Click to edit Master text styles

Size: px
Start display at page:

Download "Click to edit Master text styles"

Transcription

1 Frederik Weidemann TITEL bearbeiten Dr. Markus Schumacher Five years of ABAP TM -Code-Reviews A retrospective Virtual Forge GmbH All rights reserved.

2 TITEL About bearbeiten BIZEC

3 TITEL About bearbeiten me Frederik Click to Weidemann edit Master text styles Product Second Owner level CodeProfiler SAP Security Researcher, active since 2005 Speaker at various conferences (RSA, OWASP, DSAG) Trainer for Secure ABAP Programming Co-Author of "Secure ABAP Programming" (SAP Press)

4 CONTENTS TITEL bearbeiten 1. Typical Click to edit attack Master surface text of styles ABAP applications 2. BIZEC APP/11 - Examples of common / critical security defects in ABAP applications 3. Lessons learned for the developer, QA team and the C-level

5 TITEL This talk bearbeiten is related to metrics

6 TITEL This talk bearbeiten is related to metrics

7 TITEL Let s talk bearbeiten about data Benchmarking the real world b/0/09/datatng.jpg/250px-datatng.jpg Results anonymized 24 fresh scans with CodeProfiler on systems of 24 different customers that just started with Code Audits All issues are related to custom coding in either Y*,Z* or 3 rd party namespaces Data acquired between Q4/2011 and Q1/2012

8 TITEL ABAP bearbeiten - Attack Surface

9 TITEL Definitions bearbeiten Click to edit Master text styles Average Mean: AM = 1 n n i=1 Median: The middle Fourth value level that separates the higher half x i from the lower half of the data set LOC = Lines of Code (without comments and empty lines) KLOC = Kilo LOC

10 TITEL The average bearbeiten project within our data Metric Average Median Source Code Lines (LOC) (no blank Second and comment level lines) Comments Inline Comments Percentage of Comments in analyzed Lines 28,54% 28% Pragmas Average Module Size (LOC) 52,33 52,5 Statements Overall Cyclomatic Complexity

11 ABAP Module Metrics TITEL bearbeiten the average project Metric Average Median Packages Classes Function Second Groups level BSP Applications 4 0 BSP Pages 31 0 Web Dynpros 3 0 WD Components 19 0 SAP Enhancements (All) Fifth level SAP Enhancements - User-Exits SAP Enhancements - User-Exits - Within Projects SAP Enhancements - BAdIs Modules (All) Modules Methods Modules - Function Modules Modules Programs Modules Forms Modules - Includes

12 TITEL Security bearbeiten Metrics the average project Metric Average Median Authority Checks Function Modules (RFC) RFC Calls to Server Sources (Total) Sources - Untrusted (HTTP) Sources - Untrusted (SAPGUI) Sources - Untrusted (RFC) Sources - Untrusted (FTP) 3 0 Sources - Untrusted (Indirect via file or OS)

13 TITEL The attack bearbeiten surface Click Mainly to SAP edit GUI Master & RFC text styles Lessons learned from SAP Basis Audits: The average SAP key user has S_RFC = * assigned Attack surface: Metric Average Median Sources per Module ~0,60 ~0,58 approx. every second module processes at least one external input

14 TITEL bearbeiten BIZEC APP/11 Examples of common / critical security defects in ABAP applications

15 TITEL BIZEC bearbeiten APP/ ID Defect Description APP-01 ABAP Command Injection Execution of arbitrary ABAP Code APP-02 OS Command Injection Execution of arbitrary Operating System Commands APP-03 Improper Authorization (Missing, Broken, Proprietary, Generic) Missing or erroneous Authorization Checks APP-04 Generic Module Execution Unauthorized Execution of Modules (Reports, FuMo, etc.) APP-05 Cross-Client Database Access Cross-Client Access to Business Data APP-06 SQL Injection Malicious Manipulation of Database Commands APP-07 Unmanaged SQL Usage of native SQL Commands APP-08 Cross-Site Scripting Manipulation of Browser UI, Authorization Theft APP-09 Cross-Site Request Forgery Execution of Business Logic in the Name of a different User. APP-10 File Upload (Malware) Storage of malicious Files on an SAP Server APP-11 Directory Traversal Unauthorized read/write Access to Files (SAP Server)

16 TITEL Ugly statistic bearbeiten ahead Click C-3PO: to edit Master text styles "Sir, the possibility of successfully navigating an asteroid field is approximately 3,720 to 1! Han Solo: "Never tell me the odds."

