Copyright Watchfire Corporation. All Rights Reserved.
AppScan Frequently Asked Technical Questions

1. How is AppScan different from other web application scanners?
2. How do I know if I've covered all of my applications?
3. How is AppScan different from code scanners?
4. Can AppScan test AJAX-based web applications?
5. Does AppScan extract links from JavaScripts and Flash files?
6. Can AppScan test SOAP web services for security issues?
7. How does AppScan update its database of attacks and attack techniques?
8. How many tests does AppScan's database contain?
9. Can I use AppScan on live production web applications, or will it damage/hurt the site?
10. Where does AppScan get its "Fix Recommendation" text from?
11. What kinds of web application technologies (e.g., ASP.NET, J2EE, PHP, etc.) does AppScan support?
12. Can I manually tamper with HTTP requests like I do with free tools like Paros, Burp-Proxy, and WebScarab? How different is AppScan from these free tools?
13. Is there a way for me to add my own tests to AppScan's database? Can I also write my own advisories?
14. If I have a Web Application Firewall installed, do I need to scan my application with AppScan?

1. Q: How is AppScan different from other web application scanners?

A: The main differentiators between AppScan and other scanners are:

a. Test Accuracy: the most important trait of a security scanner is its accuracy. Watchfire's patented AppScan software contains the industry's most advanced scanning engine. Accuracy is achieved in several ways, one of which is imitation of real-world hacker techniques. During the explore phase of application scanning, AppScan collects information about parameters and uses it to tailor the tests it creates to your application. For example:

- AppScan will increase or decrease numeric values beyond their observed ranges (e.g., if a parameter called DocumentID was seen with values between 10 and 100, AppScan will attempt to send the values 9 and 101; this is a known web hacking technique that attempts to access resources without authorization).
- AppScan will attempt to set select-parameter (pull-down menu) values outside their possible ranges.
- During a poison null byte attack, AppScan will use the original file extension (i.e., /etc/passwd%00.ext, where ext is the file extension seen in the original parameter value) in order to bypass validation procedures.
- When attempting to manipulate a price parameter (for e-shoplifting attacks), AppScan will keep the original price format (e.g., if the original hidden price parameter value was $199.99USD, AppScan will attempt to change the value but keep the format: $1.99USD).

AppScan is the only scanner to incorporate a "Port Listener" validation mechanism. The Port Listener enables AppScan to detect vulnerabilities such as SQL Injection with high certainty (where applicable) by using out-of-band communications. This validation mimics a known hacker technique of executing commands on the backend server. For example, when testing an application that uses an MS-SQL database for SQL Injection, AppScan will attempt to execute the XP_CMDSHELL stored procedure, which will then issue a TFTP request back to AppScan. When the TFTP request reaches AppScan, the test is flagged as successful.

b. Scan Performance: customers have reported that in head-to-head comparisons AppScan's scanning speed is up to 5 times faster than competitive solutions.

c. Product Maturity: AppScan is currently the most mature web application scanner in the market (the first version of AppScan was released in 2000). Gartner recently named Watchfire the worldwide market-share leader in the web vulnerability assessment market, with more than twice the market share of any competitor. IDC recently named Watchfire the worldwide market-share leader in the Web Application Security Assessment software category.

d. Actionable Results: AppScan's advisories contain both ASP.NET and J2EE source code examples, which help educate developers on how to solve complex security issues using "best practices" methodologies. The Remediation View of results enables AppScan users to better communicate scan results to developers in an actionable and consolidated report. All fix recommendations are grouped according to the problematic part of the application and according to the code fix that is required, and are presented as a task list so that developers don't have to read through hundreds of pages of security reports.

2. Q: How do I know if I've covered all of my applications?

A: AppScan provides users with several indications of the areas and parts of the web application that were covered during a scan:

a. Application Tree: the Application Tree (in AppScan's user interface) is a graphical representation of the areas that were discovered and explored by AppScan. Users can validate that AppScan covered the whole application by viewing this tree and making sure that no application segments were left undiscovered.

b. Application Data: the Application Data view (accessed using the View Selector in AppScan's user interface) is a repository of information about the structure and contents of the application discovered during the explore phase. This data contains:

- Visited URLs: URLs that were visited during the explore phase
- Script Parameters: input parameters sent to the application, such as text fields, radio button values, hidden parameters, link parameters, etc.
- Interactive URLs: forms that were not automatically submitted and require user interaction
- Broken Links: links that AppScan cannot retrieve (either because they are missing, or because the application returned an error during the explore phase)
- Filtered URLs: URLs that were not explored due to explore filters (e.g., path exclusions, file type exclusions, depth limit, etc.)
- Comments: HTML comments extracted from each page discovered during the explore phase
- JavaScripts: JavaScript code extracted from each page discovered during the explore phase
- Cookies: HTTP cookies that were used during the explore phase (set either by a "Set-Cookie" header or by client-side technologies such as JavaScript)

Both the Application Tree and the Application Data view enable users to easily understand whether AppScan covered all of the application during the scan.

3. Q: How is AppScan different from code scanners?

A: Testing software for security issues can be done at three different stages of the application development lifecycle. You can scan the source code before you compile it (static code analysis), you can scan the compiled code before you build the whole application (dynamic code analysis), or you can scan the application once it has been built (Blackbox scanning).

Code scanners (Whitebox scanners) are a group of tools that receive pre-built software and test it for functionality and security problems within the code. In general, there are two types of code analysis techniques:

- Static code analysis
- Dynamic (runtime) analysis

Static code analyzers mainly use text pattern matching techniques in order to locate problems within the source code. These scanners are somewhat simplistic and prone to missing many issues, due in part to the fact that they cannot follow the application's flow. Dynamic (runtime) analyzers are more complex and can find flaws in the application that static analyzers cannot detect. Their main problem is that they are farther away from the actual code, so locating the specific line of code where the problem occurred is sometimes difficult.

AppScan, on the other hand, uses a Blackbox approach to scanning applications. This approach treats the application as a "Blackbox" and attempts to interact with it like a user (or a hacker) would. Testing is done by attempting to manipulate the input sent to the application and analyzing the output in order to locate security or functionality issues. The biggest advantage of the Blackbox approach is accuracy. Vulnerabilities that are discovered using AppScan are always real. In code scanning, not all issues that are discovered can be exploited by users of the application; some of these issues are only theoretical. In addition, since AppScan can run against the web application when it is installed in its designated production environment, it can also detect vulnerabilities that are related to that specific environment, such as:

- Known vulnerabilities in components such as web servers, application servers, XML or SOAP parsers, etc.
- Vulnerabilities caused by improper configuration and settings
- Vulnerabilities in the application's logic, which can only be detected by looking at the application as a whole when it is running

To sum up, AppScan and code scanners perform security testing in different layers, and they complement each other.

4. Q: Can AppScan test AJAX-based web applications?

A: Yes. Since AJAX is a technology that runs on the client side, all of the testing techniques (e.g., SQL Injection, XSS, Buffer Overflows, etc.) are still relevant. In addition, when performing automatic crawling of an AJAX-based web application, AppScan will execute JavaScript code (assuming that JavaScript execution is enabled) and will automatically send requests that were created by XMLHttpRequest objects. Finally, AppScan users who prefer to traverse the AJAX application manually can do so by using AppScan's embedded browser, just as they would with a regular browser.

5. Q: Does AppScan extract links from JavaScripts and Flash files?

A: Yes. AppScan can extract links from JavaScript code in order to discover new areas of the site, using three different techniques:

- JavaScript Execution: AppScan will execute JavaScript code and analyze the results to collect links, including dynamic links that may not be discovered by parsing alone.
- Static JavaScript Code Analysis: AppScan will statically parse JavaScript code, looking for new links.
- Flash File Link Extraction: AppScan will parse Flash files, looking for new links.
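The parameter-tailored probes described in Question 1 (one value just below and one just above the observed DocumentID range, and a changed price that keeps the $199.99USD format) are easy to reproduce as a regression check for your own application. The following Python is an added example, not AppScan's or Watchfire's code: the observed values, the document store, the catalog, the handler functions and the helper names (boundary_probes, format_preserving_price, leaked_documents, price_tampering_succeeded) are all constructed for illustration. Each probe is run against a vulnerable handler and a hardened one, so the fix that an advisory would recommend (an ownership check on the id, and a server-side price lookup instead of trusting the hidden field) sits next to the bug it removes.

```python
"""Added example (not AppScan or Watchfire code): reproduce the parameter-tailored
probes from Question 1 and run them against a toy document/checkout handler with
and without the defensive check.  All data and names here are constructed."""
import re
from typing import Callable, Dict, List, Optional

# Constructed explore-phase observations: parameter name -> values seen in traffic.
OBSERVED: Dict[str, List[str]] = {
    "DocumentID": ["10", "42", "100"],
    "price": ["$199.99USD"],
}

# Splits a price like "$199.99USD" into prefix "$", amount "199.99", suffix "USD".
PRICE_RE = re.compile(r"^(?P<prefix>[^\d]*)(?P<amount>\d+\.\d{2})(?P<suffix>[^\d]*)$")


def boundary_probes(values: List[str]) -> List[str]:
    """Numeric range seen during explore -> one value just below and one just above it."""
    nums = [int(v) for v in values if v.isdigit()]
    if not nums:
        return []
    return [str(min(nums) - 1), str(max(nums) + 1)]


def format_preserving_price(value: str, new_amount: str = "1.99") -> Optional[str]:
    """Replace only the amount, keeping the observed currency prefix and suffix."""
    m = PRICE_RE.match(value)
    return f"{m['prefix']}{new_amount}{m['suffix']}" if m else None


# Constructed back-end state: document id -> record, and the catalog's real prices.
DOCUMENTS: Dict[int, Dict[str, str]] = {
    9: {"owner": "bob", "title": "bob-private"},
    10: {"owner": "alice", "title": "alice-1"},
    42: {"owner": "alice", "title": "alice-2"},
    100: {"owner": "alice", "title": "alice-3"},
    101: {"owner": "bob", "title": "bob-private-2"},
}
CATALOG: Dict[str, str] = {"sku-1": "$199.99USD"}


def fetch_document_unchecked(doc_id: str, user: str) -> Optional[Dict[str, str]]:
    """Vulnerable: any syntactically valid id is served, whoever owns it."""
    return DOCUMENTS.get(int(doc_id))


def fetch_document_checked(doc_id: str, user: str) -> Optional[Dict[str, str]]:
    """Hardened: the record is returned only if it belongs to the requesting user."""
    record = DOCUMENTS.get(int(doc_id))
    return record if record is not None and record["owner"] == user else None


def checkout_unchecked(submitted_price: str, sku: str) -> str:
    """Vulnerable: the hidden form field decides the amount charged."""
    return submitted_price


def checkout_checked(submitted_price: str, sku: str) -> str:
    """Hardened: the amount comes from the catalog; the submitted field is ignored."""
    return CATALOG[sku]


def leaked_documents(handler: Callable[[str, str], Optional[Dict[str, str]]],
                     user: str = "alice") -> List[str]:
    """Return the out-of-range probes that served another user's record (an authorization bug)."""
    leaks = []
    for probe in boundary_probes(OBSERVED["DocumentID"]):
        record = handler(probe, user)
        if record is not None and record["owner"] != user:
            leaks.append(probe)
    return leaks


def price_tampering_succeeded(handler: Callable[[str, str], str]) -> bool:
    """True if the handler charges the tampered (format-preserved) price instead of the catalog one."""
    tampered = format_preserving_price(OBSERVED["price"][0])
    return handler(tampered, "sku-1") != CATALOG["sku-1"]


if __name__ == "__main__":
    print("probes:", boundary_probes(OBSERVED["DocumentID"]), format_preserving_price("$199.99USD"))
    print("unchecked handler leaked:", leaked_documents(fetch_document_unchecked))
    print("checked handler leaked:", leaked_documents(fetch_document_checked))
    print("price tampering, unchecked:", price_tampering_succeeded(checkout_unchecked))
    print("price tampering, checked:", price_tampering_succeeded(checkout_checked))
```

The point of keeping the probe generation next to the two handlers is that the format-preserving price and the boundary ids are exactly what an input filter based on "looks like the values we expect" will let through; only a check tied to the requesting user's identity, or to server-held data, removes the finding.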
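Static JavaScript code analysis, the second of the three techniques listed in Question 5, can be approximated by scanning string literals for path-like values and resolving them against the page URL. The Python below is an added example, not AppScan's parser: the sample page is constructed, the regular expressions are assumptions about common JavaScript idioms, and the expression `api + "&page=2"` is deliberately included to show a link a static pass cannot assemble, which is why the answer pairs static analysis with JavaScript execution.

```python
"""Added example (not AppScan code): a static JavaScript link extractor of the kind
Question 5 describes.  The sample page is constructed; the regexes are assumptions."""
import re
from typing import List
from urllib.parse import urljoin, urlsplit

# Constructed page: one plain anchor plus several links that only appear inside JavaScript.
SAMPLE_PAGE = """
<html><body>
<a href="/docs/index.html">Docs</a>
<script>
  var api = "/api/v1/items?id=7";
  function load() { var x = new XMLHttpRequest(); x.open("GET", api + "&page=2", true); x.send(); }
  document.getElementById("go").onclick = function () { window.location.href = "/account/settings"; };
  window.open('https://www.example.com/help.html');
  var img = 'logo.png';                      // image, not a crawl target for this extractor
  var off = "http://other.example.net/out";  // different host, filtered out
</script>
</body></html>
"""

HTML_HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.I)
JS_STRING_RE = re.compile(r"""["']([^"'\n]+)["']""")
# A literal counts as a link candidate if it is an absolute http(s) URL, a root-relative
# path, or a relative name ending in a typical page/resource extension.
PATH_LIKE_RE = re.compile(
    r"^(https?://\S+|/\S*|[\w\-./]+\.(?:html?|php|aspx?|jsp|do|json|xml))$", re.I)


def static_js_links(page: str, base: str) -> List[str]:
    """Collect candidate links from HTML hrefs and JavaScript string literals.

    Returns absolute same-host URLs, de-duplicated, in first-seen order.  Values built at
    runtime (api + "&page=2") are invisible to this pass; only JavaScript execution sees them.
    """
    host = urlsplit(base).netloc
    found: List[str] = []
    candidates = HTML_HREF_RE.findall(page) + JS_STRING_RE.findall(page)
    for literal in candidates:
        if not PATH_LIKE_RE.match(literal):
            continue
        url = urljoin(base, literal)
        if urlsplit(url).netloc != host or url in found:
            continue
        found.append(url)
    return found


if __name__ == "__main__":
    for link in static_js_links(SAMPLE_PAGE, "https://www.example.com/shop/"):
        print(link)
```

Running it against the constructed page yields the docs link, the API base path, the settings page and the help page; the paginated API URL, the image and the off-host URL are correctly absent, the first of those being the gap that execution-based extraction fills.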
6. Q: Can AppScan test SOAP web services for security issues?

A: Yes. AppScan v7.0 enables users to perform Web Services scanning using the Web Services Explorer, a graphical utility that invokes Web Services and lets users interact with them. The Web Services Explorer reads your Web Service's WSDL file and displays the individual services and methods available in a simple tree format, enabling you to input parameters and view the responses. It can do this either as a standalone program or in conjunction with AppScan, using AppScan as the proxy. This second option enables AppScan to create tests for the service based on your input. In addition, AppScan's test database contains many tests for SOAP web services. The tests can be divided into three main groups:

a. Tests for SOAP/XML Parsers: tests that attack the SOAP or XML parser component
b. Application-layer Tests: these are similar to regular web application tests, such as SQL Injection, XSS, Buffer Overflows, etc.
c. Known Vulnerabilities: known problems related to Web Services technologies

7. Q: How does AppScan update its database of attacks and attack techniques?

A: AppScan's database of attacks and attack techniques can be updated through the "Live Update" feature. This feature allows you to decide whether you want to receive updates whenever AppScan is launched ("Check for updates on startup" in AppScan's options) or by pressing the "Check for updates" button. Once the update process ends, updates are automatically installed in AppScan, and information regarding the specific update appears in the "Updates log" (Help > Updates Log). New updates are available several times a week. Special updates are provided when needed (e.g., on discovery of critical vulnerabilities).

8. Q: How many tests does AppScan's database contain?

A: AppScan's database contains thousands of tests, which cover all categories of the WASC (Web Application Security Consortium) Threat Classification. Since updates are issued several times a week, the exact number of tests changes rapidly. Updates for new attacks are added by:

a. Monitoring numerous web application security resources (newsgroups, mailing lists, etc.)
b. Monitoring hackers' websites for new 0-day attacks
c. Proprietary research performed by Watchfire's Security Team

9. Q: Can I use AppScan on live production web applications, or will it damage/hurt the site?

A: Yes, you can use AppScan to test live production web applications, but there are several issues that need to be taken into consideration when scanning such a website:

- Possible overloading of the web application: the application might not be able to handle the number of HTTP requests sent by AppScan in such a short time.
- Your live production database may be filled with "non-real" information as a result of the automatic crawling and automatic form filling performed by AppScan.
- A large number of e-mails or other notifications may be sent to the administrator or site moderator as a result of the automatic crawling and automatic form filling performed by AppScan.

There are several actions you can take in order to reduce the impact on a live production web application:

a. Turn off the "Invasive" tests (Scan Configuration > Test Policy): doing so ensures that no Denial of Service tests, or other tests that might cause the application or web server to crash (e.g., Buffer Overflows), are sent.

Important note: web applications often contain vulnerabilities that will only be discovered by AppScan's "Invasive" tests. Watchfire highly recommends that you test your application for these kinds of vulnerabilities, and that you do so in coordination with your site owner or administrator. You should also consider performing these tests during off-peak hours, when the application is likely to be idle.

b. Turn off the "Automatic Form Filler" (Scan Configuration > User Input): this ensures that AppScan does not fill forms automatically and submit information that might flood a database, bulletin board or online forum system, or send e-mails to an administrator/moderator account.

Important note: turning the "Automatic Form Filler" off may limit AppScan's ability to reach certain areas of the site that are best accessed by submitting forms. In this mode of operation, AppScan will only access areas of the site that can be reached by following links (with or without parameters).

c. Throttle down AppScan's scan speed by reducing the number of threads used (Scan Configuration > Communication > Number of Threads).

10. Q: Where does AppScan get its "Fix Recommendation" text from?

A: The fix recommendations in AppScan are written as part of each test's advisory. Unlike other tools, AppScan's advisories are written in-house and are not copied as-is from public resources. Each test (and its fix recommendation(s)) that is added to AppScan is first researched by Watchfire's Security Team and validated before it is added to the next product update.

11. Q: What kinds of web application technologies (e.g., ASP.NET, J2EE, PHP, etc.) does AppScan support?

A: In general, since AppScan treats the web application as a "Blackbox" (see Question 3, "How is AppScan different from code scanners?"), it is usually technology-agnostic. AppScan interacts with the web application like a user would, without caring about the underlying programming language or application technology. In several cases, AppScan does attempt to detect the web technologies used by your application in order to modify and adapt specific tests so that they have a better chance of succeeding. For example, when trying to download system files, AppScan will attempt certain techniques for Windows-based applications and different techniques for UNIX-based (or any other OS) systems. In addition, some of AppScan's "Infrastructure" tests (known vulnerabilities) are sent according to the underlying technology that was detected during the explore phase.

Note: users can choose to disable automatic server detection and launch all of the infrastructure tests regardless of AppScan's automatic detection (Scan Configuration > Application > Automatic Server Detection), but this is not recommended in most cases, as it may cause inaccuracies in the results.

12. Q: Can I manually tamper with HTTP requests like I do with free tools like Paros, Burp-Proxy, and WebScarab? How different is AppScan from these free tools?

A: Of course. You can manually tamper with any part of the HTTP request by using AppScan's "Manual Test" utility. You can use this utility for:

a. Manipulating "valid" HTTP requests that were sent to the application during the explore phase. This can be done by switching to the "Application Data" view, choosing a specific request in the Visited URLs, and then right-clicking on the URL and choosing "Manual Test" (or just by clicking the "Manual Test" button).

b. Manipulating test HTTP requests (creating your own "user defined" tests). This can be done by switching to the "Issues" view, choosing a specific issue, drilling down to a specific test variant, and either right-clicking on the vulnerable element and choosing "Manual Test" or using the Tools > Manual Test menu.

AppScan's "Manual Test" utility has several important advantages over other HTTP testing tools:

a. AppScan will automatically handle the application's login process for you. You don't have to log into the application in order to manually test parts of the application that are behind the login mechanism.
b. AppScan will automatically handle SSL encryption for you, including the use of SSL client-side certificates.
c. AppScan will automatically calculate the "Content-Length" HTTP header for you when applicable (e.g., when manipulating HTTP POST requests).

In addition, if you still want to use an HTTP proxy for intercepting HTTP requests and responses, you can download and use "HTTP Proxy," which is one of Watchfire's free PowerTools.

13. Q: Is there a way for me to add my own tests to AppScan's database? Can I also write my own advisories?

A: Definitely. AppScan users can add their own new tests by using AppScan's "User Defined Tests" feature. This feature allows the addition of application-specific tests (e.g., Parameter Tampering tests), Infrastructure tests (known vulnerabilities) or pattern-searching tests (e.g., locating certain text in all responses). New tests are added through a simple wizard, accessed through the Tools > User Defined Tests menu. For each new test that you add, you can also set its relevant information, such as:

- Test name
- Test advisory (impact, description, fix recommendation, etc.)
- Test severity level
- Test validation criteria (when is this test considered successful)

User Defined Tests persist across scans, and you can turn them on or off according to your needs.
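A User Defined Test as described in Question 13 is a name, an advisory, a severity level and a validation criterion that can be switched on or off. The Python below models that structure and applies two pattern-searching tests and one infrastructure-style header test to a few constructed HTTP responses. It is an added example, not AppScan's implementation or its test file format: the UserDefinedTest, Response and Issue classes, the sample responses and the "LegacyFramework" banner (a placeholder, not a real product or a real vulnerability) are all assumptions made for illustration.

```python
"""Added example (not AppScan code): a minimal model of User Defined Tests as
described in Question 13, run over constructed HTTP responses."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Response:
    url: str
    status: int
    headers: Dict[str, str]
    body: str


@dataclass
class UserDefinedTest:
    name: str
    severity: str                                  # "High", "Medium" or "Low"
    advisory: str                                  # impact / description / fix recommendation
    validate: Callable[[Response], Optional[str]]  # returns evidence when the test succeeds
    enabled: bool = True                           # tests persist and can be switched on or off


@dataclass
class Issue:
    test: str
    severity: str
    url: str
    evidence: str


def pattern_test(name: str, severity: str, advisory: str, pattern: str) -> UserDefinedTest:
    """Pattern-searching test: succeeds when the regex appears in a response body."""
    rx = re.compile(pattern, re.I)

    def validate(r: Response) -> Optional[str]:
        m = rx.search(r.body)
        return m.group(0) if m else None

    return UserDefinedTest(name, severity, advisory, validate)


def banner_test(name: str, severity: str, advisory: str, header: str,
                predicate: Callable[[str], bool]) -> UserDefinedTest:
    """Infrastructure-style test: succeeds when a response header satisfies the predicate."""

    def validate(r: Response) -> Optional[str]:
        value = r.headers.get(header, "")
        return f"{header}: {value}" if value and predicate(value) else None

    return UserDefinedTest(name, severity, advisory, validate)


def run_tests(tests: List[UserDefinedTest], responses: List[Response]) -> List[Issue]:
    """Apply every enabled test to every response; each hit becomes an Issue."""
    issues: List[Issue] = []
    for t in tests:
        if not t.enabled:
            continue
        for r in responses:
            evidence = t.validate(r)
            if evidence:
                issues.append(Issue(t.name, t.severity, r.url, evidence))
    return issues


def issues_by_severity(issues: List[Issue]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for i in issues:
        counts[i.severity] = counts.get(i.severity, 0) + 1
    return counts


# Constructed test definitions.  "LegacyFramework" is a placeholder banner, not a real product.
TESTS: List[UserDefinedTest] = [
    pattern_test("Database error message", "High",
                 "Impact: database error text reveals back-end details and marks injectable input. "
                 "Fix: validate input and return generic error pages.",
                 r"unclosed quotation mark|syntax error in sql"),
    pattern_test("Stack trace disclosure", "Medium",
                 "Impact: internal class and path names are exposed. Fix: disable debug output in production.",
                 r"stack trace:|exception in thread"),
    banner_test("Placeholder legacy framework banner", "Medium",
                "Impact: an outdated component is advertised. Fix: upgrade it and suppress version headers.",
                "X-Powered-By", lambda v: v.startswith("LegacyFramework/1.")),
]

# Constructed responses standing in for what the explore and test phases captured.
SAMPLE_RESPONSES: List[Response] = [
    Response("/login", 200, {"Server": "Apache"}, "<html>Welcome, please sign in.</html>"),
    Response("/search?q=test", 500, {"Server": "Apache"},
             "Error: Unclosed quotation mark before the character string 'test'."),
    Response("/debug", 200, {"Server": "Apache"}, "Stack trace: at Example.Handler.run (constructed)"),
    Response("/admin", 200, {"Server": "Apache", "X-Powered-By": "LegacyFramework/1.2 (placeholder)"},
             "<html>Admin</html>"),
]


def scan(tests: List[UserDefinedTest] = TESTS,
         responses: List[Response] = SAMPLE_RESPONSES) -> List[Issue]:
    return run_tests(tests, responses)


if __name__ == "__main__":
    for issue in scan():
        print(f"[{issue.severity}] {issue.test} at {issue.url}: {issue.evidence}")
    print(issues_by_severity(scan()))
```

Keeping the validation criterion as a function that returns evidence, rather than a bare boolean, is what lets the advisory text in the report point at the exact string or header that fired; the enabled flag mirrors the per-scan on/off switch the answer mentions.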
14. Q: If I have a Web Application Firewall installed, do I need to scan my application with AppScan?

A: Achieving good security (physical, network and/or application) is all about adding more and more layers of protection. There is no silver bullet solution for security. Let's take network security as an example: everyone knows that you shouldn't leave a server unpatched even if it is behind a firewall, because if the firewall is not configured properly, or if someone manages to bypass the firewall, then the server is left totally exposed. Application security is not much different: it's all about adding more and more layers of protection. You can scan the source code in order to make sure that the code is robust and doesn't contain low-level problems (such as buffer overflows); you can scan the web application using a Blackbox approach (using AppScan) to help ensure that problems such as SQL Injection, XSS, other kinds of parameter tampering attacks and even logical problems do not exist; and you can also use an application firewall in order to supply another layer of protection in front of the application. In addition, since application firewalls are complex pieces of software that require a lot of configuration, they are error-prone. Using AppScan together with a web application firewall provides assurance that your application firewall has been properly configured.

About Watchfire

Watchfire provides Online Risk Management software and services to help ensure the security and compliance of websites. More than 500 enterprises and government agencies, including AXA Financial, SunTrust, HSBC, Vodafone, Veterans Affairs and Dell, rely on Watchfire to audit and report on issues impacting their online business. Watchfire has been the recipient of several industry honors, including the HP/IAPP Privacy Innovation Award, InfoSecurity Product Guide's Hot Security Company 2006, Computerworld's Innovative Technology Award, and a Recommended rating by Computer Reseller News. Watchfire was named by Gartner and IDC as the worldwide market-share leader in web application vulnerability assessment software. Watchfire's partners include IBM Global Services, Sapient, WebTrends, PricewaterhouseCoopers, Fortify, Microsoft, Interwoven, EMC Documentum and Mercury. Watchfire is headquartered in Waltham, MA. For more information, please visit
More information(WAPT) Web Application Penetration Testing
(WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:
More informationPassing PCI Compliance How to Address the Application Security Mandates
Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These
More informationBank Hacking Live! Ofer Maor CTO, Hacktics Ltd. ATC-4, 12 Jun 2006, 4:30PM
Bank Hacking Live! Ofer Maor CTO, Hacktics Ltd. ATC-4, 12 Jun 2006, 4:30PM Agenda Introduction to Application Hacking Demonstration of Attack Tool Common Web Application Attacks Live Bank Hacking Demonstration
More informationWeb application security: Testing for vulnerabilities
Web application security: Testing for vulnerabilities Using open source tools to test your site Jeff Orloff Technology Coordinator/Consultant Sequoia Media Services Inc. Skill Level: Intermediate Date:
More informationelearning for Secure Application Development
elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security
More informationIBM Rational AppScan: enhancing Web application security and regulatory compliance.
Strategic protection for Web applications To support your business objectives IBM Rational AppScan: enhancing Web application security and regulatory compliance. Are untested Web applications putting your
More informationApplication Security Testing
Tstsec - Version: 1 09 July 2016 Application Security Testing Application Security Testing Tstsec - Version: 1 4 days Course Description: We are living in a world of data and communication, in which the
More informationClient vs. Server Implementations of Mitigating XSS Security Threats on Web Applications
Journal of Basic and Applied Engineering Research pp. 50-54 Krishi Sanskriti Publications http://www.krishisanskriti.org/jbaer.html Client vs. Server Implementations of Mitigating XSS Security Threats
More informationOrganizations Should Implement Web Application Security Scanning
Research Publication Date: 21 September 2005 ID Number: G00130869 Organizations Should Implement Web Application Security Scanning Amrit T. Williams, Neil MacDonald Web applications are prone to vulnerabilities
More informationIBM Rational AppScan: Application security and risk management
IBM Software Security November 2011 IBM Rational AppScan: Application security and risk management Identify, prioritize, track and remediate critical security vulnerabilities and compliance demands 2 IBM
More informationDISCOVERY OF WEB-APPLICATION VULNERABILITIES USING FUZZING TECHNIQUES
DISCOVERY OF WEB-APPLICATION VULNERABILITIES USING FUZZING TECHNIQUES By Michael Crouse Dr. Errin W. Fulp, Ph.D., Advisor Abstract The increasingly high volume of users on the web and their use of web
More informationWeb Application Hacking (Penetration Testing) 5-day Hands-On Course
Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Course Description Our web sites are under attack on a daily basis
More informationAdvanced Administration for Citrix NetScaler 9.0 Platinum Edition
Advanced Administration for Citrix NetScaler 9.0 Platinum Edition Course Length: 5 Days Course Code: CNS-300 Course Description This course provides the foundation to manage, configure and monitor advanced
More informationApplication Firewall Overview. Published: February 2007 For the latest information, please see http://www.microsoft.com/iag
Application Firewall Overview Published: February 2007 For the latest information, please see http://www.microsoft.com/iag Contents IAG Application Firewall: An Overview... 1 Features and Benefits... 2
More informationLearn Ethical Hacking, Become a Pentester
Learn Ethical Hacking, Become a Pentester Course Syllabus & Certification Program DOCUMENT CLASSIFICATION: PUBLIC Copyrighted Material No part of this publication, in whole or in part, may be reproduced,
More informationApplication Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group
Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group Overview What is Application Security? Examples of Potential Vulnerabilities Potential Strategies
More informationSTOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect
STOPPING LAYER 7 ATTACKS with F5 ASM Sven Müller Security Solution Architect Agenda Who is targeted How do Layer 7 attacks look like How to protect against Layer 7 attacks Building a security policy Layer
More informationWeb application testing
CL-WTS Web application testing Classroom 2 days Testing plays a very important role in ensuring security and robustness of web applications. Various approaches from high level auditing through penetration
More informationWHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats
WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top
More informationAcunetix Web Vulnerability Scanner. Manual V6.5. By Acunetix Ltd.
Acunetix Web Vulnerability Scanner Manual V6.5 By Acunetix Ltd. Acunetix Ltd. http://www.acunetix.com E-mail: info@acunetix.com Information in this document is subject to change without notice. Companies,
More informationHow To Protect A Web Application From Attack From A Trusted Environment
Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls
More informationUsing Free Tools To Test Web Application Security
Using Free Tools To Test Web Application Security Speaker Biography Matt Neely, CISSP, CTGA, GCIH, and GCWN Manager of the Profiling Team at SecureState Areas of expertise: wireless, penetration testing,
More informationAdobe Systems Incorporated
Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...
More informationHP WebInspect Tutorial
HP WebInspect Tutorial Introduction: With the exponential increase in internet usage, companies around the world are now obsessed about having a web application of their own which would provide all the
More informationThreat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP
Threat Modeling Categorizing the nature and severity of system vulnerabilities John B. Dickson, CISSP What is Threat Modeling? Structured approach to identifying, quantifying, and addressing threats. Threat
More informationPenetration Testing. NTS330 Unit 1 Penetration V1.0. February 20, 2011. Juan Ortega. Juan Ortega, juaorteg@uat.edu. 1 Juan Ortega, juaorteg@uat.
1 Penetration Testing NTS330 Unit 1 Penetration V1.0 February 20, 2011 Juan Ortega Juan Ortega, juaorteg@uat.edu 1 Juan Ortega, juaorteg@uat.edu 2 Document Properties Title Version V1.0 Author Pen-testers
More informationAcunetix Website Audit. 5 November, 2014. Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build 20120808)
Acunetix Website Audit 5 November, 2014 Developer Report Generated by Acunetix WVS Reporter (v8.0 Build 20120808) Scan of http://filesbi.go.id:80/ Scan details Scan information Starttime 05/11/2014 14:44:06
More informationInformation Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified
Standard: Data Security Standard (DSS) Requirement: 6.6 Date: February 2008 Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Release date: 2008-04-15 General PCI
More information90% of data breaches are caused by software vulnerabilities.
90% of data breaches are caused by software vulnerabilities. Get the skills you need to build secure software applications Secure Software Development (SSD) www.ce.ucf.edu/ssd Offered in partnership with
More informationT320 E-business technologies: foundations and practice
T320 E-business technologies: foundations and practice Block 3 Part 2 Activity 2: Generating a client from WSDL Prepared for the course team by Neil Simpkins Introduction 1 WSDL for client access 2 Static
More informationETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001
001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110
More informationBarracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper
Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper Securing Web Applications As hackers moved from attacking the network to attacking the deployed applications, a category
More informationBitrix Site Manager ASP.NET. Installation Guide
Bitrix Site Manager ASP.NET Installation Guide Contents Introduction... 4 Chapter 1. Checking for IIS Installation... 5 Chapter 2. Using An Archive File to Install Bitrix Site Manager ASP.NET... 7 Preliminary
More informationBug Report. Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca)
Bug Report Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca) Software: Kimai Version: 0.9.1.1205 Website: http://www.kimai.org Description: Kimai is a web based time-tracking application.
More informationSENSITIVE AUSTRALIAN SPORTS COMMISSION ATHLETE MANAGEMENT SYSTEM (AMS) SMARTBASE SECURITY TEST PLAN. Final. Version 1.0
SENSITIVE AUSTRALIAN SPORTS COMMISSION ATHLETE MANAGEMENT SYSTEM (AMS) SMARTBASE SECURITY TEST PLAN Final Version 1.0 Preconditions This security testing plan is dependent on the following preconditions:
More informationSecure Web Development Teaching Modules 1. Threat Assessment
Secure Web Development Teaching Modules 1 Threat Assessment Contents 1 Concepts... 1 1.1 Software Assurance Maturity Model... 1 1.2 Security practices for construction... 3 1.3 Web application security
More informationWeb Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure
Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences
More informationFINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE
Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security
More informationLecture 11 Web Application Security (part 1)
Lecture 11 Web Application Security (part 1) Computer and Network Security 4th of January 2016 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 11, Web Application Security (part 1)
More informationKASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com
KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global
More informationWEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY
WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities
More informationWeb Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability
Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability WWW Based upon HTTP and HTML Runs in TCP s application layer Runs on top of the Internet Used to exchange
More informationSecure Web Development Teaching Modules 1. Security Testing. 1.1 Security Practices for Software Verification
Secure Web Development Teaching Modules 1 Security Testing Contents 1 Concepts... 1 1.1 Security Practices for Software Verification... 1 1.2 Software Security Testing... 2 2 Labs Objectives... 2 3 Lab
More informationWeb App Security Audit Services
locuz.com Professional Services Web App Security Audit Services The unsecured world today Today, over 80% of attacks against a company s network come at the Application Layer not the Network or System
More informationHögskoleexamen. Web application Security. Sektionen för informationsvetenskap, data- och elektroteknik. Rapport för Högskoleexamen, January 2013
Rapport för Högskoleexamen, January 2013 Högskoleexamen Sektionen för informationsvetenskap, data- och elektroteknik Web application Security Jose Enrique Charpentier Rojas Web application security Network
More information1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications
1. Introduction 2. Web Application 3. Components 4. Common Vulnerabilities 5. Improving security in Web applications 2 What does World Wide Web security mean? Webmasters=> confidence that their site won
More informationCommon Security Vulnerabilities in Online Payment Systems
Common Security Vulnerabilities in Online Payment Systems Author- Hitesh Malviya(Information Security analyst) Qualifications: C!EH, EC!SA, MCITP, CCNA, MCP Current Position: CEO at HCF Infosec Limited
More informationInformation Technology Policy
Information Technology Policy Enterprise Web Application Firewall ITP Number ITP-SEC004 Category Recommended Policy Contact RA-ITCentral@pa.gov Effective Date January 15, 2010 Supersedes Scheduled Review
More informationCSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities
CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities Thomas Moyer Spring 2010 1 Web Applications What has changed with web applications? Traditional applications
More informationWeb Application Security
Web Application Security Ng Wee Kai Senior Security Consultant PulseSecure Pte Ltd About PulseSecure IT Security Consulting Company Part of Consortium in IDA (T) 606 Term Tender Cover most of the IT Security
More informationChallenges of Automated Web Application Scanning
1 Challenges of Automated Web Application Scanning "Why automated scanning only solves half the problem." Blackhat Windows 2004 Seattle, WA Jeremiah Grossman (CEO) WhiteHat Security, Inc. 2 Speaker Bio
More informationSANDCAT THE WEB APPLICATION SECURITY ASSESSMENT SUITE WHAT IS SANDCAT? MAIN COMPONENTS. Web Application Security
SANDCAT WHAT IS SANDCAT? THE WEB APPLICATION SECURITY ASSESSMENT SUITE Sandcat is a hybrid multilanguage web application security assessment suite - a software suite that simulates web-based attacks. Sandcat
More informationNSFOCUS Web Vulnerability Scanning System
NSFOCUS Web Vulnerability Scanning System Overview Most Web application systems are tailor-made and delivered in source codes by Customer Benefits Accurate Analysis on Website Vulnerabilities Fast scan
More informationNetWrix SQL Server Change Reporter. Quick Start Guide
NetWrix SQL Server Change Reporter Quick Start Guide NetWrix SQL Server Change Reporter Quick Start Guide Contents Introduction...3 Product Features...3 Licensing...4 How It Works...5 Getting Started...6
More informationBasic & Advanced Administration for Citrix NetScaler 9.2
Basic & Advanced Administration for Citrix NetScaler 9.2 Day One Introducing and deploying Citrix NetScaler Key - Brief Introduction to the NetScaler system Planning a NetScaler deployment Deployment scenarios
More informationIntegrating Web Application Security into the IT Curriculum
Integrating Web Application Security into the IT Curriculum James Walden Northern Kentucky University Topics 1. 2. 3. 4. Why should we teach web application security? What material do we need to cover?
More informationIJMIE Volume 2, Issue 9 ISSN: 2249-0558
Survey on Web Application Vulnerabilities Prevention Tools Student, Nilesh Khochare* Student,Satish Chalurkar* Professor, Dr.B.B.Meshram* Abstract There are many commercial software security assurance
More informationWeb Engineering Web Application Security Issues
Security Issues Dec 14 2009 Katharina Siorpaes Copyright 2009 STI - INNSBRUCK www.sti-innsbruck.at It is NOT Network Security It is securing: Custom Code that drives a web application Libraries Backend
More information