Remedy Application Data Security Risks & Mitigations
|
|
- Philip Dennis
- 5 years ago
- Views:
Transcription
1 Remedy Application Data Security Risks & Mitigations Web-Access related Dinesh Singh Panwar 8/8/2012 This Document describes risks related to web access for Remedy. It also shows how those risks and the cause and how these could be mitigated by simple customizations
2 Contents 1. Introduction Approval Inbox Security Risks and Mitigation Overview of Approval Inbox Security Risk How the risk could be exploited How the risk could be mitigated Session Security User Spoofing Overview of Session Security Risk How the risk could be exploited How the risk could be mitigated dinesh.s.panwar@gmail.com
3 1. Introduction Many a times Custom and Out-of-Box Applications and Features of Remedy are subjected to Data Security penetration tests and concerns are raised about Data Security. This document tries to suggest resolutions to some of the critical Data Security concerns. The Core Out-of-Box ITSM Application is generally secure with respect to Data by extensive use of Assignee Groups Field to enforce multitenancy. Custom Applications and Peripherals features like Approval Inbox however have potential leakages from where sensitive information could be retrieved out without Authorization. The Document is essentially meant for Development Team to provide immediate resolutions to Security concerns on Remedy based Application, if the local environment/policies/guidelines allow. The Document is on the basis of Remedy v7.1, however may still be valid for subsequent versions. 2. Approval Inbox Security Risks and Mitigation This section highlights the Security flaws in the Approval Inbox and discusses the ways to make it secure depending on Organization s Policy. 2.1 Overview of Approval Inbox Security Risk The Out-of-Box Approval Inbox is OOTB Tool to view the Approval Signatures. Technically, it lists down the Records in the Form AP: Detail-Signature, on the basis of the below query: Status = Pending AND ( Approvers LIKE %;$USER$;% OR Approvers LIKE $USER$;% OR Approvers LIKE %;$USER$ ) In a typical web-environment, the flow of information is depicted by below schematic diagram. The arrow highlighted in RED, denotes the area where a vulnerability of Client Side manipulation exists. 3 dinesh.s.panwar@gmail.com
4 Now, interestingly Remedy Table Qualifications are shared to and fro between the browser and the Mid- Tier in a Remedy encoded Format (which is not hard to break) and it is possible to change that appropriately to retrieve whatever query we want to pass on to the Server. This makes it vulnerable. From a Business Logic perspective, an Approver shall only sees pending requests where he appears as Approver or Alternate Approver. From authorization perspective, he should not be able to view request in the queue of other users or at-least other Companies (Multi-tenancy). However, it s possible to manipulate the communication between Browser and Mid-Tier to retrieve the Approval request of other users, even if the user belongs to other Companies! Company level multitenancy of Companies isn t implemented out-of-box for Approval Records. There is, however, a silver lining that viewing the original request using the View Button would fail if relevant permission are not there (because in such case control goes back to relevant ITSM App where multitenancy and Functional restriction are in place) 2.2 How the risk could be exploited In a typical interaction between browser and the Mid-Tier, there are various HTTP Request and Response that are interacted before any Remedy Page is rendered on the user s screen. These requests are termed as Back channel calls. In a Remedy Page that contains a Table (like Approval Inbox), the query is sent to Mid-Tier in one of these Backchannel calls that can be easily manipulated to retrieve the unauthorized Data (in case of Approval it will be the Approval request of other users or other Companies) Proxy tools such as BURP can be used to intercept the outgoing and incoming HTTP requests and responses. Such tools act a proxy and allow the Request/Response to be intercepted and manipulated. If we were to intercept the HTTP Requests from Browser to the Mid-Tier (using Tools like BURP Proxy), then a typical request containing the Table Qualification, would be like below POST HTTP/1.0 <<Some Web Info>> 286/ServerRunProcess/37/the_backend-Applicationsvr_or_lb_fqdn 26/AP:Central- SetInternalQual1/01/09/ /0/2/0/2/0/13/1/9/ /1/138/ 'Approval Status' = 0 AND ('Approvers' = "usr1" OR 'Approvers' LIKE "usr1;%" OR 'Approvers' LIKE "%;usr1" OR 'Approvers' LIKE "%;usr1;%")5/1/1/ dinesh.s.panwar@gmail.com
5 This request can, for instance, be changed to below to list down all the Pending Approvals for all the users POST HTTP/1.0 <<Some Web Info>> 195/ServerRunProcess/37/the_backend-Applicationsvr_or_lb_fqdn26/AP:Central- SetInternalQual1/01/09/ /0/2/0/2/0/13/1/9/ /1/49/ 'Approval Status' = 0 AND ('Approvers' LIKE "%")5/1/1/ How the risk could be mitigated The Risk mitigation to such a security risk is done by performing Data restrictions in the Application Server in addition to the Table Qualifications which are vulnerable in a web transaction. Since Application Server is behind the Data Centre firewalls, so the risk is greatly reduced. To apply this Data restriction, Core Fields like Assigned To or the Assignee Groups could be utilized. The use of Assignee Groups (Field ID 112) is same as it is used in OOTB ITSM Applications. Typically the steps involved are Note that, 1. Give Assignee Groups permissions in the Request ID Field (ID =1) 2. Remove any Public permission if any from the Request ID 3. Write Filter on AP:Signature on every Submit/Modify RUN IF: Approvers!= DB.Approvers ACTION: Assignee Groups = Approvers This will enforce a strict Row Level Restriction on the Approval Signatures where access is strictly allowed for the Approvers (& Alternates). This is different from Multi-tenancy where Row level Access is little relieved as it s there for Company Wide. Row Level Restriction like this is enforced automatically at Application Server and hence any manipulation at Client Side doesn t impact this restriction. Depending on the Security Policy, the above implementation could be eased and kept at Company Level. However, for that the Company Group ID needs to be pushed/looked up from the corresponding Application Request Record, since Company information is NOT present in Approval Forms. 5 dinesh.s.panwar@gmail.com
6 Below Diagram shows the rough Data Flow across the 4 Tiers as it happens. As we can see, the manipulation risk exists on the Presentation Layer and it s mitigated by Row Level Restriction at the Application Layer. 6 dinesh.s.panwar@gmail.com
7 3. Session Security User Spoofing This section deals with the possibility of changing an active session to that of a different user without knowing the Password. It will also discuss on the Customization that could be done to mitigate such a risk. 3.1 Overview of Session Security Risk Remedy uses popular Web-Server and Servlet Engine (like IIS/Apache and Tomcat) as the underlying Platform for the Web-Server, so the actual Platform session is secure. But, Remedy Applications have another layer of user session which is the Remedy Session that deals with the Remedy Profile and Group Permissions. Underlying Web-Technology is, if you like, unaware of this and additional Mid-Tier Code manages this additional layer of Session using Out-of-box Mid-tier code JavaScript & java. To maintain that session layer across the App-server, Web-Server & Browser, there is Remedy Specific Code that share Remedy Profile data (like user ID) using JavaScript. This could be intercepted using Tools like BURP on the Browser Side. Below diagram (Source: BMC Software Inc.), shows the role of Mid-Tier. Typically, it replaces the Remedy Thick Client (AR User), in conjugation with the Browser (also called thin Client). So, theoretically, most of the core functionalities of AR User - including Authentication are split 7 dinesh.s.panwar@gmail.com
8 apart into components running in Browser and that running on Mid-Tier. These components share the data over HTTP Protocol & Java Scripts. Tools like BURP can be used to eavesdrop. 3.2 How the risk could be exploited Proxy tools could be set up such that request are routed through this tool. Now, the Mid-Tier would send back the responses and in one of the responses it would send some of the User Profile Information in some java-script file. The Contents would look something like below The Browser Code hence forth uses this Profile information while executing various Client Side Code such as some actions of Active Links where references to $USER$ is made UserData_Init(){ARKWSetup(2,"<<the user ID>>" If you change the User Id before forwarding this response to the browser, then various functionalities are vulnerable to be done on behalf of the new User ID. For instance, if we submit a Record where submitter is defaulted to $USER$, then the record would show to be submitted by that new User. It should be noted that this breach is possible only on the Client Side (i.e. Browser) and the corresponding Server session still maintains the Original $USER$. This means, most of the Functionalities running on Server (like Filters) are NOT impacted. 3.3 How the risk could be mitigated The risk mitigation lies on the fact that Server Side session is remains safe. Now, this sharing of User Data happens before a FORM is rendered on the Browser. Therefore, if we somehow cross-check if the $USER$ of client side is indeed same as $USER$ of the corresponding Server Session, and the user could be logged out in case it s different. This can be made possible by having below implementing below Login using Active Link, Service Call and Filter 8 dinesh.s.panwar@gmail.com
