Application Security & Verification Requirements
|
|
- Jason Chase
- 5 years ago
- Views:
Transcription
1 Application Security & Verification Requirements David Jones July 2014 This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License. Contains content Copyright The OWASP Foundation.
2 Application security for custom development projects is a challenge. Working with customers to determine security requirements and balancing competing demands on a project s budget is made more difficult when there is lack of rigorous experience amongst developers with implementing secure solutions. Graded levels of security verification requirements provide a potential way to work with customers while providing the development team with a clear and directed approach to implementation and verification of the security of a system.
3 Application Security & Verification Requirements 1. Security Headlines 2. Verification Requirements Using ASVS 3. Common Web Security Risks 4. Next Steps
4 Application Security & Verification Requirements 1. Security Headlines 2. Verification Requirements Using ASVS 3. Common Web Security Risks 4. Next Steps
5 How well are internet technology firms doing?
6 Adobe Breach Impacted At Least 38 Million Users The recent data breach at Adobe that exposed user account information and prompted a flurry of password reset s impacted at least 38 million users, the company now says. It also appears that the already massive source code leak at Adobe is broadening to include the company s Photoshop family of graphical design products
7 Skype users warned of serious security problem - accounts can be hijacked with ease The Next Web describes how it managed to reproduce the attack, accessing the Skype accounts of staff by just knowing their address, and then changing the passwords of their "victims" to lock them out
8 Microsoft rushes out fix after hackers reset passwords to hack Hotmail accounts News of the critical bug spread rapidly across underground hacking forums, and Whitec0de reported earlier this week that hackers were offering to break into any Hotmail account for as little as $20
9 Cisco warns of big remote management hole in tiny routers In simple English, that means a crook could connect to your router via HTTPS and, without entering a username or password, take it over
10 OpenSSL Heartbleed Heartbleed sees first arrest in wake of Canada Revenue Agency breach
11 Apple HTTPS goto fail When you update, be sure to follow the advice below about avoiding insecure networks. The Software Update app uses the buggy Security library!
12 NSA grabbing Cisco shipments en route to be loaded up with physical spyware before they reach the end user
13 What about non-technology companies?
14 Man pleads guilty to bank fraud, 48-hour global operation netted $14 million Code Spaces shuts down following DDoS extortion, deletion of sensitive data Small businesses running cloud-based POS software hit with unique 'POSCLOUD' malware Home Depot staffers arrested, stole employee info and opened fraudulent credit cards
15 Lowe's employee info accessible online for about 10 months Computers stolen, health data compromised for 168K in L.A. Web crawlers tap data, put about 146K Indiana Univ. students at risk Phishing scam lures three Calif. physicians, patient data compromised Virginia county school data accidentally posted online
16 It seems anyone can fail Even the best funded and capable internet companies can fail with security. Smaller companies also struggle and they can also experience targeted attacks. Threats can come from staff as well as from external/network sources. Some of these failures could have been detected with a reasonably thorough development and release process.
17 Application Security & Verification Requirements 1. Security Headlines 2. Verification Requirements Using ASVS 3. Common Web Security Risks 4. Next Steps
18
19 The primary aim of the OWASP Application Security Verification Standard (ASVS) is to normalize the range in the coverage and level of rigour available in the market when it comes to performing web application security verification. The ASVS standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL This standard can be injection.1 used to establish a level of confidence in the security of Web applications.
20 The standard defines over one hundred security verification requirements. An example security requirement from the Session management area:! V2.2 Verify that sessions are invalidated when the user logs out.! The rationale for the verifications are not included in the standard, however, they are all based on common threats and security approaches, which can be found in other online resources. The requirements can be manually tested, and in some cases automatically verified through static analysis, penetration testing or functional tests.
21 V1. Authentication V8. Communication Security V2. Session Management V9. HTTP Security V3. Access Control V10. Malicious Controls V4. Input Validation V11. Business Logic V5. Cryptography (at Rest) V12. Files and Resources V6. Error Handling and Logging V13. Mobile V7. Data Protection
22
23
24
25
26 Different threats have different motivations, and some industries have unique information and technology assets as well as regulatory compliance requirements. Although some unique criteria and some differences in threats exist for each industry, a common theme throughout all industry segments is that opportunistic attackers will look for any vulnerable applications reachable through the Internet, which is why ASVS Level 1 is recommended for all Internet-accessible applications regardless of industry.
