Microsoft Platform Security - An Overview. Prasad Nelabhotla Security Consultant ACE Security Team Microsoft India
|
|
- Eric Carroll
- 5 years ago
- Views:
Transcription
1 Microsoft Platform Security - An Overview Prasad Nelabhotla Security Consultant ACE Security Team Microsoft India
2 Agenda Avoiding Common Mistakes Principles to live by Knowing the Enemy Conclusion
3 App level Vulnerabilities Hackers worked overtime in October 07 and defaced over 143 Indian websites during the month compared to just 60 sites that were defaced during September 07. Times of India - Source :
4 Common Mistakes 1. Buffer overruns 2. Format String Problems 3. Integer Overflows 4. Dynamic SQL 5. Command Injection 6. Failure to Handle Errors 7. Cross-Site Scripting 8. Failure to Protect Network Traffic 9. Use of Magic URLs and Hidden Forms 10.Improper Use of SSL 11. Use of Weak Passwordbased Systems 12. Failure to Store and Protect Data Securely 13. Information Leakage 14. Trusting Network Address Resolution 15. Improper File Access 16. Race Conditions 17. Unauthenticated Key Exchange 18. Failure to Use Cryptographically Strong Random Numbers 19. Poor Usability
5 Common Mistakes 1. Buffer overruns 2. Format String Problems 3. Integer Overflows 4. Dynamic SQL 5. Command Injection 6. Failure to Handle Errors 7. Cross-Site Scripting 8. Failure to Protect Network Traffic 9. Use of Magic URLs and Hidden Forms 10.Improper Use of SSL 11. Use of Weak Passwordbased Systems 12. Failure to Store and Protect Data Securely 13. Information Leakage 14. Trusting Network Address Resolution 15. Improper File Access 16. Race Conditions 17. Unauthenticated Key Exchange 18. Failure to Use Cryptographically Strong Random Numbers 19. Poor Usability
6 What s Wrong Here? string Status = "No"; string sqlstring = ""; try { SqlConnection sql = new source=localhost;" + "user id=sa;password=password;"); sql.open(); sqlstring = "SELECT HasShipped" + " FROM Shipment WHERE ID='" + Id + "'"; SqlCommand cmd = new SqlCommand(sqlstring,sql); if ((int)cmd.executescalar()!= 0) Status = "Yes"; } catch (SqlException se) { Status = sqlstring + " failed\n\r"; foreach (SqlError e in se.errors) { Status += e.message + "\n\r"; } } catch (Exception e) { Status = e.tostring(); }
7 Why It s Wrong (1 of 2) sqlstring="select HasShipped" + " FROM Shipment WHERE ID='" + Id + "'"; Good Guy SELECT HasShipped FROM Shipment WHERE ID='1001' Not so Good Guy SELECT HasShipped FROM Shipment WHERE ID= '1001' or 2>1 -- '
8 Why It s Wrong (2 of 2) sqlstring="select HasShipped" + " FROM Shipment WHERE ID='" + Id + "'"; Really Bad Guy SELECT HasShipped FROM Shipment WHERE ID= '1001 ; drop table orders -- ' Downright Evil Guy SELECT HasShipped FROM Shipment WHERE ID= '1001 ; exec xp_cmdshell('...') -- '
9 SQL Injection - Causes Loose or unchecked SQL parameter input. Statements are submitted and executed from a priveledged SQL account SqlConnect sql=new SqlConnect("data source=myserver;user id=sa;password=password;"); Arbitrary statements are allowed to execute CREATE PROCEDURE varchar(128) AS EXEC (@input)
10 SQL Injection - Mitigation Input Validation Parameterized Queries with Stored Procedures
11 Common Mistakes 1. Buffer overruns 2. Format String Problems 3. Integer Overflows 4. SQL Injection 5. Command Injection 6. Failure to Handle Errors 7. Cross-Site Scripting 8. Failure to Protect Network Traffic 9. Use of Magic URLs and Hidden Forms 10.Improper Use of SSL 11. Use of Weak Passwordbased Systems 12. Failure to Store and Protect Data Securely 13. Information Leakage 14. Trusting Network Address Resolution 15. Improper File Access 16. Race Conditions 17. Unauthenticated Key Exchange 18. Failure to Use Cryptographically Strong Random Numbers 19. Poor Usability
12 How would you deface this? /location=<script>document.images[4].src= "
13 XSS in Action Cookie Stealing Welcome.asp Hello, <%= request.querystring( name )%> <a href= <script> document.write( <img src= %2bdocument.cookie%2b> ) </script> here</a>
14 XSS - Mitigation Input Validation Use white list approach Use regular expression Optional ASP.Net ValidateInput Output Encode HTML Encode Anti XSS Library Download:
15 Common Mistakes 1. Buffer overruns 2. Format String Problems 3. Integer Overflows 4. SQL Injection 5. Command Injection 6. Failure to Handle Errors 7. Cross-Site Scripting 8. Failure to Protect Network Traffic 9. Use of Magic URLs and Hidden Forms 10.Improper Use of SSL 11. Use of Weak Passwordbased Systems 12. Failure to Store and Protect Data 13. Information Leakage 14. Trusting Network Address Resolution 15. Improper File Access 16. Race Conditions 17. Unauthenticated Key Exchange 18. Failure to Use Cryptographically Strong Random Numbers 19. Poor Usability
16 Storing Secrets Software cannot defend itself, therefore: Storing secrets securely in software is impossible! Embedded secrets don t stay secret for long
17 Encryption or Encraption? XOR is not your friend! Don t roll your own crypto algorithms Use System.Security.Cryptography Evaluate based on usage Are algorithms appropriate? Use AES (Rijndael) for symmetric encryption Use SHA-1 or better for hashing
18 Key Management Keys are literally the keys to the castle the weakest point in the defense Common key management mistakes Hard coding key values anywhere in the source, including resource files Failure to protect key data in memory or when persisted to file Using key data too often in your application, the more you use it the more chances an attacker will have to steal it Generating the key from a password that is not strong enough
