Metrics, methods and tools to measure trustworthiness
|
|
- Harriet Hensley
- 8 years ago
- Views:
Transcription
1 Metrics, methods and tools to measure trustworthiness Henrique Madeira AMBER Coordination Action University of Coimbra March 9 th,
2 Measuring trustworthiness Trustworthy ICT should be: Secure Dependable Resilient to attacks, operational faults and changes Quite different types of animals Require different metrics, methods and tools 2
3 Measuring trustworthiness Trustworthy ICT should be: Secure Dependable Resilient Measuring, assessing, and benchmarking dependability and resilience is far from being solved to attacks, operational faults and changes Measuring, assessing and benchmarking security is even harder 3
4 What we have in mind when we talk about security measuring? Qualitative and quantitative measurements Quantitative measurement in two flavors: Relative sense (benchmarking), to choose among alternatives Absolute sense, to give guaranties to users Predictive value At different levels Organizational measurements: measure effectiveness of organizational processes Technical measurements: assess/compare technical objects Operational measurements: produced as a part of normal operations Throughout systems lifecycle 4
5 Limitations of existing security measuring methods? In general, are focused on specific aspects of security. Lots of useful methods that help improving security, but none of them can quantify security. Methods based on process guidelines and best practices Red Teams, that may be effective in finding problems Formal methods fail proving absolute security in realistic scenarios, although useful to find problems Vulnerability detection approaches Etc Lack of predictive metrics and methods. Organizational-level and technical security metrics are not integrated to provide a comprehensive view 5
6 Challenge 1 Metrics, methods, and tools Appropriate security metrics? Methods for estimating security metrics Which metrics? Just a small number? Specific of a given context? Metrics purpose (related Effective to evaluation requirements)? tools Metrics at different levels: component, system, infrastructure, organization, Product oriented and process oriented Applied throughout the system lifecycle Metric composition, namely how to relate organizational and technical security metrics. 6
7 Challenge 1 Metrics, methods, and tools Appropriate security metrics? Methods for estimating security metrics Effective evaluation tools Which methods? Formal, experimental, risk assessment, threat & vulnerability assessment, Should be both model and experimentally based 7
8 Challenge 1 Metrics, methods, and tools Example of benchmarking vulnerability scanners tools Appropriate security metrics? Methods for estimating security metrics Effective evaluation 3tools Vulnerability Scanner 3 Effective tools that can be used by practitioners (detected 73/117) Vulnerability Scanner 1 (detected 51/117) Integration of different tools in a toolset, including tools Vulnerability for organizational Scanner 1 = Acunetix and Web technical Vulnerability metrics Scanner 4 Vulnerability Scanner 2 = Watchfire AppScan 7 (aquired by IBM) Vulnerability Scanner 3 = Spi Dynamics WebInspect 6.32 (aquired by HP) Detected by manual scanning only Vulnerability Scanner 2 (detected 27/117) 8 8
9 Challenge 2 Validation Properties Representativeness Repeatability Reproducibility Portability Scalability Generalization Just being pragmatic is enough? 9
10 Challenge 3 Impact and relevance How to select the challenges and research problems that maximize the impact of research outcomes? Metrics that promote security improvement User view Industry Metrics that show the return on investment Regulation policy Benchmarking 10
Metrics, Methods and Tools to Measure Security and Trustworthiness. Measuring trustworthiness
Metrics, Methods and Tools to Measure Security and Trustworthiness Henrique Madeira, University of Coimbra, Portugal Workshop on Recent Advances on Intrusion-Tolerant Systems (WRAITS) Cascais, June 29
More informationEngineering Secure Complex Software Systems and Services
Engineering Secure Complex Software Systems and Services Preparation of FP7-ICT WP 2009-2010 - Mini-Concertation Meeting Henrique Madeira University of Coimbra Portugal University of Coimbra Question 1
More informationProtecting Database Centric Web Services against SQL/XPath Injection Attacks
Protecting Database Centric Web Services against SQL/XPath Injection Attacks Nuno Laranjeiro, Marco Vieira, and Henrique Madeira CISUC, Department of Informatics Engineering University of Coimbra, Portugal
More informationLearning objectives for today s session
Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Learning objectives for today s session Understand what a black box and white box assessment is and how they differ Identify
More informationBlack Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP
Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Learning objectives for today s session Understand different types of application assessments and how they differ Be
More informationAbstract. Introduction. Summary
Analyzing the Effectiveness and Coverage of Web Application Security s By Larry Suto Application Security Consultant San Francisco October, 2007 Abstract This paper summarizes my study of web application
More informationTurning the Battleship: How to Build Secure Software in Large Organizations. Dan Cornell May 11 th, 2006
Turning the Battleship: How to Build Secure Software in Large Organizations Dan Cornell May 11 th, 2006 Overview Background and key questions Quick review of web application security The web application
More informationWHITE PAPER. Analyzing the Effectiveness and Coverage of Web Application Security Scanners
WHITE PAPER Analyzing the Effectiveness and Coverage of Web Application Security Scanners Table of Contents Introduction 3 Summary 3 Methodology 4 Testing 4 Detailed Results 5 Closed Source Internal Corporate
More informationSecurity Testing for Web Applications and Network Resources. (Banking).
