OUTLINE PERFORMANCE BENCHMARKING 7/23/18 SUB BENCHMARKING THE SECURITY OF SOFTWARE SYSTEMS OR TO BENCHMARK OR NOT TO BENCHMARK
|
|
- Amice Ramsey
- 5 years ago
- Views:
Transcription
1 BENCHMARKING THE SECURITY OF SOFTWARE SYSTEMS OR TO BENCHMARK OR NOT TO BENCHMARK Department of Informatics Engineering University of Coimbra - Portugal QRS 2018 Lisbon, Portugal July 19 th, 2018 BENCHMARKING according to specific quality attributes Performance benchmarking Well established both in terms of research and application Supported by organizations like TPC and SPEC Mostly for marketing Dependability benchmarking Well established from a research perspective No endorsement from the industry QRS 2018, Lisbon, Portugal, July 19 th, BENCHMARKING according to specific quality attributes Security benchmarking Several works can be found No common approach available yet Performance benchmarks Whetstone Wisconsin Bench TP1 DebitCredit Orange Book TPC & SPEC Release of commercial performance benchmarks SIGDeB CIS Common Criteria Dependability benchmarks Security benchmarks QRS 2018, Lisbon, Portugal, July 19 th, EMBC Research projects on dependability & security benchmarks OUTLINE The past: Performance & Dependability Benchmarking The present: Security Benchmarking Benchmarking the Security of Systems Approach: + Trustworthiness Assessment Example: Benchmarking Web Service Frameworks Benchmarking Security Tools Approach: Vulnerability and Attack Injection Example: Benchmarking Intrusion Detection Systems Challenges and Conclusions QRS 2018, Lisbon, Portugal, July 19 th, PERFORMANCE BENCHMARKING PERFORMANCE BENCHMARKING in terms of performance : Set of representative operations Throughput Response time Latency QRS 2018, Lisbon, Portugal, July 19 th, QRS 2018, Lisbon, Portugal, July 19 th,
2 TPC-C (1992) DEPENDABILITY BENCHMARKING DBMS considering dependability attributes : Database transactions Although some integrity tests are performed, it assumes that nothing fails Transaction rate (tpmc) Price per transaction ($/tpmc) QRS 2018, Lisbon, Portugal, July 19 th, QRS 2018, Lisbon, Portugal, July 19 th, Faultload: Faultload DEPENDABILITY BENCHMARKING Set of representative faults, injected into the system Parameters (fault rates, MTBF, etc.) Performance and/or dependability Both baseline and in the presence of faults Unconditional and/or direct Models Unconditional QRS 2018, Lisbon, Portugal, July 19 th, : Faultload TPC-C transactions Faultload: Operator faults + Software faults + HW component failures Performance: tpmc, $/tpmc, Tf, $/Tf Dependability: Ne, AvtS, AvtC DBENCH-OLTP (2005) QRS 2018, Lisbon, Portugal, July 19 th, DBENCH-OLTP (2005) DBENCH-OLTP (2005) tpmc 4000 Baseline Performance tpmc $/tpmc $ 30 Tf 4000 Performance With Faults Tf $/Tf $ A B C D E F G H I J K A B C D E F G H I J K Does not take into account malicious behaviors % Availability AvtS (Server) 100 AvtC (Clients) (faults = vulnerability + attack) Faultload: Operator faults A B C D E F G H I J K QRS 2018, Lisbon, Portugal, July 19 th, QRS 2018, Lisbon, Portugal, July 19 th,
3 SECURITY BENCHMARKING considering security aspects Benchmarking the Security of Systems / Components Systems that should implement security requirements OS, middleware, server software, etc. Benchmarking Security Tools Tools used to improve the security of systems Penetration testers, static analyzers, IDS, etc. QRS 2018, Lisbon, Portugal, July 19 th, BENCHMARKING SECURITY OF SYSTEMS Does not work if one exposure, wants mean to time benchmark between attacks, how etc.) Attackload: secure different systems are! e.g. Representative does the number attacks of vulnerabilities of a system represent anything? Performance + dependability Security (e.g., number vulnerabilities, attack detection) Attackload Attacking what? Do we know the vulnerabilities? Models What are representative attacks? Unconditional Parameters (vulnerability QRS 2018, Lisbon, Portugal, July 19 th, A DIFFERENT APPROACH A DIFFERENT APPROACH s Security s Security Acceptable Trustworthiness Assessment Security : Apply state-of-the-art techniques and tools to detect vulnerabilities s with vulnerabilities are: Disqualified! Or vulnerabilities are fixed QRS 2018, Lisbon, Portugal, July 19 th, Trustworthiness Assessment: Gather evidences on how much one can trust e.g., best coding practices, development process, bad smells QRS 2018, Lisbon, Portugal, July 19 th, A DIFFERENT APPROACH EXAMPLE: WEB SERVICE FRAMEWORKS s Security Acceptable Trustworthiness Assessment WSFs (testing) Acceptable Assessment (CPU + mem.) Trust. Score Portray trust from a user perspective Dynamic: may change over time Depend on the type of evidences gathered Different for different attack vectors QRS 2018, Lisbon, Portugal, July 19 th, DoS Attacks Coercive Parsing, Malformed XML, Malicious Attachment, etc. Trustworthiness Assessment: Quality model to compute a score QRS 2018, Lisbon, Portugal, July 19 th,
