Harness Your Robot Army for Total Vulnerability Management
Size: px
Start display at page:

Download "Harness Your Robot Army for Total Vulnerability Management"

Transcription

1 Harness Your Robot Army for Total Vulnerability Management 2015 Triangle InfoSeCon Jonathan Knudsen October 8, Synopsys, Inc. 1

2 Contents Security Is Easy Builders and Buyers Software Vulnerabilities Your Robot Army Coders Gonna Code Summing Up 2015 Synopsys, Inc. 2

3 Security Is Easy ;^) 1. Find vulnerabilities 2. Fix vulnerabilities OK. This one is hard Synopsys, Inc. 3

4 Hacking Is Easy 1. Find vulnerabilities 2. Exploit vulnerabilities 2015 Synopsys, Inc. 4

5 Builders and Buyers Builders Create software Write code Use components Examples: Medical infusion pump Automobile Desktop software Mobile apps Nuclear cruise missile Buyers Consume software Provide a service Examples: Hospital Network operator Public utility Military Bank 2015 Synopsys, Inc. 5

6 Software Vulnerabilities 1. Design vulnerabilities 2. Configuration vulnerabilities 3. Code vulnerabilities To improve security, find and fix as many vulnerabilities as you can You will never find all of them Using resources efficiently puts you ahead of the curve 2015 Synopsys, Inc. 6

7 Human Hunters 1. Design vulnerabilities 2. Configuration vulnerabilities 3. Code vulnerabilities Code reviews: slow! Pair programming: slow! 2015 Synopsys, Inc. 7

8 Where Machines Can Help 1. Design vulnerabilities 2. Configuration vulnerabilities 3. Code vulnerabilities 2015 Synopsys, Inc. 8

9 Your Robot Army Configuration scanners For example, Nessus Find old versions of stuff Find default credentials Find incorrect access Source code analysis, a.k.a. static analysis For example, Coverity Software composition analysis, a.k.a. static binary analysis For example, AppCheck Fuzzing For example, Defensics 2015 Synopsys, Inc. 9

10 Source Code Analysis Generally impossible for buyers For locating unknown vulnerabilities Need the source code Need a tool that knows your language Produces some false positives Need somebody knowledgeable to interpret results, review 2015 Synopsys, Inc. 10

11 Static Composition Analysis No source code required good for buyers and builders Software supply chain management tool For locating known vulnerabilities Static analysis of executable code to detect used components Components can be correlated to known vulnerabilities Known vulnerabilities in contained libraries aren t always exposed on external interfaces Gives you a lot more information than you had before Can also correlate to software licenses 2015 Synopsys, Inc. 11

12 Fuzzing No source code required good for buyers and builders Dynamic testing for locating unknown vulnerabilities Fuzzing technique makes a big difference The more legitimate the fuzzer can look, the better Focuses on exposed attack surface The oracle challenge What is failure? How can your fuzzer detect failure? Simple: valid messaging to verify external interface Better: target instrumentation, like valgrind, Asan, etc. Add behavior analysis: how Heartbleed was found 2015 Synopsys, Inc. 12

13 Coders Gonna Code Developers write source code Multiple teams, perhaps Pull in third party components (More developers) Build finished product 2015 Synopsys, Inc. 13

14 Coders Gonna Screw Up Developers are mortal Third party developers are also mortal 2015 Synopsys, Inc. 14

15 Static Analysis Finds bugs in source code Developers fix bugs Static Analysis 2015 Synopsys, Inc. 15

16 Software Composition Analysis SCA Finds third party components Lists known vulnerabilities Update or patch components Static Analysis 2015 Synopsys, Inc. 16

17 Fuzzing SCA Dynamic fuzz testing Find unknown vulnerabilities Fix more bugs Static Analysis Fuzzing 2015 Synopsys, Inc. 17

18 You Never Get All the Way There SCA There are always more bugs Fewer bugs == lower risk Hard to explain to pointy heads Static Analysis Fuzzing 2015 Synopsys, Inc. 18

19 What if You Didn t Write the Software? SCA What are you getting? Trust, but verify SCA still works here Fuzzing still works here Fix by negotiating Apply pressure before paying Or exploit! Fuzzing 2015 Synopsys, Inc. 19

20 Summing Up Security is not exactly easy Applying resources wisely is important Automated tools can help find some vulnerabilities Configuration scanning Source code scanning Software composition analysis Fuzzing Most tools are useful for builders and buyers Most tools are useful for hackers 2015 Synopsys, Inc. 20

