Secure coding practices
|
|
- Katherine Barber
- 6 years ago
- Views:
Transcription
1 Secure coding practices Universal Banking Solution Systems Integration Consulting Business Process Outsourcing
2 Secure coding practices Writing good code is an art but equally important is programmers awareness of secure code practices, and the care they take when defining variables and structures and passing references and pointers from one module to another. Overview of code security While defining variables, programmers need to first assess memory space to be allocated, and clearly define the individual scope of reference variables while passing references inside functions. In languages such as C++, defining and using pointers is good practice as it improves performance and speed, especially in the case of applications like core banking where there are multiple users. But on the flip side, this poses enormous risk to data security as pointers can be accessed from outside and variable values can be manipulated. Programmers should follow secure coding practices while dealing with arrays, linked lists, stacks and vectors, which are the linear data structures normally used in coding, always keeping in mind that size of such data structures should be strictly limited to the space required. Location the physical address at which these structures are defined is an important aspect as well. In addition, it is essential to restrict access to the structures using proper access controls such as public, private or protected, inside the code. Another thing to be kept in mind is that variables, used normally for handshaking between two modules say, loans with payments should have a restricted set of values defined. These variables are normally static and their scope should be defined within certain boundaries. Also, it is always reco-mmended to perform code audits before implementation, so that potential code vulnerabilities can be fixed. For that, the code auditors should be enabled with proper know-how about individual languages and related secure code practices. Moreover, programmers should be aware of specific security related features of each programming language. Code review by experts ensures that programmers implement good security practices. Security breach in coding Security breaches in coding are primarily of 4 generic types: Code injections: In most of the functionalities where end users are allowed to upload file content, they can also inject codes in the Web server. These codes can perform malicious acts and pass valuable system information to hackers. Malware passing/hosting: Malware, which is software written to perform malicious activities, can be passed inside Web interfaces if codes are not written securely. Insecure database calls: Generic database calls require variables like database passwords and names and user names that are generally accessed 02
3 through static storage variables or properties files. It is important to write these calls in a manner that passwords and user names can be generated at run time and passed in the program. It has been observed in security audits that many enterprise applications use hardcoding of passwords and other parameters, which is a wrong programming practice. Properties file misuse: Properties files normally used to access basic data, contain lists of unencrypted variables whose values can be modified by system users. If such files are used, the variable values should be stored using interfaces and in encrypted format. However, it is recommended to avoid these files altogether. Further, if the property file of the server is compromised, hackers can overload its access methods and misuse them. It is preferable to create combination keys with two or more resources instead of using just one properties file. These can be run time generated and passed to required modules. Change management and version control In general code writing practices, version control is achieved using version numbering. Secure practices need to be followed during the change management implementation process. The changes in code should be highlighted with details and code review should be done before deployment. Also, the vulnerabilities due to new changes in code should be addressed explicitly. General secure coding practices Concept of no tolerance When coding, the tolerance related to variable length, scope and accessibility should be predetermined and only the required scope should be allowed. The tolerance for variable length should be optimized. Scopes for generated objects should also be predetermined. Ideally, code should not rely on variable scope predefined by the compiler. Certain thumb rules of secure coding Vertical and horizontal code drafting practices/ Code Orientation: Although code drafting methods might change as per language specifications, the normal way of writing code is either vertical cascading or horizontal splitting of code. The vertical cascading method helps programmers to understand the code whereas horizontal splitting enables them to define the scope of functions and variables. Variable declarations: When variables are declared in code, the variable length and scope of variable access should be predetermined; declarations should be made accordingly. Use of fixed length variables should be avoided and preferably, variables should be defined with dynamic memory allocations. Many new compilers like VB and VC++ support postponement of variable declaration by mentioning only the variable name and not the type. In such cases, variable types and properties should be determined within the scope without any overload of unnecessary features. In languages that support object referencing, programmers should avoid making multiple copies of the same variables. System level and semaphore variables: In cases where shell variables are used, variable values have to be sanitized. It is preferable to initialize values and not to assume default 03