19 Cryptography - Mitigations Don t use home-grown crypto solutions Never hardcode keys Use DPAPI Avoid passing secrets around in memory
20 Defending Against Hacking
21 Principles to Live By
22 Rule #1 - Trust No Input All input is evil, until proven otherwise! Buffer Overruns SQL Injection Blake Blake or 1=1 -- Cross-Site Scripting Blake <script>var i=document</script>
23 Do NOT look only for bad things It assumes you know all the bad things
24 Rule #2 Practice Defense in Depth
25 Defense in Depth Assume you are the last piece of code standing Everything in front of you is destroyed Now protect yourself! We re secure, we use a firewall!
26 Defense in Depth Apply Appropriate Measures for Each Layer Check security Check security Application2.dl l Application.exe Check security Secure resource with an ACL Application.dll Check security
27 Rule #3 - Run With Least Privilege Don t require apps to run with excessive privilege Is it an ACL requirement? Is it a privilege requirement? Revert back to minimum privileges after the task is complete If we don t run as admin, stuff breaks!
28 More Security Principles to Live By Secure Weakest Link First Assume External Systems are Insecure Minimize Attack Surface Use Secure Defaults Use Apt Access Control Security Features!= Secure Features There is no Security thru Obscurity Don t Re-invent the Wheel Don't Mix Code and Data Don't Forget Privacy
29 Knowing the Enemy
30 Why Threat Model? Principle behind threat modeling: One can t feasibly build a secure system until one understands the threats against it Why threat model? Identify threats prior to development Create a defensive security strategy Threat Model to enable application risk management throughout the SDLC and beyond!
31 Benefits Benefits for Application Teams Translates technical risk to business impact Provides a security strategy Prioritize security features Understand value of countermeasures Benefits for Security Team More focused Security Assessments Translates vulnerabilities to business impact Improved Security Awareness Bridges the gap between security teams and application teams
32 Threat Modeling Process Define Scenarios Create DFD Determine Threat Types Leverage Threat Trees Determine Risk Plan Mitigations
33 Where to do TM? Security Kickoff Security Training Security Design Best Practices Security Arch & Attack Surface Review Threat Modeling Use Security Development Tools & Security Best Dev & Test Practices Create Security Docs and Tools For Product Prepare Security Response Plan Security Push Pen Testing Final Security Review Security Servicing & Response Execution Traditional Microsoft Software Product Development Lifecycle Tasks and Processes Feature Lists Quality Guidelines Arch Docs Schedules Functional Specifications Design Specifications Development of New Code Testing and Verification Bug Fixes Code Signing A Checkpoint Express Signoff RTM Product Support Service Packs/ QFEs Security Updates Requirements Design Implementation Verification Release Support & Servicing
34 Definitions: Threat, Attack, Vulnerability And Countermeasure Threat Realized through Attacks Materialize through Vulnerabilities Mitigated with Countermeasures Possibility of something bad happening How it happens (the exploit) Why it happens (the cause) How to prevent it (the fix)
35 Threat Modeling Process Define Scenarios Create DFD Determine Threat Types Leverage Threat Trees Determine Risk Plan Mitigations
36 Define Scenarios & Background Info Define the most common and realistic use scenarios for the application Example from Windows Server 2003 and Internet Explorer Think about an admin browsing the Internet from a Domain Controller Example from Windows CE The stolen device Define your users
37 Threat Modeling Process Define Scenarios Create DFD Determine Threat Types Leverage Threat Trees Determine Risk Plan Mitigations
38 Data Flow Diagrams Representation of how data enters, leaves, and traverses your component Not a Class Diagram or Flow Chart! Shows all data sources and destinations Shows all relevant processes that data goes through * Diagrams taken from Writing Secure Code, 2 nd Edition
39 Implementation Examples External Entity Process Data Flow Data Store Real People Services Function call Database News feeds Data feeds Events Notifications Web Services Assemblies DLLs EXEs COM object Network traffic Shared memory File Registry Shared Memory Queue/Stack
40 Building DFDs Context Level 1 Level 0 Level 2 Context Diagram Very high-level; entire component / product / system Level 0 Diagram High level; single feature / scenario Level 1 Diagram Low level; detailed subcomponents of features Level n Diagram Even more detailed; unlikely to go beyond Level 2
41 Pet Shop: Context Diagram Request View Files and Logging Data Users (1.0) Pet Shop (4.0) Admin (3.0) Response Apply Settings Request Anonymous User (2.0) Response Source: Secure Development Lifecycle - Mike Howard, Steve Lipner (MS Press)
42 Pet Shop: Level Zero DFD Customer (1.0) Request 1 Web App Config (4.1) R CRU CU R User Profile (4.5) R CU User Profile Data (4.8) Response CU 1 CRUD Request Web App 4.2 R Membership (4.6) R CU Membership Data (4.9) Anon User (2.0) Response R Web Pages (4.3) 1 CRUD CU R Ordering (4.7) 1 CRUD 1 Admin (3.0) Source: Secure Development Lifecycle - Mike Howard, Steve Lipner (MS Press)
