Web Applications (Part 2) The Hackers New Target
|
|
- Juliet Woods
- 6 years ago
- Views:
Transcription
1 Web Applications (Part 2) The Hackers New Target AppScan Source Edition Terence Chow Advisory Technical Consultant An IBM Rational IBM Software Proof of Technology Hacking 102: Integrating Web Application Security Testing into Development 1
2 How does Application Security Testing work? Explore source code and/or web site to detect structure Identify Vulnerabilities ranked after severity and show how it was identified Advanced remediation, fix recommendations and security enablement 2
3 Black-box (Discovering SQL Injection) ****** SELECT * from tusers where userid= AND password= foobar 3
4 How BB Scanners Work Stage 1: Crawling as an honest user
5 How BB Scanners Work Stage 1: Crawling as an honest user Stage 2: Testing by tampering requests 5
6 White-box (Discovering SQL Injection) //... String username = request.getparameter("username"); String password = request.getparameter("password"); //... String query = "SELECT * from tusers where " + "userid='" + username + "' " + "AND password='" + password + "'"; //... ResultSet rs = stmt.executequery(query); Source a method returning tainted string User can change executed SQL commands Sink - a potentially dangerous method 6
7 White-box (Discovering SQL Injection) String username = request.getparameter("username"); //... String username = request.getparameter("username"); String password = request.getparameter("password"); //... String query = "SELECT * from tusers where " +' "userid='" + username + "' " + "AND password='" + password + "'"; String query = "SELECT " + username //... ResultSet rs = stmt.executequery(query); ResultSet rs = stmt.executequery(query); 7
8 A Common Fix (not always the best for SQL Injection) //... String username = request.getparameter("username"); String password = request.getparameter("password"); //... String query = "SELECT * from tusers where " + "userid='" + Encode(username) + "' " + + "' " + "AND password='" + Encode(password) + "'"; + "'"; //... ResultSet rs = stmt.executequery(query); Sanitizer: a method returning a non-tainted string 8
9 BB vs. WB Paradigm BB Cleverly guessing behaviors that may introduce vulnerabilities WB Examines infinite numbers of behaviors in a finite approach 9
10 BB vs. WB - Perspective BB - Works as an attacker - HTTP awareness only - Works on the big picture WB - Resembles code auditing - Inspects the small details - Hard to connect the dots SQL Injection Found 10
11 BB vs. WB Prerequisite BB - Any deployed application - Easier to use in the testing stage - Where code is often unavailable WB - Application code - Can be used earlier during development - As soon as the application compiles Bank.war 11
12 BB vs. WB Development Effort BB - Oblivious to different languages - And most server-side technology - Affected by Client-Side Technology - Different communication protocols require attention WB - Different languages require support - As do some frameworks - Less affected by Client-Side Technology - Oblivious to communication protocols 12
13 BB vs. WB Time/Accuracy Tradeoffs BB - Crawling takes time - Testing mutations takes (infinite) time WB - Refined model consumes space - And time - Analyzing only important code - Approximating the rest 13
14 BB vs. WB Accuracy Challenges BB - Challenge: - Cover all attack vectors WB -Challenge: - Eliminate non-exploitable issues Hacking 102: Integrating Web Application Security Testing into Development 14
15 Black-box (Dynamic) Analysis Examining a system or software with no prior knowledge or application assets Strengths Testing real software allows for high confidence in findings No need for design specifications or source code Source code and environment agnostic Software is easily tested across a network Challenges Impossible to determine code coverage Logical design flaws are easily missed Requires deployed application 15
16 White-box (Static) Analysis All relevant information is known and available to tester Source code Architectural design Strengths Logical design flaws can be determined Entire attack surface can be examined Very effective at finding programming and implementation errors Challenges Poor coding practices may result in non-vulnerable finding (false positive) Access to source code is not always possible Some weaknesses are only exposed in deployment Software is not easily remotely tested 16
17 Automated vs. Manual Analysis Automated Strengths Low cost Repeatable Scalable Weaknesses Missing human intelligence Manual Weaknesses High cost Dependant on ability Not scalable Strengths Human intelligence IF time and cost were not a barrier to the organization, manual analysis would win out over automation every single time! Human intelligence can not be automated. Automated tools allow you to find the low hanging fruit and address the opportunistic vulnerabilities! 17
18 Security Analysis Techniques Black Box Manual Manual Proxy Netcat Threat Modelling Architectural Fuzzing Tools Web App Scanners Binary Analysis Database Scanners Automated Code Review Analysis Source Code Scanners White Box 18
19 Black-box Analysis Composite Analysis White-box Analysis Accuracy Code/path coverage Source free Limited to given code Code coverage More than HTTP validations HTTP awareness only Support partial applications Multi components support Support per language/framework Requires deployed application No need to deploy application Few Prerequisites Over approximation Works as a remote attacker Integration/deployment issues 19
20 Security Testing Technologies... Combination Delivers a Comprehensive Solution Static Code Analysis = Whitebox Scanning source code for security issues Total Potential Security Issues Dynamic Analysis = Blackbox Performing security analysis of a compiled application Static Analysis Best Coverage Dynamic Analysis
21 Secure code development and vulnerability management IBM Rational AppScan A market leader for Web application vulnerability scanning A leader in numerous industry bake offs Automatically scans Web applications for vulnerabilities SQL Injection Cross-site Scripting Provides clear recommendations on how to remediate identified vulnerabilities Scans Web sites for embedded malware Protect your Web site from distributing the next Conficker to every Web site visitor Powered by the IBM Internet Security Systems X- Force malware prevention system 21
22 IBM Rational AppScan Ecosystem AppScan Enterprise / Reporting Console / Source Ed Core AppScan Source Ed for Developer / Remediation AppScan Ent. QuickScan (web client) AppScan Source Ed for Automation (scanning agent) (QA clients) AppScan Tester Ed AppScan Enterprise user (web client) AppScan Standard Ed (desktop) Rational Application Developer Rational Software Analyzer Rational ClearCase Rational Build Forge Rational Quality Manager AppScan Source Ed for Security Rational ClearQuest / Issue Management CODE Build security testing into the IDE* BUILD Automate Security / Compliance testing in the Build Process QA Security / compliance testing incorporated into testing & remediation workflows SECURITY Security & Compliance Testing, oversight, control, policy, audits IBM Rational Web Based Training for AppScan
23 AppScan Source Ed User Components AppScan Source Edition for Security is required in every deployment Security auditor/analyst is the primary user; can be used/deployed to anyone (ie. development leads) Requires connection to a Core Available as Authorized user only AppScan Source Edition for Developer IDE deployment: Eclipse versions 3.2, 3.3, and 3.4; IBM Rational Application Developer V7.0 and V7.5; Visual Studio.NET 2003, 2005, and 2008 Supported Project Files: Visual Studio.NET 2003, Visual Studio 2005, Visual Studio 2008, WebSphere Studio, Application Developer 5.1, Eclipse 3.1, 3.2, 3.3, IBM Rational Application Developer V6.0 and V7.0 Requires a connection to a Core AppScan Source Edition for Remediation Same plug-in as AppScan Source Edition for Developer except no ability to scan
24 Bug in APIs marked both Source, Tainted Callback 24
25 Type II No Trace: Where s the source? 25
26 Profiling for Sources Evaluating technologies in use APIs are marked as technologies Controlled by custom rules Enumerated in SmartAudit 36 API usages (no trace info) 242 SOAP API usages (no trace info) 26
27 Profiling Gives You Knowledge to Ask Questions Why is there an interface? Identifying critical assets Highlights usage in code Why is the application opening a socket? 27
28 AppScan Source Edition Reporting Integration with AppScan Enterprise / AppScan Reporting Console Add-on allows import of results from AppScan Source Ed Provides centralized security dashboard & trend reporting engine for blackbox and whitebox results Reporting Console reporting requirements are to be routed to either offering Clicking on the matrix cells changes the results list below AppScan Enterprise / Reporting Console AppScan Source Ed for Developer / Remediation AppScan Source Ed for Security
29 Hacking 102: Integrating Web Application Security Testing into Development 29
30 Basic Operational Responsibilities Set security requirements: A manager or security expert defines vulnerabilities and how to judge criticality Configure: Use the Project Configuration Wizard to get set up to scan your applications Scan: Scan large code bases and return results. Ounce s unique security compiler technology handles code complexity and size with maximum efficiency Triage: Separate real vulnerabilities from potential ones, allowing triage on critical issues to begin immediately. Resolve: Eliminate vulnerabilities by rewriting code, removing flaws, or adding security functions Verify fixes: Rescan the code to assure that vulnerabilities are eliminated
31 Rational AppScan Source Ed Deployment Overview Build Rational AppScan Source for Automation Functions: Rational AppScan Source Ed Core Development Rational AppScan Source Ed for Developer or for Remediation Security Rational AppScan Source Ed for Security 31
32 Enabling security testing across the SDLC AppScan Enterprise / Reporting Console AppScan Build Ed AppScan Tester Ed AppScan Developer Ed (desktop) AppScan Ent. QuickScan (Web client) (scanning agent) (scanning agent) (QA clients) AppScan Enterprise user (Web client) AppScan Standard Ed (desktop) Rational Application Developer Rational Software Analyzer Rational ClearCase Rational BuildForge Rational Quality Manager AppScan Express (desktop) Rational ClearQuest / Defect Management CODE Build security testing into the IDE* BUILD Automate Security / Compliance testing in the Build Process QA Security / compliance testing incorporated into testing and remediation workflows SECURITY Security and Compliance Testing, oversight, control, policy, audits IBM Rational Web Based Training for AppScan 32
