Architectural Risk Analysis for Android Applications
|
|
- Eunice Green
- 8 years ago
- Views:
Transcription
1 Architectural Risk Analysis for Android Applications ComNets - AG RN-Kolloquium, Karsten Sohr TZI Universität Bremen 1
2 Outline Software security as an own discipline Security problems in Android apps Research project ZertApps Outlook 2
3 Software Security as an Own Discipline Current security mechanisms such as firewalls anti-virus software or intrustion dectection systems are reactive Cause of many security problems: security issues in software McGraw: Trinity of trouble 1. Increasing complexity (Windows 8 up to 80 Mio. lines of code?) 2. Increasing connectivity (SOA, Internet of Things, industrial controllers ) 3. Extensibility of systems (installation of apps, plugins for browsers) Tools and processes to improve software security Security development lifecycle (SDL) 3
4 Code Review through Static Code Analysis Security analysis of the source code of applications Detection of common programming bugs, such as buffer overflows, SQLinjection- and cross-site-scripting vulnerabilities Automated analysis Use of compiler-construction techniques Intermediate representation of the program e.g. by abstract syntax trees, static single assignment (SSA) Data- and control flow analyses False positives, false negatives Non-Decidability Commercial tools: HP-Fortify SCA, IBM AppScan, Coverity Prevent (for C/C++ code) 4
5 Architectural Risk Analysis as Part of the SDL Security analysis of the software architecture At design time Detection of basic security problems ( flaws vs. bugs ) Examples of flaws: Missing encryption; only integrity protection, although confidentiality is required; inconsistent role-based access control; overprivilegation; wrong usage of software frameworks Two approaches Threat Modeling/STRIDE (Microsoft) Architectural risk analysis from McGraw Core idea in both approaches: Discussion of basic security aspects with the help of diagrams (forest-level overview) 5
6 Threat Modeling with Dataflow Diagrams 6
7 Security Holes in Mobile Apps Cryptographic Weaknesses, e.g., easily guessable keys in WhatsApp messenger Overprivileged apps Confused-deputy problems Massive vulnerabilities in SSL-implementation of Android apps Injection of JavaScript code into apps with web functionality Faulty usage of software frameworks Basic weaknesses in systems consisting of a remote-control app and a backend 7
8 An of a Colleague If you are interested in the SSL-stuff again: The app is implemented as a WebView, i.e., all is HTML. What speaks to a big error is this: public void onreceivedsslerror(android.webkit.webview, android.webkit.sslerrorhandler, android.net.http.sslerror){ } com.webdevs.spcanywhere.mywebviewclient $r0; android.webkit.webview $r1; android.webkit.sslerrorhandler $r2; android.net.http.sslerror $r3; $r0 com.webdevs.spcanywhere.mywebviewclient; $r1 android.webkit.webview; $r2 android.webkit.sslerrorhandler; $r3 android.net.http.sslerror; virtualinvoke $r2.<android.webkit.sslerrorhandler: void proceed()>(); return; 8
9 Decompiled to Java public void onreceivedsslerror(webview paramwebview, SslErrorHandler paramsslerrorhandler, SslError paramsslerror) { } paramsslerrorhandler.proceed(); 9
10 Insecure Usage of the Android Framework: Telekom Online Manager Intent localintent1 = new Intent("de.telekom.hotspot.intent.action.SMS_STATUS"); localintent1.putextra("status", CredSmsStatusType.SMS_STATUS_CREDENTIALS_RECEIVED); localintent1.putextra("username", str2); localintent1.putextra("password", str3); sendbroadcast(localintent1); 10
11 Problem Statement We need cost-efficient analysis methods and evaluation processes that assure that Android apps show an appropriate security level. 11
12 Current Research Project ZertApps BMBF-funded project ZertApps: Certified Security for Mobile Applications Project partners: Universität Bremen, Fraunhofer SIT, TU Darmstadt, OTARIS Interactive Service GmbH, datenschutz cert GmbH, SAP AG 12