4 QUALITY MODEL SYSTEMS UNDER BENCHMARKING QRS 2018, Lisbon, Portugal, July 19 th, QRS 2018, Lisbon, Portugal, July 19 th, TRUSTWORTHINESS RESULTS BENCHMARKING SECURITY TOOLS Faultload (vulnerabilities + attacks) Data Sec. Tool Faultload: Vulnerabilities are injected Attacks target the injected vulnerabilities Data can be collected for benchmarking security tools Penetration testers, static analyzers, IDS, etc. QRS 2018, Lisbon, Portugal, July 19 th, QRS 2018, Lisbon, Portugal, July 19 th, VULNERABILITY AND ATTACK INJECTION EXAMPLE: BENCHMARKING IDS Security requires a defense in depth approach Coding best practices Testing Static analysis Vulnerability-free code is hard (or even impossible) to achieve... Intrusion detection tools support a post-deployment approach For protecting against known and unknown attacks QRS 2018, Lisbon, Portugal, July 19 th, QRS 2018, Lisbon, Portugal, July 19 th,
5 EVALUATION APPROACH EXAMPLES OF VULNERABILITIES INJECTED Original PHP code Code with injected vulnerability Operation performed $id=intval($_get['id']); $id=$_get['id']; Removed the intval function allowing also non numeric values (i.e. SQL commands) in the $id variable $page = urlencode($page); $page = $page; Removed the urlencode function allowing also alphanumeric values (i.e. SQL commands) in the $page variable QRS 2018, Lisbon, Portugal, July 19 th, QRS 2018, Lisbon, Portugal, July 19 th, EXAMPLES OF ATTACKS SYSTEMS UNDER BENCHMARKING Attack payloads Expected result ' Modifies the structure of the query; usually results in an error or 1=1 Modifies the structure of the query. Overrides the query restrictions by adding a statement that is always true. ' or 'a'='a Modifies the structure of the query. Overrides the query restrictions by adding a statement that is always true. +connection_id()- connection_id() Modifies the query result to Modifies the query result to ASCII('A') Modifies the query result to ASCII(1) Modifies the query result to 0 Tool Architectural Level monitored Detection Approach Data Source Known Technology Limitations ACD Application Anomaly Based Apache Log Only GET method Apache Scalp Application Signature Based Apache Log Only GET method ModSecurity Application Signature Based HTTP traffic - Snort (v2.8 and Network Network Signature Based v2.9) Trafic - GreenSQL Database Signature Based SQL Proxy Trafic MySQL data DB IDS Database Anomaly Based SQL Sniffer Trafic MySQL and Oracle data QRS 2018, Lisbon, Portugal, July 19 th, QRS 2018, Lisbon, Portugal, July 19 th, EXPERIMENTAL SETUP MAIN RESULTS lvl DB Net App Tool P N Pop TP TN FN FP ACD Scalp ModSecurity Review Snort GreenSQL All Reported Prec. Recall Mark. Infor. DB IDS Net Snort QRS 2018, Lisbon, Portugal, July 19 th, QRS 2018, Lisbon, Portugal, July 19 th,
6 WHAT IS WRONG? FIXED! Established benchmarks are mostly for marketing! Strict benchmarking conditions Activation Fixed workload & faultload + Small set of & faultload: May not be representative of the user scenario Fixed! May not satisfy the user needs Decision based on several is difficult! No security benchmark endorsed by any organization or industry QRS 2018, Lisbon, Portugal, July 19 th, Example: Fixed! Benchmarking vulnerability detection tools Typical metric: F-Measure Is this good in all scenarios? Business critical: recall Best effort: F-Measure Minimum effort: Markedness QRS 2018, Lisbon, Portugal, July 19 th, A POTENTIAL APPROACH SCENARIOS AND QUALITY MODELS Benchmarking conditions adaptable to the user needs Include multiple usage scenarios: depend on the scenario Adaptable workload and faultload Use quality models instead of independent Quality models should also adapt to the scenario How to define scenarios? How to define quality models? How to adapt workloads and faultloads to the scenarios? QRS 2018, Lisbon, Portugal, July 19 th, QRS 2018, Lisbon, Portugal, July 19 th, Satisfy industry requirements Representativeness, portability, scalability, nonintrusiveness, low cost, Prevent gaming CHALLENGES Satisfy user requirements Representativeness, usefulness, simplicity of use Adaptable allow gaming Endorsement by TPC, SPEC, How to? Resilience Benchmarking IS THERE A FUTURE? Assess and compare the behavior of components and computer systems when subjected to changes Which resilience? Comparable, consistent, understandable, meaningful, Changeloads: Representative, practical, portable, Trustworthiness Benchmarking What evidences to collect? What? Dynamicity of perception social trust... QRS 2018, Lisbon, Portugal, July 19 th, QRS 2018, Lisbon, Portugal, July 19 th,
