ShiftLeft. Real-World Runtime Protection Benchmarking

Size: px
Start display at page:

Download "ShiftLeft. Real-World Runtime Protection Benchmarking"

Transcription

1 ShiftLeft Real-World Runtime Protection Benchmarking

2 Table of Contents Executive Summary Testing Approach ShiftLeft Technology Test Application Results SQL injection exploits (OWASP A1) Insecure Deserialization exploit (OWASP A8) Using Components with Known Vulnerabilities: Jackson-Databind Deserialization Exploit (OWASP A9) HTTP data as file path (OWASP A5)...11 Sensitive Data breach to file (OWASP A3)...12 Conclusion

3 EXECUTIVE SUMMARY In the industry s first such test, ShiftLeft subjected its application protection capabilities to the expertise of real-world penetration testing from Cobalt Labs (a leader in penetration testing). During the 14-day penetration test, ShiftLeft was able to detect and block all attempted exploits against a vulnerable test application. This included protection for vulnerabilities such as SQL injection, Java deserialization, and sensitive data leakage, among many others. The results demonstrated that ShiftLeft s unique approach protected the comprehensively application (zero false negatives) while minimizing operational overhead (minimal false positives). Key highlights ShiftLeft blocked all exploits to all the six (6) OWASP Top 10 vulnerabilities present in the test application. The vulnerabilities include A1-SQL Injection, A2-Broken Authentication, A4-XML External Entities, A5-Broken Access Control, A8-Insecure Deserialization, and A9-Known Vulnerabilities. The test application also had an A3-Sensitive Data Exposure vulnerability 1, which was inherently out of scope for external penetration testing. ShiftLeft did detect and protect against exposure of such data. TESTING APPROACH ShiftLeft is the industry s first solution that uses modern code analysis to automatically build a runtime-protection security profile. ShiftLeft s Code Property Graph (CPG) extracts the application s Security DNA to automatically create a custom security profile. The security profile is then enforced, with surgical precision, by ShiftLeft s Microagent in production to protect the application. ShiftLeft s security profile is based on the CPG s ability to analyze the application s entire composition, including: custom business code 3rd party libraries and SDKs OSS libraries OSS frameworks. In order to benchmark ShiftLeft s runtime protection in the most real-world possible scenario, 1 As traditional penetration testing is done from a black-box perspective, most data leakages (barring leaks on web sockets) are impossible to verify from external perspective. Data leaks may happen to logs, DB, files, etc., all of which are not accessible to an external penetration tester. 2

4 we constructed a testing methodology to mimic the adversarial nature of a hacker. Usually, the testing of a security solution is done in a controlled lab setting where the device-under-test (DUT) is subjected to traffic from well-known penetration tools. Such testing is not comprehensive, as it 1) focuses on measuring efficacy against known attacks without understanding the actual application attack surface, and 2) allows vendors to pre-tune their signature database to provide favorable results during the test. The approach used for this test, hiring white-hat hackers, most closely mimics the real-world scenario where hackers bring all their tools and their know-how to compromise an application. The approach used for this test, therefore, provides the most realistic assessment of the efficacy of a security solution to protect an application. The testing methodology started by developing an application in isolation with numerous OWASP Top 10 vulnerabilities embedded into it. Next, two instances of the application were created. One instance was hosted without any security protection. Another instance was instrumented and protected with ShiftLeft by a second team that had no knowledge of how the application was developed or how it was vulnerable. Finally, Cobalt Labs performed a 14-day penetration test against both applications. Cobalt Labs had 3 white-hat hacking experts attack both applications with any and all tools and methods. 3

5 SHIFTLEFT TECHNOLOGY ShiftLeft s technology is a unique combination of modern code analysis and runtime security that is customized for every application and all subsequent releases. ShiftLeft s modern code analysis extracts an application s Security DNA from its CPG, which is a detailed graphical representation of security posture based on the application s source code.the Security DNA of an application is used to identify software vulnerabilities and sensitive data flows by combining data flow, control flow, and dependence flow analyses. It also analyzes third-party and OSS dependencies separately from custom code. Furthermore, ShiftLeft s Policy Engine understands which variables are sensitive in order to map critical data flows and identify mishandling and external leakage. Thus, Security DNA defines how an application is vulnerable, whether via known vulnerabilities, unknown vulnerabilities, or data mishandling/leakage situations. THE CPG PYRAMID Service Dependency Graph Component graph - Application, Dependencies Security critical information flows Methods, Types, Call Graph, Type Hierarchy Instruction level -Syntax, control flow, data-flow semantics 4

6 ShiftLeft s runtime security is enforced by the Microagent that runs inside the application. The Microagent enforces policies, defined in a security profile, that are automatically created from the application s Security DNA to block exploit attempts. Derived from source code and only looking for vulnerable routes, the Microagent is surgical in its precision. Apart from the performance benefits of surgical precision, the Microagent also helps developers prioritize real positive vulnerabilities for the fix cycle. 5

