Software Security: Services and Products

Transcription

1 Software Security: Services and Products

2 Minded Security Management & Business Profile Senior Management Business Profile Matteo Meucci CEO and Minded Security SRL co-founder Founded in 2007 in Italy Marco Morana Managing Director and partner UK focusing on software security services Limited Steady Business Growth Giorgio Fedon COO, Technical Director and co- revenues up 40% vs. previous year founder Invested in Minded Security Stefano Di Paola CTO and co-founder UK from 2014 with focus on security products for web security

3 Minded Security Customers & Global Reach Product and services presence in 17 countries Industry sectors include: E-commerce, Energy Banking Finance Software Telecoms

4 Minded Security in The News

5 R&D Security Research on vulnerabilities Disclosed hundreds of vulnerabilities of Internet Explorer, Mozilla, Adobe (UXSS),MySQL. Development of open source tools Developing of tool ad hoc as Flash Testing, DOMInatorPRO Develop new testing techniques HTTP Parameter Pollution, Universal XSS Key Role of Minded Security in OWASP OWASP Italy founder in 2005 OWASP CISO Guide leader OWASP Testing Guide leader from 2006 OWASP Anti Malware leader from 2011 OWASP SAMM contributors from 2010

6 Client Side Vulnerability Detection Solutions

7 DOMinator Pro: Securing Next Generation of Web Applications

8 DOMinator Pro: Securing Next Generation of Web Applications

9 DOMinator Pro: Securing Next Generation of Web Applications Google Plus One DOM XSS This video demonstrates how to use the DOMinatorPro Fuzzer feature and how to identify a DOM HTML injection vulnerability on a google.com page. DOMinatorPro is able to understand if the Javascript code loaded by the page looks for a particular pattern. This finding was also cited by the Department of Homeland Security in its daily report Google.com DOMXSS Here, a DOM XSS is shown on a Google Plus One button which can lead to external JavaScript execution. This vulnerability was particularly interesting because it was present on every page containing a Google +1 button. DOMinatorPro identifies this vulnerability as URL Redirection and in its description it gives some interesting advice in order to understand if this issue is actually exploitable.

10 Malware Detection and Fraud Prevention Solutions

11 AMT Banking Malware Detector: the scenario Non infected customer I would like to know which users are infected by malware to manage the risk I will modify the IBAN and money data Infected customer Infected customers On-line Banking Nowadays the number of infected users that are using on-line banking services is increasing dramatically. On-line Banking Fraud Office needs tools to know in real time which users are infected and could be defrauded using the on-line banking service.

12 AMT Detection and Fraud Prevention Solution Main Features Uses threat modeling to engineer modules that can be adapted to detect malware attacks based upon modus of operandi Scans the user s browser to detect compromise of its integrity (millions of devices can be scanned without impact) Agent-less that is it is installed on the web server of the online banking site Integrates with existing fraud detection systems used at the bank as well as with partner s fraud detection systems Sends real-time fraud alerts to fraud managers so transactions can be monitored or blocked (detailed risk and attack information)

13 AMT Banking Malware Detector: the answer Not infected customer I would like a technology to identify malware victims before they will be defrauded I will modify the IBAN and money data Infected customer Infected customers On-line Banking AMT Banking Malware Detector

14 AMT Banking Malware Detector: agentless Agentless solution: it is not invasive for your users Transparent to the user experience

15 AMT Control Panel Real time control of user infected Managing of infected clients risk Detailed attack information Daily custom report

16 Secure Software Engineering 19

17 Consulting Services Software Security Maturity Assessment This is a high level assessment of the maturity and capability of the organization in software security practices. Minded Security will use the OWASP SAMM standard to conduct the assessment. The goal is to evaluate the current state of the maturity of the organization in conducting software security activities within the SDLC and derive a roadmap that the organization can follow to improve his capabilities in software security. Benefit

18 Consulting Services Secure Design Minded Security can help creating a secure design process inside your company or support it during the design phase conducting a threat modeling assessment Secure Architecture Minded Security experts can review your architectures analyzing the threats and designing a secure architecture. Secure Coding Guidelines Security Specialists can support your Company to deliver Secure Coding Guidelines to adopt inside the organization. Outsourcing Development Governance Minded Security can support you to develop a Secure Software Assurance process with the aim to define all the criteria and all the steps necessary to guarantee an Assurance of the software that you will buy.

19 Consulting Services Process for Attack Simulation and Threat Analysis The identification of design flaws in application architecture as well as of countermeasures to detect and protect from targeted and sophisticated cyber-attacks requires businesses to focus on specific threats and attacks rather then on common vulnerabilities. To address this shortcomings of Minded Security Director Marco Morana developed a new process for threat modeling, the Process For Attack Simulation and Threat Analysis (PASTA) that is co-authored by Minded Security director Marco Morana and published in the book Application Threat Modeling by Wiley. The main objective of PASTA is to help organizations to engineer applications and systems that are resilient to targeted cyber attacks such as Distributed Denial of Service (DDoS) and malware automated/botnet based attacks. To help businesses roll out PASTA internally, Minded Security consultants provide the training and an initial remotely managed risk management and threat modeling service.

20 Training Series Educational Paths For who Introduction to Application Security: threats and defence strategies (1/2 day) Software Security Governance (1 day) Building Security in SDLC (5days) Managers Developers Architects Auditors Testers Business Analyst/ Project manager Process for Attack Simulation and Threat Analysis (2 days) Building Secure Mobile Applications - Android, ios (2 days) Building Secure Software - J2EE,.NET, PHP (2-5 days) Developers Architects JavaScript Security and DOMinatorPro training For Developers or for Testers (2 days) Developers Architects Auditors Testers Secure Code Review (2 days) Developers Architects Auditors Testers Testing Web Applications (5 days) Auditors Testers Application Security for Business Analysts (2days) Business Analysts

21 Testing Services Secure Code Review Network Penetration Testing Application Penetration Testing Testing Services Flash Security Testing Mobile Security Assessment Web Services Testing

22 Mobile Security Services Mobile Application Security Assessment Assessment of Mobile Applications for Apple ios, Android, Blackberry and Windows Mobile environments. Review of client and server side software (Secure Code Review). Given the source code of the client and server application (Web Services), we perform a Secure Code Review of the source code. Then we perform a Penetration Test of the Application. PT of the running applications client and server side. Secure Coding Guidelines Building Mobile Secure Software Course Minded Security delivers Secure Coding Guidelines and checklist for all your mobile environments. This training gives to your developers all the knowledge and several practical examples necessary to write secure mobile applications.

23 Thanks! Minded Security Srl Via Duca D Aosta, Firenze - Italy Mail: [email protected] Minded Security UK Limited One Canada Square Canary Wharf, E14 5AB London - UK Office +44 (0) Mobile +44 (0) Mail: [email protected] Company Profile: Site: Blog: Twitter: YouTube: Magazine: