Web Application Security Assessment and Vulnerability Mitigation Tests
White paper: BMC Remedy Action Request System. Web Application Security Assessment and Vulnerability Mitigation Tests, January
Copyright 2010 BMC Software, Inc. BMC, BMC Software, and the BMC Software logo are the exclusive properties of BMC Software, Inc., are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other BMC trademarks, service marks, and logos may be registered or pending registration in the U.S. or in other countries. All other trademarks or registered trademarks are the property of their respective owners. AppScan, IBM, and Rational are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. Oracle and Java are registered trademarks of Oracle and/or its affiliates.
Contents
- System architecture
- AppScan test results
- OWASP Top Ten: AR System protections
- General guidelines
  - Encryption
  - Secure Sockets Layer
  - Secure Tomcat installation
  - Session management
  - HTTP TRACE disabled
  - XSS filter enhanced
  - Data Visualization module plugins
  - Mid tier Return Back parameter
  - Mid tier and portlet containers
This paper describes the IBM Rational AppScan automated web application security assessment process that BMC applies to the BMC Remedy Action Request (AR) System. It also lists the protections that BMC provides to mitigate the vulnerabilities in the Open Web Application Security Project (OWASP) Top Ten list.

Note: The IT environment and network infrastructure in which your AR System runs must be properly secured and must include standard network security tools and systems such as firewalls and intrusion detection systems (IDS).

The following AR System security-related documents are available on the Customer Support website:
- BMC Remedy AR System Encryption Security Guide
- BMC Remedy AR System Installation Guide, "Mid-tier post-installation procedures" section
- BMC Remedy AR System white paper "Configuring Your Web Server and Installing BMC Remedy Mid Tier with a .war File"
System architecture
The AR System architecture is multi-tiered; it consists of a Presentation layer, a Logic layer, and a Data layer, as shown in Figure 1.

Figure 1. AR System security architecture diagram

Presentation layer
The Presentation layer consists of the web browser client connected to the mid tier over a Secure Sockets Layer (SSL) encrypted connection. You must implement SSL to secure the connection between the browser and the web server. BMC supports any SSL version that is supported by the HTTP web server vendors listed in the BMC Remedy AR System Compatibility Matrix, which is available on the Support website. In practice this means TLS: SSL 2.0 and SSL 3.0 are deprecated (RFC 6176 and RFC 7568) and should be disabled on the web server.
Logic layer
The Logic layer includes instances of a mid tier, a JavaServer Pages (JSP) engine, a web server, and the AR System server. The JSP engine and its accompanying servlets generate HTML and XML documents dynamically in response to web client requests. The mid tier installer includes, and can automatically install, a bundled version of the Tomcat web server. The mid tier translates client requests, interprets responses from the AR System server, handles web service requests, and runs the server-side processes that present AR System functionality from the AR System server to the client. The AR System server executes the workflow and business logic that define all AR System applications. Because all AR System clients are API-based, turning on API encryption ensures that all interactions with the server are encrypted.

Data layer
The Data layer consists of one or more databases, which perform data storage and retrieval. The AR System server connects to the Data layer through database client API libraries, and it can work with the database vendor's encryption libraries to protect data transmitted between the server and the database.
AppScan test results
BMC uses IBM Rational AppScan, a web application (Web 2.0) security assessment tool, as an integrated part of the software development life cycle (SDLC). By performing a wide range of early-detection testing, BMC identifies and fixes or mitigates vulnerabilities before they become security risks. AppScan provides issue severity levels and detailed descriptions, as well as advisories and recommended fixes, for potential security risks in AR System components. BMC uses this data to investigate and proactively resolve security issues. Figure 2 shows a sample AppScan results page.

Figure 2. Sample AppScan test result window
Table 1 lists the AppScan version 7.8 test results. No high-severity vulnerabilities were detected in the tested AR System mid tier version (patch 7).

Table 1. AppScan test results

AR System servlets tested: AdminServlet, ApplicationServlet, AttachServlet, BackChannelServlet, FBImageServlet, Flashboard_params, FormsServlet, HomeServlet, Imagepool, ImageServlet, LicenseReleaseServlet, LoginServlet, LogoutServlet, Plugineventester, ProtectedWSDLServlet, ReportServlet, Report_params, ResourceServlet, ViewFormServlet.

Test results (every finding that AppScan reported against these servlets was a false positive, for one of the following reasons):
- The servlet is implemented in the web service module; users must provide a user name and password when the service is requested.
- An error page notifies users that the session is not valid.
- The embedded script is not executed; it is reported as an error. In addition, an error is logged and appears in the status bar. Access is not allowed.
- An error is logged and appears in the status bar. Access is not allowed.
- The mid tier responds with an error page.
- When URL parameters are sent, BMC advises users to deploy HTTP over SSL.
- The embedded script is not executed; it is reported as an error. When URL parameters are sent, BMC advises users to deploy HTTP over SSL.

OWASP Top Ten: AR System protections
Using AppScan, BMC specifically tests for the vulnerabilities identified in the Open Web Application Security Project (OWASP) Top Ten list. Table 2 lists the security risks identified by OWASP and the corresponding AR System protections.

Table 2. AR System protections against the OWASP Top Ten

Injection
OWASP description: Attackers trick a process into calling external processes of their choice by injecting control-plane data into the data plane. Command injection has two forms: an attacker changes the command that the program executes, explicitly redefining the command; or an attacker changes the environment in which the command executes, implicitly redefining the command.
AR System protections: To prevent command injection, AR System disables server-side scripting. To prevent JavaScript and SQL injection, AR System encloses all dates in quotes and escapes all quotes, filters escape characters, strongly types user-supplied fields, and checks type constraints. To prevent blind SQL injection, AR System filters escape characters, secures variables with strong types and validation, and sets database privileges to the least required.
Cross-Site Scripting (XSS)
OWASP description: Attackers can make a single request to a vulnerable server that causes the server to create two responses. The second response might be misinterpreted as a response to a different request, possibly one made by another user sharing the same TCP connection with the server. (The description given here is that of HTTP response splitting, an injection that can be used to place attacker-controlled script in a response.)
AR System protections: All user-supplied HTML special characters are encoded into character entities, which prevents them from being interpreted as HTML.

Broken Authentication and Session Management
OWASP description: Attackers can bypass authentication mechanisms if credentials do not accompany every request.
AR System protections: All requests contain credentials. The mid tier does not use cookies; it uses a cache ID in the URL and controls the user role (such as the Admin role). AR System uses web server session management to store AR System authentication in the HTTPS session. Note that any identifier carried in the URL is recorded in browser history, proxy and web server logs, and Referer headers, so it must be short-lived and must not stand in for the server-side session.

Insecure Direct Object References
OWASP description: Attackers force the return of sensitive information instead of the non-sensitive information that would normally be returned.
AR System protections: All object references are subject to permissions enforced by the AR System server.

Cross-Site Request Forgery (CSRF)
OWASP description: Using this technique, attackers make victims perform actions that they did not intend, such as logging out, purchasing items, or other functions provided by the vulnerable website. The victim's browser is tricked into issuing a command to a vulnerable web application. The vulnerability is caused by browsers automatically including user authentication data, such as a session ID, IP address, or Microsoft Windows domain credentials, with each request.
AR System protections: AR System disables web server scripting in the mid tier. In addition, logic that runs processes on the AR System server is restricted by the AR System permissions model, and the processes that may be run are restricted to specific directories on the server.

Security Misconfiguration
OWASP description: This attack involves exploiting insecure configurations.
AR System protections: AR System configuration guidelines ensure secure operation. For example, AR System restricts user access to the directories required for user operations, and AR System validates all user input.
Insecure Cryptographic Storage
OWASP description: The most common flaw in this area is simply not encrypting data that deserves encryption. When encryption is employed, unsafe key generation, non-rotating keys, and weak algorithm usage are common. The use of weak or unsalted hashes to protect passwords is also common. External attackers have difficulty detecting such flaws due to limited access.
AR System protections: All sensitive data is encrypted within AR System. All communication between the web browser and the web server can be encrypted using HTTPS, and all communication between the web server and the AR System server can be encrypted using API encryption.

Failure to Restrict URL Access
OWASP description: Attackers may access pages beyond the login page without authorization.
AR System protections: All access to AR System pages requires authorization from the AR System server.

Insufficient Transport Layer Protection
OWASP description: Attackers may intercept unprotected network traffic if SSL or TLS is used only during authentication.
AR System protections: AR System uses transport layer security and digital signatures to perform end-to-end validation after a connection is made to an endpoint. FIPS-compliant Performance and Premium Encryption add-on components are provided for additional cryptographic protection among AR System components.

Unvalidated Redirects and Forwards
OWASP description: Applications frequently redirect users to other pages, or use internal forwards in a similar manner. Sometimes the target page is specified in an unvalidated parameter, allowing attackers to choose the destination page.
AR System protections: All AR System parameters are validated and authenticated against user credentials.
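As an added example (not BMC's code; the mid tier's own encoder is not shown in this paper), the following Python reproduces the XSS protection described in Table 2, entity-encoding every HTML special character, and contrasts it with an encoder that handles only angle brackets. The field template and the two payloads are constructed for the demo; the second payload shows why encoding only < and > is not enough when a value lands inside a quoted attribute.

```python
# The five characters that must be entity-encoded whenever user input is
# written into an HTML document; each one can change the parse in some context.
# This table is what the standard library's html.escape(value, quote=True)
# applies as well.
HTML_SPECIAL = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}

# Constructed payloads: one opens a new tag, the other breaks out of a quoted
# attribute value without using < or > at all.
TAG_PAYLOAD = "<script>alert(1)</script>"
ATTR_PAYLOAD = '" onfocus="alert(1)'


def naive_encode(value):
    """Incomplete encoder that only neutralises angle brackets (a common mistake)."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def encode_for_html(value):
    """Encode every HTML special character as a character entity, which is the
    behaviour Table 2 attributes to the mid tier."""
    return "".join(HTML_SPECIAL.get(ch, ch) for ch in value)


def render_field(label, value, encoder=encode_for_html):
    """Render a form field the way a server-side template would: the value is
    written both as text content and inside a double-quoted attribute."""
    return ('<label>%s</label><input type="text" value="%s">'
            % (encoder(label), encoder(value)))


def has_active_markup(fragment):
    """True if one of the constructed payloads survived encoding: a <script
    tag was opened, or the quoted attribute was closed early so that onfocus
    became a real attribute."""
    return "<script" in fragment or '" onfocus=' in fragment


if __name__ == "__main__":
    for name, enc in (("naive", naive_encode), ("full", encode_for_html)):
        for payload in (TAG_PAYLOAD, ATTR_PAYLOAD):
            out = render_field("Short description", payload, enc)
            print("%-5s %-28r active=%s" % (name, payload, has_active_markup(out)))
```

The naive encoder stops the tag payload but lets the attribute payload through; the full encoder neutralises both, because the quote characters are encoded as well.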
General guidelines
This section describes general security guidelines to consider when using AR System.

Encryption
AR System provides the BMC Remedy Encryption Performance Security and BMC Remedy Encryption Premium Security components, which you can install to protect communication among AR System components.

Performance Security includes a Federal Information Processing Standard (FIPS) encryption option. When this option is enabled, network traffic is encrypted using AES in CBC mode with a 128-bit key for data encryption and a 1024-bit modulus for the RSA key exchange; SHA-1 is used for message authentication. This option supports the minimum FIPS encryption requirements.

Premium Security includes a premium FIPS encryption option. When this option is enabled, network traffic is encrypted using AES in CBC mode with a 256-bit key for data encryption and a 2048-bit modulus for the RSA key exchange; SHA-1 is used for message authentication. This option supports the premium FIPS encryption requirements.

Note that NIST SP 800-131A disallows RSA moduli shorter than 2048 bits (since the end of 2013), so the Performance option's 1024-bit key exchange no longer meets current guidance; where the strength of the key exchange matters, use the Premium option.

Secure Sockets Layer
Use Secure Sockets Layer (SSL) to encrypt the traffic between the HTTP web server and the browser client. Configuring the environment for SSL support is beyond the scope of the guidance that BMC provides. Enabling SSL adds encryption and decryption overhead, which can affect performance.

Secure Tomcat installation
Because the Tomcat JSP engine is bundled with the mid tier, the AR System installation script performs the following clean-up tasks so that known Tomcat exposures are removed:
- Removes the contents of the root directory (ROOT) from Tomcat_installation_directory/webapps.
- Adds an index.html file to the root directory. This file appears if the administrator opens the Tomcat root URL in a browser while Tomcat is running properly.
- Removes the tomcat-docs directory from Tomcat_installation_directory/webapps.
- Removes the host-manager and manager default web applications from Tomcat_installation_directory/webapps/server/webapps.
- Removes the deployment descriptors for the host-manager and manager applications (host-manager.xml and manager.xml) from Tomcat_installation_directory/conf/Catalina/localhost.
- Removes all unused ports from service (in particular, port 8080) by stripping the default server.xml configuration file in the Tomcat installation directory so that the installation supports the mid tier only.

These tasks make the Tomcat installation more secure, but because every extraneous service is removed it can be difficult to tell whether the mid tier or the Tomcat engine failed to install properly. The index.html page that displays when Tomcat is running is installed to ease this. If the mid tier fails to run after installation, complete the following steps to determine whether the problem is in the Tomcat installation or in the mid tier installation:
1. Stop Tomcat.
2. Open the Tomcat_installation_directory/conf/server.xml file and uncomment the Connector entry for the port that the installer removed from service.
3. Restart Tomcat.
4. In a browser on the same computer as the Tomcat installation, open the Tomcat root URL. If the Tomcat engine is running properly, the message "Tomcat is running" is displayed in the browser.

Session management
If a session between the web browser and the mid tier is idle for 90 minutes, or if the user closes the browser, the AR System license is released. You can configure the idle-time parameters in the Mid Tier Configuration tool.

HTTP TRACE disabled
HTTP TRACE is enabled by default in many web servers and is used mainly for debugging: the client sends an HTTP TRACE request, and the server echoes the request back, including all header information and any cookies. To prevent cross-site tracing (XST) attacks, which combine XSS with the HTTP TRACE function to read those headers, HTTP TRACE is disabled by default in the mid tier. To disable HTTP TRACE completely, you must also disable it on the application server hosting the mid tier. For information about how to enable the TRACE function, see "HTTP tracing in the mid tier" in the BMC Remedy Mid Tier Guide.
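As an added example (not part of the BMC installer or this paper), the following Python audits a Tomcat installation directory for the state that the Secure Tomcat installation tasks above leave behind: default web applications and manager descriptors removed, the root directory reduced to index.html, and only the intended Connector ports active in server.xml. It also flags a Connector carrying allowTrace="true", Tomcat's own switch for the HTTP TRACE method discussed under HTTP TRACE disabled. The sample installation it builds in a temporary directory is constructed for the demo; the webapp names checked are Tomcat's defaults, and the list of ports allowed to stay active is an assumption passed in by the caller.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Default Tomcat web applications the installer removes. The paper names
# webapps/ for tomcat-docs and webapps/server/webapps for manager and
# host-manager; checking both locations covers either Tomcat layout.
REMOVED_WEBAPPS = ("tomcat-docs", "docs", "manager", "host-manager", "examples")
WEBAPP_DIRS = ("webapps", os.path.join("webapps", "server", "webapps"))
# Deployment descriptors removed from conf/Catalina/localhost/.
REMOVED_DESCRIPTORS = ("manager.xml", "host-manager.xml")


def audit_tomcat(catalina_home, allowed_ports=("8443",)):
    """Return a list of findings; an empty list means the layout matches the
    hardened state. allowed_ports (an assumption) lists the Connector ports
    that should still be active; every other Connector should be commented out."""
    findings = []
    for sub in WEBAPP_DIRS:
        for name in REMOVED_WEBAPPS:
            if os.path.isdir(os.path.join(catalina_home, sub, name)):
                findings.append("default webapp still deployed: %s/%s" % (sub, name))
    root = os.path.join(catalina_home, "webapps", "ROOT")
    if os.path.isdir(root):
        extra = sorted(set(os.listdir(root)) - {"index.html"})
        if extra:
            findings.append("ROOT still contains default content: %s" % extra)
    localhost = os.path.join(catalina_home, "conf", "Catalina", "localhost")
    for name in REMOVED_DESCRIPTORS:
        if os.path.isfile(os.path.join(localhost, name)):
            findings.append("descriptor still present: conf/Catalina/localhost/%s" % name)
    # ElementTree discards XML comments, so a Connector the installer commented
    # out never shows up here, which is exactly the "removed from service" state.
    tree = ET.parse(os.path.join(catalina_home, "conf", "server.xml"))
    for conn in tree.getroot().iter("Connector"):
        port = conn.get("port")
        if port not in allowed_ports:
            findings.append("unexpected active Connector on port %s" % port)
        if conn.get("allowTrace", "false").lower() == "true":
            findings.append("Connector on port %s has allowTrace=true" % port)
    return findings


# Constructed server.xml in the out-of-the-box state (HTTP on 8080 with TRACE
# allowed, HTTPS on 8443) and in the hardened state (8080 commented out).
UNHARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" allowTrace="true"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""
HARDENED_SERVER_XML = UNHARDENED_SERVER_XML.replace(
    '<Connector port="8080" protocol="HTTP/1.1" allowTrace="true"/>',
    '<!-- Connector on port 8080 removed from service by the installer -->')


def build_sample(hardened):
    """Create a throwaway CATALINA_HOME (constructed for the demo) in either
    the out-of-the-box or the post-installer state."""
    home = tempfile.mkdtemp(prefix="tomcat-")
    os.makedirs(os.path.join(home, "webapps", "ROOT"))
    os.makedirs(os.path.join(home, "conf", "Catalina", "localhost"))
    with open(os.path.join(home, "webapps", "ROOT", "index.html"), "w") as f:
        f.write("Tomcat is running\n")
    with open(os.path.join(home, "conf", "server.xml"), "w") as f:
        f.write(HARDENED_SERVER_XML if hardened else UNHARDENED_SERVER_XML)
    if not hardened:
        for name in ("tomcat-docs", "manager", "host-manager"):
            os.makedirs(os.path.join(home, "webapps", name))
        with open(os.path.join(home, "webapps", "ROOT", "index.jsp"), "w") as f:
            f.write("<%-- default Tomcat welcome page --%>\n")
        for name in REMOVED_DESCRIPTORS:
            open(os.path.join(home, "conf", "Catalina", "localhost", name), "w").close()
    return home


if __name__ == "__main__":
    for state in (False, True):
        print("hardened=%s" % state)
        for finding in audit_tomcat(build_sample(state)) or ["no findings"]:
            print("  " + finding)
```

Run it against a real installation by calling audit_tomcat with the Tomcat installation directory and the ports you expect to stay open; a non-empty list is the checklist of items the installer's clean-up did not leave in place.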
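Also added here (demo code, not from the mid tier or this paper) is a local reproduction of the TRACE exchange just described. A small server that still honours TRACE echoes the request back, cookie included, while one with no TRACE handler answers 501; running the same probe against both shows what a cross-site tracing check looks for. The two servers, the ephemeral port and the cookie value are constructed for the demo.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class TraceEnabledHandler(BaseHTTPRequestHandler):
    """Server that still honours TRACE: by definition it echoes the request
    line and every request header back in a message/http body."""

    def do_TRACE(self):
        body = ("%s %s %s\r\n%s" % (self.command, self.path,
                                    self.request_version, self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


class TraceDisabledHandler(BaseHTTPRequestHandler):
    """Hardened server: no do_TRACE method, so BaseHTTPRequestHandler replies
    501 Unsupported method without echoing anything."""

    def log_message(self, *args):
        pass


def start_server(handler):
    """Serve `handler` on an ephemeral 127.0.0.1 port in a daemon thread and
    return (server, port); call server.shutdown() when done."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe_trace(port, cookie="JSESSIONID=constructed-session-id"):
    """Send TRACE carrying a cookie and return (status, cookie_reflected).
    A 2xx whose body contains the cookie is the precondition for cross-site
    tracing: script that cannot read the cookie directly reads it from here."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("TRACE", "/", headers={"Cookie": cookie})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", errors="replace")
    conn.close()
    return resp.status, (200 <= resp.status < 300 and cookie in body)


if __name__ == "__main__":
    for label, handler in (("TRACE enabled", TraceEnabledHandler),
                           ("TRACE disabled", TraceDisabledHandler)):
        server, port = start_server(handler)
        status, reflected = probe_trace(port)
        server.shutdown()
        server.server_close()
        print("%-14s status=%d cookie reflected=%s" % (label, status, reflected))
```

Pointed at a real host, probe_trace is the check to run after disabling TRACE both in the mid tier and on the application server: anything other than a 405 or 501 with no echoed headers means the second half of that advice has not been applied.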
XSS filter enhanced
By default, the mid tier includes an XSS filter that is updated frequently with additional characters.

Data Visualization module plugins
By default, the security check is disabled for data passed through the mid tier by the Data Visualization module plugins. To enable the mid tier security check for the plugins, add the following option to the config.properties file:
arsystem.plugin_securitycheck=true

Mid tier Return Back parameter
The default value of the Return Back parameter is false. You must change the value to true to prevent the mid tier from accepting a URL that a user submits with a Return Back parameter. To change the value, add the following setting to the config.properties file and restart the mid tier:
arsystem.allow.returnback.url=true
If the default is not changed, the Return Back handling could let a user alter the base return URL when it is sent back to the browser from the web server, which leaves the system open to phishing through an open redirect. Because the setting name reads as an allow switch while the text above describes true as the restrictive value, confirm the effective behavior for your mid tier version in the BMC Remedy Mid Tier Guide before relying on it.

Mid tier and portlet containers
To prevent frame phishing (framing attacks) against the mid tier, the mid tier verifies that it is not placed inside a portlet container or displayed in a third-party frame or iframe. If a portlet container, third-party frame, or iframe is detected, the mid tier disconnects from the containing object and displays its content in a single window.
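As an added example of the validation a redirect parameter such as Return Back needs (demo code, not the mid tier's implementation, which this paper does not show), the following Python accepts a return URL only when it is a path inside the application and rejects the usual open-redirect tricks: absolute URLs, protocol-relative //host forms, backslash variants, javascript: and data: schemes, double-encoded values, and dot segments that climb out of the application path. The parameter handling, the application path /arsys/ and the default landing page are assumptions.

```python
from urllib.parse import unquote, urljoin, urlsplit

# Application root under which a return URL must stay (assumption: the mid
# tier's usual context path) and the page to fall back to when validation fails.
APP_PATH = "/arsys/"
DEFAULT_TARGET = "/arsys/home"


def is_safe_return_url(candidate, app_path=APP_PATH):
    """True only for an absolute path inside app_path on this origin.
    Everything that could send the browser elsewhere is rejected."""
    if not candidate:
        return False
    # Decode once more in case the value was double-encoded to slip past a
    # container that already decoded it, drop the control characters browsers
    # ignore inside URLs, and treat backslashes as slashes the way browsers do.
    raw = unquote(candidate)
    raw = raw.translate({ord(c): None for c in "\t\r\n"}).strip()
    raw = raw.replace("\\", "/")
    parts = urlsplit(raw)
    if parts.scheme or parts.netloc:
        return False  # https://evil, //evil, javascript:, data:, mailto: ...
    if not raw.startswith("/"):
        return False  # relative to the current page, so it depends on context
    # Resolve ../ segments against a placeholder origin and require the result
    # to remain inside the application path.
    origin = "https://placeholder.invalid"
    resolved = urljoin(origin + app_path, raw)
    return resolved.startswith(origin + app_path)


def safe_redirect_target(candidate, default=DEFAULT_TARGET):
    """Return candidate if it passes validation, otherwise the fixed default,
    so the application never redirects to an attacker-chosen location."""
    return candidate if is_safe_return_url(candidate) else default


if __name__ == "__main__":
    # Constructed samples: one legitimate target followed by common bypasses.
    for sample in ("/arsys/forms/srv/HPD:Help%20Desk", "https://evil.example/",
                   "//evil.example/", "/\\evil.example/", "javascript:alert(1)",
                   "/arsys/../admin", "/%2e%2e/admin", "arsys/home", ""):
        print("%-36r -> %s" % (sample, safe_redirect_target(sample)))
```

The check deliberately refuses anything with a scheme or host rather than trying to compare hostnames against an allow list; a return parameter only ever needs to name a page inside the application, so the allow list is the application path itself.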
Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that
More informationProtecting Your Organisation from Targeted Cyber Intrusion
Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology
More informationWeb Application Report
Web Application Report This report includes important security information about your Web Application. Security Report This report was created by IBM Rational AppScan 8.5.0.1 11/14/2012 8:52:13 AM 11/14/2012
More informationWeb applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh
Web applications Web security: web basics Myrto Arapinis School of Informatics University of Edinburgh HTTP March 19, 2015 Client Server Database (HTML, JavaScript) (PHP) (SQL) 1 / 24 2 / 24 URLs HTTP
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationWHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6
WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL Ensuring Compliance for PCI DSS 6.5 and 6.6 CONTENTS 04 04 06 08 11 12 13 Overview Payment Card Industry Data Security Standard PCI Compliance for Web Applications
More informationHack Proof Your Webapps
Hack Proof Your Webapps About ERM About the speaker Web Application Security Expert Enterprise Risk Management, Inc. Background Web Development and System Administration Florida International University
More informationUsing Free Tools To Test Web Application Security
Using Free Tools To Test Web Application Security Speaker Biography Matt Neely, CISSP, CTGA, GCIH, and GCWN Manager of the Profiling Team at SecureState Areas of expertise: wireless, penetration testing,
More informationWeb Application Vulnerability Testing with Nessus
The OWASP Foundation http://www.owasp.org Web Application Vulnerability Testing with Nessus Rïk A. Jones, CISSP rikjones@computer.org Rïk A. Jones Web developer since 1995 (16+ years) Involved with information
More informationCrashPlan Security SECURITY CONTEXT TECHNOLOGY
TECHNICAL SPECIFICATIONS CrashPlan Security CrashPlan is a continuous, multi-destination solution engineered to back up mission-critical data whenever and wherever it is created. Because mobile laptops
More informationOWASP AND APPLICATION SECURITY
SECURING THE 3DEXPERIENCE PLATFORM OWASP AND APPLICATION SECURITY Milan Bruchter/Shutterstock.com WHITE PAPER EXECUTIVE SUMMARY As part of Dassault Systèmes efforts to counter threats of hacking, particularly
More informationWHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6
WHITE PAPER FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6 Ensuring compliance for PCI DSS 6.5 and 6.6 Page 2 Overview Web applications and the elements surrounding them
More informationCA Performance Center
CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is
More informationCONTROL-M/Enterprise Manager API Developer Guide
CONTROL-M/Enterprise Manager API Developer Guide Supporting CONTROL-M/Enterprise Manager version 6.4.01 September 2008 www.bmc.com Contacting BMC Software You can access the BMC Software website at http://www.bmc.com.
More informationBMC Remedy IT Service Management 7.5.00 Concepts Guide
BMC Remedy IT Service Management 7.5.00 Concepts Guide February 2009 www.bmc.com Contacting BMC Software You can access the BMC Software website at http://www.bmc.com. From this website, you can obtain
More informationTesting the OWASP Top 10 Security Issues
Testing the OWASP Top 10 Security Issues Andy Tinkham & Zach Bergman, Magenic Technologies Contact Us 1600 Utica Avenue South, Suite 800 St. Louis Park, MN 55416 1 (877)-277-1044 info@magenic.com Who Are
More informationWeb Application Guidelines
Web Application Guidelines Web applications have become one of the most important topics in the security field. This is for several reasons: It can be simple for anyone to create working code without security
More informationFINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE
Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security
More informationEssential IT Security Testing
Essential IT Security Testing Application Security Testing for System Testers By Andrew Muller Director of Ionize Who is this guy? IT Security consultant to the stars Member of OWASP Member of IT-012-04
More informationHow To Secure An Rsa Authentication Agent
RSA Authentication Agents Security Best Practices Guide Version 3 Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com. Trademarks RSA,
More informationArchitectural Design Patterns. Design and Use Cases for OWASP. Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A. http://www.owasp.
Architectural Design Patterns for SSO (Single Sign On) Design and Use Cases for Financial i Web Applications Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A. OWASP Copyright The OWASP Foundation Permission
More informationCisco is a registered trademark or trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Legal Notices Copyright 1999, 2009 BMC Software, Inc. Copyright 1996-2014 Numara Software, Inc. BMC, BMC Software, and the BMC Software logo are the exclusive properties of BMC Software, Inc., are registered
More informationJVA-122. Secure Java Web Development
JVA-122. Secure Java Web Development Version 7.0 This comprehensive course shows experienced developers of Java EE applications how to secure those applications and to apply best practices with regard
More informationApplication Security Policy
Purpose This document establishes the corporate policy and standards for ensuring that applications developed or purchased at LandStar Title Agency, Inc meet a minimum acceptable level of security. Policy
More informationCA SiteMinder. Agent for IIS Installation Guide. r12.0 SP3
CA SiteMinder Agent for IIS Installation Guide r12.0 SP3 This documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation
More informationBlackShield ID Agent for Terminal Services Web and Remote Desktop Web
Agent for Terminal Services Web and Remote Desktop Web 2010 CRYPTOCard Corp. All rights reserved. http:// www.cryptocard.com Copyright Copyright 2010, CRYPTOCard All Rights Reserved. No part of this publication
More informationBlackShield ID Agent for Remote Web Workplace
Agent for Remote Web Workplace 2010 CRYPTOCard Corp. All rights reserved. http:// www.cryptocard.com Copyright Copyright 2010, CRYPTOCard All Rights Reserved. No part of this publication may be reproduced,
More informationPCI Compliance Updates
PCI Compliance Updates E-Commerce / Cloud Security Adam Goslin, Chief Operations Officer AGoslin@HighBitSecurity.com Direct: 248.388.4328 PCI Guidance Google: PCI e-commerce guidance https://www.pcisecuritystandards.org/pdfs/pci_dss_v2_ecommerce_guidelines.pdf
More informationConnectivity to Polycom RealPresence Platform Source Data
Polycom RealAccess Security White Paper The Polycom RealAccess service is delivered using the Software as a Service (SaaS) model. This white paper outlines how the service protects sensitive customer data
More informationChapter 1 Web Application (In)security 1
Introduction xxiii Chapter 1 Web Application (In)security 1 The Evolution of Web Applications 2 Common Web Application Functions 4 Benefits of Web Applications 5 Web Application Security 6 "This Site Is
More informationLast update: February 23, 2004
Last update: February 23, 2004 Web Security Glossary The Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. The purpose of the Glossary is to
More informationWeb application security
Web application security Sebastian Lopienski CERN Computer Security Team openlab and summer lectures 2010 (non-web question) Is this OK? int set_non_root_uid(int uid) { // making sure that uid is not 0
More informationSecuring Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group
Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability
More informationBMC Remedy IT Service Management 7.0 Data Management Administrator s Guide
BMC Remedy IT Service Management 7.0 Data Management Administrator s Guide November 2007 www.bmc.com Contacting BMC Software You can access the BMC Software website at http://www.bmc.com. From this website,
More informationWeb Application Report
Web Application Report This report includes important security information about your Web Application. OWASP Top Ten 2010 The Ten Most Critical Web Application Report This report was created by IBM Rational
More informationCertified Secure Web Application Secure Development Checklist
www.certifiedsecure.com info@certifiedsecure.com Tel.: +31 (0)70 310 13 40 Loire 128-A 2491 AJ The Hague The Netherlands About Certified Secure Checklist Certified Secure exists to encourage and fulfill
More informationBentley CONNECT Dynamic Rights Management Service
v1.0 Implementation Guide Last Updated: March 20, 2013 Table of Contents Notices...5 Chapter 1: Introduction to Management Service...7 Chapter 2: Configuring Bentley Dynamic Rights...9 Adding Role Services
More informationCA SiteMinder. Web Agent Installation Guide for IIS 12.51
CA SiteMinder Web Agent Installation Guide for IIS 12.51 This Documentation, which includes embedded help systems and electronically distributed materials (hereinafter referred to as the Documentation
More informationIUCLID 5 Guidance and Support
IUCLID 5 Guidance and Support Web Service Installation Guide July 2012 v 2.4 July 2012 1/11 Table of Contents 1. Introduction 3 1.1. Important notes 3 1.2. Prerequisites 3 1.3. Installation files 4 2.
More informationDFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)
Title: Functional Category: Information Technology Services Issuing Department: Information Technology Services Code Number: xx.xxx.xx Effective Date: xx/xx/2014 1.0 PURPOSE 1.1 To appropriately manage
More informationInformation Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified
Standard: Data Security Standard (DSS) Requirement: 6.6 Date: February 2008 Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Release date: 2008-04-15 General PCI
More informationData Breaches and Web Servers: The Giant Sucking Sound
Data Breaches and Web Servers: The Giant Sucking Sound Guy Helmer CTO, Palisade Systems, Inc. Lecturer, Iowa State University @ghelmer Session ID: DAS-204 Session Classification: Intermediate The Giant
More informationCertified Secure Web Application Security Test Checklist
www.certifiedsecure.com info@certifiedsecure.com Tel.: +31 (0)70 310 13 40 Loire 128-A 2491 AJ The Hague The Netherlands Certified Secure Checklist About Certified Secure exists to encourage and fulfill
More informationEnterprise Application Security Workshop Series
Enterprise Application Security Workshop Series Phone 877-697-2434 fax 877-697-2434 www.thesagegrp.com Defending JAVA Applications (3 Days) In The Sage Group s Defending JAVA Applications workshop, participants
More informationWEB APPLICATION FIREWALLS: DO WE NEED THEM?
DISTRIBUTING EMERGING TECHNOLOGIES, REGION-WIDE WEB APPLICATION FIREWALLS: DO WE NEED THEM? SHAIKH SURMED Sr. Solutions Engineer info@fvc.com www.fvc.com HAVE YOU BEEN HACKED????? WHAT IS THE PROBLEM?
More informationBasic & Advanced Administration for Citrix NetScaler 9.2
Basic & Advanced Administration for Citrix NetScaler 9.2 Day One Introducing and deploying Citrix NetScaler Key - Brief Introduction to the NetScaler system Planning a NetScaler deployment Deployment scenarios
More informationBMC Performance Manager Portal Monitoring and Management Guide
BMC Performance Manager Portal Monitoring and Management Guide Supporting BMC Performance Manager Portal 2.7 Remote Service Monitor 2.7 April 2009 www.bmc.com Contacting BMC Software You can access the
More informationCA SiteMinder. Web Agent Installation Guide for IIS. r12.5
CA SiteMinder Web Agent Installation Guide for IIS r12.5 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation
More informationSecurity features of ZK Framework
1 Security features of ZK Framework This document provides a brief overview of security concerns related to JavaScript powered enterprise web application in general and how ZK built-in features secures
More informationFileCloud Security FAQ
is currently used by many large organizations including banks, health care organizations, educational institutions and government agencies. Thousands of organizations rely on File- Cloud for their file
More informationThis document contains the following topics:
Release Notification BMC Discovery Solution Version 8.1.00 December 18, 2009 This document describes the products and components contained in version 8.1.00 of BMC Discovery Solution. If you have any questions,
More informationHow To Test A Computer System On A Microsoft Powerbook 2.5 (Windows) (Windows 2) (Powerbook 2) And Powerbook 1.5.1 (Windows 3) (For Windows) (Programmer) (Or
2014 Guide For Testing Your Software Security and Software Assessment Services (SSAS) Usability Testing Sections Installation and Un-Installation Software Documentation Test Cases or Tutorial Graphical
More informationXerox DocuShare Security Features. Security White Paper
Xerox DocuShare Security Features Security White Paper Xerox DocuShare Security Features Businesses are increasingly concerned with protecting the security of their networks. Any application added to a
More informationBMC Remedy Knowledge Management 7.2 Planning and Configuration Guide
BMC Remedy Knowledge Management 7.2 Planning and Configuration Guide December 2007 www.bmc.com Contacting BMC Software You can access the BMC Software website at http://www.bmc.com. From this website,
More informationSECURE APPLICATION DEVELOPMENT CODING POLICY OCIO-6013-09 TABLE OF CONTENTS
OFFICE OF THE CHIEF INFORMATION OFFICER OCIO-6013-09 Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: TABLE OF CONTENTS Section I. PURPOSE II. AUTHORITY III. SCOPE IV. DEFINITIONS
More informationChristchurch Polytechnic Institute of Technology Information Systems Acquisition, Development and Maintenance Security Standard
Christchurch Polytechnic Institute of Technology Information Systems Acquisition, Development and Maintenance Security Standard Corporate Policies & Procedures Section 1: General Administration Document
More informationWeb Application Attacks and Countermeasures: Case Studies from Financial Systems
Web Application Attacks and Countermeasures: Case Studies from Financial Systems Dr. Michael Liu, CISSP, Senior Application Security Consultant, HSBC Inc Overview Information Security Briefing Web Applications
More information