white SECURITY TESTING WHITE PAPER
|
|
- Cody Carter
- 8 years ago
- Views:
Transcription
1 white SECURITY TESTING WHITE PAPER
2 Contents: Introduction...3 The Need for Security Testing...4 Security Scorecards...5 Test Approach Framework Project Initiation Process Conclusion Our Expertise Appendix References... 21
3 Introduction Applications or networks always have security leaks which can cause severe damage to companies and lose important data due to these being open to outside world. Application/product security often relate to business-critical information because these require high level of security. But, with considerably less time in delivering the applications/products, thorough security audit and security assessments are often omitted. Because of these security flaws, organizations can go into legal exposure and there could be life ending situation also. Security testing and auditing with proper analysis is necessary and critical in eliminating most of the software flaws. This paper outlines a framework created by ZENQ team and on how security testing takes place in order to establish a strategy and approach by following industry standards.
4 The Need for Security Testing Implementing information security measures are becoming more difficult due to the huge number of possible information security threats connected to the use of the Internet. Table below describes the % of vulnerabilities across different industries with average number of days to fix the issues Figure 1. The Current state of Web Site Security Sorted by industry
5 Security Scorecards
6
7
8
9 MOST COMMON VULNERABILITIES The below figure depicts the most prevalent vulnerability classes calculated based on the percentage occurrence of at least one instance being found within any given website
10 When Information Security measures are implemented, application should be tested for external intrusion issues using methods like: XSS (Cross site scripting) Failure to restrict URL access Insecure Direct Object Reference Cross Site Request Forgery Direct SQL code injection in the web page SQL injection in the site address (url sql injection) Password cracking using decryption systems Guessing the web site session id (session prediction) Buffer overflow In general there are four basic security requirements which need to be addressed: Confidentiality: Unauthorised users are restricted from viewing the sensitive information. Integrity: Only authorized users or processes are permitted to modify data. Availability: Availability is a requirement that is often neglected when thinking about security. However, productivity of users decreases dramatically if network-based applications are not available or too slow because of denial-of-service attacks. If, for example, a web-based e-learning system is slow, users do not only require more time to do their work, but they also become frustrated, increasing the negative effect on productivity. Non-Repudiation: Users are unable to deny having carried out operations. For instance, whenever grades of students are changed, it must be possible to reliably trace who has performed the modification To overcome these attacks, early and frequent security analysis is needed At ZENQ we perform comprehensive test to make sure that Confidentiality, Integrity & Availability of the application are protected against Security breaches, with our specially designed test approach
11 Test Approach In order to combat the security threats in applications, the security testing has to be conducted so that appropriate measures can be taken to eliminate vulnerabilities before they are exploited. The Security testing specialists here at ZenQ, have come up with a structured approach for security testing.our approach is based on industry wide standards, best practices and methodologies such as OWASP, WASC, SANS & NIST. Indicated in the Figure1.1 below of the security testing methodology that we follow to minimize the risk of security breach and improve the security stature of the applications under test (AUT) and the phases are briefly described subsequently. Figure 1.1: Process Flow
12 Phase 1: Threat Modelling The initial phase of conducting penetration testing would include threat modeling of web/mobile applications i.e. to identify threats, attacks, vulnerabilities and countermeasures that could affect the application. The process is two-fold: Define Scope: We begin by gathering information below about the critical assets, target applications from client expectations document and then conduct further evaluation to define scope (Important assets/functionalities and their relative values, Areas of concern to the assets known vulnerabilities, if any) for the testing effort. Threat Profiles: The next step is to list out all the possible threats to the application. In addition, also determine possible goals of the adversary in attacking the application, which in turn would assist in identifying the vulnerabilities that exist as a result of these goals. The identified threats are classified using the STRIDE model and thread profile is created. The Threat profile created will include the following attributes: Asset Critical functionality/feature of the application under test Actor - Who or what may violate security requirements such as confidentiality, integrity and availability of an asset Motive (optional) Indication of whether the actor s intentions are deliberate or accidental Access control How the asset (functionality/feature) will be accessed by the actor Outcome Immediate result of violating the security requirements of an asset i.e. disclosure, modification, destruction, loss, interruption etc.
