Application Security Design Principles. What do you need to know?

Size: px
Start display at page:

Download "Application Security Design Principles. What do you need to know?"

Transcription

1 Application Security Design Principles What do you need to know?

2 Anshu Gupta Bio Director of Information Security at HelloSign, a leading esignature company. Served as a trusted advisor on information security issues to Fortune 500 companies at Ernst & Young and KPMG. Recently in senior security roles at Esurance (an AllState company) and Coupa Software.

3 & Hungry What are you up against Smart Hackers V

4 The problem Dev focus on feature & functionality

5 Application Lifecycle Upgrade Design Development Testing Deployment End of Life Maintenance

6 Application Security Methodology Know the threats Threat Modeling Incorporate security in your development lifecycle - Secure SDLC Secure the network, host and application

7 Threat Modeling - STRIDE and DREAD S Spoofing D Damage T Tampering R Reproducibility R Repudiation E Exploitability I Information Disclosure A Affected Users D Denial of Service D Discoverability E Escalation of Privileges Threat Identification Threat Rating There are other methodologies as well e.g. Trike, P.A.S.T.A. (Process for Attack Simulation and Threat Analysis)

8 Secure Software Development Lifecycle The Security Development Lifecycle (SDL) is a software development process that helps developers build more secure software and address security & compliance requirements while reducing development cost.

9 Secure Software Development Lifecycle Training Requirements Design Implementation Verification Release Response

10 Secure Software Development Lifecycle Reference Microsoft Secure SDL-

11 Application Security Principles Defense in Depth Check at the Gate Authentication & Authorization Compartmentalize Principle of Least Privilege Secure Defaults Validate User Input Establish trust boundaries Fail Securely Reduce your Attack Surface Secure the Weakest Link

12 Defense in Depth Non-reliance on a single layer of security Assumption that one of your layers may be bypassed or compromised

13 Check at the Gate

14 Compartmentalize - Principle of Least Privilege Only permissions absolutely required for the purpose of the app should be granted Limit the damage from accident, error or unauthorized use

15 Secure by Default Out of box settings put the application in a secure state

16 Validate User Input Attackers primary weapon when targeting your application Assume all input is malicious unless proven otherwise

17 Establish Trust Boundaries Trust boundaries indicate where trust levels change from a data flow perspective.

18 Fail Securely When the application fails, it should fail to a state that rejects all subsequent security requests. Sensitive data should be inaccessible. - Errors should not expose internal system details which could aid hackers. - Expect and Plan for system failure

19 Reduce your attack surface

20 Secure the weakest link Copyright Anshu Gupta All rights reserved.

21 What can you do tomorrow? Apart from source code security analysis (SAST), dynamic application security testing (DAST) and penetration testing Ensure that there is security, compliance and privacy section in the Technical Design Document Sign off is obtained from security/compliance on the technical design document before development starts Develop a basic threat modeling or what can go wrong type of template for developers

22 What can you do tomorrow? Have Dev identify all the deprecated libraries in the code Ask Legal if they would like to initiate an audit of open source code/libraries in the code and have them pay for the audit Ask if any secrets are stored in the code and not in configuration files

23 What can you do tomorrow? Ensure there is a security checklist for developers in the code review checklist or the Defintion of Done template (if following Agile). Work with QA to make sure security test cases are part of testing by QA. Ensure QA is included in Secure Development training along with Developers. Ensure that a pre-deploy security checklist exists for DevOps/Operations teams which includes things like turning off test accounts, disabling stack trace etc. Have Dev managers report application security metrics around found, closed and open security issues to the Dev leadership (see my LinkedIn post on application security metrics)

24 Want to learn more about Threat Modeling

25 Contact Information fromanshu

26 Thank You!

Threat Modeling for System Builders and System Breakers!! Dan Copyright 2014 Denim Group - All Rights Reserved

Threat Modeling for System Builders and System Breakers!! Dan Copyright 2014 Denim Group - All Rights Reserved Threat Modeling for System Builders and System Breakers!! Dan Cornell! @danielcornell Dan Cornell Dan Cornell, founder and CTO of Denim Group Software developer by background (Java,.NET, etc) OWASP San

More information

Secure Development Processes

Secure Development Processes Secure Development Processes SecAppDev2009 What s the problem? Writing secure software is tough Newcomers often are overwhelmed Fear of making mistakes can hinder Tend to delve into security superficially

More information

Threat Modeling For Secure Software Design

Threat Modeling For Secure Software Design Threat Modeling For Secure Software Design 2016 Central Ohio InfoSec Summit March 29, 2016 Robert Hurlbut RobertHurlbut.com @RobertHurlbut Robert Hurlbut Software Security Consultant, Architect, and Trainer