27
28
29 How could this be used? Collaborating with the customer early in the engagement to identify which of the three requirement levels best matches the risks and expectations of the solution. Consideration of the identified security requirements during the formative technical design and architecture. More rigorous security verification during story DAT and acceptance testing. And a way to deepen the knowledge of practical security skills throughout the course of the project.
30
31 Application Security & Verification Requirements 1. Security Headlines 2. Verification Requirements Using ASVS 3. Common Web Security Risks 4. Next Steps
32 The ASVS Verification Requirements opens the door to identifying a security level of an application with the customer and a way to confirm it was reached. How can this be implemented in code when the development staff have a mix of experience implementing secure solutions?
33
34 The OWASP Top 10 for 2013 is based on data that spans over 500,000 vulnerabilities across hundreds of organizations and thousands of applications. The Top 10 items are selected and prioritized according to this prevalence data, in combination with consensus estimates of exploitability, detectability, and impact estimates. The primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security weaknesses. The Top 10 provides basic techniques to protect against these high risk problem areas and also provides guidance on where to go from here. The Top 10 critical web security risks are represented at the Application Security Verification Standard (ASVS) Level 2 Standard.
35
36
37 SQL Injection using JPA String empid= req.getparameter( empid"); q = entitymanager.createquery( select e from Employee e WHERE + e.id = ' + empid + ); Expected URL: /api/employees?empid=123 Injection Example: /api/employees?empid=123 or a = a The SQL query will return details for all employees rather than a single employee.
38 Named Parameters is one way to protect against SQL Injection With JPA or Hibernate you should use Named Parameters. Named parameters are parameters in a query that are prefixed with a colon (:). Named parameters in a query are bound to an argument by the javax.persistence.query.setparameter(string name, Object value) method. For example: q = entitymanager.createquery( select e from Employee e WHERE + e.id = ':id' ); q.setparameter( id, empid); This sets the id to the empid in the SQL command and any dangerous characters should be automatically escaped by the JDBC driver.!
39
40
41
42
43
44
45
46 Application Security & Verification Requirements 1. Security Headlines 2. Verification Requirements Using ASVS 3. Common Web Security Risks 4. Next Steps
47 How could you apply verification requirements on your current project?
48 Identify which of the three verification levels (Opportunistic, Standard, or Advanced) best match the needs of your current project. Use the industry segment descriptions to guide you. The standard PDF includes some additional segments. Which verification requirements in Level One (Opportunistic) apply to your current development story? Test each of the verification requirements of Level One (Opportunistic) against your current system. For each failed requirement consider whether they should be added to your project s backlog of work. Can you explain the rationale for the inclusion of the Level One and Level Two verification requirements? Use the Top 10 list and other online resources to help you. Can you automate the verification of any of the requirements that seem significant to your project? Consider also using static analysis tools, for example those that come with Sonar as well as third party tools.
49 Application Security & Verification Requirements 1. Security Headlines 2. Verification Requirements Using ASVS 3. Common Web Security Risks 4. Next Steps Questions?!
50 Appendix - Resources
51 A. Resources OWASP Application Security Verification Standard Project Category:OWASP_Application_Security_Verification_Standard_Project ASVS 2.0 beta used by presentation Creative Commons Attribution ShareAlike 3.0 OWASP Top Ten Creative Commons Attribution ShareAlike 3.0
52 Appendix - A9 Components with Vulnerabilities
53 B. Components with vulnerabilities 88% of code in today s applications come from libraries and frameworks 31 most popular Java frameworks/libs 26% had known vulnerabilities
54
55
56
57 Dependency-Checker Tool Dependency-check scans directories and files and if it contains an Analyzer that can scan a particular file type then information from the file is collected. This information is then used to identify the Common Platform Enumeration (CPE). If a CPE is identified a listing of associated Common Vulnerability and Exposure (CVE) entries are listed in a report Analyzes Java &.Net libraries Triggered by CLI, Ant Task, Maven Plugin, and Jenkins plugin
58
59
Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any
OWASP Top 10 Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any tester can (and should) do security testing
More informationCopyright
1 Security Test EXTRA Workshop : ANSWER THESE QUESTIONS 1. What do you consider to be the biggest security issues with mobile phones? 2. How seriously are consumers and companies taking these threats?
