6-Points Strategy to Get Your Application in Security Shape
Size: px
Start display at page:

Download "6-Points Strategy to Get Your Application in Security Shape"

Transcription

1 6-Points Strategy to Get Your Application in Security Shape Sherif Koussa OWASP Ottawa Chapter Leader Static Analysis Technologies Evaluation Criteria Project Leader Application Security Specialist - Software Secured

2 Bio

3 The 6 Points Strategy to Get Your Applications Back in Top Security Shape...

4 1. DRASTIC CHANGES NEED DRASTIC MEASURES! Get to the bottom of things quickly!

5 Why Security Code Reviews: Effectiveness of Security Controls Against Known Threats Testing All Application Execution Paths Find All Instances of a Certain Vulnerability The Only Way to Find Certain Types of Vulnerabilities Effective Remediation Instructions

6 2. COVER THE BASICS FIRST Don t run before you can walk!

7 OWASP Top OWASP Top A1. Injection A2. Cross-Site Scripting A3. Broken Authentication and Session Management A4. Insecure Direct Object References A5. Cross-Site Request Forgery A6. Security Misconfiguration A7. Insecure Cryptographic Storage A8. Failure to Restrict URL Access A9. Insufficient Transport Layer Protection A10. Unvalidated Redirects and Forwards A1. Injection A2. Broken Authentication and Session Management A3. Cross-Site Scripting A4. Insecure Direct Object References A5. Security Misconfiguration A6. Sensitive Data Exposure A7. Missing Function Level Access Control A8. Cross-Site Request Forgery A9. Using Known Vulnerable Components A10. Unvalidated Redirects and Forwards 2010 Modified New

8 3.FOCUS ON WHAT MATTERS! Really...focus on what matters!

9 Effective Application Security Assessment Process Reconnaissance! Reporting! Threat Assessment! Security Skills! Checklist! Tools! Confirmation & PoC! Automation! Manual Review!

10 4. GET YOUR HANDS DIRTY! No pain...no gain...

11 What Needs Manual Review? This REALLY Matters! Authentication & Authorization Controls Encryption Modules File Upload and Download Operations Validation Controls\Input Filters Security-Sensitive Application Logic

12 Authentication and Authorization Controls WebMethods Don t Follow Regular ASP.net Page Lifecycle

13 Encryption Modules There is a possibility of returning empty hashes on error

14 Security Controls Directory traversal is possible on post-back.

15 5. GET YOUR B-17 FIX! Gain strategic advantage over the attackers...

16 Checklists Advances Technology Aviation: Model : Too much airplane for one man to fly. B-17 plane (Model 299 Successor) gave the U.S. major strategic advantage in WWII Intensive Care Units: Usage of checklists brought down infection rates in Michigan by 66%

17 Resources To Conduct Your NIST Checklist Project Checklist Mozilla s Secure Coding QA Checklist Oracle s Secure Coding Checklist -

18 6. FINISH STRONG! Flex your communications muscles!

19 ! SQL Injection: Reporting! Location: \source\acmeportal\updateinfo.aspx.cs:! Description: The code below is build dynamic sql statement using unvalidated data (i.e. name) which can lead to SQL Injection 51 SqlDataAdapter mycommand = new! SqlDataAdapter(! 52 "SELECT au_lname, au_fname FROM! author! WHERE au_id = '" +! 53 SSN.Text + "'", myconnection);! Priority: High! Recommendation: Use parameterized SQL instead of dynamic concatenation, refer to msdn.microsoft.com/en-us/library/ff aspx for details.! Owner: John Smith! Metadata Thorough Description Recommendation Assign Appropriate Priority

20 The 6-Points Strategy... 1.Drastic Changes Requires Drastic Measures. 2.Cover The Basics First. 3.Focus on What Matters. 4.Get Your Hands Dirty. 5.Get Your B-17 Fix. 6.Finish Strong.

