DEVELOPING SECURE SOFTWARE

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "DEVELOPING SECURE SOFTWARE"

Transcription

1 DEVELOPING SECURE SOFTWARE A FOUNDATION FOR CLOUD AND IOT SECURITY Eric Senior Director, Product Security Office EMC Corporation Chairman of SAFECode CSA EMEA Congress November

2 ABOUT SAFECODE The Software Assurance Forum for Excellence in Code (SAFECode) is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Howard A. Schmidt Executive Director Associate Members Autodesk Boeing Cigital Codenomicon Huawei NetApp SonaType Telecommunications Systems, Inc. VeraCode VMware 2

3 SOFTWARE RUNS ON NEW TYPES OF HARDWARE... 3

4 ...SAME SOFTWARE SECURITY PROBLEMS Law of Software Assurance All software has errors and a small subset of these errors result in software vulnerabilities 4

5 STRONGEST SECURITY TECHNOLOGIES DO NOT SUSTAIN INSECURE SOFTWARE Insecure Software Secure Communications 5

6 SECURE SOFTWARE IS A FOUNDATION FOR CLOUD AND IOT SECURITY ARCHITECTURES Cloud New consumption model New deployment model New trust boundaries Internet of Things New physical boundaries New device management model New privacy challenges Same Fundamental Practices for Secure Software Development Comprehensive and holistic Adapt to new threats and new models 6

7 SOFTWARE ASSURANCE STAKEHOLDERS Software Professional Technology Developer Technology Consumer Create the software directly or indirectly for the technology developer Leverage software to deliver products, applications or services to customers Buy or use the products / services delivered by the technology developer 7

8 THE SOFTWARE PROFESSIONAL CREATE THE SOFTWARE FOR THE TECHNOLOGY DEVELOPER Rapidly growing population 48% of software developers never received a degree in computer science (*) Graduates from colleges receive little to no security training SAFECode Principle: Awareness of software assurance is fundamental to software engineering proficiency. (*) Source: Stackoverflow 2015 Developer Survey 8

9 SAFECODE TRAINING RESOURCES & ACTION PLAN All Colleges & Universities Employers Technical training modules available online for free Include software assurance awareness in any software engineering curriculum Include requirements for software assurance skills in software engineering job postings Introduction to Cryptography Secure Memory Handling in C 101 Threat Modeling 101 Secure Java Programming 101 Cross Site Scripting (XSS) 101 Product Penetration Testing 101 Auth 101: A Passwords Backgrounder for Everyone DOH: Default, Obscure and Hidden Content for Everyone An Introduction to Windows Access Controls File Permissions 101: Linux and OS X Injections 101: SQL and Beyond CSRF 101: Cross Site Request Forgery for Everyone 9

10 THE TECHNOLOGY DEVELOPER LEVERAGE SOFTWARE TO DELIVER PRODUCTS OR SERVICES TO CUSTOMERS Subject to non-realistic software assurance expectations Required to adapt their software engineering processes and train their workforce Increasingly leverage open source software SAFECode Principle: Secure software development is an organizational commitment and a holistic process 10

11 FUNDAMENTAL PRACTICES FOR SECURE SOFTWARE DEVELOPMENT SAFECode Fundamental Practices for Secure Development Experts have converged on core set of secure development practices that can be applied across diverse development environments to improve software security Threat Modeling Use Least Privilege Implement Sandboxing Minimize Use of Unsafe String and Buffer Functions Validate Input and Output to Mitigate Common Vulnerabilities Use Robust Integer Operations for Dynamic Memory Allocations and Array Offsets Use Anti-Cross Site Scripting (XSS) Libraries Use Canonical Data Formats Avoid String Concatenation for Dynamic SQL Statements Eliminate Weak Cryptography Use Logging and Tracing Determine Attack Surface Use Appropriate Testing Tools Perform Fuzz / Robustness Testing Perform Penetration Testing Use a Current Compiler Toolset Use Static Analysis Tools 11

12 THE TECHNOLOGY CONSUMERS / BUYERS CONSUMES PRODUCTS OR SERVICES DELIVERED BY THE TECHNOLOGY DEVELOPER Need to manage technology risk Lack of broadly adopted standards to assess security of procured software Often use ad hoc and ineffective assessment methods SAFECode Principle: developers should work towards providing more transparency in software assurance processes and practices to help customers and other key stakeholders manage risk effectively. 12