13 Phase 2: Test Plan Once the Threat model is reviewed and established, we move forward with the test planning. A detailed test plan will be created will cover overall strategy in execution, deliverables, test cases and effort to conduct penetration testing. Test Strategy: Test Strategy included as a part of the Test Plan, describes the scope, approach, resources and schedule for the testing activities of the project. It also includes defining what will be tested, who will perform testing, how testing will be managed, and the associated risks and contingencies. Test Design: The Probability of occurrence of the event & Risk associated with each occurrence are taken into account when designing the Tests. Test cases: Once the threat profile is ready, the attack techniques to try out are determined, For each threat in the threat profile, we list down all the possible ways of realizing it. For example, we can try to view another user s account information by either an SQL injection attack or by manipulating the request variables or by accessing the information from the browser cache. The complete list of exact test cases that will be tried out for each threat are included as a part of the Test plan. Each test case will specify the page and the variable where the test will be tried out. This detailed test plan serves an important purpose: it ensures a thorough test is carried out and that no attack vector for any threat is left unexplored.
14 Each Test case will be comprised of the following: Threat scenario Pages/functionalities for which threat will have affect Associated attacks to be performed for each threat scenario Phase 3: Test Execution With the complete test plan reviewed and agreed upon with the client, the penetration software testing activity will be carried out by executing each test case from the test plan. As each test case is executed, there may be a need for more tests to confirm the results. Test Execution includes: Identification of vulnerabilities based on the attack performed, Exploitations, Exfiltration of data, if any
15 Phase 4: Result Reporting Upon completion of the test execution, root cause analysis will be done and recommendations on how vulnerabilities can be addressed will be determined. Detailed reports will then be prepared, based on which the application can be secured. Following are the reports are provided to the client upon completion of the Testing: Technical Review Report : Along with the vulnerabilities observed, the report also has the details of the impact it would have on the business, ease of exploiting it and risk rating. It also describes how the exploit was carried out with steps and screenshots wherever required and recommendations on how the vulnerability can be fixed. Executive Review Report : A high level report which describes about the process followed in security testing and would also have risk rating of the application from the business perspective. The Risk Rating Matrix that we utilize for ranking the risks is described in the Appendix.
16 Framework The framework consists of set of components that combine to achieve the structured approach for conducting security tests efficiently and effectively. The logical architecture and set of underlying components of the framework that combine to achieve the structured utilized by ZENQ s Security test team is depicted in the Figure below and the components are briefly explained subsequently.
17 Project Initiation Process Initial Call Discusses about the Security Testing Service Offering Understands the client requirements Test Proposal Creation of security test proposal Submit the security test proposal for client's approval Penetration Tests Understands the functionality of the application and creates Threat modeling sheet Perform vulnerability assessment using manual and automation tools Exploit the vulnerabilities Reports Create comprehensive audit report with vulnerabilities identified and suggestion on how to resolve these vulnerabilities Compliance certificate that adheres to security standards
18 Conclusion This paper elucidates the current challenges faced by applications built across different industries and need for security testing in this area. We ve reviewed the current categories, criteria and approaches for security testing to conduct security testing of applications pertaining to various industries. We believe that with our approach, based on industry recognized OWASP guidelines, our clients will be able to thwart and remediate vulnerabilities, which pose serious risk to the applications if not avoided, ensure that compliance with banking, financial and other relevant standards is met and perform their transactions and maximize the return-on-investment.
19 Our Expertise ZenQ s Security testing team effectively uses the process to identify threats and conduct penetration tests much like an attacker would do. Our Areas of Expertise include: Web Application Penetration Testing Web Services Security Testing Mobile Application Security Testing External Network Security Testing Internal Network Security Testing Secure Code review
20 Appendix Risk Rating Matrix: RATING DEFINED AS CRITICAL HIGH RISK Serious vulnerabilities that have been exploited or are highly likely to be exploited and/or significant deficiencies in design, implementation or management identified. Vulnerabilities discovered with moderate likelihood of exploitation and/or at least one significant deficiency in design, implementation or management identified. MEDIUM RISK ELEVATED RISK LOW RISK Vulnerabilities discovered with moderate likelihood of exploitation and/or multiple deficiencies in design, implementation or management identified. Vulnerabilities discovered with low likelihood of exploitation and/or minor deficiencies in design, implementation or management identified. No vulnerabilities or deficiencies in design, implementation or management. All patches and service packs have been applied.
