Getting software security Right

Size: px
Start display at page:

Download "Getting software security Right"

Transcription

1 Getting software security Right Haiyun Xu, Theodoor Scholte April

2 Table of contents 2 I Who is SIG? 2. SIG software maintainability model 3. Getting software security Right: security by design 4. SIG ongoing security research 5. Potential research topics for student projects

3 Software Improvement Group 3 I 23 SIG Background Spin-off from CWI in 2000, self-owned, independent Management advisory, fact-based Accredited software analysis lab employs analysis tools and models SIG Service Examples Software Risk Assessment Reduce or eliminate technical and operational issues by identifying software system risks. Software Risk Monitor Monitor systems under development and maintenance to improve the processes involved in delivering high-quality software systems Security Risk Assessment Gain control over IT security and prevent security incidents by identifying the root causes of weak spots in code, design and process.

4 Introduction myself 4 I 23 Dr. Haiyun Xu Chief Security Officer / Researcher Main security activities Research on Software Security Model Information Security Management Security analysis of Software Defined Networking Supervising master students on security research projects

5 Table of contents 5 I Who is SIG? 2. SIG software maintainability model 3. Getting software security Right: security by design 4. SIG ongoing security research 5. Potential research topics for student projects

6 Introducing SIG maintainability model The ISO standard for software quality 6 I 23 Usability Compatibility Reliability Performance Efficiency Software Quality ISO Security Functional Suitability Maintainability Portability

7 Introduction to SIG maintainability model The SIG/TÜViT quality model for software maintainability 7 I 23 System properties Component independence Component balance Unit interfacing Unit complexity Module coupling Duplication Volume Unit size Analysability x x x x Modifiability x x x Testability x x x Modularity x x x Reusability x x

8 Introduction to SIG maintainability model From measurements to risk categories to ratings 8 I 23 Star ratings are relative to hundreds of systems in the SIG benchmark Ratings are between 1 and 5 stars, where 3 stars is market average maintainability Example RISK CATEGORY PART OF SYSTEM Low risk 65% Moderate risk 15% HHHII High risk 15% Very high risk 5%

9 Table of contents 9 I Who is SIG? 2. SIG software maintainability model 3. Getting software security Right: security by design 4. SIG ongoing security research 5. Potential research topics for student projects

10 Four different types of security verification They work best when applied together 10 I 23 All security risks Penetration tests Automated static code analysis Design/code reviews Build quality analysis

11 Security by Design Embedding software security in client organisation 11 I 23 Risk management and acceptance Environmental factors Legal requirements, policies, constraints Accountability Internal (risk dashboard), external (certification, compliance) Risk analysis Inventory of threats, measures and risks Threats, reqs, risks Design review Code review Security Test Pentest Req ments Design Build Test Accept Deploy Training & Guidelines QA Advice & Tuning Risk management steps Development phases SIG offer

12 Security by Design SIG services 12 I 23 Step 1. How can I get How Risk can management I make secure and acceptance How secure is my software? secure software? software? Security Risk Assessment Environmental factors Accountability Security compliance check (with Security governance Security requirements review maturity Legal scan requirements, (based on Grip policies, constraints Secure design review Internal (risk dashboard), whatever external standard) (certification, compliance) on SSD) Secure coding training & Security inspection Security requirements guidelines Security sample assessment (one usecase) Risk analysis review Inventory Secure development of threats, measures process and risks review Threats, reqs, risks Design review Code review Security Test Pentest Req ments Design Build Test Accept Deploy Training & Guidelines QA Advice & Tuning Risk management steps Development phases SIG offer

13 SIG security inspection methodology How SIG broke down security 13 I 23 System-level security Confidentiality & Integrity Non-repudiation & Accountability Authenticity Access Management Strength Session Management Strength Security User Management Authentication Method Strength Authentication Implement Strength Authentication Enforcement

14 SIG security inspection methodology The SIG ISO25010 Quality Model for security 14 I 23 System properties Access management strength Input and output verification Session management strength Final result: HHIII Secure user management Identification strength Secure data transport Authorized access Evidence strength Secure data storage Confidentiality & Integrity Non-repudiation & Accountability HHIII HIIII HHIII HHHHI HIIII HHIII HHHHI HHIII HHIII X X X X HHIII X X HHIII Authenticity X X X HIIII ISO Security sub-characteristics The model is applied using a mix of tooling and expert review, from four perspectives

