Security Testing and Vulnerability Management Process. e-governance
|
|
- Doreen Rose
- 8 years ago
- Views:
Transcription
1 Security Testing and Vulnerability Management Process for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India.
2 Document Control S/L Type of Information Document Data 1. Document Title 2. Document Code 3. Date of Release 4. Next Review Date 5. Document Revision Number 6. Document Owner 7. Document Author(s) 8. Document Reference Document Approval Sr. No. Document Approver Approver Designation Approver ID Document Change History Version Revision Date Nature of Change Date of Approval No. For Internal Use Only Page 2 of 11
3 Tablle off Conttentts 1. INTRODUCTION SCOPE PURPOSE PENETRATION TESTING PENETRATION TESTING PROCESS VULNERABILITY MANAGEMENT PROCESS FREQUENCY METHODOLOGY...7 Phase-1: Scoping and Communication... 8 Phase-2: Vulnerability Scanning... 8 Phase 3: Extraction of Reports... 9 Phase 4: Removal of False Positives... 9 Phase 5: Final Report Generation... 9 Phase 6: Tracking Closure of Vulnerabilities... 9 Roles and Responsibilities Matrix for Vulnerability Assessment ANNEXURE For Internal Use Only Page 3 of 11
4 1. INTRODUCTION Security Testing and Vulnerability management encompasses measures taken to review the output from the application from the perspective of application security. The review of the outputs from penetration testing is done in alignment with the updates and recommendation from OWASP (Open Web Application Security Project) as well as WASC (Web Application Security Consortium). The review is also done in compliance with the e- Gov Security Policy. Vulnerability is a flaw or weakness in the design or implementation of hardware, software, networks, or computer-based systems, including security procedures and controls associated with the systems. A vulnerability assessment exercise identifies and categorizes all declared vulnerabilities but doesn t permits exploits, whereas penetration testing allows for exploitation of all vulnerabilities found by assessors. 2. SCOPE This process is applicable for all hosted applications in datacenters across all locations where information of e-gov service delivery is processed and/or stored within the application. 3. PURPOSE The objective of creating the vulnerability assessment process is to christen a formal methodology document for conducting vulnerability assessment critical systems; thereby pro-actively discovering to what extent the security of Information systems is threatened by attacks and whether the security measures in place are currently capable of ensuring Information security. This process will address the vulnerabilities before they can be exploited to compromise company resources. The process will end up providing For Internal Use Only Page 4 of 11
5 recommendations for closure of identified vulnerabilities and minimizing loss of confidentiality, integrity and availability of data. 4. PENETRATION TESTING Penetration testing primarily targets the application security mechanisms (e.g., cryptography, data validation, and authentication) implemented in the identified application. The attacks that are tried out during the testing includes OWASP Top 10 vulnerabilities: as well: o Un-validated Input o Broken Access Control o Broken Authentication and Session Management o Cross Site Scripting (XSS) Flaws o Buffer Overflows o Injection Flaws o Improper Error Handling o Insecure Storage o Denial of Service o Insecure Configuration Management On identification of vulnerabilities are reported and prioritized on the basis of impact and likelihood. A timeline is defined by the application Owner for closure of each of the vulnerabilities identified. In case of the remediation being infeasible the risks should be minimized and the residual risks should be documented over with a sign off. For Internal Use Only Page 5 of 11
6 Example: IBM Rational Appscan tool is used for automated penetration testing. Vulnerabilities so found are reviewed manually before publishing the report and sharing with Application owner. Thick client application penetration testing is carried out manually. 5. PENETRATION TESTING PROCESS Penetration testing is to be carried out by any STQC empanelled auditor. In this document we shall be referring to the same as PT (Penetration testing) team. Penetration testing Application CISO PT team Owner Start PT team asks or detail of Pre-prod and test environments Preprod/ Test environ ment Perform port scanning of application Manually validate test findings Generate and share report with App owner PT Report Validate the evidences to confirm fix of vulnerabilities Fix the vulnerabilities and share the evidences with PT Team Stop PT Report Reviews PT report and seeks clarification from PT team if required. a. PT team asks for the details required to initiate the penetration testing. The details include: o Application URL in pre-prod/test environment o Minimum two user credentials (1 administrative level access, 1 normal user) o Any sensitive URLs that are out of scope b. Application Owner ensures that application is stable enough and all the functionalities are working. For Internal Use Only Page 6 of 11
