Getting software security Right
|
|
- Elizabeth Mathews
- 8 years ago
- Views:
Transcription
1 Getting software security Right Haiyun Xu, Theodoor Scholte April
2 Table of contents 2 I Who is SIG? 2. SIG software maintainability model 3. Getting software security Right: security by design 4. SIG ongoing security research 5. Potential research topics for student projects
3 Software Improvement Group 3 I 23 SIG Background Spin-off from CWI in 2000, self-owned, independent Management advisory, fact-based Accredited software analysis lab employs analysis tools and models SIG Service Examples Software Risk Assessment Reduce or eliminate technical and operational issues by identifying software system risks. Software Risk Monitor Monitor systems under development and maintenance to improve the processes involved in delivering high-quality software systems Security Risk Assessment Gain control over IT security and prevent security incidents by identifying the root causes of weak spots in code, design and process.
4 Introduction myself 4 I 23 Dr. Haiyun Xu Chief Security Officer / Researcher Main security activities Research on Software Security Model Information Security Management Security analysis of Software Defined Networking Supervising master students on security research projects
5 Table of contents 5 I Who is SIG? 2. SIG software maintainability model 3. Getting software security Right: security by design 4. SIG ongoing security research 5. Potential research topics for student projects
6 Introducing SIG maintainability model The ISO standard for software quality 6 I 23 Usability Compatibility Reliability Performance Efficiency Software Quality ISO Security Functional Suitability Maintainability Portability
7 Introduction to SIG maintainability model The SIG/TÜViT quality model for software maintainability 7 I 23 System properties Component independence Component balance Unit interfacing Unit complexity Module coupling Duplication Volume Unit size Analysability x x x x Modifiability x x x Testability x x x Modularity x x x Reusability x x
8 Introduction to SIG maintainability model From measurements to risk categories to ratings 8 I 23 Star ratings are relative to hundreds of systems in the SIG benchmark Ratings are between 1 and 5 stars, where 3 stars is market average maintainability Example RISK CATEGORY PART OF SYSTEM Low risk 65% Moderate risk 15% HHHII High risk 15% Very high risk 5%
9 Table of contents 9 I Who is SIG? 2. SIG software maintainability model 3. Getting software security Right: security by design 4. SIG ongoing security research 5. Potential research topics for student projects
10 Four different types of security verification They work best when applied together 10 I 23 All security risks Penetration tests Automated static code analysis Design/code reviews Build quality analysis
11 Security by Design Embedding software security in client organisation 11 I 23 Risk management and acceptance Environmental factors Legal requirements, policies, constraints Accountability Internal (risk dashboard), external (certification, compliance) Risk analysis Inventory of threats, measures and risks Threats, reqs, risks Design review Code review Security Test Pentest Req ments Design Build Test Accept Deploy Training & Guidelines QA Advice & Tuning Risk management steps Development phases SIG offer
12 Security by Design SIG services 12 I 23 Step 1. How can I get How Risk can management I make secure and acceptance How secure is my software? secure software? software? Security Risk Assessment Environmental factors Accountability Security compliance check (with Security governance Security requirements review maturity Legal scan requirements, (based on Grip policies, constraints Secure design review Internal (risk dashboard), whatever external standard) (certification, compliance) on SSD) Secure coding training & Security inspection Security requirements guidelines Security sample assessment (one usecase) Risk analysis review Inventory Secure development of threats, measures process and risks review Threats, reqs, risks Design review Code review Security Test Pentest Req ments Design Build Test Accept Deploy Training & Guidelines QA Advice & Tuning Risk management steps Development phases SIG offer
13 SIG security inspection methodology How SIG broke down security 13 I 23 System-level security Confidentiality & Integrity Non-repudiation & Accountability Authenticity Access Management Strength Session Management Strength Security User Management Authentication Method Strength Authentication Implement Strength Authentication Enforcement
14 SIG security inspection methodology The SIG ISO25010 Quality Model for security 14 I 23 System properties Access management strength Input and output verification Session management strength Final result: HHIII Secure user management Identification strength Secure data transport Authorized access Evidence strength Secure data storage Confidentiality & Integrity Non-repudiation & Accountability HHIII HIIII HHIII HHHHI HIIII HHIII HHHHI HHIII HHIII X X X X HHIII X X HHIII Authenticity X X X HIIII ISO Security sub-characteristics The model is applied using a mix of tooling and expert review, from four perspectives