4 vales as per system usage. Normally for interprocess communications where semaphores are implemented, the variables used to control the semaphores should be initialized in advance and then further modified as per system usage. As the semaphore controlling variable values are generally global in nature, it is important to determine entry and exit point values in advance. Object oriented principles Partial and full implementation of Object Oriented Programming (OOP) and security: OOP is in line with best security practices, with some exceptions. For instance, high usage of friend and virtual functions makes code more insecure and prone to compromise. Well-defined scopes like public, private and protected, secure the code. Certain programming languages like Java do not support multiple inheritances, thus protecting the methods defined under classes. Data abstraction and multiple inheritance linkages: Programmers should avoid using multiple inheritances as it adds to code vulnerability. Making major variable declarations in public scope enables easy access, thereby compromising OOP abstraction. Prevention of inheritance by key words like Final : In certain languages like C++ and Java, inheritance can be restricted using key words such as Final, thus disallowing users from inheriting class methods available in base class. This can be done when programmers do not want any further extensions and use defined class members. Security for software deployment Secure deployments, keys protection in code deployment: Generally, codes are deployed through popular deployment tools which compress the files and serially deploy them on the destination server. The deployment codes might be insecure, resulting in holes in the applications. Preferably, deployments should be done serially and manual handling should be strictly avoided. Keys used for secure deployments should be dynamic, with a specified time period to avoid code misuse. Code level security for Web applications While SQL injection is a common Web vulnerability, it is also important to write optimized queries in order to secure the data objects. This ensures the safety of the SQL output artifacts and also improves performance of database calls. Also, retrieval of unnecessary database column values should be avoided. Web server secure practices: Web server logs should always be configured to another drive where they can be stored. This will enable the tracing of hacking attacks. In addition, error messages (such as page not found ) should be altered to prevent the user from getting details like Web server configuration and version path. Web server default passwords and paths should also be changed as per specific requirement. Secure way of code deployment on Web: Web-based code deployment, being very unsecure, should be managed well. Handshakes should happen on key exchange mechanism and both client and server application should authenticate the connection between them. 04
5 Best security practices at the individual language level Each programming language has its own features around which security practices are set. C/C++ Even if declared implicitly, array bounds in C++ should be set explicitly, and should not be left open-ended. The structures should be defined dynamically as well. Also, loop arrays should not be allowed to iterate beyond the end of the array, so as to reduce buffer overflow attacks. In addition, conversions using void pointers should be avoided, while the automatic variables used need to be initialized before declaration. Java Sanitization of all data input irrespective of the source, substantially reduces risk of attacks such as code injections. It is also advisable to declare data variables of a class as private, thereby restricting access. Even in the case of nested classes, the methods accessing the private members of the outer class should be declared as private. Besides, exceptions should not be allowed to expose sensitive information. The outcomes of exceptions should be changed by proper exception handling, so that users get only valid exceptions. Use of the key word Finally while handling the exception significantly reduces data vulnerability. Null pointers should not be de-referenced, as this can cause the null pointer exception. Error messages passed to the user through servlets should be appropriate and should not display any confidential data. ASP.Net When using the popular programming language ASP.Net, data input from all users should be thoroughly sanitized. Stored procedures should be used to filter malicious user inputs, thereby mitigating code injection attacks. Also, session hijacking attacks can be reduced by disparate transmission of authentication and session cookies and using only the HTTPS network for the same. Authentication credentials should also be passed only over HTTPS. Network eaves dropping can be reduced by transmitting all information between client and browser over Secure Sockets Layer (SSL). Programmers should also ensure that client side options such as view state /hidden variables are not used to store sensitive data. Further, sensitive information must be stored on the server and not on the client side. Additionally, appropriate error messages should be displayed just like in Java. PHP In the server-side programming language, PHP, the majority of attacks can be reduced by sanitizing the input; functions like filter_input/ filter_id can be used. While using MySQL, it would be preferred to change password frequently. Malicious scripts can be prevented from running on the browser by removing content like special characters before it is sent to the users. Attacks such as Remote File Inclusion/Local File Inclusion can be reduced by sanitizing the inputs, restricting dynamic inputs that come from the user and placing strict access controls for critical files. Again, error messages sent to the user must be generic and not disclose any information. Shell scripts When using shell scripts, a popular scripting language mainly based on the Unix platform, restricted access must be ensured, with read, write and execute permissions for individual scripts given according to users privilege. In fact, Unix is considered the most secure Operating System because of the security features offered though shell scripts. Programmers should restrict privileges for specific command execution as well. For instance, those given permission to view the directory should not be allowed to make any changes. Additionally, the access controls for individual files and directories should be predetermined. Segregation of users based on privileges is very important too. 05
