce.ucf.edu/ssd Offered in partnership with
More informationDetecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008
Detecting Web Application Vulnerabilities Using Open Source Means OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Kostas Papapanagiotou Committee Member OWASP Greek Chapter conpap@owasp.gr
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationHow to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP
How to start a software security initiative within your organization: a maturity based and metrics driven approach Marco Morana OWASP Lead/ TISO Citigroup OWASP Application Security For E-Government Copyright
More informationHow to achieve PCI DSS Compliance with Checkmarx Source Code Analysis
How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis Document Scope This document aims to assist organizations comply with PCI DSS 3 when it comes to Application Security best practices.
More informationHow to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering
How to break in Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering Time Agenda Agenda Item 9:30 10:00 Introduction 10:00 10:45 Web Application Penetration
More informationStandard: Web Application Development
Information Security Standards Web Application Development Standard IS-WAD Effective Date TBD Email security@sjsu.edu # Version 2.0 Contact Mike Cook Phone 408-924-1705 Standard: Web Application Development
More informationMore Repeatable Vulnerability Assessment An introduction
Försvarets Materielverk/CSEC 2008 Document ID CB-039 Issue 0.4 More Repeatable Vulnerability Assessment An introduction Helén Svensson 1 Section Agenda Background Introduction to the following aspects
More informationCreating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011 Agenda Evolving Threats Operating System Application User Generated Content JPL s Application Security Program Securing
More informationWeb Application Penetration Testing
Web Application Penetration Testing 2010 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Will Bechtel William.Bechtel@att.com
More informationTesting the OWASP Top 10 Security Issues
Testing the OWASP Top 10 Security Issues Andy Tinkham & Zach Bergman, Magenic Technologies Contact Us 1600 Utica Avenue South, Suite 800 St. Louis Park, MN 55416 1 (877)-277-1044 info@magenic.com Who Are
More informationCertified Secure Web Application Secure Development Checklist
www.certifiedsecure.com info@certifiedsecure.com Tel.: +31 (0)70 310 13 40 Loire 128-A 2491 AJ The Hague The Netherlands About Certified Secure Checklist Certified Secure exists to encourage and fulfill
More informationSitefinity Security and Best Practices
Sitefinity Security and Best Practices Table of Contents Overview The Ten Most Critical Web Application Security Risks Injection Cross-Site-Scripting (XSS) Broken Authentication and Session Management
More informationTemplate for PFI Final Incident Report for Remote Investigations
Payment Card Industry (PCI) Data Security Standard PFI Final Incident Report for Remote Investigations Template for PFI Final Incident Report for Remote Investigations Version 1.1 February 2015 Document
More informationIs Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security
Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss Thinking Securely Security is a process, not
More informationPentests more than just using the proper tools
Pentests more than just using the proper tools Agenda 1. Information Security @ TÜV Rheinland 2. Penetration testing Introduction Evaluation scheme Security Analyses of web applications Internal Security
More informationTop Web Application Security Issues. Daniel Ramsbrock, CISSP, GSSP
Top Web Application Security Issues Daniel Ramsbrock, CISSP, GSSP daniel ramsbrock.com Presentation Overview Background and experience Financial services case study Common findings: Weak input validation
More informationCase Study: Treating Challenges in Software Trustability
Software Security, Dependability and Resilience Initiative (S S D R I) Case Study: Treating Challenges in Software Trustability Ian Bryant Technical Director SSDRI [DMU/CSC/SSDR/2011/142 v1.1 20111207]
More informationStrategic Information Security. Attacking and Defending Web Services
Security PS Strategic Information Security. Attacking and Defending Web Services Presented By: David W. Green, CISSP dgreen@securityps.com Introduction About Security PS Application Security Assessments
More information05.0 Application Development
Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development
More informationCracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference
Cracking the Perimeter via Web Application Hacking Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference About 403 Labs 403 Labs is a full-service information security and compliance
More informationAttack Vector Detail Report Atlassian
Attack Vector Detail Report Atlassian Report As Of Tuesday, March 24, 2015 Prepared By Report Description Notes cdavies@atlassian.com The Attack Vector Details report provides details of vulnerability
More informationHow to Build a Trusted Application. John Dickson, CISSP
How to Build a Trusted Application John Dickson, CISSP Overview What is Application Security? Examples of Potential Vulnerabilities Strategies to Build Secure Apps Questions and Answers Denim Group, Ltd.
More informationOWASP Secure Coding Practices Quick Reference Guide
OWASP Secure Coding Practices Quick Reference Guide Copyright and License Copyright 2010 The OWASP Foundation. This document is released under the Creative Commons Attribution ShareAlike 3.0 license. For
More informationSoftware Assurance Tools: Web Application Security Scanner Functional Specification Version 1.0
Special Publication 500-269 Software Assurance Tools: Web Application Security Scanner Functional Specification Version 1.0 Paul E. Black Elizabeth Fong Vadim Okun Romain Gaucher Software Diagnostics and
More informationCriteria for web application security check. Version 2015.1
Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-
More informationCyber Exploits: Improving Defenses Against Penetration Attempts
Cyber Exploits: Improving Defenses Against Penetration Attempts Mark Burnette, CPA, CISA, CISSP, CISM, CGEIT, CRISC, QSA LBMC Security & Risk Services Today s Agenda Planning a Cyber Defense Strategy How
More informationA Strategic Approach to Web Application Security The importance of a secure software development lifecycle
A Strategic Approach to Web Application Security The importance of a secure software development lifecycle Rachna Goel Technical Lead Enterprise Technology Web application security is clearly the new frontier
More informationColumbia University Web Application Security Standards and Practices. Objective and Scope
Columbia University Web Application Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Application Security Standards and Practices document establishes a baseline
More informationWeb Application Security Assessment and Vulnerability Mitigation Tests
White paper BMC Remedy Action Request System 7.6.04 Web Application Security Assessment and Vulnerability Mitigation Tests January 2011 www.bmc.com Contacting BMC Software You can access the BMC Software
More informationDFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)
Title: Functional Category: Information Technology Services Issuing Department: Information Technology Services Code Number: xx.xxx.xx Effective Date: xx/xx/2014 1.0 PURPOSE 1.1 To appropriately manage
More informationPentests more than just using the proper tools
Pentests more than just using the proper tools Agenda 1. Information Security @ TÜV Rheinland 2. Security testing 3. Penetration testing Introduction Evaluation scheme Security Analyses of web applications
More informationEnterprise Security API (ESAPI) Java Java User Group San Antonio. Jarret Raim June 3 rd, 2010
Enterprise Security API (ESAPI) Java Java User Group San Antonio Jarret Raim June 3 rd, 2010 What is it? ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control
More informationArchitectural Design Patterns. Design and Use Cases for OWASP. Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A. http://www.owasp.
Architectural Design Patterns for SSO (Single Sign On) Design and Use Cases for Financial i Web Applications Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A. OWASP Copyright The OWASP Foundation Permission
More informationIntegrating Security Testing into Quality Control
Integrating Security Testing into Quality Control Executive Summary At a time when 82% of all application vulnerabilities are found in web applications 1, CIOs are looking for traditional and non-traditional
More informationLost in Translation: Understanding the Hacker Mindset
Lost in Translation: Understanding the Hacker Mindset 11710 Plaza America Dr., Ste 520, Reston, VA 20190 www.knowledgecg.com Voice: 703.467.2000 Fax: 703.547.0322 1 Agenda Introductions Secure SDLC Approach
More informationApplication Code Development Standards
Application Code Development Standards Overview This document is intended to provide guidance to campus system owners and software developers regarding secure software engineering practices. These standards
More informationCS 356 Lecture 23 and 24 Software Security. Spring 2013
CS 356 Lecture 23 and 24 Software Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists
More informationReducing Application Vulnerabilities by Security Engineering
Reducing Application Vulnerabilities by Security Engineering - Subash Newton Manager Projects (Non Functional Testing, PT CoE Group) 2008, Cognizant Technology Solutions. All Rights Reserved. The information
More informationOverview of the Penetration Test Implementation and Service. Peter Kanters
Penetration Test Service @ ABN AMRO Overview of the Penetration Test Implementation and Service. Peter Kanters ABN AMRO / ISO April 2010 Contents 1. Introduction. 2. The history of Penetration Testing
More informationSoftware Development: The Next Security Frontier
James E. Molini, CISSP, CSSLP Microsoft Member, (ISC)² Advisory Board of the Americas jmolini@microsoft.com http://www.codeguard.org/blog Software Development: The Next Security Frontier De-perimiterization
More informationCertified Secure Web Application Security Test Checklist
www.certifiedsecure.com info@certifiedsecure.com Tel.: +31 (0)70 310 13 40 Loire 128-A 2491 AJ The Hague The Netherlands Certified Secure Checklist About Certified Secure exists to encourage and fulfill
More informationCloud Security:Threats & Mitgations
Cloud Security:Threats & Mitgations Vineet Mago Naresh Khalasi Vayana 1 What are we gonna talk about? What we need to know to get started Its your responsibility Threats and Remediations: Hacker v/s Developer
More informationNetwork Security Audit. Vulnerability Assessment (VA)
Network Security Audit Vulnerability Assessment (VA) Introduction Vulnerability Assessment is the systematic examination of an information system (IS) or product to determine the adequacy of security measures.
