Architectural Risk Analysis for Android Applications

Size: px
Start display at page:

Download "Architectural Risk Analysis for Android Applications"

Transcription

1 Architectural Risk Analysis for Android Applications ComNets - AG RN-Kolloquium, Karsten Sohr TZI Universität Bremen 1

2 Outline Software security as an own discipline Security problems in Android apps Research project ZertApps Outlook 2

3 Software Security as an Own Discipline Current security mechanisms such as firewalls anti-virus software or intrustion dectection systems are reactive Cause of many security problems: security issues in software McGraw: Trinity of trouble 1. Increasing complexity (Windows 8 up to 80 Mio. lines of code?) 2. Increasing connectivity (SOA, Internet of Things, industrial controllers ) 3. Extensibility of systems (installation of apps, plugins for browsers) Tools and processes to improve software security Security development lifecycle (SDL) 3

4 Code Review through Static Code Analysis Security analysis of the source code of applications Detection of common programming bugs, such as buffer overflows, SQLinjection- and cross-site-scripting vulnerabilities Automated analysis Use of compiler-construction techniques Intermediate representation of the program e.g. by abstract syntax trees, static single assignment (SSA) Data- and control flow analyses False positives, false negatives Non-Decidability Commercial tools: HP-Fortify SCA, IBM AppScan, Coverity Prevent (for C/C++ code) 4

5 Architectural Risk Analysis as Part of the SDL Security analysis of the software architecture At design time Detection of basic security problems ( flaws vs. bugs ) Examples of flaws: Missing encryption; only integrity protection, although confidentiality is required; inconsistent role-based access control; overprivilegation; wrong usage of software frameworks Two approaches Threat Modeling/STRIDE (Microsoft) Architectural risk analysis from McGraw Core idea in both approaches: Discussion of basic security aspects with the help of diagrams (forest-level overview) 5

6 Threat Modeling with Dataflow Diagrams 6

7 Security Holes in Mobile Apps Cryptographic Weaknesses, e.g., easily guessable keys in WhatsApp messenger Overprivileged apps Confused-deputy problems Massive vulnerabilities in SSL-implementation of Android apps Injection of JavaScript code into apps with web functionality Faulty usage of software frameworks Basic weaknesses in systems consisting of a remote-control app and a backend 7

8 An of a Colleague If you are interested in the SSL-stuff again: The app is implemented as a WebView, i.e., all is HTML. What speaks to a big error is this: public void onreceivedsslerror(android.webkit.webview, android.webkit.sslerrorhandler, android.net.http.sslerror){ } com.webdevs.spcanywhere.mywebviewclient $r0; android.webkit.webview $r1; android.webkit.sslerrorhandler $r2; android.net.http.sslerror $r3; $r0 com.webdevs.spcanywhere.mywebviewclient; $r1 android.webkit.webview; $r2 android.webkit.sslerrorhandler; $r3 android.net.http.sslerror; virtualinvoke $r2.<android.webkit.sslerrorhandler: void proceed()>(); return; 8

9 Decompiled to Java public void onreceivedsslerror(webview paramwebview, SslErrorHandler paramsslerrorhandler, SslError paramsslerror) { } paramsslerrorhandler.proceed(); 9

10 Insecure Usage of the Android Framework: Telekom Online Manager Intent localintent1 = new Intent("de.telekom.hotspot.intent.action.SMS_STATUS"); localintent1.putextra("status", CredSmsStatusType.SMS_STATUS_CREDENTIALS_RECEIVED); localintent1.putextra("username", str2); localintent1.putextra("password", str3); sendbroadcast(localintent1); 10

11 Problem Statement We need cost-efficient analysis methods and evaluation processes that assure that Android apps show an appropriate security level. 11

12 Current Research Project ZertApps BMBF-funded project ZertApps: Certified Security for Mobile Applications Project partners: Universität Bremen, Fraunhofer SIT, TU Darmstadt, OTARIS Interactive Service GmbH, datenschutz cert GmbH, SAP AG 12

13 Project Goals /1 Development of precise static security analyses based on the Android Framework with open source tools, e.g., Soot If necessary, dynamic analysis to improve static analysis Interaction of several apps ( confused deputy problem) Consideration of hybride apps (apps with Java and web parts) E.g., analysis of PhoneGap-based apps 13

14 Project Goals /2 Comprehensible presentation of analysis results for different groups of users Security administrators, evaluators, developers, users? Conception of a lightweight certification process / scheme Low cost Graded certification concept Tool-support for certification 14

15 Our Contribution: Architectural Risk Analysis Extraction and security analysis of the software architecture of apps Reverse engineering of dataflow diagrams (DFDs) with the help of static analysis (Soot) Automated analysis of these extracted DFDs against known architectural weaknesses (e.g., CWE entries) Conception and implementation within in the context of a dissertation at AG Softwaretechnik, Prof. Koschke 15

16 Example Dataflow Diagram 16

17 Example Dataflow Diagram: Hybride App 17

18 Summary & Outlook Software security becomes more relevant Mobile apps, Internet of Things, Industrie 4.0, Systematic and cost-efficient prcosses for software security are needed Especially relevant: security of apps Tool support New supporting kinds of analysis: Static (and dynamic) code analyses for the extraction and validation of the implemented security architecture 18

19 Thank you very much for your attention! Questions? 19

Automatic vs. Manual Code Analysis

Automatic vs. Manual Code Analysis Automatic vs. Manual Code Analysis 2009-11-17 Ari Kesäniemi Senior Security Architect Nixu Oy ari.kesaniemi@nixu.com Copyright The Foundation Permission is granted to copy, distribute and/or modify this

More information

Threat Modeling. Frank Piessens (Frank.Piessens@cs.kuleuven.be ) KATHOLIEKE UNIVERSITEIT LEUVEN

Threat Modeling. Frank Piessens (Frank.Piessens@cs.kuleuven.be ) KATHOLIEKE UNIVERSITEIT LEUVEN Threat Modeling Frank Piessens (Frank.Piessens@cs.kuleuven.be ) Secappdev 2007 1 Overview Introduction Key Concepts Threats, Vulnerabilities, Countermeasures Example Microsoft s Threat Modeling Process

More information

Who, What, Where, How: Five Big Questions in Mobile Security

Who, What, Where, How: Five Big Questions in Mobile Security Who, What, Where, How: Five Big Questions in Mobile Security Jacob West CTO, Fortify Products HP Enterprise Security Session ID: ASEC-R31 Session Classification: Intermediate Why is mobile security an

More information

Application Code Development Standards

Application Code Development Standards Application Code Development Standards Overview This document is intended to provide guidance to campus system owners and software developers regarding secure software engineering practices. These standards

More information

Introduction. Secure Software Development 9/03/2015. Matias starts. Daan takes over. Matias takes over. Who are we? Round of introductions

Introduction. Secure Software Development 9/03/2015. Matias starts. Daan takes over. Matias takes over. Who are we? Round of introductions Matias starts Who are we? Applying Static Analysis Matias Madou and Daan Raman, Leuven, Feb 27, 2015 1 At NVISO, I m responsible for the software security practice. Next to the client work, I also leads

More information

ISSECO Syllabus Public Version v1.0

ISSECO Syllabus Public Version v1.0 ISSECO Syllabus Public Version v1.0 ISSECO Certified Professional for Secure Software Engineering Date: October 16th, 2009 This document was produced by the ISSECO Working Party Syllabus Introduction to

More information

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability

More information

Bringing Security Testing to Development. How to Enable Developers to Act as Security Experts

Bringing Security Testing to Development. How to Enable Developers to Act as Security Experts Bringing Security Testing to Development How to Enable Developers to Act as Security Experts Background: SAP SE SAP SE Business Software Vendor Over 68000 employees Worldwide development Myself Security

More information

How to Build a Trusted Application. John Dickson, CISSP

How to Build a Trusted Application. John Dickson, CISSP How to Build a Trusted Application John Dickson, CISSP Overview What is Application Security? Examples of Potential Vulnerabilities Strategies to Build Secure Apps Questions and Answers Denim Group, Ltd.

More information

Network Test Labs (NTL) Software Testing Services for igaming

Network Test Labs (NTL) Software Testing Services for igaming Network Test Labs (NTL) Software Testing Services for igaming Led by committed, young and dynamic professionals with extensive expertise and experience of independent testing services, Network Test Labs

More information

A Holistic Approach to Security Testing

A Holistic Approach to Security Testing Ruediger Bachmann and Achim D. Brucker Developing Secure Software A Holistic Approach to Security Testing Building secure software requires a well-selected combination of security testing techniques during

More information

All Your Code Belongs To Us Dismantling Android Secrets With CodeInspect. Steven Arzt. 04.10.2015 Secure Software Engineering Group Steven Arzt 1

All Your Code Belongs To Us Dismantling Android Secrets With CodeInspect. Steven Arzt. 04.10.2015 Secure Software Engineering Group Steven Arzt 1 All Your Code Belongs To Us Dismantling Android Secrets With CodeInspect Steven Arzt 04.10.2015 Secure Software Engineering Group Steven Arzt 1 04.10.2015 Secure Software Engineering Group Steven Arzt

More information

1000 Projects later. Security Code Scans at SAP

1000 Projects later. Security Code Scans at SAP 1000 Projects later Security Code Scans at SAP About Us Ruediger Bachmann is a Development Architect at SAP AG working, as member of the central code analyses team, in the areas application security and

More information

HP Fortify Application Security Lucas v. Stockhausen PreSales Manager HP Fortify EMEA lvonstockhausen@hp.com +49 1520 1898430 Enterprise Security

HP Fortify Application Security Lucas v. Stockhausen PreSales Manager HP Fortify EMEA lvonstockhausen@hp.com +49 1520 1898430 Enterprise Security HP Fortify Application Security Lucas v. Stockhausen PreSales Manager HP Fortify EMEA lvonstockhausen@hp.com +49 1520 1898430 Enterprise Security The problem Cyber attackers are targeting applications

More information

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP How to start a software security initiative within your organization: a maturity based and metrics driven approach Marco Morana OWASP Lead/ TISO Citigroup OWASP Application Security For E-Government Copyright

More information

Revision History Revision Date 3.0 14.02.10. Changes Initial version published to http://www.isasecure.org

Revision History Revision Date 3.0 14.02.10. Changes Initial version published to http://www.isasecure.org SDLA-312 ISA Security Compliance Institute Security Development Lifecycle Assurance - Security Development Lifecycle Assessment v3.0 Lifecycle Phases Number Phase Name Description PH1 Security Management

More information

Rational AppScan & Ounce Products

Rational AppScan & Ounce Products IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168

More information

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP Threat Modeling Categorizing the nature and severity of system vulnerabilities John B. Dickson, CISSP What is Threat Modeling? Structured approach to identifying, quantifying, and addressing threats. Threat

More information

Strategic Information Security. Attacking and Defending Web Services

Strategic Information Security. Attacking and Defending Web Services Security PS Strategic Information Security. Attacking and Defending Web Services Presented By: David W. Green, CISSP dgreen@securityps.com Introduction About Security PS Application Security Assessments

More information

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus Mobile Application Hacking for Android and iphone 4-Day Hands-On Course Syllabus Android and iphone Mobile Application Hacking 4-Day Hands-On Course Course description This course will focus on the techniques

More information

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011 Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011 Agenda Evolving Threats Operating System Application User Generated Content JPL s Application Security Program Securing

More information

elearning for Secure Application Development

elearning for Secure Application Development elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security

More information

D. Best Practices D.1. Assurance The 5 th A

D. Best Practices D.1. Assurance The 5 th A Best Practices I&C School Prof. P. Janson September 2014 D. Best Practices D.1. Assurance The 5 th A 1 of 20 IT systems are insecure for two main reasons: People are fallible and systems are complex and

More information

Interactive Application Security Testing (IAST)

Interactive Application Security Testing (IAST) WHITEPAPER Interactive Application Security Testing (IAST) The World s Fastest Application Security Software Software affects virtually every aspect of an individual s finances, safety, government, communication,

More information

LEARNING CURRICULUM SECURITY COMPASS TRAINING 2015 Q3. Copyright 2015. Security Compass. 1

LEARNING CURRICULUM SECURITY COMPASS TRAINING 2015 Q3. Copyright 2015. Security Compass. 1 LEARNING CURRICULUM SECURITY COMPASS TRAINING 2015 Q3 Copyright 2015. Security Compass. 1 CONTENTS WHY SECURITY COMPASS...3 RECOMMENDED LEARNING PATHs...4 TECHNICAL LEARNING PATHS...4 BUSINESS / SUPPORT

More information

Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP

Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Learning objectives for today s session Understand different types of application assessments and how they differ Be

More information

Web Application Penetration Testing

Web Application Penetration Testing Web Application Penetration Testing 2010 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Will Bechtel William.Bechtel@att.com

More information

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006 Introduction to Web Application Security Microsoft CSO Roundtable Houston, TX September 13 th, 2006 Overview Background What is Application Security and Why Is It Important? Examples Where Do We Go From

More information

Development Processes (Lecture outline)

Development Processes (Lecture outline) Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development

More information

The Top Web Application Attacks: Are you vulnerable?

