Protecting Database Centric Web Services against SQL/XPath Injection Attacks
|
|
- Bernard Carson
- 8 years ago
- Views:
Transcription
1 Protecting Database Centric Web Services against SQL/XPath Injection Attacks Nuno Laranjeiro, Marco Vieira, and Henrique Madeira CISUC, Department of Informatics Engineering University of Coimbra, Portugal {cnl, mvieira, Internal Report, 2009!
2 Protecting Database Centric Web Services against SQL/XPath Injection Attacks Nuno Laranjeiro, Marco Vieira, and Henrique Madeira CISUC, Department of Informatics Engineering University of Coimbra, Portugal {cnl, mvieira, Abstract. Web services represent a powerful interface for back end database systems and are increasingly being used in business critical applications. However, field studies show that a large number of web services are deployed with security flaws (e.g., having SQL Injection vulnerabilities). Although several techniques for the identification of security vulnerabilities have been proposed, developing non vulnerable web services is still a difficult task. In fact, securityrelated concerns are hard to apply as they involve adding complexity to already complex code. This paper proposes an approach to secure web services against SQL and XPath Injection attacks, by transparently detecting and aborting service invocations that try to take advantage of potential vulnerabilities. Our mechanism was applied to secure several web services specified by the TPC App benchmark, showing to be 100% effective in stopping attacks, non intrusive and very easy to use. Keywords: Web services, vulnerabilities, security attacks, SQL Injection, XPath Injection, code instrumentation. 1 Introduction Web services are now widely used to support many businesses, linking suppliers and clients in sectors such as banking and financial services, transportation, or automotive manufacturing, among others. Web services are self describing components that can be used by other software across the web in a platform independent manner, and are supported by standard protocols such as SOAP (Simple Object Access Protocol), WSDL (Web Services Description Language) and UDDI (Universal Description, Discovery, and Integration) [6]. In a service based environment, providers offer a set of services that frequently access a back end database and can be explored and used by service consumers. The web service technology provides a clear service interface for consumers, and this is frequently used to enable the aggregation of services in compositions. These compositions, frequently designated as business processes, are essentially a collection of services working together towards an objective [8]. The composition workflow (i.e., the sequencing and coordination of calls to component services) obviously introduces a degree of dependency between services, where a security failure in a component may compromise the whole composition.
3 A recent McKinsey report indicates web services and SOA as one of the most important trends in modern software development [20]. However, the wide use and exposure of web services results in any existing security vulnerability being most probably uncovered and exploited by hackers. In fact, command injection attacks (e.g., SQL or XPath injection) are frequent types of attacks in the web environment [24]. These attacks take advantage of improperly coded applications to change queries sent to a database, enabling, for instance, access to critical data. Vulnerabilities allowing SQL Injection and XPath injection attacks are particularly relevant in web services [30], as their exposure is high and they frequently use a data persistence solution [29] based either in a traditional relational database or in a XML database. Currently major database vendors and several open source efforts provide XML databases (e.g., Oracle XML DB, SQL Server 2008, Apache Xindice, etc.) and typically, the access to this type of databases uses XPath expressions. While the goal of XPath Injection is to maliciously explore any existing vulnerabilities in XPath expressions used by an application (for instance to access an XML database), SQL Injection tries to change the SQL statements in a similar manner [24]. Different techniques for the identification of security vulnerabilities have been proposed in the past [24], namely: Static vulnerability scanning: consists in analyzing the source code of the application looking for potential vulnerabilities. It is a white box approach that can be done manually or by using automated code analysis. Penetration testing: widely used technique that tries to disclose security vulnerabilities in web applications (including web services). The testing tool stresses the application from the point of view of the attacker ( black box approach) and tries to penetrate it by issuing a huge amount of interactions. Although web services are increasingly being used in complex business critical systems, current development support tools do not provide practical ways to protect applications against security attacks. In this paper, we present a phased approach that is able to: 1) learn the profile of regular client requests by transforming requests into invariant statements; 2) protect web service applications from SQL/XPath injection attacks by matching incoming requests with the valid set of codes previously learned. Note that this work focuses on source code vulnerabilities and not any specific security mechanisms, such as authentication and data encryption. In summary, our approach consists of the following major phases: Service assessment: An optional phase that characterizes the web service code in terms of security vulnerabilities. Penetration testing and static code analysis are used to identify any existing security vulnerabilities (e.g., web services code prone to SQL/XPath Injection); Statement learning: Consists of learning the profile of valid, non malicious data access statements. We provide automatable workload generation approach to create a set of invocations able to exercise the web service code, reaching as much data access statements as possible, and enriching the set of invariant statements learned by our framework; Service protection: The generation of a protective service wrapper that uses the outcome of the learning phase (a set of valid statements) to prevent the success of SQL/XPath injection attacks. All incoming requests are hashed 2
4 domains. As expected, no problem was identified, providing a strong indicator that our framework did not change the application s normal behavior. Additionally, we executed a final test to assess the performance impact related to the execution of the security system. As we were expecting small values, for the security improvement, we tested the worst case scenario found in the TPC App services and executed invocations using that worst case scenario. The security mechanism took on average 0,052 ms (± 0,029) to execute, less than 0,3% of the total time for the fastest executing service. In order to obtain such low measurements we used a Java method that provides nanosecond precision (but however does not guarantee nanosecond accuracy). In summary, our learning mechanism was able to stop all security attacks with a negligible overhead. This is a very significant result, as besides effectively securing the target application, it implied absolutely no extra effort from the developers that implemented the original services. 5 Conclusion Previous works on web application security have shown that SQL/XPath Injection attacks are extremely relevant in web service applications. This paper presents an approach for improving web services security. The proposed approach consists of learning the profile of valid data access statements (SQL and XPath) and using this profile to later prevent the execution of malicious client requests. The approach was illustrated using two different TPC App implementations. Various security issues were disclosed and corrected without additional development effort. In fact, while introducing an extremely low performance overhead, our approach proved to be 100% effective, as it was able to abort all attacks attempted in our experiments. During the whole experimental process, no extra complexity was added to the source code. In fact, as source code is not needed, the mechanism can also be used to easily protect legacy services, which would otherwise require a difficult to implement and hard to maintain procedure. These facts make it an extremely useful tool for developers and service administrators. References 1. Acunetix Web Vulnerability Scanner, scanner/ 2. Atlassian Clover Code Coverage Analysis, 3. Bravenboer, M., Dolstra, E., Visser, E.: Preventing injection attacks with syntax embeddings. Proceedings of the 6th international conference on Generative programming and component engineering, Salzburg, Austria: ACM, pp (2007) 4. BrupSuite, 5. Cobertura, 6. Curbera, F. et al.: Unraveling the Web services web: an introduction to SOAP, WSDL, and UDDI. Internet Computing, IEEE, vol. 6, pp (2002) 7. Databene benerator, benerator 14
5 8. Erl, T.: Service Oriented Architecture: Concepts, Technology, and Design, Prentice Hall Professional Technical Reference (2005) 9. Fagan, M.: Design and code inspections to reduce errors in program development. Software pioneers: contributions to software engineering, Springer Verlag, Inc., pp (2002) 10. FORTIFY Gamja, Halfond, W., Orso, A.: Preventing SQL injection attacks using AMNESIA. 28th international conference on Software engineering, Shanghai, China: ACM, pp : Hovemeyer, D., Pugh, W. : Finding bugs is easy. ACM SIGPLAN Notices, vol. 39, pp (2004) 14. HP WebInspect, IBM Rational AppScan, 01.ibm.com/software/awdtools/appscan/ 16. Kiczales, G. et al.: Aspect Oriented Programming. 