9 Thing to be noted here is that, this workflow based solution in not an ideal solution due to overhead of back-channel calls. Ideal solution shall be done at the Platform Level itself. 9 dinesh.s.panwar@gmail.com
Application Security through a Hacker s Eyes James Walden Northern Kentucky University
Application Security through a Hacker s Eyes James Walden Northern Kentucky University waldenj@nku.edu Why Do Hackers Target Web Apps? Attack Surface A system s attack surface consists of all of the ways
More informationApplication vulnerabilities and defences
Application vulnerabilities and defences In this lecture We examine the following : SQL injection XSS CSRF SQL injection SQL injection is a basic attack used to either gain unauthorized access to a database
More informationExcerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt
Excerpts of Web Application Security focusing on Data Validation adapted for F.I.S.T. 2004, Frankfurt by fs Purpose of this course: 1. Relate to WA s and get a basic understanding of them 2. Understand
More informationOWASP Top 10 The Ten Most Critical Web Application Security Risks
OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain
More informationGOING WHERE NO WAFS HAVE GONE BEFORE
GOING WHERE NO WAFS HAVE GONE BEFORE Andy Prow Aura Information Security Sam Pickles Senior Systems Engineer, F5 Networks NZ Agenda: WTF is a WAF? View from the Trenches Example Attacks and Mitigation
More informationConnect with Remedy Smart IT 2.0: Configurability and Customization Webinar Q&A
Connect with Remedy Smart IT 2.0: Configurability and Customization Webinar Q&A Presentation References BMC Remedy with Smart IT 2.0 User Documentation: Administering https://docs.bmc.com/docs/smartit20/administering-749669934.html
More informationSolutions Business Manager Web Application Security Assessment
White Paper Solutions Business Manager Solutions Business Manager 11.3.1 Web Application Security Assessment Table of Contents Micro Focus Takes Security Seriously... 1 Solutions Business Manager Security
More informationWeb Gate Keeper: Detecting Encroachment in Multi-tier Web Application
Web Gate Keeper: Detecting Encroachment in Multi-tier Web Application Sanaz Jafari Prof.Dr.Suhas H. Patil (GUIDE) ABSTRACT The Internet services and different applications become vital part of every person
More informationC1: Define Security Requirements
OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security
More informationDrone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created
Drone - 2 04/12/2018 Threat Model Description Threats Threat Source Risk Status Date Created Mobile Phone: Sensitive Data Leakage Smart Devices Mobile Phone: Session Hijacking Smart Devices Mobile Phone:
More informationA Practical Evaluation of Security Patterns
A Practical Evaluation of Security Patterns Spyros T. HALKIDIS, Alexander CHATZIGEORGIOU, George STEPHANIDES Department of Applied Informatics University of Macedonia, Thessaloniki, Greece halkidis@java.uom.gr,
More informationPenetration Testing. James Walden Northern Kentucky University
Penetration Testing James Walden Northern Kentucky University Topics 1. What is Penetration Testing? 2. Rules of Engagement 3. Penetration Testing Process 4. Map the Application 5. Analyze the Application
More informationSECURITY TESTING. Towards a safer web world
SECURITY TESTING Towards a safer web world AGENDA 1. 3 W S OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS ate: 2013-14 Few Security Breaches September
More informationAuthentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1
Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1 CIA Triad Confidentiality Prevent disclosure of information to unauthorized parties Integrity Detect data tampering Availability
More informationRICOH Unified Communication System. Security White Paper (Ver. 3.5) RICOH Co., Ltd.
RICOH Unified Communication System Security White Paper (Ver. 3.5) - UCS terminals P3500, P1000 P3000, S7000 - Apps (for Windows) (for ipad/iphone) (for Mac) (for Android) - UCS for IWB RICOH Co., Ltd.