21 References ZENQ is a Pure Play Testing Services Company based in India. Our highly competent IT Professionals, Domain experts, combined with industry best practices & our investments in state-of-the-art technologies made us a dependable and long-term IT service partner to all our clients. For more details, visit our website OR send us an at info@zenq.com
NETWORK PENETRATION TESTS FOR EHR MANAGEMENT SOLUTIONS PROVIDER
A C a s e s t u d y o n h o w Z e n Q h a s h e l p e d a L e a d i n g K - 1 2 E d u c a t i o n & L e a r n i n g S o l u t i o n s P r o v i d e r i n U S g a u g e c a p a c i t y o f t h e i r f l
More informationSecurity Testing and Vulnerability Management Process. e-governance
Security Testing and Vulnerability Management Process for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India.
More informationWeb App Security Audit Services
locuz.com Professional Services Web App Security Audit Services The unsecured world today Today, over 80% of attacks against a company s network come at the Application Layer not the Network or System
More informationWhite Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers
White Paper Guide to PCI Application Security Compliance for Merchants and Service Providers Contents Overview... 3 I. The PCI DSS Requirements... 3 II. Compliance and Validation Requirements... 4 III.
More informationAdobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, 2014. Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661
Adobe ColdFusion Secure Profile Web Application Penetration Test July 31, 2014 Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661 Chicago Dallas This document contains and constitutes the
More informationInformation Technology Security Review April 16, 2012
Information Technology Security Review April 16, 2012 The Office of the City Auditor conducted this project in accordance with the International Standards for the Professional Practice of Internal Auditing
More informationFINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES
Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that
More informationDFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)
Title: Functional Category: Information Technology Services Issuing Department: Information Technology Services Code Number: xx.xxx.xx Effective Date: xx/xx/2014 1.0 PURPOSE 1.1 To appropriately manage
More informationNetwork Security Audit. Vulnerability Assessment (VA)
Network Security Audit Vulnerability Assessment (VA) Introduction Vulnerability Assessment is the systematic examination of an information system (IS) or product to determine the adequacy of security measures.
More informationColumbia University Web Security Standards and Practices. Objective and Scope
Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements
More informationFunctional vs. Load Testing
Best Practices in Performance & Security Testing March 26, 2009 CVN www.sonata-software.com Functional vs. Load Testing Functional test Objective Functionality Example Do business processes function properly
More informationIntroduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006
Introduction to Web Application Security Microsoft CSO Roundtable Houston, TX September 13 th, 2006 Overview Background What is Application Security and Why Is It Important? Examples Where Do We Go From
More informationPCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker
PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker www.quotium.com 1/14 Summary Abstract 3 PCI DSS Statistics 4 PCI DSS Application Security 5 How Seeker Helps You Achieve PCI DSS
More informationPassing PCI Compliance How to Address the Application Security Mandates
Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These
More informationSITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA
SITA Information Security SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA September, 2012 Contents 1. Introduction... 3 1.1 Overview...
More informationKASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com
KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global
More informationThe purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.