7 7/23/18 CONCLUSIONS QUESTIONS? The benchmarking concept is well established! Department of Informatics Engineering University of Coimbra Acceptance by big industry depends on perceived utility for marketing Acceptance by users requires adaptability From a research perspective, performance and dependability benchmarking are well known Security benchmarking approaches are weak New types of benchmarks will bring additional challenges! QRS 2018, Lisbon, Portugal, July 19th, QRS 2018, Lisbon, Portugal, July 19th,
Effective Detection of SQL/XPath Injection Vulnerabilities in Web Services
SCC 2009 Effective Detection of SQL/XPath Injection Vulnerabilities in Web Services Nuno Antunes, Nuno Laranjeiro,, Henrique Madeira {nmsa, cnl, mvieira, henrique}@dei.uc.pt CISUC Department of Informatics
More informationBenchmarking Vulnerability Detection Tools for Web Services
Benchmarking Vulnerability Detection Tools for Web Services, Marco Vieira {nmsa, mvieira}@dei.uc.pt ICWS 2010 CISUC Department of Informatics Engineering University of Coimbra, Portugal Outline The problem
More informationComparing SQL Injection Detection Tools Using Attack Injection: An Experimental Study
Comparing SQL Injection Detection Tools Using Attack Injection: An Experimental Study Ivano Alessandro Elia Department for Technologies, University of Naples Parthenope Naples, Italy ivano.elia@uniparthenope.it
More informationThe Devils Behind Web Application Vulnerabilities
The Devils Behind Web Application Vulnerabilities Defending against Web Application Vulnerabilities IEEE Computer, February 2012 Nuno Antunes, Marco Vieira {nmsa, mvieira}@dei.uc.pt Postgrad Colloquium
More informationWTF. Amichai Shulman, CTO Yaniv Azaria, Security Research TL
WTF Amichai Shulman, CTO Yaniv Azaria, Security Research TL Imperva, the Imperva logo and SecureSphere are trademarks of Imperva, Inc. 1 Amichai Shulman CTO Imperva 20 year information security veteran
More informationWorkshop on Dependability Benchmarking. 39th Meeting of IFIP Working Group 10.4, Parati, Brazil, March 1-3, 2001
Workshop on Dependability Benchmarking 39th Meeting of IFIP Working Group 10.4, Parati, Brazil, March 1-3, 2001 Wrap up Dependability benchmarking problem space Session 1 - Dependability Benchmarking Approaches
More informationCity, University of London Institutional Repository
City Research Online City, University of London Institutional Repository Citation: Algaith, A., Elia, I. A., Gashi, I. & Vieira, M. R. (207). Diversity with Intrusion Detection Systems: An Empirical Study.
More informationDatabase Replication in Tashkent. CSEP 545 Transaction Processing Sameh Elnikety
Database Replication in Tashkent CSEP 545 Transaction Processing Sameh Elnikety Replication for Performance Expensive Limited scalability DB Replication is Challenging Single database system Large, persistent
More informationDBench Project (Dependability Benchmarking)
DBench Project (Dependability Benchmarking) European IST Program IST-2000-25425 Karama Kanoun 39th Meeting IFIP Working Group 10.4 Paraty, Brazil 28 February- 3 March, 2001 Consortium! Partners Chalmers
More informationTransaction Processing Performance Council (TPC) TPC Overview
Transaction Processing Performance Council (TPC) Intro Welcome Thanks to Oracle Thanks to Klaus Thielen for reaching out to so many of you in a short time. TPC Mission The TPC is a non-profit corporation
More informationVulnerability & Attack Injection for Web Applications
Vulnerability & Attack Injection for Web Applications José Fonseca Marco Vieira Henrique Madeira DSN, Estoril, Portugal, 30/06/2009 University of Coimbra, Portugal Presentation Outline Research problem
More informationEngineering Your Software For Attack
Engineering Your Software For Attack Robert A. Martin Senior Principal Engineer Cyber Security Center Center for National Security The MITRE Corporation 2013 The MITRE Corporation. All rights reserved.
More informationDisclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme
NET3420BU Introducing VMware s Transformative Data Center Endpoint Security Solution Vijay Ganti Director, Product Management VMware Christopher Frenz Director of Infrastructure Interfaith Medical Center
More informationCIS 700/002 : Special Topics : OWASP ZED (ZAP)
CIS 700/002 : Special Topics : OWASP ZED (ZAP) Hitali Sheth CIS 700/002: Security of EMBS/CPS/IoT Department of Computer and Information Science School of Engineering and Applied Science University of
More informationProtecting Database Centric Web Services Against SQL/XPath Injection Attacks
Protecting Database Centric Web Services Against SQL/XPath Injection Attacks Nuno Laranjeiro, Marco Vieira, Henrique Madeira CISUC, Department of Informatics Engineering University of Coimbra, Portugal
More informationAnomaly Detection in Communication Networks
Anomaly Detection in Communication Networks Prof. D. J. Parish High Speed networks Group Department of Electronic and Electrical Engineering D.J.Parish@lboro.ac.uk Loughborough University Overview u u
More informationn Explain penetration testing concepts n Explain vulnerability scanning concepts n Reconnaissance is the first step of performing a pen test
Chapter Objectives n Explain penetration testing concepts n Explain vulnerability scanning concepts Chapter #4: Threats, Attacks, and Vulnerabilities Vulnerability Scanning and Penetration Testing 2 Penetration
More informationNOSQL DATABASE SYSTEMS: DECISION GUIDANCE AND TRENDS. Big Data Technologies: NoSQL DBMS (Decision Guidance) - SoSe
NOSQL DATABASE SYSTEMS: DECISION GUIDANCE AND TRENDS h_da Prof. Dr. Uta Störl Big Data Technologies: NoSQL DBMS (Decision Guidance) - SoSe 2017 163 Performance / Benchmarks Traditional database benchmarks
More informationACS / Computer Security And Privacy. Fall 2018 Mid-Term Review
ACS-3921-001/4921-001 Computer Security And Privacy Fall 2018 Mid-Term Review ACS-3921/4921-001 Slides Used In The Course A note on the use of these slides: These slides has been adopted and/or modified
More informationBIG-IP Application Security Manager : Getting Started. Version 12.1
BIG-IP Application Security Manager : Getting Started Version 12.1 Table of Contents Table of Contents Introduction to Application Security Manager...5 What is Application Security Manager?...5 When to
More informationNext-Generation Cloud Platform
Next-Generation Cloud Platform Jangwoo Kim Jun 24, 2013 E-mail: jangwoo@postech.ac.kr High Performance Computing Lab Department of Computer Science & Engineering Pohang University of Science and Technology
More informationCrescando: Predictable Performance for Unpredictable Workloads
Crescando: Predictable Performance for Unpredictable Workloads G. Alonso, D. Fauser, G. Giannikis, D. Kossmann, J. Meyer, P. Unterbrunner Amadeus S.A. ETH Zurich, Systems Group (Funded by Enterprise Computing
More informationAn Anomaly-Based Intrusion Detection System for the Smart Grid Based on CART Decision Tree
An Anomaly-Based Intrusion Detection System for the Smart Grid Based on CART Decision Tree P. Radoglou-Grammatikis and P. Sarigiannidis* University of Western Macedonia Department of Informatics & Telecommunications
More informationM2M / IoT Security. Eurotech`s Everyware IoT Security Elements Overview. Robert Andres
M2M / IoT Security Eurotech`s Everyware IoT Security Elements Overview Robert Andres 23. September 2015 The Eurotech IoT Approach : E2E Overview Application Layer Analytics Mining Enterprise Applications
More informationSecuring Web Applications. Architecture Alternatives. Web Application Security Roadmap. Defense in Depth. Defense in Depth
V User Terminal Key Secure Storage Personal Computers AntiVirus Certificate Mgmt Authority :::::: Multiplexor Securing Web Applications Jennifer L. Bayuk jennifer@bayuk.com www.bayuk.com 1 Mainframe Wireless
More informationDetecting malicious SQL
Detecting malicious SQL José Fonseca 1, Marco Vieira 2, Henrique Madeira 2 1 ESTG-ISUC, University of Coimbra, Portugal josefonseca@mail.telepac.pt 2 CISUC, University of Coimbra, Portugal {mvieira, henrique}@dei.uc.pt
More informationSecuring Production Applications & Data at Runtime. Prevoty
Securing Production Applications & Data at Runtime Prevoty Introducing Prevoty Scalable visibility and protection for all applications and services 20+ 3 Over Verticals: Awards & Recognitions Years in
More informationTrustwave Managed Security Testing
Trustwave Managed Security Testing SOLUTION OVERVIEW Trustwave Managed Security Testing (MST) gives you visibility and insight into vulnerabilities and security weaknesses that need to be addressed to
More informationIntroduction to Database Services
Introduction to Database Services Shaun Pearce AWS Solutions Architect 2015, Amazon Web Services, Inc. or its affiliates. All rights reserved Today s agenda Why managed database services? A non-relational
More informationMemTest: A Novel Benchmark for In-memory Database
MemTest: A Novel Benchmark for In-memory Database Qiangqiang Kang, Cheqing Jin, Zhao Zhang, Aoying Zhou Institute for Data Science and Engineering, East China Normal University, Shanghai, China 1 Outline
More information6 MILLION AVERAGE PAY. CYBER Security. How many cyber security professionals will be added in 2019? for popular indursty positions are