15 SIG security inspection methodology Example findings from a software security inspection 15 I 23 Finding 1. Missing certificate check by mobile app is abused with man in the middle attack 2. Passwords leak because passwords are stored in database and can be decrypted 3. IAM is hacked since URL and version are exposed 4.Password leak from registration log 5.Developers create data leak because of complexity in website architecture 6. Backdoor in application interface is abused 7. Injection attack abuses browser-only input for validation of data of birth 8. Attack is not identified because logging/monitoring of key processes is not in place HHHII 3 manmonths HHHHI Impact (3+) 5 manmonths high med low low med Probability high Diameter of circle represents indication of effort

16 Table of contents 16 I Who is SIG? 2. SIG software maintainability model 3. Getting software security Right: security by design 4. SIG ongoing security research 5. Potential research topics for student projects

17 Ongoing Security Research Metric-based Security Model 17 I 23

18 Ongoing Security Research Automated Security Web Scanners 18 I 23 Why are the tools not used in development process? Many vulnerability scanners exist yet they are rarely being used! What are important features needed by companies? Do the tools provide these features? What needs to improved to make tools usable?

19 Ongoing Security Research Security Analysis of Software Defined Networking (SDN) Figure 9: Attack tree overview 19 I 23 The sub-attack trees represented in Figure 9 are addressed in the following sections Attack trees 1 and 2: Denial of Service Attacks Apply STRIDE and Attack tree for threat modeling Design test cases and perform using SDN tools... SDN SECURITY TESTING FRAMEWORK 62 7) Stop arpspoof; 8) Verify that the ping starts working again, as the real controller is connected again. Security assessment approach Threat Modeling DoS attacks are usually performed by generating a very large number of packets that likely generate new flows. The attack trees of Figure 10 and Figure 11 define how this type of attacks can be performed when considering the switch and the controller, respectively. Figure 33: ARP spoof controller form a malicious system Assessment Notice that this attack can also be formed on the northbound interface of the controller, i.e., by spoofing either the controller or the SDN applications Modifying northbound API In this section we demonstrate a tampering attack on the northbound API. It corresponds to the attack described in the attack tree in section (Branch 2 of Figure 15). The attack uses the same infrastructure as the previous attacks, but now we are attacking the Northbound interface of Floodlight. Notice that it will work equally well on the Southbound API. We use ettercap to modify sent and received messages, and for that we use the ettercap filter script shown in Figure 34. SDN Security Research Testing Figure 10: Denial of service attack on the forwarding devices (e.g., switch). Mitigation CONFIDENTIAL Mitigation solutions and best practices Security application Figure 34: Ettercap filter of-attack.filter To perform the attack, we start the network as before. First we need compile the filter file using the command:

20 Table of contents 20 I Who is SIG? 2. SIG software maintainability model 3. Getting software security Right: security by design 4. SIG ongoing security research 5. Potential research topics for student projects

21 Potential Topic For Student Projects Cyber Security: Software Security Code Review 21 I 23 By accident or by design? Security Code Review oftware security How to perform security code review Software Improvement Group e Improvement effectively Group (SIG)/ specializes efficiently? in measuring software aintainability, reliability, performance) and provides actionable to improve design, source code and the development process. Are the security standards / guidelines be helpful (e.g., OWASP ASVS)? security? urity Model Will it be helpful if we group code Secure data transport Identification strength Access management strength Finding security risks Session maangement strength Penetration tests Authorized access Input and output verification Secure data storage All security risks Evidence strength Secure user management Make sure your client signs an indemnity waiver ( vrijwaringsverklaring ). This document waives any damages the test may cause; the test cannot start with- Haiyun Xu, Theodoor Scholte, April , Radboud Rating University Nijmegen HHHHI HHHHI HHIII HHHHI HHHHI HHIII HHHHI HHHII HHIII out this. Confidentiality SIG does & not need to be a party in this agreement, but you will need to Overall rating 29 I 5 Automated security code analysis Are the static analysis tools helpful (e.g., IR-funded research SIG further develops its method for finding es using a mix of design/code review, Including build quality a penetration analysis, code test etration tests, in order Are to the assess penetration the level of testing security tools in 1-5 helpful? stars. ves 20 pilots with various organizations. We do not perform penetration tests ourselves, but hire external experts instead. Pene- dwide security incidents are tration caused testers by mistakes one in software. or multiple SIG s URLs of a working system as a starting point for their a thorough, structured, Fortify)? consistent and repeatable way to have Security design/ Build quality test, and attempt various known attacks code within reviewsa time box (usually 1-2 weeks). analysis & The reviews Security to prevent the Practice code making can reviewer software assist strategy? you mistakes. in finding a penetration tester, but account manager and t in software security, from the very start of development. It sis of build quality How in to order design Requirements consultant on need code to review address expertise the following: on Get scope and pricing clear. The testers need to have some idea of the size of the system to test to base their pricing on. This can be accomplished by arranging access to a testing environment or by having the client indicate the size (typically in level? number of pages). Either way, the systems and URLs to test need to be reviewers by skill clearly demarcated. Confidentiality: Balance is only visible to the owner 19

