CONTENTS. Recommendations. Prize Q & A
|
|
- Pierce Manning
- 6 years ago
- Views:
Transcription
1
2 CONTENTS Contents Disclaimer Introduction Common uses for Web Applications Common Web Application Infrastructure and Users The Importance of Web Application Security Why OWASP About OWASP Top Ten Summary. Mapping to Verizon Data Breach Report (Hacking Methods) In Detail (with Examples and Case Studies) 2013 Release Candidate Update Recommendations Prize Q & A
3 DISCLAIMER Informational Purposes and ownership of views. The content of this publication is for information purposes only, individuals and organisations should assess the suitability of this information for their own purposes. The information is provided for the purpose of understanding software vulnerabilities and how to prevent their exploitation. The views are not necessarily those of OWASP, however their will be similarities. Chatham House Rule This presentation is provided under the Chatham House Rule for the purpose of facilitating free and open discussion. Chatham House Rule: Participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any participant, may be revealed.
4 COMMON USES FOR WEB APPLICATIONS Internet Banking Online Shopping Online Bill Payments Online Gambling Online Forums Software as a Service Remote Access Device Management (ICT Infrastructure)
5 COMMON WEB APPLICATION INFRASTRUCTURE & USERS
6 COMMON WEB APPLICATION INFRASTRUCTURE & USERS
7 THE IMPORTANCE OF WEB APP SECURITY Competitive Advantage Increased Consumer / Customer Confidence Lower Costs from managing Theft / Fraud / Misuse / Recovery Continuity of Business Services are less susceptible to data corruption and/or data accessibility problems resulting from unauthorised access Compliance with requirements to protect information
8 WHY OWASP Widely Recognised : 31 Different ICT Security Related Organisations have cited OWASP dustry_codes_of_practice Compliance with Security Standards PCI DSS: Requirement 6.5 Develop Secure Applications (v2). as industry best practices for vulnerability management are updated (for example, the OWASP Guide, Approved Scanning Vendor Program Guide Reference 1.0/PCI DSS Version 1.2: Perform a Scan without Interference from IDS/IPS Australian Government ISM: Control 0971: Agencies should follow the documentation provided in the Open Web Application Security Project guides to building secure web applications
9 ABOUT OWASP Open Web Application Security Project OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted Publications Top 10 Full Development Guide (293 Pages) Tutorials Detail advice on Specific Topics
10 OWASP S TOP TEN (1-5)
11 OWASP S TOP TEN (6-10)
12 ALIGNMENT TO VERIZON DATA BREACH REPORT (2012) H A C K I N G M E T H O D S O W A S P T O P 1 0 ( A L L % / E N T E R P R I S E % ) SQL Injection (3/14) Brute force and dictionary attacks (29/14) Exploitation of default or guessable credentials (55/9) Exploitation of insufficient authentication (6/3) Use of stolen login credentials (40/51) Exploitation of backdoor or command and control channel (25/29) Remote File Inclusion (1/6) Abuse of Functionality (1/3) Unknown (4/31) 1. Injection 2. Cross Site Scripting 3. Broken Authentication and Session Management 4. Insecure Direct Object Access 5. Cross Site Request Forgery 6. Security Misconfiguration 7. Insecure Cryptographic Storage 8. Failure to Restrict URL Access 9. Insufficient Transport Layer Protection 10. Unvalidated Redirects and Forwards.
13 INJECTION - OVERVIEW OWASP Rating Prevention: Parameterized Queries, Escaping and Whitelisting.
14 INJECTION CASE STUDY Case Study: Membership Website Root Cause: Unchecked Numeric Field due to lack of security awareness. Log Entries show the attack. Normal Use: GET /<BaseURL>/<Events> <FIELD>=<Number> <ClientIP> Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident /5.0) Attack: GET /<BaseURL>/<Events> <FIELD>='+declare+<snip>exec%28%40s% <AttackerIP> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0)
15 INJECTION CASE STUDY
16 INJECTION CASE STUDY Initial Query (insecure) sql_query = select date,title,status from events, registrations where events.id = registrations.id and events.date >. date(). and registrations.id=. $_POST[ membershipid ]. ; Resultant Query from attempted Exploitation $_POST[ membershipid ]= ; <injected commands>; -- sql_query = select date,title,status from events, registrations where events.id = registrations.id and events.date >. date(). and registrations.id= 1000 ; <injected commands>; -- Using escaping to prevent exploitation, using PHP s addslashes() function. sql_query = select date,title,status from events, registrations where events.id = registrations.id and events.date >. date(). and registrations.id=. addslashes($_post[ membershipid ]); Resultant Query exploitation prevented sql_query = select date,title,status from events, registrations where events.id = registrations.id and events.date >. date(). and registrations.id= 1000\ ; <injected commands>; --
17 INJECTION EXAMPLE Additional Input Validation Check if membership is a number. // validate all supplied user input. Set $process = true if all input has been validated. $process = false; //don t process by default $valid_data_count=0; //initialise the counter for valid data elements $expected_elements=1; // we are expecting to validate 1 element here. if (is_numeric($_post[ membershipid ]) { //if membershipid is a number increment valid data counter $valid_data_count++; } if ($valid_data_count == $expected_elements) { //if the valid data count the required number of elements? $process = true; } if ($process) { sql_query = select date,title,status from events, registrations where events.id = registrations.id and events.date >. date(). and registrations.id=. addslashes($_post[ membershipid ]); } else { // Gracefully handle the invalid membershipid echo Invalid data has been received\n ; // Log input data, source address, date/time into errors database for security operations review. }
18 INJECTION CASE STUDY Threat Agent Grouping: Organised Crime. Motivation: Spread Malware or Extortion Based on: Sophistication: Use of Multiple Hosting Providers Use of Multiple DNS Names for malware hosting servers Targeting: Attacked Multiple of Businesses Business Impact Outage of Online Membership Functions Reduced Services to members. Increased costs to provide member services. Remediation and Incident Response Costs: Application Remediation to Check User Input by Developers Lost Productivity of IT Support staff diverted to Incident Response 3 rd Party Security Incident Response Assistance