PROGRAM Objective Cyber Security is the most sought after domain, and NASSCOM projects a requirment of over 1 million trained professionals by 2025. Tevel training program is an industry & employability
More informationAdvanced Diploma on Information Security
Course Name: Course Duration: Prerequisites: Course Fee: Advanced Diploma on Information Security 300 Hours; 12 Months (10 Months Training + 2 Months Project Work) Candidate should be HSC Pass & Basic
More informationVOLTDB + HP VERTICA. page
VOLTDB + HP VERTICA ARCHITECTURE FOR FAST AND BIG DATA ARCHITECTURE FOR FAST + BIG DATA FAST DATA Fast Serve Analytics BIG DATA BI Reporting Fast Operational Database Streaming Analytics Columnar Analytics
More informationRBS OpenEMR Multisite Setup Improper Access Restriction Remote Code Execution of 5
RBS-2017-001 OpenEMR Multisite Setup Improper Access Restriction Remote Code Execution 2018-03-22 1 of 5 Vendor / Product Information OpenEMR is a Free and Open Source electronic health records and medical
More informationManaging Latency in IPS Networks
Revision C McAfee Network Security Platform (Managing Latency in IPS Networks) Managing Latency in IPS Networks McAfee Network Security Platform provides you with a set of pre-defined recommended settings
More informationIDS: Signature Detection
IDS: Signature Detection Idea: What is bad, is known What is not bad, is good Determines whether a sequence of instructions being executed is known to violate the site security policy Signatures: Descriptions
More informationIBM Next Generation Intrusion Prevention System
IBM Next Generation Intrusion Prevention System Fadly Yahaya SWAT Optimizing the World s Infrastructure Oct 2012 Moscow 2012 IBM Corporation Please note: IBM s statements regarding its plans, directions,
More informationExcerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt
Excerpts of Web Application Security focusing on Data Validation adapted for F.I.S.T. 2004, Frankfurt by fs Purpose of this course: 1. Relate to WA s and get a basic understanding of them 2. Understand
More informationSymantec Ransomware Protection
Symantec Ransomware Protection Protection Against Ransomware Defense in depth across all control points is required to stop ransomware @ Email Symantec Email Security.cloud, Symantec Messaging Gateway
More informationChapter 9. Firewalls
Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential Effective means of protecting LANs Inserted between the premises network and the Internet to establish a controlled link however
More informationMicrosoft SDL 한국마이크로소프트보안프로그램매니저김홍석부장. Security Development Lifecycle and Building Secure Applications
Release Conception Microsoft SDL Security Development Lifecycle and Building Secure Applications KRnet 2010 2010. 6. 22. 한국마이크로소프트보안프로그램매니저김홍석부장 Hongseok.Kim@microsoft.com Agenda Applications under Attack
More informationWeb insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.
Web Security Web Programming Uta Priss ZELL, Ostfalia University 2013 Web Programming Web Security Slide 1/25 Outline Web insecurity Security strategies General security Listing of server-side risks Language
More informationIBM. OA VTAM 3270 Intrusion Detection Services - Overview, Considerations, and Assessment (Prerequisite) z/os Communications Server
z/os Communications Server IBM OA49911 - VTAM 3270 Intrusion Detection Services - Overview, Considerations, and Assessment (Prerequisite) Version 2 Release 2 Note: Links to related publications are from
More informationGOING WHERE NO WAFS HAVE GONE BEFORE
GOING WHERE NO WAFS HAVE GONE BEFORE Andy Prow Aura Information Security Sam Pickles Senior Systems Engineer, F5 Networks NZ Agenda: WTF is a WAF? View from the Trenches Example Attacks and Mitigation
More informationCIS-CAT Pro Dashboard Documentation
CIS-CAT Pro Dashboard Documentation Release 1.0.0 Center for Internet Security February 03, 2017 Contents 1 CIS-CAT Pro Dashboard User s Guide 1 1.1 Introduction...............................................
More informationLecture 12. Application Layer. Application Layer 1
Lecture 12 Application Layer Application Layer 1 Agenda The Application Layer (continue) Web and HTTP HTTP Cookies Web Caches Simple Introduction to Network Security Various actions by network attackers
More informationAdvanced Security Tester Course Outline
Advanced Security Tester Course Outline General Description This course provides test engineers with advanced skills in security test analysis, design, and execution. In a hands-on, interactive fashion,
More informationAnalyzing Huge Data for Suspicious Traffic. Christian Landström, Airbus DS
Analyzing Huge Data for Suspicious Traffic Christian Landström, Airbus DS Topics - Overview on security infrastructure - Strategies for network defense - A look at malicious traffic incl. Demos - How Wireshark
More informationUnderstanding the latent value in all content
Understanding the latent value in all content John F. Kennedy (JFK) November 22, 1963 INGEST ENRICH EXPLORE Cognitive skills Data in any format, any Azure store Search Annotations Data Cloud Intelligence
More informationVulnerability Assessment. Detection. Aspects of Assessment. 1. Asset Identification. 1. Asset Identification. How Much Danger Am I In?
Detection Vulnerability Assessment Week 4 Part 2 How Much Danger Am I In? Vulnerability Assessment Aspects of Assessment Vulnerability Assessment is a systematic evaluation of asset exposure to threats
More informationShiftLeft. Real-World Runtime Protection Benchmarking
ShiftLeft Real-World Runtime Protection Benchmarking Table of Contents Executive Summary... 02 Testing Approach... 02 ShiftLeft Technology... 04 Test Application... 06 Results... 07 SQL injection exploits
More informationFoglight. Resolving the Database Performance. Finding clues in your DB2 LUW workloads
Foglight Resolving the Database Performance Blame Game Finding clues in your DB2 LUW workloads Agenda Introductions Database Monitoring Techniques Understand normal (baseline) behavior Compare DB2 instance,
More informationTPCX-BB (BigBench) Big Data Analytics Benchmark
TPCX-BB (BigBench) Big Data Analytics Benchmark Bhaskar D Gowda Senior Staff Engineer Analytics & AI Solutions Group Intel Corporation bhaskar.gowda@intel.com 1 Agenda Big Data Analytics & Benchmarks Industry
More informationWeb Security Vulnerabilities: Challenges and Solutions
Web Security Vulnerabilities: Challenges and Solutions A Tutorial Proposal for ACM SAC 2018 by Dr. Hossain Shahriar Department of Information Technology Kennesaw State University Kennesaw, GA 30144, USA
More informationIntrusion Detection Systems (IDS)
Intrusion Detection Systems (IDS) Presented by Erland Jonsson Department of Computer Science and Engineering Intruders & Attacks Cyber criminals Activists State-sponsored organizations Advanced Persistent
More informationCertified Secure Web Application Engineer
Certified Secure Web Application Engineer ACCREDITATIONS EXAM INFORMATION The Certified Secure Web Application Engineer exam is taken online through Mile2 s Assessment and Certification System ( MACS ),
More informationData 101 Which DB, When. Joe Yong Azure SQL Data Warehouse, Program Management Microsoft Corp.
Data 101 Which DB, When Joe Yong (joeyong@microsoft.com) Azure SQL Data Warehouse, Program Management Microsoft Corp. The world is changing AI increased by 300% in 2017 Data will grow to 44 ZB in 2020
More informationACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems
ACS-3921/4921-001 Computer Security And Privacy Chapter 9 Firewalls and Intrusion Prevention Systems ACS-3921/4921-001 Slides Used In The Course A note on the use of these slides: These slides has been
More informationWho am I? Sandro Gauci and EnableSecurity Over 8 years in the security industry Published security research papers Tools - SIPVicious and SurfJack
Who am I? Sandro Gauci and EnableSecurity Over 8 years in the security industry Published security research papers Tools - SIPVicious and SurfJack Web Application Firewall Shortcomings The presentation
More informationConfiguring BIG-IP ASM v12.1 Application Security Manager
Course Description Configuring BIG-IP ASM v12.1 Application Security Manager Description The BIG-IP Application Security Manager course gives participants a functional understanding of how to deploy, tune,
More informationNOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect
NOTHING IS WHAT IT SIEMs: COVER PAGE Simpler Way to Effective Threat Management TEMPLATE Dan Pitman Principal Security Architect Cybersecurity is harder than it should be 2 SIEM can be harder than it should
More informationMetrics, Methods and Tools to Measure Security and Trustworthiness
Metrics, Methods and Tools to Measure Security and Trustworthiness Henrique Madeira, University of Coimbra, Portugal Doctoral Symposium in Informatics Engineering FEUP, January 28 th - 29 th, 2010 University
More informationForensic Network Analysis in the Time of APTs
SharkFest 16 Forensic Network Analysis in the Time of APTs June 16th 2016 Christian Landström Senior IT Security Consultant Airbus Defence and Space CyberSecurity Topics - Overview on security infrastructure
More informationWHITE PAPER. AirGap. The Technology That Makes Isla a Powerful Web Malware Isolation System
AirGap The Technology That Makes Isla a Powerful Web Malware Isolation System Introduction Web browsers have become a primary target for cyber attacks on the enterprise. If you think about it, it makes
More informationImprove Web Application Performance with Zend Platform
Improve Web Application Performance with Zend Platform Shahar Evron Zend Sr. PHP Specialist Copyright 2007, Zend Technologies Inc. Agenda Benchmark Setup Comprehensive Performance Multilayered Caching
More informationDoes the TPC still have relevance? H. Reza Taheri HPTS 2017, 9-Oct-2017
Does the TPC still have relevance? H. Reza Taheri HPTS 2017, 9-Oct-2017 2016 VMware Inc. All rights reserved. Outline History of the TPC Where things stand today Why the decline? The way forward Not gonna
More informationFit for Purpose Platform Positioning and Performance Architecture
Fit for Purpose Platform Positioning and Performance Architecture Joe Temple IBM Monday, February 4, 11AM-12PM Session Number 12927 Insert Custom Session QR if Desired. Fit for Purpose Categorized Workload
More informationPositive Security Model for Web Applications, Challenges. Ofer Shezaf OWASP IL Chapter leader CTO, Breach Security
Positive Security Model for Web Applications, Challenges and Promise Ofer Shezaf OWASP IL Chapter leader CTO, Breach Security Introduction Breach Security, Inc. Breach Security is the market leader in
More informationDatabase Security Service. Service Overview. Issue 16 Date HUAWEI TECHNOLOGIES CO., LTD.
