Nathan Desmet. Lead Engineer

Size: px
Start display at page:

Download "Nathan Desmet. Lead Engineer"

Transcription

1

2 Nathan Desmet Lead Engineer Degree in Applied Informatics - Computer and Cyber Crime Professional Co-founder of Sensei Security (which is merged with SCW) Leading the development of Sensei.

3 Pieter De Cremer, ir. Engineer and Ph.D Candidate M.Eng in Computer Science Engineering Thesis on binary patch diffing Personal grant from Flemish Government to work as a Ph.D. student One of the R&D leads at Secure Code Warrior

4 Vendor Pitch-Free Zone Promise

5 > Today s challenges

6 22M Software developers around the world ~ Evans Data Source:

7 111BN Lines of code written by developers every year ~ CSO Online Source:

8 1 to 4 Exploitable Security Bugs in every Lines of Code Source: StackOverflow

9 90% Security incidents result from defects in the design or code ~ DHS Source:

10 21% Of data breaches caused by software vulnerability ~ Verizon Source: Verizon, Data Breach Report, 2018 (but in there the last 10 years)

11 1 in 3 of newly scanned applications had SQL injections over the past 5 yrs ~ Cisco Source: Cybersecurity as a Growth Advantage, Cisco, 2016

12

13 > How did we end up here?

14 Corporates had a branding website, the Internet was mostly for geeks > AppSec was virtually non-existent in corporate world AppSec in 2000 > Hacking was focussed on exploiting infrastructure vulnerabilities (bof, race conditions, fmt str*) > Research on first web app weaknesses > OWASP started and Top 10 released! > Penetration testing was black magic

15 F**k it. We ve got bigger problems (Y2K) than worrying about Application Security

16 Companies started offering web-based services; Web 2.0 and Mobile are new > Penetration testing was THE thing > Web Application Firewalls will stop everything AppSec in 2010 > Paper-based secure coding guidelines > Static Code Analysis Tools (SAST) emerge

17 Monthly data breaches, Hackers everywhere, Privacy, GDPR, PCI-DSS, HIPAA Putin

18 Everything runs on software. Cybersecurity & AppSec are hot topics. > SAST is still here > Runtime Application Security Protection (RASP) AppSec in 2018 > Dynamic Application Security Testing (DAST) > Interactive Application Security Testing (IAST) > Crowd-Sourced Security Testing (CSST?) > DevSecOps is getting traction - Containerisation - Integrating security and ops into dev - Security pipelining > SHIFT Left

19 Challenge - Pen-testing mostly sucks AppSec in 2018 Security Experts Developers

20 Challenge - Black Hole of security knowledge AppSec in 2018

21 The current black hole of security knowledge TOOLS SECURITY EXPERTS TEST AND FIND VULNERABILITIES DEVELOPER FINDS WAY TO FIX THE PROBLEM KNOWLEDGE DISAPPEARS INTO A BLACK HOLE SIMILAR VULNERABILITY REAPPEARS

22 We re failing in Learning from Our Mistakes

23 Work

24 SHIFT START left Scale and Make an Impact as an AppSec Pro

25 > Where does enforcing coding guidelines come in?

26 Developer 1

27 Coding guideline

28 XXE

29 XXE

30 XXE

31 XXE

32 XXE

33 XXE

34 Preventing XXE

35 Preventing XXE

36 Preventing XXE Secure coding guideline On DocumentBuilderFactory call setfeature with these parameters before calling newdocumentbuilder

37 Developer 2

38 Coding guideline

39 Coding guideline Secure coding guideline On DocumentBuilderFactory call setfeature with these parameters before calling newdocumentbuilder

40 Coding guideline Secure coding guideline On DocumentBuilderFactory call setfeature with these parameters before calling newdocumentbuilder

41 XXE

42 XXE

43 XXE

44 Preventing XXE

45 SDLC Train Develop Build Test Deploy

46 Security started as part of software testing Train Develop Build Test Pen testing Code analysis Deploy Breaches

47 Shift left Train Develop Build Test Code analysis Code review Code analysis Pen testing Deploy Breaches

48 Keep shifting left? Train Develop Build Test Code analysis? Code analysis Code analysis Pen testing Deploy Breaches

49 Code analysis Train Develop Build User input doget request.getparameter isauthorized readxml user.hasrole factory.newdocbuilder Test Deploy

50 Code analysis Train Develop Build Test User input doget request.getparameter! isauthorized readxml user.hasrole factory.newdocbuilder Deploy

51 Code analysis Train Develop Build User input doget request.getparameter isauthorized readxml user.hasrole factory.newdocbuilder Test Deploy

52 Code analysis Train Develop Build Test User input doget request.getparameter Day 1 isauthorized readxml user.hasrole factory.newdocbuilder Deploy

53 Code analysis Train Develop Build User input doget request.getparameter Day 2 isauthorized readxml user.hasrole factory.newdocbuilder Test Deploy

54 Code analysis Train Develop Build Test User input Day 3 doget request.getparameter isauthorized readxml user.hasrole factory.newdocbuilder Deploy

