Threat Model Express: Create quick, informal threat models (slide deck transcription)
- Anne Hardy
- 8 years ago
"Know your enemy and know yourself and you can fight a hundred battles without disaster." - Sun Tzu

Threat Model Express: Create quick, informal threat models
2012 Security Compass inc.

Class Objectives
- What is Threat Modeling Express
- How to facilitate a TME session
- Adding security into your backlog
- How to cope with lack of security knowledge and/or lack of time

Outline
- Introductions (10 minutes)
- Class scenarios (10 minutes)
- Understand our app (10 minutes)
- TME process discussion and workshop (90 minutes): Determine Goals & Scope; Gather Information; Enumerate Threats; Determine Risk; Determine Countermeasures
- Fitting Results into Agile Process (20 minutes)
- Questions / Parked Issues

Introductions

A Bit About Me
- Managed application security consulting at Security Compass
- Original developer of SANS Java EE training class
- OWASP project leader, media writing/appearances, etc.
- Canadian who suppresses Canadian-isms for benefit of American audience, eh?
- Currently VP of Product Development and Product Owner at SD Elements
- Loves agile development
- We build a user-focused app with all the real world constraints, but have a higher imperative for security than most

A Bit About You
- Name, company, role
- Why are you interested in security?

Ground Rules
1. Time-boxed
2. Ask questions, but park discussions outside time-box
3. Let other people speak
4. Please wait for breaks to use phones

Class Scenario
- Fake Company Inc.
- Does somebody have a real app we can model?

Threat Model Express
- What is Threat Modeling?
Traditional vs Threat Model Express
- Steps: Determine Goals & Scope; Gather Information; Enumerate Threats; Determine Risk; Determine Countermeasures
- In TME the steps are done during a facilitated meeting

Process step: Determine Goals & Scope

Goals
1. Incorporate security into application design
2. Guide source code and/or runtime security review

Fake Company Inc. - Goal: Incorporate security into application design

Threat Model Scope
- Custom Code
- 3rd Party Libraries
- Server Config
- Network Security
- Social Engineering
- Inbound & Outbound Interfaces
(slide footer date: 8/16/2012)

Fake Company Inc. - In scope: Code, Libraries, Interfaces
Process step: Gather Information

Information to Gather
- Application's purpose
- Use cases
- Architecture
- Data Risk
- Design
- Security features

Let's be realistic. Let's assume we didn't have time to gather information.

Fake Company Inc. - Diagram our App
Process step: Enumerate Threats

Meeting Setup
- Meeting Personnel: Architect / Developer; Security; Business / Product Owner
- Meeting Objects: Diagram; Risk Chart; Flipchart; Other Documentation
- The slide grades these as Mandatory, Mandatory, Important, Optional

Threats = Components + Attack + Risk

Determine Attacker Motivations
- Cause Harm to Human Safety
- Financial Gain
- Steal Personal Records
- Cause Financial Harm to Organization
- Gain Competitive Advantage
- Send Political Statement
- Attack Organizational Stakeholders
- Diminish Ability to Make Decisions
- Disrupt Operations

Fake Company Inc. - What motivates attackers for our app? What's the relative priority? (10 minutes)

For each use case, how can attackers achieve motivations? Don't focus on technology.

Fake Company Inc. - Walk through use cases vs. motivations (15 minutes)

Determine Threats - Educate Yourself First!
- Free training: computer-based-training/#!/get-free-owasp-course

Determine Threats - Fast Way

Determine Threats - Researched Way

Standalone System Threats
- System Resources (e.g. memory, files, processors, sockets): attacks on system resources
- Software: domain specific threats; authentication & authorization threats; information leakage threats
- Tech Stack: threats on tech stack (e.g. third party libraries)
- Other Subsystems: attacks on other subsystems; attacks from other subsystems

Networked System Threats (Your System <-> Network communication <-> Remote System)
- Threats on standalone system originating from remote system
- Threats targeted at remote system
- Protocol-specific threats: protocol implementation threats; protocol authentication threats; protocol sniffing/altering threats

Fake Company Inc. - Examples for our app, by category
- Attacks on system resources (System Resources: e.g. memory, files, processors, sockets)
- Domain specific threats (Software)
- Authentication & authorization threats (Software)
- Information leakage threats (Software)
- Threats on tech stack (e.g. third party libraries): XSS
- Attacks on other subsystems
- Attacks from other subsystems
- Threats on standalone system originating from remote system: Business Logic Attacks, e.g. parameter manipulation
Process step: Determine Risk

Impact Factors
- Regulatory compliance
- Financial cost
- Brand / reputational risk
- Number of users affected

Likelihood Factors
- Attack complexity
- Location of application in network
- Origin of attack in network
- Reproducibility

Risk chart: Impact (1 to 5) on the vertical axis against Likelihood (1 to 5) on the horizontal axis; highest risk at the top right, lowest risk at the bottom left.
- T1: SQL Injection
- T2: HTTP Response Splitting

Fake Company Inc. - Rank risk of our threats (30 minutes)
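One way to turn the factor lists above into a ranked backlog, as an added example that is not part of the Security Compass deck. It scores each impact and likelihood factor from 1 to 5, combines the axes, places the threats on the 5x5 chart and orders them; the combining rules (worst impact factor, mean likelihood factor), the T3 threat and all scores are assumptions made for the illustration.

```python
"""Risk ranking for the Determine Risk step, as an added example (not part of
the Security Compass deck). Each threat gets a 1..5 score for every impact and
likelihood factor the slides list, the two axes are combined, and the threats
are placed on the 5x5 risk chart and ordered for the backlog. The combining
rules and all scores are assumptions made for this illustration."""
from dataclasses import dataclass
from statistics import mean

IMPACT_FACTORS = ("regulatory_compliance", "financial_cost",
                  "brand_reputation", "users_affected")
# Likelihood factor scores express contribution to likelihood: a low-complexity
# attack or an internet-facing location scores high (assumed convention).
LIKELIHOOD_FACTORS = ("attack_complexity", "location_in_network",
                      "origin_of_attack", "reproducibility")


@dataclass
class Threat:
    tid: str
    name: str
    impact: dict       # factor name -> score 1..5
    likelihood: dict   # factor name -> score 1..5

    def __post_init__(self):
        for factors, scores in ((IMPACT_FACTORS, self.impact),
                                (LIKELIHOOD_FACTORS, self.likelihood)):
            missing = set(factors) - set(scores)
            if missing:
                raise ValueError(f"{self.tid}: missing factors {sorted(missing)}")
            bad = [f for f in factors if not 1 <= scores[f] <= 5]
            if bad:
                raise ValueError(f"{self.tid}: scores outside 1..5 for {bad}")

    def impact_score(self) -> int:
        # Assumed rule: one severe consequence (a regulatory breach, say) is
        # enough to make the threat high impact, so take the worst factor.
        return max(self.impact[f] for f in IMPACT_FACTORS)

    def likelihood_score(self) -> int:
        # Assumed rule: likelihood factors offset each other (a trivial attack
        # that can only come from the internal network), so average them.
        return round(mean(self.likelihood[f] for f in LIKELIHOOD_FACTORS))

    def risk(self) -> int:
        return self.impact_score() * self.likelihood_score()


def rank_threats(threats):
    """Backlog order: highest risk first; impact breaks ties."""
    return sorted(threats, key=lambda t: (t.risk(), t.impact_score()),
                  reverse=True)


def risk_chart(threats):
    """Render the slide's chart as text rows: impact 5 at the top, likelihood
    1 at the left, so the highest-risk cell is top right."""
    cells = {}
    for t in threats:
        cells.setdefault((t.impact_score(), t.likelihood_score()), []).append(t.tid)
    rows = []
    for impact in range(5, 0, -1):
        row = [",".join(cells.get((impact, lik), [])).ljust(6) for lik in range(1, 6)]
        rows.append(f"I{impact} | " + " ".join(row))
    rows.append("     " + " ".join(f"L{lik}".ljust(6) for lik in range(1, 6)))
    return rows


def sample_threats():
    """The two threats the slides plot plus one constructed threat (T3) that
    ties with T2 on risk, to show the impact tie-break. Scores are assumed."""
    return [
        Threat("T1", "SQL Injection",
               {"regulatory_compliance": 5, "financial_cost": 4,
                "brand_reputation": 4, "users_affected": 5},
               {"attack_complexity": 5, "location_in_network": 5,
                "origin_of_attack": 5, "reproducibility": 5}),
        Threat("T2", "HTTP Response Splitting",
               {"regulatory_compliance": 2, "financial_cost": 2,
                "brand_reputation": 3, "users_affected": 3},
               {"attack_complexity": 3, "location_in_network": 5,
                "origin_of_attack": 4, "reproducibility": 4}),
        Threat("T3", "Verbose stack traces shown to end users (constructed)",
               {"regulatory_compliance": 2, "financial_cost": 2,
                "brand_reputation": 4, "users_affected": 3},
               {"attack_complexity": 3, "location_in_network": 3,
                "origin_of_attack": 3, "reproducibility": 3}),
    ]


if __name__ == "__main__":
    ranked = rank_threats(sample_threats())
    for t in ranked:
        print(f"{t.tid} {t.name}: impact {t.impact_score()}, "
              f"likelihood {t.likelihood_score()}, risk {t.risk()}")
    print("\n".join(risk_chart(ranked)))
```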
Process step: Determine Countermeasures
- T1: SQL Injection -> Prepared Statements OR Stored Procedures
- T2: HTTP Response Splitting -> Whitelist validate data in HTTP responses
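The two countermeasures on the slide in working form, as an added example that is not code from the Security Compass deck: a concatenated query beside its prepared-statement replacement for T1, and whitelist validation of a value placed in a response header for T2. The users table, the inputs and the allowed-path pattern are constructed for the demo; it needs only the Python standard library.

```python
"""Countermeasures for the two threats the slides rank, as an added example
(not code from the Security Compass deck): T1 SQL Injection -> prepared
statements, T2 HTTP Response Splitting -> whitelist validation of data placed
in HTTP responses. Standard library only; the table, rows, inputs and the
allowed-path pattern are constructed for the demo."""
import re
import sqlite3


def make_db():
    """In-memory database with a constructed users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    con.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                    [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return con


def find_user_vulnerable(con, username):
    """T1 as the threat model describes it: the value is pasted into the SQL
    text, so whoever controls `username` also controls the query structure."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return con.execute(sql).fetchall()


def find_user_prepared(con, username):
    """Slide countermeasure for T1: a prepared statement. The value is bound as
    a parameter and is only ever compared, never parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return con.execute(sql, (username,)).fetchall()


# Slide countermeasure for T2: whitelist validation. Instead of stripping CR/LF
# (a blacklist), accept only values that look like what the field must hold.
# Assumed field: a redirect target that has to be a site-relative path.
SAFE_PATH = re.compile(r"/[A-Za-z0-9/_.-]*")


class UnsafeHeaderValue(ValueError):
    """Raised when user data does not match the whitelist for its header."""


def is_safe_location(value):
    return isinstance(value, str) and SAFE_PATH.fullmatch(value) is not None


def build_redirect(value):
    """Build a 302 response whose Location header carries user-supplied data.
    A value containing CR/LF (which would end the header and let the rest of
    the value be read as further headers) never matches the whitelist."""
    if not is_safe_location(value):
        raise UnsafeHeaderValue(f"rejected redirect target: {value!r}")
    return f"HTTP/1.1 302 Found\r\nLocation: {value}\r\n\r\n".encode("ascii")


def demo():
    """Run both threats against their countermeasures and return the outcomes."""
    con = make_db()
    tautology = "' OR '1'='1"                         # constructed T1 input
    split = "/home\r\nSet-Cookie: session=injected"    # constructed T2 input
    try:
        build_redirect(split)
        split_blocked = False
    except UnsafeHeaderValue:
        split_blocked = True
    return {
        "vulnerable_rows": len(find_user_vulnerable(con, tautology)),  # every user
        "prepared_rows": len(find_user_prepared(con, tautology)),      # no such user
        "prepared_exact": find_user_prepared(con, "alice"),
        "split_blocked": split_blocked,
        "redirect_ok": build_redirect("/account/home"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```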
Fake Company Inc. - Countermeasures for 10 threats (15 minutes)

Recap: Determine Goals & Scope; Gather Information; Enumerate Threats; Determine Risk; Determine Countermeasures - during facilitated meeting

Fitting Results into Agile Process
- Just add prioritized list to backlog and we're done!
- Not So Fast.

Sometimes It's Easy
- "As a security guru, I want [control] so that my app is not vulnerable to [threat]"

What about SQL injection? Example of a Constraint

Look at non-security Stories
- "As a conceited person, I want a dashboard of my awesomeness so that I can brag to everyone else"

Define Triggers for Constraints

Add Constraints
- "As a conceited person, I want a dashboard of my awesomeness so that I can brag to everyone else."
- Acceptance Criteria: Escape output; Parameterize queries; Check authorization

Bonus: Scales to other Non-Functional Requirements

Fake Company Inc. - Categorize our threats: Stories or constraints? (10 minutes)

Summary
- TME process: Determine Goals & Scope; Gather Information; Enumerate Threats; Determine Risk; Determine Countermeasures
- Add security as stories to backlog or as constraints

Questions? Parked Issues?
More informationPenetration Testing: Lessons from the Field
Penetration Testing: Lessons from the Field CORE SECURITY TECHNOLOGIES SCS SERVICES May 2009 1 Agenda: About me: Alberto Soliño Director of Security Consulting Services at Core Security One of first five
More informationPenetration Testing: Advanced Oracle Exploitation Page 1
Penetration Testing: Advanced Oracle Exploitation Page 1 Course Index:: Day 1 Oracle RDBMS and the Oracle Network Architecture... 3» Introduction and Oracle Review...3» Service Information Enumeration:...3»
More informationShankar Gawade VP IT INFRASTRUCTURE ENAM SECURITIES PVT. LTD.
Business Continuity Management & Disaster Recovery Planning Presented by: Shankar Gawade VP IT INFRASTRUCTURE ENAM SECURITIES PVT. LTD. 1 What is Business Continuity Management? Is a holistic management
More informationAdvanced Endpoint Protection Overview
Advanced Endpoint Protection Overview Advanced Endpoint Protection is a solution that prevents Advanced Persistent Threats (APTs) and Zero-Day attacks and enables protection of your endpoints by blocking
More informationSecuring Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group
Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability
More informationAuditing the Security of an SAP HANA Implementation
Produced by Wellesley Information Services, LLC, publisher of SAPinsider. 2015 Wellesley Information Services. All rights reserved. Auditing the Security of an SAP HANA Implementation Juan Perez-Etchegoyen
More informationReducing Application Vulnerabilities by Security Engineering
Reducing Application Vulnerabilities by Security Engineering - Subash Newton Manager Projects (Non Functional Testing, PT CoE Group) 2008, Cognizant Technology Solutions. All Rights Reserved. The information
More informationSECURITY EDUCATION CATALOGUE
SECURITY EDUCATION CATALOGUE i ii TABLE OF CONTENTS Introduction 2 Security Awareness Education 3 Security Awareness Course Catalogue 4 Security Awareness Course Builder 7 SAE Print Material 8 Secure Code
More informationCenzic Product Guide. Cloud, Mobile and Web Application Security
Cloud, Mobile and Web Application Security Table of Contents Cenzic Enterprise...3 Cenzic Desktop...3 Cenzic Managed Cloud...3 Cenzic Cloud...3 Cenzic Hybrid...3 Cenzic Mobile...4 Technology...4 Continuous
More informationMobile Application Security Sharing Session May 2013
Mobile Application Security Sharing Session Agenda Introduction of speakers Mobile Application Security Trends and Challenges 5 Key Focus Areas for an mobile application assessment 2 Introduction of speakers
More informationDisaster Recovery Plan The Business Imperatives
Disaster Recovery Plan The Business Imperatives Table of Contents Disaster Recovery Plan The Business Imperatives... 3 Introduction... 3 A Disaster Recovery Program The Need of the Hour... 3 Approach to
More informationBUILDING AN OFFENSIVE SECURITY PROGRAM BUILDING AN OFFENSIVE SECURITY PROGRAM
BUILDING AN OFFENSIVE SECURITY PROGRAM Common Gaps in Security Programs Outsourcing highly skilled security resources can be cost prohibitive. Annual assessments don t provide the coverage necessary. Software
More informationRanch Networks for Hosted Data Centers
Ranch Networks for Hosted Data Centers Internet Zone RN20 Server Farm DNS Zone DNS Server Farm FTP Zone FTP Server Farm Customer 1 Customer 2 L2 Switch Customer 3 Customer 4 Customer 5 Customer 6 Ranch
More informationNetwork Security Audit. Vulnerability Assessment (VA)
Network Security Audit Vulnerability Assessment (VA) Introduction Vulnerability Assessment is the systematic examination of an information system (IS) or product to determine the adequacy of security measures.
More information