7 c. PT team requires at least 3-4 days for completing penetration testing. d. Port scan is carried out on pre production environment. The findings reported by tool are documented in the final Penetration Testing report which is shared with Application Owner. Automated Penetration Testing is carried out on the application. On completion of the automated testing, manual validation of vulnerabilities is carried out. e. Report is created for the vulnerabilities found and shared with Application Owner. The vulnerabilities are classified and rated High, Medium and Low according to their severity. Severity is categorized based on impact, likelihood and results of tool output. Refer annexure for PT Report template. f. Security gaps are worked on by the concerned team and necessary changes are incorporated to secure the application/environment. g. Application team shares evidence supporting closure, h. PT team then reviews the response and close the observations based on the evidence shared by Application team. If any discrepancy is observed, PT team gets back to Application team to seek clarifications. i. Final Closures are to be approved by CISO. 6. VULNERABILITY MANAGEMENT PROCESS 5.1 FREQUENCY The frequency for Vulnerability assessment cycle is annually. The full cycle covers end to end process staring from Scoping of devices to the closure tracker on scanned devices. 5.2 METHODOLOGY Following diagram depicts the methodology for Vulnerability Management. For Internal Use Only Page 7 of 11
8 Phase-1: Scoping and Communication The scoping and communication phase of vulnerability management comprise the following: Approved list of selected devices for which vulnerability assessment is to be carried out; Approved vulnerability assessment end to end plan Suitable dates for carrying out vulnerability assessment; Time slots for vulnerability assessment; and Communication of final dates and time slots to all stakeholders. Phase-2: Vulnerability Scanning In this phase an attempt is made to determine the existence of known vulnerabilities and to discover if any weak configuration settings are in use/set for the internal systems/devices. This is accomplished by using a tool based vulnerability scanning method. For Internal Use Only Page 8 of 11
9 Phase 3: Extraction of Reports In this phase, the team conducting vulnerability assessment collects the output of vulnerability assessment from all relevant remote VA servers and extracts individual vulnerability data items. The information provided by vulnerability assessment about the target host includes, but not limited to the following. OS version, open ports, active services, Protocol etc. Vulnerabilities and rating of vulnerabilities risk Remediation steps Phase 4: Removal of False Positives The objective of this phase shall be to weed out any false positives appearing in the output of VA tools. These false positives may involve: Wrong reporting for existence of a vulnerability that may not be applicable to the target environment / host Highlighting a configuration setting that is required for business purpose and the risk is acceptable or is mitigated by other measures Reporting a service/open port which is actually not running/open The execution of this phase may involve the need to have administrative privileges on the system/device under VA scope. Phase 5: Final Report Generation In this phase, the output of VA tools is used to formulate a management report for presenting to the key management representatives. This report presents an overall summary of VA findings and also consists of the detailed vulnerability observations. Refer Annexure for VA report template. Phase 6: Tracking Closure of Vulnerabilities Tracking the closure of identified vulnerabilities plays a very important role in the vulnerability management process. Once the report containing a final set of vulnerabilities is generated and For Internal Use Only Page 9 of 11
10 handed over to CISO; closure tracking needs to be done so that every critical-vulnerability is patched, remediation steps are followed and operating systems are hardened. Roles and Responsibilities Matrix for Vulnerability Assessment The roles and responsibilities matrix for accomplishing the tasks for conducting vulnerability management is given hereunder: Role Team lead- Data center Operations Team Member- VA Infra and Operations Team Composite Team- Security Responsibility Team lead - VA has the overall responsibility for ensuring that VA objectives are met. Responsibilities include: Maintaining VA measurements for reporting Ensuring proper implementation of Vulnerability Management Process Analyze trends and compliance thresholds Establish thresholds and exception (alerts) reporting procedures Implement approved VA process changes according to requirements Managing the VA Team resources Creation of VA Cycle Audit Plan Ensuring availability of all resources (people and technical) before every VA cycle Team member - VA has responsibility for providing support to the Team lead for VA activities. Specific