21 QUESTIONS?

Similar documents

EPRI Software Development 2016 Guide for Testing Your Software. Software Quality Assurance (SQA)

EPRI Software Development 2016 Guide for Testing Your Software. Software Quality Assurance (SQA) EPRI Software Development 2016 Guide for Testing Your Software Software Quality Assurance (SQA) Usability Testing Sections Installation and Un-Installation Software Documentation Test Cases or Tutorial

More information

Development*Process*for*Secure* So2ware

Development*Process*for*Secure* So2ware Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development

More information

Your Turn to Hack the OWASP Top 10!

Your Turn to Hack the OWASP Top 10! OWASP Top 10 Web Application Security Risks Your Turn to Hack OWASP Top 10 using Mutillidae Born to Be Hacked Metasploit in VMWare Page 1 https://www.owasp.org/index.php/main_page The Open Web Application

More information

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017 OWASP Top 10-2017 David Caissy OWASP Los Angeles Chapter July 2017 About Me David Caissy Web App Penetration Tester Former Java Application Architect IT Security Trainer: Developers Penetration Testers

More information

Web Application Security. Philippe Bogaerts

Web Application Security. Philippe Bogaerts Web Application Security Philippe Bogaerts OWASP TOP 10 3 Aim of the OWASP Top 10 educate developers, designers, architects and organizations about the consequences of the most common web application security

More information

David Rook. Agnitio Security code review swiss army knife. Hack in Paris, Paris

David Rook. Agnitio Security code review swiss army knife. Hack in Paris, Paris David Rook Agnitio Security code review swiss army knife Hack in Paris, Paris if (slide == introduction) System.out.println("I m David Rook"); Security Analyst, Realex Payments, Ireland CISSP, CISA, GCIH

More information

Application. Security. on line training. Academy. by Appsec Labs

Application. Security. on line training. Academy. by Appsec Labs Application Security on line training Academy by Appsec Labs APPSEC LABS ACADEMY APPLICATION SECURITY & SECURE CODING ON LINE TRAINING PROGRAM AppSec Labs is an expert application security company serving

More information

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing Advancing Expertise in Security Testing Taming the Wild West Canberra, Australia 1 Who is this guy? Andrew

More information

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s Session I of III JD Nir, Security Analyst Why is this important? ISE Proprietary Agenda About ISE Web Applications

More information

OWASP Review. Amherst Security Group June 14, 2017 Robert Hurlbut.

OWASP Review. Amherst Security Group June 14, 2017 Robert Hurlbut. OWASP Review Amherst Security Group June 14, 2017 Robert Hurlbut RobertHurlbut.com @RobertHurlbut Robert Hurlbut Software Security Consultant, Architect, and Trainer Owner / President of Robert Hurlbut

More information

Application Layer Security

Application Layer Security Application Layer Security General overview Ma. Angel Marquez Andrade Benefits of web Applications: No need to distribute separate client software Changes to the interface take effect immediately Client-side

More information

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14 Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.

More information

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite: Secure Java Web Application Development Lifecycle - SDL (TT8325-J) Day(s): 5 Course Code: GK1107 Overview Secure Java Web Application Development Lifecycle (SDL) is a lab-intensive, hands-on Java / JEE

More information

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES What is the OWASP Top 10? A list of the top ten web application vulnerabilities Determined by OWASP and the security community at large

More information

Applications Security

Applications Security Applications Security OWASP Top 10 PyCon Argentina 2018 Objectives Generate awareness and visibility on web-apps security Set a baseline of shared knowledge across the company Why are we here / Trigger

More information

Application Security Approach

Application Security Approach Technical Approach Page 1 CONTENTS Section Page No. 1. Introduction 3 2. What is Application Security 7 3. Typical Approaches 9 4. Methodology 11 Page 2 1. INTRODUCTION Page 3 It is a Unsafe Cyber world..

More information

Managed Application Security trends and best practices in application security

Managed Application Security trends and best practices in application security Managed Application Security trends and best practices in application security Adrian Locusteanu, B2B Delivery Director, Telekom Romania adrian.locusteanu@telekom.ro About Me Adrian Locusteanu is the B2B

More information

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda THREAT MODELING IN SOCIAL NETWORKS Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda INTRODUCTION Social Networks popular web service. 62% adults worldwide use social media 65% of world top companies

More information

OWASP Top David Johansson. Principal Consultant, Synopsys. Presentation material contributed by Andrew van der Stock

OWASP Top David Johansson. Principal Consultant, Synopsys. Presentation material contributed by Andrew van der Stock OWASP Top 10 2017 David Johansson Principal Consultant, Synopsys Presentation material contributed by Andrew van der Stock David Johansson Security consultant with 10 years in AppSec Helping clients design

More information

Certified Secure Web Application Engineer

Certified Secure Web Application Engineer Certified Secure Web Application Engineer ACCREDITATIONS EXAM INFORMATION The Certified Secure Web Application Engineer exam is taken online through Mile2 s Assessment and Certification System ( MACS ),

More information

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0 Welcome BIZEC Roundtable @ IT Defense, Berlin SAP Security BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0 February 1, 2013 Andreas Wiegenstein CTO, Virtual Forge 2 SAP Security SAP security is a complex

More information

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite: Securing Java/ JEE Web Applications (TT8320-J) Day(s): 4 Course Code: GK1123 Overview Securing Java Web Applications is a lab-intensive, hands-on Java / JEE security training course, essential for experienced

More information

Web Application Threats and Remediation. Terry Labach, IST Security Team

Web Application Threats and Remediation. Terry Labach, IST Security Team Web Application Threats and Remediation Terry Labach, IST Security Team IST Security Team The problem While we use frewalls and other means to prevent attackers from access to our networks, we encourage

More information

Simplifying Application Security and Compliance with the OWASP Top 10

Simplifying Application Security and Compliance with the OWASP Top 10 Simplifying Application Security and Compliance with the OWASP Top 10 An Executive Perspective 187 Ballardvale Street, Wilmington, MA 01887 978.694.1008 ExECuTivE PErSPECTivE 2 introduction From a management

More information

CSWAE Certified Secure Web Application Engineer

CSWAE Certified Secure Web Application Engineer CSWAE Certified Secure Web Application Engineer Overview Organizations and governments fall victim to internet based attacks every day. In many cases, web attacks could be thwarted but hackers, organized

More information

Web Security 2 https://www.xkcd.com/177/ http://xkcd.com/1323/ Encryption basics Plaintext message key secret Encryp)on Func)on Ciphertext Insecure network Decryp)on Func)on Curses! Foiled again! key Plaintext

More information

Secure Programming Techniques

Secure Programming Techniques Secure Programming Techniques Meelis ROOS mroos@ut.ee Institute of Computer Science Tartu University spring 2014 Course outline Introduction General principles Code auditing C/C++ Web SQL Injection PHP

More information

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati OWASP TOP 10 2017 Release Andy Willingham June 12, 2018 OWASP Cincinnati Agenda A quick history lesson The Top 10(s) Web Mobile Privacy Protective Controls Why have a Top 10? Software runs the world (infrastructure,

More information

OWASP TOP 10. By: Ilia

OWASP TOP 10. By: Ilia OWASP TOP 10 By: Ilia Alshanetsky @iliaa ME, MYSELF & I PHP Core Developer Author of Guide to PHP Security Security Aficionado WEB SECURITY THE CONUNDRUM USABILITY SECURITY YOU CAN HAVE ONE ;-) OPEN WEB

More information

Web Applications Penetration Testing

Web Applications Penetration Testing Web Applications Penetration Testing Team Members: Rahul Motwani (2016ME10675) Akshat Khare (2016CS10315) ftarth Chopra (2016TT10829) Supervisor: Prof. Ranjan Bose Before proceeding further, we would like

More information

Large Scale Generation of Complex and Faulty PHP Test Cases

Large Scale Generation of Complex and Faulty PHP Test Cases Large Scale Generation of Complex and Faulty PHP Test Cases Bertrand STIVALET Elizabeth FONG ICST 2016 Chicago, IL, USA April 15th, 2016 http://samate.nist.gov Authors Bertrand STIVALET National Institute

More information

OWASP Top 10 The Ten Most Critical Web Application Security Risks

OWASP Top 10 The Ten Most Critical Web Application Security Risks OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain

More information

Web Application Vulnerabilities: OWASP Top 10 Revisited

Web Application Vulnerabilities: OWASP Top 10 Revisited Pattern Recognition and Applications Lab Web Application Vulnerabilities: OWASP Top 10 Revisited Igino Corona igino.corona AT diee.unica.it Computer Security April 5th, 2018 Department of Electrical and

More information

Curso: Ethical Hacking and Countermeasures

Curso: Ethical Hacking and Countermeasures Curso: Ethical Hacking and Countermeasures Module 1: Introduction to Ethical Hacking Who is a Hacker? Essential Terminologies Effects of Hacking Effects of Hacking on Business Elements of Information Security

More information

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Charting the Course to Your Success! Securing.Net Web Applications Lifecycle Course Summary Course Summary Description Securing.Net Web Applications - Lifecycle is a lab-intensive, hands-on.net security training course, essential for experienced enterprise developers who need to produce secure.net-based

More information

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP OWASP Top 10 Risks Dean.Bushmiller@ExpandingSecurity.com Many thanks to Dave Wichers & OWASP My Mom I got on the email and did a google on my boy My boy works in this Internet thing He makes cyber cafes

More information

COMP9321 Web Application Engineering

COMP9321 Web Application Engineering COMP9321 Web Application Engineering Semester 2, 2017 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2465 1 Assignment

More information

CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance

CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance IBM Innovate 2010 CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance Anthony Lim MBA CISSP CSSLP FCITIL Director, Asia Pacific, Software Security Solutions IBM,

More information

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology DEFENSIVE PROGRAMMING Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology Traditional Programming When writing a program, programmers typically

More information

TIBCO Cloud Integration Security Overview

TIBCO Cloud Integration Security Overview TIBCO Cloud Integration Security Overview TIBCO Cloud Integration is secure, best-in-class Integration Platform as a Service (ipaas) software offered in a multi-tenant SaaS environment with centralized

More information

SECURITY OF VEHICLE TELEMATICS SYSTEMS. Daniel Xiapu Luo Department of Computing The Hong Kong Polytechnic University

SECURITY OF VEHICLE TELEMATICS SYSTEMS. Daniel Xiapu Luo Department of Computing The Hong Kong Polytechnic University SECURITY OF VEHICLE TELEMATICS SYSTEMS Daniel Xiapu Luo Department of Computing The Hong Kong Polytechnic University 1 2 3 TELEMATICS 4 TELEMATICS 5 OBD-II On-Board Diagnostic Perform emissions related

More information

Sichere Software vom Java-Entwickler

Sichere Software vom Java-Entwickler Sichere Software vom Java-Entwickler Dominik Schadow Java Forum Stuttgart 05.07.2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN We can no longer

More information

GOING WHERE NO WAFS HAVE GONE BEFORE

GOING WHERE NO WAFS HAVE GONE BEFORE GOING WHERE NO WAFS HAVE GONE BEFORE Andy Prow Aura Information Security Sam Pickles Senior Systems Engineer, F5 Networks NZ Agenda: WTF is a WAF? View from the Trenches Example Attacks and Mitigation

More information

Welcome to the OWASP TOP 10

Welcome to the OWASP TOP 10 Welcome to the OWASP TOP 10 Secure Development for Java Developers Dominik Schadow 03/20/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN 1 AGENDA

More information

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant Penetration Testing following OWASP Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant За Лирекс Penetration testing A method of compromising the security of a computer system or network by

More information

CONTENTS. Recommendations. Prize Q & A

CONTENTS. Recommendations. Prize Q & A CONTENTS Contents Disclaimer Introduction Common uses for Web Applications Common Web Application Infrastructure and Users The Importance of Web Application Security Why OWASP About OWASP Top Ten Summary.

