Introduction to OWASP WebGoat and OWTF. by Pawel Rzepa

Size: px
Start display at page:

Download "Introduction to OWASP WebGoat and OWTF. by Pawel Rzepa"

Transcription

1 Introduction to OWASP WebGoat and OWTF by Pawel Rzepa

2 About Me Security Engineer in SoftServe Poland Currently developing advanced fuzzing module in Spirent s Cyberflood OWASP member (OWASP Poland Chapter in Wroclaw)

3 Agenda Problem 1: efficient security training Solution: WebGoat Problem 2: efficient management of multiple penetration testing tasks Solution: Offensive Web Testing Framework

4 Problem of efficient security training Security awareness training for developers are quite common, but reality shows they are still ineffective :( and XSS allows you injecting such horrifying pop up windows!!!

5 Problem of efficient security training

6 arranging internal hands-on labs for developers and testers, where they can deeply understand vulnerabilities by finding and fixing them? What about Finally a security training which isn t an online course to fly through and forget! Internal course that is free and isn t a corpobullshit?! Cannot believe that

7 TO THE RESCUE!!!

8 Few words about WebGoat A deliberately insecure Java-based application, which allows you to test common vulnerabilities, or.net-based: 50+ lessons, index.php/webgoatfor.net After finding a vulnerability, learn to fix it! Easy manageable lessons via plugins, You can create your own lessons without touching code.

9 Only web apps? Hell no!!! Ruby on Rails: index.php/owasp_rails_goat_project WebGoat PHP: index.php/webgoatphp Node.js: OWASP_Node_js_Goat_Project Android: Projects/OWASP_GoatDroid_Project ios: OWASP_iGoat_Project

10 How to run WebGoat? Prerequisites: Java VM 1.8 To start just follow these commands: $> wget releases/download/7.0.1/webgoat-container war-exec.jar $> java -jar webgoat-container war-exec.jar open in you browser: That s all!

11 First view

12 lessons & labs

13 WebGoat Creating your own lesson Plugin = lesson Plugin is just a folder, which follows this format:

14 WebGoat Useful links Project: Category:OWASP_WebGoat_Project Documentation:

15 Problem: how to efficiently manage outputs from many different applications? Each pentester uses many different applications (vuln scanner, web crawler, SSL/TLS tests, session management tests) Running each of those tests consumes time, right? It s easy to automate those tasks, but analysing a consolidated output is much more difficult :( And finally you have to form a readable report from all those tests oooh :(

16 Typical penetration testing process ( ) <creates a fancy & readable report> <runs a lot of tests> <which generates lots of output> <cpy/pst interesting parts> of course in notepad ;)

17 OFFENSIVE WEB TESTING FRAMEWORK TO THE RESCUE!!!

18 OWTF - an idea A goal of OWTF is to use penetration testing time as efficient as possible. It s done by: Running different tools (Nikto/Arachni/w3af/etc) Running direct tests (header searches/session tests/ etc) Knowledge repository (OWASP mapping/resource links) Helping human analysis (flag severity/manage output) In other words OWTF provides optimal balance between automation and human analysis

19 OWTF: Installation Want to quickly start? Follow this one-liner: $> wget -N bootstrap-script/master/bootstrap.sh; bash bootstrap.sh

20 OWTF

21 OWTF - Set a target

22 OWTF - Choose plugins and run! sends normal traffic to target Testing web apps Testing network services active vulnerability probing assist manual testing probing services (e.g. FTP/SMB ) searches on HTTP transactions test via 3rd parties (no traffic to target)

23 OWTF demo

24 OWTF - Useful links Project: Documentation: Online passive scanner: IRC channel (#owtf on Freenode)

25 Last but not least There are lots of other cool open-source projects, e.g Category:OWASP_Project#tab=Project_Inventory Don t miss local initiatives focused on security like Technology Risk and Information Security or OWASP meet ups ;)

26 Summary Use OWASP WebGoat to provide efficient security trainings in your company. Use OWASP OWTF to automate your penetration testing tasks. It allows you for easy test s output analyse and create reports in a fast way. Stay tuned - checkout other open-source projects and don t miss local events!

27 Thank you Questions? feedback?

Notes From The field

Notes From The field Notes From The field tools and usage experiences Jarkko Holappa Antti Laulajainen Copyright The Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the License.

More information

Getting Ready. I have copies on flash drives Uncompress the VM. Mandiant Corporation. All rights reserved.