2011 Security Testing for Web Applications and Network Resources (Banking). The Client, a UK based bank offering secure, online payment and banking services to its customers. The client wanted to assess
More informationComparing the Effectiveness of Penetration Testing and Static Code Analysis
Comparing the Effectiveness of Penetration Testing and Static Code Analysis Detection of SQL Injection Vulnerabilities in Web Services PRDC 2009 Nuno Antunes, nmsa@dei.uc.pt, mvieira@dei.uc.pt University
More informationESKISP6055.01 Manage security testing
Overview This standard covers the competencies concerning with managing security testing activities. Including managing resources activities and deliverables. This includes planning, conducting and reporting
More informationProcedure of Secure Development Tool Adoption Study
Procedure of Secure Development Tool Adoption Study Introduction This study is designed for us to better understand how developers adopt secure development tools and why some developers refuse to use these
More informationUsing Web Security Scanners to Detect Vulnerabilities in Web Services
FACULDADE DE CIÊNCIAS E TECNOLOGIA DA UNIVERSIDADE DE COIMBRA DEPARTAMENTO DE ENGENHARIA INFORMÁTICA Using Web Security Scanners to Detect Vulnerabilities in Web Services Marco Vieira Nuno Antunes Henrique
More informationMingyu Web Application Firewall (DAS- WAF) - - - All transparent deployment for Web application gateway
Mingyu Web Application Firewall (DAS- WAF) - - - All transparent deployment for Web application gateway All transparent deployment Full HTTPS site defense Prevention of OWASP top 10 Website Acceleration
More informationASE STUDY. Performance Testing & Security Testing for Web Applications.
2011 Performance Testing & Security Testing for Web Applications. ASE STUDY The client is a leading FMCG brand, they wanted to protect their web application from security threats and provide a trusted.
More informationEvaluating and Comparing the Impact of Software Faults on Web Servers
Evaluating and Comparing the Impact of Software Faults on Web Servers April 2010, João Durães, Henrique Madeira CISUC, Department of Informatics Engineering University of Coimbra {naaliel, jduraes, henrique}@dei.uc.pt
More informationWeb services commonly provide the strategic. Penetration Testing for Web Services
COVER FEATURE Penetration Testing for Web Services Nuno Antunes and Marco Vieira, University of Coimbra, Portugal Web services are often deployed with critical software security faults that open them to
More informationA clustering Approach for Web Vulnerabilities Detection
A clustering Approach for Web Vulnerabilities Detection Mohamed Kaâniche Rim Akrout, Eric Alata, Yann Bachy, Anthony Dessiatnikoff, Vincent Nicome?e Design and Assessment of application Level Intrusion
More informationDissertation Masters in Informatics Engineering
Dissertation Masters in Informatics Engineering Evaluating Web Services Security Nuno Manuel dos Santos Antunes nmsa@dei.uc.pt Advisor: Prof. Marco Vieira 10-07-2009 Department of Informatics Engineering
More informationWebGoat for testing your Application Security tools
WebGoat for testing your Application Security tools NAISG-DFW February 28 th, 2012 Michael A Ortega, CISSP CEH CISM GCFA Sr Application Security Professional IBM Security Systems 312.523.1538 maortega@us.ibm.com
More informationPUTTING NIST GUIDELINES FOR INFORMATION SECURITY CONTINUOUS MONITORING INTO PRACTICE
PUTTING NIST GUIDELINES FOR INFORMATION SECURITY CONTINUOUS MONITORING INTO PRACTICE Since Congress instituted the Federal Information Security Management Act (FISMA) of 2002 to address the rapid proliferation
More informationHP Fortify application security
HP Fortify application security Erik Costlow Enterprise Security The problem Cyber attackers are targeting applications Networks Hardware Applications Intellectual Property Security Measures Switch/Router
More informationApplication Security Testing as a Foundation for Secure DevOps
Application Security Testing as a Foundation for Secure DevOps White Paper - April 2016 Introduction Organizations realize that addressing the risk of attacks on their Website applications is critical.
