Threat Modeling. A workshop on how to create threat models by creating a hands-on example
- Dortha Webb
- 8 years ago
1 Threat Modeling: A workshop on how to create threat models by creating a hands-on example
2 Introduction
3 Introduction
4 Part 1: Application-Layer Attacks. A brief primer on some web application attacks
5 Authentication
How can you break authentication?
- Brute-force
- Dictionary
- Birthday paradox
- Forgotten passwords (Paris Hilton attack)
More advanced forms:
- Timing-based attacks
- Cryptanalysis
- Token replay attacks
6 Session Management
Lots of potential attacks:
- Guess Session ID
- Modification attacks
- Content caching
- Replay attacks / Session hijacking
- Cookie attack
- DNS cache poisoning
- XSS (Input/Output validation)
7 Parameter Manipulation: Free TVs for everyone!
8 SQL Injection
- The DB can't differentiate between user-supplied values and computer-generated values
- Classic 1 = 1 attack
- Of course, it can get very severe: xp_cmdshell
9 Part 2: Threat Model Case Study. Intro to the case study for this class
10 Case Study Introduction
- You are consultants for Security Compass
- You have been contracted to perform a source code review and threat model on the False Secure Order web services site
- You will have 1 week to cover 7,500 out of over 145,000 lines of code
- You, as a group, have just over 2 hours to perform the threat model
- Prioritize which areas to cover in the threat model and identify which components are most critical
- You will review the architecture, interview the architect, determine data flows, determine and prioritize risk, and provide a list of countermeasures against high-risk threats to look for in the review
11 Steps of Threat Modeling
Gather Information -> Decompose App -> Diagram (DFDs) -> Identify Risk (Use Cases, Attack Trees)
[Figure: worksheet fragments shown behind the step list: a user-type list (Regular User, Admin User, Brokerage Users); a call table with Caller (Client Browser, Apache Web Server, My App Server) and Action (Request data, Send MQ Message, Retrieve data from DB); and a Threats and Risk Ratings sheet with columns Affected Roles and Net Data Effect, e.g. Regular Users read ACR values; Regular, Administrative Users read Mailing Options / Mailing Options History]
12 Gather Information
- The architect will walk you through the architecture of the application
- Please review the architecture documents provided
Questions to ask the architect:
- Describe the application: Who uses it? What is it used for? How often is it used? What kinds of data does it hold?
- Determine regulatory / legislative applicability: Does it store/handle personal data? Financial-reporting data? Cardholder data? Any others?
- What systems does it connect with?
- What are the entry points?
- Major app-sec domains: How does it handle access control, session management, logging, and input validation?
Note that the architect is at too high a level to discuss issues such as error handling.
Remember the 5 Ws to determine business risk: Who? What? When? Where? Why? "How?" comes afterwards.
13 Steps of Threat Modeling (roadmap slide, repeated from slide 11)
14 Decompose App
Using the worksheets and stickers provided, break down:
- System Components
- Users
- Data Types
- Use Cases (don't do this now; complete this after the DFD)
15 Steps of Threat Modeling (roadmap slide, repeated from slide 11)
16 Data Flow Diagrams
- As a group, we're going to create a Level 1 DFD for a typical transaction flow based on the data we've been given
- Identify components, data stores, and flow of data
- Determine trust boundaries: are those trust boundaries legitimate?
- A Level 2 DFD would use the layers described in the presentation and middle-tier design documents
- Allows us to drill in on those components we need to look at most
Diagram (End User / Client Browser -> Web Server -> App Server -> Database):
1. Client sends request over web
2. Web server forwards request to app server
3. App server processes logic and updates DB
4. Application server returns message to web server
5. Message returned to client
17 Interactive Time
Our next steps will involve examining use cases and determining risk levels. So what are the most pertinent use cases for this application?
18 Steps of Threat Modeling (roadmap slide, repeated from slide 11)
19 Create Use Case
Using the worksheets and stickers provided, fill out use cases based on a single transaction flow from the DFD.
Example: User Updates Inventory in I-Tracker
Diagram: Client Browser -> I-Tracker Web -> I-Tracker App -> I-Tracker DB, with I-Tracker App also calling Notifications
1. Sends inventory update HTTP form
2. Forwards HTTP request
3. Update DB
4. Notifies shipping team
Description of Call Flow:
Call # | Sender | Receiver | Description
1 | Client | I-Tracker Web | Client sends an inventory request form submitted via the app along with the JSESSIONID cookie
2 | I-Tracker Web | I-Tracker App | Web server forwards request to app server
3 | I-Tracker App | I-Tracker DB | App server updates DB with new value for inventory
4 | I-Tracker App | Notifications | Notification is sent to shipping if necessary
20 Find Risk for Threats
- This is the most difficult part of the threat model
- Starts with a solid base of knowledge of application security attacks (learned through your last class): What are the attack types? Do they affect C, I, or A? How likely are they?
- Enhanced by keeping up-to-date with other attacks. Reading the OWASP attacks section is a great resource.
21 Find Risk for Threats
- The Common Weakness Enumeration (CWE) is another great resource
- May be too big to read in full, but you can do meaningful keyword searching (e.g. look for XML)
22 Find Risk for Threats
- For the purposes of this class we'll rely on the knowledge of the students
- Please use the blank template provided
- Ignore Threat # for now
Threats and Risk Ratings (blank template; every row lists the same data types: Inventory Levels, Customer IDs, Sales Order Numbers, Product IDs, Session IDs)
Attack Vector | Data Types | CIA | Risk | Threat #
At client | (as above) | | |
At client | (as above) | | |
At client | (as above) | | |
From client to web server | (as above) | | |
From client to web server | (as above) | | |
From client to web server | (as above) | | |
23 Use Cases: Determining Risk
We take the highest value from the data types for each threat, and use that as our impact rating.
Threats and Risk Ratings (three "At client" rows, each listing Inventory Levels, Customer IDs, Sales Order Numbers, Product IDs, Session IDs; CIA and Risk still blank)
Data Risk by Data Type:
Data Type | C | I | A | Description
Inventory Levels | L | H | M | Amount of inventory for each product
Customer IDs | L | H | M | Unique ID for each end customer
Sales Order Numbers | L | H | M | Unique order # for each sales order
Description of Orders | L | L | L | Description of sales order
Product IDs | L | H | M | User is authenticated, User is authorized to perform functions (description garbled in transcription)
Password | H | M | M | Password of system user
User ID | M | M | M | ID of system user
Session ID | H | M | M | Session ID value for user (JSESSIONID from Tomcat)
24 Find Risk for Threats
- Likelihood was determined from our knowledge of threats and from external resources
- We assign a value of 1 for low, 2 for medium, and 3 for high for both likelihood and impact
- Risk = Likelihood x Impact
- Use the following chart from the resulting product to determine the risk level
Likelihood x Impact = Risk Score (Low / Medium / High)
25 Fill in the Risk!
Threats and Risk Ratings (every row lists Inventory Levels, Customer IDs, Sales Order Numbers, Product IDs, Session IDs; the CIA column is blank in the transcription)
Attack Vector | CIA | Risk | Threat #
At client | | H | 1
At client | | H | 2
At client | | N/A | 3
From client to web server | | H | 4
From client to web server | | H | 5
From client to web server | | N/A | 6
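As an added example that is not part of the workshop material, the impact-and-risk calculation from slides 22 to 25 in Python: it takes the data-type ratings from slide 23, derives each threat's impact as the highest rating for its CIA property among the data types in scope, multiplies by likelihood (L=1, M=2, H=3) and bands the product. The per-threat likelihood values and the Low/Medium/High bands are assumptions, since the slides' chart is not reproduced here.

```python
"""Risk rating for the I-Tracker threat worksheet (added example).

Impact for a threat is the highest rating, for the CIA property the threat
concerns, among the data types it touches; Risk = Likelihood x Impact with
L=1, M=2, H=3.  The data-type ratings come from the workshop's slide 23.
ASSUMPTIONS: the likelihood values below and the Low/Medium/High bands for
the 1..9 product are constructed, since the slides' chart is not reproduced.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RATING = {"L": 1, "M": 2, "H": 3}
CIA_INDEX = {"C": 0, "I": 1, "A": 2}

# (C, I, A) ratings per data type, as given on slide 23.
DATA_TYPES = {
    "Inventory Levels":      ("L", "H", "M"),
    "Customer IDs":          ("L", "H", "M"),
    "Sales Order Numbers":   ("L", "H", "M"),
    "Description of Orders": ("L", "L", "L"),
    "Product IDs":           ("L", "H", "M"),
    "Password":              ("H", "M", "M"),
    "User ID":               ("M", "M", "M"),
    "Session ID":            ("H", "M", "M"),
}

# Data types in scope for the "User Updates Inventory" use case (slide 22).
USE_CASE_DATA = ["Inventory Levels", "Customer IDs", "Sales Order Numbers",
                 "Product IDs", "Session ID"]


@dataclass
class Threat:
    number: int
    attack_vector: str
    cia: str                   # "C", "I" or "A"
    likelihood: Optional[str]  # "L"/"M"/"H", or None when the threat does not apply
    data_types: List[str] = field(default_factory=lambda: list(USE_CASE_DATA))


def impact(threat: Threat) -> int:
    """Highest rating among the threat's data types for its CIA property."""
    idx = CIA_INDEX[threat.cia]
    return max(RATING[DATA_TYPES[name][idx]] for name in threat.data_types)


def risk_level(score: int) -> str:
    """ASSUMED banding of the 1..9 product (the slides' chart is not shown)."""
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Medium"
    return "High"


def rate_threat(threat: Threat) -> Tuple[int, Optional[int], str]:
    """Return (impact, score, level); a threat with no likelihood is N/A,
    matching the N/A rows on slide 25."""
    imp = impact(threat)
    if threat.likelihood is None:
        return imp, None, "N/A"
    score = RATING[threat.likelihood] * imp
    return imp, score, risk_level(score)


# Constructed likelihoods for the six worksheet rows on slide 25.
THREATS = [
    Threat(1, "At client", "C", "H"),
    Threat(2, "At client", "I", "M"),
    Threat(3, "At client", "A", None),
    Threat(4, "From client to web server", "C", "H"),
    Threat(5, "From client to web server", "I", "M"),
    Threat(6, "From client to web server", "A", None),
]


def rate_all(threats=THREATS) -> Dict[int, Tuple[int, Optional[int], str]]:
    """Rate every worksheet row, keyed by Threat #."""
    return {t.number: rate_threat(t) for t in threats}


if __name__ == "__main__":
    for number, (imp, score, level) in rate_all().items():
        print(f"Threat #{number}: impact={imp} score={score} risk={level}")
```

Because Session ID is rated H for confidentiality and Inventory Levels H for integrity, every C or I threat on this use case carries impact 3, so only the likelihood separates the rows.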
26 Steps of Threat Modeling (roadmap slide, repeated from slide 11)
27 Attack Trees
Determine how a threat may be exploited:
Confidentiality at client
  - Plaintext data read during transmission -> Countermeasure: Properly configured SSL
  - Cross-site scripting in app -> Countermeasure: Strong input validation
28 Attack Trees
- Can be very cumbersome and time-consuming
- An alternative notation is easier:
Threat #1: Confidentiality at client
Attack: Malware steals data
  Countermeasure: Set cache-control to no-cache for sensitive pages
Attack: Sensitive data stored on client machine
  Countermeasure: Set cache-control to no-cache for sensitive pages
  Countermeasure: Prevent sensitive data from reaching the client in error messages by providing a default, generic error page defined in the Struts web.xml. Ensure all runtime and checked exceptions are caught and handled before reaching any JSP or Servlet.
Attack: Session compromised
  Countermeasure: Use strong session identifiers; use existing functionality to do this (e.g. JSESSIONID)
  Countermeasure: Expire sessions after 15 minutes of inactivity
  Countermeasure: Enforce a hard timeout after 8 hours regardless of the amount of activity
  Countermeasure: Expire the cookie at the end of the browsing session
  Countermeasure: Validate all user input using Apache Struts validators to prevent XSS
  Countermeasure: HTML-encode all output using URLEncoder to prevent XSS
  Countermeasure: Use the HttpOnly flag to mitigate the risk of XSS-stolen cookies
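As an added example that is not part of the workshop material, a small Python check for the client-side countermeasures listed under Threat #1 above: Cache-Control set to no-cache on sensitive pages, a session cookie that is HttpOnly and expires with the browsing session, and no exception detail reaching the client in error responses. The cookie name JSESSIONID follows the slides; the two sample responses and the stack-trace pattern are constructed assumptions.

```python
"""Audit an HTTP response against the Threat #1 countermeasures (added example).

Checks: Cache-Control carries no-cache; the session cookie is HttpOnly and has
no Expires/Max-Age (so it dies with the browsing session); and the body holds
no exception or stack-trace text.  The two responses below are constructed.
"""
import re
from typing import Dict, List, Tuple

# Matches "...Exception"/"...Error" class names and "    at pkg.Class.m(" frames.
STACK_TRACE = re.compile(r"\b\w+(?:Exception|Error)\b|^\s+at \S+\(", re.M)


def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]], str]:
    """Split a raw HTTP/1.x response into (status line, headers, body).
    Headers are (lower-cased name, value) pairs; repeats such as several
    Set-Cookie lines are preserved."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def cookie_attrs(set_cookie: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, {attribute (lower-cased): value}) for a Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit(raw: str, session_cookie: str = "JSESSIONID") -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    _, headers, body = parse_response(raw)
    findings = []

    cache = [v for n, v in headers if n == "cache-control"]
    if not any("no-cache" in v.lower() for v in cache):
        findings.append("Cache-Control lacks no-cache: page may be cached on the client")

    cookies = dict(cookie_attrs(v) for n, v in headers if n == "set-cookie")
    attrs = cookies.get(session_cookie)
    if attrs is not None:  # only responses that (re)issue the session cookie are judged
        if "httponly" not in attrs:
            findings.append(f"{session_cookie} is not HttpOnly: readable by injected script")
        if "expires" in attrs or "max-age" in attrs:
            findings.append(f"{session_cookie} persists beyond the browsing session")

    if STACK_TRACE.search(body):
        findings.append("body contains exception/stack-trace text: error detail reaches the client")
    return findings


# Constructed sample responses (not captured from any real system).
BAD = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=0123ABCD; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT\r\n"
    "\r\n"
    "<pre>java.sql.SQLException: table or view does not exist\n"
    "\tat com.example.OrderDao.load(OrderDao.java:42)</pre>"
)
GOOD = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Cache-Control: no-cache, no-store\r\n"
    "Set-Cookie: JSESSIONID=0123ABCD; Path=/; HttpOnly; Secure\r\n"
    "\r\n"
    "<html><body>Something went wrong. Please try again later.</body></html>"
)

if __name__ == "__main__":
    for label, resp in (("BAD", BAD), ("GOOD", GOOD)):
        print(label, audit(resp) or ["all checks passed"])
```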
29 Determine Attacks
For the three highest-risk threats in your use case:
- Determine attacks
- Determine possible countermeasures (from your own knowledge, web resources, or by asking experts)
- Please fill out the attack tree sheets provided
30 Share Findings
- Which areas of code are most pertinent to review given our limited timelines?
- What suggestions would we make to the architect/management to improve the application's security in the next release?
31 Tools
- Unfortunately, not many tools out there
- The Microsoft Threat Analysis & Modeling free tool is the best bet; search for this at msdn.microsoft.com
32 Questions / Profile
- Our consultants have serviced large (Fortune 500) and medium-sized companies across most major industries
- We have worked for major security players, including Foundstone and Deloitte
- We have co-authored or contributed to several security books, including: Hacking Exposed: Web Applications, 2nd Edition; HackNotes: Network Security; Buffer Overflow Attacks: Detect, Exploit & Prevent; Windows XP Professional Security; Writing Security Tools and Exploits
- We have presented at and continue to present at security conferences, including: Blackhat Amsterdam; Reverse Engineering Conference 2005 in Montreal; HackInTheBox 2005 in Malaysia; ISC2's Infosec Conferences in Las Vegas, NYC, Toronto & DC; CSI NetSec; DallasCon; ToorCon; and Freenix
- We present and contribute to open source projects: Chair at OWASP Toronto; presented at OWASP Toronto; contributed to the YASSP Project (led by SANS and Xerox)
More informationTechnical Findings Sample Report
Technical Findings Sample Report A B C C o m p a n y S a m p l e S e c u r i t y A s s e s s m e n t 2 5 0 S c i e n t i f i c D r i v e S u i t e 3 0 0 N o r c r o s s G A 3 0 0 9 2 P h o n e N u m b
More informationColumbia University Web Application Security Standards and Practices. Objective and Scope
Columbia University Web Application Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Application Security Standards and Practices document establishes a baseline
More informationThreat Modelling for Web Application Deployment. Ivan Ristic ivanr@webkreator.com (Thinking Stone)
Threat Modelling for Web Application Deployment Ivan Ristic ivanr@webkreator.com (Thinking Stone) Talk Overview 1. Introducing Threat Modelling 2. Real-world Example 3. Questions Who Am I? Developer /
More informationThis presentation isn t intended to be comprehensive, but hopefully we ll expose you to some new options or new ways of thinking about Threat
1 2 3 4 This presentation isn t intended to be comprehensive, but hopefully we ll expose you to some new options or new ways of thinking about Threat Modeling. 5 Security people don t all agree on the
More informationOWASP Top Ten Tools and Tactics
OWASP Top Ten Tools and Tactics Russ McRee Copyright 2012 HolisticInfoSec.org SANSFIRE 2012 10 JULY Welcome Manager, Security Analytics for Microsoft Online Services Security & Compliance Writer (toolsmith),
More informationIntroduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006
Introduction to Web Application Security Microsoft CSO Roundtable Houston, TX September 13 th, 2006 Overview Background What is Application Security and Why Is It Important? Examples Where Do We Go From
More informationLearn Ethical Hacking, Become a Pentester
Learn Ethical Hacking, Become a Pentester Course Syllabus & Certification Program DOCUMENT CLASSIFICATION: PUBLIC Copyrighted Material No part of this publication, in whole or in part, may be reproduced,
More information3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management
What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org
More informationSecurity in Network-Based Applications. ITIS 4166/5166 Network Based Application Development. Network Security. Agenda. References
ITIS 4166/5166 Network Based Application Development Security in Network-Based Applications Anita Raja Spring 2006 Agenda Network Security. Application Security. Web Services Security. References Open
More informationWeb Engineering Web Application Security Issues
Security Issues Dec 14 2009 Katharina Siorpaes Copyright 2009 STI - INNSBRUCK www.sti-innsbruck.at It is NOT Network Security It is securing: Custom Code that drives a web application Libraries Backend
More informationCONTENTS. PCI DSS Compliance Guide
CONTENTS PCI DSS COMPLIANCE FOR YOUR WEBSITE BUILD AND MAINTAIN A SECURE NETWORK AND SYSTEMS Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not
More informationSEC320 1. Secure. Usable. Cheap. Data. Applications. Host Internal Network Perimeter Physical Security. People, Policies, & Process.
Threat Modeling Networks Fundamental Tradeoff Secure Jesper M. Johansson Senior Security Strategist Microsoft Corporation jesperjo@microsoft.com http://blogs.technet.com/jesper_johansson Usable You get
More informationDFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)
Title: Functional Category: Information Technology Services Issuing Department: Information Technology Services Code Number: xx.xxx.xx Effective Date: xx/xx/2014 1.0 PURPOSE 1.1 To appropriately manage
More informationSecuring Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group
Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability
More informationThick Client Application Security
Thick Client Application Security Arindam Mandal (arindam.mandal@paladion.net) (http://www.paladion.net) January 2005 This paper discusses the critical vulnerabilities and corresponding risks in a two
More informationSpigit, Inc. Web Application Vulnerability Assessment/Penetration Test. Prepared By: Accuvant LABS
Web Application Vulnerability Assessment/enetration Test repared By: Accuvant LABS November 20, 2012 Web Application Vulnerability Assessment/enetration Test Introduction Defending the enterprise against
More informationLecture 11 Web Application Security (part 1)
Lecture 11 Web Application Security (part 1) Computer and Network Security 4th of January 2016 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 11, Web Application Security (part 1)
More informationStrategic Information Security. Attacking and Defending Web Services
Security PS Strategic Information Security. Attacking and Defending Web Services Presented By: David W. Green, CISSP dgreen@securityps.com Introduction About Security PS Application Security Assessments
More information1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications
1. Introduction 2. Web Application 3. Components 4. Common Vulnerabilities 5. Improving security in Web applications 2 What does World Wide Web security mean? Webmasters=> confidence that their site won
More informationTesting the OWASP Top 10 Security Issues
Testing the OWASP Top 10 Security Issues Andy Tinkham & Zach Bergman, Magenic Technologies Contact Us 1600 Utica Avenue South, Suite 800 St. Louis Park, MN 55416 1 (877)-277-1044 info@magenic.com Who Are
More informationWeb Application Worms & Browser Insecurity
Web Application Worms & Browser Insecurity Mike Shema Welcome Background Hacking Exposed: Web Applications The Anti-Hacker Toolkit Hack Notes: Web Security Currently working at Qualys
More informationSENSITIVE AUSTRALIAN SPORTS COMMISSION ATHLETE MANAGEMENT SYSTEM (AMS) SMARTBASE SECURITY TEST PLAN. Final. Version 1.0
SENSITIVE AUSTRALIAN SPORTS COMMISSION ATHLETE MANAGEMENT SYSTEM (AMS) SMARTBASE SECURITY TEST PLAN Final Version 1.0 Preconditions This security testing plan is dependent on the following preconditions:
More informationFileCloud Security FAQ
is currently used by many large organizations including banks, health care organizations, educational institutions and government agencies. Thousands of organizations rely on File- Cloud for their file
More informationOWASP AND APPLICATION SECURITY
SECURING THE 3DEXPERIENCE PLATFORM OWASP AND APPLICATION SECURITY Milan Bruchter/Shutterstock.com WHITE PAPER EXECUTIVE SUMMARY As part of Dassault Systèmes efforts to counter threats of hacking, particularly
More informationA Practical Approach to Threat Modeling
A Practical Approach to Threat Modeling Tom Olzak March 2006 Today s security management efforts are based on risk management principles. In other words, security resources are applied to vulnerabilities
More information