Introduction to OWASP WebGoat and OWTF. by Pawel Rzepa
|
|
- Magdalene Edwards
- 6 years ago
- Views:
Transcription
1 Introduction to OWASP WebGoat and OWTF by Pawel Rzepa
2 About Me Security Engineer in SoftServe Poland Currently developing advanced fuzzing module in Spirent s Cyberflood OWASP member (OWASP Poland Chapter in Wroclaw)
3 Agenda Problem 1: efficient security training Solution: WebGoat Problem 2: efficient management of multiple penetration testing tasks Solution: Offensive Web Testing Framework
4 Problem of efficient security training Security awareness training for developers are quite common, but reality shows they are still ineffective :( and XSS allows you injecting such horrifying pop up windows!!!
5 Problem of efficient security training
6 arranging internal hands-on labs for developers and testers, where they can deeply understand vulnerabilities by finding and fixing them? What about Finally a security training which isn t an online course to fly through and forget! Internal course that is free and isn t a corpobullshit?! Cannot believe that
7 TO THE RESCUE!!!
8 Few words about WebGoat A deliberately insecure Java-based application, which allows you to test common vulnerabilities, or.net-based: 50+ lessons, index.php/webgoatfor.net After finding a vulnerability, learn to fix it! Easy manageable lessons via plugins, You can create your own lessons without touching code.
9 Only web apps? Hell no!!! Ruby on Rails: index.php/owasp_rails_goat_project WebGoat PHP: index.php/webgoatphp Node.js: OWASP_Node_js_Goat_Project Android: Projects/OWASP_GoatDroid_Project ios: OWASP_iGoat_Project
10 How to run WebGoat? Prerequisites: Java VM 1.8 To start just follow these commands: $> wget releases/download/7.0.1/webgoat-container war-exec.jar $> java -jar webgoat-container war-exec.jar open in you browser: That s all!
11 First view
12 lessons & labs
13 WebGoat Creating your own lesson Plugin = lesson Plugin is just a folder, which follows this format:
14 WebGoat Useful links Project: Category:OWASP_WebGoat_Project Documentation:
15 Problem: how to efficiently manage outputs from many different applications? Each pentester uses many different applications (vuln scanner, web crawler, SSL/TLS tests, session management tests) Running each of those tests consumes time, right? It s easy to automate those tasks, but analysing a consolidated output is much more difficult :( And finally you have to form a readable report from all those tests oooh :(
16 Typical penetration testing process ( ) <creates a fancy & readable report> <runs a lot of tests> <which generates lots of output> <cpy/pst interesting parts> of course in notepad ;)
17 OFFENSIVE WEB TESTING FRAMEWORK TO THE RESCUE!!!
18 OWTF - an idea A goal of OWTF is to use penetration testing time as efficient as possible. It s done by: Running different tools (Nikto/Arachni/w3af/etc) Running direct tests (header searches/session tests/ etc) Knowledge repository (OWASP mapping/resource links) Helping human analysis (flag severity/manage output) In other words OWTF provides optimal balance between automation and human analysis
19 OWTF: Installation Want to quickly start? Follow this one-liner: $> wget -N bootstrap-script/master/bootstrap.sh; bash bootstrap.sh
20 OWTF
21 OWTF - Set a target
22 OWTF - Choose plugins and run! sends normal traffic to target Testing web apps Testing network services active vulnerability probing assist manual testing probing services (e.g. FTP/SMB ) searches on HTTP transactions test via 3rd parties (no traffic to target)
23 OWTF demo
24 OWTF - Useful links Project: Documentation: Online passive scanner: IRC channel (#owtf on Freenode)
25 Last but not least There are lots of other cool open-source projects, e.g Category:OWASP_Project#tab=Project_Inventory Don t miss local initiatives focused on security like Technology Risk and Information Security or OWASP meet ups ;)
26 Summary Use OWASP WebGoat to provide efficient security trainings in your company. Use OWASP OWTF to automate your penetration testing tasks. It allows you for easy test s output analyse and create reports in a fast way. Stay tuned - checkout other open-source projects and don t miss local events!