13 SOFTWARE ASSURANCE ASSESSMENT TODAY TOO MANY AD HOC AND INEFFECTIVE APPROACHES Ineffective assessment methods Require suppliers to: Attest that no vulnerabilities exist in code Share product source code Share known vulnerabilities Adopt specific tools or coding standards Challenges for suppliers Ad hoc assessment are not scalable across customers Divert expert resources from more critical tasks Misalignment with realworld secure development practices 13

14 Low High SUPPLIER ASSESSMENT FRAMEWORK Supplier Software Assurance Maturity TO BE RELEASED: END OF NOVEMBER 2015 Vendor Process Review: 1. Secure development practices 2. Product security governance 3. Vulnerability response process International Standards: IEC/ISA (industrial automation and control products) ISO/IEC : 2011 (Application security) Software Testing Penetration testing or, Binary code analysis or, Network scanning International standards focused on the IT industry lack maturity or are not broadly adopted. Now Timeline for broad adoption Future 14

15 SOFTWARE ASSURANCE: TAKE ACTION NOW Software Professional Technology Developer Technology Consumer All: Leverage online training available Academia: Teach software assurance to all software engineering students Adopt a holistic proven software assurance process as a foundation to any security architecture Use standard-based framework to assess suppliers software assurance process 15

16 Blog: Eric 16

SAFECode Security Development Lifecycle (SDL)

SAFECode Security Development Lifecycle (SDL) SAFECode Security Development Lifecycle (SDL) Michael Howard Microsoft Matthew Coles EMC 15th Semi-annual Software Assurance Forum, September 12-16, 2011 Agenda Introduction to SAFECode Security Training

More information

Principles for Software Assurance Assessment. A Framework for Examining the Secure Development Processes of Commercial Technology Providers

Principles for Software Assurance Assessment. A Framework for Examining the Secure Development Processes of Commercial Technology Providers A Framework for Examining the Secure Development Processes of Commercial Technology Providers PRIMARY AUTHORS: Shaun Gilmore, Senior Security Program Manager, Trustworthy Computing, Microsoft Corporation

More information

Software Assurance Forum for Excellence in Code

Software Assurance Forum for Excellence in Code Software Assurance Forum for Excellence in Code Security Engineering Training: Building the Foundation for Software Security Success March 2012 About SAFECode The Software Assurance Forum for Excellence

More information

The Secure Software Development Lifecycle at SAP

The Secure Software Development Lifecycle at SAP Product at SAP The Secure Software Development Lifecycle at SAP Table of Contents 3 Activities in SAP Software Development 3 Training 3 Risk Assessment 5 Planning 6 Secure Development 7 Testing 8 Validation

More information

Development. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group,

Development. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group, Secure and Resilient Software Development Mark S. Merkow Lakshmikanth Raghavan CRC Press Taylor& Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor St Francis Group, an Informs

More information

Developing Secure Software in the Age of Advanced Persistent Threats

Developing Secure Software in the Age of Advanced Persistent Threats Developing Secure Software in the Age of Advanced Persistent Threats ERIC BAIZE EMC Corporation DAVE MARTIN EMC Corporation Session ID: ASEC-201 Session Classification: Intermediate Our Job: Keep our Employer

More information

Panel: SwA Practices - Getting to Effectiveness in Implementation

Panel: SwA Practices - Getting to Effectiveness in Implementation Panel: SwA Practices - Getting to Effectiveness in Implementation (EMC s Evolution of Product Security Assurance) Dan Reddy, CISSP, CSSLP EMC Product Security Office Software Assurance Forum Gaithersburg,

More information

Adobe Systems Incorporated

Adobe Systems Incorporated Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...