6 While writing and executing filters, steps to prevent data exposure should be taken care of in advance. During processing, programmers should exercise caution when exposing kernel calls and switches to end users. They should also ensure that fork calls are finite and controlled by defined system variables as they are highly sensitive to memory usage. In addition, TCP/IP stack gets exposed to programmers directly through shell script and C programs and programmers should avoid display of unnecessary stack information to end users. There have been instances of companies preparing their own protocol to avoid content exposure through the TCP/IP stack. Conclusion Application coding security is not restricted to just drafting ways of coding. Rather, it calls for a comprehensive approach that encompasses methods of Web and database server configuration, ways of making calls on Web servers and databases, techniques of handling properties files et al. Best security practices should be formulated keeping in mind language specific features and should be applied during configuration, coding and implementation. Bibliography 1. Session Hijacking: Refers to the exploitation of the session, done mainly by theft of the session key used to authenticate a valid user and gain access to services. 2. Network Eavesdropping: Refers to the sniffing of the data packets transmitted along a network to gain access to sensitive information. This is done using sniffers. 3. Semaphores: Used in operating systems, for coordinating activities between multiple processes that compete for using the resources of the operating system. Depending on the value of the semaphore the process will know whether to utilize the resource or to wait. 4. SQL Injection attack: SQL queries are drafted and inserted in Web forms maliciously to extract sensitive information from databases. 5. Array: Term referred to the use of a collection of variables belonging to a single type. 6. Pointers: A variable which is used to store the address of another variable. Makarand Madhukar Baji Senior Consultant, Finacle Payments, Infosys Sandhya Ravikumar Technology Analyst, Finacle E-Banking and Channel Support, Infosys 06
7 About Finacle Finacle from Infosys partners with banks to transform process, product and customer experience, arming them with accelerated innovation that is key to building tomorrow s bank. For more information, contact Finacleweb@infosys.com Infosys Limited, Bangalore, India, Infosys believes the information in this publication is accurate as of its publication date; such information is subject to change without notice. Infosys acknowledges the proprietary rights of the trademarks and product names of other companies mentioned in this document.
SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0
Welcome BIZEC Roundtable @ IT Defense, Berlin SAP Security BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0 February 1, 2013 Andreas Wiegenstein CTO, Virtual Forge 2 SAP Security SAP security is a complex
More informationSecure Application Development. OWASP September 28, The OWASP Foundation
Secure Application Development September 28, 2011 Rohini Sulatycki Senior Security Consultant Trustwave rsulatycki@trustwave.com Copyright The Foundation Permission is granted to copy, distribute and/or
More informationSolutions Business Manager Web Application Security Assessment
White Paper Solutions Business Manager Solutions Business Manager 11.3.1 Web Application Security Assessment Table of Contents Micro Focus Takes Security Seriously... 1 Solutions Business Manager Security
More informationEvaluating the Security Risks of Static vs. Dynamic Websites
Evaluating the Security Risks of Static vs. Dynamic Websites Ballard Blair Comp 116: Introduction to Computer Security Professor Ming Chow December 13, 2017 Abstract This research paper aims to outline
More informationFile Transfer and the GDPR
General Data Protection Regulation Article 32 (2): In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from
More informationWeb insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.
Web Security Web Programming Uta Priss ZELL, Ostfalia University 2013 Web Programming Web Security Slide 1/25 Outline Web insecurity Security strategies General security Listing of server-side risks Language
More informationSecuring Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)
Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF) A Guide to Leveraging Privileged Account Security to Assist with SWIFT CSCF Compliance Table of Contents Executive Summary...
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationBank Infrastructure - Video - 1
Bank Infrastructure - 1 05/09/2017 Threats Threat Source Risk Status Date Created Account Footprinting Web Browser Targeted Malware Web Browser Man in the browser Web Browser Identity Spoofing - Impersonation
More information# ROLE DESCRIPTION / BENEFIT ISSUES / RISKS
As SharePoint has proliferated across the landscape there has been a phase shift in how organizational information is kept secure. In one aspect, business assets are more secure employing a formally built
More informationSecurity Solutions. Overview. Business Needs
Security Solutions Overview Information security is not a one time event. The dynamic nature of computer networks mandates that examining and ensuring information security be a constant and vigilant effort.
