Outline
1 Introduction
2 Security Architecture and Design
3 Threat Risk Modelling
4 Phishing
5 Web Services
6 Secure Coding Guidelines
Web Security
Prakash Chandrasekaran, Microsoft Research India (on leave from Chennai Mathematical Institute)
ISEA, IMSc, 25 & 26 May 2006

This presentation is licensed under the Free Documentation License. Permission is granted to copy, distribute, and/or modify this document provided this copyright notice and the acknowledgement and reference slides are retained. Copyright (c) 2006, Prakash Chandrasekaran. All Rights Reserved.
Prakash Chandrasekaran (MSRI,CMI) Web Security ISEA, IMSc, May / 41

Outline: Web Applications; MVC

Introduction
In this talk we will look at various aspects of security involved in web communication:
- What are Web Applications
- Secure Architecture and Design
- Threat Risk Modelling
- Secure Coding Guidelines
- PHP Guidelines

Web Applications
In the early days of the web, web sites consisted of static pages. Then came CGI, which allowed execution of external programs. But CGI is not very useful and has lots of disadvantages: more overhead due to process creation, lack of session management, lack of authorization controls.
Scripting - The interpreters run script code within the web server process. Scripting languages too have some disadvantages:
- They are in general not very strongly typed
- They are very slow compared to native code in CGI
- It is difficult to write multi-tier large scale applications
Web Applications
Small to Medium Scale Applications - Most applications fall into this category. The usual architecture is a simple linear procedural script. It is easy to develop, and not much skill is required to maintain the codebase. It typically has lots of security issues, mostly due to insufficiently validated input data.
Large Scale Applications - Larger applications need a different architecture than that of a simple feedback form. Scalable application architecture is often divided into different tiers and modules. One of the most common web application architectures is model-view-controller (MVC).

MVC
MVC implements the Smalltalk 80 application architecture. MVC is typical of most Apache Foundation Jakarta Struts J2EE applications. Code-behind ASP.NET can be considered a partial implementation of this approach. For PHP, the WACT project aims to implement the MVC paradigm.
- View - The front-end rendering code, often called the presentation tier.
- Controller - Takes input from the users and gates it through various workflows.
- Model - Encapsulates functionality, is transparent to the caller, and provides a method to deal with high-level business processes. A good model will allow pseudo code like oAccount->TransferFunds(fromAcct, toAcct, amount) rather than a long piece of code that checks for funds availability, withdraws the amount from fromAcct, then deposits in toAcct.

Outline: Policy Frameworks; Secure Coding Principles

Policy Framework
Secure applications do not just happen - they are the result of organizational policy decisions. To develop a secure application, a well written security policy is very important. The development cycle should have adequate security checkpoints. Ad-hoc development is not structured enough to produce secure applications. Coding standards are also very important. Methodologies are not coding standards.
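The TransferFunds model method above, worked through as an added example (this is not code from the slides or from any of the frameworks they name). The point for security is that the funds check, the withdrawal and the deposit live inside the model, inside one transaction, so no controller can call the steps in the wrong order or skip the check. The AccountModel class, the account table and the two sample accounts are this example's own constructions; PDO with an in-memory SQLite database stands in for whatever store a real application uses.

```php
<?php
// Added example (not from the slides): a model method that encapsulates a
// funds transfer so the controller never sees the individual steps.
// The AccountModel class, the accounts table and its rows are constructed here.
declare(strict_types=1);

final class InsufficientFunds extends RuntimeException {}

final class AccountModel
{
    public function __construct(private PDO $db) {}

    // The model owns the business rule: validate, then withdraw and deposit
    // inside one transaction so a failure leaves both balances untouched.
    public function transferFunds(string $fromAcct, string $toAcct, int $amountCents): void
    {
        if ($amountCents <= 0) {
            throw new InvalidArgumentException('amount must be positive');
        }
        if ($fromAcct === $toAcct) {
            throw new InvalidArgumentException('source and destination must differ');
        }
        $this->db->beginTransaction();
        try {
            $available = $this->balance($fromAcct);
            if ($available < $amountCents) {
                throw new InsufficientFunds("only $available cents available");
            }
            $this->adjust($fromAcct, -$amountCents);
            $this->adjust($toAcct, $amountCents);
            $this->db->commit();
        } catch (Throwable $e) {
            $this->db->rollBack();
            throw $e;
        }
    }

    public function balance(string $acct): int
    {
        $stmt = $this->db->prepare('SELECT balance FROM accounts WHERE id = ?');
        $stmt->execute([$acct]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            throw new InvalidArgumentException("no such account: $acct");
        }
        return (int) $row['balance'];
    }

    private function adjust(string $acct, int $deltaCents): void
    {
        $stmt = $this->db->prepare('UPDATE accounts SET balance = balance + ? WHERE id = ?');
        $stmt->execute([$deltaCents, $acct]);
        if ($stmt->rowCount() !== 1) {
            throw new InvalidArgumentException("no such account: $acct");
        }
    }
}

// Constructed sample data: two accounts holding 100.00 and 20.00 (in cents).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (id TEXT PRIMARY KEY, balance INTEGER NOT NULL)');
$db->exec("INSERT INTO accounts VALUES ('alice', 10000), ('bob', 2000)");

$model = new AccountModel($db);

// A transfer the model accepts: the controller only issues this one call.
$model->transferFunds('alice', 'bob', 2500);
printf("after transfer: alice=%d bob=%d\n", $model->balance('alice'), $model->balance('bob'));

// A transfer the model rejects; the rollback leaves both balances as they were.
try {
    $model->transferFunds('bob', 'alice', 999999);
} catch (InsufficientFunds $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
printf("after rejection: alice=%d bob=%d\n", $model->balance('alice'), $model->balance('bob'));
```

Amounts are integers in cents rather than floats so that the comparison in the funds check is exact; the same pattern applies to any store that offers transactions.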
Secure Coding Principles
- Classify assets.
- Consider potential attackers. Put yourself in the shoes of the attackers.
- Minimize attack surface area.
- Have secure default values.
- Principle of least privilege.
- Principle of defense in depth - tier based validation.
- Fail securely.
- External systems are insecure.
- Separation of duties.
- Do not trust security through obscurity.
- Simplicity.
- Fix security issues correctly.

Outline: Introduction; Using Microsoft TM Process; Steps in Threat Modelling; Application Overview; Types of Attacks; Damage Potential

Threat Risk Modelling
When designing your application, it is essential that you design using threat-risk-assessed controls; otherwise you will squander resources, time and money on useless controls and not enough on the real risks. The method you use to determine risk is not nearly as important as actually performing structured threat risk modelling.

TRM using the MS TM Process
Microsoft provides a threat modeling tool written in .NET to assist with tracking and displaying threat trees. There are five steps in the threat modeling process:
- Identifying Security Objectives
- Application Overview
- Identify Vulnerabilities
- Decompose Application
- Identify Threats
TRM using the MS TM Process - Identifying Security Objectives
- Identity: does this application protect the user's identity from misuse?
- Reputation: the loss of reputation derived from the application being misused or successfully attacked.
- Financial: the level of risk the organization is prepared to stake in remediation of potential financial loss.
- Privacy and regulatory: to what extent shall applications protect users' data?
- Availability guarantees: highly available applications and techniques are extraordinarily expensive, so setting the correct controls here can save a great deal of time, resources, and money.

Application Overview
Once the security objectives have been defined, the application should be analyzed to determine:
- Components
- Data Flow
- Trust Boundaries
Look for UML component diagrams to understand data flow. Once the application is understood, it needs to be decomposed. For example, when investigating the authentication module, it is necessary to understand how data enters the authentication module, how the module validates and processes the data, where the data flows, if data is stored, and what decisions are made by the module.

Application Overview - Document known threats
- A threat graph
- A structured list of threats
To understand what threats are applicable, use the security objectives to understand who might attack the application:
- Accidental discovery: authorized users stumble across a mistake in your application logic using just a browser.
- Curious attacker (such as security researchers or users who notice something wrong with your application and test further)
- Script kiddie: computer criminals attacking or defacing applications for respect or political motive
- Motivated attacker (such as disgruntled staff or paid attacker)
- Organized crime (generally for higher risk applications, such as e-commerce or banking)
Types of Attacks
- Spoofing identity
- Tampering with data
- Repudiation
- Information disclosure
- Denial of service
- Elevation of privilege

Damage Potential
- Damage potential
- Reproducibility
- Exploitability
- Affected users
- Discoverability

What is Phishing?
Phishing is misrepresentation where the criminal uses social engineering to appear as a trusted identity. They leverage the trust to gain valuable information; usually details of accounts, or enough information to open accounts, obtain loans, or buy goods through e-commerce sites.

Outline: What is phishing; Basic Phishing Attack; What you can do about Phishing?
Basic Phishing Attack
- Delivery via a website, e-mail, or instant message.
- Sending threatening e-mails.
- Through installed spyware.
- Spurious security alerts.

What you can do about Phishing?
- Educate your users.
- Consistent branding.
- Reduce risk - e.g. do not send e-mail with active content.
- Increase trust - consider using digital signatures.
- Incident response - don't send users e-mails about fraud; instead lock their accounts and give them a contact number, or better, ring them!
- Don't use pop-ups or frames.
- Check the client environments, including the DOM.

Outline: Securing Web Services; Communication Security; Using Tokens

Securing Web Services
Web services, like other distributed applications, require protection at multiple levels:
- SOAP messages that are sent on the wire should be delivered confidentially and without tampering.
- The server needs to be confident who it is talking to and what the clients are entitled to.
- The clients need to know that they are talking to the right server, and not a phishing site.
- System message logs should contain sufficient information to reliably reconstruct the chain of events and track those back to the authenticated callers.
Communication Security
There is a commonly cited statement, and an even more often implemented approach: "we are using SSL to protect all communication, so we are secure."
- SSL provides only point-to-point security.
- There is also a subtle issue of trust transitivity, as trust between node pairs A,B and B,C does not automatically imply an A,C trust relationship.
- Storage issue: after messages are received on the server (even if it is not the intended recipient), they exist in clear-text form, at least temporarily.

Communication Security...
- Lack of interoperability: while SSL provides a standard mechanism for transport protection, applications then have to utilize highly proprietary mechanisms for transmitting credentials and ensuring freshness, integrity, and confidentiality of data sent over the secure channel.
- Passing credentials: since SOAP messages are XML-based, all passed credentials have to be converted to text format. Passing credentials carries an inherent risk of their disclosure, either by sniffing them during the wire transmission, or by analyzing the server logs.
- Ensuring message freshness.
- Protecting message integrity and confidentiality.

Communication Security... - Access Control
- Do we know who is requesting the operation? (Identification)
- Can we verify the caller's identity claim? (Authentication)
- Is the caller allowed to perform this operation? (Authorization)

Using Tokens
Types of tokens in SOAP messages:
- Username token - Defines mechanisms to pass a username and, optionally, a password; the latter is described in the username profile document. Unless the whole token is encrypted, a message which includes a clear-text password should always be transmitted via a secured channel.
- Binary token - Used to convey binary data, such as X.509 certificates, in a text-encoded format, Base64 by default.
- XML token - Meant for any kind of XML-based tokens.
Tokens are only a mechanism, and by themselves do not provide any security. Use time-stamps along with tokens to ensure freshness.
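The username token with a timestamp, worked through as an added example that is not part of the slides: the client builds a WS-Security UsernameToken carrying a nonce and a Created time and proves knowledge of the password with the PasswordDigest form from the UsernameToken Profile (Base64 of SHA-1 over nonce, created and password), and the server accepts it only if it is fresh, its nonce has not been seen before, and the digest verifies. The namespace URIs are the WS-Security 1.0 ones; the user table, the five-minute window, the replay cache and the messages themselves are constructed for this example.

```php
<?php
// Added example (not from the slides): a SOAP UsernameToken with nonce and
// Created timestamp, and the server-side freshness and replay checks that
// make the token mean something. The password table, the freshness window
// and the sample messages are constructed here.
declare(strict_types=1);

const WSSE = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd';
const WSU  = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd';
const PASSWORD_DIGEST = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest';
const FRESHNESS_WINDOW_SECONDS = 300;

// Client side. PasswordDigest = Base64(SHA-1(nonce + created + password)); the
// random nonce and the timestamp are what make each message unique and time-bound.
function buildUsernameToken(string $user, string $password, int $now): string
{
    $nonce   = random_bytes(16);
    $created = gmdate('Y-m-d\TH:i:s\Z', $now);
    $digest  = base64_encode(sha1($nonce . $created . $password, true));
    return '<wsse:UsernameToken xmlns:wsse="' . WSSE . '" xmlns:wsu="' . WSU . '">'
         . '<wsse:Username>' . htmlspecialchars($user, ENT_XML1) . '</wsse:Username>'
         . '<wsse:Password Type="' . PASSWORD_DIGEST . '">' . $digest . '</wsse:Password>'
         . '<wsse:Nonce>' . base64_encode($nonce) . '</wsse:Nonce>'
         . '<wsu:Created>' . $created . '</wsu:Created>'
         . '</wsse:UsernameToken>';
}

// Server side. Returns the authenticated username, or null if the token is
// malformed, stale, replayed, for an unknown user, or carries a wrong digest.
function verifyUsernameToken(string $xml, array $passwords, array &$seenNonces, int $now): ?string
{
    $doc = new DOMDocument();
    if (!$doc->loadXML($xml)) {
        return null;
    }
    $get = fn(string $ns, string $name): ?string =>
        $doc->getElementsByTagNameNS($ns, $name)->item(0)?->textContent;
    $user     = $get(WSSE, 'Username');
    $digest   = $get(WSSE, 'Password');
    $nonceB64 = $get(WSSE, 'Nonce');
    $created  = $get(WSU, 'Created');
    if ($user === null || $digest === null || $nonceB64 === null || $created === null) {
        return null;
    }
    // Freshness: reject stale or future-dated messages. Clock skew is handled
    // by sizing the window, never by dropping the check.
    $createdTs = strtotime($created);
    if ($createdTs === false || abs($now - $createdTs) > FRESHNESS_WINDOW_SECONDS) {
        return null;
    }
    // Replay: a nonce is accepted once. Entries older than the window could be
    // pruned from $seenNonces, since the freshness check already rejects them.
    if (isset($seenNonces[$nonceB64])) {
        return null;
    }
    if (!isset($passwords[$user])) {
        return null;
    }
    $nonce    = base64_decode($nonceB64, true);
    $expected = base64_encode(sha1(($nonce === false ? '' : $nonce) . $created . $passwords[$user], true));
    if (!hash_equals($expected, $digest)) {
        return null;
    }
    $seenNonces[$nonceB64] = $createdTs;
    return $user;
}

// Constructed walk-through: a fresh message, the same message again, and a
// message created an hour ago.
$passwords = ['alice' => 'correct horse battery staple'];
$seen = [];
$now = time();

$token = buildUsernameToken('alice', $passwords['alice'], $now);
var_dump(verifyUsernameToken($token, $passwords, $seen, $now));        // first use of this nonce
var_dump(verifyUsernameToken($token, $passwords, $seen, $now + 10));   // same message presented again
$old = buildUsernameToken('alice', $passwords['alice'], $now - 3600);
var_dump(verifyUsernameToken($old, $passwords, $seen, $now));          // created outside the window
```

The digest hides the password on the wire, but it is still derived from it: a server that stores plaintext passwords to compute the digest, or that logs the full SOAP header, reintroduces the credential disclosure risk the slides describe, so the token is sent over a protected channel regardless and the header is kept out of the message logs.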
Authentication
- Basic authentication - sends the password in clear text.
- Digest authentication - obfuscates the password in HTTP 1.0, and uses challenge-response in HTTP 1.1.
- Form based authentication - vulnerable to replay attack, man-in-the-middle attack, phishing, etc.
- Integrated authentication - used for intranet purposes.
- Certificate based authentication.
- Strong authentication - tokens, certificates, etc.

Outline: Authentication; Session Management; Data Validation; Interpreter Injection

Authentication
- Use the principle of least privilege.
- Use ACLs and an access control matrix to determine access privilege at each non-anonymous entry point.
- Use centralized authorization routines, and do not re-write / copy-paste the code every time.
- Do not store session information on the client side (in cookies).

Session Management
- Authorization and role data should be stored only on the server.
- Navigation data in URLs is acceptable as long as it can be validated.
- Avoid permissive session generation, i.e. simply issuing a new session ID if one does not exist.
- Secure session data stored on the server.
- Use page-specific nonces in conjunction with session tokens.
- Tokens should be sent only on encrypted channels (e.g. SSL, TLS).
- Use session timeouts.
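The authentication and session management points above, combined into one added example that is not from the slides: a server-side session store whose sessions are created only at login (never on demand for an unknown ID), idle timeouts, page-specific nonces that are consumed on use, and a single authorize() routine driven by an access control matrix that every entry point passes through. The SessionStore class, the roles, the entry points and the simulated requests are all constructed for this example.

```php
<?php
// Added example (not from the slides): server-side sessions with idle
// timeouts and page-specific nonces, plus one central authorization routine
// driven by an access control matrix. Roles, entry points and the simulated
// requests are constructed here.
declare(strict_types=1);

const SESSION_IDLE_SECONDS = 900;

// Access control matrix: entry point => roles allowed to call it. Every
// non-anonymous entry point must appear here; absence means "denied".
const ACCESS_MATRIX = [
    'viewStatement' => ['customer', 'teller'],
    'transferFunds' => ['customer'],
    'closeAccount'  => ['teller'],
];

final class SessionStore
{
    private array $sessions = [];   // id => ['user', 'role', 'lastSeen', 'nonces']

    // Sessions exist only after a successful login. An unknown ID presented by
    // a client is never turned into a session (that would be permissive generation).
    public function create(string $user, string $role, int $now): string
    {
        $id = bin2hex(random_bytes(32));
        $this->sessions[$id] = ['user' => $user, 'role' => $role, 'lastSeen' => $now, 'nonces' => []];
        return $id;
    }

    // Look up a session; an expired one is destroyed rather than revived.
    public function get(string $id, int $now): ?array
    {
        $s = $this->sessions[$id] ?? null;
        if ($s === null) {
            return null;
        }
        if ($now - $s['lastSeen'] > SESSION_IDLE_SECONDS) {
            unset($this->sessions[$id]);
            return null;
        }
        $this->sessions[$id]['lastSeen'] = $now;
        return $this->sessions[$id];
    }

    // A nonce is bound to one session and one page and is consumed on use,
    // so a captured form cannot be submitted a second time.
    public function issueNonce(string $id, string $page): string
    {
        $nonce = bin2hex(random_bytes(16));
        $this->sessions[$id]['nonces'][$page] = $nonce;
        return $nonce;
    }

    public function consumeNonce(string $id, string $page, string $presented): bool
    {
        $expected = $this->sessions[$id]['nonces'][$page] ?? null;
        if ($expected === null || !hash_equals($expected, $presented)) {
            return false;
        }
        unset($this->sessions[$id]['nonces'][$page]);
        return true;
    }
}

// The single authorization routine every entry point goes through.
function authorize(?array $session, string $entryPoint): bool
{
    if ($session === null) {
        return false;
    }
    return in_array($session['role'], ACCESS_MATRIX[$entryPoint] ?? [], true);
}

// Simulated request: session cookie value, entry point invoked, page nonce from the form.
function handle(SessionStore $store, ?string $sid, string $entryPoint, string $nonce, int $now): string
{
    $session = $sid === null ? null : $store->get($sid, $now);
    if (!authorize($session, $entryPoint)) {
        return "403 $entryPoint";
    }
    if (!$store->consumeNonce($sid, $entryPoint, $nonce)) {
        return "400 $entryPoint (missing or reused nonce)";
    }
    return "200 $entryPoint for {$session['user']}";
}

// Constructed walk-through.
$store = new SessionStore();
$now = time();
$sid = $store->create('alice', 'customer', $now);
$n = $store->issueNonce($sid, 'transferFunds');
echo handle($store, $sid, 'transferFunds', $n, $now), "\n";                        // first submission
echo handle($store, $sid, 'transferFunds', $n, $now), "\n";                        // same nonce again
echo handle($store, $sid, 'closeAccount', $n, $now), "\n";                         // role not in matrix
echo handle($store, $sid, 'viewStatement', 'x', $now + 3600), "\n";                // idle timeout elapsed
echo handle($store, bin2hex(random_bytes(32)), 'viewStatement', 'x', $now), "\n";  // ID never issued
```

Authorization runs before the nonce check on purpose: a caller who is not allowed to reach an entry point learns nothing about whether the nonce was right, and the matrix, not the page code, is the only place a role grant can be changed.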
Session Authorization Attacks
One of the most common mistakes is not checking authorization prior to performing a restricted function or accessing data. Just because a user has a session does not authorize them to use all of the application or view any data.
A particularly embarrassing real life example is the Australian Taxation Office's GST web site, where most Australian companies electronically submit their quarterly tax returns. The ATO uses client-side certificates as authentication. Sounds secure, right? However, this particular web site initially had the ABN (a unique number, sort of like a social security number for companies) in the URL. These numbers are not secret and they are not random. A user worked this out, and tried another company's ABN. To his surprise, it worked, and he was able to view the other company's details. He then wrote a script to mine the database and mail each company's nominated address, notifying each company that the ATO had a serious security flaw. More than 17,000 organizations received e-mails.

Data Validation
Data validation is a very critical part of securing web applications. Insufficiently validated input, used in sensitive operations like SQL queries, can be fatal. Hidden form fields are one way of saving state on the client side, instead of on the server. But they should be validated before use, as they can still be altered by a malicious user/program.

Interpreter Injection
- User agent injection - the browser could be compromised.
- DOM based XSS injection - allows an attacker to introduce hostile code into vulnerable client-side JavaScript embedded in many pages.
- SQL, ORM, LDAP, XML injections.
All of the above can be safeguarded against by always validating input data before using it in any form.
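The three points above (an identifier in the URL that must be checked against the caller, a hidden form field that must be validated before use, and input that must never reach an SQL interpreter as code) in one added example that is not from the slides. The returns table, the ABN-like numbers, the session value and the simulated requests are constructed; the ABN format check (eleven digits) is this example's own simplification. The concatenated query is kept only to show, beside the parameterized one, why validation alone is not the whole defense.

```php
<?php
// Added example (not from the slides): validating a URL parameter, a hidden
// form field and the caller's entitlement before a query, and a concatenated
// query beside its parameterized replacement. Table, rows and requests are
// constructed here; the ABN values are made up.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE returns (abn TEXT, quarter TEXT, amount INTEGER)');
$db->exec("INSERT INTO returns VALUES ('11111111111', '2006Q1', 1200),
                                      ('11111111111', '2006Q2', 1350),
                                      ('22222222222', '2006Q1', 9800)");

// Vulnerable form, kept for contrast only: the parameter becomes part of the SQL text.
function findReturnsConcatenated(PDO $db, string $abn): array
{
    return $db->query("SELECT abn, quarter, amount FROM returns WHERE abn = '$abn'")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: each value is checked against an explicit shape, the URL
// parameter is checked against the authenticated caller, and the query is
// parameterized so the values can never change its structure.
function findReturnsValidated(PDO $db, array $request, string $sessionAbn): array
{
    $abn     = $request['abn']     ?? '';   // taken from the URL
    $quarter = $request['quarter'] ?? '';   // taken from a hidden form field
    if (!preg_match('/^\d{11}$/', $abn)) {
        throw new InvalidArgumentException('abn must be 11 digits');
    }
    if (!preg_match('/^\d{4}Q[1-4]$/', $quarter)) {
        throw new InvalidArgumentException('quarter must look like 2006Q1');
    }
    // Having a session is not enough: the record must belong to this caller.
    if (!hash_equals($sessionAbn, $abn)) {
        throw new RuntimeException('not authorized for this ABN');
    }
    $stmt = $db->prepare('SELECT abn, quarter, amount FROM returns WHERE abn = ? AND quarter = ?');
    $stmt->execute([$abn, $quarter]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed requests from a caller whose session is bound to ABN 11111111111.
$session  = '11111111111';
$legit    = ['abn' => '11111111111', 'quarter' => '2006Q2'];
$other    = ['abn' => '22222222222', 'quarter' => '2006Q1'];            // another company's number in the URL
$tampered = ['abn' => '11111111111', 'quarter' => "2006Q1' OR '1'='1"]; // edited hidden field

print_r(findReturnsValidated($db, $legit, $session));
foreach ([$other, $tampered] as $bad) {
    try {
        findReturnsValidated($db, $bad, $session);
    } catch (Exception $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}

// The same quote-bearing value given to both query styles: concatenation lets
// it alter the WHERE clause, the parameterized query treats it as a value.
$probe = "x' OR '1'='1";
echo count(findReturnsConcatenated($db, $probe)), " rows from the concatenated query\n";
$stmt = $db->prepare('SELECT abn FROM returns WHERE abn = ?');
$stmt->execute([$probe]);
echo count($stmt->fetchAll()), " rows from the parameterized query\n";
```

The order of the checks matters: shape validation first (cheap, and it keeps malformed values out of every later step), then the ownership check, then the parameterized query. Note that the tampered hidden field never reaches the database at all; it fails the shape check, which is what the slide means by validating hidden fields before use.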
Outline: Global Variables; Include and Remote Files
PHP Guidelines
PHP (recursive acronym for PHP: Hypertext Preprocessor) is a widely used server-side scripting language for creating dynamic web pages. Server-side means that the code is interpreted on the server before the result is sent to the client. PHP code is embedded in HTML code and it is easy to get started with, while still very powerful for the experienced programmer. However, being extremely feature rich and easy to get started with is not only positive; it too often leads to insecure applications vulnerable to several different kinds of attacks.

Global variables
Variables declared outside of a function are considered global by PHP. Unlike C, in PHP, to use a global variable from local scope you have to declare it global in that scope. register_globals makes input from GET, POST, and COOKIE, as well as session variables etc., directly accessible as global variables in PHP. This directive, if set in php.ini, is the root of many vulnerabilities. Whenever needed, always use the superglobal arrays like $_GET, $_POST, $_SESSION.

Include and Remote Files
The include and require directives provide means to import code into the current script. If the file name is an HTTP URL, then PHP will fetch it and import it. Consider the following example:

    // file.php
    $sincpath = '/inc/';
    include($sincpath . 'functions.php');
    ...

    // functions.php
    // Relies on $sincpath having been set by whichever script included this one.
    include($sincpath . 'filesystem.php');

In the above, functions.php assumes that $sincpath has been set to a proper value. If register_globals is set, then an attacker can directly invoke functions.php with a $sincpath pointing at a URL of the attacker's choosing, and the server will now include that script and execute it.
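The two defenses the guidelines imply for the include pattern above, as an added example that is not code from the slides: refuse to run while register_globals is on, and never derive an include path from anything the request controls (a fixed base directory, an allowlist of module names, and a check that the resolved file really sits under the base directory). ALLOWED_MODULES, resolveModulePath, loadModule and the throwaway include directory are this example's own.

```php
<?php
// Added example (not from the slides): hardening the include pattern shown
// above. ALLOWED_MODULES, resolveModulePath and loadModule are this example's
// names; the temporary include directory exists only for the demo.
declare(strict_types=1);

// 1. Fail closed if register_globals is on, so request input can never become a
//    variable such as $sincpath. ini_get() returns false once the directive no
//    longer exists (PHP 5.4 and later), which counts as "off".
function assertRegisterGlobalsOff(): void
{
    $value = ini_get('register_globals');
    if ($value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('register_globals is enabled; refusing to start');
    }
}

const ALLOWED_MODULES = ['functions', 'filesystem'];

// 2. The include path is never built from the request: the base directory is
//    fixed, the module name must be on the allowlist, and the resolved file must
//    still lie under the base directory. A URL or a traversal sequence fails the
//    first check; an allowlisted name with no file behind it fails the second.
function resolveModulePath(string $module, string $incDir): string
{
    if (!in_array($module, ALLOWED_MODULES, true)) {
        throw new InvalidArgumentException("module not on allowlist: $module");
    }
    $base = realpath($incDir);
    $real = realpath($incDir . '/' . $module . '.php');
    if ($base === false || $real === false || !str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException("module not present under include dir: $module");
    }
    return $real;
}

function loadModule(string $module, string $incDir): void
{
    require_once resolveModulePath($module, $incDir);
}

// Constructed demo: a throwaway include directory holding only functions.php.
assertRegisterGlobalsOff();
$incDir = sys_get_temp_dir() . '/inc_demo_' . bin2hex(random_bytes(4));
mkdir($incDir);
file_put_contents("$incDir/functions.php",
    "<?php\nfunction greet(): string { return 'functions.php loaded'; }\n");

foreach (['functions', 'filesystem', '../../etc/passwd', 'http://example.invalid/evil.php'] as $candidate) {
    try {
        loadModule($candidate, $incDir);
        echo "loaded '$candidate': ", greet(), "\n";
    } catch (Exception $e) {
        echo "rejected '$candidate': ", $e->getMessage(), "\n";
    }
}
unlink("$incDir/functions.php");
rmdir($incDir);
```

Of the four candidates only 'functions' loads; 'filesystem' is on the allowlist but has no file, so the realpath check rejects it, and the other two never get past the allowlist. Disabling allow_url_include in php.ini is the complementary server-side setting, but the code above does not depend on it.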
For Further Reading
- A Guide to Building Secure Web Applications and Web Services, The Open Web Application Security Project
This presentation is also available at prakash/isea2006
More informationEXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
EXCERPT NIST Special Publication 800-171 R1 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations An Excerpt Listing All: Security Requirement Families & Controls Security
More informationStudents should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:
Secure Java Web Application Development Lifecycle - SDL (TT8325-J) Day(s): 5 Course Code: GK1107 Overview Secure Java Web Application Development Lifecycle (SDL) is a lab-intensive, hands-on Java / JEE
More informationSecurity Course. WebGoat Lab sessions
Security Course WebGoat Lab sessions WebGoat Lab sessions overview Initial Setup Tamper Data Web Goat Lab Session 4 Access Control, session information stealing Lab Session 2 HTTP Basics Sniffing Parameter
More information10 FOCUS AREAS FOR BREACH PREVENTION
10 FOCUS AREAS FOR BREACH PREVENTION Keith Turpin Chief Information Security Officer Universal Weather and Aviation Why It Matters Loss of Personally Identifiable Information (PII) Loss of Intellectual
More informationControlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:
Page 1 of 6 I. Common Principles and Approaches to Privacy A. A Modern History of Privacy a. Descriptions, definitions and classes b. Historical and social origins B. Types of Information a. Personal information
More informationEvaluating the Security Risks of Static vs. Dynamic Websites
Evaluating the Security Risks of Static vs. Dynamic Websites Ballard Blair Comp 116: Introduction to Computer Security Professor Ming Chow December 13, 2017 Abstract This research paper aims to outline
More informationMASTERCARD PRICELESS SPECIALS INDIA PRIVACY POLICY
Effective Date: 12 September 2017 MASTERCARD PRICELESS SPECIALS INDIA PRIVACY POLICY Mastercard respects your privacy. This Privacy Policy describes how we process personal data, the types of personal
More informationW e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s
W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s Session I of III JD Nir, Security Analyst Why is this important? ISE Proprietary Agenda About ISE Web Applications
More informationAIM Enterprise Platform Software IBM z/transaction Processing Facility Enterprise Edition 1.1.0
z/tpf V1.1 TPF Users Group - Spring 2009 Security Considerations in a Service Oriented Architecture (SOA) Jason Keenaghan Main Tent AIM Enterprise Platform Software IBM z/transaction Processing Facility
More informationSecure Frame Communication in Browsers Review
Secure Frame Communication in Browsers Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka October 16, 2011 1 Introduction to the topic and the reason for the topic being
More informationISC2 EXAM - CISSP. Certified Information Systems Security Professional. Buy Full Product.
ISC2 EXAM - CISSP Certified Information Systems Security Professional Buy Full Product http://www.examskey.com/cissp.html Examskey ISC2 CISSP exam demo product is here for you to test the quality of the
More informationApplication Layer Security
Application Layer Security General overview Ma. Angel Marquez Andrade Benefits of web Applications: No need to distribute separate client software Changes to the interface take effect immediately Client-side
More informationThis slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in
1 This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in terms of prevalence (how much the vulnerability is widespread),
More informationCNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies
CNIT 129S: Securing Web Applications Ch 3: Web Application Technologies HTTP Hypertext Transfer Protocol (HTTP) Connectionless protocol Client sends an HTTP request to a Web server Gets an HTTP response
More informationAguascalientes Local Chapter. Kickoff
Aguascalientes Local Chapter Kickoff juan.gama@owasp.org About Us Chapter Leader Juan Gama Application Security Engineer @ Aspect Security 9+ years in Appsec, Testing, Development Maintainer of OWASP Benchmark
More informationThe Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA
The Weakest Link: Mitigating Web Application Vulnerabilities webscurity White Paper webscurity Inc. Minneapolis, Minnesota USA March 19, 2008 Contents Executive Summary...3 Introduction...4 Target Audience...4
More informationVulnerabilities in online banking applications
Vulnerabilities in online banking applications 2019 Contents Introduction... 2 Executive summary... 2 Trends... 2 Overall statistics... 3 Comparison of in-house and off-the-shelf applications... 6 Comparison
More informationWeb Application & Web Server Vulnerabilities Assessment Pankaj Sharma
Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma Indian Computer Emergency Response Team ( CERT - IN ) Department Of Information Technology 1 Agenda Introduction What are Web Applications?
More informationThe World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to
1 The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to compromises of various sorts, with a range of threats
More informationQuestion No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:
Volume: 75 Questions Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output: Which of the following is occurring? A. A ping sweep B. A port scan
More informationCertified Secure Web Application Security Test Checklist
www.certifiedsecure.com info@certifiedsecure.com Tel.: +31 (0)70 310 13 40 Loire 128-A 2491 AJ The Hague The Netherlands Certified Secure Checklist About Certified Secure exists to encourage and fulfill
More informationPracticeDump. Free Practice Dumps - Unlimited Free Access of practice exam
PracticeDump http://www.practicedump.com Free Practice Dumps - Unlimited Free Access of practice exam Exam : SY0-501 Title : CompTIA Security+ Certification Exam Vendor : CompTIA Version : DEMO Get Latest
More informationFACTS WHAT DOES FARMERS STATE BANK DO WITH YOUR PERSONAL INFORMATION? WHY? WHAT? HOW? L QUESTIONS?
FACTS WHAT DOES FARMERS STATE BANK DO WITH YOUR PERSONAL INFORMATION? WHY? WHAT? HOW? Financial companies choose how they share your personal information. Federal law gives consumers the right to limit
More informationIPM Secure Hardening Guidelines
IPM Secure Hardening Guidelines Introduction Due to rapidly increasing Cyber Threats and cyber warfare on Industrial Control System Devices and applications, Eaton recommends following best practices for
More informationUsing the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway
Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway Applying Application Delivery Technology to Web Services Overview The Cisco ACE XML Gateway is the newest
More informationMitigating Security Breaches in Retail Applications WHITE PAPER
Mitigating Security Breaches in Retail Applications WHITE PAPER Executive Summary Retail security breaches have always been a concern in the past, present and will continue to be in the future. They have
More informationManaging an Active Incident Response Case. Paul Underwood, COO
Managing an Active Incident Response Case Paul Underwood, COO 2 About Us Paul Underwood - COO Emagined Security is a leading professional services firm for Information Security, Privacy & Compliance solutions.
More informationAttacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14
Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.
More informationLECT 8 WEB SECURITY BROWSER SECURITY. Repetition Lect 7. WEB Security
Repetition Lect 7 LECT 8 WEB SECURITY Access control Runtime protection Trusted computing Java as basic model for signed code Trusted Computing Group TPM ARM TrustZone Mobile Network security GSM security
More informationTechnologies for Securing the Networked Supply Chain. Alex Deacon Advanced Products and Research Group VeriSign, Inc.
Technologies for Securing the Networked Supply Chain Alex Deacon Advanced Products and Research Group VeriSign, Inc. Agenda Introduction Security challenges Security technologies in use today Applying
More informationSecuring the managed environment
Securing the managed environment You, me, and everybody Pepijn Bruienne @bruienne R&D Engineer Duo Security About Me 15+ year as Mac Admin Small, medium, large enterprise Higher Education FOSS user, contributor
More informationISO/IEC Common Criteria. Threat Categories
ISO/IEC 15408 Common Criteria Threat Categories 2005 Bar Biszick-Lockwood / QualityIT Redmond, WA 2003 Purpose This presentation introduces you to the threat categories contained in ISO/IEC 15408, used
More informationNetwork Security and Cryptography. December Sample Exam Marking Scheme
Network Security and Cryptography December 2015 Sample Exam Marking Scheme This marking scheme has been prepared as a guide only to markers. This is not a set of model answers, or the exclusive answers
More information90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on April 16, 2018 15:41 PM O verview 1 90% Compliance About PCI DSS 2.0 PCI-DSS is a legal obligation mandated not by government
More informationAndrew van der Stock OWASP Foundation
Andrew van der Stock is among the many contributors to the OWASP project over the years. Andrew has presented at many conferences, including BlackHat USA, linux.conf.au, and AusCERT, and is a leading Australian
More informationNIST Revision 2: Guide to Industrial Control Systems (ICS) Security
NIST 800-82 Revision 2: Guide to Industrial Control Systems (ICS) Security How CyberArk can help meet the unique security requirements of Industrial Control Systems Table of Contents Executive Summary
More informationComputer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks
Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition Chapter 3 Investigating Web Attacks Objectives After completing this chapter, you should be able to: Recognize the indications
More informationThe requirements were developed with the following objectives in mind:
FOREWORD This document defines four levels of application security verification. Each level includes a set of requirements for verifying the effectiveness of security controls that protect web applications
More informationAuthor: Tonny Rabjerg Version: Company Presentation WSF 4.0 WSF 4.0
Author: Tonny Rabjerg Version: 20150730 Company Presentation WSF 4.0 WSF 4.0 Cybercrime is a growth industry. The returns are great, and the risks are low. We estimate that the likely annual cost to the
More informationSecuring ArcGIS Services
Federal GIS Conference 2014 February 10 11, 2014 Washington DC Securing ArcGIS Services James Cardona Agenda Security in the context of ArcGIS for Server Background concepts Access Securing web services
More informationHow WebSafe Can Protect Customers from Web-Based Attacks. Mark DiMinico Sr. Mgr., Systems Engineering Security
How WebSafe Can Protect Customers from Web-Based Attacks Mark DiMinico Sr. Mgr., Systems Engineering Security Drivers for Fraud Prevention WebSafe Protection Drivers for Fraud Prevention WebSafe Protection
More informationTop-Down Network Design
Top-Down Network Design Chapter Eight Developing Network Security Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer 1 Network Security Design The steps for security design are: 1. Identify
More information