More informationDANNY ALLAN, STRATEGIC RESEARCH ANALYST. A whitepaper from Watchfire
WEB APPLICATION SECURITY: AUTOMATED SCANNING OR MANUAL PENETRATION TESTING? DANNY ALLAN, STRATEGIC RESEARCH ANALYST A whitepaper from Watchfire TABLE OF CONTENTS Introduction... 1 History... 1 Vulnerability
More informationIntelligent Vulnerability Management The Art of Prioritizing Remediation. Phone Conference
Intelligent Vulnerability Management The Art of Prioritizing Remediation An IANS Interactive Phone Conference SUMMARY OF FINDINGS F e b r u a ry 2010 Context Joel Scambray shared IANS point of view on
More informationWeb application security Executive brief Managing a growing threat: an executive s guide to Web application security.
Web application security Executive brief Managing a growing threat: an executive s guide to Web application security. Danny Allan, strategic research analyst, IBM Software Group Contents 2 Introduction
More informationStreamlining Application Vulnerability Management: Communication Between Development and Security Teams
Streamlining Application Vulnerability Management: Communication Between Development and Security Teams October 13, 2012 OWASP Boston Application Security Conference Agenda Introduction / Background Vulnerabilities
More informationSECURITY METRICS: MEASUREMENTS TO SUPPORT THE CONTINUED DEVELOPMENT OF INFORMATION SECURITY TECHNOLOGY
SECURITY METRICS: MEASUREMENTS TO SUPPORT THE CONTINUED DEVELOPMENT OF INFORMATION SECURITY TECHNOLOGY Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute
More informationIntegrating Tools Into the SDLC
Integrating Tools Into the SDLC FIRST Conference 2007 The problem Too many organizations have either: Failed to try software security tools at all Tried tools, but became overwhelmed Tools relegated to
More informationComplete Web Application Security. Phase1-Building Web Application Security into Your Development Process
Complete Web Application Security Phase1-Building Web Application Security into Your Development Process Table of Contents Introduction 3 Thinking of security as a process 4 The Development Life Cycle
More informationSecuring PHP Based Web Application Using Vulnerability Injection
International Journal of Information and Computation Technology. ISSN 0974-2239 Volume 3, Number 5 (2013), pp. 391-398 International Research Publications House http://www. irphouse.com /ijict.htm Securing
More informationAgile and Secure Can We Be Both? Chicago OWASP. June 20 th, 2007
Agile and Secure Can We Be Both? Chicago OWASP June 20 th, 2007 The Agile Practitioner s Dilemma Agile Forces: Be more responsive to business concerns Increase the frequency of stable releases Decrease
More informationTrust and Dependability in Cloud Computing
Trust and Dependability in Cloud Computing Claus Pahl IC4 Principal Investigator November 7 th, 2013 Research Philosophy design for growth design for best service provision design for widest acceptance
More informationEnterprise Software Security Strategies
Enterprise Software Security Strategies Summary Results October 2014 Program Overview Between June and September, 2014, Gatepoint Research invited IT and Security executives to participate in a survey
More informationHow To Manage Cloud Data Safely
Information Governance In The Cloud Galina Datskovsky, Ph. D., CRM President of ARMA International SVP Information Governance Solutions Topics Cloud Characteristics And Risks Information Management In
More informationIG ISCM MATURITY MODEL FOR FY 2015 FISMA FOR OFFICIAL USE ONLY
IG MATURITY MODEL FOR FY 2015 FISMA 1 Ad-hoc 1.1 program is not formalized and activities are performed in a reactive manner resulting in an adhoc program that does not meet 2 requirements for a defined
More informationF5 Silverline Web Application Firewall Onboarding: Technical Note
F5 Silverline Web Application Firewall Onboarding: Technical Note F5 Silverline Web Application Firewall Onboarding With organizations transitioning application workloads to the cloud, traditional centralized
More informationUsing Web Security Scanners to Detect Vulnerabilities in Web Services
DSN 2009 Using Web Security Scanners to Detect Vulnerabilities in Web Services Marco Vieira,, Henrique Madeira {mvieira, nmsa, henrique}@dei.uc.pt CISUC Department of Informatics Engineering University
More informationProcess-Based Security Testing in a Carrier Environment
Process-Based Security Testing in a Carrier Environment Sven Weizenegger, Heikki Kortti 02.07.2008 1 Introduction Sven Weizenegger T-Systems Lead of Security Testing and Senior Consultant Heikki Kortti