Getting Ready. I have copies on flash drives Uncompress the VM. Mandiant Corporation. All rights reserved. Getting Ready In order to get the most from this session, please download / install: OWASP ZAP, which requires a Java runtime A virtualization package, such as the free VirtualBox, free VMware Player,

More information

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017 OWASP Top 10-2017 David Caissy OWASP Los Angeles Chapter July 2017 About Me David Caissy Web App Penetration Tester Former Java Application Architect IT Security Trainer: Developers Penetration Testers

More information

OWASP Romania Chapter

OWASP Romania Chapter OWASP EU Tour Bucharest 2013 The OWASP Foundation http://www.owasp.org OWASP Romania Chapter Chirita Ionel Application Security Analyst @ EA Romania Chapter Board Member chirita.ionel@gmail.com Copyright

More information

Web Application Penetration Testing

Web Application Penetration Testing Web Application Penetration Testing COURSE BROCHURE & SYLLABUS Course Overview Web Application penetration Testing (WAPT) is the Security testing techniques for vulnerabilities or security holes in corporate

More information

IronWASP (Iron Web application Advanced Security testing Platform)

IronWASP (Iron Web application Advanced Security testing Platform) IronWASP (Iron Web application Advanced Security testing Platform) 1. Introduction: IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability

More information

OWASP ESAPI SwingSet. OWASP 26 April Fabio Cerullo Ireland Chapter Leader Global Education Committee

OWASP ESAPI SwingSet. OWASP 26 April Fabio Cerullo Ireland Chapter Leader Global Education Committee OWASP ESAPI SwingSet OWASP 26 April 2011 Fabio Cerullo Ireland Chapter Leader Global Education Committee fcerullo@owasp.org +353 87 7817468 Copyright The OWASP Foundation Permission is granted to copy,

More information

N different strategies to automate OWASP ZAP

N different strategies to automate OWASP ZAP OWASP BUCHAREST APPSEC CONFERENCE 13 OCTOBER 2017 The OWASP Foundation http://www.owasp.org N different strategies to automate OWASP ZAP The OWASP Zed Attack Proxy Marudhamaran Gunasekaran Zap Contributor

More information

Application Security Use Cases. RASP, WAF, NGWAF, What The Hell is The Difference.

Application Security Use Cases. RASP, WAF, NGWAF, What The Hell is The Difference. Application Security Use Cases RASP, WAF, NGWAF, What The Hell is The Difference. Acronym Soup July 29, 2016 2 July 29, 2016 3 Definition of Terms WAF Web Application Firewall / waf / noun 1. An appliance,

More information

Certified Secure Web Application Engineer

Certified Secure Web Application Engineer Certified Secure Web Application Engineer ACCREDITATIONS EXAM INFORMATION The Certified Secure Web Application Engineer exam is taken online through Mile2 s Assessment and Certification System ( MACS ),

More information

Improving Security in the Application Development Life-cycle

Improving Security in the Application Development Life-cycle Improving Security in the Application Development Life-cycle Migchiel de Jong Software Security Engineer mdejong@fortifysoftware.com March 9, 2006 General contact: Jurgen Teulings, 06-30072736 jteulings@fortifysoftware.com

More information

Protect your apps and your customers against application layer attacks

Protect your apps and your customers against application layer attacks Protect your apps and your customers against application layer attacks Development 1 IT Operations VULNERABILITY DETECTION Bots, hackers, and other bad actors will find and exploit vulnerabilities in web

More information

Moving Targets: Assessing the Security of Mobile Devices. March 3 rd, 2016 Kevin Johnson, CEO Secure Ideas

Moving Targets: Assessing the Security of Mobile Devices. March 3 rd, 2016 Kevin Johnson, CEO Secure Ideas Moving Targets: Assessing the Security of Mobile Devices March 3 rd, 2016 Kevin Johnson, CEO Secure Ideas Conflict of Interest Kevin Johnson Has no real or apparent conflicts of interest to report. Kevin

More information

Security Course. WebGoat Lab sessions

Security Course. WebGoat Lab sessions Security Course WebGoat Lab sessions WebGoat Lab sessions overview Initial Setup Tamper Data Web Goat Lab Session 4 Access Control, session information stealing Lab Session 2 HTTP Basics Sniffing Parameter

More information

Application. Security. on line training. Academy. by Appsec Labs

Application. Security. on line training. Academy. by Appsec Labs Application Security on line training Academy by Appsec Labs APPSEC LABS ACADEMY APPLICATION SECURITY & SECURE CODING ON LINE TRAINING PROGRAM AppSec Labs is an expert application security company serving

More information

CSWAE Certified Secure Web Application Engineer

CSWAE Certified Secure Web Application Engineer CSWAE Certified Secure Web Application Engineer Overview Organizations and governments fall victim to internet based attacks every day. In many cases, web attacks could be thwarted but hackers, organized

More information

Overview of Web Application Security and Setup

Overview of Web Application Security and Setup Overview of Web Application Security and Setup Section Overview Where to get assistance Assignment #1 Infrastructure Setup Web Security Overview Web Application Evaluation & Testing Application Security

More information

BLACK HAT USA 2013 ADD A CLASS REQUEST FORM INSTRUCTIONS

BLACK HAT USA 2013 ADD A CLASS REQUEST FORM INSTRUCTIONS Use one form per registrant. BLACK HAT USA 2013 ADD A CLASS REQUEST FORM INSTRUCTIONS This form is for those who have existing USA 2013 Training Registration and have an existing Confirmation Number. If

More information

Sichere Software vom Java-Entwickler

Sichere Software vom Java-Entwickler Sichere Software vom Java-Entwickler Dominik Schadow Java Forum Stuttgart 05.07.2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN We can no longer

More information

OWASP Top 10 The Ten Most Critical Web Application Security Risks

OWASP Top 10 The Ten Most Critical Web Application Security Risks OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain

More information

Introductions. Jack Katie

Introductions. Jack Katie Main Screen Turn On Hands On Workshop Introductions Jack Skinner @developerjack Katie McLaughlin @glasnt And what about you? (not your employer) What s your flavour? PHP, Ruby, Python? Wordpress, Drupal,

More information

Online Intensive Ethical Hacking Training

Online Intensive Ethical Hacking Training Online Intensive Ethical Hacking Training Feel the heat of Security and Learn something out of the box 0 About the Course This is a 7 Days Intensive Training Program on Ethical Hacking & Cyber Security.

More information

OWASP Review. Amherst Security Group June 14, 2017 Robert Hurlbut.

OWASP Review. Amherst Security Group June 14, 2017 Robert Hurlbut. OWASP Review Amherst Security Group June 14, 2017 Robert Hurlbut RobertHurlbut.com @RobertHurlbut Robert Hurlbut Software Security Consultant, Architect, and Trainer Owner / President of Robert Hurlbut

More information

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report. Report on IRONWASP Software Product: IronWASP Description of the Product: IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing.

More information

XCOLD Information Leak

XCOLD Information Leak XCOLD Information Leak New Functionality for Developers, New Security Concerns Based on my original article: http://zaproxy.blogspot.co. uk/2016/01/zap-newsletter-2016-january.html#feature Intro Ottawa

More information

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Application Security through a Hacker s Eyes James Walden Northern Kentucky University Application Security through a Hacker s Eyes James Walden Northern Kentucky University waldenj@nku.edu Why Do Hackers Target Web Apps? Attack Surface A system s attack surface consists of all of the ways

More information

Multi-Post XSRF Web App Exploitation, total pwnage

Multi-Post XSRF Web App Exploitation, total pwnage Multi-Post XSRF Web App Exploitation, total pwnage Adrien de Beaupré SANS ISC Handler Tester of pens Certified SANS Instructor Intru-Shun.ca Inc. SecTor 2015 Introduction Web application vulnerabilities.

More information

Chat with a hacker. Increase attack surface for Pentest. A talk by Egor Karbutov and Alexey Pertsev

Chat with a hacker. Increase attack surface for Pentest. A talk by Egor Karbutov and Alexey Pertsev Chat with a hacker Increase attack surface for Pentest A talk by Egor Karbutov and Alexey Pertsev $ Whoarewe Egor Karbutov & Alexey Pertsev Penetration testers @Digital Security Speakers Bug Hunters 2

More information

Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection

Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection Pattern Recognition and Applications Lab Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection Igino Corona igino.corona _at_ diee.unica.it Computer Security May 2nd,

More information

WEB APPLICATION SCANNERS. Evaluating Past the Base Case

WEB APPLICATION SCANNERS. Evaluating Past the Base Case WEB APPLICATION SCANNERS Evaluating Past the Base Case GREG OSE PATRICK TOOMEY Presenter Intros Overview An overview of web application scanners Why is it hard to evaluate scanner efficacy? Prior Work

More information

Application security : going quicker

Application security : going quicker Application security : going quicker The web application firewall example Agenda Agenda o Intro o Application security o The dev team approach o The infra team approach o Impact of the agility o The WAF

More information

Securing Production Applications & Data at Runtime. Prevoty

Securing Production Applications & Data at Runtime. Prevoty Securing Production Applications & Data at Runtime Prevoty Introducing Prevoty Scalable visibility and protection for all applications and services 20+ 3 Over Verticals: Awards & Recognitions Years in

More information

Providing Secure, Fast and Available

Providing Secure, Fast and Available Providing Secure, Fast and Available SharePoint with F5 BIG-IP John Lee, Federal Systems Engineer Version 3.0 Rate Shaping TCP Express SSL Caching XML Compression OneConnect TCP Express ASM Web Accel 3

More information

Applications Security

Applications Security Applications Security OWASP Top 10 PyCon Argentina 2018 Objectives Generate awareness and visibility on web-apps security Set a baseline of shared knowledge across the company Why are we here / Trigger

More information

PEACHTECH PEACH API SECURITY AUTOMATING API SECURITY TESTING. Peach.tech

PEACHTECH PEACH API SECURITY AUTOMATING API SECURITY TESTING. Peach.tech PEACH API SECURITY AUTOMATING API SECURITY TESTING Peach.tech Table of Contents Introduction... 3 Industry Trends... 3 API growth... 3 Agile and Continuous Development Frameworks... 4 Gaps in Tooling...

More information

OWASP TOP 10. By: Ilia

OWASP TOP 10. By: Ilia OWASP TOP 10 By: Ilia Alshanetsky @iliaa ME, MYSELF & I PHP Core Developer Author of Guide to PHP Security Security Aficionado WEB SECURITY THE CONUNDRUM USABILITY SECURITY YOU CAN HAVE ONE ;-) OPEN WEB

More information

INTERACTIVE APPLICATION SECURITY TESTING (IAST)

INTERACTIVE APPLICATION SECURITY TESTING (IAST) WHITEPAPER INTERACTIVE APPLICATION SECURITY TESTING (IAST) Software affects virtually every aspect of an individual s finances, safety, government, communication, businesses, and even happiness. Individuals

More information

Web Applications Penetration Testing

Web Applications Penetration Testing Web Applications Penetration Testing Team Members: Rahul Motwani (2016ME10675) Akshat Khare (2016CS10315) ftarth Chopra (2016TT10829) Supervisor: Prof. Ranjan Bose Before proceeding further, we would like

More information

OWASP Broken Web Application Project. When Bad Web Apps are Good

OWASP Broken Web Application Project. When Bad Web Apps are Good OWASP Broken Web Application Project When Bad Web Apps are Good About Me Mordecai (Mo) Kraushar Director of Audit, CipherTechs OWASP Project Lead, Vicnum OWASP New York City chapter member Assessing the

More information

SECURITY TESTING. Towards a safer web world

SECURITY TESTING. Towards a safer web world SECURITY TESTING Towards a safer web world AGENDA 1. 3 W S OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS ate: 2013-14 Few Security Breaches September

More information

String Analysis for the Detection of Web Application Flaws

String Analysis for the Detection of Web Application Flaws String Analysis for the Detection of Web Application Flaws Luca Carettoni l.carettoni@securenetwork.it Claudio Merloni c.merloni@securenetwork.it CONFidence 2007 - May 12-13, Kraków, Poland 04/05/07 1

More information

Remediate the Flag Practical AppSec Training Platform. Andrea Scaduto

Remediate the Flag Practical AppSec Training Platform. Andrea Scaduto Practical AppSec Training Platform Bio Interests: Web / Mobile Apps Pentesting Optimization of costs in addressing security issues Training developers in remediation and secure coding Application Security

More information

Welcome to the OWASP TOP 10

Welcome to the OWASP TOP 10 Welcome to the OWASP TOP 10 Secure Development for Java Developers Dominik Schadow 03/20/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN 1 AGENDA

More information

WTF. Amichai Shulman, CTO Yaniv Azaria, Security Research TL

WTF. Amichai Shulman, CTO Yaniv Azaria, Security Research TL WTF Amichai Shulman, CTO Yaniv Azaria, Security Research TL Imperva, the Imperva logo and SecureSphere are trademarks of Imperva, Inc. 1 Amichai Shulman CTO Imperva 20 year information security veteran

More information

OWASP ASVS for NFTaaS in Financial Services OLEKSANDR KAZYMYROV, TECHNICAL TEST ANALYST

OWASP ASVS for NFTaaS in Financial Services OLEKSANDR KAZYMYROV, TECHNICAL TEST ANALYST OWASP ASVS for NFTaaS in Financial Services OLEKSANDR KAZYMYROV, TECHNICAL TEST ANALYST Agenda Chapter I - Brief Introduction Chapter II - Why OWASP ASVS? Chapter III - OWAS ASVS in Practice Chapter IV

More information

WebGoat& WebScarab. What is computer security for $1000 Alex?

WebGoat& WebScarab. What is computer security for $1000 Alex? WebGoat& WebScarab What is computer security for $1000 Alex? Install WebGoat 10 Download from Google Code 20 Unzip the folder to where ever you want 30 Click on WebGoat.bat 40 Goto http://localhost/webgoat/attack

More information

Application Security for the Masses. OWASP Greek Chapter Meeting 16/3/2011. The OWASP Foundation

Application Security for the Masses. OWASP Greek Chapter Meeting 16/3/2011. The OWASP Foundation Application Security for the Masses Konstantinos Papapanagiotou Greek Chapter Leader Syntax IT Inc Greek Chapter Meeting 16/3/2011 Konstantinos@owasp.org Copyright The Foundation Permission is granted

More information

Development*Process*for*Secure* So2ware

Development*Process*for*Secure* So2ware Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development

More information

Penetration Testing with Kali Linux

Penetration Testing with Kali Linux Penetration Testing with Kali Linux PWK Copyright Offensive Security Ltd. All rights reserved. Page 1 of 11 All rights reserved to Offensive Security No part of this publication, in whole or in part, may

More information

ShiftLeft. Real-World Runtime Protection Benchmarking

ShiftLeft. Real-World Runtime Protection Benchmarking ShiftLeft Real-World Runtime Protection Benchmarking Table of Contents Executive Summary... 02 Testing Approach... 02 ShiftLeft Technology... 04 Test Application... 06 Results... 07 SQL injection exploits

More information

Hands-on Security Tools

Hands-on Security Tools Hands-on Security Tools SecAppDev 2011 Caveats and Warnings This is not a sales pitch for any product(s) If you want to talk to a sales person, tell me Otherwise, you will NOT get calls or spam You are

More information

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection Pattern Recognition and Applications Lab (System) Integrity attacks System Abuse, Malicious File upload, SQL Injection Igino Corona igino.corona (at) diee.unica.it Computer Security April 9, 2018 Department

More information

Getting started with OWASP WebGoat 4.0 and SOAPUI.

Getting started with OWASP WebGoat 4.0 and SOAPUI. Getting started with OWASP WebGoat 4.0 and SOAPUI. Hacking web services, an introduction. Version 1.0 by Philippe Bogaerts mailto:philippe.bogaerts@radarhack.com http://www.radarhack.com 1. Introduction

More information

DefectDojo. The Good, the Bad and the Ugly. OWASP Stammtisch Hamburg Tilmann Haak Manuel Schneider

DefectDojo. The Good, the Bad and the Ugly. OWASP Stammtisch Hamburg Tilmann Haak Manuel Schneider DefectDojo The Good, the Bad and the Ugly OWASP Stammtisch Hamburg Tilmann Haak Manuel Schneider 2018-05-31 PREFACE CIO: What is the security posture of our applications? How do you handle and communicate

More information

Code review guide. Notice: Read about the language that you will test its code, if you don t have an idea about the language this will be difficult.

Code review guide. Notice: Read about the language that you will test its code, if you don t have an idea about the language this will be difficult. Code review guide Author: Jameel Nabbo Website: www.jameelnabbo.com Table of contents Introduction Code review Checklist Steps to perform on code review task Tips for code review Starting the Code review

More information

Tales of Practical Android Penetration Testing (Mobile Pentest Toolkit) Alexander Subbotin OWASP Bucharest AppSec 2018

Tales of Practical Android Penetration Testing (Mobile Pentest Toolkit) Alexander Subbotin OWASP Bucharest AppSec 2018 Tales of Practical Android Penetration Testing (Mobile Pentest Toolkit) Alexander Subbotin OWASP Bucharest AppSec 2018 About Me About Me IT Security Consultant (https://subbotin.de) Penetration Tester/Ethical

More information

java -jar Xmx2048mb /Applications/burpsuite_pro_v1.5.jar

java -jar Xmx2048mb /Applications/burpsuite_pro_v1.5.jar Training: An Introduction to Burp Suite Part One By Mike Sheward Burp suite provides a solid platform for launching a web application security assessment. In this guide we re going to introduce the features

More information

SECURE CODING PART 1 MAGDA LILIA CHELLY ENTREPRENEUR CISO ADVISOR CYBERFEMINIST PEERLYST BRAND AMBASSADOR TOP 50 CYBER CYBER

SECURE CODING PART 1 MAGDA LILIA CHELLY ENTREPRENEUR CISO ADVISOR CYBERFEMINIST PEERLYST BRAND AMBASSADOR TOP 50 CYBER CYBER SECURE CODING PART 1 MAGDA LILIA CHELLY ENTREPRENEUR CISO ADVISOR CYBERFEMINIST PEERLYST BRAND AMBASSADOR TOP 50 CYBER INFLUENCER @RESPONSIBLE CYBER 1 AGENDA 1. Introduction: What is security? How much

More information

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati OWASP TOP 10 2017 Release Andy Willingham June 12, 2018 OWASP Cincinnati Agenda A quick history lesson The Top 10(s) Web Mobile Privacy Protective Controls Why have a Top 10? Software runs the world (infrastructure,

More information

Automated Security Scanning in Payment Industry

Automated Security Scanning in Payment Industry Digital Transformation Specialist Automated Security Scanning in Payment Industry Michał Buczko Michał Buczko Test Consultant Public Speaker Security enthusiast Agenda 1.) Why security? 2.) How hard it

More information

OWASP Application Security Building and Breaking Applications

OWASP Application Security Building and Breaking Applications OWASP Application Security Building and Breaking Applications Welcome Rochester OWASP Chapter - Durkee Consulting, Inc. info@rd1.net OWASP: About US OWASP = Open Web Application Security Project Dedicated

More information

Git, Atom, virtualenv, oh my! Learn about dev tools to live by!

Git, Atom, virtualenv, oh my! Learn about dev tools to live by! BRKDEV-2633 Git, Atom, virtualenv, oh my! Learn about dev tools to live by! Ashley Roach, Principal Engineer Evangelist Agenda Introduction Why are developer tools useful? What s in the toolbelt? Tool

More information

gfuzz: An instrumented Web application fuzzing environment Ezequiel D. Gutesman Corelabs Core Security Technologies

gfuzz: An instrumented Web application fuzzing environment Ezequiel D. Gutesman Corelabs Core Security Technologies gfuzz: An instrumented Web application fuzzing environment Ezequiel D. Gutesman Corelabs Core Security Technologies Objectives Present a working tool (prototype-poc) to test the security of a given web

More information

9 th CA 2E/CA Plex Worldwide Developer Conference 1

9 th CA 2E/CA Plex Worldwide Developer Conference 1 1 Introduction/Welcome Message Organizations that are making major changes to or replatforming an application need to dedicate considerable resources ot the QA effort. In this session we will show best

More information

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example Proxy Caches and Web Application Security Using the Recent Google Docs 0-Day as an Example Tim Bass, CISSP Chapter Leader, Thailand +66832975101, tim@unix.com AppSec Asia October 21, 2008 Thailand Worldwide

More information

Man-In-The-Browser Attacks. Daniel Tomescu

Man-In-The-Browser Attacks. Daniel Tomescu Man-In-The-Browser Attacks Daniel Tomescu 1 About me Work and education: Pentester @ KPMG Romania Moderator @ Romanian Security Team MSc. Eng. @ University Politehnica of Bucharest OSCP, CREST CRT Interests:

More information

Web Application Security GVSAGE Theater

Web Application Security GVSAGE Theater Web Application Security GVSAGE Theater B2B Tech Expo Oct 29, 2003 Durkee Consulting www.rd1.net 1 Ralph Durkee SANS Certified Mentor/Instructor SANS GSEC, GCIH, GGSC Network Security and Software Development

More information

Secure Development Processes

Secure Development Processes Secure Development Processes SecAppDev2009 What s the problem? Writing secure software is tough Newcomers often are overwhelmed Fear of making mistakes can hinder Tend to delve into security superficially

More information

OWASP German Chapter Stammtisch Initiative/Ruhrpott. Android App Pentest Workshop 101

OWASP German Chapter Stammtisch Initiative/Ruhrpott. Android App Pentest Workshop 101 OWASP German Chapter Stammtisch Initiative/Ruhrpott Android App Pentest Workshop 101 About What we will try to cover in the first session: Setup of a Mobile Application Pentest Environment Basics of Mobile

More information

About Me. Rohit Salecha

About Me. Rohit Salecha Serialization Bugs About Me Rohit Salecha Senior Security Consultant @ NotSoSecure 7+ yrs of Corporate Experience Pentesting (Web, Mobile, Infra) and Development in Java Trainer : AppSec for Developers,

More information

All the Cool Kids Are Red Teaming Should You Be Drinking the Kool-aid Too?