33 Deployment and workflow should support your needs Managers Define security requirements Track development progress, review vulnerability data, and monitor remediation results Security Analysis Team Configure scanner for build integration Retrieve code for analysis Scan entire application Triage results Assign vulnerabilities to developers Developers Perform necessary remediation Check in code Hacking 102: Integrating Web Application Security Testing into Development 33
34 AppScan Source Edition Workflow Security Analyst Security Analyst, Reporting Console Configure, On_Board Automation Server, or Developer Plug-in Security Analyst Publish Scan Triage Security Analyst or Developer Plug-in Remediate Assign Security Analyst 34
35 Flexible Deployment Rational AppScan: -Source for Automation -Standard Ed Build QA Rational AppScan Tester Ed for RQM Development Rational AppScan: - Source Ed Developer - Source Ed Remediation - Enterprise QuickScan Functions: Rational AppScan Source Ed Core Rational AppScan Enterprise portal Security Rational AppScan: -Standard Ed -Source Ed for Security Compliance
36 Rational ALM Integrations Build Forge Build Rational AppScan: -Source for Automation -Standard Ed Application Developer QA Rational AppScan Tester Ed for RQM Development Rational AppScan: - Source Ed Developer - Source Ed Remediation - Enterprise QuickScan Rational AppScan Source Ed Core Rational AppScan Enterprise portal Quality Manager ClearQuest Security Rational AppScan: -Standard Ed -Source Ed for Security Compliance
37 AppScan Source Edition serves many stakeholders Insight & Assessment, with Trend Analysis Supports standards compliance Rapid prioritization of threats, full coverage of all assets Simplified analysis customization, provides guidance & confidence Focus on highest-severity threats Distributed reporting & annotated aggregation of results Profiles risk in IT and Audit oriented terms Audit-centric reports Provides critical metrics (Vdensity) to prioritize & track remediation Accepts bundled and annotated results from security analysts Provides full diagnostic capability on developer desktops Simplifies security remediation through extensive knowledgebase
Hacking 102 Integrating Web Application Security Testing into Development
Hacking 102 Integrating Web Application Security Testing into Development Greg Pedley - gpedley@au1.ibm.com Brett Wallace - bretwal@au1.ibm.com Denice Wong deniwong@au1.ibm.com An IBM Proof of Technology
More informationIBM Rational Software
IBM Rational Software Development Conference 2008 Our Vision for Application Security David Ng Rational Software Security, Asean IBM Software Group 2008 IBM Corporation Agenda Application Security Defined
More informationAppScan Deployment APPLICATION SECURITY SERVICES. Colin Bell. Applications Security Senior Practice Manager
APPLICATION SECURITY SERVICES AppScan Deployment Colin Bell Applications Security Senior Practice Manager Copyright 2017 HCL Products & Platforms www.hcltech.com The Evolution of Devops 2001 - Continuous
More informationName Aaron Clark. Title: Security Shifts to the Application
Name Aaron Clark Title: Security Shifts to the Application You re late to the party Some found that out the hard way Night Dragon Sony LizaMoon HBGary Federal Others were told they had to go PCI Disa STIG
More informationSAMPLE QUESTIONS for: Test C , Security Dynamic and Static Applications V2, Fundamentals
SAMPLE QUESTIONS for: Test C2150-500, Security Dynamic and Static Applications V2, Fundamentals Note: The bolded response option is the correct answer. Item 500.1.1.5 A customer of five years calls on
More informationWeb Applications Part 1 The Weak Link in Information Security Your Last Line of Defense
Web Applications Part 1 The Weak Link in Information Security Your Last Line of Defense Anthony Lim MBA FCITIL CISSP CSSLP Director, Security Rational Software - Asia Pacific 1 Hong Kong 17 Nov 2009 Welcome
More informationTrustwave Managed Security Testing
Trustwave Managed Security Testing SOLUTION OVERVIEW Trustwave Managed Security Testing (MST) gives you visibility and insight into vulnerabilities and security weaknesses that need to be addressed to
More informationChapter 5: Vulnerability Analysis
Chapter 5: Vulnerability Analysis Technology Brief Vulnerability analysis is a part of the scanning phase. In the Hacking cycle, vulnerability analysis is a major and important part. In this chapter, we
More informationBrochure. Security. Fortify on Demand Dynamic Application Security Testing
Brochure Security Fortify on Demand Dynamic Application Security Testing Brochure Fortify on Demand Application Security as a Service Dynamic Application Security Testing Fortify on Demand delivers application
More information01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED
01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED Contents 1. Introduction 3 2. Security Testing Methodologies 3 2.1 Internet Footprint Assessment 4 2.2 Infrastructure Assessments
More informationIBM Security AppScan Enterprise v9.0.1 Importing Issues from Third Party Scanners
IBM Security AppScan Enterprise v9.0.1 Importing Issues from Third Party Scanners Anton Barua antonba@ca.ibm.com October 14, 2014 Abstract: To manage the challenge of addressing application security at
More informationSecurity Solution. Web Application
Web Application Security Solution Netsparker is a web application security solution that can be deployed on premise, on demand or a combination of both. Unlike other web application security scanners,
More information<Partner Name> <Partner Product> RSA Ready Implementation Guide for. Rapid 7 Nexpose Enterprise 6.1
RSA Ready Implementation Guide for Rapid 7 Jeffrey Carlson, RSA Partner Engineering Last Modified: 04/11/2016 Solution Summary Rapid7 Nexpose Enterprise drives the collection
More informationThe Challenge of Managing WebSphere Farm Configuration. Rational Automation Framework for WebSphere
IBM Software Group The Challenge of Managing WebSphere Farm Configuration Rational Automation Framework for WebSphere Terence Chow Technical Specialist IBM Rational Hong Kong 2007 IBM Corporation Example:
More informationMicro Focus Fortify Application Security
Micro Focus Fortify Application Security Petr Kunstat SW Consultant +420 603 400 377 petr.kunstat@microfocus.com My web/mobile app is secure. What about yours? High level IT Delivery process Business Idea
More informationIntegrate IBM Rational Application Developer and IBM Security AppScan Source Edition
Integrate IBM Rational Application Developer and IBM Security AppScan Source Edition Security testing for the Rational Application Developer application G Kiran Kumar Singh & Arnab Roy July 19, 2012 Page
More informationConverged security. Gerben Verstraete, CTO, HP Software Services Colin Henderson, Managing Principal, Enterprise Security Products
Converged security Gerben Verstraete, CTO, HP Software Services Colin Henderson, Managing Principal, Enterprise Security Products Increased risk and wasted resources Gartner estimates more than $1B in
More informationBuild the application using Rational Build Forge
Build the application using Rational Build Forge In this lab, as the Build Engineer, you will run a formal build of Release 2.0 of the RatlBankWeb application. After the build completes, you will be able
More informationCYSE 411/AIT 681 Secure Software Engineering. Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun
CYSE 411/AIT 681 Secure Software Engineering Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun Reading This lecture [McGraw]: Ch. 7-9 2 Seven Touchpoints 1. Code review 2. Architectural
More information4. Risk-Based Security Testing. Reading. CYSE 411/AIT 681 Secure Software Engineering. Seven Touchpoints. Application of Touchpoints
Reading This lecture [McGraw]: Ch. 7-9 CYSE 411/AIT 681 Secure Software Engineering Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun 2 Seven Touchpoints Application of Touchpoints
More informationRiskSense Attack Surface Validation for Web Applications
RiskSense Attack Surface Validation for Web Applications 2018 RiskSense, Inc. Keeping Pace with Digital Business No Excuses for Not Finding Risk Exposure We needed a faster way of getting a risk assessment
More informationNational State Auditors Association Vulnerability Management: An Audit Primer September 20, 2018
Office of the Legislative Auditor State of Minnesota National State Auditors Association Vulnerability Management: An Audit Primer September 20, 2018 Christopher Buse Deputy Legislative Auditor Boot Camp
More informationSecuring Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software
Securing Your Web Application against security vulnerabilities Alvin Wong, Brand Manager IBM Rational Software Agenda Security Landscape Vulnerability Analysis Automated Vulnerability Analysis IBM Rational
More informationAutomated, Real-Time Risk Analysis & Remediation
Automated, Real-Time Risk Analysis & Remediation TABLE OF CONTENTS 03 EXECUTIVE SUMMARY 04 VULNERABILITY SCANNERS ARE NOT ENOUGH 06 REAL-TIME CHANGE CONFIGURATION NOTIFICATIONS ARE KEY 07 FIREMON RISK
More informationManual Testing. Software Development Life Cycle. Verification. Mobile Testing
10 Weeks (Weekday Batches) or 12 Weekends (Weekend batches) To become a Professional Software Tester To enable the students to become Employable Manual Testing Fundamental of Testing What is software testing?
More informationContinuously Discover and Eliminate Security Risk in Production Apps
White Paper Security Continuously Discover and Eliminate Security Risk in Production Apps Table of Contents page Continuously Discover and Eliminate Security Risk in Production Apps... 1 Continuous Application
More informationDHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1
Addressing the Evolving Cybersecurity Tom Tollerton, CISSP, CISA, PCI QSA Manager Cybersecurity Advisory Services DHG presenter Tom Tollerton, Manager DHG IT Advisory 704.367.7061 tom.tollerton@dhgllp.com
More informationHow to Secure Your Cloud with...a Cloud?
A New Era of Thinking How to Secure Your Cloud with...a Cloud? Eitan Worcel Offering Manager - Application Security on Cloud IBM Security 1 2016 IBM Corporation 1 A New Era of Thinking Agenda IBM Cloud
More informationBuilding Security Into Applications
Building Security Into Applications Cincinnati Chapter Meetings Marco Morana Chapter Lead Blue Ash, July 30 th 2008 Copyright 2008 The Foundation Permission is granted to copy, distribute and/or modify
More informationJ2EE Application Development : Conversion and Beyond Osmond Ng
IBM Software Group J2EE Application Development : Conversion and Beyond Osmond Ng IBM Software Group Practitioner View Point IBM Rational Application Developer J2EE/EJB Tooling J2EE construction tools
More informationMicro Focus Security Fortify Audit Assistant
White Paper Security Micro Focus Security Fortify Audit Assistant Table of Contents page Introduction... 1 Why Static Application Security Testing?............................................. 1 Confirmation
More informationProtect your apps and your customers against application layer attacks
Protect your apps and your customers against application layer attacks Development 1 IT Operations VULNERABILITY DETECTION Bots, hackers, and other bad actors will find and exploit vulnerabilities in web
More informationWHITEHAT SENTINEL PRODUCT FAMILY. WhiteHat Sentinel Product Family
WHITEHAT PRODUCT FAMILY WhiteHat Sentinel Product Family Combining technology with human intelligence to deliver the world's most powerful and accurate application security WhiteHat Sentinel is a software-as-a-service
More informationAutomating the Top 20 CIS Critical Security Controls
20 Automating the Top 20 CIS Critical Security Controls SUMMARY It s not easy being today s CISO or CIO. With the advent of cloud computing, Shadow IT, and mobility, the risk surface area for enterprises
More informationIBM Proventia Management SiteProtector Sample Reports
IBM Proventia Management SiteProtector Page Contents IBM Proventia Management SiteProtector Reporting Functionality Sample Report Index 2-25 Reports 26 Available SiteProtector Reports IBM Proventia Management
More informationRiskSense Attack Surface Validation for IoT Systems
RiskSense Attack Surface Validation for IoT Systems 2018 RiskSense, Inc. Surfacing Double Exposure Risks Changing Times and Assessment Focus Our view of security assessments has changed. There is diminishing
More informationTesting with Soap UI. Tomaš Maconko
Testing with Soap UI Tomaš Maconko 1 Content What is Soap UI? What features does the Soap UI have? Usage in project context Pros and cons Soap UI alternatives 2 What is Soap UI? Open Source Testing Tool
More informationPenetration testing.
Penetration testing Penetration testing is a globally recognized security measure that can help provide assurances that a company s critical business infrastructure is protected from internal or external
More informationIBM Rational Application Developer for WebSphere Software, Version 7.0
Visual application development for J2EE, Web, Web services and portal applications IBM Rational Application Developer for WebSphere Software, Version 7.0 Enables installation of only the features you need
More information8 Must Have. Features for Risk-Based Vulnerability Management and More
8 Must Have Features for Risk-Based Vulnerability Management and More Introduction Historically, vulnerability management (VM) has been defined as the practice of identifying security vulnerabilities in
More informationCybersecurity The Evolving Landscape
Cybersecurity The Evolving Landscape 1 Presenter Zach Shelton, CISA Principal DHG IT Advisory Zach.Shelton@DHG.com Raleigh, NC 14+ years of experience in IT Consulting 11+ years of experience with DHG
More information90% of data breaches are caused by software vulnerabilities.