More informationSecure coding practices
Secure coding practices www.infosys.com/finacle Universal Banking Solution Systems Integration Consulting Business Process Outsourcing Secure coding practices Writing good code is an art but equally important
More informationBank Infrastructure - Video - 1
Bank Infrastructure - 1 05/09/2017 Threats Threat Source Risk Status Date Created Account Footprinting Web Browser Targeted Malware Web Browser Man in the browser Web Browser Identity Spoofing - Impersonation
More informationSecurity Course. WebGoat Lab sessions
Security Course WebGoat Lab sessions WebGoat Lab sessions overview Initial Setup Tamper Data Web Goat Lab Session 4 Access Control, session information stealing Lab Session 2 HTTP Basics Sniffing Parameter
More informationOverview of Web Application Security and Setup
Overview of Web Application Security and Setup Section Overview Where to get assistance Assignment #1 Infrastructure Setup Web Security Overview Web Application Evaluation & Testing Application Security
More informationCertified Secure Web Application Engineer
Certified Secure Web Application Engineer ACCREDITATIONS EXAM INFORMATION The Certified Secure Web Application Engineer exam is taken online through Mile2 s Assessment and Certification System ( MACS ),
More informationAdaptive Authentication
Adaptive Authentication 1 Business need for Adaptive Authentication? Existing Single factor authentication has various risks associated- Single and hence weak control Key logger Trojans Malware attacks
More informationParent Account Tutorial
Parent Account Tutorial The Rank One Sport Parent Account is meant to simplify the online forms submittal and tracking progress. Creating a Parent Account 1. From the Home Page of the school district s
More informationWeb Application Vulnerabilities: OWASP Top 10 Revisited
Pattern Recognition and Applications Lab Web Application Vulnerabilities: OWASP Top 10 Revisited Igino Corona igino.corona AT diee.unica.it Computer Security April 5th, 2018 Department of Electrical and
More informationRobust Defenses for Cross-Site Request Forgery Review
Robust Defenses for Cross-Site Request Forgery Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka October 16, 2011 1 Introduction to the topic and the reason for the topic
More informationHOMELESS INDIVIDUALS AND FAMILIES INFORMATION SYSTEM HIFIS 4.0 TECHNICAL ARCHITECTURE AND DEPLOYMENT REFERENCE
HOMELESS INDIVIDUALS AND FAMILIES INFORMATION SYSTEM HIFIS 4.0 TECHNICAL ARCHITECTURE AND DEPLOYMENT REFERENCE HIFIS Development Team May 16, 2014 Contents INTRODUCTION... 2 HIFIS 4 SYSTEM DESIGN... 3
More informationDreamFactory Security Guide
DreamFactory Security Guide This white paper is designed to provide security information about DreamFactory. The sections below discuss the inherently secure characteristics of the platform and the explicit
More informationVulnerabilities in online banking applications
Vulnerabilities in online banking applications 2019 Contents Introduction... 2 Executive summary... 2 Trends... 2 Overall statistics... 3 Comparison of in-house and off-the-shelf applications... 6 Comparison
More informationAttacking CAPTCHAs for Fun and Profit
Attacking Author: Gursev Singh Kalra Managing Consultant Foundstone Professional Services Table of Contents Attacking... 1 Table of Contents... 2 Introduction... 3 A Strong CAPTCHA Implementation... 3
More information1. Introduction. IJCTA Nov-Dec 2015 Available ISSN:
A Web Based Automated Data Ordering System for Multiple Satellite Vendors JayaSudha Tigiripalli, Sonu SinghTomar, B. Radhika, Manju Sarma, B. Gopalakrishna National remote sensing centre Indian space research
More informationSSO Plugin. Installation for BMC AR System. J System Solutions. Version 5.1
SSO Plugin Installation for BMC AR System J System Solutions http://www.javasystemsolutions.com Version 5.1 Introduction... 3 Compatibility... 4 Operating systems... 4 BMC Action Request System / ITSM...