All the Cool Kids Are Red Teaming Should You Be Drinking the Kool-aid Too? All the Cool Kids Are Red Teaming Should You Be Drinking the Kool-aid Too? Exploring Different Approaches to Penetration Testing Cara Marie NCC Group ISSA-LA Aug 2017 Obligatory About Me NCC Group Principal

More information

Andrés Riancho sec.com H2HC, 1

Andrés Riancho sec.com H2HC, 1 Andrés Riancho andres@bonsai-sec.com sec.com H2HC, HC, Brazil - 2009 1 Web Application Security enthusiast Developer (python!) Open Source Evangelist With some knowledge in networking, IPS design and evasion

More information

WAPT in pills: Self-paced, online, flexible access interactive slides. 4+ hours of video materials

WAPT in pills: Self-paced, online, flexible access interactive slides. 4+ hours of video materials The most practical and comprehensive training course on Web App Penetration testing WAPT in pills: Self-paced, online, flexible access 1000+ interactive slides 4+ hours of video materials Learn the most

More information

Making the web secure by design

Making the web secure by design Making the web secure by design Glenn ten Cate Security Engineer @Schuberg Philis Riccardo ten Cate Security Researcher Agenda Why SKF What you will get/learn Stages of development Intro & how to Hands

More information

Secure Web Application Development: Hands-on Teaching Modules

Secure Web Application Development: Hands-on Teaching Modules Secure Web Application Development: Hands-on Teaching Modules Presenter: Li-Chiou Chen ACM SIGCSE 2011 Workshop 27 March 12 th, 2011 Project Team: Li-Chiou Chen, Lixin Tao and Chienting Lin, Pace University

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

Cisco Firepower NGIPS Tuning and Best Practices

Cisco Firepower NGIPS Tuning and Best Practices Cisco Firepower NGIPS Tuning and Best Practices John Wise, Security Instructor High Touch Delivery, Cisco Learning Services CTHCRT-2000 Cisco Spark How Questions? Use Cisco Spark to communicate with the

More information

ZAP Innovations. OWASP Zed Attack Proxy. Simon Bennetts. OWASP AppSec EU Hamburg The OWASP Foundation

ZAP Innovations. OWASP Zed Attack Proxy. Simon Bennetts. OWASP AppSec EU Hamburg The OWASP Foundation OWASP AppSec EU Hamburg 2013 The OWASP Foundation http://www.owasp.org ZAP Innovations OWASP Zed Attack Proxy Simon Bennetts OWASP ZAP Project Lead Mozilla Security Team psiinon@gmail.com Copyright The

More information

Monitoring Attack Surface and Integrating Security into DevOps Pipelines

Monitoring Attack Surface and Integrating Security into DevOps Pipelines Monitoring Attack Surface and Integrating Security into DevOps Pipelines Dan Cornell @danielcornell 0 Agenda Background Importance of Attack Surface What Does Attack Surface Have to Do with DevOps? Hybrid

More information

Agenda. Introduce the Tale of Two developers. Domino Top Secret. Back to the Future with the Domino

Agenda. Introduce the Tale of Two developers. Domino Top Secret. Back to the Future with the Domino Agenda Introduce the Tale of Two developers Domino Top Secret Industry Scenario based demo and the reach of Domino Apps Back to the Future with the Domino the Secure NOSQL Database with Node.js Hint: June

More information

Web Application Vulnerabilities: OWASP Top 10 Revisited

Web Application Vulnerabilities: OWASP Top 10 Revisited Pattern Recognition and Applications Lab Web Application Vulnerabilities: OWASP Top 10 Revisited Igino Corona igino.corona AT diee.unica.it Computer Security April 5th, 2018 Department of Electrical and

More information

ME?

ME? ME? VULNEX: Blog: Twitter: www.vulnex.com www.simonroses.com @simonroses TALK OBJECTIVES Apps are the new Web Peek into current state of Apps security on Markets Bugs will be revealed but not the victims

More information

Additional Security Services on AWS

Additional Security Services on AWS Additional Security Services on AWS Bertram Dorn Specialized Solutions Architect Security / Compliance / DataProtection AWS EMEA The Landscape The Paths Application Data Path Path Cloud Managed by Customer

More information

Ethical Hacking as a Professional Penetration Testing Technique ISSA Southern Tier & Rochester Chapters

Ethical Hacking as a Professional Penetration Testing Technique ISSA Southern Tier & Rochester Chapters Ethical Hacking as a Professional Penetration Testing Technique ISSA Southern Tier & Rochester Chapters - Durkee Consulting, Inc. Background Founder of Durkee Consulting since 1996 Founder of Rochester

More information

Application Security Approach

Application Security Approach Technical Approach Page 1 CONTENTS Section Page No. 1. Introduction 3 2. What is Application Security 7 3. Typical Approaches 9 4. Methodology 11 Page 2 1. INTRODUCTION Page 3 It is a Unsafe Cyber world..