43 Pet Shop: Level One DFD (Order Processing) CRD (purge) CRUD Audit Log Orders Write Audit Entry Logging Engine R Web App 4.2 CU 1 Admin (3.0) Create Audit Entry Order Processor Place Order Get Order Status Or Confirmation Synch Order Get Order Status Or Confirmation Place Order Asynch Order Place Order Get Order Status Or Confirmation 1 Place Order 1 CRUD CRUD Get Order Status Or Confirmation CRU Data Access RU Inventory Asynch Orders CRU Queuing Source: Secure Development Lifecycle - Mike Howard, Steve Lipner (MS Press)
44 Threat Modeling Process Define Scenarios Create DFD Determine Threat Types Leverage Threat Trees Determine Risk Plan Mitigations
45 Threat Types: STRIDE Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege
46 How to determine STRIDE Is this item susceptible to spoofing? Can this item be tampered with? Can an attacker repudiate this action? Can an attacker view this item? Can an attacker deny service to this process or data flow? Can an attacker elevate their privilege by attacking this process?
47 Asset S T R I D E External Entity Process Data Store Data Flow
48 Threats by Assets: External Entities
49 Threats by Assets: Processes
50 Threats by Assets: Data Stores
51 Threats by Assets: Data Flows
52 Threat Modeling Process Define Scenarios Create DFD Determine Threat Types Leverage Threat Trees Determine Risk Plan Mitigations
53 Threat Trees Threat Primary Threat Condition Condition And Clause Or Clause Condition Condition Condition Condition Each Leaf Node is a Secondary Threat to be Evaluated
54 Threat Tree Pattern Tampering with datastore Null Protection Scheme Bypass Protection Scheme Violate store semantics Overcapacity failures Canonicalization failure Overly permissive protection Other Null monitor Bypass monitor Discard Wraparound Other Extra-monitor access Tampering against monitor process EoP against monitor process
55 Threat Modeling Process Define Scenarios Create DFD Determine Threat Types Leverage Threat Trees Determine Risk Plan Mitigations
56 Measuring Risk: DREAD Damage Potential Reproducibility Exploitability Affected Users Discoverability
57 Using DREAD to Calculate Risk Risk = Impact x Probability Impact derived from: Damage Potential Affected Users Probability derived from: Discoverability Exploitability Reproducibility
58 Threat Modeling Process Define Scenarios Create DFD Determine Threat Types Leverage Threat Trees Determine Risk Plan Mitigations
59 Mitigation Options Leave as-is Remove from product Remedy with technology countermeasure Warn user
60 Threat Modeling Process Define Scenarios Create DFD Determine Threat Types Leverage Threat Trees Determine Risk Plan Mitigations
61 Threat Modeling Process Define Scenarios Create DFD Manual Rote Determine Threat Types Leverage Threat Trees Determine Risk Plan Mitigations
62 CVE Data for Database level Vulns
63 CVE Data for OS level Vulns
64 Security Tools Visual C++ /GS Switch Mitigation against Buffer Overruns, Int Overflows FxCop Static Code Analysis Tool Enforces Design and Code Correctness PermCalc Calculate minimum permissions required to run code
65 Security Tools - ACE Tools SPIDER: Security Profiler Intelligent Detection Engine for Remediation is a Computer Assisted Audit Technique (CAAT). CAATs can be used in a fiduciary audit environment to ensure regulatory compliance and to provide visibility into the strategic and technical management of mission critical systems to industry best practice standards. TAMe: Threat Analysis and Modeling tool for enterprise. Is the enterprise version of the famous Threat Analysis and Modeling (TAM) tool which is available on MSDN for free download. Download :
66 Threat Modeling- for Apps TAM v2 (2006) TAM Enterprise (2007) TAM v1 (2004)
67 Video Threat Modeling using TAM
68 Measure Validate Model Define Threat Modeling for Applications Application Context Data A.C.M. Use Cases Generate Threats Identify Countermeasures Determine Risk Response Determine Impact/Prob of Risk Validate / Optimize Threat Model Manual Generated
69 Video TAM Analytics
70 In Summary Avoiding Common Mistakes Is Easy if you are Careful Read 19 Deadly Sins of Software Security Principles to Live By Incorporate in daily coding Read Writing Secure Code 2 nd Ed Knowing the Enemy Model Threats: Need to know what you are fighting against Read Secure Development Lifecycle Tools and Technology to Use Ship as a part of the OS and Visual Studio ACE Tools TAMe/SPIDER/CAT.NET
71 Application Security Consulting Services Services offered by Microsoft ACE Services: Application Security Code Reviews Threat Modeling/Design Reviews Training: Secure Application Development Threat Modeling Assistance with developing and deploying SDL-IT within your environment Contact
72 Questions? ACE Team Blog Site:
73
Secure Development Processes
Secure Development Processes SecAppDev2009 What s the problem? Writing secure software is tough Newcomers often are overwhelmed Fear of making mistakes can hinder Tend to delve into security superficially
More informationThreat Modeling. Bart De Win Secure Application Development Course, Credits to
Threat Modeling Bart De Win bart.dewin@ascure.com Secure Application Development Course, 2009 Credits to Frank Piessens (KUL) for the slides 2 1 Overview Introduction Key Concepts Threats, Vulnerabilities,
More informationEngineering Your Software For Attack
Engineering Your Software For Attack Robert A. Martin Senior Principal Engineer Cyber Security Center Center for National Security The MITRE Corporation 2013 The MITRE Corporation. All rights reserved.
More informationInstructions 1 Elevation of Privilege Instructions
Instructions 1 Elevation of Privilege Instructions Draw a diagram of the system you want to threat model before you deal the cards. Deal the deck to 3-6 players. Play starts with the 3 of Tampering. Play
More informationInstructions 1. Elevation of Privilege Instructions. Draw a diagram of the system you want to threat model before you deal the cards.
Instructions 1 Elevation of Privilege Instructions Draw a diagram of the system you want to threat model before you deal the cards. Deal the deck to 3 6 players. Play starts with the 3 of Tampering. Play
More informationC and C++ Secure Coding 4-day course. Syllabus
C and C++ Secure Coding 4-day course Syllabus C and C++ Secure Coding 4-Day Course Course description Secure Programming is the last line of defense against attacks targeted toward our systems. This course
More informationMobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing
Mobile Malfeasance Exploring Dangerous Mobile Code Jason Haddix, Director of Penetration Testing Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to
More informationHow NOT To Get Hacked
How NOT To Get Hacked The right things to do so the bad guys can t do the wrong ones Mark Burnette Partner, LBMC -Risk Services October 25, 2016 Today s Agenda Protecting Against A Hack How should I start?
More informationThreat Modeling for System Builders and System Breakers!! Dan Copyright 2014 Denim Group - All Rights Reserved
Threat Modeling for System Builders and System Breakers!! Dan Cornell! @danielcornell Dan Cornell Dan Cornell, founder and CTO of Denim Group Software developer by background (Java,.NET, etc) OWASP San
More informationProtect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013
Protect Your Application with Secure Coding Practices Barrie Dempster & Jason Foy JAM306 February 6, 2013 BlackBerry Security Team Approximately 120 people work within the BlackBerry Security Team Security
More informationApplication Security through a Hacker s Eyes James Walden Northern Kentucky University
Application Security through a Hacker s Eyes James Walden Northern Kentucky University waldenj@nku.edu Why Do Hackers Target Web Apps? Attack Surface A system s attack surface consists of all of the ways
More informationHunting Security Bugs
Microsoft Hunting Security Bugs * Tom Gallagher Bryan Jeffries Lawrence Landauer Contents at a Glance 1 General Approach to Security Testing 1 2 Using Threat Models for Security Testing 11 3 Finding Entry
More informationThreat analysis. Tuomas Aura CS-C3130 Information security. Aalto University, autumn 2017
Threat analysis Tuomas Aura CS-C3130 Information security Aalto University, autumn 2017 Outline What is security Threat analysis Threat modeling example Systematic threat modeling 2 WHAT IS SECURITY 3
More informationCSWAE Certified Secure Web Application Engineer
CSWAE Certified Secure Web Application Engineer Overview Organizations and governments fall victim to internet based attacks every day. In many cases, web attacks could be thwarted but hackers, organized
More informationWhiteboard Hacking / Hands-on Threat Modeling. Introduction
Whiteboard Hacking / Hands-on Threat Modeling Introduction Sebastien Deleersnyder 5 years developer experience 15+ years information security experience Application security consultant Toreon Belgian OWASP
More informationAdam Shostack Microsoft
Adam Shostack Microsoft Mandatory process at Microsoft Covers development from conception to shipping & updates Includes threat modeling during design phase 2008 Microsoft 2008 Microsoft All engineers
More informationStudents should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:
Secure Java Web Application Development Lifecycle - SDL (TT8325-J) Day(s): 5 Course Code: GK1107 Overview Secure Java Web Application Development Lifecycle (SDL) is a lab-intensive, hands-on Java / JEE
More informationApplication Security Design Principles. What do you need to know?
