Web Application Security Roadmap
|
|
- Maximillian Perkins
- 7 years ago
- Views:
Transcription
1 Web Application Security Roadmap Joe White Cyberlocksmith April 2008 Version 0.9
2 Background Web application security is still very much in it s infancy. Traditional operations teams do not understand web application security risk and are ill-equipped to defend against web application threats. Many companies are wrestling with web application security and assigning ownership of the entire web application security effort to one person but these companies are still trying to figure out where this person fits into the organization. Security turf battles are inevitable in these situations. There is no clear separation between where web application security stops and traditional operations security begins.
3 Audience for this presentation Your company does not fully understand how to manage web application security risk. You have been assigned ownership of web application security and you are wrestling with prioritizing and scoping the challenges ahead of you. You are engaged in a security turf battle with your operations security team and your operations security team does not adequately understand web application security risks. You need help proactively managing expectations for securing your web applications.
4 Purpose of this presentation Let you know that you are not alone and that many other security professionals are wrestling with similar web application security concerns and issues. Offer a roadmap for your next steps that will build the confidence of your peers and management in your abilities to manage web application security risk. Help you to proactively manage the expectations of your senior management. Ensure that you understand the current industry best practices for securing web applications. Help you to succeed.
5 Disclaimer This presentation is intended to assist Security professionals by offering objective guidance for deploying effective Web Application Security solutions that are consistent with current industry Best Practices. This Web Application Security Roadmap will include approximate time and expense estimates pulled from a combination of personal experiences and informal colleague discussions. However, your mileage may vary. Vendor references are supplied as reference and are intended to be objective and informative. This presentation is independent of any official vendor affiliation. No vendor was harmed during the making of this presentation.
6 Web Application Security Roadmap Objectives Find Web Application vulnerabilities Address Web Application vulnerabilities Monitor/detect Web Application compromise attempts Decide upon threat classification framework and scoring model Develop Web Application Incident Response plan Scope/prioritize internal Web Application specific projects Proactively increase security awareness Threat Modeling (TM) and Data Flow Diagrams (DFDs) Manual Code Review (outside expert) Other possible Roadmap items to consider Internal projects
7 Find Web Application vulnerabilities Automated component Choose the automated web application security assessment tool that works best with your web application technology. Make sure you are addressing all internet facing web application exposure. Deploy Static Source code analysis tool to scan for security vulnerabilities within the source code. Manual component Manual web application security assessment is required to compliment the automated assessment above. Work to better educate manual assessment teams of the way your web application functions so they can better detect logic flaws and other pieces likely to be missed by automated scans. Integrate both peer code review and manual review of the static source code analysis results into your development life cycle.
8 Find Web Application vulnerabilities - 2 Web Application Security Assessment vendors AppScan - Watchfire ( Core Impact - Core Security ( Hailstorm - Cenzic ( NTOSpider - NT OBJECTives ( WebInspect - SPI Dynamics ( WhiteHat Sentinel - WhiteHat Security ( Static Source Code Analysis vendors Fortify - Fortify Software ( Ounce - Ounce Labs ( Veracode (
9 Find Web Application vulnerabilities - 3 Web Application Security assessment CapEx and deployment times 30 days to evaluate each vendor if conducting a bake-off 0-4 weeks to deploy chosen tool after the evaluation phase CapEx for web application security assessment tools will vary between vendors. Budget for 25K - 50K. Static Source Code Analysis CapEx and implementation times 30 days to evaluate each vendor if conducting a bake-off 3-6 weeks to deploy chosen tool after the evaluation phase CapEx for static source analysis tools will vary between vendors and will likley depend on the chosen deployment scenario as well as how many developers will be using the tool. One FTE should be expected to manage the tool, depending on the scale of environment. Budget for 50K - 100K (1K - 3K per developer).
10 Address Web Application vulnerabilities Mitigate immediate internet facing risk Block your exposure from web application vulnerabilities as close as possible to when they are discovered. THIS IS CRITICAL! Buys you time to fix vulnerabilities in the underlying code. Web Application Firewall (WAF) will minimize threat window for each exposure by blocking access to vulnerability until the vulnerability can be fixed in the code. Address vulnerabilities in the code Web application security assessment tool should assist in locating specific code level changes that need to be made Static Source Code analysis will point directly to specific code level changes that need to be made If possible, map your web application vulnerabilities directly to your bug tracking system.
11 Address Web Application vulnerabilities - 2 Web Application firewall (WAF) vendors WebDefend - Breach ( ModSecurity - Open Source ( support offered by Breach SecureSphere - Imperva ( Application Security Manager - F5 ( Citrix Application Firewall - Citrix ( Web Application Controller - Barracuda ( Honorable mention Fortify Real-Time Analysis (RTA) (Formerly called Fortify Defender) (
12 Address Web Application vulnerabilities - 3 Web Application Firewall CapEx and deployment times 30 days to evaluate each vendor if conducting a bake-off 4-8 weeks to deploy chosen tool after the evaluation phase Ongoing management and fine-tuning can be expected after deployment CapEx for Web Application Firewalls will vary between vendors. Expect approx. 25K-40K per appliance and you will need at least two for redundancy. Budget for 75K-100K
13 Detect Web Application compromise attempts Deploy Web Application Firewall (WAF)
14 What is a Web Application Firewall? Looks at Web Application (Layer 7) data and acts upon it. Similar to a traditional network (Layer 4) firewall,. But not really a firewall after all More like a gateway than a firewall, But not really like a gateway either
15 Where Web Application Firewall fits into traditional deployment architecture.
16 Traditional network layer security is blind to application layer threats
17 Web Application Firewall Use Cases (Ivan Ristic s Blog, ModSecurity author) Web intrusion detection and prevention! Continuous security assessment! Virtual (or just-in-time) patching! HTTP traffic logging and monitoring! Network building blocks! Web application hardening
18 Detect Web Application compromise attempts Deploy Web Application Firewall (WAF) You cannot protect what you cannot see.
19 Detect Web Application compromise attempts Deploy Web Application Firewall (WAF) You cannot protect what you cannot see.
20 Detect Web Application compromise attempts Deploy Web Application Firewall (WAF) You cannot protect what you cannot see. You will need greater visibility into application layer traffic. This is usually the piece that traditional operations security folks do not understand. WAF should monitor and detect application anomalies and compromise attempts from users. WAF offers greater visibility into application security events. As WAF market matures, you can expect the WAF to be fed real-time vulnerabilities by your web application security assessment tool in order to proactively block newly discovered attacks. The tricky part here is that you will likely need the help of the traditional operations security guys in order to successfully deploy your WAF into production environment.
21 Decide upon threat classification framework Lots of framework options available to choose from. Check out WASC and OWASP for more guidance here. Should be consistent with the web application security assessment tool you have chosen Whitehat Sentinel uses Web Application Security Consortium Threat Classification scheme ( Authentication Authorization Client-side Attacks Command Execution Information Disclosure Logical Attacks
22 Develop Web Application Incident Response plan This is the piece overlooked by most organizations. You do NOT want to be blind-sided by a web application security event while you are earning the trust of both your management and peers. The operations security guys may actually want you to fail. Expect a lot of policy writing and approx. 4-8 weeks until total sign-off A web Application focused Incident Response plan will: 1. offer a predetermined course of action in the event of an Application Security incident. 2. allow for an expedited reaction to an application incident or occurrence. 3. leverage all tools/personnel available in a timely, effective and predetermined way. 4. Build confidence within your organization of your abilities.