22 Potential Topic For Student Projects Patching and Security 22 I 23 User aspect Does patching faster improve security? Maintainability of library, known vulnerabilities Vendor aspect Do we want a policy that skips patching in favor of rolling software fast enough to make it a moving target? When patching, is that better to disclose or keep the fix secret? Design a cost model for patching

23 Potential Topic For Student Projects More open projects online 23 I 23 Open projects:

24 Haiyun Xu GETTING SOFTWARE RIGHT

Measuring Software Product Quality

Measuring Software Product Quality Measuring Software Product Quality Eric Bouwers June 17, 2014 T +31 20 314 0950 info@sig.eu www.sig.eu Software Improvement Group Who are we? Highly specialized advisory company for cost, quality and risks

More information

Making your web application. White paper - August 2014. secure

Making your web application. White paper - August 2014. secure Making your web application White paper - August 2014 secure User Acceptance Tests Test Case Execution Quality Definition Test Design Test Plan Test Case Development Table of Contents Introduction 1 Why

More information

ensuring security the way how we do it

ensuring security the way how we do it ensuring security the way how we do it HUSTEF, 2015.11.18 Attila Tóth 1 Nokia Solutions and Networks 2014 Disclaimer The ideas, processes, tools are presented from a practitioner s point of view working

More information

05.0 Application Development

05.0 Application Development Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development

More information

NERC Cyber Security. Compliance Consulting. Services. HCL Governance, Risk & Compliance Practice

NERC Cyber Security. Compliance Consulting. Services. HCL Governance, Risk & Compliance Practice NERC Cyber Security Compliance Consulting Services HCL Governance, Risk & Compliance Practice Overview The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to

More information

Application Code Development Standards

Application Code Development Standards Application Code Development Standards Overview This document is intended to provide guidance to campus system owners and software developers regarding secure software engineering practices. These standards

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must

More information

! Resident of Kauai, Hawaii

! Resident of Kauai, Hawaii SECURE SDLC Jim Manico @manicode! OWASP Volunteer! Global OWASP Board Member! Manager of several OWASP secure coding projects! Security Instructor, Author! 17 years of web-based, databasedriven software

More information

Effective Software Security Management

Effective Software Security Management Effective Software Security Management choosing the right drivers for applying application security Author: Dharmesh M Mehta dharmeshmm@mastek.com / dharmeshmm@owasp.org Table of Contents Abstract... 1

More information

Network Test Labs (NTL) Software Testing Services for igaming

Network Test Labs (NTL) Software Testing Services for igaming Network Test Labs (NTL) Software Testing Services for igaming Led by committed, young and dynamic professionals with extensive expertise and experience of independent testing services, Network Test Labs

More information

Preventive Approach for Web Applications Security Testing OWASP 10/30/2009. The OWASP Foundation http://www.owasp.org

Preventive Approach for Web Applications Security Testing OWASP 10/30/2009. The OWASP Foundation http://www.owasp.org Preventive Approach for Web Applications Security Testing 10/30/2009 Luiz Otávio Duarte Ferrucio de Franco Rosa Walcir M. Cardoso Jr. Renato Archer Information Technology Center Brazilian Ministry of Science

More information

Mobile Application Threat Analysis

Mobile Application Threat Analysis The OWASP Foundation http://www.owasp.org Mobile Application Threat Analysis Ari Kesäniemi Nixu Copyright The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under

More information

Automatic vs. Manual Code Analysis

Automatic vs. Manual Code Analysis Automatic vs. Manual Code Analysis 2009-11-17 Ari Kesäniemi Senior Security Architect Nixu Oy ari.kesaniemi@nixu.com Copyright The Foundation Permission is granted to copy, distribute and/or modify this

More information

Taxonomic Modeling of Security Threats in Software Defined Networking. Jennia Hizver PhD in Computer Science

Taxonomic Modeling of Security Threats in Software Defined Networking. Jennia Hizver PhD in Computer Science Taxonomic Modeling of Security Threats in Software Defined Networking Jennia Hizver PhD in Computer Science SDN Adoption Rates SDN Attack Surface SDN Threat Model Attack Examples Threat Mitigation Agenda

More information

White Paper. Automating Your Code Review: Moving to a SaaS Model for Application Security

White Paper. Automating Your Code Review: Moving to a SaaS Model for Application Security White Paper Automating Your Code Review: Moving to a SaaS Model for Application Security Contents Overview... 3 Executive Summary... 3 Code Review and Security Analysis Methods... 5 Source Code Review

More information

Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP

Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Learning objectives for today s session Understand different types of application assessments and how they differ Be

More information

Threat Intelligence Pty Ltd info@threatintelligence.com 1300 809 437. Specialist Security Training Catalogue

Threat Intelligence Pty Ltd info@threatintelligence.com 1300 809 437. Specialist Security Training Catalogue Threat Intelligence Pty Ltd info@threatintelligence.com 1300 809 437 Specialist Security Training Catalogue Did you know that the faster you detect a security breach, the lesser the impact to the organisation?

More information

Adobe Systems Incorporated

Adobe Systems Incorporated Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...

More information

Entire contents 2011 Praetorian. All rights reserved. Information Security Provider and Research Center www.praetorian.com

Entire contents 2011 Praetorian. All rights reserved. Information Security Provider and Research Center www.praetorian.com Entire contents 2011 Praetorian. All rights reserved. Information Security Provider and Research Center www.praetorian.com Threat Modeling "Threat modeling at the design phase is really the only way to

More information

Testing Solutions to Tackle Application Security Checkpoint Technologies SQGNE. Jimmie Parson Checkpoint Technologies

Testing Solutions to Tackle Application Security Checkpoint Technologies SQGNE. Jimmie Parson Checkpoint Technologies Testing Solutions to Tackle Application Security Checkpoint Technologies SQGNE Jimmie Parson Checkpoint Technologies Welcome, Introductions Agenda Checkpoint Technologies Quick Corporate Overview Why do

More information

OWASP Omaha. The Open Web Application Security Project Omaha Chapter

OWASP Omaha. The Open Web Application Security Project Omaha Chapter OWASP Omaha The Open Web Application Security Project Omaha Chapter What is OWASP? The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused

More information

Rational AppScan & Ounce Products

Rational AppScan & Ounce Products IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168

More information

Functional vs. Load Testing

Functional vs. Load Testing Best Practices in Performance & Security Testing March 26, 2009 CVN www.sonata-software.com Functional vs. Load Testing Functional test Objective Functionality Example Do business processes function properly

More information

SECURITY. Risk & Compliance Services

SECURITY. Risk & Compliance Services SECURITY Risk & Compliance s V1 8/2010 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize

More information

Passing PCI Compliance How to Address the Application Security Mandates

Passing PCI Compliance How to Address the Application Security Mandates Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These

More information

Web application testing

Web application testing CL-WTS Web application testing Classroom 2 days Testing plays a very important role in ensuring security and robustness of web applications. Various approaches from high level auditing through penetration

More information

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Host Hardening Presented by Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Background National Institute of Standards and Technology Draft Guide to General Server Security SP800-123 Server A

More information

Guideline on Vulnerability and Patch Management

Guideline on Vulnerability and Patch Management CMSGu2014-03 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Vulnerability and Patch Management National Computer Board

More information

Threat Modeling. Frank Piessens (Frank.Piessens@cs.kuleuven.be ) KATHOLIEKE UNIVERSITEIT LEUVEN

Threat Modeling. Frank Piessens (Frank.Piessens@cs.kuleuven.be ) KATHOLIEKE UNIVERSITEIT LEUVEN Threat Modeling Frank Piessens (Frank.Piessens@cs.kuleuven.be ) Secappdev 2007 1 Overview Introduction Key Concepts Threats, Vulnerabilities, Countermeasures Example Microsoft s Threat Modeling Process

More information

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle A Strategic Approach to Web Application Security The importance of a secure software development lifecycle Rachna Goel Technical Lead Enterprise Technology Web application security is clearly the new frontier

More information

Cisco Advanced Services for Network Security

Cisco Advanced Services for Network Security Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs

More information

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75 Plain English Guide To Common Criteria Requirements In The Field Device Protection Profile Version 0.75 Prepared For: Process Control Security Requirements Forum (PCSRF) Prepared By: Digital Bond, Inc.

More information

HP Application Security Center

HP Application Security Center HP Application Security Center Web application security across the application lifecycle Solution brief HP Application Security Center helps security professionals, quality assurance (QA) specialists and

More information

Penetration Testing in Romania

Penetration Testing in Romania Penetration Testing in Romania Adrian Furtunǎ, Ph.D. 11 October 2011 Romanian IT&C Security Forum Agenda About penetration testing Examples Q & A 2 What is penetration testing? Method for evaluating the

More information

ISSECO Syllabus Public Version v1.0

ISSECO Syllabus Public Version v1.0 ISSECO Syllabus Public Version v1.0 ISSECO Certified Professional for Secure Software Engineering Date: October 16th, 2009 This document was produced by the ISSECO Working Party Syllabus Introduction to

More information

Protecting Your Organisation from Targeted Cyber Intrusion

Protecting Your Organisation from Targeted Cyber Intrusion Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology

More information

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014 Security Testing Vulnerability Assessment vs Penetration Testing Gabriel Mihai Tanase, Director KPMG Romania 29 October 2014 Agenda What is? Vulnerability Assessment Penetration Testing Acting as Conclusion

More information

Mobile Application Hacking for ios. 3-Day Hands-On Course. Syllabus

Mobile Application Hacking for ios. 3-Day Hands-On Course. Syllabus Mobile Application Hacking for ios 3-Day Hands-On Course Syllabus Course description ios Mobile Application Hacking 3-Day Hands-On Course This course will focus on the techniques and tools for testing

More information

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences

More information

NETWORK PENETRATION TESTING

NETWORK PENETRATION TESTING Tim West Consulting 6807 Wicklow St. Arlington, TX 76002 817-228-3420 Twest@timwestconsulting.com OVERVIEW Tim West Consulting Tim West Consulting is a full service IT security and support firm that specializes

More information

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation) It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The

More information

Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP

Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP Presentation Overview Basic Application Security (AppSec) Fundamentals Risks Associated With

More information

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

ITEC441- IS Security. Chapter 15 Performing a Penetration Test 1 ITEC441- IS Security Chapter 15 Performing a Penetration Test The PenTest A penetration test (pentest) simulates methods that intruders use to gain unauthorized access to an organization s network and

More information

Where every interaction matters.

Where every interaction matters. Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper

More information

Software Security. Group project: application security verification using OWASP ASVS

Software Security. Group project: application security verification using OWASP ASVS Software Security Group project: application security verification using OWASP ASVS Brainstorm What would you do if you if someone asked you to check if some application they use (and possibly bought)

More information

Security Challenges & Opportunities in Software Defined Networks (SDN)

Security Challenges & Opportunities in Software Defined Networks (SDN) Security Challenges & Opportunities in Software Defined Networks (SDN) June 30 th, 2015 SEC2 2015 Premier atelier sur la sécurité dans les Clouds Nizar KHEIR Cyber Security Researcher Orange Labs Products

More information

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability

More information

Taxonomic Modeling of Security Threats in Software Defined Networking

Taxonomic Modeling of Security Threats in Software Defined Networking Taxonomic Modeling of Security Threats in Software Defined Networking Recent advances in software defined networking (SDN) provide an opportunity to create flexible and secure next-generation networks.

More information

Telecom Testing and Security Certification. A.K.MITTAL DDG (TTSC) Department of Telecommunication Ministry of Communication & IT

Telecom Testing and Security Certification. A.K.MITTAL DDG (TTSC) Department of Telecommunication Ministry of Communication & IT Telecom Testing and Security Certification A.K.MITTAL DDG (TTSC) Department of Telecommunication Ministry of Communication & IT 1 Need for Security Testing and Certification Telecom is a vital infrastructure

More information

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST Performed Between Testing start date and end date By SSL247 Limited SSL247 Limited 63, Lisson Street Marylebone London

More information

Enterprise Security Tactical Plan

Enterprise Security Tactical Plan Enterprise Security Tactical Plan Fiscal Years 2011 2012 (July 1, 2010 to June 30, 2012) Prepared By: State Chief Information Security Officer The Information Security Council State of Minnesota Enterprise