More informationBaseline: Metrics for setting a baseline for web vulnerability scanners
Baseline: Metrics for setting a baseline for web vulnerability scanners Huning Dai, Michael Glass, and Gail Kaiser Department of Computer Science, Columbia University, New York, NY 10027 USA {dai,mgg2102,kaiser}@cs.columbia.com
More informationCORE Security and NIST
CORE Security and NIST Putting NIST Guidelines for Information Security Continuous Monitoring into Practice CORE Security +1 617.399-6980 info@coresecurity.com www.coresecurity.com blog.coresecurity.com
More informationTHE BENEFITS OF UNDERSTANDING TROUBLESHOOTING AND TUNING FOR ACUNETIX WEB VULNERABILITY SCANNING
THE BENEFITS OF UNDERSTANDING TROUBLESHOOTING AND TUNING FOR ACUNETIX WEB VULNERABILITY SCANNING www.alliancetechpartners.com www.alliancetechpartners.com THE BENEFITS OF UNDERSTANDING TROUBLESHOOTING
More informationDynamic Trust Management for the Internet of Things Applications
Dynamic Trust Management for the Internet of Things Applications Fenye Bao and Ing-Ray Chen Department of Computer Science, Virginia Tech Self-IoT 2012 1 Sept. 17, 2012, San Jose, CA, USA Contents Introduction
More informationGSBI Social Enterprise Stage Assessment Tool
GSBI Social Enterprise Stage Assessment Tool PRE-RELEASE DRAFT FOR PARTNER FEEDBACK Rev.: August 29, 2014-1 - About this Document This document is a pre-release version of a tool that the Global Social
More informationThink like an MBA not a CISSP
Think like an MBA not a CISSP Embracing University Culture to Achieve Security Initiatives' Matt Malone Security Services Director 512-650-0179 Matt.Malone@SLAITconsulting.com Goals Security is a business
More informationBuilding a Corporate Application Security Assessment Program
Building a Corporate Application Security Assessment Program Rob Jerdonek and Topher Chung Corporate Information Security Intuit Inc. July 23, 2009 Copyright The Foundation Permission is granted to copy,
More informationHP Application Security Center
HP Application Security Center Web application security across the application lifecycle Solution brief HP Application Security Center helps security professionals, quality assurance (QA) specialists and
More informationMOBILE MALWARE REPORT
TRUST IN MOBILE MALWARE REPORT THREAT REPORT: H2/2014 CONTENTS At a Glance 03-03 Forecasts and trends 04-04 Current situation: 4.500 new Android malware instances every day 05-05 Third-party App-Stores
More informationA Strategic Approach to Web Application Security The importance of a secure software development lifecycle
A Strategic Approach to Web Application Security The importance of a secure software development lifecycle Rachna Goel Technical Lead Enterprise Technology Web application security is clearly the new frontier
More informationSoftware Engineering Compiled By: Roshani Ghimire Page 1
Unit 7: Metric for Process and Product 7.1 Software Measurement Measurement is the process by which numbers or symbols are assigned to the attributes of entities in the real world in such a way as to define
More informationAnalyzing the Accuracy and Time Costs of Web Application Security Scanners
Analyzing the Accuracy and Time Costs of Web Application Security Scanners By Larry Suto Application Security Consultant San Francisco February, 2010 Abstract This paper is intended as a follow-on study
More informationProtecting Database Centric Web Services against SQL/XPath Injection Attacks
Protecting Database Centric Web Services against SQL/XPath Injection Attacks Nuno Laranjeiro, Marco Vieira, and Henrique Madeira CISUC, Department of Informatics Engineering University of Coimbra, Portugal
More informationHKITPC Competency Definition
HKITPC Competency Definition for the Certification copyright 2011 HKITPC HKITPC Competency Definition Document Number: HKCS-CD-L1L2 Version: 1.0 Date: June 2011 Prepared by Hong Kong IT Professional Certification
More informationQAIassist Software Development Methodology Implementation Guide
QAIassist Software Development Methodology Implementation Guide QAIassist Integrated Methodology is an effective process-based methodology incorporating the three (project management, software development,
More informationIT Professional Standards. Information Security Discipline. Sub-discipline 605 Information Security Testing and Information Assurance Methodologies
IT Professional Standards Information Security Discipline Sub-discipline 605 Information Security Testing and Information Assurance Methodologies December 2012 Draft Version 0.6 DOCUMENT REVIEW Document
More informationHP Fortify Software Security Center
HP Fortify Software Security Center Proactively Eliminate Risk in Software Trust Your Software 92% of exploitable vulnerabilities are in software National Institute for Standards and Technology (NIST)
More informationAgile and Secure: OWASP AppSec Seattle Oct 2006. The OWASP Foundation http://www.owasp.org/
Agile and Secure: Can We Be Both? OWASP AppSec Seattle Oct 2006 Dan Cornell, OWASP San Antonio Leader Principal, Denim Group Ltd. dan@denimgroup.com (210) 572-4400 Copyright 2006 - The OWASP Foundation
More informationRisk mitigation for business resilience White paper. A comprehensive, best-practices approach to business resilience and risk mitigation.
Risk mitigation for business resilience White paper A comprehensive, best-practices approach to business resilience and risk mitigation. September 2007 2 Contents 2 Overview: Why traditional risk mitigation
More informationTable of contents. Web application security: too costly to ignore. White paper
Web application security: too costly to ignore White paper Table of contents Web application security: too costly to ignore.... 2 Web application security: solving a complex challenge.... 3 Toward continuous
More informationBuilding Security Into The Software Life Cycle
Building Security Into The Software Life Cycle A Business Case Marco M. Morana Senior Consultant Foundstone Professional Services a Division of McAfee Email: marco.morana@foundstone.com Outline» Glossary»
More informationHow To Integrate Security Into Your Application Development
Six Best Practices of IT Security 187 Ballardvale Street, Wilmington, MA 01887 +1.978.694.1008 2 Table of Contents 1. Make a Self-Assessment...3 2. Believe the Application Security Hype...3 3. Ask Tough
More informationApplication Code Development Standards
Application Code Development Standards Overview This document is intended to provide guidance to campus system owners and software developers regarding secure software engineering practices. These standards
More informationEFFECTIVE VULNERABILITY SCANNING DEMYSTIFYING SCANNER OUTPUT DATA
EFFECTIVE VULNERABILITY SCANNING DEMYSTIFYING SCANNER OUTPUT DATA Paul R. Lazarr, CISSP, CISA, CIPP, CRISK Sr. Managing Consultant, IBM Cybersecurity and Biometrics January 21, 2016 PERSONAL BACKGROUND
More informationIT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach.
IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach. Gunnar Wahlgren 1, Stewart Kowalski 2 Stockholm University 1: (wahlgren@dsv.su.se), 2: (stewart@dsv.su.se) ABSTRACT
More informationIntegrating Security into the Application Development Process. Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis
Integrating Security into the Application Development Process Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis Agenda Seek First to Understand Source Code Security AppSec and SQA Analyzing
More informationSecuring Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group
Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability
More informationCloud Security Specialist Certification Self-Study Kit Bundle
Cloud Security Specialist Certification Bundle CloudSchool.com CLOUD CERTIFIED Technology Professional This certification bundle provides you with the self-study materials you need to prepare for the exams
More informationUSING SECURITY METRICS TO ASSESS RISK MANAGEMENT CAPABILITIES
Christina Kormos National Agency Phone: (410)854-6094 Fax: (410)854-4661 ckormos@radium.ncsc.mil Lisa A. Gallagher (POC) Arca Systems, Inc. Phone: (410)309-1780 Fax: (410)309-1781 gallagher@arca.com USING
More informationPenetration Testing Tools
Penetration Testing Tools Ken van Wyk January 2007 ABSTRACT: This article provides a primer on the most commonly used tools for traditional penetration testing. (A related article provides an overview
More informationFlyntGroup.com. Enterprise Risk Management and Business Impact Analysis: Understanding, Treating and Monitoring Risk
Enterprise Risk Management and Business Impact Analysis: Understanding, Treating and Monitoring Risk 2012 The Flynt Group, Inc., All Rights Reserved FlyntGroup.com Enterprise Risk Management and Business
More informationBackground. HSBC DOD VA Masters in Computer Science Somerset Recon. Avid CTF Competitor
Penetration Testing Background HSBC DOD VA Masters in Computer Science Somerset Recon Avid CTF Competitor Table Of Contents 0. Information Security Risks 1. Why Pentest 2. Pentest Methodology/Process 3.