19 CROSS SITE SCRIPTING - OVERVIEW OWASP Rating: Prevention: Escaping and Whitelisting.
20 CROSS SITE SCRIPTING CASE STUDY Case Study: User Registration Root Cause: Unchecked form data included in HTML source.
21 CROSS SITE SCRIPTING CASE STUDY Analysis of Vulnerability
22 CROSS SITE SCRIPT CASE STUDY Insecure Code Fix - Escaping <?php //code to obtain data from database echo Customer Name:. $custname; echo Customer Address1:. $custaddr1;?> <?php //code to obtain data from database echo Customer Name:. htmlspecialchars($custname); echo Customer Address1:. htmlspecialchars($custaddr1);?> Fix Output Validation <?php //code to obtain data from database echo Customer Name:. htmlspecialchars($custname); echo Customer Address1:. htmlspecialchars($custaddr1); if (is_number($custpostcode)) { // Works for Australian Numeric Post Codes // accomodation of International Post Codes will require adjustment. echo Customer Post Code:. $custpostcode; } else { //error handler }?>
23 CROSS SITE SCRIPTING CASE STUDY Threat Agent Grouping: Motivation: N/A N/A Business Impact Risk: Cascaded exploitation by attackers. Costs: Application remediation Developer costs
24 BROKEN AUTHENTICATION AND SESSION MANAGEMENT - OVERVIEW Overview
25 BROKEN AUTHENTICATION AND SESSION MANAGEMENT CASE STUDY Case Study: Web Application Root Cause: Insufficient protection of passwords exposed by inadequate system maintenance.
26 BROKEN AUTHENTICATION AND SESSION MANAGEMENT CASE STUDY Analysis of Vulnerability
27 BROKEN AUTHENTICATION AND SESSION MANAGEMENT Insecure Code <?php //code to store a password from a user in a sql database $query = update passwords set password=. $password. where username=. $username. ; } mysql_query($query); if (mysql_num_rows($query) == 1) {?> //As there is a matching username and password, //we consider the user authenticated
28 BROKEN AUTHENTICATION AND SESSION MANAGEMENT Using Salt + multiple hashing. <?php //code to store a password from a user in a sql database $salt_length = mt_rand(135,270); // characters in the salt. $iterations = mt_rand(2000,4000); // iterations of the hashfunction $hash_algo = sha256 ; //Generate the salt $salt = ; for ($saltcounter = 0; $saltcounter++; $saltcounter < $salt_length) { $salt.= mt_rand(32,255); } //Combine the salt with the password and iterate the hash function. $hashpass = $salt. $password; for ($hashcounter = 0; $hashcounter++; $hashcounter < $iterations) { $hashpass = hash($hash_algo, $hashpass); } $query = update passwords set hashpass=. $hashpass., salt=. $salt., iterations=. $iterations. where username=. $username. ; mysql_query($query);?>
29 BROKEN AUTHENTICATION AND SESSION MANAGEMENT CASE STUDY Threat Agent Grouping: Infamy (Skilled Employed Anti-Forensics) Motivation: (Limited) Distribution of Copyrighted Material Business Impact Disruption: Services unavailable while servers were rebuilt. Delays to other projects as staff were resolving issues. Costs: Security Incident Response Team 7 FTE Staff for 3 Weeks, plus External Security Incident Support. Lost Productivity. Reputational Damage Additional Support Additional Security Awareness Training 1 Year Fixed Term Staff Member to Provide. Improvement to Policies, Procedures and Processes.
