Amadeus Shaping the future of travel


Transcription:

Amadeus: Shaping the future of travel. Neill Cameron, Application Security Office, 9 July 2015. 2015 Amadeus IT Group SA

Amadeus in a few words
Amadeus is a technology and SaaS company dedicated to the global travel industry. We are present in 195 countries with a worldwide team of more than 12,000 people. Our solutions help improve the business performance of travel agencies, corporations, airlines, airports, hotels, railways and more.

Revenues: Distribution & IT
[Bar chart, figures in million euros, years 2011 to 2014, split into IT and Distribution; totals shown: 2,707; 2,910; 3,103.7; 3,417.7]

Distribution: an overview
- Customer service
- Learning
- Delivery & Implementation
- Operations
- Support
- Consultancy

IT: an overview
- Customer service
- Learning
- Delivery & Implementation
- Operations
- Support
- Consultancy

Robust global operations (Amadeus today)
- 1.6+ billion data requests processed per day
- 525+ million travel agency bookings processed in 2014
- 695+ million Passengers Boarded (PBs) in 2014
- 95% of the world's scheduled network airline seats

Close to our customers

Changing context
- Our customers are pentesting us all the time
- Laws changing (PCI-DSS 3.0, EU Data Privacy Directive)
- Organized hackers behind botnets and professional hacking
- Google, Microsoft, Facebook bug bounties: a new army of hackers

Our management team (organisation chart, including the CISO)

Amadeus Security Offices
- CISO: policies, Regional/Information Security Officers, etc.
- Production Data Center
- Internal IT security offices
- R&D Applications

R&D Application Security Office
Mission: make Amadeus products sufficiently resilient against fraud and data breaches, and ensure compliance with applicable legislation, standards and regulations.
- PCI-DSS audits & compliance
- Secure product design & architecture
- Incident management support
- Secure Development Lifecycle (SDL)

Ages and phases of security

Application Attack Vector examples
[Diagram spanning Firewall/DMZ, webservice, webserver, datastore and filestore]
- CSRF
- Directory Traversal
- XML injection
- SQL/CMD Injection
- MiTB (man-in-the-browser): XSS, Clickjacking, Cache Poisoning
- MiTM (man-in-the-middle): Param Fuzzing, Proxy sniffing, Forged Tokens
- Direct Object Reference

Building security into software development lifecycle

Secure Development Lifecycle: 12 touchpoints across Design, Build, Test and Run
People & skills:
- SecDev Training Classes (WebApp, C++, QA)
- WhiteHat elearning
- WhiteHat Awareness Sessions
- SDL Portal
- WhiteHat deployment support
Touchpoints:
1. Risk Identification
2. Threat Modelling
3. Technical Policy Compliance
4. Developer SecTools
5. Security Code Review
6. Code Signing
7. Source code/static Application Scans
8. FOSS libs and 3rd party binary analysis
9. Web Application Scans
10. Penetration Tests
11. PRD load validation
12. Public Attack Surface audits

Examples of some SDL tools and activities
- Risk Identification
- Microsoft Threat Modeling Tool
- Threat modeling workshops
- Internal security lab

Examples of some SDL tools and activities (continued)
- Configuration file scanner: Web & Application Servers
- Java Dependency Checker
- Source Code Scans
- Web App Scans
- Penetration Tests
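The slide names a Java Dependency Checker as the tool behind touchpoint 8 (FOSS libs and 3rd party binary analysis) but shows no detail. The following is an added example, not Amadeus code, of what such a checker does at its core: it parses Maven-style `group:artifact:version` coordinates from a build tool's dependency listing and matches them against an advisory feed of affected version ranges. The advisory entries, their `ADV-EXAMPLE-*` ids and the dependency listing are all constructed for the example; a real checker would pull the feed from a vulnerability database.

```python
"""Minimal Java dependency checker (added example; constructed data).

Matches declared Maven coordinates against advisories that give a
half-open affected range [first_affected, first_fixed)."""
import re

# Constructed advisory feed. Tuple: (group:artifact, first affected,
# first fixed, advisory id). The ids are placeholders, not real identifiers.
ADVISORIES = [
    ("com.example:parser", "1.0.0", "1.4.2", "ADV-EXAMPLE-001"),
    ("org.example:webutil", "2.0.0", "2.3.0", "ADV-EXAMPLE-002"),
]

# Constructed dependency listing, one coordinate per line, as a build tool
# would print it. Lines starting with '#' are ignored.
DEPENDENCY_LISTING = """\
# resolved runtime dependencies (constructed)
com.example:parser:1.3.9
org.example:webutil:2.3.0
org.example:logging:5.1.0
com.example:parser:1.4.2
"""


def parse_version(version):
    """Turn '1.4.2' or '1.4.2-rc1' into a comparable tuple.

    Numeric segments compare as integers. A qualifier (e.g. '-rc1') marks a
    pre-release, which sorts *below* the bare release of the same number, so
    '1.4.2-rc1' is still inside a range that is fixed in '1.4.2'.
    """
    core, sep, _qualifier = re.split(r"([-+])", version, maxsplit=1) + ["", ""][: 0] if False else (version.partition("-")[0], version.partition("-")[1], version.partition("-")[2])
    numbers = tuple(int(p) if p.isdigit() else 0 for p in core.split("."))
    return numbers + (0 if sep else 1,)


def is_affected(version, first_affected, first_fixed):
    """True when first_affected <= version < first_fixed."""
    v = parse_version(version)
    return parse_version(first_affected) <= v < parse_version(first_fixed)


def check_dependencies(listing, advisories=ADVISORIES):
    """Return one finding dict per (dependency, advisory) match."""
    findings = []
    for raw in listing.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            continue  # not a group:artifact:version coordinate
        group, artifact, version = parts
        coordinate = f"{group}:{artifact}"
        for adv_coordinate, lo, hi, adv_id in advisories:
            if adv_coordinate == coordinate and is_affected(version, lo, hi):
                findings.append(
                    {"coordinate": line, "advisory": adv_id, "fixed_in": hi}
                )
    return findings


if __name__ == "__main__":
    for f in check_dependencies(DEPENDENCY_LISTING):
        print(f"{f['coordinate']}: {f['advisory']} (upgrade to {f['fixed_in']})")
```

Only `com.example:parser:1.3.9` is reported: `org.example:webutil:2.3.0` is the first fixed version and is therefore outside the half-open range, and `org.example:logging` has no advisory. The pre-release handling in `parse_version` matters in practice because release candidates of a fixed version are frequently still vulnerable.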

Microsoft Threat Modeling Tool (screenshot)

Configuration file scanner: Web & Application Servers (screenshot)
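The deck shows the configuration file scanner only as a screenshot. As an added example, not the Amadeus tool, the block below implements the pattern such a scanner follows: parse each directive of a server configuration, apply a table of rules that recognise weak values, and also report hardening directives that are absent altogether, since a missing `secure` flag is as much a finding as a wrong one. The `directive value` syntax, the directive names and both sample configurations are constructed for the example and do not belong to any particular web or application server.

```python
"""Configuration file scanner for web/application servers (added example).

Reads a constructed 'directive value' format, flags weak settings through a
rule table, and reports required hardening directives that are missing."""
from dataclasses import dataclass


@dataclass
class Finding:
    line: int          # 0 when the directive is missing from the file
    directive: str
    value: str
    message: str


# Constructed sample configuration containing several weak settings.
WEAK_CONFIG = """\
# app server config (constructed example)
listen 8443
tls_min_version TLSv1.0
directory_listing on
debug_mode true            # left over from development
server_tokens full
session_cookie_httponly false
"""

# The same file with every finding corrected.
HARDENED_CONFIG = """\
listen 8443
tls_min_version TLSv1.2
directory_listing off
debug_mode false
server_tokens prod
session_cookie_httponly true
session_cookie_secure true
"""

DEPRECATED_TLS = {"sslv2", "sslv3", "tlsv1.0", "tlsv1.1"}

# Rule table: directive -> (predicate that is True for a weak value, message).
RULES = {
    "tls_min_version": (lambda v: v.lower() in DEPRECATED_TLS,
                        "minimum TLS version admits deprecated protocols"),
    "directory_listing": (lambda v: v.lower() == "on",
                          "directory listing exposes the file layout"),
    "debug_mode": (lambda v: v.lower() in {"true", "on", "1"},
                   "debug mode leaks stack traces and internals"),
    "server_tokens": (lambda v: v.lower() == "full",
                      "full version banner aids reconnaissance"),
    "session_cookie_httponly": (lambda v: v.lower() != "true",
                                "session cookie is readable by page scripts"),
}

# Directives that must be present with the given value.
REQUIRED = {"session_cookie_secure": "true"}


def parse_config(text):
    """Yield (line_no, directive, value); comments and blank lines are skipped."""
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        yield no, parts[0].lower(), value


def scan_config(text, rules=RULES, required=REQUIRED):
    """Return a list of Finding objects, in file order, then missing directives."""
    findings = []
    seen = {}
    for no, directive, value in parse_config(text):
        seen[directive] = value
        if directive in rules:
            is_weak, message = rules[directive]
            if is_weak(value):
                findings.append(Finding(no, directive, value, message))
    for directive, expected in required.items():
        if directive not in seen:
            findings.append(Finding(0, directive, "",
                                    f"missing; expected '{directive} {expected}'"))
        elif seen[directive].lower() != expected:
            findings.append(Finding(0, directive, seen[directive],
                                    f"expected '{expected}'"))
    return findings


if __name__ == "__main__":
    for f in scan_config(WEAK_CONFIG):
        where = f"line {f.line}" if f.line else "absent"
        print(f"[{where}] {f.directive} {f.value!r}: {f.message}")
```

Running it on `WEAK_CONFIG` yields six findings (five weak values plus the absent `session_cookie_secure`), while `HARDENED_CONFIG` yields none. Keeping the rules as data rather than code is what lets a scanner like this be maintained by the security office while developers run it in the build.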

Key takeaways
- Pentest & patch is not enough: a full SDL is needed
- Design security in from the start
- Educating and involving developers is key

Thank you. You can follow us on: AmadeusITGroup, amadeus.com/blog, amadeus.com