This sample report is published with prior consent of our client in view of the fact that the current release of this web application is three major releases ahead in its life cycle. Issues pointed out
More informationPenetration Testing Guidelines For the Financial Industry in Singapore. 31 July 2015
For the Financial Industry in Singapore 31 July 2015 TABLE OF CONTENT 1. EXECUTIVE SUMMARY 3 2. INTRODUCTION 4 2.1 Audience 4 2.2 Purpose and Scope 4 2.3 Definitions 4 3. REQUIREMENTS 6 3.1 Overview 6
More informationSecurity Testing & Load Testing for Online Document Management system
1 Security Testing & Load Testing for Online Document Management system Abstract The client is a leading provider of online technical documentation solutions in UK, they wanted to protect their documents
More informationensuring security the way how we do it
ensuring security the way how we do it HUSTEF, 2015.11.18 Attila Tóth 1 Nokia Solutions and Networks 2014 Disclaimer The ideas, processes, tools are presented from a practitioner s point of view working
More informationETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001
001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110
More informationIntegrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com
SAINT Integrated Network Vulnerability Scanning and Penetration Testing www.saintcorporation.com Introduction While network vulnerability scanning is an important tool in proactive network security, penetration
More informationSpigit, Inc. Web Application Vulnerability Assessment/Penetration Test. Prepared By: Accuvant LABS
Web Application Vulnerability Assessment/enetration Test repared By: Accuvant LABS November 20, 2012 Web Application Vulnerability Assessment/enetration Test Introduction Defending the enterprise against
More informationISSECO Syllabus Public Version v1.0
ISSECO Syllabus Public Version v1.0 ISSECO Certified Professional for Secure Software Engineering Date: October 16th, 2009 This document was produced by the ISSECO Working Party Syllabus Introduction to
More informationPenetration Test Report
Penetration Test Report Acme Test Company ACMEIT System 26 th November 2010 Executive Summary Info-Assure Ltd was engaged by Acme Test Company to perform an IT Health Check (ITHC) on the ACMEIT System
More informationExpert Services Group (Security Testing) Nilesh Dasharathi Sadaf Kazi Aztecsoft Limited
Practical Aspects of Web Application Penetration Testing & Vulnerability Analysis Expert Services Group (Security Testing) Nilesh Dasharathi Sadaf Kazi Aztecsoft Limited Presentation Path Motivation Penetration
More informationWeb Application Report
Web Application Report This report includes important security information about your Web Application. OWASP Top Ten 2010 The Ten Most Critical Web Application Report This report was created by IBM Rational
More informationTechnical Testing. Application, Network and Red Team Testing DATA SHEET. Test your security defenses. Expert Testing, Analysis and Assessments
DATA SHEET Technical Testing Application, Network and Red Team Testing The Dell SecureWorks Technical Testing services deliver the independent expertise, experience and perspective you need to enhance
More informationThreat Modeling. Frank Piessens (Frank.Piessens@cs.kuleuven.be ) KATHOLIEKE UNIVERSITEIT LEUVEN
Threat Modeling Frank Piessens (Frank.Piessens@cs.kuleuven.be ) Secappdev 2007 1 Overview Introduction Key Concepts Threats, Vulnerabilities, Countermeasures Example Microsoft s Threat Modeling Process
More informationThreat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP
Threat Modeling Categorizing the nature and severity of system vulnerabilities John B. Dickson, CISSP What is Threat Modeling? Structured approach to identifying, quantifying, and addressing threats. Threat
More informationPenetration Testing Service. By Comsec Information Security Consulting
Penetration Testing Service By Consulting February, 2007 Background The number of hacking and intrusion incidents is increasing year by year as technology rolls out. Equally, there is no hiding place your
More informationInformation Security Services
Information Security Services Information Security In 2013, Symantec reported a 62% increase in data breaches over 2012. These data breaches had tremendous impacts on many companies, resulting in intellectual
More information05.0 Application Development
Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development
More informationNorth Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing
North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing Introduction ManTech Project Manager Mark Shaw, Senior Executive Director Cyber Security Solutions Division
More informationTable of Contents. Page 2/13
Page 1/13 Table of Contents Introduction...3 Top Reasons Firewalls Are Not Enough...3 Extreme Vulnerabilities...3 TD Ameritrade Security Breach...3 OWASP s Top 10 Web Application Security Vulnerabilities
More informationABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST
ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST Performed Between Testing start date and end date By SSL247 Limited SSL247 Limited 63, Lisson Street Marylebone London
More informationCORE Security and the Payment Card Industry Data Security Standard (PCI DSS)
CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) Addressing the PCI DSS with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com
More informationAnnex B - Content Management System (CMS) Qualifying Procedure
Page 1 DEPARTMENT OF Version: 1.5 Effective: December 18, 2014 Annex B - Content Management System (CMS) Qualifying Procedure This document is an annex to the Government Web Hosting Service (GWHS) Memorandum
More informationPenetration Testing Report Client: Business Solutions June 15 th 2015
Penetration Testing Report Client: Business Solutions June 15 th 2015 Acumen Innovations 80 S.W 8 th St Suite 2000 Miami, FL 33130 United States of America Tel: 1-888-995-7803 Email: info@acumen-innovations.com
More informationComplete Web Application Security. Phase1-Building Web Application Security into Your Development Process
Complete Web Application Security Phase1-Building Web Application Security into Your Development Process Table of Contents Introduction 3 Thinking of security as a process 4 The Development Life Cycle
More informationInformation Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus
Information Technology Engineers Examination Information Security Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination
More informationMaking your web application. White paper - August 2014. secure
Making your web application White paper - August 2014 secure User Acceptance Tests Test Case Execution Quality Definition Test Design Test Plan Test Case Development Table of Contents Introduction 1 Why
More informationWhite Paper. Automating Your Code Review: Moving to a SaaS Model for Application Security
White Paper Automating Your Code Review: Moving to a SaaS Model for Application Security Contents Overview... 3 Executive Summary... 3 Code Review and Security Analysis Methods... 5 Source Code Review
More informationAttack Vector Detail Report Atlassian
Attack Vector Detail Report Atlassian Report As Of Tuesday, March 24, 2015 Prepared By Report Description Notes cdavies@atlassian.com The Attack Vector Details report provides details of vulnerability
More informationAdobe Systems Incorporated
Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...
