W16 Integrating Security into the Development Lifecycle. Ryan English, SPI Dynamics Inc. Bio and presentation, 6/28/2006 3:00 PM
1 Better Software Conference, June 26-29, 2006, Las Vegas, NV USA
2 Ryan English Ryan English is the group product manager for SPI Dynamics' QAInspect(tm) Quality Assurance Security testing product line, overseeing product strategy and direction for the company's five Quality Assurance products. Prior to joining SPI Dynamics, Ryan was responsible for product management at Live Oak Technologies, a quality assurance software company. In addition, Ryan was a project manager for the supply chain software company VerticalNet, where he assisted in the strategic growth and development of their consulting division. Ryan has also led project management teams with MCI Worldcom and DayNine. Ryan is a seasoned speaker on the topic of security testing Web applications in QA and has spoken at several Quality Assurance industry events including Mercury World 2005.
3 ASAP Integrating Security into the Development Lifecycle Ryan English Group Product Manager
4 History of Web Applications Simple, single server solutions Browser Web Server HTML
5 Web Application Architecture (diagram). Clients (browser, web services, wireless) reach the Web Servers, which form the presentation layer. Behind them the Application Server holds the business logic (customer identification, media store, content services, access controls, transaction information). Behind that the Database Server holds the core business data.
6 Web Applications Breach the Perimeter (diagram). From the Internet the perimeter is offered HTTP(S), IMAP, FTP, SSH, TELNET and POP3, but the first firewall only allows port 80 (or 443 SSL) traffic from the Internet to the web server (IIS, SunOne, Apache) in the DMZ. The second firewall only allows applications on the web server to talk to the application server (ASP.NET, WebSphere, Java) on the trusted inside. The third firewall only allows the application server to talk to the database server (SQL, Oracle, DB2) on the corporate inside. The point of the slide: a request that attacks the application is still legitimate port 80/443 traffic, so it passes every one of these firewalls and reaches the data along the exact path the architecture was built to allow.
7 The State of Application Security (timeline, 2000 to 2006). 2000: networks secured, applications vulnerable. Early adopters begin manual application testing. These early adopter industries establish application security programs. Certain industries make automated application security assessments standard practice. 2006: Web application security programs are enabled across the software development lifecycle (SDLC), leverage automated assessment software, involve cross-functional teaming, and require executive sponsorship.
8 The State of Application Security. "Over 70 percent of security vulnerabilities exist at the application layer, not the network layer" (Gartner). "The battle between hackers and security professionals has moved from the network layer to the Web applications themselves" (Network World). "64 percent of developers are not confident in their ability to write secure applications" (Microsoft Developer Research). "Hacking has moved from a hobbyist pursuit with a goal of notoriety to a criminal pursuit with a goal of money" (Counterpane Internet Security).
9 The State of Application Security (headlines). "Britain warns of major attack." "40M credit cards hacked." "Hackers seen aiming at government, corporate networks." "Breach at third party payment processor affects 22 million Visa cards and 14 million MasterCards" (The Associated Press, updated 1:42 p.m. ET June 16, 2005; CNN/Money, Jeanne Sahadi, senior writer, June 20, 2005, 3:18 PM EDT). In 2004, 78% of enterprises were hit by viruses, 49% had laptops stolen, and 37% reported unauthorized access to information (CSI and FBI Computer Crime and Security Survey).
10 Web Application Vulnerabilities Web application vulnerabilities occur in three major areas: Platform Administration Application
11 Web Application Vulnerabilities. Platform: known vulnerabilities can be exploited immediately with a minimum of skill or experience (script kiddies). These are the most easily defended of all web vulnerabilities, but only with streamlined patching procedures and an inventory process; you cannot patch what you do not know you are running. Platform examples: IIS UNICODE, Apache chunked encoding.
12 Web Application Vulnerabilities. Administration: more difficult to correct than known platform issues and require increased awareness. It is more than just configuration; administrators must be aware of security flaws in the actual content. Remnant files can reveal the applications and versions in use. Backup files can reveal source code and database connection strings. Administration examples: extension checking, common file checks, data extension checking, backup checking, directory enumeration, path truncation, hidden web paths, forceful browsing.
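The backup and remnant file checks listed on this slide reduce to one loop: for each page a site is known to serve, derive the names an editor, deployment or administrator typically leaves behind and request each one. The following is an added example written for this page, not code from the slides or from any SPI Dynamics product; the suffix list, the leak markers and the FAKE_SITE responses are constructed for illustration.

```python
"""Probe for remnant and backup files (added example; not part of the slides).

Given the page paths a site is known to serve, derive the file names commonly
left behind and check each one through a fetch callable. The same probe runs
against a live site or, as here, against a constructed table of responses."""

# Suffixes and renames typically left behind by editors, deployments and admins.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", ".swp", "~", ".txt")

# Strings that mark a body as source or configuration rather than rendered HTML.
LEAK_MARKERS = ("<%", "<?php", "connectionstring", "provider=", "password=", "pwd=")


def backup_candidates(path):
    """Return the candidate remnant paths derived from one known page path."""
    cands = []

    def add(p):
        if p not in cands:
            cands.append(p)

    for suf in BACKUP_SUFFIXES:
        add(path + suf)                  # /login.asp.bak, /login.asp~
    stem, dot, ext = path.rpartition(".")
    if dot and "/" not in ext:           # the path has a file extension
        for suf in BACKUP_SUFFIXES:
            if suf.startswith("."):
                add(stem + suf)          # /login.bak
        add("%s_old.%s" % (stem, ext))   # /login_old.asp
    return cands


def is_leak(status, body):
    """A 200 is not enough on its own: servers with custom error pages answer
    200 to everything, so the body must also look like source or config."""
    if status != 200 or not body:
        return False
    low = body.lower()
    return any(marker in low for marker in LEAK_MARKERS)


def probe(known_paths, fetch):
    """Return every candidate path whose response looks like leaked source."""
    hits = []
    for path in known_paths:
        for cand in backup_candidates(path):
            status, body = fetch(cand)
            if is_leak(status, body):
                hits.append(cand)
    return hits


# Constructed responses standing in for a target site (not a real capture).
FAKE_SITE = {
    "/login.asp": (200, "<html><form action='login.asp'>...</form></html>"),
    "/login.asp.bak": (200, '<% conn.Open "Provider=SQLOLEDB;Data Source=db1;'
                            'User ID=sa;Password=Summer2006" %>'),
    "/admin/db.inc.old": (200, "<?php $dsn = 'mysql:host=db1'; $pwd = 'Summer2006'; ?>"),
}


def fake_fetch(path):
    """Stand-in for an HTTP GET. Unknown paths get a custom 'not found' page
    with status 200, the behaviour that defeats status-code-only scanners."""
    return FAKE_SITE.get(path, (200, "<html><body>Page not found</body></html>"))


if __name__ == "__main__":
    for hit in probe(["/login.asp", "/admin/db.inc"], fake_fetch):
        print("possible source leak:", hit)
```

The content check matters more than the status code: many production sites return 200 with a friendly error page for every unknown path, so a scanner that trusts the status alone reports everything and finds nothing.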
13 Web Application Vulnerabilities. Application: coding techniques do not include security. Input is assumed to be valid but is never tested. Inappropriate file calls reveal source code and system files. Unexamined input from a browser can inject scripts into a page for replay against later visitors (stored cross-site scripting). Unhandled error messages reveal application and database structures. Unchecked database calls can be piggybacked with an attacker's own database call, giving direct access to business data through a web browser. Application examples: application mapping, cookie manipulation, custom application scripting, parameter manipulation, SQL injection, hidden web paths, forceful browsing.
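The "unchecked database call" and "unhandled error message" points on this slide are easiest to see with the vulnerable and the fixed code side by side. This is an added example written for this page using Python's bundled sqlite3 module, not code from the slides; the users table, its rows and the payload strings are constructed for the demonstration (passwords are stored in the clear only to keep the example short, which is not how credentials should be stored).

```python
"""Slide 13's 'unchecked database call' and 'unhandled error message', shown
in a vulnerable form and a fixed form (added example; not from the slides)."""
import sqlite3

SERVER_LOG = []  # where the fixed version keeps driver errors, instead of the browser


def build_db():
    """In-memory stand-in for the business database, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return conn


def _result(row):
    return {"ok": row is not None,
            "user": row[0] if row else None,
            "role": row[1] if row else None}


def login_vulnerable(conn, username, password):
    """Query built by string concatenation: whatever the browser sends becomes
    part of the SQL, so an attacker's own clause rides along with ours."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # The raw driver error is returned to the browser, teaching the
        # attacker the query shape (and on other engines, table/column names).
        return {"ok": False, "error": str(exc)}
    return _result(row)


def login_fixed(conn, username, password):
    """Parameterised query: the input is bound as data and can never change
    the statement. Driver errors are logged server-side, not echoed."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    try:
        row = conn.execute(sql, (username, password)).fetchone()
    except sqlite3.Error as exc:
        SERVER_LOG.append(repr(exc))
        return {"ok": False, "error": "login failed"}
    return _result(row)


# Constructed payloads: the classic piggybacked clause, and a lone quote that
# breaks the statement to see what the server says about itself.
PIGGYBACK = "' OR '1'='1"
ERROR_PROBE = "'"

if __name__ == "__main__":
    conn = build_db()
    print("vulnerable, piggyback :", login_vulnerable(conn, "nobody", PIGGYBACK))
    print("vulnerable, error probe:", login_vulnerable(conn, ERROR_PROBE, "x"))
    print("fixed, piggyback       :", login_fixed(conn, "nobody", PIGGYBACK))
    print("fixed, error probe     :", login_fixed(conn, ERROR_PROBE, "x"))
```

With the piggybacked clause the vulnerable query becomes `... AND password = '' OR '1'='1'`, which is true for every row, so the first account (here the admin) is returned without a valid password. The fixed version binds the same bytes as a plain string value and the login simply fails.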
14 What is a Web-Based Application? What is the data path (Network) for web applications? How does a web-based application work (HTTP)? How does your application work? Web Application HTTP Network
15 How Do Web Applications Communicate? Network Layer Web Application HTTP Network
16 How Do Web Applications Communicate? Network Layer. The client connects to the server; the client sends a request to the server; the server responds to the client; the connection is closed. HTTP is stateless. (Diagram: client PC and server, port 80, request and response.)
17 Securing the Network Layer. SSL (Secure Sockets Layer) provides encryption of data between a client and a server. It typically guarantees to the client that the server is who it asserts itself to be, provided the client actually validates the certificate chain and checks that the name on the certificate matches the host it meant to reach. It protects the data in transit; it says nothing about what is inside the request, so an attack on the application carried over SSL is still an attack on the application. (Diagram: client PC and server, port 443, SSL tunnel.)
18 Securing the Network Layer. SSL. Firewalls: allow or disallow traffic to pass from the external network to the internal network, acting as a traffic cop. Port 80 (HTTP) and port 443 (HTTPS) travel freely through the firewall. (Diagram: client PC and server, port 443, SSL tunnel.)
19 Securing the Network Layer. SSL. Firewalls. IDS (Intrusion Detection System): monitors the network for malicious activity, typically with signature-based detection (similar to virus protection). It is blind to encrypted (SSL) traffic unless the traffic is decrypted before it reaches the sensor, so an attack inside an HTTPS request passes the IDS unseen. (Diagram: client PC, IDS and server, port 443, SSL tunnel.)
20 What is HTTP? Web Application HTTP Network
21 Demonstration
22 Elements that Drive Change People: Providing guidance on secure application development Process: Security cannot be an afterthought Tools: Providing the most innovative tools
23 People: Education As a Driver MSDN and TechNet Sharing whitepapers and how tos Patterns & Practices Dedicated team focused on security guidance Education Train every Developer and IT Professional on security
24 Accountability and Incentives Microsoft Developer Research: Almost 40 percent of developers say that their companies do not think it is very important to write secure applications CXOs and management say it is very important Current incentives on performance and ship dates Must be driven top-down
25 Application Security Assurance Program Maturity Model & Best Practices
26 Application Security Assurance Program (ASAP). The ASAP Maturity Model is about defining a roadmap for, and the execution of, the SDL. Organizations should implement their own Trustworthy Computing Initiative tailored to their own needs. The model describes the programs needed to integrate security throughout the software development lifecycle and throughout the production lifespan of the application: a holistic program providing end-to-end lifecycle coverage while spanning People, Process and Technology. The maturity chart plots three levels against those three dimensions, from Reactive & Tactical at the bottom to Proactive & Strategic at the top:
Reactive & Tactical: Technology: security department testing tools; People: the security department; Process: organizational silos.
Planned & Purposeful: Technology: integrated development & QA tools; People: developer awareness; Process: cross-functional teams.
Proactive & Strategic: Technology: vulnerability management; People: technical & management curriculum; Process: policy-driven secure SDL, executive buy-in, integrated organization.
27 ASAP Maturity Model, Level 1: Reactive & Tactical (security department testing tools, organizational silos). Characterized by: the security team finds application vulnerabilities from initial scanning efforts; most vulnerabilities require development fixes; vulnerability reports are sent to development; development pushes back due to short timelines and the business impact of security rework; due to a lack of application security training, issue acceptance and resolution is difficult.
28 ASAP Maturity Model, Level 2: Planned & Purposeful (integrated development & QA tools, developer awareness, cross-functional teams). Characterized by: the security team conducts assessments; developers are trained on security; vulnerabilities still require development fixes; vulnerability reports are sent to development. Now the developers understand the issues, but the development process still does not include proactive secure development.
29 ASAP Maturity Model, Level 3: Proactive & Strategic (vulnerability management, technical & management curriculum, policy-driven secure SDL, executive buy-in, integrated organization). Characterized by: vulnerability management software used across the SDLC; security processes in place across the SDLC; security integrated into the entire development lifecycle; all levels of the organization committed to security; a complete security curriculum as standard practice.
30 ASAP Best Practices (chart). Practices are plotted across the SDLC phases (Requirements, Design, Development, QA Test, Release, Support & Services) and against the maturity axis from Reactive & Tactical to Proactive & Strategic. Practices shown: regulatory compliance, security kickoff, security training, threat modeling, infrastructure design, create development standards, secure code library, source code review, development assessment tools, QA assessment tools, penetration testing, automated assessment tools, infrastructure assessment, security services. Each is taken up on the slides that follow.
31 Effective ASAP Implementations Executive Sponsorship Must obtain senior level management sponsorship Must assess potential impacts to application development efforts Must clearly communicate criticality of ASAP Management must understand that ASAP is not a project, it will be integrated into the existing processes in the SDLC
32 Security Kickoff Requirements Design Development QA Test Release Support & Services Establish ASAP team Development Quality Security Audit, Risk, etc. Identify checkpoints in the SDLC where security will be reviewed Establish rapport Processes are made up of people This is a team with common goals, not a boxing match
33 Security Training Requirements Design Development QA Test Release Support & Services Identify development and quality team Define appropriate training levels for team members Provide general secure coding training Provide company and department specific training Company / department standards Proper use of libraries and objects
34 Create Development Standards. Requirements Design Development QA Test Release Support & Services. Standards should define how critical activities are done: database access, authentication / authorization, encryption, etc. Standards should be clear and include specific examples, and concise; people will not read, much less follow, a long-winded policy.
35 Threat Modeling. Requirements Design Development QA Test Release Support & Services. The process of identifying the critical components of a system, where and how an attack is most likely to occur, and where such an attack would be most effective, then using this information to ensure that the high-risk scenarios are protected against. Advantages: a practical, attacker's view of the system; flexible; applied early in the SDLC. Disadvantages: a relatively new technique, and good threat models do not automatically mean good software.
36 Infrastructure Design Requirements Design Development QA Test Release Support & Services Infrastructure considerations Network design Firewalls IDS SSL use Data Encryption Authentication Infrastructure Single sign on Understanding what each security measure does and does not do is critical
38 Secure Coding Libraries. Requirements Design Development QA Test Release Support & Services. Libraries should provide a consistent method of validating user input, should not limit developer functionality by changing the development process, and should detect ongoing attacks and protect the application from them. Libraries can be either commercial or custom built.
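What such a library looks like in practice, as an added example written for this page (not a real SPI Dynamics or other vendor library, and not code from the slides): one class that validates every field against an allow-list for its kind, encodes text before it goes back into a page, and counts rejections per client so that a caller who keeps tripping validation can be treated as an attack in progress. The field kinds, patterns, client addresses and attack threshold are all assumptions made for the example.

```python
"""A small secure-coding library of the kind slide 38 describes (added example;
not a real vendor library). Consistent allow-list validation, output encoding,
and a crude signal for a client whose requests keep failing validation."""
import html
import re
from collections import Counter


class ValidationError(ValueError):
    """Raised when a value does not match the allow-list for its kind."""


class InputGuard:
    # Allow-lists describe what a field MAY contain; they are not a list of
    # bad characters, which is the approach attackers routinely get around.
    PATTERNS = {
        "username": re.compile(r"[A-Za-z0-9_.]{3,32}"),
        "order_id": re.compile(r"[0-9]{1,10}"),
        "email": re.compile(r"[^@\s]{1,64}@[A-Za-z0-9.-]{1,255}"),
    }

    def __init__(self, attack_threshold=5):
        self.attack_threshold = attack_threshold
        self.rejections = Counter()  # rejected requests per client

    def require(self, client, kind, value):
        """Return the validated (and typed) value or raise ValidationError.
        fullmatch() is used rather than ^...$ because '$' would accept a
        trailing newline. Every rejection is counted against the client."""
        pattern = self.PATTERNS[kind]
        if not isinstance(value, str) or not pattern.fullmatch(value):
            self.rejections[client] += 1
            raise ValidationError("invalid %s" % kind)
        return int(value) if kind == "order_id" else value

    def under_attack(self, client):
        """True once a client has tripped validation often enough to look like probing."""
        return self.rejections[client] >= self.attack_threshold

    @staticmethod
    def html_text(value):
        """Encode untrusted text for an HTML body or attribute, so stored input
        cannot become script when replayed to later visitors (slide 13)."""
        return html.escape(value, quote=True)


def rejects(guard, client, kind, value):
    """True if the guard rejects the value (convenience for callers and tests)."""
    try:
        guard.require(client, kind, value)
    except ValidationError:
        return True
    return False


if __name__ == "__main__":
    guard = InputGuard(attack_threshold=3)
    for payload in ("' OR '1'='1", "<script>alert(1)</script>", "../../etc/passwd"):
        print("username", repr(payload), "rejected:", rejects(guard, "10.0.0.9", "username", payload))
    print("10.0.0.9 looks like an attacker:", guard.under_attack("10.0.0.9"))
    print("encoded for HTML:", InputGuard.html_text('<script>alert("x")</script>'))
```

The rejection counter is deliberately simple; in a real deployment it would feed the same logging and alerting the security team already watches, and the threshold would be tuned to the application's normal error rate.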
39 Source Code Review. Requirements Design Development QA Test Release Support & Services. Source code review is the process of manually checking a Web application's source code for security issues. Advantages: many bugs or backdoors can only be found via source code review; it can provide a very detailed review of application functionality. Disadvantages: requires highly skilled security developers; can miss issues in calls to compiled libraries whose source is not available; cannot easily detect run-time errors; time consuming and tedious.
40 Development Assessment Tools. Requirements Design Development QA Test Release Support & Services. The process of testing a running application. Typically involves exercising the application in its normal operating mode, taking note of pages, parameters, cookies, and other data being passed to and from the application, then sending malformed versions of that information to the application to see what errors are generated. Advantages: tools can be integrated directly into existing development environments; can be done during development, test and pre-production; will show many as-built security vulnerabilities that are the result of bugs or undesigned features; can be done rapidly with the addition of appropriate tools. Disadvantages: can miss some types of security issues that can be discovered by other means (i.e., source code review); when done manually, the process can be very time consuming.
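The two mechanical steps in the description above (take note of the pages, parameters and cookies; then send malformed versions) can be shown directly. The following is an added example written for this page, not code from the slides or from any QA or assessment product: it parses a captured request into its parts, generates a malformed variant for every parameter and cookie, and serialises each variant back into a request that a test harness could send. The captured request, the payload set and the host name are constructed for the example.

```python
"""Building blocks of a development assessment (dynamic test) tool, as slide 40
describes: parse a captured request, then emit malformed variants of each
parameter and cookie (added example; not from the slides or any product)."""
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed sample request, standing in for one captured while exercising
# the application normally.
CAPTURED = (
    "GET /account/view.asp?id=1042&tab=orders HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Cookie: session=abc123; role=user\r\n"
    "\r\n"
)

# Malformed values a tester would substitute for each field, keyed by what
# each probes for (SQL injection, script injection, path traversal, length
# handling, missing-value handling).
PAYLOADS = {
    "sqli": "'",
    "xss": "<script>alert(1)</script>",
    "traversal": "../../../boot.ini",
    "overlong": "A" * 4096,
    "empty": "",
}


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, path, params, cookies, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return {"method": method, "path": url.path, "params": params,
            "cookies": cookies, "headers": headers, "body": body}


def mutations(req):
    """Return (where, field, kind, modified_request) for every parameter and
    cookie, plus an 'adjacent_id' variant for numeric parameters, the classic
    parameter-manipulation check for access to another user's record."""
    out = []
    for where in ("params", "cookies"):
        for name in req[where]:
            for kind, payload in PAYLOADS.items():
                m = {**req, where: dict(req[where])}
                m[where][name] = payload
                out.append((where, name, kind, m))
    for name, value in req["params"].items():
        if value.isdigit():
            m = {**req, "params": dict(req["params"])}
            m["params"][name] = str(int(value) + 1)
            out.append(("params", name, "adjacent_id", m))
    return out


def serialize(req):
    """Turn a parsed (possibly mutated) request back into raw HTTP/1.1 text."""
    query = urlencode(req["params"])
    target = req["path"] + ("?" + query if query else "")
    lines = ["%s %s HTTP/1.1" % (req["method"], target)]
    for name, value in req["headers"].items():
        if name != "cookie":
            lines.append("%s: %s" % (name.title(), value))
    if req["cookies"]:
        lines.append("Cookie: " + "; ".join("%s=%s" % kv for kv in req["cookies"].items()))
    return "\r\n".join(lines) + "\r\n\r\n" + req["body"]


if __name__ == "__main__":
    request = parse_request(CAPTURED)
    for where, field, kind, mutated in mutations(request):
        print("%-8s %-8s %-12s %s" % (where, field, kind, serialize(mutated).split("\r\n")[0][:70]))
```

Each serialised variant would be sent to the test server and the response compared with the baseline: a database error for the `sqli` variant, the script reflected unencoded for `xss`, or another customer's data for `adjacent_id` is the finding the slide describes.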
41 QA Automated Assessment Tools. Requirements Design Development QA Test Release Support & Services. Tools should be able to leverage existing QA assets for the purposes of security testing: login scripts, functional test scripts, the defect tracking system. Tools should integrate directly into the existing QA testing suite and complement the existing process; they should not overly burden the QA team with additional tests, and should not require extensive application security knowledge of the tester.
42 Penetration Testing. Requirements Design Development QA Test Release Support & Services. Penetration testing is the practice of using a specialist in application security to attempt to breach an application's security measures. The goal is to gain confidence in the measures that have been put in place; a test that finds nothing within its scope and time box is evidence, not proof, that an attacker could not get through. Penetration testing provides a real-world view of the application and its associated risks.
43 Automated Assessment Tools. Requirements Design Development QA Test Release Support & Services. Provide automated, ongoing assessment of web-based applications, so that existing applications are re-tested as new attack techniques appear and applications are checked before going live. This is the last line of defense and a place to double-check the process. These tools should scale to handle the demand an enterprise will put on its web application assessment assets.
44 Infrastructure Assessment. Requirements Design Development QA Test Release Support & Services. Network scanning; IDS; database scanning; SSL and SSL accelerators; password crackers; etc.
45 Regulatory Compliance. Requirements Design Development QA Test Release Support & Services. Compliance will affect all aspects of the SDLC. Compliance may have specific or implied requirements that affect how software is architected and the features that must be included: audit requirements, security and access control requirements. Regulations: HIPAA, GLBA, SOX, California SB 1386, etc.; Federal Trade Commission (FTC) enforcement.
46 Session Summary. Effectively dealing with application security issues is a process-level issue, not simply a code issue. Integrating security into the SDLC (an ASAP program) allows companies to integrate security into their processes and reach a mature level of security without undue effect on the overall process. ASAP must be a management-level initiative because of the effect it will have on the entire SDLC.
47 Closing and Q&A
Starting your Software Security Assurance Program May 21, 2015 ITARC, Stockholm, Sweden Presenter Max Poliashenko Chief Enterprise Architect Wolters Kluwer, Tax & Accounting Max leads the Enterprise Architecture
More informationLocking down a Hitachi ID Suite server
Locking down a Hitachi ID Suite server 2016 Hitachi ID Systems, Inc. All rights reserved. Organizations deploying Hitachi ID Identity and Access Management Suite need to understand how to secure its runtime
More informationDETAILED RISK ASSESSMENT REPORT
DETAILED RISK ASSESSMENT REPORT Executive Summary During the period June 1, 2004 to June 16, 2004 a detailed information security risk assessment was performed on the Department of Motor Vehicle s Motor
More informationA Decision Maker s Guide to Securing an IT Infrastructure
A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose
More informationWeb Application Penetration Testing
Web Application Penetration Testing 2010 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Will Bechtel William.Bechtel@att.com
More informationCertified Ethical Hacker Exam 312-50 Version Comparison. Version Comparison
CEHv8 vs CEHv7 CEHv7 CEHv8 19 Modules 20 Modules 90 Labs 110 Labs 1700 Slides 1770 Slides Updated information as per the latest developments with a proper flow Classroom friendly with diagrammatic representation
More informationSonicWALL PCI 1.1 Implementation Guide
Compliance SonicWALL PCI 1.1 Implementation Guide A PCI Implementation Guide for SonicWALL SonicOS Standard In conjunction with ControlCase, LLC (PCI Council Approved Auditor) SonicWall SonicOS Standard
More informationCompliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's:
Security.01 Penetration Testing.02 Compliance Review.03 Application Security Audit.04 Social Engineering.05 Security Outsourcing.06 Security Consulting.07 Security Policy and Program.08 Training Services
More informationOut of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet
Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development
More informationelearning for Secure Application Development
elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security
More informationWeb Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure
Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences
More information2. From a control perspective, the PRIMARY objective of classifying information assets is to:
MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected
More informationUniversities and Schools Under Cyber-Attack: How to Protect Your Institution of Excellence
Universities and Schools Under Cyber-Attack: How to Protect Your Institution of Excellence About ERM About The Speaker Information Security Expert at ERM B.S. Software Engineering and Information Technology
More informationEnterprise-Grade Security from the Cloud
Datasheet Website Security Enterprise-Grade Security from the Cloud Unmatched web application security experience, enhanced by real-time big data analytics, enables Incapsula to provide best-of-breed security
More informationFINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE
Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security
More informationFive keys to a more secure data environment
Five keys to a more secure data environment A holistic approach to data infrastructure security Compliance professionals know better than anyone how compromised data can lead to financial and reputational
More informationProtecting Your Organisation from Targeted Cyber Intrusion
Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology
More informationSERENA SOFTWARE Serena Service Manager Security
SERENA SOFTWARE Serena Service Manager Security 2014-09-08 Table of Contents Who Should Read This Paper?... 3 Overview... 3 Security Aspects... 3 Reference... 6 2 Serena Software Operational Security (On-Demand
More informationHack Proof Your Webapps
Hack Proof Your Webapps About ERM About the speaker Web Application Security Expert Enterprise Risk Management, Inc. Background Web Development and System Administration Florida International University
More informationSAST, DAST and Vulnerability Assessments, 1+1+1 = 4
SAST, DAST and Vulnerability Assessments, 1+1+1 = 4 Gordon MacKay Digital Defense, Inc. Chris Wysopal Veracode Session ID: Session Classification: ASEC-W25 Intermediate AGENDA Risk Management Challenges
More informationThe monsters under the bed are real... 2004 World Tour
Web Hacking LIVE! The monsters under the bed are real... 2004 World Tour Agenda Wichita ISSA August 6 th, 2004 The Application Security Dilemma How Bad is it, Really? Overview of Application Architectures
More informationThe New PCI Requirement: Application Firewall vs. Code Review
The New PCI Requirement: Application Firewall vs. Code Review The Imperva SecureSphere Web Application Firewall meets the new PCI requirement for an application layer firewall. With the highest security
More informationHow To Compare Your Web Vulnerabilities To A Gamascan Report
Differential Report Target Scanned: www.gamasec-test.com Previous Scan: Wed Jul 2 15:29:12 2008 Recent Scan: Wed Jul 9 00:50:01 2008 Report Generated: Thu Jul 10 12:00:51 2008 Page 1 of 15 Differential
More information3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management
What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org
More informationPreliminary Course Syllabus
Preliminary Course Syllabus Designing Security for Microsoft SQL Server 2005 Elements of this syllabus are subject to change. Key Data Product #: 1917 Course #: 2787A Number of Days: 2 Format: Instructor-Led
More informationIT Security & Compliance. On Time. On Budget. On Demand.
IT Security & Compliance On Time. On Budget. On Demand. IT Security & Compliance Delivered as a Service For businesses today, managing IT security risk and meeting compliance requirements is paramount
More informationApplication Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group
Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group Overview What is Application Security? Examples of Potential Vulnerabilities Potential Strategies
More informationDeveloping the Corporate Security Architecture. www.avient.ca Alex Woda July 22, 2009
Developing the Corporate Security Architecture www.avient.ca Alex Woda July 22, 2009 Avient Solutions Group Avient Solutions Group is based in Markham and is a professional services firm specializing in
More informationTable of Contents. Page 2/13
Page 1/13 Table of Contents Introduction...3 Top Reasons Firewalls Are Not Enough...3 Extreme Vulnerabilities...3 TD Ameritrade Security Breach...3 OWASP s Top 10 Web Application Security Vulnerabilities
More informationOrganizations Should Implement Web Application Security Scanning
Research Publication Date: 21 September 2005 ID Number: G00130869 Organizations Should Implement Web Application Security Scanning Amrit T. Williams, Neil MacDonald Web applications are prone to vulnerabilities
More informationOverview of Banking Application Security and PCI DSS Compliance for Banking Applications
Overview of Banking Application Security and PCI DSS Compliance for Banking Applications Thought Paper www.infosys.com/finacle Universal Banking Solution Systems Integration Consulting Business Process
More informationNSFOCUS Web Application Firewall White Paper
White Paper NSFOCUS Web Application Firewall White Paper By NSFOCUS White Paper - 2014 NSFOCUS NSFOCUS is the trademark of NSFOCUS Information Technology Co., Ltd. NSFOCUS enjoys all copyrights with respect
More informationSecuring SaaS Applications: A Cloud Security Perspective for Application Providers
P a g e 2 Securing SaaS Applications: A Cloud Security Perspective for Application Providers Software as a Service [SaaS] is rapidly emerging as the dominant delivery model for meeting the needs of enterprise
More informationChristchurch Polytechnic Institute of Technology Information Systems Acquisition, Development and Maintenance Security Standard
Christchurch Polytechnic Institute of Technology Information Systems Acquisition, Development and Maintenance Security Standard Corporate Policies & Procedures Section 1: General Administration Document
More informationWeb application security Executive brief Managing a growing threat: an executive s guide to Web application security.
Web application security Executive brief Managing a growing threat: an executive s guide to Web application security. Danny Allan, strategic research analyst, IBM Software Group Contents 2 Introduction
More informationOWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp.
and Top 10 (2007 Update) Dave Wichers The Foundation Conferences Chair dave.wichers@owasp.org COO, Aspect Security dave.wichers@aspectsecurity.com Copyright 2007 - The Foundation This work is available
More informationUsing Foundstone CookieDigger to Analyze Web Session Management
Using Foundstone CookieDigger to Analyze Web Session Management Foundstone Professional Services May 2005 Web Session Management Managing web sessions has become a critical component of secure coding techniques.
More informationApplication Security in the Software Development Lifecycle
Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO
More informationMatriXay WEB Application Vulnerability Scanner V 5.0. 1. Overview. (DAS- WEBScan ) - - - - - The best WEB application assessment tool
MatriXay DAS-WEBScan MatriXay WEB Application Vulnerability Scanner V 5.0 (DAS- WEBScan ) - - - - - The best WEB application assessment tool 1. Overview MatriXay DAS- Webscan is a specific application
More informationAn Anatomy of a web hack: SQL injection explained
An Anatomy of a web hack: SQL injection explained By David Strom Founding Editor-in-Chief Network Computing Magazine January 2009 Breach Security, Inc. Corporate Headquarters 2141 Palomar Airport Road,
More informationWhat s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.
What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. AGENDA Current State of Information Security Data Breach Statics Data Breach Case Studies Why current
More information