How To Understand And Understand The Security Of A Web Browser (For Web Users)
|
|
- Doris Sharlene Short
- 3 years ago
- Views:
Transcription
1 Security vulnerabilities: should they be early detected? - lsampaio@inf.puc-rio.br Alessandro Garcia afgarcia@inf.puc-rio.br OPUS Research Group
2 Agenda 1. Background; 2.Motivation; 3.Research Questions; 4.Hypotheses; 5.Empirical Method and Evaluation; 6.Work Plan; 7.Expected Contributions; 8.Questions? 2
3 Background 3
4 Background What is a good software? 3
5 Background What is a good software? Easy to use (Usability); Fast (Efficiency); Easy to update (Maintainability); 3
6 Background What is a good software? Easy to use (Usability); Fast (Efficiency); Easy to update (Maintainability); Issues of usability, efficiency and others are easy to spot. 3
7 Background What is a good software? Easy to use (Usability); Fast (Efficiency); Easy to update (Maintainability); Issues of usability, efficiency and others are easy to spot. What about Security? 3
8 Background (2) 4
9 Background (2) 86% of all websites had at least one serious* vulnerability, and most of time far more than one to be precise; 4
10 Background (2) 86% of all websites had at least one serious* vulnerability, and most of time far more than one to be precise; Organizations that provide software security training for their developers experience 25% fewer serious vulnerabilities annually than those who do not. 4
11 Background (2) 86% of all websites had at least one serious* vulnerability, and most of time far more than one to be precise; Organizations that provide software security training for their developers experience 25% fewer serious vulnerabilities annually than those who do not. Cross-Site Scripting identified in 53%; 4
12 Background (3) Open Web Application Security Project (OWASP); OWASP Top , 2004, 2007, 2010, 2013; Spread the word! 5
13 Background (4)
14 Background (4) OWASP Top
15 Background (4) OWASP Top (SQL/Command) Injection; 02 Broken Authentication and Session Management; 03 Cross-Site Scripting (XSS); 04 Insecure Direct Object References; 05 Security Misconfiguration; 06 Sensitive Data Exposure; 07 Missing Function Level Access Control; 08 Cross-Site Request Forgery (CSRF); 09 Using Known Vulnerable Components; 10 Unvalidated Redirects and Forwards;
16 Background >> SQL Injection 7
17 Background >> SQL Injection It affects all programming languages; 7
18 Background >> SQL Injection It affects all programming languages; 7
19 Background >> SQL Injection It affects all programming languages; What if: ' or '1'='1 or ';DROP table User;--' 7
20 Background >> SQL Injection It affects all programming languages; What if: ' or '1'='1 or ';DROP table User;--' Remove delete from deldeleteete ; 7
21 Background >> SQL Injection It affects all programming languages; What if: ' or '1'='1 or ';DROP table User;--' Remove delete from deldeleteete ; The same solution works in all programming languages; 7
22 Motivation Everything is going online; Applications are going global; Reputation is really important; The later you find a problem, the more expensive it will be to fix it. 8
23 Motivation (2) 9
24 Motivation (3) 10
25 Research Questions 11
26 Research Questions RQ1 - Who should check for security vulnerabilities? 11
27 Research Questions RQ1 - Who should check for security vulnerabilities? RQ2 - When should be the best moment to check for security vulnerabilities? 11
28 Research Questions RQ1 - Who should check for security vulnerabilities? RQ2 - When should be the best moment to check for security vulnerabilities? RQ3 - Where should be the best place to check for security vulnerabilities? 11
29 Research Questions RQ1 - Who should check for security vulnerabilities? RQ2 - When should be the best moment to check for security vulnerabilities? RQ3 - Where should be the best place to check for security vulnerabilities? RQ4 - Why do they appear? 11
30 Research Questions RQ1 - Who should check for security vulnerabilities? RQ2 - When should be the best moment to check for security vulnerabilities? RQ3 - Where should be the best place to check for security vulnerabilities? RQ4 - Why do they appear? 11
31 Research Questions RQ1 - Who should check for security vulnerabilities? RQ2 - When should be the best moment to check for security vulnerabilities? RQ3 - Where should be the best place to check for security vulnerabilities? RQ4 - Why do they appear? RQ5 - Which of these security vulnerabilities are the most interesting for early detection? 11