23 Scope/prioritize internal Web Application specific projects Ideally, you should try to build the general foundation for web application security as referenced in the prior slides before addressing the sample internal projects listed below. If necessary you can do them concurrently but understand that you will need to build a strong web application security foundation as soon as possible in order to be successful. Integrate security into SDLC Secured development lifecycle Secure design review Web Services / API architecture Document coding standards Integrate security into QA process Remote access to source code from offshore developers Integrate security into your application design process Tighten up the platform framework Internal projects
24 Increase security awareness Executive web application security risk awareness Developer Training Java black belt ( Online development courses Recurring Presentations/events Security hack contests (hack-a-thon) Secure development training Strive to get everyone to start thinking like an attacker Internal projects
25 Threat Modeling and Data Flow Diagrams Threat Modeling Understand all entry and exit points into the web application Understand threat scenarios Understand trust boundaries in the application Understand most likely data to be targeted by attackers Know your crown jewels Data Flow Diagrams Understand anticipated user activity within the application flow Understand expected data flow from one application component to the next Internal projects
26 Manual code review (outside expert) Manual line-by-line code review for all application code by a Subject Matter Expert (SME) in your application technology. Include all tiers in the application architecture: client side within presentation tier the application tier the backend database tier If budget restrictions require you to prioritize between tiers, address internet facing code first and then move on to application tier and then backend database tier. Note: if presentation tier in your architecture can make database calls directly then you will need to review all code at the same time. CapEx should be budgeted at between K. A phased approach may spread the cost across multiple quarters/years. Internal projects
27 Other possible Roadmap items to consider Distributed Denial of Service Attacks (DDoS) WAF should offer defense against Web Application Denial of Service (DoS) attacks up to a point but it is not clear how much defense WAF will offer against a focused and coordinated DDoS attack. May require additional services from co-lo and/or upstream ISP. Anti-Phishing Companies/Services offer focused defense against targeted phishing and other attacks at your organization s brand name. These brand protection services are great to have in advance but can usually be ramped up quickly after targeted attacks are discovered. Security Center Reporting features of WAF should be available for users to increase security awareness and proactively address security weaknesses. Web Application Security metrics Internal projects
28 Just remember this, Information security risks and threats change over time. You must adapt to these changes. Web application security is the current threat that you need to understand and be adapting to. If you are new to web application security, it is OK because there is still time to change and adapt. Don t be an information security dinosaur!
29 Questions????? Latest version of this presentation:
Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP
Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Learning objectives for today s session Understand different types of application assessments and how they differ Be
More informationCenzic Product Guide. Cloud, Mobile and Web Application Security
Cloud, Mobile and Web Application Security Table of Contents Cenzic Enterprise...3 Cenzic Desktop...3 Cenzic Managed Cloud...3 Cenzic Cloud...3 Cenzic Hybrid...3 Cenzic Mobile...4 Technology...4 Continuous
More informationStaying Ahead of the Hacker Curve Turn-key Web Application Security Solution
White Paper and Cenzic Staying Ahead of the Hacker Curve Turn-key Web Application Security Solution Website Testing / Vulnerability Scanning (Cenzic) & Web Application Firewall (Citrix) www.citrix.com
More informationLearning objectives for today s session
Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Learning objectives for today s session Understand what a black box and white box assessment is and how they differ Identify
More informationComplete Web Application Security. Phase1-Building Web Application Security into Your Development Process