21 Thank You Jonathan Knudsen October 8, Synopsys, Inc. 21

Similar documents

What is Fuzzing: The Poet, the Courier, and the Oracle

What is Fuzzing: The Poet, the Courier, and the Oracle What is Fuzzing: The Poet, the Courier, and the Oracle Fuzzing is well established as an excellent technique for locating vulnerabilities in software. The basic premise is to deliver intentionally malformed

More information

Comparing Application Security Tools

Comparing Application Security Tools Comparing Application Security Tools Defcon 15-8/3/2007 Eddie Lee Fortify Software Agenda Intro to experiment Methodology to reproduce experiment on your own Results from my experiment Conclusions Introduction

More information

The Web AppSec How-to: The Defenders Toolbox

The Web AppSec How-to: The Defenders Toolbox The Web AppSec How-to: The Defenders Toolbox Web application security has made headline news in the past few years. Incidents such as the targeting of specific sites as a channel to distribute malware

More information

Vulnerability Management in Software: Before Patch Tuesday KYMBERLEE PRICE BUGCROWD

Vulnerability Management in Software: Before Patch Tuesday KYMBERLEE PRICE BUGCROWD Vulnerability Management in Software: Before Patch Tuesday KYMBERLEE PRICE BUGCROWD whoami? Senior Director of a Red Team PSIRT Case Manager Data Analyst Internet Crime Investigator Security Evangelist

More information

Network and Host-based Vulnerability Assessment

Network and Host-based Vulnerability Assessment Network and Host-based Vulnerability Assessment A guide for information systems and network security professionals 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free:

More information

Telecom Testing and Security Certification. A.K.MITTAL DDG (TTSC) Department of Telecommunication Ministry of Communication & IT

Telecom Testing and Security Certification. A.K.MITTAL DDG (TTSC) Department of Telecommunication Ministry of Communication & IT Telecom Testing and Security Certification A.K.MITTAL DDG (TTSC) Department of Telecommunication Ministry of Communication & IT 1 Need for Security Testing and Certification Telecom is a vital infrastructure

More information

Nessus Agents. October 2015

Nessus Agents. October 2015 Nessus Agents October 2015 Table of Contents Introduction... 3 What Are Nessus Agents?... 3 Scanning... 4 Results... 6 Conclusion... 6 About Tenable Network Security... 6 2 Introduction Today s changing

More information

Firewall Cracking and Security By: Lukasz Majowicz Dr. Stefan Robila 12/15/08

Firewall Cracking and Security By: Lukasz Majowicz Dr. Stefan Robila 12/15/08 Firewall Cracking and Security By: Lukasz Majowicz Dr. Stefan Robila 12/15/08 What is a firewall? Firewalls are programs that were designed to protect computers from unwanted attacks and intrusions. Wikipedia

More information

The Hacker Strategy. Dave Aitel dave@immunityinc.com. Security Research

The Hacker Strategy. Dave Aitel dave@immunityinc.com. Security Research 1 The Hacker Strategy Dave Aitel dave@immunityinc.com Security Research Who am I? CTO, Immunity Inc. History: NSA->@stake -> Immunity Responsible for new product development Vulnerability Sharing Club

More information

Simple Steps to Securing Your SSL VPN

Simple Steps to Securing Your SSL VPN Simple Steps to Securing Your SSL VPN A five-point strategy for secure remote access Managing secure remote access is a tough job. Because remote systems may directly connect to the Internet rather than

More information

Hack Your SQL Server Database Before the Hackers Do

Hack Your SQL Server Database Before the Hackers Do Note: This article was edited in Oct. 2013, from numerous Web Sources. TJS At the Install: The default install for SQL server makes it is as secure as it will ever be. DBAs and developers will eventually

More information

WHITEPAPER. Nessus Exploit Integration

WHITEPAPER. Nessus Exploit Integration Nessus Exploit Integration v2 Tenable Network Security has committed to providing context around vulnerabilities, and correlating them to other sources, such as available exploits. We currently pull information

More information

How to Avoid an Attack - Security Testing as Part of Your Software Testing Process

How to Avoid an Attack - Security Testing as Part of Your Software Testing Process How to Avoid an Attack - Security Testing as Part of Your Software Testing Process Recent events in the field of information security, which have been publicized extensively in the media - such as the

More information

Steven Kaplan, CISSP, CISA Accuvant skaplan@accuvant.com Sandra Bittner, CISSP Arizona Public Service Palo Verde Nuclear Generating Station

