Improving Software Security at the Source
Greg Snyder
Privacy & Security, RIT
January 28, 2006
Abstract

While computer security has become a major focus of information technology professionals because of patching and networking, a major source of computer security issues has been consistently overlooked. The software development lifecycle needs to be analyzed to determine what is allowing flawed software to be produced, and whether anything can be done to fix it.

With the internet connecting millions of individuals, the storing, processing, and transfer of information has become more rapid than ever. However, these great benefits also have a darker side when information is stolen, corrupted, or erased.

Current Computer Security

Current computer security is based on three goals: confidentiality, integrity, and availability (Confidentiality, Integrity, Availability). Confidentiality refers to allowing only authorized users to access information and preventing unauthorized users from accessing it. Currently, confidentiality is based on verification through something you know, something you are, or something you have (Cieslak). Something you know is a password, PIN number, or something similar. Something you are is biometric identification, such as your fingerprints or an iris scan. Something you have is a key or an access card. Software currently relies mainly on passwords (something you know); however, there has been a move towards biometrics (something you are). These systems generally run in parallel instead of as a two-tiered verification. Integrity refers to the reliability of the information: if the information has been tainted, all extrapolations from it are invalid. Availability is the ability to access the information itself. If a company's website is experiencing a denial of service attack, the website's availability to its customers has been compromised.

In order to combat this, on the second Tuesday of every month system administrators panic and work long hours, interrupting coworkers and costing them valuable hours of productivity. Patch Tuesday, as it has become known, is when Microsoft releases the latest patches to fix yet another critical software flaw. However, it's unfair to single out Microsoft when a slew of software from companies with names such as 3Com, Adobe, AOL, Apple, AT&T, and Cisco, to name a small number, has had critical software security flaws (United States Computer Emergency Readiness Team). The solution to maintaining confidentiality, integrity, and availability has been to patch the software when a vulnerability is known to exist; however, there is still a time period before the software is patched when it is vulnerable. When this flawed software is connected to the internet it becomes accessible to millions of individuals, dramatically increasing the chances that someone will try to exploit a bug. The problem of the internet exposing software was met with the solution of firewalls, which don't block all attacks, so intrusion detection systems were deployed, but some attacks can get around those also (McAfee). This results in a constant cycle of penetrating attacks and patching. All of these systems are reactionary to problems as they arise and don't address the real issue.

The Problem

Over fifty percent of exploits in the CERT vulnerability database are buffer overflows (McAfee). A buffer overflow is an anomalous condition where a process attempts to store more data in a buffer than there is memory allocated for it, causing the extra data to overwrite adjacent memory locations. The overwritten data may include other buffers, variables, and program flow data (Wikipedia Buffer Overflow). To exploit this flaw, a malicious user will overwrite a variable to change the behavior of a program, or overwrite a return address on the stack so that it points to code the attacker wants to execute (Wikipedia Buffer Overflow). There are four major reasons why the buffer overflow is so dangerous: buffer overflows are easy to exploit, unchecked buffers are extremely common, many buffer overflow exploits give administrator-level access to the machine, and current security measures are ineffective against buffer overflows (McAfee). Many programming languages raise exceptions on a buffer overflow; however, the most popular languages, C and C++, do not protect against it (Wikipedia Buffer Overflow). The simple solution to prevent buffer overflows is bounds checking, which the compiler can accomplish depending on the language, or the programmer can add code to do it.
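The paragraph above describes the defect in the abstract; the following C program, an added example that is not part of Snyder's paper, puts the unchecked copy beside the bounds-checked form the paper recommends. The `struct session` layout, `NAME_LEN`, and the sample inputs are constructed for illustration and come from no real program.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: a fixed-size buffer immediately followed by a piece
 * of program state. This adjacency is the reason an overflow of `name`
 * is dangerous, as the paper explains; it is an assumption for this
 * example, not a layout taken from any real code. */
#define NAME_LEN 16

struct session {
    char name[NAME_LEN];   /* fixed-size buffer */
    int  is_admin;         /* adjacent program-flow data, normally 0 */
};

/* The unchecked form. strcpy() copies until it finds the source's
 * terminating NUL and never consults sizeof(s->name): a name of NAME_LEN
 * or more characters runs past the buffer into is_admin and beyond.
 * Shown only for comparison; this file never calls it with oversized
 * input, because doing so is undefined behaviour. */
void set_name_unchecked(struct session *s, const char *name)
{
    strcpy(s->name, name);
}

/* The bounds-checked form: the check C's compiler will not do for you.
 * Copies and returns 1 if the name plus its NUL fits; otherwise leaves
 * the session untouched and returns 0 so the caller can reject the
 * input instead of silently truncating it. */
int set_name_checked(struct session *s, const char *name)
{
    size_t len = strlen(name);
    if (len >= sizeof s->name)   /* >= because one byte is needed for the NUL */
        return 0;
    memcpy(s->name, name, len + 1);
    return 1;
}

/* Pure length predicate: would an unchecked copy of `src` into a buffer
 * of `dst_size` bytes write past its end? This is the question a code
 * review, or a scanner such as the ones the paper lists, is asking of
 * every strcpy() it finds. */
int would_overflow(const char *src, size_t dst_size)
{
    return strlen(src) + 1 > dst_size;
}

/* Constructed inputs: two that fit, two that do not. */
const char *const SAMPLE_INPUTS[] = {
    "alice",                                                    /* fits */
    "a_name_of_15chr",                                          /* 15 chars: exactly fits */
    "sixteen_chars_ab",                                         /* 16 chars: rejected */
    "a much longer string that would run well past the buffer", /* rejected */
};
const size_t SAMPLE_COUNT = sizeof SAMPLE_INPUTS / sizeof SAMPLE_INPUTS[0];

/* Feed every input through the checked path into one session and report
 * how many were accepted. is_admin must still be 0 afterwards; with the
 * checked copy it cannot be touched no matter what the inputs are. */
int count_accepted(const char *const *inputs, size_t n, int *admin_after)
{
    struct session s;
    int accepted = 0;
    memset(&s, 0, sizeof s);
    for (size_t i = 0; i < n; i++)
        accepted += set_name_checked(&s, inputs[i]);
    *admin_after = s.is_admin;
    return accepted;
}

int main(void)
{
    struct session s;
    int admin = -1;

    /* On friendly input both forms behave identically, which is why the
     * defect survives testing that never tries an oversized value. */
    memset(&s, 0, sizeof s);
    set_name_unchecked(&s, "alice");
    printf("unchecked copy of \"alice\": name=%s is_admin=%d\n", s.name, s.is_admin);

    int ok = count_accepted(SAMPLE_INPUTS, SAMPLE_COUNT, &admin);
    printf("checked copy accepted %d of %zu inputs, is_admin=%d\n",
           ok, SAMPLE_COUNT, admin);
    printf("strcpy of 16 chars into %d bytes would overflow: %d\n",
           NAME_LEN, would_overflow("sixteen_chars_ab", NAME_LEN));
    return 0;
}
```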
So a majority of computer security problems can be traced back to errors in programming. The reason these errors occur is the complexity of software, with numerous programmers all contributing code to a project, and now some code being computer generated (Usher). Also, it doesn't just have to be mistakes that result in security flaws: poor quality leads to security problems just as the unplanned use of well-coded features can (Usher). Bruce Schneier and Adam Shostack sum up the relationship between complexity and security: "complexity is the worst enemy of security, and systems that are loaded with features, capabilities, and options are much less secure than simple systems that do a few things reliably" (Schneier). To remain competitive, software manufacturers are releasing software in the bleeding-edge phase, in which products are less reliable (Suppa). To summarize, a majority of software flaws occur due to poor quality programming, unnecessary complexity, and the constant push for bleeding-edge products.

Software Development

With so many flaws resulting from development, there are a number of steps that need to be addressed to lower the number of flaws in programs. One step is to take a security-oriented approach to the software development life cycle. At section 3.1, phase one, a preliminary threat and risk assessment should be performed along with identifying the security requirements based on the three goals of confidentiality, integrity, and availability (Gupta). One of the considerations that should also take place in phase one is the regulatory environment; it should be determined whether laws such as HIPAA need to be taken into consideration (Gupta). At section 3.2, phase two, the architecture and design phase, analysis for risks, threats, and vulnerabilities should be done, along with planning for mitigating these issues (Gupta). This is a very important phase; generally most projects fall behind schedule, and to make up time, consideration of security is sacrificed. Sufficient resources must be given to ensure that security is implemented in the software development life cycle (Gupta). At section 3.3, phase three, software coding, coding and code submission practices should be strictly followed. This section includes unit testing the code and conducting code reviews. As mentioned previously, many software projects fall behind schedule, and important steps such as unit testing and code reviews are dropped to meet deadlines that were optimistically set.

Luckily, there are a number of software tools to expedite testing. PScan is a C scanner that will find buffer overflow and format string attack exploits (La). Flawfinder is another C scanner that uses an internal database and can find the same errors as PScan along with a few others, such as race conditions and system calls (La). The Rough Auditing Tool for Security can scan C, C++, Perl, PHP, and Python; it looks for common buffer overflows and race conditions and generates HTML reports (La). Splint is another C scanner like the others, but it also checks for coding mistakes, style mistakes, undeclared variables, proper return statements, and missing arguments (La). ESC/Java is a Java scanner that searches for errors at compile time such as null dereferences, has modular checking techniques, and can scan libraries with no subclasses defined (La). Finally, MOPS is a C scanner that enforces the sequence of operations; for example, root should drop its privilege before executing an untrusted program (La).

At section 3.4, phase four, test and verification, vulnerability and threat testing should be done to try to find any flaws that were not previously found (Gupta). While checking that the software meets the customer's requirements, the mitigation techniques that were implemented should also be thoroughly tested to ensure they did not cause any unknown flaws (Gupta). Finally, at section 3.5, phase five, the deployment and maintenance phase, continuing identification of any security issues should be done, with corrections to those issues (Gupta). This is the classic patch cycle referred to earlier; however, it is impossible to ship a software system that is completely secure (Gupta). The security-oriented approach to the software development life cycle results in a dramatic decrease in the number of bugs in the software that can be exploited, yet there will always be bugs.

Another way that security can be increased in development is by combining the extreme programming process and the capability maturity model. The capability maturity model outlines what to do to create quality software, and the extreme programming process tells developers how to do it (Usher). While many view a security-oriented approach to software development as costly and time consuming, the resulting higher quality program will result in a satisfied consumer and cost savings for the developer in not having to release as many patches. In summary, the existing software development models do not need to be changed; a more security-oriented approach to the current processes can accomplish it.

Other Considerations

One major risk to the security-oriented approach to software development is the issue of outsourcing. Outsourcing is defined as "the delegation of non-core operations or jobs from internal production within a business to an external entity (such as a subcontractor) that specializes in that operation" (Wikipedia Outsourcing). One reason outsourcing is such a risk is the loss of control: you are handing control of development to another company (Ramer). Another issue with the loss of control is that testing is done to ensure the delivered product meets requirements; however, rarely is the code inspected for secret back doors or other built-in security vulnerabilities (Ramer). Another issue with outsourcing is clashing security policies and procedures (Ramer). Another company's policies and procedures are unlikely to be the same, and ensuring that the ones followed by your company are followed by another company can only be confirmed through constant audits (Ramer). A third threat involving outsourcing is to intellectual property: you are sharing sensitive information about your company with another company (Ramer). Many secondary companies may also perform work for a direct competitor, and accidental or even deliberate sharing of information may possibly occur; the risk of this must be taken into consideration when considering outsourcing. The final security problems with outsourcing are legal issues: with companies in other states or even countries, different laws apply (Ramer). When considering outsourcing, companies should understand that they will not be able to obtain the level of security that they can internally, but they can define what security should be followed in the requirements and check that it is being met by audits.

Conclusion

With computer security being a major issue of the modern world, some easy steps can be taken to cut down on the number of vulnerabilities. Making security a key priority in the development of software will cut down on a significant number of flaws that can be found in software. However, there will always be flaws in software and the cycle of patching, but to lessen the volume at which it happens would be a significant gain. It is not an easy path to follow; more time needs to be given for projects, and cost cutting techniques such as outsourcing need to be reevaluated to see if their short term benefit outweighs the long term benefit of better quality software. While preventing flaws from occurring at the source will help, software security will continue to be a significant issue in the coming years.
Bibliography

Cieslak, David M. "Why authentication technology can help your business." Microsoft. 22 Jan. < ntication_technology_can_help_your_business.mspx>.

"Confidentiality, Integrity, Availability." University of Miami Ethics Programs, Privacy / Data Protection Project. 11 May 2005 < bility.htm>.

Gupta, Sandeep. "A Proactive Approach To Information Security." SANS. 24 July.

La, Thien. "Secure Software Development and Code Analysis Tools." SANS. 30 Sept.

McAfee. "Server Protection for Today and Tomorrow." Dec. < ontodaytomorrow.pdf>.

Ramer, Rob. "The Security Challenges of Offshore Development." SANS. 26 Sept.

Schneier, Bruce, and Adam Shostack. "Results, Not Resolutions: A Guide to Judging Microsoft's Security Progress." 24 Jan.

Suppa, Carly. "Computer theft hits CCRA." Computer World Canada 17 October 2003 (2003): 1, 3.

United States Computer Emergency Readiness Team. "Vulnerability Notes Database." 22 Jan.

Usher, Robert W. "Improving Software Security During Development." SANS. 26 March 2002.

Wikipedia. "Outsourcing." 22 Jan.

Wikipedia. "Buffer overflow." 22 Jan.
More informationIBM Managed Security Services Vulnerability Scanning:
IBM Managed Security Services August 2005 IBM Managed Security Services Vulnerability Scanning: Understanding the methodology and risks Jerry Neely Network Security Analyst, IBM Global Services Page 2
More informationSecurity aspects of e-tailing. Chapter 7
Security aspects of e-tailing Chapter 7 1 Learning Objectives Understand the general concerns of customers concerning security Understand what e-tailers can do to address these concerns 2 Players in e-tailing
More informationFINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES
Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that
More informationAdobe Systems Incorporated
Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...
More informationPenetration Testing. Presented by
Penetration Testing Presented by Roadmap Introduction to Pen Testing Types of Pen Testing Approach and Methodology Side Effects Demonstration Questions Introduction and Fundamentals Penetration Testing
More informationHow Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER
WHITE PAPER CHALLENGES Protecting company systems and data from costly hacker intrusions Finding tools and training to affordably and effectively enhance IT security Building More Secure Companies (and
More informationCisco Advanced Services for Network Security
Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs
More informationA Decision Maker s Guide to Securing an IT Infrastructure
A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose
More informationDeep Security Intrusion Detection & Prevention (IDS/IPS) Coverage Statistics and Comparison
Deep Security Intrusion Detection & Prevention (IDS/IPS) Trend Micro, Incorporated A technical brief summarizing vulnerability coverage provided by Deep Security. The document also outlines a comparison
More informationHow To Manage Web Content Management System (Wcm)
WEB CONTENT MANAGEMENT SYSTEM February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in
More informationCS52600: Information Security
CS18000: Programming I CS52600: Information Security Vulnerability Analysis 15 November 2010 Prof. Chris Clifton Vulnerability Analysis Vulnerability: Lapse in enforcement enabling violation of security
More informationOPEN SOURCE SECURITY
OPEN SOURCE SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without
More informationSecrets of Vulnerability Scanning: Nessus, Nmap and More. Ron Bowes - Researcher, Tenable Network Security
Secrets of Vulnerability Scanning: Nessus, Nmap and More Ron Bowes - Researcher, Tenable Network Security 1 About me Ron Bowes (@iagox86) My affiliations (note: I m here to educate, not sell) 2 SkullSpace
More informationComputer Software Bugs and Other IT Threats to Critical Infrastructure: A Preliminary Set of Considerations for IT Governance
Computer Software Bugs and Other IT Threats to Critical Infrastructure: A Preliminary Set of Considerations for IT Governance Presentation for the Seventh European Academic Conference on Internal Audit
More informationADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT
ADDING NETWORK INTELLIGENCE INTRODUCTION Vulnerability management is crucial to network security. Not only are known vulnerabilities propagating dramatically, but so is their severity and complexity. Organizations
More informationAutomatic vs. Manual Code Analysis
Automatic vs. Manual Code Analysis 2009-11-17 Ari Kesäniemi Senior Security Architect Nixu Oy ari.kesaniemi@nixu.com Copyright The Foundation Permission is granted to copy, distribute and/or modify this
More informationAttachment A. Identification of Risks/Cybersecurity Governance
Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year
More informationApplication Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group
Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group Overview What is Application Security? Examples of Potential Vulnerabilities Potential Strategies
More informationPENETRATION TESTING GUIDE. www.tbgsecurity.com 1
PENETRATION TESTING GUIDE www.tbgsecurity.com 1 Table of Contents What is a... 3 What is the difference between Ethical Hacking and other types of hackers and testing I ve heard about?... 3 How does a
More informationAPPLICATION SECURITY RESPONSE: WHEN HACKERS COME A-KNOCKING
APPLICATION SECURITY RESPONSE: WHEN HACKERS COME A-KNOCKING Katie Moussouris Senior Security Strategist Microsoft Security Response Center http://twitter.com/k8em0 (that s a zero) Session ID: ASEC-T18
More informationWeb Application Security
Chapter 1 Web Application Security In this chapter: OWASP Top 10..........................................................2 General Principles to Live By.............................................. 4
More informationReducing Application Vulnerabilities by Security Engineering
Reducing Application Vulnerabilities by Security Engineering - Subash Newton Manager Projects (Non Functional Testing, PT CoE Group) 2008, Cognizant Technology Solutions. All Rights Reserved. The information
More informationPenetration Testing Report Client: Business Solutions June 15 th 2015
Penetration Testing Report Client: Business Solutions June 15 th 2015 Acumen Innovations 80 S.W 8 th St Suite 2000 Miami, FL 33130 United States of America Tel: 1-888-995-7803 Email: info@acumen-innovations.com
More informationCutting Edge Practices for Secure Software Engineering
Cutting Edge Practices for Secure Software Engineering Kanchan Hans Amity Institute of Information Technology Amity University, Noida, 201301, India khans@amity.edu Abstract Security has become a high
More informationPCI Solution for Retail: Addressing Compliance and Security Best Practices
PCI Solution for Retail: Addressing Compliance and Security Best Practices Executive Summary The Payment Card Industry (PCI) Data Security Standard has been revised to address an evolving risk environment
More informationThe Security Development Lifecycle
The Security Development Lifecycle Steven B. Lipner Director of Security Engineering Strategy Security Business and Technology Unit Microsoft Corporation Context and History 1960s penetrate and patch 1970s
More informationIT Compliance Volume II
The Essentials Series IT Compliance Volume II sponsored by by Rebecca Herold Security Products Must Be Secure by Rebecca Herold, CIPP, CISSP, CISA, CISM, FLMI April 2007 Software Vulnerabilities in the
More informationREPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB
REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB Conducted: 29 th March 5 th April 2007 Prepared By: Pankaj Kohli (200607011) Chandan Kumar (200607003) Aamil Farooq (200505001) Network Audit Table of
More information