How to hack and secure your Java web applications
|
|
- Johnathan Rudolph Wood
- 5 years ago
- Views:
Transcription
1 How to hack and secure your Java web applications Sebastien Deleersnyder Board Member OWASP
2 Speaker s qualifications 5 years developer experience 8 years information security experience Lead application security Telindus, Belgacom ICT Belgian OWASP chapter founder OWASP board member 2
3 Overall Presentation Goal It is easy to hack Java web applications! so is securing them (with a little OWASP help)
4 OWASP?
5 OWASP The Open Web Application Security Project (OWASP) International not-for-profit charitable Open Source organization funded primarily by volunteers time, OWASP Memberships, and OWASP Conference fees Participation in OWASP is free and open to all 5
6 OWASP Mission to make application security "visible," so that people and organizations can make informed decisions about application security risks 6
7 OWASP Resources and Community Documentation (Wiki and Books) Code Review, Testing, Building, Legal, more Code Projects Defensive, Offensive (Test tools), Education, Process, more Chapters Over 130 and growing Conferences Major and minor events all around the world
8 9 8
9 130+ Chapters Worldwide 9
10 Hacking Java web applications
11 XSS? 11
12 XSS? 11
13 XSS? 11
14 XSS? 11
15 XSS? XSS = Cross-site Scripting 11
16 XSS? XSS = Cross-site Scripting Web application vulnerability 11
17 XSS? XSS = Cross-site Scripting Web application vulnerability Injection of code into web pages viewed by others 11
18 XSS? XSS = Cross-site Scripting Web application vulnerability Injection of code into web pages viewed by others XSS = new buffer overflow Javascript = new Shell Code 11
19 How is this possible? DATA CODE! Injected XSS (Stored) Blog comment, profile update, guestbook, Reflected XSS (Links!) Search result, error page, 12
20 DEMO XSS WebGoat + Firefox
21 Reality Check XSS on Italian Bank Inject IFRAME Login form from Taiwan Works over SSL! 14
22 XSS In 7 major Dutch Online Banks (яoиald) Postbank ABN AMRO SNS bank Fortis banking Delta Lloyd banking Spaarbeleg banking Insinger de Beaufort banking 15 Source: 0x com
23 SQLi? The ability to inject SQL commands into the database engine through an existing application 17 16
24 SQLi? The ability to inject SQL commands into the database engine through an existing application Database 17 16
25 SQLi? The ability to inject SQL commands into the database engine through an existing application Database 17 16
26 SQLi? The ability to inject SQL commands into the database engine through an existing application Database 17 16
27 DEMO SQLi WebGoat + WebScarab + Firefox
28 Reality Check MLSGear SQLi names, addresses, credit and debit card data, and passwords of an unknown number of people (169 New Hampshire residents) exposed 40 million credit cards from CardSystems, Inc Hackers Take Down Pennsylvania Government RIAA web site cleared An SQL injection Mass Robot Infamous Russian malware gang used SQL injection to penetrate US government sites Tucson, Arizona police web site defaced using SQL injection 18
29 Fixes XSS SQLi Input validation Output encoding Input validation Parameterized queries Least privilege 19
30 Securing Java web applications
31 OWASP Top 10 The Ten Most Critical Web Application Security Vulnerabilities 2007 Release A great start, but not a standard 21
32 Key Application Security Vulnerabilities A1: Cross Site Scripting (XSS) A2: Injection Flaws A3: Malicious File Execution A4: Insecure Direct Object Reference A8: Insecure Cryptographic Storage A7: Broken Authentication and Session A6: Information Leakage and Improper Error A5: Cross Site Request Forgery (CSRF) A9: Insecure Communications A10: Failure to Restrict URL Access 22
33 The Big 4 Documentation Projects Building Guide Code Review Guide Testing Guide Application Security Desk Reference (ASDR)
34 The Guide Complements OWASP Top p Book Free and open source Gnu Free Doc License Many contributors Apps and web services Most platforms Examples are J2EE, ASP.NET, and PHP Comprehensive Project Leader and Editor Andrew van der Stock,
35 Each Topic Includes Basic Information (like OWASP T10) How to Determine If You Are Vulnerable How to Protect Yourself Adds Objectives Environments Affected Relevant COBIT Topics Theory Best Practices Misconceptions Code Snippets - even Java
36 Testing Guide v2: Index 1. Frontispiece 2. Introduction 3. The OWASP Testing Framework 4. Web Application Penetration Testing 5. Writing Reports: value the real risk Appendix A: Testing Tools Appendix B: Suggested Reading Appendix C: Fuzz Vectors 26
37 What Is the OWASP Testing Guide? Testing Principles Testing Process Custom Web Applications Black Box Testing Grey Box Testing Risk and Reporting Appendix: Testing Tools Appendix: Fuzz Vectors Information Gathering Business Logic Testing Authentication Testing Session Management Testing Data Validation Testing Denial of Service Testing Web Services Testing Ajax Testing 27
38 How the Guide helps securing applications Testers A structured approach to the testing activities A checklist to be followed A learning and training tool Organisations A tool to understand web vulnerabilities and their impact A way to check the quality of security tests More generally, the Testing Guide aims to provide a pen-testing standard that creates a 'common ground' between the testing groups and its customers. This will raise the overall quality and understanding of this kind of activity and therefore the general level of security of our applications 28
39 OWASP Java Project Produce materials that show J2EE architects, developers and deployers how to deal with most common application security problems throughout the lifecycle. 29
40 J2EE Security for developers 2.1 Noteworthy Frameworks 2.2 Java Security Basics 2.3 Input Validation Overview 2.4 Input Validation 2.5 Authentication 2.6 Session Management 2.7 Authorization 2.8 Encryption o Preventing SQL Injection in Java 2.9 Error Handling & Logging o Preventing LDAP Injection in 2.10 JavaWeb Services Security o XPATH Injection 2.11 Code Analysis Tools o Miscellaneous Injection Attacks 30
41 Tools Best known OWASP Tools WebGoat WebScarab Exhaustive list: Tools
42 Tools At Best 45% Coverage 5,00 MITRE found that all application security tool vendors claims put together cover only 45% of the known vulnerability types (over 600 in CWE) Not Covered 55,00 They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true)
43 ESAPI Using security controls is different from building All the security guidelines, courses, tutorials, websites, books, etc are all mixed up because everyone builds their own controls Most developers shouldn t build security controls When to use a control How to use a control Why to use a control (maybe) Most enterprises need the same set of calls 33
44 The OWASP Enterprise Security API Cus Ent Authentic User AccessCo AccessRef Validator Encoder HTTPUtiliti Encryptor Encrypted Randomiz Exception Logger IntrusionD SecurityC Existing Enterprise Security Services/Libraries 34
45 Coverage OWASP Top Ten A1. Cross Site Scripting (XSS) A2. Injection Flaws A3. Malicious File Execution A4. Insecure Direct Object Reference A5. Cross Site Request Forgery (CSRF) A6. Leakage and Improper Error Handling A7. Broken Authentication and Sessions A8. Insecure Cryptographic Storage A9. Insecure Communications A10. Failure to Restrict URL Access OWASP ESAPI Validator, Encoder Encoder HTTPUtilities (upload) AccessReferenceMap User (csrftoken) EnterpriseSecurityException, HTTPUtils Authenticator, User, HTTPUtils Encryptor HTTPUtilities (secure cookie, channel) AccessController
46 Create Your ESAPI Implementation Your Security Services Wrap your existing libraries and services Extend and customize your ESAPI implementation Fill in gaps with the reference implementation Your Coding Guideline Tailor the ESAPI coding guidelines Retrofit ESAPI patterns to existing code 36
47 Want More? OWASP.NET Project OWASP ASDR Project OWASP AntiSamy Project OWASP AppSec FAQ Project OWASP Application Security Assessment Standards Project OWASP Application Security Metrics Project OWASP Application Security Requirements Project OWASP CAL9000 Project OWASP CLASP Project OWASP CSRFGuard Project OWASP CSRFTester Project OWASP Career Development Project OWASP Certification Criteria Project OWASP Certification Project OWASP Code Review Project OWASP Communications Project OWASP DirBuster Project OWASP Education Project OWASP Encoding Project OWASP Enterprise Security API OWASP Flash Security Project OWASP Guide Project OWASP Honeycomb Project OWASP Insecure Web App Project OWASP Interceptor Project OWASP JBroFuzz OWASP Java Project OWASP LAPSE Project OWASP Legal Project OWASP Live CD Project OWASP Logging Project OWASP Orizon Project OWASP PHP Project OWASP Pantera Web Assessment Studio Project OWASP SASAP Project OWASP SQLiX Project OWASP SWAAT Project OWASP Sprajax Project OWASP Testing Project OWASP Tools Project OWASP Top Ten Project OWASP Validation Project OWASP WASS Project OWASP WSFuzzer Project OWASP Web Services Security Project OWASP WebGoat Project OWASP WebScarab Project OWASP XML Security Gateway Evaluation Criteria Project OWASP on the Move Project OWASP JBroFuzz OWASP Java Project OWASP LAPSE Project OWASP Legal Project OWASP Live CD Project OWASP Logging Project OWASP Orizon Project OWASP PHP Project OWASP Pantera Web Assessment Studio Project OWASP SASAP Project OWASP SQLiX Project OWASP SWAAT Project OWASP Sprajax Project OWASP Testing Project OWASP Tools Project OWASP Top Ten Project OWASP Validation Project OWASP WASS Project OWASP WSFuzzer Project OWASP Web Services Security Project OWASP WebGoat Project OWASP WebScarab Project OWASP XML Security Gateway Evaluation Criteria Project OWASP on the Move Project 37
48 OWASP Projects Are Alive!
49 SDLC & OWASP Guidelines OWASP Framework 39
50 OWASP near you
51 56 videos - 40 h 41
52 Upcoming Conferences Colorado Mar 2009 AppSecUS DC Oct 2009 Dublin Jun 2009 Italy Feb 2009 AppSecEU Poland May 2009 Gold Coast Feb
53 Belgium Chapter Meetings Local Mailing List Presentations & Groups Open forum for discussion Meet fellow InfoSec professionals & developers Create (Web)AppSec awareness Local projects?
54 Subscribe to Chapter mailing list Post your (Web)AppSec questions Keep up to date! Get OWASP news letters Contribute to discussions! 44
55 Concluding statement YOU are part of the solution
56 Q&A
57 Thanks for your attention!
Welcome to OWASP Bay Area Application Security Summit July 23rd, OWASP July 23 rd, The OWASP Foundation
Welcome to OWASP Bay Area Application Security Summit July 23rd, 2009 OWASP July 23 rd, 2009 Mandeep Khera OWASP Bay Area Chapter Leader mkhera@owasp.org mandeep@cenzic.com Phone: 408-200-0712 Copyright
More informationDeveloping Secure Applications with OWASP OWASP. The OWASP Foundation Martin Knobloch
Developing Secure Applications with OWASP Martin Knobloch martin.knobloch@owasp.org OWASP OWASP NL Chapter Board OWASP Global Education Committee Chair Copyright The OWASP Foundation Permission is granted
More informationNotes From The field
Notes From The field tools and usage experiences Jarkko Holappa Antti Laulajainen Copyright The Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the License.
More informationApplication Security for the Masses. OWASP Greek Chapter Meeting 16/3/2011. The OWASP Foundation
Application Security for the Masses Konstantinos Papapanagiotou Greek Chapter Leader Syntax IT Inc Greek Chapter Meeting 16/3/2011 Konstantinos@owasp.org Copyright The Foundation Permission is granted
More informationOWASP InfoSec Romania 2013
OWASP InfoSec Romania 2013 Secure Development Lifecycle, The good, the bad and the ugly! October 25 th 2013 Martin Knobloch OWASP Netherlands Chapter Leader Applications are about information! 3 pillars
More informationAndrew van der Stock OWASP Foundation
Andrew van der Stock is among the many contributors to the OWASP project over the years. Andrew has presented at many conferences, including BlackHat USA, linux.conf.au, and AusCERT, and is a leading Australian
More informationWeb Application Penetration Testing
Web Application Penetration Testing COURSE BROCHURE & SYLLABUS Course Overview Web Application penetration Testing (WAPT) is the Security testing techniques for vulnerabilities or security holes in corporate
More informationAguascalientes Local Chapter. Kickoff
Aguascalientes Local Chapter Kickoff juan.gama@owasp.org About Us Chapter Leader Juan Gama Application Security Engineer @ Aspect Security 9+ years in Appsec, Testing, Development Maintainer of OWASP Benchmark
More informationV Conference on Application Security and Modern Technologies
V Conference on Application Security and Modern Technologies In collaborazione con Venezia, Università Ca Foscari 6 Ottobre 2017 1 Matteo Meucci OWASP Nuovi standard per la sicurezza applicativa 2
More informationOWASP Top 10 The Ten Most Critical Web Application Security Risks
OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain
More informationCSWAE Certified Secure Web Application Engineer
CSWAE Certified Secure Web Application Engineer Overview Organizations and governments fall victim to internet based attacks every day. In many cases, web attacks could be thwarted but hackers, organized
More informationCertified Secure Web Application Engineer
Certified Secure Web Application Engineer ACCREDITATIONS EXAM INFORMATION The Certified Secure Web Application Engineer exam is taken online through Mile2 s Assessment and Certification System ( MACS ),
More informationWeb Application Security. Philippe Bogaerts
Web Application Security Philippe Bogaerts OWASP TOP 10 3 Aim of the OWASP Top 10 educate developers, designers, architects and organizations about the consequences of the most common web application security
More informationSecuring Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software
Securing Your Web Application against security vulnerabilities Alvin Wong, Brand Manager IBM Rational Software Agenda Security Landscape Vulnerability Analysis Automated Vulnerability Analysis IBM Rational
More informationOWASP Romania Chapter
OWASP EU Tour Bucharest 2013 The OWASP Foundation http://www.owasp.org OWASP Romania Chapter Chirita Ionel Application Security Analyst @ EA Romania Chapter Board Member chirita.ionel@gmail.com Copyright
More informationApplication. Security. on line training. Academy. by Appsec Labs
Application Security on line training Academy by Appsec Labs APPSEC LABS ACADEMY APPLICATION SECURITY & SECURE CODING ON LINE TRAINING PROGRAM AppSec Labs is an expert application security company serving
More informationDevelopment*Process*for*Secure* So2ware
Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development
More informationOWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example
Proxy Caches and Web Application Security Using the Recent Google Docs 0-Day as an Example Tim Bass, CISSP Chapter Leader, Thailand +66832975101, tim@unix.com AppSec Asia October 21, 2008 Thailand Worldwide
More informationApplication Security through a Hacker s Eyes James Walden Northern Kentucky University
Application Security through a Hacker s Eyes James Walden Northern Kentucky University waldenj@nku.edu Why Do Hackers Target Web Apps? Attack Surface A system s attack surface consists of all of the ways
More informationOWASP ROI: OWASP Austin Chapter. The OWASP Foundation Optimize Security Spending using OWASP
OWASP ROI: Optimize Security Spending using OWASP OWASP Austin Chapter Matt Tesauro OWASP Global Projects Committee Member OWASP Live CD Project Lead mtesauro@gmail.com Copyright The OWASP Foundation Permission
More informationStudents should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:
Secure Java Web Application Development Lifecycle - SDL (TT8325-J) Day(s): 5 Course Code: GK1107 Overview Secure Java Web Application Development Lifecycle (SDL) is a lab-intensive, hands-on Java / JEE
More informationMobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing
Mobile Malfeasance Exploring Dangerous Mobile Code Jason Haddix, Director of Penetration Testing Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to
More informationTRAINING CURRICULUM 2017 Q2
TRAINING CURRICULUM 2017 Q2 Index 3 Why Security Compass? 4 Discover Role Based Training 6 SSP Suites 7 CSSLP Training 8 Course Catalogue 14 What Can We Do For You? Why Security Compass? Role-Based Training
More informationWhere we are.. Where we are going!
The OWASP Foundation! http://www.owasp.org! Where we are.. Where we are going!! International Board of Directors! OWASP Foundation" " ~ Quick Update ~" Mission! Make application security visible so that
More information"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary
Course Summary Description Securing.Net Web Applications - Lifecycle is a lab-intensive, hands-on.net security training course, essential for experienced enterprise developers who need to produce secure.net-based
More informationSichere Software vom Java-Entwickler
Sichere Software vom Java-Entwickler Dominik Schadow Java Forum Stuttgart 05.07.2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN We can no longer
More informationOWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP
OWASP Top 10 Risks Dean.Bushmiller@ExpandingSecurity.com Many thanks to Dave Wichers & OWASP My Mom I got on the email and did a google on my boy My boy works in this Internet thing He makes cyber cafes
More informationApplication Security. Doug Ashbaugh CISSP, CISA, CSSLP. Solving the Software Quality Puzzle
Application Security Doug Ashbaugh CISSP, CISA, CSSLP Page 1 It security Page 2 Page 3 Percent of Breaches Page 4 Hacking 5% 15% 39% Page 5 Common Attack Pathways Page 6 V u ln e ra b ilitie s / We a k
More informationWelcome to the OWASP TOP 10
Welcome to the OWASP TOP 10 Secure Development for Java Developers Dominik Schadow 03/20/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN 1 AGENDA
More informationRiskSense Attack Surface Validation for Web Applications
RiskSense Attack Surface Validation for Web Applications 2018 RiskSense, Inc. Keeping Pace with Digital Business No Excuses for Not Finding Risk Exposure We needed a faster way of getting a risk assessment
More informationOpen Web Application Security Project
The OWASP Foundation http://www.owasp.org Open Web Application Security Project Antonio Fontes antonio.fontes@owasp.org SWISS CYBER STORM Conference May 2011 Rapperswil Copyright The OWASP Foundation Permission
More information1 About Web Security. What is application security? So what can happen? see [?]
1 About Web Security What is application security? see [?] So what can happen? 1 taken from [?] first half of 2013 Let s focus on application security risks Risk = vulnerability + impact New App: http://www-03.ibm.com/security/xforce/xfisi
More informationOWASP ESAPI SwingSet. OWASP 26 April Fabio Cerullo Ireland Chapter Leader Global Education Committee
OWASP ESAPI SwingSet OWASP 26 April 2011 Fabio Cerullo Ireland Chapter Leader Global Education Committee fcerullo@owasp.org +353 87 7817468 Copyright The OWASP Foundation Permission is granted to copy,
More informationSECURITY TESTING. Towards a safer web world
SECURITY TESTING Towards a safer web world AGENDA 1. 3 W S OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS ate: 2013-14 Few Security Breaches September
More informationGetting Ready. I have copies on flash drives Uncompress the VM. Mandiant Corporation. All rights reserved.
Getting Ready In order to get the most from this session, please download / install: OWASP ZAP, which requires a Java runtime A virtualization package, such as the free VirtualBox, free VMware Player,
More informationWeb insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.
Web Security Web Programming Uta Priss ZELL, Ostfalia University 2013 Web Programming Web Security Slide 1/25 Outline Web insecurity Security strategies General security Listing of server-side risks Language
More informationKishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009
Securing Web Applications: Defense Mechanisms Kishin Fatnani Founder & Director K-Secure Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009 1 Agenda Current scenario in Web Application
More informationApplication Security Introduction. Tara Gu IBM Product Security Incident Response Team
Application Security Introduction Tara Gu IBM Product Security Incident Response Team About Me - Tara Gu - tara.weiqing@gmail.com - Duke B.S.E Biomedical Engineering - Duke M.Eng Computer Engineering -
More informationUnder the hood testing - Code Reviews - - Harshvardhan Parmar
Under the hood testing - Code Reviews - - Harshvardhan Parmar In the news September 2011 A leading bank s Database hacked (SQLi) June 2011 Sony hack exposes consumer passwords (SQLi) April 2011 Sony sites
More informationHacker Attacks on the Horizon: Web 2.0 Attack Vectors
IBM Software Group Hacker Attacks on the Horizon: Web 2.0 Attack Vectors Danny Allan Director, Security Research dallan@us.ibm.com 2/21/2008 Agenda HISTORY Web Eras & Trends SECURITY Web 2.0 Attack Vectors
More informationTop 10 Web Application Vulnerabilities
Top 10 Web Application Vulnerabilities Why you should care about them plus a live hacking demo!! Why should you care?! Insecure so*ware is undermining our financial, healthcare, defense, energy, and other
More informationCopyright
1 Security Test EXTRA Workshop : ANSWER THESE QUESTIONS 1. What do you consider to be the biggest security issues with mobile phones? 2. How seriously are consumers and companies taking these threats?
More informationSolutions Business Manager Web Application Security Assessment
White Paper Solutions Business Manager Solutions Business Manager 11.3.1 Web Application Security Assessment Table of Contents Micro Focus Takes Security Seriously... 1 Solutions Business Manager Security
More informationWhy bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?
Jeroen van Beek 1 Why bother? Causes of data breaches OWASP Top ten attacks Now what? Do it yourself Questions? 2 In many cases the web application stores: Credit card details Personal information Passwords
More informationYour Turn to Hack the OWASP Top 10!
OWASP Top 10 Web Application Security Risks Your Turn to Hack OWASP Top 10 using Mutillidae Born to Be Hacked Metasploit in VMWare Page 1 https://www.owasp.org/index.php/main_page The Open Web Application
More informationEngineering Your Software For Attack
Engineering Your Software For Attack Robert A. Martin Senior Principal Engineer Cyber Security Center Center for National Security The MITRE Corporation 2013 The MITRE Corporation. All rights reserved.
More informationSecurity Communications and Awareness
Security Communications and Awareness elearning OVERVIEW Recent high-profile incidents underscore the need for security awareness training. In a world where your employees are frequently exposed to sophisticated
More informationFeb 28, :01-02:30 Welcome note & Introduction to OWASP : Somen Das, OWASP BBSR Chapter Lead
Agenda Feb 28, 2014 Time (PM) Web Application Security Education Program 01:15-01:45 Arrival, Registration and Coffee 01:45-02:00 Inaugural Address by Jibitesh Mishra HOD IT Dept. CET Bhubaneswar 02:01-02:30
More informationOnline Intensive Ethical Hacking Training
Online Intensive Ethical Hacking Training Feel the heat of Security and Learn something out of the box 0 About the Course This is a 7 Days Intensive Training Program on Ethical Hacking & Cyber Security.
More informationApplication Security Approach
Technical Approach Page 1 CONTENTS Section Page No. 1. Introduction 3 2. What is Application Security 7 3. Typical Approaches 9 4. Methodology 11 Page 2 1. INTRODUCTION Page 3 It is a Unsafe Cyber world..
More informationCLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance
IBM Innovate 2010 CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance Anthony Lim MBA CISSP CSSLP FCITIL Director, Asia Pacific, Software Security Solutions IBM,
More informationAndrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West
Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing Advancing Expertise in Security Testing Taming the Wild West Canberra, Australia 1 Who is this guy? Andrew
More informationA D V I S O R Y S E R V I C E S. Web Application Assessment
A D V I S O R Y S E R V I C E S Web Application Assessment March 2009 Agenda Definitions Landscape of current web applications Required skills Attack surface Scope Methodology Soft skills 2 Definitions
More informationImproving Security in the Application Development Life-cycle
Improving Security in the Application Development Life-cycle Migchiel de Jong Software Security Engineer mdejong@fortifysoftware.com March 9, 2006 General contact: Jurgen Teulings, 06-30072736 jteulings@fortifysoftware.com
More informationCertified Secure Web Application Security Test Checklist
www.certifiedsecure.com info@certifiedsecure.com Tel.: +31 (0)70 310 13 40 Loire 128-A 2491 AJ The Hague The Netherlands Certified Secure Checklist About Certified Secure exists to encourage and fulfill
More informationIn collaborazione con
In collaborazione con 1. Software Security Introduction 2. SDLC frameworks: how OWASP can help on software security 3. OWASP Software Security 5 Dimension Framework 4. Apply the models to a real
More informationOWASP Top The Top 10 Most Critical Web Application Security Risks. The OWASP Foundation
OWASP Top 10 2010 The Top 10 Most Critical Web Application Security Risks Dave Wichers COO, Aspect Security OWASP Board Member dave.wichers@aspectsecurity.com dave.wichers@owasp.org Copyright The OWASP
More informationProvide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any
OWASP Top 10 Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any tester can (and should) do security testing
More informationOWASP Top David Caissy OWASP Los Angeles Chapter July 2017
OWASP Top 10-2017 David Caissy OWASP Los Angeles Chapter July 2017 About Me David Caissy Web App Penetration Tester Former Java Application Architect IT Security Trainer: Developers Penetration Testers
More informationIngram Micro Cyber Security Portfolio
Ingram Micro Cyber Security Portfolio Ingram Micro Inc. 1 Ingram Micro Cyber Security Portfolio Services Trainings Vendors Technical Assessment General Training Consultancy Service Certification Training
More informationC1: Define Security Requirements
OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security
More informationOWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati
OWASP TOP 10 2017 Release Andy Willingham June 12, 2018 OWASP Cincinnati Agenda A quick history lesson The Top 10(s) Web Mobile Privacy Protective Controls Why have a Top 10? Software runs the world (infrastructure,
More informationMinds.com Platform Full Disclosure
18/06/15 security@voidsec.com Minds.com Platform Full Disclosure Performers: Paolo Stagno ( aka voidsec voidsec@voidsec.com ) Luca Poletti ( aka kalup kalup@voidsec.com ) 1 18/06/15 security@voidsec.com
More informationIntroduction to Ethical Hacking
Introduction to Ethical Hacking Summer University 2017 Seoul, Republic of Korea Alexandre Karlov Today Some tools for web attacks Wireshark How a writeup looks like 0x04 Tools for Web attacks Overview
More informationSecure DevOps: A Puma s Tail
Secure DevOps: A Puma s Tail SANS Secure DevOps Summit Tuesday, October 10th 2017 Eric Johnson (@emjohn20) Eric Johnson, CISSP, GSSP, GWAPT Cypress Data Defense Principal Security Consultant Static code