More informationEthical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities
Ethical Hacking and Countermeasures: Web Chapter 3 Web Application Vulnerabilities Objectives After completing this chapter, you should be able to: Understand the architecture of Web applications Understand
More informationTHREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda
THREAT MODELING IN SOCIAL NETWORKS Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda INTRODUCTION Social Networks popular web service. 62% adults worldwide use social media 65% of world top companies
More informationHacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK
Hacker Academy Ltd COURSES CATALOGUE Hacker Academy Ltd. LONDON UK TABLE OF CONTENTS Basic Level Courses... 3 1. Information Security Awareness for End Users... 3 2. Information Security Awareness for
More informationGladiator Incident Alert
Gladiator Incident Alert Allen Eaves Sabastian Fazzino FINANCIAL PERFORMANCE RETAIL DELIVERY IMAGING PAYMENT SOLUTIONS INFORMATION SECURITY & RISK MANAGEMENT ONLINE & MOBILE 1 2016 Jack Henry & Associates,
More informationAttacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14
Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.
More informationCPTE: Certified Penetration Testing Engineer
www.peaklearningllc.com CPTE: Certified Penetration Testing Engineer (5 Days) *Includes exam voucher, course video, an exam preparation guide About this course Certified Penetration Testing Engineer certification
More informationAguascalientes Local Chapter. Kickoff
Aguascalientes Local Chapter Kickoff juan.gama@owasp.org About Us Chapter Leader Juan Gama Application Security Engineer @ Aspect Security 9+ years in Appsec, Testing, Development Maintainer of OWASP Benchmark
More informationHP 2012 Cyber Security Risk Report Overview
HP 2012 Cyber Security Risk Report Overview September 2013 Paras Shah Software Security Assurance - Canada Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject
More informationCSWAE Certified Secure Web Application Engineer
CSWAE Certified Secure Web Application Engineer Overview Organizations and governments fall victim to internet based attacks every day. In many cases, web attacks could be thwarted but hackers, organized
More informationAN IPSWITCH WHITEPAPER. The Definitive Guide to Secure FTP
AN IPSWITCH WHITEPAPER The Definitive Guide to Secure FTP The Importance of File Transfer Are you concerned with the security of file transfer processes in your company? According to a survey of IT pros
More informationSDR Guide to Complete the SDR
I. General Information You must list the Yale Servers & if Virtual their host Business Associate Agreement (BAA ) in place. Required for the new HIPAA rules Contract questions are critical if using 3 Lock
More informationTop 10 Database Security Threats and How to Stop Them. Rob Rachwald Director of Security Strategy
Top 10 Database Security Threats and How to Stop Them Rob Rachwald Director of Security Strategy Data Has Value Data Has Value Top 7 Attacks Discussed in Hacker Forums 11% 9% 12% 12% 15% 21% 20% dos/ddos
More informationCoreMax Consulting s Cyber Security Roadmap
CoreMax Consulting s Cyber Security Roadmap What is a Cyber Security Roadmap? The CoreMax consulting cyber security unit has created a simple process to access the unique needs of each client and allows
More informationUsing the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway
Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway Applying Application Delivery Technology to Web Services Overview The Cisco ACE XML Gateway is the newest
More information01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED
01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED Contents 1. Introduction 3 2. Security Testing Methodologies 3 2.1 Internet Footprint Assessment 4 2.2 Infrastructure Assessments
More informationSECURE CODING PART 1 MAGDA LILIA CHELLY ENTREPRENEUR CISO ADVISOR CYBERFEMINIST PEERLYST BRAND AMBASSADOR TOP 50 CYBER CYBER
SECURE CODING PART 1 MAGDA LILIA CHELLY ENTREPRENEUR CISO ADVISOR CYBERFEMINIST PEERLYST BRAND AMBASSADOR TOP 50 CYBER INFLUENCER @RESPONSIBLE CYBER 1 AGENDA 1. Introduction: What is security? How much
More informationDrone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created
Drone - 2 04/12/2018 Threat Model Description Threats Threat Source Risk Status Date Created Mobile Phone: Sensitive Data Leakage Smart Devices Mobile Phone: Session Hijacking Smart Devices Mobile Phone:
More informationW e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s
W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s Session I of III JD Nir, Security Analyst Why is this important? ISE Proprietary Agenda About ISE Web Applications
More informationA (sample) computerized system for publishing the daily currency exchange rates
A (sample) computerized system for publishing the daily currency exchange rates The Treasury Department has constructed a computerized system that publishes the daily exchange rates of the local currency
More informationProvide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any
OWASP Top 10 Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any tester can (and should) do security testing
More informationWeb Application Penetration Testing
Web Application Penetration Testing COURSE BROCHURE & SYLLABUS Course Overview Web Application penetration Testing (WAPT) is the Security testing techniques for vulnerabilities or security holes in corporate
More informationVidder PrecisionAccess
Vidder PrecisionAccess Transparent Multi-Factor Authentication June 2015 910 E HAMILTON AVENUE. SUITE 430. CAMPBELL, CA 95008 P: 408.418.0440 F: 408.706.5590 WWW.VIDDER.COM Table of Contents I. Overview...
More informationHackveda Training - Ethical Hacking, Networking & Security
Hackveda Training - Ethical Hacking, Networking & Security Day1: Hacking windows 7 / 8 system and security Part1 a.) Windows Login Password Bypass manually without CD / DVD b.) Windows Login Password Bypass
More informationSecure Access & SWIFT Customer Security Controls Framework
Secure Access & SWIFT Customer Security Controls Framework SWIFT Financial Messaging Services SWIFT is the world s leading provider of secure financial messaging services. Their services are used and trusted
More informationImproving Security in the Application Development Life-cycle
Improving Security in the Application Development Life-cycle Migchiel de Jong Software Security Engineer mdejong@fortifysoftware.com March 9, 2006 General contact: Jurgen Teulings, 06-30072736 jteulings@fortifysoftware.com
More informationPrivileged Account Security: A Balanced Approach to Securing Unix Environments
Privileged Account Security: A Balanced Approach to Securing Unix Environments Table of Contents Introduction 3 Every User is a Privileged User 3 Privileged Account Security: A Balanced Approach 3 Privileged
More informationRiskSense Attack Surface Validation for Web Applications
RiskSense Attack Surface Validation for Web Applications 2018 RiskSense, Inc. Keeping Pace with Digital Business No Excuses for Not Finding Risk Exposure We needed a faster way of getting a risk assessment
More informationOWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example
Proxy Caches and Web Application Security Using the Recent Google Docs 0-Day as an Example Tim Bass, CISSP Chapter Leader, Thailand +66832975101, tim@unix.com AppSec Asia October 21, 2008 Thailand Worldwide
More informationRecommendations for Device Provisioning Security
Internet Telephony Services Providers Association Recommendations for Device Provisioning Security Version 2 May 2017 Contact: team@itspa.org.uk Contents Summary... 3 Introduction... 3 Risks... 4 Automatic
More informationNEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?
NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT? What the new data regulations mean for your business, and how Brennan IT and Microsoft 365 can help. THE REGULATIONS: WHAT YOU NEED TO KNOW Australia:
More informationWeb Application & Web Server Vulnerabilities Assessment Pankaj Sharma
Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma Indian Computer Emergency Response Team ( CERT - IN ) Department Of Information Technology 1 Agenda Introduction What are Web Applications?
More informationPracticeDump. Free Practice Dumps - Unlimited Free Access of practice exam
PracticeDump http://www.practicedump.com Free Practice Dumps - Unlimited Free Access of practice exam Exam : SY0-501 Title : CompTIA Security+ Certification Exam Vendor : CompTIA Version : DEMO Get Latest
More informationAttacks Against Websites. Tom Chothia Computer Security, Lecture 11
Attacks Against Websites Tom Chothia Computer Security, Lecture 11 A typical web set up TLS Server HTTP GET cookie Client HTML HTTP file HTML PHP process Display PHP SQL Typical Web Setup HTTP website:
More informationWeb Application Vulnerabilities: OWASP Top 10 Revisited
Pattern Recognition and Applications Lab Web Application Vulnerabilities: OWASP Top 10 Revisited Igino Corona igino.corona AT diee.unica.it Computer Security April 5th, 2018 Department of Electrical and
More informationPenetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant
Penetration Testing following OWASP Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant За Лирекс Penetration testing A method of compromising the security of a computer system or network by
More informationDefine information security Define security as process, not point product.
