STATE OF WASHINGTON DEPARTMENT OF SOCIAL AND HEALTH SERVICES P.O. Box 45810, Olympia, Washington October 21, 2013
|
|
- Job Gyles Garrison
- 8 years ago
- Views:
Transcription
1 STATE OF WASHINGTON DEPARTMENT OF SOCIAL AND HEALTH SERVICES P.O. Box 45810, Olympia, Washington October 21, 2013 To: RE: All Vendors Request for Information (RFI) The State of Washington, Department of Social and Health Services (DSHS) is requesting information from the vendor community regarding methods and solutions to provide high quality yet cost effective vulnerability code and database scanning. The purpose of this RFI is to gain knowledge of solutions available for source code and database vulnerability scanning. This RFI should not be construed as intent, commitment, or a promise to acquire services or solutions offered. Any prices or estimates provided are non-binding and should only reflect general prices readily available in a commercial environment. No contract will result from any response to this RFI. 1. OVERVIEW AND PURPOSE OF THIS REQUEST FOR INFORMATION: Currently, DSHS has no automated solution for code scanning and database vulnerability scanning, and relies on manual peer review and automated vulnerability/penetration testing of web-facing applications, and peer review for database implementations. Best practice for IT security requires multiple layers of defense; DSHS would like to augment the current practices. This RFI is an opportunity for the vendor community to provide creative and affordable solutions to remedy DSHS s lack of automated code scanning and database vulnerability scanning. DSHS has listed a series of minimal functional requirements but is open to any method which meets the standards listed below. The recommendations from the vendor community can be inclusive of both DSHS needs jointly or address the database and application source code independently 1.1 Application Source Code Scanning DSHS needs a solution to scan application source code to detect security vulnerabilities which could create a risk to the application. The recommendations from the vendor community may be software, appliance, or software as a service. The recommendation should be capable of scanning source code on all significant applications within DSHS, identifying vulnerabilities, providing guidance on mitigation of identified vulnerabilities, and maintaining sufficient documentation of identified vulnerabilities to allow a determination of the efficacy of the source code scanning. The recommendations should support all programming languages used within DSHS for new and existing applications, and support existing DSHS source code repositories and integrated
2 development environments (IDEs) as well as other languages/repositories/ides that might reasonably be used in the future. The following are the basic minimum standards required for the application source code scanning solution(s) Minimum Standards: The solution must support at least four of the following application languages: PHP 3.x and above Java, JSP, J2EE, JSTL, J2SE Classic ASP.NET (v2.0 v4.5) ASP.NET, C#, VB.NET, LINQ, C++ VB6 The solution must work with at least one of the following application version control products: TFS Team Foundation Server v2008 and up Subversion Tortoise The solution must provide support for both of the following Integrated Development Interfaces: Visual Studio version 2008 and above Eclipse 3.0 and above The solution must identify the following vulnerabilities: API Abuse Log forging Code Injection Obsolete functions Command Injection Open redirect CRLF Injection Reflection injection Cross site scripting XSS Weak crypt algorithm File Inclusion Session variable poisoning Hard-coded password SQL injection HTTP response splitting Tag injection Information leak of system Xpath injection data The OWASP Code Review LDAP Injection Top 9 Please note any other vulnerabilities that the product or service is able to identify. 1.2 Database vulnerability scanning:
3 DSHS also needs a solution to scan multiple databases for security vulnerabilities. The recommendations from the vendor community may be for software, appliances or software as a service. The recommendation should be capable of scanning all databases within DSHS, identifying vulnerabilities, providing guidance on mitigation of identified vulnerabilities, and maintaining sufficient documentation of identified vulnerabilities to allow a determination of the efficacy of the database scanning. The following are the basic minimum standards required for the database vulnerability scanning solution(s) Minimum Standards: The solution must support the following databases: Oracle Microsoft SQL Server MySQL IBM Informix DB2 (mainframe, windows, linux. Aux) PostgreSQL The solution must identify the following vulnerabilities: Buffer overflows Privilege escalation Denial of service Default and weak passwords Incorrect configurations Access control issues Missing or out of date security patches The solution must provide compliance reports for: ISO PCI CIS DISA-STIG HIPAA Federal tax information (IRS Publication 1075) 2. SPECIFIC QUESTIONS: Please note that these questions do not comprise an exhaustive list of issues but focus on areas of significant concern to DSHS. You may provide information in addition to the questions listed below if in your knowledge of the subject matter the additional information is relevant to the perceived intent of this RFI. Additional information should be clearly identified and labeled as to its topic, purpose and benefit in this inquiry.