Complete Web Application Security Phase1-Building Web Application Security into Your Development Process Table of Contents Introduction 3 Thinking of security as a process 4 The Development Life Cycle
More informationCORE Security and the Payment Card Industry Data Security Standard (PCI DSS)
CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) Addressing the PCI DSS with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com
More informationProactive risk mitigation within the Software Development Lifecycle (SDLC)
Proactive risk mitigation within the Software Development Lifecycle (SDLC) Real world examples that have worked for me, Joe White, CISSP, CSSLP joe@cyberlocksmith.com @cyberlocksmith 20+ years technical
More informationRealize That Big Security Data Is Not Big Security Nor Big Intelligence
G00245789 Realize That Big Security Data Is Not Big Security Nor Big Intelligence Published: 19 April 2013 Analyst(s): Joseph Feiman Security intelligence's ultimate objective, enterprise protection, is
More informationOpenSAMM Software Assurance Maturity Model
Libre Software Meeting Brussels 10-July-2013 The OWASP Foundation http://www.owasp.org Open Software Assurance Maturity Model Seba Deleersnyder seba@owasp.org OWASP Foundation Board Member OWASP Belgium
More informationRational AppScan & Ounce Products
IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168
More informationHow to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP
How to start a software security initiative within your organization: a maturity based and metrics driven approach Marco Morana OWASP Lead/ TISO Citigroup OWASP Application Security For E-Government Copyright
More informationIBM Rational AppScan: Application security and risk management
IBM Software Security November 2011 IBM Rational AppScan: Application security and risk management Identify, prioritize, track and remediate critical security vulnerabilities and compliance demands 2 IBM
More informationF5 Silverline Web Application Firewall Onboarding: Technical Note
F5 Silverline Web Application Firewall Onboarding: Technical Note F5 Silverline Web Application Firewall Onboarding With organizations transitioning application workloads to the cloud, traditional centralized
More informationPASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013
2013 PASTA Abstract Process for Attack S imulation & Threat Assessment Abstract VerSprite, LLC Copyright 2013 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
More informationSecuring Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group
Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability
More informationWe protect you applications! No, you don t. Digicomp Hacking Day 2013 May 16 th 2013
We protect you applications! No, you don t Digicomp Hacking Day 2013 May 16 th 2013 Sven Vetsch Partner & CTO at Redguard AG www.redguard.ch Specialized in Application Security (Web, Web-Services, Mobile,
More informationCHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC
: INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS 1 FIVE KEY RECOMMENDATIONS During 2014, NTT Group supported response efforts for a variety of incidents. Review of these engagements revealed some observations
More informationWeb Application Security
Web Application Security Ng Wee Kai Senior Security Consultant PulseSecure Pte Ltd About PulseSecure IT Security Consulting Company Part of Consortium in IDA (T) 606 Term Tender Cover most of the IT Security
More informationManaging Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services
Managing Vulnerabilities for PCI Compliance White Paper Christopher S. Harper Managing Director, Agio Security Services PCI STRATEGY Settling on a PCI vulnerability management strategy is sometimes a difficult
More informationMean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP
Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP Presentation Overview Basic Application Security (AppSec) Fundamentals Risks Associated With
More informationVulnerability Management
Vulnerability Management Buyer s Guide Buyer s Guide 01 Introduction 02 Key Components 03 Other Considerations About Rapid7 01 INTRODUCTION Exploiting weaknesses in browsers, operating systems and other
More informationApplication Security Testing as a Foundation for Secure DevOps
Application Security Testing as a Foundation for Secure DevOps White Paper - April 2016 Introduction Organizations realize that addressing the risk of attacks on their Website applications is critical.