More informationOWASP Top 10 The Ten Most Critical Web Application Security Risks
OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain
More informationSECURITY TESTING. Towards a safer web world
SECURITY TESTING Towards a safer web world AGENDA 1. 3 W S OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS ate: 2013-14 Few Security Breaches September
More informationWeb Application Security. Philippe Bogaerts
Web Application Security Philippe Bogaerts OWASP TOP 10 3 Aim of the OWASP Top 10 educate developers, designers, architects and organizations about the consequences of the most common web application security
More informationTHREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda
THREAT MODELING IN SOCIAL NETWORKS Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda INTRODUCTION Social Networks popular web service. 62% adults worldwide use social media 65% of world top companies
More informationFeaturing. and. Göteborg. Ulf Larson Thursday, October 24, 13
Featuring and Göteborg OWASP top ten 2013 Based on risk data from eight firms that specialize in application security, This data spans over 500,000 vulnerabilities across hundreds of organizations and
More informationDeveloping Secure Systems. Associate Professor
Developing Secure Systems Introduction Aug 27, 2014 James Joshi, Associate Professor Contact t James Joshi 706A, IS Building Phone: 412-624-9982 E-mail: jjoshi@mail.sis.pitt.edu Web: http://www.sis.pitt.edu/~jjoshi/courses/is2620/fall14/
More informationCSWAE Certified Secure Web Application Engineer
CSWAE Certified Secure Web Application Engineer Overview Organizations and governments fall victim to internet based attacks every day. In many cases, web attacks could be thwarted but hackers, organized
More informationC1: Define Security Requirements
OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security
More informationAttacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14
Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.
More informationKeep the Door Open for Users and Closed to Hackers
Keep the Door Open for Users and Closed to Hackers A Shift in Criminal Your Web site serves as the front door to your enterprise for many customers, but it has also become a back door for fraudsters. According
More informationProfessional Services Overview
Professional Services Overview Internet of Things (IoT) Security Assessment and Advisory Services IOT APPLICATION MOBILE CLOUD NETWORK Company Overview HISTORY HISTORY Founded in 2010 Headquartered in
More informationEthical Hacking and Prevention
Ethical Hacking and Prevention This course is mapped to the popular Ethical Hacking and Prevention Certification Exam from US-Council. This course is meant for those professionals who are looking for comprehensive
More information10 FOCUS AREAS FOR BREACH PREVENTION
10 FOCUS AREAS FOR BREACH PREVENTION Keith Turpin Chief Information Security Officer Universal Weather and Aviation Why It Matters Loss of Personally Identifiable Information (PII) Loss of Intellectual
More informationSecure Agile How to make secure applications using Agile Methods Thomas Stiehm, CTO
Secure Agile How to make secure applications using Agile Methods Thomas Stiehm, CTO tom.stiehm@coveros.com 1 About Coveros Coveros helps organizations accelerate the delivery of business value through
More informationTrustwave Managed Security Testing
Trustwave Managed Security Testing SOLUTION OVERVIEW Trustwave Managed Security Testing (MST) gives you visibility and insight into vulnerabilities and security weaknesses that need to be addressed to
More informationSecurity and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web
Security and Privacy SWE 432, Fall 2016 Design and Implementation of Software for the Web Today Security What is it? Most important types of attacks Privacy For further reading: https://www.owasp.org/index.php/
More informationSecurity Solutions. Overview. Business Needs
Security Solutions Overview Information security is not a one time event. The dynamic nature of computer networks mandates that examining and ensuring information security be a constant and vigilant effort.