responsibilities include: Provide technical support and advise to address VA gaps closure issues Performing VA Audit on selected devices as per the plan Create management report on the basis of VA report and take sign-off on the same from relevant business representatives Advise the VA Team Lead of any required system configuration or modifications to meet VA objectives Provide Sign-Off on the Audit Plan Implement recommendations in the VA report as per set schedule Identify false positives from the tool report Raise change management requests for implementing patches / vulnerability closure recommendations Submit closure status to Composite team - Security on a weekly basis Provide the approved breakup plan for annual phases of vulnerability audits Drive closure for identification of target devices For Internal Use Only Page 10 of 11
11 CISO Role Responsibility Track the closure of vulnerabilities found as per required frequency Provide feedback for improvisation of VA process Provide Sign-Off on the Management Report Provide management support to achieve set objectives for the success of VM process 7. ANNEXURE PT report.xlsx VA report.xlsx PT Indemnity Agreement.doc For Internal Use Only Page 11 of 11
North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing
North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing Introduction ManTech Project Manager Mark Shaw, Senior Executive Director Cyber Security Solutions Division
More informationPassing PCI Compliance How to Address the Application Security Mandates
Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These
More information8070.S000 Application Security
8070.S000 Application Security Last Revised: 02/26/15 Final 02/26/15 REVISION CONTROL Document Title: Author: File Reference: Application Security Information Security 8070.S000_Application_Security.docx
More informationMaking your web application. White paper - August 2014. secure
Making your web application White paper - August 2014 secure User Acceptance Tests Test Case Execution Quality Definition Test Design Test Plan Test Case Development Table of Contents Introduction 1 Why
More informationWeb Engineering Web Application Security Issues
Security Issues Dec 14 2009 Katharina Siorpaes Copyright 2009 STI - INNSBRUCK www.sti-innsbruck.at It is NOT Network Security It is securing: Custom Code that drives a web application Libraries Backend
More informationCSUSB Web Application Security Standard CSUSB, Information Security & Emerging Technologies Office
CSUSB, Information Security & Emerging Technologies Office Last Revised: 03/17/2015 Draft REVISION CONTROL Document Title: Author: File Reference: CSUSB Web Application Security Standard Javier Torner
More informationWeb application security: automated scanning versus manual penetration testing.
Web application security White paper January 2008 Web application security: automated scanning versus manual penetration testing. Danny Allan, strategic research analyst, IBM Software Group Page 2 Contents
More informationApplication Code Development Standards
Application Code Development Standards Overview This document is intended to provide guidance to campus system owners and software developers regarding secure software engineering practices. These standards
More informationPatch Management Procedure. e-governance
for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S/L Type of Information Document
More informationNetwork Security Audit. Vulnerability Assessment (VA)
Network Security Audit Vulnerability Assessment (VA) Introduction Vulnerability Assessment is the systematic examination of an information system (IS) or product to determine the adequacy of security measures.
More informationThick Client Application Security
Thick Client Application Security Arindam Mandal (arindam.mandal@paladion.net) (http://www.paladion.net) January 2005 This paper discusses the critical vulnerabilities and corresponding risks in a two
More informationReducing Application Vulnerabilities by Security Engineering
Reducing Application Vulnerabilities by Security Engineering - Subash Newton Manager Projects (Non Functional Testing, PT CoE Group) 2008, Cognizant Technology Solutions. All Rights Reserved. The information
More informationwhite SECURITY TESTING WHITE PAPER
white SECURITY TESTING WHITE PAPER Contents: Introduction...3 The Need for Security Testing...4 Security Scorecards...5 Test Approach... 11 Framework... 16 Project Initiation Process... 17 Conclusion...
More informationWeb Application Report
Web Application Report This report includes important security information about your Web Application. OWASP Top Ten 2010 The Ten Most Critical Web Application Report This report was created by IBM Rational
More informationFINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES
Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that
More informationlocuz.com Professional Services Security Audit Services
locuz.com Professional Services Security Audit Services Today s Security Landscape Today, over 80% of attacks against a company s network come at the Application Layer not the Network or System layer.
More informationLearning objectives for today s session
Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Learning objectives for today s session Understand what a black box and white box assessment is and how they differ Identify
More informationThird Party Security Guidelines. e-governance
for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S/L Type of Information Document
More informationVisa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices
This document is to be used to verify that a payment application has been validated against Visa U.S.A. Payment Application Best Practices and to create the Report on Validation. Please note that payment
More informationWeb App Security Audit Services
locuz.com Professional Services Web App Security Audit Services The unsecured world today Today, over 80% of attacks against a company s network come at the Application Layer not the Network or System
More informationETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001
001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110
More informationBlack Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP
Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Learning objectives for today s session Understand different types of application assessments and how they differ Be
More information05.0 Application Development
Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development
More informationFINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE
Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security
More informationThe purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.
This sample report is published with prior consent of our client in view of the fact that the current release of this web application is three major releases ahead in its life cycle. Issues pointed out
More informationInformation Security Office
Information Security Office SAMPLE Risk Assessment and Compliance Report Restricted Information (RI). Submitted to: SAMPLE CISO CIO CTO Submitted: SAMPLE DATE Prepared by: SAMPLE Appendices attached: Appendix
More informationStrategic Information Security. Attacking and Defending Web Services
Security PS Strategic Information Security. Attacking and Defending Web Services Presented By: David W. Green, CISSP dgreen@securityps.com Introduction About Security PS Application Security Assessments
More informationExternal Supplier Control Requirements
External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must
More informationApplication Security Framework. e-governance
Application Security Framework for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S/L
More informationIntegrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com
SAINT Integrated Network Vulnerability Scanning and Penetration Testing www.saintcorporation.com Introduction While network vulnerability scanning is an important tool in proactive network security, penetration
More information3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management
What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org
More informationWHITEPAPER. Nessus Exploit Integration
Nessus Exploit Integration v2 Tenable Network Security has committed to providing context around vulnerabilities, and correlating them to other sources, such as available exploits. We currently pull information
More informationPentests more than just using the proper tools
Pentests more than just using the proper tools Agenda 1. Information Security @ TÜV Rheinland 2. Security testing 3. Penetration testing Introduction Evaluation scheme Security Analyses of web applications
More informationWhite Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers
White Paper Guide to PCI Application Security Compliance for Merchants and Service Providers Contents Overview... 3 I. The PCI DSS Requirements... 3 II. Compliance and Validation Requirements... 4 III.
More informationOverview of the Penetration Test Implementation and Service. Peter Kanters
Penetration Test Service @ ABN AMRO Overview of the Penetration Test Implementation and Service. Peter Kanters ABN AMRO / ISO April 2010 Contents 1. Introduction. 2. The history of Penetration Testing
More informationColumbia University Web Security Standards and Practices. Objective and Scope
Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements
More informationExcellence Doesn t Need a Certificate. Be an. Believe in You. 2014 AMIGOSEC Consulting Private Limited
Excellence Doesn t Need a Certificate Be an 2014 AMIGOSEC Consulting Private Limited Believe in You Introduction In this age of emerging technologies where IT plays a crucial role in enabling and running
More informationFinal Audit Report AUDIT OF THE INFORMATION SECURITY POSTURE OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT'S USAJOBS SYSTEM FY 2012
u.s. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Subject: AUDIT OF THE INFORMATION SECURITY POSTURE OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT'S USAJOBS
More informationThe Top Web Application Attacks: Are you vulnerable?
QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding
More informationPenetration Testing. Presented by
Penetration Testing Presented by Roadmap Introduction to Pen Testing Types of Pen Testing Approach and Methodology Side Effects Demonstration Questions Introduction and Fundamentals Penetration Testing
More informationSTATE OF NEW JERSEY IT CIRCULAR
NJ Office of Information Technology P.O. Box 212 www.nj.gov/it/ps/ Chris Christie, Governor 300 River View E. Steven Emanuel, Chief Information Officer Trenton, NJ 08625-0212 STATE OF NEW JERSEY IT CIRCULAR
More informationPlain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75
Plain English Guide To Common Criteria Requirements In The Field Device Protection Profile Version 0.75 Prepared For: Process Control Security Requirements Forum (PCSRF) Prepared By: Digital Bond, Inc.
More informationSecurity Testing & Load Testing for Online Document Management system
1 Security Testing & Load Testing for Online Document Management system Abstract The client is a leading provider of online technical documentation solutions in UK, they wanted to protect their documents
More informationBad Romance: Three Reasons Hackers <3 Your Web Apps & How to Break Them Up
Bad Romance: Three Reasons Hackers
More informationVulnerability Scanning & Management
Vulnerability Scanning & Management (An approach to managing the risk level of a vulnerability) Ziad Khalil 1, Mohamed Elammari 2 1 Higher Academy, 2 Rogue Wave Software Ottawa, Canada Abstract Vulnerability
More informationHost Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1
Host Hardening Presented by Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Background National Institute of Standards and Technology Draft Guide to General Server Security SP800-123 Server A
More informationPentests more than just using the proper tools
Pentests more than just using the proper tools Agenda 1. Information Security @ TÜV Rheinland 2. Penetration testing Introduction Evaluation scheme Security Analyses of web applications Internal Security
More informationDFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)
Title: Functional Category: Information Technology Services Issuing Department: Information Technology Services Code Number: xx.xxx.xx Effective Date: xx/xx/2014 1.0 PURPOSE 1.1 To appropriately manage
More informationWeb Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure
Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences
More informationSpigit, Inc. Web Application Vulnerability Assessment/Penetration Test. Prepared By: Accuvant LABS
Web Application Vulnerability Assessment/enetration Test repared By: Accuvant LABS November 20, 2012 Web Application Vulnerability Assessment/enetration Test Introduction Defending the enterprise against
More informationComplete Web Application Security. Phase1-Building Web Application Security into Your Development Process
Complete Web Application Security Phase1-Building Web Application Security into Your Development Process Table of Contents Introduction 3 Thinking of security as a process 4 The Development Life Cycle
More informationNetwork Test Labs (NTL) Software Testing Services for igaming
Network Test Labs (NTL) Software Testing Services for igaming Led by committed, young and dynamic professionals with extensive expertise and experience of independent testing services, Network Test Labs
More informationPCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics
PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics About Us Matt Halbleib CISSP, QSA, PA-QSA Manager PCI-DSS assessments With SecurityMetrics for 6+ years SecurityMetrics Security
More informationHow to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP
How to start a software security initiative within your organization: a maturity based and metrics driven approach Marco Morana OWASP Lead/ TISO Citigroup OWASP Application Security For E-Government Copyright
More informationSecure Code Development
ISACA South Florida 7th Annual WOW! Event Copyright Elevate Consult LLC. All Rights Reserved 1 Agenda i. Background ii. iii. iv. Building a Business Case for Secure Coding Top-Down Approach to Develop
More informationSmart (and safe) Lighting:
Smart (and safe) Lighting: An Overview of Cyber Security October 29, 2015 Jason Brown CISO, Merit Network Agenda 2 The New Normal Discuss Methodologies of Security Recap Q & A Target Hack 3 40,000 credit
More informationKASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com
KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global
More informationCORE Security and the Payment Card Industry Data Security Standard (PCI DSS)
CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) Addressing the PCI DSS with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com
More informationIntroduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006
Introduction to Web Application Security Microsoft CSO Roundtable Houston, TX September 13 th, 2006 Overview Background What is Application Security and Why Is It Important? Examples Where Do We Go From
More informationOverview Commitment to Energy and Utilities Robert Held Sr. Systems Engineer Strategic Energy August 2015
Overview Commitment to Energy and Utilities Robert Held Sr. Systems Engineer Strategic Energy August 2015 Tripwire Evolution 18+ Years of Innovation 1997 Tripwire File System Monitoring from open source
More informationCloud Security:Threats & Mitgations
Cloud Security:Threats & Mitgations Vineet Mago Naresh Khalasi Vayana 1 What are we gonna talk about? What we need to know to get started Its your responsibility Threats and Remediations: Hacker v/s Developer
More informationCreating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011 Agenda Evolving Threats Operating System Application User Generated Content JPL s Application Security Program Securing
More informationTurning the Battleship: How to Build Secure Software in Large Organizations. Dan Cornell May 11 th, 2006
Turning the Battleship: How to Build Secure Software in Large Organizations Dan Cornell May 11 th, 2006 Overview Background and key questions Quick review of web application security The web application
More informationWeb Application Penetration Testing
Web Application Penetration Testing 2010 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Will Bechtel William.Bechtel@att.com
More informationIs your business prepared for Cyber Risks in 2016
Is your business prepared for Cyber Risks in 2016 The 2016 GSS Find out Security with the Assessment Excellus BCBS customers hurt by security breach Hackers Access 80 Mn Medical Records At Anthem Hackers
More informationAdobe Systems Incorporated
Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...