Application Security Design Principles What do you need to know? Anshu Gupta Bio Director of Information Security at HelloSign, a leading esignature company. Served as a trusted advisor on information
More informationHow To Make Threat Modeling Work For You
How To Make Threat Modeling Work For You Strategic Approaches to Real-World Architecture Challenges O Reilly Software Architecture Online Conference March 1, 2016 Robert Hurlbut Robert Hurlbut Software
More informationOWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati
OWASP TOP 10 2017 Release Andy Willingham June 12, 2018 OWASP Cincinnati Agenda A quick history lesson The Top 10(s) Web Mobile Privacy Protective Controls Why have a Top 10? Software runs the world (infrastructure,
More informationCertified Secure Web Application Engineer
Certified Secure Web Application Engineer ACCREDITATIONS EXAM INFORMATION The Certified Secure Web Application Engineer exam is taken online through Mile2 s Assessment and Certification System ( MACS ),
More information90% of data breaches are caused by software vulnerabilities.
90% of data breaches are caused by software vulnerabilities. Get the skills you need to build secure software applications Secure Software Development (SSD) www.ce.ucf.edu/ssd Offered in partnership with
More information"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary
Course Summary Description Securing.Net Web Applications - Lifecycle is a lab-intensive, hands-on.net security training course, essential for experienced enterprise developers who need to produce secure.net-based
More informationC1: Define Security Requirements
OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security
More informationData Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle
Data Security and Privacy : Compliance to Stewardship Jignesh Patel Solution Consultant,Oracle Agenda Connected Government Security Threats and Risks Defense In Depth Approach Summary Connected Government
More informationDeveloping Secure Applications with OWASP OWASP. The OWASP Foundation Martin Knobloch
Developing Secure Applications with OWASP Martin Knobloch martin.knobloch@owasp.org OWASP OWASP NL Chapter Board OWASP Global Education Committee Chair Copyright The OWASP Foundation Permission is granted
More informationApplication security : going quicker
Application security : going quicker The web application firewall example Agenda Agenda o Intro o Application security o The dev team approach o The infra team approach o Impact of the agility o The WAF
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationInformation Security. Gabriel Lawrence Director, IT Security UCSD
Information Security Gabriel Lawrence Director, IT Security UCSD Director of IT Security, UCSD Three Startups (2 still around!) Sun Microsystems (Consulting and JavaSoftware) Secure Internet Applications
More informationCYSE 411/AIT 681 Secure Software Engineering. Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun
CYSE 411/AIT 681 Secure Software Engineering Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun Reading This lecture [McGraw]: Ch. 7-9 2 Seven Touchpoints 1. Code review 2. Architectural
More information4. Risk-Based Security Testing. Reading. CYSE 411/AIT 681 Secure Software Engineering. Seven Touchpoints. Application of Touchpoints
Reading This lecture [McGraw]: Ch. 7-9 CYSE 411/AIT 681 Secure Software Engineering Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun 2 Seven Touchpoints Application of Touchpoints
More informationProvide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any
OWASP Top 10 Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any tester can (and should) do security testing
More informationThreat Modeling For Secure Software Design
Threat Modeling For Secure Software Design 2016 Central Ohio InfoSec Summit March 29, 2016 Robert Hurlbut RobertHurlbut.com @RobertHurlbut Robert Hurlbut Software Security Consultant, Architect, and Trainer
More informationmission critical applications mission critical security Oracle Critical Patch Update October 2011 E-Business Suite Impact
mission critical applications mission critical security Oracle Critical Patch Update October 2011 E-Business Suite Impact Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director
More informationSecurity: Threats and Countermeasures. Stanley Tan Academic Program Manager Microsoft Singapore
Security: Threats and Countermeasures Stanley Tan Academic Program Manager Microsoft Singapore Session Agenda Types of threats Threats against the application Countermeasures against the threats Types
More information18-642: Security Mitigation & Validation
18-642: Security Mitigation & Validation 11/27/2017 Security Migitation & Validation Anti-Patterns for security mitigation & validation Poorly considered password policy Poorly considered privilege management
More informationMicrosoft SDL 한국마이크로소프트보안프로그램매니저김홍석부장. Security Development Lifecycle and Building Secure Applications
Release Conception Microsoft SDL Security Development Lifecycle and Building Secure Applications KRnet 2010 2010. 6. 22. 한국마이크로소프트보안프로그램매니저김홍석부장 Hongseok.Kim@microsoft.com Agenda Applications under Attack
More informationUnit Level Secure by Design Approach
Unit Level Secure by Design Approach Abstract Authors: Vasantharaju MS & Joshua Cajetan Rebelo Vasantharaju_MS@McAfee.com Joshua.Rebelo@Siemens.com With cyber-attacks on the rise and high-profile breaches
More informationmission critical applications mission critical security Oracle Critical Patch Update July 2011 E-Business Suite Impact
mission critical applications mission critical security Oracle Critical Patch Update July 2011 E-Business Suite Impact Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director
More informationCombating Common Web App Authentication Threats
Security PS Combating Common Web App Authentication Threats Bruce K. Marshall, CISSP, NSA-IAM Senior Security Consultant bmarshall@securityps.com Key Topics Key Presentation Topics Understanding Web App
More informationWeb 2.0, Consumerization, and Application Security
Web 2.0, Consumerization, and Application Security Chenxi Wang, Ph.D. Principal Analyst Forrester Research OWASP, New York City September 25, 2008 Today s enterprises face multitude of challenges Business-driven
More informationOWASP Top 10 The Ten Most Critical Web Application Security Risks
OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain
More informationExcerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt
Excerpts of Web Application Security focusing on Data Validation adapted for F.I.S.T. 2004, Frankfurt by fs Purpose of this course: 1. Relate to WA s and get a basic understanding of them 2. Understand
More informationIANS Pragmatic Threat Modeling. Michael Pinch, IANS Faculty
IANS Pragmatic Threat Modeling Michael Pinch, IANS Faculty Agenda What Is Threat Modeling? Who Should Be Considering Threat Modeling? Methodologies for Threat Modeling Common Pitfalls Introduction of IANS
More informationSome Facts Web 2.0/Ajax Security
/publications/notes_and_slides Some Facts Web 2.0/Ajax Security Allen I. Holub Holub Associates allen@holub.com Hackers attack bugs. The more complex the system, the more bugs it will have. The entire
More informationEthical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities
Ethical Hacking and Countermeasures: Web Chapter 3 Web Application Vulnerabilities Objectives After completing this chapter, you should be able to: Understand the architecture of Web applications Understand
More informationIntegrigy Consulting Overview
Integrigy Consulting Overview Database and Application Security Assessment, Compliance, and Design Services March 2016 mission critical applications mission critical security About Integrigy ERP Applications
More informationA (sample) computerized system for publishing the daily currency exchange rates
A (sample) computerized system for publishing the daily currency exchange rates The Treasury Department has constructed a computerized system that publishes the daily exchange rates of the local currency
More informationSoftware Security and Exploitation
COMS E6998-9: 9: Software Security and Exploitation Lecture 8: Fail Secure; DoS Prevention; Evaluating Components for Security Hugh Thompson, Ph.D. hthompson@cs.columbia.edu Failing Securely and Denial
More informationSoftware Analysis. Security 1. Motivation. Security. Reliability. Why? Mar Software Quality. Jonathan Aldrich Carnegie Mellon University
Software Analysis Security 1. Motivation Mar 2008 Jonathan Aldrich Carnegie Mellon University Slides by Paulo Marques, University of Coimbra, Portugal Why? Security Reliability Software Quality 2 1 in
More informationTop 10 Database Security Threats and How to Stop Them. Rob Rachwald Director of Security Strategy
Top 10 Database Security Threats and How to Stop Them Rob Rachwald Director of Security Strategy Data Has Value Data Has Value Top 7 Attacks Discussed in Hacker Forums 11% 9% 12% 12% 15% 21% 20% dos/ddos
More informationINNOV-09 How to Keep Hackers Out of your Web Application
INNOV-09 How to Keep Hackers Out of your Web Application Michael Solomon, CISSP PMP CISM Solomon Consulting Inc. www.solomonconsulting.com What is a Web Application? Any access to your data via the Internet
More informationSurvey of Cyber Moving Targets. Presented By Sharani Sankaran
Survey of Cyber Moving Targets Presented By Sharani Sankaran Moving Target Defense A cyber moving target technique refers to any technique that attempts to defend a system and increase the complexity of
More informationTest Harness for Web Application Attacks
IJSRD National Conference on Advances in Computer Science Engineering & Technology May 2017 ISSN: 2321-0613 Test Harness for Web Application Attacks Kishan Chudasama 1 Mr. Girish Khilari 2 Mr. Suresh Sikka
More informationOWASP March 19, The OWASP Foundation Secure By Design
Secure By Design March 19, 2014 Rohini Sulatycki Senior Security Consultant Trustwave rsulatycki@trustwave.com Copyright The Foundation Permission is granted to copy, distribute and/or modify this document
More informationApplication Layer Security
Application Layer Security General overview Ma. Angel Marquez Andrade Benefits of web Applications: No need to distribute separate client software Changes to the interface take effect immediately Client-side
More informationAbout the company. What we do? Cybersecurity solutions adapted to protect enterprise business applications (SAP & Oracle).