17 Vulnerabilities per KLOC TITEL APP/11 bearbeiten Hit Density CodeProfiler vulnerabilities per KLOC 2,5 2 1,5 1 APP/11 Vulnerabilities per KLOC 0,5 0 Series Series Series 16 Series 13 Series 10 Series 7 Series 4 Series 1

18 Vulnerabilites per KLOC TITEL Top 10 bearbeiten Security Findings CodeProfiler vulnerabilities per KLOC 0,4 0,35 0,3 0,25 0,2 0,15 0,1 0,05 0 Median Average Directory Traversal (Write) happens more often than Directory Traversal (Read)

19 TITEL Top 7 bearbeiten Compliance CodeProfiler vulnerabilities per KLOC 0, , , , , , , , Median Average Average Median

20 TITEL Top 10 bearbeiten Performance CodeProfiler vulnerabilities per KLOC 0, , , , , , , , , , Median Average Average Median

21 TITEL WTF/Minute? bearbeiten = WTF?

22 TITEL Parsing bearbeiten the input LOCs per vulnerability Category Average Median APP-01 ABAP Command Injection APP-02 OS Command Injection n/a n/a APP-03 Improper Authorization APP-04 Generic Module Execution APP-05 Cross-Client Database Access APP-06 SQL Injection APP-07 Unmanaged SQL APP-08 Cross-Site Scripting APP-09 Cross-Site Request Forgery n/a n/a APP-10 File Upload (Malware) APP-11 Directory Traversal Improper Authorizations and Directory Traversal are the issues most often found APP-02: No issues detected in current dataset (different CodeProfiler test case) APP-08: Almost no issues detected in current dataset (only 3 proj. with small Web-Apps) APP-09: Not yet detected with CP central SAP Note available to fix the framework: SAP Note

23 TITEL bearbeiten Lessons learned for the developer, QA team Click and to edit the Master C-level text styles

24 TITEL Lessons bearbeiten learned Click The sad to edit story Master about text a common styles misunderstanding Before the analysis 95,83% of the customers thought they re secure

25 TITEL Lessons bearbeiten learned cont d GRC tools show green : but it s not only about SOD and authorizations Even Third if it is, level people made mistakes in authorizations every 1892 LOC in our Fourth set level The current average scan report has a 62,5% likelihood of having at least 1 ABAP command injection ( complete system compromise) 100% of the projects have authorization issues with CALL TRANSACTION 95,83% of the projects have Directory Traversal issues (Read or Write) jpg

26 TITEL Lessons bearbeiten learned cont d If management isn t security aware then you re lost Awareness <> Finding bugs Finding bugs <> Fixing the bugs Fixing bugs is a lot of unexpected extra work Determining whether a bug is a false positive requires decent security knowledge from an analyst Prioritize and get rid of bugs as early as possible in your SDLC* *SDLC = Software Development Life Cycle

27 TITEL How to bearbeiten mitigate the threats Click Consider to edit application Master text security styles in ABAP projects Provide secure ABAP development guidelines Define ABAP security requirements Internally For 3 rd parties Perform (automated) ABAP code audits before putting an application into production

28 TITEL Go, get bearbeiten some data =)

29 TITEL Live Demos bearbeiten DEMO RFC

30 TITEL Live Demos bearbeiten DEMO RFC for fun and profit

31 TITEL RFC for bearbeiten fun and profit Click Patch to available edit Master since text December styles 2010 Patched with SAP Note:

32 TITEL Live Demos bearbeiten RFC Architectural Issues

33 TITEL Executing bearbeiten Operating System Commands SXPG_COMMAND_EXECUTE SXPG_COMMAND_EXECUTE_LONG SXPG_STEP_COMMAND_START SXPG_COMMAND_CHECK SXPG_COMMAND_GET Resolve OS alias RFC RFC RFC RFC RFC check_execute_authority Check authorization of user SXPG_STEP_XPG_START Execute resolved OS command RFC

34 TITEL Defense bearbeiten in Depth? SXPG_COMMAND_EXECUTE SXPG_COMMAND_EXECUTE_LONG SXPG_STEP_COMMAND_START SXPG_COMMAND_CHECK SXPG_COMMAND_GET Resolve OS alias check_execute_authority Check authorization of user RFC Execute OS command (ALIAS) with authorization check RFC RFC RFC RFC SXPG_STEP_XPG_START Execute resolved OS command RFC

35 TITEL How To bearbeiten Mitigate The Threat Click All SAP to edit releases Master were text affected styles Patch available since Feb 2011 Apply SAP Note

36 TITEL Live Demos bearbeiten DEMO SAP Gui Attack

37 TITEL SAP GUI bearbeiten Attack Click Patch to available edit Master since text August styles 2011 Patched with SAP Note:

38 TITEL bearbeiten Contact Frederik Weidemann Virtual Forge GmbH Speyerer Str Heidelberg Tel /

Mobile Trends And The New Threats Is Your SAP System Vulnerable to Cyber Attacks? Stephen Lamy, Virtual Forge

