Web App Testing: RECON. MAPPING. ANALYSIS.

Similar documents
TestBraindump. Latest test braindump, braindump actual test

Practical Guide to Securing the SDLC

CSWAE Certified Secure Web Application Engineer

RiskSense Attack Surface Validation for Web Applications

CyberArk Privileged Threat Analytics

Certified Secure Web Application Engineer

Overview of Web Application Security and Setup

Web Application Penetration Testing

TRAINING CURRICULUM 2017 Q2

Brochure. Security. Fortify on Demand Dynamic Application Security Testing

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

PRACTICAL SECURITY PRINCIPLES FOR THE WORKING ARCHITECT. Eoin Woods,

Instructor-led Training Course Catalog

90% of data breaches are caused by software vulnerabilities.

Continuously Discover and Eliminate Security Risk in Production Apps

How NOT To Get Hacked

Risk Intelligence. Quick Start Guide - Data Breach Risk

security mindfulness dwayne.

LIPPU-API: Security Considerations

Understanding Perimeter Security

Security. SWE 432, Fall 2017 Design and Implementation of Software for the Web

OWASP InfoSec Romania 2013

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

IT Security Training MS-500: Microsoft 365 Security Administration. Upcoming Dates. Course Description. Course Outline $2,

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Symantec Security Monitoring Services

Defense in Depth. Constructing Your Walls for Your Enterprise. Mike D Arezzo Director of Security April 21, 2016

Run the business. Not the risks.

Vulnerability Assessment with Application Security

.NET JAVA C ASE. Certified. Certified. Application Security Engineer.

CompTIA Advanced Security Practitioner (CASP) (Exam CAS-001)

AGILE AND CONTINUOUS THREAT MODELS

ANATOMY OF AN ATTACK!

N different strategies to automate OWASP ZAP

CASP CompTIA Advanced Security Practitioner Study Guide: (Exam CAS-001)

C1: Define Security Requirements

The requirements were developed with the following objectives in mind:

Managing Microsoft 365 Identity and Access

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

ESCALATING INSIDER THREATS USING VMWARE'S API

OWASP Application Security Verification Standard (ASVS) Web Application Edition OWASP 03/09. The OWASP Foundation

OWASP ESAPI SwingSet. OWASP 26 April Fabio Cerullo Ireland Chapter Leader Global Education Committee

Professional Services Overview

RMS(one) Solutions PROGRESSIVE SECURITY FOR MISSION CRITICAL SOLUTIONS

SECURITY TESTING. Towards a safer web world

FISMA Cybersecurity Performance Metrics and Scoring

Combating Today s Cyber Threats Inside Look at McAfee s Security

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

CNIT 129S: Securing Web Applications. Ch 8: Attacking Access Controls

Developing Secure Applications with OWASP OWASP. The OWASP Foundation Martin Knobloch

A Risk Management Platform

Cyber Security - Information Security & Testing

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Cyber Security Audit & Roadmap Business Process and

Introducing Cyber Observer

DevOps Anti-Patterns. Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! COPYRIGHT 2019 MANICODE SECURITY

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

IoT & SCADA Cyber Security Services

10 FOCUS AREAS FOR BREACH PREVENTION

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Security Readiness Assessment

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Doxxing, Dissidents, And. Digital Extortion. Fortify Your Digital Risk Defenses. Nick Hayes, Senior Analyst

Discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches

Training Program Catalog SECURITY INNOVATION

Best Practices in Securing a Multicloud World

OWASP TOP 10 vs OWASP ASVS. Joe Blanchard St. Louis OWASP Chapter

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Fortify Software Security Content 2017 Update 4 December 15, 2017

standards and frameworks and controls oh my! Mike Garcia Senior Advisor for Elections Best Practices

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

Critical Hygiene for Preventing Major Breaches

W H IT E P A P E R. Salesforce Security for the IT Executive

86% of websites has at least 1 vulnerability and an average of 56 per website WhiteHat Security Statistics Report 2013

Copyright

SECURITY TRAINING SECURITY TRAINING

Web Security School Lesson 3 Locking down your Web applications

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

Shortcut guide to Web application firewall deployment

2017 Annual Meeting of Members and Board of Directors Meeting

empow s Security Platform The SIEM that Gives SIEM a Good Name

Application security : going quicker

Avoiding an Information Security Mismanagement Program through Fundamentals. Bill Curtis, SynerComm

Whiteboard Hacking / Hands-on Threat Modeling. Introduction

Improving Security in the Application Development Life-cycle

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

align security instill confidence

RiskSense Attack Surface Validation for IoT Systems

Going Without CPU Patches on Oracle E-Business Suite 11i?