32 Hypotheses 12
33 Hypotheses H1 - Architects/Developers don t care about security vulnerabilities; 12
34 Hypotheses H1 - Architects/Developers don t care about security vulnerabilities; H2 - Architects/Developers don t know about security vulnerabilities; 12
35 Hypotheses H1 - Architects/Developers don t care about security vulnerabilities; H2 - Architects/Developers don t know about security vulnerabilities; H3 - It doesn t exist good tools to help developers find and fix security vulnerabilities; 12
36 Hypotheses H1 - Architects/Developers don t care about security vulnerabilities; H2 - Architects/Developers don t know about security vulnerabilities; H3 - It doesn t exist good tools to help developers find and fix security vulnerabilities; H4 - Most security vulnerabilities are introduced by inexperienced developers; 12
37 Hypotheses H1 - Architects/Developers don t care about security vulnerabilities; H2 - Architects/Developers don t know about security vulnerabilities; H3 - It doesn t exist good tools to help developers find and fix security vulnerabilities; H4 - Most security vulnerabilities are introduced by inexperienced developers; H5 - The deadlines are to blame. 12
38 Empirical Method and Exploratory Study; Evaluation Analyze existing code with the tools available; Mining on bug reports and forums about the topic; 13
39 Work Plan Download and use the most used tools that finds security vulnerabilities; Try to identify which are the vulnerabilities most interesting for early detection; 14
40 Expected Contributions Recommend specific guidelines for development processes to follow; Recommend specific features for tools that finds security vulnerability should have; 15
41 Questions? 16
42 Thank you! - lsampaio@inf.puc-rio.br Alessandro Garcia afgarcia@inf.puc-rio.br OPUS Research Group
Early Vulnerability Detection for Supporting Secure Programming
Early Vulnerability Detection for Supporting Secure Programming Luciano Sampaio - lsampaio@inf.puc- rio.br Alessandro Garcia - afgarcia@inf.puc- rio.br OPUS Research Group LES DI PUC- Rio - Brazil OPUS
More informationHow To Test A Computer System On A Microsoft Powerbook 2.5 (Windows) (Windows 2) (Powerbook 2) And Powerbook 1.5.1 (Windows 3) (For Windows) (Programmer) (Or
2014 Guide For Testing Your Software Security and Software Assessment Services (SSAS) Usability Testing Sections Installation and Un-Installation Software Documentation Test Cases or Tutorial Graphical
More informationMagento Security and Vulnerabilities. Roman Stepanov
Magento Security and Vulnerabilities Roman Stepanov http://ice.eltrino.com/ Table of contents Introduction Open Web Application Security Project OWASP TOP 10 List Common issues in Magento A1 Injection
More informationWEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY
WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities
More informationArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young
ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction
More informationSmart (and safe) Lighting:
Smart (and safe) Lighting: An Overview of Cyber Security October 29, 2015 Jason Brown CISO, Merit Network Agenda 2 The New Normal Discuss Methodologies of Security Recap Q & A Target Hack 3 40,000 credit
More informationCracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference
Cracking the Perimeter via Web Application Hacking Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference About 403 Labs 403 Labs is a full-service information security and compliance
More informationWEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services
WEB SITE SECURITY Jeff Aliber Verizon Digital Media Services 1 SECURITY & THE CLOUD The Cloud (Web) o The Cloud is becoming the de-facto way for enterprises to leverage common infrastructure while innovating
More informationSecurity Assessment through Google Tools -Focusing on the Korea University Website
, pp.9-13 http://dx.doi.org/10.14257/astl.2015.93.03 Security Assessment through Google Tools -Focusing on the Korea University Website Mi Young Bae 1,1, Hankyu Lim 1, 1 Department of Multimedia Engineering,
More informationAdobe Systems Incorporated
Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...