Steven Kaplan, CISSP, CISA Accuvant skaplan@accuvant.com Sandra Bittner, CISSP Arizona Public Service Palo Verde Nuclear Generating Station Steven Kaplan, CISSP, CISA Accuvant skaplan@accuvant.com Sandra Bittner, CISSP Arizona Public Service Palo Verde Nuclear Generating Station The Challenge: Commercial generation facilities must identify

More information

8 Steps for Network Security Protection

8 Steps for Network Security Protection 8 Steps for Network Security Protection cognoscape.com 8 Steps for Network Security Protection Many small and medium sized businesses make the mistake of thinking they won t be the target of hackers because

More information

Security Tools - Hands On

Security Tools - Hands On Security Tools - Hands On SecAppDev 2014 Ken van Wyk, @KRvW! Leuven, Belgium 10-14 February 2014 Caveats and Warnings This is not a sales pitch for any product(s) If you want to talk to a sales person,

More information

8 Steps For Network Security Protection

8 Steps For Network Security Protection 8 Steps For Network Security Protection 8 Steps For Network Security Protection Many small and medium sized businesses make the mistake of thinking they won t be the target of hackers because of their

More information

Cloud Security:Threats & Mitgations

Cloud Security:Threats & Mitgations Cloud Security:Threats & Mitgations Vineet Mago Naresh Khalasi Vayana 1 What are we gonna talk about? What we need to know to get started Its your responsibility Threats and Remediations: Hacker v/s Developer

More information

Secrets of Vulnerability Scanning: Nessus, Nmap and More. Ron Bowes - Researcher, Tenable Network Security

Secrets of Vulnerability Scanning: Nessus, Nmap and More. Ron Bowes - Researcher, Tenable Network Security Secrets of Vulnerability Scanning: Nessus, Nmap and More Ron Bowes - Researcher, Tenable Network Security 1 About me Ron Bowes (@iagox86) My affiliations (note: I m here to educate, not sell) 2 SkullSpace

More information

Nessus. A short review of the Nessus computer network vulnerability analysing tool. Authors: Henrik Andersson Johannes Gumbel Martin Andersson

Nessus. A short review of the Nessus computer network vulnerability analysing tool. Authors: Henrik Andersson Johannes Gumbel Martin Andersson Nessus A short review of the Nessus computer network vulnerability analysing tool Authors: Henrik Andersson Johannes Gumbel Martin Andersson Introduction What is a security scanner? A security scanner

More information

Integrating Web Application Security into the IT Curriculum

Integrating Web Application Security into the IT Curriculum Integrating Web Application Security into the IT Curriculum James Walden Northern Kentucky University Topics 1. 2. 3. 4. Why should we teach web application security? What material do we need to cover?

More information

Today s Rundown 1. What is Red Teaming? 2. So it s just an awesome pen test? 3. Nuts & Bolts of Red Teaming 4. Why should we care? 5.

Today s Rundown 1. What is Red Teaming? 2. So it s just an awesome pen test? 3. Nuts & Bolts of Red Teaming 4. Why should we care? 5. 2 3 About Your Trainer Dakota State University faculty member Bank pen testers in a former life Instructor at Secure Banking Solution s Institute (www.protectmybank.com) I m lucky; I don t have a real

More information

Marble & MobileIron Mobile App Risk Mitigation

Marble & MobileIron Mobile App Risk Mitigation Marble & MobileIron Mobile App Risk Mitigation SOLUTION GUIDE Enterprise users routinely expose their employers data and threaten network security by unknowingly installing malicious mobile apps onto their

More information

CSE331: Introduction to Networks and Security. Lecture 17 Fall 2006

CSE331: Introduction to Networks and Security. Lecture 17 Fall 2006 CSE331: Introduction to Networks and Security Lecture 17 Fall 2006 Announcements Project 2 is due next Weds. Homework 2 has been assigned: It's due on Monday, November 6th. CSE331 Fall 2004 2 Summary:

More information

A Network Administrator s Guide to Web App Security

A Network Administrator s Guide to Web App Security A Network Administrator s Guide to Web App Security Speaker: Orion Cassetto, Product Marketing Manager, Incapsula Moderator: Rich Nass, OpenSystems Media Agenda Housekeeping Presentation Questions and

More information

Automating Security Testing. Mark Fallon Senior Release Manager Oracle

Automating Security Testing. Mark Fallon Senior Release Manager Oracle Automating Security Testing Mark Fallon Senior Release Manager Oracle Some Ground Rules There are no silver bullets You can not test security into a product Testing however, can help discover a large percentage

More information

CSUSB Web Application Security Standard CSUSB, Information Security & Emerging Technologies Office