More informationThreat Modeling/ Security Testing. Tarun Banga, Adobe 1. Agenda
Threat Modeling/ Security Testing Presented by: Tarun Banga Sr. Manager Quality Engineering, Adobe Quality Leader (India) Adobe Systems India Pvt. Ltd. Agenda Security Principles Why Security Testing Security
More informationCyber Security & Data Privacy. January 22, 2014
Cyber Security & Data Privacy January 22, 2014 Today s Presenters Bob DiBella Director of Product Management Aclara Technologies Srinivasalu Ambati Application Architect, Consumer Engagement Aclara Technologies
More informationThreats and Attacks. Modifications by Prof. Dong Xuan and Adam C. Champion. Principles of Information Security, 5th Edition 1
Threats and Attacks Modifications by Prof. Dong Xuan and Adam C. Champion Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to:
More informationIT Security Management Risk Analysis and Controls
IT Security Management Risk Analysis and Controls Steven Gordon Document No: Revision 770 3 December 2013 1 Introduction This document summarises several steps of an IT security risk analysis and subsequent
More informationWeb Application Remediation. OWASP San Antonio. March 28 th, 2007
Web Application Remediation OWASP San Antonio March 28 th, 2007 Agenda Introduction The Problem: Vulnerable Web Applications Goals Example Process Overview Real World Issues To Address Conclusion/Questions
More informationApplication Code Development Standards
Application Code Development Standards Overview This document is intended to provide guidance to campus system owners and software developers regarding secure software engineering practices. These standards
More informationA Practical Approach to Threat Modeling
A Practical Approach to Threat Modeling Tom Olzak March 2006 Today s security management efforts are based on risk management principles. In other words, security resources are applied to vulnerabilities
More informationHow to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP
How to start a software security initiative within your organization: a maturity based and metrics driven approach Marco Morana OWASP Lead/ TISO Citigroup OWASP Application Security For E-Government Copyright
More informationOverview of the Penetration Test Implementation and Service. Peter Kanters
Penetration Test Service @ ABN AMRO Overview of the Penetration Test Implementation and Service. Peter Kanters ABN AMRO / ISO April 2010 Contents 1. Introduction. 2. The history of Penetration Testing
More informationWHITE PAPER. An Introduction to Network- Vulnerability Testing
An Introduction to Network- Vulnerability Testing C ONTENTS + Introduction 3 + Penetration-Testing Overview 3 Step 1: Defining the Scope 4 Step 2: Performing the Penetration Test 5 Step 3: Reporting and
More informationEnterprise Application Security Program
Enterprise Application Security Program GE s approach to solving the root cause and establishing a Center of Excellence Darren Challey GE Application Security Leader Agenda Why is AppSec important? Why
More informationPentests more than just using the proper tools
Pentests more than just using the proper tools Agenda 1. Information Security @ TÜV Rheinland 2. Penetration testing Introduction Evaluation scheme Security Analyses of web applications Internal Security
More informationWHITEPAPER. Nessus Exploit Integration
Nessus Exploit Integration v2 Tenable Network Security has committed to providing context around vulnerabilities, and correlating them to other sources, such as available exploits. We currently pull information
More informationSecurity Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014
Security Testing Vulnerability Assessment vs Penetration Testing Gabriel Mihai Tanase, Director KPMG Romania 29 October 2014 Agenda What is? Vulnerability Assessment Penetration Testing Acting as Conclusion
More informationPenetration Testing. Presented by
Penetration Testing Presented by Roadmap Introduction to Pen Testing Types of Pen Testing Approach and Methodology Side Effects Demonstration Questions Introduction and Fundamentals Penetration Testing
More informationCyril Onwubiko Networking and Communications Group http://ncg. ncg.kingston.ac.