More information

V Conference on Application Security and Modern Technologies

V Conference on Application Security and Modern Technologies V Conference on Application Security and Modern Technologies In collaborazione con Venezia, Università Ca Foscari 6 Ottobre 2017 1 Matteo Meucci OWASP Nuovi standard per la sicurezza applicativa 2

More information

Security Communications and Awareness

Security Communications and Awareness Security Communications and Awareness elearning OVERVIEW Recent high-profile incidents underscore the need for security awareness training. In a world where your employees are frequently exposed to sophisticated

More information

Security Communications and Awareness

Security Communications and Awareness Security Communications and Awareness elearning OVERVIEW Recent high-profile incidents underscore the need for security awareness training. In a world where your employees are frequently exposed to sophisticated

More information

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management SOLUTION BRIEF CA API MANAGEMENT Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management 2 SOLUTION BRIEF ENABLE AND PROTECT YOUR WEB APPLICATIONS WITH CA API MANAGEMENT ca.com

More information

COMP9321 Web Application Engineering

COMP9321 Web Application Engineering COMP9321 Web Application Engineering Web Application Security Dr. Basem Suleiman Service Oriented Computing Group, CSE, UNSW Australia Semester 1, 2016, Week 8 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2442

More information

COMP9321 Web Application Engineering

COMP9321 Web Application Engineering COMP9321 Web Application Engineering Semester 2, 2016 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2445 1 Assignment

More information

Using Open Tools to Convert Threat Intelligence into Practical Defenses A Practical Approach

Using Open Tools to Convert Threat Intelligence into Practical Defenses A Practical Approach Using Open Tools to Convert Threat Intelligence into Practical Defenses A Practical Approach 2016 Presented by James Tarala (@isaudit) Principal Consultant Enclave Security 2 Historic Threat Hunting German

More information

1 About Web Security. What is application security? So what can happen? see [?]

1 About Web Security. What is application security? So what can happen? see [?] 1 About Web Security What is application security? see [?] So what can happen? 1 taken from [?] first half of 2013 Let s focus on application security risks Risk = vulnerability + impact New App: http://www-03.ibm.com/security/xforce/xfisi

More information

Atlassian. Atlassian Software Development and Collaboration Tools. Bugcrowd Bounty Program Results. Report created on October 04, 2017.

Atlassian. Atlassian Software Development and Collaboration Tools. Bugcrowd Bounty Program Results. Report created on October 04, 2017. Atlassian Software Development and Collaboration Tools Atlassian Bugcrowd Bounty Program Results Report created on October 04, 2017 Prepared by Ryan Black, Director of Technical Operations Table of Contents

More information

WEB APPLICATION SCANNERS. Evaluating Past the Base Case

WEB APPLICATION SCANNERS. Evaluating Past the Base Case WEB APPLICATION SCANNERS Evaluating Past the Base Case GREG OSE PATRICK TOOMEY Presenter Intros Overview An overview of web application scanners Why is it hard to evaluate scanner efficacy? Prior Work

More information

Continuously Discover and Eliminate Security Risk in Production Apps

Continuously Discover and Eliminate Security Risk in Production Apps White Paper Security Continuously Discover and Eliminate Security Risk in Production Apps Table of Contents page Continuously Discover and Eliminate Security Risk in Production Apps... 1 Continuous Application

More information

Training Program Catalog SECURITY INNOVATION

Training Program Catalog SECURITY INNOVATION Training Program Catalog SECURITY INNOVATION Table of Contents Computer Based Training - Security Awareness - General Staff AWA 007 - Information Privacy and Security Awareness for Executives (Duration:

More information

Solutions Business Manager Web Application Security Assessment

Solutions Business Manager Web Application Security Assessment White Paper Solutions Business Manager Solutions Business Manager 11.3.1 Web Application Security Assessment Table of Contents Micro Focus Takes Security Seriously... 1 Solutions Business Manager Security