More informationBUILDING AN OFFENSIVE SECURITY PROGRAM BUILDING AN OFFENSIVE SECURITY PROGRAM
BUILDING AN OFFENSIVE SECURITY PROGRAM Common Gaps in Security Programs Outsourcing highly skilled security resources can be cost prohibitive. Annual assessments don t provide the coverage necessary. Software
More informationManaging Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services
Managing Vulnerabilities for PCI Compliance White Paper Christopher S. Harper Managing Director, Agio Security Services PCI STRATEGY Settling on a PCI vulnerability management strategy is sometimes a difficult
More informationSecure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda
Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current
More informationWeb Application Security
Chapter 1 Web Application Security In this chapter: OWASP Top 10..........................................................2 General Principles to Live By.............................................. 4
More informationSNS Funding and IT Strategic Plan
FY 07-08 IT Budget Proposal IST: Systems & Network Security (SNS) ABBA Category One: Institutional Effectiveness ABBA Category Two: Information Technology For more information about this proposal, contact:
More informationThe Value of Vulnerability Management*
The Value of Vulnerability Management* *ISACA/IIA Dallas Presented by: Robert Buchheit, Director Advisory Practice, Dallas Ricky Allen, Manager Advisory Practice, Houston *connectedthinking PwC Agenda
More informationFour Top Emagined Security Services
Four Top Emagined Security Services. www.emagined.com Emagined Security offers a variety of Security Services designed to support growing security needs. This brochure highlights four key Emagined Security
More informationApplication Security Best Practices. Wally LEE <wally.lee@scs.com.sg> Principal Consultant
Application Security Best Practices Wally LEE Principal Consultant 17/18 March 2009 Speaker Profile Wally LEE CISSP BS7799 Lead Auditor Certified Ultimate Hacking Instructor Certified
More informationThreat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP
Threat Modeling Categorizing the nature and severity of system vulnerabilities John B. Dickson, CISSP What is Threat Modeling? Structured approach to identifying, quantifying, and addressing threats. Threat
More informationPromoting Application Security within Federal Government. AppSec DC November 13, 2009. The OWASP Foundation http://www.owasp.org
Promoting Application Security within Federal Government AppSec DC November 13, 2009 Dr. Sarbari Gupta, CISSP, CISA Founder/President Electrosoft sarbari@electrosoft-inc.com 703-437-9451 ext 12 The Foundation
More informationHow to Build a Trusted Application. John Dickson, CISSP
How to Build a Trusted Application John Dickson, CISSP Overview What is Application Security? Examples of Potential Vulnerabilities Strategies to Build Secure Apps Questions and Answers Denim Group, Ltd.
More informationFinal Audit Report -- CAUTION --
U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management
More informationSecure Web Applications. The front line defense
Secure Web Applications The front line defense Agenda Web Application Security Threat Overview Exploiting Web Applications Common Attacks & Preventative techniques Developing Secure Web Applications -Security
More informationInfrastructure Information Security Assurance (ISA) Process
Infrastructure Information Security Assurance (ISA) Process Handbook AS-805-B March 2005 Transmittal Letter A. Explanation. As part of the Postal Service s efforts to enhance security across all technology
More informationHow to achieve PCI DSS Compliance with Checkmarx Source Code Analysis
How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis Document Scope This document aims to assist organizations comply with PCI DSS 3 when it comes to Application Security best practices.