More information

OWASP March 19, The OWASP Foundation Secure By Design

OWASP March 19, The OWASP Foundation   Secure By Design Secure By Design March 19, 2014 Rohini Sulatycki Senior Security Consultant Trustwave rsulatycki@trustwave.com Copyright The Foundation Permission is granted to copy, distribute and/or modify this document

More information

An Example of use the Threat Modeling Tool

An Example of use the Threat Modeling Tool 1 Monthly Research 2016.11 An Example of use the Threat Modeling Tool E-Mail: research-feedback[at]ffri.jp Twitter: @FFRI_Research FFRI, Inc. http://www.ffri.jp/en/ Agenda About threat analysis support

More information

IANS Pragmatic Threat Modeling. Michael Pinch, IANS Faculty

IANS Pragmatic Threat Modeling. Michael Pinch, IANS Faculty IANS Pragmatic Threat Modeling Michael Pinch, IANS Faculty Agenda What Is Threat Modeling? Who Should Be Considering Threat Modeling? Methodologies for Threat Modeling Common Pitfalls Introduction of IANS

More information

Threat analysis. Tuomas Aura CS-C3130 Information security. Aalto University, autumn 2017

Threat analysis. Tuomas Aura CS-C3130 Information security. Aalto University, autumn 2017 Threat analysis Tuomas Aura CS-C3130 Information security Aalto University, autumn 2017 Outline What is security Threat analysis Threat modeling example Systematic threat modeling 2 WHAT IS SECURITY 3

More information

How To Make Threat Modeling Work For You

How To Make Threat Modeling Work For You How To Make Threat Modeling Work For You Strategic Approaches to Real-World Architecture Challenges O Reilly Software Architecture Online Conference March 1, 2016 Robert Hurlbut Robert Hurlbut Software

More information

*NSTAC Report to the President on the Internet of Things.

*NSTAC Report to the President on the Internet of Things. North Carolina Highway Signs Compromised By a Foreign Hacker* Penetration of a Water Treatment Facility by a Foreign Hacker* *NSTAC Report to the President on the Internet of Things. www.dhs.gov/sites/default/files/publications/

More information

SANS Institute , Author retains full rights.

SANS Institute , Author retains full rights. Steven F Burns GIAC Security Essentials Certification (GSEC) Practical Assignment Version 1.4c Threat Modeling: A Process To Ensure Application Security January 5, 2005 Abstract This paper discusses the

More information

Brochure. Security. Fortify on Demand Dynamic Application Security Testing

Brochure. Security. Fortify on Demand Dynamic Application Security Testing Brochure Security Fortify on Demand Dynamic Application Security Testing Brochure Fortify on Demand Application Security as a Service Dynamic Application Security Testing Fortify on Demand delivers application

More information

MIS Week 9 Host Hardening

MIS Week 9 Host Hardening MIS 5214 Week 9 Host Hardening Agenda NIST Risk Management Framework A quick review Implementing controls Host hardening Security configuration checklist (w/disa STIG Viewer) NIST 800-53Ar4 How Controls

More information

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Threat Modeling. Bart De Win Secure Application Development Course, Credits to Threat Modeling Bart De Win bart.dewin@ascure.com Secure Application Development Course, 2009 Credits to Frank Piessens (KUL) for the slides 2 1 Overview Introduction Key Concepts Threats, Vulnerabilities,

More information

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013 Protect Your Application with Secure Coding Practices Barrie Dempster & Jason Foy JAM306 February 6, 2013 BlackBerry Security Team Approximately 120 people work within the BlackBerry Security Team Security

More information

Development*Process*for*Secure* So2ware

Development*Process*for*Secure* So2ware Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development

More information

How Threat Modeling Can Improve Your IAM Solution

How Threat Modeling Can Improve Your IAM Solution How Threat Modeling Can Improve Your IAM Solution John Fehan Senior Consultant OpenSky Corporation October 2 nd, 2015 Agenda Evolution of Identity and Access Management (IAM) Solutions An sample IAM contextual

More information

Unit Level Secure by Design Approach

Unit Level Secure by Design Approach Unit Level Secure by Design Approach Abstract Authors: Vasantharaju MS & Joshua Cajetan Rebelo Vasantharaju_MS@McAfee.com Joshua.Rebelo@Siemens.com With cyber-attacks on the rise and high-profile breaches

More information

Threat Modeling Using STRIDE

Threat Modeling Using STRIDE Threat Modeling Using STRIDE By: Girindro Pringgo Digdo, M.T., CSX-F http://www.girindropringgodigdo.net/ girindigdo@gmail.com 1 About Dealing with Information Security Fields: VAPT Generate New Attack

More information

BUILDING APPLICATION SECURITY INTO PRODUCTION CONTAINER ENVIRONMENTS Informed by the National Institute of Standards and Technology

BUILDING APPLICATION SECURITY INTO PRODUCTION CONTAINER ENVIRONMENTS Informed by the National Institute of Standards and Technology BUILDING APPLICATION SECURITY INTO PRODUCTION CONTAINER ENVIRONMENTS Informed by the National Institute of Standards and Technology ebook BUILDING APPLICATION SECURITY INTO PRODUCTION CONTAINER ENVIRONMENTS

More information

Instructions 1. Elevation of Privilege Instructions. Draw a diagram of the system you want to threat model before you deal the cards.

Instructions 1. Elevation of Privilege Instructions. Draw a diagram of the system you want to threat model before you deal the cards. Instructions 1 Elevation of Privilege Instructions Draw a diagram of the system you want to threat model before you deal the cards. Deal the deck to 3 6 players. Play starts with the 3 of Tampering. Play

More information

C1: Define Security Requirements

C1: Define Security Requirements OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security

More information

Nick Coblentz, CISSP Senior Consultant, AT&T Consulting

Nick Coblentz, CISSP Senior Consultant, AT&T Consulting Nick Coblentz, CISSP Senior Consultant, AT&T Consulting Nick.Coblentz@gmail.com http://nickcoblentz.blogspot.com http://www.twitter.com/sekhmetn This work is licensed under a Creative Commons Attribution-Noncommercial-Share

More information

Practical Guide to Securing the SDLC

Practical Guide to Securing the SDLC Practical Guide to Securing the SDLC Branko Ninkovic Dragonfly Technologies Founder Agenda Understanding the Threats Software versus Security Goals Secure Coding and Testing A Proactive Approach to Secure

More information

THE ART OF SECURING 100 PRODUCTS. Nir

THE ART OF SECURING 100 PRODUCTS. Nir THE ART OF SECURING 100 PRODUCTS Nir Valtman @ValtmaNir I work for as the Application Security 1st time speaking publicly, except at Mmmm OH, AND Neither of my previous startups succeeded!

More information

Instructions 1 Elevation of Privilege Instructions

Instructions 1 Elevation of Privilege Instructions Instructions 1 Elevation of Privilege Instructions Draw a diagram of the system you want to threat model before you deal the cards. Deal the deck to 3-6 players. Play starts with the 3 of Tampering. Play

More information

Secure Application Development. OWASP September 28, The OWASP Foundation

Secure Application Development. OWASP September 28, The OWASP Foundation Secure Application Development September 28, 2011 Rohini Sulatycki Senior Security Consultant Trustwave rsulatycki@trustwave.com Copyright The Foundation Permission is granted to copy, distribute and/or

More information

McAfee Product Security Practices

McAfee Product Security Practices McAfee Product Security Practices 12 October 2017 McAfee Public Page 1 of 8 12 October 2017 Expires 12 Apr 2018 Importance of Security At McAfee (formerly Intel Security) we take product security very

More information

UEFI and the Security Development Lifecycle

UEFI and the Security Development Lifecycle presented by UEFI and the Security Development Lifecycle Spring 2018 UEFI Seminar and Plugfest March 26-30, 2018 Presented by Tim Lewis (Insyde Software) Agenda The Threat Is Real The Security Development

More information

Practical Threat Modeling. SecAppDev 2018

Practical Threat Modeling. SecAppDev 2018 Practical Threat Modeling SecAppDev 2018 Material tinyurl.com/secappdev2018 Sebastien Deleersnyder 5 years developer experience 15+ years information security experience Application security consultant

More information

Managed Application Security trends and best practices in application security

Managed Application Security trends and best practices in application security Managed Application Security trends and best practices in application security Adrian Locusteanu, B2B Delivery Director, Telekom Romania adrian.locusteanu@telekom.ro About Me Adrian Locusteanu is the B2B

More information

Software Architectural Risk Analysis (SARA) Frédéric Painchaud Robustness and Software Analysis Group

Software Architectural Risk Analysis (SARA) Frédéric Painchaud Robustness and Software Analysis Group Software Architectural Risk Analysis (SARA) Frédéric Painchaud Robustness and Software Analysis Group Defence Research and Development Canada Recherche et développement pour la défense Canada Canada Agenda

More information

Cyberspace : Privacy and Security Issues

Cyberspace : Privacy and Security Issues Cyberspace : Privacy and Security Issues Chandan Mazumdar Professor, Dept. of Computer Sc. & Engg Coordinator, Centre for Distributed Computing Jadavpur University November 4, 2017 Agenda Cyberspace Privacy