Mobile Trends And The New Threats Is Your SAP System Vulnerable to Cyber Attacks? Stephen Lamy, Virtual Forge Mobile Trends And The New Threats Is Your SAP System Vulnerable to Cyber Attacks? Stephen Lamy, Virtual Forge Agenda Mobile Trends and The New Threats The Forgotten Layer Benchmarks of Defects in Custom

More information

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0 Welcome BIZEC Roundtable @ IT Defense, Berlin SAP Security BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0 February 1, 2013 Andreas Wiegenstein CTO, Virtual Forge 2 SAP Security SAP security is a complex

More information

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software Securing Your Web Application against security vulnerabilities Alvin Wong, Brand Manager IBM Rational Software Agenda Security Landscape Vulnerability Analysis Automated Vulnerability Analysis IBM Rational

More information

Aguascalientes Local Chapter. Kickoff

Aguascalientes Local Chapter. Kickoff Aguascalientes Local Chapter Kickoff juan.gama@owasp.org About Us Chapter Leader Juan Gama Application Security Engineer @ Aspect Security 9+ years in Appsec, Testing, Development Maintainer of OWASP Benchmark

More information

OWASP Top 10 The Ten Most Critical Web Application Security Risks

OWASP Top 10 The Ten Most Critical Web Application Security Risks OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain

More information

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED AUTOMATED CODE ANALYSIS WEB APPLICATION VULNERABILITIES IN 2017 CONTENTS Introduction...3 Testing methods and classification...3 1. Executive summary...4 2. How PT AI works...4 2.1. Verifying vulnerabilities...5

More information

Managed Application Security trends and best practices in application security

Managed Application Security trends and best practices in application security Managed Application Security trends and best practices in application security Adrian Locusteanu, B2B Delivery Director, Telekom Romania adrian.locusteanu@telekom.ro About Me Adrian Locusteanu is the B2B

More information

90% of data breaches are caused by software vulnerabilities.

90% of data breaches are caused by software vulnerabilities. 90% of data breaches are caused by software vulnerabilities. Get the skills you need to build secure software applications Secure Software Development (SSD) www.ce.ucf.edu/ssd Offered in partnership with

More information

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati OWASP TOP 10 2017 Release Andy Willingham June 12, 2018 OWASP Cincinnati Agenda A quick history lesson The Top 10(s) Web Mobile Privacy Protective Controls Why have a Top 10? Software runs the world (infrastructure,

More information

Case Study: The Evolution of EMC s Product Security Office. Dan Reddy, CISSP, CSSLP EMC Product Security Office

Case Study: The Evolution of EMC s Product Security Office. Dan Reddy, CISSP, CSSLP EMC Product Security Office Case Study: The Evolution of EMC s Product Security Office Dan Reddy, CISSP, CSSLP EMC Product Security Office 1 The Evolution of EMC Product Security 2000-2004 2005-2009 2010-Beyond External Drivers Hackers

More information

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s Session I of III JD Nir, Security Analyst Why is this important? ISE Proprietary Agenda About ISE Web Applications

More information

TestBraindump. Latest test braindump, braindump actual test

TestBraindump.   Latest test braindump, braindump actual test TestBraindump http://www.testbraindump.com Latest test braindump, braindump actual test Exam : CS0-001 Title : CompTIA Cybersecurity Analyst (CySA+) Exam Vendor : CompTIA Version : DEMO Get Latest & Valid

More information

WHITEHAT SECURITY. T.C. NIEDZIALKOWSKI Technical Evangelist. DECEMBER 2012

WHITEHAT SECURITY. T.C. NIEDZIALKOWSKI Technical Evangelist. DECEMBER 2012 WHITEHAT SECURITY DECEMBER 2012 T.C. NIEDZIALKOWSKI Technical Evangelist tc@whitehatsec.com WhiteHat Security Company Overview Headquartered in Santa Clara, CA WhiteHat Sentinel SaaS end-to-end website

More information

Copyright

Copyright 1 Security Test EXTRA Workshop : ANSWER THESE QUESTIONS 1. What do you consider to be the biggest security issues with mobile phones? 2. How seriously are consumers and companies taking these threats?

More information

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY Layer Seven Security ADVISORY SAP Security Notes November 01 SAP issued a critical bulletin in November to raise awareness of three Security Notes related to SAProuter and a new malware variant that is

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 5 Host, Application, and Data Security

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 5 Host, Application, and Data Security Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 5 Host, Application, and Data Security Objectives List the steps for securing a host computer Define application security Explain

More information

About the company. What we do? Cybersecurity solutions adapted to protect enterprise business applications (SAP & Oracle).