CSUSB Web Application Security Standard CSUSB, Information Security & Emerging Technologies Office CSUSB, Information Security & Emerging Technologies Office Last Revised: 03/17/2015 Draft REVISION CONTROL Document Title: Author: File Reference: CSUSB Web Application Security Standard Javier Torner

More information

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation... 1. Areas for Improvement... 2

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation... 1. Areas for Improvement... 2 Report No. 13-35 September 27, 2013 Appalachian Regional Commission Table of Contents Results of Evaluation... 1 Areas for Improvement... 2 Area for Improvement 1: The agency should implement ongoing scanning

More information

Management (CSM) Capability

Management (CSM) Capability CDM Configuration Settings Management (CSM) Capability Department of Homeland Security National Cyber Security Division Federal Network Security Network & Infrastructure Security Table of Contents 1 PURPOSE

More information

The AppSec How-To: Achieving Security in DevOps

The AppSec How-To: Achieving Security in DevOps The AppSec How-To: Achieving Security in DevOps How do you integrate security within a Continuous Deployment (CD) environment - where every 5 minutes a feature, an enhancement, or a bug fix needs to be

More information

Security within a development lifecycle. Enhancing product security through development process improvement

Security within a development lifecycle. Enhancing product security through development process improvement Security within a development lifecycle Enhancing product security through development process improvement Who I am Working within a QA environment, with a focus on security for 10 years Primarily web

More information

Feeling Vulnerable? Jamie S. Herman, C CISO, CISM, CISSP Balazs Bucsay, OSCE, OSCP, GIAC, GPEN

Feeling Vulnerable? Jamie S. Herman, C CISO, CISM, CISSP Balazs Bucsay, OSCE, OSCP, GIAC, GPEN Feeling Vulnerable? Jamie S. Herman, C CISO, CISM, CISSP Balazs Bucsay, OSCE, OSCP, GIAC, GPEN Balazs Bucsay A Little About Us Hungarian Hacker 14 years of experience in IT- Security Strictly technical

More information

1 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

1 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information 1 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information Proteggere i dati direttamente nel database Una proposta tecnologica Angelo Maria Bosis Sales Consulting Senior Manager

More information

Secure Software Development Lifecycle. Security... Not getting better

Secure Software Development Lifecycle. Security... Not getting better Secure Software Development Lifecycle This lecture provides reference material for the book entitled The Art of Software Security Testing by Wysopal et al. 2007 This lecture material is copyrighted by

More information

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT How advancements in automated security testing software empower organizations to continuously measure information

More information

IDS and Penetration Testing Lab ISA656 (Attacker)

IDS and Penetration Testing Lab ISA656 (Attacker) IDS and Penetration Testing Lab ISA656 (Attacker) Ethics Statement Network Security Student Certification and Agreement I,, hereby certify that I read the following: University Policy Number 1301: Responsible

More information

INTERNATIONAL JOURNAL OF COMPUTER ENGINEERING & TECHNOLOGY (IJCET)

INTERNATIONAL JOURNAL OF COMPUTER ENGINEERING & TECHNOLOGY (IJCET) INTERNATIONAL JOURNAL OF COMPUTER ENGINEERING & TECHNOLOGY (IJCET) International Journal of Computer Engineering and Technology (IJCET), ISSN 0976 ISSN 0976 6367(Print) ISSN 0976 6375(Online) Volume 3,

More information

A Case for Managed Security

A Case for Managed Security A Case for Managed Security By Christopher Harper Managing Director, Security Superior Managed IT & Security Services 1. INTRODUCTION Most firms believe security breaches happen because of one key malfunction

More information

White Paper. Automating Your Code Review: Moving to a SaaS Model for Application Security

White Paper. Automating Your Code Review: Moving to a SaaS Model for Application Security White Paper Automating Your Code Review: Moving to a SaaS Model for Application Security Contents Overview... 3 Executive Summary... 3 Code Review and Security Analysis Methods... 5 Source Code Review

More information

Open Software and Trust Better Than Free? April 28, 2015 Start Time: 9am US Pacific /12 noon US Eastern/ 5pm London Time

Open Software and Trust Better Than Free? April 28, 2015 Start Time: 9am US Pacific /12 noon US Eastern/ 5pm London Time Open Software and Trust Better Than Free? April 28, 2015 Start Time: 9am US Pacific /12 noon US Eastern/ 5pm London Time 1 T Sponsored by: #ISSAWebConf 2 Welcome Conference Moderator Phillip Griffin CISM,

More information

Will Dormann: Sure. Fuzz testing is a way of testing an application in a way that you want to actually break the program.