15 SIG security inspection methodology Example findings from a software security inspection 15 I 23 Finding 1. Missing certificate check by mobile app is abused with man in the middle attack 2. Passwords leak because passwords are stored in database and can be decrypted 3. IAM is hacked since URL and version are exposed 4.Password leak from registration log 5.Developers create data leak because of complexity in website architecture 6. Backdoor in application interface is abused 7. Injection attack abuses browser-only input for validation of data of birth 8. Attack is not identified because logging/monitoring of key processes is not in place HHHII 3 manmonths HHHHI Impact (3+) 5 manmonths high med low low med Probability high Diameter of circle represents indication of effort
16 Table of contents 16 I Who is SIG? 2. SIG software maintainability model 3. Getting software security Right: security by design 4. SIG ongoing security research 5. Potential research topics for student projects
17 Ongoing Security Research Metric-based Security Model 17 I 23
18 Ongoing Security Research Automated Security Web Scanners 18 I 23 Why are the tools not used in development process? Many vulnerability scanners exist yet they are rarely being used! What are important features needed by companies? Do the tools provide these features? What needs to improved to make tools usable?
19 Ongoing Security Research Security Analysis of Software Defined Networking (SDN) Figure 9: Attack tree overview 19 I 23 The sub-attack trees represented in Figure 9 are addressed in the following sections Attack trees 1 and 2: Denial of Service Attacks Apply STRIDE and Attack tree for threat modeling Design test cases and perform using SDN tools... SDN SECURITY TESTING FRAMEWORK 62 7) Stop arpspoof; 8) Verify that the ping starts working again, as the real controller is connected again. Security assessment approach Threat Modeling DoS attacks are usually performed by generating a very large number of packets that likely generate new flows. The attack trees of Figure 10 and Figure 11 define how this type of attacks can be performed when considering the switch and the controller, respectively. Figure 33: ARP spoof controller form a malicious system Assessment Notice that this attack can also be formed on the northbound interface of the controller, i.e., by spoofing either the controller or the SDN applications Modifying northbound API In this section we demonstrate a tampering attack on the northbound API. It corresponds to the attack described in the attack tree in section (Branch 2 of Figure 15). The attack uses the same infrastructure as the previous attacks, but now we are attacking the Northbound interface of Floodlight. Notice that it will work equally well on the Southbound API. We use ettercap to modify sent and received messages, and for that we use the ettercap filter script shown in Figure 34. SDN Security Research Testing Figure 10: Denial of service attack on the forwarding devices (e.g., switch). Mitigation CONFIDENTIAL Mitigation solutions and best practices Security application Figure 34: Ettercap filter of-attack.filter To perform the attack, we start the network as before. First we need compile the filter file using the command:
20 Table of contents 20 I Who is SIG? 2. SIG software maintainability model 3. Getting software security Right: security by design 4. SIG ongoing security research 5. Potential research topics for student projects
21 Potential Topic For Student Projects Cyber Security: Software Security Code Review 21 I 23 By accident or by design? Security Code Review oftware security How to perform security code review Software Improvement Group e Improvement effectively Group (SIG)/ specializes efficiently? in measuring software aintainability, reliability, performance) and provides actionable to improve design, source code and the development process. Are the security standards / guidelines be helpful (e.g., OWASP ASVS)? security? urity Model Will it be helpful if we group code Secure data transport Identification strength Access management strength Finding security risks Session maangement strength Penetration tests Authorized access Input and output verification Secure data storage All security risks Evidence strength Secure user management Make sure your client signs an indemnity waiver ( vrijwaringsverklaring ). This document waives any damages the test may cause; the test cannot start with- Haiyun Xu, Theodoor Scholte, April , Radboud Rating University Nijmegen HHHHI HHHHI HHIII HHHHI HHHHI HHIII HHHHI HHHII HHIII out this. Confidentiality SIG does & not need to be a party in this agreement, but you will need to Overall rating 29 I 5 Automated security code analysis Are the static analysis tools helpful (e.g., IR-funded research SIG further develops its method for finding es using a mix of design/code review, Including build quality