About the company. What we do? Cybersecurity solutions adapted to protect enterprise business applications (SAP & Oracle). About the company 2 What we do? Cybersecurity solutions adapted to protect enterprise business applications (SAP & Oracle). Agenda 3 Building a business case for SAP Vulnerability Management How to start

More information

Web App Testing: RECON. MAPPING. ANALYSIS.

Web App Testing: RECON. MAPPING. ANALYSIS. www.pandoralabs.net Expert Advice. Experience Advantage. Proactive Security Solutions Through Cutting-Edge Research. Web App Testing: RECON. MAPPING. ANALYSIS. By @isaacsabas We are a Security-as-a-Service

More information

Web Application Vulnerabilities: OWASP Top 10 Revisited

Web Application Vulnerabilities: OWASP Top 10 Revisited Pattern Recognition and Applications Lab Web Application Vulnerabilities: OWASP Top 10 Revisited Igino Corona igino.corona AT diee.unica.it Computer Security April 5th, 2018 Department of Electrical and

More information

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS Surprisingly Successful: What Really Works in Cyber Defense John Pescatore, SANS 1 Largest Breach Ever 2 The Business Impact Equation All CEOs know stuff happens in business and in security The goal is

More information

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any OWASP Top 10 Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any tester can (and should) do security testing

More information

Important Points to Note

Important Points to Note Important Points to Note All Participating colleges are requested to mute your telephone lines during the webinar session. Participants are requested to make note of questions / responses to questions,

More information

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation Defense-in-Depth Against Malicious Software Speaker name Title Group Microsoft Corporation Agenda Understanding the Characteristics of Malicious Software Malware Defense-in-Depth Malware Defense for Client

More information

INNOV-09 How to Keep Hackers Out of your Web Application

INNOV-09 How to Keep Hackers Out of your Web Application INNOV-09 How to Keep Hackers Out of your Web Application Michael Solomon, CISSP PMP CISM Solomon Consulting Inc. www.solomonconsulting.com What is a Web Application? Any access to your data via the Internet

More information

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009 Securing Web Applications: Defense Mechanisms Kishin Fatnani Founder & Director K-Secure Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009 1 Agenda Current scenario in Web Application

More information

Automating the Top 20 CIS Critical Security Controls

Automating the Top 20 CIS Critical Security Controls 20 Automating the Top 20 CIS Critical Security Controls SUMMARY It s not easy being today s CISO or CIO. With the advent of cloud computing, Shadow IT, and mobility, the risk surface area for enterprises

More information

epldt Web Builder Security March 2017

epldt Web Builder Security March 2017 epldt Web Builder Security March 2017 TABLE OF CONTENTS Overview... 4 Application Security... 5 Security Elements... 5 User & Role Management... 5 User / Reseller Hierarchy Management... 5 User Authentication

More information

CSWAE Certified Secure Web Application Engineer

CSWAE Certified Secure Web Application Engineer CSWAE Certified Secure Web Application Engineer Overview Organizations and governments fall victim to internet based attacks every day. In many cases, web attacks could be thwarted but hackers, organized

More information

EAS- SEC: Framework for Securing Enterprise Business Applica;ons

EAS- SEC: Framework for Securing Enterprise Business Applica;ons Invest in security to secure investments EAS- SEC: Framework for Securing Enterprise Business Applica;ons Alexander Polyakov CTO ERPScan About ERPScan The only 360- degree SAP Security solu8on - ERPScan

More information

Copyright

Copyright 1 SECURITY TEST Data flow -- Can you establish an audit trail for data, what goes where, is data in transit protected, and who has access to it? Data storage -- Where is data stored, and is it encrypted?

More information

SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS

SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS Contents Introduction...3 1. Research Methodology...4 2. Executive Summary...5 3. Participant Portrait...6 4. Vulnerability Statistics...8 4.1.

More information

Using Threat Modeling To Find Design Flaws

Using Threat Modeling To Find Design Flaws Using Threat Modeling To Find Design Flaws Introduction Jim DelGrosso Run Cigital's Architecture Analysis practice 20+ years in software development in many different domains ~15 years focusing on software

More information

Inception of the SAP Platform's Brain Attacks on SAP Solution Manager

Inception of the SAP Platform's Brain Attacks on SAP Solution Manager Inception of the SAP Platform's Brain Attacks on SAP Solution Manager Juan Perez-Etchegoyen Etchegoyen jppereze@onapsis.com September 20 th, 2012 Ekoparty, Buenos Aires Disclaimer This publication is copyright

More information

Rootkits and Trojans on Your SAP Landscape

Rootkits and Trojans on Your SAP Landscape Rootkits and Trojans on Your SAP Landscape SAP Security and the Enterprise Ertunga Arsal SAP systems are the heart of many enterprises. Most critical business functions run on SAP Applications and the