More informationW is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation
W is a Firewall firewall = wall to protect against fire propagation Internet Security: Firewall More like a moat around a medieval castle restricts entry to carefully controlled points restricts exits
More informationWHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution
WHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution Tervela helps companies move large volumes of sensitive data safely and securely over network distances great and small. We have been
More informationWeb Services - Overview
Web Services - Overview Gonzalo de Salterain BMC Support- Onboarding Agenda What is a Web Service? How does this feature benefit my company? Architecture of a Web Service Consuming Web Services Publishing
More informationDreamFactory Customer Privacy and Security Whitepaper Delivering Secure Applications on Salesforce.com
DreamFactory Customer Privacy and Security Whitepaper Delivering Secure Applications on Salesforce.com By Bill Appleton, CTO, DreamFactory Software billappleton@dreamfactory.com Introduction DreamFactory
More informationChoosing The Best Firewall Gerhard Cronje April 10, 2001
Choosing The Best Firewall Gerhard Cronje April 10, 2001 1. Introduction Due to the phenomenal growth of the Internet in the last couple of year s companies find it hard to operate without a presence on
More informationPenetration Test Report
Penetration Test Report Feb 12, 2018 Ethnio, Inc. 6121 W SUNSET BLVD LOS angeles, CA 90028 Tel (888) 879-7439 ETHN.io Summary This document contains the most recent pen test results from our third party
More informationTeamViewer 12 Manual Management Console. Rev
TeamViewer 12 Manual Management Console Rev 12.1-201704 TeamViewer GmbH Jahnstraße 30 D-73037 Göppingen www.teamviewer.com Table of content 1 About the TeamViewer Management Console 4 1.1 About the Management
More informationOWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example
Proxy Caches and Web Application Security Using the Recent Google Docs 0-Day as an Example Tim Bass, CISSP Chapter Leader, Thailand +66832975101, tim@unix.com AppSec Asia October 21, 2008 Thailand Worldwide
More informationBMC Remedy Incident Management Quick Start User Guide Training Manual. Version 3.0
BMC Remedy Incident Management Quick Start User Guide Training Manual Version 3.0 2 Table Contents: Quick Start User Guide How to set up your Profile... 3 How to set up your Preferences... 3 How to create
More informationFirewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003
Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003 A system or combination of systems that enforces a boundary between two or more networks - NCSA
More informationAddressing Cybersecurity in Infusion Devices
Addressing Cybersecurity in Infusion Devices Authored by GEORGE W. GRAY Chief Technology Officer / Vice President of Research & Development Ivenix, Inc. INTRODUCTION Cybersecurity has become an increasing
More information2012 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Excel, Lync, Outlook, SharePoint, Silverlight, SQL Server, Windows,
2012 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Excel, Lync, Outlook, SharePoint, Silverlight, SQL Server, Windows, Windows Server, and other product names are or may be registered
More informationA (sample) computerized system for publishing the daily currency exchange rates
A (sample) computerized system for publishing the daily currency exchange rates The Treasury Department has constructed a computerized system that publishes the daily exchange rates of the local currency
More informationCopyright
1 Security Test EXTRA Workshop : ANSWER THESE QUESTIONS 1. What do you consider to be the biggest security issues with mobile phones? 2. How seriously are consumers and companies taking these threats?
More informationBuilding your own BMC Remedy AR System v7 Applications. Maruthi Dogiparthi
Building your own BMC Remedy AR System v7 Applications Maruthi Dogiparthi Agenda Introduction New Goodies Navigation, tree widgets Data Visualization Plug-in framework Development Guidelines Tools BMC
More informationEasyCrypt passes an independent security audit
July 24, 2017 EasyCrypt passes an independent security audit EasyCrypt, a Swiss-based email encryption and privacy service, announced that it has passed an independent security audit. The audit was sponsored
More informationNotes From The field
Notes From The field tools and usage experiences Jarkko Holappa Antti Laulajainen Copyright The Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the License.
More informationAttacks Against Websites. Tom Chothia Computer Security, Lecture 11
Attacks Against Websites Tom Chothia Computer Security, Lecture 11 A typical web set up TLS Server HTTP GET cookie Client HTML HTTP file HTML PHP process Display PHP SQL Typical Web Setup HTTP website:
More informationBMC Remedy Knowledge Management Administration Guide
BMC Remedy Knowledge Management 7.6.04 Administration Guide January 2011 www.bmc.com Contacting BMC Software You can access the BMC Software website at http://www.bmc.com. From this website, you can obtain
More informationClientNet. Portal Admin Guide
ClientNet Portal Admin Guide Document Revision Date: June 5, 2013 ClientNet Portal Admin Guide i Contents Introduction to the Portal... 1 About the Portal... 1 Logging On and Off the Portal... 1 Language
More informationLive Guide Co-browsing
TECHNICAL PAPER Live Guide Co-browsing Netop develops and sells software solutions that enable swift, secure and seamless transfer of video, screens, sounds and data between two or more computers over
More informationNon conventional attacks Some things your security scanner won t find OWASP 23/05/2011. The OWASP Foundation.