The Top Web Application Attacks: Are you vulnerable? QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding

More information

Software security specification and verification

Software security specification and verification Software security specification and verification Erik Poll Security of Systems (SoS) group Radboud University Nijmegen Software (in)security specification and verification/detection Erik Poll Security

More information

Threat Modeling for Secure Embedded Software

Threat Modeling for Secure Embedded Software SECURITY INNOVATION & KLOCWORK WHITE PAPER JUNE 2011 Threat Modeling for Secure Embedded Software As embedded software becomes more ubiquitous and connected powering everything from home appliances and

More information

Software security assessment based on static analysis

Software security assessment based on static analysis Software security assessment based on static analysis Christèle Faure Séminaire SSI et méthodes formelles Réalisé dans le projet Baccarat cofinancé par l union européenne Context > 200 static tools for

More information

TOOL EVALUATION REPORT: FORTIFY

TOOL EVALUATION REPORT: FORTIFY TOOL EVALUATION REPORT: FORTIFY Derek D Souza, Yoon Phil Kim, Tim Kral, Tejas Ranade, Somesh Sasalatti ABOUT THE TOOL Background The tool that we have evaluated is the Fortify Source Code Analyzer (Fortify

More information

Extracting and Analyzing the Implemented Security Architecture of Business Applications

Extracting and Analyzing the Implemented Security Architecture of Business Applications Extracting and Analyzing the Implemented Security Architecture of Business Applications Bernhard J. Berger, Karsten Sohr and Rainer Koschke Center for Computing Technologies (TZI), Universität Bremen Bremen,

More information

Web application testing

Web application testing CL-WTS Web application testing Classroom 2 days Testing plays a very important role in ensuring security and robustness of web applications. Various approaches from high level auditing through penetration

More information

Cenzic Product Guide. Cloud, Mobile and Web Application Security

Cenzic Product Guide. Cloud, Mobile and Web Application Security Cloud, Mobile and Web Application Security Table of Contents Cenzic Enterprise...3 Cenzic Desktop...3 Cenzic Managed Cloud...3 Cenzic Cloud...3 Cenzic Hybrid...3 Cenzic Mobile...4 Technology...4 Continuous

More information

Web Application Security

Web Application Security Chapter 1 Web Application Security In this chapter: OWASP Top 10..........................................................2 General Principles to Live By.............................................. 4

More information

Learning objectives for today s session

Learning objectives for today s session Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Learning objectives for today s session Understand what a black box and white box assessment is and how they differ Identify

More information

Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group

Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group Overview What is Application Security? Examples of Potential Vulnerabilities Potential Strategies

More information

Accelerating Software Security With HP. Rob Roy Federal CTO HP Software

Accelerating Software Security With HP. Rob Roy Federal CTO HP Software Accelerating Software Security With HP Rob Roy Federal CTO HP Software If we were in a cyberwar today, the United States would lose. Mike McConnell Former DNI, NSA. Head of Booz Allen Hamilton National

More information

Crosscheck Web Services Patent Pending Automated SOA Compliance and Security Assessment

Crosscheck Web Services Patent Pending Automated SOA Compliance and Security Assessment Pagina 1 di 5 Hacking News Malwares Cyber Attack Vulnerabilities Hacking Groups Spying e.g. Hacking Facebook +1,310,745 163,900 392,600 +10m Follow Firing Range Open Source Web App Vulnerability Scanning

More information

TEAM Academy Catalog. 187 Ballardvale Street, Wilmington, MA 01887 +1.978.694.1008 www.securityinnovation.com

TEAM Academy Catalog. 187 Ballardvale Street, Wilmington, MA 01887 +1.978.694.1008 www.securityinnovation.com TEAM Academy Catalog 187 Ballardvale Street, Wilmington, MA 01887 +1.978.694.1008 TEAM ACADEMY OVERVIEW 2 Table of Contents TEAM Academy Overview... 4 TEAM Professor Overview... 4 Security Awareness and