a penetration analysis, code test etration tests, in order Are to the assess penetration the level of testing security tools in 1-5 helpful? stars. ves 20 pilots with various organizations. We do not perform penetration tests ourselves, but hire external experts instead. Pene- dwide security incidents are tration caused testers by mistakes one in software. or multiple SIG s URLs of a working system as a starting point for their a thorough, structured, Fortify)? consistent and repeatable way to have Security design/ Build quality test, and attempt various known attacks code within reviewsa time box (usually 1-2 weeks). analysis & The reviews Security to prevent the Practice code making can reviewer software assist strategy? you mistakes. in finding a penetration tester, but account manager and t in software security, from the very start of development. It sis of build quality How in to order design Requirements consultant on need code to review address expertise the following: on Get scope and pricing clear. The testers need to have some idea of the size of the system to test to base their pricing on. This can be accomplished by arranging access to a testing environment or by having the client indicate the size (typically in level? number of pages). Either way, the systems and URLs to test need to be reviewers by skill clearly demarcated. Confidentiality: Balance is only visible to the owner 19
22 Potential Topic For Student Projects Patching and Security 22 I 23 User aspect Does patching faster improve security? Maintainability of library, known vulnerabilities Vendor aspect Do we want a policy that skips patching in favor of rolling software fast enough to make it a moving target? When patching, is that better to disclose or keep the fix secret? Design a cost model for patching
23 Potential Topic For Student Projects More open projects online 23 I 23 Open projects:
24 Haiyun Xu h.xu@sig.eu GETTING SOFTWARE RIGHT
Measuring Software Product Quality
Measuring Software Product Quality Eric Bouwers June 17, 2014 T +31 20 314 0950 info@sig.eu www.sig.eu Software Improvement Group Who are we? Highly specialized advisory company for cost, quality and risks
More informationMaking your web application. White paper - August 2014. secure
Making your web application White paper - August 2014 secure User Acceptance Tests Test Case Execution Quality Definition Test Design Test Plan Test Case Development Table of Contents Introduction 1 Why
More informationensuring security the way how we do it
ensuring security the way how we do it HUSTEF, 2015.11.18 Attila Tóth 1 Nokia Solutions and Networks 2014 Disclaimer The ideas, processes, tools are presented from a practitioner s point of view working
More informationNERC Cyber Security. Compliance Consulting. Services. HCL Governance, Risk & Compliance Practice
NERC Cyber Security Compliance Consulting Services HCL Governance, Risk & Compliance Practice Overview The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to
More informationApplication Code Development Standards
Application Code Development Standards Overview This document is intended to provide guidance to campus system owners and software developers regarding secure software engineering practices. These standards
More informationExternal Supplier Control Requirements
External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must
More information05.0 Application Development
Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development
More informationEffective Software Security Management
Effective Software Security Management choosing the right drivers for applying application security Author: Dharmesh M Mehta dharmeshmm@mastek.com / dharmeshmm@owasp.org Table of Contents Abstract... 1
More informationMobile Application Threat Analysis
The OWASP Foundation http://www.owasp.org Mobile Application Threat Analysis Ari Kesäniemi Nixu Copyright The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under
More information! Resident of Kauai, Hawaii
SECURE SDLC Jim Manico @manicode! OWASP Volunteer! Global OWASP Board Member! Manager of several OWASP secure coding projects! Security Instructor, Author! 17 years of web-based, databasedriven software
More informationBlack Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP
Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Learning objectives for today s session Understand different types of application assessments and how they differ Be
More informationNetwork Test Labs (NTL) Software Testing Services for igaming
Network Test Labs (NTL) Software Testing Services for igaming Led by committed, young and dynamic professionals with extensive expertise and experience of independent testing services, Network Test Labs
More informationThreat Intelligence Pty Ltd info@threatintelligence.com 1300 809 437. Specialist Security Training Catalogue
Threat Intelligence Pty Ltd info@threatintelligence.com 1300 809 437 Specialist Security Training Catalogue Did you know that the faster you detect a security breach, the lesser the impact to the organisation?