More information

https://elearn.zdresearch.com https://training.zdresearch.com/course/pentesting

https://elearn.zdresearch.com https://training.zdresearch.com/course/pentesting https://elearn.zdresearch.com https://training.zdresearch.com/course/pentesting Chapter 1 1. Introducing Penetration Testing 1.1 What is penetration testing 1.2 Different types of test 1.2.1 External Tests

More information

QuickBooks Online: Security & Infrastructure

QuickBooks Online: Security & Infrastructure QuickBooks Online: Security & Infrastructure May 2014 Contents Introduction: QuickBooks Online Security and Infrastructure... 3 Security of Your Data... 3 Access Control... 3 Privacy... 4 Availability...

More information

SAST, DAST and Vulnerability Assessments, 1+1+1 = 4

SAST, DAST and Vulnerability Assessments, 1+1+1 = 4 SAST, DAST and Vulnerability Assessments, 1+1+1 = 4 Gordon MacKay Digital Defense, Inc. Chris Wysopal Veracode Session ID: Session Classification: ASEC-W25 Intermediate AGENDA Risk Management Challenges

More information

Penetration Testing. Types Black Box. Methods Automated Manual Hybrid. oless productive, more difficult White Box

Penetration Testing. Types Black Box. Methods Automated Manual Hybrid. oless productive, more difficult White Box Penetration Testing Penetration Testing Types Black Box oless productive, more difficult White Box oopen, team supported, typically internal osource available Gray Box (Grey Box) omixture of the two Methods

More information

Ethical Hacking as a Professional Penetration Testing Technique

Ethical Hacking as a Professional Penetration Testing Technique Ethical Hacking as a Professional Penetration Testing Technique Rochester ISSA Chapter Rochester OWASP Chapter - Durkee Consulting, Inc. info@rd1.net 2 Background Founder of Durkee Consulting since 1996

More information

Redhawk Network Security, LLC 62958 Layton Ave., Suite One, Bend, OR 97701 sales@redhawksecurity.com 866-605- 6328 www.redhawksecurity.

Redhawk Network Security, LLC 62958 Layton Ave., Suite One, Bend, OR 97701 sales@redhawksecurity.com 866-605- 6328 www.redhawksecurity. Planning Guide for Penetration Testing John Pelley, CISSP, ISSAP, MBCI Long seen as a Payment Card Industry (PCI) best practice, penetration testing has become a requirement for PCI 3.1 effective July

More information

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss Thinking Securely Security is a process, not

More information

Juniper Networks Secure

Juniper Networks Secure White Paper Juniper Networks Secure Development Lifecycle Six Practices for Improving Product Security Copyright 2013, Juniper Networks, Inc. 1 Table of Contents Executive Summary...3 Introduction...3

More information

Secure Web Development Teaching Modules 1. Security Testing. 1.1 Security Practices for Software Verification

Secure Web Development Teaching Modules 1. Security Testing. 1.1 Security Practices for Software Verification Secure Web Development Teaching Modules 1 Security Testing Contents 1 Concepts... 1 1.1 Security Practices for Software Verification... 1 1.2 Software Security Testing... 2 2 Labs Objectives... 2 3 Lab

More information

ASU Web Application Security Standard

ASU Web Application Security Standard ASU Web Application Security Standard Spring 2014 2 1 PURPOSE This standard seeks to improve the security of ASU Web applications by addressing the following: Threat modeling and security testing Web application

More information

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP How to start a software security initiative within your organization: a maturity based and metrics driven approach Marco Morana OWASP Lead/ TISO Citigroup OWASP Application Security For E-Government Copyright

More information

Web Application security testing: who tests the test?

Web Application security testing: who tests the test? Web Application security testing: who tests the test? Ainārs Galvāns Application Penetration Tester www.exigenservices.lv About myself Functional testing Leading test group Reporting to client Performance

More information

From the Bottom to the Top: The Evolution of Application Monitoring

From the Bottom to the Top: The Evolution of Application Monitoring From the Bottom to the Top: The Evolution of Application Monitoring Narayan Makaram, CISSP Director, Security Solutions HP/Enterprise Security Business Unit Session ID: SP01-202 Session 2012 Classification:

More information

elearning for Secure Application Development

elearning for Secure Application Development elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security

More information

TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS

TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS Technical audits in accordance with Regulation 211/2011 of the European Union and according to Executional Regulation 1179/2011 of the

More information

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK DATE OF RELEASE: 27 th July 2012 Table of Contents 1. Introduction... 2 2. Need for securing Telecom Networks... 3 3. Security Assessment Techniques...