CSA 223 Network and Web Security Chapter One What is information security. Look at: Define information security Define security as process, not point product. Define information security Information is
More informationOWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP
OWASP Top 10 Risks Dean.Bushmiller@ExpandingSecurity.com Many thanks to Dave Wichers & OWASP My Mom I got on the email and did a google on my boy My boy works in this Internet thing He makes cyber cafes
More informationHost Website from Home Anonymously
Abstract Host Website from Home Anonymously Prerna Mahajan 1 and Kashish Gupta 2 1 Professor, Department of Computer Science, IITM Janakpuri, New Delhi, India 2 Research Scholar, Department of Computer
More informationSecure Programming Techniques
Secure Programming Techniques Meelis ROOS mroos@ut.ee Institute of Computer Science Tartu University spring 2014 Course outline Introduction General principles Code auditing C/C++ Web SQL Injection PHP
More informationThe Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA
The Weakest Link: Mitigating Web Application Vulnerabilities webscurity White Paper webscurity Inc. Minneapolis, Minnesota USA March 19, 2008 Contents Executive Summary...3 Introduction...4 Target Audience...4
More informationCertified Secure Web Application Engineer
Certified Secure Web Application Engineer ACCREDITATIONS EXAM INFORMATION The Certified Secure Web Application Engineer exam is taken online through Mile2 s Assessment and Certification System ( MACS ),
More informationEasyCrypt passes an independent security audit
July 24, 2017 EasyCrypt passes an independent security audit EasyCrypt, a Swiss-based email encryption and privacy service, announced that it has passed an independent security audit. The audit was sponsored
More informationCopyright
1 Security Test EXTRA Workshop : ANSWER THESE QUESTIONS 1. What do you consider to be the biggest security issues with mobile phones? 2. How seriously are consumers and companies taking these threats?
More informationProgress Exchange June, Phoenix, AZ, USA 1
1 COMP-1: Securing your web application against hackers Edwin Lijnzaad & Ronald Smits Consultants Agenda Introduction Issues How to... Questions 2 COMP-1: Securing your web application against hackers
More informationC and C++ Secure Coding 4-day course. Syllabus
C and C++ Secure Coding 4-day course Syllabus C and C++ Secure Coding 4-Day Course Course description Secure Programming is the last line of defense against attacks targeted toward our systems. This course
More informationWeb Application Whitepaper
Page 1 of 16 Web Application Whitepaper Prepared by Simone Quatrini and Isa Shorehdeli Security Advisory EMEAR 6 th September, 2017 1.0 General Release Page 2 of 16 1. Introduction In this digital age,
More informationDIABLO VALLEY COLLEGE CATALOG
COMPUTER SCIENCE COMSC Despina Prapavessi, Dean Math and Computer Science Division Math Building, Room 267 The computer science department offers courses in three general areas, each targeted to serve
More informationCERTIFICATE IN WEB PROGRAMMING
COURSE DURATION: 6 MONTHS CONTENTS : CERTIFICATE IN WEB PROGRAMMING 1. PROGRAMMING IN C and C++ Language 2. HTML/CSS and JavaScript 3. PHP and MySQL 4. Project on Development of Web Application 1. PROGRAMMING
More informationNext Generation Privilege Identity Management
White Paper Next Generation Privilege Identity Management Nowadays enterprise IT teams are focused on adopting and supporting newer devices, applications and platforms to address business needs and keep
More informationSecure Internet Commerce -- Design and Implementation of the Security Architecture of Security First Network Bank, FSB. Abstract
Secure Internet Commerce -- Design and Implementation of the Security Architecture of Security First Network Bank, FSB. Nicolas Hammond NJH Security Consulting, Inc. 211 East Wesley Road Atlanta, GA 30305-3774
More informationComputer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks
Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition Chapter 3 Investigating Web Attacks Objectives After completing this chapter, you should be able to: Recognize the indications
More informationMobility, Security Concerns, and Avoidance
By Jorge García, Technology Evaluation Centers Technology Evaluation Centers Mobile Challenges: An Overview Data drives business today, as IT managers and security executives face enormous pressure to
More information12 th January MWR InfoSecurity Security Advisory. WebSphere MQ xcsgetmem Heap Overflow Vulnerability. Contents
Contents MWR InfoSecurity Security Advisory WebSphere MQ xcsgetmem Heap Overflow Vulnerability 12 th January 2009 2009-01-05 Page 1 of 9 Contents Contents 1 Detailed Vulnerability Description...5 1.1 Introduction...5
