TECHNOLOGY TRANSFER PRESENTS
KEN VAN WYK
Fundamentals of Secure Coding and how to break Software
MARCH 19-23, 2007
RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME (ITALY)
info@technologytransfer.it
FUNDAMENTALS OF SECURE CODING AND HOW TO BREAK SOFTWARE

ABOUT THIS SEMINAR
Everyone, whether they write protocols or internal processes, is responsible for using secure programming techniques to minimize the adverse effects of attacks, testing the code for software security and knowing how to fix the software for security. This 3-part, 5-day class delivers the best of all the Software Security classes and more. It includes items that are defensive in nature (e.g. checking error return codes before use, other data structures that should have been created, or protecting against using a pointer after it has been released). It also covers how to prevent attacks and a step-by-step process to fix software, and lastly provides solutions and countermeasures to protect your code. Lastly, it's about the Web as the Internet's killer app. Web servers are the target of choice for hackers. 97% of all Web applications are vulnerable, and better network security isn't the only answer. We will explore a model for Web application testing as well as Web application concerns including accountability, availability, confidentiality and integrity. We will go well beyond the OWASP 10 to look at 19 specific Web application attacks, including attacking the client, state, data and the server.

WHO SHOULD ATTEND
Software Testers
Software Developers
Development and Test Managers
Security Auditors, and anyone involved in software production for resale or internal use will find it valuable
Information Security and IT Managers
Information Assurance Programmers
Information Security Analysts and Consultants
Internal Auditors and Audit Consultants
QA Specialists
The participants are kindly requested to bring their laptop with wireless connection capability.
OUTLINE

PART A

1. Introduction to Software Security: Common Software Coding and Design Errors and Flaws
Students will learn about the range of software development errors and flaws that create application security, reliability, availability and confidentiality failures. Specifically, in this section we will deal with those vulnerabilities that are common across language implementations (C, C++ and Java). For each vulnerability type, the course will cover real-world examples, illustrated in code, of failures along with methods to find, fix and prevent each type of flaw.
System-Level: Accepting Arbitrary Files as Parameters; Default or Weak Passwords; Permitting Relative and Default Paths; Offering Administrative, Software and Service Back Doors; Dynamic Linking and Loading; Shells, Scripts and Macros
Data Issues: Parsing Problems; Integer Overflows
Information Disclosure: Storing Passwords in Plain Text; The Swap File and Incomplete Deletes; Creating Temporary Files; Leaving Things in Memory; Weakly-Seeded Keys and Random Number Generation
On the Wire: Trusting the Identity of a Remote Host (Spoofing); Volunteering Too Much Information; Proprietary Protocols; Loops, Self References and Race Conditions
Tools

2. Web Vulnerabilities
The Web is different. We will address common Web vulnerabilities, how to find them and how to prevent them.
Web Sites: Cross Site Scripting; Forceful Browsing; Parameter Tampering; Cookie Poisoning; Trusting SSL; Hidden Field Manipulation; SQL Injection; Security on the Client; Trusting the Domain Security Model

3. Defensive Coding Principles
This section is designed to educate developers and testers on the general principles of Secure Coding. This includes a historical perspective on software failure, when good design goes bad, and 18 defensive coding principles to live by.

4. Security Testing and Quality Assurance
This includes the difference between functional and security testing, understanding an application's entry points, and spotting three classes of security bugs: dangerous inputs, rigged environment and logic vulnerabilities.

PART B

Gathering Information on the Target
How Web apps are built
Attack 1: Looking for information in HTML comments
Attack 2: Guessing filenames and directories
Attack 3: Vulnerabilities in example applications

Attacking the Client
The need for a rich UI
Attack 4: Selections outside of ranges
Attack 5: Client side validation

Attacking State
Why state is important
Attack 6: Hidden fields
Attack 7: CGI parameters
Attack 8: Cookies
Attack 8: Forceful browsing
Attack 9: Session hijacking

Attacking Data
Attack 10: Cross-site scripting
Attack 11: SQL Injection
Attack 12: Directory traversal
Attack 13: Buffer overflows
Attack 14: Canonicalization
Attack 15: Null-string attacks

Attacking the Server
Attack 17: SQL injection II: stored procedures
Attack 18: Command injection
Attack 19: Fingerprinting the server
Attack 20: Death by 1,000 cuts (DoS)
Attack 19: Fake cryptography
Attack 20: Breaking basic authentication
Attack 21: Cross Site Tracing

Web Services
Moving to Web Services
Common Attacks
Constraints on input and output
Attack 22: Web Services specific attacks

Privacy
Who you are, where you have been
Methods for gathering data

Tool Support
A review of Web security/vulnerability scanning tools
Introduction to HolodeckWeb

PART C

A step-by-step methodology and models for effective software testing
A plan for on-the-fly testing
How to develop an insight to find those hard-to-find bugs
How to attack Inputs and Outputs from the User Interface
How to attack Data and Computation from the User Interface
How to attack the File System Interface
How to attack the Software/OS Interface
How to use tools to inject faults for File System and OS testing

Live Vulnerability and Exploit Tour
This is the core of the class. In this section, attendees will go through a wide range of software vulnerabilities and labs to show sample exploits of these vulnerabilities live. Labs include cross-site scripting, SQL injection, buffer overflows, format string vulnerabilities, and many other software vulnerabilities. Attendees gain awareness and key insights into these vulnerability types, the ease with which the attacker community can exploit them, and what to do to prevent these critical attacks.

Tools and Threats
The threat is growing, and so is the number of tools that lower the bar for attackers. This section takes the attendees inside the underground world of attacker tools.

Thinking like the Attacker: Threat Modeling
A critical step in securing software or a system is to methodically think through threats. In this section we present several techniques for threat modeling and also walk the audience through the process of modeling threats against several systems.

Incorporating Threats into Software/System Design, Development, Testing and Deployment
By thinking about threats at each stage of the development lifecycle, we can make software and systems that are more resilient to attack. Attendees will walk away with an introduction to tools and techniques to build security in. We sneak in Reverse Engineering too.
INFORMATION

PARTICIPATION FEE
2500
The fee includes all seminar documentation, luncheon and coffee breaks.

VENUE
Residenza di Ripetta
Via di Ripetta, 231
Rome (Italy)

SEMINAR TIMETABLE
9.30 am pm
2.00 pm pm

HOW TO REGISTER
You must send the registration form with the receipt of the payment to:
TECHNOLOGY TRANSFER S.r.l.
Piazza Cavour, Rome (Italy)
Fax
within March 5, 2007

PAYMENT
Wire transfer to: Technology Transfer S.r.l.
Banca Intesa Sanpaolo S.p.A.
Agenzia 3 di Roma
Iban Code: IT-34-Y

GENERAL CONDITIONS
If anyone registered to participate is unable to attend, a substitute may participate in their place. A full refund is given for any cancellation received more than 15 days before the seminar starts. Cancellations less than 15 days prior to the event are liable for 50% of the fee. Cancellations less than one week prior to the event are liable for the full fees as invoiced. In case of cancellation of the seminar, Technology Transfer's responsibility only applies to the refund of the participation fees which have already been forwarded.

KEN VAN WYK
FUNDAMENTALS OF SECURE CODING AND HOW TO BREAK SOFTWARE
March 19-23, 2007
Residenza di Ripetta, Via di Ripetta, 231, Rome (Italy)
Registration fee: 2500
first name...
surname...
job title...
organisation...
address...
postcode...
city...
country...
telephone...
fax...
Stamp and signature
If registered participants are unable to attend, or in case of cancellation of the seminar, the general conditions mentioned before are applicable.
Send your registration form with the receipt of the payment to:
Technology Transfer S.r.l.
Piazza Cavour, Rome (Italy)
Tel
Fax
info@technologytransfer.it
SPEAKER
Ken Van Wyk is an internationally recognized information security expert and author of the O'Reilly and Associates books Incident Response and Secure Coding. In addition to providing consulting and training services through his company, KRvW Associates, LLC, he currently holds numerous positions: as a monthly columnist for the on-line security portal esecurityplanet and as a Visiting Scientist at Carnegie Mellon University's Software Engineering Institute. Mr. Van Wyk has 20+ years of experience as an IT Security practitioner in the academic, military, and commercial sectors. Mr. Van Wyk also served a two-year elected position as a member of the Steering Committee for the Forum of Incident Response and Security Teams (FIRST) organization. At the Software Engineering Institute of Carnegie Mellon University, Mr. Van Wyk was one of the founders of the Computer Emergency Response Team (CERT).
More informationSecure Code Development
ISACA South Florida 7th Annual WOW! Event Copyright Elevate Consult LLC. All Rights Reserved 1 Agenda i. Background ii. iii. iv. Building a Business Case for Secure Coding Top-Down Approach to Develop
More informationSecurity Testing. How security testing is different Types of security attacks Threat modelling
Security Testing How security testing is different Types of security attacks Threat modelling Note: focus is on security of applications (not networks, operating systems) Security testing is about making
More informationWeb Applications The Hacker s New Target
Web Applications The Hacker s New Target Ross Tang IBM Rational Software An IBM Proof of Technology Hacking 102: Integrating Web Application Security Testing into Development 1 Are you phished? http://www.myfoxny.com/dpp/your_money/consumer/090304_facebook_security_breaches
More informationYour Web and Applications
Governance and Risk Management Your Web and Applications The Hacker s New Target Anthony Lim MBA CISSP CSSLP FCITIL Director, Security, Asia Pacific Rational Software Social Engineering in the Business
More informationSecuring ios Applications. Dr. Bruce Sams, OPTIMAbit GmbH
Securing ios Applications Dr. Bruce Sams, OPTIMAbit GmbH About Me President of OPTIMAbit GmbH Responsible for > 200 Pentests per Year Ca 50 ios Pentests and code reviews in the last two years. Overview
More informationApplication Security and the SDLC. Dan Cornell Denim Group, Ltd. www.denimgroup.com
Application Security and the SDLC Dan Cornell Denim Group, Ltd. www.denimgroup.com Overview Background What is Application Security and Why is It Important? Specific Reference Examples Integrating Security
More informationRational AppScan & Ounce Products
IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168
More informationCheck list for web developers
Check list for web developers Requirement Yes No Remarks 1. Input Validation 1.1) Have you done input validation for all the user inputs using white listing and/or sanitization? 1.2) Does the input validation
More informationDevelopment. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group,
Secure and Resilient Software Development Mark S. Merkow Lakshmikanth Raghavan CRC Press Taylor& Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor St Francis Group, an Informs
More informationE-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications
Learning objectives E-commerce Security Threats and Protection Mechanisms. This lecture covers internet security issues and discusses their impact on an e-commerce. Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html
More informationHow to Build a Trusted Application. John Dickson, CISSP
How to Build a Trusted Application John Dickson, CISSP Overview What is Application Security? Examples of Potential Vulnerabilities Strategies to Build Secure Apps Questions and Answers Denim Group, Ltd.
More informationSENSITIVE AUSTRALIAN SPORTS COMMISSION ATHLETE MANAGEMENT SYSTEM (AMS) SMARTBASE SECURITY TEST PLAN. Final. Version 1.0
SENSITIVE AUSTRALIAN SPORTS COMMISSION ATHLETE MANAGEMENT SYSTEM (AMS) SMARTBASE SECURITY TEST PLAN Final Version 1.0 Preconditions This security testing plan is dependent on the following preconditions:
More informationFINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE
Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security
More informationSix Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business
6 Six Essential Elements of Web Application Security Cost Effective Strategies for Defending Your Business An Introduction to Defending Your Business Against Today s Most Common Cyber Attacks When web
More informationG- Cloud Specialist Cloud Services. Security and Penetration Testing. Overview
Description C Service Overview G- Cloud Specialist Cloud Services Security and Penetration Testing This document provides a description of TVS s Security and Penetration Testing Service offered under the
More informationPayment Card Industry (PCI) Terminal Software Security. Best Practices
Payment Card Industry (PCI) Terminal Software Security Best Version 1.0 December 2014 Document Changes Date Version Description June 2014 Draft Initial July 23, 2014 Core Redesign for core and other August
More informationThreat Modeling. Frank Piessens (Frank.Piessens@cs.kuleuven.be ) KATHOLIEKE UNIVERSITEIT LEUVEN
Threat Modeling Frank Piessens (Frank.Piessens@cs.kuleuven.be ) Secappdev 2007 1 Overview Introduction Key Concepts Threats, Vulnerabilities, Countermeasures Example Microsoft s Threat Modeling Process
More informationOverview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs
Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks
More informationMicrosoft STRIDE (six) threat categories
Risk-based Security Testing: Prioritizing Security Testing with Threat Modeling This lecture provides reference material for the book entitled The Art of Software Security Testing by Wysopal et al. 2007
More information