Non conventional attacks Some things your security scanner won t find 23/05/2011 Tom Van der Mussele Security Analyst Verizon Business Security Solutions tom.vandermussele@verizonbusiness.com +352691191974
More informationCompTIA Cybersecurity Analyst+
CompTIA Cybersecurity Analyst+ Course CT-04 Five days Instructor-Led, Hands-on Introduction This five-day, instructor-led course is intended for those wishing to qualify with CompTIA CSA+ Cybersecurity
More informationVMware AirWatch Integration with F5 Guide Enabling secure connections between mobile applications and your backend resources
VMware AirWatch Integration with F5 Guide Enabling secure connections between mobile applications and your backend resources Workspace ONE UEM v9.6 Have documentation feedback? Submit a Documentation Feedback
More informationExcel4apps Wands 5 Architecture Excel4apps Inc.
Excel4apps Wands 5 Architecture 2014 Excel4apps Inc. Table of Contents 1 Introduction... 3 2 Overview... 3 3 Client... 3 4 Server... 3 4.1 Java Servlet... 4 4.2 OAF Page... 4 4.3 Menu and Function... 4
More informationOWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati
OWASP TOP 10 2017 Release Andy Willingham June 12, 2018 OWASP Cincinnati Agenda A quick history lesson The Top 10(s) Web Mobile Privacy Protective Controls Why have a Top 10? Software runs the world (infrastructure,
More informationMWR InfoSecurity Advisory. 26 th April Elastic Path Administrative. Quit. Session Hijacking through Embedded XSS
Quit MWR InfoSecurity Advisory Elastic Path Administrative Session Hijacking through Embedded XSS 26 th April 2007 2007-04-26 1 of 7 INDEX 1 Detailed Vulnerability description...4 1.1 Introduction...4
More informationHOW THE FIELDS MAP FROM TOOL TO TOOL (Infra to Remedy)
The Quick n Dirty 1-Page How To Create Remedy Change Request (for just the Application Support group) 1. Launch Remedy Web Client (cmr.stanford.edu or remedyweb.stanford.edu) 2. Click Create button and
More informationSecure Development Guide
Secure Development Guide Oracle Health Sciences InForm 6.1.1 Part number: E72493-01 Copyright 2016, Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided
More informationIntegrated Access Management Solutions. Access Televentures
Integrated Access Management Solutions Access Televentures Table of Contents OVERCOMING THE AUTHENTICATION CHALLENGE... 2 1 EXECUTIVE SUMMARY... 2 2 Challenges to Providing Users Secure Access... 2 2.1
More information13. Databases on the Web
13. Databases on the Web Requirements for Web-DBMS Integration The ability to access valuable corporate data in a secure manner Support for session and application-based authentication The ability to interface
More informationForeScout Amazon Web Services (AWS) Plugin
ForeScout Amazon Web Services (AWS) Plugin Version 1.1.1 and above Table of Contents Amazon Web Services Plugin Overview... 4 Use Cases... 5 Providing Consolidated Visibility... 5 Dynamic Segmentation
More informationIntroduction...4. Purpose...4 Scope...4 Manitoba ehealth Incident Management...4 Icons...4
Remedy Incident Management Version 3.2 Modified: 08/24/2017 TABLE OF CONTENTS Introduction...4 Purpose...4 Scope...4 Manitoba ehealth Incident Management...4 Icons...4 Incident Stages Overview...5 Identification
More information"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary
Course Summary Description Securing.Net Web Applications - Lifecycle is a lab-intensive, hands-on.net security training course, essential for experienced enterprise developers who need to produce secure.net-based
More informationInternet Security: Firewall
Internet Security: Firewall What is a Firewall firewall = wall to protect against fire propagation More like a moat around a medieval castle restricts entry to carefully controlled points restricts exits
More informationThe SANS Institute Top 20 Critical Security Controls. Compliance Guide
The SANS Institute Top 20 Critical Security Controls Compliance Guide February 2014 The Need for a Risk-Based Approach A common factor across many recent security breaches is that the targeted enterprise
More informationThe NoPlsql and Thick Database Paradigms
The NoPlsql and Thick Database Paradigms Part 2: Adopting ThickDB Toon Koppelaars Real-World Performance Oracle Server Technologies Bryn Llewellyn Distinguished Product Manager Oracle Server Technologies
