
Security vulnerabilities: should they be early detected?
- lsampaio@inf.puc-rio.br
Alessandro Garcia afgarcia@inf.puc-rio.br
OPUS Research Group

Agenda
1. Background;
2. Motivation;
3. Research Questions;
4. Hypotheses;
5. Empirical Method and Evaluation;
6. Work Plan;
7. Expected Contributions;
8. Questions?

Background
What is good software?
Easy to use (Usability);
Fast (Efficiency);
Easy to update (Maintainability);
Issues of usability, efficiency and others are easy to spot.
What about Security?

Background (2)
86% of all websites had at least one serious* vulnerability, and most of the time far more than one -- 56 to be precise;
Organizations that provide software security training for their developers experience 25% fewer serious vulnerabilities annually than those who do not;
Cross-Site Scripting identified in 53%;
Source: https://www.whitehatsec.com/assets/wpstatsreport_052013.pdf

Background (3)
Open Web Application Security Project (OWASP);
OWASP Top 10 2003, 2004, 2007, 2010, 2013;
Spread the word!

Background (4)
OWASP Top 10 2013
01 (SQL/Command) Injection;
02 Broken Authentication and Session Management;
03 Cross-Site Scripting (XSS);
04 Insecure Direct Object References;
05 Security Misconfiguration;
06 Sensitive Data Exposure;
07 Missing Function Level Access Control;
08 Cross-Site Request Forgery (CSRF);
09 Using Known Vulnerable Components;
10 Unvalidated Redirects and Forwards;

Background >> SQL Injection
It affects all programming languages;
What if: ' or '1'='1 or ';DROP table User;--'
Remove "delete" from "deldeleteete" (a blacklist filter that strips the keyword once leaves "delete" behind);
The same solution works in all programming languages;
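The two points of this slide, as an added example in Python with sqlite3 (not code from the presentation): the ' or '1'='1 input from the slide bypasses a login check built by string concatenation but not a parameterized one, and the naive "remove delete" filter turns "deldeleteete" into "delete". The User table, its rows and the function names are constructed here for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample database: a User table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE User (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO User VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_concat(conn, name, password):
    """Vulnerable: user input is pasted into the SQL text, so a quote in the
    password closes the literal and the rest is parsed as SQL."""
    sql = ("SELECT name FROM User WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, name, password):
    """Fixed: bound parameters. The driver sends the values separately from
    the statement, so input can never change the query structure."""
    sql = "SELECT name FROM User WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def naive_filter(text):
    """The blacklist idea from the slide: strip the keyword 'delete' once.
    Removing the inner 'delete' from 'deldeleteete' reassembles 'delete',
    which is why keyword stripping is not a fix for injection."""
    return text.replace("delete", "")


def demo():
    """Runs both login variants against the slide's payload and the filter."""
    conn = make_db()
    payload = "' or '1'='1"
    return {
        "concat_rows": sorted(login_concat(conn, "alice", payload)),
        "param_rows": login_param(conn, "alice", payload),
        "honest_login": login_param(conn, "alice", "s3cret"),
        "filtered": naive_filter("deldeleteete"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The DROP statement from the slide is not exercised here because sqlite3's execute() refuses to run more than one statement per call; in drivers that allow stacked statements the parameterized form is still the fix.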

Motivation
Everything is going online;
Applications are going global;
Reputation is really important;
The later you find a problem, the more expensive it will be to fix it.

Motivation (2)
Source: http://h20427.www2.hp.com/resources/pdfs/tw/zh/2013/0307hp_2012_cyber_risk_report.pdf

Motivation (3)
Source: http://h20427.www2.hp.com/resources/pdfs/tw/zh/2013/0307hp_2012_cyber_risk_report.pdf

Research Questions
RQ1 - Who should check for security vulnerabilities?
RQ2 - When is the best moment to check for security vulnerabilities?
RQ3 - Where is the best place to check for security vulnerabilities?
RQ4 - Why do they appear?
RQ5 - Which of these security vulnerabilities are the most interesting for early detection?

Hypotheses
H1 - Architects/Developers don't care about security vulnerabilities;
H2 - Architects/Developers don't know about security vulnerabilities;
H3 - There are no good tools to help developers find and fix security vulnerabilities;
H4 - Most security vulnerabilities are introduced by inexperienced developers;
H5 - The deadlines are to blame.

Empirical Method and Evaluation
Exploratory study;
Analyze existing code with the tools available;
Mine bug reports and forums about the topic;

Work Plan
Download and use the most used tools that find security vulnerabilities;
Try to identify which vulnerabilities are the most interesting for early detection;

Expected Contributions
Recommend specific guidelines for development processes to follow;
Recommend specific features that tools for finding security vulnerabilities should have;

Questions?

Thank you!
- lsampaio@inf.puc-rio.br
Alessandro Garcia afgarcia@inf.puc-rio.br
OPUS Research Group