4 2.1 - For the source code scanner, tell us what your solution can do. Technological Requirements. We would like to know what each solution provider recommends as minimal and optimal hardware specifications. Equipment and Software. We would like to know whether each solution provider supplies software, appliance(s) or software as a service. What are the optimal hardware configurations if any? Encryption and Security. We would like to know what each solution provider recommends as minimal and optimal specifications for encryption and data security requirements. Confidentiality. How can we ensure that the selected solution adequately protects the confidentiality of DSHS system information? For the database scanner tell us what your solution can do. Technological Requirements. We would like to know what each solution provider recommends as minimal and optimal hardware specifications. Equipment and Software. We would like to know whether each solution provider supplies software, appliance(s) or software as a service. What are the optimal hardware configurations if any? Encryption and Security. We would like to know what each solution provider recommends as minimal and optimal specifications for encryption and data security requirements. Confidentiality. How can we ensure that the selected solution adequately protects the confidentiality of DSHS system information? 3. IMPORTANT GENERAL INFORMATION Information submitted in response to this RFI will become the property of The State of Washington, Department of Social and Health Services. The State of Washington, DSHS will not pay for any information herein requested nor is it liable for any cost incurred by the vendor. Participation in this RFI is voluntary and will not be a mandatory requirement for any subsequent competitive procurement. Due Date for Responses: Please respond to this RFI by 3 pm, PST on November 15, 2013.
5 Electronic Submittal: Responses to this RFI will only be accepted electronically at Procedural or administrative questions may be directed to the RFI Coordinator listed above. Technical or requirement questions may be directed to Pablo Matute DSHS IT security We appreciate your response to this request.
MatriXay WEB Application Vulnerability Scanner V 5.0. 1. Overview. (DAS- WEBScan ) - - - - - The best WEB application assessment tool
MatriXay DAS-WEBScan MatriXay WEB Application Vulnerability Scanner V 5.0 (DAS- WEBScan ) - - - - - The best WEB application assessment tool 1. Overview MatriXay DAS- Webscan is a specific application
More informationOut of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet
Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development
More information05.0 Application Development
Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development
More informationWhere every interaction matters.
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
More informationSANDCAT THE WEB APPLICATION SECURITY ASSESSMENT SUITE WHAT IS SANDCAT? MAIN COMPONENTS. Web Application Security
SANDCAT WHAT IS SANDCAT? THE WEB APPLICATION SECURITY ASSESSMENT SUITE Sandcat is a hybrid multilanguage web application security assessment suite - a software suite that simulates web-based attacks. Sandcat
More informationNetwork Test Labs (NTL) Software Testing Services for igaming
Network Test Labs (NTL) Software Testing Services for igaming Led by committed, young and dynamic professionals with extensive expertise and experience of independent testing services, Network Test Labs
More informationANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details
Sub: Supply, Installation, setup and testing of Tenable Network Security Nessus vulnerability scanner professional version 6 or latest for scanning the LAN, VLAN, VPN and IPs with 3 years License/Subscription
More informationFINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES
Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that
More informationDatabase Security & Auditing
Database Security & Auditing Jeff Paddock Manager, Enterprise Solutions September 17, 2009 1 Verizon 2009 Data Breach Investigations Report: 285 million records were compromised in 2008 2 Agenda The Threat
More informationWHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats
WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top
More informationMatriXay Database Vulnerability Scanner V3.0
MatriXay Database Vulnerability Scanner V3.0 (DAS- DBScan) - - - The best database security assessment tool 1. Overview MatriXay Database Vulnerability Scanner (DAS- DBScan) is a professional tool with
More informationPassing PCI Compliance How to Address the Application Security Mandates
Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These
More informationOverview of the Penetration Test Implementation and Service. Peter Kanters
Penetration Test Service @ ABN AMRO Overview of the Penetration Test Implementation and Service. Peter Kanters ABN AMRO / ISO April 2010 Contents 1. Introduction. 2. The history of Penetration Testing
More informationTECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS
TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS Technical audits in accordance with Regulation 211/2011 of the European Union and according to Executional Regulation 1179/2011 of the
More informationExecutive Summary On IronWASP
Executive Summary On IronWASP CYBER SECURITY & PRIVACY FOUNDATION 1 Software Product: IronWASP Description of the Product: IronWASP (Iron Web application Advanced Security testing Platform) is an open
More informationWeb Application Report
Web Application Report This report includes important security information about your Web Application. Security Report This report was created by IBM Rational AppScan 8.5.0.1 11/14/2012 8:52:13 AM 11/14/2012
More informationAppSentry Application and Database Security Auditing
AppSentry Application and Database Security Auditing May 2014 Stephen Kost Chief Technology Officer Integrigy Corporation About Integrigy ERP Applications Oracle E-Business Suite Databases Oracle and Microsoft
More informationWeb Application Security
About SensePost SensePost is an independent and objective organisation specialising in information security consulting, training, security assessment services and IT Vulnerability Management. SensePost
More informationWeb Application Penetration Testing
Web Application Penetration Testing 2010 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Will Bechtel William.Bechtel@att.com
More informationInformation Technology Policy
Information Technology Policy Enterprise Web Application Firewall ITP Number ITP-SEC004 Category Recommended Policy Contact RA-ITCentral@pa.gov Effective Date January 15, 2010 Supersedes Scheduled Review
More informationUsing Nessus In Web Application Vulnerability Assessments
Using Nessus In Web Application Vulnerability Assessments Paul Asadoorian Product Evangelist Tenable Network Security pasadoorian@tenablesecurity.com About Tenable Nessus vulnerability scanner, ProfessionalFeed
More informationAppDefend Application Firewall Overview
AppDefend Application Firewall Overview May 2014 Stephen Kost Chief Technology Officer Integrigy Corporation Agenda Web Application Security AppDefend Overview Q&A 1 2 3 4 5 Oracle EBS Web Architecture
More informationThick Client Application Security
Thick Client Application Security Arindam Mandal (arindam.mandal@paladion.net) (http://www.paladion.net) January 2005 This paper discusses the critical vulnerabilities and corresponding risks in a two
More informationApplication Code Development Standards
Application Code Development Standards Overview This document is intended to provide guidance to campus system owners and software developers regarding secure software engineering practices. These standards
More informationSecurity and Control Issues within Relational Databases
Security and Control Issues within Relational Databases David C. Ogbolumani, CISA, CISSP, CIA, CISM Practice Manager Information Security Preview of Key Points The Database Environment Top Database Threats
More informationOracle Database Security Myths
Oracle Database Security Myths December 13, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development Integrigy Corporation About Integrigy ERP Applications
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationIs your software secure?
Is your software secure? HP Fortify Application Security VII konferencja Secure 2013 Warsaw - October 9, 2013 Gunner Winkenwerder Sales Manager Fortify CEE, Russia & CIS HP Enterprise Security +49 (172)
More informationIntroduction to the HP Server Automation system security architecture
Introduction to the HP Server Automation system security architecture Technical white paper Table of contents Introduction to the HP Server Automation system security architecture... 2 Enforcing strict
More informationWebCruiser Web Vulnerability Scanner User Guide
WebCruiser Web Vulnerability Scanner User Guide Content 1. Software Introduction... 3 2. Main Function... 4 2.1. Web Vulnerability Scanner... 4 2.2. SQL Injection Tool... 6 2.3. Cross Site Scripting...
More informationProtecting Sensitive Data Reducing Risk with Oracle Database Security
Protecting Sensitive Data Reducing Risk with Oracle Database Security Antonio.Mata.Gomez@oracle.com Information Security Architect Agenda 1 2 Anatomy of an Attack Three Steps to Securing an Oracle Database
More informationIntroduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006
Introduction to Web Application Security Microsoft CSO Roundtable Houston, TX September 13 th, 2006 Overview Background What is Application Security and Why Is It Important? Examples Where Do We Go From
More informationBraindumps.C2150-810.50 questions
Braindumps.C2150-810.50 questions Number: C2150-810 Passing Score: 800 Time Limit: 120 min File Version: 5.3 http://www.gratisexam.com/ -810 IBM Security AppScan Source Edition Implementation This is the
More informationAutomating Security Testing. Mark Fallon Senior Release Manager Oracle
Automating Security Testing Mark Fallon Senior Release Manager Oracle Some Ground Rules There are no silver bullets You can not test security into a product Testing however, can help discover a large percentage
More informationWeb Applications The Hacker s New Target
Web Applications The Hacker s New Target Ross Tang IBM Rational Software An IBM Proof of Technology Hacking 102: Integrating Web Application Security Testing into Development 1 Are you phished? http://www.myfoxny.com/dpp/your_money/consumer/090304_facebook_security_breaches
More informationASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus
ASP.NET MVC Secure Coding 4-Day hands on Course Course Syllabus Course description ASP.NET MVC Secure Coding 4-Day hands on Course Secure programming is the best defense against hackers. This multilayered
More informationETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001
001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110
More informationWhite Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers
White Paper Guide to PCI Application Security Compliance for Merchants and Service Providers Contents Overview... 3 I. The PCI DSS Requirements... 3 II. Compliance and Validation Requirements... 4 III.
More informationWebCruiser Web Vulnerability Scanner Test Report. Input Vector Test Cases Cases Count Report Pass Rate. Erroneous 200 Responses 19 19 100%
WebCruiser Web Vulnerability Scanner Test Report V3.4.0 Made by Janusec (http://www.janusec.com ) 1. Test Report 1.1. SQL Injection Test Report Input Vector Test Cases Cases Count Report Pass Rate Erroneous
More informationCreating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011 Agenda Evolving Threats Operating System Application User Generated Content JPL s Application Security Program Securing
More informationDFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)
Title: Functional Category: Information Technology Services Issuing Department: Information Technology Services Code Number: xx.xxx.xx Effective Date: xx/xx/2014 1.0 PURPOSE 1.1 To appropriately manage
More informationOWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp.
and Top 10 (2007 Update) Dave Wichers The Foundation Conferences Chair dave.wichers@owasp.org COO, Aspect Security dave.wichers@aspectsecurity.com Copyright 2007 - The Foundation This work is available
More informationExcellence Doesn t Need a Certificate. Be an. Believe in You. 2014 AMIGOSEC Consulting Private Limited
Excellence Doesn t Need a Certificate Be an 2014 AMIGOSEC Consulting Private Limited Believe in You Introduction In this age of emerging technologies where IT plays a crucial role in enabling and running
More informationWhite Paper BMC Remedy Action Request System Security
White Paper BMC Remedy Action Request System Security June 2008 www.bmc.com Contacting BMC Software You can access the BMC Software website at http://www.bmc.com. From this website, you can obtain information
More informationColumbia University Web Security Standards and Practices. Objective and Scope
Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements
More informationAdobe Systems Incorporated
Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...
More informationSAST, DAST and Vulnerability Assessments, 1+1+1 = 4
SAST, DAST and Vulnerability Assessments, 1+1+1 = 4 Gordon MacKay Digital Defense, Inc. Chris Wysopal Veracode Session ID: Session Classification: ASEC-W25 Intermediate AGENDA Risk Management Challenges
More informationReal-Time Database Protection and. Overview. 2010 IBM Corporation
Real-Time Database Protection and Monitoring: IBM InfoSphere Guardium Overview Agenda Business drivers for database security InfoSphere Guardium architecture Common applications The InfoSphere portfolio
More informationDetecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008
Detecting Web Application Vulnerabilities Using Open Source Means OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Kostas Papapanagiotou Committee Member OWASP Greek Chapter conpap@owasp.gr
More informationQuickBooks Online: Security & Infrastructure
QuickBooks Online: Security & Infrastructure May 2014 Contents Introduction: QuickBooks Online Security and Infrastructure... 3 Security of Your Data... 3 Access Control... 3 Privacy... 4 Availability...
More informationPerforming a Web Application Security Assessment
IBM Software Group Performing a Web Application Security Assessment 2007 IBM Corporation Coordinate the Time of the Audit Set up a time window with the application owner Inform your security team Inform
More informationNSFOCUS Web Application Firewall White Paper
White Paper NSFOCUS Web Application Firewall White Paper By NSFOCUS White Paper - 2014 NSFOCUS NSFOCUS is the trademark of NSFOCUS Information Technology Co., Ltd. NSFOCUS enjoys all copyrights with respect
More informationHP Device Manager 4.7
Technical white paper HP Device Manager 4.7 Database Troubleshooting Guide Table of contents Overview... 2 Using MS SQL Server... 2 Using PostgreSQL... 3 Troubleshooting steps... 3 Migrate Database...
More information(WAPT) Web Application Penetration Testing
(WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:
More informationAttack Vector Detail Report Atlassian
Attack Vector Detail Report Atlassian Report As Of Tuesday, March 24, 2015 Prepared By Report Description Notes cdavies@atlassian.com The Attack Vector Details report provides details of vulnerability
More information8070.S000 Application Security
8070.S000 Application Security Last Revised: 02/26/15 Final 02/26/15 REVISION CONTROL Document Title: Author: File Reference: Application Security Information Security 8070.S000_Application_Security.docx
More informationDatabase Auditing & Security. Brian Flasck - IBM Louise Joosse - BPSolutions
Database Auditing & Security Brian Flasck - IBM Louise Joosse - BPSolutions Agenda Introduction Drivers for Better DB Security InfoSphere Guardium Solution Summary Netherlands Case Study The need for additional
More informationTrustwave MANAGED SECURITY TESTING
Trustwave MANAGED SECURITY TESTING DON T GUESS. TEST. Trustwave Managed Security Testing reveals your vulnerabilities and alerts you to the consequences of exploitation. If you re concerned about cyberattacks
More informationSAP Security Recommendations December 2011. Secure Software Development at SAP Embedding Security in the Product Innovation Lifecycle Version 1.
SAP Security Recommendations December 2011 Secure Software Development at SAP Embedding Security in the Product Innovation Lifecycle Version 1.0 Secure Software Development at SAP Table of Contents 4
More informationIntegrigy Corporate Overview
mission critical applications mission critical security Application and Database Security Auditing, Vulnerability Assessment, and Compliance Integrigy Corporate Overview Integrigy Overview Integrigy Corporation
More informationWeb Application Security Assessment and Vulnerability Mitigation Tests
White paper BMC Remedy Action Request System 7.6.04 Web Application Security Assessment and Vulnerability Mitigation Tests January 2011 www.bmc.com Contacting BMC Software You can access the BMC Software
More informationCriteria for web application security check. Version 2015.1
Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-
More informationIBM. Vulnerability scanning and best practices
IBM Vulnerability scanning and best practices ii Vulnerability scanning and best practices Contents Vulnerability scanning strategy and best practices.............. 1 Scan types............... 2 Scan duration
More informationMingyu Web Application Firewall (DAS- WAF) - - - All transparent deployment for Web application gateway