More informationReference Architecture: Enterprise Security For The Cloud
Reference Architecture: Enterprise Security For The Cloud A Rackspace Whitepaper Reference Architecture: Enterprise Security for the Cloud Cover Table of Contents 1. Introduction 2 2. Network and application
More informationKASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com
KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global
More informationProduction Security and the SDLC. Mark Kraynak Sr. Dir. Strategic Marketing Imperva mark@imperva.com
Production Security and the SDLC Mark Kraynak Sr. Dir. Strategic Marketing Imperva mark@imperva.com Building Security Into the Development Process Production Test existing deployed apps Eliminate security
More informationPassing PCI Compliance How to Address the Application Security Mandates
Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These
More informationSecurity-as-a-Service (Sec-aaS) Framework. Service Introduction
Security-as-a-Service (Sec-aaS) Framework Service Introduction Need of Information Security Program In current high-tech environment, we are getting more dependent on information systems. This dependency
More informationCisco Security Optimization Service
Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless
More informationEnd-to-End Application Security from the Cloud
Datasheet Website Security End-to-End Application Security from the Cloud Unmatched web application security experience, enhanced by real-time big data analytics, enables Incapsula to provide best-of-breed
More informationInfor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security
Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous
More informationMoving to the Cloud? Take Your Application Security Solution with You. A WhiteHat Security Whitepaper. September 2010
Moving to the Cloud? Take Your Application Security Solution with You September 2010 A WhiteHat Security Whitepaper 3003 Bunker Hill Lane, Suite 220 Santa Clara, CA 95054-1144 www.whitehatsec.com Introduction
More informationIntegrating Application Security into the Mobile Software Development Lifecycle. WhiteHat Security Paper
Integrating Application Security into the Mobile Software Development Lifecycle WhiteHat Security Paper Keeping pace with the growth of mobile According to the November 2015 edition of the Ericsson Mobility
More informationApplication Security Manager ASM. David Perodin F5 Engineer
Application Security Manager ASM David Perodin F5 Engineer 3 Overview BIG-IP Application Security Manager (ASM) a type of Web application firewall ASM s advanced application visibility, reporting and analytics
More informationOrganizations Should Implement Web Application Security Scanning
Research Publication Date: 21 September 2005 ID Number: G00130869 Organizations Should Implement Web Application Security Scanning Amrit T. Williams, Neil MacDonald Web applications are prone to vulnerabilities
More informationForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM)
ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM) CONTENT Introduction 2 Overview of Continuous Diagnostics & Mitigation (CDM) 2 CDM Requirements 2 1. Hardware Asset Management 3 2. Software
More informationCORE Security and GLBA
CORE Security and GLBA Addressing the Graham-Leach-Bliley Act with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com www.coresecurity.com
More informationA Strategic Approach to Web Application Security
WhiteHat Security White Paper A Strategic Approach to Web Application Security Extending security across the entire software development lifecycle Jerry Hoff WhiteHat Security The problem: websites are
More informationApplication and Database Security with F5 BIG-IP ASM and IBM InfoSphere Guardium
Application and Database Security with F5 BIG-IP ASM and IBM InfoSphere Guardium Organizations need an end-to-end web application and database security solution to protect data, customers, and their businesses.
More informationCisco Advanced Services for Network Security
Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs
More informationWebsite Security. End-to-End Application Security from the Cloud. Cloud-Based, Big Data Security Approach. Datasheet: What You Get. Why Incapsula?
Datasheet: Website Security End-to-End Application Security from the Cloud Unmatched web application security experience, enhanced by real-time big data analytics, enables Incapsula to provide best-ofbreed
More informationA Strategic Approach to Web Application Security The importance of a secure software development lifecycle
A Strategic Approach to Web Application Security The importance of a secure software development lifecycle Rachna Goel Technical Lead Enterprise Technology Web application security is clearly the new frontier
More informationBuilding Security into the Software Life Cycle