More information

VOLUME 4. State of Software Security Report. The Intractable Problem of Insecure Software

VOLUME 4. State of Software Security Report. The Intractable Problem of Insecure Software VOLUME 4 State of Software Security Report The Intractable Problem of Insecure Software December 7, 2011 Executive Summary The following are some of the most significant findings in the Veracode State

More information

ensuring security the way how we do it

ensuring security the way how we do it ensuring security the way how we do it HUSTEF, 2015.11.18 Attila Tóth 1 Nokia Solutions and Networks 2014 Disclaimer The ideas, processes, tools are presented from a practitioner s point of view working

More information

elearning for Secure Application Development

elearning for Secure Application Development elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security

More information

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP How to start a software security initiative within your organization: a maturity based and metrics driven approach Marco Morana OWASP Lead/ TISO Citigroup OWASP Application Security For E-Government Copyright

More information

Editor Stacy Simpson, SAFECode. Contributors

Editor Stacy Simpson, SAFECode. Contributors Fundamental Practices for Secure Software Development A Guide to the Most Effective Secure Development Practices in Use Today OCTOBER 8, 2008 Editor Stacy Simpson, SAFECode Contributors Gunter Bitz, SAP

More information

R&D Security Training. Based on materials from OWASP

R&D Security Training. Based on materials from OWASP R&D Security Training Based on materials from OWASP Agenda Reasons for IT Security The web application security challenge 10 Most Critical Risks (OWASP Top 10) Security Development Lifecycle (SDL) Security

More information

Next Generation Strategies for Software Security in Critical Systems & Securing the Supply Chain BSides

Next Generation Strategies for Software Security in Critical Systems & Securing the Supply Chain BSides Next Generation Strategies for Software Security in Critical Systems & Securing the Supply Chain BSides Daniel Thanos (daniel.thanos@telus.com) Director Advanced Cybersecurity & Strategic Programs September,

More information

Automating Security Testing. Mark Fallon Senior Release Manager Oracle

Automating Security Testing. Mark Fallon Senior Release Manager Oracle Automating Security Testing Mark Fallon Senior Release Manager Oracle Some Ground Rules There are no silver bullets You can not test security into a product Testing however, can help discover a large percentage

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

Development Processes (Lecture outline)

Development Processes (Lecture outline) Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development

More information

VOLUME 3. State of Software Security Report. The Intractable Problem of Insecure Software

VOLUME 3. State of Software Security Report. The Intractable Problem of Insecure Software VOLUME 3 State of Software Security Report The Intractable Problem of Insecure Software Executive Summary April 19, 2011 Executive Summary The following are some of the most significant findings in the

More information

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction

More information

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle A Strategic Approach to Web Application Security The importance of a secure software development lifecycle Rachna Goel Technical Lead Enterprise Technology Web application security is clearly the new frontier

More information

Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP

Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP Presentation Overview Basic Application Security (AppSec) Fundamentals Risks Associated With

More information

A Strategic Approach to Web Application Security

A Strategic Approach to Web Application Security WhiteHat Security White Paper A Strategic Approach to Web Application Security Extending security across the entire software development lifecycle Jerry Hoff WhiteHat Security The problem: websites are

More information

Juniper Networks Secure

Juniper Networks Secure White Paper Juniper Networks Secure Development Lifecycle Six Practices for Improving Product Security Copyright 2013, Juniper Networks, Inc. 1 Table of Contents Executive Summary...3 Introduction...3

More information

Architectural Design Patterns. Design and Use Cases for OWASP. Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A. http://www.owasp.

Architectural Design Patterns. Design and Use Cases for OWASP. Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A. http://www.owasp. Architectural Design Patterns for SSO (Single Sign On) Design and Use Cases for Financial i Web Applications Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A. OWASP Copyright The OWASP Foundation Permission

More information

G- Cloud Specialist Cloud Services. Security and Penetration Testing. Overview

G- Cloud Specialist Cloud Services. Security and Penetration Testing. Overview Description C Service Overview G- Cloud Specialist Cloud Services Security and Penetration Testing This document provides a description of TVS s Security and Penetration Testing Service offered under the

More information

05.0 Application Development

05.0 Application Development Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development

More information

Security Testing & Load Testing for Online Document Management system

Security Testing & Load Testing for Online Document Management system 1 Security Testing & Load Testing for Online Document Management system Abstract The client is a leading provider of online technical documentation solutions in UK, they wanted to protect their documents

More information

Cutting Edge Practices for Secure Software Engineering

Cutting Edge Practices for Secure Software Engineering Cutting Edge Practices for Secure Software Engineering Kanchan Hans Amity Institute of Information Technology Amity University, Noida, 201301, India khans@amity.edu Abstract Security has become a high

More information

SERENA SOFTWARE Serena Service Manager Security

SERENA SOFTWARE Serena Service Manager Security SERENA SOFTWARE Serena Service Manager Security 2014-09-08 Table of Contents Who Should Read This Paper?... 3 Overview... 3 Security Aspects... 3 Reference... 6 2 Serena Software Operational Security (On-Demand

More information

Top Web Application Security Issues. Daniel Ramsbrock, CISSP, GSSP

Top Web Application Security Issues. Daniel Ramsbrock, CISSP, GSSP Top Web Application Security Issues Daniel Ramsbrock, CISSP, GSSP daniel ramsbrock.com Presentation Overview Background and experience Financial services case study Common findings: Weak input validation

More information

Testing for Security

Testing for Security Testing for Security Kenneth Ingham September 29, 2009 1 Course overview The threat that security breaches present to your products and ultimately your customer base can be significant. This course is

More information

White Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers

White Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers White Paper Guide to PCI Application Security Compliance for Merchants and Service Providers Contents Overview... 3 I. The PCI DSS Requirements... 3 II. Compliance and Validation Requirements... 4 III.

More information

SAST, DAST and Vulnerability Assessments, 1+1+1 = 4

SAST, DAST and Vulnerability Assessments, 1+1+1 = 4 SAST, DAST and Vulnerability Assessments, 1+1+1 = 4 Gordon MacKay Digital Defense, Inc. Chris Wysopal Veracode Session ID: Session Classification: ASEC-W25 Intermediate AGENDA Risk Management Challenges

More information

Where every interaction matters.

Where every interaction matters. Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper

More information

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that

More information

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006 Introduction to Web Application Security Microsoft CSO Roundtable Houston, TX September 13 th, 2006 Overview Background What is Application Security and Why Is It Important? Examples Where Do We Go From

More information

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP) Title: Functional Category: Information Technology Services Issuing Department: Information Technology Services Code Number: xx.xxx.xx Effective Date: xx/xx/2014 1.0 PURPOSE 1.1 To appropriately manage

More information

Promoting Application Security within Federal Government. AppSec DC November 13, 2009. The OWASP Foundation http://www.owasp.org

Promoting Application Security within Federal Government. AppSec DC November 13, 2009. The OWASP Foundation http://www.owasp.org Promoting Application Security within Federal Government AppSec DC November 13, 2009 Dr. Sarbari Gupta, CISSP, CISA Founder/President Electrosoft sarbari@electrosoft-inc.com 703-437-9451 ext 12 The Foundation

More information

Integrating Application Security into the Mobile Software Development Lifecycle. WhiteHat Security Paper

Integrating Application Security into the Mobile Software Development Lifecycle. WhiteHat Security Paper Integrating Application Security into the Mobile Software Development Lifecycle WhiteHat Security Paper Keeping pace with the growth of mobile According to the November 2015 edition of the Ericsson Mobility

More information

(WAPT) Web Application Penetration Testing

(WAPT) Web Application Penetration Testing (WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must

More information

Cloud Security:Threats & Mitgations

Cloud Security:Threats & Mitgations Cloud Security:Threats & Mitgations Vineet Mago Naresh Khalasi Vayana 1 What are we gonna talk about? What we need to know to get started Its your responsibility Threats and Remediations: Hacker v/s Developer

More information

Telecom Testing and Security Certification. A.K.MITTAL DDG (TTSC) Department of Telecommunication Ministry of Communication & IT

Telecom Testing and Security Certification. A.K.MITTAL DDG (TTSC) Department of Telecommunication Ministry of Communication & IT Telecom Testing and Security Certification A.K.MITTAL DDG (TTSC) Department of Telecommunication Ministry of Communication & IT 1 Need for Security Testing and Certification Telecom is a vital infrastructure

More information

Chapter 4 Application, Data and Host Security

Chapter 4 Application, Data and Host Security Chapter 4 Application, Data and Host Security 4.1 Application Security Chapter 4 Application Security Concepts Concepts include fuzzing, secure coding, cross-site scripting prevention, crosssite request