More informationAdobe Systems Incorporated
Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...
More informationPreventive Approach for Web Applications Security Testing OWASP 10/30/2009. The OWASP Foundation http://www.owasp.org
Preventive Approach for Web Applications Security Testing 10/30/2009 Luiz Otávio Duarte Ferrucio de Franco Rosa Walcir M. Cardoso Jr. Renato Archer Information Technology Center Brazilian Ministry of Science
More informationAutomatic vs. Manual Code Analysis
Automatic vs. Manual Code Analysis 2009-11-17 Ari Kesäniemi Senior Security Architect Nixu Oy ari.kesaniemi@nixu.com Copyright The Foundation Permission is granted to copy, distribute and/or modify this
More informationTesting Solutions to Tackle Application Security Checkpoint Technologies SQGNE. Jimmie Parson Checkpoint Technologies
Testing Solutions to Tackle Application Security Checkpoint Technologies SQGNE Jimmie Parson Checkpoint Technologies Welcome, Introductions Agenda Checkpoint Technologies Quick Corporate Overview Why do
More informationEntire contents 2011 Praetorian. All rights reserved. Information Security Provider and Research Center www.praetorian.com
Entire contents 2011 Praetorian. All rights reserved. Information Security Provider and Research Center www.praetorian.com Threat Modeling "Threat modeling at the design phase is really the only way to
More informationOWASP Omaha. The Open Web Application Security Project Omaha Chapter
OWASP Omaha The Open Web Application Security Project Omaha Chapter What is OWASP? The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused
More informationRational AppScan & Ounce Products
IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168
More informationFunctional vs. Load Testing
Best Practices in Performance & Security Testing March 26, 2009 CVN www.sonata-software.com Functional vs. Load Testing Functional test Objective Functionality Example Do business processes function properly
More informationWhite Paper. Automating Your Code Review: Moving to a SaaS Model for Application Security
White Paper Automating Your Code Review: Moving to a SaaS Model for Application Security Contents Overview... 3 Executive Summary... 3 Code Review and Security Analysis Methods... 5 Source Code Review
More informationWeb application testing
CL-WTS Web application testing Classroom 2 days Testing plays a very important role in ensuring security and robustness of web applications. Various approaches from high level auditing through penetration
More informationPassing PCI Compliance How to Address the Application Security Mandates
Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These
More informationHost Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1
Host Hardening Presented by Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Background National Institute of Standards and Technology Draft Guide to General Server Security SP800-123 Server A
More informationSECURITY. Risk & Compliance Services
SECURITY Risk & Compliance s V1 8/2010 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize
More informationTaxonomic Modeling of Security Threats in Software Defined Networking. Jennia Hizver PhD in Computer Science
Taxonomic Modeling of Security Threats in Software Defined Networking Jennia Hizver PhD in Computer Science SDN Adoption Rates SDN Attack Surface SDN Threat Model Attack Examples Threat Mitigation Agenda
More informationA Strategic Approach to Web Application Security The importance of a secure software development lifecycle
A Strategic Approach to Web Application Security The importance of a secure software development lifecycle Rachna Goel Technical Lead Enterprise Technology Web application security is clearly the new frontier
More informationCisco Advanced Services for Network Security
Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs
More informationPenetration Testing in Romania
Penetration Testing in Romania Adrian Furtunǎ, Ph.D. 11 October 2011 Romanian IT&C Security Forum Agenda About penetration testing Examples Q & A 2 What is penetration testing? Method for evaluating the
More informationISSECO Syllabus Public Version v1.0
ISSECO Syllabus Public Version v1.0 ISSECO Certified Professional for Secure Software Engineering Date: October 16th, 2009 This document was produced by the ISSECO Working Party Syllabus Introduction to
More informationSecurity Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014
Security Testing Vulnerability Assessment vs Penetration Testing Gabriel Mihai Tanase, Director KPMG Romania 29 October 2014 Agenda What is? Vulnerability Assessment Penetration Testing Acting as Conclusion
More informationProtecting Your Organisation from Targeted Cyber Intrusion
Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology
More informationGuideline on Vulnerability and Patch Management
CMSGu2014-03 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Vulnerability and Patch Management National Computer Board
More informationThreat Modeling. Frank Piessens (Frank.Piessens@cs.kuleuven.be ) KATHOLIEKE UNIVERSITEIT LEUVEN
Threat Modeling Frank Piessens (Frank.Piessens@cs.kuleuven.be ) Secappdev 2007 1 Overview Introduction Key Concepts Threats, Vulnerabilities, Countermeasures Example Microsoft s Threat Modeling Process
More informationSoftware Security. Group project: application security verification using OWASP ASVS
Software Security Group project: application security verification using OWASP ASVS Brainstorm What would you do if you if someone asked you to check if some application they use (and possibly bought)
More informationPlain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75
Plain English Guide To Common Criteria Requirements In The Field Device Protection Profile Version 0.75 Prepared For: Process Control Security Requirements Forum (PCSRF) Prepared By: Digital Bond, Inc.
More informationTelecom Testing and Security Certification. A.K.MITTAL DDG (TTSC) Department of Telecommunication Ministry of Communication & IT
Telecom Testing and Security Certification A.K.MITTAL DDG (TTSC) Department of Telecommunication Ministry of Communication & IT 1 Need for Security Testing and Certification Telecom is a vital infrastructure
More informationHP Application Security Center
HP Application Security Center Web application security across the application lifecycle Solution brief HP Application Security Center helps security professionals, quality assurance (QA) specialists and
More informationMean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP
Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP Presentation Overview Basic Application Security (AppSec) Fundamentals Risks Associated With
More informationIs Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security
Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss Thinking Securely Security is a process, not
More informationhttps://elearn.zdresearch.com https://training.zdresearch.com/course/pentesting
https://elearn.zdresearch.com https://training.zdresearch.com/course/pentesting Chapter 1 1. Introducing Penetration Testing 1.1 What is penetration testing 1.2 Different types of test 1.2.1 External Tests
More informationEthical Hacking as a Professional Penetration Testing Technique
Ethical Hacking as a Professional Penetration Testing Technique Rochester ISSA Chapter Rochester OWASP Chapter - Durkee Consulting, Inc. info@rd1.net 2 Background Founder of Durkee Consulting since 1996
More informationRedhawk Network Security, LLC 62958 Layton Ave., Suite One, Bend, OR 97701 sales@redhawksecurity.com 866-605- 6328 www.redhawksecurity.