Mingyu Web Application Firewall (DAS- WAF) - - - All transparent deployment for Web application gateway All transparent deployment Full HTTPS site defense Prevention of OWASP top 10 Website Acceleration
More informationPentests more than just using the proper tools
Pentests more than just using the proper tools Agenda 1. Information Security @ TÜV Rheinland 2. Penetration testing Introduction Evaluation scheme Security Analyses of web applications Internal Security
More informationMySQL Security: Best Practices
MySQL Security: Best Practices Sastry Vedantam sastry.vedantam@oracle.com Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes
More informationMembers of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems
Soteria Health Check A Cyber Security Health Check for SAP systems Soteria Cyber Security are staffed by SAP certified consultants. We are CISSP qualified, and members of the UK Cyber Security Forum. Security
More informationWHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6
WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL Ensuring Compliance for PCI DSS 6.5 and 6.6 CONTENTS 04 04 06 08 11 12 13 Overview Payment Card Industry Data Security Standard PCI Compliance for Web Applications
More informationPentests more than just using the proper tools
Pentests more than just using the proper tools Agenda 1. Information Security @ TÜV Rheinland 2. Security testing 3. Penetration testing Introduction Evaluation scheme Security Analyses of web applications
More informationIJMIE Volume 2, Issue 9 ISSN: 2249-0558
Survey on Web Application Vulnerabilities Prevention Tools Student, Nilesh Khochare* Student,Satish Chalurkar* Professor, Dr.B.B.Meshram* Abstract There are many commercial software security assurance
More informationTop Web Application Security Issues. Daniel Ramsbrock, CISSP, GSSP
Top Web Application Security Issues Daniel Ramsbrock, CISSP, GSSP daniel ramsbrock.com Presentation Overview Background and experience Financial services case study Common findings: Weak input validation
More informationSTOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect
STOPPING LAYER 7 ATTACKS with F5 ASM Sven Müller Security Solution Architect Agenda Who is targeted How do Layer 7 attacks look like How to protect against Layer 7 attacks Building a security policy Layer
More informationWHITEPAPER. Nessus Exploit Integration
Nessus Exploit Integration v2 Tenable Network Security has committed to providing context around vulnerabilities, and correlating them to other sources, such as available exploits. We currently pull information
More informationData Platform Security. Vinod Kumar Technology Evangelist www.extremeexperts.com http://blogs.sqlxml.org/vinodkumar
Data Platform Security Vinod Kumar Technology Evangelist www.extremeexperts.com http://blogs.sqlxml.org/vinodkumar Agenda Problem Statement Security for Enterprise Security Defaults - Vulnerabilities Configurations
More informationInternal Penetration Test
Internal Penetration Test Agenda Time Agenda Item 10:00 10:15 Introduction 10:15 12:15 Seminar: Web Application Penetration Test 12:15 12:30 Break 12:30 13:30 Seminar: Social Engineering Test 13:30 15:00
More informationSERENA SOFTWARE Serena Service Manager Security
SERENA SOFTWARE Serena Service Manager Security 2014-09-08 Table of Contents Who Should Read This Paper?... 3 Overview... 3 Security Aspects... 3 Reference... 6 2 Serena Software Operational Security (On-Demand
More informationGuardium Change Auditing System (CAS)
Guardium Change Auditing System (CAS) Highlights. Tracks all changes that can affect the security of database environments outside the scope of the database engine Complements Guardium's Database Activity
More informationWeb application vulnerability statistics for 2010-2011
Web application vulnerability statistics for 2010-2011 SERGEY GORDEYCHIK DMITRY EVTEEV ALEXANDER ZAITSEV DENIS BARANOV SERGEY SCHERBEL ANNA BELIMOVA GLEB GRITSAI YURI GOLTSEV TIMUR YUNUSOV ILYA KRUPENKO
More informationWEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY
WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities
More informationDOS ATTACKS USING SQL WILDCARDS
DOS ATTACKS USING SQL WILDCARDS Ferruh Mavituna www.portcullis-security.com This paper discusses abusing Microsoft SQL Query wildcards to consume CPU in database servers. This can be achieved using only
More informationThe Top Web Application Attacks: Are you vulnerable?
QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding
More informationASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION
ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION V 2.0 A S L I T S e c u r i t y P v t L t d. Page 1 Overview: Learn the various attacks like sql injections, cross site scripting, command execution
More informationBarracuda Web Site Firewall Ensures PCI DSS Compliance
Barracuda Web Site Firewall Ensures PCI DSS Compliance E-commerce sales are estimated to reach $259.1 billion in 2007, up from the $219.9 billion earned in 2006, according to The State of Retailing Online
More informationOWASP Top Ten Tools and Tactics
OWASP Top Ten Tools and Tactics Russ McRee Copyright 2012 HolisticInfoSec.org SANSFIRE 2012 10 JULY Welcome Manager, Security Analytics for Microsoft Online Services Security & Compliance Writer (toolsmith),
More informationState of Iowa REQUEST FOR INFORMATION. RFI #1217005002 State of Iowa ERP System Maintenance, Upgrades and Services
State of Iowa REQUEST FOR INFORMATION RFI #1217005002 State of Iowa ERP System Maintenance, Upgrades and Services Section 1- Background and Objectives 1.1 Purpose The objective of this Request for Information
More informationArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young
ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction
More informationStrategic Information Security. Attacking and Defending Web Services
Security PS Strategic Information Security. Attacking and Defending Web Services Presented By: David W. Green, CISSP dgreen@securityps.com Introduction About Security PS Application Security Assessments
More informationNational Endowment for the Arts Evaluation Report. Table of Contents. Results of Evaluation... 1. Areas for Improvement... 2. Exit Conference...
NEA OIG Report No. R-13-03 Table of Contents Results of Evaluation... 1 Areas for Improvement... 2 Area for Improvement 1: The agency should implement ongoing scanning to detect vulnerabilities... 2 Area
More informationStronger database security is needed to accommodate new requirements
Enterprise Database Security A Case Study Abstract This Article is a case study about an Enterprise Database Security project including the strategy that addresses key areas of focus for database security
More informationWeb Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability
Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability WWW Based upon HTTP and HTML Runs in TCP s application layer Runs on top of the Internet Used to exchange
More informationIBM Rational AppScan Source Edition
IBM Software November 2011 IBM Rational AppScan Source Edition Secure applications and build secure software with static application security testing Highlights Identify vulnerabilities in your source
More informationCONTENTS. PCI DSS Compliance Guide
CONTENTS PCI DSS COMPLIANCE FOR YOUR WEBSITE BUILD AND MAINTAIN A SECURE NETWORK AND SYSTEMS Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not
More informationTop Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia
Top Ten Web Application Vulnerabilities in J2EE Vincent Partington and Eelco Klaver Xebia Introduction Open Web Application Security Project is an open project aimed at identifying and preventing causes
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Technical and Operational Requirements for Approved Scanning Vendors (ASVs) Version 1.1 Release: September 2006 Table of Contents Introduction...1-1 Naming
More informationDTWMS Required Software Engineers. 1. Senior Java Programmer (3 Positions) Responsibilities:
DTWMS Required Software Engineers 1. Senior Java Programmer (3 Positions) Responsibilities: Responsible to deliver quality software solutions using standard end to end software development cycle Collaborate
More informationFINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE
Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security
More informationThe purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.
This sample report is published with prior consent of our client in view of the fact that the current release of this web application is three major releases ahead in its life cycle. Issues pointed out
More informationProgramming Flaws and How to Fix Them
19 ö Programming Flaws and How to Fix Them MICHAEL HOWARD DAVID LEBLANC JOHN VIEGA McGraw-Hill /Osborne New York Chicago San Francisco Lisbon London Madrid Mexico City- Milan New Delhi San Juan Seoul Singapore
More informationThreat Modelling for Web Application Deployment. Ivan Ristic ivanr@webkreator.com (Thinking Stone)
Threat Modelling for Web Application Deployment Ivan Ristic ivanr@webkreator.com (Thinking Stone) Talk Overview 1. Introducing Threat Modelling 2. Real-world Example 3. Questions Who Am I? Developer /
More information