Will Dormann: Sure. Fuzz testing is a way of testing an application in a way that you want to actually break the program. The Power of Fuzz Testing to Reduce Security Vulnerabilities Transcript Part 1: Why Fuzz Testing? Julia Allen: Welcome to CERT's podcast series: Security for Business Leaders. The CERT program is part

More information

Host-based Intrusion Prevention System (HIPS)

Host-based Intrusion Prevention System (HIPS) Host-based Intrusion Prevention System (HIPS) White Paper Document Version ( esnhips 14.0.0.1) Creation Date: 6 th Feb, 2013 Host-based Intrusion Prevention System (HIPS) Few years back, it was relatively

More information

PREVENTING ZERO-DAY ATTACKS IN MOBILE DEVICES

PREVENTING ZERO-DAY ATTACKS IN MOBILE DEVICES PREVENTING ZERO-DAY ATTACKS IN MOBILE DEVICES Ira Winkler Codenomicon Session ID: MBS-W05 Session Classification: Intermediate Zero Day Attacks Zero day attacks are rising in prominence They tend to be

More information

BackTrack 5 tutorial Part I: Information gathering and VA tools

BackTrack 5 tutorial Part I: Information gathering and VA tools P a g e 1 BackTrack 5 tutorial Part I: Information gathering and VA tools Karthik R, Contributor You can read the original story here, on SearchSecurity.in. BackTrack 5, codenamed Revolution, the much

More information

Why is a strong password important?

Why is a strong password important? Internet Security Why is a strong password important? Identity theft motives: To gain access to resources For the challenge/fun Personal reasons Theft methods Brute forcing and other script hacking methods

More information

Client logo placeholder XXX REPORT. Page 1 of 37

Client logo placeholder XXX REPORT. Page 1 of 37 Client logo placeholder XXX REPORT Page 1 of 37 Report Details Title Xxx Penetration Testing Report Version V1.0 Author Tester(s) Approved by Client Classification Confidential Recipient Name Title Company

More information

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

ITEC441- IS Security. Chapter 15 Performing a Penetration Test 1 ITEC441- IS Security Chapter 15 Performing a Penetration Test The PenTest A penetration test (pentest) simulates methods that intruders use to gain unauthorized access to an organization s network and

More information

Student Tech Security Training. ITS Security Office

Student Tech Security Training. ITS Security Office Student Tech Security Training ITS Security Office ITS Security Office Total Security is an illusion security will always be slightly broken. Find strategies for living with it. Monitor our Network with

More information

Streamlining Application Vulnerability Management: Communication Between Development and Security Teams

Streamlining Application Vulnerability Management: Communication Between Development and Security Teams Streamlining Application Vulnerability Management: Communication Between Development and Security Teams October 13, 2012 OWASP Boston Application Security Conference Agenda Introduction / Background Vulnerabilities

More information

How to Grow and Transform your Security Program into the Cloud

How to Grow and Transform your Security Program into the Cloud How to Grow and Transform your Security Program into the Cloud Wolfgang Kandek Qualys, Inc. Session ID: SPO-207 Session Classification: Intermediate Agenda Introduction Fundamentals of Vulnerability Management

More information

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities

More information

Web application security: automated scanning versus manual penetration testing.

Web application security: automated scanning versus manual penetration testing. Web application security White paper January 2008 Web application security: automated scanning versus manual penetration testing. Danny Allan, strategic research analyst, IBM Software Group Page 2 Contents

More information

Goals. Understanding security testing

Goals. Understanding security testing Getting The Most Value From Your Next Network Penetration Test Jerald Dawkins, Ph.D. True Digital Security p. o. b o x 3 5 6 2 3 t u l s a, O K 7 4 1 5 3 p. 8 6 6. 4 3 0. 2 5 9 5 f. 8 7 7. 7 2 0. 4 0 3

More information

NEXPOSE ENTERPRISE METASPLOIT PRO. Effective Vulnerability Management and validation. March 2015

NEXPOSE ENTERPRISE METASPLOIT PRO. Effective Vulnerability Management and validation. March 2015 NEXPOSE ENTERPRISE METASPLOIT PRO Effective Vulnerability Management and validation March 2015 KEY SECURITY CHALLENGES Common Challenges Organizations Experience Key Security Challenges Visibility gaps

More information

How To Test For Security On A Network Without Being Hacked

How To Test For Security On A Network Without Being Hacked A Simple Guide to Successful Penetration Testing Table of Contents Penetration Testing, Simplified. Scanning is Not Testing. Test Well. Test Often. Pen Test to Avoid a Mess. Six-phase Methodology. A Few