Planning Guide for Penetration Testing John Pelley, CISSP, ISSAP, MBCI Long seen as a Payment Card Industry (PCI) best practice, penetration testing has become a requirement for PCI 3.1 effective July
More informationEnterprise Security Tactical Plan
Enterprise Security Tactical Plan Fiscal Years 2011 2012 (July 1, 2010 to June 30, 2012) Prepared By: State Chief Information Security Officer The Information Security Council State of Minnesota Enterprise
More informationASU Web Application Security Standard
ASU Web Application Security Standard Spring 2014 2 1 PURPOSE This standard seeks to improve the security of ASU Web applications by addressing the following: Threat modeling and security testing Web application
More informationHow to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP
How to start a software security initiative within your organization: a maturity based and metrics driven approach Marco Morana OWASP Lead/ TISO Citigroup OWASP Application Security For E-Government Copyright
More informationJuniper Networks Secure
White Paper Juniper Networks Secure Development Lifecycle Six Practices for Improving Product Security Copyright 2013, Juniper Networks, Inc. 1 Table of Contents Executive Summary...3 Introduction...3
More informationFrom the Bottom to the Top: The Evolution of Application Monitoring
From the Bottom to the Top: The Evolution of Application Monitoring Narayan Makaram, CISSP Director, Security Solutions HP/Enterprise Security Business Unit Session ID: SP01-202 Session 2012 Classification:
More informationTECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS
TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS Technical audits in accordance with Regulation 211/2011 of the European Union and according to Executional Regulation 1179/2011 of the
More informationWeb Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure
Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences
More informationStandard: Web Application Development
Information Security Standards Web Application Development Standard IS-WAD Effective Date TBD Email security@sjsu.edu # Version 2.0 Contact Mike Cook Phone 408-924-1705 Standard: Web Application Development
More informationThreat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP
Threat Modeling Categorizing the nature and severity of system vulnerabilities John B. Dickson, CISSP What is Threat Modeling? Structured approach to identifying, quantifying, and addressing threats. Threat
More informationNETWORK PENETRATION TESTING
Tim West Consulting 6807 Wicklow St. Arlington, TX 76002 817-228-3420 Twest@timwestconsulting.com OVERVIEW Tim West Consulting Tim West Consulting is a full service IT security and support firm that specializes
More informationEthical Hacking Agreement for External Network Security Unannounced Penetration Test
Ethical Hacking Agreement for External Network Security Unannounced Penetration Test Agreement made on the (date), between (Name of Consultant) of (street address, city, state, zip code), referred to herein
More informationWeb Application Security
Chapter 1 Web Application Security In this chapter: OWASP Top 10..........................................................2 General Principles to Live By.............................................. 4
More informationLearning objectives for today s session
Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Learning objectives for today s session Understand what a black box and white box assessment is and how they differ Identify
More informationAttachment A. Identification of Risks/Cybersecurity Governance
Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year
More informationITEC441- IS Security. Chapter 15 Performing a Penetration Test
1 ITEC441- IS Security Chapter 15 Performing a Penetration Test The PenTest A penetration test (pentest) simulates methods that intruders use to gain unauthorized access to an organization s network and
More informationAn Introduction to Network Vulnerability Testing
CONTENTS Introduction 3 Penetration Testing Overview 4 Step 1: Defining the Scope 4 Step 2: Performing the Penetration Test 5 Step 3: Reporting and Delivering Results 6 VeriSign SecureTEST 7 Common Vulnerability
More informationQuickBooks Online: Security & Infrastructure
QuickBooks Online: Security & Infrastructure May 2014 Contents Introduction: QuickBooks Online Security and Infrastructure... 3 Security of Your Data... 3 Access Control... 3 Privacy... 4 Availability...