90% of data breaches are caused by software vulnerabilities. Get the skills you need to build secure software applications Secure Software Development (SSD) www.ce.ucf.edu/ssd Offered in partnership with
More informationEnsure Quality in Development
Ensure Quality in Development Quality Challenges On average, professional coders make 00 to 50 errors in every thousand lines of code they write. In Perspective.35 million software developers in United
More informationSOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT
RSA ARCHER IT & SECURITY RISK MANAGEMENT INTRODUCTION Organizations battle growing security challenges by building layer upon layer of defenses: firewalls, antivirus, intrusion prevention systems, intrusion
More informationCSWAE Certified Secure Web Application Engineer
CSWAE Certified Secure Web Application Engineer Overview Organizations and governments fall victim to internet based attacks every day. In many cases, web attacks could be thwarted but hackers, organized
More informationOliopäivät Modelling Now and in the Future, with Acronyms or without = RSA
IBM Software Group Oliopäivät 28-29.11.2006 Modelling Now and in the Future, with Acronyms or without = RSA rami.talme@fi.ibm.com 2006 IBM Corporation IBM Software Group Rational software The business-driven
More informationA Strategic Approach to Web Application Security
A STRATEGIC APPROACH TO WEB APP SECURITY WHITE PAPER A Strategic Approach to Web Application Security Extending security across the entire software development lifecycle The problem: websites are the new
More informationMARCH Secure Software Development WHAT TO CONSIDER
MARCH 2017 Secure Software Development WHAT TO CONSIDER Table of Content Introduction... 2 Background... 3 Problem Statement... 3 Considerations... 4 Planning... 4 Start with security in requirements (Abuse
More informationCoreMax Consulting s Cyber Security Roadmap
CoreMax Consulting s Cyber Security Roadmap What is a Cyber Security Roadmap? The CoreMax consulting cyber security unit has created a simple process to access the unique needs of each client and allows
More informationVulnerability Management
Vulnerability Management Service Definition Table of Contents 1 INTRODUCTION... 2 2 SERVICE OFFERINGS VULNERABILITY MANAGEMENT... 2 3 SOLUTION PURPOSE... 3 4 HOW IT WORKS... 3 5 WHAT S INCLUDED... 4 6
More informationMeeting PCI DSS 3.2 Compliance with RiskSense Solutions
Meeting PCI DSS 3.2 Compliance with Solutions Platform the industry s most comprehensive, intelligent platform for managing cyber risk. 2018, Inc. What s Changing with PCI DSS? Summary of PCI Business
More informationSECURITY TRAINING SECURITY TRAINING
SECURITY TRAINING SECURITY TRAINING Addressing software security effectively means applying a framework of focused activities throughout the software lifecycle in addition to implementing sundry security
More informationVULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED
AUTOMATED CODE ANALYSIS WEB APPLICATION VULNERABILITIES IN 2017 CONTENTS Introduction...3 Testing methods and classification...3 1. Executive summary...4 2. How PT AI works...4 2.1. Verifying vulnerabilities...5
More informationSECURITY TESTING PROCESS IN SDLC
Khaja Shariff Page 1 7/20/2009 SECURITY TESTING PROCESS IN SDLC Khaja Shariff Page 2 7/20/2009 Table of Contents 1. Introduction... 3 1.1 Description... 3 1.2. Purpose... 3 2. Security Testing process...
More informationAdvanced Security Tester Course Outline
Advanced Security Tester Course Outline General Description This course provides test engineers with advanced skills in security test analysis, design, and execution. In a hands-on, interactive fashion,
More informationDefense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation
Defense-in-Depth Against Malicious Software Speaker name Title Group Microsoft Corporation Agenda Understanding the Characteristics of Malicious Software Malware Defense-in-Depth Malware Defense for Client
More informationProduct Security Program
Product Security Program An overview of Carbon Black s Product Security Program and Practices Copyright 2016 Carbon Black, Inc. All rights reserved. Carbon Black is a registered trademark of Carbon Black,
More informationManaged Application Security trends and best practices in application security
Managed Application Security trends and best practices in application security Adrian Locusteanu, B2B Delivery Director, Telekom Romania adrian.locusteanu@telekom.ro About Me Adrian Locusteanu is the B2B
More informationHacking by Numbers OWASP. The OWASP Foundation
Hacking by Numbers OWASP Tom Brennan WhiteHat Security Inc. tom.brennan@whitehatsec.com 973-506-9303 skype: jinxpuppy Copyright The OWASP Foundation Permission is granted to copy, distribute and/or modify
More informationInternet Scanner 7.0 Service Pack 2 Frequently Asked Questions
Frequently Asked Questions Internet Scanner 7.0 Service Pack 2 Frequently Asked Questions April 2005 6303 Barfield Road Atlanta, GA 30328 Tel: 404.236.2600 Fax: 404.236.2626 Internet Security Systems (ISS)
More informationReinvent Your 2013 Security Management Strategy
Reinvent Your 2013 Security Management Strategy Laurent Boutet 18 septembre 2013 Phone:+33 6 25 34 12 01 Email:laurent.boutet@skyboxsecurity.com www.skyboxsecurity.com What are Your Key Objectives for
More informationPresentation Overview
Presentation Overview Basic Application Security (AppSec) Fundamentals Risks Associated With Vulnerable Applications Understanding the Software Attack Surface Mean Time to Fix (MTTF) Explained Application
More informationIBM Internet Security Systems Proventia Management SiteProtector
Supporting compliance and mitigating risk through centralized management of enterprise security devices IBM Internet Security Systems Proventia Management SiteProtector Highlights Reduces the costs and
More informationTechnology Roadmap for Managed IT and Security. Michael Kirby II, Scott Yoshimura 04/12/2017
Technology Roadmap for Managed IT and Security Michael Kirby II, Scott Yoshimura 04/12/2017 Agenda Managed IT Roadmap Operational Risk and Compliance Cybersecurity Managed Security Services 2 Managed IT
More informationCyberSecurity. Penetration Testing. Penetration Testing. Contact one of our specialists for more information CYBERSECURITY SERVICE DATASHEET
DATASHEET Gavin, Technical Director Ensures Penetration Testing Quality CyberSecurity Penetration Testing CHESS CYBERSECURITY CREST-ACCREDITED PEN TESTS PROVIDE A COMPREHENSIVE REVIEW OF YOUR ORGANISATION
More informationOWASP 5/07/09. The OWASP Foundation OWASP Static Analysis (SA) Track Session 1: Intro to Static Analysis
Static Analysis (SA) Track Session 1: Intro to Static Analysis Eric Dalci Cigital edalci at cigital dot com 5/07/09 Copyright The Foundation Permission is granted to copy, distribute and/or modify this
More informationCode Reviews. James Walden Northern Kentucky University
Code Reviews James Walden Northern Kentucky University Topics 1. Types of Reviews 2. Code Review Process 3. Checklists 4. Prioritizing Code to Review Code Reviews Inspection of source code by one or more
More informationChristopher Covert. Principal Product Manager Enterprise Solutions Group. Copyright 2016 Symantec Endpoint Protection Cloud
Christopher Covert Principal Product Manager Enterprise Solutions Group Copyright 2016 Symantec Endpoint Protection Cloud THE PROMISE OF CLOUD COMPUTING We re all moving from challenges like these Large
More informationPEACHTECH PEACH API SECURITY AUTOMATING API SECURITY TESTING. Peach.tech
PEACH API SECURITY AUTOMATING API SECURITY TESTING Peach.tech Table of Contents Introduction... 3 Industry Trends... 3 API growth... 3 Agile and Continuous Development Frameworks... 4 Gaps in Tooling...