27 Thank you Questions? feedback?
Notes From The field
Notes From The field tools and usage experiences Jarkko Holappa Antti Laulajainen Copyright The Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the License.
More informationGetting Ready. I have copies on flash drives Uncompress the VM. Mandiant Corporation. All rights reserved.
Getting Ready In order to get the most from this session, please download / install: OWASP ZAP, which requires a Java runtime A virtualization package, such as the free VirtualBox, free VMware Player,
More informationOWASP Top David Caissy OWASP Los Angeles Chapter July 2017
OWASP Top 10-2017 David Caissy OWASP Los Angeles Chapter July 2017 About Me David Caissy Web App Penetration Tester Former Java Application Architect IT Security Trainer: Developers Penetration Testers
More informationOWASP Romania Chapter
OWASP EU Tour Bucharest 2013 The OWASP Foundation http://www.owasp.org OWASP Romania Chapter Chirita Ionel Application Security Analyst @ EA Romania Chapter Board Member chirita.ionel@gmail.com Copyright
More informationWeb Application Penetration Testing
Web Application Penetration Testing COURSE BROCHURE & SYLLABUS Course Overview Web Application penetration Testing (WAPT) is the Security testing techniques for vulnerabilities or security holes in corporate
More informationIronWASP (Iron Web application Advanced Security testing Platform)
IronWASP (Iron Web application Advanced Security testing Platform) 1. Introduction: IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability
More informationOWASP ESAPI SwingSet. OWASP 26 April Fabio Cerullo Ireland Chapter Leader Global Education Committee
OWASP ESAPI SwingSet OWASP 26 April 2011 Fabio Cerullo Ireland Chapter Leader Global Education Committee fcerullo@owasp.org +353 87 7817468 Copyright The OWASP Foundation Permission is granted to copy,
More informationN different strategies to automate OWASP ZAP
OWASP BUCHAREST APPSEC CONFERENCE 13 OCTOBER 2017 The OWASP Foundation http://www.owasp.org N different strategies to automate OWASP ZAP The OWASP Zed Attack Proxy Marudhamaran Gunasekaran Zap Contributor
More informationApplication Security Use Cases. RASP, WAF, NGWAF, What The Hell is The Difference.
Application Security Use Cases RASP, WAF, NGWAF, What The Hell is The Difference. Acronym Soup July 29, 2016 2 July 29, 2016 3 Definition of Terms WAF Web Application Firewall / waf / noun 1. An appliance,
More informationCertified Secure Web Application Engineer
Certified Secure Web Application Engineer ACCREDITATIONS EXAM INFORMATION The Certified Secure Web Application Engineer exam is taken online through Mile2 s Assessment and Certification System ( MACS ),
More informationImproving Security in the Application Development Life-cycle
Improving Security in the Application Development Life-cycle Migchiel de Jong Software Security Engineer mdejong@fortifysoftware.com March 9, 2006 General contact: Jurgen Teulings, 06-30072736 jteulings@fortifysoftware.com
More informationProtect your apps and your customers against application layer attacks
Protect your apps and your customers against application layer attacks Development 1 IT Operations VULNERABILITY DETECTION Bots, hackers, and other bad actors will find and exploit vulnerabilities in web
More informationMoving Targets: Assessing the Security of Mobile Devices. March 3 rd, 2016 Kevin Johnson, CEO Secure Ideas
Moving Targets: Assessing the Security of Mobile Devices March 3 rd, 2016 Kevin Johnson, CEO Secure Ideas Conflict of Interest Kevin Johnson Has no real or apparent conflicts of interest to report. Kevin
More informationSecurity Course. WebGoat Lab sessions
Security Course WebGoat Lab sessions WebGoat Lab sessions overview Initial Setup Tamper Data Web Goat Lab Session 4 Access Control, session information stealing Lab Session 2 HTTP Basics Sniffing Parameter
More informationApplication. Security. on line training. Academy. by Appsec Labs
Application Security on line training Academy by Appsec Labs APPSEC LABS ACADEMY APPLICATION SECURITY & SECURE CODING ON LINE TRAINING PROGRAM AppSec Labs is an expert application security company serving
More informationCSWAE Certified Secure Web Application Engineer
CSWAE Certified Secure Web Application Engineer Overview Organizations and governments fall victim to internet based attacks every day. In many cases, web attacks could be thwarted but hackers, organized
More informationOverview of Web Application Security and Setup
Overview of Web Application Security and Setup Section Overview Where to get assistance Assignment #1 Infrastructure Setup Web Security Overview Web Application Evaluation & Testing Application Security
More informationBLACK HAT USA 2013 ADD A CLASS REQUEST FORM INSTRUCTIONS
Use one form per registrant. BLACK HAT USA 2013 ADD A CLASS REQUEST FORM INSTRUCTIONS This form is for those who have existing USA 2013 Training Registration and have an existing Confirmation Number. If
More informationSichere Software vom Java-Entwickler
Sichere Software vom Java-Entwickler Dominik Schadow Java Forum Stuttgart 05.07.2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN We can no longer
More informationOWASP Top 10 The Ten Most Critical Web Application Security Risks
OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain
More informationIntroductions. Jack Katie
Main Screen Turn On Hands On Workshop Introductions Jack Skinner @developerjack Katie McLaughlin @glasnt And what about you? (not your employer) What s your flavour? PHP, Ruby, Python? Wordpress, Drupal,
More informationOnline Intensive Ethical Hacking Training
Online Intensive Ethical Hacking Training Feel the heat of Security and Learn something out of the box 0 About the Course This is a 7 Days Intensive Training Program on Ethical Hacking & Cyber Security.
More informationOWASP Review. Amherst Security Group June 14, 2017 Robert Hurlbut.
OWASP Review Amherst Security Group June 14, 2017 Robert Hurlbut RobertHurlbut.com @RobertHurlbut Robert Hurlbut Software Security Consultant, Architect, and Trainer Owner / President of Robert Hurlbut
More informationGUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.
Report on IRONWASP Software Product: IronWASP Description of the Product: IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing.
More informationXCOLD Information Leak
XCOLD Information Leak New Functionality for Developers, New Security Concerns Based on my original article: http://zaproxy.blogspot.co. uk/2016/01/zap-newsletter-2016-january.html#feature Intro Ottawa
More informationApplication Security through a Hacker s Eyes James Walden Northern Kentucky University
Application Security through a Hacker s Eyes James Walden Northern Kentucky University waldenj@nku.edu Why Do Hackers Target Web Apps? Attack Surface A system s attack surface consists of all of the ways
More informationMulti-Post XSRF Web App Exploitation, total pwnage
Multi-Post XSRF Web App Exploitation, total pwnage Adrien de Beaupré SANS ISC Handler Tester of pens Certified SANS Instructor Intru-Shun.ca Inc. SecTor 2015 Introduction Web application vulnerabilities.
More informationChat with a hacker. Increase attack surface for Pentest. A talk by Egor Karbutov and Alexey Pertsev
Chat with a hacker Increase attack surface for Pentest A talk by Egor Karbutov and Alexey Pertsev $ Whoarewe Egor Karbutov & Alexey Pertsev Penetration testers @Digital Security Speakers Bug Hunters 2
More informationIntegrity attacks (from data to code): Malicious File upload, code execution, SQL Injection
Pattern Recognition and Applications Lab Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection Igino Corona igino.corona _at_ diee.unica.it Computer Security May 2nd,
More informationWEB APPLICATION SCANNERS. Evaluating Past the Base Case
WEB APPLICATION SCANNERS Evaluating Past the Base Case GREG OSE PATRICK TOOMEY Presenter Intros Overview An overview of web application scanners Why is it hard to evaluate scanner efficacy? Prior Work
More informationApplication security : going quicker
Application security : going quicker The web application firewall example Agenda Agenda o Intro o Application security o The dev team approach o The infra team approach o Impact of the agility o The WAF
More informationSecuring Production Applications & Data at Runtime. Prevoty
Securing Production Applications & Data at Runtime Prevoty Introducing Prevoty Scalable visibility and protection for all applications and services 20+ 3 Over Verticals: Awards & Recognitions Years in
More informationProviding Secure, Fast and Available
Providing Secure, Fast and Available SharePoint with F5 BIG-IP John Lee, Federal Systems Engineer Version 3.0 Rate Shaping TCP Express SSL Caching XML Compression OneConnect TCP Express ASM Web Accel 3
More informationApplications Security
Applications Security OWASP Top 10 PyCon Argentina 2018 Objectives Generate awareness and visibility on web-apps security Set a baseline of shared knowledge across the company Why are we here / Trigger
More informationPEACHTECH PEACH API SECURITY AUTOMATING API SECURITY TESTING. Peach.tech
PEACH API SECURITY AUTOMATING API SECURITY TESTING Peach.tech Table of Contents Introduction... 3 Industry Trends... 3 API growth... 3 Agile and Continuous Development Frameworks... 4 Gaps in Tooling...
More informationOWASP TOP 10. By: Ilia
OWASP TOP 10 By: Ilia Alshanetsky @iliaa ME, MYSELF & I PHP Core Developer Author of Guide to PHP Security Security Aficionado WEB SECURITY THE CONUNDRUM USABILITY SECURITY YOU CAN HAVE ONE ;-) OPEN WEB
More informationINTERACTIVE APPLICATION SECURITY TESTING (IAST)
WHITEPAPER INTERACTIVE APPLICATION SECURITY TESTING (IAST) Software affects virtually every aspect of an individual s finances, safety, government, communication, businesses, and even happiness. Individuals
More informationWeb Applications Penetration Testing
Web Applications Penetration Testing Team Members: Rahul Motwani (2016ME10675) Akshat Khare (2016CS10315) ftarth Chopra (2016TT10829) Supervisor: Prof. Ranjan Bose Before proceeding further, we would like
More informationOWASP Broken Web Application Project. When Bad Web Apps are Good
OWASP Broken Web Application Project When Bad Web Apps are Good About Me Mordecai (Mo) Kraushar Director of Audit, CipherTechs OWASP Project Lead, Vicnum OWASP New York City chapter member Assessing the
More informationSECURITY TESTING. Towards a safer web world
SECURITY TESTING Towards a safer web world AGENDA 1. 3 W S OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS ate: 2013-14 Few Security Breaches September
More informationString Analysis for the Detection of Web Application Flaws
String Analysis for the Detection of Web Application Flaws Luca Carettoni l.carettoni@securenetwork.it Claudio Merloni c.merloni@securenetwork.it CONFidence 2007 - May 12-13, Kraków, Poland 04/05/07 1
More informationRemediate the Flag Practical AppSec Training Platform. Andrea Scaduto
Practical AppSec Training Platform Bio Interests: Web / Mobile Apps Pentesting Optimization of costs in addressing security issues Training developers in remediation and secure coding Application Security
More informationWelcome to the OWASP TOP 10
Welcome to the OWASP TOP 10 Secure Development for Java Developers Dominik Schadow 03/20/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN 1 AGENDA
More informationWTF. Amichai Shulman, CTO Yaniv Azaria, Security Research TL
WTF Amichai Shulman, CTO Yaniv Azaria, Security Research TL Imperva, the Imperva logo and SecureSphere are trademarks of Imperva, Inc. 1 Amichai Shulman CTO Imperva 20 year information security veteran
More informationOWASP ASVS for NFTaaS in Financial Services OLEKSANDR KAZYMYROV, TECHNICAL TEST ANALYST
OWASP ASVS for NFTaaS in Financial Services OLEKSANDR KAZYMYROV, TECHNICAL TEST ANALYST Agenda Chapter I - Brief Introduction Chapter II - Why OWASP ASVS? Chapter III - OWAS ASVS in Practice Chapter IV
More informationWebGoat& WebScarab. What is computer security for $1000 Alex?
WebGoat& WebScarab What is computer security for $1000 Alex? Install WebGoat 10 Download from Google Code 20 Unzip the folder to where ever you want 30 Click on WebGoat.bat 40 Goto http://localhost/webgoat/attack
More informationApplication Security for the Masses. OWASP Greek Chapter Meeting 16/3/2011. The OWASP Foundation
Application Security for the Masses Konstantinos Papapanagiotou Greek Chapter Leader Syntax IT Inc Greek Chapter Meeting 16/3/2011 Konstantinos@owasp.org Copyright The Foundation Permission is granted
More informationDevelopment*Process*for*Secure* So2ware
Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development
More informationPenetration Testing with Kali Linux
Penetration Testing with Kali Linux PWK Copyright Offensive Security Ltd. All rights reserved. Page 1 of 11 All rights reserved to Offensive Security No part of this publication, in whole or in part, may
More informationShiftLeft. Real-World Runtime Protection Benchmarking
ShiftLeft Real-World Runtime Protection Benchmarking Table of Contents Executive Summary... 02 Testing Approach... 02 ShiftLeft Technology... 04 Test Application... 06 Results... 07 SQL injection exploits
More informationHands-on Security Tools
Hands-on Security Tools SecAppDev 2011 Caveats and Warnings This is not a sales pitch for any product(s) If you want to talk to a sales person, tell me Otherwise, you will NOT get calls or spam You are
More information(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection
Pattern Recognition and Applications Lab (System) Integrity attacks System Abuse, Malicious File upload, SQL Injection Igino Corona igino.corona (at) diee.unica.it Computer Security April 9, 2018 Department
More informationGetting started with OWASP WebGoat 4.0 and SOAPUI.
Getting started with OWASP WebGoat 4.0 and SOAPUI. Hacking web services, an introduction. Version 1.0 by Philippe Bogaerts mailto:philippe.bogaerts@radarhack.com http://www.radarhack.com 1. Introduction
More informationDefectDojo. The Good, the Bad and the Ugly. OWASP Stammtisch Hamburg Tilmann Haak Manuel Schneider
DefectDojo The Good, the Bad and the Ugly OWASP Stammtisch Hamburg Tilmann Haak Manuel Schneider 2018-05-31 PREFACE CIO: What is the security posture of our applications? How do you handle and communicate
More informationCode review guide. Notice: Read about the language that you will test its code, if you don t have an idea about the language this will be difficult.
Code review guide Author: Jameel Nabbo Website: www.jameelnabbo.com Table of contents Introduction Code review Checklist Steps to perform on code review task Tips for code review Starting the Code review
More informationTales of Practical Android Penetration Testing (Mobile Pentest Toolkit) Alexander Subbotin OWASP Bucharest AppSec 2018
Tales of Practical Android Penetration Testing (Mobile Pentest Toolkit) Alexander Subbotin OWASP Bucharest AppSec 2018 About Me About Me IT Security Consultant (https://subbotin.de) Penetration Tester/Ethical
More informationjava -jar Xmx2048mb /Applications/burpsuite_pro_v1.5.jar
Training: An Introduction to Burp Suite Part One By Mike Sheward Burp suite provides a solid platform for launching a web application security assessment. In this guide we re going to introduce the features
More informationSECURE CODING PART 1 MAGDA LILIA CHELLY ENTREPRENEUR CISO ADVISOR CYBERFEMINIST PEERLYST BRAND AMBASSADOR TOP 50 CYBER CYBER
SECURE CODING PART 1 MAGDA LILIA CHELLY ENTREPRENEUR CISO ADVISOR CYBERFEMINIST PEERLYST BRAND AMBASSADOR TOP 50 CYBER INFLUENCER @RESPONSIBLE CYBER 1 AGENDA 1. Introduction: What is security? How much
More informationOWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati
OWASP TOP 10 2017 Release Andy Willingham June 12, 2018 OWASP Cincinnati Agenda A quick history lesson The Top 10(s) Web Mobile Privacy Protective Controls Why have a Top 10? Software runs the world (infrastructure,
More informationAutomated Security Scanning in Payment Industry
Digital Transformation Specialist Automated Security Scanning in Payment Industry Michał Buczko Michał Buczko Test Consultant Public Speaker Security enthusiast Agenda 1.) Why security? 2.) How hard it
More informationOWASP Application Security Building and Breaking Applications
OWASP Application Security Building and Breaking Applications Welcome Rochester OWASP Chapter - Durkee Consulting, Inc. info@rd1.net OWASP: About US OWASP = Open Web Application Security Project Dedicated
More informationGit, Atom, virtualenv, oh my! Learn about dev tools to live by!
BRKDEV-2633 Git, Atom, virtualenv, oh my! Learn about dev tools to live by! Ashley Roach, Principal Engineer Evangelist Agenda Introduction Why are developer tools useful? What s in the toolbelt? Tool
More informationgfuzz: An instrumented Web application fuzzing environment Ezequiel D. Gutesman Corelabs Core Security Technologies
gfuzz: An instrumented Web application fuzzing environment Ezequiel D. Gutesman Corelabs Core Security Technologies Objectives Present a working tool (prototype-poc) to test the security of a given web
More information9 th CA 2E/CA Plex Worldwide Developer Conference 1
1 Introduction/Welcome Message Organizations that are making major changes to or replatforming an application need to dedicate considerable resources ot the QA effort. In this session we will show best
More informationOWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example
Proxy Caches and Web Application Security Using the Recent Google Docs 0-Day as an Example Tim Bass, CISSP Chapter Leader, Thailand +66832975101, tim@unix.com AppSec Asia October 21, 2008 Thailand Worldwide
More informationMan-In-The-Browser Attacks. Daniel Tomescu
Man-In-The-Browser Attacks Daniel Tomescu 1 About me Work and education: Pentester @ KPMG Romania Moderator @ Romanian Security Team MSc. Eng. @ University Politehnica of Bucharest OSCP, CREST CRT Interests:
More informationWeb Application Security GVSAGE Theater
Web Application Security GVSAGE Theater B2B Tech Expo Oct 29, 2003 Durkee Consulting www.rd1.net 1 Ralph Durkee SANS Certified Mentor/Instructor SANS GSEC, GCIH, GGSC Network Security and Software Development
More informationSecure Development Processes
Secure Development Processes SecAppDev2009 What s the problem? Writing secure software is tough Newcomers often are overwhelmed Fear of making mistakes can hinder Tend to delve into security superficially
More informationOWASP German Chapter Stammtisch Initiative/Ruhrpott. Android App Pentest Workshop 101
OWASP German Chapter Stammtisch Initiative/Ruhrpott Android App Pentest Workshop 101 About What we will try to cover in the first session: Setup of a Mobile Application Pentest Environment Basics of Mobile
More informationAbout Me. Rohit Salecha
Serialization Bugs About Me Rohit Salecha Senior Security Consultant @ NotSoSecure 7+ yrs of Corporate Experience Pentesting (Web, Mobile, Infra) and Development in Java Trainer : AppSec for Developers,
More informationAll the Cool Kids Are Red Teaming Should You Be Drinking the Kool-aid Too?