More informationEndpoint Security - what-if analysis 1
Endpoint Security - what-if analysis 1 07/23/2017 Threat Model Threats Threat Source Risk Status Date Created File Manipulation File System Medium Accessing, Modifying or Executing Executable Files File
More informationTop 10 Application Security Vulnerabilities in Web.config Files Part One
Top 10 Application Security Vulnerabilities in Web.config Files Part One By Bryan Sullivan These days, the biggest threat to an organization s network security comes from its public Web site and the Web-based
More information- Table of Contents -
- Table of Contents - 1 INTRODUCTION... 1 1.1 OBJECTIVES OF THIS GUIDE... 1 1.2 ORGANIZATION OF THIS GUIDE... 2 1.3 COMMON CRITERIA STANDARDS DOCUMENTS... 3 1.4 TERMS AND DEFINITIONS... 5 2 BASIC KNOWLEDGE
More informationWireless LAN Security (RM12/2002)
Information Technology in Education Project Reference Materials Wireless LAN Security (RM12/2002) Infrastructure Division Education Department The Government of HKSAR www.ited.ed.gov.hk December 2002 For
More informationWeb Security 2 https://www.xkcd.com/177/ http://xkcd.com/1323/ Encryption basics Plaintext message key secret Encryp)on Func)on Ciphertext Insecure network Decryp)on Func)on Curses! Foiled again! key Plaintext
More informationBuffer overflow background
and heap buffer background Comp Sci 3600 Security Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Address Space and heap buffer
More informationSHA-1 to SHA-2. Migration Guide
SHA-1 to SHA-2 Migration Guide Web-application attacks represented 40 percent of breaches in 2015. Cryptographic and server-side vulnerabilities provide opportunities for cyber criminals to carry out ransomware
More informationManaged Application Security trends and best practices in application security
Managed Application Security trends and best practices in application security Adrian Locusteanu, B2B Delivery Director, Telekom Romania adrian.locusteanu@telekom.ro About Me Adrian Locusteanu is the B2B
More informationNetwork Integration Guide Planning
Title page Nortel Application Gateway 2000 Nortel Application Gateway Release 6.3 Network Integration Guide Planning Document Number: NN42360-200 Document Release: Standard 04.01 Date: October 2008 Year
More informationSecuring Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software
Securing Your Web Application against security vulnerabilities Alvin Wong, Brand Manager IBM Rational Software Agenda Security Landscape Vulnerability Analysis Automated Vulnerability Analysis IBM Rational
More informationIMPLEMENTING MICROSOFT CREDENTIAL GUARD FOR ISO 27001, PCI, AND FEDRAMP
IMPLEMENTING MICROSOFT CREDENTIAL GUARD FOR ISO 27001, PCI, AND FEDRAMP North America Latin America Europe 877.224.8077 info@coalfire.com coalfire.com Coalfire sm and CoalfireOne sm are registered service
More informationRBS NetGain Enterprise Manager Multiple Vulnerabilities of 11
RBS-2018-004 NetGain Enterprise Manager Multiple Vulnerabilities 2018-03-22 1 of 11 Table of Contents Vendor / Product Information 3 Vulnerable Program Details 3 Credits 3 Impact 3 Vulnerability Details
More informationVulnerabilities in online banking applications
Vulnerabilities in online banking applications 2019 Contents Introduction... 2 Executive summary... 2 Trends... 2 Overall statistics... 3 Comparison of in-house and off-the-shelf applications... 6 Comparison
More informationP2_L12 Web Security Page 1
P2_L12 Web Security Page 1 Reference: Computer Security by Stallings and Brown, Chapter (not specified) The web is an extension of our computing environment, because most of our daily tasks involve interaction
More informationAchieving End-to-End Security in the Internet of Things (IoT)
Achieving End-to-End Security in the Internet of Things (IoT) Optimize Your IoT Services with Carrier-Grade Cellular IoT June 2016 Achieving End-to-End Security in the Internet of Things (IoT) Table of
More informationSOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications
Enabling and Securing Digital Business in Economy Protect s Serving Business Critical Applications 40 percent of the world s web applications will use an interface Most enterprises today rely on customers
More informationSecurity+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 3 Protecting Systems Objectives Explain how to harden operating systems List ways to prevent attacks through a Web browser Define
More informationCS 356 Operating System Security. Fall 2013
CS 356 Operating System Security Fall 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter 5 Database
More informationBuilding Trust in the Internet of Things