7 TEST APPLICATION The test application is a simple REST-based multi tenant application emulating the functions of a retail-banking interface, including routes. The application was built with examples of seven (7) of the relevant OWASP Top 10 vulnerabilities embedded into it. Hence, if the penetration testing team were able to breach runtime protection, the application would be exploitable. Test Application Routes GET GET POST POST POST POST POST /account /account/:id /account /checkaccount /checkaccountsimple /account/:id/deposit /account/:id/withdraw POST /account/:id/addinterest GET GET PUT DELETE GET GET GET POST /rawcustomersbyname/:firstname /customers/:id /customers/:id /customers/:id /customers /createcustomer /customersxml /customers In order to make the application more vulnerable, it was built without support for any authorization or authentication scheme. All endpoints specified above can be exercised by any user. Hence, Cross-site Request Forgery (CSRF) and resulting Cross-site Scripting (XSS) were inherently out of scope. Following vulnerabilities are present in the application: Vulnerability category A1-Injection A2-Broken Authentication (*) A3-Sensitive data exposure A4-XML External Entities A5-Broken Access Control A8-Insecure Deserialization A9-Known Vulnerabilities Type SQLi Appropriate cookie protection Leaking data to a file XXE Path traversal Java deserialization A known deserialization issue 6

8 RESULTS The Cobalt Labs team was able to identify and exploit all of the vulnerabilities present in the unprotected version of test application except for A3-Sensitive Data Exposure, which is inherently out of scope for the external penetration testing they performed. However, during the 14-day testing period, Cobalt Labs was unable to exploit any of the same vulnerabilities in the application protected by ShiftLeft. Cobalt Labs was able to identify the presence of vulnerabilities, but ShiftLeft was able to block their exploit attempts. OWASP Category Vulnerability Type Endpoint Unprotected Application Protected Application Identified Exploited Identified Exploited A1-Injection SQLi /rawcustomersbyname A2-Broken Authentication A4-XML External Entities A5-Broken Access Control A8-Insecure Deserialization A9-Known Vulnerabilities Appropriate cookie protection XXE Path traversal Java deserialization Known OSS vulnerability /admin /customersxml /savesettings /check /checkfast YES YES YES NO YES YES YES NO YES YES YES NO YES YES YES NO YES YES YES NO YES YES YES NO 7

9 SQL INJECTION EXPLOITS (OWASP A1) ShiftLeft detected and blocked all attempts to exploit the SQL injection vulnerability. There were 6.5K (thousand) SQL injection exploit attempts as a result of fuzzing and all of them were blocked. ShiftLeft also showed the exact line of vulnerable code as well as all the associated flows that were being targeted. This information is extremely valuable for the developers, allowing them to quickly understand why the vulnerability is present and what they can do to fix it. 8

10 INSECURE DESERIALIZATION EXPLOIT (OWASP A8) The ShiftLeft agent blocked all attempts to exploit the java deserialization vulnerability in the test application. A total of 25 such incidents were detected and blocked in real time. As in the previous case, ShiftLeft identifies the actual line of code and all the associated flows in the test application causing the vulnerability. 9

11 USING COMPONENTS WITH KNOWN VULNERABILITIES : JACKSON DATABIND DESERIALIZATION EXPLOIT (OWASP A9) ShiftLeft, unlike most SAST or IAST solutions, is able to look at third-party code, identify vulnerabilities, and block attempts to exploit such solutions. In this case, ShiftLeft was able to block attempts to exploit a deserialization vulnerability in the Jackson data-bind library (OSS dependency) included as part of the core application. As in the case of other vulnerabilities, ShiftLeft also identified the line number of the code with the actual vulnerability. 10

12 HTTP DATA AS FILE PATH (OWASP A5) The ShiftLeft agent, as part of this penetration test, was able to identify and block attempts to exploit a broken-access-control vulnerability present in the test application. ShiftLeft also identified the line number of the code where this vulnerability is present in the application. 11

13 SENSITIVE DATA BREACH TO FILE (OWASP A3) The ShiftLeft agent is also able to discover numerous sensitive data breaches that are triggered by inadvertent or mal-intentioned code execution. In this case, penetration testers inadvertently executed some code path where personal data was leaked to file amongst many others. Following is an example for sensitive data leakage 12

14 CONCLUSION Traditional application security is broken into two silos: Application Security Tools (AST) Static Application Security Testing Dynamic Application Security Testing Interactive Application Security Testing Runtime protection tools Web Application Firewall Runtime Application Self Protection Next Generation Firewal Source Code Composition Analysis Each silo creates numerous false positives, which slow down the organization and increase the operational overhead of protecting applications. ShiftLeft is the first company to bring together knowledge of development and production environments via automated workflows that integrated with DevOps accelerate the pace of execution and innovation. As this test demonstrates, understanding source code is the best way to automatically protect an application is runtime, while ensuring comprehensive coverage and operational efficiency of both talent and compute resources. 13