Cyril Onwubiko Networking and Communications Group http://ncg ncg.kingston.ac..ac.uk http://ncg.kingston.ac.uk +44 (0)20 8547 2000 Security Threats & Vulnerabilities in assets are two most fundamental
More informationPentests more than just using the proper tools
Pentests more than just using the proper tools Agenda 1. Information Security @ TÜV Rheinland 2. Security testing 3. Penetration testing Introduction Evaluation scheme Security Analyses of web applications
More informationApplication Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper
Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks Whitepaper The security industry has extensively focused on protecting against malicious injection attacks like
More informationSeven Practical Steps to Delivering More Secure Software. January 2011
Seven Practical Steps to Delivering More Secure Software January 2011 Table of Contents Actions You Can Take Today 3 Delivering More Secure Code: The Seven Steps 4 Step 1: Quick Evaluation and Plan 5 Step
More informationMANAGED SECURITY TESTING
MANAGED SECURITY TESTING SERVICE LEVEL COMPARISON External Network Testing (EVS) Scanning Basic Threats Penetration Testing Network Vulnerability Scan Unauthenticated Web App Scanning Validation Of Scan
More informationEffective Software Security Management
Effective Software Security Management choosing the right drivers for applying application security Author: Dharmesh M Mehta dharmeshmm@mastek.com / dharmeshmm@owasp.org Table of Contents Abstract... 1
More informationWEB Penetration Testing
FTA Annual Conference WEB Penetration Testing and Vulnerability Analysis June 10, 2008 Timothy R. Blevins, KDOR Chief Information Officer 1 WEB Penetration Testing What is WEB Penetration Testing? When
More informationExternal Supplier Control Requirements
External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must
More informationWorking Practices for Protecting Electronic Information
Information Security Framework Working Practices for Protecting Electronic Information 1. Purpose The following pages provide more information about the minimum working practices which seek to ensure that
More informationHTTPParameter Pollution. ChrysostomosDaniel
HTTPParameter Pollution ChrysostomosDaniel Introduction Nowadays, many components from web applications are commonly run on the user s computer (such as Javascript), and not just on the application s provider
More informationFinal Audit Report AUDIT OF THE INFORMATION SECURITY POSTURE OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT'S USAJOBS SYSTEM FY 2012
u.s. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Subject: AUDIT OF THE INFORMATION SECURITY POSTURE OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT'S USAJOBS
More informationWeb Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure
Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences
More informationASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION
ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION V 2.0 A S L I T S e c u r i t y P v t L t d. Page 1 Overview: Learn the various attacks like sql injections, cross site scripting, command execution
More informationStandard: Web Application Development
Information Security Standards Web Application Development Standard IS-WAD Effective Date TBD Email security@sjsu.edu # Version 2.0 Contact Mike Cook Phone 408-924-1705 Standard: Web Application Development
More informationReducing the Cost and Complexity of Web Vulnerability Management
WHITE PAPER: REDUCING THE COST AND COMPLEXITY OF WEB..... VULNERABILITY.............. MANAGEMENT..................... Reducing the Cost and Complexity of Web Vulnerability Management Who should read this
More informationIY2760/CS3760: Part 6. IY2760: Part 6
IY2760/CS3760: Part 6 In this part of the course we give a general introduction to network security. We introduce widely used security-specific concepts and terminology. This discussion is based primarily
More informationSQuAD: Application Security Testing
SQuAD: Application Security Testing Terry Morreale Ben Whaley June 8, 2010 Why talk about security? There has been exponential growth of networked digital systems in the past 15 years The great things
More informationHow To Ensure That Your Computer System Is Safe
Establishing a Continuous Process for PCI DSS Compliance Visa, MasterCard, American Express, and other payment card companies currently require all U.S. merchants accepting credit card payments to comply
More informationDetecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008
Detecting Web Application Vulnerabilities Using Open Source Means OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Kostas Papapanagiotou Committee Member OWASP Greek Chapter conpap@owasp.gr