13 Project Goals /1 Development of precise static security analyses based on the Android Framework with open source tools, e.g., Soot If necessary, dynamic analysis to improve static analysis Interaction of several apps ( confused deputy problem) Consideration of hybride apps (apps with Java and web parts) E.g., analysis of PhoneGap-based apps 13
14 Project Goals /2 Comprehensible presentation of analysis results for different groups of users Security administrators, evaluators, developers, users? Conception of a lightweight certification process / scheme Low cost Graded certification concept Tool-support for certification 14
15 Our Contribution: Architectural Risk Analysis Extraction and security analysis of the software architecture of apps Reverse engineering of dataflow diagrams (DFDs) with the help of static analysis (Soot) Automated analysis of these extracted DFDs against known architectural weaknesses (e.g., CWE entries) Conception and implementation within in the context of a dissertation at AG Softwaretechnik, Prof. Koschke 15
16 Example Dataflow Diagram 16
17 Example Dataflow Diagram: Hybride App 17
18 Summary & Outlook Software security becomes more relevant Mobile apps, Internet of Things, Industrie 4.0, Systematic and cost-efficient prcosses for software security are needed Especially relevant: security of apps Tool support New supporting kinds of analysis: Static (and dynamic) code analyses for the extraction and validation of the implemented security architecture 18
19 Thank you very much for your attention! Questions? 19
Automatic vs. Manual Code Analysis
Automatic vs. Manual Code Analysis 2009-11-17 Ari Kesäniemi Senior Security Architect Nixu Oy ari.kesaniemi@nixu.com Copyright The Foundation Permission is granted to copy, distribute and/or modify this
More informationWho, What, Where, How: Five Big Questions in Mobile Security
Who, What, Where, How: Five Big Questions in Mobile Security Jacob West CTO, Fortify Products HP Enterprise Security Session ID: ASEC-R31 Session Classification: Intermediate Why is mobile security an
More informationThreat Modeling. Frank Piessens (Frank.Piessens@cs.kuleuven.be ) KATHOLIEKE UNIVERSITEIT LEUVEN
Threat Modeling Frank Piessens (Frank.Piessens@cs.kuleuven.be ) Secappdev 2007 1 Overview Introduction Key Concepts Threats, Vulnerabilities, Countermeasures Example Microsoft s Threat Modeling Process
More informationApplication Code Development Standards
Application Code Development Standards Overview This document is intended to provide guidance to campus system owners and software developers regarding secure software engineering practices. These standards
More informationIntroduction. Secure Software Development 9/03/2015. Matias starts. Daan takes over. Matias takes over. Who are we? Round of introductions
Matias starts Who are we? Applying Static Analysis Matias Madou and Daan Raman, Leuven, Feb 27, 2015 1 At NVISO, I m responsible for the software security practice. Next to the client work, I also leads
More informationISSECO Syllabus Public Version v1.0
ISSECO Syllabus Public Version v1.0 ISSECO Certified Professional for Secure Software Engineering Date: October 16th, 2009 This document was produced by the ISSECO Working Party Syllabus Introduction to
More informationBringing Security Testing to Development. How to Enable Developers to Act as Security Experts
Bringing Security Testing to Development How to Enable Developers to Act as Security Experts Background: SAP SE SAP SE Business Software Vendor Over 68000 employees Worldwide development Myself Security
More informationHow to Build a Trusted Application. John Dickson, CISSP
How to Build a Trusted Application John Dickson, CISSP Overview What is Application Security? Examples of Potential Vulnerabilities Strategies to Build Secure Apps Questions and Answers Denim Group, Ltd.
