MULTI-REPRESENTATIONAL SECURITY ANALYSIS
|
|
- Poppy Miles
- 8 years ago
- Views:
Transcription
1 MULTI-REPRESENTATIONAL SECURITY ANALYSIS Eunsuk Kang MIT CSAIL ExCAPE Webinar April 30, 2015
2 Third-Party Authentication OAuth protocol Widely adapted, support from major vendors Analyzed formally using verification tools
3 Empirical study of OAuth providers [Sun & Beznosov, CCS12] Majority of them vulnerable (Google, Facebook,...)
4 Provably Secure, Practically Vulnerable? Protocol analysis at the abstract level Agents, messages, and rules at each protocol step RFC OAuth 2.0, Internet Engineering Task Force
5 Provably Secure, Practically Vulnerable? Protocol analysis at the abstract level Agents, messages, and rules at each protocol step Attacks exploiting details absent from model Unanticipated behavior from browser features e.g. HTTP redirects, hidden forms Design flaws, not just bugs in code Blame protocol designers? Can t predict all manners in which protocol will be used!
6 Abstractions in System Design Customer authentication Shopping cart interaction Payment workflow Delivery processing Deployment on HTTP Mobile app API Most systems too complex Decompose into overlapping aspects
7 Abstraction vs Security Customer authentication Shopping cart interaction Payment workflow Delivery processing Deployment on HTTP Mobile app API System designer One system view/abstraction at a time Exclude details in other views
8 Abstraction vs Security Customer authentication Shopping cart interaction Payment workflow Delivery processing Deployment on HTTP Mobile app API System designer One system view/abstraction at a time Exclude details in other views
9 Abstraction vs Security Customer authentication Shopping cart interaction Payment workflow Delivery processing Deployment on HTTP Mobile app API Attacker Jump between abstractions & combine details Property held over one view might be violated in another!
10 Poirot A framework for incremental reasoning of security properties across multiple abstraction boundaries
11 Standard Verification Framework Property P Verification Engine Analysis Result System Model M S M S P?
12 Our Framework: Poirot Property Verification Engine Analysis Result System Model Composition Operator Mapping Domain Model Library
13 Our Framework: Poirot Property P Verification Engine Analysis Result M S M S P? System Model Composition Operator Start with & analyze an initial model MS Mapping Domain Model Library
14 Our Framework Property Verification Engine Analysis Result System Model Composition Operator Mapping M D Domain Model Library Generic, reusable models e.g., browser, protocols
15 Our Framework Property Verification Engine Analysis Result System Model M S Composition Operator Elaboration of MS with knowledge in MD Mapping M' K M D Domain Model Library M' = Compose(M S,M D,K)
16 Our Framework Property P Verification Engine Analysis Result M' M' P? System Model Composition Operator Re-analyze P & repeat Mapping Domain Model Library
17 Key Features Increment, iterative analysis Start with an initial model, elaborate, analyze & repeat Find & fix simple attacks first, complex ones later Explore impact of design alternatives Reusing domain knowledge Encoded by domain experts Reusable across multiple systems Details hidden from user
18 System Model Property Verification Engine Analysis Result System Model Composition Operator Mapping Domain Model Library
19 Modeling Approach Inspirations Architectural description languages Process algebras (CSP) Structure Components with input/output channels End-to-end dataflow through channels Behavior Trace-based semantics (event traces) Declarative constraints for specifying behavior
20 Structure Model Components (C), operations (O), datatypes (D) AddItem Customer ShowCart MyStore D = {CustomerID, ItemID, Cart, Credential, Order}
21 Structure Component Input & output channels Each channel typed to an operation Connection between channels with the same type AddItem Customer X 1 X 2 Y 1 Y 2 ShowCart MyStore
22 Structure Component states Encoded as relations Updated by operations AddItem ShowCart MyStore creds CustomerID x Credential cart CustomerID x ItemID orders CustomerID x Order