11th European Conf. on Objectoriented Programming (1997) 17. Laranjeiro, N., Vieira, M., Madeira, H.: EDEL and Security Improvement for Web Services. security tool.zip (2009) 18. Laranjeiro, N., Vieira, M.: Improving Web Services Robustness. Technical Report, icws robustness submitted.pdf (2009) 19. Livshits, V., Lam, M.: Finding security vulnerabilities in java applications with static analysis. Proceedings of the 14th conference on USENIX Security Symposium Volume 14, Baltimore, MD: USENIX Association, pp (2005) 20. McKinsey&Company: Enterprise Software Customer Survey (2008) 21. Ounce, Pixy, Red Hat Middleware: JBoss Application Server, Stuttard, D., Pinto, M.: The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws. Wiley, ISBN 10: , (2007) 25. Sun Microsystems Inc.: JAX WS Reference Implementation, ws.dev.java.net/ 26. The Eclipse Foundation: The AspectJ Project. (2008) 27. Thomas, S., Williams, L., Xie, T.: On automated prepared statement generation to remove SQL injection vulnerabilities. Information and Software Technology, v. 51, pp (2009) 28. Thomas, S., Williams, L.: Using Automated Fix Generation to Secure SQL Statements, Third International Workshop on Software Engineering for Secure Systems (2007) 29. Transaction Processing Performance Council: TPC BenchmarkTM App (Application Server) Standard Specification, Version 1.1, (2005) 30. Vieira, M., Antunes, N., Madeira, H.: Using Web Security Scanners to Detect Vulnerabilities in Web Services. Intl. Conf. on Dependable Systems and Networks, Estoril, Lisbon (2009) 31. W3C: W3C XML Schema, (2008) 32. W3C: XQuery 1.0 and XPath 2.0 Functions and Operators, (2008) 15
Protecting Database Centric Web Services against SQL/XPath Injection Attacks
Protecting Database Centric Web Services against SQL/XPath Injection Attacks Nuno Laranjeiro, Marco Vieira, and Henrique Madeira CISUC, Department of Informatics Engineering University of Coimbra, Portugal
More informationUsing Web Security Scanners to Detect Vulnerabilities in Web Services
FACULDADE DE CIÊNCIAS E TECNOLOGIA DA UNIVERSIDADE DE COIMBRA DEPARTAMENTO DE ENGENHARIA INFORMÁTICA Using Web Security Scanners to Detect Vulnerabilities in Web Services Marco Vieira Nuno Antunes Henrique
More informationDissertation Masters in Informatics Engineering
Dissertation Masters in Informatics Engineering Evaluating Web Services Security Nuno Manuel dos Santos Antunes nmsa@dei.uc.pt Advisor: Prof. Marco Vieira 10-07-2009 Department of Informatics Engineering
More informationWeb services commonly provide the strategic. Penetration Testing for Web Services
COVER FEATURE Penetration Testing for Web Services Nuno Antunes and Marco Vieira, University of Coimbra, Portugal Web services are often deployed with critical software security faults that open them to
More informationUsing Web Security Scanners to Detect Vulnerabilities in Web Services
DSN 2009 Using Web Security Scanners to Detect Vulnerabilities in Web Services Marco Vieira,, Henrique Madeira {mvieira, nmsa, henrique}@dei.uc.pt CISUC Department of Informatics Engineering University
More informationThe Devils Behind Web Application Vulnerabilities
The Devils Behind Web Application Vulnerabilities Defending against Web Application Vulnerabilities IEEE Computer, February 2012 Nuno Antunes, Marco Vieira {nmsa, mvieira}@dei.uc.pt Postgrad Colloquium
More informationDetecting SQL Injection Vulnerabilities in Web Services
Detecting SQL Injection Vulnerabilities in Web Services Nuno Antunes, {nmsa, mvieira}@dei.uc.pt LADC 2009 CISUC Department of Informatics Engineering University of Coimbra Outline n Web Services n Web
More informationTesting Web Services for Robustness: A Tool Demo
Testing Web Services for Robustness: A Tool Demo Nuno Laranjeiro, Marco Vieira To cite this version: Nuno Laranjeiro, Marco Vieira. Testing Web Services for Robustness: A Tool Demo. Hélène WAESELYNCK.
More informationMetrics, methods and tools to measure trustworthiness
Metrics, methods and tools to measure trustworthiness Henrique Madeira AMBER Coordination Action University of Coimbra March 9 th, 2009 1 Measuring trustworthiness Trustworthy ICT should be: Secure Dependable
More informationComparing the Effectiveness of Penetration Testing and Static Code Analysis
Comparing the Effectiveness of Penetration Testing and Static Code Analysis Detection of SQL Injection Vulnerabilities in Web Services PRDC 2009 Nuno Antunes, nmsa@dei.uc.pt, mvieira@dei.uc.pt University
More informationRobustness and Security Testing in SOA
Outline n The SOA trend Robustness and Security Testing in SOA Challenges & Opportunities n Robustness and security testing in Web Services n Are Web Services robust and/or secure? n Is it done? No, there
More informationLearning objectives for today s session
Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Learning objectives for today s session Understand what a black box and white box assessment is and how they differ Identify
More informationEngineering Secure Complex Software Systems and Services
Engineering Secure Complex Software Systems and Services Preparation of FP7-ICT WP 2009-2010 - Mini-Concertation Meeting Henrique Madeira University of Coimbra Portugal University of Coimbra Question 1
More informationApplication Code Development Standards
Application Code Development Standards Overview This document is intended to provide guidance to campus system owners and software developers regarding secure software engineering practices. These standards
More informationSQL INJECTION MONITORING SECURITY VULNERABILITIES IN WEB APPLICATIONS
SQL INJECTION MONITORING SECURITY VULNERABILITIES IN WEB APPLICATIONS Manas Kumar 1, S. Senthil kumar 2 and D. Sarvanan 3 1 M.C.A. (Final Year) Abstract Sql injection: a recently discovered application
More informationBlack Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP
Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Learning objectives for today s session Understand different types of application assessments and how they differ Be