More informationNetwork Test Labs (NTL) Software Testing Services for igaming
Network Test Labs (NTL) Software Testing Services for igaming Led by committed, young and dynamic professionals with extensive expertise and experience of independent testing services, Network Test Labs
More informationA Holistic Approach to Security Testing
Ruediger Bachmann and Achim D. Brucker Developing Secure Software A Holistic Approach to Security Testing Building secure software requires a well-selected combination of security testing techniques during
More informationSecuring Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group
Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability
More informationAll Your Code Belongs To Us Dismantling Android Secrets With CodeInspect. Steven Arzt. 04.10.2015 Secure Software Engineering Group Steven Arzt 1
All Your Code Belongs To Us Dismantling Android Secrets With CodeInspect Steven Arzt 04.10.2015 Secure Software Engineering Group Steven Arzt 1 04.10.2015 Secure Software Engineering Group Steven Arzt
More information1000 Projects later. Security Code Scans at SAP
1000 Projects later Security Code Scans at SAP About Us Ruediger Bachmann is a Development Architect at SAP AG working, as member of the central code analyses team, in the areas application security and
More informationHP Fortify Application Security Lucas v. Stockhausen PreSales Manager HP Fortify EMEA lvonstockhausen@hp.com +49 1520 1898430 Enterprise Security
HP Fortify Application Security Lucas v. Stockhausen PreSales Manager HP Fortify EMEA lvonstockhausen@hp.com +49 1520 1898430 Enterprise Security The problem Cyber attackers are targeting applications
More informationHow to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP
How to start a software security initiative within your organization: a maturity based and metrics driven approach Marco Morana OWASP Lead/ TISO Citigroup OWASP Application Security For E-Government Copyright
More informationRevision History Revision Date 3.0 14.02.10. Changes Initial version published to http://www.isasecure.org
SDLA-312 ISA Security Compliance Institute Security Development Lifecycle Assurance - Security Development Lifecycle Assessment v3.0 Lifecycle Phases Number Phase Name Description PH1 Security Management
More informationStrategic Information Security. Attacking and Defending Web Services
Security PS Strategic Information Security. Attacking and Defending Web Services Presented By: David W. Green, CISSP dgreen@securityps.com Introduction About Security PS Application Security Assessments
More informationMobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus
Mobile Application Hacking for Android and iphone 4-Day Hands-On Course Syllabus Android and iphone Mobile Application Hacking 4-Day Hands-On Course Course description This course will focus on the techniques
More informationThreat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP
Threat Modeling Categorizing the nature and severity of system vulnerabilities John B. Dickson, CISSP What is Threat Modeling? Structured approach to identifying, quantifying, and addressing threats. Threat
More informationelearning for Secure Application Development
elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security
More informationCreating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011 Agenda Evolving Threats Operating System Application User Generated Content JPL s Application Security Program Securing
More informationD. Best Practices D.1. Assurance The 5 th A
Best Practices I&C School Prof. P. Janson September 2014 D. Best Practices D.1. Assurance The 5 th A 1 of 20 IT systems are insecure for two main reasons: People are fallible and systems are complex and
More informationInteractive Application Security Testing (IAST)
WHITEPAPER Interactive Application Security Testing (IAST) The World s Fastest Application Security Software Software affects virtually every aspect of an individual s finances, safety, government, communication,
More informationRational AppScan & Ounce Products
IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168
More informationLEARNING CURRICULUM SECURITY COMPASS TRAINING 2015 Q3. Copyright 2015. Security Compass. 1
LEARNING CURRICULUM SECURITY COMPASS TRAINING 2015 Q3 Copyright 2015. Security Compass. 1 CONTENTS WHY SECURITY COMPASS...3 RECOMMENDED LEARNING PATHs...4 TECHNICAL LEARNING PATHS...4 BUSINESS / SUPPORT
More informationIntroduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006
Introduction to Web Application Security Microsoft CSO Roundtable Houston, TX September 13 th, 2006 Overview Background What is Application Security and Why Is It Important? Examples Where Do We Go From
More informationBlack Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP
Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Learning objectives for today s session Understand different types of application assessments and how they differ Be
More informationWeb Application Penetration Testing
Web Application Penetration Testing 2010 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Will Bechtel William.Bechtel@att.com
More informationDevelopment Processes (Lecture outline)
Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development
More informationThreat Modeling for Secure Embedded Software
SECURITY INNOVATION & KLOCWORK WHITE PAPER JUNE 2011 Threat Modeling for Secure Embedded Software As embedded software becomes more ubiquitous and connected powering everything from home appliances and
More informationSoftware security assessment based on static analysis
Software security assessment based on static analysis Christèle Faure Séminaire SSI et méthodes formelles Réalisé dans le projet Baccarat cofinancé par l union européenne Context > 200 static tools for
More informationSoftware security specification and verification
Software security specification and verification Erik Poll Security of Systems (SoS) group Radboud University Nijmegen Software (in)security specification and verification/detection Erik Poll Security
More informationSoftware & Hardware Security
Software & Hardware Security Erik Poll Digital Security group Radboud University Nijmegen The Netherlands Nijmegen 2 Digital Security group Rigorous & formal methods to design & analyse secure ICT systems
More informationExtracting and Analyzing the Implemented Security Architecture of Business Applications
Extracting and Analyzing the Implemented Security Architecture of Business Applications Bernhard J. Berger, Karsten Sohr and Rainer Koschke Center for Computing Technologies (TZI), Universität Bremen Bremen,
More informationWeb application testing
CL-WTS Web application testing Classroom 2 days Testing plays a very important role in ensuring security and robustness of web applications. Various approaches from high level auditing through penetration
More informationCenzic Product Guide. Cloud, Mobile and Web Application Security
Cloud, Mobile and Web Application Security Table of Contents Cenzic Enterprise...3 Cenzic Desktop...3 Cenzic Managed Cloud...3 Cenzic Cloud...3 Cenzic Hybrid...3 Cenzic Mobile...4 Technology...4 Continuous
More informationWeb Application Security
Chapter 1 Web Application Security In this chapter: OWASP Top 10..........................................................2 General Principles to Live By.............................................. 4
More informationLearning objectives for today s session
Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Learning objectives for today s session Understand what a black box and white box assessment is and how they differ Identify
More informationApplication Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group
Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group Overview What is Application Security? Examples of Potential Vulnerabilities Potential Strategies
More informationFortify. Securing Your Entire Software Portfolio
Fortify 360 Securing Your Entire Software Portfolio Fortify Fortify s holistic approach to application security truly safeguards our enterprise against today s ever-changing security threats. Craig Schumard,
More informationThe Top Web Application Attacks: Are you vulnerable?
QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding
More informationTOOL EVALUATION REPORT: FORTIFY
TOOL EVALUATION REPORT: FORTIFY Derek D Souza, Yoon Phil Kim, Tim Kral, Tejas Ranade, Somesh Sasalatti ABOUT THE TOOL Background The tool that we have evaluated is the Fortify Source Code Analyzer (Fortify
More informationTEAM Academy Catalog. 187 Ballardvale Street, Wilmington, MA 01887 +1.978.694.1008 www.securityinnovation.com
TEAM Academy Catalog 187 Ballardvale Street, Wilmington, MA 01887 +1.978.694.1008 TEAM ACADEMY OVERVIEW 2 Table of Contents TEAM Academy Overview... 4 TEAM Professor Overview... 4 Security Awareness and
More informationOut of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet
Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development
More informationAccelerating Software Security With HP. Rob Roy Federal CTO HP Software
Accelerating Software Security With HP Rob Roy Federal CTO HP Software If we were in a cyberwar today, the United States would lose. Mike McConnell Former DNI, NSA. Head of Booz Allen Hamilton National
More informationCrosscheck Web Services Patent Pending Automated SOA Compliance and Security Assessment
Pagina 1 di 5 Hacking News Malwares Cyber Attack Vulnerabilities Hacking Groups Spying e.g. Hacking Facebook +1,310,745 163,900 392,600 +10m Follow Firing Range Open Source Web App Vulnerability Scanning
More informationSoftware Development: The Next Security Frontier
James E. Molini, CISSP, CSSLP Microsoft Member, (ISC)² Advisory Board of the Americas jmolini@microsoft.com http://www.codeguard.org/blog Software Development: The Next Security Frontier De-perimiterization
More information(In-)Security of Backend-as-a-Service
(In-)Security of Backend-as-a-Service Siegfried Rasthofer (TU Darmstadt / CASED) Steven Arzt (TU Darmstadt / CASED) Robert Hahn (TU Darmstadt) Max Kolhagen (TU Darmstadt) Eric Bodden (Fraunhofer SIT /
More informationBYOD: End-to-End Security
BYOD: End-to-End Security Alen Lo MBA(CUHK), BSc(HKU), CISA, CCP, CISSP, CISM, CEH IRCA Certified ISMS Lead Auditor, itsmf ISO 20000 Auditor Principal Consultant i-totalsecurity Consulting Limited alenlo@n2nsecurity.com
More informationMike Zusman 3/7/2011. OWASP Goes Mobile SANS AppSec Summit 2011
Mike Zusman 3/7/2011 OWASP Goes Mobile SANS AppSec Summit 2011 Agenda Introductions OWASP Summit Recap OWASP Mobile Top 10 v0.1 (DRAFT) 2 Who Are We Other than carbon-based multi-cellular life forms 3
More informationSoftware Security Touchpoint: Architectural Risk Analysis
Software Security Touchpoint: Architectural Risk Analysis Gary McGraw, Ph.D. Chief Technology Officer, Cigital Founded in 1992 to provide software security and software quality professional services Recognized
More informationDevelopment. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group,
Secure and Resilient Software Development Mark S. Merkow Lakshmikanth Raghavan CRC Press Taylor& Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor St Francis Group, an Informs
More informationThru. Secure File Sync And Share - For The Enterprise
Thru Secure File Sync And Share - For The Enterprise An Introduction Built exclusively for the business user and enterprises, Thru is an end to end file sharing and collaboration solution, that not only
More informationSECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz 08.05.2014, ICSG 2014
SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz 08.05.2014, ICSG 2014 Table of Contents Introduction AMI Communication Architecture Security Threats Security
More informationAgile Secure Software Development in a Large Software Development Organisation Security Testing
Agile Secure Software Development in a Large Software Development Organisation Security Testing Achim D. Brucker achim.brucker@sap.com http://www.brucker.ch/ SAP SE, Vincenz-Priessnitz-Str. 1, 76131 Karlsruhe,
More informationSecurity Testing and Vulnerability Management Process. e-governance
Security Testing and Vulnerability Management Process for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India.
More informationOverview of F5 Networks. Fatih Bilger Senior Systems Engineer, Prolink. fatih.bilger@prolink.com.tr
Overview of F5 Networks Fatih Bilger Senior Systems Engineer, Prolink fatih.bilger@prolink.com.tr Company Snapshot Leading provider of Application Delivery Networking products that optimize the security,
More informationUsing Web Security Scanners to Detect Vulnerabilities in Web Services
DSN 2009 Using Web Security Scanners to Detect Vulnerabilities in Web Services Marco Vieira,, Henrique Madeira {mvieira, nmsa, henrique}@dei.uc.pt CISUC Department of Informatics Engineering University
More informationWeb Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure
Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences
More informationWhat is Web Security? Motivation
brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web
More informationTurning the Battleship: How to Build Secure Software in Large Organizations. Dan Cornell May 11 th, 2006
Turning the Battleship: How to Build Secure Software in Large Organizations Dan Cornell May 11 th, 2006 Overview Background and key questions Quick review of web application security The web application
More informationApplication Security Testing
Tstsec - Version: 1 09 July 2016 Application Security Testing Application Security Testing Tstsec - Version: 1 4 days Course Description: We are living in a world of data and communication, in which the
More informationJava Web Application Security
Java Web Application Security RJUG Nov 11, 2003 Durkee Consulting www.rd1.net 1 Ralph Durkee SANS Certified Mentor/Instructor SANS GIAC Network Security and Software Development Consulting Durkee Consulting
More informationSAST, DAST and Vulnerability Assessments, 1+1+1 = 4
SAST, DAST and Vulnerability Assessments, 1+1+1 = 4 Gordon MacKay Digital Defense, Inc. Chris Wysopal Veracode Session ID: Session Classification: ASEC-W25 Intermediate AGENDA Risk Management Challenges
More informationCourse Modules for Software Security
Course Modules for Software Security Austin Frazier, Xiaohong Yuan, Yaohang Li, Stephan Hudson, North Carolina A&T State University Abstract Each year the reported number of security vulnerabilities increases
More informationkeep your Passwords secure!
keep your Passwords secure! architectures for secure identity ManageMent: a bottom View Secure Identity Management is is a a key key aspect for corporate security. It It comprises modern technical solutions
More informationMobile Application Security Sharing Session May 2013
Mobile Application Security Sharing Session Agenda Introduction of speakers Mobile Application Security Trends and Challenges 5 Key Focus Areas for an mobile application assessment 2 Introduction of speakers
More informationDANNY ALLAN, STRATEGIC RESEARCH ANALYST. A whitepaper from Watchfire
WEB APPLICATION SECURITY: AUTOMATED SCANNING OR MANUAL PENETRATION TESTING? DANNY ALLAN, STRATEGIC RESEARCH ANALYST A whitepaper from Watchfire TABLE OF CONTENTS Introduction... 1 History... 1 Vulnerability
More informationMOBILIZING ORACLE APPLICATIONS ERP. An Approach for Building Scalable Mobility Solutions. A RapidValue Solutions Whitepaper
MOBILIZING ORACLE APPLICATIONS ERP An Approach for Building Scalable Mobility Solutions A RapidValue Solutions Whitepaper TABLE OF CONTENTS Executive Overview Typical Architecture for Mobilizing Oracle
More informationEECS 588: Computer and Network Security. Introduction January 14, 2014
EECS 588: Computer and Network Security Introduction January 14, 2014 Today s Class Welcome! Goals for the course Topics, what interests you? Introduction to security research Components of your grade
More informationIBM Security Strategy
IBM Security Strategy Intelligence, Integration and Expertise Kate Scarcella CISSP Security Tiger Team Executive M.S. Information Security IBM Security Systems IBM Security: Delivering intelligence, integration
More informationWeb Application Scanners: Definitions and Functions
Web Application Scanners: Definitions and Functions Elizabeth Fong and Vadim Okun Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8970 {efong,vadim.okun}@nist.gov
More informationPentests more than just using the proper tools
Pentests more than just using the proper tools Agenda 1. Information Security @ TÜV Rheinland 2. Penetration testing Introduction Evaluation scheme Security Analyses of web applications Internal Security
More informationHow to achieve PCI DSS Compliance with Checkmarx Source Code Analysis
How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis Document Scope This document aims to assist organizations comply with PCI DSS 3 when it comes to Application Security best practices.
More informationHow To Ensure That Your Computer System Is Safe
Establishing a Continuous Process for PCI DSS Compliance Visa, MasterCard, American Express, and other payment card companies currently require all U.S. merchants accepting credit card payments to comply
More informationSecuring ios Applications. Dr. Bruce Sams, OPTIMAbit GmbH
Securing ios Applications Dr. Bruce Sams, OPTIMAbit GmbH About Me President of OPTIMAbit GmbH Responsible for > 200 Pentests per Year Ca 50 ios Pentests and code reviews in the last two years. Overview
More informationChapter 1 Web Application (In)security 1
Introduction xxiii Chapter 1 Web Application (In)security 1 The Evolution of Web Applications 2 Common Web Application Functions 4 Benefits of Web Applications 5 Web Application Security 6 "This Site Is
More informationProcedure of Secure Development Tool Adoption Study
Procedure of Secure Development Tool Adoption Study Introduction This study is designed for us to better understand how developers adopt secure development tools and why some developers refuse to use these
More informationASL IT SECURITY XTREME XPLOIT DEVELOPMENT
ASL IT SECURITY XTREME XPLOIT DEVELOPMENT V 2.0 A S L I T S e c u r i t y P v t L t d. Page 1 Overview: The most dangerous threat is the one which do not have a CVE. Until now developing reliable exploits
More informationArchitecture of Enterprise Mobile Apps
Architecture of Enterprise Mobile Apps November 22, 2011 Sergey Zabaluev http://mobile.ctco.eu Setting the context Business trends need for speed and agility Highly competitive, global marketplace Increasing
More informationWEB APPLICATION SECURITY
WEB APPLICATION SECURITY Governance and Risk Management YOUR LAST LINE OF DEFENSE Aug 06 2009 ANSES RAH RAH Anthony Lim MBA CISSP CSSLP FCITIL Director, Security, Asia Pacific Rational Software Prolog
More informationContenu du Cours : IBM Mobile Application
Contenu du Cours : IBM IBM Middle East and Africa University IBM Copyright 2014 IBM CONFIDENTIAL - Why IBM? IBM MARKET LEADER IN THE MOBILE APPLICATION SPACE GARTNER Magic Quadrant Development Platforms
More informationBuilding a Mobile App Security Risk Management Program. Copyright 2012, Security Risk Advisors, Inc. All Rights Reserved