More information

Microsoft SDL 한국마이크로소프트보안프로그램매니저김홍석부장. Security Development Lifecycle and Building Secure Applications

Microsoft SDL 한국마이크로소프트보안프로그램매니저김홍석부장. Security Development Lifecycle and Building Secure Applications Release Conception Microsoft SDL Security Development Lifecycle and Building Secure Applications KRnet 2010 2010. 6. 22. 한국마이크로소프트보안프로그램매니저김홍석부장 Hongseok.Kim@microsoft.com Agenda Applications under Attack

More information

PRACTICAL SECURITY PRINCIPLES FOR THE WORKING ARCHITECT. Eoin Woods,

PRACTICAL SECURITY PRINCIPLES FOR THE WORKING ARCHITECT. Eoin Woods, PRACTICAL SECURITY PRINCIPLES FOR THE WORKING ARCHITECT Eoin Woods, Endava @eoinwoodz BACKGROUND Eoin Woods CTO at Endava (technology services, ~4000 people) 10 years in product development - Bull, Sybase,

More information

Whiteboard Hacking / Hands-on Threat Modeling. Introduction

Whiteboard Hacking / Hands-on Threat Modeling. Introduction Whiteboard Hacking / Hands-on Threat Modeling Introduction Sebastien Deleersnyder 5 years developer experience 15+ years information security experience Application security consultant Toreon Belgian OWASP

More information

Using and Customizing Microsoft Threat Modeling Tool 2016

Using and Customizing Microsoft Threat Modeling Tool 2016 Using and Customizing Microsoft Threat Modeling Tool 2016 Boston Code Camp 27 March 25, 2017 Robert Hurlbut RobertHurlbut.com @RobertHurlbut Boston Code Camp 27 - Thanks to our Sponsors! Platinum Gold

More information

AGILE AND CONTINUOUS THREAT MODELS

AGILE AND CONTINUOUS THREAT MODELS SESSION ID: DEV-R04 AGILE AND CONTINUOUS THREAT MODELS Nancy Davoust Vice President, Security Architecture and Technology Solutions Comcast CONTEXT FOR AGILE AND CONTINUOUS THREAT MODELING The Landscape

More information

CSWAE Certified Secure Web Application Engineer

CSWAE Certified Secure Web Application Engineer CSWAE Certified Secure Web Application Engineer Overview Organizations and governments fall victim to internet based attacks every day. In many cases, web attacks could be thwarted but hackers, organized

More information

German OWASP Day 2016 CarIT Security: Facing Information Security Threats. Tobias Millauer

German OWASP Day 2016 CarIT Security: Facing Information Security Threats. Tobias Millauer German OWASP Day 2016 CarIT Security: Facing Information Security Threats Tobias Millauer Daimler Business Units German OWASP Day 2016 CarIT Security: Facing Information Security Threats Tobias Millauer

More information

Case Study: The Evolution of EMC s Product Security Office. Dan Reddy, CISSP, CSSLP EMC Product Security Office

Case Study: The Evolution of EMC s Product Security Office. Dan Reddy, CISSP, CSSLP EMC Product Security Office Case Study: The Evolution of EMC s Product Security Office Dan Reddy, CISSP, CSSLP EMC Product Security Office 1 The Evolution of EMC Product Security 2000-2004 2005-2009 2010-Beyond External Drivers Hackers

More information

Security Governance and Management Scorecard

Security Governance and Management Scorecard Security Governance and Management Scorecard Risk Analysis 1 - Please indicate the status of your risk analysis process. 6 - Documented, enforced, reviewed, and 2 - Are all (Network, Data, Apps, IAM, End

More information

OpenbankIT: a banking platform for e- money management based on blockchain technology

OpenbankIT: a banking platform for e- money management based on blockchain technology OpenbankIT: a banking platform for e- money management based on blockchain technology Dr. Pavel Kravchenko, Sergiy Vasilchuk, Bohdan Skriabin pavel@distributedlab.com, vsv@atticlab.net, bohdan@distributedlab.com

More information

THE EMERGING PRODUCT SECURITY LEADER DISCIPLINE

THE EMERGING PRODUCT SECURITY LEADER DISCIPLINE SESSION ID: DEV-F02 THE EMERGING PRODUCT SECURITY LEADER DISCIPLINE Matt Clapham Principal Product Security Leader GE Digital (Healthcare) @ProdSec Agenda What is product security What is a product security