23 Behavior Behavior as traces A stream of events generated through each channel Behavior of a component set of all possible traces beh: C P(T) AddItem Y 1 ShowCart Y 2 MyStore
24 Behavior Interaction Parallel composition, synchronized on shared operation AddItem Customer X 1 X 2 Y 1 Y 2 ShowCart MyStore additem1, additem2, showcart1 beh(customer MyStore)
25 Behavior Restricting behavior Each channel associated with a guard condition Specified as a declarative constraint AddItem(cust: CustomerID, item: ItemID, cred: Credential) Customer X 1 X 2 Y 1 Y 2 ShowCart MyStore creds CustomerID x Credential Guard on Y1: e E (e.cust, e.cred) p.creds
26 Dataflow Model Inter-component data flow Transmitted as arguments of an operation v hasaccess(c, t) if c has access to value v after trace t hasaccess: (C x T) P(V) Assumptions c has access to value v if (1) it initially knows v or (2) it has received an event with v as argument Can send an event only if it has access to all arguments
27 Verification Property Verification Engine Analysis Result System Model Composition Operator Mapping Domain Model Library
28 Analysis Encoding in Alloy Modeling language based on first-order relational logic Translation to a SAT formula; solve(m P) Bounded verification (trace length, data values) Properties Confidentiality & integrity More broadly, safety properties Customer should be able to access only its own orders t T, o: Order, s: MyStore, c: Customer o hasaccess(c, t) (c.id, o) s.orders(t)
29 Domain Model Library Property Verification Engine Analysis Result System Model Composition Operator Mapping Domain Model Library
30 Domain Model Library Web-related domain models Category Models Component Browser, HTTP server, network endpoint Feature Protocol Encryption, scripting, same-origin policy, crosssite origin requests (CORS), PostMessage SSL, OAuth, OpenID Benefits Amortized cost; built once, reused multiple times Expertise not required of user
31 Composition Operator Property Verification Engine Analysis Result System Model Composition Operator Mapping Domain Model Library
32 Composing Models Problem Two partial models, describing different viewpoints With distinct vocabularies But potentially overlapping in reality AddItem M1: Store model Customer ShowCart MyStore Relate? M2: HTTP model Browser HttpReq Server
33 Representations Representation relation (R) Informally, represented as deployed as, implemented as, encoded as S 1 S 2 (S1, S2) R Formally, every instance of S1 is also an instance of S2 Introduced between a pair of components, operations, datatypes i.e., R = (RC, RO, RD)
34 Relating Elements Representation as a way of describing overlaps HttpReq AddItem HttpReq = AddItem' M1 M2 M (AddItem, HttpReq) R i.e. AddItem is implemented as a kind of HTTP requests
35 Mapping Elements Describe how members of the two sets are mapped AddItem(customer: CustomerID, item: ItemID, cred: Credential) HttpReq AddItem HttpReq = AddItem' HttpReq(method: Method, url: URL, headers: set Header) Mapping as a concretization relation Corresponds to design decisions!
36 Complex Mapping MyStore OAuth Client Server = MyStore' OAuthClient Server i.e. MyStore is deployed as HTTP server and also participates in OAuth protocol
37 Behavior Expansion Effects of composition Possible introduction of behavior into the system Previously verified properties may no longer hold! Types of expansion Channel Addition Dataflow Expansion Alphabet Expansion AddItem Customer ShowCart MyStore Browser HttpReq Server
38 Channel Addition AddItem Customer MyStore AddItem Customer Browser Customer [Browser] MyStore HttpReq Server Component obtains channels & generates new events Customer interacts with other HTTP servers Allows attacks where attacker sets up malicious pages
39 Dataflow Expansion AddItem Customer MyStore AddItem(CustomerID, ItemID, Cred) Customer Browser Cred Header Customer [Browser] MyStore HttpReq(Method, URL, set Header) Server New types of data flow into component Server may now receive credentials as headers
40 Alphabet Expansion AddItem Customer Customer Browser AddItem [HttpReq] MyStore MyStore [Server] MyStore Server AddItem HttpReq Component generates new event types Any HTTP client can invoke AddItem operation Can t assume how AddItem will be invoked Common mistake among web developers!
41 Composition Operator Composition function M = compose(m1, M2, K) with mappings K = (KC, KO, KD) Two-step procedure For each pair (S1, S2) appearing in K: 1. Merge Introduce representation relation between S1 & S2 2. Refine Constrain members of S1 & S2 according to K
42 Merge 1. Introduce representation relation between S1 & S2 Construct S1 that obtains characteristics (channels, arguments, fields) of S1 & S2 AddItem Customer MyStore MyStore Server Customer Browser AddItem [HttpReq] AddItem HttpReq Customer [Browser] MyStore [Server] In resulting model M : (MyStore, Server) RC (Customer, Browser) RC Browser HttpReq Server (AddItem, HttpReq) RO
43 Refine 2. Constrain members of S1 & S2 according to K Specified as a declarative constraint AddItem HttpReq AddItem(customer: CustomerID, item: ItemID, cred: Credential) HttpReq(method: Method, url: URL, headers: set Header) {a: AddItem, c: HttpReq c.method = POST a.customer c.url.query a.item c.url.query a.cred c.headers } KO
44 Partial Mappings Mapping can be partially specified AddItem HttpReq {a: AddItem, c: HttpReq c.method = POST } KO Analyzer generates mapping that leads to attack! User can leave some design decisions unknown & interactively explore alternative mappings
45 Case Studies Two publicly deployed sites IFTTT End-user service composition HandMe.In Personal item tracking with QR code
46 Case Studies Two publicly deployed sites IFTTT & HandMe.In Methodology Start with an abstract workflow model Elaborate with domain models & re-analyze Replay attacks on the concrete system Results Previously unknown attacks on both sites Confirmed with the developers Analysis times < 15 seconds Modeling effort: 1~2 weeks
47 Attack on IFTTT Authentication on IFTTT User creates a recipe with trigger & action IFTTT must be given third-party access to both (OAuth)
48 Attack on IFTTT Confidentiality Property User s private data is not accessible to attacker
49 Attack on IFTTT Login CSRF Attacker tricks user into signing in under its credentials Relatively minor; may see history of user s actions But in combination with IFTTT Security consequences far greater! Can leak private data through IFTTT channels Complex interaction Between IFTTT, OAuth, browser models
50 Attack on IFTTT Login Authorize Blogger [Server] CreateBlog User [Browser] Req Server (Evil) PostPhoto Create Recipe IFTTT [Server] Facebook [Server] Notify
51 Attack on IFTTT Login Authorize Google Blogger [Server] CreateBlog User [Browser] Create Recipe IFTTT [Server] Notify 1. User visits a page hosted by evil server Req PostPhoto Server (Evil) Facebook [Server]
52 Attack on IFTTT Login Blogger Google [Server] CreateBlog Authorize 2. User gets logged User [Browser] Create Recipe IFTTT [Server] Notify onto Blogger under attacker s credential Req Server (Evil) PostPhoto Facebook [Server]
53 Attack on IFTTT Login Authorize Blogger Google [Server] CreateBlog User [Browser] Create Recipe IFTTT [Server] Notify 3. User creates a new recipe on IFTTT Req PostPhoto Server (Evil) Facebook [Server]
54 Attack on IFTTT Login Authorize Blogger Google [Server] CreateBlog 4. Blogger authorizes User [Browser] Create Recipe IFTTT [Server] Notify IFTTT to perform action, but under the attacker s account! Req PostPhoto Server (Evil) Facebook [Server]
55 Attack on IFTTT Login Authorize Blogger Google [Server] CreateBlog User [Browser] Create Recipe IFTTT [Server] Notify 5. User posts a photo on Facebook Req PostPhoto Server (Evil) Facebook [Server]
56 Attack on IFTTT Login Authorize Blogger Google [Server] CreateBlog User [Browser] Create Recipe IFTTT [Server] Notify 6. IFTTT is notified of the trigger Req PostPhoto Server (Evil) Facebook [Server]
57 Attack on IFTTT Login Blogger Google [Server] CreateBlog Authorize 7. IFTTT creates a User [Browser] Create Recipe IFTTT [Server] Notify new blog on the attacker s account, with the user s photo! Req Server (Evil) PostPhoto Facebook [Server]
58 Internet of Things Security (Collaboration with Hamid Bagheri)
59 Looking Ahead Property P Verification Engine Analysis Result M' M' P? System Model M S M' Composition Operator M D Mapping K Domain Model Library Synthesis: Construct K that satisfies P
60 Looking Ahead Property Verification Engine Analysis Result System Model Composition Operator Mapping Domain Model Library Model Extraction: Mine specs from domain sources (e.g. CVE)
61 Poirot A framework for incremental analysis of security properties across multiple system abstractions Any questions?
A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith
A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications Slides by Connor Schnaith Cross-Site Request Forgery One-click attack, session riding Recorded since 2001 Fourth out of top 25 most
More informationSSOScan: Automated Testing of Web Applications for Single Sign-On vulnerabilities
123456 SSOScan: Automated Testing of Web Applications for Single Sign-On vulnerabilities Yuchen Zhou David Evans 1 http://www.ssoscan.org/ Single Sign-On Service 2 Single Sign-On Workflow Integrator (e.g.,
More informationJVA-122. Secure Java Web Development
JVA-122. Secure Java Web Development Version 7.0 This comprehensive course shows experienced developers of Java EE applications how to secure those applications and to apply best practices with regard
More informationArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young
ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction
More informationDeveloping ASP.NET MVC 4 Web Applications Course 20486A; 5 Days, Instructor-led
Developing ASP.NET MVC 4 Web Applications Course 20486A; 5 Days, Instructor-led Course Description In this course, students will learn to develop advanced ASP.NET MVC applications using.net Framework 4.5
More informationOAuth: Where are we going?