Issue 16 Date 2019-03-08 HUAWEI TECHNOLOGIES CO., LTD. Copyright Huawei Technologies Co., Ltd. 2019. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any
More informationGoing Without CPU Patches on Oracle E-Business Suite 11i?
Going Without CPU Patches on E-Business Suite 11i? September 17, 2013 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development Integrigy Corporation About
More informationEC-Council V9 Exam
Volume: 203 Questions Question: 1 TCP/IP model is a framework for the Internet Protocol suite of computer network protocols that defines the communication in an IP-based network. It provides end-to-end
More informationVulnerability Assessment with Application Security
Vulnerability Assessment with Application Security Targeted attacks are growing and companies are scrambling to protect critical web applications. Both a vulnerability scanner and a web application firewall
More informationWhat to Look for When Evaluating Next-Generation Firewalls
What to Look for When Evaluating Next-Generation Firewalls Using independent tests to compare performance, cost and functionality Table of Contents Why Use Independent Tests in Evaluations?... 3 What to
More informationCoreMax Consulting s Cyber Security Roadmap
CoreMax Consulting s Cyber Security Roadmap What is a Cyber Security Roadmap? The CoreMax consulting cyber security unit has created a simple process to access the unique needs of each client and allows
More information745: Advanced Database Systems
745: Advanced Database Systems Yanlei Diao University of Massachusetts Amherst Outline Overview of course topics Course requirements Database Management Systems 1. Online Analytical Processing (OLAP) vs.
More informationCopyright 2018, Oracle and/or its affiliates. All rights reserved.
Beyond SQL Tuning: Insider's Guide to Maximizing SQL Performance Monday, Oct 22 10:30 a.m. - 11:15 a.m. Marriott Marquis (Golden Gate Level) - Golden Gate A Ashish Agrawal Group Product Manager Oracle
More informationApplication Security Use Cases. RASP, WAF, NGWAF, What The Hell is The Difference.
Application Security Use Cases RASP, WAF, NGWAF, What The Hell is The Difference. Acronym Soup July 29, 2016 2 July 29, 2016 3 Definition of Terms WAF Web Application Firewall / waf / noun 1. An appliance,
More informationSQL Server Everything built-in
2016 Everything built-in 2016: Everything built-in built-in built-in built-in built-in built-in $2,230 80 70 60 50 43 69 49 40 30 20 10 0 34 6 0 1 29 4 22 20 15 5 0 0 2010 2011 2012 2013 2014 2015 18 3
More informationThe Top 6 WAF Essentials to Achieve Application Security Efficacy
The Top 6 WAF Essentials to Achieve Application Security Efficacy Introduction One of the biggest challenges IT and security leaders face today is reducing business risk while ensuring ease of use and
More informationSample Exam ISTQB Advanced Test Analyst Answer Rationale. Prepared By
Sample Exam ISTQB Advanced Test Analyst Answer Rationale Prepared By Released March 2016 TTA-1.3.1 (K2) Summarize the generic risk factors that the Technical Test Analyst typically needs to consider #1
More informationPerformance Evaluation of Virtualization Technologies
Performance Evaluation of Virtualization Technologies Saad Arif Dept. of Electrical Engineering and Computer Science University of Central Florida - Orlando, FL September 19, 2013 1 Introduction 1 Introduction
More informationData Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle
Data Security and Privacy : Compliance to Stewardship Jignesh Patel Solution Consultant,Oracle Agenda Connected Government Security Threats and Risks Defense In Depth Approach Summary Connected Government
More informationTransaction Processing Performance Council. Past, Present, Future
Transaction Processing Performance Council Past, Present, Future June 2008 Past: Industry Prior to TPC Formation 1980 ATMs and end-user interaction with databases spur an industry transformation from batch
More informationA Resource Contention Analysis Framework for Diagnosis of Application Performance Anomalies in Consolidated Cloud Environments
A Resource Contention Analysis Framework for Diagnosis of Application Performance Anomalies in Consolidated Cloud Environments Tatsuma Matsuki, Naoki Matsuoka Fujitsu Laboratories LTD. ICPE 206.3.2-6 Copyright
More informationCh. 7: Benchmarks and Performance Tests