More information

Editor Stacy Simpson, SAFECode. Contributors

Editor Stacy Simpson, SAFECode. Contributors Security Engineering Training A Framework for Corporate Training Programs on the Principles of Secure Software Development April 20, 2009 Editor Stacy Simpson, SAFECode Contributors Eric Baize, EMC Corporation

More information

Introduction to Application Security. Trinity University Computer Science. September 18 th, 2008

Introduction to Application Security. Trinity University Computer Science. September 18 th, 2008 Introduction to Application Security Trinity University Computer Science September 18 th, 2008 Overview Background What is Application Security and Why Is It Important? Examples Where Do We Go From Here?

More information

Protect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance

Protect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance Protect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance Sponsored by the U.S. Department of Homeland Security (DHS), the Software Engineering Institute

More information

CompTIA Mobile App Security+ Certification Exam (Android Edition) Live exam ADR-001 Beta Exam AD1-001

CompTIA Mobile App Security+ Certification Exam (Android Edition) Live exam ADR-001 Beta Exam AD1-001 CompTIA Mobile App Security+ Certification Exam (Android Edition) Live exam ADR-001 Beta Exam AD1-001 INTRODUCTION This exam will certify that the successful candidate has the knowledge and skills required

More information

CompTIA Security+ (Exam SY0-410)

CompTIA Security+ (Exam SY0-410) CompTIA Security+ (Exam SY0-410) Length: Location: Language(s): Audience(s): Level: Vendor: Type: Delivery Method: 5 Days 182, Broadway, Newmarket, Auckland English, Entry Level IT Professionals Intermediate

More information

Software Development: The Next Security Frontier

Software Development: The Next Security Frontier James E. Molini, CISSP, CSSLP Microsoft Member, (ISC)² Advisory Board of the Americas jmolini@microsoft.com http://www.codeguard.org/blog Software Development: The Next Security Frontier De-perimiterization

More information

Securing SharePoint (TRISC) Email: dan@denimgroup.com Twitter: @danielcornell. March 24 th, 2009

Securing SharePoint (TRISC) Email: dan@denimgroup.com Twitter: @danielcornell. March 24 th, 2009 Securing SharePoint Texas Regional Infrastructure Security Conference (TRISC) Dan Cornell Email: dan@denimgroup.com Twitter: @danielcornell March 24 th, 2009 Agenda Background SharePoint Basics Securing

More information

Security Testing with Selenium

Security Testing with Selenium with Selenium Vidar Kongsli Montréal, October 25th, 2007 Versjon 1.0 Page 1 whois 127.0.0.1? Vidar Kongsli System architect & developer Head of security group Bekk Consulting Technology and Management

More information

The Security Development Lifecycle

The Security Development Lifecycle The Security Development Lifecycle Steven B. Lipner Director of Security Engineering Strategy Security Business and Technology Unit Microsoft Corporation Context and History 1960s penetrate and patch 1970s

More information

EC-Council E C S P JAVA. EC-Council. Stop the Buffer Overflows. Stop the Vulnerabilities. Start Writing Secure Code. Become an ECSP.

EC-Council E C S P JAVA. EC-Council. Stop the Buffer Overflows. Stop the Vulnerabilities. Start Writing Secure Code. Become an ECSP. EC-Council TM E C S P JAVA EC-Council Certified Secure Programmer Stop the Buffer Overflows. Stop the Vulnerabilities. Start Writing Secure Code. Become an ECSP Program Brochure ECSP Java Course Software

More information

Threat Modelling for Web Application Deployment. Ivan Ristic ivanr@webkreator.com (Thinking Stone)

Threat Modelling for Web Application Deployment. Ivan Ristic ivanr@webkreator.com (Thinking Stone) Threat Modelling for Web Application Deployment Ivan Ristic ivanr@webkreator.com (Thinking Stone) Talk Overview 1. Introducing Threat Modelling 2. Real-world Example 3. Questions Who Am I? Developer /

More information

Comprehensive Security for Internet-of-Things Devices With ARM TrustZone

Comprehensive Security for Internet-of-Things Devices With ARM TrustZone Comprehensive Security for Internet-of-Things Devices With ARM TrustZone Howard Williams mentor.com/embedded Internet-of-Things Trends The world is more connected IoT devices are smarter and more complex