More informationHow to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering
How to break in Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering Time Agenda Agenda Item 9:30 10:00 Introduction 10:00 10:45 Web Application Penetration
More informationHardening Moodle. Concept and Realization of a Security Component in Moodle. a project by
Concept and Realization of a Security Component in Moodle a project by Andreas Gigli, Lars-Olof Krause, Björn Ludwig, Kai Neumann, Lars Schmidt and Melanie Schwenk 2 Agenda Plugin Installation in Moodle
More informationCyber Security & Data Privacy. January 22, 2014
Cyber Security & Data Privacy January 22, 2014 Today s Presenters Bob DiBella Director of Product Management Aclara Technologies Srinivasalu Ambati Application Architect, Consumer Engagement Aclara Technologies
More informationOWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741
OWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741 ME, MYSELF & I PHP Core Developer Author of Guide to PHP Security Security Aficionado THE CONUNDRUM USABILITY SECURITY YOU CAN HAVE ONE ;-) OPEN
More informationSuccessful Strategies for QA- Based Security Testing
Successful Strategies for QA- Based Security Testing Rafal Los Enterprise & Cloud Security Strategist HP Software 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject
More informationTesting the OWASP Top 10 Security Issues
Testing the OWASP Top 10 Security Issues Andy Tinkham & Zach Bergman, Magenic Technologies Contact Us 1600 Utica Avenue South, Suite 800 St. Louis Park, MN 55416 1 (877)-277-1044 info@magenic.com Who Are
More informationAddressing Cyber Security in Oracle Utilities Applications
Addressing Cyber Security in Oracle Utilities Applications Anthony Shorten Principal Product Manager Oracle Utilities Global Business Unit Sept, 2014 Safe Harbor Statement The following is intended to
More informationSichere Webanwendungen mit Java
Sichere Webanwendungen mit Java Karlsruher IT- Sicherheitsinitiative 16.07.2015 Dominik Schadow bridgingit Patch fast Unsafe platform unsafe web application Now lets have a look at the developers OWASP
More informationCloud Security:Threats & Mitgations
Cloud Security:Threats & Mitgations Vineet Mago Naresh Khalasi Vayana 1 What are we gonna talk about? What we need to know to get started Its your responsibility Threats and Remediations: Hacker v/s Developer
More informationDevelopment Processes (Lecture outline)
Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development
More informationWeb Application Vulnerability Testing with Nessus
The OWASP Foundation http://www.owasp.org Web Application Vulnerability Testing with Nessus Rïk A. Jones, CISSP rikjones@computer.org Rïk A. Jones Web developer since 1995 (16+ years) Involved with information
More informationHow To Fix A Web Application Security Vulnerability
Proposal of Improving Web Application Security in Context of Latest Hacking Trends RADEK VALA, ROMAN JASEK Department of Informatics and Artificial Intelligence Tomas Bata University in Zlin, Faculty of
More informationUsing Free Tools To Test Web Application Security
Using Free Tools To Test Web Application Security Speaker Biography Matt Neely, CISSP, CTGA, GCIH, and GCWN Manager of the Profiling Team at SecureState Areas of expertise: wireless, penetration testing,
More informationWeb Application Report
Web Application Report This report includes important security information about your Web Application. OWASP Top Ten 2010 The Ten Most Critical Web Application Report This report was created by IBM Rational
More informationA6- Sensitive Data Exposure
OWASP Vulnerabilities and Attacks Simplifie d: Business Manager Series Part 2 Have you heard of the times when Fantastic Frank from Randomland was furious? Money and critical data was being stolen from
More informationIs Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security
Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss Thinking Securely Security is a process, not
More informationModel-Based Vulnerability Testing for Web Applications
Model-Based Vulnerability Testing for Web Applications F. Lebeau, B. Legeard, F. Peureux, A. VERNOTTE FEMTO-ST Institute / University of Franche-Comté UMR CNRS 6174, 25030 Besancon, France. Smartesting
