Security Testing White Paper
- Merilyn Harper
Table of Contents

1. Introduction
2. Need for Security Testing
3. Security Testing Framework
3.1 Threat Analysis
3.1.1 Application Overview
3.1.2 System Decomposition
3.1.3 Identify Threats
3.2 Planning
3.2.1 Test Strategy
3.2.2 Test Plan
3.3 Test Execution
3.3.1 Injection Flaws
3.3.2 Authentication & Authorization
3.3.3 Cross Site Scripting (XSS)
3.3.4 Cross Site Request Forgery (CSRF)
3.3.5 Session Management
3.3.6 Fuzzing
4. Reporting
4.1 High-Level Analysis Report
4.2 Detailed Defect Report
1. Introduction

In today's world, the number and variety of threats to IT systems are multiplying daily, as is the number of security products and services that address them. Businesses that trade electronically are particularly exposed to risks such as fraud and breaches of confidentiality, which cause loss of assets and damage to reputation. For these companies, information and transactions need to be protected by means appropriate to their value and to the potential for consequential loss.

Having a product security tested improves software quality and benefits customers by reducing development and maintenance costs, because the product ships with fewer security issues and the flaws introduced during development are found before release. Gartner recommends security testing for products whose development is outsourced.
2. Need for Security Testing

28 October - Art.com says a hacker accessed names and encrypted credit cards
10 October - ,000 records were exposed and 20 actually stolen at Commerce Bank, a small bank in the central USA
09 October - Information including the birth dates and social security numbers of 1400 students who enrolled online at Montana State University was stolen by hackers
18 September - Vertical Web Media, publisher of Internet Retailer magazine, suffered a security breach in which readers' credit card information was stolen
Source -

The above is a list of notable incidents that took place within a span of two months. It is just the tip of the iceberg; many such incidents are reported from time to time. Incidents like these have resulted in the loss or disclosure of personal and financial information, such as credit card numbers and personal telephone numbers, belonging to many individuals.

The race to get online and gain an edge over the competition has pushed many companies into e-commerce on a large scale. The benefits in terms of time and cost have also lured many companies into hastily setting up shop online with little or no thought for the security implications of doing so. The kinds of information at risk of exposure through unauthorised intrusion include credit card details, social security numbers, personal addresses, confidential client information, the company's intellectual property, financial details, and so on. Compromise of the confidentiality, integrity or availability of any of this information can cost millions of dollars in lost revenue and legal battles, not to mention the erosion of goodwill, reputation and client base.

It is well known that the cost of fixing a bug grows manifold the later in the development lifecycle it is discovered, especially after the deployment or release phase. This is even more so for security. A security flaw discovered and exploited after the web application has gone into production can prove detrimental to the organisation, and the damage is multiplied if it is an e-commerce application handling financial data and credit card information.
3. Security Testing Framework
3.1 Threat Analysis

Our threat analysis is a four-phase threat modelling process in which we analyse the architecture of the application, identify the areas where exploitation is possible and document them. The threat model drives our security testing effort, so a thorough threat modelling exercise should be completed before actual security testing begins. The phases of our threat model are:

1) Create an application overview
   a) Identify key functionality
   b) Identify roles
   c) Identify application architecture
   d) Identify the technologies used
2) Decompose the system
   a) Identify trust levels and trust boundaries
   b) Identify assets
   c) Identify entry points
   d) Identify data flows
   e) Identify use cases
   f) Identify security mechanisms
3) Threat enumeration
   a) Identify common threats and attacks
   b) Identify threats in data flows
   c) Identify threats in use cases
   d) Identify threat entry points
   e) Identify impacted assets
4) Document the threat profile
3.1.1 Application Overview

To determine the threats to a web application it is essential to study its high-level architecture and functionality. At a minimum, testers should have a general understanding of the key functionality of the application and be familiar with the defined user roles. An understanding of the technical implementation and architecture is also useful and can be gained from design or technical documentation.

Understanding the key functions of the application simplifies the system decomposition process and makes process and data flows more readily apparent to the tester. Knowledge of the user roles within the system assists the analysis of access controls, and technical details may narrow the area of testing required, depending on the implementation choices made with regard to platforms, frameworks and other factors.

The application overview is commonly captured in diagrammatic form, such as a module or deployment diagram. It should be updated as the system is decomposed and new components are discovered. The identified threats can also be placed on the diagram with the affected components indicated.
3.1.2 System Decomposition

System decomposition involves breaking the system down into its component parts in order to gain a deeper understanding of it. The more of the system's inner workings are understood, the more easily threats can be discovered and the more complete the analysis will be. The following elements of the web application are broken out to assist threat enumeration:

Assets - The assets of a system are the elements that hold value and need to be protected from unauthorised access and damage. Identifying assets is a necessary step in threat modelling, both to determine the targets of potential attacks and to assess the impact of a successful attack.

Entry points - An entry point is an avenue for incoming data to enter the system. By definition, entry points must exist for a web application to receive input and perform its purpose, but they are also the avenue by which malicious input and attacks enter the system and cause damage.

Data flows - Data flows represent the paths that requests and responses take between client and server. Identifying data flows is necessary to grasp the interactions of the web application with external entities. As data moves between nodes and across trust boundaries, it must be properly validated and protected.

Use cases - Functional use cases are another source of information from which potential threats can be derived. Use cases can be analysed for ways in which functionality can be invoked without authorisation or malicious data can be inserted.
3.1.3 Identify Threats

In this stage we identify possible threats using the STRIDE classification:

Spoofing - Spoofing covers the broad use of faked credentials to gain access to resources the attacker is not entitled to. If a web application inadequately verifies the credentials presented by its users, it may be susceptible to spoofing attacks.

Tampering - Tampering means malicious modification of data. An attacker who maliciously changes data is often much harder to detect, and does much more damage, than a smash-and-grab web site defacer or disk reformatter: the modified data may not be found until some time has passed, and once one tampered item is found, all the other data on the system has to be checked to ensure nothing else was altered.

Repudiation - Repudiation is the risk that a legitimate transaction will be disowned by one of the participants. Non-repudiation means it can be verified that the sender and the recipient were, in fact, the parties who claimed to send or receive the message.

Information Disclosure - Information disclosure means that an attacker can gain access, without permission, to data that the owner does not want them to have.

Denial of Service (DoS) - DoS is an explicit attempt to prevent legitimate users from using a service or system, typically by over-consuming legitimate resources. Simply removing the resource the attacker is abusing stops the attack, but then real users cannot use it either, so the defence has to limit abuse of the resource (quotas, rate limits) rather than remove it.

Elevation of Privilege - Elevation of privilege means an unprivileged user gains privileged access. An example would be an unprivileged user who contrives a way to be added to the Administrators group.
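The decomposition and threat-enumeration steps above (3.1.2 and 3.1.3) can be made mechanical once the elements, trust levels and data flows are written down. The following is an added example written for this page, not the white paper's own tooling: it models a browser, a web tier and a database, marks which flows cross trust boundaries and which are entry points, and enumerates STRIDE categories per element. The element kinds, trust levels, the sample application and the STRIDE-per-element mapping are all assumptions for the demonstration.

```python
"""STRIDE enumeration over a small data-flow model (added example).

Illustrative code written for this page, not the white paper's own
tooling. The element kinds, trust levels, the sample application model
and the STRIDE-per-element mapping below are assumptions.
"""
from dataclasses import dataclass

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privilege")

# Assumed mapping of STRIDE categories to element kinds (the usual
# STRIDE-per-element table; the paper itself does not prescribe one).
APPLIES = {
    "external": {"Spoofing", "Repudiation"},
    "process": set(STRIDE),
    "store": {"Tampering", "Repudiation", "Information Disclosure",
              "Denial of Service"},
    "flow": {"Tampering", "Information Disclosure", "Denial of Service"},
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str     # "external" | "process" | "store"
    trust: int    # trust level: 0 = anonymous internet, higher = more trusted


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element
    protected: bool   # authenticated and encrypted in transit?


def crosses_boundary(flow):
    """A trust boundary is crossed when source and destination trust differ."""
    return flow.src.trust != flow.dst.trust


def entry_points(flows):
    """Entry points: flows into a process that originate from a lower trust level."""
    return [f.name for f in flows
            if f.dst.kind == "process" and f.src.trust < f.dst.trust]


def enumerate_threats(elements, flows):
    """Return the threat profile as (target, STRIDE category, note) tuples."""
    threats = []
    for e in elements:
        for cat in sorted(APPLIES[e.kind]):
            threats.append((e.name, cat, f"{e.kind} element"))
    for f in flows:
        if not crosses_boundary(f):
            continue   # flows inside one trust level are not enumerated here
        for cat in sorted(APPLIES["flow"]):
            note = f"crosses trust boundary {f.src.trust}->{f.dst.trust}"
            if not f.protected and cat != "Denial of Service":
                note += "; unprotected in transit"
            threats.append((f.name, cat, note))
    return threats


# Constructed sample model: a browser talking to a web tier backed by a database.
BROWSER = Element("browser", "external", 0)
WEBAPP = Element("webapp", "process", 1)
DB = Element("userdb", "store", 2)
ELEMENTS = [BROWSER, WEBAPP, DB]
FLOWS = [
    Flow("login", BROWSER, WEBAPP, protected=False),   # plain HTTP login form
    Flow("query", WEBAPP, DB, protected=True),         # TLS to the database
]

if __name__ == "__main__":
    print("entry points:", entry_points(FLOWS))
    for target, cat, note in enumerate_threats(ELEMENTS, FLOWS):
        print(f"{target:8} {cat:24} {note}")
```

The output is the raw material for step 4 (document the threat profile): each tuple becomes a row that the test plan later turns into a test case, and the "unprotected in transit" notes point straight at the confidentiality-of-authentication test in 3.3.2.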
The OWASP Top 10 vulnerabilities for the year are also covered. The following is the Top 10 list for 2007, as published by OWASP:

1. Cross Site Scripting (XSS) - XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser, which can hijack user sessions, deface web sites, possibly introduce worms, etc.
2. Injection Flaws - Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.
3. Malicious File Execution - Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.
4. Insecure Direct Object Reference - A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.
5. Cross Site Request Forgery (CSRF) - A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.
6. Information Leakage and Improper Error Handling - Applications can unintentionally leak information about their configuration or internal workings, or violate privacy, through a variety of application problems. Attackers use this weakness to steal sensitive data or conduct more serious attacks.
7. Broken Authentication and Session Management - Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys or authentication tokens to assume other users' identities.
8. Insecure Cryptographic Storage - Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.
9. Insecure Communications - Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.
10. Failure to Restrict URL Access - Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.
3.2 Planning

Effective web application security testing requires both a Test Strategy and a Test Plan document. The Test Strategy provides a high-level overview of the approach to be taken, whilst the Test Plan provides further detail on how the testing is to be executed.

3.2.1 Test Strategy

The strategy document provides an overview of the approach to be adopted for the security testing of the web application. It is used to guide project management, to develop detailed test plans and to ensure that the testing effort meets business requirements. It clearly identifies the high-level test objectives and summarises how the priority items impact the business. Where relevant, the test strategy covers:

- Web application overview (systems and environments)
- Architecture diagram
- Roles and responsibilities
- Assumptions and risks
- Test entry and exit criteria
- Reporting requirements and issue escalation
- Defect tracking method
3.2.2 Test Plan

A test plan is a document containing a logically grouped set of test cases to be executed for a particular testing scenario. Test cases are typically executed in a designated order, as each may have environment dependencies or setup requirements.

In the test plan phase we document the test cases. They are derived from the threat profile and from the security services to be tested; each describes the aspect of the security service under test, gives an overview of the threats being addressed, and provides example inputs and procedures for assessing the vulnerability of the web application. Test cases are updated to reflect changes made to the web application.
3.3 Test Execution

The test execution phase tests the target host for vulnerabilities. All threats identified in the STRIDE model (Section 3.1.3 above), together with the OWASP Top 10 vulnerabilities, are exercised against the target web application. The vulnerabilities tested for are listed below.

3.3.1 Injection Flaws

SQL Injection

A SQL injection attack consists of the insertion or "injection" of SQL via the input data sent from the client to the application. Because the user data is spliced into the SQL text, the attacker's input is interpreted as part of the query rather than as a value. SQL injection can allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, disclose all data on the system, destroy data or make it otherwise unavailable, and become administrators of the database server.

A successful SQL injection exploit can read sensitive data from the database, modify database data (insert/update/delete), execute administrative operations on the database (such as shutting down the DBMS), recover the content of a given file on the DBMS file system and, in some cases, issue commands to the operating system. SQL injection is a type of injection attack in which SQL commands are injected into data-plane input in order to affect the execution of the predefined SQL statements.
Reference ID: #***
Test Case: SQL Injection
Objective: Identify SQL injection vulnerabilities
Threat: Spoofing, Tampering, Information disclosure, Denial of Service, Elevation of privileges
Impacted Asset: Web application availability, Stored data, System access
Test Method: Supply a single quote as the test value in each parameter; a database error or a changed response indicates that the quote reached the SQL parser. This finds most string-context injection points, but numeric contexts and blind injection need other probes (arithmetic expressions, boolean conditions, time delays).
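To show what the single-quote probe actually detects, and why parameterised queries close the hole, here is an added example written for this page (not the white paper's code). The users table, its rows and the three probe values are constructed; SQLite is used so it runs offline. The vulnerable function is deliberately vulnerable.

```python
"""SQL injection: string-built query beside the parameterised fix (added example).

Illustrative code written for this page, not the white paper's own. The
users table, its rows and the probe values are constructed; SQLite is
used so it runs offline.
"""
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return con


def login_vulnerable(con, name, password):
    """Deliberately vulnerable: the input is spliced into the SQL text."""
    sql = (f"SELECT name, role FROM users "
           f"WHERE name = '{name}' AND password = '{password}'")
    return con.execute(sql).fetchall()


def login_safe(con, name, password):
    """Parameterised: values travel separately from the SQL text, so a
    quote in the data can never change the query structure."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return con.execute(sql, (name, password)).fetchall()


def probe(con, login, name, password):
    """What the tester observes for one input: a DB error or a row count."""
    try:
        rows = login(con, name, password)
    except sqlite3.Error as exc:
        return f"error: {exc}"
    return f"rows:{len(rows)}"


if __name__ == "__main__":
    con = make_db()
    for user, pwd in [("alice'", "x"),            # single-quote probe
                      ("alice' --", "wrong"),    # comment out the password check
                      ("x", "' OR '1'='1")]:     # always-true condition
        print(repr(user), repr(pwd),
              "vulnerable ->", probe(con, login_vulnerable, user, pwd),
              "| safe ->", probe(con, login_safe, user, pwd))
```

The first probe is the one the test method describes: the lone quote produces a syntax error from the vulnerable query and nothing from the safe one. The other two show why the finding matters: a comment sequence removes the password check entirely, and an always-true condition returns every row. In a real test the error text (or its absence in a blind case) is what you record as evidence.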
Command Injection

The purpose of a command injection attack is to inject and execute commands chosen by the attacker through the vulnerable application. An application that executes unwanted system commands acts as a pseudo system shell; the attacker can use it like any authorised system user, but the commands run with the same privileges and environment as the application. Command injection is possible in most cases because of missing or incorrect validation of input data that the attacker can manipulate (forms, cookies, HTTP headers, etc.).

Reference ID: #***
Test Case: Command Injection
Objective: Discover any command injection vulnerabilities that may exist
Threat: Tampering, Information disclosure, Denial of Service, Elevation of privileges
Impacted Asset: Web application availability, Stored data, System access
Test Method: The standard set of potentially dangerous special characters used as a starting point for testing:
- ; is a command separator that can be used to start a new command
- | is the output stream piping character that can be used to start a new command
- < and > are the input and output redirectors that can be used to pipe input to a new command
- The carriage return and line feed can often be used as command separators
- : , / and \ can be used to induce directory traversal, possibly enabling an attacker to execute a command other than the one intended
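The separator characters above only matter when a shell interprets the value. The following added example, written for this page and not taken from the white paper, shows the same wrapper built three ways: the user value inside a shell command line, the value passed as a separate argv element, and argv plus an allow-list. The `host` parameter and the payload are constructed, and `echo` stands in for whatever command the application really wraps (for example `ping`) so that the demonstration runs wherever `/bin/sh` exists.

```python
"""OS command injection: shell string beside argv list plus allow-list (added example).

Illustrative code written for this page, not the white paper's own. The
'host' parameter and the payload are constructed; `echo` stands in for
the real command the application wraps (such as ping) so the demo runs
wherever /bin/sh exists.
"""
import re
import subprocess

HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")   # assumed hostname allow-list


def lookup_vulnerable(host):
    """Deliberately vulnerable: the value becomes part of a shell command line,
    so ; | < > and newlines in it are interpreted by the shell."""
    out = subprocess.run(f"echo resolving {host}", shell=True,
                         capture_output=True, text=True)
    return out.stdout


def lookup_argv(host):
    """No shell: argv list. Metacharacters are passed through as data."""
    out = subprocess.run(["echo", "resolving", host],
                         capture_output=True, text=True)
    return out.stdout


def lookup_safe(host):
    """argv list plus allow-list validation of the value (defence in depth):
    a value that is not a plausible hostname is rejected before any exec."""
    if not HOST_RE.match(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return lookup_argv(host)


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"
    print("shell=True :", repr(lookup_vulnerable(payload)))
    print("argv list  :", repr(lookup_argv(payload)))
    try:
        lookup_safe(payload)
    except ValueError as exc:
        print("allow-list :", exc)
```

The argv form alone already defeats the `;` payload because no shell ever sees the string; the allow-list is kept as a second layer so that an option-looking value (for example one beginning with `-`) cannot change the wrapped command's behaviour either.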
LDAP Injection

LDAP (Lightweight Directory Access Protocol) injection is an attack that exploits web applications which construct LDAP statements from user input. When an application fails to properly sanitise user input, it is possible to modify the LDAP statement, for example using a local intercepting proxy. This can result in the execution of arbitrary queries, such as bypassing authentication, gaining access to data the user is not authorised to query, and modifying content inside the LDAP tree. The same advanced exploitation techniques available for SQL injection can be applied to LDAP injection.

Reference ID: #***
Test Case: LDAP Injection
Objective: Assess the web application's susceptibility to LDAP injection
Threat: Spoofing, Elevation of privileges
Impacted Asset: Credentials
Test Method: Identifying vulnerable LDAP parameters involves sending LDAP special characters to the web application and observing whether errors or changed results occur. The base list of test characters, with their URL-encoded forms and their meaning in LDAP filters:
[%26] & = and
[%7C] | = or
[%21] ! = not
[%7E] ~ = approximately equal
[%3E] > = greater than
[%3C] < = less than
[%2A] * = any
[%3F] ? = new parameter
[%28] ( = start grouping
[%29] ) = end grouping
[%3D] = = equal
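Why the grouping and wildcard characters in the table are dangerous is easiest to see on the filter string itself. This added example, written for this page rather than taken from the white paper, builds the login filter the way a vulnerable application would and the way a hardened one should (escaping assertion values as RFC 4515 section 3 requires); the filter shape and the payload are constructed, and no directory server is involved, only the string that would be sent to it.

```python
"""LDAP injection: concatenated filter beside an RFC 4515-escaped one (added example).

Illustrative code written for this page, not the white paper's own. The
filter shape and the payloads are constructed; no directory server is
contacted, only the filter string the application would send is shown.
"""


def build_filter_vulnerable(user, password):
    """Deliberately vulnerable: raw user input inside the filter."""
    return f"(&(uid={user})(userPassword={password}))"


def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves in assertion values:
    * ( ) \\ and NUL become backslash + two hex digits."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter_safe(user, password):
    return (f"(&(uid={escape_filter_value(user)})"
            f"(userPassword={escape_filter_value(password)}))")


def first_complete_filter(flt):
    """Return the prefix of flt that forms the first fully balanced filter.

    Several directory servers evaluate only this prefix and ignore any
    trailing text, which is what makes the classic payload work: the
    attacker closes the real filter early with an always-true term."""
    depth = 0
    for i, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return flt[:i + 1]
    return None


# Constructed payload: close the uid term with a wildcard, close the AND,
# then open a dangling OR so the original tail still looks syntactic.
PAYLOAD_USER = "*)(uid=*))(|(uid=*"

if __name__ == "__main__":
    bad = build_filter_vulnerable(PAYLOAD_USER, "x")
    good = build_filter_safe(PAYLOAD_USER, "x")
    print("vulnerable :", bad)
    print("evaluated  :", first_complete_filter(bad))
    print("escaped    :", good)
```

With the escaped form the wildcard and parentheses are literal bytes of the uid value, so the only filter the server sees is the one the developer wrote. The same reasoning applies to the XPath test that follows: quotes and slashes are the structural characters there.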
XPath Injection

XPath is a language designed primarily to address parts of an XML document. In XPath injection testing we test whether it is possible to inject data into the application so that it executes user-controlled XPath queries. When successfully exploited, this vulnerability may allow an attacker to bypass authentication mechanisms or access information without proper authorisation. As with SQL injection, XPath injection is most easily detected by supplying the single quote and double quote characters to each parameter, one at a time, and assessing the responses. A field vulnerable to XPath injection will cause the application to construct a syntactically invalid XPath query because of the added quote, and an error will occur when the query is processed.

Reference ID: #***
Test Case: XPath Injection
Objective: Identify XPath injection vulnerabilities
Threat: Information Disclosure
Impacted Asset: Stored Data
Test Method: Supply single quote, double quote and forward slash characters in each parameter; an error or an empty result indicates that XPath injection is possible.

Other Injection

Other types of injection, such as code injection and XML injection, can be identified using similar techniques. We must first identify the subsystem being used and then analyse the injection possibilities further. If numerous components interact and no information is provided about the system, such analysis may be near impossible. However, in almost all cases an injection can be revealed by providing the subsystem with special characters, or combinations of them, to elicit erroneous or unusual responses. It is up to the tester to identify the characters the subsystem considers special.
3.3.2 Authentication & Authorization

Authentication

Security testing of the authentication component is performed with the objective of finding areas in which the implementation does not meet the specified requirements. Test cases include forged or modified credentials, missing credentials and other inputs intended to induce error handling in the application.

The other aspect of testing the authentication component is to attack the authentication exchange. This typically consists of capturing a legitimate exchange and attempting to extract from it the credentials needed to access the application. The captured exchange (or parts of it) can also be replayed to the application in an attempt to impersonate the legitimate user.

Brute-force and Dictionary Attacks

These attacks are typically used against password authentication and rely on the ability to repeatedly test candidate passwords against the authentication service. A brute-force attack progressively tests all valid combinations of password characters to determine the real password for a given account; given enough time, and in the absence of lockout or rate limiting, it will always succeed because every possible password is eventually tried. A dictionary attack is a more refined approach that tests a subset of the possible passwords, typically a dictionary of language words. Additional variants are generated by appending numbers to dictionary words, replacing letters with defined symbols and applying lowercase or uppercase modifications.

Reference ID: #***
Test Case: Brute-force and Dictionary Attacks
Objective: Assess the susceptibility of the authentication exchange to brute-force or dictionary attacks
Threat: Spoofing, Elevation of privileges
Impacted Asset: Credentials
Test Method: Check for default passwords left by developers, then run an automated dictionary attack. Note whether the application enforces account lockout or rate limiting: if it does not, record that as a finding in itself; if it does, agree the test accounts in advance so that real users are not locked out.
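The mangling rules listed above (appended numbers, symbol substitution, case changes) are what turns a short word list into a useful dictionary attack, and the lockout threshold is what decides whether the attack can finish. This added example, written for this page and not part of the white paper, implements both; the word list, the rule set, the target hash and the lockout threshold are constructed. Use it only against systems you are authorised to test.

```python
"""Dictionary-attack candidate generation with the mangling rules from the
text, and the lockout caveat (added example).

Illustrative code written for this page, not the white paper's own. The
word list, the rules, the target hash and the lockout threshold are
constructed. Run such attacks only against systems you are authorised to
test.
"""
import hashlib

LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ["", "1", "123", "!", "2007"]   # appended numbers/symbols


def mangle(word):
    """Yield variants of one dictionary word: case changes, symbol
    substitutions and appended suffixes."""
    bases = {word.lower(), word.capitalize(), word.upper(),
             word.lower().translate(LEET)}
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def candidates(words):
    for w in words:
        yield from mangle(w)


def dictionary_attack(target_hash, words, max_attempts=None):
    """Return (matching_candidate_or_None, attempts_made).

    max_attempts models an account-lockout threshold: once it is reached
    the attack must stop, which is why 'brute force always succeeds
    given enough time' only holds when no lockout or rate limit exists."""
    attempts = 0
    for cand in candidates(words):
        if max_attempts is not None and attempts >= max_attempts:
            return None, attempts
        attempts += 1
        if hashlib.sha256(cand.encode()).hexdigest() == target_hash:
            return cand, attempts
    return None, attempts


# Constructed target: stands in for a hash recovered during testing.
TARGET = hashlib.sha256(b"Password123").hexdigest()
WORDS = ["summer", "password"]

if __name__ == "__main__":
    print("no lockout  :", dictionary_attack(TARGET, WORDS))
    print("lockout at 10:", dictionary_attack(TARGET, WORDS, max_attempts=10))
```

Against a live login form the hash comparison is replaced by an HTTP request per candidate, and the attempt counter is what you compare with the lockout threshold observed in the test: two words expand to 40 candidates here, so a threshold of 10 already defeats the run.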
Missing Credentials

A user who fails to present credentials should not be allowed access, and the application should discard the request. The application's processing logic should not assume that credentials are present, and there should be no form of default or backup account with application privileges.

Reference ID: #***
Test Case: Missing Credentials
Objective: Identify the system response to missing credentials
Threat: Spoofing
Impacted Asset: Credentials
Test Method: Determine the element of the web application request that carries the user credentials and omit it from an otherwise valid request. Ensure that such requests are discarded and not processed under some generic user account.
Confidentiality of Authentication Exchange

The authentication exchange should be kept private between the two parties, which is typically achieved by encrypting the communication. Failure to do so may disclose information that assists an attacker in credential theft.

Reference ID: #***
Test Case: Confidentiality of Authentication Exchange
Objective: Determine the ability to eavesdrop on the authentication exchange
Threat: Information Disclosure
Impacted Asset: Credentials
Test Method: Capture the authentication exchange and attempt to derive any information from it that may be of use to an attacker. Determine whether the exchange is encrypted or performed in the clear, and attempt to recover usable credentials.
Authorization

Authorization is the concept of allowing access to resources only to those permitted to use them. Testing for authorization means understanding how the authorization process works and using that information to attempt to circumvent the authorization mechanism. During this kind of assessment it should be verified whether it is possible to bypass the authorization schema, find a path traversal vulnerability, or find ways to escalate the privileges assigned to the tester. Testing for authorization covers the following objectives:

- To ensure that only authorized users can perform allowed actions within their privilege level
- To control access to protected resources using decisions based upon role or privilege level
- To prevent privilege escalation attacks, for example using administration functions while being only an anonymous user or an ordinary authenticated user
3.3.3 Cross Site Scripting (XSS)

XSS attacks are essentially code injection attacks against the various interpreters in the browser. They can be carried out using HTML, JavaScript, VBScript, ActiveX, Flash and other client-side languages. Their consequences include account hijacking, changing of user settings, cookie theft or poisoning, and false advertising. In some cases XSS vulnerabilities can be used for other purposes, such as scanning for further vulnerabilities or performing a denial of service against the web server.

Reference ID: #***
Test Case: Identify XSS vulnerabilities
Objective: Determine whether stored, DOM-based or reflected XSS can be introduced into the client-side content
Threat: Spoofing, Information Disclosure, DoS attacks, Elevation of privileges
Impacted Asset: Credentials, Sessions, Stored data
Test Method: Attempt to insert and store XSS code with the input data, then obtain valuable data as an unauthorised user
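The first thing a tester checks for reflected XSS is whether a marker comes back with its metacharacters intact, and the fix is output encoding that matches the HTML context. This added example, written for this page and not the white paper's code, shows a body context and a quoted-attribute context, each unencoded and encoded, plus the reflection check; the two render functions stand in for server-side templates and the probe and payload are constructed.

```python
"""Reflected XSS: unencoded output beside context-aware encoding, and the
reflection check a tester runs (added example).

Illustrative code written for this page, not the white paper's own. The
render functions stand in for server-side templates; the probe and the
attribute payload are constructed.
"""
import html

# A unique marker around the characters an XSS payload needs. If the
# whole string comes back intact, the parameter is reflected unencoded.
PROBE = "zq7<\">'zq8"

# Constructed attribute break-out payload: closes value="..." and adds a
# live event handler attribute.
ATTR_PAYLOAD = '" autofocus onfocus="alert(1)'


def render_body_vulnerable(name):
    """Deliberately vulnerable: user data in the HTML body, unencoded."""
    return f"<p>Hello {name}</p>"


def render_attr_vulnerable(value):
    """Deliberately vulnerable: user data in a quoted attribute, unencoded."""
    return f'<input name="q" value="{value}">'


def render_body_safe(name):
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


def render_attr_safe(value):
    # quote=True also encodes " and ' so the value cannot close the attribute
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def reflected_unencoded(body, probe=PROBE):
    """True when the probe is echoed with < > " ' intact (candidate XSS)."""
    return probe in body


def attribute_breakout(body):
    """True when the payload produced a live onfocus handler attribute."""
    return ' onfocus="alert(1)"' in body


if __name__ == "__main__":
    print("body  vulnerable:", reflected_unencoded(render_body_vulnerable(PROBE)))
    print("body  safe      :", reflected_unencoded(render_body_safe(PROBE)))
    print("attr  vulnerable:", attribute_breakout(render_attr_vulnerable(ATTR_PAYLOAD)))
    print("attr  safe      :", attribute_breakout(render_attr_safe(ATTR_PAYLOAD)))
```

A positive reflection check is only a candidate finding: the payload still has to execute in the context the value lands in (body, attribute, script block or URL), which is why the probe carries all four characters and why the attribute case is tested separately.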
3.3.4 Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf, such as changing the victim's e-mail address, home address or password, or purchasing something. CSRF attacks generally target functions that cause a state change on the server, but can also be used to access sensitive data.

Reference ID: #***
Test Case: Test for CSRF vulnerabilities
Objective: Determine whether it is possible to carry out a cross site request forgery against the target site
Threat: Elevation of privileges
Impacted Asset: Sessions, Stored data
Test Method: Assuming the URLs and parameters of the site are known to an authenticated user:
1. Build an HTML page containing the HTTP request referencing URL u, specifying all relevant parameters (for an HTTP GET this is straightforward; for a POST request you need to resort to some JavaScript);
2. make sure that a valid user is logged on to the application;
3. load the page created in step 1 in that user's browser and verify whether the web server executed the request.
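Step 1 of the test method is routine enough to script. This added example, written for this page and not part of the white paper, generates the proof-of-concept page for a GET request (an image tag) or a POST request (an auto-submitting form), and adds the check a tester makes before bothering: does the captured request carry an anti-CSRF token at all, and what does the request look like with the token removed for the follow-up test? The target URL, parameter names and the list of common token names are constructed assumptions.

```python
"""CSRF proof-of-concept page generation for the test method's steps (added example).

Illustrative code written for this page, not the white paper's own. The
target URL and parameters are constructed; in a real test they are the
ones captured from the authenticated session. TOKEN_NAMES is an assumed
list of common anti-CSRF parameter names.
"""
import html
from urllib.parse import urlencode

TOKEN_NAMES = ("csrf_token", "_token", "authenticity_token",
               "__requestverificationtoken")


def has_token(params):
    """Cheap pre-check: a token parameter is present in the captured request.
    Presence does not prove it is validated; absence almost guarantees step 3
    will succeed."""
    return any(k.lower() in TOKEN_NAMES for k in params)


def without_token(params):
    """The request with any token removed, for testing whether the server
    actually rejects it."""
    return {k: v for k, v in params.items() if k.lower() not in TOKEN_NAMES}


def csrf_poc(url, params, method="POST"):
    """Build the HTML page for step 1 of the test method."""
    method = method.upper()
    if method == "GET":
        target = url + "?" + urlencode(params)
        return ('<html><body><img src="'
                + html.escape(target, quote=True)
                + '" alt=""></body></html>')
    inputs = "".join(
        '<input type="hidden" name="' + html.escape(k, quote=True)
        + '" value="' + html.escape(v, quote=True) + '">'
        for k, v in params.items())
    return ('<html><body onload="document.forms[0].submit()">'
            '<form method="POST" action="' + html.escape(url, quote=True) + '">'
            + inputs + '</form></body></html>')


if __name__ == "__main__":
    captured = {"email": "attacker@evil.example", "csrf_token": "abc123"}
    print("token present:", has_token(captured))
    print(csrf_poc("https://app.example/account/email", without_token(captured)))
    print(csrf_poc("https://app.example/transfer", {"to": "123", "amt": "50"}, "GET"))
```

Steps 2 and 3 are then manual: open the generated page while logged in and check on the server side (or in the account) whether the change was applied. If the application also accepts the request with the token stripped, the token is decorative and the finding stands even when one is present.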
3.3.5 Session Management

Cookies are used to implement session management. In a nutshell, when a user accesses an application that needs to keep track of the actions and identity of that user across multiple requests, a cookie (or more than one) is generated by the server and sent to the client. The client then sends the cookie back to the server with all following requests until the cookie expires or is destroyed. The data stored in the cookie can provide the server with a wide spectrum of information about who the user is, what actions they have performed so far, what their preferences are and so on, thereby providing state to a stateless protocol like HTTP.

Because of the importance of the data they carry, cookies are vital to the overall security of the application. Being able to tamper with cookies may result in hijacking the sessions of legitimate users, gaining higher privileges in an active session and, in general, influencing the operation of the application in an unauthorised way. In this test we check whether the cookies issued to clients can resist a wide range of attacks aimed at interfering with the sessions of legitimate users and with the application itself.

Reference ID: #***
Test Case: Session Management
Objective: Determine whether it is possible to break or hijack the session
Threat: Elevation of privileges
Impacted Asset: Sessions, Stored data
Test Method: Testing for session management covers the following scenarios:
1. Collect the cookies issued by the application
2. Collect a large sample of session tokens and examine them for randomness and uniqueness using automated tools
3. Reverse engineer the cookie to ensure it has the following characteristics: unpredictable, tamper resistant, expiring, and carrying the Secure flag (and HttpOnly, so that script cannot read it)
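The three scenarios above reduce to two checks that can be scripted: parse each Set-Cookie header for the flags and expiry, and examine a sample of tokens for uniqueness and predictability. This added example, written for this page and not part of the white paper, does both on constructed data: a "bad" server that issues sequential hex tokens over an unflagged cookie, and a "good" one that issues random tokens with Secure and HttpOnly. The per-token entropy figure is a crude estimate; a real test samples thousands of tokens with a proper sequencer.

```python
"""Session cookie attribute and token checks for the test method's three
scenarios (added example).

Illustrative code written for this page, not the white paper's own. The
Set-Cookie headers and token samples are constructed: the "bad" server
issues sequential hex tokens over an unflagged cookie, the "good" one
random tokens with Secure and HttpOnly. The entropy figure is a crude
per-token estimate, not a substitute for sampling thousands of tokens.
"""
import math
import secrets
from collections import Counter
from http.cookies import SimpleCookie


def cookie_attributes(set_cookie_header):
    """Parse one Set-Cookie header into {name: {secure, httponly, expires}}."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return {name: {"secure": bool(m["secure"]),
                   "httponly": bool(m["httponly"]),
                   "expires": m["expires"]}
            for name, m in jar.items()}


def shannon_bits(token):
    """Shannon entropy of the token's own character distribution, in bits."""
    counts = Counter(token)
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) * n


def analyse_tokens(tokens):
    """Uniqueness, sequential-increment detection and a minimum entropy estimate."""
    unique = len(set(tokens)) == len(tokens)
    try:
        values = [int(t, 16) for t in tokens]
        steps = {b - a for a, b in zip(values, values[1:])}
        sequential = len(steps) == 1            # constant step => predictable
    except ValueError:                          # not hex: cannot be a counter
        sequential = False
    return {"unique": unique, "sequential": sequential,
            "min_entropy_bits": round(min(shannon_bits(t) for t in tokens), 1)}


# Constructed samples.
BAD_HEADER = "SESSIONID=0000000000001a2f; Path=/"
GOOD_HEADER = ("SESSIONID=9f3c1e7a5b2d4c6e8a0f1b3d5c7e9a1b; Secure; HttpOnly; "
               "Expires=Wed, 21 Oct 2015 07:28:00 GMT; Path=/")
BAD_TOKENS = ["0000000000001a2f", "0000000000001a30",
              "0000000000001a31", "0000000000001a32"]      # a counter
GOOD_TOKENS = [secrets.token_hex(16) for _ in range(4)]    # 128-bit random

if __name__ == "__main__":
    print("bad  cookie :", cookie_attributes(BAD_HEADER))
    print("good cookie :", cookie_attributes(GOOD_HEADER))
    print("bad  tokens :", analyse_tokens(BAD_TOKENS))
    print("good tokens :", analyse_tokens(GOOD_TOKENS))
```

A sequential token is the worst case for scenario 3 (an attacker who obtains one token can guess its neighbours), and a missing Secure flag is what turns the cleartext-authentication finding in 3.3.2 into a session hijack over plain HTTP. Tamper resistance has to be tested separately, by modifying the token and observing whether the server rejects it.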
3.3.6 Fuzzing

Fuzz testing consists of finding implementation bugs by injecting malformed or semi-malformed data in an automated fashion. A fuzzer is a program that automatically injects semi-random data into a program or protocol stack and detects the resulting bugs. The data-generation part is made of generators, and vulnerability identification relies on debugging tools. Generators usually use combinations of static fuzz vectors (known-to-be-dangerous values) or totally random data. Newer fuzzers use genetic algorithms to link the injected data to the observed impact; at the time of writing such tools were not public.

Reference ID: #***
Test Case: Fuzzing
Objective: Determine whether it is possible to fuzz web requests
Threat: Denial of Service
Impacted Asset: Stored Data
Test Method: Using manual or automatic injection tools:
1. Identify the fuzz vectors (known-to-be-dangerous values) for each request
2. Inject the fuzz vectors and watch for errors, crashes and anomalous responses
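A minimal parameter fuzzer for the two steps in the test method, added here as an example written for this page (not the white paper's tool). The target is a constructed in-process handler that stands in for an HTTP endpoint so the demonstration runs offline; it has two planted bugs, an unhandled exception on an over-long value and a 500 on a negative page number, and the vector list is a small sample of known-dangerous values.

```python
"""A minimal parameter fuzzer for the test method's two steps (added example).

Illustrative code written for this page, not the white paper's own. The
target handler is a constructed stand-in for an HTTP endpoint with two
planted bugs; the vector list is a small sample of known-dangerous values.
"""

FUZZ_VECTORS = [
    "'", '"', "<script>alert(1)</script>", "../../../../etc/passwd",
    "%00", "A" * 5000, "-1", "0", "99999999999999999999", "; id", "%n%n%n%n",
]


def target_handler(params):
    """Constructed stand-in for the endpoint under test. Returns (status, body).
    Planted bugs: an unhandled exception on an over-long 'q' (a crash, the
    denial-of-service signal) and a 500 on a negative 'page'."""
    q = params.get("q", "")
    page = params.get("page", "1")
    if len(q) > 4096:
        raise RuntimeError("buffer too small")
    try:
        p = int(page)
    except ValueError:
        return 400, "bad page"
    if p < 0:
        return 500, "internal error: negative offset"
    return 200, f"results for {q} page {p}"


def fuzz(handler, base_params, vectors):
    """Step 2: inject every vector into every parameter in turn and record
    exceptions and 5xx responses as findings (name, vector, kind, detail)."""
    findings = []
    for name in base_params:
        for vec in vectors:
            params = dict(base_params)
            params[name] = vec
            try:
                status, _body = handler(params)
            except Exception as exc:           # a crash is the strongest signal
                findings.append((name, vec[:20], "exception", repr(exc)))
                continue
            if status >= 500:
                findings.append((name, vec[:20], "status", status))
    return findings


if __name__ == "__main__":
    for finding in fuzz(target_handler, {"q": "test", "page": "1"}, FUZZ_VECTORS):
        print(finding)
```

Against a real application the handler call becomes an HTTP request and a timeout or connection reset is recorded the same way as the exception here; response-length and response-time deltas from a baseline request are the other usual signals, and every finding is then reproduced by hand before it goes into the defect report.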
4. Reporting

This is the final and most important phase, as it is here that all the findings are documented. Successful execution of the preceding phases is futile if the results are not properly documented and reported. At the end of the test execution phase the following two reports are prepared, detailing each finding and assigning it a suitable severity level.

4.1 High-Level Analysis Report

After the execution phase a high-level analysis report is created that summarises the issues recorded in the detailed defect report.

4.2 Detailed Defect Report

All the defects (vulnerabilities) identified during test execution are logged in the defect tracking system specified by the client, or a detailed defect report is sent to the client.
More informationApplication vulnerabilities and defences
Application vulnerabilities and defences In this lecture We examine the following : SQL injection XSS CSRF SQL injection SQL injection is a basic attack used to either gain unauthorized access to a database
More informationHP 2012 Cyber Security Risk Report Overview
HP 2012 Cyber Security Risk Report Overview September 2013 Paras Shah Software Security Assurance - Canada Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject
More information01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED
01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED Contents 1. Introduction 3 2. Security Testing Methodologies 3 2.1 Internet Footprint Assessment 4 2.2 Infrastructure Assessments
More informationEthical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities
Ethical Hacking and Countermeasures: Web Chapter 3 Web Application Vulnerabilities Objectives After completing this chapter, you should be able to: Understand the architecture of Web applications Understand
More informationAguascalientes Local Chapter. Kickoff
Aguascalientes Local Chapter Kickoff juan.gama@owasp.org About Us Chapter Leader Juan Gama Application Security Engineer @ Aspect Security 9+ years in Appsec, Testing, Development Maintainer of OWASP Benchmark
More informationBank Infrastructure - Video - 1
Bank Infrastructure - 1 05/09/2017 Threats Threat Source Risk Status Date Created Account Footprinting Web Browser Targeted Malware Web Browser Man in the browser Web Browser Identity Spoofing - Impersonation
More informationCSWAE Certified Secure Web Application Engineer
CSWAE Certified Secure Web Application Engineer Overview Organizations and governments fall victim to internet based attacks every day. In many cases, web attacks could be thwarted but hackers, organized
More informationInstructions 1 Elevation of Privilege Instructions
Instructions 1 Elevation of Privilege Instructions Draw a diagram of the system you want to threat model before you deal the cards. Deal the deck to 3-6 players. Play starts with the 3 of Tampering. Play
More informationWeb Application & Web Server Vulnerabilities Assessment Pankaj Sharma
Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma Indian Computer Emergency Response Team ( CERT - IN ) Department Of Information Technology 1 Agenda Introduction What are Web Applications?
More informationSECURITY TESTING. Towards a safer web world
SECURITY TESTING Towards a safer web world AGENDA 1. 3 W S OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS ate: 2013-14 Few Security Breaches September
More informationInstructions 1. Elevation of Privilege Instructions. Draw a diagram of the system you want to threat model before you deal the cards.
Instructions 1 Elevation of Privilege Instructions Draw a diagram of the system you want to threat model before you deal the cards. Deal the deck to 3 6 players. Play starts with the 3 of Tampering. Play
More informationWeb Application Penetration Testing
Web Application Penetration Testing COURSE BROCHURE & SYLLABUS Course Overview Web Application penetration Testing (WAPT) is the Security testing techniques for vulnerabilities or security holes in corporate
More informationCertified Secure Web Application Engineer
Certified Secure Web Application Engineer ACCREDITATIONS EXAM INFORMATION The Certified Secure Web Application Engineer exam is taken online through Mile2 s Assessment and Certification System ( MACS ),
More informationSECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS
SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS Contents Introduction...3 1. Research Methodology...4 2. Executive Summary...5 3. Participant Portrait...6 4. Vulnerability Statistics...8 4.1.
More informationRBS NetGain Enterprise Manager Multiple Vulnerabilities of 11
RBS-2018-004 NetGain Enterprise Manager Multiple Vulnerabilities 2018-03-22 1 of 11 Table of Contents Vendor / Product Information 3 Vulnerable Program Details 3 Credits 3 Impact 3 Vulnerability Details
More informationComputer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks
Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition Chapter 3 Investigating Web Attacks Objectives After completing this chapter, you should be able to: Recognize the indications
More informationP2_L12 Web Security Page 1
P2_L12 Web Security Page 1 Reference: Computer Security by Stallings and Brown, Chapter (not specified) The web is an extension of our computing environment, because most of our daily tasks involve interaction
More informationWeb Application Vulnerabilities: OWASP Top 10 Revisited
Pattern Recognition and Applications Lab Web Application Vulnerabilities: OWASP Top 10 Revisited Igino Corona igino.corona AT diee.unica.it Computer Security April 5th, 2018 Department of Electrical and
More informationTest Harness for Web Application Attacks
IJSRD National Conference on Advances in Computer Science Engineering & Technology May 2017 ISSN: 2321-0613 Test Harness for Web Application Attacks Kishan Chudasama 1 Mr. Girish Khilari 2 Mr. Suresh Sikka
More informationVULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED
AUTOMATED CODE ANALYSIS WEB APPLICATION VULNERABILITIES IN 2017 CONTENTS Introduction...3 Testing methods and classification...3 1. Executive summary...4 2. How PT AI works...4 2.1. Verifying vulnerabilities...5
More informationThis slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in
1 This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in terms of prevalence (how much the vulnerability is widespread),
More informationSecure Application Development. OWASP September 28, The OWASP Foundation
Secure Application Development September 28, 2011 Rohini Sulatycki Senior Security Consultant Trustwave rsulatycki@trustwave.com Copyright The Foundation Permission is granted to copy, distribute and/or
More informationOWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example
Proxy Caches and Web Application Security Using the Recent Google Docs 0-Day as an Example Tim Bass, CISSP Chapter Leader, Thailand +66832975101, tim@unix.com AppSec Asia October 21, 2008 Thailand Worldwide
More informationAndrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West
Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing Advancing Expertise in Security Testing Taming the Wild West Canberra, Australia 1 Who is this guy? Andrew
More informationTaking White Hats to the Laundry: How to Strengthen Testing in Common Criteria
Taking White Hats to the Laundry: How to Strengthen Testing in Common Criteria Apostol Vassilev, Principal Consultant September 23,2009. Product Testing in Common Criteria Product Testing in Common Criteria
More informationComputer Security Policy
Administration and Policy: Computer usage policy B 0.2/3 All systems Computer and Rules for users of the ECMWF computer systems May 1995 Table of Contents 1. The requirement for computer security... 1
More informationIntroduction F rom a management perspective, application security is a difficult topic. Multiple parties within an organization are involved, as well
Simplifying Application Security and Compliance with the OWASP Top 10 AN EXECUTIVE PERSPECTIVE Introduction F rom a management perspective, application security is a difficult topic. Multiple parties within
More informationThreat Modeling. Bart De Win Secure Application Development Course, Credits to
Threat Modeling Bart De Win bart.dewin@ascure.com Secure Application Development Course, 2009 Credits to Frank Piessens (KUL) for the slides 2 1 Overview Introduction Key Concepts Threats, Vulnerabilities,
More informationSecurity and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web
Security and Privacy SWE 432, Fall 2016 Design and Implementation of Software for the Web Today Security What is it? Most important types of attacks Privacy For further reading: https://www.owasp.org/index.php/
More informationSecuring Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software
Securing Your Web Application against security vulnerabilities Alvin Wong, Brand Manager IBM Rational Software Agenda Security Landscape Vulnerability Analysis Automated Vulnerability Analysis IBM Rational
More informationDell SonicWALL Secure Mobile Access 8.5. Web Application Firewall Feature Guide
Dell SonicWALL Secure Mobile Access 8.5 Copyright 2016 Dell Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. Dell, the Dell logo,
More information"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary
Course Summary Description Securing.Net Web Applications - Lifecycle is a lab-intensive, hands-on.net security training course, essential for experienced enterprise developers who need to produce secure.net-based
More informationOWASP TOP OWASP TOP
ANALYZING THE OWASP TOP 10 TOP APPLICATION SECURITY THREATS & HOW TO MITIGATE THEM Cars require seatbelts. Pill bottles need safety caps. Applications need web application firewalls, and for good reason.
More informationSDR Guide to Complete the SDR
I. General Information You must list the Yale Servers & if Virtual their host Business Associate Agreement (BAA ) in place. Required for the new HIPAA rules Contract questions are critical if using 3 Lock
More informationEasyCrypt passes an independent security audit
July 24, 2017 EasyCrypt passes an independent security audit EasyCrypt, a Swiss-based email encryption and privacy service, announced that it has passed an independent security audit. The audit was sponsored
More informationCHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS
180 CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS 8.1 SUMMARY This research has focused on developing a Web Applications Secure System from Code Injection Vulnerabilities through Web Services (WAPS-CIVS),
More informationA (sample) computerized system for publishing the daily currency exchange rates
A (sample) computerized system for publishing the daily currency exchange rates The Treasury Department has constructed a computerized system that publishes the daily exchange rates of the local currency
More informationWeb Security 2 https://www.xkcd.com/177/ http://xkcd.com/1323/ Encryption basics Plaintext message key secret Encryp)on Func)on Ciphertext Insecure network Decryp)on Func)on Curses! Foiled again! key Plaintext
More informationCOMPUTER NETWORK SECURITY
COMPUTER NETWORK SECURITY Prof. Dr. Hasan Hüseyin BALIK (1 st Week) Outline Course Information and Policies Course Syllabus 1. Overview Course Information Instructor: Prof. Dr. Hasan H. BALIK, balik@yildiz.edu.tr,
More informationW e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s
W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s Session I of III JD Nir, Security Analyst Why is this important? ISE Proprietary Agenda About ISE Web Applications
More informationWeb Security, Summer Term 2012
IIG University of Freiburg Web Security, Summer Term 2012 Web Application: Testing Security Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 10) Web Application: Testing Security 1 Table of
More informationDEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology
DEFENSIVE PROGRAMMING Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology Traditional Programming When writing a program, programmers typically
More informationSimplifying Application Security and Compliance with the OWASP Top 10
Simplifying Application Security and Compliance with the OWASP Top 10 An Executive Perspective 187 Ballardvale Street, Wilmington, MA 01887 978.694.1008 ExECuTivE PErSPECTivE 2 introduction From a management
More informationCurso: Ethical Hacking and Countermeasures
Curso: Ethical Hacking and Countermeasures Module 1: Introduction to Ethical Hacking Who is a Hacker? Essential Terminologies Effects of Hacking Effects of Hacking on Business Elements of Information Security
More informationOverview Cross-Site Scripting (XSS) Christopher Lam Introduction Description Programming Languages used Types of Attacks Reasons for XSS Utilization Attack Scenarios Steps to an XSS Attack Compromises
More informationPenetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant
Penetration Testing following OWASP Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant За Лирекс Penetration testing A method of compromising the security of a computer system or network by
More information3.5 SECURITY. How can you reduce the risk of getting a virus?
3.5 SECURITY 3.5.4 MALWARE WHAT IS MALWARE? Malware, short for malicious software, is any software used to disrupt the computer s operation, gather sensitive information without your knowledge, or gain
More informationAttacks Against Websites. Tom Chothia Computer Security, Lecture 11
Attacks Against Websites Tom Chothia Computer Security, Lecture 11 A typical web set up TLS Server HTTP GET cookie Client HTML HTTP file HTML PHP process Display PHP SQL Typical Web Setup HTTP website:
More informationVulnerabilities in online banking applications
Vulnerabilities in online banking applications 2019 Contents Introduction... 2 Executive summary... 2 Trends... 2 Overall statistics... 3 Comparison of in-house and off-the-shelf applications... 6 Comparison
More informationISO/IEC Common Criteria. Threat Categories
ISO/IEC 15408 Common Criteria Threat Categories 2005 Bar Biszick-Lockwood / QualityIT Redmond, WA 2003 Purpose This presentation introduces you to the threat categories contained in ISO/IEC 15408, used
More informationApplication Security Introduction. Tara Gu IBM Product Security Incident Response Team
Application Security Introduction Tara Gu IBM Product Security Incident Response Team About Me - Tara Gu - tara.weiqing@gmail.com - Duke B.S.E Biomedical Engineering - Duke M.Eng Computer Engineering -
More informationThreat analysis. Tuomas Aura CS-C3130 Information security. Aalto University, autumn 2017
Threat analysis Tuomas Aura CS-C3130 Information security Aalto University, autumn 2017 Outline What is security Threat analysis Threat modeling example Systematic threat modeling 2 WHAT IS SECURITY 3
More informationTop 10 Database Security Threats and How to Stop Them. Rob Rachwald Director of Security Strategy
Top 10 Database Security Threats and How to Stop Them Rob Rachwald Director of Security Strategy Data Has Value Data Has Value Top 7 Attacks Discussed in Hacker Forums 11% 9% 12% 12% 15% 21% 20% dos/ddos
More informationThe Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA
The Weakest Link: Mitigating Web Application Vulnerabilities webscurity White Paper webscurity Inc. Minneapolis, Minnesota USA March 19, 2008 Contents Executive Summary...3 Introduction...4 Target Audience...4
More informationSecure coding practices
Secure coding practices www.infosys.com/finacle Universal Banking Solution Systems Integration Consulting Business Process Outsourcing Secure coding practices Writing good code is an art but equally important
More informationTitle: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs)
Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs) Document last modified on: 17th September 2009 Date of discovery of vulnerabilities: December
More informationDrone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created
Drone - 2 04/12/2018 Threat Model Description Threats Threat Source Risk Status Date Created Mobile Phone: Sensitive Data Leakage Smart Devices Mobile Phone: Session Hijacking Smart Devices Mobile Phone:
More informationBerner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 2
Table of Contents Hacking Web Sites Broken Authentication Emmanuel Benoist Spring Term 2018 Introduction Examples of Attacks Brute Force Session Spotting Replay Attack Session Fixation Attack Session Hijacking
More informationApplication Security through a Hacker s Eyes James Walden Northern Kentucky University
Application Security through a Hacker s Eyes James Walden Northern Kentucky University waldenj@nku.edu Why Do Hackers Target Web Apps? Attack Surface A system s attack surface consists of all of the ways
More informationDevelopment*Process*for*Secure* So2ware
Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development
More informationHacker Attacks on the Horizon: Web 2.0 Attack Vectors
IBM Software Group Hacker Attacks on the Horizon: Web 2.0 Attack Vectors Danny Allan Director, Security Research dallan@us.ibm.com 2/21/2008 Agenda HISTORY Web Eras & Trends SECURITY Web 2.0 Attack Vectors
More informationSpecialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com
Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE s3security.com Security Professional Services S3 offers security services through its Security Professional Services (SPS) group, the security-consulting
More informationEngineering Your Software For Attack
Engineering Your Software For Attack Robert A. Martin Senior Principal Engineer Cyber Security Center Center for National Security The MITRE Corporation 2013 The MITRE Corporation. All rights reserved.
More informationSECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS
SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS 2017 Contents Introduction... 3 1. Materials and methods... 3 2. Executive summary... 4 3. Participant portrait... 5 4. Trends... 6 5. Manual web
More informationAttacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14
Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.
More informationWeb Application Threats and Remediation. Terry Labach, IST Security Team
Web Application Threats and Remediation Terry Labach, IST Security Team IST Security Team The problem While we use frewalls and other means to prevent attackers from access to our networks, we encourage
More informationEvaluating the Security Risks of Static vs. Dynamic Websites
Evaluating the Security Risks of Static vs. Dynamic Websites Ballard Blair Comp 116: Introduction to Computer Security Professor Ming Chow December 13, 2017 Abstract This research paper aims to outline
More informationCIS 4360 Secure Computer Systems XSS
CIS 4360 Secure Computer Systems XSS Professor Qiang Zeng Spring 2017 Some slides are adapted from the web pages by Kallin and Valbuena Previous Class Two important criteria to evaluate an Intrusion Detection
More informationCompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management
CompTIA Security+ Lecture Six Threats and Vulnerabilities Vulnerability Management Copyright 2011 - VTC Malware Malicious code refers to software threats to network and systems, including viruses, Trojan
More informationAuthentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1
Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1 CIA Triad Confidentiality Prevent disclosure of information to unauthorized parties Integrity Detect data tampering Availability
More informationWEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang
WEB SECURITY WORKSHOP TEXSAW 2014 Presented by Solomon Boyd and Jiayang Wang Introduction and Background Targets Web Applications Web Pages Databases Goals Steal data Gain access to system Bypass authentication
More informationVULNERABILITY STATISTICS FOR E-BANKING SYSTEMS ( ) WHITE PAPER
E-BANKING SYSTEMS VULNERABILITY STATISTICS FOR E-BANKING SYSTEMS (2011 2012) WHITE PAPER Page 1 CONTENTS Executive Summary 3 1. Source Data & Methodology 4 2. Overall Results 6 2.1. The Most Common Vulnerabilities
More informationCNIT 129S: Securing Web Applications. Ch 4: Mapping the Application
CNIT 129S: Securing Web Applications Ch 4: Mapping the Application Mapping Enumerate application's content and functionality Some is hidden, requiring guesswork and luck to discover Examine every aspect
More informationCOMP9321 Web Application Engineering
COMP9321 Web Application Engineering Semester 2, 2017 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2465 1 Assignment
More informationCSCD 303 Essential Computer Security Fall 2017
CSCD 303 Essential Computer Security Fall 2017 Lecture 18a XSS, SQL Injection and CRSF Reading: See links - End of Slides Overview Idea of XSS, CSRF and SQL injection is to violate the security of the
More informationWeb Security, Summer Term 2012
IIG University of Freiburg Web Security, Summer Term 2012 Brocken Authentication and Session Management Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 7 Broken Authentication and Session
More informationWeb Security, Summer Term 2012
Table of Contents IIG University of Freiburg Web Security, Summer Term 2012 Brocken Authentication and Session Management Dr. E. Benoist Sommer Semester Introduction Examples of Attacks Brute Force Session
More informationSAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0
Welcome BIZEC Roundtable @ IT Defense, Berlin SAP Security BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0 February 1, 2013 Andreas Wiegenstein CTO, Virtual Forge 2 SAP Security SAP security is a complex
More informationSecurity+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 3 Protecting Systems Objectives Explain how to harden operating systems List ways to prevent attacks through a Web browser Define
More informationInformation Security CS 526 Topic 11
Information Security CS 526 Topic 11 Web Security Part 1 1 Readings for This Lecture Wikipedia HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery 2 Background Many sensitive
More informationAdvanced Web Technology 10) XSS, CSRF and SQL Injection
Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 1 Table of Contents Cross Site Request Forgery - CSRF Presentation
More informationThe Top 6 WAF Essentials to Achieve Application Security Efficacy
The Top 6 WAF Essentials to Achieve Application Security Efficacy Introduction One of the biggest challenges IT and security leaders face today is reducing business risk while ensuring ease of use and
More informationExcerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt
Excerpts of Web Application Security focusing on Data Validation adapted for F.I.S.T. 2004, Frankfurt by fs Purpose of this course: 1. Relate to WA s and get a basic understanding of them 2. Understand
More informationCPET 499/ITC 250 Web Systems Chapter 16 Security. Topics
CPET 499/ITC 250 Web Systems Chapter 16 Security Text Book: * Fundamentals of Web Development, 2015, by Randy Connolly and Ricardo Hoar, published by Pearson Paul I-Hai, Professor http://www.etcs.ipfw.edu/~lin
More informationControls Electronic messaging Information involved in electronic messaging shall be appropriately protected.
I Use of computers This document is part of the UCISA Information Security Toolkit providing guidance on the policies and processes needed to implement an organisational information security policy. To
More informationWhen the Lights go out. Hacking Cisco EnergyWise. Version: 1.0. Date: 7/1/14. Classification: Ayhan Koca, Matthias Luft
When the Lights go out Hacking Cisco EnergyWise Version: 1.0 Date: 7/1/14 Classification: Author(s): Public Ayhan Koca, Matthias Luft TABLE OF CONTENT 1 HANDLING... 5 1.1 DOCUMENT STATUS AND OWNER... 5
More information