Application Security Approach


Technical Approach

CONTENTS
1. Introduction
2. What is Application Security
3. Typical Approaches
4. Methodology

1. INTRODUCTION

It is an unsafe cyber world. Attacks go global in minutes through cyberspace, and human systems can no longer react in time. FACT: 99.9% secure = 100% vulnerable! (Source: Internet)

Highest Security Risk: web application attacks represent the greatest threat to an organization's security. (Source: Internet)

Need for Application Security: the OWASP Top 10 risks.

2. WHAT IS APPLICATION SECURITY?

What is Application Security? A form of stress testing which exposes weaknesses or flaws in a web application; the art of finding ways to exploit a web application. Typical flaw classes covered:
- Insecure Cryptographic Storage
- Security Misconfiguration
- Cross Site Request Forgery (CSRF)
- Insecure Direct Object References
- Broken Authentication and Session Management
- Cross Site Scripting (XSS)
- Injection Flaws

3. APPROACH

Typical Approach

Authentication Assessment (Grey Box Assessment):
- Dynamic pages / static pages
- Login page
- Provided with login credentials

Non-Authentication Assessment (Black Box Assessment):
- Dynamic pages / static pages
- Publicly available pages
- Login page / no login page
- Not provided with login credentials

4. METHODOLOGY

Methodology for Application Security (seven phases):
01 Scope / Goal Definition
02 Application Discovery
03 Infrastructure Analysis
04 Threat Assessment
05 Vulnerability Assessment
06 Exploitation Attempts
07 Deliverables

1. Scope/Goal Definition
- What type of assessment is to be conducted: Authenticated Assessment or Non-Authenticated Assessment
- Which web application the test will be conducted on
- Duration of the test

2. Application Discovery
Web application discovery is a process aimed at identifying web applications on a given infrastructure. The latter is usually specified as a set of IP addresses (maybe a net block), but may consist of a set of DNS symbolic names or a mix of the two. This information is handed out prior to the execution of an application-focused assessment.

3. Infrastructure Analysis
Conduct analysis to find where the web application is located in the infrastructure. Analyse what is placed to protect the web server and find the gaps in that placement. Check in detail how the web server, application server and database server are located relative to each other.

4. Threat Assessment
The threat assessment is conducted based on the findings of Step 2 and Step 3. All possible threats related to the application and the infrastructure are assessed in this phase.

5. Vulnerability Assessment
A tool-based scan is conducted based on the scope defined in Step 1.

Authentication Assessment (Grey Box Assessment):
- Dynamic pages / static pages
- Login page
- Provided with login credentials

Non-Authentication Assessment (Black Box Assessment):
- Dynamic pages / static pages
- Publicly available pages
- Login page / no login page
- Not provided with login credentials

Our consultant team then performs manual analysis of the scan results. False positives / false negatives: the Alcumus consultant team conducts analysis to identify false positives and false negatives. After the analysis, vulnerabilities are rated as Critical, High, Medium or Low.

6. Exploitation Attempts
This phase has two sub-stages.

I. Attack & Penetration
- Known / available exploit selection: the tester acquires publicly available software for exploiting.
- Exploit customization: customize the exploit software to work as desired.
- Exploit development: develop an own exploit if no exploit program is available.
- Exploit testing: the exploit must be tested before the formal test to avoid damage.
- Attack: use of the exploit to gain unauthorized access to the target.

II. Privilege Escalation
- What can be done with the acquired access / privileges: alter, damage, what not.

The team of consultants at Isolutions will conduct a POC to exploit the Critical and High vulnerabilities.

7. Deliverables
- Organize data and related results for management reporting
- Consolidation of information gathered
- Analysis and extraction of general conclusions
- Recommendations

Thank You!
Infopercept Consulting Pvt. Ltd.
H-1209, Titanium City Center, Anand Nagar Road, Satellite Road, Ahmedabad 380 015.
www.infopercept.com
reachus@infopercept.com