More informationCHAPTER 5 INTELLIGENT TECHNIQUES TO PREVENT SQL INJECTION ATTACKS
66 CHAPTER 5 INTELLIGENT TECHNIQUES TO PREVENT SQL INJECTION ATTACKS 5.1 INTRODUCTION In this research work, two new techniques have been proposed for addressing the problem of SQL injection attacks, one
More informationDetection and mitigation of Web Services Attacks using Markov Model
Detection and mitigation of Web Services Attacks using Markov Model Vivek Relan RELAN1@UMBC.EDU Bhushan Sonawane BHUSHAN1@UMBC.EDU Department of Computer Science and Engineering, University of Maryland,
More informationRational AppScan & Ounce Products
IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168
More informationSecuring PHP Based Web Application Using Vulnerability Injection
International Journal of Information and Computation Technology. ISSN 0974-2239 Volume 3, Number 5 (2013), pp. 391-398 International Research Publications House http://www. irphouse.com /ijict.htm Securing
More informationActiveVOS Server Architecture. March 2009
ActiveVOS Server Architecture March 2009 Topics ActiveVOS Server Architecture Core Engine, Managers, Expression Languages BPEL4People People Activity WS HT Human Tasks Other Services JMS, REST, POJO,...
More informationIntegrigy Corporate Overview
mission critical applications mission critical security Application and Database Security Auditing, Vulnerability Assessment, and Compliance Integrigy Corporate Overview Integrigy Overview Integrigy Corporation
More informationEnterprise Application Designs In Relation to ERP and SOA
Enterprise Application Designs In Relation to ERP and SOA DESIGNING ENTERPRICE APPLICATIONS HASITH D. YAGGAHAVITA 20 th MAY 2009 Table of Content 1 Introduction... 3 2 Patterns for Service Integration...
More informationUsing ESB and BPEL for evolving healthcare systems towards SOA
ehealth Beyond the Horizon Get IT There S.K. Andersen et al. (Eds.) IOS Press, 2008 2008 Organizing Committee of MIE 2008. All rights reserved. 747 Using ESB and BPEL for evolving healthcare systems towards
More informationA clustering Approach for Web Vulnerabilities Detection
A clustering Approach for Web Vulnerabilities Detection Mohamed Kaâniche Rim Akrout, Eric Alata, Yann Bachy, Anthony Dessiatnikoff, Vincent Nicome?e Design and Assessment of application Level Intrusion
More informationIntegrating Web Application Security into the IT Curriculum
Integrating Web Application Security into the IT Curriculum James Walden Northern Kentucky University Topics 1. 2. 3. 4. Why should we teach web application security? What material do we need to cover?
More informationSix Strategies for Building High Performance SOA Applications
Six Strategies for Building High Performance SOA Applications Uwe Breitenbücher, Oliver Kopp, Frank Leymann, Michael Reiter, Dieter Roller, and Tobias Unger University of Stuttgart, Institute of Architecture
More informationDistributed systems. Distributed Systems Architectures
Distributed systems Distributed Systems Architectures Virtually all large computer-based systems are now distributed systems. Information processing is distributed over several computers rather than confined
More informationIBM Rational AppScan: Application security and risk management
IBM Software Security November 2011 IBM Rational AppScan: Application security and risk management Identify, prioritize, track and remediate critical security vulnerabilities and compliance demands 2 IBM
More informationResearch on the Model of Enterprise Application Integration with Web Services
Research on the Model of Enterprise Integration with Web Services XIN JIN School of Information, Central University of Finance& Economics, Beijing, 100081 China Abstract: - In order to improve business
More informationBeeple, B-Pel, Beepul? Understanding BPEL and Its Role in SOA
Beeple, B-Pel, Beepul? Understanding BPEL and Its Role in SOA presented by John Jay King King Training Resources john@kingtraining.com Download this paper and code examples from: http://www.kingtraining.com
More informationSODDA A SERVICE-ORIENTED DISTRIBUTED DATABASE ARCHITECTURE
SODDA A SERVICE-ORIENTED DISTRIBUTED DATABASE ARCHITECTURE Breno Mansur Rabelo Centro EData Universidade do Estado de Minas Gerais, Belo Horizonte, MG, Brazil breno.mansur@uemg.br Clodoveu Augusto Davis
More informationA Generic Database Web Service
A Generic Database Web Service Erdogan Dogdu TOBB Economics and Technology University Computer Engineering Department Ankara, Turkey edogdu@etu.edu.tr Yanchao Wang and Swetha Desetty Georgia State University
More informationIntroduction to Service-Oriented Architecture for Business Analysts
Introduction to Service-Oriented Architecture for Business Analysts This course will provide each participant with a high-level comprehensive overview of the Service- Oriented Architecture (SOA), emphasizing
More informationProtocol Based Approach on Vulnerability Detection Tools of SQLIA along with Monitoring Tools D. Naga Swetha 1, B. Shyam Kumar 2
IJCSET November 2012 Vol 2, Issue 11, 1476-1483 www.ijcset.net ISSN:2231-0711 Protocol Based Approach on Vulnerability Detection Tools of SQLIA along with Monitoring Tools D. Naga Swetha 1, B. Shyam Kumar
More informationSecurity for a Smarter Planet. 2011 IBM Corporation All Rights Reserved.