More information

Using and Customizing Microsoft Threat Modeling Tool 2016

Using and Customizing Microsoft Threat Modeling Tool 2016 Using and Customizing Microsoft Threat Modeling Tool 2016 Boston Code Camp 27 March 25, 2017 Robert Hurlbut RobertHurlbut.com @RobertHurlbut Boston Code Camp 27 - Thanks to our Sponsors! Platinum Gold

More information

Information Security. Gabriel Lawrence Director, IT Security UCSD

Information Security. Gabriel Lawrence Director, IT Security UCSD Information Security Gabriel Lawrence Director, IT Security UCSD Director of IT Security, UCSD Three Startups (2 still around!) Sun Microsystems (Consulting and JavaSoftware) Secure Internet Applications

More information

Copyright

Copyright 1 Security Test EXTRA Workshop : ANSWER THESE QUESTIONS 1. What do you consider to be the biggest security issues with mobile phones? 2. How seriously are consumers and companies taking these threats?

More information

Introductions. Jack Katie

Introductions. Jack Katie Main Screen Turn On Hands On Workshop Introductions Jack Skinner @developerjack Katie McLaughlin @glasnt And what about you? (not your employer) What s your flavour? PHP, Ruby, Python? Wordpress, Drupal,

More information

Aguascalientes Local Chapter. Kickoff

Aguascalientes Local Chapter. Kickoff Aguascalientes Local Chapter Kickoff juan.gama@owasp.org About Us Chapter Leader Juan Gama Application Security Engineer @ Aspect Security 9+ years in Appsec, Testing, Development Maintainer of OWASP Benchmark

More information

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing Mobile Malfeasance Exploring Dangerous Mobile Code Jason Haddix, Director of Penetration Testing Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to

More information

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009 Securing Web Applications: Defense Mechanisms Kishin Fatnani Founder & Director K-Secure Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009 1 Agenda Current scenario in Web Application

More information

Test Harness for Web Application Attacks

Test Harness for Web Application Attacks IJSRD National Conference on Advances in Computer Science Engineering & Technology May 2017 ISSN: 2321-0613 Test Harness for Web Application Attacks Kishan Chudasama 1 Mr. Girish Khilari 2 Mr. Suresh Sikka

More information

Injecting Security Controls into Software Applications. Katy Anton

Injecting Security Controls into Software Applications. Katy Anton Injecting Security Controls into Software Applications Katy Anton About me Software development background Principal Security Consultant - CA Technologies Veracode OWASP Bristol Chapter Leader Project

More information

Bank Infrastructure - Video - 1

Bank Infrastructure - Video - 1 Bank Infrastructure - 1 05/09/2017 Threats Threat Source Risk Status Date Created Account Footprinting Web Browser Targeted Malware Web Browser Man in the browser Web Browser Identity Spoofing - Impersonation

More information

Saving Time and Costs with Virtual Patching and Legacy Application Modernizing

Saving Time and Costs with Virtual Patching and Legacy Application Modernizing Case Study Virtual Patching/Legacy Applications May 2017 Saving Time and Costs with Virtual Patching and Legacy Application Modernizing Instant security and operations improvement without code changes

More information

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection Pattern Recognition and Applications Lab (System) Integrity attacks System Abuse, Malicious File upload, SQL Injection Igino Corona igino.corona (at) diee.unica.it Computer Security April 9, 2018 Department

More information

Introduction F rom a management perspective, application security is a difficult topic. Multiple parties within an organization are involved, as well

Introduction F rom a management perspective, application security is a difficult topic. Multiple parties within an organization are involved, as well Simplifying Application Security and Compliance with the OWASP Top 10 AN EXECUTIVE PERSPECTIVE Introduction F rom a management perspective, application security is a difficult topic. Multiple parties within

More information

16th Annual Karnataka Conference

16th Annual Karnataka Conference 16th Annual Karnataka Conference GRC Compliance to Culture JULY 19 & 20, 2013 Topic OWASP Top 10 An Overview Speakers Akash Mahajan & Tamaghna Basu OWASP Top 10 An Overview The Open Web Application Security

More information

Security Solutions. Overview. Business Needs

Security Solutions. Overview. Business Needs Security Solutions Overview Information security is not a one time event. The dynamic nature of computer networks mandates that examining and ensuring information security be a constant and vigilant effort.