More information

Integrating Tools Into the SDLC

Integrating Tools Into the SDLC Integrating Tools Into the SDLC FIRST Conference 2007 The problem Too many organizations have either: Failed to try software security tools at all Tried tools, but became overwhelmed Tools relegated to

More information

Amadeus Shaping the future of travel

Amadeus Shaping the future of travel 2015 Amadeus IT Group SA Amadeus Shaping the future of travel Neill Cameron Application Security Office 9 July 2015 2015 Amadeus IT Group SA Amadeus in a few words Amadeus is a technology and SaaS company

More information

Application Code Development Standards

Application Code Development Standards Application Code Development Standards Overview This document is intended to provide guidance to campus system owners and software developers regarding secure software engineering practices. These standards

More information

<Insert Picture Here> Third Party Software Some Security Considerations

<Insert Picture Here> Third Party Software Some Security Considerations 1 Third Party Software Some Security Considerations John Heimann Vice President, Security Program Management Global Product Security Third Party Software Oracle products (and those

More information

Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War

Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War Vulnerability Risk Management 2.0 Best Practices for Managing Risk in the New Digital War In 2015, 17 new security vulnerabilities are identified every day. One nearly every 90 minutes. This consistent

More information

How to Get from Scans to a Vulnerability Management Program

How to Get from Scans to a Vulnerability Management Program How to Get from Scans to a Vulnerability Management Program Gary McCully Any views or opinions presented are solely those of the author and do not necessarily represent those of SecureState LLC. Synopsis

More information

Build it, Break it, Fix it A new security contest

Build it, Break it, Fix it A new security contest Build it, Break it, Fix it A new security contest Prof. Michael Hicks co-conceived with Andrew Ruef and co-developed with Jan Plane, Atif Memon, and David Levin University of Maryland, College Park USA

More information

How I Learned to Stop Worrying and Love Compliance Ron Gula, CEO Tenable Network Security

How I Learned to Stop Worrying and Love Compliance Ron Gula, CEO Tenable Network Security How I Learned to Stop Worrying and Love Compliance Ron Gula, CEO Tenable Network Security PART 1 - COMPLIANCE STANDARDS PART 2 SECURITY IMPACT THEMES BUILD A MODEL THEMES MONITOR FOR FAILURE THEMES DEMONSTRATE

More information

The need for Security Testing An Introduction to the OSSTMM 3.0

The need for Security Testing An Introduction to the OSSTMM 3.0 The need for Security Testing An Introduction to the OSSTMM 3.0 Charles W. Fullerton OPST,CISSP,CSS1,CCNP,CCDA,CNA,A+ Founder, CEO Charles W. Fullerton Institute of Analysis www.cia-sec.com The need for

More information

SAFECode Security Development Lifecycle (SDL)

SAFECode Security Development Lifecycle (SDL) SAFECode Security Development Lifecycle (SDL) Michael Howard Microsoft Matthew Coles EMC 15th Semi-annual Software Assurance Forum, September 12-16, 2011 Agenda Introduction to SAFECode Security Training

More information

Cyber Essentials KAMI VANIEA 2

Cyber Essentials KAMI VANIEA 2 Cyber Essentials DR. KAMI VANIEA KAMI VANIEA 2 First, the news Office of Personnel Management http://www.usatoday.com/story/news/politics/2015/06/23/op m-hack-senate-archuleta-hearing/29153773/ KAMI VANIEA

More information

Network Detective. Network Detective Inspector. 2015 RapidFire Tools, Inc. All rights reserved 20151013 Ver 3D

Network Detective. Network Detective Inspector. 2015 RapidFire Tools, Inc. All rights reserved 20151013 Ver 3D Network Detective 2015 RapidFire Tools, Inc. All rights reserved 20151013 Ver 3D Contents Overview... 3 Components of the Inspector... 3 Inspector Appliance... 3 Inspector Diagnostic Tool... 3 Network

More information

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit. The hidden risks of mobile applications This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit. To learn more about TraceSecurity visit www.tracesecurity.com

More information

Integrated Threat & Security Management.