More informationBuild (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)
It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The
More informationABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST
ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST Performed Between Testing start date and end date By SSL247 Limited SSL247 Limited 63, Lisson Street Marylebone London
More informationExcellence Doesn t Need a Certificate. Be an. Believe in You. 2014 AMIGOSEC Consulting Private Limited
Excellence Doesn t Need a Certificate Be an 2014 AMIGOSEC Consulting Private Limited Believe in You Introduction In this age of emerging technologies where IT plays a crucial role in enabling and running
More informationMobile Application Hacking for ios. 3-Day Hands-On Course. Syllabus
Mobile Application Hacking for ios 3-Day Hands-On Course Syllabus Course description ios Mobile Application Hacking 3-Day Hands-On Course This course will focus on the techniques and tools for testing
More informationSecuring Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group
Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability
More informationCourse Title: Penetration Testing: Network & Perimeter Testing
Course Title: Penetration Testing: Network & Perimeter Testing Page 1 of 7 Course Description: The Security Analyst Series from EC-Council Press is comprised of five books covering a broad base of topics
More informationInformation Technology Security Review April 16, 2012
Information Technology Security Review April 16, 2012 The Office of the City Auditor conducted this project in accordance with the International Standards for the Professional Practice of Internal Auditing
More informationSecurity Challenges & Opportunities in Software Defined Networks (SDN)
Security Challenges & Opportunities in Software Defined Networks (SDN) June 30 th, 2015 SEC2 2015 Premier atelier sur la sécurité dans les Clouds Nizar KHEIR Cyber Security Researcher Orange Labs Products
More informationWhere every interaction matters.
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
More informationDISA's Application Security and Development STIG: How OWASP Can Help You. AppSec DC November 12, 2009. The OWASP Foundation http://www.owasp.
DISA's Application Security and Development STIG: How Can Help You AppSec DC November 12, 2009 Jason Li Senior Application Security Engineer jason.li@aspectsecurity.com The Foundation http://www.owasp.org
More informationState of Web Application Security. Ralph Durkee Durkee Consulting, Inc. Rochester ISSA & OWASP Chapters rd@rd1.net
Ralph Durkee Durkee Consulting, Inc. Rochester ISSA & OWASP Chapters rd@rd1.net Ralph Durkee Founder of Durkee Consulting since 1996 Founder of Rochester OWASP since 2004 President of Rochester ISSA chapter
More informationTaxonomic Modeling of Security Threats in Software Defined Networking
Taxonomic Modeling of Security Threats in Software Defined Networking Recent advances in software defined networking (SDN) provide an opportunity to create flexible and secure next-generation networks.
More informationApplication Security Testing
Tstsec - Version: 1 09 July 2016 Application Security Testing Application Security Testing Tstsec - Version: 1 4 days Course Description: We are living in a world of data and communication, in which the
More informationCRYPTUS DIPLOMA IN IT SECURITY
CRYPTUS DIPLOMA IN IT SECURITY 6 MONTHS OF TRAINING ON ETHICAL HACKING & INFORMATION SECURITY COURSE NAME: CRYPTUS 6 MONTHS DIPLOMA IN IT SECURITY Course Description This is the Ethical hacking & Information
More informationInformation Technology Policy
Information Technology Policy Enterprise Web Application Firewall ITP Number ITP-SEC004 Category Recommended Policy Contact RA-ITCentral@pa.gov Effective Date January 15, 2010 Supersedes Scheduled Review
More informationPenetration Testing Report Client: Business Solutions June 15 th 2015
Penetration Testing Report Client: Business Solutions June 15 th 2015 Acumen Innovations 80 S.W 8 th St Suite 2000 Miami, FL 33130 United States of America Tel: 1-888-995-7803 Email: info@acumen-innovations.com
More informationSecure Web Development Teaching Modules 1. Security Testing. 1.1 Security Practices for Software Verification
Secure Web Development Teaching Modules 1 Security Testing Contents 1 Concepts... 1 1.1 Security Practices for Software Verification... 1 1.2 Software Security Testing... 2 2 Labs Objectives... 2 3 Lab
More informationDFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)
Title: Functional Category: Information Technology Services Issuing Department: Information Technology Services Code Number: xx.xxx.xx Effective Date: xx/xx/2014 1.0 PURPOSE 1.1 To appropriately manage
More informationSAST, DAST and Vulnerability Assessments, 1+1+1 = 4
SAST, DAST and Vulnerability Assessments, 1+1+1 = 4 Gordon MacKay Digital Defense, Inc. Chris Wysopal Veracode Session ID: Session Classification: ASEC-W25 Intermediate AGENDA Risk Management Challenges
More informationCompliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.
ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework
More informationWHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK
WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK DATE OF RELEASE: 27 th July 2012 Table of Contents 1. Introduction... 2 2. Need for securing Telecom Networks... 3 3. Security Assessment Techniques...
More informationWeb Engineering Web Application Security Issues
Security Issues Dec 14 2009 Katharina Siorpaes Copyright 2009 STI - INNSBRUCK www.sti-innsbruck.at It is NOT Network Security It is securing: Custom Code that drives a web application Libraries Backend
More informationelearning for Secure Application Development
elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security
More informationPenetration Testing. Types Black Box. Methods Automated Manual Hybrid. oless productive, more difficult White Box
Penetration Testing Penetration Testing Types Black Box oless productive, more difficult White Box oopen, team supported, typically internal osource available Gray Box (Grey Box) omixture of the two Methods
More informationAccelerating Software Security With HP. Rob Roy Federal CTO HP Software
Accelerating Software Security With HP Rob Roy Federal CTO HP Software If we were in a cyberwar today, the United States would lose. Mike McConnell Former DNI, NSA. Head of Booz Allen Hamilton National
More informationCourse Title: Penetration Testing: Network Threat Testing, 1st Edition
Course Title: Penetration Testing: Network Threat Testing, 1st Edition Page 1 of 6 Course Description: The Security Analyst Series from EC-Council Press is comprised of five books covering a broad base
More informationCOURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM
COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM Course Description This is the Information Security Training program. The Training provides you Penetration Testing in the various field of cyber world.
More informationDetecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008
Detecting Web Application Vulnerabilities Using Open Source Means OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Kostas Papapanagiotou Committee Member OWASP Greek Chapter conpap@owasp.gr
More informationCisco Security Optimization Service
Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless
More informationProcuring Penetration Testing Services
Procuring Penetration Testing Services Introduction Organisations like yours have the evolving task of securing complex IT environments whilst delivering their business and brand objectives. The threat
More informationWeb Application security testing: who tests the test?
Web Application security testing: who tests the test? Ainārs Galvāns Application Penetration Tester www.exigenservices.lv About myself Functional testing Leading test group Reporting to client Performance
More informationLEADING CYBER SECURITY AND PENETRATION TESTING COMPANY
LEADING CYBER SECURITY AND PENETRATION TESTING COMPANY www.secupent.com service@secupent.com WEBSITE PENETRATION TESTING Do you know in the modern era websites and related applications are tantalizing
More informationRecon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins
Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins During initial stages of penetration testing it is essential to build a strong information foundation before you
More informationSoftware Defined Networking Security
Software Defined Networking Security Outline Introduction What is SDN? SDN attack surface Recent vulnerabilities Security response Defensive technologies Next steps Introduction Security nerd, recovering
More informationTHE OPEN UNIVERSITY OF TANZANIA
THE OPEN UNIVERSITY OF TANZANIA Institute of Educational and Management Technologies COURSE OUTLINES FOR DIPLOMA IN COMPUTER SCIENCE 2 nd YEAR (NTA LEVEL 6) SEMESTER I 06101: Advanced Website Design Gather
More informationVulnerability Management
Vulnerability Management Buyer s Guide Buyer s Guide 01 Introduction 02 Key Components 03 Other Considerations About Rapid7 01 INTRODUCTION Exploiting weaknesses in browsers, operating systems and other
More informationCritical Controls for Cyber Security. www.infogistic.com
Critical Controls for Cyber Security www.infogistic.com Understanding Risk Asset Threat Vulnerability Managing Risks Systematic Approach for Managing Risks Identify, characterize threats Assess the vulnerability
More informationHow to Avoid an Attack - Security Testing as Part of Your Software Testing Process
How to Avoid an Attack - Security Testing as Part of Your Software Testing Process Recent events in the field of information security, which have been publicized extensively in the media - such as the
More informationCautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work
Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work Security concerns and dangers come both from internal means as well as external. In order to enhance your security posture
More information