55 Code analysis Train Develop Build Test User input doget request.getparameter! isauthorized readxml user.hasrole factory.newdocbuilder Deploy

56 Code analysis Train Develop Build Test User input doget request.getparameter Day 4 isauthorized readxml user.hasrole factory.setfeature factory.newdocbuilder Deploy

57 Keep shifting left? Train Develop Code analysis? Coding guidelines Build Test Code analysis Code review Code analysis Pen testing Deploy Breaches

58 Code analysis Train Develop Build Test User input doget request.getparameter Day 1 isauthorized readxml user.hasrole factory.newdocbuilder Deploy

59 Code analysis Train Develop Build Test User input doget request.getparameter! Day 1 isauthorized readxml user.hasrole factory.newdocbuilder Deploy

60 Code analysis Train Develop Build Test User input doget request.getparameter! Day 1 isauthorized readxml user.hasrole factory.setfeature factory.newdocbuilder Deploy

61 > Other advantages for coding guidelines

62 Scalable User input doget request.getparameter! isauthorized readxml user.hasrole factory.newdocbuilder

63 Scalable User input? readxml factory.newdocbuilder

64 Scalable User input! readxml factory.newdocbuilder

65 Uniformity User input readxml factory.newdocbuilder

66 Protect from future use User input 2 months later readxml factory.newdocbuilder

67 Protect from future use User input 2 months later! readxml factory.newdocbuilder

68 Protect from future use User input 2 months + 1 day? readxml factory.setfeature factory.newdocbuilder

69 > Final case for tool-based support

70 You

71 Coding guideline? Secure coding guideline On DocumentBuilderFactory call setfeature with these parameters before calling newdocumentbuilder

72 Coding guideline Secure coding guideline On DocumentBuilderFactory call setfeature with these parameters before calling newdocumentbuilder

73

How to spend $3.6M on one coding mistake and other fun stuff you can do with $3.6M. Matias Madou Ph.D., Secure Code Warrior

How to spend $3.6M on one coding mistake and other fun stuff you can do with $3.6M. Matias Madou Ph.D., Secure Code Warrior How to spend $3.6M on one coding mistake and other fun stuff you can do with $3.6M Matias Madou Ph.D., Secure Code Warrior Matias Madou, Ph.D. CTO and Co-Founder Ph.D. in Computer Engineering from Ghent

More information

THE ART OF SECURING 100 PRODUCTS. Nir

THE ART OF SECURING 100 PRODUCTS. Nir THE ART OF SECURING 100 PRODUCTS Nir Valtman @ValtmaNir I work for as the Application Security 1st time speaking publicly, except at Mmmm OH, AND Neither of my previous startups succeeded!

More information

Application Security at Scale

Application Security at Scale Jake Marcinko Standards Manager, PCI Security Standards Council Jeff Williams CTO, Contrast Security Application Security at Scale AppSec at Scale Delivering Timely Security Solutions / Services to Meet

More information

Application security : going quicker

Application security : going quicker Application security : going quicker The web application firewall example Agenda Agenda o Intro o Application security o The dev team approach o The infra team approach o Impact of the agility o The WAF

More information

Taking Control of Your Application Security

Taking Control of Your Application Security EDUCAUSE Wednesday, May 3 rd Taking Control of Your Application Security 2017 SANS Institute All Rights Reserved INTRODUCTION Eric Johnson, CISSP, GSSP-Java, GSSP-.NET, GWAPT Application Security Curriculum

More information

Discover Best of Show März 2016, Düsseldorf

Discover Best of Show März 2016, Düsseldorf Discover Best of Show 2016 2. - 3. März 2016, Düsseldorf 2. - 3. März 2016 Softwaresicherheit im Zeitalter von DevOps Lucas von Stockhausen Regional Product Manager Fortify The case for Application Security

More information

An Introduction to Runtime Application Self-Protection (RASP)

An Introduction to Runtime Application Self-Protection (RASP) Product Analysis June 2016 An Introduction to Runtime Application Self-Protection (RASP) The Transformational Application Security Technology that Improves Protection and Operations Highly accurate. Easy

More information

An Introduction to the Waratek Application Security Platform

An Introduction to the Waratek Application Security Platform Product Analysis January 2017 An Introduction to the Waratek Application Security Platform The Transformational Application Security Technology that Improves Protection and Operations Highly accurate.