More information

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP Threat Modeling Categorizing the nature and severity of system vulnerabilities John B. Dickson, CISSP What is Threat Modeling? Structured approach to identifying, quantifying, and addressing threats. Threat

More information

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins During initial stages of penetration testing it is essential to build a strong information foundation before you

More information

Learning objectives for today s session

Learning objectives for today s session Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Learning objectives for today s session Understand what a black box and white box assessment is and how they differ Identify

More information

Ethical Hacking Agreement for External Network Security Unannounced Penetration Test

Ethical Hacking Agreement for External Network Security Unannounced Penetration Test Ethical Hacking Agreement for External Network Security Unannounced Penetration Test Agreement made on the (date), between (Name of Consultant) of (street address, city, state, zip code), referred to herein

More information

Attachment A. Identification of Risks/Cybersecurity Governance

Attachment A. Identification of Risks/Cybersecurity Governance Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year

More information

How to Avoid an Attack - Security Testing as Part of Your Software Testing Process

How to Avoid an Attack - Security Testing as Part of Your Software Testing Process How to Avoid an Attack - Security Testing as Part of Your Software Testing Process Recent events in the field of information security, which have been publicized extensively in the media - such as the

More information

Web Application Security

Web Application Security Chapter 1 Web Application Security In this chapter: OWASP Top 10..........................................................2 General Principles to Live By.............................................. 4

More information

Standard: Web Application Development

Standard: Web Application Development Information Security Standards Web Application Development Standard IS-WAD Effective Date TBD Email security@sjsu.edu # Version 2.0 Contact Mike Cook Phone 408-924-1705 Standard: Web Application Development

More information

FortiWeb 5.0, Web Application Firewall Course #251

FortiWeb 5.0, Web Application Firewall Course #251 FortiWeb 5.0, Web Application Firewall Course #251 Course Overview Through this 1-day instructor-led classroom or online virtual training, participants learn the basic configuration and administration

More information

Excellence Doesn t Need a Certificate. Be an. Believe in You. 2014 AMIGOSEC Consulting Private Limited

Excellence Doesn t Need a Certificate. Be an. Believe in You. 2014 AMIGOSEC Consulting Private Limited Excellence Doesn t Need a Certificate Be an 2014 AMIGOSEC Consulting Private Limited Believe in You Introduction In this age of emerging technologies where IT plays a crucial role in enabling and running

More information

An Introduction to Network Vulnerability Testing

An Introduction to Network Vulnerability Testing CONTENTS Introduction 3 Penetration Testing Overview 4 Step 1: Defining the Scope 4 Step 2: Performing the Penetration Test 5 Step 3: Reporting and Delivering Results 6 VeriSign SecureTEST 7 Common Vulnerability

More information

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Detecting Web Application Vulnerabilities Using Open Source Means OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Kostas Papapanagiotou Committee Member OWASP Greek Chapter conpap@owasp.gr

More information

Course Title: Penetration Testing: Network & Perimeter Testing

Course Title: Penetration Testing: Network & Perimeter Testing Course Title: Penetration Testing: Network & Perimeter Testing Page 1 of 7 Course Description: The Security Analyst Series from EC-Council Press is comprised of five books covering a broad base of topics

More information

DISA's Application Security and Development STIG: How OWASP Can Help You. AppSec DC November 12, 2009. The OWASP Foundation http://www.owasp.

DISA's Application Security and Development STIG: How OWASP Can Help You. AppSec DC November 12, 2009. The OWASP Foundation http://www.owasp. DISA's Application Security and Development STIG: How Can Help You AppSec DC November 12, 2009 Jason Li Senior Application Security Engineer jason.li@aspectsecurity.com The Foundation http://www.owasp.org

More information

Application Security Testing

Application Security Testing Tstsec - Version: 1 09 July 2016 Application Security Testing Application Security Testing Tstsec - Version: 1 4 days Course Description: We are living in a world of data and communication, in which the

More information

Vulnerability Management

Vulnerability Management Vulnerability Management Buyer s Guide Buyer s Guide 01 Introduction 02 Key Components 03 Other Considerations About Rapid7 01 INTRODUCTION Exploiting weaknesses in browsers, operating systems and other