More information

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development

More information

Fortify. Securing Your Entire Software Portfolio

Fortify. Securing Your Entire Software Portfolio Fortify 360 Securing Your Entire Software Portfolio Fortify Fortify s holistic approach to application security truly safeguards our enterprise against today s ever-changing security threats. Craig Schumard,

More information

Software & Hardware Security

Software & Hardware Security Software & Hardware Security Erik Poll Digital Security group Radboud University Nijmegen The Netherlands Nijmegen 2 Digital Security group Rigorous & formal methods to design & analyse secure ICT systems

More information

Software Development: The Next Security Frontier

Software Development: The Next Security Frontier James E. Molini, CISSP, CSSLP Microsoft Member, (ISC)² Advisory Board of the Americas jmolini@microsoft.com http://www.codeguard.org/blog Software Development: The Next Security Frontier De-perimiterization

More information

Java Web Application Security

Java Web Application Security Java Web Application Security RJUG Nov 11, 2003 Durkee Consulting www.rd1.net 1 Ralph Durkee SANS Certified Mentor/Instructor SANS GIAC Network Security and Software Development Consulting Durkee Consulting

More information

(In-)Security of Backend-as-a-Service

(In-)Security of Backend-as-a-Service (In-)Security of Backend-as-a-Service Siegfried Rasthofer (TU Darmstadt / CASED) Steven Arzt (TU Darmstadt / CASED) Robert Hahn (TU Darmstadt) Max Kolhagen (TU Darmstadt) Eric Bodden (Fraunhofer SIT /

More information

DANNY ALLAN, STRATEGIC RESEARCH ANALYST. A whitepaper from Watchfire

DANNY ALLAN, STRATEGIC RESEARCH ANALYST. A whitepaper from Watchfire WEB APPLICATION SECURITY: AUTOMATED SCANNING OR MANUAL PENETRATION TESTING? DANNY ALLAN, STRATEGIC RESEARCH ANALYST A whitepaper from Watchfire TABLE OF CONTENTS Introduction... 1 History... 1 Vulnerability

More information

BYOD: End-to-End Security

BYOD: End-to-End Security BYOD: End-to-End Security Alen Lo MBA(CUHK), BSc(HKU), CISA, CCP, CISSP, CISM, CEH IRCA Certified ISMS Lead Auditor, itsmf ISO 20000 Auditor Principal Consultant i-totalsecurity Consulting Limited alenlo@n2nsecurity.com

More information

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis Document Scope This document aims to assist organizations comply with PCI DSS 3 when it comes to Application Security best practices.

More information

Mike Zusman 3/7/2011. OWASP Goes Mobile SANS AppSec Summit 2011

Mike Zusman 3/7/2011. OWASP Goes Mobile SANS AppSec Summit 2011 Mike Zusman 3/7/2011 OWASP Goes Mobile SANS AppSec Summit 2011 Agenda Introductions OWASP Summit Recap OWASP Mobile Top 10 v0.1 (DRAFT) 2 Who Are We Other than carbon-based multi-cellular life forms 3

More information

Thru. Secure File Sync And Share - For The Enterprise

Thru. Secure File Sync And Share - For The Enterprise Thru Secure File Sync And Share - For The Enterprise An Introduction Built exclusively for the business user and enterprises, Thru is an end to end file sharing and collaboration solution, that not only

More information

Software Security Touchpoint: Architectural Risk Analysis

Software Security Touchpoint: Architectural Risk Analysis Software Security Touchpoint: Architectural Risk Analysis Gary McGraw, Ph.D. Chief Technology Officer, Cigital Founded in 1992 to provide software security and software quality professional services Recognized

More information

Development. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group,

Development. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group, Secure and Resilient Software Development Mark S. Merkow Lakshmikanth Raghavan CRC Press Taylor& Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor St Francis Group, an Informs

More information

Security Testing and Vulnerability Management Process. e-governance

Security Testing and Vulnerability Management Process. e-governance Security Testing and Vulnerability Management Process for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India.