More information

Suman Sourav Director DevSecOps, Vantage Point Security. OWASP Indonesia Day 2017

Suman Sourav Director DevSecOps, Vantage Point Security. OWASP Indonesia Day 2017 Suman Sourav Director DevSecOps, Vantage Point Security OWASP Indonesia Day 2017 About me Certified Secure Software Lifecycle Professional (CSSLP) 12+ Years of Experience in Software Security Co-Founder

More information

Securing Cloud Applications with a Distributed Web Application Firewall Riverbed Technology

Securing Cloud Applications with a Distributed Web Application Firewall Riverbed Technology Securing Cloud Applications with a Distributed Web Application Firewall www.riverbed.com 2013 Riverbed Technology Primary Target of Attack Shifting from Networks and Infrastructure to Applications NETWORKS

More information

Achieving Java Application Security With Parasoft Jtest

Achieving Java Application Security With Parasoft Jtest Achieving Java Application Security With Parasoft Jtest Cloud computing continues to gain traction as enterprises increasingly embrace the shift to Internet-based environments. Unfortunately, this also

More information

SECURITY TESTING. Towards a safer web world

SECURITY TESTING. Towards a safer web world SECURITY TESTING Towards a safer web world AGENDA 1. 3 W S OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS ate: 2013-14 Few Security Breaches September

More information

Background FAST FACTS

Background FAST FACTS Background Terra Verde was founded in 2008 by cybersecurity, risk and compliance executives. The founders believed that the market needed a company that was focused on using security, risk and compliance

More information

Weaving Security into Every Application

Weaving Security into Every Application Weaving Security into Every Application Paul Fox AVP Technology AT&T 2018 TM Forum 1 Cyber Security Accelerating Threat Telecom Breaches 300,000 Number of complaints filed with the FBI Internet Crime Complaint

More information

THE MAIN APPLICATION SECURITY TECHNOLOGIES TO ADOPT BY 2018

THE MAIN APPLICATION SECURITY TECHNOLOGIES TO ADOPT BY 2018 THE MAIN APPLICATION SECURITY TECHNOLOGIES TO ADOPT BY 2018 1 Application Security Continues to Evolve This September, consumer credit reporting agency Equifax reported a security breach that occurred

More information

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle Data Security and Privacy : Compliance to Stewardship Jignesh Patel Solution Consultant,Oracle Agenda Connected Government Security Threats and Risks Defense In Depth Approach Summary Connected Government

More information

PT Unified Application Security Enforcement. ptsecurity.com

PT Unified Application Security Enforcement. ptsecurity.com PT Unified Application Security Enforcement ptsecurity.com Positive Technologies: Ongoing research for the best solutions Penetration Testing ICS/SCADA Security Assessment Over 700 employees globally Over

More information

Hardening Attack Vectors to cars by Fuzzing

Hardening Attack Vectors to cars by Fuzzing Hardening Attack Vectors to cars by Fuzzing AESIN 2015 Ashley Benn, Regional Sales manager 29 th October, 2015 2015 Synopsys, Inc. 1 Today, there are more than 100m lines of code in cars 2015 Synopsys,

More information

TRAINING CURRICULUM 2017 Q2

TRAINING CURRICULUM 2017 Q2 TRAINING CURRICULUM 2017 Q2 Index 3 Why Security Compass? 4 Discover Role Based Training 6 SSP Suites 7 CSSLP Training 8 Course Catalogue 14 What Can We Do For You? Why Security Compass? Role-Based Training

More information

You ve Been Hacked: Why Web Application Security Programs Should Start with RASP

You ve Been Hacked: Why Web Application Security Programs Should Start with RASP You ve Been Hacked: Why Web Application Security Programs Should Start with RASP Authored by for IMMUNIO /ebooks You ve Been Hacked: Why Web Application Security Programs Should Start with RASP Introduction

More information

Managing an Application Vulnerability Management Program in a CI/CD Environment. March 29, 2018 OWASP Vancouver - Karim Lalji 1

Managing an Application Vulnerability Management Program in a CI/CD Environment. March 29, 2018 OWASP Vancouver - Karim Lalji 1 Managing an Application Vulnerability Management Program in a CI/CD Environment March 29, 2018 OWASP Vancouver - Karim Lalji 1 About Me Karim Lalji Managing Security Consultant (VA/PT) at TELUS Previously:

More information

Gujarat Forensic Sciences University

Gujarat Forensic Sciences University Gujarat Forensic Sciences University Knowledge Wisdom Fulfilment Cyber Security Consulting Services Secure Software Engineering Infrastructure Security Digital Forensics SDLC Assurance Review & Threat

More information

ShiftLeft. Real-World Runtime Protection Benchmarking

ShiftLeft. Real-World Runtime Protection Benchmarking ShiftLeft Real-World Runtime Protection Benchmarking Table of Contents Executive Summary... 02 Testing Approach... 02 ShiftLeft Technology... 04 Test Application... 06 Results... 07 SQL injection exploits

More information

Lookout's cybersecurity predictions

Lookout's cybersecurity predictions LOOKING FORWARD AND LOOKING BACK: Lookout's cybersecurity predictions by Kevin Mahaffey Every year, cybersecurity pundits cast predictions for which issues will make headlines in the year to come. We ve

More information

Fintech District. The First Testing Cyber Security Platform. In collaboration with CISCO. Cloud or On Premise Platform

Fintech District. The First Testing Cyber Security Platform. In collaboration with CISCO. Cloud or On Premise Platform Fintech District The First Testing Cyber Security Platform In collaboration with CISCO Cloud or On Premise Platform WHAT IS SWASCAN? SWASCAN SERVICES Cloud On premise Web Application Vulnerability Scan