More informationBest Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper
Best Practices in ICS Security for Device Manufacturers A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security
More informationCyber Security Controls Assessment : A Critical Discipline of Systems Engineering
Cyber Controls : A Critical Discipline of Systems 14 th Annual NDIA Systems San Diego, CA October 24-28, 2011 Bharat Shah Lockheed Martin IS&GS bharat.shah@lmco.com Purpose Provide an overview on integrating
More informationReflective Summary Project Risk Management. Anthony Bowen. Northcentral University
Northcentral University Spring 2010 - BowenAPM7004-7 1 Reflective Summary Project Risk Management Anthony Bowen Northcentral University March 20, 2010 Northcentral University Spring 2010 - BowenAPM7004-7
More informationAgile and Secure: Can We Be Both?
Agile and Secure: Can We Be Both? OWASP AppSec Seattle Oct 2006 Keith Landrus Director of Technology Denim Group Ltd. keith.landrus@denimgroup.com (210) 572-4400 Copyright 2006 - The OWASP Foundation Permission
More informationPenetration Testing Service. By Comsec Information Security Consulting
Penetration Testing Service By Consulting February, 2007 Background The number of hacking and intrusion incidents is increasing year by year as technology rolls out. Equally, there is no hiding place your
More informationNetwork Security: A Critical Component to Any Business IT Plan. www.cognoscape.com
Network Security: A Critical Component to Any Business IT Plan www.cognoscape.com Network Security: A Critical Component to Any Business IT Plan In this day and age, every business, no matter its size
More informationCHAPTER - 4: QUALITY STANDARDS: THE MISSED OPPORTUNITIES
CHAPTER - 4: QUALITY STANDARDS: THE MISSED OPPORTUNITIES 79 Chapter - 4: Quality Standards: The Missed Opportunities 4.1 Introduction Conventional Engineering streams like Mechanical, Electrical and Civil
More informationAccelerating Software Security With HP. Rob Roy Federal CTO HP Software
Accelerating Software Security With HP Rob Roy Federal CTO HP Software If we were in a cyberwar today, the United States would lose. Mike McConnell Former DNI, NSA. Head of Booz Allen Hamilton National
More informationESKISP6053.01 Assist security testing, under supervision
Overview This standard covers the competencies required to assist security testing under supervision. In order to contribute to the determination of the level of resilience of an information system to
More informationWeb Application Security Roadmap
Web Application Security Roadmap Joe White joe@cyberlocksmith.com Cyberlocksmith April 2008 Version 0.9 Background Web application security is still very much in it s infancy. Traditional operations teams
More informationAutomatic vs. Manual Code Analysis
Automatic vs. Manual Code Analysis 2009-11-17 Ari Kesäniemi Senior Security Architect Nixu Oy ari.kesaniemi@nixu.com Copyright The Foundation Permission is granted to copy, distribute and/or modify this
More informationCertified Information Security Manager (CISM)
Certified Information Security Manager (CISM) Course Introduction Course Introduction Domain 01 - Information Security Governance Lesson 1: Information Security Governance Overview Information Security
More informationNew IBM Security Scanning Software Protects Businesses From Hackers
New IBM Security Scanning Software Protects Businesses From Hackers Chatchawun Jongudomsombut Web Application Security Situation Today HIGH AND INCREASING DEPENDENCE ON WEB SERVICES Work and business Communications
More informationSOFTWARE TESTING PROCESSES PRESENTATION
SOFTWARE TESTING PROCESSES PRESENTATION Agenda 1. Software testing (ST) tasks and objectives 2. ST documentation 3. Types of tests 4. Functional testing process 5. Process supporting tools 6. Performance
More information74. Selecting Web Services with Security Compliances: A Managerial Perspective
74. Selecting Web Services with Security Compliances: A Managerial Perspective Khaled Md Khan Department of Computer Science and Engineering Qatar University k.khan@qu.edu.qa Abstract This paper proposes