All the Cool Kids Are Red Teaming Should You Be Drinking the Kool-aid Too? Exploring Different Approaches to Penetration Testing Cara Marie NCC Group ISSA-LA Aug 2017 Obligatory About Me NCC Group Principal
More informationAndrés Riancho sec.com H2HC, 1
Andrés Riancho andres@bonsai-sec.com sec.com H2HC, HC, Brazil - 2009 1 Web Application Security enthusiast Developer (python!) Open Source Evangelist With some knowledge in networking, IPS design and evasion
More informationWAPT in pills: Self-paced, online, flexible access interactive slides. 4+ hours of video materials
The most practical and comprehensive training course on Web App Penetration testing WAPT in pills: Self-paced, online, flexible access 1000+ interactive slides 4+ hours of video materials Learn the most
More informationMaking the web secure by design
Making the web secure by design Glenn ten Cate Security Engineer @Schuberg Philis Riccardo ten Cate Security Researcher Agenda Why SKF What you will get/learn Stages of development Intro & how to Hands
More informationSecure Web Application Development: Hands-on Teaching Modules
Secure Web Application Development: Hands-on Teaching Modules Presenter: Li-Chiou Chen ACM SIGCSE 2011 Workshop 27 March 12 th, 2011 Project Team: Li-Chiou Chen, Lixin Tao and Chienting Lin, Pace University
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationCisco Firepower NGIPS Tuning and Best Practices
Cisco Firepower NGIPS Tuning and Best Practices John Wise, Security Instructor High Touch Delivery, Cisco Learning Services CTHCRT-2000 Cisco Spark How Questions? Use Cisco Spark to communicate with the
More informationZAP Innovations. OWASP Zed Attack Proxy. Simon Bennetts. OWASP AppSec EU Hamburg The OWASP Foundation
OWASP AppSec EU Hamburg 2013 The OWASP Foundation http://www.owasp.org ZAP Innovations OWASP Zed Attack Proxy Simon Bennetts OWASP ZAP Project Lead Mozilla Security Team psiinon@gmail.com Copyright The
More informationMonitoring Attack Surface and Integrating Security into DevOps Pipelines
Monitoring Attack Surface and Integrating Security into DevOps Pipelines Dan Cornell @danielcornell 0 Agenda Background Importance of Attack Surface What Does Attack Surface Have to Do with DevOps? Hybrid
More informationAgenda. Introduce the Tale of Two developers. Domino Top Secret. Back to the Future with the Domino
Agenda Introduce the Tale of Two developers Domino Top Secret Industry Scenario based demo and the reach of Domino Apps Back to the Future with the Domino the Secure NOSQL Database with Node.js Hint: June
More informationWeb Application Vulnerabilities: OWASP Top 10 Revisited
Pattern Recognition and Applications Lab Web Application Vulnerabilities: OWASP Top 10 Revisited Igino Corona igino.corona AT diee.unica.it Computer Security April 5th, 2018 Department of Electrical and
More informationME?
ME? VULNEX: Blog: Twitter: www.vulnex.com www.simonroses.com @simonroses TALK OBJECTIVES Apps are the new Web Peek into current state of Apps security on Markets Bugs will be revealed but not the victims
More informationAdditional Security Services on AWS
Additional Security Services on AWS Bertram Dorn Specialized Solutions Architect Security / Compliance / DataProtection AWS EMEA The Landscape The Paths Application Data Path Path Cloud Managed by Customer
More informationEthical Hacking as a Professional Penetration Testing Technique ISSA Southern Tier & Rochester Chapters
Ethical Hacking as a Professional Penetration Testing Technique ISSA Southern Tier & Rochester Chapters - Durkee Consulting, Inc. Background Founder of Durkee Consulting since 1996 Founder of Rochester
More informationApplication Security Approach
Technical Approach Page 1 CONTENTS Section Page No. 1. Introduction 3 2. What is Application Security 7 3. Typical Approaches 9 4. Methodology 11 Page 2 1. INTRODUCTION Page 3 It is a Unsafe Cyber world..