More information

SUG Breakout Session: OSC OnDemand App Development

SUG Breakout Session: OSC OnDemand App Development SUG Breakout Session: OSC OnDemand App Development Basil Mohamed Gohar Web and Interface Applications Manager Eric Franz Senior Engineer & Technical Lead This work is supported by the National Science

More information

How to hack and secure your Java web applications

How to hack and secure your Java web applications How to hack and secure your Java web applications Sebastien Deleersnyder Board Member OWASP Speaker s qualifications 5 years developer experience 8 years information security experience Lead application

More information

What someone said about junk hacking

What someone said about junk hacking What someone said about junk hacking Yes, we get it. Cars, boats, buses, and those singing fish plaques are all hackable and have no security. Most conferences these days have a! whole track called "Junk

More information

Advanced Techniques for DDoS Mitigation and Web Application Defense

Advanced Techniques for DDoS Mitigation and Web Application Defense Advanced Techniques for DDoS Mitigation and Web Application Defense Dr. Andrew Kane, Solutions Architect Giorgio Bonfiglio, Technical Account Manager June 28th, 2017 2017, Amazon Web Services, Inc. or

More information

Breaking and Securing Mobile Apps

Breaking and Securing Mobile Apps Breaking and Securing Mobile Apps Aditya Gupta @adi1391 adi@attify.com +91-9538295259 Who Am I? The Mobile Security Guy Attify Security Architecture, Auditing, Trainings etc. Ex Rediff.com Security Lead

More information

Cloud Foundry Bootcamp

Cloud Foundry Bootcamp Cloud Foundry Bootcamp GOTO 2012 Josh Long Spring Developer Advocate josh.long@springsource.com 2012 VMware, Inc. All rights reserved Josh Long Spring Developer Advocate josh.long@springsource.com About

More information

n Explain penetration testing concepts n Explain vulnerability scanning concepts n Reconnaissance is the first step of performing a pen test

n Explain penetration testing concepts n Explain vulnerability scanning concepts n Reconnaissance is the first step of performing a pen test Chapter Objectives n Explain penetration testing concepts n Explain vulnerability scanning concepts Chapter #4: Threats, Attacks, and Vulnerabilities Vulnerability Scanning and Penetration Testing 2 Penetration

More information

Application Layer Security

Application Layer Security Application Layer Security General overview Ma. Angel Marquez Andrade Benefits of web Applications: No need to distribute separate client software Changes to the interface take effect immediately Client-side

More information

Seth & Ken s Excellent Adventures in Secure Code Review. Training Course 17th & 18th of October. Table of Contents

Seth & Ken s Excellent Adventures in Secure Code Review. Training Course 17th & 18th of October. Table of Contents Seth & Ken s Excellent Adventures in Secure Code Review Training Course 17th & 18th of October Table of Contents Seth & Ken s Excellent Adventures in Secure Code Review 1 Course Abstract 2 What attendees

More information

Investigating Source Code Reusability for Android and Blackberry Applications

Investigating Source Code Reusability for Android and Blackberry Applications Investigating Source Code Reusability for Android and Blackberry Applications Group G8 Jenelle Chen Aaron Jin 1 Outline Recaps Challenges with mobile development Problem definition Approach Demo Detailed

More information

Installing Visual Studio for Report Design

Installing Visual Studio for Report Design Introduction and Contents This file contains the final set of instructions needed for software installation for HIM 6217. It covers items 4 & 5 from the previously introduced list seen below: 1. Microsoft

More information

Cloud platforms. T Mobile Systems Programming

Cloud platforms. T Mobile Systems Programming Cloud platforms T-110.5130 Mobile Systems Programming Agenda 1. Motivation 2. Different types of cloud platforms 3. Popular cloud services 4. Open-source cloud 5. Cloud on this course 6. Mobile Edge Computing

More information

Spark SDK Video - Overview and Coding Demo

Spark SDK Video - Overview and Coding Demo DEVNET-2026 Spark SDK Video - Overview and Coding Demo Olivier Proffit - Sr. Product Manager David Staudt DevNet Developer Evangelist Cisco Spark How Questions? Use Cisco Spark to communicate with the

More information

WebGoat Lab session overview

WebGoat Lab session overview WebGoat Lab session overview Initial Setup Virtual Machine Tamper Data Web Goat Basics HTTP Basics Sniffing Web server attacks SQL Injection XSS INITIAL SETUP Tamper Data Hold alt to reveal the menu in

More information

Secure DevOps: A Puma s Tail

Secure DevOps: A Puma s Tail Secure DevOps: A Puma s Tail SANS Secure DevOps Summit Tuesday, October 10th 2017 Eric Johnson (@emjohn20) Eric Johnson, CISSP, GSSP, GWAPT Cypress Data Defense Principal Security Consultant Static code

More information