More information

Network Configuration Management

Network Configuration Management Network Configuration Management Contents Abstract Best Practices for Configuration Management What is Configuration Management? FCAPS Configuration Management Operational Issues IT Infrastructure Library

More information

How to Develop Cloud Applications Based on Web App Security Lessons

How to Develop Cloud Applications Based on Web App Security Lessons Applications Based on Before moving applications to the public cloud, it is important to implement security practices and techniques. This expert E-Guide provides guidance on how to develop secure applications

More information

Application Security Center overview

Application Security Center overview Application Security overview Magnus Hillgren Presales HP Software Sweden Fredrik Möller Nordic Manager - Fortify Software HP BTO (Business Technology Optimization) Business outcomes STRATEGY Project &

More information

Ovation Security Center Data Sheet

Ovation Security Center Data Sheet Features Scans for vulnerabilities Discovers assets Deploys security patches transparently Allows only white-listed applications to run in workstations Provides virus protection for Ovation Windows workstations

More information

State of Web Application Security. Ralph Durkee Durkee Consulting, Inc. Rochester ISSA & OWASP Chapters rd@rd1.net

State of Web Application Security. Ralph Durkee Durkee Consulting, Inc. Rochester ISSA & OWASP Chapters rd@rd1.net Ralph Durkee Durkee Consulting, Inc. Rochester ISSA & OWASP Chapters rd@rd1.net Ralph Durkee Founder of Durkee Consulting since 1996 Founder of Rochester OWASP since 2004 President of Rochester ISSA chapter

More information

Information Technology Security Review April 16, 2012

Information Technology Security Review April 16, 2012 Information Technology Security Review April 16, 2012 The Office of the City Auditor conducted this project in accordance with the International Standards for the Professional Practice of Internal Auditing

More information

Reducing Application Vulnerabilities by Security Engineering

Reducing Application Vulnerabilities by Security Engineering Reducing Application Vulnerabilities by Security Engineering - Subash Newton Manager Projects (Non Functional Testing, PT CoE Group) 2008, Cognizant Technology Solutions. All Rights Reserved. The information

More information

CRYPTUS DIPLOMA IN IT SECURITY

CRYPTUS DIPLOMA IN IT SECURITY CRYPTUS DIPLOMA IN IT SECURITY 6 MONTHS OF TRAINING ON ETHICAL HACKING & INFORMATION SECURITY COURSE NAME: CRYPTUS 6 MONTHS DIPLOMA IN IT SECURITY Course Description This is the Ethical hacking & Information

More information

Software Development: The Next Security Frontier

Software Development: The Next Security Frontier James E. Molini, CISSP, CSSLP Microsoft Member, (ISC)² Advisory Board of the Americas jmolini@microsoft.com http://www.codeguard.org/blog Software Development: The Next Security Frontier De-perimiterization

More information

Web Engineering Web Application Security Issues

Web Engineering Web Application Security Issues Security Issues Dec 14 2009 Katharina Siorpaes Copyright 2009 STI - INNSBRUCK www.sti-innsbruck.at It is NOT Network Security It is securing: Custom Code that drives a web application Libraries Backend

More information

IT Security & Compliance. On Time. On Budget. On Demand.

IT Security & Compliance. On Time. On Budget. On Demand. IT Security & Compliance On Time. On Budget. On Demand. IT Security & Compliance Delivered as a Service For businesses today, managing IT security risk and meeting compliance requirements is paramount

More information

Information Technology Policy

Information Technology Policy Information Technology Policy Enterprise Web Application Firewall ITP Number ITP-SEC004 Category Recommended Policy Contact RA-ITCentral@pa.gov Effective Date January 15, 2010 Supersedes Scheduled Review

More information

PENETRATION TESTING GUIDE. www.tbgsecurity.com 1

PENETRATION TESTING GUIDE. www.tbgsecurity.com 1 PENETRATION TESTING GUIDE www.tbgsecurity.com 1 Table of Contents What is a... 3 What is the difference between Ethical Hacking and other types of hackers and testing I ve heard about?... 3 How does a

More information

Penetration Testing Report Client: Business Solutions June 15 th 2015

Penetration Testing Report Client: Business Solutions June 15 th 2015 Penetration Testing Report Client: Business Solutions June 15 th 2015 Acumen Innovations 80 S.W 8 th St Suite 2000 Miami, FL 33130 United States of America Tel: 1-888-995-7803 Email: info@acumen-innovations.com

More information

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2. ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework

More information