Supply Chain Management of Open Source Software used within Software Development Lifecycle
Slide 1: Supply Chain Management of Open Source Software used within Software Development Lifecycle
Author: Roderick Koch
Co-Author: Kym Watkin-Statham
Notes: Secure software development lifecycle with a focus on OSS.
Slide 2: What is Open Source Software (OSS)?
DoD CIO Memo, Clarifying Guidance Regarding OSS, 16 Oct 2009: "To effectively achieve its missions, the Department of Defense must develop and update its software-based capabilities faster than ever, to anticipate new threats and respond to continuously changing requirements. The use of Open Source Software (OSS) can provide advantages in this regard. Open Source Software is software for which the human-readable source code is available for use, study, reuse, modification, enhancement, and redistribution by the users of that software. In other words, OSS is software for which the source code is open."
Notes: DoD sees the advantages of using OSS and supports its use. OSS is human-readable source code available for study, modification, enhancement and redistribution.
Slide 3: Commercial or OSS, which is the greater risk?
- Fallacy that more eyes make the code safer: developers like to build, not audit and fix other developers' code.
- Does your commercial software vendor or open source foundation have a process for secure software development and evaluation testing? Do they provide visibility into the process and results?
- Foreign developer participation means that it's foreign-developed software. But US companies also outsource development to foreign developers.
Slide 4: Growth of OSS usage
Demand for open source components is skyrocketing: an 800% increase over the last five years. Today, typically 80-90% of a software project is OSS components, with the remaining share being custom code providing the glue.
- Could you provide your customer a list of all OSS used on your project?
- What did you do to evaluate it for licensing and vulnerabilities?
- How did its use get approved?
Slide 5: Widespread Vulnerabilities in OSS
Organizations regularly consume outdated, flawed, or insecure components, which can introduce significant risk.
Slide 6: Complexity
OSS component complexity exacerbates the problem. Organizations lack actionable security, quality and licensing information.
Notes: Components are enormously complex; each one is made up of hundreds of sub-assemblies (e.g. class files), and class files are commonly shared among components. It is difficult and time-consuming for developers to research and determine the security, quality and licensing characteristics of all the components they use to assemble their applications. Doing this for direct dependencies is hard enough; extending the research to all transitive dependencies is beyond reason. Even if the research is conducted, it is difficult to act on because it is not integrated directly into the tools developers use, so problems are found much later in the lifecycle. Given the pressure to deliver applications quickly, developers are forced to take a chance when they select components, exposing the organization to risk.
Slide 7: Control Process for OSS in the SDLC
Notes: OSS projects innovate rapidly and release frequently. However, there is no update notification infrastructure for open source components.
Slide 8: Software Security Development Lifecycle (SSDL)
Software assurance begins with code quality and evidence of that quality. Assume a software defect found during development of a product costs $1 to remedy. If the defect escapes the development phase and enters the independent testing phase, the cost will be approximately $100 to remedy. If it escapes independent testing and makes it into production, the cost will be approximately $1,000 to remedy. If sensitive data is lost, or attackers make the software do things it is not supposed to do through exploitation of a known software weakness, the cost of this defect may exceed many thousands of dollars to repair, if repair is even possible, and the impact could go well beyond anything that money can represent.
Notes: BSIMM (pronounced "bee simm") = Building Security In Maturity Model; "v" = vendor, a subset of the whole. The BSIMM is designed to help you understand, measure, and plan a software security initiative. It is a study of real-world software security initiatives, organized so that you can determine where you stand with your own initiative and how to evolve your efforts over time.
Slide 9: How to judge the good from the bad OSS project or foundation?
- Approval from an independent third-party evaluator
- Does the project or foundation have:
  - good commercial company backing?
  - popularity in open source communities?
  - committer activity levels?
  - good documentation and a support system?
  - good change management and intellectual property (IP) controls?
  - a good bug tracking system, a historic time-to-fix for vulnerabilities, and a known list of current vulnerabilities?
Notes: Independent evaluators like Black Duck, Veracode, Coverity and Sonatype all offer some information on OSS for free, and more for a fee.
Slide 10: How to judge the good from the bad OSS? Black Duck
Slide 11: How to judge the good from the bad OSS? Black Duck
Slide 12: OSS vulnerability tracking
Sources for OSS vulnerability tracking:
- CVE (Common Vulnerabilities and Exposures)
- National Vulnerability Database (NVD)
- Open Source Vulnerability Database (OSVDB)
- US Computer Emergency Readiness Team (US-CERT)
- DoD source (CAC required)
- Open Search for Vulnerabilities
Most OSS foundations and projects have a bug tracking system, but there is no standard for reporting and responding. Library version control and dependencies can get sticky: the vulnerability is fixed in the new version, but the new version breaks other functionality, so you still need to run the older, vulnerable library.
Slide 13: Component Lifecycle Management (CLM)
A new approach in the market is Component Lifecycle Management (CLM), which offers the ability to enforce policies in the development process. The benefits of this approach include:
- Provides a central facility for active risk assessment and management across development environments and teams.
- Informs and governs the software supply chain by validating, authenticating, securely delivering, and monitoring components' security, popularity and licensing information throughout the development lifecycle. It offers developer-friendly policy enforcement and early flaw detection and prevention.
- Ensures the security and integrity of the components that make up critical applications by providing a complete component and application bill-of-materials inventory and a fast path to discovering and fixing at-risk applications.
- Reduces operating costs, since the cost of ripping obsolete components out of existing applications is high, assuming the older versions can be identified in the first place.
Notes: A new approach is Component Lifecycle Management (CLM). For example, if a development team inadvertently downloads an obsolete OSS component, CLM can break the build when that library is submitted, enforcing the use of a more current version. CLM informs the developers and security staff which components have risky vulnerabilities and which ones do not.
Slide 14: Component Lifecycle Management (CLM)
Sonatype CLM for IDE in Eclipse lets developers make the best component choices early in the development cycle.
Notes: Point out that the bottom right shows the popularity of each current version (your version in black), the license, and security alerts; the center describes the vulnerabilities with CVE or OSVDB IDs.
Slide 15: Component Lifecycle Management (CLM)
Integration with continuous integration servers enforces policy at build time. Sonatype demo.
Slide 16: Component Lifecycle Management (CLM)
Dashboards and reports provide a complete view of global risk with drill-down detail to drive action.
Slide 17: Component Lifecycle Management (CLM)
Newly discovered threats are continuously reported against your inventory of components to ensure sustaining trust throughout your software supply chain. Sonatype demo.
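The build-breaking policy gate that slides 13 to 17 describe, written out as an added example in Python. This is not Sonatype's code and not from the slides: the vulnerability feed, the minimum-version policy, the component inventory and the waiver are all constructed placeholders (the advisory identifiers are deliberately not real CVE numbers). It also covers the slide 12 situation where the fixed version breaks other functionality, by allowing a documented, time-limited exception for one vulnerable version.

```python
"""Build-breaking component policy gate, in the spirit of the CLM approach on slides 12-17.

Added example: the feed, the policy, the waiver and the component list are all
constructed for illustration; none of it comes from a real vulnerability feed
or from Sonatype's product."""
import re
from dataclasses import dataclass
from datetime import date

_PART = re.compile(r"(\d*)([A-Za-z]*)")


def parse_version(version: str) -> tuple:
    """Turn '1.0.1f' into ((1,''), (0,''), (1,'f')) so that 1.0.1 < 1.0.1f < 1.0.1g < 1.0.2."""
    parts = []
    for piece in version.split("."):
        m = _PART.fullmatch(piece)
        num, letters = (m.group(1), m.group(2)) if m else ("", piece)
        parts.append((int(num) if num else 0, letters))
    return tuple(parts)


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    reason: str


# Constructed feed: name -> [(first_affected, first_fixed, advisory_id)], half-open range.
VULN_FEED = {
    "openssl": [("1.0.1", "1.0.1g", "ADV-PLACEHOLDER-1")],    # placeholder id, not a real CVE number
    "examplelib": [("2.0.0", "2.4.0", "ADV-PLACEHOLDER-2")],  # constructed component
}

# Constructed policy: the oldest version the organisation still approves for each component.
POLICY_MIN_VERSION = {"otherlib": "1.0.0", "openssl": "1.0.1"}

# Constructed waiver for the slide 12 case: the fixed examplelib breaks other functionality,
# so the team keeps the vulnerable version under a documented, time-limited exception.
WAIVERS = {
    ("examplelib", "2.3.0"): {"advisory": "ADV-PLACEHOLDER-2", "expires": date(2014, 6, 30)},
}

# Constructed bill of materials for one build, and two evaluation dates for the waiver.
SAMPLE_BOM = [Component("openssl", "1.0.1f"), Component("examplelib", "2.3.0"), Component("otherlib", "0.9.1")]
SAMPLE_DATE = date(2014, 4, 10)
AFTER_WAIVER = date(2014, 7, 1)


def evaluate(components, feed=VULN_FEED, minimums=POLICY_MIN_VERSION, waivers=WAIVERS, today=None):
    """Return the policy findings for a build's component inventory (its bill of materials)."""
    today = today or date.today()
    findings = []
    for c in components:
        v = parse_version(c.version)
        floor = minimums.get(c.name)
        if floor and v < parse_version(floor):
            findings.append(Finding(c.name, c.version, f"obsolete: below minimum approved version {floor}"))
        for first_affected, first_fixed, advisory in feed.get(c.name, []):
            if not (parse_version(first_affected) <= v < parse_version(first_fixed)):
                continue
            waiver = waivers.get((c.name, c.version))
            if waiver and waiver["advisory"] == advisory and waiver["expires"] >= today:
                continue  # documented exception still in force
            findings.append(Finding(c.name, c.version, f"affected by {advisory}, fixed in {first_fixed}"))
    return findings


def build_allowed(components, **kwargs) -> bool:
    """The gate a CI server would call: True means the build may proceed."""
    return not evaluate(components, **kwargs)


if __name__ == "__main__":
    for f in evaluate(SAMPLE_BOM, today=SAMPLE_DATE):
        print(f"BLOCK {f.component} {f.version}: {f.reason}")
```

Run on the sample inventory at the first date, the gate blocks the build on two findings (the affected openssl and the obsolete otherlib) while the waived examplelib passes; once the waiver expires it becomes a third finding, which is the point of putting an expiry on every exception.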
Slide 18: Obtain approval for use of OSS
Who or where in the organization does the final approval lie? A "don't ask, don't tell" policy has worked in the past, why change it?
- Internal program approval: PM or Change Control Board; CISO, ISSM, IAM
- External customer's approval process: What does the contract say about OSS? Is a formal external approval required (Contracting Agent, CISO, DAA)? Approved Products List
Notes: Who's the sheriff in your town? Who can give final approval to use OSS? Talk through the bullets. Approved Product List? For example, the Army has a CoN list.
Slide 19: This? or This?
How do developers structure and manage the source code? Melting pots, or buckets of accountability?
Slide 20: Code from Multiple Sources (pie chart of the final project code)
Open Source Software 55%, Custom Developed 15%, Government Provided 10%, Commercial Software 5%, Legacy Harvested Code / Subcontractors 5% / 10%, Others?
FOR OFFICIAL USE ONLY (FOUO)
Slide 21: Software Security Development Lifecycle (SSDL) - Security Architecture Review
Slide 22: Potential Threats within the SDLC
- License violations (aka IP)
- Injection of malicious functionality
- Design flaw in security functionality
- Poor coding practice
Slide 23: What's in memory?
Memory will contain juicy information, such as passwords or decrypted messages from other clients, or the secret key from X.509 certificates. Sending another heartbeat message leaks another 64KB, so rinse and repeat to scour the victim's system for goodies.
How long? OpenSSL's implementation of TLS heartbeats was committed to the project's source code 61 minutes to midnight on Saturday, 31 December. It was out there two years before official discovery by Google and Codenomicon.
Notes: What is bad is that this vulnerability will not show up in audit log files. It follows normal, accepted behavior.
Slide 24: Was Heartbeat a security design flaw?
IETF RFC 6520 defines the Heartbeat Extension for Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS), allowing the use of keep-alive functionality without performing a renegotiation, and a basis for Path Maximum Transmission Unit (PMTU) discovery. The necessary probe packets are the HeartbeatRequest messages.
Jim Humphreys, Senior Security Analyst at Tangible Security, posted his opinion on LinkedIn: "The problem is that the standard does NOT REQUIRE that the recipient of a Heartbeat Request Message verify that the length of the data in the Payload field be exactly the same length as specified in the Heartbeat Message Length field. While this may seem obvious, it's usually the obvious (but unstated) that leads to problems in fully specifying a protocol."
Slide 25: IETF RFC 6520 Heartbeat Request and Response Messages
The Heartbeat protocol messages consist of their type and an arbitrary payload and padding.

   struct {
      HeartbeatMessageType type;
      uint16 payload_length;
      opaque payload[HeartbeatMessage.payload_length];
      opaque padding[padding_length];
   } HeartbeatMessage;

The total length of a HeartbeatMessage MUST NOT exceed 2^14 or max_fragment_length when negotiated as defined in [RFC6066].
type: The message type, either heartbeat_request or heartbeat_response.
payload_length: The length of the payload.
payload: The payload consists of arbitrary content.
padding: The padding is random content that MUST be ignored by the receiver. The length of a HeartbeatMessage is TLSPlaintext.length for TLS and DTLSPlaintext.length for DTLS. Furthermore, the length of the type field is 1 byte, and the length of the payload_length is 2. Therefore, the padding_length is TLSPlaintext.length - payload_length - 3 for TLS and DTLSPlaintext.length - payload_length - 3 for DTLS. The padding_length MUST be at least 16.
The sender of a HeartbeatMessage MUST use a random padding of at least 16 bytes. The padding of a received HeartbeatMessage message MUST be ignored. If the payload_length of a received HeartbeatMessage is too large, the received HeartbeatMessage MUST be discarded silently.
When a HeartbeatRequest message is received and sending a HeartbeatResponse is not prohibited as described elsewhere in this document, the receiver MUST send a corresponding HeartbeatResponse message carrying an exact copy of the payload of the received HeartbeatRequest. If a received HeartbeatResponse message does not contain the expected payload, the message MUST be discarded silently. If it does contain the expected payload, the retransmission timer MUST be stopped.
Slide 26: What if RFC 6520 had required...
- the recipient of a Heartbeat Request Message to verify that the length of the data in the Payload field is exactly the length specified in the Heartbeat Message Length field, or discard without reply?
- What if developers were trained on secure coding practices?
- What if a static code scan was performed to check for bad coding practice?
- What if a fuzz or application penetration test was performed?
Slide 27: Software Security Development Lifecycle (SSDL) - Open Source Security & Static Code Scans
Slide 28: Did you really get the source code?
Developers like to take the easy path:
- Downloading compiled code (binaries or .jars) rather than source code.
- Downloading everything but only using a portion (an example from Apache Lucene).
- Downloading and compiling the source code can be difficult; usually it is downloaded with Git, Subversion or Mercurial.
Provenance and chain of custody (verifying hashes and signatures), e.g. the OpenSSL download listing:
Jan 6 15:39: openssl-1.0.1f.tar.gz (MD5) (SHA1) (PGP sign)
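The hash side of the chain-of-custody check on slide 28, as an added example in Python (not from the slides and not OpenSSL's tooling). The archive bytes, the file name and the "published" digest lines are constructed here so the example runs offline; the digest lines follow the coreutils `sha256sum` output format, in which the algorithm is not named and has to be inferred from the digest length.

```python
"""Verify a downloaded archive against the digests a project publishes beside it
(slide 28: provenance and chain of custody).

Added example, not from the slides or from OpenSSL: the archive bytes and the
"published" digests are constructed in this file so it runs offline."""
import hashlib
import hmac

# Strongest first. MD5 and SHA-1 still detect accidental corruption but not a
# deliberate substitution, so a match on them alone is reported as weak.
PREFERENCE = ("sha512", "sha256", "sha1", "md5")
WEAK = {"sha1", "md5"}
_ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def parse_sum_lines(text: str) -> dict:
    """Parse coreutils-style '<hex>  <filename>' lines into {filename: {algo: hex}}.
    The algorithm is inferred from the digest length, as the format does not name it."""
    published = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, filename = line.partition(" ")
        filename = filename.strip().lstrip("*")   # '*' marks binary mode in *sum output
        algo = _ALGO_BY_HEX_LEN.get(len(digest))
        if algo is None:
            raise ValueError(f"unrecognised digest length in line: {line!r}")
        published.setdefault(filename, {})[algo] = digest.lower()
    return published


def verify_download(data: bytes, published: dict) -> tuple:
    """Check data against the strongest published digest.
    Returns (matches, algorithm_used, weak_algorithm)."""
    for algo in PREFERENCE:
        if algo in published:
            actual = hashlib.new(algo, data).hexdigest()
            # constant-time compare: not critical for public digests, but a good habit
            return hmac.compare_digest(actual, published[algo].lower()), algo, algo in WEAK
    raise ValueError("no usable digest published for this file")


# Constructed sample: stands in for openssl-1.0.1f.tar.gz and the digests listed beside it.
SAMPLE_NAME = "example-1.0.1f.tar.gz"
SAMPLE_ARCHIVE = b"constructed tarball contents, not a real archive\n"
TAMPERED_ARCHIVE = SAMPLE_ARCHIVE.replace(b"real", b"fake")
# What the download site would publish (computed here so the example is self-contained).
SAMPLE_SUMS = "\n".join(
    f"{hashlib.new(a, SAMPLE_ARCHIVE).hexdigest()}  {SAMPLE_NAME}" for a in ("md5", "sha1", "sha256")
)
MD5_ONLY_SUMS = f"{hashlib.md5(SAMPLE_ARCHIVE).hexdigest()}  {SAMPLE_NAME}"


def check(archive: bytes, sums_text: str, filename: str = SAMPLE_NAME) -> tuple:
    """Convenience wrapper: parse the published sums, then verify one file."""
    return verify_download(archive, parse_sum_lines(sums_text)[filename])


if __name__ == "__main__":
    print(check(SAMPLE_ARCHIVE, SAMPLE_SUMS))      # genuine archive, strongest digest
    print(check(TAMPERED_ARCHIVE, SAMPLE_SUMS))    # one byte changed: mismatch
    print(check(SAMPLE_ARCHIVE, MD5_ONLY_SUMS))    # matches, but flagged as weak
```

Two caveats belong with this check. A digest served from the same host as the archive only proves the bytes were not corrupted or swapped on a mirror; if the host itself is compromised both files change together, which is what the PGP signature in the listing (verified against a release-signing key obtained through a separate channel) is for. And a digest is only evidence for the version you looked up, so the check belongs in the same build step that records which version went into the bill of materials.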
Slide 29: Heartbeat - Was it a coding oversight?
The vulnerable code:

    hbtype = *p++;            /* message type is popped into the hbtype variable, the pointer is incremented by one byte */
    n2s(p, payload);          /* the n2s() procedure writes the 16-bit length of the heartbeat payload to the variable payload and increments the pointer by two bytes */
    pl = p;                   /* then pl becomes a pointer to the start of the payload */

    /* Enter response type, length and copy payload */
    *bp++ = TLS1_HB_RESPONSE;
    s2n(payload, bp);
    memcpy(bp, pl, payload);  /* copies 'payload' bytes, the length the sender claimed, regardless of how many bytes the record actually carried */

The fix:

    hbtype = *p++;
    n2s(p, payload);
    if (payload + 16 > s->s3->rrec.length)
        return 0;             /* silently discard */
    pl = p;
Slide 30: Would a static scan find the Heartbeat vulnerability?
OpenSSL-1.0.1f: 134 folders, 2,361 files.
Slide 31: Why didn't Cppcheck catch this?
Static scan shows 7 stylistic warnings and no errors. memcpy() is not an Application Security and Development STIG banned function.
Notes: The place to use a static code scan is for your developers to run one against their own code during the code check-in process.
Slide 32: Why didn't Cppcheck catch this?
- Many instances of memcpy() in this file alone.
- Difficulty of tracing the variables feeding a function if you were not the author.
- Certainly code that implements communication protocols should get a high level of review.
Slide 33: Limitations of Static Source Code Scans
- Cannot scan binaries: .class files are compiled JRE runtime binaries, not source code, and .so, .a, .dll and .exe files are difficult to scan with accuracy.
- High false positive counts.
- Importing entire third-party projects brings in many files that will never be used, which drives up the count of High and Moderate findings. For example, Lucene: 61 high findings (.class files).
Notes: Static code scans can catch lots of bad code. They primarily focus on availability and performance issues. It is best to use them early in the SDLC.
Slide 34: Software Security Development Lifecycle (SSDL) - Static/Dynamic Binary Scanners
Slide 35: Static/Dynamic Binary Scans
A determination of software vulnerability density for a specific version of software at a point in time, provided through a third-party-administered process. This analysis is done against the software's binaries, not the source code. It can catch additions made within the compile process. Probably better at catching malware.
Slide 36: Static/Dynamic Binary Scans - What to look for
- Minimum: CWE/CVE ID and vulnerability definition; folder, file and line number; risk level.
- Better: CWE/CVE link, click-through to code (IDE integration), exploitability.
Slide 37: Static/Dynamic Binary Scans - What to look for
Your scanner should help you prioritize fixes.
Slide 38: Static/Dynamic Binary Scans - What to look for
Your scanner should help you track remediation progress.
Slide 39: Software Security Development Lifecycle (SSDL) - Dynamic/Fuzz/Penetration Testing
Slide 40: Dynamic/Fuzz/Pen Testing
Fuzz testing is a software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. Fuzzing is commonly used to test for security problems in software or computer systems.
File formats and network protocols are the most common targets of testing, but any type of program input can be fuzzed. Interesting inputs include environment variables, keyboard and mouse events, and sequences of API calls. Even items not normally considered "input" can be fuzzed, such as the contents of databases, shared memory, or the precise interleaving of threads.
For the purpose of security, input that crosses a trust boundary is often the most interesting. For example, it is more important to fuzz code that handles the upload of a file by any user than it is to fuzz the code that parses a configuration file that is accessible only to a privileged user.
Codenomicon, a commercial vendor of fuzz testing tools, was testing their Safeguard extension feature for protocol testing when they discovered the Heartbleed flaw and reported it to CERT.
Notes: What is fuzz testing? Pick key areas like network protocols, file formats and user inputs. Fuzz test anything that crosses the trust boundary.
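The RFC 6520 message handling from slides 25 and 26, with the length check that the slide 29 fix adds, and a small mutation fuzzer of the kind slide 40 describes, as one added example in Python. This is not OpenSSL's code and not from the slides: the request builder, the mutation strategy and the invariant are constructed for illustration. Python cannot over-read a buffer the way memcpy() can, so the property the fuzz loop checks is the one a harness around the C handler would assert: a response is only ever built from bytes that the request record actually carried.

```python
"""RFC 6520 HeartbeatMessage handling with the length check the slides discuss
(slides 25, 26 and 29), plus a small mutation fuzzer (slide 40).

Added example, not OpenSSL's code and not from the slides. The request builder,
the mutation strategy and the invariant are constructed here for illustration."""
import os
import random
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
HEADER_LEN = 3        # 1-byte type + 2-byte payload_length
MIN_PADDING = 16      # RFC 6520: padding_length MUST be at least 16


def process_heartbeat(record: bytes):
    """Handle one HeartbeatMessage carried in a TLS record.
    Returns the HeartbeatResponse record, or None for a silent discard."""
    if len(record) < HEADER_LEN:
        return None
    hbtype = record[0]
    (payload_length,) = struct.unpack("!H", record[1:HEADER_LEN])
    # RFC arithmetic: padding_length = record length - payload_length - 3, and it must be >= 16.
    # This is the check the slide 29 fix adds (the slide's shorthand omits the 3 header bytes).
    if HEADER_LEN + payload_length + MIN_PADDING > len(record):
        return None                        # "MUST be discarded silently"
    if hbtype != HB_REQUEST:
        return None                        # nothing to echo for a response or unknown type
    payload = record[HEADER_LEN:HEADER_LEN + payload_length]
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_length) + payload + os.urandom(MIN_PADDING)


def build_request(payload: bytes, claimed_length=None, padding_length=MIN_PADDING) -> bytes:
    """Build a request record; claimed_length lets a test state a length the payload does not have."""
    length = len(payload) if claimed_length is None else claimed_length
    return bytes([HB_REQUEST]) + struct.pack("!H", length) + payload + b"\x00" * padding_length


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply 1-4 random byte edits, truncations or extensions to a seed record."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(3)
        if op == 0 and data:
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif op == 1:
            del data[rng.randrange(len(data) + 1):]
        else:
            data += bytes(rng.randrange(256) for _ in range(rng.randint(1, 64)))
    return bytes(data)


def fuzz(iterations: int = 2000, seed: int = 1) -> tuple:
    """Mutate a valid request repeatedly; return (answered, discarded, invariant_violations)."""
    rng = random.Random(seed)
    base = build_request(b"constructed payload")
    answered = discarded = violations = 0
    for _ in range(iterations):
        rec = mutate(base, rng)
        resp = process_heartbeat(rec)
        if resp is None:
            discarded += 1
            continue
        answered += 1
        (n,) = struct.unpack("!H", resp[1:HEADER_LEN])
        echoed = resp[HEADER_LEN:HEADER_LEN + n]
        # Invariant: the echo equals bytes that were inside the request, within its bounds.
        if HEADER_LEN + n + MIN_PADDING > len(rec) or echoed != rec[HEADER_LEN:HEADER_LEN + n]:
            violations += 1
    return answered, discarded, violations


if __name__ == "__main__":
    print(process_heartbeat(build_request(b"hello"))[:8])
    print(process_heartbeat(build_request(b"hello", claimed_length=0xFFFF)))
    print(fuzz())
```

The deterministic seed makes a fuzz run reproducible, which matters when a violation has to be turned into a regression test. The fuzz loop reports how many mutants were answered and how many discarded; with the check in place the violation count stays at zero, and removing the check is exactly what would make it climb in a harness around the C code running under a memory-error detector.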
Slide 41: Hire a Bounty Hunter?
Notes: Bounty hunters. Talk about the hacker black market. Talk about Google and other corporations paying a bounty of up to $4,000 per bug.
Slide 42: Key Takeaways
Slide 43: Questions? Contact:
Notes: Thank ISSA and Cyber Huntsville. Questions?
Slide 44: Web References
1. DoD CIO guidance on Open Source Software
2. Video on Open Source component vulnerability
3. Financial Services ISAC working group white paper on 3rd party software security: ng_group.pdf
Building Security In Maturity Model
6. Black Duck Hub on OSS
7. Cartoon explanation of Heartbleed
8. SSL Heartbeat RFC
9. OpenSSL source code download
Comparison of free and open-source software licenses
Slide 45: Book References
- The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities, by Mark Dowd
- Secure Coding Standards, Software Engineering Institute, Carnegie Mellon: The CERT C Secure Coding Standard; The CERT C++ Secure Coding Standard; The CERT Oracle Secure Coding Standard for Java
More informationCritical Infrastructure Security: The Emerging Smart Grid. Cyber Security Lecture 5: Assurance, Evaluation, and Compliance Carl Hauser & Adam Hahn
Critical Infrastructure Security: The Emerging Smart Grid Cyber Security Lecture 5: Assurance, Evaluation, and Compliance Carl Hauser & Adam Hahn Overview Assurance & Evaluation Security Testing Approaches
More informationThe introduction covers the recent changes is security threats and the effect those changes have on how we protect systems.
1 Cyber-attacks frequently take advantage of software weaknesses unintentionally created during development. This presentation discusses some ways that improved acquisition practices can reduce the likelihood
More informationTLS/SSL in distributed systems. Eugen Babinciuc
TLS/SSL in distributed systems Eugen Babinciuc Contents 1. Introduction to TLS/SSL 2. A quick review of cryptography 3. TLS/SSL in distributed systems 4. Conclusions Introduction to TLS/SSL TLS/SSL History
More informationWEB SECURITY. Oriana Kondakciu 0054118 Software Engineering 4C03 Project
WEB SECURITY Oriana Kondakciu 0054118 Software Engineering 4C03 Project The Internet is a collection of networks, in which the web servers construct autonomous systems. The data routing infrastructure
More informationTOOL EVALUATION REPORT: FORTIFY
TOOL EVALUATION REPORT: FORTIFY Derek D Souza, Yoon Phil Kim, Tim Kral, Tejas Ranade, Somesh Sasalatti ABOUT THE TOOL Background The tool that we have evaluated is the Fortify Source Code Analyzer (Fortify
More informationDefending Behind The Device Mobile Application Risks
Defending Behind The Device Mobile Application Risks Tyler Shields Product Manager and Strategist Veracode, Inc Session ID: MBS-301 Session Classification: Advanced Agenda The What The Problem Mobile Ecosystem
More informationHow To Manage Web Content Management System (Wcm)
WEB CONTENT MANAGEMENT SYSTEM February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in
More informationStories From the Front Lines: Deploying an Enterprise Code Scanning Program
Stories From the Front Lines: Deploying an Enterprise Code Scanning Program Adam Bixby Manager Gotham Digital Science 10/28/2010 YOUR LOGO HERE Introduction Adam Bixby, CISSP, MS o Manager at Gotham Digital
More informationTopics in Network Security
Topics in Network Security Jem Berkes MASc. ECE, University of Waterloo B.Sc. ECE, University of Manitoba www.berkes.ca February, 2009 Ver. 2 In this presentation Wi-Fi security (802.11) Protecting insecure
More informationAppalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation... 1. Areas for Improvement... 2
Report No. 13-35 September 27, 2013 Appalachian Regional Commission Table of Contents Results of Evaluation... 1 Areas for Improvement... 2 Area for Improvement 1: The agency should implement ongoing scanning
More informationInformation Security Services
Information Security Services Information Security In 2013, Symantec reported a 62% increase in data breaches over 2012. These data breaches had tremendous impacts on many companies, resulting in intellectual
More informationNational Endowment for the Arts Evaluation Report. Table of Contents. Results of Evaluation... 1. Areas for Improvement... 2. Exit Conference...
NEA OIG Report No. R-13-03 Table of Contents Results of Evaluation... 1 Areas for Improvement... 2 Area for Improvement 1: The agency should implement ongoing scanning to detect vulnerabilities... 2 Area
More informationAcano solution. Security Considerations. August 2015 76-1026-01-E
Acano solution Security Considerations August 2015 76-1026-01-E Contents Contents 1 Introduction... 3 2 Acano Secure Development Lifecycle... 3 3 Acano Security Points... 4 Acano solution: Security Consideration
More information90% of data breaches are caused by software vulnerabilities.
90% of data breaches are caused by software vulnerabilities. Get the skills you need to build secure software applications Secure Software Development (SSD) www.ce.ucf.edu/ssd Offered in partnership with
More informationPenetration Testing Report Client: Business Solutions June 15 th 2015
Penetration Testing Report Client: Business Solutions June 15 th 2015 Acumen Innovations 80 S.W 8 th St Suite 2000 Miami, FL 33130 United States of America Tel: 1-888-995-7803 Email: info@acumen-innovations.com
More information05.0 Application Development
Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development
More informationWeb Application Penetration Testing
Web Application Penetration Testing 2010 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Will Bechtel William.Bechtel@att.com
More informationHow to Instrument for Advanced Web Application Penetration Testing
How to Instrument for Advanced Web Application Penetration Testing Table of Contents 1 Foreword... 3 2 Problem... 4 3 Background... 4 3.1 Dynamic Application Security Testing (DAST)... 4 3.2 Static Application
More informationSANS Top 20 Critical Controls for Effective Cyber Defense
WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a
More informationSSL BEST PRACTICES OVERVIEW
SSL BEST PRACTICES OVERVIEW THESE PROBLEMS ARE PERVASIVE 77.9% 5.2% 19.2% 42.3% 77.9% of sites are HTTP 5.2% have an incomplete chain 19.2% support weak/insecure cipher suites 42.3% support SSL 3.0 83.1%
More informationCS3235 - Computer Security Thirteenth topic: System attacks. defenses
Overflows... Security case studies CS3235 - Computer Security Thirteenth topic: System attacks and defenses Hugh Anderson National University of Singapore School of Computing March/April, 2016 Hugh Anderson
More informationREVOLUTIONIZING ADVANCED THREAT PROTECTION
REVOLUTIONIZING ADVANCED THREAT PROTECTION A NEW, MODERN APPROACH Blue Coat Advanced Threat Protection Group GRANT ASPLUND Senior Technology Evangelist 1 WHY DO I STAND ON MY DESK? "...I stand upon my
More informationMITIGATING RISKS FROM DEVELOPMENT, INTEGRATION, DISTRIBUTION AND DEPLOYMENT. 2015 Black Duck Software, Inc. All Rights Reserved.
MITIGATING RISKS FROM DEVELOPMENT, INTEGRATION, DISTRIBUTION AND DEPLOYMENT 2015 Black Duck Software, Inc. All Rights Reserved. BILL WEINBERG Bill leads the Black Duck Open Source Strategy consultancy,
More informationAutomatic vs. Manual Code Analysis
Automatic vs. Manual Code Analysis 2009-11-17 Ari Kesäniemi Senior Security Architect Nixu Oy ari.kesaniemi@nixu.com Copyright The Foundation Permission is granted to copy, distribute and/or modify this
More informationSSL and Browsers: The Pillars of Broken Security
SSL and Browsers: The Pillars of Broken Security Ivan Ristic Wolfgang Kandek Qualys, Inc. Session ID: TECH-403 Session Classification: Intermediate SSL, TLS, And PKI SSL (or TLS, if you prefer) is the
More informationNetwork and Host-based Vulnerability Assessment
Network and Host-based Vulnerability Assessment A guide for information systems and network security professionals 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free:
More informationNeXUS REPOSITORY managers
PRODUCT OVERVIEW NeXUS REPOSITORY managers Nexus OSS, Nexus Pro and Nexus Pro+ Nexus repository managers help organizations build better software, faster. Like a supply chain, applications are built by
More informationAppropriate Software Security Control Types for Third Party Service and Product Providers
White Paper Third Party Software Security Working Group Appropriate Software Security Control Types for Third Party Service and Product Providers Third Party Software Security Working Group 1 2 Third Party
More informationApplication Security in the Software Development Lifecycle
Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO
More informationOutlook Safe Sender s Filtering
Outlook Safe Sender s Filtering User s Guide Also Guide to Making Internet Explorer More Secure By: Gregg Sterner Trellix Engineering Corp. Table of Contents Introduction... 1 This Manual... 3 Junk E-mail
More informationPOODLE. Yoshiaki Kasahara Kyushu University kasahara@nc.kyushu-u.ac.jp. 2015/3/3 APAN 39th in Fukuoka 1
POODLE Yoshiaki Kasahara Kyushu University kasahara@nc.kyushu-u.ac.jp 2015/3/3 APAN 39th in Fukuoka 1 Summary POODLE: Padding Oracle On Downgraded Legacy Encryption Discovered in October 2014 by Google
More informationFINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES
Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that
More informationHP Fortify application security
HP Fortify application security Erik Costlow Enterprise Security The problem Cyber attackers are targeting applications Networks Hardware Applications Intellectual Property Security Measures Switch/Router
More informationOPEN SOURCE SECURITY
OPEN SOURCE SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without
More informationDefending Against Cyber Attacks with SessionLevel Network Security
Defending Against Cyber Attacks with SessionLevel Network Security May 2010 PAGE 1 PAGE 1 Executive Summary Threat actors are determinedly focused on the theft / exfiltration of protected or sensitive
More informationPromoting Application Security within Federal Government. AppSec DC November 13, 2009. The OWASP Foundation http://www.owasp.org
Promoting Application Security within Federal Government AppSec DC November 13, 2009 Dr. Sarbari Gupta, CISSP, CISA Founder/President Electrosoft sarbari@electrosoft-inc.com 703-437-9451 ext 12 The Foundation
More informationTelecom Testing and Security Certification. A.K.MITTAL DDG (TTSC) Department of Telecommunication Ministry of Communication & IT
Telecom Testing and Security Certification A.K.MITTAL DDG (TTSC) Department of Telecommunication Ministry of Communication & IT 1 Need for Security Testing and Certification Telecom is a vital infrastructure
More informationWEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY
WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities
More informationWHITE PAPER. Managed File Transfer: When Data Loss Prevention Is Not Enough Moving Beyond Stopping Leaks and Protecting Email
WHITE PAPER Managed File Transfer: When Data Loss Prevention Is Not Enough Moving Beyond Stopping Leaks and Protecting Email EXECUTIVE SUMMARY Data Loss Prevention (DLP) monitoring products have greatly
More informationHost Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1
Host Hardening Presented by Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Background National Institute of Standards and Technology Draft Guide to General Server Security SP800-123 Server A
More informationThis session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.
The hidden risks of mobile applications This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit. To learn more about TraceSecurity visit www.tracesecurity.com
More informationWHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK
WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK DATE OF RELEASE: 27 th July 2012 Table of Contents 1. Introduction... 2 2. Need for securing Telecom Networks... 3 3. Security Assessment Techniques...
More informationAPIs The Next Hacker Target Or a Business and Security Opportunity?
APIs The Next Hacker Target Or a Business and Security Opportunity? SESSION ID: SEC-T07 Tim Mather VP, CISO Cadence Design Systems @mather_tim Why Should You Care About APIs? Amazon Web Services EC2 alone
More informationEffective Software Security Management
Effective Software Security Management choosing the right drivers for applying application security Author: Dharmesh M Mehta dharmeshmm@mastek.com / dharmeshmm@owasp.org Table of Contents Abstract... 1
More informationJBoss security: penetration, protection and patching. David Jorm djorm@redhat.com
JBoss security: penetration, protection and patching David Jorm djorm@redhat.com Contents The problem Background Historical vulnerabilities JBoss worm Security response for products The solution The Problem
More informationWhitepaper : Using Unsniff Network Analyzer to analyze SSL / TLS
Whitepaper : Using Unsniff Network Analyzer to analyze SSL / TLS A number of applications today use SSL and TLS as a security layer. Unsniff allows authorized users to analyze these applications by decrypting
More informationRedhawk Network Security, LLC 62958 Layton Ave., Suite One, Bend, OR 97701 sales@redhawksecurity.com 866-605- 6328 www.redhawksecurity.
Planning Guide for Penetration Testing John Pelley, CISSP, ISSAP, MBCI Long seen as a Payment Card Industry (PCI) best practice, penetration testing has become a requirement for PCI 3.1 effective July
More information