More informationBest Practices Guide to Electronic Banking
Best Practices Guide to Electronic Banking City Bank & Trust Company offers a variety of services to our customers. As these services have evolved over time, a much higher percentage of customers have
More informationANZTB SIGIST May 2011 Perth OWASP How minor vulnerabilities can do very bad things. OWASP Wednesday 25 th May The OWASP Foundation
ANZTB SIGIST May 2011 Perth OWASP How minor vulnerabilities can do very bad things Christian Frichot / David Taylor (Some of) Perth OWASP s Chapter Leads OWASP Wednesday 25 th May 2011 Copyright The OWASP
More informationSecuring Cloud Applications with a Distributed Web Application Firewall Riverbed Technology
Securing Cloud Applications with a Distributed Web Application Firewall www.riverbed.com 2013 Riverbed Technology Primary Target of Attack Shifting from Networks and Infrastructure to Applications NETWORKS
More informationCross-site request forgery Cross-site scripting Man-in-the-browser Session hijacking Malware Man-in-the-middle DNS cache poisoning DNS spoofing DNS hijacking Dictionary attacks DDoS DDoS Eavesdropping
More informationNOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect
NOTHING IS WHAT IT SIEMs: COVER PAGE Simpler Way to Effective Threat Management TEMPLATE Dan Pitman Principal Security Architect Cybersecurity is harder than it should be 2 SIEM can be harder than it should
More informationDIGITAL ACCOUNTANCY FORUM CYBER SESSION. Sheila Pancholi Partner, Technology Risk Assurance
DIGITAL ACCOUNTANCY FORUM CYBER SESSION Sheila Pancholi Partner, Technology Risk Assurance Section 1: The background World s biggest data breaches 10 years ago 2007 2006 accidentally published hacked inside
More informationNET 311 INFORMATION SECURITY
NET 311 INFORMATION SECURITY Networks and Communication Department Lec12: Software Security / Vulnerabilities lecture contents: o Vulnerabilities in programs Buffer Overflow Cross-site Scripting (XSS)
More informationThe Top 6 WAF Essentials to Achieve Application Security Efficacy
The Top 6 WAF Essentials to Achieve Application Security Efficacy Introduction One of the biggest challenges IT and security leaders face today is reducing business risk while ensuring ease of use and
More informationPCI Compliance. What is it? Who uses it? Why is it important?
PCI Compliance What is it? Who uses it? Why is it important? Definitions: PCI- Payment Card Industry DSS-Data Security Standard Merchants Anyone who takes a credit card payment 3 rd party processors companies
More informationDefend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title
Defend Your Web Applications Against the OWASP Top 10 Security Risks Speaker Name, Job Title Application Security Is Business Continuity Maintain and grow revenue Identify industry threats Protect assets
More informationPenetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant
Penetration Testing following OWASP Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant За Лирекс Penetration testing A method of compromising the security of a computer system or network by
More informationAguascalientes Local Chapter. Kickoff
Aguascalientes Local Chapter Kickoff juan.gama@owasp.org About Us Chapter Leader Juan Gama Application Security Engineer @ Aspect Security 9+ years in Appsec, Testing, Development Maintainer of OWASP Benchmark
More informationUnder the hood testing - Code Reviews - - Harshvardhan Parmar
Under the hood testing - Code Reviews - - Harshvardhan Parmar In the news September 2011 A leading bank s Database hacked (SQLi) June 2011 Sony hack exposes consumer passwords (SQLi) April 2011 Sony sites
More informationEmployee Security Awareness Training
Employee Security Awareness Training September 2016 Purpose Employees have access to sensitive data through the work they perform for York. Examples of sensitive data include social security numbers, medical
More informationCISO Success Strategies: On Becoming a Security Business Leader
SESSION ID: CXO W03 CISO Success Strategies: On Becoming a Security Business Leader Frank Kim CISO SANS Institute @fykim Outline Build Your Business Case Rocket Your Relationships Master Your Message 2
More informationMitigating Security Breaches in Retail Applications WHITE PAPER
Mitigating Security Breaches in Retail Applications WHITE PAPER Executive Summary Retail security breaches have always been a concern in the past, present and will continue to be in the future. They have
More informationSecurity Communications and Awareness
Security Communications and Awareness elearning OVERVIEW Recent high-profile incidents underscore the need for security awareness training. In a world where your employees are frequently exposed to sophisticated
More informationHP 2012 Cyber Security Risk Report Overview
HP 2012 Cyber Security Risk Report Overview September 2013 Paras Shah Software Security Assurance - Canada Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject
More information90% of data breaches are caused by software vulnerabilities.