More informationWHITE PAPER. Good Mobile Intranet Technical Overview
WHITE PAPER Good Mobile Intranet CONTENTS 1 Introduction 4 Security Infrastructure 6 Push 7 Transformations 8 Differential Data 8 Good Mobile Intranet Server Management Introduction Good Mobile Intranet
More informationInstallation guide for Choic Multi User Edition
Installation guide for ChoiceMail Multi User Edition March, 2004 Version 2.1 Copyright DigiPortal Software Inc., 2002 2004 All rights reserved ChoiceMail Multi User Installation Guide 1. Go to the URL
More informationSecure Frame Communication in Browsers Review
Secure Frame Communication in Browsers Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka October 16, 2011 1 Introduction to the topic and the reason for the topic being
More informationSecurity Penetration Test of HIE Portal for A CUSTOMER IMPLEMENTION. Services provided to: [LOGO(s) of company providing service to]
Security Penetration Test of HIE Portal for A CUSTOMER IMPLEMENTION Services provided to: [LOGO(s) of company providing service to] Version V1.0 V1 February 13 th, 2014 Prepared By: Denis Calderone TBG
More informationASSURANCE PENETRATION TESTING
ASSURANCE PENETRATION TESTING Datasheet 1:300 1 Assurance testing February 2017 WHAT IS PENETRATION TESTING? Penetration testing goes beyond that which is covered within a vulnerability assessment. Vulnerability
More informationCSWAE Certified Secure Web Application Engineer
CSWAE Certified Secure Web Application Engineer Overview Organizations and governments fall victim to internet based attacks every day. In many cases, web attacks could be thwarted but hackers, organized
More informationProduct Release Notes Alderstone cmt 2.0
Alderstone cmt product release notes Product Release Notes Alderstone cmt 2.0 Alderstone Consulting is a technology company headquartered in the UK and established in 2008. A BMC Technology Alliance Premier
More informationLast time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control
Last time Security Policies and Models Bell La-Padula and Biba Security Models Information Flow Control Trusted Operating System Design Design Elements Security Features 10-1 This time Trusted Operating
More informationAdvanced Web Technology 10) XSS, CSRF and SQL Injection
Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 1 Table of Contents Cross Site Request Forgery - CSRF Presentation
More informationSAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0
Welcome BIZEC Roundtable @ IT Defense, Berlin SAP Security BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0 February 1, 2013 Andreas Wiegenstein CTO, Virtual Forge 2 SAP Security SAP security is a complex
More informationSalesforce.com Winter 18 Release
Salesforce.com Winter 18 Release October 2017 Copyright 2017 Veeva Systems Inc., all rights reserved veeva.com 1 Table of Contents SFDC Release Schedule and Deck Intentions Summary of Enhancements and
More informationPerslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.
Eleonora Petridou Pascal Cuylaerts System And Network Engineering University of Amsterdam June 30, 2011 Outline Research question About Perslink Approach Manual inspection Automated tests Vulnerabilities
More informationEndpoint Security - what-if analysis 1
Endpoint Security - what-if analysis 1 07/23/2017 Threat Model Threats Threat Source Risk Status Date Created File Manipulation File System Medium Accessing, Modifying or Executing Executable Files File
More informationWEB-202: Building End-to-end Security for XML Web Services Applied Techniques, Patterns and Best Practices
WEB-202: Building End-to-end Security for XML Web Services Applied Techniques, Patterns and Best Practices Chris Steel, Ramesh Nagappan, Ray Lai www.coresecuritypatterns.com February 16, 2005 15:25 16:35
More informationPUBLIC FINANCIAL MANAGEMENT SYSTEM
PUBLIC FINANCIAL MANAGEMENT SYSTEM USER MANUAL ON DSC (DIGITAL SIGNATURE CERTIFICATE) ENROLMENT IN R/O of DDOs (DRAWING & DISBURSING OFFICERS) Prepared For CONTROLLER GENERAL OF ACCOUNTS, MINISTRY OF FINANCE,
More informationNetDespatch Velocity Connector User Guide
NetDespatch Velocity Connector User Guide XML version Customised guide specifically for use with XML Integrations Guide refers to Microsoft Windows 7 Requirements before Proceeding You will need to have:
More informationPreparing for the Cross Site Request Forgery Defense