Ch. 7: Benchmarks and Performance Tests Kenneth Mitchell School of Computing & Engineering, University of Missouri-Kansas City, Kansas City, MO 64110 Kenneth Mitchell, CS & EE dept., SCE, UMKC p. 1/3 Introduction
More informationConfiguring User Defined Patterns
The allows you to create customized data patterns which can be detected and handled according to the configured security settings. The uses regular expressions (regex) to define data type patterns. Custom
More informationCMU SCS CMU SCS Who: What: When: Where: Why: CMU SCS
Carnegie Mellon Univ. Dept. of Computer Science 15-415/615 - DB s C. Faloutsos A. Pavlo Lecture#23: Distributed Database Systems (R&G ch. 22) Administrivia Final Exam Who: You What: R&G Chapters 15-22
More informationCOURSE 20487B: DEVELOPING WINDOWS AZURE AND WEB SERVICES
ABOUT THIS COURSE In this course, students will learn how to design and develop services that access local and remote data from various data sources. Students will also learn how to develop and deploy
More informationCheck Point DDoS Protector Introduction
Check Point DDoS Protector Introduction Petr Kadrmas SE Eastern Europe pkadrmas@checkpoint.com Agenda 1 (D)DoS Trends 2 3 4 DDoS Protector Overview Protections in Details Summary 2 (D)DoS Attack Methods
More information"GET /cgi-bin/purchase?itemid=109agfe111;ypcat%20passwd mail 200
128.111.41.15 "GET /cgi-bin/purchase? itemid=1a6f62e612&cc=mastercard" 200 128.111.43.24 "GET /cgi-bin/purchase?itemid=61d2b836c0&cc=visa" 200 128.111.48.69 "GET /cgi-bin/purchase? itemid=a625f27110&cc=mastercard"
More informationPredictive malware response testing methodology. Contents. 1.0 Introduction. Methodology version 1.0; Created 17/01/2018
Predictive malware response testing methodology Methodology version 1.0; Created 17/01/2018 Contents Contents... 1 1.0 Introduction... 1 2.0 Test framework... 2 3.0 Threat selection and management... 3
More informationExploit Vulnerabilities of LAMP Based Web Applications in DETERlab
Exploit Vulnerabilities of LAMP Based Web Applications in DETERlab Jacob M. Hadden Computer Science Texas A&M University - Corpus Christi jhadden@islander.tamucc.edu Graduate Mentor: Jia Bai and Xiaowei
More informationHow were the Credit Card Numbers Published on the Web? February 19, 2004
How were the Credit Card Numbers Published on the Web? February 19, 2004 Agenda Security holes? what holes? Should I worry? How can I asses my exposure? and how can I fix that? Q & A Reference: Resources
More informationLogging. Steven M. Bellovin December 6,
Logging Steven M. Bellovin December 6, 2009 1 Shadow Hawk Shadow Hawk Busted Again As many of you know, Shadow Hawk (a/k/a Shadow Hawk 1) had his home searched by agents of the FBI... When he was tagged
More informationAppendix D: Storage Systems (Cont)
Appendix D: Storage Systems (Cont) Instructor: Josep Torrellas CS433 Copyright Josep Torrellas 1999, 2001, 2002, 2013 1 Reliability, Availability, Dependability Dependability: deliver service such that
More informationOracle Exadata: Strategy and Roadmap
Oracle Exadata: Strategy and Roadmap - New Technologies, Cloud, and On-Premises Juan Loaiza Senior Vice President, Database Systems Technologies, Oracle Safe Harbor Statement The following is intended
More informationConceptual Modeling on Tencent s Distributed Database Systems. Pan Anqun, Wang Xiaoyu, Li Haixiang Tencent Inc.
Conceptual Modeling on Tencent s Distributed Database Systems Pan Anqun, Wang Xiaoyu, Li Haixiang Tencent Inc. Outline Introduction System overview of TDSQL Conceptual Modeling on TDSQL Applications Conclusion
More informationBypassing Web Application Firewalls
Bypassing Web Application Firewalls an approach for pentesters KHALIL BIJJOU SECURITY CONSULTANT 17 th November 2017 BYPASSING A WAF WHY? Number of deployed Web Application Firewalls (WAFs) is increasing
More informationCSWAE Certified Secure Web Application Engineer
CSWAE Certified Secure Web Application Engineer Overview Organizations and governments fall victim to internet based attacks every day. In many cases, web attacks could be thwarted but hackers, organized
More information01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED
01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED Contents 1. Introduction 3 2. Security Testing Methodologies 3 2.1 Internet Footprint Assessment 4 2.2 Infrastructure Assessments
More information