PENETRATION TESTING IN THE DEVELOPMENTAL ENVIRONMENT Benefiting the Developer Bill Argenbright and Al Pruitt 2 December 2015



SLIDE 2 Incorporating Security into the Software Development Life Cycle (SDLC)
- Introduction
- Engineering V-Model
- Security Initiation
- Vulnerability Scan vice Penetration Test
- When to Test
- Web Testing

SLIDE 3 Biggest Revolution in Warfare The increasingly wired nature of the world means cyberspace will likely be the world's next large battlefield (if it isn't already). Israel, always at the forefront of military technology, is paying close attention to the way the wind is blowing. Major General Aviv Kochavi, speaking at the annual conference of the Institute for National Security Studies in Tel Aviv, went on record as saying "cyber, in my modest opinion, will soon be revealed to be the biggest revolution in warfare, more than gunpowder and the utilization of air power in the last century."

SLIDE 4 Introduction
Engineering V-Model
- System Development
- Software Development (Applications/Widgets)
- Two Streams: Specification Stream, Testing Stream

SLIDE 5 Cyber Threat Tiers
Tier I: Practitioners who rely on others to develop the malicious code, delivery mechanisms, and execution strategy (use known exploits).
Tier II: Practitioners with a greater depth of experience, with the ability to develop their own tools (from publicly known vulnerabilities).
Tier III: Practitioners who focus on the discovery and use of unknown malicious code, are adept at installing user- and kernel-mode rootkits, frequently use data-mining tools, and target corporate executives and key users (government and industry) for the purpose of stealing personal and corporate data with the express purpose of selling the information to other criminal elements.
Tier IV: Criminal or state actors who are organized, highly technical, proficient, well-funded professionals working in teams to discover new vulnerabilities and develop exploits.
Tier V: State actors who create vulnerabilities through an active program to influence commercial products and services during design, development or manufacturing, or with the ability to impact products while in the supply chain to enable exploitation of networks and systems of interest.
Tier VI: States with the ability to successfully execute full-spectrum operations (cyber capabilities in combination with all of their military and intelligence capabilities) to achieve a specific outcome in political, military, economic, etc. domains and apply them at scale.

SLIDE 6 Security Initiation Phase

SLIDE 7 Vulnerability Scan vice Penetration Test
- Assured Compliance Assessment Solution (ACAS): 5 pieces or options; continuous visibility across the enterprise by coupling active and passive scanning.
- eEye Retina Network Security Scanner: available as software or as a hardware appliance; provides cross-platform vulnerability management; identifies not only known vulnerabilities but zero-day vulnerabilities as well.
- Rapid7: vulnerability scanner which aims to support the entire vulnerability management lifecycle, including discovery, detection, verification, risk classification, impact analysis, reporting and mitigation.

SLIDE 8 Vulnerability Scan vice Penetration Test
Pen Testing is Tool Based with Manual Input
- Metasploit Pro (Cost) / BackTrack 5 R3 (Freeware)
- Core Impact (Cost)
- Social-Engineer Toolkit (SET) (Freeware)
- Wireshark (Freeware)
- Burp Suite (Cost)
- Cain & Abel (Freeware)
- Nmap (Freeware)
- Nexpose (Cost)
- Nessus (Cost)
- w3af Web Application (Freeware)
- Netsparker Web Application (Cost)

SLIDE 9 When penetration testing should be performed
Pen tests should be scheduled and performed on a regular basis. The number of times a pen test is performed per year will depend on factors such as environment and industry. In addition to scheduled pen tests, additional testing should be performed when:
- New network infrastructure or applications are added.
- Significant upgrades or modifications are applied to infrastructure or applications.
- New office locations are established.
- Security patches are applied.
- End-user policies are modified.
- A well-known vulnerability is revealed to the public.

SLIDE 10 New Battlefield
President Obama stated, "America's economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet."
Lt. Gen. George Flynn, then-deputy commandant commanding the Marine Corps Combat Development Command, was dual-hatted as the first head of MARFORCYBER. He summed up the Marine role as ensuring defense of the Corps and DoD cyber turf. "The cyberspace domain is the newest and possibly the most complicated we must now dominate. If we are to be dominant on land, at sea, and in the air, we must be dominant in cyber," he said.

SLIDE 11 What Type of Pen Testing Should be Performed
What exactly is a Web application? A Web application is an application, generally composed of a collection of scripts that reside on a Web server and interact with databases or other sources of dynamic content.
- Web Application Penetration Testing
- Application Pen Testing
- Software Pen Testing, better known as Code Review

SLIDE 12 Greatest Threat The Army has over 200 years' experience dealing with the physical threats of the battlefield, and leaders are pretty confident in their ability to overcome them. These days, it is the other kind of threat that has them concerned. "The greatest threat I face as a brigade commander on the battlefield is not tanks, snipers or IEDs," Col. Chuck Masaracchia said as the Army got started hosting the largest-ever joint forces network exercise. "It's defending the network."

SLIDE 13 QUESTIONS?