About the company 2 What we do? Cybersecurity solutions adapted to protect enterprise business applications (SAP & Oracle). Agenda 3 Building a business case for SAP Vulnerability Management How to start
More informationSecuring Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software
Securing Your Web Application against security vulnerabilities Alvin Wong, Brand Manager IBM Rational Software Agenda Security Landscape Vulnerability Analysis Automated Vulnerability Analysis IBM Rational
More informationOWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example
Proxy Caches and Web Application Security Using the Recent Google Docs 0-Day as an Example Tim Bass, CISSP Chapter Leader, Thailand +66832975101, tim@unix.com AppSec Asia October 21, 2008 Thailand Worldwide
More informationThe Need for Confluence
The Need for Confluence The Essential Role of Incident Response in Secure Software Development Why do security incidents occur? What is the root cause? Faulty software (more often than not) What is the
More informationCS 356 Operating System Security. Fall 2013
CS 356 Operating System Security Fall 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter 5 Database
More informationThreat Modeling Using STRIDE
Threat Modeling Using STRIDE By: Girindro Pringgo Digdo, M.T., CSX-F http://www.girindropringgodigdo.net/ girindigdo@gmail.com 1 About Dealing with Information Security Fields: VAPT Generate New Attack
More informationcs642 /introduction computer security adam everspaugh
cs642 computer security /introduction adam everspaugh ace@cs.wisc.edu definition Computer Security := understanding and improving the behavior of computing systems in the presence of adversaries adversaries
More informationTHE EMERGING PRODUCT SECURITY LEADER DISCIPLINE
SESSION ID: DEV-F02 THE EMERGING PRODUCT SECURITY LEADER DISCIPLINE Matt Clapham Principal Product Security Leader GE Digital (Healthcare) @ProdSec Agenda What is product security What is a product security
More informationmission critical applications mission critical security Oracle Critical Patch Update October 2011 Oracle Database Impact
mission critical applications mission critical security Oracle Critical Patch Update October 2011 Oracle Database Impact Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director
More informationWelcome to the OWASP TOP 10
Welcome to the OWASP TOP 10 Secure Development for Java Developers Dominik Schadow 03/20/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN 1 AGENDA
More informationDefense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation
Defense-in-Depth Against Malicious Software Speaker name Title Group Microsoft Corporation Agenda Understanding the Characteristics of Malicious Software Malware Defense-in-Depth Malware Defense for Client
More informationSecure Application Development. OWASP September 28, The OWASP Foundation
Secure Application Development September 28, 2011 Rohini Sulatycki Senior Security Consultant Trustwave rsulatycki@trustwave.com Copyright The Foundation Permission is granted to copy, distribute and/or
More informationThe Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA
The Weakest Link: Mitigating Web Application Vulnerabilities webscurity White Paper webscurity Inc. Minneapolis, Minnesota USA March 19, 2008 Contents Executive Summary...3 Introduction...4 Target Audience...4
More informationTHREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda
THREAT MODELING IN SOCIAL NETWORKS Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda INTRODUCTION Social Networks popular web service. 62% adults worldwide use social media 65% of world top companies
More informationSHA-1 to SHA-2. Migration Guide
SHA-1 to SHA-2 Migration Guide Web-application attacks represented 40 percent of breaches in 2015. Cryptographic and server-side vulnerabilities provide opportunities for cyber criminals to carry out ransomware
More informationSAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts
SAP Cybersecurity Solution Brief Objectives Solution Benefits Quick Facts Secure your SAP landscapes from cyber attack Identify and remove cyber risks in SAP landscapes Perform gap analysis against compliance
More informationTest Conditions. Closed book, closed notes, no calculator, no laptop just brains 75 minutes. Steven M. Bellovin October 19,
Test Conditions Closed book, closed notes, no calculator, no laptop just brains 75 minutes Steven M. Bellovin October 19, 2005 1 Form 8 questions I m not asking you to write programs or even pseudo-code
More information.NET Secure Coding for Client-Server Applications 4-Day hands on Course. Course Syllabus
.NET Secure Coding for Client-Server Applications 4-Day hands on Course Course Syllabus Course description.net Secure Coding for Client-Server Applications 4-Day hands on Course Secure programming is the
More informationSecure Programming Techniques
Secure Programming Techniques Meelis ROOS mroos@ut.ee Institute of Computer Science Tartu University spring 2014 Course outline Introduction General principles Code auditing C/C++ Web SQL Injection PHP
More informationInverting Risk Management for Ethical Hacking. SecureWorld Expo 09
Inverting Risk Management for Ethical Hacking SecureWorld Expo 09 Agenda Speaker Introductions Learning Objectives Framework of Risk Management & Analysis (FoRMA) Duality of Risk Demonstration of Information
More informationAttacking the Application OWASP. The OWASP Foundation. Dave Ferguson, CISSP Security Consultant FishNet Security.
Attacking the Application Dave Ferguson, CISSP Security Consultant FishNet Security Copyright The Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the
More informationCOPYRIGHTED MATERIAL. Contents. Part I: The Basics in Depth 1. Chapter 1: Windows Attacks 3. Chapter 2: Conventional and Unconventional Defenses 51
Acknowledgments Introduction Part I: The Basics in Depth 1 Chapter 1: Windows Attacks 3 Attack Classes 3 Automated versus Dedicated Attacker 4 Remote versus Local 7 Types of Attacks 8 Dedicated Manual
More informationUnderstanding Perimeter Security
Understanding Perimeter Security In Amazon Web Services Aaron C. Newman Founder, CloudCheckr Aaron.Newman@CloudCheckr.com Changing Your Perspective How do I securing my business applications in AWS? Moving
More informationCSE484 Final Study Guide
CSE484 Final Study Guide Winter 2013 NOTE: This study guide presents a list of ideas and topics that the TAs find useful to know, and may not represent all the topics that could appear on the final exam.
More informationComputer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks
Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition Chapter 3 Investigating Web Attacks Objectives After completing this chapter, you should be able to: Recognize the indications
More informationSAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0
Welcome BIZEC Roundtable @ IT Defense, Berlin SAP Security BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0 February 1, 2013 Andreas Wiegenstein CTO, Virtual Forge 2 SAP Security SAP security is a complex
More informationRiskSense Attack Surface Validation for Web Applications
RiskSense Attack Surface Validation for Web Applications 2018 RiskSense, Inc. Keeping Pace with Digital Business No Excuses for Not Finding Risk Exposure We needed a faster way of getting a risk assessment
More informationmission critical applications mission critical security Oracle Critical Patch Update July 2011 Oracle Database Impact
mission critical applications mission critical security Oracle Critical Patch Update July 2011 Oracle Database Impact Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of
More informationATTACKING SYSTEM & WEB Desmond Alexander CISSP / GIAC/ GPEN CEO FORESEC
ATTACKING SYSTEM & WEB Desmond Alexander CISSP / GIAC/ GPEN CEO FORESEC AGENDA VULNERABILITIES OF WEB EXPLOIT METHODS COUNTERMEASURE About Me DIRECTOR OF FORESEC COUNTER TERRORIST ACTION TEAM RESEARCH
More informationSecure Development Lifecycle
Secure Development Lifecycle Strengthening Cisco Products The Cisco Secure Development Lifecycle (SDL) is a repeatable and measurable process designed to increase Cisco product resiliency and trustworthiness.
More informationStudents should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:
Securing Java/ JEE Web Applications (TT8320-J) Day(s): 4 Course Code: GK1123 Overview Securing Java Web Applications is a lab-intensive, hands-on Java / JEE security training course, essential for experienced
More informationNERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS
NERC CIP VERSION 6 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements
More informationWeb insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.
Web Security Web Programming Uta Priss ZELL, Ostfalia University 2013 Web Programming Web Security Slide 1/25 Outline Web insecurity Security strategies General security Listing of server-side risks Language
More information10 FOCUS AREAS FOR BREACH PREVENTION
10 FOCUS AREAS FOR BREACH PREVENTION Keith Turpin Chief Information Security Officer Universal Weather and Aviation Why It Matters Loss of Personally Identifiable Information (PII) Loss of Intellectual
More informationCourse 834 EC-Council Certified Secure Programmer Java (ECSP)
Course 834 EC-Council Certified Secure Programmer Java (ECSP) Duration: 3 days You Will Learn How To Apply Java security principles and secure coding practices Java Security Platform, Sandbox, JVM, Class
More informationSecuring Apache Tomcat. AppSec DC November The OWASP Foundation
Securing Apache Tomcat AppSec DC November 2009 Mark Thomas Senior Software Engineer & Consultant SpringSource mark.thomas@springsource.com +44 (0) 2380 111500 Copyright The Foundation Permission is granted
More informationCSC 482/582: Computer Security. Cross-Site Security
Cross-Site Security 8chan xss via html 5 storage ex http://arstechnica.com/security/2015/09/serious- imgur-bug-exploited-to-execute-worm-like-attack-on- 8chan-users/ Topics 1. Same Origin Policy 2. Credential
More informationPractical Threat Modeling. SecAppDev 2018
Practical Threat Modeling SecAppDev 2018 Material tinyurl.com/secappdev2018 Sebastien Deleersnyder 5 years developer experience 15+ years information security experience Application security consultant
More informationContinuously Discover and Eliminate Security Risk in Production Apps
White Paper Security Continuously Discover and Eliminate Security Risk in Production Apps Table of Contents page Continuously Discover and Eliminate Security Risk in Production Apps... 1 Continuous Application
More informationSecurity activities during development
Secure Programming Lecture 9: Secure Development David Aspinall, Informatics @ Edinburgh 12th February 2016 Recap We ve looked in detail at two important vulnerability classes: overflows, stack and heap
More informationCPET 499/ITC 250 Web Systems Chapter 16 Security. Topics
CPET 499/ITC 250 Web Systems Chapter 16 Security Text Book: * Fundamentals of Web Development, 2015, by Randy Connolly and Ricardo Hoar, published by Pearson Paul I-Hai, Professor http://www.etcs.ipfw.edu/~lin
More informationCLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance
IBM Innovate 2010 CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance Anthony Lim MBA CISSP CSSLP FCITIL Director, Asia Pacific, Software Security Solutions IBM,
More informationUEFI and the Security Development Lifecycle
presented by UEFI and the Security Development Lifecycle Spring 2018 UEFI Seminar and Plugfest March 26-30, 2018 Presented by Tim Lewis (Insyde Software) Agenda The Threat Is Real The Security Development
More informationSurprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS
Surprisingly Successful: What Really Works in Cyber Defense John Pescatore, SANS 1 Largest Breach Ever 2 The Business Impact Equation All CEOs know stuff happens in business and in security The goal is
More information