More information

CONTENTS. PCI DSS Compliance Guide

CONTENTS. PCI DSS Compliance Guide CONTENTS PCI DSS COMPLIANCE FOR YOUR WEBSITE BUILD AND MAINTAIN A SECURE NETWORK AND SYSTEMS Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not

More information

Software Assurance: An Overview of Current Industry Best Practices

Software Assurance: An Overview of Current Industry Best Practices Software Assurance: An Overview of Current Industry Best Practices February 2008 Executive Summary Software Assurance: An Overview of Current Industry Best Practices Software underpins the information

More information

D. Best Practices D.1. Assurance The 5 th A

D. Best Practices D.1. Assurance The 5 th A Best Practices I&C School Prof. P. Janson September 2014 D. Best Practices D.1. Assurance The 5 th A 1 of 20 IT systems are insecure for two main reasons: People are fallible and systems are complex and

More information

Network Test Labs (NTL) Software Testing Services for igaming

Network Test Labs (NTL) Software Testing Services for igaming Network Test Labs (NTL) Software Testing Services for igaming Led by committed, young and dynamic professionals with extensive expertise and experience of independent testing services, Network Test Labs

More information

Promoting Application Security within Federal Government. AppSec DC November 13, 2009. The OWASP Foundation http://www.owasp.org

Promoting Application Security within Federal Government. AppSec DC November 13, 2009. The OWASP Foundation http://www.owasp.org Promoting Application Security within Federal Government AppSec DC November 13, 2009 Dr. Sarbari Gupta, CISSP, CISA Founder/President Electrosoft sarbari@electrosoft-inc.com 703-437-9451 ext 12 The Foundation

More information

Secure Web Development Teaching Modules 1. Security Testing. 1.1 Security Practices for Software Verification

Secure Web Development Teaching Modules 1. Security Testing. 1.1 Security Practices for Software Verification Secure Web Development Teaching Modules 1 Security Testing Contents 1 Concepts... 1 1.1 Security Practices for Software Verification... 1 1.2 Software Security Testing... 2 2 Labs Objectives... 2 3 Lab

More information

Attack Vector Detail Report Atlassian

Attack Vector Detail Report Atlassian Attack Vector Detail Report Atlassian Report As Of Tuesday, March 24, 2015 Prepared By Report Description Notes cdavies@atlassian.com The Attack Vector Details report provides details of vulnerability

More information

Web Application Security

Web Application Security Web Application Security A Beginner's Guide Bryan Sullivan Vincent Liu Mc r New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto Contents

More information

Columbia University Web Security Standards and Practices. Objective and Scope

Columbia University Web Security Standards and Practices. Objective and Scope Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements

More information

IBM Connections Cloud Security

IBM Connections Cloud Security IBM Connections White Paper September 2014 IBM Connections Cloud Security 2 IBM Connections Cloud Security Contents 3 Introduction 4 Security-rich Infrastructure 6 Policy Enforcement Points Provide Application

More information

IT Risk Management: Guide to Software Risk Assessments and Audits

IT Risk Management: Guide to Software Risk Assessments and Audits IT Risk Management: Guide to Software Risk Assessments and Audits Contents Overview... 3 Executive Summary... 3 Software: Today s Biggest Security Risk... 4 How Software Risk Enters the Enterprise... 5

More information

Secure Code Development

Secure Code Development ISACA South Florida 7th Annual WOW! Event Copyright Elevate Consult LLC. All Rights Reserved 1 Agenda i. Background ii. iii. iv. Building a Business Case for Secure Coding Top-Down Approach to Develop

More information

Ivan Medvedev Principal Security Development Lead Microsoft Corporation

Ivan Medvedev Principal Security Development Lead Microsoft Corporation Ivan Medvedev Principal Security Development Lead Microsoft Corporation Session Objectives and Takeaways Session Objective(s): Give an overview of the Security Development Lifecycle Discuss the externally

More information

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top

More information

Advanced ANDROID & ios Hands-on Exploitation

Advanced ANDROID & ios Hands-on Exploitation Advanced ANDROID & ios Hands-on Exploitation By NotSoSecure Ltd. Abstract: This fast-paced training will get you familiar with the various Android as well as ios exploitation techniques, and bypassing

