Open Software and Trust Better Than Free? April 28, 2015 Start Time: 9am US Pacific /12 noon US Eastern/ 5pm London Time
Slide 1: Open Software and Trust: Better Than Free? April 28, 2015. Start Time: 9am US Pacific / 12 noon US Eastern / 5pm London Time.

Slide 2: Sponsored by: #ISSAWebConf

Slide 3: Welcome. Conference Moderator: Phillip Griffin, CISM, ISSA Fellow, and ISSA Educational Advisory Council Member. April 28, 2015. Start Time: 9am US Pacific / 12pm US Eastern / 5pm London Time.

Slide 4: Speaker Introduction. Mark Kadrich, Chief Information Security & Privacy Officer, San Diego Health Connect. Tim Jarrett, Director, Enterprise Security Strategy, Veracode. Remember to type your question in the Chat area of your screen. You may need to click on the double arrows to open this function.

Slide 5: Open Software and Trust: Better than Free? Mark Kadrich, Chief Information Security & Privacy Officer, San Diego Health Connect.
Slide 6: Another Model. Medical TV shows: medical procedures, advice, advised by experts; popularity waning, but still viewed by millions! Legal TV shows: courtroom procedures, legal descriptions of crimes, forensic investigations, advised by experts.

Slide 7: Some Medical Numbers. Grey's Anatomy (4.5): 5.85 million viewers! Discusses and depicts medical procedures every week; Dr. Allan Hamilton, neurosurgeon and medical advisor. Doctor Oz (1.6): 2.08 million viewers! Viewer rating of 7.2 (people LOVE him); medical advice by a doctor! Some issues, but people STILL watch. Sharing of information via social networks.

Slide 8: Some Legal Numbers. Law & Order franchise (1.64), NCIS franchise ( ), CSI franchise ( ): HOLY COW BATMAN, OVER 20 MILLION VIEWERS!

Slide 9: Some Statistics. 18.5* million software developers in the world: 11 million are professionals, 7.5 million are hobbyists. 7.7 million physicians in the world: 7.7 million are professionals, 0.0 million are hobbyists. 1.3 million lawyers in the US ALONE: 1 million are active; unknown how many hobbyist lawyers there are... a man who is his own lawyer has a fool for a client. *Source: TechRepublic.

Slide 10: Why This Is Important. Because you have: good, fast coders; good, slow coders; bad, fast coders; bad, slow coders. Where do you think the largest population of coders is?
Slide 11: Argument for Open Source Security. Many eyes looking at code; the open nature of the code means better security; obfuscation isn't a good security plan.

Slide 12: Open Means Free Range. No guarantee of security tools; no assurance of review; no agreed-upon metrics; no measurable level of quality.

Slide 13: Closed Code Statistics. 85% of bugs are removed from code before release. Average is errors per KLOC; MS has reduced this to per KLOC in-house; MS has further reduced this to 0.5 per KLOC. Linux has 10M LOC, or potentially 5000 errors...

Slide 14: It's About Trust. To really trust code you must have a rigorous testing and validation methodology. Shuttle code had ZERO errors in 500,000 lines of code. "Harlan Mills pioneered 'cleanroom development', a technique that has been able to achieve rates as low as 3 defects per 1000 lines of code during in-house testing and 0.1 defect per 1000 lines of code in released product (Cobb and Mills 1990). A few projects - for example, the space shuttle software - have achieved a level of 0 defects in 500,000 lines of code using a system of formal development methods, peer reviews, and statistical testing."
Slide 15: Thank You! Mark Kadrich, Chief Information Security & Privacy Officer, San Diego Health Connect.

Slide 16: Question and Answer. Mark S. Kadrich, CISO & Privacy Officer, San Diego Health Connect. To ask a question, type your question in the Chat area of your screen. You may need to click on the double arrows to open this function. #ISSAWebConf

Slide 17: Thank you! Mark S. Kadrich, CISO & Privacy Officer, San Diego Health Connect.

Slide 18: Open Software and Trust: Better Than Free? Tim Jarrett, Director, Enterprise Security Strategy, VERACODE. #ISSAWebConf

Slide 19: 2014: The year of open software bugs.
Slide 20: Heartbleed. Remotely exploitable information leak vulnerability in OpenSSL. Allows attackers to steal credentials, private keys, emails, and other sensitive data. Web applications provide the critical attack vector, but it could be on any system. Observed frequency: 1 in 3600 web sites. About 34% of organizations tested had at least one vulnerable site.

Slide 21: Shellshock. Remotely exploitable application-layer vulnerability in Bash. Allows attackers to run arbitrary code on the target system (totally controlling it). Web applications provide the critical attack vector, but it could be on any system. Observed frequency: 1 in 450 web applications.

Slide 22: For context. Bar chart of vulnerability prevalence (y-axis 0.00% to 6.00%): Heartbleed 0.03%, Shellshock 0.22%, SQL Injection 5.65%. SQL Injection prevalence data source: Veracode dynamic scan data, authenticated and unauthenticated scans,

Slide 23: So why are these bugs such a big deal??? Chosen attack = (Likelihood of success × Reward) / Effort
Slides 24, 25, 26: "Also", "And", "And" (image-only slides).

Slide 27: Why doesn't my ... catch this? Antivirus: because these aren't malicious programs, they're parts of programs you (and your organization) use every day, and there's no signature you can scan for. Source code scanner: because these vulnerabilities are generally in compiled libraries that your developers include and don't have source for.

Slide 28: Successful approaches: web vulnerability scanning, software composition analysis, static analysis.
Slide 29: Web vulnerability scanning
- Uses web scanning (making browsing requests, filling out forms) to find known vulnerabilities
- Example products: Qualys, Veracode
- Benefits: requires no developer involvement; looks for component vulnerabilities the same way they'll be exploited; covers server-side or app vulns
- Drawbacks: imprecise identification of vulnerable components (must use per-vulnerability attacks); requires good crawling

Slide 30: Software composition analysis
- Enumerates the known components used by applications and associates them with vulnerability data
- Example products: Sonatype, Veracode
- Benefits: comprehensive application coverage; generates an inventory that can be mined when new vulnerabilities appear
- Drawbacks: requires development team involvement; doesn't help for some vulnerabilities (e.g. Shellshock) that leverage components on the server

Slide 31: Static analysis
- Fully models all the paths of the application and looks for poor coding practices that can be exploited
- Example products: HP Fortify, Veracode
- Benefits: comprehensive application coverage; best way to find unsafe coding practices that enable exploitation of a server component vuln
- Drawbacks: requires development team involvement (usually); only good for some types of vulns (would miss Heartbleed)
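The static analysis slide says the tool looks for poor coding practices that can be exploited. The Python below is an added illustration, not code from the webinar or from HP Fortify or Veracode: a small AST-based checker that walks a constructed source snippet and flags two such practices, subprocess calls with shell=True (and the os.system/os.popen shell sinks) and eval()/exec() on dynamic input. It inspects direct call sites only; it does none of the whole-application path modelling the slide attributes to full products, which is what lets those products connect a tainted input to a sink.

```python
"""Toy static analyser: flag exploitable coding practices in Python source.
Added example, not a product from the slides. Only direct call sites are
inspected; there is no data-flow or path modelling."""
import ast

# Constructed source to analyse; the comments say which lines should be flagged.
SAMPLE_SOURCE = '''\
import subprocess
def run_user_cmd(arg):
    return subprocess.call("convert " + arg, shell=True)   # flagged: shell=True
def run_safely(arg):
    return subprocess.call(["convert", arg])                # not flagged
def compute(expr):
    return eval(expr)                                       # flagged: eval()
def literal_only():
    return subprocess.run("ls", shell=True)                 # flagged: shell=True (still a shell)
'''

SHELL_SINKS = {"os.system", "os.popen"}
DYNAMIC_CODE = {"eval", "exec"}


def dotted_name(func: ast.expr) -> str:
    """Rebuild 'subprocess.call' from a Name/Attribute chain; '' if it is not one."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return ""


class UnsafeCallFinder(ast.NodeVisitor):
    """Collects (line, rule) findings for every call site it visits."""

    def __init__(self) -> None:
        self.findings = []

    def visit_Call(self, node: ast.Call) -> None:
        name = dotted_name(node.func)
        if name in DYNAMIC_CODE:
            self.findings.append((node.lineno, f"{name}() executes dynamic code"))
        if name in SHELL_SINKS:
            self.findings.append((node.lineno, f"{name} invokes a shell"))
        if name.startswith("subprocess."):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.findings.append((node.lineno, f"{name} with shell=True"))
        self.generic_visit(node)  # keep walking into nested calls and arguments


def scan_source(source: str) -> list:
    """Parse the source and return findings as (line, rule) tuples sorted by line."""
    finder = UnsafeCallFinder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings)


if __name__ == "__main__":
    for line, rule in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: {rule}")
```

Run as a script it prints one finding per flagged line (3, 7 and 9 in the constructed sample). The list-form subprocess call on line 5 is correctly left alone, which is the point of the rule: the risk is the shell parsing a string, not the subprocess module itself.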
Slide 32: A scan is not enough
- Inventory: What components are my applications using?
- Policy: How do Security and development manage component security issues?
- Program: How does Security roll out the new standards to the organization?
- Plan: How will you respond when the next Heartbleed is found?
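Slides 30 and 32 rest on the same artefact: an inventory of components and versions that is matched against vulnerability data today and re-queried, without rescanning the application, when the next advisory lands. The Python below is an added example, not code from the webinar or from Sonatype or Veracode. It parses a constructed name==version manifest, matches it against constructed advisory records with placeholder ids, and then answers a later advisory from the saved inventory alone. The OpenSSL range (1.0.1 up to but not including 1.0.1g) mirrors Heartbleed's affected versions; the jsonparser and zlib records are invented for illustration.

```python
"""Minimal software composition analysis (SCA): build a component inventory
from a dependency manifest, match it against vulnerability records, and
re-query the saved inventory when a new advisory arrives. Added example; the
manifest, the advisory ids and most version ranges are constructed."""
from dataclasses import dataclass


def parse_version(text: str) -> tuple:
    """Split '1.0.1f' into ((1,''), (0,''), (1,'f')) so versions compare in order:
    numeric parts compare as integers and a letter suffix sorts after none."""
    parts = []
    for piece in text.strip().split("."):
        i = 0
        while i < len(piece) and piece[i].isdigit():
            i += 1
        digits, suffix = piece[:i], piece[i:]
        parts.append((int(digits) if digits else 0, suffix))
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # placeholder ids, not real CVE numbers
    component: str
    introduced: str       # first affected version (inclusive)
    fixed: str            # first fixed version (exclusive)
    summary: str

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed)


def parse_manifest(text: str) -> dict:
    """Read 'name==version' lines (comments and blanks ignored) into {name: version}.
    Unpinned entries are rejected: without a version there is nothing to match."""
    inventory = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency in manifest: {line}")
        inventory[name.strip().lower()] = version.strip()
    return inventory


def find_vulnerable(inventory: dict, advisories: list) -> list:
    """Return (component, version, advisory_id) for every inventory entry an advisory affects."""
    hits = []
    for adv in advisories:
        version = inventory.get(adv.component)
        if version is not None and adv.affects(version):
            hits.append((adv.component, version, adv.advisory_id))
    return sorted(hits)


# Constructed manifest for a hypothetical web application.
MANIFEST = """\
# pinned third-party components (constructed)
openssl==1.0.1f
libxml2==2.9.1
zlib==1.2.8
jsonparser==0.9.2   # hypothetical component
"""

ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-1", "openssl", "1.0.1", "1.0.1g",
             "TLS heartbeat over-read (Heartbleed affected 1.0.1 through 1.0.1f)"),
    Advisory("ADV-PLACEHOLDER-2", "jsonparser", "0.9.0", "0.9.3",
             "constructed advisory for the hypothetical component"),
]

# A later advisory: the saved inventory answers it without rescanning the app.
NEW_ADVISORY = Advisory("ADV-PLACEHOLDER-3", "zlib", "1.2.0", "1.2.9", "constructed advisory")


if __name__ == "__main__":
    inventory = parse_manifest(MANIFEST)
    print("inventory:", inventory)
    for hit in find_vulnerable(inventory, ADVISORIES):
        print("vulnerable:", hit)
    print("after new advisory:", find_vulnerable(inventory, [NEW_ADVISORY]))
```

The inventory is the reusable part: persist it per application and build, and the "Plan" question on slide 32 becomes a lookup rather than a fire drill. Real version schemes are messier than the dotted-plus-suffix form handled here, so a production tool normalises each ecosystem's scheme before comparing.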
Slide 33: THANK YOU

Slide 34: Thank You. Tim Jarrett, Director, Enterprise Security Strategy, VERACODE.

Slide 35: Question and Answer. Tim Jarrett, Director, Enterprise Security Strategy, VERACODE. To ask a question, type your question in the Chat area of your screen. You may need to click on the double arrows to open this function.

Slide 36: Thank you! Tim Jarrett, Director, Enterprise Security Strategy, VERACODE.

Slide 37: Open Panel with Audience Q&A. Mark Kadrich, Chief Information Security & Privacy Officer, San Diego Health Connect. Tim Jarrett, Director, Enterprise Security Strategy, VERACODE. To ask a question, type your question in the Chat area of your screen. You may need to click on the double arrows to open this function. #ISSAWebConf

Slide 38: Closing Remarks. I would like to thank Mark and Tim for lending their time and expertise to this ISSA Educational Program. Thank you to VERACODE for sponsoring this webinar. Thank you Citrix for donating the webcast service. #ISSAWebConf

Slide 39: CPE Credit. Within 24 hours of the conclusion of this webcast, you will receive a link via email to a post-Web Conference quiz. After successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits. On-Demand Viewers Quiz Link: Conference-April Open-Software-and-Trust- Better-Than-Free #ISSAWebConf
ESG Lab Review RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst Abstract: This ESG Lab review documents
More informationSoftware Security Testing
Software Security Testing Elizabeth Sanders Department of Electrical & Computer Engineering Missouri University of Science and Technology ejwxcf@mst.edu 2015 Elizabeth Sanders Pop Quiz What topics am I
More informationFive Steps to Achieve Risk-Based Application Security Management Make application security a strategically managed discipline
IBM Security Thought Leadership White Paper Five Steps to Achieve Risk-Based Application Security Management Make application security a strategically managed discipline July 2015 2 Five Steps to Achieve
More informationInfoSphere Guardium Tech Talk Data privacy and dynamic masking for web applications: InfoSphere Guardium for Applications
InfoSphere Guardium Tech Talk Data privacy and dynamic masking for web applications: InfoSphere Guardium for Applications Nick Briers, WW Product Manager Ariel Farkash, Lead Developer Logistics This tech
More informationBCS Bristol Autumn School Testing your App. Jim Thomas Director of Software Testing
BCS Bristol Autumn School Testing your App Jim Thomas Director of Software Testing TVS background TVS UK (2008) TVS Germany (2011) TVS France (2012) T&VS India (2011) Delivering tailored solutions for
More information應 用 SIEM 偵 測 與 預 防 APT 緩 攻 擊
應 用 SIEM 偵 測 與 預 防 APT 緩 攻 擊 HP Enterprise Security 林 傳 凱 (C. K. Lin) Senior Channel PreSales, North Asia HP ArcSight, Enterprise Security 1 Rise Of The Cyber Threat Enterprises and Governments are experiencing
More informationInteractive Application Security Testing (IAST)
WHITEPAPER Interactive Application Security Testing (IAST) The World s Fastest Application Security Software Software affects virtually every aspect of an individual s finances, safety, government, communication,
More informationABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST
ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST Performed Between Testing start date and end date By SSL247 Limited SSL247 Limited 63, Lisson Street Marylebone London
More informationIBM. Vulnerability scanning and best practices
IBM Vulnerability scanning and best practices ii Vulnerability scanning and best practices Contents Vulnerability scanning strategy and best practices.............. 1 Scan types............... 2 Scan duration
More informationBest Practices Top 10: Keep your e-marketing safe from threats
Best Practices Top 10: Keep your e-marketing safe from threats Months of work on a marketing campaign can go down the drain in a matter of minutes thanks to an unforeseen vulnerability on your campaign
More informationof firms with remote users say Web-borne attacks impacted company financials.
Introduction As the number of users working from outside of the enterprise perimeter increases, the need for more efficient methods of securing the corporate network grows exponentially. In Part 1 of this
More information