More informationSecure Coding in Node.js
Secure Coding in Node.js Advanced Edition Copyright 2015 nvisium LLC 590 Herndon Parkway Suite 120, Herndon VA 20170 571.353.7551 www.nvisium.com 1 Introduction Seth Law VP of Research & Development @
More informationWeb applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh
Web applications Web security: web basics Myrto Arapinis School of Informatics University of Edinburgh HTTP March 19, 2015 Client Server Database (HTML, JavaScript) (PHP) (SQL) 1 / 24 2 / 24 URLs HTTP
More informationWeb Application Attacks And WAF Evasion
Web Application Attacks And WAF Evasion Ahmed ALaa (EG-CERT) 19 March 2013 What Are We Going To Talk About? - introduction to web attacks - OWASP organization - OWASP frameworks - Crawling & info. gathering
More informationOWASP Top Ten Tools and Tactics
OWASP Top Ten Tools and Tactics Russ McRee Copyright 2012 HolisticInfoSec.org SANSFIRE 2012 10 JULY Welcome Manager, Security Analytics for Microsoft Online Services Security & Compliance Writer (toolsmith),
More informationPentests more than just using the proper tools
Pentests more than just using the proper tools Agenda 1. Information Security @ TÜV Rheinland 2. Penetration testing Introduction Evaluation scheme Security Analyses of web applications Internal Security
More informationEssential IT Security Testing
Essential IT Security Testing Application Security Testing for System Testers By Andrew Muller Director of Ionize Who is this guy? IT Security consultant to the stars Member of OWASP Member of IT-012-04
More informationWeb application testing
CL-WTS Web application testing Classroom 2 days Testing plays a very important role in ensuring security and robustness of web applications. Various approaches from high level auditing through penetration
More informationPentests more than just using the proper tools
Pentests more than just using the proper tools Agenda 1. Information Security @ TÜV Rheinland 2. Security testing 3. Penetration testing Introduction Evaluation scheme Security Analyses of web applications
More informationAnnex B - Content Management System (CMS) Qualifying Procedure
Page 1 DEPARTMENT OF Version: 1.5 Effective: December 18, 2014 Annex B - Content Management System (CMS) Qualifying Procedure This document is an annex to the Government Web Hosting Service (GWHS) Memorandum
More informationTable of Contents. Page 2/13
Page 1/13 Table of Contents Introduction...3 Top Reasons Firewalls Are Not Enough...3 Extreme Vulnerabilities...3 TD Ameritrade Security Breach...3 OWASP s Top 10 Web Application Security Vulnerabilities
More informationWhere every interaction matters.
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
More informationSecure development and the SDLC. Presented By Jerry Hoff @jerryhoff
Secure development and the SDLC Presented By Jerry Hoff @jerryhoff Agenda Part 1: The Big Picture Part 2: Web Attacks Part 3: Secure Development Part 4: Organizational Defense Part 1: The Big Picture Non
More informationWeb Application Security
Web Application Security A Beginner's Guide Bryan Sullivan Vincent Liu Mc r New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto Contents
More informationOverview of the Penetration Test Implementation and Service. Peter Kanters
Penetration Test Service @ ABN AMRO Overview of the Penetration Test Implementation and Service. Peter Kanters ABN AMRO / ISO April 2010 Contents 1. Introduction. 2. The history of Penetration Testing
More informationMaking your web application. White paper - August 2014. secure
Making your web application White paper - August 2014 secure User Acceptance Tests Test Case Execution Quality Definition Test Design Test Plan Test Case Development Table of Contents Introduction 1 Why
More informationNikolay Zaynelov Annual LUG-БГ Meeting 2015. nikolay.zaynelov.com nikolay@zaynelov.com
Nikolay Zaynelov Annual LUG-БГ Meeting 2015 nikolay.zaynelov.com nikolay@zaynelov.com Introduction What is WordPress WordPress is a free and open source content management system (CMS). It is the most
More informationCoverity Scan. Big Data Spotlight
Coverity Scan Big Data Spotlight Coverity Scan Service The Coverity Scan service began as the largest public-private sector research project in the world focused on open source software quality and security.
More informationSecure Programming Lecture 12: Web Application Security III
Secure Programming Lecture 12: Web Application Security III David Aspinall 6th March 2014 Outline Overview Recent failures More on authorization Redirects Sensitive data Cross-site Request Forgery (CSRF)
More informationHow to complete the Secure Internet Site Declaration (SISD) form
1 How to complete the Secure Internet Site Declaration (SISD) form The following instructions are designed to assist you in completing the SISD form that forms part of your Merchant application. Once completed,
More informationPenta Security 3rd Generation Web Application Firewall No Signature Required. www.gasystems.com.au
Penta Security 3rd Generation Web Application Firewall No Signature Required www.gasystems.com.au 1 1 The Web Presence Demand The Web Still Grows INTERNET USERS 2006 1.2B Internet Users - 18% of 6.5B people
More informationIntegrating Security into the Application Development Process. Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis
Integrating Security into the Application Development Process Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis Agenda Seek First to Understand Source Code Security AppSec and SQA Analyzing
More informationYour customers protected against cybercrime. New commercial opportunities for you
Your customers protected against cybercrime New commercial opportunities for you The vulnerability management solution for SMEs Through ThreadScan ThreadStone offers SMEs optimal security control of systems
More informationSix Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business
6 Six Essential Elements of Web Application Security Cost Effective Strategies for Defending Your Business An Introduction to Defending Your Business Against Today s Most Common Cyber Attacks When web
More informationHow To Write A Web Application Vulnerability Scanner And Security Auditor
ARGENTINA CHILE COLOMBIA MEXICO PANAMA PERU SPAIN USA VENEZUELA WAPITI Web application vulnerability scanner and Security auditor March 2010 www.gesfor.es www.grupogesfor.com1 Agenda Why is security necessary?
More informationPenetration testing systems since 1989
Pantone 641C Pantone 377C Penetration testing systems since 1989 Enex TestLab offers fully independent, cost effective and flexible penetration testing services. Our prices are compelling just ask but
More informationCollege Training Program
College Training Program Importance of Information Security Training There is only one way to keep your product plans safe and that is by having a trained, aware and a conscientious workforce. - Kevin
More informationMean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP
Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP Presentation Overview Basic Application Security (AppSec) Fundamentals Risks Associated With
More informationFrom the Bottom to the Top: The Evolution of Application Monitoring
From the Bottom to the Top: The Evolution of Application Monitoring Narayan Makaram, CISSP Director, Security Solutions HP/Enterprise Security Business Unit Session ID: SP01-202 Session 2012 Classification:
More informationReal World Java Web Security
Real World Java Web Security Java User Group Karlsruhe Dominik Schadow bridgingit Who thinks about architecture while coding? architecture before coding? Who thinks about security while coding? security
More informationCloud Security Framework (CSF): Gap Analysis & Roadmap
Cloud Security Framework (CSF): Gap Analysis & Roadmap Contributors: Suren Karavettil, Bhumip Khasnabish Ning So, Gene Golovinsky, Meng Yu & Wei Yinxing Please send comments & suggestions to Suren Karavettil
More informationExcellence Doesn t Need a Certificate. Be an. Believe in You. 2014 AMIGOSEC Consulting Private Limited
Excellence Doesn t Need a Certificate Be an 2014 AMIGOSEC Consulting Private Limited Believe in You Introduction In this age of emerging technologies where IT plays a crucial role in enabling and running
More informationOWASP AND APPLICATION SECURITY
SECURING THE 3DEXPERIENCE PLATFORM OWASP AND APPLICATION SECURITY Milan Bruchter/Shutterstock.com WHITE PAPER EXECUTIVE SUMMARY As part of Dassault Systèmes efforts to counter threats of hacking, particularly
More informationOut of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet
Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development
More informationHacking de aplicaciones Web
HACKING SCHOOL Hacking de aplicaciones Web Gabriel Maciá Fernández Fundamentos de la web CLIENTE SERVIDOR BROWSER HTTP WEB SERVER DATOS PRIVADOS BASE DE DATOS 1 Interacción con servidores web URLs http://gmacia:pass@www.ugr.es:80/descarga.php?file=prueba.txt
More informationNoSQL, But Even Less Security Bryan Sullivan, Senior Security Researcher, Adobe Secure Software Engineering Team
NoSQL, But Even Less Security Bryan Sullivan, Senior Security Researcher, Adobe Secure Software Engineering Team Agenda Eventual Consistency REST APIs and CSRF NoSQL Injection SSJS Injection NoSQL databases
More informationIntrusion detection for web applications
Intrusion detection for web applications Intrusion detection for web applications Łukasz Pilorz Application Security Team, Allegro.pl Reasons for using IDS solutions known weaknesses and vulnerabilities
More informationAPPLICATION SECURITY AND ITS IMPORTANCE
Table of Contents APPLICATION SECURITY AND ITS IMPORTANCE 1 ISSUES AND FIXES: 2 ISSUE: XSS VULNERABILITIES 2 ISSUE: CSRF VULNERABILITY 2 ISSUE: CROSS FRAME SCRIPTING (XSF)/CLICK JACKING 2 ISSUE: WEAK CACHE
More information05.0 Application Development
Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development
More informationWeb Security - Hardening estudy
Web Security - Hardening estudy Matthias Hecker, Andreas Schmidt, Philipp Promeuschel, Ivo Senner, Andre Rein, Bartosz Boron, Christian Ketter, Christian Thomas Weber Fachhochschule Giessen-Friedberg September
More informationETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001
001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110
More informationYour company protected against cybercrime
Your company protected against cybercrime SMEs are easy prey for cyber criminals Which entrepreneur doesn t sometimes become aware of the trouble a burglary in his company would cause? Solid locks on doors
More informationReducing Application Vulnerabilities by Security Engineering
Reducing Application Vulnerabilities by Security Engineering - Subash Newton Manager Projects (Non Functional Testing, PT CoE Group) 2008, Cognizant Technology Solutions. All Rights Reserved. The information
More informationWeb Hacking Incidents Revealed: Trends, Stats and How to Defend. Ryan Barnett Senior Security Researcher SpiderLabs Research
Web Hacking Incidents Revealed: Trends, Stats and How to Defend Ryan Barnett Senior Security Researcher SpiderLabs Research Ryan Barnett - Background Trustwave Senior Security Researcher Web application
More informationEthical Hacking as a Professional Penetration Testing Technique
Ethical Hacking as a Professional Penetration Testing Technique Rochester ISSA Chapter Rochester OWASP Chapter - Durkee Consulting, Inc. info@rd1.net 2 Background Founder of Durkee Consulting since 1996
More informationAttack Vector Detail Report Atlassian
Attack Vector Detail Report Atlassian Report As Of Tuesday, March 24, 2015 Prepared By Report Description Notes cdavies@atlassian.com The Attack Vector Details report provides details of vulnerability
More informationVIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES. AUTHOR: Chema Alonso
VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES AUTHOR: Chema Alonso Informática 64. Microsoft MVP Enterprise Security Hello and welcome to Intypedia.
More informationNetwork Security Exercise #8
Computer and Communication Systems Lehrstuhl für Technische Informatik Network Security Exercise #8 Falko Dressler and Christoph Sommer Computer and Communication Systems Institute of Computer Science,
More informationCloud Security Framework (CSF): Gap Analysis & Roadmap
Cloud Security Framework (CSF): Gap Analysis & Roadmap Contributors: Suren Karavettil, Bhumip Khasnabish Ning So, Gene Golovinsky, Meng Yu & Wei Yinxing Please send comments & suggestions to Suren Karavettil
More informationSitefinity Security and Best Practices
Sitefinity Security and Best Practices Table of Contents Overview The Ten Most Critical Web Application Security Risks Injection Cross-Site-Scripting (XSS) Broken Authentication and Session Management
More informationHack Proof Your Webapps
Hack Proof Your Webapps About ERM About the speaker Web Application Security Expert Enterprise Risk Management, Inc. Background Web Development and System Administration Florida International University
More informationTRAINING SERVICES elearning
SECURELY ENABLING BUSINESS Securely Enabling Your Business TRAINING SERVICES elearning Engaging and Effective Overview FishNet Security s Training Services team offers engaging, interactive elearning courses
More information(WAPT) Web Application Penetration Testing
(WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:
More informationApplication security testing: Protecting your application and data
E-Book Application security testing: Protecting your application and data Application security testing is critical in ensuring your data and application is safe from security attack. This ebook offers
More informationOWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp.