More information

Certified Secure Web Application Security Test Checklist

Certified Secure Web Application Security Test Checklist www.certifiedsecure.com info@certifiedsecure.com Tel.: +31 (0)70 310 13 40 Loire 128-A 2491 AJ The Hague The Netherlands Certified Secure Checklist About Certified Secure exists to encourage and fulfill

More information

Secure Development Guide

Secure Development Guide Secure Development Guide Oracle Health Sciences InForm 6.1.1 Part number: E72493-01 Copyright 2016, Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided

More information

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies CNIT 129S: Securing Web Applications Ch 3: Web Application Technologies HTTP Hypertext Transfer Protocol (HTTP) Connectionless protocol Client sends an HTTP request to a Web server Gets an HTTP response

More information

Cybersecurity Education Catalog

Cybersecurity Education Catalog Cybersecurity Education Catalog CYBERSECURITY EDUCATION CATALOG Introduction The human factor what employees do or don t do is the biggest vulnerability to an organization s information security, yet it

More information

RiskSense Attack Surface Validation for Web Applications

RiskSense Attack Surface Validation for Web Applications RiskSense Attack Surface Validation for Web Applications 2018 RiskSense, Inc. Keeping Pace with Digital Business No Excuses for Not Finding Risk Exposure We needed a faster way of getting a risk assessment

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

Seth & Ken s Excellent Adventures in Secure Code Review. Training Course 17th & 18th of October. Table of Contents

Seth & Ken s Excellent Adventures in Secure Code Review. Training Course 17th & 18th of October. Table of Contents Seth & Ken s Excellent Adventures in Secure Code Review Training Course 17th & 18th of October Table of Contents Seth & Ken s Excellent Adventures in Secure Code Review 1 Course Abstract 2 What attendees

More information

Security Testing for Benefits Screening & Management Project

Security Testing for Benefits Screening & Management Project 1 Security Testing for Benefits Screening & Management Project Abstract Beneficiary can come to know about for what benefits they are eligible through accessing the Benefits Screening & Management application

More information

Sichere Webanwendungen mit Java

Sichere Webanwendungen mit Java Sichere Webanwendungen mit Java Karlsruher IT- Sicherheitsinitiative 16.07.2015 Dominik Schadow bridgingit Patch fast Unsafe platform unsafe web application Now lets have a look at the developers OWASP

More information

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example Proxy Caches and Web Application Security Using the Recent Google Docs 0-Day as an Example Tim Bass, CISSP Chapter Leader, Thailand +66832975101, tim@unix.com AppSec Asia October 21, 2008 Thailand Worldwide

More information

90% of data breaches are caused by software vulnerabilities.

90% of data breaches are caused by software vulnerabilities. 90% of data breaches are caused by software vulnerabilities. Get the skills you need to build secure software applications Secure Software Development (SSD) www.ce.ucf.edu/ssd Offered in partnership with

More information

OWASP TOP OWASP TOP

OWASP TOP OWASP TOP ANALYZING THE OWASP TOP 10 TOP APPLICATION SECURITY THREATS & HOW TO MITIGATE THEM Cars require seatbelts. Pill bottles need safety caps. Applications need web application firewalls, and for good reason.