More information

DevOps Anti-Patterns. Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! COPYRIGHT 2019 MANICODE SECURITY

DevOps Anti-Patterns. Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! COPYRIGHT 2019 MANICODE SECURITY DevOps Anti-Patterns Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! 31 Anti-Pattern: Throw it Over the Wall Development Operations 32 Anti-Pattern: DevOps Team Silo

More information

Presentation Overview

Presentation Overview Presentation Overview Basic Application Security (AppSec) Fundamentals Risks Associated With Vulnerable Applications Understanding the Software Attack Surface Mean Time to Fix (MTTF) Explained Application

More information

The Divine and Felonious Nature of Cyber Security

The Divine and Felonious Nature of Cyber Security The Divine and Felonious Nature of Cyber Security ( Introduction to DevSecOps ) John Willis @botchagalupe https://github.com/botchagalupe/my-presentations The Felonious Nature of Cyber Security Infecting

More information

Computer Information Systems (CIS) CIS 105 Current Operating Systems/Security CIS 101 Introduction to Computers

Computer Information Systems (CIS) CIS 105 Current Operating Systems/Security CIS 101 Introduction to Computers Computer Information Systems (CIS) CIS 101 Introduction to Computers This course provides an overview of the computing field and its typical applications. Key terminology and components of computer hardware,

More information

Vendor Security Questionnaire

Vendor Security Questionnaire Business Associate Vendor Name Vendor URL Vendor Contact Address Vendor Contact Email Address Vendor Contact Phone Number What type of Service do You Provide Covenant Health? How is Protected Health Information

More information

locuz.com SOC Services

locuz.com SOC Services locuz.com SOC Services 1 Locuz IT Security Lifecycle services combine people, processes and technologies to provide secure access to business applications, over any network and from any device. Our security

More information

BUYER S GUIDE APPLICATION SECURITY BUYER S GUIDE:

BUYER S GUIDE APPLICATION SECURITY BUYER S GUIDE: BUYER S GUIDE APPLICATION SECURITY BUYER S GUIDE: 15 Questions to Ask Yourself and Your DAST Vendor > An Introduction to the AppSec Market Page 3 Dynamic Application Security Testing Requirements Page

More information

hidden vulnerabilities

hidden vulnerabilities hidden vulnerabilities industrial networks in 30 minutes Cyber Security introduction Frank Kemeling Certified Ethical Hacker [CEH] EC-Council Certified Security Analyst [ESCA] Licensed Penetration Tester

More information

5 Trends That Will Impact Your IT Planning in Layered Security. Executive Brief

5 Trends That Will Impact Your IT Planning in Layered Security. Executive Brief 5 Trends That Will Impact Your IT Planning in 2012 Layered Security Executive Brief a QuinStreet Excutive Brief. 2011 Layered Security Many of the IT trends that your organization will tackle in 2012 aren

More information

Cyber Security. It s not just about technology. May 2017

Cyber Security. It s not just about technology. May 2017 Cyber Security It s not just about technology May 2017 Introduction The Internet has opened a new frontier in warfare: everything is networked and anything networked can be hacked. - World Economic Forum

More information

An SDLC for the DevSecOps Era Or SecDevOps, or DevOpsSec,

An SDLC for the DevSecOps Era Or SecDevOps, or DevOpsSec, An SDLC for the DevSecOps Era Or SecDevOps, or DevOpsSec, or zane@signalsciences.com @zanelackey Who you ll be heckling today Started out in offense Pentester / researcher at isec Partners / NCC Group

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

Computer Information Systems (CIS) CIS 105 Current Operating Systems/Security CIS 101 Introduction to Computers

Computer Information Systems (CIS) CIS 105 Current Operating Systems/Security CIS 101 Introduction to Computers Computer Information Systems (CIS) CIS 101 Introduction to Computers This course provides an overview of the computing field and its typical applications. Key terminology and components of computer hardware,

More information

In collaborazione con

In collaborazione con In collaborazione con 1. Software Security Introduction 2. SDLC frameworks: how OWASP can help on software security 3. OWASP Software Security 5 Dimension Framework 4. Apply the models to a real

More information

Brochure. Security. Fortify on Demand Dynamic Application Security Testing

Brochure. Security. Fortify on Demand Dynamic Application Security Testing Brochure Security Fortify on Demand Dynamic Application Security Testing Brochure Fortify on Demand Application Security as a Service Dynamic Application Security Testing Fortify on Demand delivers application

More information

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions Meeting PCI DSS 3.2 Compliance with Solutions Platform the industry s most comprehensive, intelligent platform for managing cyber risk. 2018, Inc. What s Changing with PCI DSS? Summary of PCI Business

More information

Security and Compliance Powered by the Cloud. Ben Friedman / Strategic Accounts Director /

Security and Compliance Powered by the Cloud. Ben Friedman / Strategic Accounts Director / Security and Compliance Powered by the Cloud Ben Friedman / Strategic Accounts Director / bf@alertlogic.com Founded: 2002 Headquarters: Ownership: Houston, TX Privately Held Customers: 1,200 + Employees:

More information

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect NOTHING IS WHAT IT SIEMs: COVER PAGE Simpler Way to Effective Threat Management TEMPLATE Dan Pitman Principal Security Architect Cybersecurity is harder than it should be 2 SIEM can be harder than it should

More information

V Conference on Application Security and Modern Technologies

V Conference on Application Security and Modern Technologies V Conference on Application Security and Modern Technologies In collaborazione con Venezia, Università Ca Foscari 6 Ottobre 2017 1 Matteo Meucci OWASP Nuovi standard per la sicurezza applicativa 2

More information

AppScan Deployment APPLICATION SECURITY SERVICES. Colin Bell. Applications Security Senior Practice Manager

AppScan Deployment APPLICATION SECURITY SERVICES. Colin Bell. Applications Security Senior Practice Manager APPLICATION SECURITY SERVICES AppScan Deployment Colin Bell Applications Security Senior Practice Manager Copyright 2017 HCL Products & Platforms www.hcltech.com The Evolution of Devops 2001 - Continuous

More information

Cybersecurity Today Avoid Becoming a News Headline

Cybersecurity Today Avoid Becoming a News Headline Cybersecurity Today 2017 Avoid Becoming a News Headline Topics Making News Notable Incidents Current State of Affairs Common Points of Failure Three Quick Wins How to Prepare for and Respond to Cybersecurity

More information

Continuously Discover and Eliminate Security Risk in Production Apps

Continuously Discover and Eliminate Security Risk in Production Apps White Paper Security Continuously Discover and Eliminate Security Risk in Production Apps Table of Contents page Continuously Discover and Eliminate Security Risk in Production Apps... 1 Continuous Application

More information

Think Like an Attacker

Think Like an Attacker Think Like an Attacker Using Attack Intelligence to Ensure the Security of Critical Business Assets Current State of Information Security Focused on detection and response Desire to reduce detection to

More information

We b Ap p A t ac ks. U ser / Iden tity. P hysi ca l 11% Other (VPN, PoS,infra.)

We b Ap p A t ac ks. U ser / Iden tity. P hysi ca l 11% Other (VPN, PoS,infra.) We b Ap p A t ac ks U ser / Iden tity 33% 53% Apps And Identities Initial Targets In 86% Of Breaches P hysi ca l 11% Other (VPN, PoS,infra.) 3% Fix vulnerabilities Stop web attacks Risk & compliance What

More information

Internet infrastructure

Internet infrastructure Internet infrastructure Prof. dr. ir. André Mariën (c) A. Mariën 04/03/2014 1 Topic Vulnerability and patch management (c) A. Mariën 04/03/2014 2 Requirements Security principle: Everything can and will

More information

DOWNLOAD OR READ : WEB APPLICATION SECURITY TESTING THIRD EDITION PDF EBOOK EPUB MOBI

DOWNLOAD OR READ : WEB APPLICATION SECURITY TESTING THIRD EDITION PDF EBOOK EPUB MOBI DOWNLOAD OR READ : WEB APPLICATION SECURITY TESTING THIRD EDITION PDF EBOOK EPUB MOBI Page 1 Page 2 web application security testing third edition web application security testing pdf web application security

More information

Application Security Use Cases. RASP, WAF, NGWAF, What The Hell is The Difference.

Application Security Use Cases. RASP, WAF, NGWAF, What The Hell is The Difference. Application Security Use Cases RASP, WAF, NGWAF, What The Hell is The Difference. Acronym Soup July 29, 2016 2 July 29, 2016 3 Definition of Terms WAF Web Application Firewall / waf / noun 1. An appliance,

More information

Addressing penetration testing and vulnerabilities, and adding verification measures

Addressing penetration testing and vulnerabilities, and adding verification measures Addressing penetration testing and vulnerabilities, and adding verification measures July 25, 2017 Alan Calder IT Governance Ltd www.itgovernanceusa.com PLEASE NOTE THAT ALL ATTENDEES ARE MUTED UPON JOINING

More information

De-risk Your Applications. SUBSCRIBE TO EVRY S SECURITY TESTING AS A SERVICE (STaaS) TODAY!

De-risk Your Applications. SUBSCRIBE TO EVRY S SECURITY TESTING AS A SERVICE (STaaS) TODAY! De-risk Your Applications SUBSCRIBE TO EVRY S SECURITY TESTING AS A SERVICE (STaaS) TODAY! With the exponential increase in Web, Mobile, Cloud and IoT applications, the security risks and challenges in

More information

Penetration testing.

Penetration testing. Penetration testing Penetration testing is a globally recognized security measure that can help provide assurances that a company s critical business infrastructure is protected from internal or external

More information

Security

Security Security +617 3222 2555 info@citec.com.au Security With enhanced intruder technologies, increasingly sophisticated attacks and advancing threats, your data has never been more susceptible to breaches from

More information

Cyber Attacks & Breaches It s not if, it s When

Cyber Attacks & Breaches It s not if, it s When ` Cyber Attacks & Breaches It s not if, it s When IMRI Team Aliso Viejo, CA Trusted Leader with Solution Oriented Results Since 1992 Data Center/Cloud Computing/Consolidation/Operations 15 facilities,

More information

.NET JAVA C ASE. Certified. Certified. Application Security Engineer.

.NET JAVA C ASE. Certified. Certified. Application Security Engineer. .NET C ASE Certified Application Security Engineer JAVA C ASE Certified Application Security Engineer Certified Application Security Engineer www.eccouncil.org EC-Council Course Description The Certified

More information

C1: Define Security Requirements

C1: Define Security Requirements OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security

More information

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing Mobile Malfeasance Exploring Dangerous Mobile Code Jason Haddix, Director of Penetration Testing Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to

More information

THE FUTURE OF APPSEC AUTOMATION WHY YOUR APPSEC EXPERTS ARE KILLING YOU. Jeff Williams,

THE FUTURE OF APPSEC AUTOMATION WHY YOUR APPSEC EXPERTS ARE KILLING YOU. Jeff Williams, THE FUTURE OF APPSEC AUTOMATION WHY YOUR APPSEC EXPERTS ARE KILLING YOU Jeff Williams, CTO @planetlevel CONTRAST SECURITY 291 Lambert Avenue Palo Alto, California 94306 www.contrastsecurity.com ARE YOU

More information

Security Solution. Web Application

Security Solution. Web Application Web Application Security Solution Netsparker is a web application security solution that can be deployed on premise, on demand or a combination of both. Unlike other web application security scanners,

More information

Application Security Buyer s Guide

Application Security Buyer s Guide BU Y ER S GUIDE Application Security Buyer s Guide 15 questions to ask yourself and your DAST vendor TABLE OF CONTENTS An Introduction to the AppSec Market 3 Dynamic Application Security Testing Requirements

More information

Cloudy with a chance of hack. OWASP November, The OWASP Foundation Lars Ewe CTO / VP of Eng. Cenzic

Cloudy with a chance of hack. OWASP November, The OWASP Foundation  Lars Ewe CTO / VP of Eng. Cenzic Cloudy with a chance of hack November, 2010 Lars Ewe CTO / VP of Eng. Cenzic lars@cenzic.com Copyright The Foundation Permission is granted to copy, distribute and/or modify this document under the terms

More information

The Value of Automated Penetration Testing White Paper

The Value of Automated Penetration Testing White Paper The Value of Automated Penetration Testing White Paper Overview As an information security expert and the security manager of the company, I am well aware of the difficulties of enterprises and organizations

More information

Sage Data Security Services Directory

Sage Data Security Services Directory Sage Data Security Services Directory PROTECTING INFORMATION ASSETS ENSURING REGULATORY COMPLIANCE FIGHTING CYBERCRIME Discover the Sage Difference Protecting your business from cyber attacks is a full-time

More information

Managed Application Security trends and best practices in application security

Managed Application Security trends and best practices in application security Managed Application Security trends and best practices in application security Adrian Locusteanu, B2B Delivery Director, Telekom Romania adrian.locusteanu@telekom.ro About Me Adrian Locusteanu is the B2B

More information

Robots with Pentest Recipes:

Robots with Pentest Recipes: Robots with Pentest Recipes: Democratizing Security Testing for DevOps Wins Abhay Bhargav - CTO, we45 Yours Truly Co-author of Secure Java For Web Application Development Author of PCI Compliance: A Definitive

More information

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software Securing Your Web Application against security vulnerabilities Alvin Wong, Brand Manager IBM Rational Software Agenda Security Landscape Vulnerability Analysis Automated Vulnerability Analysis IBM Rational

More information

Embedding GDPR into the SDLC. Sebastien Deleersnyder Siebe De Roovere

Embedding GDPR into the SDLC. Sebastien Deleersnyder Siebe De Roovere Embedding GDPR into the SDLC Sebastien Deleersnyder Siebe De Roovere Who is Who? Sebastien Deleersnyder 5 years developer experience 15+ years information security experience Application security consultant

More information

SIEMLESS THREAT DETECTION FOR AWS

SIEMLESS THREAT DETECTION FOR AWS SOLUTION OVERVIEW: ALERT LOGIC FOR AMAZON WEB SERVICES (AWS) SIEMLESS THREAT DETECTION FOR AWS Few things are as important to your business as maintaining the security of your sensitive data. Protecting

More information

DevSecOps Shift Left Security. Prioritizing Incident Response using Security Posture Assessment and Attack Surface Analysis

DevSecOps Shift Left Security. Prioritizing Incident Response using Security Posture Assessment and Attack Surface Analysis DevSecOps Shift Left Security Prioritizing Incident Response using Security Posture Assessment and Attack Surface Analysis Themes Vulnerabilities are Low Hanging Fruit Why so many breaches that Anti-Virus

More information

Achieving Cyber-Readiness through Information Sharing Analysis Organizations (ISAOs)

Achieving Cyber-Readiness through Information Sharing Analysis Organizations (ISAOs) Achieving Cyber-Readiness through Information Sharing Analysis Organizations (ISAOs) Florida Hospital Association Welcome! John Wilgis Director, Emergency Management Services Florida Hospital Association

More information

6 MILLION AVERAGE PAY. CYBER Security. How many cyber security professionals will be added in 2019? for popular indursty positions are

6 MILLION AVERAGE PAY. CYBER Security. How many cyber security professionals will be added in 2019? for popular indursty positions are PROGRAM Objective Cyber Security is the most sought after domain, and NASSCOM projects a requirment of over 1 million trained professionals by 2025. Tevel training program is an industry & employability

More information

AppSec in a DevOps World

AppSec in a DevOps World AppSec in a DevOps World Peter Chestna Director of Developer Engagement 1 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES Who am I? 27 Years Software Development Experience 12 Years Application Security

More information

Vulnerabilities. To know your Enemy, you must become your Enemy. Information security: Vulnerabilities & attacks threats. difficult.

Vulnerabilities. To know your Enemy, you must become your Enemy. Information security: Vulnerabilities & attacks threats. difficult. Vulnerabilities To know your Enemy, you must become your Enemy. "The Art of War", Sun Tzu André Zúquete Security 1 Information security: Vulnerabilities & attacks threats Discouragement measures difficult

More information

The Hidden Risk of OSS. The Dawn of Software Assembly

The Hidden Risk of OSS. The Dawn of Software Assembly The Hidden Risk of OSS The Dawn of Software Assembly The Language of Security is Risk What is Risk What does the snail tell us? we owe a duty of reasonable care to our neighbor Lord Atkin: Donoghue v.

More information

Overcoming the Challenges of Automating Security in a DevOps Environment

Overcoming the Challenges of Automating Security in a DevOps Environment SESSION ID: LAB-W02 Overcoming the Challenges of Automating Security in a DevOps Environment Murray Goldschmidt Chief Operating Officer Sense of Security @ITsecurityAU Michael McKinnon Director, Commercial

More information

En partenariat avec CA Technologies. Genève, Hôtel Warwick,

En partenariat avec CA Technologies. Genève, Hôtel Warwick, SIGS Afterwork Event in Geneva API Security as Part of Digital Transformation Projects The role of API security in digital transformation Nagib Aouini, Head of Cyber Security Services Defense & Cyber Security

More information

Will your application be secure enough when Robots produce code for you?

Will your application be secure enough when Robots produce code for you? SESSION ID: ASD-W02 Will your application be secure enough when Robots produce code for you? Hasan Yasar Technical Manager, Faculty Member SEI CMU @securelifecycle With the speed of DevOps It is me! I

More information

STUDENT LEARNING OUTCOMES Beacom College of Computer and Cyber Sciences

STUDENT LEARNING OUTCOMES Beacom College of Computer and Cyber Sciences STUDENT LEARNING OUTCOMES Beacom College of Computer and Cyber Sciences Undergraduate Programs - Bachelor B.S. Computer Game Design Upon completion of the B.S. degree in Computer Game Design, students

More information

Reducing Liability and Threats through Effective Cybersecurity Risk Measurement. Does Your Security Posture Stand Up to Tomorrow s New Threat?

Reducing Liability and Threats through Effective Cybersecurity Risk Measurement. Does Your Security Posture Stand Up to Tomorrow s New Threat? Reducing Liability and Threats through Effective Cybersecurity Risk Measurement Does Your Security Posture Stand Up to Tomorrow s New Threat? Christopher Strand Security Compliance and Risk Officer 1 The

More information

SECURITY PRACTICES OVERVIEW

SECURITY PRACTICES OVERVIEW SECURITY PRACTICES OVERVIEW 2018 Helcim Inc. Copyright 2006-2018 Helcim Inc. All Rights Reserved. The Helcim name and logo are trademarks of Helcim Inc. P a g e 1 Our Security at a Glance About Helcim

More information

Micro Focus Fortify Application Security

Micro Focus Fortify Application Security Micro Focus Fortify Application Security Petr Kunstat SW Consultant +420 603 400 377 petr.kunstat@microfocus.com My web/mobile app is secure. What about yours? High level IT Delivery process Business Idea

More information

SAP Security anno Tim Lynen, Manager axl & trax 2017

SAP Security anno Tim Lynen, Manager axl & trax 2017 SAP Security anno 2017 Tim Lynen, Manager axl & trax 2017 Agenda Introduction axl & trax Importance of landscape security Where to start Top items to focus on Security in the organization Q&A Introduction

More information

Carbon Black PCI Compliance Mapping Checklist

Carbon Black PCI Compliance Mapping Checklist Carbon Black PCI Compliance Mapping Checklist The following table identifies selected PCI 3.0 requirements, the test definition per the PCI validation plan and how Carbon Black Enterprise Protection and