90% of data breaches are caused by software vulnerabilities. Get the skills you need to build secure software applications Secure Software Development (SSD) www.ce.ucf.edu/ssd Offered in partnership with
More informationFortify Software Security Content 2017 Update 4 December 15, 2017
Software Security Research Release Announcement Micro Focus Security Fortify Software Security Content 2017 Update 4 December 15, 2017 About Micro Focus Security Fortify SSR The Software Security Research
More informationThe SANS Institute Top 20 Critical Security Controls. Compliance Guide
The SANS Institute Top 20 Critical Security Controls Compliance Guide February 2014 The Need for a Risk-Based Approach A common factor across many recent security breaches is that the targeted enterprise
More informationAURA ACADEMY Training With Expertised Faculty Call Us On For Free Demo
ETHICAL HACKING (CEH) CURRICULUM Introduction to Ethical Hacking What is Hacking? Who is a Hacker? Skills of a Hacker? Types of Hackers? What are the Ethics and Legality?? Who are at the risk of Hacking
More informationApplication Security through a Hacker s Eyes James Walden Northern Kentucky University
Application Security through a Hacker s Eyes James Walden Northern Kentucky University waldenj@nku.edu Why Do Hackers Target Web Apps? Attack Surface A system s attack surface consists of all of the ways
More informationProtecting Against Online Fraud. F5 EMEA Webinar August 2014
Protecting Against Online Fraud F5 EMEA Webinar August 2014 Agenda Fraud threat trends and business challenges Web fraud protection Mobile fraud protection Security operations center Example architecture
More informationTHE BUSINESS CASE FOR OUTSIDE-IN DATA CENTER SECURITY
THE BUSINESS CASE FOR OUTSIDE-IN DATA CENTER SECURITY DATA CENTER WEB APPS NEED MORE THAN IP-BASED DEFENSES AND NEXT-GENERATION FIREWALLS table of contents.... 2.... 4.... 5 A TechTarget White Paper Does
More informationAchieving End-to-End Security in the Internet of Things (IoT)
Achieving End-to-End Security in the Internet of Things (IoT) Optimize Your IoT Services with Carrier-Grade Cellular IoT June 2016 Achieving End-to-End Security in the Internet of Things (IoT) Table of
More information"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary
Course Summary Description Securing.Net Web Applications - Lifecycle is a lab-intensive, hands-on.net security training course, essential for experienced enterprise developers who need to produce secure.net-based
More informationCertified Secure Web Application Engineer
Certified Secure Web Application Engineer ACCREDITATIONS EXAM INFORMATION The Certified Secure Web Application Engineer exam is taken online through Mile2 s Assessment and Certification System ( MACS ),
More informationExploiting and Defending: Common Web Application Vulnerabilities
Exploiting and Defending: Common Web Application Vulnerabilities Introduction: Steve Kosten Principal Security Consultant SANS Instructor Denver OWASP Chapter Lead Certifications CISSP, GWAPT, GSSP-Java,
More informationRiskSense Attack Surface Validation for Web Applications
RiskSense Attack Surface Validation for Web Applications 2018 RiskSense, Inc. Keeping Pace with Digital Business No Excuses for Not Finding Risk Exposure We needed a faster way of getting a risk assessment
More informationIBM Future of Work Forum
IBM Cognitive IBM Future of Work Forum The Engaged Enterprise Comes Alive Improving Organizational Collaboration and Efficiency While Enhancing Security on Mobile and Cloud Apps Chris Hockings IBM Master
More informationProtect Your Organization from Cyber Attacks
Protect Your Organization from Cyber Attacks Leverage the advanced skills of our consultants to uncover vulnerabilities our competitors overlook. READY FOR MORE THAN A VA SCAN? Cyber Attacks by the Numbers
More informationCybersecurity Today Avoid Becoming a News Headline
Cybersecurity Today 2017 Avoid Becoming a News Headline Topics Making News Notable Incidents Current State of Affairs Common Points of Failure Three Quick Wins How to Prepare for and Respond to Cybersecurity
More informationApplication Security. Doug Ashbaugh CISSP, CISA, CSSLP. Solving the Software Quality Puzzle
Application Security Doug Ashbaugh CISSP, CISA, CSSLP Page 1 It security Page 2 Page 3 Percent of Breaches Page 4 Hacking 5% 15% 39% Page 5 Common Attack Pathways Page 6 V u ln e ra b ilitie s / We a k
More informationMobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing
Mobile Malfeasance Exploring Dangerous Mobile Code Jason Haddix, Director of Penetration Testing Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to
More informationTHE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT. August prevoty.com. August 2015
THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT 2 EXECUTIVE SUMMARY The growth of enterprise-developed applications has made it easier for businesses to use technology to work more efficiently and productively.
More informationWhy bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?
Jeroen van Beek 1 Why bother? Causes of data breaches OWASP Top ten attacks Now what? Do it yourself Questions? 2 In many cases the web application stores: Credit card details Personal information Passwords
More informationTrustwave Managed Security Testing
Trustwave Managed Security Testing DON T GUESS. TEST. Trustwave Managed Security Testing reveals your vulnerabilities and alerts you to the consequences of exploitation. If you re concerned about cyberattacks
More information10 Cybersecurity Questions for Bank CEOs and the Board of Directors
4 th Annual UBA Bank Executive Winter Conference February, 2015 10 Cybersecurity Questions for Bank CEOs and the Board of Directors Dr. Kevin Streff Founder, Secure Banking Solutions 1 Board of Directors
More informationThis ethical hacking course puts you in the driver's seat of a hands-on environment with a systematic process.
EC Council Certified Ethical Hacker V9 This ethical hacking course puts you in the driver's seat of a hands-on environment with a systematic process. Here, you will be exposed to an entirely different
More informationCyber Insurance: What is your bank doing to manage risk? presented by
Cyber Insurance: What is your bank doing to manage risk? David Kitchen presented by Lisa Micciche Today s Agenda Claims Statistics Common Types of Cyber Attacks Typical Costs Incurred to Respond to an
More informationExposing The Misuse of The Foundation of Online Security
Exposing The Misuse of The Foundation of Online Security HLA ID: 90FZSBZFZSB 56BVCXVBVCK 23YSLUSYSLI 01GATCAGATC Cyber space is very similar to organic realm Keys & certificates are like HLA tags But,
More informationEngineering Your Software For Attack
Engineering Your Software For Attack Robert A. Martin Senior Principal Engineer Cyber Security Center Center for National Security The MITRE Corporation 2013 The MITRE Corporation. All rights reserved.
More informationCAMSCANNER TURN YOUR PHONE AND TABLET INTO SCANNER FOR
PDF NESSUS VULNERABILITY SCANNER - BASICS - SECURITYLEARN CAMSCANNER TURN YOUR PHONE AND TABLET INTO SCANNER FOR 1 / 6 2 / 6 3 / 6 website vulnerability scanner pdf Basics vulnerability scanning with NESSUS...
More informationSecurity Communications and Awareness
Security Communications and Awareness elearning OVERVIEW Recent high-profile incidents underscore the need for security awareness training. In a world where your employees are frequently exposed to sophisticated
More informationINTERACTIVE APPLICATION SECURITY TESTING (IAST)
WHITEPAPER INTERACTIVE APPLICATION SECURITY TESTING (IAST) Software affects virtually every aspect of an individual s finances, safety, government, communication, businesses, and even happiness. Individuals
More informationEntertaining & Effective Security Awareness Training
Entertaining & Effective Security Awareness Training www.digitaldefense.com Technology Isn t Enough Improve Security with a Fun Training Program that Works! Social engineering, system issues and employee
More informationOWASP Top David Caissy OWASP Los Angeles Chapter July 2017
OWASP Top 10-2017 David Caissy OWASP Los Angeles Chapter July 2017 About Me David Caissy Web App Penetration Tester Former Java Application Architect IT Security Trainer: Developers Penetration Testers
More informationCyber-Threats and Countermeasures in Financial Sector
Michael Mavroforakis, PhD Group CISO & CDO SEV: Workshop on Digital Enablers (Cloud & Cybersecurity) 27th March 2018 Agenda: CYBERSECURITY Potential Targets Attack Examples Insider vs Outsider Threats
More informationThe requirements were developed with the following objectives in mind:
FOREWORD This document defines four levels of application security verification. Each level includes a set of requirements for verifying the effectiveness of security controls that protect web applications
More informationTechnology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited
Technology Risk Management in Banking Industry Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited Change in Threat Landscape 2 Problem & Threats faced by Banking Industry
More informationAttacks Against Websites. Tom Chothia Computer Security, Lecture 11
Attacks Against Websites Tom Chothia Computer Security, Lecture 11 A typical web set up TLS Server HTTP GET cookie Client HTML HTTP file HTML PHP process Display PHP SQL Typical Web Setup HTTP website:
More informationFTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.