More informationComparison of Secure Development Frameworks for Korean e- Government Systems
, pp.355-362 http://dx.doi.org/10.14257/ijsia.2014.8.1.33 Comparison of Secure Development Frameworks for Korean e- Government Systems Dongsu Seo School of Information Technology Sungshin University dseo@sungshin.ac.kr
More informationWeb applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh
Web applications Web security: web basics Myrto Arapinis School of Informatics University of Edinburgh HTTP March 19, 2015 Client Server Database (HTML, JavaScript) (PHP) (SQL) 1 / 24 2 / 24 URLs HTTP
More informationSix Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business
6 Six Essential Elements of Web Application Security Cost Effective Strategies for Defending Your Business An Introduction to Defending Your Business Against Today s Most Common Cyber Attacks When web
More informationMean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP
Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP Presentation Overview Basic Application Security (AppSec) Fundamentals Risks Associated With
More informationWHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6
WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL Ensuring Compliance for PCI DSS 6.5 and 6.6 CONTENTS 04 04 06 08 11 12 13 Overview Payment Card Industry Data Security Standard PCI Compliance for Web Applications
More informationConducting Web Application Pentests. From Scoping to Report For Education Purposes Only
Conducting Web Application Pentests From Scoping to Report For Education Purposes Only Web App Pen Tests According to OWASP: A Web Application Penetration Test focuses only on evaluating the security of
More informationPayment Card Industry (PCI) Data Security Standard PFI Final Incident Report. Template for PFI Final Incident Report. Version 1.0.
Payment Card Industry (PCI) Data Security Standard PFI Final Incident Report Template for PFI Final Incident Report Version 1.0 August 2014 Document Changes Date Version Description August 2014 1.0 To
More informationCSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities
CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities Thomas Moyer Spring 2010 1 Web Applications What has changed with web applications? Traditional applications
More informationInteractive Application Security Testing (IAST)
WHITEPAPER Interactive Application Security Testing (IAST) The World s Fastest Application Security Software Software affects virtually every aspect of an individual s finances, safety, government, communication,
More informationPayment Card Industry (PCI) Data Security Standard PFI Final Incident Report. Template for PFI Final Incident Report. Version 1.1.
Payment Card Industry (PCI) Data Security Standard PFI Final Incident Report Template for PFI Final Incident Report Version 1.1 February 2015 Document Changes Date Version Description August 2014 1.0 To
More informationWeb App Security Audit Services
locuz.com Professional Services Web App Security Audit Services The unsecured world today Today, over 80% of attacks against a company s network come at the Application Layer not the Network or System
More informationWeb application testing
CL-WTS Web application testing Classroom 2 days Testing plays a very important role in ensuring security and robustness of web applications. Various approaches from high level auditing through penetration
More informationOWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp.
and Top 10 (2007 Update) Dave Wichers The Foundation Conferences Chair dave.wichers@owasp.org COO, Aspect Security dave.wichers@aspectsecurity.com Copyright 2007 - The Foundation This work is available
More information