More information

Towards Trustworthy Internet of Things for Mission-Critical Applications. Arjmand Samuel, Ph.D. Microsoft Azure - Internet of Things

Towards Trustworthy Internet of Things for Mission-Critical Applications. Arjmand Samuel, Ph.D. Microsoft Azure - Internet of Things Towards Trustworthy Internet of Things for Mission-Critical Applications Arjmand Samuel, Ph.D. Microsoft Azure - Internet of Things Internet of Things is a game changer Organizations are benefiting from

More information

ISO/IEC Common Criteria. Threat Categories

ISO/IEC Common Criteria. Threat Categories ISO/IEC 15408 Common Criteria Threat Categories 2005 Bar Biszick-Lockwood / QualityIT Redmond, WA 2003 Purpose This presentation introduces you to the threat categories contained in ISO/IEC 15408, used

More information

Secure Development Lifecycle

Secure Development Lifecycle Secure Development Lifecycle Strengthening Cisco Products The Cisco Secure Development Lifecycle (SDL) is a repeatable and measurable process designed to increase Cisco product resiliency and trustworthiness.

More information

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network? Cybersecurity Due Diligence Checklist Control # Control Name Risks Questions for IT 1 Make an Benign Case: Employees Inventory of using unapproved Authorized devices without Devices appropriate security

More information

SDLC Maturity Models

SDLC Maturity Models www.pwc.com SDLC Maturity Models SecAppDev 2017 Bart De Win Bart De Win? 20 years of Information Security Experience Ph.D. in Computer Science - Application Security Author of >60 scientific publications

More information

LBI Public Information. Please consider the impact to the environment before printing this.

LBI Public Information. Please consider the impact to the environment before printing this. LBI Public Information. Please consider the impact to the environment before printing this. DGPC Framework People Executive management commitment Engaged management team Integrated governance organization

More information

.NET JAVA C ASE. Certified. Certified. Application Security Engineer.

.NET JAVA C ASE. Certified. Certified. Application Security Engineer. .NET C ASE Certified Application Security Engineer JAVA C ASE Certified Application Security Engineer Certified Application Security Engineer www.eccouncil.org EC-Council Course Description The Certified

More information

Gujarat Forensic Sciences University

Gujarat Forensic Sciences University Gujarat Forensic Sciences University Knowledge Wisdom Fulfilment Cyber Security Consulting Services Secure Software Engineering Infrastructure Security Digital Forensics SDLC Assurance Review & Threat

More information

Cryptography and Network Security Chapter 1

Cryptography and Network Security Chapter 1 Cryptography and Network Security Chapter 1 Fourth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 1 Introduction The art of war teaches us to rely not on the likelihood of the enemy's

More information

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE s3security.com Security Professional Services S3 offers security services through its Security Professional Services (SPS) group, the security-consulting

More information

All the Cool Kids Are Red Teaming Should You Be Drinking the Kool-aid Too?

All the Cool Kids Are Red Teaming Should You Be Drinking the Kool-aid Too? All the Cool Kids Are Red Teaming Should You Be Drinking the Kool-aid Too? Exploring Different Approaches to Penetration Testing Cara Marie NCC Group ISSA-LA Aug 2017 Obligatory About Me NCC Group Principal

More information

AIM Enterprise Platform Software IBM z/transaction Processing Facility Enterprise Edition 1.1.0

AIM Enterprise Platform Software IBM z/transaction Processing Facility Enterprise Edition 1.1.0 z/tpf V1.1 TPF Users Group - Spring 2009 Security Considerations in a Service Oriented Architecture (SOA) Jason Keenaghan Main Tent AIM Enterprise Platform Software IBM z/transaction Processing Facility

More information

COPYRIGHTED MATERIAL. Contents. Part I: The Basics in Depth 1. Chapter 1: Windows Attacks 3. Chapter 2: Conventional and Unconventional Defenses 51

COPYRIGHTED MATERIAL. Contents. Part I: The Basics in Depth 1. Chapter 1: Windows Attacks 3. Chapter 2: Conventional and Unconventional Defenses 51 Acknowledgments Introduction Part I: The Basics in Depth 1 Chapter 1: Windows Attacks 3 Attack Classes 3 Automated versus Dedicated Attacker 4 Remote versus Local 7 Types of Attacks 8 Dedicated Manual

More information

Cyber Risks in the Boardroom Conference

Cyber Risks in the Boardroom Conference Cyber Risks in the Boardroom Conference Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks

More information

Software Security Touchpoint: Architectural Risk Analysis

Software Security Touchpoint: Architectural Risk Analysis Software Security Touchpoint: Architectural Risk Analysis Gary McGraw, Ph.D. Chief Technology Officer, Cigital Founded in 1992 to provide software security and software quality professional services Recognized