FTA 2017 SEATTLE Cybersecurity and the State Tax Threat Environment 1 Agenda Cybersecurity Trends By the Numbers Attack Trends Defensive Trends State and Local Intelligence What Can You Do? 2 2016: Who
More informationOWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati
OWASP TOP 10 2017 Release Andy Willingham June 12, 2018 OWASP Cincinnati Agenda A quick history lesson The Top 10(s) Web Mobile Privacy Protective Controls Why have a Top 10? Software runs the world (infrastructure,
More informationStreamline IT with Secure Remote Connection and Password Management
Streamline IT with Secure Remote Connection and Password Management Table of Contents Introduction Identifying IT pain points Selecting a secure remote connection and password management solution Turning
More informationQUICK WINS: Why You Must Get Defensive About Application Security
QUICK WINS: Why You Must Get Defensive About Application Security IN TODAY S COMPETITIVE BUSINESS ENVIRONMENT, DEMONSTRATING IMMEDIATE PAYOFFS WILL HELP YOU PROVE JUST HOW VALUABLE AN APPLICATION SECURITY
More informationDon t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel
Don t blink or how to create secure software Bozhidar Bozhanov, CEO @ LogSentinel About me Senior software engineer and architect Founder & CEO @ LogSentinel Former IT and e-gov advisor to the deputy prime
More informationTRAINING CURRICULUM 2017 Q2
TRAINING CURRICULUM 2017 Q2 Index 3 Why Security Compass? 4 Discover Role Based Training 6 SSP Suites 7 CSSLP Training 8 Course Catalogue 14 What Can We Do For You? Why Security Compass? Role-Based Training
More informationDevelopment*Process*for*Secure* So2ware
Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development
More informationThe Credential Phishing Handbook. Why It Still Works and 4 Steps to Prevent It
The Credential Phishing Handbook Why It Still Works and 4 Steps to Prevent It Introduction Phishing is more than 20 years old, but still represents more than 90% of targeted attacks. The reason is simple:
More informationWho We Are! Natalie Timpone
Who We Are! Natalie Timpone Manager of Security Business Management Office Enterprise Security Awareness Manager Carmelo Walsh Security, Risk, and Compliance Security Awareness Subject Matter Expert Who
More informationData Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle
Data Security and Privacy : Compliance to Stewardship Jignesh Patel Solution Consultant,Oracle Agenda Connected Government Security Threats and Risks Defense In Depth Approach Summary Connected Government
More informationProtecting Against Modern Attacks. Protection Against Modern Attack Vectors
Protecting Against Modern Attacks Protection Against Modern Attack Vectors CYBER SECURITY IS A CEO ISSUE. - M C K I N S E Y $4.0M 81% >300K 87% is the average cost of a data breach per incident. of breaches
More informationAutomating the Top 20 CIS Critical Security Controls
20 Automating the Top 20 CIS Critical Security Controls SUMMARY It s not easy being today s CISO or CIO. With the advent of cloud computing, Shadow IT, and mobility, the risk surface area for enterprises
More informationSecuring Today s Mobile Workforce
WHITE PAPER Securing Today s Mobile Workforce Secure and Manage Mobile Devices and Users with Total Defense Mobile Security Table of Contents Executive Summary..................................................................................
More informationHave breaches declined since the massive Heartland Payments leak in 2008? What proportion of breaches are the result of hacking?
The financial sector struggles with data leakage in part because many such organizations rely on dinosaurs - security solutions that struggle to protect data outside the corporate network. These orgs also
More informationFlorida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government
Florida Government Finance Officers Association Staying Secure when Transforming to a Digital Government Agenda Plante Moran Introductions Technology Pressures and Challenges Facing Government Technology
More informationPanda Security 2010 Page 1
Panda Security 2010 Page 1 Executive Summary The malware economy is flourishing and affecting both consumers and businesses of all sizes. The reality is that cybercrime is growing exponentially in frequency
More informationTop 10 Application Security Vulnerabilities in Web.config Files Part One
Top 10 Application Security Vulnerabilities in Web.config Files Part One By Bryan Sullivan These days, the biggest threat to an organization s network security comes from its public Web site and the Web-based
More informationWayward Wi-Fi. How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk
Wayward Wi-Fi How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk 288 MILLION There are more than 288 million unique Wi-Fi networks worldwide. Source: Wireless Geographic Logging
More informationMeeting PCI DSS 3.2 Compliance with RiskSense Solutions
Meeting PCI DSS 3.2 Compliance with Solutions Platform the industry s most comprehensive, intelligent platform for managing cyber risk. 2018, Inc. What s Changing with PCI DSS? Summary of PCI Business
More informationAre You Avoiding These Top 10 File Transfer Risks?
Are You Avoiding These Top 10 File Transfer Risks? 1. 2. 3. 4. Today s Agenda Introduction 10 Common File Transfer Risks Brief GoAnywhere MFT Overview Question & Answer HelpSystems Corporate Overview.
More informationWeak Spots Enterprise Mobility Management. Dr. Johannes Hoffmann
Weak Spots Enterprise Mobility Management Dr. Johannes Hoffmann Personal details TÜV Informationstechnik GmbH TÜV NORD GROUP Dr. Johannes Hoffmann IT Security Business Security & Privacy Main focus: Mobile
More informationWordPress Security Plugins vs. WAF Services. A Comparative Test of WAF Accuracy in Security Solutions
WordPress Security Plugins vs. WAF Services A Comparative Test of WAF Accuracy in Security Solutions Contents Abstract... 3 Introduction... 3 WAF Evaluation Criteria... 4 Results... 5 Pattern Analysis...
More informationSecurity+ Guide to Network Security Fundamentals, Third Edition. Chapter 1 Introduction to Security
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 1 Introduction to Security Objectives Describe the challenges of securing information Define information security and explain why
More informationUnique Phishing Attacks (2008 vs in thousands)
The process of attempting to acquire sensitive information, such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. In the 2 nd half
More informationQualys Cloud Platform
Qualys Cloud Platform Quick Tour The Qualys Cloud Platform is a platform of integrated solutions that provides businesses with asset discovery, network security, web application security, threat protection
More informationAll the Latest Data Security News. Best Practices and Compliance Information From the PCI Council
All the Latest Data Security News Best Practices and Compliance Information From the PCI Council 1 What is the PCI Security Standards Council? Collaboration Education Simplified solutions for merchants
More informationCSCD 303 Essential Computer Security Fall 2017
CSCD 303 Essential Computer Security Fall 2017 Lecture 18a XSS, SQL Injection and CRSF Reading: See links - End of Slides Overview Idea of XSS, CSRF and SQL injection is to violate the security of the
More informationManaging IT Risk: What Now and What to Look For. Presented By Tina Bode IT Assurance Services
Managing IT Risk: What Now and What to Look For Presented By Tina Bode IT Assurance Services Agenda 1 2 WHAT TOP TEN IT SECURITY RISKS YOU CAN DO 3 QUESTIONS 2 IT S ALL CONNECTED Introduction All of our
More informationSecuring Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software
Securing Your Web Application against security vulnerabilities Alvin Wong, Brand Manager IBM Rational Software Agenda Security Landscape Vulnerability Analysis Automated Vulnerability Analysis IBM Rational
More information