Fortify End User Training
- Ashley Hutchinson
Slide 1: Fortify End User Training, Day 2: Labs
VA SOFTWARE ASSURANCE PROGRAM OFFICE

Slide 2: Class Logistics

- Please mute your phones; the conference line is muted (#6 to unmute, *6 to mute)
- Breaks approximately each hour, with a lunch break around noon
- Please IM questions during the presentation; lengthy questions may be addressed during the Day 2 open lab
Slide 3: Day 1 Review

- Module 1: Software Analysis Overview
- Module 2: VA Secure Code Review SOP Overview
- Module 3: Fortify Overview
- Module 4: Analysis with Fortify
- Module 5: Fortify Installation
- Module 6: Scan for Vulnerabilities
- Module 7: Integration with IDEs
- Module 8: Fortify Rulepacks
- Module 9: Auditing Fortify Results
- Module 10: Integration into Build Process
- Module 11: Verifying V&V Code Review Package
- Module 12: Resolving Scan Issues
- Module 13: OWASP Top 10 and CWE/SANS Top 25

Slide 4: Course Outline - Day 2

- Module 14: Auditing
- Lab 1: Scanning Java source code
- Lab 2: Scanning .NET source code
- Module 15: Reporting
- Lab 3: Scanning Objective-C source code
- Lab 4: Open Lab
- Day 2 Wrap Up

Slide 5: Course Agenda

- Module 14: Auditing
- Lab 1: Scanning Java source code
- Lab 2: Scanning .NET source code
- Module 15: Reporting
- Lab 3: Scanning Objective-C source code
- Lab 4: Open Lab
- Day 2 Wrap Up
Slide 6: Types of Code Reviews

- Manual
  Description: Manually reviewing and scanning each source code file, line by line. Prior to a visual scan of the source, the analyst(s) use sizing, metrics, and textual-search tools.
  Considerations: High levels of accuracy; increased costs and levels of effort.
- Semi-Automated
  Description: Uses a combination of manual analysis and software tools designed to assist in the code inspection process. This software typically uses a combination of target word lists, databases, graphical user interfaces, and report generation engines. When a target word is found, the analyst(s) visually inspect the word and its context in the application.
  Considerations: Accuracy, cost and level of effort fall between the manual and fully automated methods.
- Fully Automated
  Description: Relies entirely on a software tool to test and report known coding vulnerabilities and malicious code. Code analysis tools use known, documented principles as their basis for identifying vulnerabilities and have the ability to discover attacks or mechanisms based on hostile characteristics.
  Considerations: Less accurate; decreased costs and levels of effort.
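The semi-automated method on this slide, as an added example (written for this page; it is not course material and not a Fortify tool): a short Python script that searches source text for a target word list and hands each hit, with its surrounding lines, to the analyst, who judges the word in context. The target words, the review question attached to each, and the Java snippet under review are assumptions constructed for the example.

```python
"""Semi-automated 'target word' review helper (added example, not from the course).

Searches source text for a list of target words and returns each hit with
surrounding lines, so the analyst reviews the word *in context* rather than
trusting the match itself.
"""
import re
from typing import Dict, List

# Target word list: each regex maps to the question the analyst must answer
# when the word is found. Constructed for this example, not a Fortify rulepack.
TARGET_WORDS: Dict[str, str] = {
    r"Runtime\.getRuntime\(\)\.exec\b":
        "OS command execution: is the command string built from untrusted input?",
    r"\bexecuteQuery\s*\(\s*\"[^\"]*\"\s*\+":
        "SQL built by string concatenation: can a PreparedStatement be used instead?",
    r"MessageDigest\.getInstance\(\s*\"(MD5|SHA-?1)\"":
        "Weak hash algorithm: what does this digest protect?",
    r"\.printStackTrace\(":
        "Stack trace written to output: can it reach an end user?",
}

# Constructed Java source under review (deliberately contains the patterns).
SAMPLE_JAVA = """\
public void lookup(String user) throws Exception {
    Statement st = conn.createStatement();
    ResultSet rs = st.executeQuery("SELECT * FROM users WHERE name='" + user + "'");
    MessageDigest md = MessageDigest.getInstance("MD5");
    try { rs.next(); } catch (Exception e) { e.printStackTrace(); }
    Runtime.getRuntime().exec("ls " + user);
}
"""


def scan_source(path: str, source: str, context: int = 1) -> List[dict]:
    """Return one record per (line, target word) hit, with `context` lines
    before and after so the analyst sees the word in its surroundings."""
    lines = source.splitlines()
    hits: List[dict] = []
    for lineno, line in enumerate(lines, start=1):
        for pattern, question in TARGET_WORDS.items():
            if re.search(pattern, line):
                lo = max(0, lineno - 1 - context)
                hi = min(len(lines), lineno + context)
                hits.append({
                    "path": path,
                    "line": lineno,
                    "pattern": pattern,
                    "question": question,
                    "context": lines[lo:hi],
                })
    return hits


def review_sheet(hits: List[dict]) -> str:
    """Format the hits as the worksheet the analyst fills in by hand."""
    out = []
    for h in hits:
        out.append(f"{h['path']}:{h['line']}  {h['question']}")
        out.extend("    " + c for c in h["context"])
        out.append("    verdict: ____")
    return "\n".join(out)


if __name__ == "__main__":
    print(review_sheet(scan_source("Lookup.java", SAMPLE_JAVA)))
```

The script deliberately decides nothing: a hit is a place to look, and the verdict line stays empty until the analyst has read the context, which is what separates this method from the fully automated one on the same slide.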
Slide 7: Code Review Methodology

Planning & Test Preparation
- Gather background information
- Determine objectives
- Set the constraints and goals
- Document the assumptions
- Define the vulnerability discovery strategy
- Identify appropriate tools
- Gather necessary source code and software libraries
- Validate that the code compiles correctly and can be accurately evaluated with automated tools

Static Code Analysis
- Perform scan
- Identify preliminary vulnerabilities

Manual Review & Finding Categorization
- Review overall application architecture
- Analyze static code output to validate and/or eliminate false positives
- Manual review to identify false negatives
- Categorize findings by severity

Documentation & Reporting
- Document findings
- Determine impacts
- Develop recommendations
- Submit and deliver a final customized report based on agreed-upon deliverables

Feedback and iteration
- Review findings with code developers to understand mitigating controls for vulnerabilities, to help determine residual risk
- Request additional information or missing application components (if applicable)
- Re-scan as required

Slide 8: Perform the Automated Code Scan

- Perform a scan of the code to find an initial set of security issues
- Discover hot spots where additional security issues are likely to be found in later steps
- Security issues tend to cluster: if the scan finds a large number of security issues in a particular component or function, examine that area carefully by hand to discover the security issues the scanning tool may have missed

Slide 9: False Positives and False Negatives

- Static analysis tools frequently report false positives; every positive finding should be verified manually to confirm that it is a true positive
- Static analysis tools also produce false negatives, frequently failing to identify vulnerabilities; the code should be reviewed manually to find them
- Static analysis tools can be tuned to significantly reduce the number of false positives and false negatives
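Added example (written for this page, not course material or Fortify output) of the two checks the last two slides describe, in Python: counting findings per file to surface the hot spots that deserve a closer manual look, and comparing a scan against a list of known issues, the way a test suite with labelled vulnerabilities such as the SAMATE suites allows, to count true positives, false positives and false negatives. The scan output, the known-issue list and the line tolerance used for matching are all constructed for the example.

```python
"""Two audit checks on raw scan output (added example, not from the course).

1. hotspots(): findings cluster, so count them per file to find the areas
   that deserve a careful manual look for issues the tool missed.
2. accuracy(): compare the scan against a list of known issues (as a test
   suite with labelled vulnerabilities provides) to count true positives,
   false positives and false negatives. Findings are matched by file and
   category with a small line tolerance, because line numbers drift between
   scans and a tool may report a finding a line or two from the labelled spot.
Scan output and ground truth below are constructed, not real Fortify results.
"""
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Finding(NamedTuple):
    path: str       # file the finding was reported in
    line: int
    category: str   # tool's vulnerability category


# Constructed scan output.
SCAN: List[Finding] = [
    Finding("src/web/LoginServlet.java", 42, "SQL Injection"),
    Finding("src/web/LoginServlet.java", 58, "Cross-Site Scripting"),
    Finding("src/web/LoginServlet.java", 61, "Cross-Site Scripting"),
    Finding("src/web/LoginServlet.java", 77, "Log Forging"),
    Finding("src/util/StringUtil.java", 12, "Log Forging"),
    Finding("src/db/UserDao.java", 30, "SQL Injection"),
]

# Constructed ground truth: the issues known to exist in the sample code.
KNOWN: List[Finding] = [
    Finding("src/web/LoginServlet.java", 42, "SQL Injection"),
    Finding("src/web/LoginServlet.java", 58, "Cross-Site Scripting"),
    Finding("src/db/UserDao.java", 31, "SQL Injection"),   # scan reports it at line 30
    Finding("src/db/UserDao.java", 45, "SQL Injection"),   # missed by the scan
]


def hotspots(findings: Iterable[Finding], threshold: int = 3) -> List[Tuple[str, int]]:
    """Files with at least `threshold` findings, most findings first."""
    counts = Counter(f.path for f in findings)
    return [(path, n) for path, n in counts.most_common() if n >= threshold]


def matched(f: Finding, others: Iterable[Finding], tolerance: int = 2) -> bool:
    """Same file, same category, line within `tolerance` of a finding in `others`."""
    return any(f.path == o.path and f.category == o.category
               and abs(f.line - o.line) <= tolerance for o in others)


def accuracy(findings: List[Finding], known: List[Finding], tolerance: int = 2) -> Dict[str, float]:
    """Counts and rates of a scan against the known issues."""
    tp = [f for f in findings if matched(f, known, tolerance)]
    fp = [f for f in findings if not matched(f, known, tolerance)]
    fn = [k for k in known if not matched(k, findings, tolerance)]
    precision = len(tp) / len(findings) if findings else 0.0         # share of reports that are real
    recall = (len(known) - len(fn)) / len(known) if known else 0.0   # share of real issues reported
    return {"true_positives": len(tp), "false_positives": len(fp),
            "false_negatives": len(fn), "precision": precision, "recall": recall}


if __name__ == "__main__":
    print("hot spots:", hotspots(SCAN))
    print("accuracy:", accuracy(SCAN, KNOWN))
```

Read the two numbers together: a low precision means more audit time per finding, a low recall means the manual review has to cover ground the tool did not, and tuning (rulepacks, filters) moves both.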
Slide 10: Manual Verification

- Input data validation
  - Does the application have an input validation architecture?
  - Is validation performed on the client, on the server, or both?
  - Is there a centralized validation mechanism, or are validation routines spread throughout the code base?
- Check error handling to make sure that exceptions are caught consistently and close to their source
- Check for appropriate use of cryptography
- Identify areas of the code that appear especially complex
- Identify architectural flaws
- Look for configuration issues
- Use checklists

Slide 11: Manual Verification, Cont'd

- Control flow analysis: the mechanism used to step through the logical conditions in the code. The process is as follows:
  - Examine a function and determine each branch condition. These can include loops, switch statements, if statements, and try/catch blocks.
- Dataflow analysis: trace data from the points of input to the points of output. Some common sources and sinks are:
  - Public interfaces
  - User interface
  - Database interaction
  - Socket interaction
  - File I/O
  - Pipes
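Added example, not from the course: the control-flow step (list each branch condition in a function) and the dataflow step (trace data from a source to a sink) carried out by a small Python program over a constructed function. Fortify performs this analysis on Java, .NET and Objective-C; Python's standard `ast` module is used here only so the example runs on its own. The source, sink and sanitizer names and the sample function are assumptions made for the example.

```python
"""Control flow and dataflow walk over one function (added example, not from the course).

 - branch_points(): the control-flow step, listing each branch condition
   (if / for / while / try) in the function.
 - taint_flows(): the dataflow step, tracing data from a source call through
   assignments to a sink call, in statement order, and stopping at a sanitizer.
"""
import ast
from typing import Dict, List, Set, Tuple

SOURCES = {"input", "request_param"}       # assumed: calls that return untrusted data
SINKS = {"os.system", "cursor.execute"}    # assumed: calls that must not receive it raw
SANITIZERS = {"shlex.quote", "int"}        # assumed: calls whose result is treated as clean

# Constructed function under review; line numbers count from the leading newline.
SAMPLE = '''
def handler():
    user = request_param("user")
    cmd = "ls " + user
    if user:
        os.system(cmd)
    uid = int(request_param("id"))
    cursor.execute("SELECT * FROM t WHERE id = %s" % uid)
    try:
        safe = shlex.quote(user)
        os.system("cat " + safe)
    except Exception:
        pass
'''


def call_name(node: ast.Call) -> str:
    """Dotted name of a call target, e.g. 'cursor.execute'."""
    parts: List[str] = []
    f = node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


def branch_points(func: ast.FunctionDef) -> List[Tuple[str, int]]:
    """Every branch condition in the function, in line order."""
    kinds = {ast.If: "if", ast.For: "for", ast.While: "while", ast.Try: "try"}
    found = [(kinds[type(n)], n.lineno) for n in ast.walk(func) if type(n) in kinds]
    return sorted(found, key=lambda b: b[1])


def is_tainted(node: ast.AST, tainted: Set[str]) -> bool:
    """True if the expression reads a tainted name or a source call, unless it
    is a sanitizer call (whose result is treated as clean)."""
    if isinstance(node, ast.Call):
        name = call_name(node)
        if name in SANITIZERS:
            return False
        if name in SOURCES:
            return True
        # a method call on a tainted object, or tainted arguments, stays tainted
        return is_tainted(node.func, tainted) or any(is_tainted(a, tainted) for a in node.args)
    if isinstance(node, ast.Name):
        return node.id in tainted
    return any(is_tainted(c, tainted) for c in ast.iter_child_nodes(node))


def taint_flows(func: ast.FunctionDef) -> List[Tuple[str, int]]:
    """(sink name, line) for every sink call that receives tainted data."""
    tainted: Set[str] = set()
    flows: List[Tuple[str, int]] = []

    def visit(stmts: List[ast.stmt]) -> None:
        for stmt in stmts:                      # statement order matters for taint
            if isinstance(stmt, ast.Assign):
                names = [t.id for t in stmt.targets if isinstance(t, ast.Name)]
                if is_tainted(stmt.value, tainted):
                    tainted.update(names)
                else:
                    tainted.difference_update(names)   # overwritten with clean data
            elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
                name = call_name(stmt.value)
                if name in SINKS and any(is_tainted(a, tainted) for a in stmt.value.args):
                    flows.append((name, stmt.lineno))
            for block in ("body", "orelse", "finalbody"):   # nested blocks, in order
                visit(getattr(stmt, block, []))
            for handler in getattr(stmt, "handlers", []):
                visit(handler.body)

    visit(func.body)
    return flows


def analyze(source: str) -> Dict[str, dict]:
    """Branch conditions and source-to-sink flows per top-level function."""
    tree = ast.parse(source)
    return {fn.name: {"branches": branch_points(fn), "flows": taint_flows(fn)}
            for fn in tree.body if isinstance(fn, ast.FunctionDef)}


if __name__ == "__main__":
    for name, result in analyze(SAMPLE).items():
        print(name, result)
```

The walk is intra-procedural and flow-insensitive about branches (it does not know that `if user:` could be false), which is exactly the kind of simplification that produces the false positives and false negatives the earlier slide warns about; a real engine tracks calls across functions and fields, and the manual review covers what it still misses.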
Slide 12: Classification of Vulnerabilities

Vulnerability classes:
- Input Validation
- Cross-site Scripting
- Unbound Sizes
- Injection Attacks
- Secure State and Session Management
- Sensitive Information in Test and Debug Code
- Non-Compiled Code
- Malicious Code
- Documentation / Comments
- Public Variables, Objects
- User Authentication Methods
- Principle of Least Privilege
- Buffer Overflow/Underflow
- Error Handling
- Coding Best Practices
- Non-security related defects

Severity levels:
- CRITICAL: The finding must be mitigated immediately. Failure to address the finding may have a serious adverse impact on the system.
- HIGH: The finding must be mitigated in the near term. Failure to address the finding may have a considerable adverse impact on the system.
- MEDIUM: The finding should be mitigated in the near term, but mid-term mitigation is acceptable. Failure to address the finding may have an adverse impact on the system.
- LOW: The finding should be mitigated as time permits. Failure to address the finding may have a minimal adverse impact on the system.
- INFO: The finding was included as information that developers should consider when writing code.
Slide 13: Course Agenda (repeat of slide 5)
Slide 14: OWASP WebGoat

- The Open Web Application Security Project (OWASP) provides a deliberately insecure web application written in Java: WebGoat (J2EE)

Slide 15: Lab 1 Goals

In this lab we will:
- Install the Eclipse plugin
- Scan the WebGoat project using the plugin
- Explore the Fortify interface
- Explore how to audit issues with Fortify

Slide 16: Morning Break 1
Slide 17: Course Agenda (repeat of slide 5)
Slide 18: OWASP WebGoat.NET

- The Open Web Application Security Project (OWASP) provides a deliberately insecure web application written in .NET: WebGoat.NET (ASP.NET)

Slide 19: Lab 2 Goals

In this lab we will:
- Scan WebGoat.NET using the Visual Studio plugin
- Explore the Fortify interface
- Demonstrate merging FPR files
Slide 20: Course Agenda (repeat of slide 5)
Slide 21: Reporting: How It Fits into the Process

- As described earlier, reporting the issues discovered in the code review is an important part of the process
- Reporting is the Documentation & Reporting phase of the code review methodology shown on slide 7 (after Planning & Test Preparation, Static Code Analysis, and Manual Review & Finding Categorization): document findings, determine impacts, develop recommendations, and submit and deliver a final customized report based on agreed-upon deliverables

Slide 22: Report Information

Information to include in a report:
- Type of vulnerability
- Severity
- Standards violated (CWE, STIG, etc.)
- Location
- Code sample
- Description of why it is a vulnerability and its impact
- Recommendation to mitigate the issue

Fortify has a built-in reporting feature that will generate reports from the FPR including this information.
Slide 23: Sample Report Cover

Slide 24: Sample Report Table of Contents

Slide 25: Sample Results - Introduction

Slide 26: Sample Report Issue Reporting

Slide 27: V&V Reporting

A V&V secure code review report from the SwA Team will include:
- A description of any scanning errors
- Indications where the scanned code doesn't match the delivered code
- Lists of any unmitigated issues and associated comments:
  - Issues that have not been audited
  - Issues that have been hidden or suppressed
  - Issues where the audit indicates they are true positives
  - Issues where the team disagrees with a tag of Not an Issue
  - Additional issues that may have been spotted during the review
- A description of any problems with custom rule files
- Other issues that may be noted as the code review package is reviewed

Slide 28: Morning Break 2
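Added example, not from the course or from Fortify, of two tasks that come up in Lab 2 and in the V&V list above: merging an earlier, audited scan result into a fresh scan so that analyst tags survive the re-scan, and sorting the merged issues into the lists the V&V report calls out (not audited, suppressed, audited as true positives, and Not an Issue tags the reviewing team disagrees with). The issues, instance IDs, tag values and reviewer verdicts are constructed for the example.

```python
"""Merging an audited scan into a new scan, then building the V&V lists
(added example, not from the course or from Fortify).

Merging a previously audited result into a fresh scan has to match each
issue by a stable instance ID (not by file and line, which shift as the code
changes) and carry the analyst's tag, suppression and comment across, so the
audit does not start from zero after every scan. The merged result is then
sorted into the lists a V&V report calls out. All data below is constructed.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Issue:
    instance_id: str            # stable per-issue ID assigned by the tool (constructed here)
    category: str
    severity: str
    path: str
    line: int
    tag: Optional[str] = None   # analyst's audit tag; None means not yet audited
    suppressed: bool = False
    comment: str = ""


# Previously audited scan (constructed).
PREVIOUS: List[Issue] = [
    Issue("A1", "SQL Injection", "Critical", "LoginServlet.java", 42,
          tag="Exploitable", comment="User-controlled name concatenated into the query"),
    Issue("A2", "Cross-Site Scripting", "High", "LoginServlet.java", 58,
          tag="Not an Issue", comment="Template encodes the value"),
    Issue("A3", "Log Forging", "Medium", "StringUtil.java", 12,
          tag="Not an Issue", suppressed=True),
    Issue("A5", "Path Manipulation", "High", "FileServlet.java", 20),
]

# Fresh scan of the updated code (constructed): A1/A2 moved a few lines, A5 is gone, A4 is new.
CURRENT: List[Issue] = [
    Issue("A1", "SQL Injection", "Critical", "LoginServlet.java", 45),
    Issue("A2", "Cross-Site Scripting", "High", "LoginServlet.java", 61),
    Issue("A3", "Log Forging", "Medium", "StringUtil.java", 12),
    Issue("A4", "Cross-Site Scripting", "High", "SearchServlet.java", 30),
]

# The V&V reviewer's own verdict per instance ID, where it differs (constructed).
REVIEWER_TAGS: Dict[str, str] = {"A2": "Exploitable"}


def merge(previous: List[Issue], current: List[Issue]) -> Tuple[List[Issue], List[str], List[str]]:
    """Carry audit data from `previous` onto matching issues in `current`.
    Returns (merged issues, IDs new in this scan, IDs no longer reported)."""
    old = {i.instance_id: i for i in previous}
    current_ids = {i.instance_id for i in current}
    merged: List[Issue] = []
    new_ids: List[str] = []
    for cur in current:
        prev = old.get(cur.instance_id)
        if prev is None:
            new_ids.append(cur.instance_id)
            merged.append(cur)
        else:   # keep the new location, restore the audit decision
            merged.append(replace(cur, tag=prev.tag, suppressed=prev.suppressed, comment=prev.comment))
    removed = [iid for iid in old if iid not in current_ids]
    return merged, new_ids, removed


def vv_lists(issues: List[Issue], reviewer_tags: Dict[str, str]) -> Dict[str, List[str]]:
    """Sort merged issues into the lists a V&V report calls out."""
    report: Dict[str, List[str]] = {
        "unaudited": [], "suppressed": [], "true_positives": [], "disagreements": []}
    for i in issues:
        if i.suppressed:
            report["suppressed"].append(i.instance_id)
        if i.tag is None:
            report["unaudited"].append(i.instance_id)
        elif i.tag == "Exploitable":
            report["true_positives"].append(i.instance_id)
        elif i.tag == "Not an Issue" and reviewer_tags.get(i.instance_id) == "Exploitable":
            report["disagreements"].append(i.instance_id)
    return report


if __name__ == "__main__":
    merged, new_ids, removed = merge(PREVIOUS, CURRENT)
    print("new:", new_ids, "removed:", removed)
    print(vv_lists(merged, REVIEWER_TAGS))
```

Fortify's own FPRUtility performs the merge on real FPR files; the block shows only the matching logic any merge of this kind has to get right. Two things worth noticing in the output: the new issue A4 is the only unaudited one, so the audit effort after a re-scan is the delta, and a suppressed issue still appears in the V&V list because suppression hides it from the developer's view, not from the reviewer's.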
Slide 29: Course Agenda (repeat of slide 5)
Slide 30: OWASP iGoat

- The Open Web Application Security Project (OWASP) provides a deliberately insecure iOS application: iGoat
- Contains a series of lessons to teach about security issues

Slide 31: Lab 3 Goals

In this lab we will:
- Load a pre-scanned iGoat FPR into Audit Workbench
- Explore the Fortify interface
- Demonstrate report generation

Slide 32: Lunch
Slide 33: Course Agenda (repeat of slide 5)
Slide 34: Open Lab

- Open Lab forum
- Bring code to scan
- Demonstrate other features
- Integration in build systems
- Questions
- SAMATE - Fortify SCA BenchMark

Slide 35: SAMATE Fortify SCA BenchMark

- NIST Software Assurance Metrics And Tool Evaluation (SAMATE) provides a number of test suites for static analysis tools
- Fortify SCA BenchMark: C and Java code
- The demo only looks at the Java code
Slide 36: Course Agenda (repeat of slide 5)
Slide 37: Day 2 Wrap Up

Summary:
- Writing secure code is every VA application developer's responsibility
- Secure code reviews have been included as activities in the VA ProPath System Development Life Cycle (SDLC) Product Build (BLD) processes
- Fortify can be used to scan source code for vulnerabilities during development
- Fortify should be used according to the VA OIS Secure Code Review Standard Operating Procedures
- Fortify software that is licensed for VA use can be requested through the NSD help desk
- V&V secure code review validations of final scans during the A&A process can be requested through the NSD help desk

Resources that you may find helpful:
- VA OIS Software Assurance Program Office support site
- Fortify product documentation, included as part of the Fortify software distribution
- OWASP Top Ten
- CWE/SANS Top 25

Slide 38: Additional Resources

For more data sets to scan:
- Samples included with Fortify
- OWASP
- SAMATE

More information on software vulnerabilities
Developing ASP.NET MVC 4 Web Applications MOC 20486 Course Outline Module 1: Exploring ASP.NET MVC 4 The goal of this module is to outline to the students the components of the Microsoft Web Technologies
More informationNIST 800-53A: Guide for Assessing the Security Controls in Federal Information Systems. Samuel R. Ashmore Margarita Castillo Barry Gavrich
NIST 800-53A: Guide for Assessing the Security Controls in Federal Information Systems Samuel R. Ashmore Margarita Castillo Barry Gavrich CS589 Information & Risk Management New Mexico Tech Spring 2007
More informationApplication Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group
Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group Overview What is Application Security? Examples of Potential Vulnerabilities Potential Strategies
More informationDeveloping ASP.NET MVC 4 Web Applications Course 20486A; 5 Days, Instructor-led
Developing ASP.NET MVC 4 Web Applications Course 20486A; 5 Days, Instructor-led Course Description In this course, students will learn to develop advanced ASP.NET MVC applications using.net Framework 4.5
More informationSecuring Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group
Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability
More informationProtect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance
Protect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance Sponsored by the U.S. Department of Homeland Security (DHS), the Software Engineering Institute
More informationProduct Roadmap. Sushant Rao Principal Product Manager Fortify Software, a HP company
Product Roadmap Sushant Rao Principal Product Manager Fortify Software, a HP company Agenda Next Generation of Security Analysis Future Directions 2 Currently under investigation and not guaranteed to
More informationCreating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011 Agenda Evolving Threats Operating System Application User Generated Content JPL s Application Security Program Securing
More information90% of data breaches are caused by software vulnerabilities.
90% of data breaches are caused by software vulnerabilities. Get the skills you need to build secure software applications Secure Software Development (SSD) www.ce.ucf.edu/ssd Offered in partnership with
More informationColumbia University Web Security Standards and Practices. Objective and Scope
Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements
More informationHybrid Analysis Mapping: Making Security and Development Tools Play Nice Together. Dan Cornell. CTO, Denim Group@danielcornell
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Together Dan Cornell CTO, Denim Group@danielcornell This presentation contains information about DHS-funded research: Topic Number:
More informationInformation Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis
Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University
More informationWeb Application Remediation. OWASP San Antonio. March 28 th, 2007
Web Application Remediation OWASP San Antonio March 28 th, 2007 Agenda Introduction The Problem: Vulnerable Web Applications Goals Example Process Overview Real World Issues To Address Conclusion/Questions
More informationOrganizations Should Implement Web Application Security Scanning
Research Publication Date: 21 September 2005 ID Number: G00130869 Organizations Should Implement Web Application Security Scanning Amrit T. Williams, Neil MacDonald Web applications are prone to vulnerabilities
More informationDFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)
Title: Functional Category: Information Technology Services Issuing Department: Information Technology Services Code Number: xx.xxx.xx Effective Date: xx/xx/2014 1.0 PURPOSE 1.1 To appropriately manage
More informationNETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS
NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities
More informationGetting software security Right
Getting software security Right Haiyun Xu, Theodoor Scholte April 24 2015 Table of contents 2 I 23 1. Who is SIG? 2. SIG software maintainability model 3. Getting software security Right: security by design
More informationAgile Security Successful Application Security Testing for Agile Development
WHITE PAPER Agile Security Successful Application Security Testing for Agile Development Software Security Simplified Abstract It is an imperative to include security testing in application development.
More informationState of Web Application Security. Ralph Durkee Durkee Consulting, Inc. Rochester ISSA & OWASP Chapters rd@rd1.net
Ralph Durkee Durkee Consulting, Inc. Rochester ISSA & OWASP Chapters rd@rd1.net Ralph Durkee Founder of Durkee Consulting since 1996 Founder of Rochester OWASP since 2004 President of Rochester ISSA chapter
More information05.0 Application Development
Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development
More informationISA CERTIFIED AUTOMATION PROFESSIONAL (CAP ) CLASSIFICATION SYSTEM
ISA CERTIFIED AUTOMATION PROFESSIONAL (CAP ) CLASSIFICATION SYSTEM Domain I: Feasibility Study - identify, scope and justify the automation project Task 1: Define the preliminary scope through currently
More informationMIS 5203. Systems & Infrastructure Lifecycle Management 1. Week 13 April 14, 2016
MIS 5203 Lifecycle Management 1 Week 13 April 14, 2016 Study Objectives Systems Implementation contd Configuration Management Monitoring and Incident Management Post implementation Reviews Project Success
More informationDetecting and Defending Against Security Vulnerabilities for Web 2.0 Applications
Detecting and Defending Against Security Vulnerabilities for Web 2.0 Applications Ray Lai, Intuit TS-5358 Share experience how to detect and defend security vulnerabilities in Web 2.0 applications using
More informationContinuous???? Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
???? 1 Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Application Delivery is Accelerating Surge in # of releases per app
More informationChristchurch Polytechnic Institute of Technology Information Systems Acquisition, Development and Maintenance Security Standard
Christchurch Polytechnic Institute of Technology Information Systems Acquisition, Development and Maintenance Security Standard Corporate Policies & Procedures Section 1: General Administration Document
More informationMaking your web application. White paper - August 2014. secure
Making your web application White paper - August 2014 secure User Acceptance Tests Test Case Execution Quality Definition Test Design Test Plan Test Case Development Table of Contents Introduction 1 Why
More information! Resident of Kauai, Hawaii
SECURE SDLC Jim Manico @manicode! OWASP Volunteer! Global OWASP Board Member! Manager of several OWASP secure coding projects! Security Instructor, Author! 17 years of web-based, databasedriven software
More informationEssential IT Security Testing
Essential IT Security Testing Application Security Testing for System Testers By Andrew Muller Director of Ionize Who is this guy? IT Security consultant to the stars Member of OWASP Member of IT-012-04
More informationUsing the Juliet Test Suite to compare Static Security Scanners
Using the Juliet Test Suite to compare Static Security Scanners Andreas Wagner 1, Johannes Sametinger 2 1 GAM Project, IT Solutions, Schwertberg, Austria 2 Dept. of Information Systems Software Engineering,
More information