More information

Continuous Prevention Testing

Continuous Prevention Testing Continuous Prevention Testing By Andre Gironda OWASP October 2007 Bio Andre Gironda OWASP Phoenix, Chicago, MSP Other projects involved in WASC WASSEC NIST SAMATE Web Application Scanner Focus Group Web

More information

Using Web Security Scanners to Detect Vulnerabilities in Web Services

Using Web Security Scanners to Detect Vulnerabilities in Web Services DSN 2009 Using Web Security Scanners to Detect Vulnerabilities in Web Services Marco Vieira,, Henrique Madeira {mvieira, nmsa, henrique}@dei.uc.pt CISUC Department of Informatics Engineering University

More information

Web application security: automated scanning versus manual penetration testing.

Web application security: automated scanning versus manual penetration testing. Web application security White paper January 2008 Web application security: automated scanning versus manual penetration testing. Danny Allan, strategic research analyst, IBM Software Group Page 2 Contents

More information

Agile Secure Software Development in a Large Software Development Organisation Security Testing

Agile Secure Software Development in a Large Software Development Organisation Security Testing Agile Secure Software Development in a Large Software Development Organisation Security Testing Achim D. Brucker achim.brucker@sap.com http://www.brucker.ch/ SAP SE, Vincenz-Priessnitz-Str. 1, 76131 Karlsruhe,

More information

Application Security Testing

Application Security Testing Tstsec - Version: 1 09 July 2016 Application Security Testing Application Security Testing Tstsec - Version: 1 4 days Course Description: We are living in a world of data and communication, in which the

More information

SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz 08.05.2014, ICSG 2014

SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz 08.05.2014, ICSG 2014 SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz 08.05.2014, ICSG 2014 Table of Contents Introduction AMI Communication Architecture Security Threats Security

More information

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences

More information

Software Security. Software Security Touchpoints. Touchpoints. March 27, 2006. March 27, 2006. Three pillars of security. Risk Management.

Software Security. Software Security Touchpoints. Touchpoints. March 27, 2006. March 27, 2006. Three pillars of security. Risk Management. Software Security Touchpoints March 27, 2006 March 27, 2006 Three pillars of security Software Security Risk Management Touchpoints Knowledge Architectural risk analysis Applied risk management Sometimes

More information

IBM Innovate 2011. AppScan: Introducin g Security, a first. Bobby Walters Consultant, ATSC bwalters@atsc.com Application Security & Compliance

IBM Innovate 2011. AppScan: Introducin g Security, a first. Bobby Walters Consultant, ATSC bwalters@atsc.com Application Security & Compliance IBM Innovate 2011 Bobby Walters Consultant, ATSC bwalters@atsc.com Application Security & Compliance AppScan: Introducin g Security, a first June 5 9 Orlando, Florida Agenda Defining Application Security

More information

(WAPT) Web Application Penetration Testing

(WAPT) Web Application Penetration Testing (WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:

More information

What is Web Security? Motivation

What is Web Security? Motivation brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web

More information

Turning the Battleship: How to Build Secure Software in Large Organizations. Dan Cornell May 11 th, 2006

Turning the Battleship: How to Build Secure Software in Large Organizations. Dan Cornell May 11 th, 2006 Turning the Battleship: How to Build Secure Software in Large Organizations Dan Cornell May 11 th, 2006 Overview Background and key questions Quick review of web application security The web application

More information

Overview of F5 Networks. Fatih Bilger Senior Systems Engineer, Prolink. fatih.bilger@prolink.com.tr

Overview of F5 Networks. Fatih Bilger Senior Systems Engineer, Prolink. fatih.bilger@prolink.com.tr Overview of F5 Networks Fatih Bilger Senior Systems Engineer, Prolink fatih.bilger@prolink.com.tr Company Snapshot Leading provider of Application Delivery Networking products that optimize the security,

More information

SAST, DAST and Vulnerability Assessments, 1+1+1 = 4

SAST, DAST and Vulnerability Assessments, 1+1+1 = 4 SAST, DAST and Vulnerability Assessments, 1+1+1 = 4 Gordon MacKay Digital Defense, Inc. Chris Wysopal Veracode Session ID: Session Classification: ASEC-W25 Intermediate AGENDA Risk Management Challenges

More information

keep your Passwords secure!

keep your Passwords secure! keep your Passwords secure! architectures for secure identity ManageMent: a bottom View Secure Identity Management is is a a key key aspect for corporate security. It It comprises modern technical solutions