Security for a Smarter Planet The Smarter Planet Our world is getting Instrumented Our world is getting Interconnected Our world is getting Intelligent Growing Security Challenges on the Smarter Planet
More informationSecurity Test s i t ng Eileen Donlon CMSC 737 Spring 2008
Security Testing Eileen Donlon CMSC 737 Spring 2008 Testing for Security Functional tests Testing that role based security functions correctly Vulnerability scanning and penetration tests Testing whether
More informationWeb application security Executive brief Managing a growing threat: an executive s guide to Web application security.
Web application security Executive brief Managing a growing threat: an executive s guide to Web application security. Danny Allan, strategic research analyst, IBM Software Group Contents 2 Introduction
More informationeservices for Hospital Equipment
eservices for Hospital Equipment Merijn de Jonge 1, Wim van der Linden 1, and Rik Willems 2 1 Healthcare Systems Architecture Philips Research, The Netherlands 2 Strategy and Innovation Management/Technical
More informationRes. J. Appl. Sci. Eng. Technol., 8(5): 658-663, 2014
Research Journal of Applied Sciences, Engineering and Technology 8(5): 658-663, 2014 ISSN: 2040-7459; e-issn: 2040-7467 Maxwell Scientific Organization, 2014 Submitted: May 09, 2014 Accepted: June 16,
More informationSecuring Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group
Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability
More informationEvaluation of Web Security Mechanisms Using Inline Scenario & Online Scenario
Evaluation of Web Security Mechanisms Using Inline Scenario & Online Scenario M. Durai Ganesh (Research Scholars) Information Technology, St. Peter s University, Chennai- 54, Tamil Nadu, India Dr. G.Gunasekaran,
More informationBayesian Classification for SQL Injection Detection
Bayesian Classification for SQL Injection Detection Brandon Skari College of Engineering and Applied Science University of Wyoming Laramie, Wyoming 82070 brandon.skari@gmail.com April 6, 2011 Overview
More informationSAST, DAST and Vulnerability Assessments, 1+1+1 = 4
SAST, DAST and Vulnerability Assessments, 1+1+1 = 4 Gordon MacKay Digital Defense, Inc. Chris Wysopal Veracode Session ID: Session Classification: ASEC-W25 Intermediate AGENDA Risk Management Challenges
More informationAutomating Security Testing. Mark Fallon Senior Release Manager Oracle
Automating Security Testing Mark Fallon Senior Release Manager Oracle Some Ground Rules There are no silver bullets You can not test security into a product Testing however, can help discover a large percentage
More informationA Unified Messaging-Based Architectural Pattern for Building Scalable Enterprise Service Bus
A Unified Messaging-Based Architectural Pattern for Building Scalable Enterprise Service Bus Karim M. Mahmoud 1,2 1 IBM, Egypt Branch Pyramids Heights Office Park, Giza, Egypt kmahmoud@eg.ibm.com 2 Computer
More informationNetwork Test Labs (NTL) Software Testing Services for igaming
Network Test Labs (NTL) Software Testing Services for igaming Led by committed, young and dynamic professionals with extensive expertise and experience of independent testing services, Network Test Labs
More informationHow To Prevent An Sql Injection Attack
CHAPTER 1 PROJECT OVERVIEW 1.1 Introduction Database security is the degree to which all data is fully protected from tampering or unauthorized acts. Security vulnerability, security threat and security
More informationThe Top Web Application Attacks: Are you vulnerable?
QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding
More informationMiddleware for Heterogeneous and Distributed Information Systems
Prof. Dr.-Ing. Stefan Deßloch AG Heterogene Informationssysteme Geb. 36, Raum 329 Tel. 0631/205 3275 dessloch@informatik.uni-kl.de Middleware for Heterogeneous and Distributed Information Systems http://wwwlgis.informatik.uni-kl.de/cms/courses/middleware/
More informationPenetration Testing Workshop
Penetration Testing Workshop Who are we? Carter Poe Nathan Ritchey Mahdi Shapouri Fred Araujo Outline Ethical hacking What is penetration testing? Planning Reconnaissance Footprinting Network Endpoint
More informationEvaluating and Comparing the Impact of Software Faults on Web Servers
Evaluating and Comparing the Impact of Software Faults on Web Servers April 2010, João Durães, Henrique Madeira CISUC, Department of Informatics Engineering University of Coimbra {naaliel, jduraes, henrique}@dei.uc.pt
More informationApplication Security Center overview
Application Security overview Magnus Hillgren Presales HP Software Sweden Fredrik Möller Nordic Manager - Fortify Software HP BTO (Business Technology Optimization) Business outcomes STRATEGY Project &
More informationAir Force SOA Enterprise Service Bus Study Using Business Process Management Workflow Orchestration for C4I Systems Integration
Air Force SOA Enterprise Service Bus Study Using Business Process Management Workflow Orchestration for C4I s Integration Dr. Timothy D. Kehoe, Irene Chang, Dave Czulada, Howard Kong, Dr. Dino Konstantopoulos
More informationWEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY
WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities
More information(WAPT) Web Application Penetration Testing
(WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:
More informationWeb Application Security
Web Application Security Ng Wee Kai Senior Security Consultant PulseSecure Pte Ltd About PulseSecure IT Security Consulting Company Part of Consortium in IDA (T) 606 Term Tender Cover most of the IT Security
More informationOracle BPEL Nuts and Bolts
Oracle BPEL Nuts and Bolts Paper 743 presented by John Jay King King Training Resources john@kingtraining.com Download this paper from: http://www.kingtraining.com Copyright @ 2009, John Jay King 1/68
More informationCore Feature Comparison between. XML / SOA Gateways. and. Web Application Firewalls. Jason Macy jmacy@forumsys.com CTO, Forum Systems
Core Feature Comparison between XML / SOA Gateways and Web Application Firewalls Jason Macy jmacy@forumsys.com CTO, Forum Systems XML Gateway vs Competitive XML Gateways or Complementary? and s are Complementary
More informationMobile, Cloud, Advanced Threats: A Unified Approach to Security
Mobile, Cloud, Advanced Threats: A Unified Approach to Security David Druker, Ph.D. Senior Security Solution Architect IBM 1 Business Security for Business 2 Common Business Functions Manufacturing or
More informationAutomatic vs. Manual Code Analysis
Automatic vs. Manual Code Analysis 2009-11-17 Ari Kesäniemi Senior Security Architect Nixu Oy ari.kesaniemi@nixu.com Copyright The Foundation Permission is granted to copy, distribute and/or modify this
More informationCreating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011 Agenda Evolving Threats Operating System Application User Generated Content JPL s Application Security Program Securing
More informationJBoss security: penetration, protection and patching. David Jorm djorm@redhat.com
JBoss security: penetration, protection and patching David Jorm djorm@redhat.com Contents The problem Background Historical vulnerabilities JBoss worm Security response for products The solution The Problem
More informationIBM Rational Asset Manager
Providing business intelligence for your software assets IBM Rational Asset Manager Highlights A collaborative software development asset management solution, IBM Enabling effective asset management Rational
More informationStrategic Information Security. Attacking and Defending Web Services
Security PS Strategic Information Security. Attacking and Defending Web Services Presented By: David W. Green, CISSP dgreen@securityps.com Introduction About Security PS Application Security Assessments
More informationUsing Free Tools To Test Web Application Security
Using Free Tools To Test Web Application Security Speaker Biography Matt Neely, CISSP, CTGA, GCIH, and GCWN Manager of the Profiling Team at SecureState Areas of expertise: wireless, penetration testing,
More informationResearch on the Essential Network Equipment Risk Assessment Methodology based on Vulnerability Scanning Technology Xiaoqin Song 1
International Conference on Informatization in Education, Management and Business (IEMB 2015) Research on the Essential Network Equipment Risk Assessment Methodology based on Vulnerability Scanning Technology
More informationINTRUSION PROTECTION AGAINST SQL INJECTION ATTACKS USING REVERSE PROXY
INTRUSION PROTECTION AGAINST SQL INJECTION ATTACKS USING REVERSE PROXY Asst.Prof. S.N.Wandre Computer Engg. Dept. SIT,Lonavala University of Pune, snw.sit@sinhgad.edu Gitanjali Dabhade Monika Ghodake Gayatri
More informationKeywords: 2013, IJARCSSE All Rights Reserved Page 451
Volume 3, Issue 9, September 2013 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com Vulnerability
More informationGetting started with API testing
Technical white paper Getting started with API testing Test all layers of your composite applications, not just the GUI Table of contents Executive summary... 3 Introduction... 3 Who should read this document?...