Integrated Threat & Security Management. Integrated Threat & Security Management. SOLUTION OVERVIEW Vulnerability Assessment for Web Applications Fully Automated Web Crawling and Reporting Minimal Website Training or Learning Required Most Accurate

More information

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG) SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG) A RSACCESS WHITE PAPER 1 Microsoft Forefront Unified Access Gateway Overview 2 Safe-T RSAccess Secure Front-end Overview

More information

NWEN405: Security Engineering

NWEN405: Security Engineering NWEN405: Security Engineering Lecture 15 Secure Software Engineering: Security Evaluation Engineering & Computer Science Victoria University of Wellington Dr Ian Welch (ian.welch@vuw.ac.nz) Waterfall Secure

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

Security Mgt. Tools and Subsystems

Security Mgt. Tools and Subsystems Security Mgt. Tools and Subsystems some attack and defense security tools at work Reconaissance Passive Active Penetration Classes of tools (network-bound) Passive Reconaissance Passively listen and analyze

More information

Understand Backup and Recovery Methods

Understand Backup and Recovery Methods Understand Backup and Recovery Methods Lesson Overview Understand backup and recovery methods. In this lesson, you will explore: Backup management Backup options Recovery methods Backup Management Windows

More information

Vulnerability Assessment Lab

Vulnerability Assessment Lab Vulnerability Assessment Lab Fully assessing a company's security posture is a critical job to maintain intellectual property integrity, and protect customer information. As a security auditor your job

More information

Attacking the Traveling Salesman Point-of-sale attacks on airline travelers DEFCON 2014

Attacking the Traveling Salesman Point-of-sale attacks on airline travelers DEFCON 2014 Attacking the Traveling Salesman Point-of-sale attacks on airline travelers DEFCON 2014 Alex Zacharis Nikos Tsagkarakis info@census-labs.com Census S.A. http://census-labs.com/ Contents Why target travelers?

More information

Manipulating Microsoft SQL Server Using SQL Injection

Manipulating Microsoft SQL Server Using SQL Injection Manipulating Microsoft SQL Server Using SQL Injection Author: Cesar Cerrudo (sqlsec@yahoo.com) APPLICATION SECURITY, INC. WEB: E-MAIL: INFO@APPSECINC.COM TEL: 1-866-9APPSEC 1-212-947-8787 INTRODUCTION

More information

ADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT

ADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT ADDING NETWORK INTELLIGENCE INTRODUCTION Vulnerability management is crucial to network security. Not only are known vulnerabilities propagating dramatically, but so is their severity and complexity. Organizations

More information

Blended Security Assessments

Blended Security Assessments Blended Security Assessments Combining Active, Passive and Host Assessment Techniques October 12, 2009 (Revision 9) Renaud Deraison Director of Research Ron Gula Chief Technology Officer Table of Contents

More information

Security Testing. How security testing is different Types of security attacks Threat modelling

Security Testing. How security testing is different Types of security attacks Threat modelling Security Testing How security testing is different Types of security attacks Threat modelling Note: focus is on security of applications (not networks, operating systems) Security testing is about making

More information

A POLYCOM WHITEPAPER Polycom. Recommended Best Security Practices for Unified Communications

A POLYCOM WHITEPAPER Polycom. Recommended Best Security Practices for Unified Communications Polycom Recommended Best Security Practices for Unified Communications March 2012 Unified Communications (UC) can be viewed as another set of data and protocols utilizing IP networks. From a security perspective,

More information

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004 A Database Security Management White Paper: Securing the Information Business Relies On November 2004 IPLocks, Inc. 441-A W. Trimble Road, San Jose, CA 95131 USA A Database Security Management White Paper:

More information

SECURITY RISK MANAGEMENT. FIRST 2007 Seville, Spain

SECURITY RISK MANAGEMENT. FIRST 2007 Seville, Spain SECURITY RISK MANAGEMENT FROM TECHNOLOGY VISION TO MARKET REALITY Avi Corfas, VP EMEA Skybox Security FIRST 2007 Seville, Spain Topics The Risk Assessment Challenge What Is IT Security Risk Management?

More information

Countering The Faults Of Web Scanners Through Byte-code Injection

Countering The Faults Of Web Scanners Through Byte-code Injection Countering The Faults Of Web Scanners Through Byte-code Injection Introduction Penetration testing, web application scanning, black box security testing these terms all refer to a common technique of probing

More information

Passing PCI Compliance How to Address the Application Security Mandates

Passing PCI Compliance How to Address the Application Security Mandates Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These

More information

The Peak of Chaos Shane D. Shook, PhD 10/31/2012

The Peak of Chaos Shane D. Shook, PhD 10/31/2012 w h a c k e r n a v k n d n h m y a w h o? n r h p e n c n o s a n w s o v y i d u n n n r n m s r k d e a i k o w i r c d i o m u t w e t w s u t s i v i t c a Shane D. Shook, PhD 10/31/2012 Cyber Crime