Preparing for the Cross Site Request Forgery Defense By Chuck Willis chuck.willis@mandiant.com Presented at Black Hat Briefings DC 2008 on February 20, 2008 Slides available at www.blackhat.com. Abstract:
More informationZendesk Instructions for End-Users
Zendesk Instructions for End-Users Ver. 1.00 July, 2013 Ver. 1.00 July, 2013 Zendesk Instructions for End-Users Getting Started Registering & Logging in to Zendesk To submit and then track your support
More information10 FOCUS AREAS FOR BREACH PREVENTION
10 FOCUS AREAS FOR BREACH PREVENTION Keith Turpin Chief Information Security Officer Universal Weather and Aviation Why It Matters Loss of Personally Identifiable Information (PII) Loss of Intellectual
More informationSecure Internet Commerce -- Design and Implementation of the Security Architecture of Security First Network Bank, FSB. Abstract
Secure Internet Commerce -- Design and Implementation of the Security Architecture of Security First Network Bank, FSB. Nicolas Hammond NJH Security Consulting, Inc. 211 East Wesley Road Atlanta, GA 30305-3774
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationConnect with Remedy: SmartIT: Social Event Manager Webinar Q&A
Connect with Remedy: SmartIT: Social Event Manager Webinar Q&A Q: Will Desktop/browser alerts be added to notification capabilities on SmartIT? A: In general we don't provide guidance on future capabilities.
More informationDepending on the modules that have been implemented by your company, you may have access to the following information:
Employee Self Service (ESS) User Quick Reference Guide Introduction to ESS The Employee Self Service (ESS) Application is a web-based application that gives you access to information from your employee
More informationWHAT IS THE CONFIGURATION TROUBLESHOOTER?
Paper 302-2008 Best Practices for SAS Business Intelligence Administrators: Using the Configuration Troubleshooter to Keep SAS Solutions and SAS BI Applications Running Smoothly Tanya Kalich, SAS Institute
More informationEvaluating the Security Risks of Static vs. Dynamic Websites
Evaluating the Security Risks of Static vs. Dynamic Websites Ballard Blair Comp 116: Introduction to Computer Security Professor Ming Chow December 13, 2017 Abstract This research paper aims to outline
More informationWhy bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?
Jeroen van Beek 1 Why bother? Causes of data breaches OWASP Top ten attacks Now what? Do it yourself Questions? 2 In many cases the web application stores: Credit card details Personal information Passwords
More informationUCR AP RECRUIT: BEST PRACTICES FOR MANAGING APPROVALS IN AP RECRUIT FOR APPROVERS
EMAIL NOTIFICATIONS SENT VIA AP RECRUIT SYSTEM Effective 9/8/14, AP Recruit sends email notification approval requests to those named as approvers on Search Plans, Diversity Reports (Shortlist), and Search
More informationMan-In-The-Browser Attacks. Daniel Tomescu
Man-In-The-Browser Attacks Daniel Tomescu 1 About me Work and education: Pentester @ KPMG Romania Moderator @ Romanian Security Team MSc. Eng. @ University Politehnica of Bucharest OSCP, CREST CRT Interests:
More informationChecklist for Testing of Web Application
Checklist for Testing of Web Application Web Testing in simple terms is checking your web application for potential bugs before its made live or before code is moved into the production environment. During
More informationIntroduction to application management
Introduction to application management To deploy web and mobile applications, add the application from the Centrify App Catalog, modify the application settings, and assign roles to the application to
More informationWHY CSRF WORKS. Implicit authentication by Web browsers
WHY CSRF WORKS To explain the root causes of, and solutions to CSRF attacks, I need to share with you the two broad types of authentication mechanisms used by Web applications: 1. Implicit authentication
More informationRAVEPC: Remotely Accessible Visualizer & Explorer of Point Cloud
RAVEPC: Remotely Accessible Visualizer & Explorer of Point Cloud An Interactive Visualization Application for LiDAR Data : Part III Authors: Beena Kumari, Avijit Ashe and Jaya Sreevalsan Nair Graphics
More informationCOMP9321 Web Application Engineering
COMP9321 Web Application Engineering Semester 2, 2017 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2465 1 Assignment
More information