OAuth: Where are we going? What is OAuth? OAuth and CSRF Redirection Token Reuse OAuth Grant Types 1 OAuth v1 and v2 "OAuth 2.0 at the hand of a developer with deep understanding of web security will likely
More informationGateway Apps - Security Summary SECURITY SUMMARY
Gateway Apps - Security Summary SECURITY SUMMARY 27/02/2015 Document Status Title Harmony Security summary Author(s) Yabing Li Version V1.0 Status draft Change Record Date Author Version Change reference
More informationCriteria for web application security check. Version 2015.1
Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-
More informationDeveloping ASP.NET MVC 4 Web Applications MOC 20486
Developing ASP.NET MVC 4 Web Applications MOC 20486 Course Outline Module 1: Exploring ASP.NET MVC 4 The goal of this module is to outline to the students the components of the Microsoft Web Technologies
More informationSESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER
SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER XSS-BASED ABUSE OF BROWSER PASSWORD MANAGERS Ben Stock, Martin Johns, Sebastian Lekies Browser choices Full disclosure: Ben was an intern with Microsoft
More informationSecure Coding SSL, SOAP and REST. Astha Singhal Product Security Engineer salesforce.com
Secure Coding SSL, SOAP and REST Astha Singhal Product Security Engineer salesforce.com Safe Harbor Safe harbor statement under the Private Securities Litigation Reform Act of 1995: This presentation may
More informationOAuth2 and UMA for ACE draft-maler-ace-oauth-uma-00.txt. Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig
OAuth2 and UMA for ACE draft-maler-ace-oauth-uma-00.txt Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig Agenda 1. Motivation behind draft-maler-ace-oauth-uma-00.txt. 2. Mapping of existing
More informationWhere every interaction matters.
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
More informationWHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats
WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top
More informationNext Generation Clickjacking
Next Generation Clickjacking New attacks against framed web pages Black Hat Europe, 14 th April 2010 Paul Stone paul.stone@contextis.co.uk Coming Up Quick Introduction to Clickjacking Four New Cross-Browser
More informationApplication Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper
Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks Whitepaper The security industry has extensively focused on protecting against malicious injection attacks like
More informationOnegini Token server / Web API Platform
Onegini Token server / Web API Platform Companies and users interact securely by sharing data between different applications The Onegini Token server is a complete solution for managing your customer s
More informationMANAGED SECURITY TESTING
MANAGED SECURITY TESTING SERVICE LEVEL COMPARISON External Network Testing (EVS) Scanning Basic Threats Penetration Testing Network Vulnerability Scan Unauthenticated Web App Scanning Validation Of Scan
More informationDeveloping ASP.NET MVC 4 Web Applications
Course M20486 5 Day(s) 30:00 Hours Developing ASP.NET MVC 4 Web Applications Introduction In this course, students will learn to develop advanced ASP.NET MVC applications using.net Framework 4.5 tools
More informationMagento Security and Vulnerabilities. Roman Stepanov
Magento Security and Vulnerabilities Roman Stepanov http://ice.eltrino.com/ Table of contents Introduction Open Web Application Security Project OWASP TOP 10 List Common issues in Magento A1 Injection
More informationelearning for Secure Application Development
elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security
More informationBlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note
BlackBerry Enterprise Service 10 Secure Work Space for ios and Android Version: 10.1.1 Security Note Published: 2013-06-21 SWD-20130621110651069 Contents 1 About this guide...4 2 What is BlackBerry Enterprise
More informationFINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES
Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that
More informationWhat is Web Security? Motivation
brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web
More informationNetwork Security OAuth
Network Security OAuth Parma, May 28th, 2013 Online Services and Private Data The evolution of online services, such as social networks, has had a huge impact on the amount of data and personal information
More informationPCI Compliance Updates
PCI Compliance Updates E-Commerce / Cloud Security Adam Goslin, Chief Operations Officer AGoslin@HighBitSecurity.com Direct: 248.388.4328 PCI Guidance Google: PCI e-commerce guidance https://www.pcisecuritystandards.org/pdfs/pci_dss_v2_ecommerce_guidelines.pdf