More information

Course Modules for Software Security

Course Modules for Software Security Course Modules for Software Security Austin Frazier, Xiaohong Yuan, Yaohang Li, Stephan Hudson, North Carolina A&T State University Abstract Each year the reported number of security vulnerabilities increases

More information

EECS 588: Computer and Network Security. Introduction January 14, 2014

EECS 588: Computer and Network Security. Introduction January 14, 2014 EECS 588: Computer and Network Security Introduction January 14, 2014 Today s Class Welcome! Goals for the course Topics, what interests you? Introduction to security research Components of your grade

More information

IBM Security Strategy

IBM Security Strategy IBM Security Strategy Intelligence, Integration and Expertise Kate Scarcella CISSP Security Tiger Team Executive M.S. Information Security IBM Security Systems IBM Security: Delivering intelligence, integration

More information

Pentests more than just using the proper tools

Pentests more than just using the proper tools Pentests more than just using the proper tools Agenda 1. Information Security @ TÜV Rheinland 2. Penetration testing Introduction Evaluation scheme Security Analyses of web applications Internal Security

More information

MOBILIZING ORACLE APPLICATIONS ERP. An Approach for Building Scalable Mobility Solutions. A RapidValue Solutions Whitepaper

MOBILIZING ORACLE APPLICATIONS ERP. An Approach for Building Scalable Mobility Solutions. A RapidValue Solutions Whitepaper MOBILIZING ORACLE APPLICATIONS ERP An Approach for Building Scalable Mobility Solutions A RapidValue Solutions Whitepaper TABLE OF CONTENTS Executive Overview Typical Architecture for Mobilizing Oracle

More information

Mobile Application Security Sharing Session May 2013

Mobile Application Security Sharing Session May 2013 Mobile Application Security Sharing Session Agenda Introduction of speakers Mobile Application Security Trends and Challenges 5 Key Focus Areas for an mobile application assessment 2 Introduction of speakers

More information

Web Application Scanners: Definitions and Functions

Web Application Scanners: Definitions and Functions Web Application Scanners: Definitions and Functions Elizabeth Fong and Vadim Okun Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8970 {efong,vadim.okun}@nist.gov

More information

Establishing a Continuous Process for PCI DSS Compliance

Establishing a Continuous Process for PCI DSS Compliance Establishing a Continuous Process for PCI DSS Compliance Visa, MasterCard, American Express, and other payment card companies currently require all U.S. merchants accepting credit card payments to comply

More information

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

More information

Securing ios Applications. Dr. Bruce Sams, OPTIMAbit GmbH

Securing ios Applications. Dr. Bruce Sams, OPTIMAbit GmbH Securing ios Applications Dr. Bruce Sams, OPTIMAbit GmbH About Me President of OPTIMAbit GmbH Responsible for > 200 Pentests per Year Ca 50 ios Pentests and code reviews in the last two years. Overview

More information

ASL IT SECURITY XTREME XPLOIT DEVELOPMENT

ASL IT SECURITY XTREME XPLOIT DEVELOPMENT ASL IT SECURITY XTREME XPLOIT DEVELOPMENT V 2.0 A S L I T S e c u r i t y P v t L t d. Page 1 Overview: The most dangerous threat is the one which do not have a CVE. Until now developing reliable exploits

More information

Procedure of Secure Development Tool Adoption Study

Procedure of Secure Development Tool Adoption Study Procedure of Secure Development Tool Adoption Study Introduction This study is designed for us to better understand how developers adopt secure development tools and why some developers refuse to use these

More information

Architecture of Enterprise Mobile Apps

Architecture of Enterprise Mobile Apps Architecture of Enterprise Mobile Apps November 22, 2011 Sergey Zabaluev http://mobile.ctco.eu Setting the context Business trends need for speed and agility Highly competitive, global marketplace Increasing

More information

Simon Fraser University. Web Security. Dr. Abhijit Sen CMPT 470

Simon Fraser University. Web Security. Dr. Abhijit Sen CMPT 470 Web Security Dr. Abhijit Sen 95% of web apps have Vulnerabilities Cross-site scripting (80 per cent) SQL injection (62 per cent) Parameter tampering (60 per cent) http://www.vnunet.com/vnunet/news/2124247/web-applicationswide-open-hackers