30 INSECURE DIRECT OBJECT REFERENCES Overview Prevention: Check access, use per user/session indirect object references.
31 INSECURE DIRECT OBJECT REFERENCES CASE STUDY Root Cause: Direct access to objects, common in White Label Sites.
32 INSECURE DIRECT OBJECT REFERENCES Code Sample <?php include $_GET["header"]; echo "<h1>payment Gateway</h1>\n"; include $_GET["footer"];?>
33 INSECURE DIRECT OBJECT REFERENCES CASE STUDY Analysis of the Vulnerability
34 INSECURE DIRECT OBJECT REFERENCES A Fix Map hostname to a numeric client identifier. <?php clientid = hostclientmap($_server[ http_host ]); include /. $clientid. /header ; echo <h1>payment Gateway</h1>\n ; include /. $clientid. /footer ; function hostclientmap($hostname) { $result = mysql_query( select clientid from client-hostname-mapping where hostname=. addslashes($hostname). ); if(!result) { // return clientid=0 which is a warning to update the clientid <-> hostname mapping. $clientid=0; } else { $row=mysql_row(); $clientid = $row[ clientid ]; } }?>
35 INSECURE DIRECT OBJECT REFERENCES CASE STUDY Threat Agent Grouping: Discovered during testing. Motivation: N/A Business Impact Vendor rework for compliance. Damages Vendor s credibility (hence reputation). Claims of PCI DSS Compliance where able to be cast into doubt.
36 CROSS SITE REQUEST FORGERY Overview
37 CROSS SITE REQUEST FORGERY - EXAMPLE Analysis of the forgery Visiting the malicious site may be incidental e.g compromised ads, forums, etc.
38 CROSS SITE REQUEST FORGERY - EXAMPLE Threat Agent Grouping: Typically Organised Crime Motivation: Fraud / Theft. Business Impact Damages Vendor s reputation. Increased losses from Fraud / Theft.
39 SECURITY MISCONFIGURATION Overview Prevention: System Hardening, System Maintenance.
40 SECURITY MISCONFIGURATION CASE STUDY Code Red Worm (July )..ida isapi extension left enabled. Indexing Service Largely unused. System maintenance not conducted since June
41 SECURITY MISCONFIGURATION CASE STUDY Code Red Worm
42 SECURITY MISCONFIGURATION CASE STUDY Threat Agent Grouping: Self Promotion Motivation: Infamy eeye believed that the worm had the same original as the ILOVEYOU worm. Business Impact Disruption Restoration costs to websites
43 INSECURE CRYPTOGRAPHIC STORAGE Overview
44 INSECURE CRYPTOGRAPHIC STORAGE Transactional Data was stored in a temporary table in clear text.
45 INSECURE CRYPTOGRAPHIC STORAGE Threat Agent Grouping: N/A Motivation: N/A Business Impact Failure to meet contractual obligations Increased compliance costs due to additional infrastructure falling into scope. Remediation Costs
46 FAILURE TO RESTRICT URL ACCESS Overview Prevention:
47 FAILURE TO RESTRICT URL ACCESS
48 FAILURE TO RESTRICT URL ACCESS Threat Agent Grouping: N/A Motivation: N/A Business Impact Possible Denial of Service, Data Sniffing. Remediation Costs Options: Immediate Fix: 2 hours x 200 devices = 4 weeks. Approximately $40,000 to bring in a resource. Delayed Fix and Counter Measures. Action Taken: Delayed fix with other maintenance. Changed Passwords on other systems (4 hours). Risk Acceptance by Management.
49 INSUFFICIENT TRANSPORT LAYER PROTECTION Overview Prevention: Require SSL for Sensitive Pages, Configure SSL to only use approved algorithms.
50 INSUFFICIENT TRANSPORT LAYER PROTECTION CASE STUDY Local Australian Bank. Root Cause: Use of Deprecated Private Key Crypto. SSL Uses both Public Key and Private Key Cryptography.
51 INSUFFICIENT TRANSPORT LAYER PROTECTION CASE STUDY Public Key Ok 2048 Bits Meets recent key length upgrade requirements.
52 INSUFFICIENT TRANSPORT LAYER PROTECTION Private Key Encryption Use of Deprecated RC4. Considered ineffective as early as 2009[1]. Not approved by NIST in SP A Not approved by DSD in the 2012 ISM. PCI-DSS requires strong cryptography. Apache Config changes are easy. SSLProtocol all +SSLv2 SSLCipherSuite SSLv2:+HIGH
53 INSUFFICIENT TRANSPORT LAYER PROTECTION Threat Agent Grouping: Motivation: N/A Obtaining of sensitive information. Business Impact Reputation Damage to reputation. Compliance: Fails to meet compliance requirements for PCI-DSS (Req 3.4). Costs: Reconfigure equipment to use newer algorithms. Possible upgrade costs to equipment for newer algorithms
54 UNVALIDATED REDIRECTS AND FORWARDS Overview Prevention Don t allow users to control redirects. Very common with Central Authentication Systems.
55 UNVALIDATED REDIRECTS AND FORWARDS Common with Central Authentication Systems.
56 UNVALIDATED REDIRECTS AND FORWARDS Common with Central Authentication Systems
57 UNVALIDATED REDIRECTS AND FORWARDS
58 UNVALIDATED REDIRECTS AND FORWARDS Threat Agent Grouping: N/A Motivation: N/A Business Impact Reduced Customer / Staff Confidence. Remediation Costs
59 2010 / 2013 RC TOP 10 COMPARISON Injection 2. Cross Site Scripting 3. Broken Authentication & Session Management 4. Insecure Direct Object References 5. Cross-Site Request Forgery (CSRF) 6. Security Misconfiguration 7. Insecure Cryptographic Storage 8. Failure to Restrict URL Access 9. Insufficient Transport Layer Protection 10. Unvalidated Redirects and Forwards R E L E A S E C A N D I D A T E 1. Injection (NC) 2. Broken Authentication & Session Management (+1) 3. Cross-Site Scripting (XSS) (-1) 4. Insecure Direct Object References (NC) 5. Security Misconfiguration (+1) 6. Sensitive Data Exposure (+1 Similar to 7) 7. Missing Function Level Access Control (+1 Similar to 8) 8. Cross-Site Request Forgery (CSRF) (-3) 9. Using Components with Known Vulnerabilities (New) 10. Unvalidated Redirects and Forwards. (NC)
60 RECOMMENDATIONS When Developing Web Applications Ensure that you have an Application Security Program Train (new) developers before projects (including updates) Develop reusable architectures and code libraries Build-in rather than retrofit Take unintended / unwanted users into consideration When Purchasing Web Applications Include appropriate security measures in the contract. Consider remediation clauses. Consider requiring support for dependant vendor updates. If both cases: Assessing the level of compliance with these measures to understand the risk to your organisation is vital. Assessments should occur at multiple stages during and after development.
61 PRIZE In the presentation iconic object from a James Bond film. a) What is the object? b) Which James Bond film is it from?
62 Q&A
Copyright
1 Security Test EXTRA Workshop : ANSWER THESE QUESTIONS 1. What do you consider to be the biggest security issues with mobile phones? 2. How seriously are consumers and companies taking these threats?
More informationWeb Application Security. Philippe Bogaerts
Web Application Security Philippe Bogaerts OWASP TOP 10 3 Aim of the OWASP Top 10 educate developers, designers, architects and organizations about the consequences of the most common web application security
More informationApplication Layer Security
Application Layer Security General overview Ma. Angel Marquez Andrade Benefits of web Applications: No need to distribute separate client software Changes to the interface take effect immediately Client-side
More informationOWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati
OWASP TOP 10 2017 Release Andy Willingham June 12, 2018 OWASP Cincinnati Agenda A quick history lesson The Top 10(s) Web Mobile Privacy Protective Controls Why have a Top 10? Software runs the world (infrastructure,
More informationW e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s
W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s Session I of III JD Nir, Security Analyst Why is this important? ISE Proprietary Agenda About ISE Web Applications
More informationYour Turn to Hack the OWASP Top 10!
OWASP Top 10 Web Application Security Risks Your Turn to Hack OWASP Top 10 using Mutillidae Born to Be Hacked Metasploit in VMWare Page 1 https://www.owasp.org/index.php/main_page The Open Web Application
More informationStudents should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:
Secure Java Web Application Development Lifecycle - SDL (TT8325-J) Day(s): 5 Course Code: GK1107 Overview Secure Java Web Application Development Lifecycle (SDL) is a lab-intensive, hands-on Java / JEE
More informationProvide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any
OWASP Top 10 Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any tester can (and should) do security testing
More informationOWASP Top 10 The Ten Most Critical Web Application Security Risks
OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationWeb Application Vulnerabilities: OWASP Top 10 Revisited
Pattern Recognition and Applications Lab Web Application Vulnerabilities: OWASP Top 10 Revisited Igino Corona igino.corona AT diee.unica.it Computer Security April 5th, 2018 Department of Electrical and
More informationWeb Application Threats and Remediation. Terry Labach, IST Security Team
Web Application Threats and Remediation Terry Labach, IST Security Team IST Security Team The problem While we use frewalls and other means to prevent attackers from access to our networks, we encourage
More information1 About Web Security. What is application security? So what can happen? see [?]
1 About Web Security What is application security? see [?] So what can happen? 1 taken from [?] first half of 2013 Let s focus on application security risks Risk = vulnerability + impact New App: http://www-03.ibm.com/security/xforce/xfisi
More informationC1: Define Security Requirements
OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security
More informationStudents should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:
Securing Java/ JEE Web Applications (TT8320-J) Day(s): 4 Course Code: GK1123 Overview Securing Java Web Applications is a lab-intensive, hands-on Java / JEE security training course, essential for experienced
More informationTHREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda
THREAT MODELING IN SOCIAL NETWORKS Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda INTRODUCTION Social Networks popular web service. 62% adults worldwide use social media 65% of world top companies
More informationDevelopment*Process*for*Secure* So2ware
Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development
More informationSolutions Business Manager Web Application Security Assessment
White Paper Solutions Business Manager Solutions Business Manager 11.3.1 Web Application Security Assessment Table of Contents Micro Focus Takes Security Seriously... 1 Solutions Business Manager Security
More informationPenetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant
Penetration Testing following OWASP Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant За Лирекс Penetration testing A method of compromising the security of a computer system or network by
More informationOWASP Top David Caissy OWASP Los Angeles Chapter July 2017
OWASP Top 10-2017 David Caissy OWASP Los Angeles Chapter July 2017 About Me David Caissy Web App Penetration Tester Former Java Application Architect IT Security Trainer: Developers Penetration Testers
More informationOWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP
OWASP Top 10 Risks Dean.Bushmiller@ExpandingSecurity.com Many thanks to Dave Wichers & OWASP My Mom I got on the email and did a google on my boy My boy works in this Internet thing He makes cyber cafes
More informationEasyCrypt passes an independent security audit
July 24, 2017 EasyCrypt passes an independent security audit EasyCrypt, a Swiss-based email encryption and privacy service, announced that it has passed an independent security audit. The audit was sponsored
More informationWeb Application Whitepaper
Page 1 of 16 Web Application Whitepaper Prepared by Simone Quatrini and Isa Shorehdeli Security Advisory EMEAR 6 th September, 2017 1.0 General Release Page 2 of 16 1. Introduction In this digital age,
More informationGOING WHERE NO WAFS HAVE GONE BEFORE
GOING WHERE NO WAFS HAVE GONE BEFORE Andy Prow Aura Information Security Sam Pickles Senior Systems Engineer, F5 Networks NZ Agenda: WTF is a WAF? View from the Trenches Example Attacks and Mitigation
More informationPresentation Overview
Presentation Overview Basic Application Security (AppSec) Fundamentals Risks Associated With Vulnerable Applications Understanding the Software Attack Surface Mean Time to Fix (MTTF) Explained Application
More informationEPRI Software Development 2016 Guide for Testing Your Software. Software Quality Assurance (SQA)
EPRI Software Development 2016 Guide for Testing Your Software Software Quality Assurance (SQA) Usability Testing Sections Installation and Un-Installation Software Documentation Test Cases or Tutorial
More informationApplications Security
Applications Security OWASP Top 10 PyCon Argentina 2018 Objectives Generate awareness and visibility on web-apps security Set a baseline of shared knowledge across the company Why are we here / Trigger
More information6-Points Strategy to Get Your Application in Security Shape
6-Points Strategy to Get Your Application in Security Shape Sherif Koussa OWASP Ottawa Chapter Leader Static Analysis Technologies Evaluation Criteria Project Leader Application Security Specialist - Software
More informationWhat are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards
PCI DSS What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards Definition: A multifaceted security standard that includes requirements for security management, policies, procedures,
More informationKishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009
Securing Web Applications: Defense Mechanisms Kishin Fatnani Founder & Director K-Secure Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009 1 Agenda Current scenario in Web Application
More informationAttacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14
Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.
More informationPASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year
PASS4TEST \ http://www.pass4test.com We offer free update service for one year Exam : SY0-301 Title : CompTIA Security+ Certification Exam (SY0-301) Vendor : CompTIA Version : DEMO 1 / 5 Get Latest & Valid
More informationThe Top 6 WAF Essentials to Achieve Application Security Efficacy
The Top 6 WAF Essentials to Achieve Application Security Efficacy Introduction One of the biggest challenges IT and security leaders face today is reducing business risk while ensuring ease of use and
More informationSecurity Communications and Awareness
Security Communications and Awareness elearning OVERVIEW Recent high-profile incidents underscore the need for security awareness training. In a world where your employees are frequently exposed to sophisticated
More informationEffective Strategies for Managing Cybersecurity Risks
October 6, 2015 Effective Strategies for Managing Cybersecurity Risks Larry Hessney, CISA, PCI QSA, CIA 1 Everybody s Doing It! 2 Top 10 Cybersecurity Risks Storing, Processing or Transmitting Sensitive
More informationVulnerabilities in online banking applications
Vulnerabilities in online banking applications 2019 Contents Introduction... 2 Executive summary... 2 Trends... 2 Overall statistics... 3 Comparison of in-house and off-the-shelf applications... 6 Comparison
More informationAguascalientes Local Chapter. Kickoff
Aguascalientes Local Chapter Kickoff juan.gama@owasp.org About Us Chapter Leader Juan Gama Application Security Engineer @ Aspect Security 9+ years in Appsec, Testing, Development Maintainer of OWASP Benchmark