More informationPatch and Vulnerability Management Program
Patch and Vulnerability Management Program What is it? A security practice designed to proactively prevent the exploitation of IT vulnerabilities within an organization To reduce the time and money spent
More informationUsing Free Tools To Test Web Application Security
Using Free Tools To Test Web Application Security Speaker Biography Matt Neely, CISSP, CTGA, GCIH, and GCWN Manager of the Profiling Team at SecureState Areas of expertise: wireless, penetration testing,
More informationRemote Access Procedure. e-governance
for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S/L Type of Information Document
More informationEnterprise Application Security Program
Enterprise Application Security Program GE s approach to solving the root cause and establishing a Center of Excellence Darren Challey GE Application Security Leader Agenda Why is AppSec important? Why
More informationPerforming a Web Application Security Assessment
IBM Software Group Performing a Web Application Security Assessment 2007 IBM Corporation Coordinate the Time of the Audit Set up a time window with the application owner Inform your security team Inform
More informationWEB APPLICATION VULNERABILITY STATISTICS (2013)
WEB APPLICATION VULNERABILITY STATISTICS (2013) Page 1 CONTENTS Contents 2 1. Introduction 3 2. Research Methodology 4 3. Summary 5 4. Participant Portrait 6 5. Vulnerability Statistics 7 5.1. The most
More informationWebGoat for testing your Application Security tools
WebGoat for testing your Application Security tools NAISG-DFW February 28 th, 2012 Michael A Ortega, CISSP CEH CISM GCFA Sr Application Security Professional IBM Security Systems 312.523.1538 maortega@us.ibm.com
More informationFrom Rivals to BFF: WAF & VA Unite OWASP 07.23.2009. The OWASP Foundation http://www.owasp.org
From Rivals to BFF: WAF & VA Unite 07.23.2009 Brian Contos, Chief Security Strategist Imperva Inc. brian.contos@imperva.com +1 (650) 832.6054 Copyright The Foundation Permission is granted to copy, distribute
More informationVirtualization System Security
Virtualization System Security Bryan Williams, IBM X-Force Advanced Research Tom Cross, Manager, IBM X-Force Security Strategy 2009 IBM Corporation Overview Vulnerability disclosure analysis Vulnerability
More informationCS 356 Lecture 25 and 26 Operating System Security. Spring 2013
CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control
More informationMore Than A Microsoft World. Marc Maiffret Co-Founder Chief Hacking Officer
More Than A Microsoft World Marc Maiffret Co-Founder Chief Hacking Officer The eeye Marketing Slide We Make Security Software Retina Network Security Scanner Blink Host Based Security REM Enterprise Vulnerability/Threat
More informationVulnerability Management
Vulnerability Management Buyer s Guide Buyer s Guide 01 Introduction 02 Key Components 03 Other Considerations About Rapid7 01 INTRODUCTION Exploiting weaknesses in browsers, operating systems and other
More informationOut of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet
Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development
More informationPenetration Test Report
Penetration Test Report Acme Test Company ACMEIT System 26 th November 2010 Executive Summary Info-Assure Ltd was engaged by Acme Test Company to perform an IT Health Check (ITHC) on the ACMEIT System
More informationTHE TOP 4 CONTROLS. www.tripwire.com/20criticalcontrols
THE TOP 4 CONTROLS www.tripwire.com/20criticalcontrols THE TOP 20 CRITICAL SECURITY CONTROLS ARE RATED IN SEVERITY BY THE NSA FROM VERY HIGH DOWN TO LOW. IN THIS MINI-GUIDE, WE RE GOING TO LOOK AT THE
More informationIceCube Cybersecurity Improvement Plan Recommendations to Enhance IceCube s Cybersecurity Program
Blue bar should align at far right with the far right text of the title IceCube Cybersecurity Improvement Plan Recommendations to Enhance IceCube s Cybersecurity Program January 2014 Version 1.0 For Public
More informationDANNY ALLAN, STRATEGIC RESEARCH ANALYST. A whitepaper from Watchfire
WEB APPLICATION SECURITY: AUTOMATED SCANNING OR MANUAL PENETRATION TESTING? DANNY ALLAN, STRATEGIC RESEARCH ANALYST A whitepaper from Watchfire TABLE OF CONTENTS Introduction... 1 History... 1 Vulnerability
More informationABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST
ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST Performed Between Testing start date and end date By SSL247 Limited SSL247 Limited 63, Lisson Street Marylebone London
More informationNETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS
NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities
More information