More informationThreat Centric Vulnerability Management
Threat Centric Vulnerability Management Solution Brief When it comes to vulnerability management, security leaders continue struggle to identify which of the thousands even millions of vulnerabilities
More informationOWASP Top 10 The Ten Most Critical Web Application Security Risks
OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain
More informationSecure Development Lifecycle
Secure Development Lifecycle Strengthening Cisco Products The Cisco Secure Development Lifecycle (SDL) is a repeatable and measurable process designed to increase Cisco product resiliency and trustworthiness.
More informationEffective Threat Modeling using TAM
Effective Threat Modeling using TAM In my blog entry regarding Threat Analysis and Modeling (TAM) tool developed by (Application Consulting and Engineering) ACE, I have watched many more Threat Models
More informationForeScout Extended Module for Qualys VM
ForeScout Extended Module for Qualys VM Version 1.2.1 Table of Contents About the Qualys VM Integration... 3 Additional Qualys VM Documentation... 3 About This Module... 3 Components... 4 Considerations...
More informationVulnerability Management & Vulnerability Assessment. Nessus Attack Scripting Language (NASL). CVE databases, NVD database
Case Study 2018 Solution/Service Title Vulnerability Management & Vulnerability Assessment Client Industry Cybersecurity, Vulnerability Assessment and Management, Network Security Client Overview Client
More informationImperva Incapsula Website Security
Imperva Incapsula Website Security DA T A SH E E T Application Security from the Cloud Imperva Incapsula cloud-based website security solution features the industry s leading WAF technology, as well as
More informationIBM WebSphere Studio Asset Analyzer, Version 5.1
Helping you quickly understand, enhance and maintain enterprise applications IBM, Version 5.1 Highlights n Provides interactive textual n Helps shorten the learning curve and graphic reports that help
More informationSOLUTION BRIEF. RiskSense Platform. RiskSense Platform the industry s most comprehensive, intelligent platform for managing cyber risk.
RiskSense Platform RiskSense Platform the industry s most comprehensive, intelligent platform for managing cyber risk. 27 RiskSense, Inc. Executive Summary The RiskSense Platform is a Software-as-a-Service
More informationQualys Cloud Platform
Qualys Cloud Platform Quick Tour The Qualys Cloud Platform is a platform of integrated solutions that provides businesses with asset discovery, network security, web application security, threat protection
More informationSoftware Updating: Hitting the Mark
Software Updating: Hitting the Mark Ravi Sankar Technology Evangelist Microsoft Corporation ravi.sankar@microsoft.com Agenda Update Management Overview Update Management Process Update Management Tools
More informationlocuz.com SOC Services
locuz.com SOC Services 1 Locuz IT Security Lifecycle services combine people, processes and technologies to provide secure access to business applications, over any network and from any device. Our security
More informationNOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect
NOTHING IS WHAT IT SIEMs: COVER PAGE Simpler Way to Effective Threat Management TEMPLATE Dan Pitman Principal Security Architect Cybersecurity is harder than it should be 2 SIEM can be harder than it should
More informationPrivilege Security & Next-Generation Technology. Morey J. Haber Chief Technology Officer
Privilege Security & Next-Generation Technology Morey J. Haber Chief Technology Officer mhaber@beyondtrust.com Agenda The Next-Gen Threat Landscape o Infomatics, Breaches & the Attack Chain o Securing
More informationSecurity Solutions. Overview. Business Needs
Security Solutions Overview Information security is not a one time event. The dynamic nature of computer networks mandates that examining and ensuring information security be a constant and vigilant effort.