More informationTable of Contents. Application Vulnerability Trends Report 2013. Introduction. 99% of Tested Applications Have Vulnerabilities
Application Vulnerability Trends Report : 2013 Table of Contents 3 4 5 6 7 8 8 9 10 10 Introduction 99% of Tested Applications Have Vulnerabilities Cross Site Scripting Tops a Long List of Vulnerabilities
More informationWEB APPLICATION VULNERABILITY STATISTICS (2013)
WEB APPLICATION VULNERABILITY STATISTICS (2013) Page 1 CONTENTS Contents 2 1. Introduction 3 2. Research Methodology 4 3. Summary 5 4. Participant Portrait 6 5. Vulnerability Statistics 7 5.1. The most
More informationSECURITY. Risk & Compliance Services
SECURITY Risk & Compliance s V1 8/2010 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize
More informationWhat is Web Security? Motivation
brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web
More informationInformation Technology Policy
ITP Number ITP-SEC024 Category Security Contact RA-ITCentral@pa.gov Information Technology Policy IT Security Incident Policy Effective Date August 2, 2012 Supersedes Scheduled Review Annual 1. Purpose
More informationBad Romance: Three Reasons Hackers <3 Your Web Apps & How to Break Them Up
Bad Romance: Three Reasons Hackers
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationelearning for Secure Application Development
elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security
More information- Table of Contents -
- Table of Contents - 1 INTRODUCTION... 1 1.1 TARGET READERS OF THIS DOCUMENT... 1 1.2 ORGANIZATION OF THIS DOCUMENT... 2 1.3 COMMON CRITERIA STANDARDS DOCUMENTS... 3 1.4 TERMS AND DEFINITIONS... 4 2 OVERVIEW
More informationSERENA SOFTWARE Serena Service Manager Security
SERENA SOFTWARE Serena Service Manager Security 2014-09-08 Table of Contents Who Should Read This Paper?... 3 Overview... 3 Security Aspects... 3 Reference... 6 2 Serena Software Operational Security (On-Demand
More informationAudit Report. Management and Security of Office of Budget and Program Analysis Information Technology Resources. U.S. Department of Agriculture
U.S. Department of Agriculture Office of Inspector General Southeast Region Audit Report Management and Security of Office of Budget and Program Analysis Information Technology Resources Report No. 39099-1-AT
More informationGuideline on Auditing and Log Management
CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius
More informationExcellence Doesn t Need a Certificate. Be an. Believe in You. 2014 AMIGOSEC Consulting Private Limited
Excellence Doesn t Need a Certificate Be an 2014 AMIGOSEC Consulting Private Limited Believe in You Introduction In this age of emerging technologies where IT plays a crucial role in enabling and running
More informationIT Risk Management: Guide to Software Risk Assessments and Audits
IT Risk Management: Guide to Software Risk Assessments and Audits Contents Overview... 3 Executive Summary... 3 Software: Today s Biggest Security Risk... 4 How Software Risk Enters the Enterprise... 5
More informationWhere every interaction matters.
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
More informationWeb Application Security Considerations
Web Application Security Considerations Eric Peele, Kevin Gainey International Field Directors & Technology Conference 2006 May 21 24, 2006 RTI International is a trade name of Research Triangle Institute
More informationSecure Web Applications. The front line defense
Secure Web Applications The front line defense Agenda Web Application Security Threat Overview Exploiting Web Applications Common Attacks & Preventative techniques Developing Secure Web Applications -Security
More informationFINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE
Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security
More informationSecurity and Vulnerability Testing How critical it is?
Security and Vulnerability Testing How critical it is? It begins and ends with your willingness and drive to change the way you perform testing today Security and Vulnerability Testing - Challenges and
More informationSecure in 2010? Broken in 2011!
Secure in 2010? Broken in 2011! Matias Madou Principal Security Researcher Abstract In 2010, a security research firm stumbled on a couple of vulnerabilities in Apache OFBiz, a widely used open source
More informationInteractive Application Security Testing (IAST)
WHITEPAPER Interactive Application Security Testing (IAST) The World s Fastest Application Security Software Software affects virtually every aspect of an individual s finances, safety, government, communication,
More information