More informationTestpassport http://www.testpassport.net Exam : SY0-301 Title : Security+ Certification Exam 2011 version Version : Demo 1 / 5 1.Which of the following is the BEST approach to perform risk mitigation of
More informationManaged Application Security trends and best practices in application security
Managed Application Security trends and best practices in application security Adrian Locusteanu, B2B Delivery Director, Telekom Romania adrian.locusteanu@telekom.ro About Me Adrian Locusteanu is the B2B
More informationPCI DSS 3.1 is here. Are you ready? Mike Goldgof Sr. Director Product Marketing
PCI DSS 3.1 is here. Are you ready? Mike Goldgof Sr. Director Product Marketing 1 WhiteHat Security Application Security Company Leader in the Gartner Magic Quadrant Headquartered in Santa Clara, CA 320+
More informationCOMP9321 Web Application Engineering
COMP9321 Web Application Engineering Semester 2, 2017 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2465 1 Assignment
More informationSecuring Cloud Applications with a Distributed Web Application Firewall Riverbed Technology
Securing Cloud Applications with a Distributed Web Application Firewall www.riverbed.com 2013 Riverbed Technology Primary Target of Attack Shifting from Networks and Infrastructure to Applications NETWORKS
More informationMitigating Security Breaches in Retail Applications WHITE PAPER
Mitigating Security Breaches in Retail Applications WHITE PAPER Executive Summary Retail security breaches have always been a concern in the past, present and will continue to be in the future. They have
More informationMobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing
Mobile Malfeasance Exploring Dangerous Mobile Code Jason Haddix, Director of Penetration Testing Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to
More information10 FOCUS AREAS FOR BREACH PREVENTION
10 FOCUS AREAS FOR BREACH PREVENTION Keith Turpin Chief Information Security Officer Universal Weather and Aviation Why It Matters Loss of Personally Identifiable Information (PII) Loss of Intellectual
More informationA practical guide to IT security
Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or
More informationCSWAE Certified Secure Web Application Engineer
CSWAE Certified Secure Web Application Engineer Overview Organizations and governments fall victim to internet based attacks every day. In many cases, web attacks could be thwarted but hackers, organized
More informationWelcome to the OWASP TOP 10
Welcome to the OWASP TOP 10 Secure Development for Java Developers Dominik Schadow 03/20/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN 1 AGENDA
More informationSecurity Communications and Awareness
Security Communications and Awareness elearning OVERVIEW Recent high-profile incidents underscore the need for security awareness training. In a world where your employees are frequently exposed to sophisticated
More informationThe SANS Institute Top 20 Critical Security Controls. Compliance Guide
The SANS Institute Top 20 Critical Security Controls Compliance Guide February 2014 The Need for a Risk-Based Approach A common factor across many recent security breaches is that the targeted enterprise
More informationSecurity Best Practices. For DNN Websites
Security Best Practices For DNN Websites Mitchel Sellers Who am I? Microsoft MVP, ASPInsider, DNN MVP Microsoft Certified Professional CEO IowaComputerGurus, Inc. Contact Information msellers@iowacomputergurus.com
More informationVULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED
AUTOMATED CODE ANALYSIS WEB APPLICATION VULNERABILITIES IN 2017 CONTENTS Introduction...3 Testing methods and classification...3 1. Executive summary...4 2. How PT AI works...4 2.1. Verifying vulnerabilities...5
More informationCOMP9321 Web Application Engineering
COMP9321 Web Application Engineering Semester 2, 2016 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2445 1 Assignment
More informationApplication Security Approach
Technical Approach Page 1 CONTENTS Section Page No. 1. Introduction 3 2. What is Application Security 7 3. Typical Approaches 9 4. Methodology 11 Page 2 1. INTRODUCTION Page 3 It is a Unsafe Cyber world..
More informationSECURITY PRACTICES OVERVIEW
SECURITY PRACTICES OVERVIEW 2018 Helcim Inc. Copyright 2006-2018 Helcim Inc. All Rights Reserved. The Helcim name and logo are trademarks of Helcim Inc. P a g e 1 Our Security at a Glance About Helcim
More informationOWASP TOP 10. By: Ilia
OWASP TOP 10 By: Ilia Alshanetsky @iliaa ME, MYSELF & I PHP Core Developer Author of Guide to PHP Security Security Aficionado WEB SECURITY THE CONUNDRUM USABILITY SECURITY YOU CAN HAVE ONE ;-) OPEN WEB
More informationOWASP Top David Johansson. Principal Consultant, Synopsys. Presentation material contributed by Andrew van der Stock
OWASP Top 10 2017 David Johansson Principal Consultant, Synopsys Presentation material contributed by Andrew van der Stock David Johansson Security consultant with 10 years in AppSec Helping clients design
More informationWeb Application Penetration Testing
Web Application Penetration Testing COURSE BROCHURE & SYLLABUS Course Overview Web Application penetration Testing (WAPT) is the Security testing techniques for vulnerabilities or security holes in corporate
More informationOPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES
OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES What is the OWASP Top 10? A list of the top ten web application vulnerabilities Determined by OWASP and the security community at large
More informationCertified Secure Web Application Engineer
Certified Secure Web Application Engineer ACCREDITATIONS EXAM INFORMATION The Certified Secure Web Application Engineer exam is taken online through Mile2 s Assessment and Certification System ( MACS ),
More informationepldt Web Builder Security March 2017
epldt Web Builder Security March 2017 TABLE OF CONTENTS Overview... 4 Application Security... 5 Security Elements... 5 User & Role Management... 5 User / Reseller Hierarchy Management... 5 User Authentication
More informationHacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK
Hacker Academy Ltd COURSES CATALOGUE Hacker Academy Ltd. LONDON UK TABLE OF CONTENTS Basic Level Courses... 3 1. Information Security Awareness for End Users... 3 2. Information Security Awareness for
More informationWill you be PCI DSS Compliant by September 2010?