Building Security into the Software Life Cycle A Business Case Marco M. Morana Senior Consultant Foundstone Professional Services, a Division of McAfee Outline» Glossary» What is at risk, what we do about
More informationApplication Security in the Software Development Lifecycle
Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO
More informationApplication Code Development Standards
Application Code Development Standards Overview This document is intended to provide guidance to campus system owners and software developers regarding secure software engineering practices. These standards
More informationWhiteHat Security White Paper. Top 11 PCI DSS 3.0 Changes That Will Affect Your Application Security Program
WhiteHat Security White Paper Top 11 PCI DSS 3.0 Changes That Will Affect Your Application Security Program October 2015 The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information
More informationWAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales
WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales The Cost of Cybercrime Sony $171m PlayStation 3 data breach (April 2011) $3 trillion
More informationIntegrating Tools Into the SDLC
Integrating Tools Into the SDLC FIRST Conference 2007 The problem Too many organizations have either: Failed to try software security tools at all Tried tools, but became overwhelmed Tools relegated to
More informationWeb Application Firewalls: When Are They Useful? OWASP AppSec Europe May 2006. The OWASP Foundation http://www.owasp.org/
Web Application Firewalls: When Are They Useful? OWASP AppSec Europe May 2006 Ivan Ristic Thinking Stone ivanr@webkreator.com +44 7766 508 210 Copyright 2006 - The OWASP Foundation Permission is granted
More informationStreamlining Application Vulnerability Management: Communication Between Development and Security Teams
Streamlining Application Vulnerability Management: Communication Between Development and Security Teams October 13, 2012 OWASP Boston Application Security Conference Agenda Introduction / Background Vulnerabilities
More informationAccelerating Software Security With HP. Rob Roy Federal CTO HP Software
Accelerating Software Security With HP Rob Roy Federal CTO HP Software If we were in a cyberwar today, the United States would lose. Mike McConnell Former DNI, NSA. Head of Booz Allen Hamilton National
More informationThe New PCI Requirement: Application Firewall vs. Code Review
The New PCI Requirement: Application Firewall vs. Code Review The Imperva SecureSphere Web Application Firewall meets the new PCI requirement for an application layer firewall. With the highest security
More informationApplication Security Center overview
Application Security overview Magnus Hillgren Presales HP Software Sweden Fredrik Möller Nordic Manager - Fortify Software HP BTO (Business Technology Optimization) Business outcomes STRATEGY Project &
More informationProtect the data that drives our customers business. Data Security. Imperva s mission is simple:
The Imperva Story Who We Are Imperva is the global leader in data security. Thousands of the world s leading businesses, government organizations, and service providers rely on Imperva solutions to prevent
More information2012 Data Breach Investigations Report
2012 Data Breach Investigations Report A study conducted by the Verizon RISK Team with cooperation from the Australian Federal Police, Dutch National High Tech Crime Unit, Irish Reporting & Information
More informationHow to Instrument for Advanced Web Application Penetration Testing
How to Instrument for Advanced Web Application Penetration Testing Table of Contents 1 Foreword... 3 2 Problem... 4 3 Background... 4 3.1 Dynamic Application Security Testing (DAST)... 4 3.2 Static Application
More informationHP ENTERPRISE SECURITY. Protecting the Instant-On Enterprise
HP ENTERPRISE SECURITY Protecting the Instant-On Enterprise HP SECURITY INTELLIGENCE AND RISK MANAGEMENT PLATFORM Advanced Protection Against Advanced Threats 360 Security Monitoring to Detect Incidents
More informationSoftware Application Control and SDLC
Software Application Control and SDLC Albert J. Marcella, Jr., Ph.D., CISA, CISM 1 The most effective way to achieve secure software is for its development life cycle processes to rigorously conform to
More informationCyber Essentials Scheme
Cyber Essentials Scheme Requirements for basic technical protection from cyber attacks June 2014 December 2013 Contents Contents... 2 Introduction... 3 Who should use this document?... 3 What can these
More informationA Network Administrator s Guide to Web App Security
A Network Administrator s Guide to Web App Security Speaker: Orion Cassetto, Product Marketing Manager, Incapsula Moderator: Rich Nass, OpenSystems Media Agenda Housekeeping Presentation Questions and
More informationIBM Security QRadar Vulnerability Manager