MOBILE THREAT LANDSCAPE. February 2018

OWASP CISO Survey Report 2015 Tactical Insights for Managers

EMERGING THREATS & STRATEGIES FOR DEFENSE. Paul Fletcher Cyber Security

Aguascalientes Local Chapter. Kickoff

Changing face of endpoint security

The 3 Pillars of SharePoint Security

RSA INCIDENT RESPONSE SERVICES

IEEE Sec Dev Conference

Transcription:

www.pandoralabs.net Expert Advice. Experience Advantage. Proactive Security Solutions Through Cutting-Edge Research. Web App Testing: RECON. MAPPING. ANALYSIS. By @isaacsabas

We are a Security-as-a-Service company Expert Advice. Experience Advantage. Proactive Security Solutions Through Cutting-Edge Research. www.pandoralabs.net Providing businesses with on-demand threat detection & intelligence capabilities to secure their IT infrastructure, 24x7. We Make IT Secure PANDORA SECURITY LABS Who we are. Why we exist.

#pandorasecurity WEB APPLICATION TESTING RECON MAPPING ANALYSIS

#pandorasecurity Recon Analysis Homework Mapping Q/A Discussion Flow What we will be discussing today

#pandorasecurity The Attack Surface describes all of the different points where an attacker could get into a system, and where they could get data out. Recon What should we check for?

The Attack Surface is: #pandorasecurity All paths for data/commands into and out of the application The code that protects these paths (including resource connection and authentication, authorization, activity logging, data validation and encoding) All valuable data used in the application, including secrets and keys, intellectual property, critical business data, personal data and PII, and The code that protects these data (including encryption and checksums, access auditing, and data integrity and operational security controls).

Samples of Attack Points #pandorasecurity User interface (UI) forms and fields HTTP headers and cookies APIs Files Databases Other local storage Email or other kinds of messages Run-time arguments

Attack Surface Recon allows you to: #pandorasecurity Identify what functions and what parts of the system you need to review/test for security vulnerabilities Identify high risk areas of code that require defense-in-depth protection (what parts of the system that you need to defend) Identify when you have changed the attack surface and need to do some kind of threat assessment

Tools we can use to RECON #pandorasecurity Builtwith.com OWASP ZAP

#pandorasecurity OWASP ZAP DEMO

#pandorasecurity Mapping Attack Surface mapping is to map out and prioritze what parts of a system need to be reviewed and tested for security vulnerabilities. Mapping out the Attack Surface with Potential Use Cases

Mapping Attack Surface/Point to: #pandorasecurity Types of users/roles, and its privilege levels External-facing or internal-facing Purpose (function, storage, informational, etc.) Implementation (server-side, client-side) Technology Attack Point User/Role External/ Internal Purpose Implementation Technology User Search Form Member Internal Function Server-side PHP, AJAX Contact Us Form Anonymous External Function Server-side PHP, AJAX

Prioritization & Focus #pandorasecurity By grouping attack surface or attack points: You don't need to understand every endpoint in order to understand the total Attack Surface and the potential risk profile of a system. You can budget what it will take to assess risk at scale, and you can tell the risk profile of an application based on a certain criteria or parameter.

#pandorasecurity Analysis Attack Surface Analysis is about identifying which parts of the system need to be fixed given the risk score and how it affects the overall system. Based on the mapped out Attack Surface and identified risks, what now?

#pandorasecurity What Now? Prioritize what is the most important attack surface to address As modification and adjustments are made, use the baseline to test: What has changed? What are you doing different? (technology, new approach, etc.) What holes could you have opened? Helps in the SDLC to build the application securely

#pandorasecurity TIME FOR Q&A RECON. MAPPING. ANALYSIS.

Homework #pandorasecurity Install OWASP ZAP on your system https://github.com/zaproxy/zaproxy/wiki/downloads Conduct the recon, mapping, and analysis procedures on your web application and identify the following: Attack Surface/Points Map and

#pandorasecurity WEB APPLICATION TESTING RECON MAPPING ANALYSIS

www.pandoralabs.net Expert Advice. Experience Advantage. Proactive Security Solutions Through Cutting-Edge Research. Web App Testing: RECON. MAPPING. ANALYSIS. By @isaacsabas

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback