Why and how we are investing in Application Security Testing
|
|
- Garry McDaniel
- 7 years ago
- Views:
Transcription
1 Why and how we are investing in Application Security Testing 1
2 What I am going to talk about Software testing at the Tax Agency Prestudy of Application Security Testing (AST) and choices Pilot Project for Testing Results and Conclusion
3 Saeid Mojtahedzadeh Senior Test Manager, Test Strategist and Test specialist 20 years of testing experience in IT, telecom and finance AT Ericsson telecom, Telia AB, CSC(Computer Sciences Corporation),Tele2 AB, OMX Nasdaq, Nexus security, Sogeti AB and Tax Authority in Sweden Certified Project Manager and Scrum Master. Testing and quality manager for large and strategic projects from system testing to the acceptance test level. As a test specialist, I have worked with testing process improvement, different test methodology, test tools, test data management, test environments, test automation and application security testing.
4 General Test Strategy at the Tax Agency Product risks: FOCUS on faults and errors which have the greatest impact at application TEST Deliverables Requirements: Use Cases Supplementary Requirements System Architecture Design Information model Analysis model Design model Service specification Data model
5 SR for system development projects Supplementary Requirements: Usability Reliability Performance Supportability Design Constraints User Documentation Interfaces (HW, SW, communications & User) Licensing Requirements Applicable Standards Storage period of data Access control in order to protect data Legal Requirements Security
6 How software development and testing is done today Production System test System integration test Acceptance test Unit test Integration test Development Test Business Units Clients / Operations
7 Do we need to start with AST? Functional testing Non functional testing - Performance etc.. Web and Browser testing Automated regression and system testing What about security then? Is it covered according to supplementary specifications?
8 Decision to start with a prestudy Overview of different options for AST within the Tax Agency Consultation with other stakeholders in the field of application security Must be based on industry standards Include processes, organization, tools and legal issues
9 Prestudy: Application Security Strategies P r o a c t i v e SSDL: Secure Software Development Lifecycle SAST: Static Application Security Testing DAST: Dynamic Application Security Testing (IAST): Interactive Application Security Testing Monitoring: logs, events, network traffic etc. Reactive
10 Prestudy: Risk management standards are important! OWASP A1-Injection A2-Broken Authentication and Session Management A3-Cross-Site Scripting (XSS) A4-Insecure Direct Object References A5-Security Misconfiguration A6-Sensitive Data Exposure A7-Missing Function Level Access Control A8-Cross-Site Request Forgery (CSRF) A9-Using Components with Known Vulnerabilities A10-Unvalidated Redirects and Forwards CWE 1003 entries Contains vulnerability TYPES connected to OWASP categories
11 Current state: Test of application security Mission from Government Tax Agency Mission Plan Internal regulations, guidelines and process descriptions Coordination between projects and departments No guidelines or official processes Mission carried out
12 Prestudy: Three alternatives suggested Internal function employ, re-use or educate internal security competence External function purchase AST as a service handling the security test step with expertise Tool box by the Tax Agency chosen security tools which will be available for employees External functions goes hand in hand with the strategy of the Tax Agency as a whole
13 Pilot projects Projects with different size and development status: Acceptance test Development test System test Presenting the test process Not aiming at security as test, but the test process itself Test carried out on three chosen (live) projects
14 The result of Pilot projects Integrated well in different projects Little time spent by development projects Reporting according to standards gave easy measurements Input for software development and testing guidelines End of pilot = ready to run live tests for development projects
15 What happens next Offering AST internally as a service It offers security testing in software development and testing Marketing activities inside of the IT organization How to get projects interested? Cost effective and quick delivery Necessary to do it Two parallel tracks: Update the test process guidelines Run security tests and get projects used to the tests
16 Lessons Learned With risk in mind Requirements important Competence to execute Updated Test Communicate Implement in SDLC Cost on projects Marketing internally is important! Get people onboard!
17 Thank you!?
SWAT PRODUCT BROCHURE
SWAT PRODUCT BROCHURE WEB APPLICATION SECURITY Web application security has been a huge challenge for companies during the last couple of years since there are very few competent solutions available in
More informationUsing an Open Source Threat Model for Prioritized Defense
SESSION ID: STR-R04 Using an Open Source Threat Model for Prioritized Defense James Tarala Principal Consultant Enclave Security @isaudit Problem Statements In information assurance today, there are no
More informationVIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES. AUTHOR: Chema Alonso
VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES AUTHOR: Chema Alonso Informática 64. Microsoft MVP Enterprise Security Hello and welcome to Intypedia.
More informationHow To Understand And Understand The Security Of A Web Browser (For Web Users)
Security vulnerabilities: should they be early detected? - lsampaio@inf.puc-rio.br Alessandro Garcia afgarcia@inf.puc-rio.br OPUS Research Group Agenda 1. Background; 2.Motivation; 3.Research Questions;
More informationAdobe Systems Incorporated
Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...
More informationCTERA End-to-End Security. Whitepaper by CTERA Networks
CTERA End-to-End Security Whitepaper by CTERA Networks Copyright 2009-2012 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any form or by any means without written
More informationIntegrating Application Security into the Mobile Software Development Lifecycle. WhiteHat Security Paper
Integrating Application Security into the Mobile Software Development Lifecycle WhiteHat Security Paper Keeping pace with the growth of mobile According to the November 2015 edition of the Ericsson Mobility
More informationMagenTys Testing Services Page 2
Testing Services CONTENTS 1 MAGENTYS... 3 2 COMPANY DETAILS... 4 2.1 Overview... 4 2.2 ETHICS and values... 4 3 Services... 5 3.1 Test Automation... 5 3.1.1 Test Automation Framework and Automated Test
More informationModel-Based Vulnerability Testing for Web Applications
Model-Based Vulnerability Testing for Web Applications F. Lebeau, B. Legeard, F. Peureux, A. VERNOTTE FEMTO-ST Institute / University of Franche-Comté UMR CNRS 6174, 25030 Besancon, France. Smartesting
More informationMean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP
Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP Presentation Overview Basic Application Security (AppSec) Fundamentals Risks Associated With
More informationMagento Security and Vulnerabilities. Roman Stepanov
Magento Security and Vulnerabilities Roman Stepanov http://ice.eltrino.com/ Table of contents Introduction Open Web Application Security Project OWASP TOP 10 List Common issues in Magento A1 Injection
More informationMaking your web application. White paper - August 2014. secure
Making your web application White paper - August 2014 secure User Acceptance Tests Test Case Execution Quality Definition Test Design Test Plan Test Case Development Table of Contents Introduction 1 Why
More informationBetter Software Though Expertise, Collaboration & Automation. BDD, DevOps and Testing
Better Software Though Expertise, Collaboration & Automation BDD, DevOps and Testing CONTENTS 1 MAGENTYS... 3 2 TESTING SERVICES... 4 2.1 Test Automation... 5 2.1.1 Test Automation Framework and Automated
More informationA Strategic Approach to Web Application Security The importance of a secure software development lifecycle
A Strategic Approach to Web Application Security The importance of a secure software development lifecycle Rachna Goel Technical Lead Enterprise Technology Web application security is clearly the new frontier
More informationTECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS
TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS Technical audits in accordance with Regulation 211/2011 of the European Union and according to Executional Regulation 1179/2011 of the
More informationApplication Security Testing How to find software vulnerabilities before you ship or procure code
Application Security Testing How to find software vulnerabilities before you ship or procure code Anita D Amico, Ph.D. Hassan Radwan 1 Overview Why Care About Application Security? Quality vs Security
More informationThe Electronic Arms Race of Cyber Security 4.2 Lecture 7
The Electronic Arms Race of Cyber Security 4.2 Lecture 7 ISIMA Clermont-Ferrand / 04-February 2011 Copyright 2011 Dr. Juergen Hirte List of Content Why Process Automation Security? Security Awareness Issues
More informationRemediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost? Dan Cornell Denim Group, Ltd. Session ID: ASEC-302 Session Classification: Intermediate Agenda An Innocent Question Finding a
More informationWHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats
WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top
More informationA Strategic Approach to Web Application Security
WhiteHat Security White Paper A Strategic Approach to Web Application Security Extending security across the entire software development lifecycle Jerry Hoff WhiteHat Security The problem: websites are
More informationOWASP Top Ten Tools and Tactics
OWASP Top Ten Tools and Tactics Russ McRee Copyright 2012 HolisticInfoSec.org SANSFIRE 2012 10 JULY Welcome Manager, Security Analytics for Microsoft Online Services Security & Compliance Writer (toolsmith),
More informationCyber Security & Data Privacy. January 22, 2014
Cyber Security & Data Privacy January 22, 2014 Today s Presenters Bob DiBella Director of Product Management Aclara Technologies Srinivasalu Ambati Application Architect, Consumer Engagement Aclara Technologies
More informationExcellence Doesn t Need a Certificate. Be an. Believe in You. 2014 AMIGOSEC Consulting Private Limited
Excellence Doesn t Need a Certificate Be an 2014 AMIGOSEC Consulting Private Limited Believe in You Introduction In this age of emerging technologies where IT plays a crucial role in enabling and running
More informationReducing Application Vulnerabilities by Security Engineering
Reducing Application Vulnerabilities by Security Engineering - Subash Newton Manager Projects (Non Functional Testing, PT CoE Group) 2008, Cognizant Technology Solutions. All Rights Reserved. The information
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationOverview of the Penetration Test Implementation and Service. Peter Kanters
Penetration Test Service @ ABN AMRO Overview of the Penetration Test Implementation and Service. Peter Kanters ABN AMRO / ISO April 2010 Contents 1. Introduction. 2. The history of Penetration Testing
More informationArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young
ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction
More informationOWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741
OWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741 ME, MYSELF & I PHP Core Developer Author of Guide to PHP Security Security Aficionado THE CONUNDRUM USABILITY SECURITY YOU CAN HAVE ONE ;-) OPEN
More informationSTS Federal Government Consulting Practice IV&V Offering
STS Federal Government Consulting Practice IV&V Offering WBE Certified GSA Contract GS-35F-0108T For information Please contact: gsa70@stsv.com 2007 by STS, Inc. Outline Background on STS What is IV&V?
More informationSix Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business
6 Six Essential Elements of Web Application Security Cost Effective Strategies for Defending Your Business An Introduction to Defending Your Business Against Today s Most Common Cyber Attacks When web
More informationEVALUATION SECURITY OF THE U.S. DEPARTMENT OF THE INTERIOR S PUBLICLY ACCESSIBLE INFORMATION TECHNOLOGY SYSTEMS
EVALUATION SECURITY OF THE U.S. DEPARTMENT OF THE INTERIOR S PUBLICLY ACCESSIBLE INFORMATION TECHNOLOGY SYSTEMS This is a revised version of the report prepared for public release. Report No.: ISD-IN-MOA-0004-2014
More informationDevelopment. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group,
Secure and Resilient Software Development Mark S. Merkow Lakshmikanth Raghavan CRC Press Taylor& Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor St Francis Group, an Informs
More informationWhere every interaction matters.
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
More informationelearning for Secure Application Development
elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security
More informationGuide for the attention of developers/hosts for merchant websites on the minimum level of security for bank card data processing
Guide for the attention of developers/hosts for merchant websites on the minimum level of security for bank card data processing Foreword This guide in no way intends to replace a PCI DSS certification
More informationUsing Free Tools To Test Web Application Security
Using Free Tools To Test Web Application Security Speaker Biography Matt Neely, CISSP, CTGA, GCIH, and GCWN Manager of the Profiling Team at SecureState Areas of expertise: wireless, penetration testing,
More informationSmart (and safe) Lighting:
Smart (and safe) Lighting: An Overview of Cyber Security October 29, 2015 Jason Brown CISO, Merit Network Agenda 2 The New Normal Discuss Methodologies of Security Recap Q & A Target Hack 3 40,000 credit
More informationHow to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP
How to start a software security initiative within your organization: a maturity based and metrics driven approach Marco Morana OWASP Lead/ TISO Citigroup OWASP Application Security For E-Government Copyright
More informationTest Automation. Full service delivery for faster testing at optimum cost
Test Automation Full service delivery for faster testing at optimum cost To safeguard their competitive edge in today s information economy, organizations must constantly improve their products and services.
More informationWEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services
WEB SITE SECURITY Jeff Aliber Verizon Digital Media Services 1 SECURITY & THE CLOUD The Cloud (Web) o The Cloud is becoming the de-facto way for enterprises to leverage common infrastructure while innovating
More informationThe Security Development Lifecycle at SAP How SAP Builds Security into Software Products
SAP Security Concepts and Implementation The Security Development Lifecycle at SAP How SAP Builds Security into Software Products Table of Contents 4 Integrating Security Right from the Start 4 Establishing
More informationDetecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008
Detecting Web Application Vulnerabilities Using Open Source Means OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Kostas Papapanagiotou Committee Member OWASP Greek Chapter conpap@owasp.gr
More informationWeb Application Security
Web Application Security A Beginner's Guide Bryan Sullivan Vincent Liu Mc r New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto Contents
More informationSoftware & Supply Chain Assurance: Mitigating Risks Attributable to Exploitable ICT / Software Products and Processes
Software & Supply Chain Assurance: Mitigating Risks Attributable to Exploitable ICT / Software Products and Processes Joe Jarzombek, PMP, CSSLP Director for Software & Supply Chain Assurance Stakeholder
More informationHow To Test A Computer System On A Microsoft Powerbook 2.5 (Windows) (Windows 2) (Powerbook 2) And Powerbook 1.5.1 (Windows 3) (For Windows) (Programmer) (Or
2014 Guide For Testing Your Software Security and Software Assessment Services (SSAS) Usability Testing Sections Installation and Un-Installation Software Documentation Test Cases or Tutorial Graphical
More informationSoftware Quality Testing Course Material
Prepared by Vipul Jain Software Quality Testing Course Material Course content is designed and will be taught in such a manner in order to make a person job ready in around 10-12 weeks. Classroom sessions
More informationHow To Fix A Web Application Security Vulnerability
Proposal of Improving Web Application Security in Context of Latest Hacking Trends RADEK VALA, ROMAN JASEK Department of Informatics and Artificial Intelligence Tomas Bata University in Zlin, Faculty of
More informationPreventive Approach for Web Applications Security Testing OWASP 10/30/2009. The OWASP Foundation http://www.owasp.org
Preventive Approach for Web Applications Security Testing 10/30/2009 Luiz Otávio Duarte Ferrucio de Franco Rosa Walcir M. Cardoso Jr. Renato Archer Information Technology Center Brazilian Ministry of Science
More informationSuccessful Strategies for QA- Based Security Testing
Successful Strategies for QA- Based Security Testing Rafal Los Enterprise & Cloud Security Strategist HP Software 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject
More informationStarting your Software Security Assurance Program. May 21, 2015 ITARC, Stockholm, Sweden
Starting your Software Security Assurance Program May 21, 2015 ITARC, Stockholm, Sweden Presenter Max Poliashenko Chief Enterprise Architect Wolters Kluwer, Tax & Accounting Max leads the Enterprise Architecture
More informationWeb Application Penetration Testing
Web Application Penetration Testing 2010 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Will Bechtel William.Bechtel@att.com
More informationSAST, DAST and Vulnerability Assessments, 1+1+1 = 4
SAST, DAST and Vulnerability Assessments, 1+1+1 = 4 Gordon MacKay Digital Defense, Inc. Chris Wysopal Veracode Session ID: Session Classification: ASEC-W25 Intermediate AGENDA Risk Management Challenges
More informationDFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)
Title: Functional Category: Information Technology Services Issuing Department: Information Technology Services Code Number: xx.xxx.xx Effective Date: xx/xx/2014 1.0 PURPOSE 1.1 To appropriately manage
More informationSecurity Testing for Developers using OWASP ZAP
JavaOne San Fransisco 2014 The OWASP Foundation http://www.owasp.org Security Testing for Developers using OWASP ZAP Simon Bennetts OWASP ZAP Project Lead Mozilla Security Team psiinon@gmail.com Copyright
More information05.0 Application Development
Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development
More informationIT Security Conference Romandie - Barracuda Securely Publishing Web Application a field dedicated to expert only?
IT Security Conference Romandie - Barracuda Securely Publishing Web Application a field dedicated to expert only? Antoine Donzé Sales Engineer Switzerland & North Africa Mid-market organizations are increasingly
More informationApplication Security Testing as a Foundation for Secure DevOps
Application Security Testing as a Foundation for Secure DevOps White Paper - April 2016 Introduction Organizations realize that addressing the risk of attacks on their Website applications is critical.
More informationDevelopment Processes (Lecture outline)
Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development
More informationEstablishing your Automation Development Lifecycle
Establishing your Automation Development Lifecycle Frequently I engage clients in assessing and improving their automation efforts. The discussion normally starts from a position of frustration We ve invested
More informationImproving your Secure SDLC ( SSDLC ) with Prevoty. How adding real-time application security dramatically decreases vulnerabilities
Improving your Secure SDLC ( SSDLC ) with Prevoty How adding real-time application security dramatically decreases vulnerabilities February 2015 Improving your Secure SDLC ( SSDLC ) with Prevoty Table
More informationBusiness Analysis Manager - IT
Business Analysis Manager - IT It s about you Are you a business professional who knows how to lead teams to help nontechnical colleagues to solve problems using technology? Are you are a logical thinker
More informationKey Points. Indicative productivity has more than doubled in the team by using Agile SCRUM and TFS
Case study - Team Foundation Server and Agile Communications giant increases software development productivity, customer transparency and builds team spirit with Agile SCRUM and Team Foundation Server
More informationWEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY
WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities
More informationWhite Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers
White Paper Guide to PCI Application Security Compliance for Merchants and Service Providers Contents Overview... 3 I. The PCI DSS Requirements... 3 II. Compliance and Validation Requirements... 4 III.
More informationWeb Application Report
Web Application Report This report includes important security information about your Web Application. OWASP Top Ten 2010 The Ten Most Critical Web Application Report This report was created by IBM Rational
More information"Data Manufacturing: A Test Data Management Solution"
W14 Concurrent Session 5/4/2011 3:00 PM "Data Manufacturing: A Test Data Management Solution" Presented by: Fariba Alim-Marvasti Aetna Healthcare Brought to you by: 340 Corporate Way, Suite 300, Orange
More informationCHAPTER 9. DEVELOPING IT SY STEM S Bringing IT System s to Life
CHAPTER 9 DEVELOPING IT SY STEM S Bringing IT System s to Life 9-2 Introduction Every Organization Is Using Information Technology But IT systems don t magically appear. Organizations spend billions of
More informationLatin ISRM EFFECTIVE APPLICATION SECURITY STRATEGY FOR MANAGING ONGOING PCI-DSS 2.0 COMPLIANCE
Latin ISRM EFFECTIVE APPLICATION SECURITY STRATEGY FOR MANAGING ONGOING PCI-DSS 2.0 COMPLIANCE ASHIT DALAL, PCI-DSS QSA, CRISC, CGEIT, CISM, CISA, CSSA, CPEA Sr. Manager & Managing Consultant K3DES LLC,
More informationAnnex B - Content Management System (CMS) Qualifying Procedure
Page 1 DEPARTMENT OF Version: 1.5 Effective: December 18, 2014 Annex B - Content Management System (CMS) Qualifying Procedure This document is an annex to the Government Web Hosting Service (GWHS) Memorandum
More informationOffshore Delivery of TTCN-3 Testing Services
Offshore Delivery of TTCN-3 Testing Services Miguel Ramos miguel.ramos@mtp.es TTCN-3 User Conference 2009 3 5 June 2009 ETSI, Sophia Antipolis, France Index About Us : Métodos y Tecnología (MTP) MTP Delivery
More informationJVA-122. Secure Java Web Development
JVA-122. Secure Java Web Development Version 7.0 This comprehensive course shows experienced developers of Java EE applications how to secure those applications and to apply best practices with regard
More informationISSECO Syllabus Public Version v1.0
ISSECO Syllabus Public Version v1.0 ISSECO Certified Professional for Secure Software Engineering Date: October 16th, 2009 This document was produced by the ISSECO Working Party Syllabus Introduction to
More informationAddressing Cyber Security in Oracle Utilities Applications
Addressing Cyber Security in Oracle Utilities Applications Anthony Shorten Principal Product Manager Oracle Utilities Global Business Unit Sept, 2014 Safe Harbor Statement The following is intended to
More informationPromoting Application Security within Federal Government. AppSec DC November 13, 2009. The OWASP Foundation http://www.owasp.org
Promoting Application Security within Federal Government AppSec DC November 13, 2009 Dr. Sarbari Gupta, CISSP, CISA Founder/President Electrosoft sarbari@electrosoft-inc.com 703-437-9451 ext 12 The Foundation
More informationCloud Security Framework (CSF): Gap Analysis & Roadmap
Cloud Security Framework (CSF): Gap Analysis & Roadmap Contributors: Suren Karavettil, Bhumip Khasnabish Ning So, Gene Golovinsky, Meng Yu & Wei Yinxing Please send comments & suggestions to Suren Karavettil
More informationWHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6
WHITE PAPER FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6 Ensuring compliance for PCI DSS 6.5 and 6.6 Page 2 Overview Web applications and the elements surrounding them
More informationWeb Application Attacks and Countermeasures: Case Studies from Financial Systems
Web Application Attacks and Countermeasures: Case Studies from Financial Systems Dr. Michael Liu, CISSP, Senior Application Security Consultant, HSBC Inc Overview Information Security Briefing Web Applications
More informationIntegrating Security Testing into Quality Control
Integrating Security Testing into Quality Control Executive Summary At a time when 82% of all application vulnerabilities are found in web applications 1, CIOs are looking for traditional and non-traditional
More information2015 Vulnerability Statistics Report
2015 Vulnerability Statistics Report Introduction or bugs in software may enable cyber criminals to exploit both Internet facing and internal systems. Fraud, theft (financial, identity or data) and denial-of-service
More informationSubmission: Consultation on the Standing Offer Agreement for Quality Professional Service 2 (SOA QPS2)
Submission: Consultation on the Standing Offer Agreement for Quality Professional Service 2 (SOA QPS2) Office of the Government Chief Information Officer, Government of Hong Kong Special Administrative
More informationSecuring Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group
Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability
More informationFortify Training Services. Securing Your Entire Software Portfolio FRAMEWORK*SSA
Fortify Training Services Securing Your Entire Software Portfolio FRAMEWORK*SSA Fortify s holistic approach to application security truly safeguards our enterprise against today s ever-changing security
More informationSecure development and the SDLC. Presented By Jerry Hoff @jerryhoff
Secure development and the SDLC Presented By Jerry Hoff @jerryhoff Agenda Part 1: The Big Picture Part 2: Web Attacks Part 3: Secure Development Part 4: Organizational Defense Part 1: The Big Picture Non
More informationSecurity Assessment through Google Tools -Focusing on the Korea University Website
, pp.9-13 http://dx.doi.org/10.14257/astl.2015.93.03 Security Assessment through Google Tools -Focusing on the Korea University Website Mi Young Bae 1,1, Hankyu Lim 1, 1 Department of Multimedia Engineering,
More informationSecure Coding in Node.js
Secure Coding in Node.js Advanced Edition Copyright 2015 nvisium LLC 590 Herndon Parkway Suite 120, Herndon VA 20170 571.353.7551 www.nvisium.com 1 Introduction Seth Law VP of Research & Development @
More informationSecurity Testing & Load Testing for Online Document Management system
1 Security Testing & Load Testing for Online Document Management system Abstract The client is a leading provider of online technical documentation solutions in UK, they wanted to protect their documents
More informationQuality Assurance - Karthik
Prevention is better than cure Quality Assurance - Karthik This maxim perfectly explains the difference between quality assurance and quality control. Quality Assurance is a set of processes that needs
More informationSecurity Content Automation Protocol for Governance, Risk, Compliance, and Audit
UNCLASSIFIED Security Content Automation Protocol for Governance, Risk, Compliance, and Audit presented by: Tim Grance The National Institute of Standards and Technology UNCLASSIFIED Agenda NIST s IT Security
More informationImplementation Strategy
Implementation Strategy http://www.bestpractices.cahwnet.gov/primary%20processes/5-syst%20implementation/impl%20strategy.htm Page 1 of 2 Implementation Strategy The implementation strategy defines the
More informationWeb Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure
Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences
More informationSECURITY AND RISK MANAGEMENT
SECURITY AND RISK MANAGEMENT IN AGILE SOFTWARE DEVELOPMENT SATURN 2012 Conference (#SATURN2012) Srini Penchikala (@srinip) 05.10.12 #WHOAMI Security Architect @ Financial Services Organization Location:
More informationSERENA SOFTWARE Serena Service Manager Security
SERENA SOFTWARE Serena Service Manager Security 2014-09-08 Table of Contents Who Should Read This Paper?... 3 Overview... 3 Security Aspects... 3 Reference... 6 2 Serena Software Operational Security (On-Demand
More informationEssential IT Security Testing
Essential IT Security Testing Application Security Testing for System Testers By Andrew Muller Director of Ionize Who is this guy? IT Security consultant to the stars Member of OWASP Member of IT-012-04
More informationService Definition: Agile Business Services
Service Definition: Service Definition: Description: Sogeti s offers a tailored approach to agile support whether you need help with agile development, testing, or both. Our comprehensive coaching and
More informationTHE WEB HACKING INCIDENTS DATABASE 2009
THE WEB HACKING INCIDENTS DATABASE 2009 BI-ANNUAL REPORT AUGUST 2009 Breach Security, Inc. Corporate Headquarters 2141 Palomar Airport Road, #200 Carlsbad, CA 92011 USA tel: (760) 268-1924 toll-free: (866)
More informationBeyond ISO 27034 - Intel's Product Security Maturity Model (PSMM)
Beyond ISO 27034 - Intel's Product Security Maturity Model (PSMM) Harold Toomey Sr. Product Security Architect & PSIRT Manager Intel Corp. 2 October 2015 @NTXISSA #NTXISSACSC3 Agenda Application / Product
More informationBusiness Solutions Manager Self and contribution to Team. Information Services
POSITION DESCRIPTION Position Title: Responsible To: Responsible For Agile Test Analyst Business Solutions Manager Self and contribution to Team Position Purpose: The Agile Test Analyst is responsible
More informationApplication Security Audit Fault Injection Model, Fuzz Generators & Static Code Analysis. Training Brochure
Application Security Audit Fault Injection Model, Fuzz Generators & Static Code Analysis Training Brochure Synopsis This Four-day practical training is designed for Information Systems auditors, application
More informationTransforming industries: energy and utilities. How the Internet of Things will transform the utilities industry
Transforming industries: energy and utilities How the Internet of Things will transform the utilities industry GETTING TO KNOW UTILITIES Utility companies are responsible for managing the infrastructure
More informationPoints of View. CxO s point of view. Developer s point of view. Attacker s point of view
Web App Security 2 CxO s point of view Points of View Measurable security SCAP (Security Content Automation Protocol) Developer s point of view Secure coding/software security CWE (Common Weakness Enumeration)
More information