More information

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017 OWASP Top 10-2017 David Caissy OWASP Los Angeles Chapter July 2017 About Me David Caissy Web App Penetration Tester Former Java Application Architect IT Security Trainer: Developers Penetration Testers

More information

Attack Vectors in Computer Security

Attack Vectors in Computer Security Attack Vectors in Computer Security Who Am I @WillGoard My first proper hacksoc talk I speak fluent greek Sell more pizzas have more fun Why attack vectors? Didn t know what to do for my dissertation Started

More information

Secure Programming Techniques

Secure Programming Techniques Secure Programming Techniques Meelis ROOS mroos@ut.ee Institute of Computer Science Tartu University spring 2014 Course outline Introduction General principles Code auditing C/C++ Web SQL Injection PHP

More information

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013 Protect Your Application with Secure Coding Practices Barrie Dempster & Jason Foy JAM306 February 6, 2013 BlackBerry Security Team Approximately 120 people work within the BlackBerry Security Team Security

More information

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14 Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.

More information

Analysis Tool Project

Analysis Tool Project Tool Overview The tool we chose to analyze was the Java static analysis tool FindBugs (http://findbugs.sourceforge.net/). FindBugs is A framework for writing static analyses Developed at the University

More information

BEST PRACTICES FOR SELECTING A WEB APPLICATION SCANNING (WAS) SOLUTION

BEST PRACTICES FOR SELECTING A WEB APPLICATION SCANNING (WAS) SOLUTION GUIDE BEST PRACTICES FOR SELECTING A WEB APPLICATION SCANNING (WAS) SOLUTION CONTINUOUS SECURITY With attackers getting more sophisticated every day, manual methods of locating and testing web-based apps

More information

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

CIS 700/002 : Special Topics : OWASP ZED (ZAP) CIS 700/002 : Special Topics : OWASP ZED (ZAP) Hitali Sheth CIS 700/002: Security of EMBS/CPS/IoT Department of Computer and Information Science School of Engineering and Applied Science University of

More information

Certified Secure Web Application Engineer

Certified Secure Web Application Engineer Certified Secure Web Application Engineer ACCREDITATIONS EXAM INFORMATION The Certified Secure Web Application Engineer exam is taken online through Mile2 s Assessment and Certification System ( MACS ),

More information

Application Layer Security

Application Layer Security Application Layer Security General overview Ma. Angel Marquez Andrade Benefits of web Applications: No need to distribute separate client software Changes to the interface take effect immediately Client-side

More information

RiskSense Attack Surface Validation for Web Applications

RiskSense Attack Surface Validation for Web Applications RiskSense Attack Surface Validation for Web Applications 2018 RiskSense, Inc. Keeping Pace with Digital Business No Excuses for Not Finding Risk Exposure We needed a faster way of getting a risk assessment

More information

Securing SharePoint TASSCC TEC 2009 Web 2.0 Conference

Securing SharePoint TASSCC TEC 2009 Web 2.0 Conference Securing SharePoint TASSCC TEC 2009 Web 2.0 Conference Dan Cornell Email: dan@denimgroup.comd Twitter: @danielcornell March 26 th, 2009 Agenda Background SharePoint Basics Securing SharePoint Common Approaches

More information

Security Solution. Web Application

Security Solution. Web Application Web Application Security Solution Netsparker is a web application security solution that can be deployed on premise, on demand or a combination of both. Unlike other web application security scanners,

More information

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title Defend Your Web Applications Against the OWASP Top 10 Security Risks Speaker Name, Job Title Application Security Is Business Continuity Maintain and grow revenue Identify industry threats Protect assets

More information

Web 2.0, Consumerization, and Application Security

Web 2.0, Consumerization, and Application Security Web 2.0, Consumerization, and Application Security Chenxi Wang, Ph.D. Principal Analyst Forrester Research OWASP, New York City September 25, 2008 Today s enterprises face multitude of challenges Business-driven

More information

Presentation Overview

Presentation Overview Presentation Overview Basic Application Security (AppSec) Fundamentals Risks Associated With Vulnerable Applications Understanding the Software Attack Surface Mean Time to Fix (MTTF) Explained Application

More information

AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE

AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE Nicholas Carlini, Adrienne Porter Felt, David Wagner University of California, Berkeley CHROME EXTENSIONS CHROME EXTENSIONS servers servers

More information

Application. Security. on line training. Academy. by Appsec Labs

Application. Security. on line training. Academy. by Appsec Labs Application Security on line training Academy by Appsec Labs APPSEC LABS ACADEMY APPLICATION SECURITY & SECURE CODING ON LINE TRAINING PROGRAM AppSec Labs is an expert application security company serving

More information

HTML5 Web Security. Thomas Röthlisberger IT Security Analyst

HTML5 Web Security. Thomas Röthlisberger IT Security Analyst HTML5 Web Security Thomas Röthlisberger IT Security Analyst thomas.roethlisberger@csnc.ch Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch

More information

How Breaches Really Happen

How Breaches Really Happen How Breaches Really Happen www.10dsecurity.com About Dedicated Information Security Firm Clients Nationwide, primarily in financial industry Services Penetration Testing Social Engineering Vulnerability

More information

C1: Define Security Requirements

C1: Define Security Requirements OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security

More information

The Attacker s POV Hacking Mobile Apps. in Your Enterprise to Reveal Real Vulns and Protect the Business. Tony Ramirez

The Attacker s POV Hacking Mobile Apps. in Your Enterprise to Reveal Real Vulns and Protect the Business. Tony Ramirez The Attacker s POV Hacking Mobile Apps in Your Enterprise to Reveal Real Vulns and Protect the Business Tony Ramirez AGENDA & SPEAKERS Introduction Attacks on Mobile Live Demo Recommendations Q&A Tony

More information

Developing Secure Systems. Associate Professor

Developing Secure Systems. Associate Professor Developing Secure Systems Introduction Aug 27, 2014 James Joshi, Associate Professor Contact t James Joshi 706A, IS Building Phone: 412-624-9982 E-mail: jjoshi@mail.sis.pitt.edu Web: http://www.sis.pitt.edu/~jjoshi/courses/is2620/fall14/

More information

CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance

CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance IBM Innovate 2010 CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance Anthony Lim MBA CISSP CSSLP FCITIL Director, Asia Pacific, Software Security Solutions IBM,

More information

STING: Finding Name Resolution Vulnerabilities in Programs

STING: Finding Name Resolution Vulnerabilities in Programs STING: Finding Name Resolution ulnerabilities in Programs Hayawardh ijayakumar, Joshua Schiffman, Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department

More information

Improving Security in the Application Development Life-cycle

Improving Security in the Application Development Life-cycle Improving Security in the Application Development Life-cycle Migchiel de Jong Software Security Engineer mdejong@fortifysoftware.com March 9, 2006 General contact: Jurgen Teulings, 06-30072736 jteulings@fortifysoftware.com

More information

SAP Security anno Tim Lynen, Manager axl & trax 2017

SAP Security anno Tim Lynen, Manager axl & trax 2017 SAP Security anno 2017 Tim Lynen, Manager axl & trax 2017 Agenda Introduction axl & trax Importance of landscape security Where to start Top items to focus on Security in the organization Q&A Introduction

More information

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions? Jeroen van Beek 1 Why bother? Causes of data breaches OWASP Top ten attacks Now what? Do it yourself Questions? 2 In many cases the web application stores: Credit card details Personal information Passwords

More information

How to Secure Your Cloud with...a Cloud?

How to Secure Your Cloud with...a Cloud? A New Era of Thinking How to Secure Your Cloud with...a Cloud? Eitan Worcel Offering Manager - Application Security on Cloud IBM Security 1 2016 IBM Corporation 1 A New Era of Thinking Agenda IBM Cloud

More information

Vulnerabilities in online banking applications

Vulnerabilities in online banking applications Vulnerabilities in online banking applications 2019 Contents Introduction... 2 Executive summary... 2 Trends... 2 Overall statistics... 3 Comparison of in-house and off-the-shelf applications... 6 Comparison

More information

16th Annual Karnataka Conference

16th Annual Karnataka Conference 16th Annual Karnataka Conference GRC Compliance to Culture JULY 19 & 20, 2013 Topic OWASP Top 10 An Overview Speakers Akash Mahajan & Tamaghna Basu OWASP Top 10 An Overview The Open Web Application Security

More information

Cross-site request forgery Cross-site scripting Man-in-the-browser Session hijacking Malware Man-in-the-middle DNS cache poisoning DNS spoofing DNS hijacking Dictionary attacks DDoS DDoS Eavesdropping

More information

Secure Agile How to make secure applications using Agile Methods Thomas Stiehm, CTO

Secure Agile How to make secure applications using Agile Methods Thomas Stiehm, CTO Secure Agile How to make secure applications using Agile Methods Thomas Stiehm, CTO tom.stiehm@coveros.com 1 About Coveros Coveros helps organizations accelerate the delivery of business value through

More information

HTML5 Web Security. Thomas Röthlisberger IT Security Analyst

HTML5 Web Security. Thomas Röthlisberger IT Security Analyst HTML5 Web Security Thomas Röthlisberger IT Security Analyst thomas.roethlisberger@csnc.ch Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch

More information

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang WEB SECURITY WORKSHOP TEXSAW 2014 Presented by Solomon Boyd and Jiayang Wang Introduction and Background Targets Web Applications Web Pages Databases Goals Steal data Gain access to system Bypass authentication

More information

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Application Security through a Hacker s Eyes James Walden Northern Kentucky University Application Security through a Hacker s Eyes James Walden Northern Kentucky University waldenj@nku.edu Why Do Hackers Target Web Apps? Attack Surface A system s attack surface consists of all of the ways

More information

David Rook. Agnitio Security code review swiss army knife. Hack in Paris, Paris

David Rook. Agnitio Security code review swiss army knife. Hack in Paris, Paris David Rook Agnitio Security code review swiss army knife Hack in Paris, Paris if (slide == introduction) System.out.println("I m David Rook"); Security Analyst, Realex Payments, Ireland CISSP, CISA, GCIH

More information

Web Applications (Part 2) The Hackers New Target

Web Applications (Part 2) The Hackers New Target Web Applications (Part 2) The Hackers New Target AppScan Source Edition Terence Chow Advisory Technical Consultant An IBM Rational IBM Software Proof of Technology Hacking 102: Integrating Web Application

More information

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing Advancing Expertise in Security Testing Taming the Wild West Canberra, Australia 1 Who is this guy? Andrew

More information

How NOT To Get Hacked

How NOT To Get Hacked How NOT To Get Hacked The right things to do so the bad guys can t do the wrong ones Mark Burnette Partner, LBMC -Risk Services October 25, 2016 Today s Agenda Protecting Against A Hack How should I start?

More information

Layer Seven Security ADVISORY. SAP Security Notes

Layer Seven Security ADVISORY. SAP Security Notes Layer Seven Security ADVISORY SAP Security Notes August 2017 Note 2381071 patches a critical cross-site Ajax vulnerability in the Prototype JS library of BusinessObjects. Ajax is a method often used by

More information

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK Hacker Academy Ltd COURSES CATALOGUE Hacker Academy Ltd. LONDON UK TABLE OF CONTENTS Basic Level Courses... 3 1. Information Security Awareness for End Users... 3 2. Information Security Awareness for

More information

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Charting the Course to Your Success! Securing.Net Web Applications Lifecycle Course Summary Course Summary Description Securing.Net Web Applications - Lifecycle is a lab-intensive, hands-on.net security training course, essential for experienced enterprise developers who need to produce secure.net-based

More information

The PKI Lie. The OWASP Foundation Attacking Certificate Based Authentication. OWASP & WASC AppSec 2007 Conference

The PKI Lie. The OWASP Foundation  Attacking Certificate Based Authentication. OWASP & WASC AppSec 2007 Conference The PKI Lie Attacking Certificate Based Authentication Ofer Maor CTO, Hacktics OWASP & WASC AppSec 2007 Conference San Jose Nov 2007 Copyright 2007 - The OWASP Foundation Permission is granted to copy,

More information

EAS- SEC: Framework for Securing Enterprise Business ApplicaCons

EAS- SEC: Framework for Securing Enterprise Business ApplicaCons SAP in Internet EAS- SEC: Framework for Securing Enterprise Business ApplicaCons Alexander Polyakov CTO ERPScan erpscan.com ERPScan invest in security to secure investments 1 SAP in Internet erpscan.com

More information

Web Applications Part 1 The Weak Link in Information Security Your Last Line of Defense

Web Applications Part 1 The Weak Link in Information Security Your Last Line of Defense Web Applications Part 1 The Weak Link in Information Security Your Last Line of Defense Anthony Lim MBA FCITIL CISSP CSSLP Director, Security Rational Software - Asia Pacific 1 Hong Kong 17 Nov 2009 Welcome

More information

Top 10 Web Application Vulnerabilities

Top 10 Web Application Vulnerabilities Top 10 Web Application Vulnerabilities Why you should care about them plus a live hacking demo!! Why should you care?! Insecure so*ware is undermining our financial, healthcare, defense, energy, and other

More information

Welcome to the OWASP TOP 10

Welcome to the OWASP TOP 10 Welcome to the OWASP TOP 10 Secure Development for Java Developers Dominik Schadow 03/20/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN 1 AGENDA

More information

Overview of Web Application Security and Setup

Overview of Web Application Security and Setup Overview of Web Application Security and Setup Section Overview Where to get assistance Assignment #1 Infrastructure Setup Web Security Overview Web Application Evaluation & Testing Application Security

More information

Application Security. Doug Ashbaugh CISSP, CISA, CSSLP. Solving the Software Quality Puzzle

Application Security. Doug Ashbaugh CISSP, CISA, CSSLP.  Solving the Software Quality Puzzle Application Security Doug Ashbaugh CISSP, CISA, CSSLP Page 1 It security Page 2 Page 3 Percent of Breaches Page 4 Hacking 5% 15% 39% Page 5 Common Attack Pathways Page 6 V u ln e ra b ilitie s / We a k

More information

V Conference on Application Security and Modern Technologies

V Conference on Application Security and Modern Technologies V Conference on Application Security and Modern Technologies In collaborazione con Venezia, Università Ca Foscari 6 Ottobre 2017 1 Matteo Meucci OWASP Nuovi standard per la sicurezza applicativa 2

More information

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY Layer Seven Security ADVISORY SAP Security Notes August 2014 SAP released a Hot News fix in August for a critical vulnerability effecting the SAP Afaria Mobile Device Management (MDM) server. Note 2044175

More information

The OWASP Foundation

The OWASP   Foundation Application Bug Chaining July 2009 Mark Piper User Catalyst IT Ltd. markp@catalyst.net.nz Copyright The Foundation Permission is granted to copy, distribute and/or modify this document under the terms

More information

Web Application Security. Philippe Bogaerts

Web Application Security. Philippe Bogaerts Web Application Security Philippe Bogaerts OWASP TOP 10 3 Aim of the OWASP Top 10 educate developers, designers, architects and organizations about the consequences of the most common web application security

More information

Threat Modeling. SecAppDev Copyright 2016, Cigital and/or its affiliates. All rights reserved.

Threat Modeling. SecAppDev Copyright 2016, Cigital and/or its affiliates. All rights reserved. Threat Modeling SecAppDev 2017 whoami Run Cigital's Architecture Analysis practice 30+ years in software development in many different domains 15+ years focusing on software security @jimdelgrosso Executive

More information

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant Penetration Testing following OWASP Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant За Лирекс Penetration testing A method of compromising the security of a computer system or network by

More information

Developing Secure Systems. Introduction Aug 30, James Joshi, Professor, SCI

Developing Secure Systems. Introduction Aug 30, James Joshi, Professor, SCI Developing Secure Systems Introduction Aug 30, 2017 James Joshi, Professor, SCI Contact James Joshi 706A, IS Building Phone: 412-624-9982 E-mail: jjoshi@mail.sis.pitt.edu Web: http://www.sis.pitt.edu/~jjoshi/courses/is2620/fall17/

More information

Software Security and CISQ. Dr. Bill Curtis Executive Director

Software Security and CISQ. Dr. Bill Curtis Executive Director Software Security and CISQ Dr. Bill Curtis Executive Director Why Measure IT Applications? Six Digit Defects now affect Board of Directors CEO, COO, CFO Business VPs Corporate Auditors CIO accountable

More information

Un SOC avanzato per una efficace risposta al cybercrime

Un SOC avanzato per una efficace risposta al cybercrime Un SOC avanzato per una efficace risposta al cybercrime Identificazione e conferma di un incidente @RSAEMEA #RSAEMEASummit @masiste75 Mauro Costantini - Presales Consultant Agenda A look into the threat

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

Simplifying Application Security and Compliance with the OWASP Top 10

Simplifying Application Security and Compliance with the OWASP Top 10 Simplifying Application Security and Compliance with the OWASP Top 10 An Executive Perspective 187 Ballardvale Street, Wilmington, MA 01887 978.694.1008 ExECuTivE PErSPECTivE 2 introduction From a management

More information

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations May 14, 2018 1:30PM to 2:30PM CST In Plain English: Cybersecurity and IT Exam Expectations Options to Join Webinar and audio Click on the link: https://www.webcaster4.com/webcast/page/584/24606 Choose

More information

Exam : JK Title : CompTIA E2C Security+ (2008 Edition) Exam. Version : Demo

Exam : JK Title : CompTIA E2C Security+ (2008 Edition) Exam. Version : Demo Exam : JK0-015 Title : CompTIA E2C Security+ (2008 Edition) Exam Version : Demo 1.Which of the following logical access control methods would a security administrator need to modify in order to control

More information

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES What is the OWASP Top 10? A list of the top ten web application vulnerabilities Determined by OWASP and the security community at large

More information

How to spend $3.6M on one coding mistake and other fun stuff you can do with $3.6M. Matias Madou Ph.D., Secure Code Warrior

How to spend $3.6M on one coding mistake and other fun stuff you can do with $3.6M. Matias Madou Ph.D., Secure Code Warrior How to spend $3.6M on one coding mistake and other fun stuff you can do with $3.6M Matias Madou Ph.D., Secure Code Warrior Matias Madou, Ph.D. CTO and Co-Founder Ph.D. in Computer Engineering from Ghent

More information

Hacking by Numbers OWASP. The OWASP Foundation

Hacking by Numbers OWASP. The OWASP Foundation Hacking by Numbers OWASP Tom Brennan WhiteHat Security Inc. tom.brennan@whitehatsec.com 973-506-9303 skype: jinxpuppy Copyright The OWASP Foundation Permission is granted to copy, distribute and/or modify

More information