IBM Security QRadar Vulnerability Manager Improve security and compliance by prioritizing security gaps for resolution Highlights Help prevent security breaches by discovering and highlighting high-risk
More informationProtecting Your Organisation from Targeted Cyber Intrusion
Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology
More informationISSECO Syllabus Public Version v1.0
ISSECO Syllabus Public Version v1.0 ISSECO Certified Professional for Secure Software Engineering Date: October 16th, 2009 This document was produced by the ISSECO Working Party Syllabus Introduction to
More informationTurning the Battleship: How to Build Secure Software in Large Organizations. Dan Cornell May 11 th, 2006
Turning the Battleship: How to Build Secure Software in Large Organizations Dan Cornell May 11 th, 2006 Overview Background and key questions Quick review of web application security The web application
More informationEffective Software Security Management
Effective Software Security Management choosing the right drivers for applying application security Author: Dharmesh M Mehta dharmeshmm@mastek.com / dharmeshmm@owasp.org Table of Contents Abstract... 1
More informationHP Application Security Center
HP Application Security Center Web application security across the application lifecycle Solution brief HP Application Security Center helps security professionals, quality assurance (QA) specialists and
More informationHP Fortify application security
HP Fortify application security Erik Costlow Enterprise Security The problem Cyber attackers are targeting applications Networks Hardware Applications Intellectual Property Security Measures Switch/Router
More informationSmarter Balanced Assessment Consortium. Recommendation
Smarter Balanced Assessment Consortium Recommendation Smarter Balanced Quality Assurance Approach Recommendation for the Smarter Balanced Assessment Consortium 20 July 2012 Summary When this document was
More informationFrom the Bottom to the Top: The Evolution of Application Monitoring
From the Bottom to the Top: The Evolution of Application Monitoring Narayan Makaram, CISSP Director, Security Solutions HP/Enterprise Security Business Unit Session ID: SP01-202 Session 2012 Classification:
More informationFrom Rivals to BFF: WAF & VA Unite OWASP 07.23.2009. The OWASP Foundation http://www.owasp.org
From Rivals to BFF: WAF & VA Unite 07.23.2009 Brian Contos, Chief Security Strategist Imperva Inc. brian.contos@imperva.com +1 (650) 832.6054 Copyright The Foundation Permission is granted to copy, distribute
More informationBreaking down silos of protection: An integrated approach to managing application security
IBM Software Thought Leadership White Paper October 2013 Breaking down silos of protection: An integrated approach to managing application security Protect your enterprise from the growing volume and velocity
More informationCompliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's:
Security.01 Penetration Testing.02 Compliance Review.03 Application Security Audit.04 Social Engineering.05 Security Outsourcing.06 Security Consulting.07 Security Policy and Program.08 Training Services
More informationFIVE PRACTICAL STEPS
WHITEPAPER FIVE PRACTICAL STEPS To Protecting Your Organization Against Breach How Security Intelligence & Reducing Information Risk Play Strategic Roles in Driving Your Business CEOs, CIOs, CTOs, AND
More informationIntegrating Web Application Security into the IT Curriculum
Integrating Web Application Security into the IT Curriculum James Walden Northern Kentucky University Topics 1. 2. 3. 4. Why should we teach web application security? What material do we need to cover?
More informationContinuous Network Monitoring
Continuous Network Monitoring Eliminate periodic assessment processes that expose security and compliance programs to failure Continuous Network Monitoring Continuous network monitoring and assessment
More informationSmart Grid Security: A roadmap
Smart Grid Security: A roadmap Klaus Kursawe Klaus.Kursawe @ ENCS.EU VDI Fachkonferenz Industrial IT Security, 2014 What is The Smart Grid? The electric grid is an engineering marvel, arguably the single
More informationGlobal Web Application Firewall Market 2015-2019
Global Web Application Firewall Market 2015-2019 Global Web Application Firewall Market 2015-2019 Sector Publishing Intelligence Limited (SPi) has been marketing business and market research reports from
More information10 Things Every Web Application Firewall Should Provide Share this ebook
The Future of Web Security 10 Things Every Web Application Firewall Should Provide Contents THE FUTURE OF WEB SECURITY EBOOK SECTION 1: The Future of Web Security SECTION 2: Why Traditional Network Security
More informationManaging Vulnerabilities For PCI Compliance
Managing Vulnerabilities For PCI Compliance Christopher S. Harper Vice President of Technical Services, Secure Enterprise Computing, Inc. June 2012 NOTE CONCERNING INTELLECTUAL PROPERTY AND SOLUTIONS OF
More informationEnterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationNetwork Security Administrator
Network Security Administrator Course ID ECC600 Course Description This course looks at the network security in defensive view. The ENSA program is designed to provide fundamental skills needed to analyze
More informationContinuous???? Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
???? 1 Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Application Delivery is Accelerating Surge in # of releases per app
More informationAttack Intelligence: Why It Matters
Attack Intelligence: Why It Matters WHITE PAPER Core Security +1 617.399-6980 info@coresecurity.com www.coresecurity.com A Proactive Strategy Attacks against your organization are more prevalent than ever,
More informationFive keys to a more secure data environment
Five keys to a more secure data environment A holistic approach to data infrastructure security Compliance professionals know better than anyone how compromised data can lead to financial and reputational
More informationCisco Advanced Malware Protection for Endpoints
Data Sheet Cisco Advanced Malware Protection for Endpoints Product Overview With today s sophisticated malware, you have to protect endpoints before, during, and after attacks. Cisco Advanced Malware Protection
More informationHP Fortify Application Security Lucas v. Stockhausen PreSales Manager HP Fortify EMEA lvonstockhausen@hp.com +49 1520 1898430 Enterprise Security
HP Fortify Application Security Lucas v. Stockhausen PreSales Manager HP Fortify EMEA lvonstockhausen@hp.com +49 1520 1898430 Enterprise Security The problem Cyber attackers are targeting applications
More informationSociety for Information Management
Society for Information Management The Projected Top 5 Security Issues of 2010 Steve Erdman CSO and Staff Security Consultant of SecureState Network +, MCP Precursor 2009 has been a difficult year in Information
More informationSAST, DAST and Vulnerability Assessments, 1+1+1 = 4
SAST, DAST and Vulnerability Assessments, 1+1+1 = 4 Gordon MacKay Digital Defense, Inc. Chris Wysopal Veracode Session ID: Session Classification: ASEC-W25 Intermediate AGENDA Risk Management Challenges
More informationWeb Hacking Incidents Revealed: Trends, Stats and How to Defend. Ryan Barnett Senior Security Researcher SpiderLabs Research
Web Hacking Incidents Revealed: Trends, Stats and How to Defend Ryan Barnett Senior Security Researcher SpiderLabs Research Ryan Barnett - Background Trustwave Senior Security Researcher Web application
More informationelearning for Secure Application Development
elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security
More informationThe Web AppSec How-to: The Defenders Toolbox
The Web AppSec How-to: The Defenders Toolbox Web application security has made headline news in the past few years. Incidents such as the targeting of specific sites as a channel to distribute malware
More informationCONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL
CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to
More informationLeveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs
IBM Global Technology Services Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs Achieving a secure government
More informationHow To Protect A Web Application From Attack From A Trusted Environment
Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls
More informationSecurity solutions White paper. Acquire a global view of your organization s security state: the importance of security assessments.
Security solutions White paper Acquire a global view of your organization s security state: the importance of security assessments. April 2007 2 Contents 2 Overview 3 Why conduct security assessments?
More informationObtaining Enterprise Cybersituational
SESSION ID: SPO-R06A Obtaining Enterprise Cybersituational Awareness Eric J. Eifert Sr. Vice President Managed Security Services DarkMatter Agenda My Background Key components of the Cyber Situational
More informationNASCIO 2015 State IT Recognition Awards
NASCIO 2015 State IT Recognition Awards Title: State of Georgia Private Security Cloud Implementation Category: Cybersecurity Contact: Mr. Calvin Rhodes CIO, State of Georgia Executive Director, GTA calvin.rhodes@gta.ga.gov
More informationState of Oregon. State of Oregon 1
State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information
More informationETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001
001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110
More informationMaintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com
Maintaining PCI-DSS compliance Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Sessione di Studio Milano, 21 Febbraio 2013 Agenda 1 Maintaining PCI-DSS compliance
More information