More information

MIS 5203. Systems & Infrastructure Lifecycle Management 1. Week 13 April 14, 2016

MIS 5203. Systems & Infrastructure Lifecycle Management 1. Week 13 April 14, 2016 MIS 5203 Lifecycle Management 1 Week 13 April 14, 2016 Study Objectives Systems Implementation contd Configuration Management Monitoring and Incident Management Post implementation Reviews Project Success

More information

Making your web application. White paper - August 2014. secure

Making your web application. White paper - August 2014. secure Making your web application White paper - August 2014 secure User Acceptance Tests Test Case Execution Quality Definition Test Design Test Plan Test Case Development Table of Contents Introduction 1 Why

More information

Enterprise Security. Moving from Chaos to Control with Integrated Security Management. Yanet Manzano. Florida State University. manzano@cs.fsu.

Enterprise Security. Moving from Chaos to Control with Integrated Security Management. Yanet Manzano. Florida State University. manzano@cs.fsu. Enterprise Security Moving from Chaos to Control with Integrated Security Management Yanet Manzano Florida State University manzano@cs.fsu.edu manzano@cs.fsu.edu 1 Enterprise Security Challenges Implementing

More information

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency logo The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency Understanding the Multiple Levels of Security Built Into the Panoptix Solution Published: October 2011

More information

ETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001

ETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001 001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110

More information

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Detecting Web Application Vulnerabilities Using Open Source Means OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Kostas Papapanagiotou Committee Member OWASP Greek Chapter conpap@owasp.gr

More information

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org

More information

Redhawk Network Security, LLC 62958 Layton Ave., Suite One, Bend, OR 97701 sales@redhawksecurity.com 866-605- 6328 www.redhawksecurity.

Redhawk Network Security, LLC 62958 Layton Ave., Suite One, Bend, OR 97701 sales@redhawksecurity.com 866-605- 6328 www.redhawksecurity. Planning Guide for Penetration Testing John Pelley, CISSP, ISSAP, MBCI Long seen as a Payment Card Industry (PCI) best practice, penetration testing has become a requirement for PCI 3.1 effective July

More information

Preventive Approach for Web Applications Security Testing OWASP 10/30/2009. The OWASP Foundation http://www.owasp.org

Preventive Approach for Web Applications Security Testing OWASP 10/30/2009. The OWASP Foundation http://www.owasp.org Preventive Approach for Web Applications Security Testing 10/30/2009 Luiz Otávio Duarte Ferrucio de Franco Rosa Walcir M. Cardoso Jr. Renato Archer Information Technology Center Brazilian Ministry of Science

More information

KEN VAN WYK. Fundamentals of Secure Coding and how to break Software MARCH 19-23, 2007 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME (ITALY)

KEN VAN WYK. Fundamentals of Secure Coding and how to break Software MARCH 19-23, 2007 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME (ITALY) TECHNOLOGY TRANSFER PRESENTS KEN VAN WYK Fundamentals of Secure Coding and how to break Software MARCH 19-23, 2007 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME (ITALY) info@technologytransfer.it www.technologytransfer.it

More information

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2. ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework

More information

Computer Scientist. Conduct research in latest computer and network security technologies for high assurance system security solutions

Computer Scientist. Conduct research in latest computer and network security technologies for high assurance system security solutions Computer Scientist Conduct research in latest computer and network security technologies for high assurance system security solutions Develop algorithms, tools and techniques to enhance information assurance

More information

Software Security Touchpoint: Architectural Risk Analysis

Software Security Touchpoint: Architectural Risk Analysis Software Security Touchpoint: Architectural Risk Analysis Gary McGraw, Ph.D. Chief Technology Officer, Cigital Founded in 1992 to provide software security and software quality professional services Recognized

More information

Application Security Testing How to find software vulnerabilities before you ship or procure code

Application Security Testing How to find software vulnerabilities before you ship or procure code Application Security Testing How to find software vulnerabilities before you ship or procure code Anita D Amico, Ph.D. Hassan Radwan 1 Overview Why Care About Application Security? Quality vs Security

More information

Keyword: Cloud computing, service model, deployment model, network layer security.