Will you be PCI DSS Compliant by September 2010? Michael D Sa, Visa Canada Presentation to OWASP Toronto Chapter Toronto, ON 19 August 2009 Security Environment As PCI DSS compliance rates rise, new compromise
More informationSichere Software vom Java-Entwickler
Sichere Software vom Java-Entwickler Dominik Schadow Java Forum Stuttgart 05.07.2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN We can no longer
More informationTopics. Ensuring Security on Mobile Devices
Ensuring Security on Mobile Devices It is possible right? Topics About viaforensics Why mobile security matters Types of security breaches and fraud Anticipated evolution of attacks Common mistakes that
More informationSECURITY TESTING. Towards a safer web world
SECURITY TESTING Towards a safer web world AGENDA 1. 3 W S OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS ate: 2013-14 Few Security Breaches September
More informationSimplifying Application Security and Compliance with the OWASP Top 10
Simplifying Application Security and Compliance with the OWASP Top 10 An Executive Perspective 187 Ballardvale Street, Wilmington, MA 01887 978.694.1008 ExECuTivE PErSPECTivE 2 introduction From a management
More informationData Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle
Data Security and Privacy : Compliance to Stewardship Jignesh Patel Solution Consultant,Oracle Agenda Connected Government Security Threats and Risks Defense In Depth Approach Summary Connected Government
More informationProtect Your Organization from Cyber Attacks
Protect Your Organization from Cyber Attacks Leverage the advanced skills of our consultants to uncover vulnerabilities our competitors overlook. READY FOR MORE THAN A VA SCAN? Cyber Attacks by the Numbers
More informationYour guide to the Payment Card Industry Data Security Standard (PCI DSS) banksa.com.au
Your guide to the Payment Card Industry Data Security Standard (PCI DSS) 1 13 13 76 banksa.com.au CONTENTS Page Contents 1 Introduction 2 What are the 12 key requirements of PCIDSS? 3 Protect your business
More informationV Conference on Application Security and Modern Technologies
V Conference on Application Security and Modern Technologies In collaborazione con Venezia, Università Ca Foscari 6 Ottobre 2017 1 Matteo Meucci OWASP Nuovi standard per la sicurezza applicativa 2
More informationSAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0
Welcome BIZEC Roundtable @ IT Defense, Berlin SAP Security BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0 February 1, 2013 Andreas Wiegenstein CTO, Virtual Forge 2 SAP Security SAP security is a complex
More informationAtlassian. Atlassian Software Development and Collaboration Tools. Bugcrowd Bounty Program Results. Report created on October 04, 2017.
Atlassian Software Development and Collaboration Tools Atlassian Bugcrowd Bounty Program Results Report created on October 04, 2017 Prepared by Ryan Black, Director of Technical Operations Table of Contents
More informationApplication Security. Doug Ashbaugh CISSP, CISA, CSSLP. Solving the Software Quality Puzzle
Application Security Doug Ashbaugh CISSP, CISA, CSSLP Page 1 It security Page 2 Page 3 Percent of Breaches Page 4 Hacking 5% 15% 39% Page 5 Common Attack Pathways Page 6 V u ln e ra b ilitie s / We a k
More informationUsing Open Tools to Convert Threat Intelligence into Practical Defenses A Practical Approach
Using Open Tools to Convert Threat Intelligence into Practical Defenses A Practical Approach 2016 Presented by James Tarala (@isaudit) Principal Consultant Enclave Security 2 Historic Threat Hunting German
More informationNEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?
NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT? What the new data regulations mean for your business, and how Brennan IT and Microsoft 365 can help. THE REGULATIONS: WHAT YOU NEED TO KNOW Australia:
More informationSecuring Cloud Computing
Securing Cloud Computing NLIT Summit, May 2018 PRESENTED BY Jeffrey E. Forster jeforst@sandia.gov Lucille Forster lforste@sandia.gov Sandia National Laboratories is a multimission laboratory managed and
More informationWeb Applications Penetration Testing
Web Applications Penetration Testing Team Members: Rahul Motwani (2016ME10675) Akshat Khare (2016CS10315) ftarth Chopra (2016TT10829) Supervisor: Prof. Ranjan Bose Before proceeding further, we would like
More informationSecuring Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software
Securing Your Web Application against security vulnerabilities Alvin Wong, Brand Manager IBM Rational Software Agenda Security Landscape Vulnerability Analysis Automated Vulnerability Analysis IBM Rational
More informationControls Electronic messaging Information involved in electronic messaging shall be appropriately protected.
I Use of computers This document is part of the UCISA Information Security Toolkit providing guidance on the policies and processes needed to implement an organisational information security policy. To
More informationCOMP9321 Web Application Engineering
COMP9321 Web Application Engineering Web Application Security Dr. Basem Suleiman Service Oriented Computing Group, CSE, UNSW Australia Semester 1, 2016, Week 8 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2442
More informationApplication vulnerabilities and defences
Application vulnerabilities and defences In this lecture We examine the following : SQL injection XSS CSRF SQL injection SQL injection is a basic attack used to either gain unauthorized access to a database
More informationThe Interactive Guide to Protecting Your Election Website
The Interactive Guide to Protecting Your Election Website 1 INTRODUCTION Cloudflare is on a mission to help build a better Internet. Cloudflare is one of the world s largest networks. Today, businesses,
More informationApplication Security & Verification Requirements
Application Security & Verification Requirements David Jones July 2014 This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License. Contains content Copyright 2008 2013 The
More informationExternal Supplier Control Obligations. Cyber Security
External Supplier Control Obligations Cyber Security Control Title Control Description Why this is important 1. Cyber Security Governance The Supplier must have cyber risk governance processes in place
More informationIBM Future of Work Forum
IBM Cognitive IBM Future of Work Forum The Engaged Enterprise Comes Alive Improving Organizational Collaboration and Efficiency While Enhancing Security on Mobile and Cloud Apps Chris Hockings IBM Master
More informationRSA Web Threat Detection
RSA Web Threat Detection Online Threat Detection in Real Time Alaa Abdulnabi. CISSP, CIRM RSA Pre-Sales Manager, TEAM Region 1 Web Threat Landscape In the Wild Begin Session Login Transaction Logout Web
More informationAttacks Against Websites. Tom Chothia Computer Security, Lecture 11
Attacks Against Websites Tom Chothia Computer Security, Lecture 11 A typical web set up TLS Server HTTP GET cookie Client HTML HTTP file HTML PHP process Display PHP SQL Typical Web Setup HTTP website:
More informationCyber Security Audit & Roadmap Business Process and
Cyber Security Audit & Roadmap Business Process and Organizations planning for a security assessment have to juggle many competing priorities. They are struggling to become compliant, and stay compliant,
More information"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary
Course Summary Description Securing.Net Web Applications - Lifecycle is a lab-intensive, hands-on.net security training course, essential for experienced enterprise developers who need to produce secure.net-based
More informationThe requirements were developed with the following objectives in mind:
FOREWORD This document defines four levels of application security verification. Each level includes a set of requirements for verifying the effectiveness of security controls that protect web applications
More informationWeb insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.
Web Security Web Programming Uta Priss ZELL, Ostfalia University 2013 Web Programming Web Security Slide 1/25 Outline Web insecurity Security strategies General security Listing of server-side risks Language
More informationOWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13
Airlock and the OWASP TOP 10-2017 Version 2.1 11.24.2017 OWASP Top 10 A1 Injection... 3 A2 Broken Authentication... 5 A3 Sensitive Data Exposure... 6 A4 XML External Entities (XXE)... 7 A5 Broken Access
More informationCyber Attacks and Application - Motivation, Methods and Mitigation. Alfredo Vistola Solution Architect Security, EMEA
Cyber Attacks and Application - Motivation, Methods and Mitigation Alfredo Vistola a.vistola@f5.com Solution Architect Security, EMEA Attacks are Moving Up the Stack Network Threats Application Threats
More informationProtecting Against Modern Attacks. Protection Against Modern Attack Vectors
Protecting Against Modern Attacks Protection Against Modern Attack Vectors CYBER SECURITY IS A CEO ISSUE. - M C K I N S E Y $4.0M 81% >300K 87% is the average cost of a data breach per incident. of breaches
More informationBank Infrastructure - Video - 1
Bank Infrastructure - 1 05/09/2017 Threats Threat Source Risk Status Date Created Account Footprinting Web Browser Targeted Malware Web Browser Man in the browser Web Browser Identity Spoofing - Impersonation
More informationIngram Micro Cyber Security Portfolio
Ingram Micro Cyber Security Portfolio Ingram Micro Inc. 1 Ingram Micro Cyber Security Portfolio Services Trainings Vendors Technical Assessment General Training Consultancy Service Certification Training
More informationProtect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013
Protect Your Application with Secure Coding Practices Barrie Dempster & Jason Foy JAM306 February 6, 2013 BlackBerry Security Team Approximately 120 people work within the BlackBerry Security Team Security
More informationAn analysis of security in a web application development process
An analysis of security in a web application development process Florent Gontharet Ethical Hacking University of Abertay Dundee MSc Ethical Hacking 2015 Table of Contents Abstract...2 Introduction...3
More informationPCI DSS. Compliance and Validation Guide VERSION PCI DSS. Compliance and Validation Guide
PCI DSS VERSION 1.1 1 PCI DSS Table of contents 1. Understanding the Payment Card Industry Data Security Standard... 3 1.1. What is PCI DSS?... 3 2. Merchant Levels and Validation Requirements... 3 2.1.
More information