More information

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com SAINT Integrated Network Vulnerability Scanning and Penetration Testing www.saintcorporation.com Introduction While network vulnerability scanning is an important tool in proactive network security, penetration

More information

Contenu du Cours : IBM Mobile Application

Contenu du Cours : IBM Mobile Application Contenu du Cours : IBM IBM Middle East and Africa University IBM Copyright 2014 IBM CONFIDENTIAL - Why IBM? IBM MARKET LEADER IN THE MOBILE APPLICATION SPACE GARTNER Magic Quadrant Development Platforms

More information

Software Security Analysis - Execution Phase Audit

Software Security Analysis - Execution Phase Audit Software Security Analysis - Execution Phase Audit Bengt Carlsson * and Dejan Baca # * School of Engineering, Blekinge Institute of Technology ; PO Box 520, S-372 25 Ronneby, SWEDEN; bengt.carlsson;@bth.se

More information

WEB APPLICATION SECURITY

WEB APPLICATION SECURITY WEB APPLICATION SECURITY Governance and Risk Management YOUR LAST LINE OF DEFENSE Aug 06 2009 ANSES RAH RAH Anthony Lim MBA CISSP CSSLP FCITIL Director, Security, Asia Pacific Rational Software Prolog

More information

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Detecting Web Application Vulnerabilities Using Open Source Means OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Kostas Papapanagiotou Committee Member OWASP Greek Chapter conpap@owasp.gr

More information

Building a Mobile App Security Risk Management Program. Copyright 2012, Security Risk Advisors, Inc. All Rights Reserved

Building a Mobile App Security Risk Management Program. Copyright 2012, Security Risk Advisors, Inc. All Rights Reserved Building a Mobile App Security Risk Management Program Your Presenters Who Are We? Chris Salerno, Consultant, Security Risk Advisors Lead consultant for mobile, network, web application penetration testing

More information

Secure Programming with Static Analysis. Jacob West jacob@fortify.com

Secure Programming with Static Analysis. Jacob West jacob@fortify.com Secure Programming with Static Analysis Jacob West jacob@fortify.com Software Systems that are Ubiquitous Connected Dependable Complexity U Unforeseen Consequences Software Security Today The line between

More information

KEMP LoadMaster. Enabling Hybrid Cloud Solutions in Microsoft Azure

KEMP LoadMaster. Enabling Hybrid Cloud Solutions in Microsoft Azure KEMP LoadMaster Enabling Hybrid Cloud Solutions in Microsoft Azure Introduction An increasing number of organizations are moving from traditional on-premises datacenter architecture to a public cloud platform

More information

IBM Rational AppScan Source Edition

IBM Rational AppScan Source Edition IBM Software November 2011 IBM Rational AppScan Source Edition Secure applications and build secure software with static application security testing Highlights Identify vulnerabilities in your source

More information

Trustworthy Software Systems

Trustworthy Software Systems Trustworthy Software Systems Greg Morrisett Cutting Professor of Computer Science School of Engineering & Applied Sciences Harvard University Little about me Research & Teaching Compilers, Languages, Formal

More information

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive Cloud Security Through Threat Modeling Robert M. Zigweid Director of Services for IOActive 1 Key Points Introduction Threat Model Primer Assessing Threats Mitigating Threats Sample Threat Model Exercise

More information

Braindumps.C2150-810.50 questions

Braindumps.C2150-810.50 questions Braindumps.C2150-810.50 questions Number: C2150-810 Passing Score: 800 Time Limit: 120 min File Version: 5.3 http://www.gratisexam.com/ -810 IBM Security AppScan Source Edition Implementation This is the

More information

Web Engineering Web Application Security Issues

Web Engineering Web Application Security Issues Security Issues Dec 14 2009 Katharina Siorpaes Copyright 2009 STI - INNSBRUCK www.sti-innsbruck.at It is NOT Network Security It is securing: Custom Code that drives a web application Libraries Backend

More information

Research Article Automating Risk Analysis of Software Design Models

Research Article Automating Risk Analysis of Software Design Models e Scientific World Journal, Article ID 805856, pages http://dx.doi.org/0.55/04/805856 Research Article Automating Risk Analysis of Software Design Models Maxime Frydman, Guifré Ruiz, Elisa Heymann, Eduardo

More information