RiskSense Attack Surface Validation for Web Applications

RiskSense Attack Surface Validation for Web Applications RiskSense Attack Surface Validation for Web Applications 2018 RiskSense, Inc. Keeping Pace with Digital Business No Excuses for Not Finding Risk Exposure We needed a faster way of getting a risk assessment

More information

The Top 6 WAF Essentials to Achieve Application Security Efficacy

The Top 6 WAF Essentials to Achieve Application Security Efficacy The Top 6 WAF Essentials to Achieve Application Security Efficacy Introduction One of the biggest challenges IT and security leaders face today is reducing business risk while ensuring ease of use and

More information

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009 Securing Web Applications: Defense Mechanisms Kishin Fatnani Founder & Director K-Secure Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009 1 Agenda Current scenario in Web Application

More information

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title Defend Your Web Applications Against the OWASP Top 10 Security Risks Speaker Name, Job Title Application Security Is Business Continuity Maintain and grow revenue Identify industry threats Protect assets

More information

Certified Secure Web Application Engineer

Certified Secure Web Application Engineer Certified Secure Web Application Engineer ACCREDITATIONS EXAM INFORMATION The Certified Secure Web Application Engineer exam is taken online through Mile2 s Assessment and Certification System ( MACS ),

More information

CSWAE Certified Secure Web Application Engineer

CSWAE Certified Secure Web Application Engineer CSWAE Certified Secure Web Application Engineer Overview Organizations and governments fall victim to internet based attacks every day. In many cases, web attacks could be thwarted but hackers, organized

More information

CONTRAST ASSESS MARKET-DEFINING APPLICATION SECURITY TESTING FOR MODERN AGILE AND DEVOPS TEAMS WHITEPAPER

CONTRAST ASSESS MARKET-DEFINING APPLICATION SECURITY TESTING FOR MODERN AGILE AND DEVOPS TEAMS WHITEPAPER WHITEPAPER CONTRAST ASSESS MARKET-DEFINING APPLICATION SECURITY TESTING FOR MODERN AGILE AND DEVOPS TEAMS WELCOME TO THE ERA OF SELF-PROTECTING SOFTWARE CONTRASTSECURITY.COM CONTENTS What is Interactive

More information

OWASP TOP OWASP TOP

OWASP TOP OWASP TOP ANALYZING THE OWASP TOP 10 TOP APPLICATION SECURITY THREATS & HOW TO MITIGATE THEM Cars require seatbelts. Pill bottles need safety caps. Applications need web application firewalls, and for good reason.

More information

THE CONTRAST ASSESS COST ADVANTAGE

THE CONTRAST ASSESS COST ADVANTAGE WHITEPAPER THE CONTRAST ASSESS COST ADVANTAGE APPLICATION SECURITY TESTING COSTS COMPARED WELCOME TO THE ERA OF SELF-PROTECTING SOFTWARE CONTRASTSECURITY.COM EXECUTIVE SUMMARY Applications account for

More information

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Application Security through a Hacker s Eyes James Walden Northern Kentucky University Application Security through a Hacker s Eyes James Walden Northern Kentucky University waldenj@nku.edu Why Do Hackers Target Web Apps? Attack Surface A system s attack surface consists of all of the ways

More information

OWASP Top 10 The Ten Most Critical Web Application Security Risks

OWASP Top 10 The Ten Most Critical Web Application Security Risks OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain

More information

Taking White Hats to the Laundry: How to Strengthen Testing in Common Criteria

Taking White Hats to the Laundry: How to Strengthen Testing in Common Criteria Taking White Hats to the Laundry: How to Strengthen Testing in Common Criteria Apostol Vassilev, Principal Consultant September 23,2009. Product Testing in Common Criteria Product Testing in Common Criteria

More information

Saving Time and Costs with Virtual Patching and Legacy Application Modernizing

Saving Time and Costs with Virtual Patching and Legacy Application Modernizing Case Study Virtual Patching/Legacy Applications May 2017 Saving Time and Costs with Virtual Patching and Legacy Application Modernizing Instant security and operations improvement without code changes

More information

Application Security Approach

Application Security Approach Technical Approach Page 1 CONTENTS Section Page No. 1. Introduction 3 2. What is Application Security 7 3. Typical Approaches 9 4. Methodology 11 Page 2 1. INTRODUCTION Page 3 It is a Unsafe Cyber world..

More information

Application security : going quicker

Application security : going quicker Application security : going quicker The web application firewall example Agenda Agenda o Intro o Application security o The dev team approach o The infra team approach o Impact of the agility o The WAF

More information

Web Application Penetration Testing

Web Application Penetration Testing Web Application Penetration Testing COURSE BROCHURE & SYLLABUS Course Overview Web Application penetration Testing (WAPT) is the Security testing techniques for vulnerabilities or security holes in corporate

More information

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Charting the Course to Your Success! Securing.Net Web Applications Lifecycle Course Summary Course Summary Description Securing.Net Web Applications - Lifecycle is a lab-intensive, hands-on.net security training course, essential for experienced enterprise developers who need to produce secure.net-based

More information

PEACHTECH PEACH API SECURITY AUTOMATING API SECURITY TESTING. Peach.tech

PEACHTECH PEACH API SECURITY AUTOMATING API SECURITY TESTING. Peach.tech PEACH API SECURITY AUTOMATING API SECURITY TESTING Peach.tech Table of Contents Introduction... 3 Industry Trends... 3 API growth... 3 Agile and Continuous Development Frameworks... 4 Gaps in Tooling...

More information

Protect your apps and your customers against application layer attacks

Protect your apps and your customers against application layer attacks Protect your apps and your customers against application layer attacks Development 1 IT Operations VULNERABILITY DETECTION Bots, hackers, and other bad actors will find and exploit vulnerabilities in web

More information

Continuously Discover and Eliminate Security Risk in Production Apps

Continuously Discover and Eliminate Security Risk in Production Apps White Paper Security Continuously Discover and Eliminate Security Risk in Production Apps Table of Contents page Continuously Discover and Eliminate Security Risk in Production Apps... 1 Continuous Application

More information

Securing Production Applications & Data at Runtime. Prevoty

Securing Production Applications & Data at Runtime. Prevoty Securing Production Applications & Data at Runtime Prevoty Introducing Prevoty Scalable visibility and protection for all applications and services 20+ 3 Over Verticals: Awards & Recognitions Years in

More information

Integrated Web Application Firewall (WAF) & Distributed Denial Of Service (DDoS) Mitigation For Today s Enterprises

Integrated Web Application Firewall (WAF) & Distributed Denial Of Service (DDoS) Mitigation For Today s Enterprises Integrated Web Application Firewall (WAF) & Distributed Denial Of Service (DDoS) Mitigation For Today s Enterprises AI-driven website & network protection service that secures online businesses from today's

More information

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED AUTOMATED CODE ANALYSIS WEB APPLICATION VULNERABILITIES IN 2017 CONTENTS Introduction...3 Testing methods and classification...3 1. Executive summary...4 2. How PT AI works...4 2.1. Verifying vulnerabilities...5

More information

WEB APPLICATION VULNERABILITIES

WEB APPLICATION VULNERABILITIES WEB APPLICATION VULNERABILITIES CONTENTS Introduction... 3 1. Materials and methods... 3 2. Executive summary... 4 3. Client snapshot... 4 4. Trends... 5 5. Manual web application security assessment...

More information

Atlassian. Atlassian Software Development and Collaboration Tools. Bugcrowd Bounty Program Results. Report created on October 04, 2017.

Atlassian. Atlassian Software Development and Collaboration Tools. Bugcrowd Bounty Program Results. Report created on October 04, 2017. Atlassian Software Development and Collaboration Tools Atlassian Bugcrowd Bounty Program Results Report created on October 04, 2017 Prepared by Ryan Black, Director of Technical Operations Table of Contents

More information

Security in a Mainframe Emulator. Chaining Security Vulnerabilities Until Disaster Strikes (twice) Author Tim Thurlings & Meiyer Goren

Security in a Mainframe Emulator. Chaining Security Vulnerabilities Until Disaster Strikes (twice) Author Tim Thurlings & Meiyer Goren Security in a Mainframe Emulator Chaining Security Vulnerabilities Until Disaster Strikes (twice) Author Tim Thurlings & Meiyer Goren October 25, 2017 Table of Contents Introduction... 2 About this paper...

More information

Engineering Your Software For Attack

Engineering Your Software For Attack Engineering Your Software For Attack Robert A. Martin Senior Principal Engineer Cyber Security Center Center for National Security The MITRE Corporation 2013 The MITRE Corporation. All rights reserved.

More information

SECURITY TESTING. Towards a safer web world

SECURITY TESTING. Towards a safer web world SECURITY TESTING Towards a safer web world AGENDA 1. 3 W S OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS ate: 2013-14 Few Security Breaches September

More information

Security Solutions. Overview. Business Needs

Security Solutions. Overview. Business Needs Security Solutions Overview Information security is not a one time event. The dynamic nature of computer networks mandates that examining and ensuring information security be a constant and vigilant effort.

More information

Atlassian Crowdsourced Penetration Test Results: January 2018

Atlassian Crowdsourced Penetration Test Results: January 2018 Atlassian Software Development and Collaboration Tools Atlassian Crowdsourced Penetration Test Results: January 2018 Bugcrowd Ongoing program results Report created on February 16, 2018 Report date range:

More information

C1: Define Security Requirements

C1: Define Security Requirements OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security

More information

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions Meeting PCI DSS 3.2 Compliance with Solutions Platform the industry s most comprehensive, intelligent platform for managing cyber risk. 2018, Inc. What s Changing with PCI DSS? Summary of PCI Business

More information

Penetration testing.

Penetration testing. Penetration testing Penetration testing is a globally recognized security measure that can help provide assurances that a company s critical business infrastructure is protected from internal or external

More information

Using Open Tools to Convert Threat Intelligence into Practical Defenses A Practical Approach

Using Open Tools to Convert Threat Intelligence into Practical Defenses A Practical Approach Using Open Tools to Convert Threat Intelligence into Practical Defenses A Practical Approach 2016 Presented by James Tarala (@isaudit) Principal Consultant Enclave Security 2 Historic Threat Hunting German

More information

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES What is the OWASP Top 10? A list of the top ten web application vulnerabilities Determined by OWASP and the security community at large

More information

SensePost Training Overview 2011/2012

SensePost Training Overview 2011/2012 Training 08 July 2011 About SensePost Information Security... 3 Training Overview... 3 A. Cadet Edition... 4 B. Bootcamp Edition... 6 C. BlackOps Edition... 8 D. Combat Edition... 10 E. W^3 Edition...

More information

RiskSense Attack Surface Validation for IoT Systems

RiskSense Attack Surface Validation for IoT Systems RiskSense Attack Surface Validation for IoT Systems 2018 RiskSense, Inc. Surfacing Double Exposure Risks Changing Times and Assessment Focus Our view of security assessments has changed. There is diminishing

More information

INTERACTIVE APPLICATION SECURITY TESTING (IAST)

INTERACTIVE APPLICATION SECURITY TESTING (IAST) WHITEPAPER INTERACTIVE APPLICATION SECURITY TESTING (IAST) Software affects virtually every aspect of an individual s finances, safety, government, communication, businesses, and even happiness. Individuals

More information

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite: Secure Java Web Application Development Lifecycle - SDL (TT8325-J) Day(s): 5 Course Code: GK1107 Overview Secure Java Web Application Development Lifecycle (SDL) is a lab-intensive, hands-on Java / JEE

More information

Application Security Use Cases. RASP, WAF, NGWAF, What The Hell is The Difference.

Application Security Use Cases. RASP, WAF, NGWAF, What The Hell is The Difference. Application Security Use Cases RASP, WAF, NGWAF, What The Hell is The Difference. Acronym Soup July 29, 2016 2 July 29, 2016 3 Definition of Terms WAF Web Application Firewall / waf / noun 1. An appliance,

More information

Tools for Security Testing

Tools for Security Testing Tools for Security Testing 2 Due to cloud and mobile computing, new security breaches occur daily as holes are discovered and exploited. Security Testing Tools-When, What kind and Where Due to cloud and

More information

Fundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring

Fundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring Fundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring Learning Objective Explain the importance of security audits, testing, and monitoring to effective security policy.

More information

Brochure. Security. Fortify on Demand Dynamic Application Security Testing

Brochure. Security. Fortify on Demand Dynamic Application Security Testing Brochure Security Fortify on Demand Dynamic Application Security Testing Brochure Fortify on Demand Application Security as a Service Dynamic Application Security Testing Fortify on Demand delivers application

More information

Web Applications Penetration Testing

Web Applications Penetration Testing Web Applications Penetration Testing Team Members: Rahul Motwani (2016ME10675) Akshat Khare (2016CS10315) ftarth Chopra (2016TT10829) Supervisor: Prof. Ranjan Bose Before proceeding further, we would like

More information

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications Enabling and Securing Digital Business in Economy Protect s Serving Business Critical Applications 40 percent of the world s web applications will use an interface Most enterprises today rely on customers

More information

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing Mobile Malfeasance Exploring Dangerous Mobile Code Jason Haddix, Director of Penetration Testing Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to

More information

EXECUTIVE REPORT ADOBE SYSTEMS, INC. COLDFUSION SECURITY ASSESSMENT

EXECUTIVE REPORT ADOBE SYSTEMS, INC. COLDFUSION SECURITY ASSESSMENT EXECUTIVE REPORT ADOBE SYSTEMS, INC. COLDFUSION SECURITY ASSESSMENT FEBRUARY 18, 2016 This engagement was performed in accordance with the Statement of Work, and the procedures were limited to those described

More information

WHITEHAT SENTINEL PRODUCT FAMILY. WhiteHat Sentinel Product Family

WHITEHAT SENTINEL PRODUCT FAMILY. WhiteHat Sentinel Product Family WHITEHAT PRODUCT FAMILY WhiteHat Sentinel Product Family Combining technology with human intelligence to deliver the world's most powerful and accurate application security WhiteHat Sentinel is a software-as-a-service

More information

Applications Security

Applications Security Applications Security OWASP Top 10 PyCon Argentina 2018 Objectives Generate awareness and visibility on web-apps security Set a baseline of shared knowledge across the company Why are we here / Trigger

More information

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED 01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED Contents 1. Introduction 3 2. Security Testing Methodologies 3 2.1 Internet Footprint Assessment 4 2.2 Infrastructure Assessments

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

ShiftLeft. OWASP SAST Benchmark

ShiftLeft. OWASP SAST Benchmark ShiftLeft OWASP SAST Benchmark Table of Contents Overview... 2 Towards a new generation of static analysis products... 2 Results on the OWASP benchmark... 3 Ingredient #1: Our data flow tracker... 4 Ingredient

More information

Managed Application Security trends and best practices in application security

Managed Application Security trends and best practices in application security Managed Application Security trends and best practices in application security Adrian Locusteanu, B2B Delivery Director, Telekom Romania adrian.locusteanu@telekom.ro About Me Adrian Locusteanu is the B2B

More information

CYSE 411/AIT 681 Secure Software Engineering. Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun

CYSE 411/AIT 681 Secure Software Engineering. Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun CYSE 411/AIT 681 Secure Software Engineering Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun Reading This lecture [McGraw]: Ch. 7-9 2 Seven Touchpoints 1. Code review 2. Architectural

More information

4. Risk-Based Security Testing. Reading. CYSE 411/AIT 681 Secure Software Engineering. Seven Touchpoints. Application of Touchpoints

4. Risk-Based Security Testing. Reading. CYSE 411/AIT 681 Secure Software Engineering. Seven Touchpoints. Application of Touchpoints Reading This lecture [McGraw]: Ch. 7-9 CYSE 411/AIT 681 Secure Software Engineering Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun 2 Seven Touchpoints Application of Touchpoints

More information

Web Application Vulnerabilities: OWASP Top 10 Revisited

Web Application Vulnerabilities: OWASP Top 10 Revisited Pattern Recognition and Applications Lab Web Application Vulnerabilities: OWASP Top 10 Revisited Igino Corona igino.corona AT diee.unica.it Computer Security April 5th, 2018 Department of Electrical and

More information

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software Securing Your Web Application against security vulnerabilities Alvin Wong, Brand Manager IBM Rational Software Agenda Security Landscape Vulnerability Analysis Automated Vulnerability Analysis IBM Rational

More information

Under the hood testing - Code Reviews - - Harshvardhan Parmar

Under the hood testing - Code Reviews - - Harshvardhan Parmar Under the hood testing - Code Reviews - - Harshvardhan Parmar In the news September 2011 A leading bank s Database hacked (SQLi) June 2011 Sony hack exposes consumer passwords (SQLi) April 2011 Sony sites

More information

Kaspersky Enterprise Cybersecurity. Kaspersky Security Assessment Services. #truecybersecurity

Kaspersky Enterprise Cybersecurity. Kaspersky Security Assessment Services.  #truecybersecurity Kaspersky Enterprise Cybersecurity Kaspersky Security Assessment Services www.kaspersky.com #truecybersecurity Security Assessment Services Security Assessment Services from Kaspersky Lab. the services

More information

ForeScout ControlFabric TM Architecture

ForeScout ControlFabric TM Architecture ForeScout ControlFabric TM Architecture IMPROVE MULTI-VENDOR SOLUTION EFFECTIVENESS, RESPONSE AND WORKFLOW AUTOMATION THROUGH COLLABORATION WITH INDUSTRY-LEADING TECHNOLOGY PARTNERS. The Challenge 50%

More information

Train as you Fight: Are you ready for the Red Team?

Train as you Fight: Are you ready for the Red Team? Train as you Fight: Are you ready for the Red Team? An inside look at Red Teaming Yves Morvan Twitter: @morvan_yves Email: Yves@securenorth.ca Agenda Introduction What is Red Teaming? VA s vs. Penetration

More information

WEB APPLICATION SCANNERS. Evaluating Past the Base Case

WEB APPLICATION SCANNERS. Evaluating Past the Base Case WEB APPLICATION SCANNERS Evaluating Past the Base Case GREG OSE PATRICK TOOMEY Presenter Intros Overview An overview of web application scanners Why is it hard to evaluate scanner efficacy? Prior Work

More information

Application vulnerabilities and defences

Application vulnerabilities and defences Application vulnerabilities and defences In this lecture We examine the following : SQL injection XSS CSRF SQL injection SQL injection is a basic attack used to either gain unauthorized access to a database

More information

Protect Your Organization from Cyber Attacks

Protect Your Organization from Cyber Attacks Protect Your Organization from Cyber Attacks Leverage the advanced skills of our consultants to uncover vulnerabilities our competitors overlook. READY FOR MORE THAN A VA SCAN? Cyber Attacks by the Numbers

More information

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM OVERVIEW The Verizon 2016 Data Breach Investigations Report highlights that attackers are regularly outpacing the defenders.

More information

SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS

SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS Contents Introduction...3 1. Research Methodology...4 2. Executive Summary...5 3. Participant Portrait...6 4. Vulnerability Statistics...8 4.1.

More information

Cybersecurity for Service Providers

Cybersecurity for Service Providers Cybersecurity for Service Providers Alexandro Fernandez, CISSP, CISA, CISM, CEH, ECSA, ISO 27001LA, ISO 27001 LI, ITILv3, COBIT5 Security Advanced Services February 2018 There are two types of companies:

More information

Framework for Application Security Testing. September 11th, 2018

Framework for Application Security Testing. September 11th, 2018 Framework for Application Security Testing September 11th, 2018 Create thousands of security tests from existing functional tests automatically Wallarm FAST enables secure CI / CD Wallarm FAST has many

More information

Vulnerabilities in online banking applications

Vulnerabilities in online banking applications Vulnerabilities in online banking applications 2019 Contents Introduction... 2 Executive summary... 2 Trends... 2 Overall statistics... 3 Comparison of in-house and off-the-shelf applications... 6 Comparison

More information

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

The SANS Institute Top 20 Critical Security Controls. Compliance Guide The SANS Institute Top 20 Critical Security Controls Compliance Guide February 2014 The Need for a Risk-Based Approach A common factor across many recent security breaches is that the targeted enterprise

More information

Copyright

Copyright 1 Security Test EXTRA Workshop : ANSWER THESE QUESTIONS 1. What do you consider to be the biggest security issues with mobile phones? 2. How seriously are consumers and companies taking these threats?

More information

Solutions Business Manager Web Application Security Assessment

Solutions Business Manager Web Application Security Assessment White Paper Solutions Business Manager Solutions Business Manager 11.3.1 Web Application Security Assessment Table of Contents Micro Focus Takes Security Seriously... 1 Solutions Business Manager Security

More information

Application. Security. on line training. Academy. by Appsec Labs

Application. Security. on line training. Academy. by Appsec Labs Application Security on line training Academy by Appsec Labs APPSEC LABS ACADEMY APPLICATION SECURITY & SECURE CODING ON LINE TRAINING PROGRAM AppSec Labs is an expert application security company serving

More information

hidden vulnerabilities

hidden vulnerabilities hidden vulnerabilities industrial networks in 30 minutes Cyber Security introduction Frank Kemeling Certified Ethical Hacker [CEH] EC-Council Certified Security Analyst [ESCA] Licensed Penetration Tester

More information

A Risk Management Platform

A Risk Management Platform A Risk Management Platform Michael Lai CISSP, CISA, MBA, MSc, BEng(hons) Territory Manager & Senior Security Sales Engineer Shift to Risk-Based Security OLD MODEL: Prevention-Based Security Prevention

More information

Hacking Web Sites OWASP Top 10

Hacking Web Sites OWASP Top 10 Hacking Web Sites OWASP Top 10 Emmanuel Benoist Spring Term 2018 Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 1 Web Security: Overview of other security risks

More information

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017 OWASP Top 10-2017 David Caissy OWASP Los Angeles Chapter July 2017 About Me David Caissy Web App Penetration Tester Former Java Application Architect IT Security Trainer: Developers Penetration Testers

More information

SIEMLESS THREAT MANAGEMENT

SIEMLESS THREAT MANAGEMENT SOLUTION BRIEF: SIEMLESS THREAT MANAGEMENT SECURITY AND COMPLIANCE COVERAGE FOR APPLICATIONS IN ANY ENVIRONMENT Evolving threats, expanding compliance risks, and resource constraints require a new approach.

More information

Course 834 EC-Council Certified Secure Programmer Java (ECSP)

Course 834 EC-Council Certified Secure Programmer Java (ECSP) Course 834 EC-Council Certified Secure Programmer Java (ECSP) Duration: 3 days You Will Learn How To Apply Java security principles and secure coding practices Java Security Platform, Sandbox, JVM, Class

More information

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management SOLUTION BRIEF CA API MANAGEMENT Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management 2 SOLUTION BRIEF ENABLE AND PROTECT YOUR WEB APPLICATIONS WITH CA API MANAGEMENT ca.com

More information

Tools For Vulnerability Scanning and Penetration Testing

Tools For Vulnerability Scanning and Penetration Testing Tools For Vulnerability Scanning and Penetration Testing becky.santos@provandv.com jack.cobb@provandv.com 2017 National Conference State Certification Testing of Voting Systems Austin, Texas wledge To

More information

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION BREACH & ATTACK SIMULATION THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION Cymulate s cyber simulation platform allows you to test your security assumptions, identify possible security gaps and receive

More information

Imperva Incapsula Website Security

Imperva Incapsula Website Security Imperva Incapsula Website Security DA T A SH E E T Application Security from the Cloud Imperva Incapsula cloud-based website security solution features the industry s leading WAF technology, as well as

More information

Fortify Software Security Content 2017 Update 4 December 15, 2017

Fortify Software Security Content 2017 Update 4 December 15, 2017 Software Security Research Release Announcement Micro Focus Security Fortify Software Security Content 2017 Update 4 December 15, 2017 About Micro Focus Security Fortify SSR The Software Security Research

More information

AKAMAI CLOUD SECURITY SOLUTIONS

AKAMAI CLOUD SECURITY SOLUTIONS AKAMAI CLOUD SECURITY SOLUTIONS Whether you sell to customers over the web, operate data centers around the world or in the cloud, or support employees on the road, you rely on the Internet to keep your

More information

October, 2012 Vol 1 Issue 8 ISSN: (Online) Web Security

October, 2012 Vol 1 Issue 8 ISSN: (Online) Web Security ISSN: 2278 0211 (Online) Web Security Katkar Anjali S. M.E.(Pursuing) in computer science and engineering walchand institute of technology, Sholapur, India Kulkarni Raj B. PhD in computer science Assistance

More information

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s Session I of III JD Nir, Security Analyst Why is this important? ISE Proprietary Agenda About ISE Web Applications

More information

Secure DevOps: A Puma s Tail

Secure DevOps: A Puma s Tail Secure DevOps: A Puma s Tail SANS Secure DevOps Summit Tuesday, October 10th 2017 Eric Johnson (@emjohn20) Eric Johnson, CISSP, GSSP, GWAPT Cypress Data Defense Principal Security Consultant Static code

More information

Product Security Program

Product Security Program Product Security Program An overview of Carbon Black s Product Security Program and Practices Copyright 2016 Carbon Black, Inc. All rights reserved. Carbon Black is a registered trademark of Carbon Black,

More information

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS 180 CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS 8.1 SUMMARY This research has focused on developing a Web Applications Secure System from Code Injection Vulnerabilities through Web Services (WAPS-CIVS),

More information

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14 Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.

More information

Vulnerability Assessments and Penetration Testing

Vulnerability Assessments and Penetration Testing CYBERSECURITY Vulnerability Assessments and Penetration Testing A guide to understanding vulnerability assessments and penetration tests. OVERVIEW When organizations begin developing a strategy to analyze

More information

THE MAIN APPLICATION SECURITY TECHNOLOGIES TO ADOPT BY 2018

THE MAIN APPLICATION SECURITY TECHNOLOGIES TO ADOPT BY 2018 THE MAIN APPLICATION SECURITY TECHNOLOGIES TO ADOPT BY 2018 1 Application Security Continues to Evolve This September, consumer credit reporting agency Equifax reported a security breach that occurred

More information

SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS

SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS 2017 Contents Introduction... 3 1. Materials and methods... 3 2. Executive summary... 4 3. Participant portrait... 5 4. Trends... 6 5. Manual web

More information

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report. Report on IRONWASP Software Product: IronWASP Description of the Product: IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing.

More information

Integrity attacks (from data to code): Cross-site Scripting - XSS

Integrity attacks (from data to code): Cross-site Scripting - XSS Pattern Recognition and Applications Lab Integrity attacks (from data to code): Cross-site Scripting - XSS Igino Corona igino.corona (at) diee.unica.it Computer Security April 12, 2018 Department of Electrical

More information

PRESENTED BY:

PRESENTED BY: PRESENTED BY: scheff@f5.com APPLICATIONS ARE The reason people use the Internet The business the target The gateway to DATA 765 Average # of Apps in use per enterprise 6 min before its scanned 1/3 If vulnerable,

More information

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited Technology Risk Management in Banking Industry Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited Change in Threat Landscape 2 Problem & Threats faced by Banking Industry

More information

Ingram Micro Cyber Security Portfolio

Ingram Micro Cyber Security Portfolio Ingram Micro Cyber Security Portfolio Ingram Micro Inc. 1 Ingram Micro Cyber Security Portfolio Services Trainings Vendors Technical Assessment General Training Consultancy Service Certification Training

More information

Hacking 102 Integrating Web Application Security Testing into Development

Hacking 102 Integrating Web Application Security Testing into Development Hacking 102 Integrating Web Application Security Testing into Development Greg Pedley - gpedley@au1.ibm.com Brett Wallace - bretwal@au1.ibm.com Denice Wong deniwong@au1.ibm.com An IBM Proof of Technology

More information