and Top 10 (2007 Update) Dave Wichers The Foundation Conferences Chair dave.wichers@owasp.org COO, Aspect Security dave.wichers@aspectsecurity.com Copyright 2007 - The Foundation This work is available
More informationBridging the Gap - Security and Software Testing. Roberto Suggi Liverani ANZTB Test Conference - March 2011
Bridging the Gap - Security and Software Testing Roberto Suggi Liverani ANZTB Test Conference - March 2011 1 Agenda Roberto, what test are you doing? Is this a defect, vulnerability or both? What can we
More informationIntegrating Security Testing into Quality Control
Integrating Security Testing into Quality Control Executive Summary At a time when 82% of all application vulnerabilities are found in web applications 1, CIOs are looking for traditional and non-traditional
More informationThomas Röthlisberger IT Security Analyst thomas.roethlisberger@csnc.ch
Thomas Röthlisberger IT Security Analyst thomas.roethlisberger@csnc.ch Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch What
More informationWHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6
WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL Ensuring Compliance for PCI DSS 6.5 and 6.6 CONTENTS 04 04 06 08 11 12 13 Overview Payment Card Industry Data Security Standard PCI Compliance for Web Applications
More informationTECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS
TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS Technical audits in accordance with Regulation 211/2011 of the European Union and according to Executional Regulation 1179/2011 of the
More informationFINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES
Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that
More informationTRAINING SERVICES elearning
Securely Enabling Your Business TRAINING SERVICES elearning Engaging and Effective Overview FishNet Security s Training Services team offers engaging, interactive elearning courses that cover a range of
More informationWeb Application Firewalls Evaluation and Analysis. University of Amsterdam System & Network Engineering MSc
Web Application Firewalls Evaluation and Analysis Andreas Karakannas Andreas.Karakanas@os3.nl George Thessalonikefs George.Thessalonikefs@os3.nl University of Amsterdam System & Network Engineering MSc
More informationMobile App Security. Using Threat Modeling to Review Mobile Devices and Apps. Copyright 2012 KRvW Associates, LLC
Mobile App Security Using Threat Modeling to Review Mobile Devices and Apps Your Instructor Ken van Wyk ken@krvw.com Work Experience 20+ years in Information Security l l l l CMU CERT/CC Founder DoD CERT
More informationSOFTARE SECURTY OF WEB APPLICATION AND WEB ATTACKS
SOFTARE SECURTY OF WEB APPLICATION AND WEB ATTACKS Hanım Eken Gazi University hanim.eken@os.gazi.edu.tr Abstract Today, thousands of applications world-wide web, and mobile media applications are used
More informationProject 2: Web Security Pitfalls
EECS 388 September 19, 2014 Intro to Computer Security Project 2: Web Security Pitfalls Project 2: Web Security Pitfalls This project is due on Thursday, October 9 at 6 p.m. and counts for 8% of your course
More informationSQuAD: Application Security Testing
SQuAD: Application Security Testing Terry Morreale Ben Whaley June 8, 2010 Why talk about security? There has been exponential growth of networked digital systems in the past 15 years The great things
More informationBad Romance: Three Reasons Hackers <3 Your Web Apps & How to Break Them Up
Bad Romance: Three Reasons Hackers
More informationWHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats
WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top
More informationWeb application security
Web application security Sebastian Lopienski CERN Computer Security Team openlab and summer lectures 2010 (non-web question) Is this OK? int set_non_root_uid(int uid) { // making sure that uid is not 0
More informationPassing PCI Compliance How to Address the Application Security Mandates
Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These
More informationEnterprise Application Security Program
Enterprise Application Security Program GE s approach to solving the root cause and establishing a Center of Excellence Darren Challey GE Application Security Leader Agenda Why is AppSec important? Why
More informationIT Security Conference Romandie - Barracuda Securely Publishing Web Application a field dedicated to expert only?
IT Security Conference Romandie - Barracuda Securely Publishing Web Application a field dedicated to expert only? Antoine Donzé Sales Engineer Switzerland & North Africa Mid-market organizations are increasingly
More informationWeb Application Security
Web Application Security Security Mitigations Halito 26 juni 2014 Content Content... 2 Scope of this document... 3 OWASP Top 10... 4 A1 - Injection... 4... 4... 4 A2 - Broken Authentication and Session
More information