More informationHybrid Analysis Mapping: Making Security and Development Tools Play Nice Together. Dan Cornell. CTO, Denim Group@danielcornell
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Together Dan Cornell CTO, Denim Group@danielcornell This presentation contains information about DHS-funded research: Topic Number:
More informationGOVERNANCE DEFINED. Governance is the practice of making enterprise-wide decisions regarding an organization s informational assets and artifacts
GOVERNANCE DEFINED Governance is the practice of making enterprise-wide decisions regarding an organization s informational assets and artifacts Governance over the use of technology assets can be seen
More informationRisk-Informed Security: Summary of Three Workshops
Risk-Informed Security: Summary of Three Workshops N. Siu Office of Nuclear Regulatory Research U.S. Nuclear Regulatory Commission Presented at INMM/ANS Workshop on Safety-Security Risk-Informed Decision-Making
More informationInformation Assurance Metrics Highlights
Information Assurance Metrics Highlights Dr. Michael Schildcrout Naval Security Group 1 Outline Metrics Development Process Joint Service Effort DOT&E Sponsorship Risk Levels Remaining Issues 2 Information
More informationShankar Gawade VP IT INFRASTRUCTURE ENAM SECURITIES PVT. LTD.
Business Continuity Management & Disaster Recovery Planning Presented by: Shankar Gawade VP IT INFRASTRUCTURE ENAM SECURITIES PVT. LTD. 1 What is Business Continuity Management? Is a holistic management
More informationWeb Applications The Hacker s New Target
Web Applications The Hacker s New Target Ross Tang IBM Rational Software An IBM Proof of Technology Hacking 102: Integrating Web Application Security Testing into Development 1 Are you phished? http://www.myfoxny.com/dpp/your_money/consumer/090304_facebook_security_breaches
More informationService management White paper. Manage access control effectively across the enterprise with IBM solutions.
Service management White paper Manage access control effectively across the enterprise with IBM solutions. July 2008 2 Contents 2 Overview 2 Understand today s requirements for developing effective access
More informationBlind SQL Injection Are your web applications vulnerable?
Blind SQL Injection Are your web applications vulnerable? By Kevin Spett Introduction The World Wide Web has experienced remarkable growth in recent years. Businesses, individuals, and governments have
More informationBusiness Case Outsourcing Information Security: The Benefits of a Managed Security Service
Business Case Outsourcing Information Security: The Benefits of a Managed Security Service seccuris.com (866) 644-8442 Contents Introduction... 3 Full- Time Experts vs. a Part- Time In- House Staff...
More informationInformation Technology Strategic Plan 2014-2017
Information Technology Strategic Plan 2014-2017 Leveraging information technology to create a competitive advantage for UW-Green Bay Approved December 2013 (Effective January 2014 December 2017) Contents
More informationCIPS 2011 Awarded Grants. Project number Applicant's name Ctry Title Description Grant
CIPS 2011 Awarded Grants Project number Applicant's name Ctry Title Description Grant HOME/2011/CIPS/AG/2012 NATIONAL INSTUTE COMMUNICATION TECHNOLOGIES (INTECO) ES SCADA laboratory and testbed as a service
More informationRisk and Security Assessment. Zbigniew Kalbarczyk
Risk and Security Assessment Zbigniew Kalbarczyk 1 TCIPG Cluster Arrangement Communication and Data Delivery for Wide-Area Monitoring and Control Trustworthy cyber infrastructure and technologies for wide-area
More informationETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001
001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110
More informationPanel: SwA Practices - Getting to Effectiveness in Implementation
Panel: SwA Practices - Getting to Effectiveness in Implementation (EMC s Evolution of Product Security Assurance) Dan Reddy, CISSP, CSSLP EMC Product Security Office Software Assurance Forum Gaithersburg,
More information