More informationHow To Understand A Services-Oriented Architecture
Introduction to Service Oriented Architecture CSCI-5828 Foundations of Software Engineering Ming Lian March 2012 Executive Summary This Executive Summary gives the straight word to the fresh that have
More informationWEB APPLICATION VULNERABILITY STATISTICS (2013)
WEB APPLICATION VULNERABILITY STATISTICS (2013) Page 1 CONTENTS Contents 2 1. Introduction 3 2. Research Methodology 4 3. Summary 5 4. Participant Portrait 6 5. Vulnerability Statistics 7 5.1. The most
More informationHP Application Security Center
HP Application Security Center Web application security across the application lifecycle Solution brief HP Application Security Center helps security professionals, quality assurance (QA) specialists and
More informationA Performance Comparison of Vulnerability Detection between Netclarity Auditor and Open Source Nessus
A Performance Comparison of Vulnerability Detection between Netclarity Auditor and Open Source Nessus SANON CHIMMANEE, THANYADA VEERAPRASIT, KRITSADA SRIPHAEW, ANIWAT HEMANIDHI Faculty of Information Technology
More informationAUTOMATE CRAWLER TOWARDS VULNERABILITY SCAN REPORT GENERATOR
AUTOMATE CRAWLER TOWARDS VULNERABILITY SCAN REPORT GENERATOR Pragya Singh Baghel United College of Engineering & Research, Gautama Buddha Technical University, Allahabad, Utter Pradesh, India ABSTRACT
More informationNorth Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing
North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing Introduction ManTech Project Manager Mark Shaw, Senior Executive Director Cyber Security Solutions Division
More informationApplication security testing: Protecting your application and data
E-Book Application security testing: Protecting your application and data Application security testing is critical in ensuring your data and application is safe from security attack. This ebook offers
More informationWireless Computing and IT Ecosystems
Wireless Computing and IT Ecosystems William R Simpson Institute for Defense Analyses, 4850 Mark Center Drive, Alexandria, Virginia 22311 USA, rsimpson@ida.org Abstract. We have evolved an IT system that
More informationJava Program Vulnerabilities
Java Program Vulnerabilities Sheetal Thakare, Dr.B.B.Meshram Abstract The Java programming language provides a lot of security features, build directly into the language and also supplied by security relevant
More informationAn analysis on Blocking of SQL Injection Attacks by Comparing Static and Dynamic Queries
An analysis on Blocking of SQL Injection Attacks by Comparing Static and Dynamic Queries Jaskanwal Minhas Dept. of Computer Science and Engineering, Sant Baba Bhag Singh Institute of Engineering and Technology,
More informationWeb application security: automated scanning versus manual penetration testing.
Web application security White paper January 2008 Web application security: automated scanning versus manual penetration testing. Danny Allan, strategic research analyst, IBM Software Group Page 2 Contents
More informationJAVA/J2EE DEVELOPER RESUME
1 of 5 05/01/2015 13:22 JAVA/J2EE DEVELOPER RESUME Java Developers/Architects Resumes Please note that this is a not a Job Board - We are an I.T Staffing Company and we provide candidates on a Contract
More informationDesign For a Patient-Centric Medical Information System Using XML Web Services
Design For a Patient-Centric Medical Information System Using XML Web Services Elridge D'Mello, Jerzy Rozenblit University of Arizona, Tucson, Arizona Department of Electrical and Computer Engineering
More informationPassing PCI Compliance How to Address the Application Security Mandates
Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These
More informationGoals. Understanding security testing
Getting The Most Value From Your Next Network Penetration Test Jerald Dawkins, Ph.D. True Digital Security p. o. b o x 3 5 6 2 3 t u l s a, O K 7 4 1 5 3 p. 8 6 6. 4 3 0. 2 5 9 5 f. 8 7 7. 7 2 0. 4 0 3
More informationWeb Application Security
E-SPIN PROFESSIONAL BOOK Vulnerability Management Web Application Security ALL THE PRACTICAL KNOW HOW AND HOW TO RELATED TO THE SUBJECT MATTERS. COMBATING THE WEB VULNERABILITY THREAT Editor s Summary
More informationMingyu Web Application Firewall (DAS- WAF) - - - All transparent deployment for Web application gateway
Mingyu Web Application Firewall (DAS- WAF) - - - All transparent deployment for Web application gateway All transparent deployment Full HTTPS site defense Prevention of OWASP top 10 Website Acceleration
More informationChapter 4 IT Infrastructure and Platforms
Chapter 4 IT Infrastructure and Platforms Essay Questions: 1. Identify and describe the stages of IT infrastructure evolution. 2. Identify and describe the technology drivers of IT infrastructure evolution.
More informationA QoS-aware Method for Web Services Discovery
Journal of Geographic Information System, 2010, 2, 40-44 doi:10.4236/jgis.2010.21008 Published Online January 2010 (http://www.scirp.org/journal/jgis) A QoS-aware Method for Web Services Discovery Bian
More informationWhite Paper Delivering Web Services Security: The Entrust Secure Transaction Platform
White Paper Delivering Web Services Security: September 2003 Copyright 2003 Entrust. All rights reserved. Entrust is a registered trademark of Entrust, Inc. in the United States and certain other countries.
More informationWhat is it? What does it do? Benefits
JBoss Enterprise SOA Platform What is it? The JBoss Enterprise SOA Platform includes serviceoriented architecture (SOA) open source middleware such as JBoss Enterprise Service Bus (ESB), JBoss jbpm, JBoss
More informationMatriXay WEB Application Vulnerability Scanner V 5.0. 1. Overview. (DAS- WEBScan ) - - - - - The best WEB application assessment tool
MatriXay DAS-WEBScan MatriXay WEB Application Vulnerability Scanner V 5.0 (DAS- WEBScan ) - - - - - The best WEB application assessment tool 1. Overview MatriXay DAS- Webscan is a specific application
More informationAn Effective Approach for Detecting and Preventing Sqlinjection Attacks
An Effective Approach for Detecting and Preventing Sqlinjection Attacks M. Roslinmary 1, S. Sivasakthi 2, A. Shenbaga Bharatha Priya 3 1, 2, 3 PG scholar, Department of IT, Dr. Sivanthi Aditanar College
More informationAnalyses on functional capabilities of BizTalk Server, Oracle BPEL Process Manger and WebSphere Process Server for applications in Grid middleware
Analyses on functional capabilities of BizTalk Server, Oracle BPEL Process Manger and WebSphere Process Server for applications in Grid middleware R. Goranova University of Sofia St. Kliment Ohridski,
More informationWeb Application Report
Web Application Report This report includes important security information about your Web Application. Security Report This report was created by IBM Rational AppScan 8.5.0.1 11/14/2012 8:52:13 AM 11/14/2012
More informationStreamlining Application Vulnerability Management: Communication Between Development and Security Teams
Streamlining Application Vulnerability Management: Communication Between Development and Security Teams October 13, 2012 OWASP Boston Application Security Conference Agenda Introduction / Background Vulnerabilities
More informationManipulating Microsoft SQL Server Using SQL Injection
Manipulating Microsoft SQL Server Using SQL Injection Author: Cesar Cerrudo (sqlsec@yahoo.com) APPLICATION SECURITY, INC. WEB: E-MAIL: INFO@APPSECINC.COM TEL: 1-866-9APPSEC 1-212-947-8787 INTRODUCTION
More informationA Strategic Approach to Web Application Security The importance of a secure software development lifecycle
A Strategic Approach to Web Application Security The importance of a secure software development lifecycle Rachna Goel Technical Lead Enterprise Technology Web application security is clearly the new frontier
More informationDetection of DOM-based Cross-Site Scripting by Analyzing Dynamically Extracted Scripts
Detection of DOM-based Cross-Site Scripting by Analyzing Dynamically Extracted Scripts Suman Saha 1, Shizhen Jin 2,3 and Kyung-Goo Doh 3 1 LIP6-Regal, France Suman.Saha@lip6.fr 2 GTOne, Seoul, Korea jinshzh@gmail.com
More information