More informationAutomatic Analysis of Browser-based Security Protocols
Automatic Analysis of Browser-based Security Protocols Avinash Sudhodanan Alessandro Armando (FBK, coordinator) Roberto Carbone (FBK, tutor) Luca Compagna (SAP, tutor) FP7-PEOPLE-2012-ITN Outline Context
More informationSAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)
SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG) A RSACCESS WHITE PAPER 1 Microsoft Forefront Unified Access Gateway Overview 2 Safe-T RSAccess Secure Front-end Overview
More information(WAPT) Web Application Penetration Testing
(WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:
More informationApplication Security Testing. Generic Test Strategy
Application Security Testing Generic Test Strategy Page 2 of 8 Contents 1 Introduction 3 1.1 Purpose: 3 1.2 Application Security Testing: 3 2 Audience 3 3 Test Strategy guidelines 3 3.1 Authentication
More informationNetwork Security Essentials Chapter 5
Network Security Essentials Chapter 5 Fourth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 5 Transport-Level Security Use your mentality Wake up to reality From the song, "I've Got
More informationOAuth. Network Security. Online Services and Private Data. A real-life example. Material and Credits. OAuth. OAuth
Network Security Dr. Ing. Simone Cirani Parma, May 28th, 2013 Online Services and Private Data The evolution of online services, such as social networks, has had a huge impact on the amount of data and
More informationCommon Criteria Web Application Security Scoring CCWAPSS
Criteria Web Application Security Scoring CCWAPSS Author Frédéric Charpentier, security pentester. France. Fcharpentier@xmcopartners.com Releases Version 1.0 : First public release September 2007 Version
More informationThe Top Web Application Attacks: Are you vulnerable?
QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding
More informationIs Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security
Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss Thinking Securely Security is a process, not
More informationMobile Security. Policies, Standards, Frameworks, Guidelines
Mobile Security Policies, Standards, Frameworks, Guidelines Guidelines for Managing and Securing Mobile Devices in the Enterprise (SP 800-124 Rev. 1) http://csrc.nist.gov/publications/drafts/800-124r1/draft_sp800-124-rev1.pdf
More informationDell One Identity Cloud Access Manager 8.0.1 - How to Develop OpenID Connect Apps
Dell One Identity Cloud Access Manager 8.0.1 - How to Develop OpenID Connect Apps May 2015 This guide includes: What is OAuth v2.0? What is OpenID Connect? Example: Providing OpenID Connect SSO to a Salesforce.com
More informationSingle Sign On. SSO & ID Management for Web and Mobile Applications
Single Sign On and ID Management Single Sign On SSO & ID Management for Web and Mobile Applications Presenter: Manish Harsh Program Manager for Developer Marketing Platforms of NVIDIA (Visual Computing
More informationThe Devil is Phishing: Rethinking Web Single Sign On Systems Security. Chuan Yue USENIX Workshop on Large Scale Exploits
The Devil is Phishing: Rethinking Web Single Sign On Systems Security Chuan Yue USENIX Workshop on Large Scale Exploits and Emergent Threats (LEET 2013) Web Single Sign On (SSO) systems Sign in multiple
More informationSCAS: AN IMPROVED SINGLE SIGN-ON MODEL BASE ON CAS
SCAS: AN IMPROVED SINGLE SIGN-ON MODEL BASE ON CAS 1,2 XIANG LIYUN, 1 FANG ZHIYI, 1 SUN HONGYU 1 College of Computer Science and Technology, Jilin University, Changchun, China 2 Department of Computer
More informationRational AppScan & Ounce Products
IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168
More informationBringing Cloud Security Down to Earth. Andreas M Antonopoulos Senior Vice President & Founding Partner www.nemertes.com
Bringing Cloud Security Down to Earth Andreas M Antonopoulos Senior Vice President & Founding Partner www.nemertes.com Agenda About Nemertes Cloud Dynamics and Adoption Assessing Risk of Cloud Services
More informationWeb applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh
Web applications Web security: web basics Myrto Arapinis School of Informatics University of Edinburgh HTTP March 19, 2015 Client Server Database (HTML, JavaScript) (PHP) (SQL) 1 / 24 2 / 24 URLs HTTP
More informationitds OAuth Integration Paterva itds OAuth Integration Building and re-using OAuth providers within Maltego 2014/09/22
Paterva itds OAuth Integration itds OAuth Integration Building and re-using OAuth providers within Maltego AM 2014/09/22 Contents Maltego OAuth Integration... 3 Introduction... 3 OAuth within the Maltego
More informationIntroduction to Automated Testing