More informationOWASP Broken Web Application Project. When Bad Web Apps are Good
OWASP Broken Web Application Project When Bad Web Apps are Good About Me Mordecai (Mo) Kraushar Director of Audit, CipherTechs OWASP Project Lead, Vicnum OWASP New York City chapter member Assessing the
More informationAttacks Against Websites. Tom Chothia Computer Security, Lecture 11
Attacks Against Websites Tom Chothia Computer Security, Lecture 11 A typical web set up TLS Server HTTP GET cookie Client HTML HTTP file HTML PHP process Display PHP SQL Typical Web Setup HTTP website:
More informationTraining Program Catalog SECURITY INNOVATION
Training Program Catalog SECURITY INNOVATION Table of Contents Computer Based Training - Security Awareness - General Staff AWA 007 - Information Privacy and Security Awareness for Executives (Duration:
More informationSECURITY TRAINING SECURITY TRAINING
SECURITY TRAINING SECURITY TRAINING Addressing software security effectively means applying a framework of focused activities throughout the software lifecycle in addition to implementing sundry security
More informationCourse 834 EC-Council Certified Secure Programmer Java (ECSP)
Course 834 EC-Council Certified Secure Programmer Java (ECSP) Duration: 3 days You Will Learn How To Apply Java security principles and secure coding practices Java Security Platform, Sandbox, JVM, Class
More informationExcerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt
Excerpts of Web Application Security focusing on Data Validation adapted for F.I.S.T. 2004, Frankfurt by fs Purpose of this course: 1. Relate to WA s and get a basic understanding of them 2. Understand
More informationTaking White Hats to the Laundry: How to Strengthen Testing in Common Criteria
Taking White Hats to the Laundry: How to Strengthen Testing in Common Criteria Apostol Vassilev, Principal Consultant September 23,2009. Product Testing in Common Criteria Product Testing in Common Criteria
More information01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED
01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED Contents 1. Introduction 3 2. Security Testing Methodologies 3 2.1 Internet Footprint Assessment 4 2.2 Infrastructure Assessments
More informationTesting from the Cloud: Is the sky falling?
AppSec USA 2011 The OWASP Foundation http://www.owasp.org Testing from the Cloud: Is the sky falling? Matt Tesauro OWASP Foundation Board Member, WTE Project Lead matt.tesauro@owasp.org In between Jobs
More information(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection
Pattern Recognition and Applications Lab (System) Integrity attacks System Abuse, Malicious File upload, SQL Injection Igino Corona igino.corona (at) diee.unica.it Computer Security April 9, 2018 Department
More informationWeb Application Vulnerabilities: OWASP Top 10 Revisited
Pattern Recognition and Applications Lab Web Application Vulnerabilities: OWASP Top 10 Revisited Igino Corona igino.corona AT diee.unica.it Computer Security April 5th, 2018 Department of Electrical and
More informationSimplifying Application Security and Compliance with the OWASP Top 10
Simplifying Application Security and Compliance with the OWASP Top 10 An Executive Perspective 187 Ballardvale Street, Wilmington, MA 01887 978.694.1008 ExECuTivE PErSPECTivE 2 introduction From a management
More informationWAPT in pills: Self-paced, online, flexible access interactive slides. 4+ hours of video materials
The most practical and comprehensive training course on Web App Penetration testing WAPT in pills: Self-paced, online, flexible access 1000+ interactive slides 4+ hours of video materials Learn the most
More informationDEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology
DEFENSIVE PROGRAMMING Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology Traditional Programming When writing a program, programmers typically
More informationSecurity Communications and Awareness
Security Communications and Awareness elearning OVERVIEW Recent high-profile incidents underscore the need for security awareness training. In a world where your employees are frequently exposed to sophisticated
More informationWeb Application Threats and Remediation. Terry Labach, IST Security Team
Web Application Threats and Remediation Terry Labach, IST Security Team IST Security Team The problem While we use frewalls and other means to prevent attackers from access to our networks, we encourage
More informationWhiteboard Hacking / Hands-on Threat Modeling. Introduction
Whiteboard Hacking / Hands-on Threat Modeling Introduction Sebastien Deleersnyder 5 years developer experience 15+ years information security experience Application security consultant Toreon Belgian OWASP
More informationApplication security : going quicker
Application security : going quicker The web application firewall example Agenda Agenda o Intro o Application security o The dev team approach o The infra team approach o Impact of the agility o The WAF
More informationShiftLeft. Real-World Runtime Protection Benchmarking
ShiftLeft Real-World Runtime Protection Benchmarking Table of Contents Executive Summary... 02 Testing Approach... 02 ShiftLeft Technology... 04 Test Application... 06 Results... 07 SQL injection exploits
More informationProtect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013
Protect Your Application with Secure Coding Practices Barrie Dempster & Jason Foy JAM306 February 6, 2013 BlackBerry Security Team Approximately 120 people work within the BlackBerry Security Team Security
More informationOPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES
OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES What is the OWASP Top 10? A list of the top ten web application vulnerabilities Determined by OWASP and the security community at large
More informationSecure Coding, some simple steps help. OWASP EU Tour 2013
Secure Coding, some simple steps help. OWASP EU Tour 2013 About Me Steven van der Baan - Dutch - 7Safe, part of PA Consulting Group - Developer - Pentester - Consultant - CISSP, OSCP It's amazing how
More informationWAPTv2 at a glance: Self-paced, online, flexible access interactive slides and 5+ hours of video material. Downloadable material
The most practical and comprehensive training course on Web App Pentest WAPTv2 at a glance: Self-paced, online, flexible access 1850+ interactive slides and 5+ hours of video material Downloadable material
More informationApplications Security
Applications Security OWASP Top 10 PyCon Argentina 2018 Objectives Generate awareness and visibility on web-apps security Set a baseline of shared knowledge across the company Why are we here / Trigger
More informationStudents should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:
Securing Java/ JEE Web Applications (TT8320-J) Day(s): 4 Course Code: GK1123 Overview Securing Java Web Applications is a lab-intensive, hands-on Java / JEE security training course, essential for experienced
More informationWeb Applications Part 1 The Weak Link in Information Security Your Last Line of Defense
Web Applications Part 1 The Weak Link in Information Security Your Last Line of Defense Anthony Lim MBA FCITIL CISSP CSSLP Director, Security Rational Software - Asia Pacific 1 Hong Kong 17 Nov 2009 Welcome
More informationAn analysis of security in a web application development process
An analysis of security in a web application development process Florent Gontharet Ethical Hacking University of Abertay Dundee MSc Ethical Hacking 2015 Table of Contents Abstract...2 Introduction...3
More informationF5 Application Security. Radovan Gibala Field Systems Engineer
1 F5 Application Security Radovan Gibala Field Systems Engineer r.gibala@f5.com +420 731 137 223 2007 2 Agenda Challenge Websecurity What are the problems? Building blocks of Web Applications Vulnerabilities
More informationCurso: Ethical Hacking and Countermeasures
Curso: Ethical Hacking and Countermeasures Module 1: Introduction to Ethical Hacking Who is a Hacker? Essential Terminologies Effects of Hacking Effects of Hacking on Business Elements of Information Security
More informationUsing Open Tools to Convert Threat Intelligence into Practical Defenses A Practical Approach
Using Open Tools to Convert Threat Intelligence into Practical Defenses A Practical Approach 2016 Presented by James Tarala (@isaudit) Principal Consultant Enclave Security 2 Historic Threat Hunting German
More informationWebGoat& WebScarab. What is computer security for $1000 Alex?
WebGoat& WebScarab What is computer security for $1000 Alex? Install WebGoat 10 Download from Google Code 20 Unzip the folder to where ever you want 30 Click on WebGoat.bat 40 Goto http://localhost/webgoat/attack
More informationManaged Application Security trends and best practices in application security
Managed Application Security trends and best practices in application security Adrian Locusteanu, B2B Delivery Director, Telekom Romania adrian.locusteanu@telekom.ro About Me Adrian Locusteanu is the B2B
More informationW e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s
W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s Session I of III JD Nir, Security Analyst Why is this important? ISE Proprietary Agenda About ISE Web Applications
More informationGOING WHERE NO WAFS HAVE GONE BEFORE
GOING WHERE NO WAFS HAVE GONE BEFORE Andy Prow Aura Information Security Sam Pickles Senior Systems Engineer, F5 Networks NZ Agenda: WTF is a WAF? View from the Trenches Example Attacks and Mitigation
More informationWEB APPLICATION PENETRATION TESTING VERSION 2
WEB APPLICATION PENETRATION TESTING VERSION 2 The most practical and comprehensive training course on web application pentesting elearnsecurity has been chosen by students in over 140 countries in the
More information