Building a Mobile App Security Risk Management Program Your Presenters Who Are We? Chris Salerno, Consultant, Security Risk Advisors Lead consultant for mobile, network, web application penetration testing
More informationSecure Programming with Static Analysis. Jacob West jacob@fortify.com
Secure Programming with Static Analysis Jacob West jacob@fortify.com Software Systems that are Ubiquitous Connected Dependable Complexity U Unforeseen Consequences Software Security Today The line between
More informationContinuous Prevention Testing
Continuous Prevention Testing By Andre Gironda OWASP October 2007 Bio Andre Gironda OWASP Phoenix, Chicago, MSP Other projects involved in WASC WASSEC NIST SAMATE Web Application Scanner Focus Group Web
More informationCloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive
Cloud Security Through Threat Modeling Robert M. Zigweid Director of Services for IOActive 1 Key Points Introduction Threat Model Primer Assessing Threats Mitigating Threats Sample Threat Model Exercise
More informationIBM Rational AppScan Source Edition
IBM Software November 2011 IBM Rational AppScan Source Edition Secure applications and build secure software with static application security testing Highlights Identify vulnerabilities in your source
More informationTrustworthy Software Systems
Trustworthy Software Systems Greg Morrisett Cutting Professor of Computer Science School of Engineering & Applied Sciences Harvard University Little about me Research & Teaching Compilers, Languages, Formal
More informationBraindumps.C2150-810.50 questions
Braindumps.C2150-810.50 questions Number: C2150-810 Passing Score: 800 Time Limit: 120 min File Version: 5.3 http://www.gratisexam.com/ -810 IBM Security AppScan Source Edition Implementation This is the
More information(WAPT) Web Application Penetration Testing
(WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:
More informationOWASP Mobile Top Ten 2014 Meet the New Addition
OWASP Mobile Top Ten 2014 Meet the New Addition Agenda OWASP Mobile Top Ten 2014 Lack of Binary Protections added Why is Binary Protection important? What Risks Need to be Mitigated? Where to Go For Further
More informationWeb application security: automated scanning versus manual penetration testing.
Web application security White paper January 2008 Web application security: automated scanning versus manual penetration testing. Danny Allan, strategic research analyst, IBM Software Group Page 2 Contents
More informationWeb Engineering Web Application Security Issues
Security Issues Dec 14 2009 Katharina Siorpaes Copyright 2009 STI - INNSBRUCK www.sti-innsbruck.at It is NOT Network Security It is securing: Custom Code that drives a web application Libraries Backend
More informationIBM Innovate 2011. AppScan: Introducin g Security, a first. Bobby Walters Consultant, ATSC bwalters@atsc.com Application Security & Compliance
IBM Innovate 2011 Bobby Walters Consultant, ATSC bwalters@atsc.com Application Security & Compliance AppScan: Introducin g Security, a first June 5 9 Orlando, Florida Agenda Defining Application Security
More information... Lecture 10. Network Security I. Information & Communication Security (WS 2014) Prof. Dr. Kai Rannenberg
Lecture 10 Network Security I Information & Communication Security (WS 2014) Prof. Dr. Kai Rannenberg T-Mobile Chair of Mobile Business & Multilateral Security Goethe University Frankfurt a. M. Introduction
More informationProduct Roadmap. Sushant Rao Principal Product Manager Fortify Software, a HP company
Product Roadmap Sushant Rao Principal Product Manager Fortify Software, a HP company Agenda Next Generation of Security Analysis Future Directions 2 Currently under investigation and not guaranteed to
More information! Resident of Kauai, Hawaii
SECURE SDLC Jim Manico @manicode! OWASP Volunteer! Global OWASP Board Member! Manager of several OWASP secure coding projects! Security Instructor, Author! 17 years of web-based, databasedriven software
More informationEECS 588: Computer and Network Security. Introduction
EECS 588: Computer and Network Security Introduction January 13, 2014 Today s Cass Class Welcome! Goals for the course Topics, what interests you? Introduction to security research Components of your grade
More informationApplication Backdoor Assessment. Complete securing of your applications
Application Backdoor Assessment Complete securing of your applications Company brief BMS Consulting is established as IT system integrator since 1997 Leading positons in Eastern Europe country Product
More informationBarracuda Web Site Firewall Ensures PCI DSS Compliance
Barracuda Web Site Firewall Ensures PCI DSS Compliance E-commerce sales are estimated to reach $259.1 billion in 2007, up from the $219.9 billion earned in 2006, according to The State of Retailing Online
More information