More informationSUG Breakout Session: OSC OnDemand App Development
SUG Breakout Session: OSC OnDemand App Development Basil Mohamed Gohar Web and Interface Applications Manager Eric Franz Senior Engineer & Technical Lead This work is supported by the National Science
More informationHow to hack and secure your Java web applications
How to hack and secure your Java web applications Sebastien Deleersnyder Board Member OWASP Speaker s qualifications 5 years developer experience 8 years information security experience Lead application
More informationWhat someone said about junk hacking
What someone said about junk hacking Yes, we get it. Cars, boats, buses, and those singing fish plaques are all hackable and have no security. Most conferences these days have a! whole track called "Junk
More informationAdvanced Techniques for DDoS Mitigation and Web Application Defense
Advanced Techniques for DDoS Mitigation and Web Application Defense Dr. Andrew Kane, Solutions Architect Giorgio Bonfiglio, Technical Account Manager June 28th, 2017 2017, Amazon Web Services, Inc. or
More informationBreaking and Securing Mobile Apps
Breaking and Securing Mobile Apps Aditya Gupta @adi1391 adi@attify.com +91-9538295259 Who Am I? The Mobile Security Guy Attify Security Architecture, Auditing, Trainings etc. Ex Rediff.com Security Lead
More informationCloud Foundry Bootcamp
Cloud Foundry Bootcamp GOTO 2012 Josh Long Spring Developer Advocate josh.long@springsource.com 2012 VMware, Inc. All rights reserved Josh Long Spring Developer Advocate josh.long@springsource.com About
More informationn Explain penetration testing concepts n Explain vulnerability scanning concepts n Reconnaissance is the first step of performing a pen test
Chapter Objectives n Explain penetration testing concepts n Explain vulnerability scanning concepts Chapter #4: Threats, Attacks, and Vulnerabilities Vulnerability Scanning and Penetration Testing 2 Penetration
More informationApplication Layer Security
Application Layer Security General overview Ma. Angel Marquez Andrade Benefits of web Applications: No need to distribute separate client software Changes to the interface take effect immediately Client-side
More informationSeth & Ken s Excellent Adventures in Secure Code Review. Training Course 17th & 18th of October. Table of Contents
Seth & Ken s Excellent Adventures in Secure Code Review Training Course 17th & 18th of October Table of Contents Seth & Ken s Excellent Adventures in Secure Code Review 1 Course Abstract 2 What attendees
More informationInvestigating Source Code Reusability for Android and Blackberry Applications
Investigating Source Code Reusability for Android and Blackberry Applications Group G8 Jenelle Chen Aaron Jin 1 Outline Recaps Challenges with mobile development Problem definition Approach Demo Detailed
More informationInstalling Visual Studio for Report Design
Introduction and Contents This file contains the final set of instructions needed for software installation for HIM 6217. It covers items 4 & 5 from the previously introduced list seen below: 1. Microsoft
More informationCloud platforms. T Mobile Systems Programming
Cloud platforms T-110.5130 Mobile Systems Programming Agenda 1. Motivation 2. Different types of cloud platforms 3. Popular cloud services 4. Open-source cloud 5. Cloud on this course 6. Mobile Edge Computing
More informationSpark SDK Video - Overview and Coding Demo
DEVNET-2026 Spark SDK Video - Overview and Coding Demo Olivier Proffit - Sr. Product Manager David Staudt DevNet Developer Evangelist Cisco Spark How Questions? Use Cisco Spark to communicate with the
More informationWebGoat Lab session overview
WebGoat Lab session overview Initial Setup Virtual Machine Tamper Data Web Goat Basics HTTP Basics Sniffing Web server attacks SQL Injection XSS INITIAL SETUP Tamper Data Hold alt to reveal the menu in
More informationSecure DevOps: A Puma s Tail
Secure DevOps: A Puma s Tail SANS Secure DevOps Summit Tuesday, October 10th 2017 Eric Johnson (@emjohn20) Eric Johnson, CISSP, GSSP, GWAPT Cypress Data Defense Principal Security Consultant Static code
More information