Introduction to Automated Testing What is Software testing? Examination of a software unit, several integrated software units or an entire software package by running it. execution based on test cases
More informationCloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive
Cloud Security Through Threat Modeling Robert M. Zigweid Director of Services for IOActive 1 Key Points Introduction Threat Model Primer Assessing Threats Mitigating Threats Sample Threat Model Exercise
More informationAxway API Gateway. Version 7.4.1
O A U T H U S E R G U I D E Axway API Gateway Version 7.4.1 3 February 2016 Copyright 2016 Axway All rights reserved. This documentation describes the following Axway software: Axway API Gateway 7.4.1
More informationBASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS
BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS Published by Tony Porterfield Feb 1, 2015. Overview The intent of this test plan is to evaluate a baseline set of data security practices
More informationIdentity Implementation Guide
Identity Implementation Guide Version 37.0, Summer 16 @salesforcedocs Last updated: May 26, 2016 Copyright 2000 2016 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of salesforce.com,
More informationWebmail Using the Hush Encryption Engine
Webmail Using the Hush Encryption Engine Introduction...2 Terms in this Document...2 Requirements...3 Architecture...3 Authentication...4 The Role of the Session...4 Steps...5 Private Key Retrieval...5
More informationWorkday Mobile Security FAQ
Workday Mobile Security FAQ Workday Mobile Security FAQ Contents The Workday Approach 2 Authentication 3 Session 3 Mobile Device Management (MDM) 3 Workday Applications 4 Web 4 Transport Security 5 Privacy
More informationHack Proof Your Webapps
Hack Proof Your Webapps About ERM About the speaker Web Application Security Expert Enterprise Risk Management, Inc. Background Web Development and System Administration Florida International University
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationChapter 7 Transport-Level Security
Cryptography and Network Security Chapter 7 Transport-Level Security Lectured by Nguyễn Đức Thái Outline Web Security Issues Security Socket Layer (SSL) Transport Layer Security (TLS) HTTPS Secure Shell
More informationWeb Application Attacks and Countermeasures: Case Studies from Financial Systems
Web Application Attacks and Countermeasures: Case Studies from Financial Systems Dr. Michael Liu, CISSP, Senior Application Security Consultant, HSBC Inc Overview Information Security Briefing Web Applications
More informationThe increasing popularity of mobile devices is rapidly changing how and where we
Mobile Security BACKGROUND The increasing popularity of mobile devices is rapidly changing how and where we consume business related content. Mobile workforce expectations are forcing organizations to
More informationi. Node Y Represented by a block or part. SysML::Block,
OMG SysML Requirements Traceability (informative) This document has been published as OMG document ptc/07-03-09 so it can be referenced by Annex E of the OMG SysML specification. This document describes
More informationDashlane Security Whitepaper
Dashlane Security Whitepaper November 2014 Protection of User Data in Dashlane Protection of User Data in Dashlane relies on 3 separate secrets: The User Master Password Never stored locally nor remotely.
More informationWeb application security
Web application security Sebastian Lopienski CERN Computer Security Team openlab and summer lectures 2010 (non-web question) Is this OK? int set_non_root_uid(int uid) { // making sure that uid is not 0
More information05.0 Application Development
Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development
More informationAn Insight into Cookie Security
An Insight into Cookie Security Today most websites and web based applications use cookies. Cookies are primarily used by the web server to track an authenticated user or other user specific details. This
More informationWeb Application Security Assessment and Vulnerability Mitigation Tests
White paper BMC Remedy Action Request System 7.6.04 Web Application Security Assessment and Vulnerability Mitigation Tests January 2011 www.bmc.com Contacting BMC Software You can access the BMC Software
More informationHow to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering
How to break in Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering Time Agenda Agenda Item 9:30 10:00 Introduction 10:00 10:45 Web Application Penetration
More informationSecure Programming Lecture 12: Web Application Security III
Secure Programming Lecture 12: Web Application Security III David Aspinall 6th March 2014 Outline Overview Recent failures More on authorization Redirects Sensitive data Cross-site Request Forgery (CSRF)
More informationDetecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008
Detecting Web Application Vulnerabilities Using Open Source Means OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Kostas Papapanagiotou Committee Member OWASP Greek Chapter conpap@owasp.gr
More informationSAML AS AN SSO STANDARD FOR CUSTOMER IDENTITY MANAGEMENT. How to Create a Frictionless, Secure Customer Identity Management Strategy
SAML AS AN SSO STANDARD FOR CUSTOMER IDENTITY MANAGEMENT How to Create a Frictionless, Secure Customer Identity Management Strategy PART 1: WHAT IS SAML? SAML in Context Security Assertion Markup Language
More informationRevision 1.0. September 2010 2002-2010 ICS Learning Group
Revision 1.0 September 2010 2002-2010 ICS Learning Group Disclaimer ICS Learning Group makes no representations or warranties with respect to the contents or use of this manual, and specifically disclaims
More informationOWASP Top Ten Tools and Tactics
OWASP Top Ten Tools and Tactics Russ McRee Copyright 2012 HolisticInfoSec.org SANSFIRE 2012 10 JULY Welcome Manager, Security Analytics for Microsoft Online Services Security & Compliance Writer (toolsmith),
More informationIBM WebSphere Application Server
IBM WebSphere Application Server OAuth 2.0 service provider and TAI 2012 IBM Corporation This presentation describes support for OAuth 2.0 included in IBM WebSphere Application Server V7.0.0.25. WASV70025_OAuth20.ppt
More informationHow To Manage Web Content Management System (Wcm)
WEB CONTENT MANAGEMENT SYSTEM February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in
More informationCopyright: WhosOnLocation Limited
How SSO Works in WhosOnLocation About Single Sign-on By default, your administrators and users are authenticated and logged in using WhosOnLocation s user authentication. You can however bypass this and
More informationOpenID Connect 1.0 for Enterprise
OpenID Connect 1.0 for Enterprise By Paul Madsen Executive Overview In order to meet the challenges presented by the use of mobile apps and cloud services in the enterprise, a new generation of identity
More informationAuthentication Integration
Authentication Integration VoiceThread provides multiple authentication frameworks allowing your organization to choose the optimal method to implement. This document details the various available authentication
More informationD. Best Practices D.1. Assurance The 5 th A
Best Practices I&C School Prof. P. Janson September 2014 D. Best Practices D.1. Assurance The 5 th A 1 of 20 IT systems are insecure for two main reasons: People are fallible and systems are complex and
More informationLogin with Amazon. Developer Guide for Websites
Login with Amazon Developer Guide for Websites Copyright 2014 Amazon Services, LLC or its affiliates. All rights reserved. Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates.
More informationA Study of What Really Breaks SSL HITB Amsterdam 2011
A Study of What Really Breaks SSL HITB Amsterdam 2011 v1.0 Ivan Ristic Michael Small 20 May 2011 Agenda 1. State of SSL 2. Quick intro to SSL Labs 3. SSL Configuration Surveys 4. Survey of Actual SSL Usage
More informationThe Devil is in the (Implementation) Details: An Empirical Analysis of OAuth SSO Systems
The Devil is in the (Implementation) Details: An Empirical Analysis of OAuth SSO Systems San-Tsai Sun and Konstantin Beznosov Laboratory for Education and Research in Secure Systems Engineering Department
More informationIntroduction to SAML
Introduction to THE LEADER IN API AND CLOUD GATEWAY TECHNOLOGY Introduction to Introduction In today s world of rapidly expanding and growing software development; organizations, enterprises and governments
More informationFileCloud Security FAQ
is currently used by many large organizations including banks, health care organizations, educational institutions and government agencies. Thousands of organizations rely on File- Cloud for their file
More informationTitle Page. Hosted Payment Page Guide ACI Commerce Gateway
Title Page Hosted Payment Page Guide ACI Commerce Gateway Copyright Information 2008 by All rights reserved. All information contained in this documentation, as well as the software described in it, is
More informationSECURITY AND REGULATORY COMPLIANCE OVERVIEW
Powering Cloud IT SECURITY AND REGULATORY COMPLIANCE OVERVIEW BetterCloud for Office 365 Executive Summary BetterCloud provides critical insights, automated management, and intelligent data security for
More informationChap 1. Introduction to Software Architecture
Chap 1. Introduction to Software Architecture 1. Introduction 2. IEEE Recommended Practice for Architecture Modeling 3. Architecture Description Language: the UML 4. The Rational Unified Process (RUP)
More informationOWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp.
and Top 10 (2007 Update) Dave Wichers The Foundation Conferences Chair dave.wichers@owasp.org COO, Aspect Security dave.wichers@aspectsecurity.com Copyright 2007 - The Foundation This work is available
More informationMid-Project Report August 14 th, 2012. Nils Dussart 0961540
Mid-Project Report August 14 th, 2012 Nils Dussart 0961540 CONTENTS Project Proposal... 3 Project title... 3 Faculty Advisor... 3 Project Scope and Individual Student Learning Goals... 3 Proposed Product
More informationSAML and OAUTH comparison
SAML and OAUTH comparison DevConf 2014, Brno JBoss by Red Hat Peter Škopek, pskopek@redhat.com, twitter: @pskopek Feb 7, 2014 Abstract SAML and OAuth are one of the most used protocols/standards for single
More informationAdvanced Administration for Citrix NetScaler 9.0 Platinum Edition
Advanced Administration for Citrix NetScaler 9.0 Platinum Edition Course Length: 5 Days Course Code: CNS-300 Course Description This course provides the foundation to manage, configure and monitor advanced
More informationWeb Application Hacking (Penetration Testing) 5-day Hands-On Course
Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Course Description Our web sites are under attack on a daily basis
More information1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications
1. Introduction 2. Web Application 3. Components 4. Common Vulnerabilities 5. Improving security in Web applications 2 What does World Wide Web security mean? Webmasters=> confidence that their site won
More informationPRIVACY AWARE ACCESS CONTROL FOR CLOUD-BASED DATA PLATFORMS
www.openi-ict.eu Open-Source, Web-Based, Framework for Integrating Applications with Social Media Services and Personal Cloudlets PRIVACY AWARE ACCESS CONTROL FOR CLOUD-BASED DATA PLATFORMS Open-Source,
More informationSSL Overview for Resellers
Web Security Enterprise Security Identity Verification Services Signing Services SSL Overview for Resellers What We ll Cover Understanding SSL SSL Handshake 101 Market Opportunity for SSL Obtaining an
More informationINTEGRATION GUIDE. DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server
INTEGRATION GUIDE DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document
More informationOpenID Single Sign On and OAuth Data Access for Google Apps. Ryan Boyd @ryguyrg Dave Primmer May 2010
OpenID Single Sign On and OAuth Data Access for Google Apps Ryan Boyd @ryguyrg Dave Primmer May 2010 Why? View live notes and questions about this session on Google Wave: http://bit.ly/magicwave Agenda
More informationMashery OAuth 2.0 Implementation Guide
Mashery OAuth 2.0 Implementation Guide June 2012 Revised: 7/18/12 www.mashery.com Mashery, Inc. 717 Market Street, Suite 300 San Francisco, CA 94103 Contents C hapter 1. About this Guide...5 Introduction...
More informationWHITE PAPER Usher Mobile Identity Platform
WHITE PAPER Usher Mobile Identity Platform Security Architecture For more information, visit Usher.com info@usher.com Toll Free (US ONLY): 1 888.656.4464 Direct Dial: 703.848.8710 Table of contents Introduction
More informationSage Integration Cloud Technology Whitepaper
Sage Integration Cloud Technology Whitepaper Sage Christian Rubach July 21, 2016 Abstract Sage is committed to providing businesses around the world the information, insight and tools they need to succeed.
More informationRTC-Web Security Considerations
RTC-Web Security Considerations IETF 80 Eric Rescorla ekr@rtfm.com IETF 80 RTC-Web Security Issues 1 The Browser Threat Model Core Web Security Guarantee: users can safely visit arbitrary web sites and
More informationImplementation Vulnerabilities in SSL/TLS
Implementation Vulnerabilities in SSL/TLS Marián Novotný novotny@eset.sk ESET, spol. s r.o. Bratislava, Slovak Republic Abstract SSL/TLS protocol has become a standard way for establishing a secure communication
More informationPassword Power 8 Plug-In for Lotus Domino Single Sign-On via Kerberos
Password Power 8 Plug-In for Lotus Domino Single Sign-On via Kerberos PistolStar, Inc. PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200 Fax: 603.546.2309 E-mail: salesteam@pistolstar.com Website:
More informationCleaning Encrypted Traffic
Optenet Documentation Cleaning Encrypted Traffic Troubleshooting Guide iii Version History Doc Version Product Date Summary of Changes V6 OST-6.4.300 01/02/2015 English editing Optenet Documentation
More informationOracle Fusion Middleware Oracle API Gateway OAuth User Guide 11g Release 2 (11.1.2.4.0)
Oracle Fusion Middleware Oracle API Gateway OAuth User Guide 11g Release 2 (11.1.2.4.0) July 2015 Oracle API Gateway OAuth User Guide, 11g Release 2 (11.1.2.4.0) Copyright 1999, 2015, Oracle and/or its
More information