More information

Quick Start Guide: Utilizing Nessus to Secure Microsoft Azure

Quick Start Guide: Utilizing Nessus to Secure Microsoft Azure Quick Start Guide: Utilizing Nessus to Secure Microsoft Azure Introduction Tenable Network Security is the first and only solution to offer security visibility, Azure cloud environment auditing, system

More information

Automatic vs. Manual Code Analysis

Automatic vs. Manual Code Analysis Automatic vs. Manual Code Analysis 2009-11-17 Ari Kesäniemi Senior Security Architect Nixu Oy ari.kesaniemi@nixu.com Copyright The Foundation Permission is granted to copy, distribute and/or modify this

More information

Analysis of SQL injection prevention using a proxy server

Analysis of SQL injection prevention using a proxy server Computer Science Honours 2005 Project Proposal Analysis of SQL injection prevention using a proxy server By David Rowe Supervisor: Barry Irwin Department of Computer

More information

Automated Penetration Testing with the Metasploit Framework. NEO Information Security Forum March 19, 2008

Automated Penetration Testing with the Metasploit Framework. NEO Information Security Forum March 19, 2008 Automated Penetration Testing with the Metasploit Framework NEO Information Security Forum March 19, 2008 Topics What makes a good penetration testing framework? Frameworks available What is the Metasploit

More information

White Paper The Dynamic Nature of Virtualization Security

White Paper The Dynamic Nature of Virtualization Security White Paper The Dynamic Nature of Virtualization Security The need for real-time vulnerability management and risk assessment Introduction Virtualization is radically shifting how enterprises deploy, deliver,

More information

24/7 Visibility into Advanced Malware on Networks and Endpoints

24/7 Visibility into Advanced Malware on Networks and Endpoints WHITEPAPER DATA SHEET 24/7 Visibility into Advanced Malware on Networks and Endpoints Leveraging threat intelligence to detect malware and exploitable vulnerabilities Oct. 24, 2014 Table of Contents Introduction

More information

TECHNICAL NOTE 08/04 IINTRODUCTION TO VULNERABILITY ASSESSMENT TOOLS

TECHNICAL NOTE 08/04 IINTRODUCTION TO VULNERABILITY ASSESSMENT TOOLS TECHNICAL NOTE 08/04 IINTRODUCTION TO VULNERABILITY ASSESSMENT TOOLS 1 OCTOBER 2004 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor

More information

Application Security Testing. Jesper Kråkhede

Application Security Testing. Jesper Kråkhede Application Security Testing Jesper Kråkhede AST 2015-10-22 2 Others call it security and try to avoid it I call it passion and dive right into it Jesper Kråkhede Worked as a security consultant for 17

More information

Configuring Virtual Switches for Use with PVS. February 7, 2014 (Revision 1)

Configuring Virtual Switches for Use with PVS. February 7, 2014 (Revision 1) Configuring Virtual Switches for Use with PVS February 7, 2014 (Revision 1) Table of Contents Introduction... 3 Basic PVS VM Configuration... 3 Platforms... 3 VMware ESXi 5.5... 3 Configure the ESX Management

More information

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability

More information

VULNERABILITY ASSESSMENT WHITEPAPER INTRODUCTION, IMPLEMENTATION AND TECHNOLOGY DISCUSSION

VULNERABILITY ASSESSMENT WHITEPAPER INTRODUCTION, IMPLEMENTATION AND TECHNOLOGY DISCUSSION VULNERABILITY ASSESSMENT WHITEPAPER INTRODUCTION, IMPLEMENTATION AND TECHNOLOGY DISCUSSION copyright 2003 securitymetrics Security Vulnerabilities of Computers & Servers Security Risks Change Daily New

More information

HP Application Security Center

HP Application Security Center HP Application Security Center Web application security across the application lifecycle Solution brief HP Application Security Center helps security professionals, quality assurance (QA) specialists and

More information

Best Practices for Threat & Vulnerability Management. Don t let vulnerabilities monopolize your organization.

Best Practices for Threat & Vulnerability Management. Don t let vulnerabilities monopolize your organization. Best Practices for Threat & Vulnerability Management Don t let vulnerabilities monopolize your organization. Table of Contents 1. Are You in the Lead? 2. A Winning Vulnerability Management Program 3. Vulnerability

More information

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER WHITE PAPER CHALLENGES Protecting company systems and data from costly hacker intrusions Finding tools and training to affordably and effectively enhance IT security Building More Secure Companies (and

More information
2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback | Do Not Sell My Personal Information