More information

Oracle API Platform Cloud Service

Oracle API Platform Cloud Service Oracle API Platform Cloud Service Oracle API Platform Cloud Service provides a foundation for Digital Transformation through the first API Management offering that comprises the Full API Lifecycle. Encompassing

More information

Building Security Into Applications

Building Security Into Applications Building Security Into Applications Cincinnati Chapter Meetings Marco Morana Chapter Lead Blue Ash, July 30 th 2008 Copyright 2008 The Foundation Permission is granted to copy, distribute and/or modify

More information

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle Data Security and Privacy : Compliance to Stewardship Jignesh Patel Solution Consultant,Oracle Agenda Connected Government Security Threats and Risks Defense In Depth Approach Summary Connected Government

More information

In collaborazione con

In collaborazione con In collaborazione con 1. Software Security Introduction 2. SDLC frameworks: how OWASP can help on software security 3. OWASP Software Security 5 Dimension Framework 4. Apply the models to a real

More information

IMEC Cybersecurity for Manufacturers Penetration Testing and Top 10

IMEC Cybersecurity for Manufacturers Penetration Testing and Top 10 IMEC Cybersecurity for Manufacturers Penetration Testing and Top 10 Christian Espinosa, Alpine Security www.alpinesecurity.com 1 Objectives Learn about penetration testing Learn what to consider when selecting

More information

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe. Crises Control Cloud Security Principles Transputec provides ICT Services and Solutions to leading organisations around the globe. As a provider of these services for over 30 years, we have the credibility

More information

Security: The Key to Affordable Unmanned Aircraft Systems

Security: The Key to Affordable Unmanned Aircraft Systems AN INTEL COMPANY Security: The Key to Affordable Unmanned Aircraft Systems By Alex Wilson, Director of Business Development, Aerospace and Defense WHEN IT MATTERS, IT RUNS ON WIND RIVER EXECUTIVE SUMMARY

More information

Effective Threat Modeling using TAM

Effective Threat Modeling using TAM Effective Threat Modeling using TAM In my blog entry regarding Threat Analysis and Modeling (TAM) tool developed by (Application Consulting and Engineering) ACE, I have watched many more Threat Models

More information

Certified Secure Web Application Engineer

Certified Secure Web Application Engineer Certified Secure Web Application Engineer ACCREDITATIONS EXAM INFORMATION The Certified Secure Web Application Engineer exam is taken online through Mile2 s Assessment and Certification System ( MACS ),

More information

Security Policies and Procedures Principles and Practices

Security Policies and Procedures Principles and Practices Security Policies and Procedures Principles and Practices by Sari Stern Greene Chapter 3: Information Security Framework Objectives Plan the protection of the confidentiality, integrity and availability

More information

Threat Modeling OWASP. The OWASP Foundation Martin Knobloch OWASP NL Chapter Board

Threat Modeling OWASP. The OWASP Foundation  Martin Knobloch OWASP NL Chapter Board Threat Modeling Martin Knobloch martin.knobloch@owasp.org NL Chapter Board Global Education Committee Education Project Copyright The Foundation Permission is granted to copy, distribute and/or modify

More information

CS 356 Operating System Security. Fall 2013

CS 356 Operating System Security. Fall 2013 CS 356 Operating System Security Fall 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter 5 Database

More information

CPET 499/ITC 250 Web Systems Chapter 16 Security. Topics

CPET 499/ITC 250 Web Systems Chapter 16 Security. Topics CPET 499/ITC 250 Web Systems Chapter 16 Security Text Book: * Fundamentals of Web Development, 2015, by Randy Connolly and Ricardo Hoar, published by Pearson Paul I-Hai, Professor http://www.etcs.ipfw.edu/~lin

More information

OWASP - SAMM. OWASP 12 March The OWASP Foundation Matt Bartoldus Gotham Digital Science

OWASP - SAMM. OWASP 12 March The OWASP Foundation   Matt Bartoldus Gotham Digital Science OWASP - SAMM Matt Bartoldus Gotham Digital Science OWASP 12 March 2009 Copyright The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP

More information

Securing Cloud Computing

Securing Cloud Computing Securing Cloud Computing NLIT Summit, May 2018 PRESENTED BY Jeffrey E. Forster jeforst@sandia.gov Lucille Forster lforste@sandia.gov Sandia National Laboratories is a multimission laboratory managed and

More information

How-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018

How-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018 How-to Guide: Tenable Nessus for Microsoft Azure Last Updated: April 03, 2018 Table of Contents How-to Guide: Tenable Nessus for Microsoft Azure 1 Introduction 3 Auditing the Microsoft Azure Cloud Environment

More information

New Guidance on Privacy Controls for the Federal Government

New Guidance on Privacy Controls for the Federal Government New Guidance on Privacy Controls for the Federal Government IAPP Global Privacy Summit 2012 March 9, 2012 Dr. Ron Ross Computer Security Division, NIST Martha Landesberg, J.D., CIPP/US The Privacy Office,

More information

QuickBooks Online Security White Paper July 2017

QuickBooks Online Security White Paper July 2017 QuickBooks Online Security White Paper July 2017 Page 1 of 6 Introduction At Intuit QuickBooks Online (QBO), we consider the security of your information as well as your customers and employees data a

More information

Protecting Control Systems from Cyber Attack: A Primer on How to Safeguard Your Utility May 15, 2012

Protecting Control Systems from Cyber Attack: A Primer on How to Safeguard Your Utility May 15, 2012 Protecting Control Systems from Cyber Attack: A Primer on How to Safeguard Your Utility May 15, 2012 Paul Kalv Electric Director, Chief Smart Grid Systems Architect, City of Leesburg Doug Westlund CEO,

More information

Cybersecurity Risk Mitigation: Protect Your Member Data. Introduction

Cybersecurity Risk Mitigation: Protect Your Member Data. Introduction Cybersecurity Risk Mitigation: Protect Your Member Data Presented by Matt Mitchell, CISSP Knowledge Consulting Group Introduction Matt Mitchell- Director Risk Assurance 17 years information security experience

More information

2009 OSIsoft, LLC. OSIsoft vcampus Live! where PI geeks meet OSIsoft, LLC. OSIsoft vcampus Live! 2009 where PI geeks meet

2009 OSIsoft, LLC. OSIsoft vcampus Live! where PI geeks meet OSIsoft, LLC. OSIsoft vcampus Live! 2009 where PI geeks meet 2009 OSIsoft, LLC. OSIsoft vcampus Live! where PI geeks meet 1 Considerations of the new PI Security Model Bryan S. Owen OSIsoft Cyber Security Manager 2 Security Roadmap 3 Security Reality Today State

More information

Verasys Enterprise Security and IT Guide

Verasys Enterprise Security and IT Guide Verasys Enterprise Johnson Controls Milwaukee WI, USA www.verasyscontrols.com LIT-12013026 March 2018 Contents Introduction... 3 Microsoft Azure security and privacy... 5 Security... 5 Privacy...5 Compliance...5

More information

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002 ISO 27002 COMPLIANCE GUIDE How Rapid7 Can Help You Achieve Compliance with ISO 27002 A CONTENTS Introduction 2 Detailed Controls Mapping 3 About Rapid7 8 rapid7.com ISO 27002 Compliance Guide 1 INTRODUCTION

More information

Protect your apps and your customers against application layer attacks

Protect your apps and your customers against application layer attacks Protect your apps and your customers against application layer attacks Development 1 IT Operations VULNERABILITY DETECTION Bots, hackers, and other bad actors will find and exploit vulnerabilities in web

More information

T Salausjärjestelmät (Cryptosystems) Introduction to the second part of the course. Outline. What we'll cover. Requirements and design issues

T Salausjärjestelmät (Cryptosystems) Introduction to the second part of the course. Outline. What we'll cover. Requirements and design issues T-110.470 Salausjärjestelmät (Cryptosystems) Requirements and design issues Introduction to the second part of the course 25.10.2004 1 3 Outline What we'll cover Introduction to the second part of the

More information

Computer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University

Computer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University Computer Networks Network Security and Ethics Week 14 College of Information Science and Engineering Ritsumeikan University Security Intro for Admins l Network administrators can break security into two

More information

Secure Product Design Lifecycle for Connected Vehicles

Secure Product Design Lifecycle for Connected Vehicles Secure Product Design Lifecycle for Connected Vehicles Lisa Boran Vehicle Cybersecurity Manager, Ford Motor Company SAE J3061 Chair SAE/ISO Cybersecurity Engineering Chair AGENDA Cybersecurity Standards

More information

Top Nine Kubernetes Settings You Should Check Right Now to Maximize Security

Top Nine Kubernetes Settings You Should Check Right Now to Maximize Security White Paper Top Nine Kubernetes Settings You Should Check Right Now to Maximize Security If you use Kubernetes, you know how much it can increase development velocity and reduce operational complexity.

More information

Penetration Testing and Team Overview

Penetration Testing and Team Overview ATO Trusted Access Penetration Testing and Team Overview PRESENTED BY Name: Len Kleinman Director ATO Trusted Access Australian Taxation Office 18 May 2011 What is Vulnerability Management? The on-going

More information

Managing SaaS risks for cloud customers

Managing SaaS risks for cloud customers Managing SaaS risks for cloud customers Information Security Summit 2016 September 13, 2016 Ronald Tse Founder & CEO, Ribose For every IaaS/PaaS, there are 100s of SaaS PROBLEM SaaS spending is almost

More information

Microsoft Platform Security - An Overview. Prasad Nelabhotla Security Consultant ACE Security Team Microsoft India

Microsoft Platform Security - An Overview. Prasad Nelabhotla Security Consultant ACE Security Team Microsoft India Microsoft Platform Security - An Overview Prasad Nelabhotla Security Consultant ACE Security Team Microsoft India Agenda Avoiding Common Mistakes Principles to live by Knowing the Enemy Conclusion App

More information

Security!Maturity Oc O t c o t b o er r 20 2, 0,

Security!Maturity Oc O t c o t b o er r 20 2, 0, October 20, 2010 Security!Maturity About me - Joshua Jabra Abraham Security Consultant/Researcher at Rapid7 LLC. Past speaking engagements BlackHat, DefCon, ShmooCon, Infosec World, CSI, OWASP Conferences,

More information

Security Enhancements

Security Enhancements OVERVIEW Security Enhancements February 9, 2009 Abstract This paper provides an introduction to the security enhancements in Microsoft Windows 7. Built upon the security foundations of Windows Vista, Windows

More information

Copyright 2016 EMC Corporation. All rights reserved.

Copyright 2016 EMC Corporation. All rights reserved. 1 BUILDING BUSINESS RESILIENCY Isolated Recovery Services NAZIR VELLANI (ERNST & YOUNG) & DAVID EDBORG (EMC GLOBAL SERVICES) 2 PRESENTERS Nazir Vellani (EY) Senior Manager Tel: +1 214 596 8985 Email: nazir.vellani@ey.com

More information

Identifying unknown Vulnerabilities

Identifying unknown Vulnerabilities Identifying unknown Vulnerabilities Kostengünstige Identifizierung von Sicherheitslücken mit Rapid in-depth Analysis ISSS Security Lunch Zürich 6. Oktober 2010 Prof. Dr. Hartmut Pohl, Peter Sakal B.Sc.,

More information

WHO AM I? Been working in IT Security since 1992

WHO AM I? Been working in IT Security since 1992 (C) MARCHANY 2011 1 WHO AM I? Been working in IT Security since 1992 CISO at VA Tech 35+K node network. dual stack IPV4, IPV6 network since 2006 Multi-national Main campus (Blacksburg, VA), Remote campuses

More information

Threat modeling. Tuomas Aura T Informa1on security technology. Aalto University, autumn 2012

Threat modeling. Tuomas Aura T Informa1on security technology. Aalto University, autumn 2012 Threat modeling Tuomas Aura T- 110.4206 Informa1on security technology Aalto University, autumn 2012 Threats Threat = something bad that can happen Given an system or product Assets: what is there to protect?

More information

Security and Architecture SUZANNE GRAHAM

Security and Architecture SUZANNE GRAHAM Security and Architecture SUZANNE GRAHAM Why What How When Why Information Security Information Assurance has been more involved with assessing the overall risk of an organisation's technology and working

More information

Nebraska CERT Conference

Nebraska CERT Conference Nebraska CERT Conference Security Methodology / Incident Response Patrick Hanrion Security Center of Excellence Sr. Security Consultant Agenda Security Methodology Security Enabled Business Framework methodology

More information

Cryptography and Network Security

Cryptography and Network Security Security Sixth Edition Chapter 1 Introduction Dr. Ahmed Y. Mahmoud Background Information Security requirements have changed in recent times traditionally provided by physical and administrative mechanisms

More information

DevOps A How To for Agility with Security

DevOps A How To for Agility with Security DevOps A How To for Agility with Security Murray Goldschmidt, COO Compliance, Protection & Business Confidence Sense of Security Pty Ltd Sydney Level 8, 66 King Street Sydney NSW 2000 Australia Melbourne

More information

AppScan Deployment APPLICATION SECURITY SERVICES. Colin Bell. Applications Security Senior Practice Manager

AppScan Deployment APPLICATION SECURITY SERVICES. Colin Bell. Applications Security Senior Practice Manager APPLICATION SECURITY SERVICES AppScan Deployment Colin Bell Applications Security Senior Practice Manager Copyright 2017 HCL Products & Platforms www.hcltech.com The Evolution of Devops 2001 - Continuous

More information