More information

DevOps A How To for Agility with Security

DevOps A How To for Agility with Security DevOps A How To for Agility with Security Murray Goldschmidt, COO Compliance, Protection & Business Confidence Sense of Security Pty Ltd Sydney Level 8, 66 King Street Sydney NSW 2000 Australia Melbourne

More information

How NSFOCUS Protected the G20 Summit. Guy Rosefelt on the Strategy, Staff and Tools Needed to Ensure Cybersecurity

How NSFOCUS Protected the G20 Summit. Guy Rosefelt on the Strategy, Staff and Tools Needed to Ensure Cybersecurity How NSFOCUS Protected the G20 Summit Guy Rosefelt on the Strategy, Staff and Tools Needed to Ensure Cybersecurity SPONSORED BY Rosefelt is responsible for developing NSFOCUS threat intelligence and web

More information

OWASP InfoSec Romania 2013

OWASP InfoSec Romania 2013 OWASP InfoSec Romania 2013 Secure Development Lifecycle, The good, the bad and the ugly! October 25 th 2013 Martin Knobloch OWASP Netherlands Chapter Leader Applications are about information! 3 pillars

More information

IT Vulnerabilities: What an IT Auditor Should be Thinking About

IT Vulnerabilities: What an IT Auditor Should be Thinking About IT Vulnerabilities: What an IT Auditor Should be Thinking About Evolving in a Changing Landscape OCTOBER 23-25 HOTEL NIKKO - SF Agenda 1. About the Speaker 2. IT Vulnerability: The Term Defined 3. Identification

More information

BHConsulting. Your trusted cybersecurity partner

BHConsulting. Your trusted cybersecurity partner Your trusted cybersecurity partner BH Consulting Securing your business BH Consulting is an award-winning, independent provider of cybersecurity consulting and information security advisory services. Recognised

More information

DHS Hackers and the Lawyers Who Advise Them

DHS Hackers and the Lawyers Who Advise Them SESSION ID: LAW-T08 DHS Hackers and the Lawyers Who Advise Them MODERATOR: Gabriel Taran Assistant General Counsel, Cybersecurity DHS Office of General Counsel (OGC) PANELISTS: From the Cybersecurity and

More information

Cybersecurity Vulnerabilities and Process Frameworks for Oil and Gas

Cybersecurity Vulnerabilities and Process Frameworks for Oil and Gas Cybersecurity Vulnerabilities and Process Frameworks for Oil and Gas Presentation to WVONGA Jack L. Shaffer, Jr. Business Transformation Director vcio/ vciso 2017 Cybersecurity in the news Ransomware Wanacry,

More information

Measuring and Evaluating Cyber Risk in ICS Components, Products and Systems

Measuring and Evaluating Cyber Risk in ICS Components, Products and Systems Measuring and Evaluating Cyber Risk in ICS Components, Products and Systems Copyright 2018 UL LLC. All rights reserved. No portion of this material may be reprinted in any form without the express written

More information

Creating an AppSec Pipeline with containers in a week. How we failed and succeeded Jeroen Willemsen OWASP benelux days

Creating an AppSec Pipeline with containers in a week. How we failed and succeeded Jeroen Willemsen OWASP benelux days Creating an AppSec Pipeline with containers in a week How we failed and succeeded Jeroen Willemsen OWASP benelux days About me Jeroen Willemsen @commjoenie jwillemsen@xebia.com Security architect Full-stack

More information

Cybersecurity for Service Providers

Cybersecurity for Service Providers Cybersecurity for Service Providers Alexandro Fernandez, CISSP, CISA, CISM, CEH, ECSA, ISO 27001LA, ISO 27001 LI, ITILv3, COBIT5 Security Advanced Services February 2018 There are two types of companies:

More information

Vulnerability Management From B Movie to Blockbuster Rahim Jina

Vulnerability Management From B Movie to Blockbuster Rahim Jina Vulnerability Management From B Movie to Blockbuster Rahim Jina 5 December 2018 Rahim Jina COO & Co-Founder Edgescan & BCC Risk Advisory @rahimjina rahim@edgescan.com HACKED Its (not) the $$$$ Information

More information

Institute of Internal Auditors 2018 IIA CHICAGO CHAPTER JOIN NTAC:4UC-11

Institute of Internal Auditors 2018 IIA CHICAGO CHAPTER JOIN NTAC:4UC-11 AUDITING ROBOTICS AND THE INTERNET OF THINGS (IOT) APRIL 9, 2018 PRESENTERS Kara Nagel Manager, Information Security Accenture Ryan Hopkins Assistant Director, Internal Audit Services Packaging Corp. of

More information

Device Discovery for Vulnerability Assessment: Automating the Handoff

Device Discovery for Vulnerability Assessment: Automating the Handoff Device Discovery for Vulnerability Assessment: Automating the Handoff O V E R V I E W While vulnerability assessment tools are widely believed to be very mature and approaching commodity status, they are

More information

Product Security Program

Product Security Program Product Security Program An overview of Carbon Black s Product Security Program and Practices Copyright 2016 Carbon Black, Inc. All rights reserved. Carbon Black is a registered trademark of Carbon Black,

More information