Keyword: Cloud computing, service model, deployment model, network layer security. Volume 4, Issue 2, February 2014 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com An Emerging

More information

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

More information

8070.S000 Application Security

8070.S000 Application Security 8070.S000 Application Security Last Revised: 02/26/15 Final 02/26/15 REVISION CONTROL Document Title: Author: File Reference: Application Security Information Security 8070.S000_Application_Security.docx

More information

White Paper How Noah Mobile uses Microsoft Azure Core Services

White Paper How Noah Mobile uses Microsoft Azure Core Services NoahMobile Documentation White Paper How Noah Mobile uses Microsoft Azure Core Services The Noah Mobile Cloud service is built for the Microsoft Azure platform. The solutions that are part of the Noah

More information

Hacking Web Apps. Detecting and Preventing Web Application Security Problems. Jorge Blanco Alcover. Mike Shema. Technical Editor SYNGRESS

Hacking Web Apps. Detecting and Preventing Web Application Security Problems. Jorge Blanco Alcover. Mike Shema. Technical Editor SYNGRESS Hacking Web Apps Detecting and Preventing Web Application Security Problems Mike Shema Technical Editor Jorge Blanco Alcover AMSTERDAM BOSTON HEIDELBERG LONDON NEW YORK OXFORD PARIS SAN DIEGO SAN FRANCISCO

More information

STATE OF WASHINGTON DEPARTMENT OF SOCIAL AND HEALTH SERVICES P.O. Box 45810, Olympia, Washington 98504 5810. October 21, 2013

STATE OF WASHINGTON DEPARTMENT OF SOCIAL AND HEALTH SERVICES P.O. Box 45810, Olympia, Washington 98504 5810. October 21, 2013 STATE OF WASHINGTON DEPARTMENT OF SOCIAL AND HEALTH SERVICES P.O. Box 45810, Olympia, Washington 98504 5810 October 21, 2013 To: RE: All Vendors Request for Information (RFI) The State of Washington, Department

More information

Designing and Coding Secure Systems

Designing and Coding Secure Systems Designing and Coding Secure Systems Kenneth Ingham and Anil Somayaji September 29, 2009 1 Course overview This class covers secure coding and some design issues from a language neutral approach you can

More information

Auditing the Security of an SAP HANA Implementation

Auditing the Security of an SAP HANA Implementation Produced by Wellesley Information Services, LLC, publisher of SAPinsider. 2015 Wellesley Information Services. All rights reserved. Auditing the Security of an SAP HANA Implementation Juan Perez-Etchegoyen

More information

Advanced ANDROID & ios Hands-on Exploitation

Advanced ANDROID & ios Hands-on Exploitation Advanced ANDROID & ios Hands-on Exploitation By Attify Trainers Aditya Gupta Prerequisite The participants are expected to have a basic knowledge of Mobile Operating Systems. Knowledge of programming languages

More information

A Survey on Security Issues in Service Delivery Models of Cloud Computing

A Survey on Security Issues in Service Delivery Models of Cloud Computing A Survey on Security Issues in Service Delivery Models of Cloud Computing { S. Subashini and V. Kavitha (2011) Presented by: Anthony Postiglione Outline Introduction What is Cloud Computing Pros/Cons of

More information

Integrating Security into the Application Development Process. Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis

Integrating Security into the Application Development Process. Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis Integrating Security into the Application Development Process Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis Agenda Seek First to Understand Source Code Security AppSec and SQA Analyzing

More information

Web Application Remediation. OWASP San Antonio. March 28 th, 2007

Web Application Remediation. OWASP San Antonio. March 28 th, 2007 Web Application Remediation OWASP San Antonio March 28 th, 2007 Agenda Introduction The Problem: Vulnerable Web Applications Goals Example Process Overview Real World Issues To Address Conclusion/Questions

More information

Centre of Digital Innovation

Centre of Digital Innovation Centre of Digital Innovation mlab v1.1 mgovernment Centre of Digital Innovation CoDI http://mgovlab.government.ae Version Control Version Date Author 1.0 24 December 2014 Humaid Al Ali 1.1 29 December

More information