More informationSecurity Challenges: Integrating Apple Computers into Windows Environments
Integrating Apple Computers into Windows Environments White Paper Parallels Mac Management for Microsoft SCCM 2018 Presented By: Table of Contents Environments... 3 Requirements for Managing Mac Natively
More informationMicro Focus Security Fortify. Application Security
Micro Focus Security Fortify Application Security Secure the new Application security in DevOps Agenda: - Fortify in brief (Offerings) - Fortify Source Code Analyzer - Fortify WebInspect - Using Fortify
More informationSecurity Testing. - a requirement for a secure business. ISACA DAY in SOFIA. Gabriel Mihai Tanase, Director, Cyber Services KPMG in CEE
Gabriel Mihai Tanase, Director, Cyber Services KPMG in CEE Cyber Security Services Security Testing - a requirement for a secure business ISACA DAY in SOFIA Agenda No Agenda Some minimum theory More real
More informationShiftLeft. Real-World Runtime Protection Benchmarking
ShiftLeft Real-World Runtime Protection Benchmarking Table of Contents Executive Summary... 02 Testing Approach... 02 ShiftLeft Technology... 04 Test Application... 06 Results... 07 SQL injection exploits
More informationUnder the hood testing - Code Reviews - - Harshvardhan Parmar
Under the hood testing - Code Reviews - - Harshvardhan Parmar In the news September 2011 A leading bank s Database hacked (SQLi) June 2011 Sony hack exposes consumer passwords (SQLi) April 2011 Sony sites
More informationTechnology Roadmap for Managed IT and Security. Michael Kirby II, Scott Yoshimura 05/24/2017
Technology Roadmap for Managed IT and Security Michael Kirby II, Scott Yoshimura 05/24/2017 Agenda Managed IT Roadmap Operational Risk and Compliance Cybersecurity Managed Security Services 2 Managed IT
More informationDevelopment*Process*for*Secure* So2ware
Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development
More informationTHE CONTRAST ASSESS COST ADVANTAGE
WHITEPAPER THE CONTRAST ASSESS COST ADVANTAGE APPLICATION SECURITY TESTING COSTS COMPARED WELCOME TO THE ERA OF SELF-PROTECTING SOFTWARE CONTRASTSECURITY.COM EXECUTIVE SUMMARY Applications account for
More informationSolutions Business Manager Web Application Security Assessment
White Paper Solutions Business Manager Solutions Business Manager 11.3.1 Web Application Security Assessment Table of Contents Micro Focus Takes Security Seriously... 1 Solutions Business Manager Security
More informationSoftware Security Initiatives for Information Security Officers Marco Morana OWASP Cincinnati Chapter OWASP ISSA Cincinnati Chapter Meeting
Software Security Initiatives for Information Security Officers Marco Morana OWASP Cincinnati Chapter OWASP ISSA Cincinnati Chapter Meeting July 14 th 2010 Copyright 2010 - The OWASP Foundation Permission
More informationWeb Applications Security. Radovan Gibala F5 Networks
Applications Security Radovan Gibala F5 Networks How does the current situation look like? Application Trends and Drivers ification of applications Intelligent browsers and applications Increasing regulatory
More informationSecurity Testing. John Slankas
Security Testing John Slankas jbslanka@ncsu.edu Course Slides adapted from OWASP Testing Guide v4 CSC 515 Software Security What is Security Testing? Validate security controls operate as expected What
More informationTHE FOUR PILLARS OF MODERN VULNERABILITY MANAGEMENT
WHITEPAPER THE FOUR PILLARS OF MODERN VULNERABILITY MANAGEMENT A comprehensive approach to reducing vulnerabilities across your ecosystem TABLE OF CONTENTS INTRODUCTION PAGE 3 1 2 3 4 ENHANCING NETWORK
More informationSIEMLESS THREAT MANAGEMENT
SOLUTION BRIEF: SIEMLESS THREAT MANAGEMENT SECURITY AND COMPLIANCE COVERAGE FOR APPLICATIONS IN ANY ENVIRONMENT Evolving threats, expanding compliance risks, and resource constraints require a new approach.
More information10 Things Every Auditor Should Do Before Performing a Security Audit
10 Things Every Auditor Should Do Before Performing a Security Audit 2 Opening Remarks Moderator R. Kinney Poynter Executive Director NASACT Speaker Rick Gamache Senior Consultant BerryDunn Objectives
More informationDiscover, Relate, Model, and Integrate Data Assets with Rational Data Architect
Discover, Relate, Model, and Integrate Data Assets with Rational Data Architect Niels C. Jacobsen (nielsj@dk.ibm.com) Associate IT Architect, IBM Software Group Rational IBM Software Group 2005 IBM Corporation
More information