AN INTEL COMPANY Building Trust in the Internet of Things Developing an End-to-End Security Strategy for IoT Applications WHEN IT MATTERS, IT RUNS ON WIND RIVER EXECUTIVE SUMMARY Recent security breaches
More informationSecurity Enhancements in Informatica 9.6.x
Security Enhancements in Informatica 9.6.x 1993-2016 Informatica Corporation. No part of this document may be reproduced or transmitted in any form, by any means (electronic, photocopying, recording or
More informationthe SWIFT Customer Security
TECH BRIEF Mapping BeyondTrust Solutions to the SWIFT Customer Security Controls Framework Privileged Access Management and Vulnerability Management Table of ContentsTable of Contents... 2 Purpose of This
More informationExcerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt
Excerpts of Web Application Security focusing on Data Validation adapted for F.I.S.T. 2004, Frankfurt by fs Purpose of this course: 1. Relate to WA s and get a basic understanding of them 2. Understand
More informationSECURE DATA EXCHANGE
POLICY-DRIVEN SOLUTIONS FOR SECURE DATA EXCHANGE Sending and receiving data is a fundamental part of daily business for nearly every organization. Companies need to share financial transaction details,
More informationApplication Security through a Hacker s Eyes James Walden Northern Kentucky University
Application Security through a Hacker s Eyes James Walden Northern Kentucky University waldenj@nku.edu Why Do Hackers Target Web Apps? Attack Surface A system s attack surface consists of all of the ways
More informationEC-Council V9 Exam
Volume: 203 Questions Question: 1 TCP/IP model is a framework for the Internet Protocol suite of computer network protocols that defines the communication in an IP-based network. It provides end-to-end
More informationPCI DSS Compliance. Verba SOLUTION GUIDE. Introduction. Verba and the Payment Card Industry Data Security Standard
Introduction Verba provides a complete compliance solution for merchants and service providers who accept and/or process payment card data over the telephone. Secure and compliant handling of a customer
More informationPowerApps Security Features
TABLE OF CONTENTS 1 Introduction 2 Security features PowerApps offers the ability to deploy a secure HR system globally and remain worry-free about losing control of your critical HR data. INTRODUCTION
More informationSpecialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com
Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE s3security.com Security Professional Services S3 offers security services through its Security Professional Services (SPS) group, the security-consulting
More informationINCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS AKAMAI SOLUTIONS BRIEF INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.
INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS Protect Critical Enterprise Applications and Cardholder Information with Enterprise Application Access Scope and Audience This guide is for
More informationOWASP Top 10 The Ten Most Critical Web Application Security Risks
OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain
More informationSiebel CRM. Siebel Security Hardening Guide Siebel Innovation Pack 2015 E
Siebel CRM Siebel Security Hardening Guide Siebel Innovation Pack 2015 E24815-01 May 2015 Siebel Security Hardening Guide, Siebel Innovation Pack 2015 E24815-01 Copyright 2005, 2015 Oracle and/or its affiliates.
More information19.1. Security must consider external environment of the system, and protect it from:
Module 19: Security The Security Problem Authentication Program Threats System Threats Securing Systems Intrusion Detection Encryption Windows NT 19.1 The Security Problem Security must consider external
More informationCyberArk Privileged Threat Analytics
CyberArk Privileged Threat Analytics Table of Contents The New Security Battleground: Inside Your Network 3 Privileged account security 3 Collect the right data 4 Detect critical threats 5 Alert on critical
More informationCourse 834 EC-Council Certified Secure Programmer Java (ECSP)
Course 834 EC-Council Certified Secure Programmer Java (ECSP) Duration: 3 days You Will Learn How To Apply Java security principles and secure coding practices Java Security Platform, Sandbox, JVM, Class
More informationGUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.
Report on IRONWASP Software Product: IronWASP Description of the Product: IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing.
More informationEV CHARGING: MAPPING OUT THE CYBER SECURITY THREATS AND SOLUTIONS FOR GRIDS AND CHARGING INFRASTRUCTURE
EV CHARGING: MAPPING OUT THE CYBER SECURITY THREATS AND SOLUTIONS FOR GRIDS AND CHARGING INFRASTRUCTURE UtiliNet Europe Cyber Security Workshop Brussels, Belgium Dr. Christian Hille Dr. Manuel Allhoff
More information