More information

Mitigating Security Breaches in Retail Applications WHITE PAPER

Mitigating Security Breaches in Retail Applications WHITE PAPER Mitigating Security Breaches in Retail Applications WHITE PAPER Executive Summary Retail security breaches have always been a concern in the past, present and will continue to be in the future. They have

More information

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any OWASP Top 10 Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any tester can (and should) do security testing

More information

MBFuzzer - MITM Fuzzing for Mobile Applications

MBFuzzer - MITM Fuzzing for Mobile Applications MBFuzzer - MITM Fuzzing for Mobile Applications Fatih Özavcı Mentor of MBFuzer @ yakindanegitim.org fatih.ozavci at gamasec.net gamasec.net/fozavci Scope Yakindan Egitim Project Security Vulnerabilities

More information

OWASP ASVS for NFTaaS in Financial Services OLEKSANDR KAZYMYROV, TECHNICAL TEST ANALYST

OWASP ASVS for NFTaaS in Financial Services OLEKSANDR KAZYMYROV, TECHNICAL TEST ANALYST OWASP ASVS for NFTaaS in Financial Services OLEKSANDR KAZYMYROV, TECHNICAL TEST ANALYST Agenda Chapter I - Brief Introduction Chapter II - Why OWASP ASVS? Chapter III - OWAS ASVS in Practice Chapter IV

More information

C1: Define Security Requirements

C1: Define Security Requirements OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security

More information

PRESENTED BY:

PRESENTED BY: PRESENTED BY: scheff@f5.com APPLICATIONS ARE The reason people use the Internet The business the target The gateway to DATA 765 Average # of Apps in use per enterprise 6 min before its scanned 1/3 If vulnerable,

More information

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin Internet of Things Internet of Everything Presented By: Louis McNeil Tom Costin Agenda Session Topics What is the IoT (Internet of Things) Key characteristics & components of the IoT Top 10 IoT Risks OWASP

More information

Trustwave Managed Security Testing

Trustwave Managed Security Testing Trustwave Managed Security Testing SOLUTION OVERVIEW Trustwave Managed Security Testing (MST) gives you visibility and insight into vulnerabilities and security weaknesses that need to be addressed to

More information

Cyber Attacks and Application - Motivation, Methods and Mitigation. Alfredo Vistola Solution Architect Security, EMEA

Cyber Attacks and Application - Motivation, Methods and Mitigation. Alfredo Vistola Solution Architect Security, EMEA Cyber Attacks and Application - Motivation, Methods and Mitigation Alfredo Vistola a.vistola@f5.com Solution Architect Security, EMEA Attacks are Moving Up the Stack Network Threats Application Threats

More information

Development Security Guide Oracle Banking Credit Facilities Process Management Release [July] [2018]

Development Security Guide Oracle Banking Credit Facilities Process Management Release [July] [2018] Development Security Guide Oracle Banking Credit Facilities Process Management Release 14.1.0.0.0 [July] [2018] Security Guide Table of Contents 1. ABOUT THIS MANUAL... 1-1 1.1 INTRODUCTION... 1-1 1.2

More information

Development Security Guide Oracle Banking Virtual Account Management Release July 2018

Development Security Guide Oracle Banking Virtual Account Management Release July 2018 Development Security Guide Oracle Banking Virtual Account Management Release 14.1.0.0.0 July 2018 Oracle Banking Virtual Account Management Development Security Guide Oracle Financial Services Software

More information

INTERACTIVE APPLICATION SECURITY TESTING (IAST)

INTERACTIVE APPLICATION SECURITY TESTING (IAST) WHITEPAPER INTERACTIVE APPLICATION SECURITY TESTING (IAST) Software affects virtually every aspect of an individual s finances, safety, government, communication, businesses, and even happiness. Individuals

More information

SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS

SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS Contents Introduction...3 1. Research Methodology...4 2. Executive Summary...5 3. Participant Portrait...6 4. Vulnerability Statistics...8 4.1.

More information

OWASP Top 10. from a developer s perspective. John Wilander, OWASP/Omegapoint, IBWAS 10

OWASP Top 10. from a developer s perspective. John Wilander, OWASP/Omegapoint, IBWAS 10 Top 10 from a developer s perspective John Wilander, /Omegapoint, IBWAS 10 John Wilander consultant at Omegapoint in Sweden Researcher in application security Co-leader Sweden Certified Java Programmer

More information
2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback