Benchmarking Vulnerability Detection Tools for Web Services
Slide 1: Benchmarking Vulnerability Detection Tools for Web Services
Marco Vieira {nmsa,
ICWS 2010
CISUC, Department of Informatics Engineering, University of Coimbra, Portugal
Slide 2: Outline
- The problem
- Benchmarking approach
- Benchmark for SQL Injection vulnerability detection tools
- Benchmarking example
- Conclusions and future work
Slide 3: Web Services
- Web Services are becoming a strategic component in a wide range of organizations
- Web Services are extremely exposed to attacks: any existing vulnerability will most probably be uncovered and exploited
- Hackers are moving their focus to application code
- Both providers and consumers need to assess the security of services
Slide 4: Common vulnerabilities in Web Services
- 300 public Web Services analyzed [chart of the results not transcribed]
Slide 5: Vulnerability detection tools
- Vulnerability scanners
  - Easy and widely used way to test applications in search of vulnerabilities
  - Use fuzzing techniques to attack applications
  - Avoid the repetitive and tedious task of doing hundreds or even thousands of tests by hand
- Static code analyzers
  - Analyze the code without actually executing it
  - The analysis varies depending on the tool's sophistication
  - Provide a way of highlighting possible coding errors
Slide 6: Using vulnerability detection tools
- Tools are often expensive
- Many tools can generate conflicting results
- Due to time constraints or resource limitations, developers have to select one tool from the set of tools available and rely on that tool to detect vulnerabilities
- However, previous work shows that the effectiveness of many of these tools is low
- How to select the tools to use?
Slide 7: How to select the tools to use?
- Existing evaluations have limited value, both because of the limited number of tools used and because of the representativeness of the experiments
- Developers urgently need a practical way to compare alternative tools concerning their ability to detect vulnerabilities
- The solution: benchmarking!
Slide 8: Benchmarking vulnerability detection tools
- Benchmarks are standard approaches to evaluate and compare different systems according to specific characteristics
- Evaluate and compare the existing tools
- Select the most effective tools
- Guide the improvement of methodologies, as performance benchmarks have contributed to improving the performance of systems
Slide 9: Benchmarking approach
- Workload: the work that a tool must perform during the benchmark execution
- Measures: characterize the effectiveness of the tools; must be easy to understand and must allow the comparison of different tools
- Procedure: the procedures and rules that must be followed during the benchmark execution
Slide 10: Workload
- Services used to exercise the vulnerability detection tools
- Domain defined by:
  - Class of web services (e.g., SOAP, REST)
  - Types of vulnerabilities (e.g., SQL Injection, XPath Injection, file execution)
  - Vulnerability detection approaches (e.g., penetration testing, static analysis, anomaly detection)
- Different types of workload can be considered: real workloads, realistic workloads, synthetic workloads
Slide 11: Measures
- Computed from the information collected during the benchmark run
- Relative measures: can be used for comparison or for improvement and tuning
- Different tools report vulnerabilities in different ways
- Precision, Recall, F-Measure
Slide 12: Procedure
- Step 1: Preparation: select the tools to be benchmarked
- Step 2: Execution: use the tools under benchmarking to detect vulnerabilities in the workload
- Step 3: Measures calculation: analyze the vulnerabilities reported by the tools and calculate the measures
- Step 4: Ranking and selection: rank the tools using the measures and select the most effective tool
Slide 13: A benchmark for SQL Injection vulnerability detection tools
- This benchmark targets the domain:
  - Class of web services: SOAP web services
  - Type of vulnerabilities: SQL Injection
  - Vulnerability detection approaches: penetration testing, static code analysis, and runtime anomaly detection
- Workload composed of code from standard benchmarks: TPC-App, TPC-W*, TPC-C*
Slide 14: Workload
Table columns: Benchmark | Service Name | Vuln. Inputs | Vuln. Queries | LOC | Avg. C. Comp. (average cyclomatic complexity). The numeric columns were not transcribed; the services per benchmark are:
- TPC-App: ProductDetail, NewProducts, NewCustomer, ChangePaymentMethod
- TPC-C: Delivery, NewOrder, OrderStatus, Payment, StockLevel
- TPC-W: AdminUpdate, CreateNewCustomer, CreateShoppingCart, DoAuthorSearch, DoSubjectSearch, DoTitleSearch, GetBestSellers, GetCustomer, GetMostRecentOrder, GetNewProducts, GetPassword, GetUsername
- Total
Slide 15: Enhancing the workload
- To create a more realistic workload we created new versions of the services. This way, for each web service we have:
  - one version without known vulnerabilities
  - one version with N vulnerabilities
  - N versions with one vulnerable SQL query each
- This accounts for: Services + Versions | Vuln. Inputs | Vuln. lines (totals not transcribed)
Slide 16: Step 1: Preparation. The tools under benchmarking
Provider | Tool | Technique
- HP | WebInspect | Penetration testing
- IBM | Rational AppScan | Penetration testing
- Acunetix | Web Vulnerability Scanner | Penetration testing
- Univ. Coimbra | VS.WS | Penetration testing
- Univ. Maryland | FindBugs | Static code analysis
- SourceForge | Yasca | Static code analysis
- JetBrains | IntelliJ IDEA | Static code analysis
- Univ. Coimbra | CIVS-WS | Anomaly detection
Vulnerability scanners: VS1, VS2, VS3, VS4. Static code analyzers: SA1, SA2, SA3.
Slide 17: Step 2: Execution. Results for penetration testing
Tool | % TP | % FP
VS1 | [not transcribed] | 54.46%
VS2 | [not transcribed] | 61.22%
VS3 | 1.9% | 0%
VS4 | [not transcribed] | 43.28%
Slide 18: Step 2: Execution. Results for static code analysis and anomaly detection
Tool | % TP | % FP
CIVS | 79.31% | 0%
SA1 | [not transcribed] | 7.69%
SA2 | 100% | 36.03%
SA3 | [not transcribed] | 67.50%
Slide 19: Step 3: Measures calculation. Benchmarking results
Table columns: Tool | F-Measure | Precision | Recall. Rows: CIVS-WS, SA1, SA2, SA3, VS1, VS2, VS3, VS4 (values not transcribed).
Slide 20: Step 4: Ranking and selection
- Rank the tools using the measures
- Select the most effective tool

Inputs (vulnerability scanners)
Criteria | 1st | 2nd | 3rd | 4th
F-Measure | VS1 | VS4 | VS2 | VS3
Precision | VS3 | VS4 | VS1 | VS2
Recall | VS1 | VS2/VS4 | VS3 |

Queries (static code analyzers and anomaly detection)
Criteria | 1st | 2nd | 3rd | 4th
F-Measure | CIVS | SA2 | SA1 | SA3
Precision | CIVS | SA1 | SA2 | SA3
Recall | SA2 | CIVS | SA1 | SA3
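The measures of slide 11, the workload versioning of slide 15 and the step 3 and step 4 calculation and ranking of slides 19 and 20, carried through on constructed data. This is an added example, not the authors' benchmark code. The service names follow slide 14, but the vulnerable query ids, the two simulated tools and everything they report are constructed here; the conversion from the % TP / % FP tables of slides 17 and 18 assumes that % TP is the share of known vulnerabilities detected (recall) and % FP the share of reports that were false (1 - precision), which the slides do not state, although the slide 20 ranking is consistent with it.

```python
"""Scoring a vulnerability-detection-tool benchmark run.

Added illustration; not the authors' benchmark implementation. Service
names come from the slide-14 workload; which queries are vulnerable, and
what the two simulated tools report, is constructed here.
"""

# --- Workload versions (slide 15) -------------------------------------------
# Constructed: for each service, the ids of the SQL queries that are
# vulnerable in the version "with N vulnerabilities".
SERVICES = {
    "NewCustomer": ["q1", "q2", "q3"],
    "OrderStatus": ["q1", "q2"],
}


def build_workload(services):
    """Map every service version to the set of its known-vulnerable queries.

    Per service with N vulnerable queries: one clean version, one with all
    N, and N versions with a single vulnerable query each (slide 15).
    The returned dict is the benchmark's ground truth.
    """
    workload = {}
    for name, vuln_queries in services.items():
        workload[f"{name}/clean"] = set()
        workload[f"{name}/all"] = set(vuln_queries)
        for q in vuln_queries:
            workload[f"{name}/only-{q}"] = {q}
    return workload


# --- Measures (slides 11 and 19) -------------------------------------------
def f_measure(precision, recall):
    """Harmonic mean of precision and recall; 0 when both are 0."""
    return 2 * precision * recall / (precision + recall) if precision + recall else 0.0


def measures(ground_truth, reported):
    """Precision, recall and F-measure of one tool over the whole workload.

    ground_truth and reported map version -> set of query ids. A reported
    query that is not vulnerable in that version is a false positive; a
    vulnerable query the tool misses is a false negative.
    """
    tp = fp = fn = 0
    for version, truth in ground_truth.items():
        found = reported.get(version, set())
        tp += len(truth & found)
        fp += len(found - truth)
        fn += len(truth - found)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "precision": precision,
            "recall": recall, "f_measure": f_measure(precision, recall)}


def measures_from_percentages(tp_pct, fp_pct):
    """Measures from a '% TP / % FP' table such as slides 17 and 18.

    Assumption (not stated on the slides, but consistent with the slide-20
    ranking): % TP is the share of known vulnerabilities the tool detected
    (recall) and % FP the share of its reports that were false (1 - precision).
    """
    recall = tp_pct / 100.0
    precision = 1.0 - fp_pct / 100.0
    return {"precision": precision, "recall": recall,
            "f_measure": f_measure(precision, recall)}


# --- Ranking (slide 20) -----------------------------------------------------
def rank(tool_measures, criterion):
    """Tool names ordered by one criterion, best first (stable for ties)."""
    return sorted(tool_measures, key=lambda t: tool_measures[t][criterion], reverse=True)


# --- Two simulated tools (constructed behaviour, not real products) ---------
def noisy_tool(workload):
    """Flags every query of a service in every version: full recall, many FPs."""
    return {v: set(SERVICES[v.split("/")[0]]) for v in workload}


def cautious_tool(workload):
    """Flags only query q1, and only where it really is vulnerable: precise, low recall."""
    return {v: truth & {"q1"} for v, truth in workload.items()}


def benchmark():
    """Run both simulated tools through steps 2 to 4 of the procedure."""
    workload = build_workload(SERVICES)
    results = {"NoisyTool": measures(workload, noisy_tool(workload)),
               "CautiousTool": measures(workload, cautious_tool(workload))}
    rankings = {c: rank(results, c) for c in ("f_measure", "precision", "recall")}
    return results, rankings


if __name__ == "__main__":
    results, rankings = benchmark()
    for tool, m in results.items():
        print(f"{tool:13} P={m['precision']:.3f} R={m['recall']:.3f} F={m['f_measure']:.3f}")
    for criterion, order in rankings.items():
        print(f"{criterion:10} -> {' > '.join(order)}")
```

Run stand-alone, the two simulated tools swap places depending on the criterion, exactly the effect slide 20 shows for VS3 (first in precision, last in F-Measure): a benchmark user has to pick the criterion that matches the cost of a missed vulnerability versus the cost of triaging a false report before reading the ranking.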
Slide 21: Benchmark properties
- Portability
- Non-intrusiveness
- Simple to use
- Repeatability
- Representativeness
Slide 22: Conclusions and future work
- We proposed an approach to benchmark the effectiveness of vulnerability detection tools in web services
- A concrete benchmark was implemented, targeting tools able to detect SQL Injection
- A benchmarking example was conducted; results show that the benchmark can be used to assess and compare different tools
- Future work includes:
  - Extending the benchmark to other types of vulnerabilities
  - Applying the benchmarking approach to define benchmarks for other types of web services
Slide 23: Questions?
Center for Informatics and Systems, University of Coimbra
Slide 24: Benchmark representativeness
- Influenced by the representativeness of the workload, which may not be representative of all SQL Injection patterns
- However, what is important is to compare tools in a relative manner
- To verify this we replaced the workload with a real workload constituted by a small set of third-party web services
Slide 25: Benchmark representativeness (rankings on the real workload)

Inputs (vulnerability scanners)
Criteria | 1st | 2nd | 3rd | 4th
F-Measure | VS1 | VS4 | VS2 | VS3
Precision | VS3/VS4 | VS2 | VS1 |
Recall | VS1 | VS4 | VS2 | VS3

Queries (static code analyzers and anomaly detection)
Criteria | 1st | 2nd | 3rd | 4th
F-Measure | CIVS | SA2 | SA1 | SA3
Precision | CIVS | SA1 | SA2 | SA3
Recall | SA2/CIVS | SA1 | SA3 |